AWS CloudFormation User Guide Cloud Formation Gettng Started

User Manual:

Open the PDF directly: View PDF .
Page Count: 2474

Download
Open PDF In Browser	View PDF

AWS CloudFormation
User Guide
API Version 2010-05-15

AWS CloudFormation User Guide

AWS CloudFormation: User Guide

Copyright © 2018 Amazon Web Services, Inc. and/or its aﬃliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner
that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not
owned by Amazon are the property of their respective owners, who may or may not be aﬃliated with, connected to, or sponsored by
Amazon.

AWS CloudFormation User Guide

Table of Contents
What is AWS CloudFormation? ............................................................................................................. 1
Simplify Infrastructure Management ............................................................................................. 1
Quickly Replicate Your Infrastructure ............................................................................................ 1
Easily Control and Track Changes to Your Infrastructure .................................................................. 1
Related Information ................................................................................................................... 2
AWS CloudFormation Concepts .................................................................................................... 2
Templates ......................................................................................................................... 2
Stacks ............................................................................................................................... 4
Change Sets ...................................................................................................................... 5
How Does AWS CloudFormation Work? ......................................................................................... 5
Updating a Stack with Change Sets ...................................................................................... 7
Deleting a Stack ................................................................................................................ 8
Additional Resources .......................................................................................................... 8
Setting Up ........................................................................................................................................ 9
Signing Up for an AWS Account and Pricing .................................................................................. 9
Pricing .............................................................................................................................. 9
Controlling Access with IAM ........................................................................................................ 9
AWS CloudFormation Actions ............................................................................................. 10
AWS CloudFormation Resources ......................................................................................... 11
AWS CloudFormation Conditions ........................................................................................ 12
Acknowledging IAM Resources in AWS CloudFormation Templates .......................................... 15
Manage Credentials for Applications Running on Amazon EC2 Instances .................................. 16
Grant Temporary Access (Federated Access) ......................................................................... 16
AWS CloudFormation Service Role ...................................................................................... 17
Logging API Calls ..................................................................................................................... 17
AWS CloudFormation Information in CloudTrail .................................................................... 18
Understanding AWS CloudFormation Log File Entries ............................................................ 18
Limits ..................................................................................................................................... 21
Endpoints ................................................................................................................................ 23
AWS CloudFormation and VPC Endpoints .................................................................................... 24
Getting Started ................................................................................................................................ 25
Get Started ............................................................................................................................. 25
Step 1: Pick a template ..................................................................................................... 25
Step 2: Make sure you have prepared any required items for the stack ..................................... 30
Step 3: Create the stack .................................................................................................... 31
Step 4: Monitor the progress of stack creation ..................................................................... 31
Step 5: Use your stack resources ........................................................................................ 32
Step 6: Clean Up .............................................................................................................. 33
Learn Template Basics .............................................................................................................. 33
What is an AWS CloudFormation Template? ......................................................................... 33
Resources: Hello Bucket! .................................................................................................... 34
Resource Properties and Using Resources Together ............................................................... 34
Receiving User Input Using Input Parameters ....................................................................... 40
Specifying Conditional Values Using Mappings ..................................................................... 42
Constructed Values and Output Values ............................................................................... 44
Next Steps ....................................................................................................................... 46
Walkthrough: Updating a Stack .................................................................................................. 47
A Simple Application ........................................................................................................ 48
Create the Initial Stack ..................................................................................................... 53
Update the Application ..................................................................................................... 54
Changing Resource Properties ............................................................................................ 56
Adding Resource Properties ............................................................................................... 59
Change the Stack's Resources ............................................................................................ 60
Availability and Impact Considerations ................................................................................ 66
API Version 2010-05-15
iii

AWS CloudFormation User Guide

Related Resources ............................................................................................................ 67
Best Practices .................................................................................................................................. 68
Organize Your Stacks By Lifecycle and Ownership ........................................................................ 68
Use Cross-Stack References to Export Shared Resources ................................................................ 69
Use IAM to Control Access ......................................................................................................... 69
Verify Quotas for All Resource Types .......................................................................................... 69
Reuse Templates to Replicate Stacks in Multiple Environments ....................................................... 70
Use Nested Stacks to Reuse Common Template Patterns ............................................................... 70
Do Not Embed Credentials in Your Templates .............................................................................. 70
Use AWS-Speciﬁc Parameter Types ............................................................................................. 70
Use Parameter Constraints ........................................................................................................ 71
Use AWS::CloudFormation::Init to Deploy Software Applications on Amazon EC2 Instances ................. 71
Use the Latest Helper Scripts ..................................................................................................... 71
Validate Templates Before Using Them ....................................................................................... 71
Manage All Stack Resources Through AWS CloudFormation ........................................................... 72
Create Change Sets Before Updating Your Stacks ......................................................................... 72
Use Stack Policies ..................................................................................................................... 72
Use AWS CloudTrail to Log AWS CloudFormation Calls .................................................................. 72
Use Code Reviews and Revision Controls to Manage Your Templates ............................................... 73
Update Your Amazon EC2 Linux Instances Regularly ..................................................................... 73
Continuous Delivery .......................................................................................................................... 74
Walkthrough: Building a Pipeline for Test and Production Stacks .................................................... 74
Prerequisites .................................................................................................................... 74
Walkthrough Overview ...................................................................................................... 75
Step 1: Edit the Artifact and Upload It to an S3 Bucket ......................................................... 75
Step 2: Create the Pipeline Stack ....................................................................................... 76
Step 3: View the WordPress Stack ...................................................................................... 80
Step 4: Clean Up Resources .............................................................................................. 80
Conﬁguration Properties Reference ............................................................................................. 81
Conﬁguration Properties (Console) ..................................................................................... 81
Conﬁguration Properties (JSON Object) .............................................................................. 83
AWS CloudFormation Artifacts ................................................................................................... 85
Stack Template File .......................................................................................................... 85
Template Conﬁguration File ............................................................................................... 85
Using Parameter Override Functions with AWS CodePipeline Pipelines ............................................ 86
Fn::GetArtifactAtt ............................................................................................................. 86
Fn::GetParam ................................................................................................................... 87
Working with Stacks ......................................................................................................................... 90
Using the Console .................................................................................................................... 90
In This Section ................................................................................................................. 90
Logging In to the Console ................................................................................................. 91
Creating a Stack ............................................................................................................... 92
Creating an EC2 Key Pair ................................................................................................... 98
Estimating the Cost of Your Stack ...................................................................................... 99
Viewing Stack Data and Resources ..................................................................................... 99
Monitor and Roll Back Stack Operations ............................................................................ 102
Creating Quick-Create Links for Stacks .............................................................................. 103
Deleting a Stack ............................................................................................................. 105
Protecting a Stack From Being Deleted ............................................................................. 106
Viewing Deleted Stacks ................................................................................................... 107
Related Topics ................................................................................................................ 108
Using the AWS CLI .................................................................................................................. 108
Creating a Stack ............................................................................................................. 108
Describing and Listing Your Stacks .................................................................................... 109
Viewing Stack Event History ............................................................................................ 112
Listing Resources ............................................................................................................ 114
Retrieving a Template ..................................................................................................... 114
API Version 2010-05-15
iv

AWS CloudFormation User Guide

Validating a Template .....................................................................................................
Uploading Local Artifacts to an S3 Bucket .........................................................................
Quickly Deploying Templates with Transforms ...................................................................
Deleting a Stack .............................................................................................................
Stack Updates ........................................................................................................................
Update Behaviors of Stack Resources ................................................................................
Modifying a Stack Template .............................................................................................
Updating Stacks Using Change Sets ..................................................................................
Updating Stacks Directly .................................................................................................
Monitoring Progress ........................................................................................................
Canceling a Stack Update ................................................................................................
Prevent Updates to Stack Resources .................................................................................
Continue Rolling Back an Update .....................................................................................
Exporting Stack Output Values .................................................................................................
Exporting Stack Output Values vs. Using Nested Stacks .......................................................
Listing Exported Output Values ........................................................................................
Listing Stacks That Import an Exported Output Value .................................................................
Working with Nested Stacks ....................................................................................................
Working with Windows Stacks ..................................................................................................
In This Section ...............................................................................................................
Windows AMIs and Templates ..........................................................................................
Bootstrapping Windows Stacks .........................................................................................
Working with Templates ..................................................................................................................
Template Formats ...................................................................................................................
Template Anatomy .................................................................................................................
JSON ............................................................................................................................
YAML ............................................................................................................................
Template Sections ..........................................................................................................
Format Version ...............................................................................................................
Description ....................................................................................................................
Metadata .......................................................................................................................
Parameters ....................................................................................................................
Mappings .......................................................................................................................
Conditions .....................................................................................................................
Transform ......................................................................................................................
Resources ......................................................................................................................
Outputs .........................................................................................................................
What Is AWS CloudFormation Designer? ....................................................................................
Why Use Designer? .........................................................................................................
Interface Overview .........................................................................................................
How to Get Started ........................................................................................................
Walkthroughs .........................................................................................................................
Walkthrough: Use AWS CloudFormation Designer to Create a Basic Web Server .......................
Walkthrough: Use AWS CloudFormation Designer to Modify a Stack's Template ......................
Peer with a VPC in Another Account .................................................................................
Walkthrough: Refer to Resource Outputs in Another AWS CloudFormation Stack .....................
Create a Scalable, Load-balancing Web Server ...................................................................
Deploying Applications ....................................................................................................
Creating Wait Conditions .................................................................................................
Template Snippets ..................................................................................................................
General .........................................................................................................................
Auto Scaling ..................................................................................................................
AWS CloudFormation ......................................................................................................
CloudFront .....................................................................................................................
CloudWatch ...................................................................................................................
CloudWatch Logs ............................................................................................................
DynamoDB .....................................................................................................................
API Version 2010-05-15
v

115
116
117
117
118
118
119
122
136
139
140
141
150
153
153
154
154
155
157
157
157
157
162
162
163
163
164
164
165
166
166
167
182
187
191
196
199
202
202
204
213
213
213
230
241
248
250
260
276
280
280
288
292
296
303
307
333

AWS CloudFormation User Guide

Amazon EC2 .................................................................................................................. 337
Amazon ECS .................................................................................................................. 353
Amazon EFS ................................................................................................................... 369
Elastic Beanstalk ............................................................................................................. 384
Elastic Load Balancing ..................................................................................................... 386
IAM ............................................................................................................................... 387
AWS Lambda ................................................................................................................. 400
AWS OpsWorks .............................................................................................................. 404
Amazon Redshift ............................................................................................................ 410
Amazon RDS .................................................................................................................. 416
Route 53 ........................................................................................................................ 422
Amazon S3 .................................................................................................................... 426
Amazon SNS .................................................................................................................. 431
Amazon SQS .................................................................................................................. 432
Custom Resources ................................................................................................................... 432
How Custom Resources Work ........................................................................................... 432
Amazon Simple Notiﬁcation Service-backed Custom Resources ............................................. 434
AWS Lambda-backed Custom Resources ............................................................................ 439
Custom Resource Reference ............................................................................................. 446
Using Regular Expressions ....................................................................................................... 458
Using CloudFormer to Create Templates .................................................................................... 458
Step 1: Create a CloudFormer Stack .................................................................................. 459
Step 2: Launch the CloudFormer Stack .............................................................................. 459
Step 3: Use CloudFormer to Create a Template .................................................................. 460
Step 4: Delete the CloudFormer Stack ............................................................................... 464
Working with AWS CloudFormation StackSets .................................................................................... 465
StackSets Concepts ................................................................................................................. 465
Administrator and target accounts .................................................................................... 466
Stack sets ...................................................................................................................... 466
Stack instances ............................................................................................................... 466
Stack set operations ....................................................................................................... 467
Stack set operation options ............................................................................................. 468
Tags .............................................................................................................................. 469
Stack set and stack instance status codes .......................................................................... 469
Prerequisites: Granting Permissions for Stack Set Operations ....................................................... 470
Set Up Basic Permissions for Stack Sets Operations ............................................................ 470
Set Up Advanced Permissions Options for Stack Set Operations ........................................... 473
Getting Started ...................................................................................................................... 478
Create a New Stack Set ................................................................................................... 478
Update Your Stack Set .................................................................................................... 483
Add Stacks to a Stack Set ............................................................................................... 488
Override Parameters on Stack Instances ............................................................................ 489
Delete Stack Instances .................................................................................................... 490
Delete Stack Sets ........................................................................................................... 492
Target account gates ............................................................................................................... 494
Setup Requirements ........................................................................................................ 494
Sample Lambda Account Gating Functions ........................................................................ 494
Best Practices ......................................................................................................................... 495
Deﬁning the Template .................................................................................................... 495
Creating or Adding Stacks to the Stack Set ........................................................................ 495
Updating Stacks in a Stack Set ......................................................................................... 495
Limitations of StackSets .......................................................................................................... 496
Sample Templates .................................................................................................................. 496
Troubleshooting ..................................................................................................................... 497
Common reasons for stack operation failure ...................................................................... 497
Retrying failed stack creation or update operations ............................................................. 497
Stack instance deletion fails ............................................................................................. 498
API Version 2010-05-15
vi

AWS CloudFormation User Guide

Template Reference ........................................................................................................................
AWS Resource Types ...............................................................................................................
AWS::AmazonMQ::Broker .................................................................................................
AWS::AmazonMQ::Conﬁguration .......................................................................................
AWS::ApiGateway::Account ...............................................................................................
AWS::ApiGateway::ApiKey ................................................................................................
AWS::ApiGateway::Authorizer ...........................................................................................
AWS::ApiGateway::BasePathMapping .................................................................................
AWS::ApiGateway::ClientCertiﬁcate ....................................................................................
AWS::ApiGateway::Deployment .........................................................................................
AWS::ApiGateway::DocumentationPart ...............................................................................
AWS::ApiGateway::DocumentationVersion ..........................................................................
AWS::ApiGateway::DomainName .......................................................................................
AWS::ApiGateway::GatewayResponse .................................................................................
AWS::ApiGateway::Method ...............................................................................................
AWS::ApiGateway::Model .................................................................................................
AWS::ApiGateway::RequestValidator ..................................................................................
AWS::ApiGateway::Resource ..............................................................................................
AWS::ApiGateway::RestApi ................................................................................................
AWS::ApiGateway::Stage ..................................................................................................
AWS::ApiGateway::UsagePlan ...........................................................................................
AWS::ApiGateway::UsagePlanKey ......................................................................................
AWS::ApiGateway::VpcLink ...............................................................................................
AWS::ApplicationAutoScaling::ScalableTarget ......................................................................
AWS::ApplicationAutoScaling::ScalingPolicy ........................................................................
AWS::AppSync::ApiKey .....................................................................................................
AWS::AppSync::DataSource ...............................................................................................
AWS::AppSync::GraphQLApi .............................................................................................
AWS::AppSync::GraphQLSchema .......................................................................................
AWS::AppSync::Resolver ...................................................................................................
AWS::Athena::NamedQuery ..............................................................................................
AWS::AutoScaling::AutoScalingGroup .................................................................................
AWS::AutoScaling::LaunchConﬁguration .............................................................................
AWS::AutoScaling::LifecycleHook .......................................................................................
AWS::AutoScaling::ScalingPolicy ........................................................................................
AWS::AutoScaling::ScheduledAction ...................................................................................
AWS::AutoScalingPlans::ScalingPlan ..................................................................................
AWS::Batch::ComputeEnvironment ....................................................................................
AWS::Batch::JobDeﬁnition ................................................................................................
AWS::Batch::JobQueue .....................................................................................................
AWS::Budgets::Budget .....................................................................................................
AWS::CertiﬁcateManager::Certiﬁcate ..................................................................................
AWS::Cloud9::EnvironmentEC2 ..........................................................................................
AWS::CloudFormation::Authentication ................................................................................
AWS::CloudFormation::CustomResource .............................................................................
AWS::CloudFormation::Init ................................................................................................
AWS::CloudFormation::Interface ........................................................................................
AWS::CloudFormation::Stack .............................................................................................
AWS::CloudFormation::WaitCondition ................................................................................
AWS::CloudFormation::WaitConditionHandle ......................................................................
AWS::CloudFront::Distribution ...........................................................................................
AWS::CloudFront::CloudFrontOriginAccessIdentity ...............................................................
AWS::CloudFront::StreamingDistribution ............................................................................
AWS::CloudTrail::Trail .......................................................................................................
AWS::CloudWatch::Alarm .................................................................................................
AWS::CloudWatch::Dashboard ...........................................................................................
AWS::CodeBuild::Project ...................................................................................................
API Version 2010-05-15
vii

499
499
506
513
516
518
522
525
527
528
531
534
538
545
548
556
558
561
563
570
574
577
578
581
594
601
604
608
611
613
618
620
628
637
640
646
650
651
655
658
660
663
666
668
674
677
691
694
696
699
700
703
705
708
714
719
720

AWS CloudFormation User Guide

AWS::CodeCommit::Repository ..........................................................................................
AWS::CodeDeploy::Application ..........................................................................................
AWS::CodeDeploy::DeploymentConﬁg ................................................................................
AWS::CodeDeploy::DeploymentGroup ................................................................................
AWS::CodePipeline::CustomActionType ..............................................................................
AWS::CodePipeline::Pipeline .............................................................................................
AWS::CodePipeline::Webhook ...........................................................................................
AWS::Cognito::IdentityPool ...............................................................................................
AWS::Cognito::IdentityPoolRoleAttachment ........................................................................
AWS::Cognito::UserPool ...................................................................................................
AWS::Cognito::UserPoolClient ...........................................................................................
AWS::Cognito::UserPoolGroup ...........................................................................................
AWS::Cognito::UserPoolUser .............................................................................................
AWS::Cognito::UserPoolUserToGroupAttachment ................................................................
AWS::Conﬁg::AggregationAuthorization .............................................................................
AWS::Conﬁg::ConﬁgRule ..................................................................................................
AWS::Conﬁg::ConﬁgurationAggregator ...............................................................................
AWS::Conﬁg::ConﬁgurationRecorder ..................................................................................
AWS::Conﬁg::DeliveryChannel ...........................................................................................
AWS::DataPipeline::Pipeline ..............................................................................................
AWS::DAX::Cluster ...........................................................................................................
AWS::DAX::ParameterGroup ..............................................................................................
AWS::DAX::SubnetGroup ..................................................................................................
AWS::DirectoryService::MicrosoftAD ...................................................................................
AWS::DirectoryService::SimpleAD ......................................................................................
AWS::DMS::Certiﬁcate ......................................................................................................
AWS::DMS::Endpoint ........................................................................................................
AWS::DMS::EventSubscription ...........................................................................................
AWS::DMS::ReplicationInstance .........................................................................................
AWS::DMS::ReplicationSubnetGroup ..................................................................................
AWS::DMS::ReplicationTask ...............................................................................................
AWS::DynamoDB::Table ...................................................................................................
AWS::EC2::CustomerGateway ............................................................................................
AWS::EC2::DHCPOptions ..................................................................................................
AWS::EC2::EgressOnlyInternetGateway ...............................................................................
AWS::EC2::EIP .................................................................................................................
AWS::EC2::EIPAssociation .................................................................................................
AWS::EC2::FlowLog ..........................................................................................................
AWS::EC2::Host ...............................................................................................................
AWS::EC2::Instance ..........................................................................................................
AWS::EC2::InternetGateway ..............................................................................................
AWS::EC2::LaunchTemplate ..............................................................................................
AWS::EC2::NatGateway ....................................................................................................
AWS::EC2::NetworkAcl .....................................................................................................
AWS::EC2::NetworkAclEntry ..............................................................................................
AWS::EC2::NetworkInterface .............................................................................................
AWS::EC2::NetworkInterfaceAttachment ............................................................................
AWS::EC2::NetworkInterfacePermission ..............................................................................
AWS::EC2::PlacementGroup ..............................................................................................
AWS::EC2::Route .............................................................................................................
AWS::EC2::RouteTable ......................................................................................................
AWS::EC2::SecurityGroup .................................................................................................
AWS::EC2::SecurityGroupEgress .........................................................................................
AWS::EC2::SecurityGroupIngress ........................................................................................
AWS::EC2::SpotFleet ........................................................................................................
AWS::EC2::Subnet ...........................................................................................................
AWS::EC2::SubnetCidrBlock ..............................................................................................
API Version 2010-05-15
viii

729
731
733
735
751
755
760
763
766
768
772
774
776
779
780
788
794
797
799
801
810
816
818
821
825
828
830
835
838
842
845
848
861
863
867
868
870
875
877
879
890
891
893
895
897
901
906
908
910
911
915
917
921
925
932
935
938

AWS CloudFormation User Guide

AWS::EC2::SubnetNetworkAclAssociation ............................................................................ 940
AWS::EC2::SubnetRouteTableAssociation ............................................................................ 942
AWS::EC2::Volume ........................................................................................................... 944
AWS::EC2::VolumeAttachment .......................................................................................... 948
AWS::EC2::VPC ................................................................................................................ 950
AWS::EC2::VPCCidrBlock ................................................................................................... 953
AWS::EC2::VPCDHCPOptionsAssociation ............................................................................. 956
AWS::EC2::VPCEndpoint ................................................................................................... 958
AWS::EC2::VPCEndpointConnectionNotiﬁcation ................................................................... 961
AWS::EC2::VPCEndpointService ......................................................................................... 963
AWS::EC2::VPCEndpointServicePermissions ......................................................................... 964
AWS::EC2::VPCGatewayAttachment ................................................................................... 965
AWS::EC2::VPCPeeringConnection ..................................................................................... 967
AWS::EC2::VPNConnection ................................................................................................ 977
AWS::EC2::VPNConnectionRoute ....................................................................................... 980
AWS::EC2::VPNGateway ................................................................................................... 982
AWS::EC2::VPNGatewayRoutePropagation .......................................................................... 984
AWS::ECR::Repository ...................................................................................................... 985
AWS::ECS::Cluster ............................................................................................................ 989
AWS::ECS::Service ........................................................................................................... 991
AWS::ECS::TaskDeﬁnition ................................................................................................ 1002
AWS::EFS::FileSystem ..................................................................................................... 1009
AWS::EFS::MountTarget .................................................................................................. 1013
AWS::EKS::Cluster .......................................................................................................... 1015
AWS::ElastiCache::CacheCluster ....................................................................................... 1018
AWS::ElastiCache::ParameterGroup .................................................................................. 1026
AWS::ElastiCache::ReplicationGroup ................................................................................. 1028
AWS::ElastiCache::SecurityGroup ..................................................................................... 1039
AWS::ElastiCache::SecurityGroupIngress ........................................................................... 1040
AWS::ElastiCache::SubnetGroup ....................................................................................... 1041
AWS::ElasticBeanstalk::Application ................................................................................... 1043
AWS::ElasticBeanstalk::ApplicationVersion ........................................................................ 1045
AWS::ElasticBeanstalk::ConﬁgurationTemplate .................................................................. 1047
AWS::ElasticBeanstalk::Environment ................................................................................. 1050
AWS::ElasticLoadBalancing::LoadBalancer ......................................................................... 1063
AWS::ElasticLoadBalancingV2::Listener ............................................................................. 1074
AWS::ElasticLoadBalancingV2::ListenerCertiﬁcate .............................................................. 1077
AWS::ElasticLoadBalancingV2::ListenerRule ....................................................................... 1080
AWS::ElasticLoadBalancingV2::LoadBalancer ..................................................................... 1082
AWS::ElasticLoadBalancingV2::TargetGroup ...................................................................... 1088
AWS::Elasticsearch::Domain ............................................................................................ 1096
AWS::EMR::Cluster ......................................................................................................... 1104
AWS::EMR::InstanceFleetConﬁg ....................................................................................... 1122
AWS::EMR::InstanceGroupConﬁg ..................................................................................... 1124
AWS::EMR::SecurityConﬁguration .................................................................................... 1127
AWS::EMR::Step ............................................................................................................ 1130
AWS::Events::Rule .......................................................................................................... 1132
AWS::GameLift::Alias ..................................................................................................... 1138
AWS::GameLift::Build ..................................................................................................... 1140
AWS::GameLift::Fleet ..................................................................................................... 1142
AWS::Glue::Classiﬁer ...................................................................................................... 1146
AWS::Glue::Connection ................................................................................................... 1147
AWS::Glue::Crawler ........................................................................................................ 1149
AWS::Glue::Database ...................................................................................................... 1154
AWS::Glue::DevEndpoint ................................................................................................ 1155
AWS::Glue::Job .............................................................................................................. 1157
AWS::Glue::Partition ...................................................................................................... 1162
API Version 2010-05-15
ix

AWS CloudFormation User Guide

AWS::Glue::Table ...........................................................................................................
AWS::Glue::Trigger .........................................................................................................
AWS::GuardDuty::Detector ..............................................................................................
AWS::GuardDuty::Filter ...................................................................................................
AWS::GuardDuty::Master ................................................................................................
AWS::GuardDuty::Member ..............................................................................................
AWS::GuardDuty::IPSet ...................................................................................................
AWS::GuardDuty::ThreatIntelSet ......................................................................................
AWS::IAM::AccessKey .....................................................................................................
AWS::IAM::Group ...........................................................................................................
AWS::IAM::InstanceProﬁle ...............................................................................................
AWS::IAM::ManagedPolicy ..............................................................................................
AWS::IAM::Policy ...........................................................................................................
AWS::IAM::Role .............................................................................................................
AWS::IAM::ServiceLinkedRole ..........................................................................................
AWS::IAM::User .............................................................................................................
AWS::IAM::UserToGroupAddition .....................................................................................
AWS::Inspector::AssessmentTarget ...................................................................................
AWS::Inspector::AssessmentTemplate ...............................................................................
AWS::Inspector::ResourceGroup .......................................................................................
AWS::IoT::Certiﬁcate ......................................................................................................
AWS::IoT::Policy ............................................................................................................
AWS::IoT::PolicyPrincipalAttachment ................................................................................
AWS::IoT::Thing .............................................................................................................
AWS::IoT::ThingPrincipalAttachment ................................................................................
AWS::IoT::TopicRule .......................................................................................................
AWS::Kinesis::Stream .....................................................................................................
AWS::KinesisAnalytics::Application ...................................................................................
AWS::KinesisAnalytics::ApplicationOutput .........................................................................
AWS::KinesisAnalytics::ApplicationReferenceDataSource .....................................................
AWS::KinesisFirehose::DeliveryStream ..............................................................................
AWS::KMS::Alias ............................................................................................................
AWS::KMS::Key ..............................................................................................................
AWS::Lambda::EventSourceMapping ................................................................................
AWS::Lambda::Alias .......................................................................................................
AWS::Lambda::Function .................................................................................................
AWS::Lambda::Permission ...............................................................................................
AWS::Lambda::Version ...................................................................................................
AWS::Logs::Destination ..................................................................................................
AWS::Logs::LogGroup .....................................................................................................
AWS::Logs::LogStream ...................................................................................................
AWS::Logs::MetricFilter ..................................................................................................
AWS::Logs::SubscriptionFilter ..........................................................................................
AWS::Neptune::DBCluster ...............................................................................................
AWS::Neptune::DBClusterParameterGroup ........................................................................
AWS::Neptune::DBInstance .............................................................................................
AWS::Neptune::DBParameterGroup ..................................................................................
AWS::Neptune::DBSubnetGroup ......................................................................................
AWS::OpsWorks::App .....................................................................................................
AWS::OpsWorks::ElasticLoadBalancerAttachment ...............................................................
AWS::OpsWorks::Instance ...............................................................................................
AWS::OpsWorks::Layer ...................................................................................................
AWS::OpsWorks::Stack ...................................................................................................
AWS::OpsWorks::UserProﬁle ...........................................................................................
AWS::OpsWorks::Volume ................................................................................................
AWS::RDS::DBCluster .....................................................................................................
AWS::RDS::DBClusterParameterGroup ..............................................................................
API Version 2010-05-15
x

1164
1165
1171
1172
1175
1177
1180
1182
1184
1186
1188
1190
1194
1197
1204
1205
1208
1209
1211
1214
1215
1218
1220
1221
1224
1225
1228
1231
1234
1235
1237
1245
1247
1251
1254
1257
1263
1265
1267
1270
1272
1273
1275
1278
1282
1284
1288
1290
1293
1297
1298
1305
1316
1327
1329
1331
1338

AWS CloudFormation User Guide

AWS::RDS::DBInstance ....................................................................................................
AWS::RDS::DBParameterGroup ........................................................................................
AWS::RDS::DBSecurityGroup ...........................................................................................
AWS::RDS::DBSecurityGroupIngress .................................................................................
AWS::RDS::DBSubnetGroup .............................................................................................
AWS::RDS::EventSubscription ..........................................................................................
AWS::RDS::OptionGroup .................................................................................................
AWS::Redshift::Cluster ....................................................................................................
AWS::Redshift::ClusterParameterGroup ............................................................................
AWS::Redshift::ClusterSecurityGroup ................................................................................
AWS::Redshift::ClusterSecurityGroupIngress ......................................................................
AWS::Redshift::ClusterSubnetGroup .................................................................................
AWS::Route53::HealthCheck ...........................................................................................
AWS::Route53::HostedZone ............................................................................................
AWS::Route53::RecordSet ...............................................................................................
AWS::Route53::RecordSetGroup ......................................................................................
AWS::S3::Bucket ............................................................................................................
AWS::S3::BucketPolicy ....................................................................................................
AWS::SageMaker::Endpoint .............................................................................................
AWS::SageMaker::EndpointConﬁg ....................................................................................
AWS::SageMaker::Model .................................................................................................
AWS::SageMaker::NotebookInstance ................................................................................
AWS::SageMaker::NotebookInstanceLifecycleConﬁg ...........................................................
AWS::SDB::Domain ........................................................................................................
AWS::ServiceCatalog::AcceptedPortfolioShare ...................................................................
AWS::ServiceCatalog::CloudFormationProduct ...................................................................
AWS::ServiceCatalog::CloudFormationProvisionedProduct ...................................................
AWS::ServiceCatalog::LaunchNotiﬁcationConstraint ...........................................................
AWS::ServiceCatalog::LaunchRoleConstraint ......................................................................
AWS::ServiceCatalog::LaunchTemplateConstraint ...............................................................
AWS::ServiceCatalog::Portfolio ........................................................................................
AWS::ServiceCatalog::PortfolioPrincipalAssociation ............................................................
AWS::ServiceCatalog::PortfolioProductAssociation .............................................................
AWS::ServiceCatalog::PortfolioShare ................................................................................
AWS::ServiceCatalog::TagOption .....................................................................................
AWS::ServiceCatalog::TagOptionAssociation ......................................................................
AWS::ServiceDiscovery::Instance ......................................................................................
AWS::ServiceDiscovery::PrivateDnsNamespace ...................................................................
AWS::ServiceDiscovery::PublicDnsNamespace ....................................................................
AWS::ServiceDiscovery::Service ........................................................................................
AWS::SES::ConﬁgurationSet ............................................................................................
AWS::SES::ConﬁgurationSetEventDestination ....................................................................
AWS::SES::ReceiptFilter ..................................................................................................
AWS::SES::ReceiptRule ...................................................................................................
AWS::SES::ReceiptRuleSet ...............................................................................................
AWS::SES::Template .......................................................................................................
AWS::SNS::Subscription ..................................................................................................
AWS::SNS::Topic ............................................................................................................
AWS::SNS::TopicPolicy ....................................................................................................
AWS::SQS::Queue ..........................................................................................................
AWS::SQS::QueuePolicy ..................................................................................................
AWS::SSM::Association ...................................................................................................
AWS::SSM::Document ....................................................................................................
AWS::SSM::MaintenanceWindow ......................................................................................
AWS::SSM::MaintenanceWindowTarget .............................................................................
AWS::SSM::MaintenanceWindowTask ................................................................................
AWS::SSM::Parameter ....................................................................................................
API Version 2010-05-15
xi

1341
1357
1360
1363
1365
1367
1370
1373
1381
1384
1386
1388
1390
1392
1395
1401
1403
1419
1421
1425
1430
1435
1440
1444
1444
1445
1448
1453
1455
1456
1458
1460
1461
1463
1464
1465
1466
1468
1470
1471
1473
1475
1479
1480
1484
1486
1488
1492
1494
1495
1503
1504
1507
1511
1513
1515
1518

AWS CloudFormation User Guide

AWS::SSM::PatchBaseline ...............................................................................................
AWS::SSM::ResourceDataSync .........................................................................................
AWS::StepFunctions::Activity ...........................................................................................
AWS::StepFunctions::StateMachine ..................................................................................
AWS::WAF::ByteMatchSet ...............................................................................................
AWS::WAF::IPSet ...........................................................................................................
AWS::WAF::Rule ............................................................................................................
AWS::WAF::SizeConstraintSet ..........................................................................................
AWS::WAF::SqlInjectionMatchSet .....................................................................................
AWS::WAF::WebACL .......................................................................................................
AWS::WAF::XssMatchSet .................................................................................................
AWS::WAFRegional::ByteMatchSet ...................................................................................
AWS::WAFRegional::IPSet ...............................................................................................
AWS::WAFRegional::Rule ................................................................................................
AWS::WAFRegional::SizeConstraintSet ..............................................................................
AWS::WAFRegional::SqlInjectionMatchSet .........................................................................
AWS::WAFRegional::WebACL ...........................................................................................
AWS::WAFRegional::WebACLAssociation ...........................................................................
AWS::WAFRegional::XssMatchSet .....................................................................................
AWS::WorkSpaces::Workspace .........................................................................................
Resource Property Types ........................................................................................................
Amazon MQ Broker ConﬁgurationId ................................................................................
Amazon MQ Broker MaintenanceWindow .........................................................................
Amazon MQ Broker User ...............................................................................................
API Gateway ApiKey StageKey ........................................................................................
API Gateway Deployment StageDescription ......................................................................
API Gateway Deployment MethodSetting .........................................................................
API Gateway DocumentationPart Location .......................................................................
API Gateway DomainName EndpointConﬁguration ............................................................
API Gateway Method Integration ....................................................................................
API Gateway Method Integration IntegrationResponse .......................................................
API Gateway Method MethodResponse ............................................................................
API Gateway RestApi S3Location ....................................................................................
API Gateway RestApi EndpointConﬁguration ....................................................................
API Gateway Stage MethodSetting ..................................................................................
API Gateway UsagePlan ApiStage ...................................................................................
API Gateway UsagePlan QuotaSettings ............................................................................
API Gateway UsagePlan ThrottleSettings .........................................................................
Application Auto Scaling ScalingPolicy CustomizedMetricSpeciﬁcation .................................
Application Auto Scaling ScalingPolicy MetricDimension ....................................................
Application Auto Scaling ScalingPolicy PredeﬁnedMetricSpeciﬁcation ..................................
Application Auto Scaling ScalingPolicy StepScalingPolicyConﬁguration ................................
Application Auto Scaling ScalingPolicy StepScalingPolicyConﬁguration StepAdjustment .........
Application Auto Scaling ScalingPolicy TargetTrackingScalingPolicyConﬁguration ..................
Application Auto Scaling ScalableTarget ScalableTargetAction ............................................
Application Auto Scaling ScalableTarget ScheduledAction ..................................................
AWS AppSync DataSource DynamoDBConﬁg ....................................................................
AWS AppSync DataSource HttpConﬁg .............................................................................
AWS AppSync DataSource ElasticsearchConﬁg ..................................................................
AWS AppSync DataSource LambdaConﬁg ........................................................................
AWS AppSync GraphQLApi LogConﬁg .............................................................................
AWS AppSync GraphQLApi UserPoolConﬁg ......................................................................
AWS AppSync GraphQLApi OpenId Connect Conﬁg ...........................................................
Amazon EC2 Auto Scaling Block Device Mapping ..............................................................
Amazon EC2 Auto Scaling EBS Block Device .....................................................................
Amazon EC2 Auto Scaling AutoScalingGroup LifecycleHookSpeciﬁcation ..............................
Amazon EC2 Auto Scaling AutoScalingGroup LaunchTemplateSpeciﬁcation ..........................
API Version 2010-05-15
xii

1522
1524
1527
1529
1532
1535
1539
1541
1544
1547
1551
1555
1558
1561
1563
1567
1570
1574
1575
1579
1581
1594
1595
1596
1597
1598
1600
1602
1604
1604
1607
1609
1610
1611
1612
1614
1615
1615
1616
1618
1618
1619
1621
1622
1624
1624
1626
1627
1628
1629
1630
1630
1632
1633
1634
1636
1639

AWS CloudFormation User Guide

Amazon EC2 Auto Scaling AutoScalingGroup MetricsCollection ...........................................
Amazon EC2 Auto Scaling AutoScalingGroup NotiﬁcationConﬁguration ................................
Amazon EC2 Auto Scaling AutoScalingGroup TagProperty ..................................................
Amazon EC2 Auto Scaling ScalingPolicy CustomizedMetricSpeciﬁcation ...............................
Amazon EC2 Auto Scaling ScalingPolicy MetricDimension ..................................................
Amazon EC2 Auto Scaling ScalingPolicy PredeﬁnedMetricSpeciﬁcation ................................
Amazon EC2 Auto Scaling ScalingPolicy StepAdjustments ..................................................
Amazon EC2 Auto Scaling ScalingPolicy TargetTrackingConﬁguration ..................................
AWS Auto Scaling ScalingPlan ApplicationSource ..............................................................
AWS Auto Scaling ScalingPlan CustomizedScalingMetricSpeciﬁcation ...................................
AWS Auto Scaling ScalingPlan MetricDimension ................................................................
AWS Auto Scaling ScalingPlan PredeﬁnedScalingMetricSpeciﬁcation ....................................
AWS Auto Scaling ScalingPlan ScalingInstruction ..............................................................
AWS Auto Scaling ScalingPlan TagFilter ...........................................................................
AWS Auto Scaling ScalingPlan TargetTrackingConﬁguration ...............................................
AWS Batch ComputeEnvironment ComputeResources ........................................................
AWS Batch JobDeﬁnition ContainerProperties ..................................................................
AWS Batch JobDeﬁnition Environment ............................................................................
AWS Batch JobDeﬁnition MountPoints ............................................................................
AWS Batch JobDeﬁnition RetryStrategy ...........................................................................
AWS Batch JobDeﬁnition Timeout ...................................................................................
AWS Batch JobDeﬁnition Ulimit ......................................................................................
AWS Batch JobDeﬁnition Volumes ..................................................................................
AWS Batch JobDeﬁnition VolumesHost ............................................................................
AWS Batch JobQueue ComputeEnvironmentOrder ............................................................
Billing and Cost Management Budget BudgetData ............................................................
Billing and Cost Management Budget CostTypes ...............................................................
Billing and Cost Management Budget Notiﬁcation ............................................................
Billing and Cost Management Budget NotiﬁcationWithSubscribers ......................................
Billing and Cost Management Budget Spend ....................................................................
Billing and Cost Management Budget Subscriber ..............................................................
Billing and Cost Management Budget TimePeriod .............................................................
AWS Cloud9 EnvironmentEC2 Repository .........................................................................
ACM Certiﬁcate DomainValidationOption .........................................................................
AWS CloudFormation Stack Parameters ...........................................................................
AWS CloudFormation Interface Label ..............................................................................
AWS CloudFormation Interface ParameterGroup ...............................................................
AWS CloudFormation Interface ParameterLabel ................................................................
CloudFront CloudFrontOriginAccessIdentity CloudFrontOriginAccessIdentityConﬁg ................
CloudFront Distribution CacheBehavior ............................................................................
CloudFront Distribution Cookies .....................................................................................
CloudFront Distribution CustomErrorResponse ..................................................................
CloudFront Distribution CustomOriginConﬁg ....................................................................
CloudFront Distribution DefaultCacheBehavior ..................................................................
CloudFront Distribution DistributionConﬁg .......................................................................
CloudFront Distribution ForwardedValues ........................................................................
CloudFront Distribution GeoRestriction ............................................................................
CloudFront Distribution LambdaFunctionAssociation .........................................................
CloudFront Distribution Logging .....................................................................................
CloudFront Distribution Origin ........................................................................................
CloudFront Distribution OriginCustomHeader ...................................................................
CloudFront Distribution Restrictions ................................................................................
CloudFront Distribution S3Origin ....................................................................................
CloudFront Distribution ViewerCertiﬁcate ........................................................................
CloudFront StreamingDistribution Logging .......................................................................
CloudFront StreamingDistribution S3Origin ......................................................................
CloudFront StreamingDistribution StreamingDistributionConﬁg ..........................................
API Version 2010-05-15
xiii

1640
1641
1642
1644
1645
1646
1647
1648
1649
1650
1652
1652
1653
1655
1656
1658
1660
1664
1664
1665
1666
1667
1668
1668
1669
1670
1672
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1685
1686
1689
1690
1691
1692
1695
1699
1700
1701
1702
1703
1705
1705
1706
1707
1708
1709
1710

AWS CloudFormation User Guide

CloudFront StreamingDistribution Tag .............................................................................
CloudFront StreamingDistribution TrustedSigners .............................................................
CloudTrail Trail EventSelector .........................................................................................
CloudTrail Trail DataResource .........................................................................................
CloudWatch Metric Dimension ........................................................................................
CloudWatch Events Rule EcsParameters ...........................................................................
CloudWatch Events Rule InputTransformer .......................................................................
CloudWatch Events Rule KinesisParameters ......................................................................
CloudWatch Events Rule RunCommandParameters ............................................................
CloudWatch Events Rule RunCommandTarget ..................................................................
CloudWatch Events Rule Target ......................................................................................
CloudWatch Logs MetricFilter MetricTransformation Property .............................................
AWS CodeBuild Project Artifacts .....................................................................................
AWS CodeBuild Project Environment ...............................................................................
AWS CodeBuild Project EnvironmentVariable ....................................................................
AWS CodeBuild Project ProjectCache ...............................................................................
AWS CodeBuild Project Source .......................................................................................
AWS CodeBuild Project SourceAuth .................................................................................
AWS CodeBuild Project ProjectTriggers ............................................................................
AWS CodeBuild Project VpcConﬁg ...................................................................................
AWS CodeCommit Repository Trigger ..............................................................................
AWS CodeDeploy DeploymentConﬁg MinimumHealthyHosts ..............................................
AWS CodeDeploy DeploymentGroup Alarm ......................................................................
AWS CodeDeploy DeploymentGroup AlarmConﬁguration ...................................................
AWS CodeDeploy DeploymentGroup AutoRollbackConﬁguration .........................................
AWS CodeDeploy DeploymentGroup Deployment .............................................................
AWS CodeDeploy DeploymentGroup DeploymentStyle ......................................................
AWS CodeDeploy DeploymentGroup ELBInfo ....................................................................
AWS CodeDeploy DeploymentGroup LoadBalancerInfo ......................................................
AWS CodeDeploy DeploymentGroup TargetGroupInfo .......................................................
AWS CodeDeploy DeploymentGroup Deployment Revision .................................................
AWS CodeDeploy DeploymentGroup Deployment Revision GitHubLocation ...........................
AWS CodeDeploy DeploymentGroup Deployment Revision S3Location .................................
AWS CodeDeploy DeploymentGroup Ec2TagFilters ............................................................
AWS CodeDeploy DeploymentGroup OnPremisesInstanceTagFilters .....................................
AWS CodeDeploy DeploymentGroup TriggerConﬁg ...........................................................
AWS CodePipeline CustomActionType ArtifactDetails ........................................................
AWS CodePipeline CustomActionType ConﬁgurationProperties ...........................................
AWS CodePipeline CustomActionType Settings .................................................................
AWS CodePipeline Pipeline ArtifactStore .........................................................................
AWS CodePipeline Pipeline ArtifactStore EncryptionKey .....................................................
AWS CodePipeline Pipeline DisableInboundStageTransitions ...............................................
AWS CodePipeline Pipeline Stages ..................................................................................
AWS CodePipeline Pipeline Stages Actions .......................................................................
AWS CodePipeline Pipeline Stages Actions ActionTypeId ....................................................
AWS CodePipeline Pipeline Stages Actions InputArtifacts ...................................................
AWS CodePipeline Pipeline Stages Actions OutputArtifacts ................................................
AWS CodePipeline Pipeline Stages Blockers ......................................................................
AWS CodePipeline Webhook WebhookAuthConﬁguration ...................................................
AWS CodePipeline Webhook WebhookFilterRule ...............................................................
Amazon Cognito IdentityPool CognitoStreams ..................................................................
Amazon Cognito IdentityPool PushSync ...........................................................................
Amazon Cognito IdentityPoolRoleAttachment RoleMapping ...............................................
Amazon Cognito IdentityPoolRoleAttachment MappingRule ...............................................
Amazon Cognito IdentityPool CognitoIdentityProvider .......................................................
Amazon Cognito IdentityPoolRoleAttachment RoleMapping RulesConﬁguration ....................
Amazon Cognito UserPool AdminCreateUserConﬁg ...........................................................
API Version 2010-05-15
xiv

1712
1713
1714
1715
1716
1718
1719
1720
1720
1721
1722
1727
1728
1730
1731
1732
1733
1735
1736
1737
1738
1739
1740
1740
1741
1742
1743
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1754
1756
1757
1758
1759
1759
1760
1762
1763
1763
1764
1765
1765
1766
1767
1768
1769
1770
1771
1772

AWS CloudFormation User Guide

Amazon Cognito UserPool DeviceConﬁguration ................................................................
Amazon Cognito UserPool EmailConﬁguration ..................................................................
Amazon Cognito UserPool InviteMessageTemplate ............................................................
Amazon Cognito UserPool LambdaConﬁg ........................................................................
Amazon Cognito UserPool NumberAttributeConstraints .....................................................
Amazon Cognito UserPool PasswordPolicy .......................................................................
Amazon Cognito UserPool Policies ..................................................................................
Amazon Cognito UserPool SchemaAttribute .....................................................................
Amazon Cognito UserPool SmsConﬁguration ...................................................................
Amazon Cognito UserPool StringAttributeConstraints ........................................................
Amazon Cognito UserPoolUser AttributeType ...................................................................
Amazon Cognito UserPool InviteMessageTemplate ............................................................
AWS Conﬁg ConﬁgRule Scope ........................................................................................
AWS Conﬁg ConﬁgRule Source .......................................................................................
AWS Conﬁg ConﬁgRule SourceDetails .............................................................................
AWS Conﬁg ConﬁgurationAggregator AccountAggregationSource .......................................
AWS Conﬁg ConﬁgurationAggregator OrganizationAggregationSource .................................
AWS Conﬁg ConﬁgurationRecorder RecordingGroup ..........................................................
AWS Conﬁg DeliveryChannel ConﬁgSnapshotDeliveryProperties .........................................
AWS Data Pipeline Pipeline ParameterObjects ..................................................................
AWS Data Pipeline Parameter Objects Attributes ..............................................................
AWS Data Pipeline Pipeline ParameterValues ...................................................................
AWS Data Pipeline PipelineObject ...................................................................................
AWS Data Pipeline Pipeline Field ....................................................................................
AWS Data Pipeline Pipeline PipelineTags .........................................................................
AWS DMS Endpoint DynamoDBSettings ...........................................................................
AWS DMS Endpoint MongoDbSettings .............................................................................
AWS DMS Endpoint S3Settings .......................................................................................
AWS Directory Service MicrosoftAD VpcSettings ...............................................................
AWS Directory Service SimpleAD VpcSettings ...................................................................
DAX Cluster SSESpeciﬁcation .........................................................................................
DynamoDB Table AttributeDeﬁnition ...............................................................................
DynamoDB Table GlobalSecondaryIndex ..........................................................................
DynamoDB Table KeySchema .........................................................................................
DynamoDB Table LocalSecondaryIndex ............................................................................
DynamoDB Table PointInTimeRecoverySpeciﬁcation ..........................................................
DynamoDB Table Projection ...........................................................................................
DynamoDB Table ProvisionedThroughput ........................................................................
DynamoDB SSESpeciﬁcation ...........................................................................................
DynamoDB Table StreamSpeciﬁcation .............................................................................
DynamoDB Table TimeToLiveSpeciﬁcation .......................................................................
Amazon EC2 Block Device Mapping Property ....................................................................
Amazon Elastic Block Store Block Device Property ............................................................
Amazon EC2 Instance CreditSpeciﬁcation .........................................................................
Amazon EC2 Instance ElasticGpuSpeciﬁcation ...................................................................
Amazon EC2 Instance LaunchTemplateSpeciﬁcation ..........................................................
Amazon EC2 Instance SsmAssociations AssociationParameters ............................................
Amazon EC2 Instance SsmAssociations ............................................................................
Amazon EC2 LaunchTemplate BlockDeviceMapping ...........................................................
Amazon EC2 LaunchTemplate CreditSpeciﬁcation .............................................................
Amazon EC2 LaunchTemplate Ebs ...................................................................................
Amazon EC2 LaunchTemplate ElasticGpuSpeciﬁcation .......................................................
Amazon EC2 LaunchTemplate IamInstanceProﬁle ..............................................................
Amazon EC2 LaunchTemplate InstanceMarketOptions .......................................................
Amazon EC2 LaunchTemplate Ipv6Add ............................................................................
Amazon EC2 LaunchTemplate LaunchTemplateData ..........................................................
Amazon EC2 LaunchTemplate Monitoring ........................................................................
API Version 2010-05-15
xv

1773
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1791
1792
1794
1795
1796
1797
1799
1800
1801
1802
1802
1803
1804
1805
1806
1807
1808
1809
1809
1810
1811
1813
1814
1815
1816
1817
1818
1818
1820
1820
1822
1823
1824
1825
1826
1830

AWS CloudFormation User Guide

Amazon EC2 LaunchTemplate NetworkInterface ...............................................................
Amazon EC2 LaunchTemplate Placement .........................................................................
Amazon EC2 LaunchTemplate PrivateIpAdd ......................................................................
Amazon EC2 LaunchTemplate SpotOptions ......................................................................
Amazon EC2 LaunchTemplate TagSpeciﬁcation .................................................................
EC2 MountPoint ...........................................................................................................
EC2 Network Interface ..................................................................................................
EC2 NetworkAclEntry Icmp ............................................................................................
EC2 NetworkAclEntry PortRange .....................................................................................
EC2 NetworkInterface Ipv6Addresses ...............................................................................
EC2 Network Interface Private IP Speciﬁcation .................................................................
EC2 Security Group Rule ................................................................................................
Amazon EC2 SpotFleet SpotFleetRequestConﬁgData .........................................................
Amazon EC2 SpotFleet LaunchSpeciﬁcations ....................................................................
Amazon EC2 SpotFleet BlockDeviceMappings ...................................................................
Amazon EC2 SpotFleet Ebs ............................................................................................
Amazon EC2 SpotFleet FleetLaunchTemplateSpeciﬁcation ..................................................
Amazon EC2 SpotFleet IamInstanceProﬁle .......................................................................
Amazon EC2 SpotFleet LaunchTemplateConﬁg .................................................................
Amazon EC2 SpotFleet LaunchTemplateOverrides .............................................................
Amazon EC2 SpotFleet Monitoring ..................................................................................
Amazon EC2 SpotFleet NetworkInterfaces ........................................................................
Amazon EC2 SpotFleet PrivateIpAddresses .......................................................................
Amazon EC2 SpotFleet Placement ..................................................................................
Amazon EC2 SpotFleet SecurityGroups ............................................................................
Amazon EC2 SpotFleet SpotFleetTagSpeciﬁcation .............................................................
EC2 VPNConnection VpnTunnelOptionsSpeciﬁcation .........................................................
Amazon ECS Service AwsVpcConﬁguration .......................................................................
Amazon ECR Repository LifecyclePolicy ...........................................................................
Amazon ECS Service DeploymentConﬁguration ................................................................
Amazon ECS Service NetworkConﬁguration ......................................................................
Amazon ECS Service PlacementConstraint ........................................................................
Amazon ECS Service PlacementStrategies ........................................................................
Amazon ECS Service LoadBalancers .................................................................................
Amazon ECS Service ServiceRegistry ...............................................................................
Amazon ECS TaskDeﬁnition HealthCheck .........................................................................
Amazon ECS TaskDeﬁnition ContainerDeﬁnition ...............................................................
Amazon ECS TaskDeﬁnition Device ..................................................................................
Amazon ECS TaskDeﬁnition HostEntry .............................................................................
Amazon ECS TaskDeﬁnition KernelCapabilities ..................................................................
Amazon ECS TaskDeﬁnition KeyValuePair .........................................................................
Amazon ECS TaskDeﬁnition LinuxParameters ....................................................................
Amazon ECS TaskDeﬁnition LogConﬁguration ..................................................................
Amazon ECS TaskDeﬁnition MountPoint ..........................................................................
Amazon ECS TaskDeﬁnition ContainerDeﬁnitions PortMapping ...........................................
Amazon ECS TaskDeﬁnition Ulimit ..................................................................................
Amazon ECS TaskDeﬁnition VolumeFrom .........................................................................
Amazon ECS Service PlacementConstraint ........................................................................
Amazon ECS TaskDeﬁnition Volumes ...............................................................................
Amazon ECS TaskDeﬁnition Volumes Host .......................................................................
Amazon Elastic File System FileSystem FileSystemTags ......................................................
EKS Cluster ResourcesVpcConﬁg .....................................................................................
Elastic Beanstalk Application ApplicationResourceLifecycleConﬁg ........................................
Elastic Beanstalk Application ApplicationVersionLifecycleConﬁg ..........................................
Elastic Beanstalk Application MaxAgeRule ........................................................................
Elastic Beanstalk Application MaxCountRule .....................................................................
Elastic Beanstalk ConﬁgurationTemplate ConﬁgurationOptionSetting ..................................
API Version 2010-05-15
xvi

1831
1834
1835
1836
1837
1838
1840
1842
1843
1844
1844
1845
1850
1853
1856
1857
1859
1860
1860
1861
1862
1863
1865
1866
1866
1867
1868
1869
1870
1871
1872
1872
1873
1874
1875
1876
1878
1883
1884
1885
1886
1887
1888
1889
1890
1891
1891
1892
1893
1894
1895
1895
1896
1897
1898
1899
1900

AWS CloudFormation User Guide

Elastic Beanstalk ConﬁgurationTemplate SourceConﬁguration ............................................
Elastic Beanstalk Environment Tier ..................................................................................
Elastic Beanstalk Environment OptionSetting ...................................................................
Elastic Beanstalk SourceBundle Property Type ..................................................................
ElastiCache ReplicationGroup NodeGroupConﬁguration .....................................................
Elastic Load Balancing AccessLoggingPolicy .....................................................................
AppCookieStickinessPolicy .............................................................................................
Elastic Load Balancing ConnectionDrainingPolicy ..............................................................
Elastic Load Balancing ConnectionSettings .......................................................................
ElasticLoadBalancing LoadBalancer HealthCheck ...............................................................
LBCookieStickinessPolicy ................................................................................................
ElasticLoadBalancing Listener .........................................................................................
ElasticLoadBalancing Policy ............................................................................................
Elastic Load Balancing Listener Certiﬁcate .......................................................................
Elastic Load Balancing ListenerCertiﬁcate Certiﬁcate .........................................................
Elastic Load Balancing Listener Action .............................................................................
Elastic Load Balancing ListenerRule Actions ......................................................................
Elastic Load Balancing ListenerRule Conditions .................................................................
Elastic Load Balancing LoadBalancer LoadBalancerAttributes ..............................................
Elastic Load Balancing LoadBalancer SubnetMapping ........................................................
Elastic Load Balancing TargetGroup Matcher ....................................................................
Elastic Load Balancing TargetGroup TargetDescription .......................................................
Elastic Load Balancing TargetGroup TargetGroupAttributes ................................................
Amazon ES Domain EBSOptions .....................................................................................
Amazon ES Domain ElasticsearchClusterConﬁg .................................................................
Amazon ES Domain EncryptionAtRestOptions ..................................................................
Amazon ES Domain SnapshotOptions .............................................................................
Amazon ES Domain VPCOptions .....................................................................................
Amazon EMR Cluster Application ....................................................................................
Amazon EMR Cluster AutoScalingPolicy ...........................................................................
Amazon EMR Cluster BootstrapActionConﬁg ....................................................................
Amazon EMR Cluster CloudWatchAlarmDeﬁnition .............................................................
Amazon EMR Cluster Conﬁgurations ...............................................................................
Amazon EMR Cluster InstanceFleetConﬁg ........................................................................
Amazon EMR Cluster InstanceFleetProvisioningSpeciﬁcations .............................................
Amazon EMR Cluster InstanceGroupConﬁg .......................................................................
Amazon EMR Cluster InstanceTypeConﬁg .........................................................................
Amazon EMR Cluster JobFlowInstancesConﬁg ..................................................................
Amazon EMR Cluster MetricDimension ............................................................................
Amazon EMR Cluster PlacementType ...............................................................................
Amazon EMR Cluster ScalingAction .................................................................................
Amazon EMR Cluster ScalingConstraints ..........................................................................
Amazon EMR Cluster ScalingRule ....................................................................................
Amazon EMR Cluster ScalingTrigger ................................................................................
Amazon EMR Cluster ScriptBootstrapActionConﬁg ............................................................
Amazon EMR Cluster SimpleScalingPolicyConﬁguration .....................................................
Amazon EMR Cluster SpotProvisioningSpeciﬁcation ...........................................................
Amazon EMR Cluster KerberosAttributes ..........................................................................
Amazon EMR EbsConﬁguration .......................................................................................
Amazon EMR EbsConﬁguration EbsBlockDeviceConﬁgs ......................................................
Amazon EMR EbsConﬁguration EbsBlockDeviceConﬁg VolumeSpeciﬁcation ..........................
Amazon EMR InstanceFleetConﬁg Conﬁguration ...............................................................
Amazon EMR InstanceFleetConﬁg EbsBlockDeviceConﬁg ....................................................
Amazon EMR InstanceFleetConﬁg EbsConﬁguration ..........................................................
Amazon EMR InstanceFleetConﬁg InstanceFleetProvisioningSpeciﬁcations ............................
Amazon EMR InstanceFleetConﬁg InstanceTypeConﬁg .......................................................
Amazon EMR InstanceFleetConﬁg SpotProvisioningSpeciﬁcation .........................................
API Version 2010-05-15
xvii

1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1914
1916
1917
1917
1918
1919
1919
1920
1921
1922
1922
1923
1924
1926
1927
1927
1928
1929
1930
1931
1933
1934
1935
1936
1938
1939
1943
1944
1944
1945
1946
1947
1947
1948
1949
1950
1952
1953
1954
1955
1956
1957
1957
1958
1960

AWS CloudFormation User Guide

Amazon EMR InstanceFleetConﬁg VolumeSpeciﬁcation ......................................................
Amazon EMR InstanceGroupConﬁg AutoScalingPolicy ........................................................
Amazon EMR InstanceGroupConﬁg CloudWatchAlarmDeﬁnition ..........................................
Amazon EMR InstanceGroupConﬁg MetricDimension .........................................................
Amazon EMR InstanceGroupConﬁg ScalingAction ..............................................................
Amazon EMR InstanceGroupConﬁg ScalingConstraints .......................................................
Amazon EMR InstanceGroupConﬁg ScalingRule ................................................................
Amazon EMR InstanceGroupConﬁg ScalingTrigger .............................................................
Amazon EMR InstanceGroupConﬁg SimpleScalingPolicyConﬁguration ..................................
Amazon EMR Step HadoopJarStepConﬁg .........................................................................
Amazon EMR Step KeyValue ..........................................................................................
GameLift Alias RoutingStrategy ......................................................................................
GameLift Build StorageLocation .....................................................................................
GameLift Fleet EC2InboundPermission ............................................................................
AWS Glue Classiﬁer GrokClassiﬁer ...................................................................................
AWS Glue Connection ConnectionInput ...........................................................................
AWS Glue Connection PhysicalConnectionRequirements .....................................................
AWS Glue Crawler JdbcTarget ........................................................................................
AWS Glue Crawler S3Target ...........................................................................................
AWS Glue Crawler Schedule ...........................................................................................
AWS Glue Crawler SchemaChangePolicy ..........................................................................
AWS Glue Crawler Targets .............................................................................................
AWS Glue Database DatabaseInput .................................................................................
AWS Glue Job ConnectionsList .......................................................................................
AWS Glue Job ExecutionProperty ....................................................................................
AWS Glue Job JobCommand ..........................................................................................
AWS Glue Partition Column ...........................................................................................
AWS Glue Partition Order ..............................................................................................
AWS Glue Partition PartitionInput ...................................................................................
AWS Glue Partition SerdeInfo .........................................................................................
AWS Glue Partition SkewedInfo ......................................................................................
AWS Glue Partition StorageDescriptor .............................................................................
AWS Glue Table Column ................................................................................................
AWS Glue Table Order ...................................................................................................
AWS Glue Table SerdeInfo .............................................................................................
AWS Glue Table SkewedInfo ..........................................................................................
AWS Glue Table StorageDescriptor ..................................................................................
AWS Glue Table TableInput ............................................................................................
AWS Glue Trigger Action ...............................................................................................
AWS Glue Trigger Condition ...........................................................................................
AWS Glue Trigger Predicate ...........................................................................................
GuardDuty Filter FindingCriteria .....................................................................................
GuardDuty Filter Condition ............................................................................................
IAM Policies .................................................................................................................
IAM User LoginProﬁle ....................................................................................................
AWS IoT TopicRule Action ..............................................................................................
AWS IoT TopicRule CloudwatchAlarmAction .....................................................................
AWS IoT TopicRule CloudwatchMetricAction .....................................................................
AWS IoT TopicRule DynamoDBAction ..............................................................................
AWS IoT TopicRule DynamoDBv2Action ...........................................................................
AWS IoT TopicRule ElasticsearchAction ............................................................................
AWS IoT TopicRule FirehoseAction ..................................................................................
AWS IoT TopicRule KinesisAction ....................................................................................
AWS IoT TopicRule LambdaAction ...................................................................................
AWS IoT TopicRule PutItemInput ....................................................................................
AWS IoT TopicRule RepublishAction ................................................................................
AWS IoT TopicRule S3Action ..........................................................................................
API Version 2010-05-15
xviii

1961
1962
1965
1967
1968
1969
1970
1971
1971
1972
1973
1974
1975
1976
1977
1978
1980
1981
1982
1982
1983
1984
1985
1986
1987
1987
1988
1989
1990
1991
1992
1993
1996
1997
1998
1999
2000
2003
2006
2007
2008
2009
2009
2011
2012
2012
2015
2016
2017
2019
2020
2021
2022
2022
2023
2024
2024

AWS CloudFormation User Guide

AWS IoT TopicRule SnsAction .........................................................................................
AWS IoT TopicRule SqsAction .........................................................................................
AWS IoT Thing AttributePayload .....................................................................................
AWS IoT TopicRule TopicRulePayload ..............................................................................
Kinesis StreamEncryption ...............................................................................................
Kinesis Data Analytics Application CSVMappingParameters .................................................
Kinesis Data Analytics Application Input ..........................................................................
Kinesis Data Analytics Application InputLambdaProcessor ..................................................
Kinesis Data Analytics Application InputParallelism ...........................................................
Kinesis Data Analytics Application InputProcessingConﬁguration .........................................
Kinesis Data Analytics Application InputSchema ................................................................
Kinesis Data Analytics Application JSONMappingParameters ..............................................
Kinesis Data Analytics Application KinesisFirehoseInput .....................................................
Kinesis Data Analytics Application KinesisStreamsInput ......................................................
Kinesis Data Analytics Application MappingParameters ......................................................
Kinesis Data Analytics Application RecordColumn ..............................................................
Kinesis Data Analytics Application RecordFormat ..............................................................
Kinesis Data Analytics ApplicationOutput DestinationSchema .............................................
Kinesis Data Analytics ApplicationOutput KinesisFirehoseOutput .........................................
Kinesis Data Analytics ApplicationOutput KinesisStreamsOutput .........................................
Kinesis Data Analytics ApplicationOutput LambdaOutput ...................................................
Kinesis Data Analytics ApplicationOutput Output ..............................................................
Kinesis Data Analytics ApplicationReferenceDataSource CSVMappingParameters ...................
Kinesis Data Analytics ApplicationReferenceDataSource JSONMappingParameters .................
Kinesis Data Analytics ApplicationReferenceDataSource MappingParameters .........................
Kinesis Data Analytics ApplicationReferenceDataSource RecordColumn ................................
Kinesis Data Analytics ApplicationReferenceDataSource RecordFormat .................................
Kinesis Data Analytics ApplicationReferenceDataSource ReferenceDataSource .......................
Kinesis Data Analytics ApplicationReferenceDataSource ReferenceSchema ............................
Kinesis Data Analytics ApplicationReferenceDataSource S3ReferenceDataSource ...................
Kinesis Data Firehose DeliveryStream BuﬀeringHints .........................................................
Kinesis Data Firehose DeliveryStream CloudWatchLoggingOptions ......................................
Kinesis Data Firehose DeliveryStream CopyCommand ........................................................
Kinesis Data Firehose DeliveryStream ElasticsearchBuﬀeringHints ........................................
Kinesis Data Firehose DeliveryStream ElasticsearchDestinationConﬁguration .........................
Kinesis Data Firehose DeliveryStream ElasticsearchRetryOptions .........................................
Kinesis Data Firehose DeliveryStream EncryptionConﬁguration ...........................................
Kinesis Data Firehose DeliveryStream ExtendedS3DestinationConﬁguration ..........................
Kinesis Data Firehose DeliveryStream KinesisStreamSourceConﬁguration ..............................
Kinesis Data Firehose DeliveryStream KMSEncryptionConﬁg ...............................................
Kinesis Data Firehose DeliveryStream ProcessingConﬁguration ............................................
Kinesis Data Firehose DeliveryStream Processor ................................................................
Kinesis Data Firehose DeliveryStream ProcessorParameter ..................................................
Kinesis Data Firehose DeliveryStream RedshiftDestinationConﬁguration ...............................
Kinesis Data Firehose DeliveryStream S3DestinationConﬁguration .......................................
Kinesis Data Firehose DeliveryStream SplunkDestinationConﬁguration .................................
Kinesis Data Firehose DeliveryStream SplunkRetryOptions .................................................
AWS Lambda Alias AliasRoutingConﬁguration ..................................................................
AWS Lambda Alias VersionWeight ...................................................................................
AWS Lambda Function DeadLetterConﬁg .........................................................................
AWS Lambda Function Environment ................................................................................
AWS Lambda Function Code ..........................................................................................
AWS Lambda Function TracingConﬁg ..............................................................................
AWS Lambda Function VpcConﬁg ...................................................................................
Name Type ..................................................................................................................
AWS OpsWorks App DataSource .....................................................................................
AWS OpsWorks App Environment ...................................................................................
API Version 2010-05-15
xix

2025
2026
2027
2028
2029
2030
2031
2033
2033
2034
2035
2036
2037
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2060
2061
2061
2064
2065
2065
2066
2067
2068
2070
2072
2074
2075
2076
2077
2077
2078
2084
2085
2085
2087
2088

AWS CloudFormation User Guide

AWS OpsWorks AutoScalingThresholds Type ....................................................................
AWS OpsWorks ChefConﬁguration Type ..........................................................................
AWS OpsWorks Layer LifeCycleConﬁguration ....................................................................
AWS OpsWorks Layer LifeCycleConﬁguration ShutdownEventConﬁguration ..........................
AWS OpsWorks LoadBasedAutoScaling Type ....................................................................
AWS OpsWorks Instance BlockDeviceMapping ..................................................................
AWS OpsWorks Instance BlockDeviceMapping EbsBlockDevice ............................................
AWS OpsWorks Recipes Type .........................................................................................
AWS OpsWorks Source Type ..........................................................................................
AWS OpsWorks SslConﬁguration Type .............................................................................
AWS OpsWorks Stack ElasticIp .......................................................................................
AWS OpsWorks Stack RdsDbInstance ...............................................................................
AWS OpsWorks StackConﬁgurationManager Type .............................................................
AWS OpsWorks TimeBasedAutoScaling Type ....................................................................
AWS OpsWorks VolumeConﬁguration Type ......................................................................
Amazon Redshift Parameter Type ...................................................................................
Amazon Redshift Cluster LoggingProperties .....................................................................
AWS CloudFormation Resource Tags ................................................................................
Amazon RDS OptionGroup OptionConﬁguration ...............................................................
Amazon RDS OptionGroup OptionSetting ........................................................................
RDS Security Group Rule ...............................................................................................
Route 53 AliasTarget Property ........................................................................................
Route 53 Record Set GeoLocation Property ......................................................................
Route 53 HealthCheck HealthCheckConﬁg .......................................................................
Route 53 HealthCheck AlarmIdentiﬁer .............................................................................
Route 53 HealthCheck HealthCheckTags ..........................................................................
Route 53 HostedZoneConﬁg Property .............................................................................
Amazon Route 53 HostedZoneTags .................................................................................
Route 53 QueryLoggingConﬁg ........................................................................................
Route 53 HostedZoneVPCs .............................................................................................
Amazon S3 Bucket AbortIncompleteMultipartUpload ........................................................
Amazon S3 Bucket AccelerateConﬁguration .....................................................................
Amazon S3 Bucket AccessControlTranslation ....................................................................
Amazon S3 Bucket AnalyticsConﬁguration .......................................................................
Amazon S3 Bucket BucketEncryption ..............................................................................
Amazon S3 Bucket CorsConﬁguration ..............................................................................
Amazon S3 Bucket CorsRule ...........................................................................................
Amazon S3 Bucket DataExport .......................................................................................
Amazon S3 Bucket Destination .......................................................................................
Amazon S3 EncryptionConﬁguration ...............................................................................
Amazon S3 Bucket FilterRule .........................................................................................
Amazon S3 Bucket InventoryConﬁguration ......................................................................
Amazon S3 Bucket LambdaConﬁguration .........................................................................
Amazon S3 Bucket LifecycleConﬁguration ........................................................................
Amazon S3 Bucket LoggingConﬁguration ........................................................................
Amazon S3 Bucket MetricsConﬁguration ..........................................................................
Amazon S3 Bucket NoncurrentVersionTransition ...............................................................
Amazon S3 Bucket NotiﬁcationConﬁguration ...................................................................
Amazon S3 Bucket NotiﬁcationFilter ...............................................................................
Amazon S3 Bucket QueueConﬁguration ...........................................................................
Amazon S3 Bucket ReplicationConﬁguration ....................................................................
Amazon S3 Bucket ReplicationDestination .......................................................................
Amazon S3 Bucket ReplicationRule .................................................................................
Amazon S3 Bucket Rule .................................................................................................
Amazon S3 Bucket S3KeyFilter .......................................................................................
Amazon S3 Bucket ServerSideEncryptionRule ...................................................................
Amazon S3 Bucket ServerSideEncryptionByDefault ...........................................................
API Version 2010-05-15
xx

2089
2090
2091
2092
2092
2093
2094
2096
2097
2099
2099
2100
2101
2102
2103
2104
2105
2106
2108
2110
2111
2112
2113
2114
2118
2118
2119
2120
2120
2121
2122
2122
2124
2124
2125
2126
2127
2128
2129
2130
2131
2131
2133
2135
2135
2136
2137
2138
2139
2140
2141
2141
2143
2144
2147
2148
2148

AWS CloudFormation User Guide

Amazon S3 Bucket SseKmsEncryptedObjects ....................................................................
Amazon S3 Bucket SourceSelectionCriteria .......................................................................
Amazon S3 Bucket StorageClassAnalysis ..........................................................................
Amazon S3 Bucket TagFilter ...........................................................................................
Amazon S3 Bucket TopicConﬁguration ............................................................................
Amazon S3 Bucket Transition .........................................................................................
Amazon S3 Bucket VersioningConﬁguration .....................................................................
Amazon S3 Website Conﬁguration Property .....................................................................
Amazon S3 Website Conﬁguration Redirect All Requests To Property ...................................
Amazon S3 Website Conﬁguration Routing Rules Property .................................................
Amazon S3 Website Conﬁguration Routing Rules Redirect Rule Property ..............................
Amazon S3 Website Conﬁguration Routing Rules Routing Rule Condition Property ................
Amazon SageMaker Endpoint Tag ...................................................................................
Amazon SageMaker EndpointConﬁg ProductionVariant ......................................................
Amazon SageMaker EndpointConﬁg Tag ..........................................................................
Amazon SageMaker NotebookInstance Tag ......................................................................
Amazon SageMaker NotebookInstanceLifecycleConﬁg NotebookInstanceLifecycleHook ..........
Amazon SageMaker Model ContainerDeﬁnition .................................................................
Amazon SageMaker Model Tag .......................................................................................
Amazon SageMaker Model VpcConﬁg ..............................................................................
AWS Service Catalog CloudFormationProduct ProvisioningArtifactProperties ........................
AWS Service Catalog CloudFormationProvisionedProduct ProvisioningParameter ...................
Amazon Route 53 ServiceDiscovery DnsConﬁg ..................................................................
Amazon Route 53 ServiceDiscovery DnsRecord .................................................................
Amazon Route 53 ServiceDiscovery HealthCheckConﬁg ......................................................
Route 53 ServiceDiscovery Service HealthCheckCustomConﬁg ............................................
Amazon SES ConﬁgurationSetEventDestination CloudWatchDestination ...............................
Amazon SES ConﬁgurationSetEventDestination DimensionConﬁguration ..............................
Amazon SES ConﬁgurationSetEventDestination EventDestination ........................................
Amazon SES ConﬁgurationSetEventDestination KinesisFirehoseDestination ..........................
Amazon SES ReceiptFilter Filter ......................................................................................
Amazon SES ReceiptFilter IpFilter ...................................................................................
Amazon SES ReceiptRule Action .....................................................................................
Amazon SES ReceiptRule AddHeaderAction ......................................................................
Amazon SES ReceiptRule BounceAction ...........................................................................
Amazon SES ReceiptRule LambdaAction ..........................................................................
Amazon SES ReceiptRule Rule ........................................................................................
Amazon SES ReceiptRule S3Action ..................................................................................
Amazon SES ReceiptRule SNSAction ................................................................................
Amazon SES ReceiptRule StopAction ...............................................................................
Amazon SES ReceiptRule WorkmailAction ........................................................................
Amazon SES Template Template ....................................................................................
Systems Manager Association InstanceAssociationOutputLocation .......................................
Systems Manager Association S3OutputLocation ..............................................................
Systems Manager Association Targets ..............................................................................
Systems Manager MaintenanceWindowTarget Targets .......................................................
Systems Manager MaintenanceWindowTask LoggingInfo ....................................................
Systems Manager MaintenanceWindowTask MaintenanceWindowAutomationParameters .......
Systems Manager MaintenanceWindowTask MaintenanceWindowLambdaParameters .............
Systems Manager MaintenanceWindowTask MaintenanceWindowRunCommandParameters ....
Systems Manager MaintenanceWindowTask MaintenanceWindowStepFunctionsParameters ....
Systems Manager MaintenanceWindowTask NotiﬁcationConﬁg ...........................................
Systems Manager MaintenanceWindowTask Target ............................................................
Systems Manager MaintenanceWindowTask TaskInvocationParameters ................................
Systems Manager PatchBaseline PatchFilterGroup .............................................................
Systems Manager PatchBaseline Rule ..............................................................................
Systems Manager PatchBaseline PatchFilter .....................................................................
API Version 2010-05-15
xxi

2149
2150
2150
2151
2152
2153
2154
2154
2156
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2177
2178
2179
2180
2182
2183
2185
2186
2188
2190
2192
2193
2194
2195
2196
2196
2197
2198
2199
2200
2201
2203
2204
2205
2206
2208
2208
2210

AWS CloudFormation User Guide

Systems Manager PatchBaseline RuleGroup ......................................................................
Amazon SNS Subscription ..............................................................................................
Amazon SQS RedrivePolicy ............................................................................................
AWS WAF ByteMatchSet ByteMatchTuples .......................................................................
AWS WAF ByteMatchSet ByteMatchTuples FieldToMatch ....................................................
AWS WAF IPSet IPSetDescriptors ....................................................................................
AWS WAF Rule Predicates ..............................................................................................
AWS WAF SizeConstraintSet SizeConstraint ......................................................................
AWS WAF SizeConstraintSet SizeConstraint FieldToMatch ..................................................
AWS WAF SqlInjectionMatchSet SqlInjectionMatchTuples ...................................................
AWS WAF SqlInjectionMatchSet SqlInjectionMatchTuples FieldToMatch ................................
AWS WAF XssMatchSet XssMatchTuple ............................................................................
AWS WAF XssMatchSet XssMatchTuple FieldToMatch .........................................................
AWS WAF WebACL Action ..............................................................................................
AWS WAF WebACL ActivatedRule ....................................................................................
AWS WAF Regional ByteMatchSet ByteMatchTuples ..........................................................
AWS WAF Regional ByteMatchSet ByteMatchTuples FieldToMatch .......................................
AWS WAF Regional IPSet IPSetDescriptors .......................................................................
AWS WAF Regional Rule Predicates .................................................................................
AWS WAF Regional SizeConstraintSet SizeConstraint .........................................................
AWS WAF Regional SizeConstraintSet SizeConstraint FieldToMatch ......................................
AWS WAF Regional SqlInjectionMatchSet SqlInjectionMatchTuples ......................................
AWS WAF Regional SqlInjectionMatchSet SqlInjectionMatchTuples FieldToMatch ...................
AWS WAF Regional XssMatchSet XssMatchTuple ...............................................................
AWS WAF Regional XssMatchSet XssMatchTuple FieldToMatch ............................................
AWS WAF Regional WebACL Action .................................................................................
AWS WAF Regional WebACL Rules ..................................................................................
Resource Speciﬁcation ...........................................................................................................
Speciﬁcation Format .....................................................................................................
Resource Attributes ...............................................................................................................
CreationPolicy ..............................................................................................................
DeletionPolicy ..............................................................................................................
DependsOn ..................................................................................................................
Metadata .....................................................................................................................
UpdatePolicy ................................................................................................................
Intrinsic Functions .................................................................................................................
Fn::Base64 ................................................................................................................
Fn::Cidr ....................................................................................................................
Condition Functions ......................................................................................................
Fn::FindInMap ..........................................................................................................
Fn::GetAtt ................................................................................................................
Fn::GetAZs ................................................................................................................
Fn::ImportValue .......................................................................................................
Fn::Join ....................................................................................................................
Fn::Select ................................................................................................................
Fn::Split ..................................................................................................................
Fn::Sub .....................................................................................................................
Ref .............................................................................................................................
Pseudo Parameters ...............................................................................................................
Example ......................................................................................................................
AWS::AccountId .............................................................................................................
AWS::NotiﬁcationARNs ...................................................................................................
AWS::NoValue ...............................................................................................................
AWS::Partition ..............................................................................................................
AWS::Region .................................................................................................................
AWS::StackId ................................................................................................................
AWS::StackName ...........................................................................................................
API Version 2010-05-15
xxii

2211
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2231
2232
2233
2234
2234
2236
2244
2245
2248
2250
2254
2255
2264
2265
2266
2268
2283
2285
2298
2300
2302
2304
2306
2308
2311
2322
2322
2322
2322
2323
2324
2324
2324
2324

AWS CloudFormation User Guide

AWS::URLSuﬃx ............................................................................................................. 2324
CloudFormation Helper Scripts ............................................................................................... 2324
Amazon Linux AMI Images ............................................................................................. 2325
Downloading Packages for Other Platforms ..................................................................... 2325
Permissions for helper scripts ......................................................................................... 2326
Using the Latest Version ................................................................................................ 2327
cfn-init ........................................................................................................................ 2328
cfn-signal ..................................................................................................................... 2331
cfn-get-metadata .......................................................................................................... 2335
cfn-hup ....................................................................................................................... 2337
Sample Templates ........................................................................................................................ 2342
Troubleshooting ............................................................................................................................ 2343
Troubleshooting Guide .......................................................................................................... 2343
Troubleshooting Errors .......................................................................................................... 2343
Delete Stack Fails ......................................................................................................... 2344
Dependency Error ......................................................................................................... 2344
Error Parsing Parameter When Passing a List .................................................................... 2345
Insuﬃcient IAM Permissions ........................................................................................... 2345
Invalid Value or Unsupported Resource Property .............................................................. 2345
Limit Exceeded ............................................................................................................. 2345
Nested Stacks are Stuck in UPDATE_COMPLETE_CLEANUP_IN_PROGRESS,
UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS, or
UPDATE_ROLLBACK_IN_PROGRESS ................................................................................. 2345
No Updates to Perform ................................................................................................. 2346
Resource Failed to Stabilize During a Create, Update, or Delete Stack Operation .................... 2346
Security Group Does Not Exist in VPC .............................................................................. 2346
Update Rollback Failed ................................................................................................. 2347
Wait Condition Didn't Receive the Required Number of Signals from an Amazon EC2 Instance .. 2348
Contacting Support ............................................................................................................... 2348
Release History ............................................................................................................................. 2349
Earlier Updates ..................................................................................................................... 2366
Supported AWS Services ........................................................................................................ 2436
Analytics ...................................................................................................................... 2437
Application Services ...................................................................................................... 2438
Compute ...................................................................................................................... 2438
Customer Engagement .................................................................................................. 2440
Database ..................................................................................................................... 2440
Developer Tools ............................................................................................................ 2442
Enterprise Applications .................................................................................................. 2442
Game Development ...................................................................................................... 2442
Internet of Things ......................................................................................................... 2443
Machine Learning ......................................................................................................... 2443
Management Tools ....................................................................................................... 2443
Mobile Services ............................................................................................................ 2445
Networking .................................................................................................................. 2445
Security and Identity ..................................................................................................... 2447
Storage and Content Delivery ........................................................................................ 2448
Additional Software and Services .................................................................................... 2449
Release History for Helper Scripts ........................................................................................... 2449
AWS Glossary ............................................................................................................................... 2451

API Version 2010-05-15
xxiii

AWS CloudFormation User Guide
Simplify Infrastructure Management

What is AWS CloudFormation?
AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources
so that you can spend less time managing those resources and more time focusing on your applications
that run in AWS. You create a template that describes all the AWS resources that you want (like Amazon
EC2 instances or Amazon RDS DB instances), and AWS CloudFormation takes care of provisioning and
conﬁguring those resources for you. You don't need to individually create and conﬁgure AWS resources
and ﬁgure out what's dependent on what; AWS CloudFormation handles all of that. The following
scenarios demonstrate how AWS CloudFormation can help.

Simplify Infrastructure Management
For a scalable web application that also includes a back-end database, you might use an Auto Scaling
group, an Elastic Load Balancing load balancer, and an Amazon Relational Database Service database
instance. Normally, you might use each individual service to provision these resources. And after you
create the resources, you would have to conﬁgure them to work together. All these tasks can add
complexity and time before you even get your application up and running.
Instead, you can create or modify an existing AWS CloudFormation template. A template describes all
of your resources and their properties. When you use that template to create an AWS CloudFormation
stack, AWS CloudFormation provisions the Auto Scaling group, load balancer, and database for you.
After the stack has been successfully created, your AWS resources are up and running. You can delete the
stack just as easily, which deletes all the resources in the stack. By using AWS CloudFormation, you easily
manage a collection of resources as a single unit.

Quickly Replicate Your Infrastructure
If your application requires additional availability, you might replicate it in multiple regions so that if
one region becomes unavailable, your users can still use your application in other regions. The challenge
in replicating your application is that it also requires you to replicate your resources. Not only do you
need to record all the resources that your application requires, but you must also provision and conﬁgure
those resources in each region.
When you use AWS CloudFormation, you can reuse your template to set up your resources consistently
and repeatedly. Just describe your resources once and then provision the same resources over and over in
multiple regions.

Easily Control and Track Changes to Your
Infrastructure
In some cases, you might have underlying resources that you want to upgrade incrementally. For
example, you might change to a higher performing instance type in your Auto Scaling launch
conﬁguration so that you can reduce the maximum number of instances in your Auto Scaling group. If
problems occur after you complete the update, you might need to roll back your infrastructure to the
original settings. To do this manually, you not only have to remember which resources were changed, you
also have to know what the original settings were.
API Version 2010-05-15
1

AWS CloudFormation User Guide
Related Information

When you provision your infrastructure with AWS CloudFormation, the AWS CloudFormation template
describes exactly what resources are provisioned and their settings. Because these templates are text
ﬁles, you simply track diﬀerences in your templates to track changes to your infrastructure, similar to
the way developers control revisions to source code. For example, you can use a version control system
with your templates so that you know exactly what changes were made, who made them, and when. If
at any point you need to reverse changes to your infrastructure, you can use a previous version of your
template.

Related Information
• For more information about AWS CloudFormation stacks and templates, see AWS CloudFormation
Concepts (p. 2).
• For an overview about how to use AWS CloudFormation, see How Does AWS CloudFormation
Work? (p. 5).
• For pricing information, see AWS CloudFormation Pricing.

AWS CloudFormation Concepts
When you use AWS CloudFormation, you work with templates and stacks. You create templates to
describe your AWS resources and their properties. Whenever you create a stack, AWS CloudFormation
provisions the resources that are described in your template.
Topics
• Templates (p. 2)
• Stacks (p. 4)
• Change Sets (p. 5)

Templates
An AWS CloudFormation template is a JSON or YAML formatted text ﬁle. You can save these ﬁles with
any extension, such as .json, .yaml, .template, or .txt. AWS CloudFormation uses these templates
as blueprints for building your AWS resources. For example, in a template, you can describe an Amazon
EC2 instance, such as the instance type, the AMI ID, block device mappings, and its Amazon EC2 key pair
name. Whenever you create a stack, you also specify a template that AWS CloudFormation uses to create
whatever you described in the template.
For example, if you created a stack with the following template, AWS CloudFormation provisions an
instance with an ami-2f726546 AMI ID, t1.micro instance type, testkey key pair name, and an
Amazon EBS volume.

Example JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "A sample template",
"Resources" : {
"MyEC2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : "ami-2f726546",
"InstanceType" : "t1.micro",
"KeyName" : "testkey",

API Version 2010-05-15
2

AWS CloudFormation User Guide
Templates

}

}

}

}

"BlockDeviceMappings" : [
{
"DeviceName" : "/dev/sdm",
"Ebs" : {
"VolumeType" : "io1",
"Iops" : "200",
"DeleteOnTermination" : "false",
"VolumeSize" : "20"
}
}
]

Example YAML
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
MyEC2Instance:
Type: "AWS::EC2::Instance"
Properties:
ImageId: "ami-2f726546"
InstanceType: t1.micro
KeyName: testkey
BlockDeviceMappings:
DeviceName: /dev/sdm
Ebs:
VolumeType: io1
Iops: 200
DeleteOnTermination: false
VolumeSize: 20

You can also specify multiple resources in a single template and conﬁgure these resources to work
together. For example, you can modify the previous template to include an Elastic IP (EIP) and associate
it with the Amazon EC2 instance, as shown in the following example:

Example JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "A sample template",
"Resources" : {
"MyEC2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : "ami-2f726546",
"InstanceType" : "t1.micro",
"KeyName" : "testkey",
"BlockDeviceMappings" : [
{
"DeviceName" : "/dev/sdm",
"Ebs" : {
"VolumeType" : "io1",
"Iops" : "200",
"DeleteOnTermination" : "false",
"VolumeSize" : "20"
}
}

API Version 2010-05-15
3

AWS CloudFormation User Guide
Stacks

}

}

}

]

},
"MyEIP" : {
"Type" : "AWS::EC2::EIP",
"Properties" : {
"InstanceId" : {"Ref": "MyEC2Instance"}
}
}

Example YAML
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
MyEC2Instance:
Type: "AWS::EC2::Instance"
Properties:
ImageId: "ami-2f726546"
InstanceType: t1.micro
KeyName: testkey
BlockDeviceMappings:
DeviceName: /dev/sdm
Ebs:
VolumeType: io1
Iops: 200
DeleteOnTermination: false
VolumeSize: 20
MyEIP:
Type: AWS::EC2::EIP
Properties:
InstanceId: !Ref MyEC2Instance

The previous templates are centered around a single Amazon EC2 instance; however, AWS
CloudFormation templates have additional capabilities that you can use to build complex sets of
resources and reuse those templates in multiple contexts. For example, you can add input parameters
whose values are speciﬁed when you create an AWS CloudFormation stack. In other words, you can
specify a value like the instance type when you create a stack instead of when you create the template,
making the template easier to reuse in diﬀerent situations.
For more information about template creation and capabilities, see Template Anatomy (p. 163).
For more information about declaring speciﬁc resources, see AWS Resource Types Reference (p. 499).
To start designing your own templates with AWS CloudFormation Designer, go to https://
console.aws.amazon.com/cloudformation/designer.

Stacks
When you use AWS CloudFormation, you manage related resources as a single unit called a stack. You
create, update, and delete a collection of resources by creating, updating, and deleting stacks. All the
resources in a stack are deﬁned by the stack's AWS CloudFormation template. Suppose you created a
template that includes an Auto Scaling group, Elastic Load Balancing load balancer, and an Amazon
Relational Database Service (Amazon RDS) database instance. To create those resources, you create
a stack by submitting the template that you created, and AWS CloudFormation provisions all those
resources for you. You can work with stacks by using the AWS CloudFormation console, API, or AWS CLI.
API Version 2010-05-15
4

AWS CloudFormation User Guide
Change Sets

For more information about creating, updating, or deleting stacks, see Working with Stacks (p. 90).

Change Sets
If you need to make changes to the running resources in a stack, you update the stack. Before making
changes to your resources, you can generate a change set, which is summary of your proposed changes.
Change sets allow you to see how your changes might impact your running resources, especially for
critical resources, before implementing them.
For example, if you change the name of an Amazon RDS database instance, AWS CloudFormation
will create a new database and delete the old one. You will lose the data in the old database unless
you've already backed it up. If you generate a change set, you will see that your change will cause your
database to be replaced, and you will be able to plan accordingly before you update your stack. For more
information, see Updating Stacks Using Change Sets (p. 122).

How Does AWS CloudFormation Work?
When you create a stack, AWS CloudFormation makes underlying service calls to AWS to provision
and conﬁgure your resources. Note that AWS CloudFormation can perform only actions that you
have permission to do. For example, to create EC2 instances by using AWS CloudFormation, you need
permissions to create instances. You'll need similar permissions to terminate instances when you delete
stacks with instances. You use AWS Identity and Access Management (IAM) to manage permissions.
The calls that AWS CloudFormation makes are all declared by your template. For example, suppose
you have a template that describes an EC2 instance with a t1.micro instance type. When you use that
template to create a stack, AWS CloudFormation calls the Amazon EC2 create instance API and speciﬁes
the instance type as t1.micro. The following diagram summarizes the AWS CloudFormation workﬂow
for creating stacks.

API Version 2010-05-15
5

AWS CloudFormation User Guide
How Does AWS CloudFormation Work?

1. You can design an AWS CloudFormation template (a JSON or YAML-formatted document) in AWS
CloudFormation Designer or write one in a text editor. You can also choose to use a provided
template. The template describes the resources you want and their settings. For example, suppose you
want to create an EC2 instance. Your template can declare an EC2 instance and describe its properties,
as shown in the following example:

Example JSON Syntax
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "A simple EC2 instance",
"Resources" : {
"MyEC2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : "ami-2f726546",
"InstanceType" : "t1.micro"
}
}
}

Example YAML Syntax
AWSTemplateFormatVersion: '2010-09-09'
Description: A simple EC2 instance
Resources:
MyEC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-2f726546
InstanceType: t1.micro

2. Save the template locally or in an S3 bucket. If you created a template, save it with any ﬁle extension
like .json, .yaml, or .txt.
3. Create an AWS CloudFormation stack by specifying the location of your template ﬁle , such as a path
on your local computer or an Amazon S3 URL. If the template contains parameters, you can specify
input values when you create the stack. Parameters enable you to pass in values to your template so
that you can customize your resources each time you create a stack.
You can create stacks by using the AWS CloudFormation console (p. 92), API, or AWS CLI.

Note

If you specify a template ﬁle stored locally, AWS CloudFormation uploads it to an S3 bucket
in your AWS account. AWS CloudFormation creates a bucket for each region in which
you upload a template ﬁle. The buckets are accessible to anyone with Amazon Simple
Storage Service (Amazon S3) permissions in your AWS account. If a bucket created by AWS
CloudFormation is already present, the template is added to that bucket.
You can use your own bucket and manage its permissions by manually uploading templates
to Amazon S3. Then whenever you create or update a stack, specify the Amazon S3 URL of a
template ﬁle.
AWS CloudFormation provisions and conﬁgures resources by making calls to the AWS services that are
described in your template.
After all the resources have been created, AWS CloudFormation reports that your stack has been created.
You can then start using the resources in your stack. If stack creation fails, AWS CloudFormation rolls
back your changes by deleting the resources that it created.
API Version 2010-05-15
6

AWS CloudFormation User Guide
Updating a Stack with Change Sets

Updating a Stack with Change Sets
When you need to update your stack's resources, you can modify the stack's template. You don't need
to create a new stack and delete the old one. To update a stack, create a change set by submitting
a modiﬁed version of the original stack template, diﬀerent input parameter values, or both. AWS
CloudFormation compares the modiﬁed template with the original template and generates a change
set. The change set lists the proposed changes. After reviewing the changes, you can execute the change
set to update your stack or you can create a new change set. The following diagram summarizes the
workﬂow for updating a stack.

Important

Updates can cause interruptions. Depending on the resource and properties that you are
updating, an update might interrupt or even replace an existing resource. For more information,
see AWS CloudFormation Stacks Updates (p. 118).
1. You can modify an AWS CloudFormation stack template by using AWS CloudFormation Designer or
a text editor. For example, if you want to change the instance type for an EC2 instance, you would
change the value of the InstanceType property in the original stack's template.
For more information, see Modifying a Stack Template (p. 119).
2. Save the AWS CloudFormation template locally or in an S3 bucket.
3. Create a change set by specifying the stack that you want to update and the location of the modiﬁed
template, such as a path on your local computer or an Amazon S3 URL. If the template contains
parameters, you can specify values when you create the change set.
For more information about creating change sets, see Updating Stacks Using Change Sets (p. 122).

Note

If you specify a template that is stored on your local computer, AWS CloudFormation
automatically uploads your template to an S3 bucket in your AWS account.
4. View the change set to check that AWS CloudFormation will perform the changes that you expect. For
example, check whether AWS CloudFormation will replace any critical stack resources. You can create
as many change sets as you need until you have included the changes that you want.

Important

Change sets don't indicate whether your stack update will be successful. For example,
a change set doesn't check if you will surpass an account limit (p. 21), if you're
updating a resource (p. 499) that doesn't support updates, or if you have insuﬃcient
permissions (p. 9) to modify a resource, all of which can cause a stack update to fail.
5. Execute the change set that you want to apply to your stack. AWS CloudFormation updates your stack
by updating only the resources that you modiﬁed and signals that your stack has been successfully
updated. If the stack updates fails, AWS CloudFormation rolls back changes to restore the stack to the
last known working state.

API Version 2010-05-15
7

AWS CloudFormation User Guide
Deleting a Stack

Deleting a Stack
When you delete a stack, you specify the stack to delete, and AWS CloudFormation deletes the stack and
all the resources in that stack. You can delete stacks by using the AWS CloudFormation console (p. 105),
API, or AWS CLI.
If you want to delete a stack but want to retain some resources in that stack, you can use a deletion
policy (p. 2248) to retain those resources.
After all the resources have been deleted, AWS CloudFormation signals that your stack has been
successfully deleted. If AWS CloudFormation cannot delete a resource, the stack will not be deleted. Any
resources that haven't been deleted will remain until you can successfully delete the stack.

Additional Resources
• For more information about creating AWS CloudFormation templates, see Template
Anatomy (p. 163).
• For more information about creating, updating, or deleting stacks, see Working with Stacks (p. 90).

API Version 2010-05-15
8

AWS CloudFormation User Guide
Signing Up for an AWS Account and Pricing

Setting Up
Before you start using AWS CloudFormation, you might need to know what IAM permissions you need,
how to start logging AWS CloudFormation API calls, or what endpoints to use. The following topics
provide this information so that you can start using AWS CloudFormation.
Topics
• Signing Up for an AWS Account and Pricing (p. 9)
• Controlling Access with AWS Identity and Access Management (p. 9)
• Logging AWS CloudFormation API Calls with AWS CloudTrail (p. 17)
• AWS CloudFormation Limits (p. 21)
• AWS CloudFormation Endpoints (p. 23)
• AWS CloudFormation and VPC Endpoints (p. 24)

Signing Up for an AWS Account and Pricing
Before you can use AWS CloudFormation or any Amazon Web Services, you must ﬁrst sign up for an AWS
account.

To sign up for an AWS account
1.

Open https://aws.amazon.com/, and then choose Create an AWS Account.

Note

2.

This might be unavailable in your browser if you previously signed into the AWS
Management Console. In that case, choose Sign in to a diﬀerent account, and then choose
Create a new AWS account.
Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a PIN using the phone
keypad.

After signing up for an AWS account, you can use AWS CloudFormation through the AWS Management
Console, AWS CloudFormation API, or AWS CLI.

Pricing
AWS CloudFormation is a free service; however, you are charged for the AWS resources you include in
your stacks at the current rates for each. For more information about AWS pricing, go to the detail page
for each product on http://aws.amazon.com.

Controlling Access with AWS Identity and Access
Management
With AWS Identity and Access Management (IAM), you can create IAM users to control who has access
to which resources in your AWS account. You can use IAM with AWS CloudFormation to control what
users can do with AWS CloudFormation, such as whether they can view stack templates, create stacks, or
delete stacks.
API Version 2010-05-15
9

AWS CloudFormation User Guide
AWS CloudFormation Actions

In addition to AWS CloudFormation actions, you can manage what AWS services and resources are
available to each user. That way, you can control which resources users can access when they use
AWS CloudFormation. For example, you can specify which users can create Amazon EC2 instances,
terminate database instances, or update VPCs. Those same permissions are applied anytime they use
AWS CloudFormation to do those actions.
For more information about all the services that you can control access to, see AWS Services that
Support IAM in IAM User Guide.
Topics
• AWS CloudFormation Actions (p. 10)
• AWS CloudFormation Resources (p. 11)
• AWS CloudFormation Conditions (p. 12)
• Acknowledging IAM Resources in AWS CloudFormation Templates (p. 15)
• Manage Credentials for Applications Running on Amazon EC2 Instances (p. 16)
• Grant Temporary Access (Federated Access) (p. 16)
• AWS CloudFormation Service Role (p. 17)

AWS CloudFormation Actions
When you create a group or an IAM user in your AWS account, you can associate an IAM policy with that
group or user, which speciﬁes the permissions that you want to grant. For example, imagine you have
a group of entry-level developers. You can create a Junior application developers group that
includes all entry-level developers. Then, you associate a policy with that group that allows users to only
view AWS CloudFormation stacks. In this scenario, you might have a policy such as the following sample:

Example A sample policy that grants view stack permissions
{

}

"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":[
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources"
],
"Resource":"*"
}]

The policy grants permissions to all DescribeStack API actions listed in the Action element.

Note

If you don't specify a stack name or ID in your statement, you must also grant the permission to
use all resources for the action using the * wildcard for the Resource element.
In addition to AWS CloudFormation actions, IAM users who create or delete stacks require additional
permissions that depends on the stack templates. For example, if you have a template that describes
an Amazon SQS Queue, the user must have the corresponding permissions for Amazon SQS actions to
successfully create the stack, as shown in the following sample policy:

Example A sample policy that grants create and view stack actions and all Amazon SQS
actions
{

API Version 2010-05-15
10

AWS CloudFormation User Guide
AWS CloudFormation Resources

}

"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":[
"sqs:*",
"cloudformation:CreateStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResources",
"cloudformation:GetTemplate",
"cloudformation:ValidateTemplate"
],
"Resource":"*"
}]

For a list of all AWS CloudFormation actions that you can allow or deny, see the AWS CloudFormation API
Reference.

AWS CloudFormation Console-Speciﬁc Actions
IAM users who use the AWS CloudFormation console require additional permissions that are not required
for using the AWS Command Line Interface or AWS CloudFormation APIs. Compared to the CLI and API,
the console provides additional features that require additional permissions, such as template uploads to
Amazon S3 buckets and drop-down lists for AWS-speciﬁc parameter types (p. 171).
For all the following actions, grant permissions to all resources; don't limit actions to speciﬁc stacks or
buckets.
The following required action is used only by the AWS CloudFormation console and is not documented in
the API reference. The action allows users to upload templates to Amazon S3 buckets.
cloudformation:CreateUploadBucket

When users upload templates, they require the following Amazon S3 permissions:
s3:PutObject
s3:ListBucket
s3:GetObject
s3:CreateBucket

For templates with AWS-speciﬁc parameter types (p. 171), users need permissions
to make the corresponding describe API calls. For example, if a template includes the
AWS::EC2::KeyPair::KeyName parameter type, users need permission to call the EC2
DescribeKeyPairs action (this is how the console gets values for the parameter drop-down list). The
following examples are actions that users need for other parameter types:
ec2:DescribeSecurityGroups (for the AWS::EC2::SecurityGroup::Id parameter type)
ec2:DescribeSubnets (for the Subnet::Id parameter type)
ec2:DescribeVpcs (for the AWS::EC2::VPC::Id parameter type)

AWS CloudFormation Resources
AWS CloudFormation supports resource-level permissions, so you can specify actions for a speciﬁc stack,
as shown in the following policy:
API Version 2010-05-15
11

AWS CloudFormation User Guide
AWS CloudFormation Conditions

Example A sample policy that denies the delete and update stack actions for the
MyProductionStack
{

*"
}

"Version":"2012-10-17",
"Statement":[{
"Effect":"Deny",
"Action":[
"cloudformation:DeleteStack",
"cloudformation:UpdateStack"
],
"Resource":"arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/
}]

The policy above uses a wild card at the end of the stack name so that delete stack and update stack are
denied on the full stack ID (such as arn:aws:cloudformation:us-east-1:123456789012:stack/
MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c) and on the stack name (such as
MyProductionStack).
To allow AWS::Serverless transforms to create a change set, the policy should include the
arn:aws:cloudformation::aws:transform/Serverless-2016-10-31 resource-level
permission, as shown in the folllowing policy:

Example A sample policy that allows the create change set action for the transform
{

}

"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"cloudformation:CreateChangeSet"
],
"Resource": "arn:aws:cloudformation:us-west-2:aws:transform/Serverless-2016-10-31"
}]

AWS CloudFormation Conditions
In an IAM policy, you can optionally specify conditions that control when a policy is in eﬀect. For
example, you can deﬁne a policy that allows IAM users to create a stack only when they specify a certain
template URL. You can deﬁne AWS CloudFormation-speciﬁc conditions and AWS-wide conditions, such
as DateLessThan, which speciﬁes when a policy stops taking eﬀect. For more information and a list of
AWS-wide conditions, see Condition in IAM Policy Elements Reference in IAM User Guide.

Note

Do not use the aws:SourceIp AWS-wide condition. AWS CloudFormation provisions resources
by using its own IP address, not the IP address of the originating request. For example, when
you create a stack, AWS CloudFormation makes requests from its IP address to launch an EC2
instance or to create an S3 bucket, not from the IP address from the CreateStack call or the
aws cloudformation create-stack command.
The following list describes the AWS CloudFormation-speciﬁc conditions. These conditions are applied
only when users create or update stacks:
cloudformation:ChangeSetName
An AWS CloudFormation change set name that you want to associate with a policy. Use this
condition to control which change sets IAM users can execute or delete.
API Version 2010-05-15
12

AWS CloudFormation User Guide
AWS CloudFormation Conditions

cloudformation:ResourceTypes
The template resource types, such as AWS::EC2::Instance, that you want to associate with
a policy. Use this condition to control which resource types IAM users can work with when they
create or update a stack. This condition is checked against the resource types that users declare
in the ResourceTypes parameter, which is currently supported only for CLI and API requests.
When using this parameter, users must specify all the resource types that are in their template. For
more information about the ResourceTypes parameter, see the CreateStack action in the AWS
CloudFormation API Reference.
The following list describes how to deﬁne resource types. For a list of resource types, see AWS
Resource Types Reference (p. 499).
AWS::*
Specify all AWS resources.
AWS::service_name::*
Specify all resources for a speciﬁc AWS service.
AWS::service_name::resource_type
Specify a speciﬁc AWS resource type, such as AWS::EC2::Instance (all EC2 instances).
Custom::*
Specify all custom resources.
Custom::resource_type
Specify a speciﬁc custom resource type, which is deﬁned in the template.
cloudformation:RoleARN
The Amazon Resource Name (ARN) of an IAM service role that you want to associate with a policy.
Use this condition to control which service role IAM users can use when they work with stacks or
change sets.
cloudformation:StackPolicyUrl
An Amazon S3 stack policy URL that you want to associate with a policy. Use this condition to
control which stack policies IAM users can associate with a stack during a create or update stack
action. For more information about stack policies, see Prevent Updates to Stack Resources (p. 141).

Note

To ensure that IAM users can only create or update stacks with the stack policies that you
uploaded, set the S3 bucket to read only for those users.
cloudformation:TemplateUrl
An Amazon S3 template URL that you want to associate with a policy. Use this condition to control
which templates IAM users can use when they create or update stacks.

Note

To ensure that IAM users can only create or update stacks with the templates that you
uploaded, set the S3 bucket to read only for those users.

Examples
The following example policy allows users to use only the https://s3.amazonaws.com/
testbucket/test.template template URL to create or update a stack.
API Version 2010-05-15
13

AWS CloudFormation User Guide
AWS CloudFormation Conditions

Example Template URL Condition
{

"Version":"2012-10-17",
"Statement":[
{
"Effect" : "Allow",
"Action" : [ "cloudformation:CreateStack", "cloudformation:UpdateStack" ],
"Resource" : "*",
"Condition" : {
"ForAllValues:StringEquals" : {
"cloudformation:TemplateUrl" : [ "https://s3.amazonaws.com/testbucket/
test.template" ]
}
}
}
]
}

The following example policy allows users to create stacks but denies requests if the stack's template
include any resource from the IAM service. The policy also requires users to specify the ResourceTypes
parameter, which is available only for CLI and API requests. This policy uses explicit deny statements so
that if any other policy grants additional permissions, this policy always remain in eﬀect (an explicit deny
statement always overrides an explicit allow statement).

Example Resource Type Condition
{

}

"Version":"2012-10-17",
"Statement":[
{
"Effect" : "Allow",
"Action" : [ "cloudformation:CreateStack" ],
"Resource" : "*"
},
{
"Effect" : "Deny",
"Action" : [ "cloudformation:CreateStack" ],
"Resource" : "*",
"Condition" : {
"ForAnyValue:StringLikeIfExists" : {
"cloudformation:ResourceTypes" : [ "AWS::IAM::*" ]
}
}
},
{
"Effect": "Deny",
"Action" : [ "cloudformation:CreateStack" ],
"Resource": "*",
"Condition": {
"Null": {
"cloudformation:ResourceTypes": "true"
}
}
}
]

The following example policy is similar to the preceding example. The policy allows users to create a
stack unless the stack's template includes any resource from the IAM service. It also requires users to
specify the ResourceTypes parameter, which is available only for CLI and API requests. This policy is
API Version 2010-05-15
14

AWS CloudFormation User Guide
Acknowledging IAM Resources in
AWS CloudFormation Templates

simpler, but it doesn't use explicit deny statements. Other policies, granting additional permissions, could
override this policy.

Example Resource Type Condition
{

}

"Version":"2012-10-17",
"Statement":[
{
"Effect" : "Allow",
"Action" : [ "cloudformation:CreateStack" ],
"Resource" : "*",
"Condition" : {
"ForAllValues:StringNotLikeIfExists" : {
"cloudformation:ResourceTypes" : [ "AWS::IAM::*" ]
},
"Null":{
"cloudformation:ResourceTypes": "false"
}
}
}
]

Acknowledging IAM Resources in AWS
CloudFormation Templates
Before you can create a stack, AWS CloudFormation validates your template. During validation, AWS
CloudFormation checks your template for IAM resources that it might create. IAM resources, such as
an IAM user with full access, can access and modify any resource in your AWS account. Therefore, we
recommend that you review the permissions associated with each IAM resource before proceeding so
that you don't unintentionally create resources with escalated permissions. To ensure that you've done
so, you must acknowledge that the template contains those resources, giving AWS CloudFormation the
speciﬁed capabilities before it creates the stack.
You can acknowledge the capabilities of AWS CloudFormation templates by using the AWS
CloudFormation console, AWS Command Line Interface (CLI), or API:
• In the AWS CloudFormation console, on the Review page of the Create Stack or Update Stack wizards,
choose I acknowledge that this template may create IAM resources.
• In the CLI, when you use the aws cloudformation create-stack and aws cloudformation
update-stack commands, specify the CAPABILITY_IAM or CAPABILITY_NAMED_IAM value
for the --capabilities parameter. If your template includes IAM resources, you can specify
either capability. If your template includes custom names for IAM resources, you must specify
CAPABILITY_NAMED_IAM.
• In the API, when you use the CreateStack and UpdateStack
actions, specify Capabilities.member.1=CAPABILITY_IAM or
Capabilities.member.1=CAPABILITY_NAMED_IAM. If your template includes IAM resources, you
can specify either capability. If your template includes custom names for IAM resources, you must
specify CAPABILITY_NAMED_IAM.

Important

If your template contains custom named IAM resources, don't create multiple stacks reusing
the same template. IAM resources must be globally unique within your account. If you use the
same template to create multiple stacks in diﬀerent regions, your stacks might share the same
IAM resources, instead of each having a unique one. Shared resources among stacks can have
API Version 2010-05-15
15

AWS CloudFormation User Guide
Manage Credentials for Applications
Running on Amazon EC2 Instances

unintended consequences from which you can't recover. For example, if you delete or update
shared IAM resources in one stack, you will unintentionally modify the resources of other stacks.

Manage Credentials for Applications Running on
Amazon EC2 Instances
If you have an application that runs on an Amazon EC2 instance and needs to make requests to AWS
resources such as Amazon S3 buckets or an DynamoDB table, the application requires AWS security
credentials. However, distributing and embedding long-term security credentials in every instance that
you launch is a challenge and a potential security risk. Instead of using long-term credentials, like IAM
user credentials, we recommend that you create an IAM role that is associated with an Amazon EC2
instance when the instance is launched. An application can then get temporary security credentials from
the Amazon EC2 instance. You don't have to embed long-term credentials on the instance. Also, to make
managing credentials easier, you can specify just a single role for multiple Amazon EC2 instances; you
don't have to create unique credentials for each instance.
For a template snippet that shows how to launch an instance with a role, see IAM Role Template
Examples (p. 396).

Note

Applications on instances that use temporary security credentials can call any AWS
CloudFormation actions. However, because AWS CloudFormation interacts with many other AWS
services, you must verify that all the services that you want to use support temporary security
credentials. For more information, see AWS Services that Support AWS STS.

Grant Temporary Access (Federated Access)
In some cases, you might want to grant users with no AWS credentials temporary access to your AWS
account. Instead of creating and deleting long-term credentials whenever you want to grant temporary
access, use AWS Security Token Service (AWS STS). For example, you can use IAM roles. From one IAM
role, you can programmatically create and then distribute many temporary security credentials (which
include an access key, secret access key, and security token). These credentials have a limited life, so they
cannot be used to access your AWS account after they expire. You can also create multiple IAM roles
in order to grant individual users diﬀerent levels of permissions. IAM roles are useful for scenarios like
federated identities and single sign-on.
A federated identity is a distinct identity that you can use across multiple systems. For enterprise users
with an established on-premises identity system (such as LDAP or Active Directory), you can handle
all authentication with your on-premises identity system. After a user has been authenticated, you
provide temporary security credentials from the appropriate IAM user or role. For example, you can
create an administrators role and a developers role, where administrators have full access to
the AWS account and developers have permissions to work only with AWS CloudFormation stacks.
After an administrator is authenticated, the administrator is authorized to obtain temporary security
credentials from the administrators role. However, for developers, they can obtain temporary
security credentials from only the developers role.
You can also grant federated users access to the AWS Management Console. After users authenticate
with your on-premises identity system, you can programmatically construct a temporary URL that gives
direct access to the AWS Management Console. When users use the temporary URL, they won't need to
sign in to AWS because they have already been authenticated (single sign-on). Also, because the URL is
constructed from the users' temporary security credentials, the permissions that are available with those
credentials determine what permissions users have in the AWS Management Console.
You can use several diﬀerent AWS STS APIs to generate temporary security credentials. For more
information about which API to use, see Ways to Get Temporary Security Credentials in Using Temporary
Security Credentials.
API Version 2010-05-15
16

AWS CloudFormation User Guide
AWS CloudFormation Service Role

Important

You cannot work with IAM when you use temporary security credentials that were generated
from the GetFederationToken API. Instead, if you need to work with IAM, use temporary
security credentials from a role.
AWS CloudFormation interacts with many other AWS services. When you use temporary security
credentials with AWS CloudFormation, verify that all the services that you want to use support
temporary security credentials. For more information, see AWS Services that Support AWS STS.
For more information, see the following related resources in Using Temporary Security Credentials:
• Scenarios for Granting Temporary Access
• Giving Federated Users Direct Access to the AWS Management Console

AWS CloudFormation Service Role
A service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation
to make calls to resources in a stack on your behalf. You can specify an IAM role that allows AWS
CloudFormation to create, update, or delete your stack resources. By default, AWS CloudFormation uses
a temporary session that it generates from your user credentials for stack operations. If you specify a
service role, AWS CloudFormation uses the role's credentials.
Use a service role to explicitly specify the actions that AWS CloudFormation can perform which
might not always be the same actions that you or other users can do. For example, you might have
administrative privileges, but you can limit AWS CloudFormation access to only Amazon EC2 actions.
You create the service role and its permission policy with the IAM service. For more information about
creating a service role, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User
Guide. Specify AWS CloudFormation (cloudformation.amazonaws.com) as the service that can
assume the role.
To associate a service role with a stack, specify the role when you create the stack. For details, see
Setting Stack Options (p. 95). You can also change the service role when you update (p. 118)
or delete the stack. Before you specify a service role, ensure that you have permission to pass it
(iam:PassRole). The iam:PassRole permission speciﬁes which roles you can use.

Important

When you specify a service role, AWS CloudFormation always uses that role for all operations
that are performed on that stack. Other users that have permissions to perform operations on
this stack will be able to use this role, even if they don't have permission to pass it. If the role
includes permissions that the user shouldn't have, you can unintentionally escalate a user's
permissions. Ensure that the role grants least privilege.

Logging AWS CloudFormation API Calls with AWS
CloudTrail
AWS CloudFormation is integrated with AWS CloudTrail, a service that provides a record of actions
taken by a user, role, or an AWS service in AWS CloudFormation. CloudTrail captures all API calls for
AWS CloudFormation as events, including calls from the AWS CloudFormation console and from code
calls to the AWS CloudFormation APIs. If you create a trail, you can enable continuous delivery of
CloudTrail events to an Amazon S3 bucket, including events for AWS CloudFormation. If you don't
conﬁgure a trail, you can still view the most recent events in the CloudTrail console in Event history.
Using the information collected by CloudTrail, you can determine the request that was made to AWS
CloudFormation, the IP address from which the request was made, who made the request, when it was
made, and additional details.
API Version 2010-05-15
17

AWS CloudFormation User Guide
AWS CloudFormation Information in CloudTrail

To learn more about CloudTrail, see the AWS CloudTrail User Guide.
Topics
• AWS CloudFormation Information in CloudTrail (p. 18)
• Understanding AWS CloudFormation Log File Entries (p. 18)

AWS CloudFormation Information in CloudTrail
CloudTrail is enabled on your AWS account when you create the account. When activity occurs in AWS
CloudFormation, that activity is recorded in a CloudTrail event along with other AWS service events
in Event history. You can view, search, and download recent events in your AWS account. For more
information, see Viewing Events with CloudTrail Event History.
For an ongoing record of events in your AWS account, including events for AWS CloudFormation, create
a trail. A trail enables CloudTrail to deliver log ﬁles to an Amazon S3 bucket. By default, when you create
a trail in the console, the trail applies to all regions. The trail logs events from all regions in the AWS
partition and delivers the log ﬁles to the Amazon S3 bucket that you specify. Additionally, you can
conﬁgure other AWS services to further analyze and act upon the event data collected in CloudTrail logs.
For more information, see:
• Overview for Creating a Trail
• CloudTrail Supported Services and Integrations
• Conﬁguring Amazon SNS Notiﬁcations for CloudTrail
• Receiving CloudTrail Log Files from Multiple Regions and Receiving CloudTrail Log Files from Multiple
Accounts
All AWS CloudFormation actions are logged by CloudTrail and are documented in the AWS
CloudFormation API Reference. For example, calls to the CreateStack, DeleteStack, and ListStacks
sections generate entries in the CloudTrail log ﬁles.
Every event or log entry contains information about who generated the request. The identity
information helps you determine the following:
• Whether the request was made with root or IAM user credentials.
• Whether the request was made with temporary security credentials for a role or federated user.
• Whether the request was made by another AWS service.
For more information, see the CloudTrail userIdentity Element.

Understanding AWS CloudFormation Log File Entries
A trail is a conﬁguration that enables delivery of events as log ﬁles to an Amazon S3 bucket that you
specify. CloudTrail log ﬁles contain one or more log entries. An event represents a single request from
any source and includes information about the requested action, the date and time of the action, request
parameters, and so on. CloudTrail log ﬁles are not an ordered stack trace of the public API calls, so they
do not appear in any speciﬁc order.
The following example shows a CloudTrail log entry that demonstrates the CreateStack action. The
action was made by an IAM user named Alice.

Note

Only the input parameter key names are logged; no parameter values are logged.
{

API Version 2010-05-15
18

AWS CloudFormation User Guide
Understanding AWS CloudFormation Log File Entries
"eventVersion": "1.01",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAABCDEFGHIJKLNMOPQ",
"arn": "arn:aws:iam::012345678910:user/Alice",
"accountId": "012345678910",
"accessKeyId": "AKIDEXAMPLE",
"userName": "Alice"
},
"eventTime": "2014-03-24T21:02:43Z",
"eventSource": "cloudformation.amazonaws.com",
"eventName": "CreateStack",
"awsRegion": "us-east-1",
"sourceIPAddress": "127.0.0.1",
"userAgent": "aws-cli/1.2.11 Python/2.7.4 Linux/2.6.18-164.el5",
"requestParameters": {
"templateURL": "https://s3.amazonaws.com/Alice-dev/create_stack",
"tags": [
{
"key": "test",
"value": "tag"
}
],
"stackName": "my-test-stack",
"disableRollback": true,
"parameters": [
{
"parameterKey": "password"
},
{
"parameterKey": "securitygroup"
}
]
},
"responseElements": {
"stackId": "arn:aws:cloudformation:us-east-1:012345678910:stack/my-test-stack/a38e6a60b397-11e3-b0fc-08002755629e"
},
"requestID": "9f960720-b397-11e3-bb75-a5b75389b02d",
"eventID": "9bf6cfb8-83e1-4589-9a70-b971e727099b"
}

The following example shows that Alice called the UpdateStack action on the my-test-stack stack:
{

"eventVersion": "1.01",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAABCDEFGHIJKLNMOPQ",
"arn": "arn:aws:iam::012345678910:user/Alice",
"accountId": "012345678910",
"accessKeyId": "AKIDEXAMPLE",
"userName": "Alice"
},
"eventTime": "2014-03-24T21:04:29Z",
"eventSource": "cloudformation.amazonaws.com",
"eventName": "UpdateStack",
"awsRegion": "us-east-1",
"sourceIPAddress": "127.0.0.1",
"userAgent": "aws-cli/1.2.11 Python/2.7.4 Linux/2.6.18-164.el5",
"requestParameters": {
"templateURL": "https://s3.amazonaws.com/Alice-dev/create_stack",
"parameters": [
{
"parameterKey": "password"

API Version 2010-05-15
19

AWS CloudFormation User Guide
Understanding AWS CloudFormation Log File Entries
},
{
}

"parameterKey": "securitygroup"

],
"stackName": "my-test-stack"

},
"responseElements": {
"stackId": "arn:aws:cloudformation:us-east-1:012345678910:stack/my-test-stack/a38e6a60b397-11e3-b0fc-08002755629e"
},
"requestID": "def0bf5a-b397-11e3-bb75-a5b75389b02d",
"eventID": "637707ce-e4a3-4af1-8edc-16e37e851b17"
}

The following example shows that Alice called the ListStacks action.
{

}

"eventVersion": "1.01",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAABCDEFGHIJKLNMOPQ",
"arn": "arn:aws:iam::012345678910:user/Alice",
"accountId": "012345678910",
"accessKeyId": "AKIDEXAMPLE",
"userName": "Alice"
},
"eventTime": "2014-03-24T21:03:16Z",
"eventSource": "cloudformation.amazonaws.com",
"eventName": "ListStacks",
"awsRegion": "us-east-1",
"sourceIPAddress": "127.0.0.1",
"userAgent": "aws-cli/1.2.11 Python/2.7.4 Linux/2.6.18-164.el5",
"requestParameters": null,
"responseElements": null,
"requestID": "b7d351d7-b397-11e3-bb75-a5b75389b02d",
"eventID": "918206d0-7281-4629-b778-b91eb0d83ce5"

The following example shows that Alice called the DescribeStacks action on the my-test-stack
stack.
{

"eventVersion": "1.01",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAABCDEFGHIJKLNMOPQ",
"arn": "arn:aws:iam::012345678910:user/Alice",
"accountId": "012345678910",
"accessKeyId": "AKIDEXAMPLE",
"userName": "Alice"
},
"eventTime": "2014-03-24T21:06:15Z",
"eventSource": "cloudformation.amazonaws.com",
"eventName": "DescribeStacks",
"awsRegion": "us-east-1",
"sourceIPAddress": "127.0.0.1",
"userAgent": "aws-cli/1.2.11 Python/2.7.4 Linux/2.6.18-164.el5",
"requestParameters": {
"stackName": "my-test-stack"
},
"responseElements": null,
"requestID": "224f2586-b398-11e3-bb75-a5b75389b02d",

API Version 2010-05-15
20

AWS CloudFormation User Guide
Limits

}

"eventID": "9e5b2fc9-1ba8-409b-9c13-587c2ea940e2"

The following example shows that Alice called the DeleteStack action on the my-test-stack stack.
{

}

"eventVersion": "1.01",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAABCDEFGHIJKLNMOPQ",
"arn": "arn:aws:iam::012345678910:user/Alice",
"accountId": "012345678910",
"accessKeyId": "AKIDEXAMPLE",
"userName": "Alice"
},
"eventTime": "2014-03-24T21:07:15Z",
"eventSource": "cloudformation.amazonaws.com",
"eventName": "DeleteStack",
"awsRegion": "us-east-1",
"sourceIPAddress": "127.0.0.1",
"userAgent": "aws-cli/1.2.11 Python/2.7.4 Linux/2.6.18-164.el5",
"requestParameters": {
"stackName": "my-test-stack"
},
"responseElements": null,
"requestID": "42dae739-b398-11e3-bb75-a5b75389b02d",
"eventID": "4965eb38-5705-4942-bb7f-20ebe79aa9aa"

AWS CloudFormation Limits
Your AWS account has AWS CloudFormation limits that you might need to know when authoring
templates and creating stacks. By understanding these limits, you can avoid limitation errors that would
require you to redesign your templates or stacks.

AWS CloudFormation limits
Limit

Description

Value

Tuning Strategy

cfn-signal
wait condition
data (p. 2331)

Maximum amount of
data that cfn-signal can
pass.

4,096 bytes

To pass a larger
amount, send the
data to an Amazon S3
bucket, and then use
cfn-signal to pass the
Amazon S3 URL to that
bucket.

Custom resource
response (p. 674)

Maximum amount of
data that a custom
resource provider can
pass.

4,096 bytes

Mappings (p. 163)

Maximum number of
mappings that you
can declare in your
AWS CloudFormation
template.

100 mappings

API Version 2010-05-15
21

To specify more
mappings, separate
your template into
multiple templates
by using, for example,
nested stacks (p. 694).

AWS CloudFormation User Guide
Limits

Limit

Description

Value

Tuning Strategy

Mapping
attributes (p. 163)

Maximum number of
mapping attributes
for each mapping that
you can declare in your
AWS CloudFormation
template.

64 attributes

To specify more
mapping attributes,
separate the attributes
into multiple mappings.

Mapping name and
mapping attribute
name (p. 163)

Maximum size of each
mapping name.

255 characters

Outputs (p. 163)

Maximum number
of outputs that you
can declare in your
AWS CloudFormation
template.

60 outputs

Output name (p. 163)

Maximum size of an
output name.

255 characters

Parameters (p. 163)

Maximum number of
parameters that you
can declare in your
AWS CloudFormation
template.

60 parameters

Parameter
name (p. 163)

Maximum size of a
parameter name.

255 characters

Parameter
value (p. 163)

Maximum size of a
parameter value.

4,096 bytes

To use a larger
parameter value, create
multiple parameters
and then use Fn::Join
to append the multiple
values into a single
value.

Resources (p. 163)

Maximum number of
resources that you
can declare in your
AWS CloudFormation
template.

200 resources

To specify more
resources, separate your
template into multiple
templates by using,
for example, nested
stacks (p. 694).

Resource
name (p. 163)

Maximum size of a
resource name.

255 characters

API Version 2010-05-15
22

To specify more
parameters, you can
use mappings or lists in
order to assign multiple
values to a single
parameter.

AWS CloudFormation User Guide
Endpoints

Limit

Description

Value

Tuning Strategy

Stacks (p. 90)

Maximum number of
AWS CloudFormation
stacks that you can
create.

200 stacks

To create more stacks,
delete stacks that you
don't need or request
an increase in the
maximum number of
stacks in your AWS
account. For more
information, see AWS
Service Limits in the
AWS General Reference.

StackSets (p. 465)

Maximum number of
AWS CloudFormation
stack sets you
can create in your
administrator account.

20 stack sets

StackSets (p. 465)

Maximum number of
stack instances you can
create per stack set.

500 stack instances per
stack set

Template body size in a
request (p. 163)

Maximum size of
a template body
that you can pass
in a CreateStack,
UpdateStack, or
ValidateTemplate
request.

51,200 bytes

To use a larger
template body,
separate your template
into multiple templates
by using, for example,
nested stacks (p. 694).
Or upload the template
to an Amazon S3
bucket.

Template body size
in an Amazon S3
object (p. 163)

Maximum size of a
template body that
you can pass in an
Amazon S3 object
for a CreateStack,
UpdateStack,
ValidateTemplate
request with an
Amazon S3 template
URL.

460,800 bytes

To use a larger
template body,
separate your template
into multiple templates
by using, for example,
nested stacks (p. 694).

Template
description (p. 163)

Maximum size of a
template description.

1,024 bytes

AWS CloudFormation Endpoints
To reduce data latency in your applications, most Amazon Web Services products allow you to select a
regional endpoint to make your requests. An endpoint is a URL that is the entry point for a web service.
When you work with stacks by using the command line interface or API actions, you can specify a
regional endpoint. For more information about the regions and endpoints for AWS CloudFormation, see
Regions and Endpoints in the Amazon Web Services General Reference.
API Version 2010-05-15
23

AWS CloudFormation User Guide
AWS CloudFormation and VPC Endpoints

AWS CloudFormation and VPC Endpoints
You can use a VPC endpoint to create a private connection between your VPC and another AWS service
without requiring access over the Internet, through a NAT instance, a VPN connection, or AWS Direct
Connect. If you use AWS CloudFormation to create resources in a VPC with a VPC endpoint, you might
need to modify your IAM endpoint policy so that it permits access to certain S3 buckets.
AWS CloudFormation has S3 buckets in each region to monitor responses to a custom resource (p. 432)
request or a wait condition (p. 276). If a template includes custom resources or wait conditions in a
VPC, the VPC endpoint policy must allow users to send responses to the following buckets:
• For custom resources, permit traﬃc to the cloudformation-custom-resourceresponse-region bucket.
• For wait conditions, permit traﬃc to the cloudformation-waitcondition-region bucket.
If the endpoint policy blocks traﬃc to these buckets, AWS CloudFormation won't receive responses
and the stack operation fails. For example, if you have a resource in a VPC in the us-west-2
region that must respond to a wait condition, the resource must be able to send a response to the
cloudformation-waitcondition-us-west-2 bucket.
For a list of regions that AWS CloudFormation supports, see the Regions and Endpoints page in the
Amazon Web Services General Reference.

API Version 2010-05-15
24

AWS CloudFormation User Guide
Get Started

Getting Started with AWS
CloudFormation
Because you can use AWS CloudFormation to launch many diﬀerent types of resources, the getting
started walkthrough will touch on just a few simple concepts to help you get an idea of how to use AWS
CloudFormation.
In this section, you will use the AWS Management Console to create a stack from an example template
from the AWS CloudFormation Sample Template Library and learn the basics of creating a template.
In the following walkthrough, we'll use a sample template to launch, update, and delete a stack. After
you learn the fundamentals, you can learn more about creating more complex templates and stacks.
AWS CloudFormation makes deploying a set of Amazon Web Services (AWS) resources as simple as
submitting a template. A template is a simple text ﬁle that describes a stack, a collection of AWS
resources you want to deploy together as a group. You use the template to deﬁne all the AWS resources
you want in your stack. This can include Amazon Elastic Compute Cloud instances, Amazon Relational
Database Service DB Instances, and other resources. For a list of resource types, see AWS Resource Types
Reference (p. 499).
The following video walks you through the stack creation example presented in the Get
Started (p. 25) section: Getting Started with AWS CloudFormation
Topics
• Get Started (p. 25)
• Learn Template Basics (p. 33)
• Walkthrough: Updating a Stack (p. 47)

Get Started
With the right template, you can deploy at once all the AWS resources you need for an application.
In this section, you'll examine a template that declares the resources for a WordPress blog, creates a
WordPress blog as a stack, monitors the stack creation process, examines the resources on the stack, and
then deletes the stack. You use the AWS Management Console to complete these tasks.

Step 1: Pick a template
First, you'll need a template that speciﬁes the resources that you want in your stack. For this step, you
use a sample template that is already prepared. The sample template creates a basic WordPress blog
that uses a single Amazon EC2 instance with a local MySQL database for storage. The template also
creates an Amazon EC2 security group to control ﬁrewall settings for the Amazon EC2 instance.

Important

AWS CloudFormation is free, but the AWS resources that AWS CloudFormation creates are
live (and not running in a sandbox). You will incur the standard usage fees for these resources
API Version 2010-05-15
25

AWS CloudFormation User Guide
Step 1: Pick a template

until you terminate them in the last task in this tutorial. The total charges will be minimal. For
information about how you might minimize any charges, go to http://aws.amazon.com/free/.

To view the template
•

You can view the JSON or YAML WordPress sample template. You don't need to download it because
you will use the template URL later in this guide. For more information about the template formats,
see AWS CloudFormation Template Formats (p. 162).

A template is a JSON or YAML text ﬁle that contains the conﬁguration information about the AWS
resources you want to create in the stack. For this walkthrough, the sample template includes six toplevel sections: AWSTemplateFormatVersion, Description, Parameters, Mappings, Resources,
and Outputs; however, only the Resources section is required.
The Resources section contains the deﬁnitions of the AWS resources you want to create with the
template. Each resource is listed separately and speciﬁes the properties that are necessary for creating
that particular resource. The following resource declaration is the conﬁguration for the EC2 instance,
which in this example has the logical name WebServer:

Example JSON
"Resources" : {
...
"WebServer": {
"Type" : "AWS::EC2::Instance",
"Properties": {
"ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" },
{ "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" :
"InstanceType" }, "Arch" ] } ] },
"InstanceType"
: { "Ref" : "InstanceType" },
"SecurityGroups" : [ {"Ref" : "WebServerSecurityGroup"} ],
"KeyName"
: { "Ref" : "KeyName" },
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"yum update -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
"
--stack ", { "Ref" : "AWS::StackName" },
"
--resource WebServer ",
"
--configsets wordpress_install ",
"
--region ", { "Ref" : "AWS::Region" }, "\n",

]]}}
},
...

"/opt/aws/bin/cfn-signal -e $? ",
"
--stack ", { "Ref" : "AWS::StackName" },
"
--resource WebServer ",
"
--region ", { "Ref" : "AWS::Region" }, "\n"

},
...
"WebServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80 locked down to the load balancer
+ SSH access",
"SecurityGroupIngress" : [
{"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : { "Ref" :
"SSHLocation"}}
]
}

API Version 2010-05-15
26

AWS CloudFormation User Guide
Step 1: Pick a template
},
...

},

Example YAML
Resources:
...
WebServer:
Type: AWS::EC2::Instance
Properties:
ImageId: !FindInMap [AWSRegionArch2AMI, !Ref 'AWS::Region', !FindInMap
[AWSInstanceType2Arch, !Ref InstanceType, Arch]]
InstanceType:
Ref: InstanceType
KeyName:
Ref: KeyName
SecurityGroups:
- Ref: WebServerSecurityGroup
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum update -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource WebServer -configsets wordpress_install --region ${AWS::Region}
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource WebServer -region ${AWS::Region}
...
...
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: "Enable HTTP access via port 80 locked down to the load balancer +
SSH access"
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: '80'
IpProtocol: tcp
ToPort: '80'
- CidrIp: !Ref SSHLocation
FromPort: '22'
IpProtocol: tcp
ToPort: '22'
...

If you have created EC2 instances before, you can recognize properties, such as ImageId,
InstanceType, and KeyName, that determine the conﬁguration of the instance. Resource declarations
are an eﬃcient way to specify all these conﬁguration settings at once. When you put resource
declarations in a template, you can create and conﬁgure all the declared resources easily by using the
template to create a stack. To launch the same conﬁguration of resources, all you have to do is create a
new stack that uses the same template.
The resource declaration begins with a string that speciﬁes the logical name for the resource. As you'll
see, the logical name can be used to refer to resources within the template.
You use the Parameters section to declare values that can be passed to the template when you create
the stack. A parameter is an eﬀective way to specify sensitive information, such as user names and
passwords, that you don't want to store in the template itself. It is also a way to specify information that
might be unique to the speciﬁc application or conﬁguration you are deploying, for example, a domain
name or instance type. When you create the WordPress stack later in this section, you'll see the set of
API Version 2010-05-15
27

AWS CloudFormation User Guide
Step 1: Pick a template

parameters declared in the template appear on the Specify Details page of the Create Stack wizard,
where you can specify the parameters before you create the stack.
The following parameters are used in the template to specify values that are used in properties of the
EC2 instance:

Example JSON
"Parameters" : {
...
"KeyName": {
"Description" : "Name of an existing EC2 KeyPair to enable SSH access to the
instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription" : "must be the name of an existing EC2 KeyPair."
},
"InstanceType" : {
"Description" : "WebServer EC2 instance type",
"Type" : "String",
"Default" : "t2.small",
"AllowedValues" : [ "t1.micro", "t2.nano", "t2.micro", "t2.small", "t2.medium",
"t2.large", "m1.small", "m1.medium", "m1.large", "m1.xlarge", "m2.xlarge", "m2.2xlarge",
"m2.4xlarge", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge", "m4.large", "m4.xlarge",
"m4.2xlarge", "m4.4xlarge", "m4.10xlarge", "c1.medium", "c1.xlarge", "c3.large",
"c3.xlarge", "c3.2xlarge", "c3.4xlarge", "c3.8xlarge", "c4.large", "c4.xlarge",
"c4.2xlarge", "c4.4xlarge", "c4.8xlarge", "g2.2xlarge", "g2.8xlarge", "r3.large",
"r3.xlarge", "r3.2xlarge", "r3.4xlarge", "r3.8xlarge", "i2.xlarge", "i2.2xlarge",
"i2.4xlarge", "i2.8xlarge", "d2.xlarge", "d2.2xlarge", "d2.4xlarge", "d2.8xlarge",
"hi1.4xlarge", "hs1.8xlarge", "cr1.8xlarge", "cc2.8xlarge", "cg1.4xlarge"],
"ConstraintDescription" : "must be a valid EC2 instance type."
},
...

Example YAML
Parameters:
...
KeyName:
ConstraintDescription: must be the name of an existing EC2 KeyPair.
Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
Type: AWS::EC2::KeyPair::KeyName
InstanceType:
AllowedValues:
- t1.micro
- t2.nano
- t2.micro
- t2.small
- t2.medium
- t2.large
- m1.small
- m1.medium
- m1.large
- m1.xlarge
- m2.xlarge
- m2.2xlarge
- m2.4xlarge
- m3.medium
- m3.large
- m3.xlarge
- m3.2xlarge
- m4.large

API Version 2010-05-15
28

AWS CloudFormation User Guide
Step 1: Pick a template

...

- m4.xlarge
- m4.2xlarge
- m4.4xlarge
- m4.10xlarge
- c1.medium
- c1.xlarge
- c3.large
- c3.xlarge
- c3.2xlarge
- c3.4xlarge
- c3.8xlarge
- c4.large
- c4.xlarge
- c4.2xlarge
- c4.4xlarge
- c4.8xlarge
- g2.2xlarge
- g2.8xlarge
- r3.large
- r3.xlarge
- r3.2xlarge
- r3.4xlarge
- r3.8xlarge
- i2.xlarge
- i2.2xlarge
- i2.4xlarge
- i2.8xlarge
- d2.xlarge
- d2.2xlarge
- d2.4xlarge
- d2.8xlarge
- hi1.4xlarge
- hs1.8xlarge
- cr1.8xlarge
- cc2.8xlarge
- cg1.4xlarge
ConstraintDescription: must be a valid EC2 instance type.
Default: t2.small
Description: WebServer EC2 instance type
Type: String

In the WebServer resource declaration, you see the KeyName property speciﬁed with the KeyName
parameter:

Example JSON
"WebServer" : {
"Type": "AWS::EC2::Instance",
"Properties": {
"KeyName" : { "Ref" : "KeyName" },
...
}
},

Example YAML
WebServer:
Type: AWS::EC2::Instance
Properties:
KeyName:
Ref: KeyName

API Version 2010-05-15
29

AWS CloudFormation User Guide
Step 2: Make sure you have prepared
any required items for the stack
...

The braces contain a call to the Ref (p. 2311) function with KeyName as its input. The Ref function
returns the value of the object it refers to. In this case, the Ref function sets the KeyName property to the
value that was speciﬁed for KeyName when the stack was created.
The Ref function can also set a resource's property to the value of another resource. For example, the
resource declaration WebServer contains the following property declaration:

Example JSON
"WebServer" : {
"Type": "AWS::EC2::Instance",
"Properties": {
...
"SecurityGroups" : [ {"Ref" : "WebServerSecurityGroup"} ],
...
}
},

Example YAML
WebServer:
Type: AWS::EC2::Instance
Properties:
SecurityGroups:
- Ref: WebServerSecurityGroup
...

The SecurityGroups property takes a list of EC2 security groups. The Ref function has an input of
WebServerSecurityGroup, which is the logical name of a security group in the template, and adds the
name of WebServerSecurityGroup to the SecurityGroups property.
In the template, you'll also ﬁnd a Mappings section. You use mappings to declare conditional values that
are evaluated in a similar manner as a lookup table statement. The template uses mappings to select
the correct Amazon machine image (AMI) for the region and the architecture type for the instance type.
Outputs deﬁne custom values that are returned by the aws cloudformation describe-stacks
command and in the AWS CloudFormation console Outputs tab after the stack is created. You can use
output values to return information from the resources in the stack, such as the URL for a website that
was created in the template. We cover mappings, outputs, and other things about templates in more
detail in Learn Template Basics (p. 33).
That's enough about templates for now. Let's start creating a stack.

Step 2: Make sure you have prepared any required
items for the stack
Before you create a stack from a template, you must ensure that all dependent resources that the
template requires are available. A template can use or refer to both existing AWS resources and resources
declared in the template itself. AWS CloudFormation takes care of checking references to resources in the
template and also checks references to existing resources to ensure that they exist in the region where
you are creating the stack. If your template refers to a dependent resource that does not exist, stack
creation fails.
The example WordPress template contains an input parameter, KeyName, that speciﬁes the key pair used
for the Amazon EC2 instance that is declared in the template. The template depends on the user who
creates a stack from the template to supply a valid Amazon EC2 key pair for the KeyName parameter. If
API Version 2010-05-15
30

AWS CloudFormation User Guide
Step 3: Create the stack

you supply a valid key pair name, the stack creates successfully. If you don't supply a valid key pair name,
the stack is rolled back.
Make sure you have a valid Amazon EC2 key pair and record the key pair name before you create the
stack.
To see your key pairs, open the Amazon EC2 console, then click Key Pairs in the navigation pane.

Note

If you don't have an Amazon EC2 key pair, you must create the key pair in the same region
where you are creating the stack. For information about creating a key pair, see Getting an SSH
Key Pair in the Amazon EC2 User Guide for Linux Instances.
Now that you have a valid key pair, let's use the WordPress template to create a stack.

Step 3: Create the stack
You will create your stack based on the WordPress-1.0.0 ﬁle discussed earlier. The template contains
several AWS resources, such as an EC2 instance.

To create the WordPress stack
1.

Sign in to the AWS Management Console and open the AWS CloudFormation console at https://
console.aws.amazon.com/cloudformation.

2.

If this is a new AWS CloudFormation account, click Create New Stack. Otherwise, click Create Stack.

3.

In the Template section, select Specify an Amazon S3 Template URL to type or paste the URL for
the sample WordPress template, and then click Next:
https://s3-us-west-2.amazonaws.com/cloudformation-templates-us-west-2/
WordPress_Single_Instance.template

Note

AWS CloudFormation templates that are stored in an S3 bucket must be accessible to the
user who is creating the stack, and must be located in the same region as the stack that is
being created. Therefore, if the S3 bucket is located in the us-east-2 Region, the stack
must also be created in us-east-2.
4.

In the Specify Details section, enter a stack name in the Name ﬁeld. For this example, use
MyWPTestStack. The stack name cannot contain spaces.

5.

In the KeyName ﬁeld, enter the name of a valid Amazon EC2 key pair in the same region you are
creating the stack.

Note

On the Specify Parameters page, you'll recognize the parameters from the Parameters
section of the template.
6.

Click Next.

7.

In this scenario, we won't add any tags. Click Next. Tags, which are key-value pairs, can help you
identify your stacks. For more information, see Adding Tags to Your AWS CloudFormation Stack.

8.

Review the information for the stack. When you're satisﬁed with the settings, click Create.

Your stack might take several minutes to create—but you probably don't want to just sit around waiting.
If you're like us, you'll want to know how the stack creation is going.

Step 4: Monitor the progress of stack creation
After you complete the Create Stack wizard, AWS CloudFormation begins creating the resources that are
speciﬁed in the template. Your new stack, MyWPTestStack, appears in the list at the top portion of the
API Version 2010-05-15
31

AWS CloudFormation User Guide
Step 5: Use your stack resources

CloudFormation console. Its status should be CREATE_IN_PROGRESS. You can see detailed status for a
stack by viewing its events.

To view the events for the stack
1.

On the AWS CloudFormation console, select the stack MyWPTestStack in the list.

2.

In the stack details pane, click the Events tab.
The console automatically refreshes the event list with the most recent events every 60 seconds.

The Events tab displays each major step in the creation of the stack sorted by the time of each event,
with latest events on top.
The ﬁrst event (at the bottom of the event list) is the start of the stack creation process:
2013-04-24 18:54 UTC-7 CREATE_IN_PROGRESS AWS::CloudFormation::Stack
MyWPTestStack User initiated
Next are events that mark the beginning and completion of the creation of each resource. For example,
creation of the EC2 instance results in the following entries:
2013-04-24 18:59 UTC-7 CREATE_COMPLETE AWS::EC2::Instance...
2013-04-24 18:54 UTC-7 CREATE_IN_PROGRESS AWS::EC2::Instance...
The CREATE_IN_PROGRESS event is logged when AWS CloudFormation reports that it has begun to
create the resource. The CREATE_COMPLETE event is logged when the resource is successfully created.
When AWS CloudFormation has successfully created the stack, you will see the following event at the top
of the Events tab:
2013-04-24 19:17 UTC-7 CREATE_COMPLETE AWS::CloudFormation::Stack MyWPTestStack
If AWS CloudFormation cannot create a resource, it reports a CREATE_FAILED event and, by default,
rolls back the stack and deletes any resources that have been created. The Status Reason column
displays the issue that caused the failure.

Step 5: Use your stack resources
When the stack MyWPTestStack has a status of CREATE_COMPLETE, AWS CloudFormation has ﬁnished
creating the stack, and you can start using its resources.
The sample WordPress stack creates a WordPress website. You can continue with the WordPress setup by
running the WordPress installation script.

To complete the WordPress installation
1.

On the Outputs tab, in the WebsiteURL row, click the link in the Value column.
The WebsiteURL output value is the URL of the installation script for the WordPress website that
you created with the stack.

2.

On the web page for the WordPress installation, follow the on-screen instructions to complete
the WordPress installation. For more information about installing WordPress, see http://
codex.wordpress.org/Installing_WordPress.
After you complete the installation and log in, you are directed to the dashboard where you can set
additional options for your WordPress blog. Then, you can start writing posts for your blog that you
successfully created by using a AWS CloudFormation template.
API Version 2010-05-15
32

AWS CloudFormation User Guide
Step 6: Clean Up

Step 6: Clean Up
You have completed the AWS CloudFormation getting started tasks. To make sure you are not charged
for any unwanted services, you can clean up by deleting the stack and its resources.

To delete the stack and its resources
1.

From the AWS CloudFormation console, select the MyWPTestStack stack.

2.

Click Delete Stack.

3.

In the conﬁrmation message that appears, click Yes, Delete.

The status for MyWPTestStack changes to DELETE_IN_PROGRESS. In the same way you monitored the
creation of the stack, you can monitor its deletion by using the Event tab. When AWS CloudFormation
completes the deletion of the stack, it removes the stack from the list.
Congratulations! You successfully picked a template, created a stack, viewed and used its resources, and
deleted the stack and its resources. Not only that, you were able to set up a WordPress blog using a AWS
CloudFormation template. You can ﬁnd other templates in the AWS CloudFormation Sample Template
Library.
Now it's time to learn more about templates so that you can easily modify existing templates or create
your own: Learn Template Basics (p. 33).

Learn Template Basics
Topics
• What is an AWS CloudFormation Template? (p. 33)
• Resources: Hello Bucket! (p. 34)
• Resource Properties and Using Resources Together (p. 34)
• Receiving User Input Using Input Parameters (p. 40)
• Specifying Conditional Values Using Mappings (p. 42)
• Constructed Values and Output Values (p. 44)
• Next Steps (p. 46)
In Get Started (p. 25), you learned how to use a template to create a stack. You saw resources declared
in a template and how they map to resources in the stack. We also touched on input parameters and how
they enable you to pass in speciﬁc values when you create a stack from a template. In this section, we'll
go deeper into resources and parameters. We'll also cover the other components of templates so that
you'll know how to use these components together to create templates that produce the AWS resources
you want.

What is an AWS CloudFormation Template?
A template is a declaration of the AWS resources that make up a stack. The template is stored as a text
ﬁle whose format complies with the JavaScript Object Notation (JSON) or YAML standard. Because
they are just text ﬁles, you can create and edit them in any text editor and manage them in your source
control system with the rest of your source code. For more information about the template formats, see
AWS CloudFormation Template Formats (p. 162).
In the template, you declare the AWS resources you want to create and conﬁgure. You declare an object
as a name-value pair or a pairing of a name with a set of child objects enclosed. The syntax depends on
API Version 2010-05-15
33

AWS CloudFormation User Guide
Resources: Hello Bucket!

the format you use. For more information, see the Template Anatomy (p. 163). The only required toplevel object is the Resources object, which must declare at least one resource. Let's start with the most
basic template containing only a Resources object, which contains a single resource declaration.

Resources: Hello Bucket!
The Resources object contains a list of resource objects. A resource declaration contains the resource's
attributes, which are themselves declared as child objects. A resource must have a Type attribute, which
deﬁnes the kind of AWS resource you want to create. The Type attribute has a special format:
AWS::ProductIdentifier::ResourceType

For example, the resource type for an Amazon S3 bucket is AWS::S3::Bucket (p. 1403). For a full list of
resource types, see Template Reference (p. 499).
Let's take a look at a very basic template. The following template declares a single resource of type
AWS::S3::Bucket: with the name HelloBucket.

Example JSON
{

}

"Resources" : {
"HelloBucket" : {
"Type" : "AWS::S3::Bucket"
}
}

Example YAML
Resources:
HelloBucket:
Type: AWS::S3::Bucket

If you use this template to create a stack, AWS CloudFormation will create an Amazon S3 bucket.
Creating a bucket is simple, because AWS CloudFormation can create a bucket with default settings.
For other resources, such as an Auto Scaling group or EC2 instance, AWS CloudFormation requires more
information. Resource declarations use a Properties attribute to specify the information used to
create a resource.
Depending on the resource type, some properties are required, such as the ImageId property for an
AWS::EC2::Instance (p. 879) resource, and others are optional. Some properties have default values,
such as the AccessControl property of the AWS::S3::Bucket resource, so specifying a value for those
properties is optional. Other properties are not required but may add functionality that you want,
such as the WebsiteConﬁguration property of the AWS::S3::Bucket resource. Specifying a value for
such properties is entirely optional and based on your needs. In the example above, because the
AWS::S3::Bucket resource has only optional properties and we didn't need any of the optional features,
we could accept the defaults and omit the Properties attribute.
To view the properties for each resource type, see the topics in Resource Property Types
Reference (p. 1581).

Resource Properties and Using Resources Together
Usually, a property for a resource is simply a string value. For example, the following template speciﬁes a
canned ACL (PublicRead) for the AccessControl property of the bucket.
API Version 2010-05-15
34

AWS CloudFormation User Guide
Resource Properties and Using Resources Together

Example JSON
{

}

"Resources" : {
"HelloBucket" : {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"AccessControl" : "PublicRead"
}
}
}

Example YAML
Resources:
HelloBucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead

Some resources can have multiple properties, and some properties can have one or more subproperties.
For example, the AWS::S3::Bucket (p. 1403) resource has two properties, AccessControl and
WebsiteConﬁguration. The WebsiteConﬁguration property has two subproperties, IndexDocument
and ErrorDocument. The following template shows our original bucket resource with the additional
properties.

Example JSON
{

}

"Resources" : {
"HelloBucket" : {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"AccessControl" : "PublicRead",
"WebsiteConfiguration" : {
"IndexDocument" : "index.html",
"ErrorDocument" : "error.html"
}
}
}
}

Example YAML
Resources:
HelloBucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html

One of the greatest beneﬁts of templates and AWS CloudFormation is the ability to create a set of
resources that work together to create an application or solution. The name used for a resource within
the template is a logical name. When AWS CloudFormation creates the resource, it generates a physical
name that is based on the combination of the logical name, the stack name, and a unique ID.
API Version 2010-05-15
35

AWS CloudFormation User Guide
Resource Properties and Using Resources Together

You're probably wondering how you set properties on one resource based on the name or property
of another resource. For example, you can create a CloudFront distribution backed by an S3 bucket
or an EC2 instance that uses EC2 security groups, and all of these resources can be created in the
same template. AWS CloudFormation has a number of intrinsic functions that you can use to refer to
other resources and their properties. You can use the Ref function (p. 2311) to refer to an identifying
property of a resource. Frequently, this is the physical name of the resource; however, sometimes
it can be an identiﬁer, such as the IP address for an AWS::EC2::EIP (p. 868) resource or an Amazon
Resource Name (ARN) for an Amazon SNS topic. For a list of values returned by the Ref function, see
Ref function (p. 2311). The following template contains an AWS::EC2::Instance (p. 879) resource.
The resource's SecurityGroups property calls the Ref function to refer to the AWS::EC2::SecurityGroup
resource InstanceSecurityGroup.

Example JSON
{

}

"Resources": {
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"SecurityGroups": [
{
"Ref": "InstanceSecurityGroup"
}
],
"KeyName": "mykey",
"ImageId": ""
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
}
}

Example YAML
Resources:
Ec2Instance:
Type: 'AWS::EC2::Instance'
Properties:
SecurityGroups:
- !Ref InstanceSecurityGroup
KeyName: mykey
ImageId: ''
InstanceSecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '22'

API Version 2010-05-15
36

AWS CloudFormation User Guide
Resource Properties and Using Resources Together
ToPort: '22'
CidrIp: 0.0.0.0/0

The SecurityGroups property is a list of security groups, and in the previous example we have only one
item in the list. The following template has an additional item in the SecurityGroups property list.

Example JSON
{

}

"Resources": {
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"SecurityGroups": [
{
"Ref": "InstanceSecurityGroup"
},
"MyExistingSecurityGroup"
],
"KeyName": "mykey",
"ImageId": "ami-7a11e213"
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
}
}

Example YAML
Resources:
Ec2Instance:
Type: 'AWS::EC2::Instance'
Properties:
SecurityGroups:
- !Ref InstanceSecurityGroup
- MyExistingSecurityGroup
KeyName: mykey
ImageId: ami-7a11e213
InstanceSecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 0.0.0.0/0

API Version 2010-05-15
37

AWS CloudFormation User Guide
Resource Properties and Using Resources Together

MyExistingSecurityGroup is a string that refers to an existing EC2 security group instead of a security
group declared in a template. You use literal strings to refer to existing AWS resources.
In the example above, the KeyName property of the AWS::EC2::Instance (p. 879) is the literal string
mykey. This means that a key pair with the name mykey must exist in the region where the stack is
being created; otherwise, stack creation will fail because the key pair does not exist. The key pair you
use can vary with the region where you are creating the stack, or you may want to share the template
with someone else so that they can use it with their AWS account. If so, you can use an input parameter
so that the key pair name can be speciﬁed when the stack is created. The Ref function can refer to
input parameters that are speciﬁed at stack creation time. The following template adds a Parameters
object containing the KeyName parameter, which is used to specify the KeyName property for the
AWS::EC2::Instance resource. The parameter type is AWS::EC2::KeyPair::KeyName, which ensures
a user speciﬁes a valid key pair name in his or her account and in the region where the stack is being
created.

Example JSON
{

}

"Parameters": {
"KeyName": {
"Description": "The EC2 Key Pair to allow SSH access to the instance",
"Type": "AWS::EC2::KeyPair::KeyName"
}
},
"Resources": {
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"SecurityGroups": [
{
"Ref": "InstanceSecurityGroup"
},
"MyExistingSecurityGroup"
],
"KeyName": {
"Ref": "KeyName"
},
"ImageId": "ami-7a11e213"
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
}
}

Example YAML
Parameters:
KeyName:
Description: The EC2 Key Pair to allow SSH access to the instance

API Version 2010-05-15
38

AWS CloudFormation User Guide
Resource Properties and Using Resources Together
Type: 'AWS::EC2::KeyPair::KeyName'
Resources:
Ec2Instance:
Type: 'AWS::EC2::Instance'
Properties:
SecurityGroups:
- !Ref InstanceSecurityGroup
- MyExistingSecurityGroup
KeyName: !Ref KeyName
ImageId: ami-7a11e213
InstanceSecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 0.0.0.0/0

The Ref function is handy if the parameter or the value returned for a resource is exactly what you want;
however, you may need other attributes of a resource. For example, if you want to create a CloudFront
distribution with an S3 origin, you need to specify the bucket location by using a DNS-style address.
A number of resources have additional attributes whose values you can use in your template. To get
these attributes, you use the Fn::GetAtt (p. 2285) function. The following template creates a CloudFront
distribution resource that speciﬁes the DNS name of an S3 bucket resource using Fn::GetAtt function to
get the bucket's DomainName attribute.

Example JSON
{

"Resources": {
"myBucket": {
"Type": "AWS::S3::Bucket"
},
"myDistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"Origins": [
{
"DomainName": {
"Fn::GetAtt": [
"myBucket",
"DomainName"
]
},
"Id": "myS3Origin",
"S3OriginConfig": {}
}
],
"Enabled": "true",
"DefaultCacheBehavior": {
"TargetOriginId": "myS3Origin",
"ForwardedValues": {
"QueryString": "false"
},
"ViewerProtocolPolicy": "allow-all"
}
}
}
}
}

API Version 2010-05-15
39

AWS CloudFormation User Guide
Receiving User Input Using Input Parameters
}

Example YAML
Resources:
myBucket:
Type: 'AWS::S3::Bucket'
myDistribution:
Type: 'AWS::CloudFront::Distribution'
Properties:
DistributionConfig:
Origins:
- DomainName: !GetAtt
- myBucket
- DomainName
Id: myS3Origin
S3OriginConfig: {}
Enabled: 'true'
DefaultCacheBehavior:
TargetOriginId: myS3Origin
ForwardedValues:
QueryString: 'false'
ViewerProtocolPolicy: allow-all

The Fn::GetAtt function takes two parameters, the logical name of the resource and the name of the
attribute to be retrieved. For a full list of available attributes for resources, see Fn::GetAtt (p. 2285).
You'll notice that the Fn::GetAtt function lists its two parameters in an array. For functions that take
multiple parameters, you use an array to specify their parameters.

Receiving User Input Using Input Parameters
So far, you've learned about resources and a little bit about how to use them together within a template.
You've learned how to refer to input parameters, but we haven't gone deeply into how to deﬁne the
input parameters themselves. Let's take a look at parameter declarations and how you can restrict and
validate user input.
You declare parameters in a template's Parameters object. A parameter contains a list of attributes that
deﬁne its value and constraints against its value. The only required attribute is Type, which can be String,
Number, or an AWS-speciﬁc type. You can also add a Description attribute that tells a user more about
what kind of value they should specify. The parameter's name and description appear in the Specify
Parameters page when a user uses the template in the Create Stack wizard.
The following template fragment is a Parameters object that declares the parameters used in the Specify
Parameters page above.

Example JSON
"Parameters": {
"KeyName": {
"Description" : "Name of an existing EC2 KeyPair to enable SSH access into the
WordPress web server",
"Type": "AWS::EC2::KeyPair::KeyName"
},
"WordPressUser": {
"Default": "admin",
"NoEcho": "true",
"Description" : "The WordPress database admin account user name",
"Type": "String",
"MinLength": "1",
"MaxLength": "16",

API Version 2010-05-15
40

AWS CloudFormation User Guide
Receiving User Input Using Input Parameters

}

"AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*"
},
"WebServerPort": {
"Default": "8888",
"Description" : "TCP/IP port for the WordPress web server",
"Type": "Number",
"MinValue": "1",
"MaxValue": "65535"
}

Example YAML
Parameters:
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access into the WordPress
web server
Type: AWS::EC2::KeyPair::KeyName
WordPressUser:
Default: admin
NoEcho: true
Description: The WordPress database admin account user name
Type: String
MinLength: 1
MaxLength: 16
AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
WebServerPort:
Default: 8888
Description: TCP/IP port for the WordPress web server
Type: Number
MinValue: 1
MaxValue: 65535

For parameters with default values, AWS CloudFormation uses the default values unless users specify
another value. If you omit the default attribute, users are required to specify a value for that parameter;
however, requiring the user to input a value does not ensure that the value is valid. To validate the value
of a parameter, you can declare constraints or specify an AWS-speciﬁc parameter type.
You'll notice that the KeyName parameter has no Default attribute and the other parameters do. For
example, the WordPress parameter has the attribute Default: admin, but the KeyName parameter
has none. Users must specify a key name value at stack creation. If they don’t, AWS CloudFormation fails
to create the stack and throws an exception: Parameters: [KeyName] must have values.
For AWS-speciﬁc parameter types, AWS CloudFormation validates input values against existing values
in the user's AWS account and in the region where he or she is creating the stack before creating
any stack resources. In the sample template, the KeyName parameter is an AWS-speciﬁc parameter
type of AWS::EC2::KeyPair::KeyName. AWS CloudFormation checks that users specify a valid
EC2 key pair name before creating the stack. Another example of an AWS-speciﬁc parameter type is
AWS::EC2::VPC::Id, which requires users to specify a valid VPC ID. In addition to upfront validation,
the AWS console shows a drop-down list of valid values for AWS-speciﬁc parameter types, such as valid
EC2 key pair names or VPC IDs, when users use the Create Stack wizard.
For the String type, you can use the following attributes to declare constraints: MinLength,
MaxLength, Default, AllowedValues, and AllowedPattern. In the example above, the
WordPressUser parameter has three constraints: the parameter value must be 1 to 16 character long
(MinLength, MaxLength) and must begin with a letter followed by any combination of letters and
numbers (AllowedPattern).
For the Number type, you can declare the following constraints: MinValue, MaxValue, Default,
and AllowedValues. A number can be an integer or a ﬂoat value. In the example above, the
WebServerPort parameter must be a number between 1 and 65535 inclusive (MinValue, MaxValue).
API Version 2010-05-15
41

AWS CloudFormation User Guide
Specifying Conditional Values Using Mappings

Earlier in this section, we mentioned that parameters are a good way to specify sensitive or
implementation-speciﬁc data, such as passwords or user names, that you need to use but do not want
to embed in the template itself. For sensitive information, you can use the NoEcho attribute to prevent a
parameter value from being displayed in the console, command line tools, or API. If you set the NoEcho
attribute to true, the parameter value is returned as asterisks (*****). In the example above, the
WordPressUser parameter value is not visible to anyone viewing the stack's settings, and its value is
returned as asterisks.

Specifying Conditional Values Using Mappings
Parameters are a great way to enable users to specify unique or sensitive values for use in the properties
of stack resources; however, there may be settings that are region dependent or are somewhat complex
for users to ﬁgure out because of other conditions or dependencies. In these cases, you would want to
put some logic in the template itself so that users can specify simpler values (or none at all) to get the
results that they want. In an earlier example, we hardcoded the AMI ID for the ImageId property of our
EC2 instance. This works ﬁne in the US-East region, where it represents the AMI that we want. However,
if the user tries to build the stack in a diﬀerent region he or she will get the wrong AMI or no AMI at all.
(AMI IDs are unique to a region, so the same AMI ID in a diﬀerent region may not represent any AMI or a
completely diﬀerent one.)
To avoid this problem, you need a way to specify the right AMI ID based on a conditional input (in this
example, the region where the stack is created). There are two template features that can help, the
Mappings object and the AWS::Region pseudo parameter.
The AWS::Region pseudo parameter is a value that AWS CloudFormation resolves as the region where
the stack is created. Pseudo parameters are resolved by AWS CloudFormation when you create the
stack. Mappings enable you to use an input value as a condition that determines another value. Similar
to a switch statement, a mapping associates one set of values with another. Using the AWS::Region
parameter together with a mapping, you can ensure that an AMI ID appropriate to the region is speciﬁed.
The following template contains a Mappings object with a mapping named RegionMap that is used to
map an AMI ID to the appropriate region.

Example JSON
{

"Parameters": {
"KeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the
instance",
"Type": "String"
}
},
"Mappings": {
"RegionMap": {
"us-east-1": {
"AMI": "ami-76f0061f"
},
"us-west-1": {
"AMI": "ami-655a0a20"
},
"eu-west-1": {
"AMI": "ami-7fd4e10b"
},
"ap-southeast-1": {
"AMI": "ami-72621c20"
},
"ap-northeast-1": {
"AMI": "ami-8e08a38f"
}
}

API Version 2010-05-15
42

AWS CloudFormation User Guide
Specifying Conditional Values Using Mappings

}

},
"Resources": {
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"KeyName": {
"Ref": "KeyName"
},
"ImageId": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"AMI"
]
},
"UserData": {
"Fn::Base64": "80"
}
}
}
}

Example YAML
Parameters:
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
Type: String
Mappings:
RegionMap:
us-east-1:
AMI: ami-76f0061f
us-west-1:
AMI: ami-655a0a20
eu-west-1:
AMI: ami-7fd4e10b
ap-southeast-1:
AMI: ami-72621c20
ap-northeast-1:
AMI: ami-8e08a38f
Resources:
Ec2Instance:
Type: 'AWS::EC2::Instance'
Properties:
KeyName: !Ref KeyName
ImageId: !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- AMI
UserData: !Base64 '80'

In the RegionMap, each region is mapped to a name-value pair. The name-value pair is a label, and the
value to map. In the RegionMap, AMI is the label and the AMI ID is the value. To use a map to return a
value, you use the Fn::FindInMap (p. 2283) function, passing the name of the map, the value used to
ﬁnd the mapped value, and the label of the mapped value you want to return. In the example above, the
ImageId property of the resource Ec2Instance uses the Fn::FindInMap function to determine its value by
specifying RegionMap as the map to use, AWS::Region as the input value to map from, and AMI as the
label to identify the value to map to. For example, if this template were used to create a stack in the uswest-1 region, ImageId would be set to ami-655a0a20.
API Version 2010-05-15
43

AWS CloudFormation User Guide
Constructed Values and Output Values

Tip

The AWS::Region pseudo parameter enables you to get the
region where the stack is created. Some resources, such as
AWS::EC2::Instance (p. 879), AWS::AutoScaling::AutoScalingGroup (p. 620), and
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063), have a property that speciﬁes availability
zones. You can use the Fn::GetAZs function (p. 2298) to get the list of all availability zones in a
region.

Constructed Values and Output Values
Parameters and mappings are an excellent way to pass or determine speciﬁc values at stack creation
time, but there can be situations where a value from a parameter or other resource attribute is only part
of the value you need. For example, in the following fragment from the WordPress template, the Fn::Join
function constructs the Target subproperty of the HealthCheck property for the ElasticLoadBalancer
resource by concatenating the WebServerPort parameter with other literal strings to form the value
needed.

Example JSON
{

"Resources": {
"ElasticLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AvailabilityZones": {
"Fn::GetAZs": ""
},
"Instances": [
{
"Ref": "Ec2Instance1"
},
{
"Ref": "Ec2Instance2"
}
],
"Listeners": [
{
"LoadBalancerPort": "80",
"InstancePort": {
"Ref": "WebServerPort"
},
"Protocol": "HTTP"
}
],
"HealthCheck": {
"Target": {
"Fn::Join": [
"",
[
"HTTP:",
{
"Ref": "WebServerPort"
},
"/"
]
]
},
"HealthyThreshold": "3",
"UnhealthyThreshold": "5",
"Interval": "30",
"Timeout": "5"
}

API Version 2010-05-15
44

AWS CloudFormation User Guide
Constructed Values and Output Values

}

}

}

}

Example YAML
Resources:
ElasticLoadBalancer:
Type: 'AWS::ElasticLoadBalancing::LoadBalancer'
Properties:
AvailabilityZones: !GetAZs ''
Instances:
- !Ref Ec2Instance1
- !Ref Ec2Instance2
Listeners:
- LoadBalancerPort: '80'
InstancePort: !Ref WebServerPort
Protocol: HTTP
HealthCheck:
Target: !Join
- ''
- - 'HTTP:'
- !Ref WebServerPort
- /
HealthyThreshold: '3'
UnhealthyThreshold: '5'
Interval: '30'
Timeout: '5'

The Fn::Join function takes two parameters, a delimiter that separates the values you want to
concatenate and an array of values in the order that you want them to appear. In the example above, the
Fn::Join function speciﬁes an empty string as the delimiter and HTTP:, the value of the WebServerPort
parameter, and a / character as the values to concatenate. If WebServerPort had a value of 8888, the
Target property would be set to the following value:
HTTP:8888/

The Fn::Join function is also useful for declaring output values for the stack. The Outputs object in
the template contains declarations for the values that you want to have available after the stack is
created. An output is a convenient way to capture important information about your resources or input
parameters. For example, in the WordPress template, we declare the following Outputs object.

Example JSON
"Outputs": {
"InstallURL": {
"Value": {
"Fn::Join": [
"",
[
"http://",
{
"Fn::GetAtt": [
"ElasticLoadBalancer",
"DNSName"
]
},
"/wp-admin/install.php"
]

API Version 2010-05-15
45

AWS CloudFormation User Guide
Next Steps
]
},
"Description": "Installation URL of the WordPress website"

}

},
"WebsiteURL": {
"Value": {
"Fn::Join": [
"",
[
"http://",
{
"Fn::GetAtt": [
"ElasticLoadBalancer",
"DNSName"
]
}
]
]
}
}

Example YAML
Outputs:
InstallURL:
Value: !Join
- ''
- - 'http://'
- !GetAtt
- ElasticLoadBalancer
- DNSName
- /wp-admin/install.php
Description: Installation URL of the WordPress website
WebsiteURL:
Value: !Join
- ''
- - 'http://'
- !GetAtt
- ElasticLoadBalancer
- DNSName

Each output value has a name, a Value attribute that contains declaration of the value returned as
the output value, and optionally a description of the value. In the previous example, InstallURL is the
string returned by a Fn::Join function call that concatenates http://, the DNS name of the resource
ElasticLoadBalancer, and /wp-admin/install.php. The output value would be similar to the following:
http://mywptests-elasticl-1gb51l6sl8y5v-206169572.us-east-2.elb.amazonaws.com/wp-admin/
install.php

In the Get Started tutorial, we used this link to conveniently go to the installation page for the
WordPress blog that we created. AWS CloudFormation generates the output values after it ﬁnishes
creating the stack. You can view output values in the Outputs tab of the AWS CloudFormation console or
by using the aws cloudformation describe-stacks command.

Next Steps
We just walked through the basic parts of a template and how to use them. You learned the following
about templates:
API Version 2010-05-15
46

AWS CloudFormation User Guide
Walkthrough: Updating a Stack

• Declaring resources and their properties
• Referencing other resources with the Ref function and resource attributes using the Fn::GetAtt
function
• Using parameters to enable users to specify values at stack creation time and using constraints to
validate parameter input
• Using mappings to determine conditional values
• Using the Fn::Join function to construct values based on parameters, resource attributes, and other
strings
• Using output values based to capture information about the stack's resources.
We didn't cover two top level objects in a template: AWSTemplateFormatVersion and Description.
AWSTemplateFormatVersion is simply the version of the template format—if you don't specify it,
AWS CloudFormation will use the latest version. The Description is any valid JSON or YAML string. This
description appears in the Specify Parameters page of the Create Stack wizard. For more information,
see Format Version (p. 165) and Description (p. 166).
Of course, there are more advanced template and stack features. Here is a list of a few important ones
that you'll want to learn more about:
Optional attributes that can be used with any resource:
• DependsOn attribute (p. 2250) enables you to specify that one resource must be created after
another.
• DeletionPolicy attribute (p. 2248) enables you to specify how AWS CloudFormation should handle the
deletion of a resource.
• Metadata (p. 2254) attribute enables you to specify structured data with a resource.
AWS::CloudFormation::Stack (p. 694) enables you to nest another stack as a resource within your
template.

Walkthrough: Updating a Stack
With AWS CloudFormation, you can update the properties for resources in your existing stacks. These
changes can range from simple conﬁguration changes, such as updating the alarm threshold on a
CloudWatch alarm, to more complex changes, such as updating the Amazon Machine Image (AMI)
running on an Amazon EC2 instance. Many of the AWS resources in a template can be updated, and we
continue to add support for more.
This section walks through a simple progression of updates of a running stack. It shows how the use
of templates makes it possible to use a version control system for the conﬁguration of your AWS
infrastructure, just as you use version control for the software you are running. We will walk through the
following steps:
1. Create the Initial Stack (p. 53)—create a stack using a base Amazon Linux AMI, installing the
Apache Web Server and a simple PHP application using the AWS CloudFormation helper scripts.
2. Update the Application (p. 54)—update one of the ﬁles in the application and deploy the software
using AWS CloudFormation.
3. Update the Instance Type (p. 56)—change the instance type of the underlying Amazon EC2
instance.
4. Update the AMI on an Amazon EC2 instance (p. 58)—change the Amazon Machine Image (AMI) for
the Amazon EC2 instance in your stack.
API Version 2010-05-15
47

AWS CloudFormation User Guide
A Simple Application

5. Add a Key Pair to an Instance (p. 59)—add an Amazon EC2 key pair to the instance, and then
update the security group to allow SSH access to the instance.
6. Change the Stack's Resources (p. 60)—add and remove resources from the stack, converting it to an
auto-scaled, load-balanced application by updating the template.

A Simple Application
We'll begin by creating a stack that we can use throughout the rest of this section. We have provided a
simple template that launches a single instance PHP web application hosted on the Apache Web Server
and running on an Amazon Linux AMI.
The Apache Web Server, PHP, and the simple PHP application are all installed by the AWS
CloudFormation helper scripts that are installed by default on the Amazon Linux AMI. The following
template snippet shows the metadata that describes the packages and ﬁles to install, in this case the
Apache Web Server and the PHP infrastructure from the Yum repository for the Amazon Linux AMI. The
snippet also shows the Services section, which ensures that the Apache Web Server is running. In the
Properties section of the Amazon EC2 instance deﬁnition, the UserData property contains the CloudInit
script that calls cfn-init to install the packages and ﬁles.

"WebServerInstance": {
"Type" : "AWS::EC2::Instance",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"config" : {
"packages" : {
"yum" : {
"httpd"
: [],
"php"
: []
}
},
"files" : {
"/var/www/html/index.php" : {
"content" : { "Fn::Join" : ["", [
"AWS CloudFormation sample PHP application';\n",
"echo '", { "Ref" : "WelcomeMessage" }, "';\n",
"?>\n"
]]},
"mode"
: "000644",
"owner"
: "apache",
"group"
: "apache"
},

},
:

}

}

"services" : {
"sysvinit" : {
"httpd"
: { "enabled" : "true", "ensureRunning" : "true" }
}
}

},

"Properties": {
:
"UserData"

: { "Fn::Base64" : { "Fn::Join" : ["", [

API Version 2010-05-15
48

AWS CloudFormation User Guide
A Simple Application
"#!/bin/bash\n",
"yum install -y aws-cfn-bootstrap\n",
:

}

"# Install the files and packages from the metadata\n",
"/opt/aws/bin/cfn-init -v ",
"
--stack ", { "Ref" : "AWS::StackName" },
"
--resource WebServerInstance ",
"
--region ", { "Ref" : "AWS::Region" }, "\n",
:
]]}}

},

The application itself is a very simple two-line "Hello, World" example that is entirely deﬁned within
the template. For a real-world application, the ﬁles may be stored on Amazon S3, GitHub, or another
repository and referenced from the template. AWS CloudFormation can download packages (such as
RPMs or RubyGems), as well as reference individual ﬁles and expand .zip and .tar ﬁles to create the
application artifacts on the Amazon EC2 instance.
The template enables and conﬁgures the cfn-hup daemon to listen for changes to the conﬁguration
deﬁned in the metadata for the Amazon EC2 instance. By using the cfn-hup daemon, you can update
application software, such as the version of Apache or PHP, or you can update the PHP application ﬁle
itself from AWS CloudFormation. The following snippet from the same Amazon EC2 resource in the
template shows the pieces necessary to conﬁgure cfn-hup to call cfn-init to update the software if any
changes to the metadata are detected:

"WebServerInstance": {
"Type" : "AWS::EC2::Instance",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"config" : {
:
"files" : {
:
"/etc/cfn/cfn-hup.conf" : {
"content" : { "Fn::Join" : ["", [
"[main]\n",
"stack=", { "Ref" : "AWS::StackName" }, "\n",
"region=", { "Ref" : "AWS::Region" }, "\n"
]]},
"mode"
: "000400",
"owner"
: "root",
"group"
: "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf" : {
"content": { "Fn::Join" : ["", [
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.WebServerInstance.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -s ", { "Ref" : "AWS::StackId" }, " -r
WebServerInstance ",
" --region
", { "Ref" : "AWS::Region" }, "\n",
"runas=root\n"
]]}
}

API Version 2010-05-15
49

AWS CloudFormation User Guide
A Simple Application
},
:

},

"Properties": {
:
"UserData"

: { "Fn::Base64" : { "Fn::Join" : ["", [

:
"# Start up the cfn-hup daemon to listen for changes to the Web Server metadata\n",
"/opt/aws/bin/cfn-hup || error_exit 'Failed to start cfn-hup'\n",

}

:
]]}}

},

To complete the stack, the template creates an Amazon EC2 security group.
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "AWS CloudFormation Sample Template: Sample template that can be used to
test EC2 updates. **WARNING** This template creates an Amazon Ec2 Instance. You will be
billed for the AWS resources used if you create a stack from this template.",
"Parameters" : {

"InstanceType" : {
"Description" : "WebServer EC2 instance type",
"Type" : "String",
"Default" : "m1.small",
"AllowedValues" : [ "t1.micro", "t2.micro", "t2.small", "t2.medium", "m1.small",
"m1.medium", "m1.large", "m1.xlarge", "m2.xlarge",
"m2.2xlarge", "m2.4xlarge", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge",
"c1.medium", "c1.xlarge", "c3.large", "c3.xlarge", "c3.2xlarge",
"c3.4xlarge", "c3.8xlarge", "g2.2xlarge", "r3.large", "r3.xlarge", "r3.2xlarge",
"r3.4xlarge", "r3.8xlarge", "i2.xlarge", "i2.2xlarge", "i2.4xlarge",
"i2.8xlarge", "hi1.4xlarge", "hs1.8xlarge", "cr1.8xlarge", "cc2.8xlarge", "cg1.4xlarge"],
"ConstraintDescription" : "must be a valid EC2 instance type."
}
},
"Mappings" : {
"AWSInstanceType2Arch" : {
"t1.micro"
: { "Arch"
"t2.micro"
: { "Arch"
"t2.small"
: { "Arch"
"t2.medium"
: { "Arch"
"m1.small"
: { "Arch"
"m1.medium"
: { "Arch"
"m1.large"
: { "Arch"
"m1.xlarge"
: { "Arch"
"m2.xlarge"
: { "Arch"
"m2.2xlarge" : { "Arch"
"m2.4xlarge" : { "Arch"
"m3.medium"
: { "Arch"
"m3.large"
: { "Arch"
"m3.xlarge"
: { "Arch"
"m3.2xlarge" : { "Arch"
"c1.medium"
: { "Arch"
"c1.xlarge"
: { "Arch"

:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:

"PV64"
"HVM64"
"HVM64"
"HVM64"
"PV64"
"PV64"
"PV64"
"PV64"
"PV64"
"PV64"
"PV64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"PV64"
"PV64"

},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},

API Version 2010-05-15
50

AWS CloudFormation User Guide
A Simple Application
"c3.large"
"c3.xlarge"
"c3.2xlarge"
"c3.4xlarge"
"c3.8xlarge"
"g2.2xlarge"
"r3.large"
"r3.xlarge"
"r3.2xlarge"
"r3.4xlarge"
"r3.8xlarge"
"i2.xlarge"
"i2.2xlarge"
"i2.4xlarge"
"i2.8xlarge"
"hi1.4xlarge"
"hs1.8xlarge"
"cr1.8xlarge"
"cc2.8xlarge"

},

:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:

{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{

"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"

:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:

"AWSRegionArch2AMI" : {
"us-east-1"
: { "PV64"
"ami-3a329952" },
"us-west-2"
: { "PV64"
"ami-47296a77" },
"us-west-1"
: { "PV64"
"ami-331b1376" },
"eu-west-1"
: { "PV64"
"ami-00913777" },
"ap-southeast-1" : { "PV64"
"ami-fabe9aa8" },
"ap-northeast-1" : { "PV64"
"ami-5dd1ff5c" },
"ap-southeast-2" : { "PV64"
"ami-e98ae9d3" },
"sa-east-1"
: { "PV64"
"NOT_SUPPORTED" },
"cn-north-1"
: { "PV64"
"NOT_SUPPORTED" },
"eu-central-1"
: { "PV64"
"ami-b03503ad" }
}
},

"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVMG2"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"

},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
}

: "ami-50842d38", "HVM64" : "ami-08842d60", "HVMG2" :
: "ami-af86c69f", "HVM64" : "ami-8786c6b7", "HVMG2" :
: "ami-c7a8a182", "HVM64" : "ami-cfa8a18a", "HVMG2" :
: "ami-aa8f28dd", "HVM64" : "ami-748e2903", "HVMG2" :
: "ami-20e1c572", "HVM64" : "ami-d6e1c584", "HVMG2" :
: "ami-21072820", "HVM64" : "ami-35072834", "HVMG2" :
: "ami-8b4724b1", "HVM64" : "ami-fd4724c7", "HVMG2" :
: "ami-9d6cc680", "HVM64" : "ami-956cc688", "HVMG2" :
: "ami-a857c591", "HVM64" : "ami-ac57c595", "HVMG2" :
: "ami-a03503bd", "HVM64" : "ami-b43503a9", "HVMG2" :

"Resources" : {
"WebServerInstance": {
"Type" : "AWS::EC2::Instance",
"Metadata" : {
"Comment" : "Install a simple
"AWS::CloudFormation::Init" :
"config" : {
"packages" : {
"yum" : {
"httpd"
:
"php"
:
}
},

PHP application",
{

[],
[]

"files" : {
"/var/www/html/index.php" : {
"content" : { "Fn::Join" : ["", [
"AWS CloudFormation sample PHP application';\n",

API Version 2010-05-15
51

AWS CloudFormation User Guide
A Simple Application
"?>\n"
]]},
"mode"
"owner"
"group"

},

: "000644",
: "apache",
: "apache"

"/etc/cfn/cfn-hup.conf" : {
"content" : { "Fn::Join" : ["", [
"[main]\n",
"stack=", { "Ref" : "AWS::StackId" }, "\n",
"region=", { "Ref" : "AWS::Region" }, "\n"
]]},
"mode"
: "000400",
"owner"
: "root",
"group"
: "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf" : {
"content": { "Fn::Join" : ["", [
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.WebServerInstance.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -s ", { "Ref" : "AWS::StackId" }, " -r
WebServerInstance ",
" --region
", { "Ref" :
"AWS::Region" }, "\n",
"runas=root\n"
]]}
}
},
"services" : {
"sysvinit" : {
"httpd"
: { "enabled" : "true", "ensureRunning" : "true" },
"cfn-hup" : { "enabled" : "true", "ensureRunning" : "true",
"files" : ["/etc/cfn/cfn-hup.conf", "/etc/cfn/hooks.d/cfn-autoreloader.conf"]}
}
}
}
}
},
"Properties": {
"ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" },
{ "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" :
"InstanceType" }, "Arch" ] } ] },
"InstanceType"
: { "Ref" : "InstanceType" },
"SecurityGroups" : [ {"Ref" : "WebServerSecurityGroup"} ],
"UserData"
: { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"yum install -y aws-cfn-bootstrap\n",
"# Install the files and packages from the metadata\n",
"/opt/aws/bin/cfn-init -v ",
"
--stack ", { "Ref" : "AWS::StackName" },
"
--resource WebServerInstance ",
"
--region ", { "Ref" : "AWS::Region" }, "\n",
"# Start up the cfn-hup daemon to listen for changes to the Web Server

metadata\n",

"/opt/aws/bin/cfn-hup || error_exit 'Failed to start cfn-hup'\n",
"# Signal the status from cfn-init\n",

API Version 2010-05-15
52

AWS CloudFormation User Guide
Create the Initial Stack
"/opt/aws/bin/cfn-signal -e $? ",
"
--stack ", { "Ref" : "AWS::StackName" },
"
--resource WebServerInstance ",
"
--region ", { "Ref" : "AWS::Region" }, "\n"

]]}}
},
"CreationPolicy" : {
"ResourceSignal" : {
"Timeout" : "PT5M"
}
}

},

"WebServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80",
"SecurityGroupIngress" : [
{"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" :
"0.0.0.0/0"}
]
}
}
},
"Outputs" : {
"WebsiteURL" : {
"Description" : "Application URL",
"Value" : { "Fn::Join" : ["", ["http://", { "Fn::GetAtt" : [ "WebServerInstance",
"PublicDnsName" ]}]] }
}
}

}

This example uses a single Amazon EC2 instance, but you can use the same mechanisms on more
complex solutions that make use of Elastic Load Balancers and Auto Scaling groups to manage a
collection of application servers. There are, however, some special considerations for Auto Scaling
groups. For more information, see Updating Auto Scaling Groups (p. 56).

Create the Initial Stack
For the purposes of this example, we’ll use the AWS Management Console to create an initial stack from
the sample template.

Warning

Completing this procedure will deploy live AWS services. You will be charged the standard usage
rates as long as these services are running.

To create the stack from the AWS Management Console
1.
2.
3.
4.

5.
6.
7.

Copy the previous template and save it locally on your system as a text ﬁle. Note the location
because you'll need to use the ﬁle in a subsequent step.
Log in to the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation .
Click Create New Stack.
In the Create New Stack wizard, on the Select Template screen, type UpdateTutorial in the
Name ﬁeld. On the same page, select Upload a template to Amazon S3 and browse to the ﬁle that
you downloaded in the ﬁrst step, and then click Next.
On the Specify Parameters screen, in the Instance Type box, type t1.micro. Then click Next.
On the Options screen, click Next.
On the Review screen, verify that all the settings are as you want them, and then click Create.
API Version 2010-05-15
53

AWS CloudFormation User Guide
Update the Application

After the status of your stack is CREATE_COMPLETE, the output tab will display the URL of your website.
If you click the value of the WebsiteURL output, you will see your new PHP application working.

Update the Application
Now that we have deployed the stack, let's update the application. We'll make a simple change to the
text that is printed out by the application. To do so, we’ll add an echo command to the index.php ﬁle as
shown in this template snippet:
"WebServerInstance": {
"Type" : "AWS::EC2::Instance",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"config" : {
:
"files" : {
"/var/www/html/index.php" : {
"content" : { "Fn::Join" : ["", [
"AWS CloudFormation sample PHP application';\n",
"echo 'Updated version via UpdateStack';\n ",
"?>\n"
]]},
"mode"
: "000644",
"owner"
: "apache",
"group"
: "apache"
},
:
}

},

Use a text editor to manually edit the template ﬁle that you saved locally.
Now, we'll update the stack.

To update the stack from the AWS Management Console
1.

Log in to the AWS CloudFormation console, at: https://console.aws.amazon.com/cloudformation.

2.

On the AWS CloudFormation dashboard, click the stack you created previously, and then click
Update Stack.

3.

In the Update Stack wizard, on the Select Template screen, select Upload a template to Amazon
S3, select the modiﬁed template, and then click Next.

4.
5.

On the Options screen, click Next.
Click Next because the stack doesn't have a stack policy. All resources can be updated without an
overriding policy.
On the Review screen, verify that all the settings are as you want them, and then click Update.

6.

If you update the stack from the AWS Management Console, you will notice that the parameters that
were used to create the initial stack are prepopulated on the Parameters page of the Update Stack
wizard. If you use the aws cloudformation update-stack command, be sure to type in the same
values for the parameters that you used originally to create the stack.
When your stack is in the UPDATE_COMPLETE state, you can click the WebsiteURL output value again
to verify that the changes to your application have taken eﬀect. By default, the cfn-hup daemon runs
API Version 2010-05-15
54

AWS CloudFormation User Guide
Update the Application

every 15 minutes, so it may take up to 15 minutes for the application to change once the stack has been
updated.
To see the set of resources that were updated, go to the AWS CloudFormation console. On the Events
tab, look at the stack events. In this particular case, the metadata for the Amazon EC2 instance
WebServerInstance was updated, which caused AWS CloudFormation to also reevaluate the other
resources (WebServerSecurityGroup) to ensure that there were no other changes. None of the other
stack resources were modiﬁed. AWS CloudFormation will update only those resources in the stack that
are aﬀected by any changes to the stack. Such changes can be direct, such as property or metadata
changes, or they can be due to dependencies or data ﬂows through Ref, GetAtt, or other intrinsic
template functions.
This simple update illustrates the process; however, you can make much more complex changes to the
ﬁles and packages that are deployed to your Amazon EC2 instances. For example, you might decide that
you need to add MySQL to the instance, along with PHP support for MySQL. To do so, simply add the
additional packages and ﬁles along with any additional services to the conﬁguration and then update the
stack to deploy the changes. In the following template snippet, the changes are highlighted in red:
"WebServerInstance": {
"Type" : "AWS::EC2::Instance",
"Metadata" : {
"Comment" : "Install a simple
"AWS::CloudFormation::Init" :
"config" : {
"packages" : {
"yum" : {
"httpd"
:
"php"
:
"php-mysql"
:
"mysql-server"
:
"mysql-libs"
:
"mysql"
:
}
},

PHP application",
{

[],
[],
[],
[],
[],
[]

:
"services" : {
"sysvinit" : {
"httpd"
: { "enabled" : "true", "ensureRunning" : "true" },
"cfn-hup" : { "enabled" : "true", "ensureRunning" : "true",
"files" : ["/etc/cfn/cfn-hup.conf", "/etc/cfn/hooks.d/cfn-autoreloader.conf"]},
"mysqld"
: { "enabled" : "true", "ensureRunning" : "true" }
}
}
}
}
},

}

"Properties": {
:
}

You can update the CloudFormation metadata to update to new versions of the packages used by the
application. In the previous examples, the version property for each package is empty, indicating that
cfn-init should install the latest version of the package.
"packages" : {
"yum" : {

API Version 2010-05-15
55

AWS CloudFormation User Guide
Changing Resource Properties

}

"httpd"
"php"

: [],
: []

You can optionally specify a version string for a package. If you change the version string in subsequent
update stack calls, the new version of the package will be deployed. Here's an example of using version
numbers for RubyGems packages. Any package that supports versioning can have speciﬁc versions.
"packages" : {
"rubygems" : {
"mysql"
"rubygems-update"
"rake"
"rails"
}
}

:
:
:
:

[],
["1.6.2"],
["0.8.7"],
["2.3.11"]

Updating Auto Scaling Groups
If you are using Auto Scaling groups in your template, as opposed to Amazon EC2 instance resources,
updating the application will work in exactly the same way; however, AWS CloudFormation does not
provide any synchronization or serialization across the Amazon EC2 instances in an Auto Scaling group.
The cfn-hup daemon on each host will run independently and update the application on its own
schedule. When you use cfn-hup to update the on-instance conﬁguration, each instance will run the cfnhup hooks on its own schedule; there is no coordination between the instances in the stack. You should
consider the following:
• If the cfn-hup changes run on all Amazon EC2 instances in the Auto Scaling group at the same time,
your service might be unavailable during the update.
• If the cfn-hup changes run at diﬀerent times, old and new versions of the software may be running at
the same.
To avoid these issues, consider forcing a rolling update on your instances in the Auto Scaling group. For
more information, see UpdatePolicy (p. 2255).

Changing Resource Properties
With AWS CloudFormation, you can change the properties of an existing resource in the stack. The
following sections describe various updates that solve speciﬁc problems; however, any property of any
resource that supports updating in the stack can be modiﬁed as necessary.

Update the Instance Type
The stack we have built so far uses a t1.micro Amazon EC2 instance. Let's suppose that your newly
created website is getting more traﬃc than a t1.micro instance can handle, and now you want to move
to an m1.small Amazon EC2 instance type. If the architecture of the instance type changes, the instance
will be created with a diﬀerent AMI. If you check out the mappings in the template, you will see that
both the t1.micro and m1.small are the same architectures and use the same Amazon Linux AMIs.
"Mappings" : {
"AWSInstanceType2Arch" : {
"t1.micro"
: { "Arch"
"t2.micro"
: { "Arch"
"t2.small"
: { "Arch"
"t2.medium"
: { "Arch"
"m1.small"
: { "Arch"

:
:
:
:
:

"PV64"
"HVM64"
"HVM64"
"HVM64"
"PV64"

},
},
},
},
},

API Version 2010-05-15
56

AWS CloudFormation User Guide
Changing Resource Properties
"m1.medium"
"m1.large"
"m1.xlarge"
"m2.xlarge"
"m2.2xlarge"
"m2.4xlarge"
"m3.medium"
"m3.large"
"m3.xlarge"
"m3.2xlarge"
"c1.medium"
"c1.xlarge"
"c3.large"
"c3.xlarge"
"c3.2xlarge"
"c3.4xlarge"
"c3.8xlarge"
"g2.2xlarge"
"r3.large"
"r3.xlarge"
"r3.2xlarge"
"r3.4xlarge"
"r3.8xlarge"
"i2.xlarge"
"i2.2xlarge"
"i2.4xlarge"
"i2.8xlarge"
"hi1.4xlarge"
"hs1.8xlarge"
"cr1.8xlarge"
"cc2.8xlarge"

},

:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:

{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{

"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"

:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:

"AWSRegionArch2AMI" : {
"us-east-1"
: { "PV64"
"ami-3a329952" },
"us-west-2"
: { "PV64"
"ami-47296a77" },
"us-west-1"
: { "PV64"
"ami-331b1376" },
"eu-west-1"
: { "PV64"
"ami-00913777" },
"ap-southeast-1" : { "PV64"
"ami-fabe9aa8" },
"ap-northeast-1" : { "PV64"
"ami-5dd1ff5c" },
"ap-southeast-2" : { "PV64"
"ami-e98ae9d3" },
"sa-east-1"
: { "PV64"
"NOT_SUPPORTED" },
"cn-north-1"
: { "PV64"
"NOT_SUPPORTED" },
"eu-central-1"
: { "PV64"
"ami-b03503ad" }
}
}

"PV64"
"PV64"
"PV64"
"PV64"
"PV64"
"PV64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"PV64"
"PV64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVMG2"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"

},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
}

: "ami-50842d38", "HVM64" : "ami-08842d60", "HVMG2" :
: "ami-af86c69f", "HVM64" : "ami-8786c6b7", "HVMG2" :
: "ami-c7a8a182", "HVM64" : "ami-cfa8a18a", "HVMG2" :
: "ami-aa8f28dd", "HVM64" : "ami-748e2903", "HVMG2" :
: "ami-20e1c572", "HVM64" : "ami-d6e1c584", "HVMG2" :
: "ami-21072820", "HVM64" : "ami-35072834", "HVMG2" :
: "ami-8b4724b1", "HVM64" : "ami-fd4724c7", "HVMG2" :
: "ami-9d6cc680", "HVM64" : "ami-956cc688", "HVMG2" :
: "ami-a857c591", "HVM64" : "ami-ac57c595", "HVMG2" :
: "ami-a03503bd", "HVM64" : "ami-b43503a9", "HVMG2" :

Let's use the template that we modiﬁed in the previous section to change the instance type. Because
InstanceType was an input parameter to the template, we don't need to modify the template; we can
simply change the value of the parameter in the Stack Update wizard, on the Specify Parameters page.

To update the stack from the AWS Management Console
1.

Log in to the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
API Version 2010-05-15
57

AWS CloudFormation User Guide
Changing Resource Properties

2.

On the AWS CloudFormation dashboard, click the stack you created previously, and then click
Update Stack.

3.

In the Update Stack wizard, on the Select Template screen, select Use current template, and then
click Next.
The Specify Details page appears with the parameters that were used to create the initial stack are
pre-populated in the Specify Parameters section.

4.

Change the value of the InstanceType text box from t1.micro to m1.small. Then, click Next.

5.

On the Options screen, click Next.

6.

Click Next because the stack doesn't have a stack policy. All resources can be updated without an
overriding policy.

7.

On the Review screen, verify that all the settings are as you want them, and then click Update.

You can dynamically change the instance type of an EBS-backed Amazon EC2 instance by starting and
stopping the instance. AWS CloudFormation tries to optimize the change by updating the instance type
and restarting the instance, so the instance ID does not change. When the instance is restarted, however,
the public IP address of the instance does change. To ensure that the Elastic IP address is bound correctly
after the change, AWS CloudFormation will also update the Elastic IP address. You can see the changes in
the AWS CloudFormation console on the Events tab.
To check the instance type from the AWS Management Console, open the Amazon EC2 console, and
locate your instance there.

Update the AMI on an Amazon EC2 instance
Now let's look at how we might change the Amazon Machine Image (AMI) running on the instance.
We will trigger the AMI change by updating the stack to use a new Amazon EC2 instance type, such as
t2.medium, which is an HVM64 instance type.
As in the previous section, we’ll use our existing template to change the instance type used by our
example stack. In the Stack Update wizard, on the Specify Parameters page, change the value of the
Instance Type.
In this case, we cannot simply start and stop the instance to modify the AMI; AWS CloudFormation
considers this a change to an immutable property of the resource. In order to make a change to an
immutable property, AWS CloudFormation must launch a replacement resource, in this case a new
Amazon EC2 instance running the new AMI.
After the new instance is running, AWS CloudFormation updates the other resources in the stack to point
to the new resource. When all new resources are created, the old resource is deleted, a process known
as UPDATE_CLEANUP. This time, you will notice that the instance ID and application URL of the instance
in the stack has changed as a result of the update. The events in the Event table contain a description
"Requested update has a change to an immutable property and hence creating a new physical resource"
to indicate that a resource was replaced.
If you have application code written into the AMI that you want to update, you can use the same stack
update mechanism to update the AMI to load your new application.

To update the AMI for an instance on your stack
1.

Create your new AMIs containing your application or operating system changes. For more
information, go to Creating Your Own AMIs in the Amazon EC2 User Guide for Linux Instances.

2.

Update your template to incorporate the new AMI IDs.

3.

Update the stack, either from the AWS Management Console as explained in Update the
Application (p. 54) or by using the AWS command aws cloudformation update-stack.
API Version 2010-05-15
58

AWS CloudFormation User Guide
Adding Resource Properties

When you update the stack, AWS CloudFormation detects that the AMI ID has changed, and then it
triggers a stack update in the same way as we triggered the one above.

Update the Amazon EC2 Launch Conﬁguration for an Auto
Scaling Group
If you are using Auto Scaling groups rather than Amazon EC2 instances, the process of updating the
running instances is a little diﬀerent. With Auto Scaling resources, the conﬁguration of the Amazon
EC2 instances, such as the instance type or the AMI ID is encapsulated in the Auto Scaling launch
conﬁguration. You can make changes to the launch conﬁguration in the same way as we made
changes to the Amazon EC2 instance resources in the previous sections. However, changing the launch
conﬁguration does not impact any of the running Amazon EC2 instances in the Auto Scaling group. An
updated launch conﬁguration applies only to new instances that are created after the update.
If you want to propagate the change to your launch conﬁguration across all the instances in your Auto
Scaling group, you can use an update attribute. For more information, see UpdatePolicy (p. 2255).

Adding Resource Properties
So far, we've looked at changing existing properties of a resource in a template. You can also add
properties that were not originally speciﬁed in the template. To illustrate that, we’ll add an Amazon EC2
key pair to an existing EC2 instance and then open up port 22 in the Amazon EC2 Security Group so that
you can use Secure Shell (SSH) to access the instance.

Add a Key Pair to an Instance
To add SSH access to an existing Amazon EC2 instance
1.

Add two additional parameters to the template to pass in the name of an existing Amazon EC2 key
pair and SSH location.
"Parameters" : {
"KeyName" : {
"Description" : "Name of an existing Amazon EC2 key pair for SSH access",
"Type": "AWS::EC2::KeyPair::KeyName"
},
"SSHLocation" : {
"Description" : " The IP address range that can be used to SSH to the EC2
instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
}
:
},

2.

Add the KeyName property to the Amazon EC2 instance.
"WebServerInstance": {
"Type" : "AWS::EC2::Instance",
:
"Properties": {
:
"KeyName" : { "Ref" : "KeyName" },
:

API Version 2010-05-15
59

AWS CloudFormation User Guide
Change the Stack's Resources
}
},

3.

Add port 22 and the SSH location to the ingress rules for the Amazon EC2 security group.
"WebServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable HTTP and SSH",
"SecurityGroupIngress" : [
{"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" :
{ "Ref" : "SSHLocation"}},
{"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" :
"0.0.0.0/0"}
]
}
},

4.

Update the stack, either from the AWS Management Console as explained in Update the
Application (p. 54) or by using the AWS command aws cloudformation update-stack.

Change the Stack's Resources
Since application needs can change over time, AWS CloudFormation allows you to change the set of
resources that make up the stack. To demonstrate, we’ll take the single instance application from Adding
Resource Properties (p. 59) and convert it to an auto-scaled, load-balanced application by updating
the stack.
This will create a simple, single instance PHP application using an Elastic IP address. We'll now turn the
application into a highly available, auto-scaled, load balanced application by changing its resources
during an update.
1.

Add an Elastic Load Balancer resource.
"ElasticLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"CrossZone" : "true",
"AvailabilityZones" : { "Fn::GetAZs" : "" },
"LBCookieStickinessPolicy" : [ {
"PolicyName" : "CookieBasedPolicy",
"CookieExpirationPeriod" : "30"
} ],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP",
"PolicyNames" : [ "CookieBasedPolicy" ]
} ],
"HealthCheck" : {
"Target" : "HTTP:80/",
"HealthyThreshold" : "2",
"UnhealthyThreshold" : "5",
"Interval" : "10",
"Timeout" : "5"
}
}
}

2.

Convert the EC2 instance in the template into an Auto Scaling Launch Conﬁguration. The properties
are identical, so we only need to change the type name from:
API Version 2010-05-15
60

AWS CloudFormation User Guide
Change the Stack's Resources

"WebServerInstance": {
"Type" : "AWS::EC2::Instance",

to:

"LaunchConfig": {
"Type" : "AWS::AutoScaling::LaunchConfiguration",

For clarity in the template, we changed the name of the resource from WebServerInstance to
LaunchConﬁg, so you’ll need to update the resource name referenced by cfn-init and cfn-hup (just
search for WebServerInstance and replace it with LaunchConﬁg, except for cfn-signal). For cfnsignal, you'll need to signal the Auto Scaling group (WebServerGroup) not the instance, as shown in
the following snippet:
"# Signal the status from cfn-init\n",
"/opt/aws/bin/cfn-signal -e $? ",
"
--stack ", { "Ref" : "AWS::StackName" },
"
--resource WebServerGroup ",
"
--region ", { "Ref" : "AWS::Region" }, "\n"

3.

Add an Auto Scaling Group resource.
"WebServerGroup" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : "" },
"LaunchConfigurationName" : { "Ref" : "LaunchConfig" },
"MinSize" : "1",
"DesiredCapacity" : "1",
"MaxSize" : "5",
"LoadBalancerNames" : [ { "Ref" : "ElasticLoadBalancer" } ]
},
"CreationPolicy" : {
"ResourceSignal" : {
"Timeout" : "PT15M"
}
},
"UpdatePolicy": {
"AutoScalingRollingUpdate": {
"MinInstancesInService": "1",
"MaxBatchSize": "1",
"PauseTime" : "PT15M",
"WaitOnResourceSignals": "true"
}
}
}

4.

Update the Security Group deﬁnition to lock down the traﬃc to the instances from the load
balancer.
"WebServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80 locked down to the ELB and
SSH access",
"SecurityGroupIngress" : [

API Version 2010-05-15
61

AWS CloudFormation User Guide
Change the Stack's Resources
{"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80",
"SourceSecurityGroupOwnerId" : {"Fn::GetAtt" : ["ElasticLoadBalancer",
"SourceSecurityGroup.OwnerAlias"]},
"SourceSecurityGroupName" : {"Fn::GetAtt" : ["ElasticLoadBalancer",
"SourceSecurityGroup.GroupName"]}},
{"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" :
{ "Ref" : "SSHLocation"}}
]
}
}

5.

Update the Outputs to return the DNS Name of the Elastic Load Balancer as the location of the
application from:

"WebsiteURL" : {
"Value" : { "Fn::Join" : ["", ["http://",
{ "Fn::GetAtt" : [ "WebServerInstance", "PublicDnsName" ]}]]},
"Description" : "Application URL"
}

to:

"WebsiteURL" : {
"Value" : { "Fn::Join" : ["", ["http://",
{ "Fn::GetAtt" : [ "ElasticLoadBalancer", "DNSName" ]}]]},
"Description" : "Application URL"
}

For reference, the follow sample shows the complete template. If you use this template to update the
stack, you will convert your simple, single instance application into a highly available, multi-AZ, autoscaled and load balanced application. Only the resources that need to be updated will be altered, so had
there been any data stores for this application, the data would have remained intact. Now, you can use
AWS CloudFormation to grow or enhance your stacks as your requirements change.
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "AWS CloudFormation Sample Template: Sample template that can be used to
test EC2 updates. **WARNING** This template creates an Amazon Ec2 Instance. You will be
billed for the AWS resources used if you create a stack from this template.",
"Parameters" : {
"KeyName": {
"Description" : "Name of an existing EC2 KeyPair to enable SSH access to the
instance",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription" : "must be the name of an existing EC2 KeyPair."
},
"SSHLocation" : {
"Description" : " The IP address range that can be used to SSH to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},

API Version 2010-05-15
62

AWS CloudFormation User Guide
Change the Stack's Resources

"InstanceType" : {
"Description" : "WebServer EC2 instance type",
"Type" : "String",
"Default" : "m1.small",
"AllowedValues" : [ "t1.micro", "t2.micro", "t2.small", "t2.medium", "m1.small",
"m1.medium", "m1.large", "m1.xlarge", "m2.xlarge",
"m2.2xlarge", "m2.4xlarge", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge",
"c1.medium", "c1.xlarge", "c3.large", "c3.xlarge", "c3.2xlarge",
"c3.4xlarge", "c3.8xlarge", "g2.2xlarge", "r3.large", "r3.xlarge", "r3.2xlarge",
"r3.4xlarge", "r3.8xlarge", "i2.xlarge", "i2.2xlarge", "i2.4xlarge",
"i2.8xlarge", "hi1.4xlarge", "hs1.8xlarge", "cr1.8xlarge", "cc2.8xlarge", "cg1.4xlarge"],
"ConstraintDescription" : "must be a valid EC2 instance type."
}
},
"Mappings" : {
"AWSInstanceType2Arch" : {
"t1.micro"
: { "Arch"
"t2.micro"
: { "Arch"
"t2.small"
: { "Arch"
"t2.medium"
: { "Arch"
"m1.small"
: { "Arch"
"m1.medium"
: { "Arch"
"m1.large"
: { "Arch"
"m1.xlarge"
: { "Arch"
"m2.xlarge"
: { "Arch"
"m2.2xlarge" : { "Arch"
"m2.4xlarge" : { "Arch"
"m3.medium"
: { "Arch"
"m3.large"
: { "Arch"
"m3.xlarge"
: { "Arch"
"m3.2xlarge" : { "Arch"
"c1.medium"
: { "Arch"
"c1.xlarge"
: { "Arch"
"c3.large"
: { "Arch"
"c3.xlarge"
: { "Arch"
"c3.2xlarge" : { "Arch"
"c3.4xlarge" : { "Arch"
"c3.8xlarge" : { "Arch"
"g2.2xlarge" : { "Arch"
"r3.large"
: { "Arch"
"r3.xlarge"
: { "Arch"
"r3.2xlarge" : { "Arch"
"r3.4xlarge" : { "Arch"
"r3.8xlarge" : { "Arch"
"i2.xlarge"
: { "Arch"
"i2.2xlarge" : { "Arch"
"i2.4xlarge" : { "Arch"
"i2.8xlarge" : { "Arch"
"hi1.4xlarge" : { "Arch"
"hs1.8xlarge" : { "Arch"
"cr1.8xlarge" : { "Arch"
"cc2.8xlarge" : { "Arch"
},

:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:

"AWSRegionArch2AMI" : {
"us-east-1"
: { "PV64"
"ami-3a329952" },
"us-west-2"
: { "PV64"
"ami-47296a77" },
"us-west-1"
: { "PV64"
"ami-331b1376" },
"eu-west-1"
: { "PV64"
"ami-00913777" },

"PV64"
"HVM64"
"HVM64"
"HVM64"
"PV64"
"PV64"
"PV64"
"PV64"
"PV64"
"PV64"
"PV64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"PV64"
"PV64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVMG2"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"

},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
}

: "ami-50842d38", "HVM64" : "ami-08842d60", "HVMG2" :
: "ami-af86c69f", "HVM64" : "ami-8786c6b7", "HVMG2" :
: "ami-c7a8a182", "HVM64" : "ami-cfa8a18a", "HVMG2" :
: "ami-aa8f28dd", "HVM64" : "ami-748e2903", "HVMG2" :

API Version 2010-05-15
63

AWS CloudFormation User Guide
Change the Stack's Resources
"ap-southeast-1"
"ami-fabe9aa8" },
"ap-northeast-1"
"ami-5dd1ff5c" },
"ap-southeast-2"
"ami-e98ae9d3" },
"sa-east-1"
"NOT_SUPPORTED" },
"cn-north-1"
"NOT_SUPPORTED" },
"eu-central-1"
"ami-b03503ad" }
}
},

: { "PV64" : "ami-20e1c572", "HVM64" : "ami-d6e1c584", "HVMG2" :
: { "PV64" : "ami-21072820", "HVM64" : "ami-35072834", "HVMG2" :
: { "PV64" : "ami-8b4724b1", "HVM64" : "ami-fd4724c7", "HVMG2" :
: { "PV64" : "ami-9d6cc680", "HVM64" : "ami-956cc688", "HVMG2" :
: { "PV64" : "ami-a857c591", "HVM64" : "ami-ac57c595", "HVMG2" :
: { "PV64" : "ami-a03503bd", "HVM64" : "ami-b43503a9", "HVMG2" :

"Resources" : {
"ElasticLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"CrossZone" : "true",
"AvailabilityZones" : { "Fn::GetAZs" : "" },
"LBCookieStickinessPolicy" : [ {
"PolicyName" : "CookieBasedPolicy",
"CookieExpirationPeriod" : "30"
} ],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP",
"PolicyNames" : [ "CookieBasedPolicy" ]
} ],
"HealthCheck" : {
"Target" : "HTTP:80/",
"HealthyThreshold" : "2",
"UnhealthyThreshold" : "5",
"Interval" : "10",
"Timeout" : "5"
}
}
},
"WebServerGroup" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : "" },
"LaunchConfigurationName" : { "Ref" : "LaunchConfig" },
"MinSize" : "1",
"DesiredCapacity" : "1",
"MaxSize" : "5",
"LoadBalancerNames" : [ { "Ref" : "ElasticLoadBalancer" } ]
},
"CreationPolicy" : {
"ResourceSignal" : {
"Timeout" : "PT15M"
}
},
"UpdatePolicy": {
"AutoScalingRollingUpdate": {
"MinInstancesInService": "1",
"MaxBatchSize": "1",
"PauseTime" : "PT15M",
"WaitOnResourceSignals": "true"
}
}
},

API Version 2010-05-15
64

AWS CloudFormation User Guide
Change the Stack's Resources

"LaunchConfig": {
"Type" : "AWS::AutoScaling::LaunchConfiguration",
"Metadata" : {
"Comment" : "Install a simple PHP application",
"AWS::CloudFormation::Init" : {
"config" : {
"packages" : {
"yum" : {
"httpd"
: [],
"php"
: []
}
},
"files" : {
"/var/www/html/index.php" : {
"content" : { "Fn::Join" : ["", [
"AWS CloudFormation sample PHP application';\n",
"echo 'Updated version via UpdateStack';\n ",
"?>\n"
]]},
"mode"
: "000644",
"owner"
: "apache",
"group"
: "apache"
},
"/etc/cfn/cfn-hup.conf" : {
"content" : { "Fn::Join" : ["", [
"[main]\n",
"stack=", { "Ref" : "AWS::StackId" }, "\n",
"region=", { "Ref" : "AWS::Region" }, "\n"
]]},
"mode"
: "000400",
"owner"
: "root",
"group"
: "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf" : {
"content": { "Fn::Join" : ["", [
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.LaunchConfig.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -s ", { "Ref" : "AWS::StackId" }, " -r
LaunchConfig ",
" --region
", { "Ref" :
"AWS::Region" }, "\n",
"runas=root\n"
]]}
}
},
"services" : {
"sysvinit" : {
"httpd"
: { "enabled" : "true", "ensureRunning" : "true" },
"cfn-hup" : { "enabled" : "true", "ensureRunning" : "true",
"files" : ["/etc/cfn/cfn-hup.conf", "/etc/cfn/hooks.d/cfn-autoreloader.conf"]}
}
}
}
}
},

API Version 2010-05-15
65

AWS CloudFormation User Guide
Availability and Impact Considerations
"Properties": {
"ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" },
{ "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" :
"InstanceType" }, "Arch" ] } ] },
"InstanceType"
: { "Ref" : "InstanceType" },
"KeyName"
: { "Ref" : "KeyName" },
"SecurityGroups" : [ {"Ref" : "WebServerSecurityGroup"} ],
"UserData"
: { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"yum install -y aws-cfn-bootstrap\n",
"# Install the files and packages from the metadata\n",
"/opt/aws/bin/cfn-init -v ",
"
--stack ", { "Ref" : "AWS::StackName" },
"
--resource LaunchConfig ",
"
--region ", { "Ref" : "AWS::Region" }, "\n",
"# Start up the cfn-hup daemon to listen for changes to the Web Server

metadata\n",

"/opt/aws/bin/cfn-hup || error_exit 'Failed to start cfn-hup'\n",

}

]]}}

"# Signal the status from cfn-init\n",
"/opt/aws/bin/cfn-signal -e $? ",
"
--stack ", { "Ref" : "AWS::StackName" },
"
--resource WebServerGroup ",
"
--region ", { "Ref" : "AWS::Region" }, "\n"

},

"WebServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80 locked down to the ELB and SSH
access",
"SecurityGroupIngress" : [
{"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80",
"SourceSecurityGroupOwnerId" : {"Fn::GetAtt" : ["ElasticLoadBalancer",
"SourceSecurityGroup.OwnerAlias"]},"SourceSecurityGroupName" : {"Fn::GetAtt" :
["ElasticLoadBalancer", "SourceSecurityGroup.GroupName"]}},
{"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : { "Ref" :
"SSHLocation"}}
]
}
}
},
"Outputs" : {
"WebsiteURL" : {
"Description" : "Application URL",
"Value" : { "Fn::Join" : ["", ["http://", { "Fn::GetAtt" : [ "ElasticLoadBalancer",
"DNSName" ]}]] }
}
}

}

Availability and Impact Considerations
Diﬀerent properties have diﬀerent impacts on the resources in the stack. You can use AWS
CloudFormation to update any property; however, before you make any changes, you should consider
these questions:

API Version 2010-05-15
66

AWS CloudFormation User Guide
Related Resources

1. How does the update aﬀect the resource itself? For example, updating an alarm threshold will render
the alarm inactive during the update. As we have seen, changing the instance type requires that the
instance be stopped and restarted. AWS CloudFormation uses the Update or Modify actions for the
underlying resources to make changes to resources. To understand the impact of updates, you should
check the documentation for the speciﬁc resources.
2. Is the change mutable or immutable? Some changes to resource properties, such as changing
the AMI on an Amazon EC2 instance, are not supported by the underlying services. In the case of
mutable changes, AWS CloudFormation will use the Update or Modify type APIs for the underlying
resources. For immutable property changes, AWS CloudFormation will create new resources with
the updated properties and then link them to the stack before deleting the old resources. Although
AWS CloudFormation tries to reduce the down time of the stack resources, replacing a resource is a
multistep process, and it will take time. During stack reconﬁguration, your application will not be fully
operational. For example, it may not be able to serve requests or access a database.

Related Resources
For more information about using AWS CloudFormation to start applications and on integrating with
other conﬁguration and deployment services such as Puppet and Opscode Chef, see the following
whitepapers:
• Bootstrapping Applications via AWS CloudFormation
• Integrating AWS CloudFormation with Opscode Chef
• Integrating AWS CloudFormation with Puppet
The template used throughout this section is a "Hello, World" PHP application. The template library
also has an Amazon ElastiCache sample template that shows how to integrate a PHP application with
ElasticCache using cfn-hup and cfn-init to respond to changes in the Amazon ElastiCache Cache Cluster
conﬁguration, all of which can be performed by Update Stack.

API Version 2010-05-15
67

AWS CloudFormation User Guide
Organize Your Stacks By Lifecycle and Ownership

AWS CloudFormation Best Practices
Best practices are recommendations that can help you use AWS CloudFormation more eﬀectively and
securely throughout its entire workﬂow. Learn how to plan and organize your stacks, create templates
that describe your resources and the software applications that run on them, and manage your stacks
and their resources. The following best practices are based on real-world experience from current AWS
CloudFormation customers.
Planning and organizing
• Organize Your Stacks By Lifecycle and Ownership (p. 68)
• Use Cross-Stack References to Export Shared Resources (p. 69)
• Use IAM to Control Access (p. 69)
• Reuse Templates to Replicate Stacks in Multiple Environments (p. 70)
• Verify Quotas for All Resource Types (p. 69)
• Use Nested Stacks to Reuse Common Template Patterns (p. 70)
Creating templates
• Do Not Embed Credentials in Your Templates (p. 70)
• Use AWS-Speciﬁc Parameter Types (p. 70)
• Use Parameter Constraints (p. 71)
• Use AWS::CloudFormation::Init to Deploy Software Applications on Amazon EC2
Instances (p. 71)
• Use the Latest Helper Scripts (p. 71)
• Validate Templates Before Using Them (p. 71)
Managing stacks
• Manage All Stack Resources Through AWS CloudFormation (p. 72)
• Create Change Sets Before Updating Your Stacks (p. 72)
• Use Stack Policies (p. 72)
• Use AWS CloudTrail to Log AWS CloudFormation Calls (p. 72)
• Use Code Reviews and Revision Controls to Manage Your Templates (p. 73)
• Update Your Amazon EC2 Linux Instances Regularly (p. 73)

Organize Your Stacks By Lifecycle and Ownership
Use the lifecycle and ownership of your AWS resources to help you decide what resources should go
in each stack. Normally, you might put all your resources in one stack, but as your stack grows in scale
and broadens in scope, managing a single stack can be cumbersome and time consuming. By grouping
resources with common lifecycles and ownership, owners can make changes to their set of resources by
using their own process and schedule without aﬀecting other resources.
For example, imagine a team of developers and engineers who own a website that is hosted on
autoscaling instances behind a load balancer. Because the website has its own lifecycle and is maintained
by the website team, you can create a stack for the website and its resources. Now imagine that the
website also uses back-end databases, where the databases are in a separate stack that are owned and
maintained by database administrators. Whenever the website team or database team needs to update
API Version 2010-05-15
68

AWS CloudFormation User Guide
Use Cross-Stack References to Export Shared Resources

their resources, they can do so without aﬀecting each other's stack. If all resources were in a single stack,
coordinating and communicating updates can be diﬃcult.
For additional guidance about organizing your stacks, you can use two common frameworks: a multilayered architecture and service-oriented architecture (SOA).
A layered architecture organizes stacks into multiple horizontal layers that build on top of one another,
where each layer has a dependency on the layer directly below it. You can have one or more stacks in
each layer, but within each layer, your stacks should have AWS resources with similar lifecycles and
ownership.
With a service-oriented architecture, you can organize big business problems into manageable parts.
Each of these parts is a service that has a clearly deﬁned purpose and represents a self-contained unit of
functionality. You can map these services to a stack, where each stack has its own lifecycle and owners.
All of these services (stacks) can be wired together so that they can interact with one another.

Use Cross-Stack References to Export Shared
Resources
When you organize your AWS resources based on lifecycle and ownership, you might want to build a
stack that uses resources that are in another stack. You can hard-code values or use input parameters
to pass resource names and IDs. However, these methods can make templates diﬃcult to reuse or can
increase the overhead to get a stack running. Instead, use cross-stack references to export resources from
a stack so that other stacks can use them. Stacks can use the exported resources by calling them using
the Fn::ImportValue function.
For example, you might have a network stack that includes a VPC, a security group, and a subnet. You
want all public web applications to use these resources. By exporting the resources, you allow all stacks
with public web applications to use them. For more information, see Walkthrough: Refer to Resource
Outputs in Another AWS CloudFormation Stack (p. 248).

Use IAM to Control Access
IAM is an AWS service that you can use to manage users and their permissions in AWS. You can use
IAM with AWS CloudFormation to specify what AWS CloudFormation actions users can perform, such
as viewing stack templates, creating stacks, or deleting stacks. Furthermore, anyone managing AWS
CloudFormation stacks will require permissions to resources within those stacks. For example, if users
want to use AWS CloudFormation to launch, update, or terminate Amazon EC2 instances, they must have
permission to call the relevant Amazon EC2 actions.
In most cases, users require full access to manage all of the resources in a template. AWS
CloudFormation makes calls to create, modify, and delete those resources on their behalf. To
separate permissions between a user and the AWS CloudFormation service, use a service role. AWS
CloudFormation uses the service role's policy to make calls instead of the user's policy. For more
information, see AWS CloudFormation Service Role (p. 17).

Verify Quotas for All Resource Types
Before launching a stack, ensure that you can create all the resources that you want without hitting
your AWS account limits. If you hit a limit, AWS CloudFormation won't create your stack successfully
until you increase your quota or delete extra resources. Each service can have various limits that you
API Version 2010-05-15
69

AWS CloudFormation User Guide
Reuse Templates to Replicate
Stacks in Multiple Environments

should be aware of before launching a stack. For example, by default, you can only launch 200 AWS
CloudFormation stacks per region in your AWS account. For more information about limits and how to
increase the default limits, see AWS Service Limits in the AWS General Reference.

Reuse Templates to Replicate Stacks in Multiple
Environments
After you have your stacks and resources set up, you can reuse your templates to replicate your
infrastructure in multiple environments. For example, you can create environments for development,
testing, and production so that you can test changes before implementing them into production. To
make templates reusable, use the parameters, mappings, and conditions sections so that you can
customize your stacks when you create them. For example, for your development environments,
you can specify a lower-cost instance type compared to your production environment, but all other
conﬁgurations and settings remain the same. For more information about parameters, mappings, and
conditions, see Template Anatomy (p. 163).

Use Nested Stacks to Reuse Common Template
Patterns
As your infrastructure grows, common patterns can emerge in which you declare the same components
in each of your templates. You can separate out these common components and create dedicated
templates for them. That way, you can mix and match diﬀerent templates but use nested stacks to create
a single, uniﬁed stack. Nested stacks are stacks that create other stacks. To create nested stacks, use the
AWS::CloudFormation::Stack (p. 694) resource in your template to reference other templates.
For example, assume that you have a load balancer conﬁguration that you use for most of your stacks.
Instead of copying and pasting the same conﬁgurations into your templates, you can create a dedicated
template for the load balancer. Then, you just use the AWS::CloudFormation::Stack (p. 694) resource to
reference that template from within other templates. If the load balancer template is updated, any stack
that is referencing it will use the updated load balancer (only after you update the stack). In addition
to simplifying updates, this approach lets you use experts to create and maintain components that you
might not be necessarily familiar with. All you need to do is reference their templates.

Do Not Embed Credentials in Your Templates
Rather than embedding sensitive information in your AWS CloudFormation templates, use input
parameters to pass in information whenever you create or update a stack. If you do, make sure to use the
NoEcho property to obfuscate the parameter value.
For example, suppose your stack creates a new database instance. When the database is created,
AWS CloudFormation needs to pass a database administrator password. You can pass in a password
by using an input parameter instead of embedding it in your template. For more information, see
Parameters (p. 167).

Use AWS-Speciﬁc Parameter Types
If your template requires inputs for existing AWS-speciﬁc values, such as existing Amazon Virtual Private
Cloud IDs or an Amazon EC2 key pair name, use AWS-speciﬁc parameter types. For example, you can
API Version 2010-05-15
70

AWS CloudFormation User Guide
Use Parameter Constraints

specify a parameter as type AWS::EC2::KeyPair::KeyName, which takes an existing key pair name
that is in your AWS account and in the region where you are creating the stack. AWS CloudFormation
can quickly validate values for AWS-speciﬁc parameter types before creating your stack. Also, if you use
the AWS CloudFormation console, AWS CloudFormation shows a drop-down list of valid values, so you
don't have to look up or memorize the correct VPC IDs or key pair names. For more information, see
Parameters (p. 167).

Use Parameter Constraints
With constraints, you can describe allowed input values so that AWS CloudFormation catches any invalid
values before creating a stack. You can set constraints such as a minimum length, maximum length, and
allowed patterns. For example, you can set constraints on a database user name value so that it must be
a minimum length of eight character and contain only alpha-numeric characters. For more information,
see Parameters (p. 167).

Use AWS::CloudFormation::Init to Deploy Software
Applications on Amazon EC2 Instances
When you launch stacks, you can install and conﬁgure software applications on Amazon EC2 instances
by using the cfn-init helper script and the AWS::CloudFormation::Init resource. By using
AWS::CloudFormation::Init, you can describe the conﬁgurations that you want rather than
scripting procedural steps. You can also update conﬁgurations without recreating instances. And if
anything goes wrong with your conﬁguration, AWS CloudFormation generates logs that you can use to
investigate issues.
In your template, specify installation and conﬁguration states in the
AWS::CloudFormation::Init (p. 677) resource. For a walkthrough that shows how to use cfninit and AWS::CloudFormation::Init, see Deploying Applications on Amazon EC2 with AWS
CloudFormation (p. 260).

Use the Latest Helper Scripts
The helper scripts (p. 2324) are updated periodically. Be sure you include the following command in the
UserData property of your template before you call the helper scripts to ensure that your launched
instances get the latest helper scripts:
yum install -y aws-cfn-bootstrap

For more information about getting the latest helper scripts, see the CloudFormation Helper Scripts
Reference (p. 2324).

Validate Templates Before Using Them
Before you use a template to create or update a stack, you can use AWS CloudFormation to validate
it. Validating a template can help you catch syntax and some semantic errors, such as circular
dependencies, before AWS CloudFormation creates any resources. If you use the AWS CloudFormation
console, the console automatically validates the template after you specify input parameters. For the
API Version 2010-05-15
71

AWS CloudFormation User Guide
Manage All Stack Resources Through AWS CloudFormation

AWS CLI or AWS CloudFormation API, use the aws cloudformation validate-template command or
ValidateTemplate action.
During validation, AWS CloudFormation ﬁrst checks if the template is valid JSON. If it isn't, AWS
CloudFormation checks if the template is valid YAML. If both checks fail, AWS CloudFormation returns a
template validation error.

Manage All Stack Resources Through AWS
CloudFormation
After you launch a stack, use the AWS CloudFormation console, API, or AWS CLI to update resources
in your stack. Do not make changes to stack resources outside of AWS CloudFormation. Doing so can
create a mismatch between your stack's template and the current state of your stack resources, which
can cause errors if you update or delete the stack. For more information, see Walkthrough: Updating a
Stack (p. 47).

Create Change Sets Before Updating Your Stacks
Change sets allow you to see how proposed changes to a stack might impact your running resources
before you implement them. AWS CloudFormation doesn't make any changes to your stack until you
execute the change set, allowing you to decide whether to proceed with your proposed changes or create
another change set.
Use change sets to check how your changes might impact your running resources, especially for
critical resources. For example, if you change the name of an Amazon RDS database instance, AWS
CloudFormation will create a new database and delete the old one; you will lose the data in the old
database unless you've already backed it up. If you generate a change set, you will see that your change
will replace your database. This can help you plan before you update your stack. For more information,
see Updating Stacks Using Change Sets (p. 122).

Use Stack Policies
Stack policies help protect critical stack resources from unintentional updates that could cause resources
to be interrupted or even replaced. A stack policy is a JSON document that describes what update
actions can be performed on designated resources. Specify a stack policy whenever you create a stack
that has critical resources.
During a stack update, you must explicitly specify the protected resources that you want to update;
otherwise, no changes are made to protected resources. For more information, see Prevent Updates to
Stack Resources (p. 141).

Use AWS CloudTrail to Log AWS CloudFormation
Calls
AWS CloudTrail tracks anyone making AWS CloudFormation API calls in your AWS account. API calls
are logged whenever anyone uses the AWS CloudFormation API, the AWS CloudFormation console,
a back-end console, or AWS CloudFormation AWS CLI commands. Enable logging and specify an
API Version 2010-05-15
72

AWS CloudFormation User Guide
Use Code Reviews and Revision
Controls to Manage Your Templates

Amazon S3 bucket to store the logs. That way, if you ever need to, you can audit who made what AWS
CloudFormation call in your account. For more information, see Logging AWS CloudFormation API Calls
with AWS CloudTrail (p. 17).

Use Code Reviews and Revision Controls to
Manage Your Templates
Your stack templates describe the conﬁguration of your AWS resources, such as their property values. To
review changes and to keep an accurate history of your resources, use code reviews and revision controls.
These methods can help you track changes between diﬀerent versions of your templates, which can help
you track changes to your stack resources. Also, by maintaining a history, you can always revert your
stack to a certain version of your template.

Update Your Amazon EC2 Linux Instances
Regularly
On all your Amazon EC2 Linux instances and Amazon EC2 Linux instances created with AWS
CloudFormation, regularly run the yum update command to update the RPM package. This ensures that
you get the latest ﬁxes and security updates.

API Version 2010-05-15
73

AWS CloudFormation User Guide
Walkthrough: Building a Pipeline
for Test and Production Stacks

Continuous Delivery with AWS
CodePipeline
Continuous delivery is a release practice in which code changes are automatically built, tested, and
prepared for release to production. With AWS CloudFormation and AWS CodePipeline, you can use
continuous delivery to automatically build and test changes to your AWS CloudFormation templates
before promoting them to production stacks. This release process lets you rapidly and reliably make
changes to your AWS infrastructure.
For example, you can create a workﬂow that automatically builds a test stack when you submit an
updated template to a code repository. After AWS CloudFormation builds the test stack, you can test
it and then decide whether to push the changes to a production stack. For more information about the
beneﬁts of continuous delivery, see What is Continuous Delivery?.
Use AWS CodePipeline to build a continuous delivery workﬂow by building a pipeline for AWS
CloudFormation stacks. AWS CodePipeline has built-in integration with AWS CloudFormation, so you can
specify AWS CloudFormation-speciﬁc actions, such as creating, updating, or deleting a stack, within a
pipeline. For more information about AWS CodePipeline, see the AWS CodePipeline User Guide.
Topics
• Walkthrough: Building a Pipeline for Test and Production Stacks (p. 74)
• AWS CloudFormation Conﬁguration Properties Reference (p. 81)
• AWS CloudFormation Artifacts (p. 85)
• Using Parameter Override Functions with AWS CodePipeline Pipelines (p. 86)

Walkthrough: Building a Pipeline for Test and
Production Stacks
Imagine a release process where you submit an AWS CloudFormation template, which AWS
CloudFormation then uses to automatically build a test stack. After you review the test stack, you can
preview how your changes will modify your production stack, and then choose whether to implement
them. To accomplish this workﬂow, you could use AWS CloudFormation to build your test stack, delete
the test stack, create a change set, and then execute the change set. However, with each action, you need
to manually interact with AWS CloudFormation. In this walkthrough, we'll build an AWS CodePipeline
pipeline that automates many of these actions, helping you achieve a continuous delivery workﬂow with
your AWS CloudFormation stacks.

Prerequisites
This walkthrough assumes that you have used AWS CodePipeline and AWS CloudFormation, and know
how pipelines and AWS CloudFormation templates and stacks work. For more information about AWS
CodePipeline, see the AWS CodePipeline User Guide. You also need to have an Amazon S3 bucket in the
same AWS region in which you will create your pipeline.

Important

The sample Word Press template creates an EC2 instance that requires a connection to the
Internet. Check that you have a default VPC and subnet that allow traﬃc to the Internet.
API Version 2010-05-15
74

AWS CloudFormation User Guide
Walkthrough Overview

Walkthrough Overview
This walkthrough builds a pipeline for a sample WordPress site in a stack. The pipeline is separated
into three stages. Each stage must contain at least one action, which is a task the pipeline performs on
your artifacts (your input). A stage organizes actions in a pipeline. AWS CodePipeline must complete all
actions in a stage before the stage processes new artifacts, for example, if you submitted new input to
rerun the pipeline.
By the end of this walkthrough, you'll have a pipeline that performs the following workﬂow:
1. The ﬁrst stage of the pipeline retrieves a source artifact (an AWS CloudFormation template and its
conﬁguration ﬁles) from a repository.
You'll prepare an artifact that includes a sample WordPress template and upload it to an S3 bucket.
2. In the second stage, the pipeline creates a test stack and then waits for your approval.
After you review the test stack, you can choose to continue with the original pipeline or create and
submit another artifact to make changes. If you approve, this stage deletes the test stack, and then
the pipeline continues to the next stage.
3. In the third stage, the pipeline creates a change set against a production stack, and then waits for your
approval.
In your initial run, you won't have a production stack. The change set shows you all of the resources
that AWS CloudFormation will create. If you approve, this stage executes the change set and builds
your production stack.

Note

AWS CloudFormation is a free service. However, you are charged for the AWS resources, such
as the EC2 instance, that you include in your stack at the current rate for each. For more
information about AWS pricing, see the detail page for each product at http://aws.amazon.com.

Step 1: Edit the Artifact and Upload It to an S3
Bucket
Before you build your pipeline, you must set up your source repository and ﬁles. AWS CodePipeline
copies these source ﬁles into your pipeline's artifact store, and then uses them to perform actions in your
pipeline, such as creating an AWS CloudFormation stack.
When you use Amazon Simple Storage Service (Amazon S3) as the source repository, AWS CodePipeline
requires you to zip your source ﬁles before uploading them to an S3 bucket. The zipped ﬁle is an AWS
CodePipeline artifact that can contain an AWS CloudFormation template, a template conﬁguration
ﬁle, or both. We provide an artifact that contains a sample WordPress template and two template
conﬁguration ﬁles. The two conﬁguration ﬁles specify parameter values for the WordPress template.
AWS CodePipeline uses them when it creates the WordPress stacks. One ﬁle contains parameter values
for a test stack, and the other for a production stack. You'll need to edit the conﬁguration ﬁles, for
example, to specify an existing EC2 key-pair name that you own. For more information about artifacts,
see AWS CloudFormation Artifacts (p. 85).
After you build your artifact, you'll upload it to an S3 bucket.

To edit and upload the artifact
1.

Download and open the sample artifact: https://s3.amazonaws.com/cloudformation-examples/
user-guide/continuous-deployment/wordpress-single-instance.zip.
The artifact contains three ﬁles:
API Version 2010-05-15
75

AWS CloudFormation User Guide
Step 2: Create the Pipeline Stack

• The sample WordPress template: wordpress-single-instance.yaml
• The template conﬁguration ﬁle for the test stack.: test-stack-configuration.json
• The template conﬁguration ﬁle for the production stack: prod-stack-configuration.json
2.

Extract all of the ﬁles, and then use any text editor to modify the template conﬁguration ﬁles.
Open the conﬁguration ﬁles to see that they contain key-value pairs that map to the WordPress
template's parameters. The conﬁguration ﬁles specify the parameter values that your pipeline uses
when it creates the test and production stacks.
Edit the test-stack-configuration.json ﬁle to specify parameter values for the test stack and
the prod-stack-configuration.json ﬁle for the production stack.
• Change the values of the DBPassword and DBRootPassword keys to passwords that you can use
to log in to your WordPress database. As deﬁned in the WordPress template, the parameter values
must contain only alphanumeric characters.
• Change the value of the KeyName key to an existing EC2 key-pair name in the region in which you
will create your pipeline.

3.

Add the modiﬁed conﬁguration ﬁles to the original artifact (.zip) ﬁle, replacing duplicate ﬁles.
You now have a customized artifact that you can upload to an S3 bucket.

4.

Upload the artifact to an S3 bucket that you own.
Note the ﬁle's location. You'll specify the location of this ﬁle when you build your pipeline.
Notes about the artifact and S3 bucket:
• Use a bucket that is in the same AWS region in which you will create your pipeline.
• AWS CodePipeline requires that the bucket is versioning enabled.
• You can also use services that don't require you to zip your ﬁles before uploading them, like
GitHub or AWS CodeCommit, for your source repository.
• Artifacts can contain sensitive information such as passwords. Limit access so that only permitted
users can view the ﬁle. When you do, ensure that AWS CodePipeline can still access the ﬁle.

You now have an artifact that AWS CodePipeline can pull in to your pipeline. In the next step, you'll
specify the artifact's location and build the WordPress pipeline.

Step 2: Create the Pipeline Stack
To create the WordPress pipeline, you'll use a sample AWS CloudFormation template. In addition to
building the pipeline, the template sets up AWS Identity and Access Management (IAM) service roles for
AWS CodePipeline and AWS CloudFormation, an S3 bucket for the AWS CodePipeline artifact store, and
an Amazon Simple Notiﬁcation Service (Amazon SNS) topic to which the pipeline sends notiﬁcations,
such as notiﬁcations about reviews. The sample template makes it easy to provision and conﬁgure these
resources in a single AWS CloudFormation stack.
For more details about the conﬁguration of the pipeline, see What the Pipeline Does (p. 77).

Important

The sample WordPress template creates an EC2 instance that requires a connection to the
Internet. Check that your default VPC and subnet allow traﬃc to the Internet.

To create the pipeline stack
1.

Download the sample template at https://s3.amazonaws.com/cloudformation-examples/userguide/continuous-deployment/basic-pipeline.yml. Save it on your computer.
API Version 2010-05-15
76

AWS CloudFormation User Guide
Step 2: Create the Pipeline Stack

2.

Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/.

3.

Choose an AWS region that supports AWS CodePipeline and AWS CloudFormation.
For more information, see AWS Regions and Endpoints in the AWS General Reference.

4.

Choose Create Stack.

5.

In the Template section, choose Upload a template to Amazon S3, and then choose the template
that you just downloaded, basic-pipeline.yml.

6.

Choose Next.

7.

For Stack name, type sample-WordPress-pipeline.

8.

In the Parameters section, specify the following parameter values, and then choose Next.
When setting stack parameters, if you kept the same names for the WordPress template and its
conﬁguration ﬁles, you can use the default values. If not, specify the ﬁlenames that you used.
PipelineName
The name of your pipeline, such as WordPress-test-pipeline.
S3Bucket
The name of the S3 bucket where you saved your artifact (.zip ﬁle).
SourceS3Key
The ﬁlename of your artifact. If you saved the artifact in a folder, include it as part of the
ﬁlename, such as folder/subfolder/wordpress-single-instance.zip.
Email
The email address to which AWS CodePipeline sends pipeline notiﬁcation, such as
myemail@example.com.

9.

For this walkthrough, you don't need to add tags or specify advanced settings, so choose Next.

10. Ensure that the stack name and template URL are correct, and then choose Create.
11. To acknowledge that you're aware that AWS CloudFormation might create IAM resources, choose the
checkbox.
It might take several minutes for AWS CloudFormation to create your stack. To monitor progress, view
the stack events. For more information, see Viewing Stack Data and Resources (p. 99).
After your stack has been created, AWS CodePipeline starts your new pipeline. To view its status, see the
AWS CodePipeline console. From the list of pipelines, choose WordPress-test-pipeline.

What the Pipeline Does
This section explains the pipeline's three stages, using snippets from the sample WordPress pipeline
template.

Stage 1: Source
The ﬁrst stage of the pipeline is a source stage in which you specify the location of your source code.
Every time you push a revision to this location, AWS CodePipeline reruns your pipeline.
The source code is located in an S3 bucket and is identiﬁed by its ﬁlename. You speciﬁed these
values as input parameter values when you created the pipeline stack. To allow using the source
artifact in subsequent stages, the snippet speciﬁes the OutputArtifacts property, with the name
TemplateSource. To use this artifact in later stages, you specify TemplateSource as an input artifact.
- Name: S3Source

API Version 2010-05-15
77

AWS CloudFormation User Guide
Step 2: Create the Pipeline Stack
Actions:
- Name: TemplateSource
ActionTypeId:
Category: Source
Owner: AWS
Provider: S3
Version: '1'
Configuration:
S3Bucket: !Ref 'S3Bucket'
S3ObjectKey: !Ref 'SourceS3Key'
OutputArtifacts:
- Name: TemplateSource

Stage 2: TestStage
In the TestStage stage, the pipeline creates the test stack, waits for approval, and then deletes the test
stack.
For the CreateStack action, the pipeline uses the test conﬁguration ﬁle and WordPress template to
create the test stack. Both ﬁles are contained in the TemplateSource input artifact, which is brought in
from the source stage. The snippet uses the REPLACE_ON_FAILURE action mode. If stack creation fails,
the pipeline replaces it so that you don't need to clean up or troubleshoot the stack before you can rerun
the pipeline. The action mode is useful for quickly iterating on test stacks. For the RoleArn property, the
value is an AWS CloudFormation service role that is declared elsewhere in the template.
The ApproveTestStack action pauses the pipeline and sends a notiﬁcation to the email address
that you speciﬁed when you created the pipeline stack. While the pipeline is paused, you can check
the WordPress test stack and its resources. Use AWS CodePipeline to approve or reject this action. The
CustomData property includes a description of the action you're approving, which the pipeline adds to
the notiﬁcation email.
After you approve this action, AWS CodePipeline moves to the DeleteTestStack action and deletes
the test WordPress stack and its resources.
- Name: TestStage
Actions:
- Name: CreateStack
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: '1'
InputArtifacts:
- Name: TemplateSource
Configuration:
ActionMode: REPLACE_ON_FAILURE
RoleArn: !GetAtt [CFNRole, Arn]
StackName: !Ref TestStackName
TemplateConfiguration: !Sub "TemplateSource::${TestStackConfig}"
TemplatePath: !Sub "TemplateSource::${TemplateFileName}"
RunOrder: '1'
- Name: ApproveTestStack
ActionTypeId:
Category: Approval
Owner: AWS
Provider: Manual
Version: '1'
Configuration:
NotificationArn: !Ref CodePipelineSNSTopic
CustomData: !Sub 'Do you want to create a change set against the production stack
and delete the ${TestStackName} stack?'
RunOrder: '2'

API Version 2010-05-15
78

AWS CloudFormation User Guide
Step 2: Create the Pipeline Stack
- Name: DeleteTestStack
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: '1'
Configuration:
ActionMode: DELETE_ONLY
RoleArn: !GetAtt [CFNRole, Arn]
StackName: !Ref TestStackName
RunOrder: '3'

Stage 3: ProdStage
The ProdStage stage of the pipeline creates a change set against the existing production stack, waits
for approval, and then executes the change set.
A change set provides a preview of all modiﬁcations AWS CloudFormation will make to your production
stack before implementing them. On your ﬁrst pipeline run, you won't have a running production stack.
The change set shows the actions that AWS CloudFormation performed when creating the test stack.
To create the change set, the CreateChangeSet action uses the WordPress sample template and the
production template conﬁguration from the TemplateSource input artifact.
Similar to the previous stage, the ApproveChangeSet action pauses the pipeline and sends an email
notiﬁcation. While the pipeline is paused, you can view the change set to check all of the proposed
modiﬁcations to the production WordPress stack. Use AWS CodePipeline to approve or reject this action
to continue or stop the pipeline, respectively.
After you approve this action, the ExecuteChangeSet action executes the changes set, so that
AWS CloudFormation performs all of the actions described in the change set. For the initial run, AWS
CloudFormation creates the WordPress production stack. On subsequent runs, AWS CloudFormation
updates the stack.
- Name: ProdStage
Actions:
- Name: CreateChangeSet
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: '1'
InputArtifacts:
- Name: TemplateSource
Configuration:
ActionMode: CHANGE_SET_REPLACE
RoleArn: !GetAtt [CFNRole, Arn]
StackName: !Ref ProdStackName
ChangeSetName: !Ref ChangeSetName
TemplateConfiguration: !Sub "TemplateSource::${ProdStackConfig}"
TemplatePath: !Sub "TemplateSource::${TemplateFileName}"
RunOrder: '1'
- Name: ApproveChangeSet
ActionTypeId:
Category: Approval
Owner: AWS
Provider: Manual
Version: '1'
Configuration:
NotificationArn: !Ref CodePipelineSNSTopic
CustomData: !Sub 'A new change set was created for the ${ProdStackName} stack. Do
you want to implement the changes?'
RunOrder: '2'

API Version 2010-05-15
79

AWS CloudFormation User Guide
Step 3: View the WordPress Stack
- Name: ExecuteChangeSet
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: '1'
Configuration:
ActionMode: CHANGE_SET_EXECUTE
ChangeSetName: !Ref ChangeSetName
RoleArn: !GetAtt [CFNRole, Arn]
StackName: !Ref ProdStackName
RunOrder: '3'

Step 3: View the WordPress Stack
As AWS CodePipeline runs through the pipeline, it uses AWS CloudFormation to create test and
production stacks. To see the status of these stacks and their output, use the AWS CloudFormation
console.

To view a stack
1.

Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/.

2.

Depending on whether your pipeline is in the test or production stage, choose the TestMyWordPressSite or the Prod-MyWordPressSite stack.
To check the status of your stack, view the stack events (p. 99).

3.

If the stack is in a failed state, view the status reason to ﬁnd the stack error. Fix the error, and then rerun
the pipeline. If the stack is in the CREATE_COMPLETE state, view its outputs to get the URL of your
WordPress site.
You've successfully used AWS CodePipeline to build a continuous delivery workﬂow for a sample
WordPress site. If you submit changes to the S3 bucket, AWS CodePipeline automatically detects a new
version, and then reruns your pipeline. This workﬂow makes it easier to submit and test changes before
making changes to your production site.

Step 4: Clean Up Resources
To make sure that you are not charged for unwanted services, delete your resources.

Important

Delete the test and production WordPress stacks before deleting the pipeline stack. The pipeline
stack contains a service role that's required to delete the WordPress stacks. If you deleted the
pipeline stack ﬁrst, you can associate another service role Amazon Resource Name (ARN) with
the WordPress stacks, and then delete them.

To delete objects in the artifact store
1.
2.

Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
Choose the S3 bucket that AWS CodePipeline used as your pipeline's artifact store.

3.

The bucket's name follows the format: stackname-artifactstorebucket-id. If you followed
this walkthrough, the bucket's name might look similar to the following example: sampleWordPress-pipeline-artifactstorebucket-12345abcd12345.
Delete all of the objects in the artifact store S3 bucket.
When you delete the pipeline stack in the next step, this bucket must be empty. Otherwise, AWS
CloudFormation won't be able to delete the bucket.
API Version 2010-05-15
80

AWS CloudFormation User Guide
Conﬁguration Properties Reference

To delete stacks
1.

From the AWS CloudFormation console, choose the stack that you want to delete.
If the WordPress stacks that were created by the pipeline are still running, choose them ﬁrst. By
default, the stack names are Test-MyWordPressSite and Prod-MyWordPressSite.

2.

If you already deleted the WordPress stacks, choose the sample-WordPress-pipeline stack.
Choose Actions, and then choose Delete Stack.

3.

In the conﬁrmation message, choose Yes, Delete.

AWS CloudFormation deletes the stack all of the stack's resources, such as the EC2 instance, notiﬁcation
topic, service role, and the pipeline.
Now that you understand how to build a basic AWS CloudFormation workﬂow with AWS CodePipeline,
you can use the sample template and artifacts as a starting point for building your own.

AWS CloudFormation Conﬁguration Properties
Reference
When you build an AWS CodePipeline pipeline, you add a Deploy action to the pipeline with AWS
CloudFormation as a provider. You then must specify which AWS CloudFormation action the pipeline
invokes and the action's settings. This topic describes the AWS CloudFormation conﬁguration properties.
To specify properties, you can use the AWS CodePipeline console, or you can create a JSON object to use
for the AWS CLI, AWS CodePipeline API, or AWS CloudFormation templates.
Topics
• Conﬁguration Properties (Console) (p. 81)
• Conﬁguration Properties (JSON Object) (p. 83)

Conﬁguration Properties (Console)
The AWS CodePipeline console shows the conﬁguration properties and indicates the properties that are
required based on the Action mode that you choose.

Note

When you create a new pipeline, you can specify only the Create or update a stack or Create or
replace a change set action modes. Also, properties in the Advanced section are available only
when you edit an existing pipeline.
Action mode
The AWS CloudFormation action that AWS CodePipeline invokes when processing the associated
stage. Choose one of the following action modes:
• Create or replace a change set creates the change set if it doesn't exist based on the stack name
and template that you submit. If the change set exists, AWS CloudFormation deletes it, and then
creates a new one.
• Create or update a stack creates the stack if the speciﬁed stack doesn't exist. If the stack
exists, AWS CloudFormation updates the stack. Use this action to update existing stacks. AWS
CodePipeline won't replace the stack.
• Delete a stack deletes a stack. If you specify a stack that doesn't exist, the action completes
successfully without deleting a stack.
API Version 2010-05-15
81

AWS CloudFormation User Guide
Conﬁguration Properties (Console)

• Execute a change set executes a change set.
• Replace a failed stack creates the stack if the speciﬁed stack doesn't exist. If the stack exists and
is in a failed state (reported as ROLLBACK_COMPLETE, ROLLBACK_FAILED, CREATE_FAILED,
DELETE_FAILED, or UPDATE_ROLLBACK_FAILED), AWS CloudFormation deletes the stack and
then creates a new stack. If the stack isn't in a failed state, AWS CloudFormation updates it. Use
this action to automatically replace failed stacks without recovering or troubleshooting them. You
would typically choose this mode for testing.
Stack name
The name of an existing stack or a stack that you want to create.
Change set name
The name of an existing change set or a new change set that you want to create for the speciﬁed
stack.
Template
The location of an AWS CloudFormation template ﬁle, which follows the format
ArtifactName::TemplateFileName.
Template conﬁguration
The location of a template conﬁguration ﬁle, which follows the format
ArtifactName::TemplateConfigurationFileName. The template conﬁguration ﬁle can
contain template parameter values and a stack policy. If you include sensitive information,
such as passwords, restrict access to this ﬁle. For more information, see AWS CloudFormation
Artifacts (p. 85).
Capabilities
For stacks that contain certain resources, explicit acknowledgement that AWS CloudFormation might
create or update those resources. For example, you must specify CAPABILITY_IAM if your stack
template contains AWS Identity and Access Management (IAM) resources. For more information, see
Acknowledging IAM Resources in AWS CloudFormation Templates (p. 15).
If you have IAM resources in your stack template, you must specify this property.
Role name
The name of the IAM service role that AWS CloudFormation assumes when it operates on resources
in the speciﬁed stack.
Output ﬁle name
In the Advanced section, you can specify an output ﬁle name, such as CreateStackOutput.json,
that AWS CodePipeline adds to the output artifact after performing the speciﬁed action.
If you don't specify a name, AWS CodePipeline doesn't generate an output artifact.
Parameter overrides
In the Advanced section, you can specify a JSON object that overrides template parameter values in
the template conﬁguration ﬁle. All parameter names must be present in the stack template.

Note

There is a maximum size limit of 1 kilobyte for the JSON object that can be stored in the
ParameterOverrides property.
We recommend that you use the template conﬁguration ﬁle to specify most of your parameter
values. Use parameter overrides to specify only dynamic parameter values (values that are unknown
until you run the pipeline).
API Version 2010-05-15
82

AWS CloudFormation User Guide
Conﬁguration Properties (JSON Object)

The following example deﬁnes a value for the ParameterName parameter by using a parameter
override function. The function retrieves a value from an AWS CodePipeline input artifact. For more
information about parameter override functions, see Using Parameter Override Functions with AWS
CodePipeline Pipelines (p. 86).
{

"ParameterName" : { "Fn::GetParam" : ["ArtifactName", "config-file-name.json",
"ParamName"]}

}

Conﬁguration Properties (JSON Object)
When you specify CloudFormation as a provider for a stage action, deﬁne the following properties
within the Configuration property. Use the JSON object for the AWS CLI, AWS CodePipeline API,
or AWS CloudFormation templates. For examples, see Walkthrough: Building a Pipeline for Test and
Production Stacks (p. 74)
ActionMode
The AWS CloudFormation action that AWS CodePipeline invokes when processing the associated
stage. Specify only one of the following action modes:
• CHANGE_SET_EXECUTE executes a change set.
• CHANGE_SET_REPLACE creates the change set if it doesn't exist based on the stack name and
template that you submit. If the change set exists, AWS CloudFormation deletes it, and then
creates a new one.
• CREATE_UPDATE creates the stack if the speciﬁed stack doesn't exist. If the stack exists, AWS
CloudFormation updates the stack. Use this action to update existing stacks. AWS CodePipeline
won't replace the stack.
• DELETE_ONLY deletes a stack. If you specify a stack that doesn't exist, the action completes
successfully without deleting a stack.
• REPLACE_ON_FAILURE creates a stack if the speciﬁed stack doesn't exist. If the stack exists and
is in a failed state (reported as ROLLBACK_COMPLETE, ROLLBACK_FAILED, CREATE_FAILED,
DELETE_FAILED, or UPDATE_ROLLBACK_FAILED), AWS CloudFormation deletes the stack and
then creates a new stack. If the stack isn't in a failed state, AWS CloudFormation updates it. Use
this action to automatically replace failed stacks without recovering or troubleshooting them. You
would typically choose this mode for testing.
This property is required.
Capabilities
For stacks that contain certain resources, explicit acknowledgement that AWS CloudFormation might
create or update those resources. For example, you must specify CAPABILITY_IAM if your stack
template contains AWS Identity and Access Management (IAM) resources. For more information, see
Acknowledging IAM Resources in AWS CloudFormation Templates (p. 15).
This property is conditional. If you have IAM resources in your stack template, you must specify this
property.
ChangeSetName
The name of an existing change set or a new change set that you want to create for the speciﬁed
stack.
This property is required for the following action modes: CHANGE_SET_REPLACE and
CHANGE_SET_EXECUTE. For all other action modes, this property is ignored.
API Version 2010-05-15
83

AWS CloudFormation User Guide
Conﬁguration Properties (JSON Object)

OutputFileName
A name for the output ﬁle, such as CreateStackOutput.json. AWS CodePipeline adds the ﬁle to
the output artifact after performing the speciﬁed action.
This property is optional. If you don't specify a name, AWS CodePipeline doesn't generate an output
artifact.
ParameterOverrides
A JSON object that speciﬁes values for template parameters. If you specify parameters that are also
speciﬁed in the template conﬁguration ﬁle, these values override them. All parameter names must
be present in the stack template.

Note

There is a maximum size limit of 1 kilobyte for the JSON object that can be stored in the
ParameterOverrides property.
We recommend that you use the template conﬁguration ﬁle to specify most of your parameter
values. Use parameter overrides to specify only dynamic parameter values (values that are unknown
until you run the pipeline).
The following example deﬁnes a value for the ParameterName parameter by using a parameter
override function. The function retrieves a value from an AWS CodePipeline input artifact. For more
information about parameter override functions, see Using Parameter Override Functions with AWS
CodePipeline Pipelines (p. 86).
{

"ParameterName" : { "Fn::GetParam" : ["ArtifactName", "config-file-name.json",
"ParamName"]}

}

This property is optional.
RoleArn
The Amazon Resource Name (ARN) of the IAM service role that AWS CloudFormation assumes when
it operates on resources in a stack.
This property is required for the following action modes: CREATE_UPDATE, REPLACE_ON_FAILURE,
DELETE_ONLY, and CHANGE_SET_REPLACE. Note: RoleArn is not applied when executing a change
set. If you do not use CodePipeline to create the change set, you must ensure that the change set or
stack has an associated role.
StackName
The name of an existing stack or a stack that you want to create.
This property is required for all action modes.
TemplateConfiguration
The location of a template conﬁguration ﬁle, which follows the format
ArtifactName::TemplateConfigurationFileName. The template conﬁguration ﬁle can
contain template parameter values and a stack policy. Note that if you include sensitive information,
such as passwords, restrict access to this ﬁle. For more information, see AWS CloudFormation
Artifacts (p. 85).
This property is optional.
TemplatePath
The location of an AWS CloudFormation template ﬁle, which follows the format
ArtifactName::TemplateFileName.
API Version 2010-05-15
84

AWS CloudFormation User Guide
AWS CloudFormation Artifacts

This property is required for the following action modes: CREATE_UPDATE, REPLACE_ON_FAILURE,
and CHANGE_SET_REPLACE. For all other action modes, this property is ignored.

AWS CloudFormation Artifacts
AWS CodePipeline performs tasks on artifacts as AWS CodePipeline runs a pipeline. For AWS
CloudFormation, artifacts can include a stack template ﬁle, a template conﬁguration ﬁle, or both. AWS
CodePipeline uses these artifacts to work with AWS CloudFormation stacks and change sets.
If you use Amazon Simple Storage Service (Amazon S3) as a source repository, you must zip the template
and template conﬁguration ﬁles into a single ﬁle before you upload them to an S3 bucket. For other
repositories, such as GitHub and AWS CodeCommit, upload artifacts without zipping them. For more
information, see Create a Pipeline in AWS CodePipeline in the AWS CodePipeline User Guide.
You can add as many ﬁles as you need to your repository. For example, you might want to include two
diﬀerent conﬁgurations for the same template: one for a test conﬁguration and another for a production
conﬁguration.
This topic describes each artifact type.
Topics
• Stack Template File (p. 85)
• Template Conﬁguration File (p. 85)

Stack Template File
A stack template ﬁle deﬁnes the resources that AWS CloudFormation provisions and conﬁgures.
These ﬁles are the same templates ﬁles that you use when you create or update stacks using AWS
CloudFormation. You can use YAML or JSON-formatted templates. For more information about
templates, see Template Anatomy (p. 163).

Template Conﬁguration File
A template conﬁguration ﬁle is a JSON-formatted text ﬁle that can specify template parameter values,
a stack policy (p. 141), and tags. Use these conﬁguration ﬁles to specify parameter values or a stack
policy for a stack. All of the parameter values that you specify must be declared in the associated
template.
If you include sensitive information—such as passwords—in this ﬁle, restrict access to it. For example, if
you upload your artifact to an S3 bucket, use S3 bucket policies or user policies to restrict access.
To create a conﬁguration ﬁle, use the following format :
{

"Parameters" : {
"NameOfTemplateParameter" : "ValueOfParameter",
...
},
"Tags" : {
"TagKey" : "TagValue",
...
},
"StackPolicy" : {
"Statement" : [

API Version 2010-05-15
85

AWS CloudFormation User Guide
Using Parameter Override Functions
with AWS CodePipeline Pipelines

}

}

]

StackPolicyStatement

The following example speciﬁes TestEC2Key for the KeyName parameter, adds a Department tag
whose value is Marketing, and adds a stack policy that allows all update actions except for an update
that deletes a resource.
{

}

"Parameters" : {
"KeyName" : "TestEC2Key"
},
"Tags" : {
"Department" : "Marketing"
},
"StackPolicy" : {
"Statement" : [
{
"Effect" : "Allow",
"NotAction" : "Update:Delete",
"Principal": "*",
"Resource" : "*"
}
]
}

Using Parameter Override Functions with AWS
CodePipeline Pipelines
In an AWS CodePipeline stage, you can specify parameter overrides (p. 81) for AWS CloudFormation
actions. Parameter overrides let you specify template parameter values that override values in a
template conﬁguration ﬁle. AWS CloudFormation provides functions to help you to specify dynamic
values (values that are unknown until the pipeline runs).
Topics
• Fn::GetArtifactAtt (p. 86)
• Fn::GetParam (p. 87)

Fn::GetArtifactAtt
The Fn::GetArtifactAtt function retrieves the value of an attribute from an input artifact, such as
the S3 bucket name where the artifact is stored. Use this function to specify attributes of an artifact,
such as its ﬁlename or S3 bucket name.
When you run a pipeline, AWS CodePipeline copies and writes ﬁles to the pipeline's artifact store (an S3
bucket). AWS CodePipeline generates the ﬁlenames in the artifact store. These ﬁlenames are unknown
before you run the pipeline.
For example, in your pipeline, you might have a source stage where AWS CodePipeline copies your AWS
Lambda function source code to the artifact store. In the next stage, you have an AWS CloudFormation
template that creates the Lambda function, but AWS CloudFormation requires the ﬁlename to create the
function. You must use the Fn::GetArtifactAtt function to pass the exact S3 bucket and ﬁle names.
API Version 2010-05-15
86

AWS CloudFormation User Guide
Fn::GetParam

Syntax
Use the following syntax to retrieve an attribute value of an artifact.
{ "Fn::GetArtifactAtt" : [ "artifactName", "attributeName" ] }

artifactName
The name of the input artifact. You must declare this artifact as input for the associated action.
attributeName
The name of the artifact attribute whose value you want to retrieve. For details about each artifact
attribute, see the following Attributes section.

Example
The following parameter overrides specify the BucketName and ObjectKey parameters by retrieving
the S3 bucket name and ﬁlename of the LambdaFunctionSource artifact. This example assumes that
AWS CodePipeline copied Lambda function source code and saved it as an artifact, for example, as part
of a source stage.
{
}

"BucketName" : { "Fn::GetArtifactAtt" : ["LambdaFunctionSource", "BucketName"]},
"ObjectKey" : { "Fn::GetArtifactAtt" : ["LambdaFunctionSource", "ObjectKey"]}

Attributes
You can retrieve the following attributes for an artifact.
BucketName
The name of the S3 bucket where the artifact is stored.
ObjectKey
The name of the .zip ﬁle that contains the artifact that is generated by AWS CodePipeline, such as
1ABCyZZ.zip.
URL
The Amazon Simple Storage Service (Amazon S3) URL of the artifact, such as https://
s3-us-west-2.amazonaws.com/artifactstorebucket-yivczw8jma0c/test/
TemplateSo/1ABCyZZ.zip.

Fn::GetParam
The Fn::GetParam function returns a value from a key-value pair in a JSON-formatted ﬁle. The JSON
ﬁle must be included in an artifact.
Use this function to retrieve output values from an AWS CloudFormation stack and use them as input for
another action. For example, if you specify an output ﬁlename for an AWS CloudFormation action, AWS
CodePipeline saves the output in a JSON ﬁle and then adds it to the output artifact's .zip ﬁle. Use the
Fn::GetParam function to retrieve the output value, and use it as input for another action.
API Version 2010-05-15
87

AWS CloudFormation User Guide
Fn::GetParam

Syntax
Use the following syntax to retrieve a value from a key-value pair.
{ "Fn::GetParam" : [ "artifactName", "JSONFileName", "keyName" ] }

artifactName
The name of the artifact, which must be included as an input artifact for the associated action.
JSONFileName
The name of a JSON ﬁle that is contained in the artifact.
keyName
The name of the key whose value you want to retrieve.

Examples
The following examples demonstrate how to use the Fn::GetParam function in a parameter override.

Syntax
The following parameter override speciﬁes the WebSiteURL parameter by retrieving the value of the
URL key from the stack-output.json ﬁle that is in the WebStackOutput artifact.
{
}

"WebSiteURL" : { "Fn::GetParam" : ["WebStackOutput", "stack-output.json", "URL"]}

AWS CloudFormation Template Snippets
The following AWS CloudFormation template snippets, from an AWS CodePipeline pipeline, demonstrate
how to pass stack outputs. These snippets show two stages of pipeline deﬁnition. The ﬁrst stage creates
a stack and save its outputs in the TestOutput.json ﬁle in the StackAOutput artifact. These values
are speciﬁed by the OutputFileName and OutputArtifacts properties.

Example Create Stack A Stage
- Name: CreateTestStackA
Actions:
- Name: CloudFormationCreate
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: '1'
Configuration:
ActionMode: CREATE_UPDATE
Capabilities: CAPABILITY_IAM
OutputFileName: TestOutput.json
RoleArn: !GetAtt [CFNRole, Arn]
StackName: StackA
TemplateConfiguration: TemplateSource::test-configuration.json
TemplatePath: TemplateSource::teststackA.yaml
InputArtifacts:
- Name: TemplateSourceA
OutputArtifacts:

API Version 2010-05-15
88

AWS CloudFormation User Guide
Fn::GetParam
- Name: StackAOutput
RunOrder: '1'

In a subsequent stage, stack B uses the outputs from stack A. In the ParameterOverrides property,
the example uses the Fn::GetParam function to specify the StackBInputParam parameter. The
resulting value is the value associated with the StackAOutputName key.

Example Create Stack B Stage
- Name: CreateTestStackB
Actions:
- Name: CloudFormationCreate
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: '1'
Configuration:
ActionMode: CREATE_UPDATE
Capabilities: CAPABILITY_IAM
RoleArn: !GetAtt [CFNRole, Arn]
StackName: StackB
TemplateConfiguration: TemplateSource::test-configuration.json
TemplatePath: TemplateSource::teststackB.yaml
ParameterOverrides: |
{
"StackBInputParam" : { "Fn::GetParam" : ["StackAOutput", "TestOutput.json",
"StackAOutputName"]}
}
InputArtifacts:
- Name: TemplateSourceB
- Name: StackAOutput
RunOrder: '1'

API Version 2010-05-15
89

AWS CloudFormation User Guide
Using the Console

Working with Stacks
A stack is a collection of AWS resources that you can manage as a single unit. In other words, you can
create, update, or delete a collection of resources by creating, updating, or deleting stacks. All the
resources in a stack are deﬁned by the stack's AWS CloudFormation template. A stack, for instance,
can include all the resources required to run a web application, such as a web server, a database, and
networking rules. If you no longer require that web application, you can simply delete the stack, and all
of its related resources are deleted.
AWS CloudFormation ensures all stack resources are created or deleted as appropriate. Because
AWS CloudFormation treats the stack resources as a single unit, they must all be created or deleted
successfully for the stack to be created or deleted. If a resource cannot be created, AWS CloudFormation
rolls the stack back and automatically deletes any resources that were created. If a resource cannot be
deleted, any remaining resources are retained until the stack can be successfully deleted.
You can work with stacks by using the AWS CloudFormation console, API, or AWS CLI.

Note

You are charged for the stack resources for the time they were operating (even if you deleted
the stack right away).
Topics
• Using the AWS CloudFormation Console (p. 90)
• Using the AWS Command Line Interface (p. 108)
• AWS CloudFormation Stacks Updates (p. 118)
• Exporting Stack Output Values (p. 153)
• Listing Stacks That Import an Exported Output Value (p. 154)
• Working with Nested Stacks (p. 155)
• Working with Microsoft Windows Stacks on AWS CloudFormation (p. 157)

Using the AWS CloudFormation Console
The AWS CloudFormation console allows you to create, monitor, update and delete stacks directly from
your web browser. This section contains guidance on using the AWS CloudFormation console to perform
common actions.

In This Section
•
•
•
•

Logging In to the Console (p. 91)
Creating a Stack (p. 92)
Creating an EC2 Key Pair (p. 98)
Estimating the Cost of Your AWS CloudFormation Stack (p. 99)

•
•
•
•
•

Viewing Stack Data and Resources (p. 99)
Monitor and Roll Back Stack Operations (p. 102)
Creating Quick-Create Links for Stacks (p. 103)
Deleting a Stack (p. 105)
Protecting a Stack From Being Deleted (p. 106)

• Viewing Deleted Stacks (p. 107)
API Version 2010-05-15
90

AWS CloudFormation User Guide
Logging In to the Console

Logging In to the AWS CloudFormation Console
The AWS CloudFormation console allows you to create, monitor, update, and delete your AWS
CloudFormation stacks with a web-based interface. It is part of the AWS Management Console.
You can access the AWS CloudFormation console in a number of ways:
• Open the AWS CloudFormation console directly with the URL https://console.aws.amazon.com/
cloudformation/ . If you are not logged in to the AWS Management Console yet, you need to log in
before using the AWS CloudFormation console.
• If you are logged into and using the AWS Management Console, you can access the AWS
CloudFormation console by opening the Services menu and selecting CloudFormation in one of the
following sub-menus:
• Deployment and Management

• All Services

API Version 2010-05-15
91

AWS CloudFormation User Guide
Creating a Stack

If you don't have any AWS CloudFormation stacks running, you are presented with the option to Create a
stack. Otherwise, you see a list of your currently-running stacks.

See Also
• Creating a Stack (p. 92)

Creating a Stack on the AWS CloudFormation
Console
Before you create a stack, you must have a template that describes what resources AWS CloudFormation
will include in your stack. For more information, see Working with AWS CloudFormation
Templates (p. 162).

Note

To preview the conﬁguration of a new stack, you can use a change set (p. 97).
Creating a stack on the AWS CloudFormation console is an easy, wizard-driven process that consists of
the following steps:
1. Starting the Create Stack wizard (p. 92)
2. Selecting a stack template (p. 93)
3. Specifying stack parameters (p. 94)
4. Setting Stack Options (p. 95)
5. Reviewing your stack (p. 96)
After creating a stack, you can monitor the stack's progress, view the stack's resources and outputs,
update the stack, and delete it. Information about these actions are provided in their associated topics.

Starting the Create Stack Wizard
To create a stack on the AWS CloudFormation console
1.

Log in to the AWS Management Console and select CloudFormation in the Services menu.

2.

Create a new stack by using one of the following options:
• Click Create Stack. This is the only option if you have a currently running stack.

• Click Create New Stack in the CloudFormation Stacks main window. This option is visible only if
you have no running stacks.

• Click Launch CloudFormer in the CloudFormation Stacks main window to create a stack from
currently running resources. This option is visible only if you have no running stacks.
API Version 2010-05-15
92

AWS CloudFormation User Guide
Creating a Stack

For more information about using CloudFormer to create AWS CloudFormation stacks, see Using
CloudFormer to Create Templates (p. 458).
Next, you choose a stack template (p. 93).

Selecting a Stack Template
After starting the Create Stack wizard (p. 92), you specify the template that you want AWS
CloudFormation to use to create your stack.
AWS CloudFormation templates are JSON- or YAML-formatted ﬁles that specify the AWS resources that
make up your stack. For more information about AWS CloudFormation templates, see Working with AWS
CloudFormation Templates (p. 162).

To choose a stack template:
1.

On the Select Template page, choose a stack template by using one of the following options:
Design a template
To create or modify a template, use AWS CloudFormation Designer, a drag-and-drop interface.
For more information, see What Is AWS CloudFormation Designer? (p. 202).
Choose a template
• Select a sample template.
Select an AWS CloudFormation template from a list of samples. For descriptions of the
templates, see Sample Templates (p. 2342).
To create a stack from existing AWS resources by using the CloudFormer tool, select
CloudFormer from the list. For more information, see Using CloudFormer to Create
Templates (p. 458).
• Upload a template to Amazon S3.
Select an AWS CloudFormation template on your local computer. Choose Choose File to
select the template ﬁle that you want to upload. The template can be a maximum size of
460,800 bytes.
If you use the CLI or API to create a stack, you can upload a template with a maximum size of
51,200 bytes.

Note

If you upload a local template ﬁle, AWS CloudFormation uploads it to an Amazon
Simple Storage Service (Amazon S3) bucket in your AWS account. If you don't already
have an S3 bucket that was created by AWS CloudFormation, it creates a unique
bucket for each Region in which you upload a template ﬁle. If you already have an
S3 bucket that was created by AWS CloudFormation in your AWS account, AWS
CloudFormation adds the template to that bucket.
Considerations to keep in mind about S3 buckets created by AWS CloudFormation
• The buckets are accessible to anyone with Amazon S3 permissions in your AWS
account.
API Version 2010-05-15
93

AWS CloudFormation User Guide
Creating a Stack

• AWS CloudFormation creates the buckets with server-side encryption enabled by
default, thereby encrypting all objects stored in the bucket.
You can directly manage encryption options for buckets that AWS CloudFormation
has created; for example, using the Amazon S3 console at https://
console.aws.amazon.com/s3/ , or the AWS CLI. For more information, see Amazon
S3 Default Encryption for S3 Buckets in the Amazon Simple Storage Service
Developer Guide.
• You can use your own bucket and manage its permissions by manually uploading
templates to Amazon S3. When you create or update a stack, specify the Amazon
S3 URL of a template ﬁle.
• Specify an Amazon S3 template URL.
Specify a URL to a template in an S3 bucket.

Important

If your template includes nested stacks (for example, stacks described in other
template documents located in subdirectories), ensure that your S3 bucket contains
the necessary ﬁles and directories.
If you have a template in a versioning-enabled bucket, you can specify a speciﬁc version of the
template, such as https://s3.amazonaws.com/templates/myTemplate.template?
versionId=123ab1cdeKdOW5IH4GAcYbEngcpTJTDW. For more information, see Managing
Objects in a Versioning-Enabled Bucket in the Amazon Simple Storage Service Console User
Guide.
The URL must point to a template with a maximum size of 460,800 bytes that is stored in
an S3 bucket that you have read permissions to and that is located in the same region as the
stack. The URL can be a maximum of 1024 characters long.
2.

To accept your settings, choose Next, and proceed with specifying the stack name and
parameters (p. 94).
Before creating resources, AWS CloudFormation validates your template to catch syntactic and some
semantic errors, such as circular dependencies. During validation, AWS CloudFormation ﬁrst checks
if the template is valid JSON. If it isn't, AWS CloudFormation checks if the template is valid YAML. If
both checks fail, AWS CloudFormation returns a template validation error.

Specifying Stack Name and Parameters
After selecting a stack template, specify the stack name and values for the parameters that were deﬁned
in the template.
With parameters, you can customize your stack at creation time. Your parameter values can be used in
the stack template to modify how resources are conﬁgured. That way you don't have to hard code values
in multiple templates to specify diﬀerent settings. For more information about parameters in an AWS
CloudFormation template, see Parameters (p. 167).

To specify the stack name parameter values
1.

On the Specify Details page, type a stack name in the Stack name box.
The stack name is an identiﬁer that helps you ﬁnd a particular stack from a list of stacks. A stack
name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an
alphabetic character and can't be longer than 128 characters.

2.

In the Parameters section, specify parameters that are deﬁned in the stack template.
You can use or change any parameters with default values.
API Version 2010-05-15
94

AWS CloudFormation User Guide
Creating a Stack

3.

When you are satisﬁed with the parameter values, click Next to proceed with setting options for
your stack (p. 95).

AWS-speciﬁc Parameter Types
When you create stacks that contain AWS-speciﬁc parameter types, the AWS CloudFormation
console provides drop-down lists of valid values for those parameters. Depending on the parameter
type, you can search for values by ID, name, or the value of the Name tag. For example, with the
AWS::EC2::VPC::Id parameter type, you can search for a speciﬁc VPC ID, such as vpc-b47658d1. If
the VPC was tagged with a name, such as Name:TestVPC, you can also search for TestVPC. Currently,
you can search only for tag values with the Name key.

Note

The console doesn't provide a drop-down list or enable you to search for values with the
AWS::EC2::Image::Id parameter type; AWS CloudFormation only veriﬁes if the input values
are valid Amazon Elastic Compute Cloud image IDs.
Group and Sort Parameters
The console alphabetically lists input parameters by their logical ID. When you create a template, you
can use the AWS::CloudFormation::Interface metadata key to override the default ordering. For
more information and an example of the AWS::CloudFormation::Interface metadata key, see
AWS::CloudFormation::Interface (p. 691).

Setting AWS CloudFormation Stack Options
After specifying parameters (p. 167) that are deﬁned in the template, you can set additional options for
your stack.
You can set the following stack options:
Tags
Tags are arbitrary key-value pairs that can be used to identify your stack for purposes such as cost
allocation. For more information about what tags are and how they can be used, see Tagging Your
Resources in the Amazon EC2 User Guide.
A Key consists of any alphanumeric characters or spaces. Tag keys can be up to 127 characters long.
A Value consists of any alphanumeric characters or spaces. Tag values can be up to 255 characters
long.
Permissions
An existing AWS Identity and Access Management (IAM) service role that AWS CloudFormation can
assume.
Instead of using your account credentials, AWS CloudFormation uses the role's credentials to create
your stack. For more information, see AWS CloudFormation Service Role (p. 17).
Notiﬁcation Options
A new or existing Amazon Simple Notiﬁcation Service topic where notiﬁcations about stack events
are sent.
If you create an Amazon SNS topic, you must specify a name and an email address, where stack
event notiﬁcations are sent.
API Version 2010-05-15
95

AWS CloudFormation User Guide
Creating a Stack

Timeout
Speciﬁes the amount of time, in minutes, that CloudFormation should allot before timing out stack
creation operations. If CloudFormation cannot create the entire stack in the time allotted, it fails
the stack creation due to timeout and rolls back the stack. By default, there is no timeout for stack
creation. However, individual resources may have their own timeouts based on the nature of the
service they implement. For example, if an individual resource in your stack times out, stack creation
also times out even if the timeout you speciﬁed for stack creation has not yet been reached.
Rollback on failure
Speciﬁes whether the stack should be rolled back if stack creation fails. Typically, you want to accept
the default value of Yes. Select No if you want the stack's state retained even if creation fails, such as
when you are debugging a stack template.
Stack policy
Deﬁnes the resources that you want to protect from unintentional updates during a stack update.
By default, all resources can be updated during a stack update. For more information, see Prevent
Updates to Stack Resources (p. 141).
Enable termination protection
Prevents a stack from being accidently deleted. If a user attempts to delete a stack with termination
protection enabled, the deletion fails and the stack--including its status--remains unchanged. For
more information, see Protecting a Stack From Being Deleted (p. 106).

To set stack options
1.

On the Options screen of the Create Stack wizard, you can specify tags or set additional options by
expanding the Advanced section.

2.

When you have entered all of your stack options, click Next Step to proceed with reviewing your
stack (p. 96).

Reviewing Your Stack and Estimating Stack Cost on the AWS
CloudFormation Console
The ﬁnal step before your stack is launched is to review the values entered while creating the stack. You
can also estimate the cost of your stack.
1.

On the Review page, review the details of your stack.
If you need to change any of the values prior to launching the stack, click Back to go back to the
page that has the setting that you want to change.

2.

(Optional) You can click the Cost link to estimate the cost of your stack. The AWS Simple Monthly
Calculator displays values from your stack template and launch settings.

3.

After you review the stack launch settings and the estimated cost of your stack, click Create to
launch your stack.
Your stack appears in the list of AWS CloudFormation stacks, with a status of
CREATE_IN_PROGRESS.
While your stack is being created (or afterward), you can use the stack detail pane to view your
stack's events, data, or resources (p. 99). AWS CloudFormation automatically refreshes stack
events every minute. By viewing stack creation events, you can understand the sequence of events
that lead to your stack's creation (or failure, if you are debugging your stack).
API Version 2010-05-15
96

AWS CloudFormation User Guide
Creating a Stack

After your stack has been successfully created, its status changes to CREATE_COMPLETE. You
can then select it (if necessary) and click the Outputs tab to view your stack's outputs if you have
deﬁned any in the template.

Creating Stacks Using Change Sets
To preview how a AWS CloudFormation stack will be conﬁgured before creating the stack, create a
change set. This functionality allows you to examine various conﬁgurations and make corrections and
changes to your stack before executing the change set.

Creating a Change Set for a New Stack
To create a change set for a new stack, submit the conﬁguration that you want to use by providing a
template, input parameter values, or both.

To create a change set (console)
1.

In the AWS CloudFormation console, choose Create Stack, and then choose Create Change Set for
New Stack.

2.

On the Select Template page, specify the location of your template.
• For a template stored locally, choose Upload a template to Amazon S3. Choose File to navigate
to the ﬁle, choose the ﬁle, and then choose Next.
• For a template stored in an Amazon S3 bucket, choose Specify an Amazon S3 URL. Type or paste
the URL for the template, and then choose Next.
If your template is stored in a versioning-enabled bucket, you can specify a speciﬁc version,
for example: https://s3.amazonaws.com/templates/myTemplate.template?
versionId=123ab1cdeKdOW5IH4GAcYbEngcpTJTDW
For more information, see Managing Objects in a Versioning-Enabled Bucket in the Amazon Simple
Storage Service Console User Guide.

3.

On the Specify Details page, conﬁgure the following items:
• Type the Stack name.
• (Optional) To identify your change set, type its Name and Description.
• If your template contains parameters, type the parameter values in the Parameters section.
When you ﬁnish, choose Next.

4.

(Optional) On the Options page, update the stack's service role, the stack tags, and the stack's
Amazon SNS notiﬁcation topic, and then choose Next.

5.

On the Review page, review the proposed conﬁguration.
If the template includes AWS Identity and Access Management (IAM) resources, select I
acknowledge that this template may create IAM resources to acknowledge that AWS
CloudFormation might create IAM resources if you execute this change set. IAM resources can
modify permissions in your AWS account. Review these resources to ensure that you allow the
API Version 2010-05-15
97

AWS CloudFormation User Guide
Creating an EC2 Key Pair

correction actions. For more information, see Controlling Access with AWS Identity and Access
Management (p. 9).
When you ﬁnish, choose Create change set.
While AWS CloudFormation begins to create the change set, the status of the change set is
CREATE_IN_PROGRESS. When AWS CloudFormation completes the creation progress, it sets its
status to CREATE_COMPLETE. In the Changes section, AWS CloudFormation lists the proposed
conﬁguration of your stack.

If AWS CloudFormation fails to create the change set and reports the CREATE_FAILED status, ﬁx
the error displayed in the Status ﬁeld, and then create a new change set. At this stage, you can try
various conﬁgurations and make corrections and changes to your stack before executing the next
change set.
6.

To create a new stack using the change set, choose Execute, and then choose Execute again.
When you create a change set, AWS CloudFormation launches a stack and reports the
REVIEW_IN_PROGRESS status until you execute the change set.

Creating an EC2 Key Pair
The use of some AWS CloudFormation resources and templates will require you to specify an Amazon
EC2 key pair for authentication, such as when you are conﬁguring SSH access to your instances.
Amazon EC2 key pairs can be created with the AWS Management Console. For more information, see
Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.

API Version 2010-05-15
98

AWS CloudFormation User Guide
Estimating the Cost of Your Stack

Estimating the Cost of Your AWS CloudFormation
Stack
There is no additional charge for AWS CloudFormation. You pay for AWS resources (e.g. Amazon EC2
instances, Elastic Load Balancing load balancers and so on) created using AWS CloudFormation as if you
created them by hand.

To estimate the cost of your stack
1.

On the Review page of the Create Stack dialog, click the Cost link.

This link opens the AWS Simple Monthly Calculator in a new browser page (or tab, depending on
how your browser is set up).

Note

2.

Because you launched the calculator from the AWS CloudFormation console, it is prepopulated with your template conﬁguration and parameter values. There are many
additional conﬁgurable values that can provide you with a better estimate if you have an
idea of how much data transfer you expect to your Amazon EC2 instance.
Click the Estimate of your Monthly Bill tab for a monthly estimate of running your stack, along with
a categorized display of what factors contributed to the estimate.

Viewing AWS CloudFormation Stack Data and
Resources on the AWS Management Console
Viewing Stack Information
After you've created an AWS CloudFormation stack, you can use the AWS Management Console to view
its data and resources. You can view the following stack information:
Outputs
Displays outputs that were declared in the stack's template.
Resources
Displays the resources that are part of the stack.
Events
Displays the operations that are tracked when you create, update, or delete the stack.
API Version 2010-05-15
99

AWS CloudFormation User Guide
Viewing Stack Data and Resources

All events that are triggered by a given stack operation are assigned the same client request token,
which you can use to track operations. Stack operations that are initiated from the console use the
token format Console-StackOperation-ID, which helps you to easily identify the stack operation.
For example, if you create a stack using the console, each resulting stack event would be assigned
the same token in the following format: Console-CreateStack-7f59c3cf-00d2-40c7-b2ffe75db0987002.
Template
Displays the stack's template.
For stacks that contain transforms, choose View original template to view the user-submitted
template, or View processed template to view the template after AWS CloudFormation processes
the transforms. AWS CloudFormation uses the processed template to create or update your stack.
Parameters
Displays the stack's parameters and their values.
For stacks that contain SSM parameters, the Resolved Value column displays the values that are
used in the stack deﬁnition for the SSM parameters. For more information, see SSM Parameter
Types (p. 172).
Tags
Displays any tags that are associated with the stack.
Stack Policy
Describes the stack resources that are protected against stack updates. For you to be able to update
these resources, they must be explicitly allowed during a stack update.

To view information about your AWS CloudFormation stack
1.
2.

Select your stack in the AWS CloudFormation console. This displays information in the stack detail
pane.
In the detail pane, click a tab to view the related information about your stack.
For example, click Outputs to view the outputs that are associated with your stack.

Stack Status Codes
The following table describes stack status codes:

Stack Status

Description

CREATE_COMPLETE

Successful creation of one or more stacks.
API Version 2010-05-15
100

AWS CloudFormation User Guide
Viewing Stack Data and Resources

Stack Status

Description

CREATE_IN_PROGRESS

Ongoing creation of one or more stacks.

CREATE_FAILED

Unsuccessful creation of one or more stacks. View the stack
events to see any associated error messages. Possible reasons
for a failed creation include insuﬃcient permissions to work with
all resources in the stack, parameter values rejected by an AWS
service, or a timeout during resource creation.

DELETE_COMPLETE

Successful deletion of one or more stacks. Deleted stacks are
retained and viewable for 90 days.

DELETE_FAILED

Unsuccessful deletion of one or more stacks. Because the delete
failed, you might have some resources that are still running;
however, you cannot work with or update the stack. Delete the
stack again or view the stack events to see any associated error
messages.

DELETE_IN_PROGRESS

Ongoing removal of one or more stacks.

REVIEW_IN_PROGRESS

Ongoing creation of one or more stacks with an expected
StackId but without any templates or resources.

Important

A stack with this status code counts against the
maximum possible number of stacks (p. 21).
ROLLBACK_COMPLETE

Successful removal of one or more stacks after a failed stack
creation or after an explicitly canceled stack creation. Any
resources that were created during the create stack action are
deleted.
This status exists only after a failed stack creation. It signiﬁes
that all operations from the partially created stack have been
appropriately cleaned up. When in this state, only a delete
operation can be performed.

ROLLBACK_FAILED

Unsuccessful removal of one or more stacks after a failed stack
creation or after an explicitly canceled stack creation. Delete
the stack or view the stack events to see any associated error
messages.

ROLLBACK_IN_PROGRESS

Ongoing removal of one or more stacks after a failed stack
creation or after an explicitly cancelled stack creation.

UPDATE_COMPLETE

Successful update of one or more stacks.

UPDATE_COMPLETE_CLEANUP_IN_PROGRESS
Ongoing removal of old resources for one or more stacks after a
successful stack update. For stack updates that require resources
to be replaced, AWS CloudFormation creates the new resources
ﬁrst and then deletes the old resources to help reduce any
interruptions with your stack. In this state, the stack has been
updated and is usable, but AWS CloudFormation is still deleting
the old resources.
UPDATE_IN_PROGRESS

Ongoing update of one or more stacks.

UPDATE_ROLLBACK_COMPLETE

Successful return of one or more stacks to a previous working
state after a failed stack update.
API Version 2010-05-15
101

AWS CloudFormation User Guide
Monitor and Roll Back Stack Operations

Stack Status

Description

UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS
Ongoing removal of new resources for one or more stacks after a
failed stack update. In this state, the stack has been rolled back to
its previous working state and is usable, but AWS CloudFormation
is still deleting any new resources it created during the stack
update.
UPDATE_ROLLBACK_FAILED

Unsuccessful return of one or more stacks to a previous working
state after a failed stack update. When in this state, you can
delete the stack or continue rollback (p. 150). You might need
to ﬁx errors before your stack can return to a working state. Or,
you can contact customer support to restore the stack to a usable
state.

UPDATE_ROLLBACK_IN_PROGRESS Ongoing return of one or more stacks to the previous working
state after failed stack update.

Monitor and Roll Back Stack Operations
Rollback triggers enable you to have AWS CloudFormation monitor the state of your application during
stack creation and updating, and to roll back that operation if the application breaches the threshold
of any of the alarms you've speciﬁed. For each rollback trigger you create, you specify the Cloudwatch
alarm that AWS CloudFormation should monitor. AWS CloudFormation monitors the speciﬁed alarms
during the stack create or update operation, and for the speciﬁed amount of time after all resources
have been deployed. If any of the alarms goes to ALARM state during the stack operation or the
monitoring period, AWS CloudFormation rolls back the entire stack operation.
You can set a monitoring time from the default of 0 up to 180 minutes. During this time, AWS
CloudFormation monitors all the rollback triggers after the stack creation or update operation deploys
all necessary resources. If any of the alarms goes to ALARM state during the stack operation or this
monitoring period, AWS CloudFormation rolls back the entire stack operation. Then, for update
operations, if the monitoring period expires without any alarms going to ALARM state, CloudFormation
proceeds to dispose of old resources as usual. If you set a monitoring time but do not specify any
rollback triggers, AWS CloudFormation still waits the speciﬁed period of time before cleaning up
old resources for update operations. You can use this monitoring period to perform any manual
stack validation desired, and manually cancel the stack creation or update as necessary. If you set a
monitoring time of 0 minutes, AWS CloudFormation still monitors the rollback triggers during stack
creation and update operations and rolls back the operation if an alarm goes to ALARM state. Then, for
update operations with no breaching alarms, it begins disposing of old resources immediately once the
operation completes.
By default, CloudFormation only rolls back stack operations if an alarm goes to ALARM state, not
INSUFFICIENT_DATA state. To have AWS CloudFormation roll back the stack operation if an alarm goes
to INSUFFICIENT_DATA state as well, edit the CloudWatch alarm to treat missing data as breaching. For
more information, see Conﬁguring How CloudWatch Alarms Treats Missing Data in Amazon CloudWatch
User Guide.
AWS CloudFormation does not monitor rollback triggers when it rolls back a stack during an update
operation.
You can add a maximum of ﬁve rollback triggers. To add a rollback trigger, you specify the ARN (Amazon
Resource Name) of the CloudWatch alarm. Currently, only AWS::CloudWatch::Alarm types can be used
as rollback triggers.
If a given Cloudwatch alarm is missing, the entire stack operation fails and is rolled back.
API Version 2010-05-15
102

AWS CloudFormation User Guide
Creating Quick-Create Links for Stacks

Be aware that access to Amazon CloudWatch requires credentials. Those credentials must have
permissions to access AWS resources, such as retrieving CloudWatch metric data about your cloud
resources. For more information, see Authentication and Access Control for Amazon CloudWatch in
Amazon CloudWatch User Guide.

To add rollback triggers during stack creation or updating
1.

During creating or updating a stack, on the Options page, go to Rollback Triggers.

2.

Specify a monitoring time between 0 and 180 minutes. The default is 0.

3.

Enter the ARN of the Cloudwatch alarm you want to use as a rollback trigger, and click the plus icon.
You can add a maximum of ﬁve rollback triggers.

To add rollback triggers to a change set
1.

During creating or updating a change set, on the Options page, go to Rollback Triggers.

2.

Specify a monitoring time between 0 and 180 minutes. The default is 0.

3.

Enter the ARN of the Cloudwatch alarm you want to use as a rollback trigger, and click the plus icon.
You can add a maximum of ﬁve rollback triggers.

To view rollback triggers for a stack
•

There are two ways to view rollback triggers for a given stack:
• On the Stacks page, select the checkbox for the stack you wish to view, and then select the
Rollback Triggers tab in the detail section.
• On the Stack Detail page, go to the Rollback Triggers section.

Creating Quick-Create Links for Stacks
Use quick-create links to get stacks up and running quickly from the AWS CloudFormation console.
You can specify the template URL, stack name, and template parameters in URL query parameters to
prepopulate a single Create Stack Wizard page. This simpliﬁes the process of creating stacks by reducing
the number of wizard pages and the amount of user input that's required. It also optimizes template
reuse because you can create multiple URLs that specify diﬀerent values for the same template.

Supported Parameters
AWS CloudFormation supports the following URL query parameters:
templateURL
Required. Speciﬁes the URL of the stack template. URL encoding is supported, but it isn't required.
stackName
Optional. Speciﬁes the stack name.A stack name can contain only alphanumeric characters (casesensitive) and hyphens. It must start with an alphabetic character and can't be longer than 128
characters.
Any parameter in the stack template that isn't a NoEcho parameter type
Optional. Use the format param_parameterName to specify template parameters in the URL query
string. The URL parameter must include the param_ preﬁx, and the parameter name segment must
exactly match the parameter name in the template. For example: param_DBName.
API Version 2010-05-15
103

AWS CloudFormation User Guide
Creating Quick-Create Links for Stacks

AWS CloudFormation ignores parameters that don't exist in the template and NoEcho parameter
types (typically, user names and passwords). URL parameters override default values that are
speciﬁed in the template. You can include as many parameters as needed. For more information
about NoEcho parameter types, see Parameters (p. 167).
All query parameter names are case sensitive. Users can overwrite these values in the console before
creating the stack.

Example
The following example is based on the WordPress basic single instance sample template. The query
string includes the required templateURL parameter and the stackName, DBName, InstanceType,
and KeyName parameters.
The following URL has line breaks added for clarity.
https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/
stacks/create/review
?templateURL=https://s3-eu-central-1.amazonaws.com/cloudformation-templates-eucentral-1/WordPress_Single_Instance.template
&stackName=MyWPBlog
¶m_DBName=mywpblog
¶m_InstanceType=t2.medium
¶m_KeyName=MyKeyPair

The following URL includes the same parameters as the previous example, but the line breaks are
removed. This is the actual URL format.

https://eu-central-1.console.aws.amazon.com/cloudformation/home?
region=eu-central-1#/stacks/create/review?templateURL=https://s3eu-central-1.amazonaws.com/cloudformation-templates-eu-central-1/
WordPress_Single_Instance.template&stackName=MyWPBlog¶m_DBName=mywpblog¶m_InstanceType=t2.mediu

The example URL opens the Create Stack Wizard in the console, with the supplied values automatically
used for the parameters.

API Version 2010-05-15
104

AWS CloudFormation User Guide
Deleting a Stack

Deleting a Stack on the AWS CloudFormation
Console
To delete a stack
1.

From the list of stacks in the AWS CloudFormation console, select the stack that you want to delete
(it must be currently running).

2.

Choose Actions and then Delete Stack.

3.

Click Yes, Delete when prompted.

Note

After stack deletion has begun, you cannot abort it. The stack proceeds to the
DELETE_IN_PROGRESS state.
After the stack deletion is complete, the stack will be in the DELETE_COMPLETE state. Stacks in
the DELETE_COMPLETE state are not displayed in the AWS CloudFormation console by default.
API Version 2010-05-15
105

AWS CloudFormation User Guide
Protecting a Stack From Being Deleted

To display deleted stacks, you must change the stack view setting as described in Viewing Deleted
Stacks (p. 107).
If the delete failed, the stack will be in the DELETE_FAILED state. For solutions, see the Delete Stack
Fails (p. 2344) troubleshooting topic.
For information on protecting stacks from being accidently deleted see Protecting a Stack From Being
Deleted (p. 106).

Protecting a Stack From Being Deleted
You can prevent a stack from being accidently deleted by enabling termination protection on the stack. If
a user attempts to delete a stack with termination protection enabled, the deletion fails and the stack-including its status--remains unchanged. You can enable termination protection on a stack when you
create it. Termination protection on stacks is disabled by default. You can set termination protection on a
stack with any status except DELETE_IN_PROGRESS or DELETE_COMPLETE.
Enabling or disabling termination protection on a stack sets it for any nested stacks belonging to that
stack as well. You cannot enable or disable termination protection directly on a nested stack. If a user
attempts to directly delete a nested stack belonging with a stack that has termination protection
enabled, the operation fails and the nested stack remains unchanged.
However, if a user performs a stack update that would delete the nested stack, AWS CloudFormation
deletes the nested stack accordingly.
Termination protection is diﬀerent than disabling rollback. Termination protection applies only to
attempts to delete stacks, while disabling rollback applies to auto rollback when stack creation fails.

To enable termination protection when creating a stack
•

Select Enable Termination Protection when you are creating your stack.
For more information, see Setting Stack Options (p. 95) in Creating a Stack (p. 92).

To enable or disable termination protection on an existing stack
1.

Sign in to the AWS Management Console and open the AWS CloudFormation console at https://
console.aws.amazon.com/cloudformation/. Select the stack that you want.

Note

If NESTED is displayed next to the stack name, the stack is a nested stack. You can only
change termination protection on the root stack to which the nested stack belongs.
2.

Choose Actions and then Change Termination Protection.
CloudFormation displays Enable Termination Protection or Disable Termination Protection, based
on the current termination protection setting for the stack.

3.

Choose Yes, Enable or Yes, Disable.

To enable or disable termination protection on a nested stack
If NESTED is displayed next to the stack name, the stack is a nested stack. You can only change
termination protection on the root stack to which the nested stack belongs. To change termination
protection on the root stack:
1.

Sign in to the AWS Management Console and open the AWS CloudFormation console at https://
console.aws.amazon.com/cloudformation/. Select the nested stack that you want.
API Version 2010-05-15
106

AWS CloudFormation User Guide
Viewing Deleted Stacks

2.
3.

On the Overview tab, click the stack name listed as Root stack.
Choose Other Actions and then choose Change Termination Protection.
CloudFormation displays Enable Termination Protection or Disable Termination Protection, based
on the current termination protection setting for the stack.

4.

Choose Yes, Enable or Yes, Disable.

To enable or disable termination protection using the command line
•

Use the update-termination-protection command.

Controlling Who Can Change Termination Protection on Stacks
To enable or disable termination protection on stacks, a user requires permission to the
cloudformation:UpdateTerminationProtection action. For example, the policy below allows
users to enable or disable termination protection on stacks.
For more information on specifying permissions in AWS CloudFormation, see Controlling Access with
AWS Identity and Access Management (p. 9).

Example A sample policy that grants permissions to change stack termination protection
{

}

"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":[
"cloudformation:UpdateTerminationProtection"
],
"Resource":"*"
}]

Viewing Deleted Stacks on the AWS CloudFormation
Console
By default, the AWS CloudFormation console does not display stacks in the DELETE_COMPLETE state. To
display information about deleted stacks, you must change the stack view.

To view deleted stacks
•

In the AWS CloudFormation console, select Deleted from the Filter list.

AWS CloudFormation lists all of your deleted stacks (stacks with DELETE_COMPLETE status).
API Version 2010-05-15
107

AWS CloudFormation User Guide
Related Topics

See Also
• Deleting a Stack (p. 105)
• Viewing Stack Data and Resources (p. 99)

Related Topics
• Using the AWS CLI (p. 108)

Using the AWS Command Line Interface
With the AWS Command Line Interface (CLI), you can create, monitor, update and delete stacks from
your system's terminal. You can also use the AWS CLI to automate actions through scripts. For more
information about the AWS CLI, see the AWS Command Line Interface User Guide.
If you use Windows PowerShell, AWS also oﬀers the AWS Tools for Windows PowerShell.

Note

The prior AWS CloudFormation CLI tools are still available, but not recommended. If you need
information about the prior AWS CloudFormation CLI tools, see the AWS CloudFormation CLI
Reference in the documentation archive.
Topics
• Creating a Stack (p. 108)
• Describing and Listing Your Stacks (p. 109)
• Viewing Stack Event History (p. 112)
• Listing Resources (p. 114)
• Retrieving a Template (p. 114)
• Validating a Template (p. 115)
• Uploading Local Artifacts to an S3 Bucket (p. 116)
• Quickly Deploying Templates with Transforms (p. 117)
• Deleting a Stack (p. 117)

Creating a Stack
To create a stack you run the aws cloudformation create-stack command. You must provide the
stack name, the location of a valid template, and any input parameters.
Parameters are separated with a space and the key names are case sensitive. If you mistype a parameter
key name when you run aws cloudformation create-stack, AWS CloudFormation doesn't create
the stack and reports that the template doesn't contain that parameter.

Note

If you specify a local template ﬁle, AWS CloudFormation uploads it to an Amazon S3 bucket
in your AWS account. AWS CloudFormation creates a unique bucket for each region in which
you upload a template ﬁle. The buckets are accessible to anyone with Amazon S3 permissions
in your AWS account. If an AWS CloudFormation-created bucket already exists, the template is
added to that bucket.
You can use your own bucket and manage its permissions by manually uploading templates
to Amazon S3. Then whenever you create or update a stack, specify the Amazon S3 URL of a
template ﬁle.
API Version 2010-05-15
108

AWS CloudFormation User Guide
Describing and Listing Your Stacks

By default, aws cloudformation describe-stacks returns parameter values. To prevent sensitive
parameter values such as passwords from being returned, include a NoEcho property set to TRUE in your
AWS CloudFormation template.
The following example creates the myteststack stack:
PROMPT> aws cloudformation create-stack --stack-name myteststack --template-body file:///
home/testuser/mytemplate.json --parameters ParameterKey=Parm1,ParameterValue=test1
ParameterKey=Parm2,ParameterValue=test2
{
"StackId" : "arn:aws:cloudformation:us-west-2:123456789012:stack/
myteststack/330b0120-1771-11e4-af37-50ba1b98bea6"
}

Describing and Listing Your Stacks
You can use two AWS CLI commands to get information about your AWS CloudFormation stacks: aws
cloudformation list-stacks and aws cloudformation describe-stacks.

Note

See the section called “AWS CloudFormation Resources” (p. 11) for a discussion of how IAM
policies may limit what a user can do with these two AWS CLI commands.

aws cloudformation list-stacks
The aws cloudformation list-stacks command enables you to get a list of any of the stacks
you have created (even those which have been deleted up to 90 days). You can use an option to ﬁlter
results by stack status, such as CREATE_COMPLETE and DELETE_COMPLETE. The aws cloudformation
list-stacks command returns summary information about any of your running or deleted stacks,
including the name, stack identiﬁer, template, and status.

Note

The aws cloudformation list-stacks command returns information on deleted stacks for 90 days
after they have been deleted.
The following example shows a summary of all stacks that have a status of CREATE_COMPLETE:
PROMPT> aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE
[
{
"StackId": "arn:aws:cloudformation:us-east-2:123456789012:stack/myteststack/
644df8e0-0dff-11e3-8e2f-5088487c4896",
"TemplateDescription": "AWS CloudFormation Sample Template S3_Bucket: Sample
template showing how to create a publicly accessible S3 bucket. **WARNING** This template
creates an
S3 bucket. You will be billed for the AWS resources used if you create a stack from this
template.",
"StackStatusReason": null,
"CreationTime": "2013-08-26T03:27:10.190Z",
"StackName": "myteststack",
"StackStatus": "CREATE_COMPLETE"
}
]

aws cloudformation describe-stacks
The aws cloudformation describe-stacks command provides information on your running
stacks. You can use an option to ﬁlter results on a stack name. This command returns information about
the stack, including the name, stack identiﬁer, and status.
API Version 2010-05-15
109

AWS CloudFormation User Guide
Describing and Listing Your Stacks

The following example shows summary information for the myteststack stack:
PROMPT> aws cloudformation describe-stacks --stack-name myteststack
{
"Stacks": [
{
"StackId": "arn:aws:cloudformation:us-east-2:123456789012:stack/myteststack/
a69442d0-0b8f-11e3-8b8a-500150b352e0",
"Description": "AWS CloudFormation Sample Template S3_Bucket: Sample template
showing how to create a publicly accessible S3 bucket. **WARNING** This template creates
an S3 bucket.
You will be billed for the AWS resources used if you create a stack from this template.",
"Tags": [],
"Outputs": [
{
"Description": "Name of S3 bucket to hold website content",
"OutputKey": "BucketName",
"OutputValue": "myteststack-s3bucket-jssofi1zie2w"
}
],
"StackStatusReason": null,
"CreationTime": "2013-08-23T01:02:15.422Z",
"Capabilities": [],
"StackName": "myteststack",
"StackStatus": "CREATE_COMPLETE",
"DisableRollback": false
}
]
}

If you don't use the --stack-name option to limit the output to one stack, information on all your
running stacks is returned.

Stack Status Codes
You can specify one or more stack status codes to list only stacks with the speciﬁed status codes. The
following table describes each stack status code:

Stack Status

Description

CREATE_COMPLETE

Successful creation of one or more stacks.

CREATE_IN_PROGRESS

Ongoing creation of one or more stacks.

CREATE_FAILED

Unsuccessful creation of one or more stacks. View the stack
events to see any associated error messages. Possible reasons
for a failed creation include insuﬃcient permissions to work with
all resources in the stack, parameter values rejected by an AWS
service, or a timeout during resource creation.

DELETE_COMPLETE

Successful deletion of one or more stacks. Deleted stacks are
retained and viewable for 90 days.

DELETE_FAILED

Unsuccessful deletion of one or more stacks. Because the delete
failed, you might have some resources that are still running;
however, you cannot work with or update the stack. Delete the
stack again or view the stack events to see any associated error
messages.

DELETE_IN_PROGRESS

Ongoing removal of one or more stacks.
API Version 2010-05-15
110

AWS CloudFormation User Guide
Describing and Listing Your Stacks

Stack Status

Description

REVIEW_IN_PROGRESS

Ongoing creation of one or more stacks with an expected
StackId but without any templates or resources.

Important

A stack with this status code counts against the
maximum possible number of stacks (p. 21).
ROLLBACK_COMPLETE

Successful removal of one or more stacks after a failed stack
creation or after an explicitly canceled stack creation. Any
resources that were created during the create stack action are
deleted.
This status exists only after a failed stack creation. It signiﬁes
that all operations from the partially created stack have been
appropriately cleaned up. When in this state, only a delete
operation can be performed.

ROLLBACK_FAILED

Unsuccessful removal of one or more stacks after a failed stack
creation or after an explicitly canceled stack creation. Delete
the stack or view the stack events to see any associated error
messages.

ROLLBACK_IN_PROGRESS

Ongoing removal of one or more stacks after a failed stack
creation or after an explicitly cancelled stack creation.

UPDATE_COMPLETE

Successful update of one or more stacks.

UPDATE_COMPLETE_CLEANUP_IN_PROGRESS
Ongoing removal of old resources for one or more stacks after a
successful stack update. For stack updates that require resources
to be replaced, AWS CloudFormation creates the new resources
ﬁrst and then deletes the old resources to help reduce any
interruptions with your stack. In this state, the stack has been
updated and is usable, but AWS CloudFormation is still deleting
the old resources.
UPDATE_IN_PROGRESS

Ongoing update of one or more stacks.

UPDATE_ROLLBACK_COMPLETE

Successful return of one or more stacks to a previous working
state after a failed stack update.

UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS
Ongoing removal of new resources for one or more stacks after a
failed stack update. In this state, the stack has been rolled back to
its previous working state and is usable, but AWS CloudFormation
is still deleting any new resources it created during the stack
update.
UPDATE_ROLLBACK_FAILED

Unsuccessful return of one or more stacks to a previous working
state after a failed stack update. When in this state, you can
delete the stack or continue rollback (p. 150). You might need
to ﬁx errors before your stack can return to a working state. Or,
you can contact customer support to restore the stack to a usable
state.

UPDATE_ROLLBACK_IN_PROGRESS Ongoing return of one or more stacks to the previous working
state after failed stack update.

API Version 2010-05-15
111

AWS CloudFormation User Guide
Viewing Stack Event History

Viewing Stack Event History
You can track the status of the resources AWS CloudFormation is creating and deleting with the aws
cloudformation describe-stack-events command. The amount of time to create or delete a
stack depends on the complexity of your stack.
In the following example, a sample stack is created from a template ﬁle by using the aws
cloudformation create-stack command. After the stack is created, the events that were reported
during stack creation are shown by using the aws cloudformation describe-stack-events command.
The following example creates a stack with the name myteststack using the sampletemplate.json
template ﬁle:
PROMPT> aws cloudformation create-stack --stack-name myteststack --template-body file:///
home/local/test/sampletemplate.json
[
{
"StackId": "arn:aws:cloudformation:us-east-2:123456789012:stack/
myteststack/466df9e0-0dff-08e3-8e2f-5088487c4896",
"Description": "AWS CloudFormation Sample Template S3_Bucket: Sample template
showing how to create a publicly accessible S3 bucket. **WARNING** This template creates
an S3 bucket.
You will be billed for the AWS resources used if you create a stack from this template.",
"Tags": [],
"Outputs": [
{
"Description": "Name of S3 bucket to hold website content",
"OutputKey": "BucketName",
"OutputValue": "myteststack-s3bucket-jssofi1zie2w"
}
],
"StackStatusReason": null,
"CreationTime": "2013-08-23T01:02:15.422Z",
"Capabilities": [],
"StackName": "myteststack",
"StackStatus": "CREATE_COMPLETE",
"DisableRollback": false
}
]

The following example describes the myteststack stack:
PROMPT> aws cloudformation describe-stack-events --stack-name myteststack
{
"StackEvents": [
{
"StackId": "arn:aws:cloudformation:us-east-2:123456789012:stack/
myteststack/466df9e0-0dff-08e3-8e2f-5088487c4896",
"EventId": "af67ef60-0b8f-11e3-8b8a-500150b352e0",
"ResourceStatus": "CREATE_COMPLETE",
"ResourceType": "AWS::CloudFormation::Stack",
"Timestamp": "2013-08-23T01:02:30.070Z",
"StackName": "myteststack",
"PhysicalResourceId": "arn:aws:cloudformation:us-east-2:123456789012:stack/
myteststack/a69442d0-0b8f-11e3-8b8a-500150b352e0",
"LogicalResourceId": "myteststack"
},
{
"StackId": "arn:aws:cloudformation:us-east-2:123456789012:stack/
myteststack/466df9e0-0dff-08e3-8e2f-5088487c4896",
"EventId": "S3Bucket-CREATE_COMPLETE-1377219748025",

API Version 2010-05-15
112

AWS CloudFormation User Guide
Viewing Stack Event History

},
{

"ResourceStatus": "CREATE_COMPLETE",
"ResourceType": "AWS::S3::Bucket",
"Timestamp": "2013-08-23T01:02:28.025Z",
"StackName": "myteststack",
"ResourceProperties": "{\"AccessControl\":\"PublicRead\"}",
"PhysicalResourceId": "myteststack-s3bucket-jssofi1zie2w",
"LogicalResourceId": "S3Bucket"

"StackId": "arn:aws:cloudformation:us-east-2:123456789012:stack/
myteststack/466df9e0-0dff-08e3-8e2f-5088487c4896",
"EventId": "S3Bucket-CREATE_IN_PROGRESS-1377219746688",
"ResourceStatus": "CREATE_IN_PROGRESS",
"ResourceType": "AWS::S3::Bucket",
"Timestamp": "2013-08-23T01:02:26.688Z",
"ResourceStatusReason": "Resource creation Initiated",
"StackName": "myteststack",
"ResourceProperties": "{\"AccessControl\":\"PublicRead\"}",
"PhysicalResourceId": "myteststack-s3bucket-jssofi1zie2w",
"LogicalResourceId": "S3Bucket"
},
{
"StackId": "arn:aws:cloudformation:us-east-2:123456789012:stack/
myteststack/466df9e0-0dff-08e3-8e2f-5088487c4896",
"EventId": "S3Bucket-CREATE_IN_PROGRESS-1377219743862",
"ResourceStatus": "CREATE_IN_PROGRESS",
"ResourceType": "AWS::S3::Bucket",
"Timestamp": "2013-08-23T01:02:23.862Z",
"StackName": "myteststack",
"ResourceProperties": "{\"AccessControl\":\"PublicRead\"}",
"PhysicalResourceId": null,
"LogicalResourceId": "S3Bucket"
},
{
"StackId": "arn:aws:cloudformation:us-east-2:123456789012:stack/
myteststack/466df9e0-0dff-08e3-8e2f-5088487c4896",
"EventId": "a69469e0-0b8f-11e3-8b8a-500150b352e0",
"ResourceStatus": "CREATE_IN_PROGRESS",
"ResourceType": "AWS::CloudFormation::Stack",
"Timestamp": "2013-08-23T01:02:15.422Z",
"ResourceStatusReason": "User Initiated",
"StackName": "myteststack",
"PhysicalResourceId": "arn:aws:cloudformation:us-east-2:123456789012:stack/
myteststack/a69442d0-0b8f-11e3-8b8a-500150b352e0",
"LogicalResourceId": "myteststack"
}
]
}

Note

You can run the aws cloudformation describe-stack-events command while the stack is being
created to view events as they are reported.
The most recent events are reported ﬁrst. The following table describe the ﬁelds returned by the aws
cloudformation describe-stack-events command:
Field

Description

EventId

Event identiﬁer

StackName

Name of the stack that the event corresponds to

StackId

Identiﬁer of the stack that the event corresponds to
API Version 2010-05-15
113

AWS CloudFormation User Guide
Listing Resources

Field

Description

LogicalResourceId

Logical identiﬁer of the resource

PhysicalResourceId

Physical identiﬁer of the resource

ResourceProperties

Properties of the resource

ResourceType

Type of the resource

Timestamp

Time when the event occurred

ResourceStatus

The status of the resource, which can be one of the following
status codes: CREATE_COMPLETE | CREATE_FAILED |
CREATE_IN_PROGRESS | DELETE_COMPLETE | DELETE_FAILED |
DELETE_IN_PROGRESS | DELETE_SKIPPED | UPDATE_COMPLETE |
UPDATE_FAILED | UPDATE_IN_PROGRESS.
The DELETE_SKIPPED status applies to resources with a deletion
policy attribute of retain.

ResourceStatusReason

More information on the status

Listing Resources
Immediately after you run the aws cloudformation create-stack command, you can list its
resources using the aws cloudformation list-stack-resources command. This command lists a
summary of each resource in the stack that you specify with the --stack-name parameter. The report
includes a summary of the stack, including the creation or deletion status.
The following example shows the resources for the myteststack stack:
PROMPT> aws cloudformation list-stack-resources --stack-name myteststack
{
"StackResourceSummaries": [
{
"ResourceStatus": "CREATE_COMPLETE",
"ResourceType": "AWS::S3::Bucket",
"ResourceStatusReason": null,
"LastUpdatedTimestamp": "2013-08-23T01:02:28.025Z",
"PhysicalResourceId": "myteststack-s3bucket-sample",
"LogicalResourceId": "S3Bucket"
}
]
}

AWS CloudFormation reports resource details on any running or deleted stack. If you specify the name of
a stack whose status is CREATE_IN_PROCESS, AWS CloudFormation reports only those resources whose
status is CREATE_COMPLETE.

Note

The aws cloudformation describe-stack-resources command returns information on deleted
stacks for 90 days after they have been deleted.

Retrieving a Template
AWS CloudFormation stores the template you use to create your stack as part of the stack. You can
retrieve the template from AWS CloudFormation using the aws cloudformation get-template
command.
API Version 2010-05-15
114

AWS CloudFormation User Guide
Validating a Template

Note

The aws cloudformation get-template command returns the deleted stacks templates for
up to 90 days after the stack has been deleted.
The following example shows the template for the myteststack stack:
PROMPT> aws cloudformation get-template --stack-name myteststack
{
"TemplateBody": {
"AWSTemplateFormatVersion": "2010-09-09",
"Outputs": {
"BucketName": {
"Description": "Name of S3 bucket to hold website content",
"Value": {
"Ref": "S3Bucket"
}
}
},
"Description": "AWS CloudFormation Sample Template S3_Bucket: Sample template
showing how to create a publicly accessible S3 bucket. **WARNING** This template creates
an S3 bucket.
You will be billed for the AWS resources used if you create a stack from this template.",
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicRead"
}
}
}
}
}

The output contains the entire template body, enclosed in quotation marks.

Validating a Template
To check your template ﬁle for syntax errors, you can use the aws cloudformation validatetemplate command.

Note

The aws cloudformation validate-template command is designed to check only the
syntax of your template. It does not ensure that the property values that you have speciﬁed for
a resource are valid for that resource. Nor does it determine the number of resources that will
exist when the stack is created.
To check the operational validity, you need to attempt to create the stack. There is no sandbox or test
area for AWS CloudFormation stacks, so you are charged for the resources you create during testing.
During validation, AWS CloudFormation ﬁrst checks if the template is valid JSON. If it isn't, AWS
CloudFormation checks if the template is valid YAML. If both checks fail, AWS CloudFormation returns a
template validation error. You can validate templates locally by using the --template-body parameter,
or remotely with the --template-url parameter. The following example validates a template in a
remote location:
PROMPT> aws cloudformation validate-template --template-url https://s3.amazonaws.com/
cloudformation-templates-us-east-1/S3_Bucket.template
{
"Description": "AWS CloudFormation Sample Template S3_Bucket: Sample template showing
how to create a publicly accessible S3 bucket. **WARNING** This template creates an S3
bucket.

API Version 2010-05-15
115

AWS CloudFormation User Guide
Uploading Local Artifacts to an S3 Bucket
You will be billed for the AWS resources used if you create a stack from this template.",
"Parameters": [],
"Capabilities": []
}

The expected result is no error message, with information about all parameters listed.
The following example shows an error with a local template ﬁle:
PROMPT> aws cloudformation validate-template --template-body file:///home/local/test/
sampletemplate.json
{
"ResponseMetadata": {
"RequestId": "4ae33ec0-1988-11e3-818b-e15a6df955cd"
},
"Errors": [
{
"Message": "Template format error: JSON not well-formed. (line 11, column 8)",
"Code": "ValidationError",
"Type": "Sender"
}
],
"Capabilities": [],
"Parameters": []
}
A client error (ValidationError) occurred: Template format error: JSON not well-formed.
(line 11, column 8)

Uploading Local Artifacts to an S3 Bucket
For some resource properties that require an Amazon S3 location (a bucket name and ﬁlename), you can
specify local references instead. For example, you might specify the S3 location of your AWS Lambda
function's source code or an Amazon API Gateway REST API's OpenAPI (formerly Swagger) ﬁle. Instead
of manually uploading the ﬁles to an S3 bucket and then adding the location to your template, you can
specify local references, called local artifacts, in your template and then use the package command to
quickly upload them. A local artifact is a path to a ﬁle or folder that the package command uploads to
Amazon S3. For example, an artifact can be a local path to your AWS Lambda function's source code or
an Amazon API Gateway REST API's OpenAPI ﬁle.
If you specify a ﬁle, the command directly uploads it to the S3 bucket. After uploading the artifacts, the
command returns a copy of your template, replacing references to local artifacts with the S3 location
where the command uploaded the artifacts. Then, you can use the returned template to create or update
a stack.
If you specify a folder, the command creates a .zip ﬁle for the folder, and then uploads the .zip ﬁle. If you
don’t specify a path, the command creates a .zip ﬁle for the working directory, and uploads it. You can
specify an absolute or relative path, where the relative path is relative to your template’s location.
You can use local artifacts only for resource properties that the package command supports. For
more information about this command and a list of the supported resource properties, see the aws
cloudformation package command in the AWS CLI Command Reference.
The following template speciﬁes the local artifact for a Lambda function's source code. The source code
is stored in the user's /home/user/code/lambdafunction folder.
Original Template
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'

API Version 2010-05-15
116

AWS CloudFormation User Guide
Quickly Deploying Templates with Transforms
Resources:
MyFunction:
Type: 'AWS::Serverless::Function'
Properties:
Handler: index.handler
Runtime: nodejs4.3
CodeUri: /home/user/code/lambdafunction

The following command creates a .zip ﬁle containing the function's source code folder, and then uploads
the .zip ﬁle to the root folder of the my-bucket bucket.
Package Command
aws cloudformation package --template /path_to_template/template.json --s3-bucket mybucket
--output json > packaged-template.json

The command saves the template that it generates to the path speciﬁed by the --output option. The
command replaces the artifact with the S3 location, as shown in the following example:
Resulting Template
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
MyFunction:
Type: 'AWS::Serverless::Function'
Properties:
Handler: index.handler
Runtime: nodejs4.3
CodeUri: s3://mybucket/lambdafunction.zip

Quickly Deploying Templates with Transforms
AWS CloudFormation requires you to use a change set to create a template that includes transforms.
Instead of independently creating and then executing a change set, use the aws cloudformation
deploy command. When you run this command, it creates a change set, executes the change set, and
then terminates. This command reduces the numbers of required steps when you create or update a
stack that includes transforms.
The following command creates a new stack by using the my-template.json template.
aws cloudformation deploy --template /path_to_template/my-template.json --stack-name mynew-stack --parameter-overrides Key1=Value1 Key2=Value2

For more information, see the aws cloudformation deploy command in the AWS CLI Command
Reference

Deleting a Stack
To delete a stack, you run the aws cloudformation delete-stack command. You must specify the
name of the stack that you want to delete. When you delete a stack, you delete the stack and all of its
resources.
The following example deletes the myteststack stack:
PROMPT> aws cloudformation delete-stack --stack-name myteststack

API Version 2010-05-15
117

AWS CloudFormation User Guide
Stack Updates

Note

You cannot delete a stack that has termination protection enabled. For more information, see
Protecting a Stack From Being Deleted (p. 106)

AWS CloudFormation Stacks Updates
When you need to make changes to a stack's settings or change its resources, you update the stack
instead of deleting it and creating a new stack. For example, if you have a stack with an EC2 instance, you
can update the stack to change the instance's AMI ID.
When you update a stack, you submit changes, such as new input parameter values or an updated
template. AWS CloudFormation compares the changes you submit with the current state of your stack
and updates only the changed resources. For a summary of the update workﬂow, see How Does AWS
CloudFormation Work? (p. 5).

Note

When updating a stack, AWS CloudFormation might interrupt resources or replace updated
resources, depending on which properties you update. For more information about resource
update behaviors, see Update Behaviors of Stack Resources (p. 118).
Update Methods
AWS CloudFormation provides two methods for updating stacks: direct update or creating and
executing change sets. When you directly update a stack, you submit changes and AWS CloudFormation
immediately deploys them. Use direct updates when you want to quickly deploy your updates.
With change sets, you can preview the changes AWS CloudFormation will make to your stack, and then
decide whether to apply those changes. Change sets are JSON-formatted documents that summarize
the changes AWS CloudFormation will make to a stack. Use change sets when you want to ensure that
AWS CloudFormation doesn't make unintentional changes or when you want to consider several options.
For example, you can use a change set to verify that AWS CloudFormation won't replace your stack's
database instances during an update.
Topics
• Update Behaviors of Stack Resources (p. 118)
• Modifying a Stack Template (p. 119)
• Updating Stacks Using Change Sets (p. 122)
• Updating Stacks Directly (p. 136)
• Monitoring the Progress of a Stack Update (p. 139)
• Canceling a Stack Update (p. 140)
• Prevent Updates to Stack Resources (p. 141)
• Continue Rolling Back an Update (p. 150)

Update Behaviors of Stack Resources
When you submit an update, AWS CloudFormation updates resources based on diﬀerences between
what you submit and the stack's current template. Resources that have not changed run without
disruption during the update process. For updated resources, AWS CloudFormation uses one of the
following update behaviors:
Update with No Interruption
AWS CloudFormation updates the resource without disrupting operation of that resource and
without changing the resource's physical ID. For example, if you update any property on an
AWS::CloudTrail::Trail (p. 708) resource, AWS CloudFormation updates the trail without disruption.
API Version 2010-05-15
118

AWS CloudFormation User Guide
Modifying a Stack Template

Updates with Some Interruption
AWS CloudFormation updates the resource with some interruption and retains the physical ID. For
example, if you update certain properties on an AWS::EC2::Instance (p. 879) resource, the instance
might have some interruption while AWS CloudFormation and Amazon EC2 reconﬁgure the instance.
Replacement
AWS CloudFormation recreates the resource during an update, which also generates a new physical
ID. AWS CloudFormation creates the replacement resource ﬁrst, changes references from other
dependent resources to point to the replacement resource, and then deletes the old resource. For
example, if you update the Engine property of an AWS::RDS::DBInstance (p. 1341) resource type,
AWS CloudFormation creates a new resource and replaces the current DB instance resource with the
new one.
The method AWS CloudFormation uses depends on which property you update for a given resource type.
The update behavior for each property is described in the AWS Resource Types Reference (p. 499).
Depending on the update behavior, you can decide when to modify resources to reduce the impact of
these changes on your application. In particular, you can plan when resources must be replaced during
an update. For example, if you update the Port property of an AWS::RDS::DBInstance (p. 1341) resource
type, AWS CloudFormation replaces the DB instance by creating a new DB instance with the updated
port setting and deletes the old DB instance. Before the update, you might plan to do the following to
prepare for the database replacement:
• Take a snapshot of the current databases.
• Prepare a strategy for how applications that use that DB instance will handle an interruption while the
DB instance is being replaced.
• Ensure that the applications that use that DB instance take into account the updated port setting and
any other updates you have made.
• Use the DB snapshot to restore the databases on the new DB instance.
This example is not exhaustive; it's meant to give you an idea of the things to plan for when a resource is
replaced during an update.

Note

If the template includes one or more nested stacks (p. 694), AWS CloudFormation also initiates
an update for every nested stack. This is necessary to determine whether the nested stacks have
been modiﬁed. AWS CloudFormation updates only those resources in the nested stacks that
have changes speciﬁed in corresponding templates.

Modifying a Stack Template
If you want to modify resources and properties that are declared in a stack template, you must modify
the stack's template. To ensure that you update only the resources that you intend to update, use the
template for the existing stack as a starting point and make your updates to that template. If you are
managing your template in a source control system, use a copy of that template as a starting point.
Otherwise, you can get a copy of a stack template from AWS CloudFormation.
If you want to modify just the parameters or settings of a stack (like a stack's Amazon SNS topic), you
can reuse the existing stack template. You don't need to get a copy of the stack template or make
modiﬁcations to the stack template.

Note

If your template includes an unsupported change, AWS CloudFormation returns a message
saying that the change is not permitted. This message might occur asynchronously, however,
because resources are created and updated by AWS CloudFormation in a non-deterministic
order by default.
API Version 2010-05-15
119

AWS CloudFormation User Guide
Modifying a Stack Template

Topics
• Update a Stack's Template (Console) (p. 120)
• Get and Update a Template for a Stack (CLI) (p. 121)

Update a Stack's Template (Console)
1.

In the AWS CloudFormation console, select the stack that you want to update and then choose the
Actions and then View in Designer.

AWS CloudFormation opens a copy of the stack's template in AWS CloudFormation Designer.
2.

Modify the template.
You can use the AWS CloudFormation Designer drag-and-drop interface or the integrated JSON
and YAML editor to modify the template. For more information about using AWS CloudFormation
Designer, see What Is AWS CloudFormation Designer? (p. 202).
Modify only the resources that you want to update. Use the same values as the current stack
conﬁguration for resources and properties that you aren't updating. You can modify the template by
completing any of the following actions:
• Add new resources, or remove existing resources.
For most resources, changing the logical name of a resource is equivalent to deleting that resource
and replacing it with a new one. Any other resources that depend on the renamed resource also
need to be updated and might cause them to be replaced. Other resources require you to update a
property (not just the logical name) in order to trigger an update.
• Add, modify, or delete properties of existing resources.
Consult the AWS Resource Types Reference (p. 499) for information about the eﬀects of
updating particular resource properties. For each property, the eﬀects of an update will be one of
the following:
• Update requires: No interruption (p. 118)
• Update requires: Some interruptions (p. 119)
• Update requires: Replacement (p. 119)
• Add, modify, or delete attributes for resources (Metadata, DependsOn, CreationPolicy,
UpdatePolicy, and DeletionPolicy).

Important

You cannot update the CreationPolicy, DeletionPolicy. or UpdatePolicy
attribute by itself. You can update them only when you include changes that add, modify,
or delete resources. For example, you can add or modify a metadata attribute of a
resource.
API Version 2010-05-15
120

AWS CloudFormation User Guide
Modifying a Stack Template

• Add, modify, or delete parameter declarations. However, you cannot add, modify, or delete a
parameter that is used by a resource that does not support updates.
• Add, modify, or delete mapping declarations.

Important

If the values in a mapping are not being used by your stack, you can't update the
mapping by itself. You need to include changes that add, modify, or delete resources.
For example, you can add or modify a metadata attribute of a resource. If you update
a mapping value that your stack is using, you don't need to make any other changes to
trigger an update.
• Add, modify, or delete condition declarations.

Important

You cannot update conditions by themselves. You can update conditions only when
you include changes that add, modify, or delete resources. For example, you can add or
modify a metadata attribute of a resource.
• Add, modify, or delete output value declarations.
Some resources or properties may have constraints on property values or changes to those values.
For example, changes to the AllocatedStorage property of an AWS::RDS::DBInstance (p. 1341)
resource must be greater than the current setting. If the value speciﬁed for the update does
not meet those constraints, the update for that resource fails. For the speciﬁc constraints on
AllocatedStorage changes, see ModifyDBInstance.
Updates to a resource can aﬀect the properties of other resources. If you used the Ref function
(p. 2311) or the Fn::GetAtt function (p. 2285) to specify an attribute from an updated resource
as part of a property value in another resource in the template, AWS CloudFormation also updates
the resource that contains the reference to the property that has changed. For example, if you
updated the MasterUsername property of an AWS::RDS::DBInstance resource and you had
an AWS::AutoScaling::LaunchConfiguration resource that had a UserData property that
contained a reference to the DB instance name using the Ref function, AWS CloudFormation would
recreate the DB instance with a new name and also update the LaunchConfiguration resource.
3.

To check for syntax errors in your template, from the AWS CloudFormation Designer toolbar, choose
Validate template (

).

View and ﬁx any errors in the Messages pane, and then validate the template again. If you don't see
any errors, your template is syntactically valid.
4.

From the AWS CloudFormation Designer toolbar, choose the File menu (
the template in an S3 bucket or locally.

) and then Save to save

Get and Update a Template for a Stack (CLI)
1.

To get the template for the stack you want to update, use the command aws cloudformation
get-template.

2.

Copy the template, paste it into a text ﬁle, modify it, and save it. Copy only the template. The
command encloses the template in quotation marks, but do not copy the quotation marks
surrounding the template. The template itself starts with an open brace and ends with the ﬁnal
close brace. Specify changes to the stack's resources in this ﬁle.

API Version 2010-05-15
121

AWS CloudFormation User Guide
Updating Stacks Using Change Sets

Updating Stacks Using Change Sets
When you need to update a stack, understanding how your changes will aﬀect running resources before
you implement them can help you update stacks with conﬁdence. Change sets allow you to preview how
proposed changes to a stack might impact your running resources, for example, whether your changes
will delete or replace any critical resources, AWS CloudFormation makes the changes to your stack
only when you decide to execute the change set, allowing you to decide whether to proceed with your
proposed changes or explore other changes by creating another change set. You can create and manage
change sets using the AWS CloudFormation console, AWS CLI, or AWS CloudFormation API.
Topics
• Creating a Change Set (p. 123)
• Viewing a Change Set (p. 125)
• Executing a Change Set (p. 127)
• Deleting a Change Set (p. 129)
• Example Change Sets (p. 129)

Important

Change sets don't indicate whether AWS CloudFormation will successfully update a stack.
For example, a change set doesn't check if you will surpass an account limit (p. 21), if you're
updating a resource (p. 499) that doesn't support updates, or if you have insuﬃcient
permissions (p. 9) to modify a resource, all of which can cause a stack update to fail. If an update
fails, AWS CloudFormation attempts to roll back your resources to their original state.
Change Set Overview
The following diagram summarizes how you use change sets to update a stack:

1. Create a change set by submitting changes for the stack that you want to update. You can submit a
modiﬁed stack template or modiﬁed input parameter values. AWS CloudFormation compares your
stack with the changes that you submitted to generate the change set; it doesn't make changes to
your stack at this point.
2. View the change set to see which stack settings and resources will change. For example, you can see
which resources AWS CloudFormation will add, modify, or delete.
3. Optional: If you want to consider other changes before you decide which changes to make, create
additional change sets. Creating multiple change sets helps you understand and evaluate how
diﬀerent changes will aﬀect your resources. You can create as many change sets as you need.
4. Execute the change set that contains the changes that you want to apply to your stack. AWS
CloudFormation updates your stack with those changes.

Note

After you execute a change, AWS CloudFormation removes all change sets that are associated
with the stack because they aren't applicable to the updated stack.
You can also delete change sets to prevent executing a change set that shouldn't be applied.
API Version 2010-05-15
122

AWS CloudFormation User Guide
Updating Stacks Using Change Sets

Creating a Change Set
To create a change set for a running stack, submit the changes that you want to make by providing a
modiﬁed template, new input parameter values, or both. AWS CloudFormation generates a change set
by comparing your stack with the changes you submitted.
To modify a template, for example to add a new resource to your stack, modify a copy of the
current template before creating the change set. For more information, see Modifying a Stack
Template (p. 119).

To create a change set (console)
1.

In the AWS CloudFormation console, from the list of stacks, select the running stack for which you
want to create a change set.

2.

Choose Actions, and then choose Create Change Set.

3.

If you modiﬁed the stack template, specify the location of the updated template. If not, select Use
current template.
• For a template stored locally on your computer, select Upload a template to Amazon S3. Choose
Choose File to navigate to the ﬁle and select it, and then click Next.
• For a template stored in an Amazon S3 bucket, select Specify an Amazon S3 URL. Enter or paste
the URL for the template, and then click Next.
If you have a template in a versioning-enabled bucket, you can specify a speciﬁc version of the
template, such as https://s3.amazonaws.com/templates/myTemplate.template?
versionId=123ab1cdeKdOW5IH4GAcYbEngcpTJTDW. For more information, see Managing
Objects in a Versioning-Enabled Bucket in the Amazon Simple Storage Service Console User Guide.

4.

On the Specify Details page, type information about the change set and, if necessary, modify the
parameter values that you want to change, and then choose Next.
In the Specify Details section, specify a name for the change set. You can also specify a description
of the change set to identify its purpose.
If your template contains parameters, in the Parameters section, change applicable parameter
values. If you're reusing the stack's template, AWS CloudFormation populates each parameter with
the current value in the stack,with the exception of parameters declared with the NoEcho attribute.
To use existing values for those parameters, select Use existing value.

5.

On the Options page, you can update the stack's service role, the stack tags, or the stack's Amazon
SNS notiﬁcation topic, as applicable, and then choose Next.

6.

Review the changes for this change set.
If the template includes AWS Identity and Access Management (IAM) resources, select I
acknowledge that this template may create IAM resources to acknowledge that AWS
CloudFormation might create IAM resources if you execute this change set. IAM resources can modify
permissions in your AWS account; review these resources to ensure that you're permitting only the
actions that you intend. For more information, see Controlling Access with AWS Identity and Access
Management (p. 9).
API Version 2010-05-15
123

AWS CloudFormation User Guide
Updating Stacks Using Change Sets

7.

Choose Create change set.
You're redirected to the change set's detail page. While AWS CloudFormation generates the
change set, the status of the change set is CREATE_IN_PROGRESS. After it has created the change
set, AWS CloudFormation sets the status to CREATE_COMPLETE. In the Changes section, AWS
CloudFormation lists all of the changes that it will make to your stack. For more information, see
Viewing a Change Set (p. 125).

If AWS CloudFormation fails to create the change set (reports FAILED status), ﬁx the error displayed
in the Status ﬁeld, and recreate the change set.

To create a change set (AWS CLI)
•

Run the aws cloudformation create-change-set command.
You submit your changes as command options. You can specify new parameter values, a
modiﬁed template, or both. For example, the following command creates a change set named
SampleChangeSet for the SampleStack stack. The change set uses the current stack's template,
but with a diﬀerent value for the Purpose parameter:
aws cloudformation create-change-set --stack-name arn:aws:cloudformation:useast-1:123456789012:stack/SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000
--change-set-name SampleChangeSet --use-previous-template -parameters ParameterKey="InstanceType",UsePreviousValue=true

API Version 2010-05-15
124

AWS CloudFormation User Guide
Updating Stacks Using Change Sets
ParameterKey="KeyPairName",UsePreviousValue=true
ParameterKey="Purpose",ParameterValue="production"

Viewing a Change Set
After you create a change set, you can view the proposed changes before executing them. You can use
the AWS CloudFormation console, AWS CLI, or AWS CloudFormation API to view change sets. The AWS
CloudFormation console provides a summary of the changes and a detailed list of changes in JSON
format. The AWS CLI and AWS CloudFormation API return a detailed list of changes in JSON format.

To view a change (console)
1.

In the AWS CloudFormation console, choose the stack that has the change set that you want to view.

2.

In the stack detail pane, choose Change Sets to view a list of the stack's change sets.

3.

Choose the change set that you want view.
The AWS CloudFormation console directs you to the change set's detail page, where you can see
the time the change set was created, its status, the input used to generate the change set, and a
summary of changes.
In the Changes section, each line represents a resource that AWS CloudFormation will add, delete, or
modify. AWS CloudFormation adds a resource when you add a resource to the stack's template. AWS
CloudFormation deletes a resource when you delete an existing resource from the stack's template.
AWS CloudFormation modiﬁes a resource when you change the properties of a resource. Note that a
modiﬁcation can cause the resource to be interrupted or replaced (recreated). For more information
about resource update behaviors, see Update Behaviors of Stack Resources (p. 118).
To focus on speciﬁc changes, use the ﬁlter view. For example, ﬁlter for a speciﬁc resource type, such
as AWS::EC2::Instance. To ﬁlter for a speciﬁc resource, specify its logical or physical ID, such as
myWebServer or i-123abcd4.
If you want to consider other changes before you decide which changes to make, create additional
change sets.

To view a change set (AWS CLI)
1.

To get the ID of the change set, run the aws cloudformation list-change-sets command.
Specify the stack ID of the stack that has the change set that you want to view, as shown in the
following example:
API Version 2010-05-15
125

AWS CloudFormation User Guide
Updating Stacks Using Change Sets

aws cloudformation list-change-sets --stack-name arn:aws:cloudformation:useast-1:123456789012:stack/SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000

AWS CloudFormation returns a list of change sets, similar to the following:
{

"Summaries": [
{
"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/
SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000",
"Status": "CREATE_COMPLETE",
"ChangeSetName": "SampleChangeSet",
"CreationTime": "2016-03-16T20:44:05.889Z",
"StackName": "SampleStack",
"ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/
SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000"
},
{
"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/
SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000",
"Status": "CREATE_COMPLETE",
"ChangeSetName": "SampleChangeSet-conditional",
"CreationTime": "2016-03-16T21:15:56.398Z",
"StackName": "SampleStack",
"ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/
SampleChangeSet-conditional/1a2345b6-0000-00a0-a123-00abc0abc000"
},
{
"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/
SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000",
"Status": "CREATE_COMPLETE",
"ChangeSetName": "SampleChangeSet-replacement",
"CreationTime": "2016-03-16T21:03:37.706Z",
"StackName": "SampleStack",
"ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/
SampleChangeSet-replacement/1a2345b6-0000-00a0-a123-00abc0abc000"
}
]
}

2.

Run the aws cloudformation describe-change-set command, specifying the ID of the change set that
you want to view. For example:
aws cloudformation describe-change-set --change-set-name arn:aws:cloudformation:useast-1:123456789012:changeSet/SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000

AWS CloudFormation returns information about the speciﬁed change set:
{

"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/
SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000",
"Status": "CREATE_COMPLETE",
"ChangeSetName": "SampleChangeSet-direct",
"Parameters": [
{
"ParameterValue": "testing",
"ParameterKey": "Purpose"
},
{
"ParameterValue": "ellioty-useast1",
"ParameterKey": "KeyPairName"

API Version 2010-05-15
126

AWS CloudFormation User Guide
Updating Stacks Using Change Sets
},
{

"ParameterValue": "t2.micro",
"ParameterKey": "InstanceType"

}
],
"Changes": [
{
"ResourceChange": {
"ResourceType": "AWS::EC2::Instance",
"PhysicalResourceId": "i-1abc23d4",
"Details": [
{
"ChangeSource": "DirectModification",
"Evaluation": "Static",
"Target": {
"Attribute": "Tags",
"RequiresRecreation": "Never"
}
}
],
"Action": "Modify",
"Scope": [
"Tags"
],
"LogicalResourceId": "MyEC2Instance",
"Replacement": "False"
},
"Type": "Resource"
}
],
"CreationTime": "2016-03-17T23:35:25.813Z",
"Capabilities": [],
"StackName": "SampleStack",
"NotificationARNs": [],
"ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/
SampleChangeSet-direct/9edde307-960d-4e6e-ad66-b09ea2f20255"
}

The Changes key lists changes to resources. If you were to execute this change set, AWS
CloudFormation would update the tags of the i-1abc23d4 EC2 instance. For a description of each
ﬁeld, see the Change data type in the AWS CloudFormation API Reference.
For additional examples of change sets, see Example Change Sets (p. 129).

Executing a Change Set
To make the changes described in a change set to your stack, execute the change set.

Important

After you execute a change set, AWS CloudFormation deletes all change sets that are associated
with the stack because they aren't valid for the updated stack. If an update fails, you need to
create a new change set.
Stack Policies and Executing a Change Set
If you execute a change set on a stack that has a stack policy associated with it, AWS CloudFormation
enforces the policy when it updates the stack. You can't specify a temporary stack policy that overrides
the existing policy when you execute a change set. To update a protected resource, you must update the
stack policy or use the direct update (p. 136) method.
API Version 2010-05-15
127

AWS CloudFormation User Guide
Updating Stacks Using Change Sets

To execute a change set (console)
1.

In the AWS CloudFormation console, choose the stack that you want to update.

2.

In the stack detail pane, choose Change Sets to view a list of the stack's change sets.

3.

Choose the change set that you want execute.
The AWS CloudFormation console directs you to the detail page of the change set.

4.

Choose Execute.

5.

Conﬁrm that this is the change set you want to execute, and then choose Execute.
AWS CloudFormation immediately starts updating the stack. You can monitor the progress of the
update by viewing the Events (p. 99) tab.

To execute a change set (AWS CLI)
•

Run the aws cloudformation execute-change-set command.
Specify the change set ID of the change set that you want to execute, as shown in the following
example:
aws cloudformation execute-change-set --change-set-name arn:aws:cloudformation:useast-1:123456789012:changeSet/SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000

The command in the example executes a change set with the ID arn:aws:cloudformation:useast-1:123456789012:changeSet/SampleChangeSet/1a2345b6-0000-00a0a123-00abc0abc000.
After you run the command, AWS CloudFormation starts updating the stack. To view the stack's
progress, use the aws cloudformation describe-stacks (p. 109) command.

API Version 2010-05-15
128

AWS CloudFormation User Guide
Updating Stacks Using Change Sets

Deleting a Change Set
Deleting a change set removes it from the list of change sets for the stack. Deleting a change set
prevents you or another user from accidentally executing a change set that shouldn't be applied. AWS
CloudFormation retains all change sets until you update the stack unless you delete them.

To delete a change set (console)
1.

In the AWS CloudFormation console, choose the stack that contains the change set that you want to
delete.

2.
3.

In the stack detail pane, choose Change Sets to view a list of the stack's change sets.
Choose the change set that you want delete.
The AWS CloudFormation console directs you to the detail page for the change set.

4.

Choose Other Actions, and then choose Delete.

5.

Conﬁrm that this is the change set you want to delete, and then choose Delete.
AWS CloudFormation deletes the change set from the stack's list of change sets.

To delete a change set (AWS CLI)
•

Run the aws cloudformation delete-change-set command, specifying the ID of the change set that
you want to delete, as shown in the following example:
aws cloudformation delete-change-set --change-set-name arn:aws:cloudformation:useast-1:123456789012:changeSet/SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000

Example Change Sets
This section provides examples of the change sets that AWS CloudFormation would create for common
stack changes. They show how to edit a template directly; modify a single input parameter; plan for
resource recreation (replacements), which prevents you from losing data that wasn't backed up or
interrupting applications that are running in your stack; and add and remove resources. To illustrate
how change sets work, we'll walk through the changes that were submitted and discuss the resulting
change set. Because each example builds on and assumes that you understand the previous example, we
recommend that you read them in order. For a description of each ﬁeld in a change set, see the Change
data type in the AWS CloudFormation API Reference.
You can use the console (p. 125), AWS CLI, or AWS CloudFormation API to view change set details.
We generated each of the following change sets from a stack with the following sample template:
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "A sample EC2 instance template for testing change sets.",
"Parameters" : {
"Purpose" : {

API Version 2010-05-15
129

AWS CloudFormation User Guide
Updating Stacks Using Change Sets
"Type" : "String",
"Default" : "testing",
"AllowedValues" : ["testing", "production"],
"Description" : "The purpose of this instance."

},
"KeyPairName" : {
"Type": "AWS::EC2::KeyPair::KeyName",
"Description" : "Name of an existing EC2 KeyPair to enable SSH access to the
instance"
},
"InstanceType" : {
"Type" : "String",
"Default" : "t2.micro",
"AllowedValues" : ["t2.micro", "t2.small", "t2.medium"],
"Description" : "The EC2 instance type."
}
},
"Resources" : {
"MyEC2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"KeyName" : { "Ref" : "KeyPairName" },
"InstanceType" : { "Ref" : "InstanceType" },
"ImageId" : "ami-8fcee4e5",
"Tags" : [
{
"Key" : "Purpose",
"Value" : { "Ref" : "Purpose" }
}
]
}
}
}

}

Directly Editing a Template
When you directly modify resources in the stack's template to generate a change set, AWS
CloudFormation classiﬁes the change as a direct modiﬁcation, as opposed to changes trigged by an
updated parameter value. The following change set, which added a new tag to the i-1abc23d4
instance, is an example of a direct modiﬁcation. All other input values, such as the parameter values and
capabilities, are unchanged, so we'll focus on the Changes structure.
{

"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/
SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000",
"Status": "CREATE_COMPLETE",
"ChangeSetName": "SampleChangeSet-direct",
"Parameters": [
{
"ParameterValue": "testing",
"ParameterKey": "Purpose"
},
{
"ParameterValue": "MyKeyName",
"ParameterKey": "KeyPairName"
},
{
"ParameterValue": "t2.micro",
"ParameterKey": "InstanceType"
}
],
"Changes": [
{

API Version 2010-05-15
130

AWS CloudFormation User Guide
Updating Stacks Using Change Sets
"ResourceChange": {
"ResourceType": "AWS::EC2::Instance",
"PhysicalResourceId": "i-1abc23d4",
"Details": [
{
"ChangeSource": "DirectModification",
"Evaluation": "Static",
"Target": {
"Attribute": "Tags",
"RequiresRecreation": "Never"
}
}
],
"Action": "Modify",
"Scope": [
"Tags"
],
"LogicalResourceId": "MyEC2Instance",
"Replacement": "False"
},
"Type": "Resource"

}
],
"CreationTime": "2016-03-17T23:35:25.813Z",
"Capabilities": [],
"StackName": "SampleStack",
"NotificationARNs": [],
"ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/
SampleChangeSet-direct/1a2345b6-0000-00a0-a123-00abc0abc000"
}

In the Changes structure, there's only one ResourceChange structure. This structure describes
information such as the type of resource AWS CloudFormation will change, the action AWS
CloudFormation will take, the ID of the resource, the scope of the change, and whether the change
requires a replacement (where AWS CloudFormation creates a new resource and then deletes the old
one). In the example, the change set indicates that AWS CloudFormation will modify the Tags attribute
of the i-1abc23d4 EC2 instance, and doesn't require the instance to be replaced.
In the Details structure, AWS CloudFormation labels this change as a direct modiﬁcation that will
never require the instance to be recreated (replaced). You can conﬁdently execute this change, knowing
that AWS CloudFormation won't replace the instance.
AWS CloudFormation shows this change as a Static evaluation. A static evaluation means that AWS
CloudFormation can determine the tag's value before executing the change set. In some cases, AWS
CloudFormation can determine a value only after you execute a change set. AWS CloudFormation
labels those changes as Dynamic evaluations. For example, if you reference an updated resource that
is conditionally replaced, AWS CloudFormation can't determine whether the reference to the updated
resource will change.

Modifying an Input Parameter Value
When you modify an input parameter value, AWS CloudFormation generates two changes for each
resource that uses the updated parameter value. In this example, we want to highlight what those
changes look like and which information you should focus on. The following example was generated by
changing the value of the Purpose input parameter only.
The Purpose parameter speciﬁes a tag key value for the EC2 instance. In the example, the parameter
value was changed from testing to production. The new value is shown in the Parameters
structure.
{

API Version 2010-05-15
131

AWS CloudFormation User Guide
Updating Stacks Using Change Sets
"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/
SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000",
"Status": "CREATE_COMPLETE",
"ChangeSetName": "SampleChangeSet",
"Parameters": [
{
"ParameterValue": "production",
"ParameterKey": "Purpose"
},
{
"ParameterValue": "MyKeyName",
"ParameterKey": "KeyPairName"
},
{
"ParameterValue": "t2.micro",
"ParameterKey": "InstanceType"
}
],
"Changes": [
{
"ResourceChange": {
"ResourceType": "AWS::EC2::Instance",
"PhysicalResourceId": "i-1abc23d4",
"Details": [
{
"ChangeSource": "DirectModification",
"Evaluation": "Dynamic",
"Target": {
"Attribute": "Tags",
"RequiresRecreation": "Never"
}
},
{
"CausingEntity": "Purpose",
"ChangeSource": "ParameterReference",
"Evaluation": "Static",
"Target": {
"Attribute": "Tags",
"RequiresRecreation": "Never"
}
}
],
"Action": "Modify",
"Scope": [
"Tags"
],
"LogicalResourceId": "MyEC2Instance",
"Replacement": "False"
},
"Type": "Resource"
}
],
"CreationTime": "2016-03-16T23:59:18.447Z",
"Capabilities": [],
"StackName": "SampleStack",
"NotificationARNs": [],
"ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/
SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000"
}

The Changes structure functions similar to way it does in the Directly Editing a Template (p. 130)
example. There's only one ResourceChange structure; it describes a change to the Tags attribute of the
i-1abc23d4 EC2 instance.

API Version 2010-05-15
132

AWS CloudFormation User Guide
Updating Stacks Using Change Sets

However, in the Details structure, the change set shows two changes for the Tags attribute, even
though only a single parameter value was changed. Resources that reference a changed parameter value
(using the Ref intrinsic function) always result in two changes: one with a Dynamic evaluation and
another with a Static evaluation. You can see these types of changes by viewing the following ﬁelds:
• For the Static evaluation change, view the ChangeSource ﬁeld. In this example, the ChangeSource
ﬁeld equals ParameterReference, meaning that this change is a result of an updated parameter
reference value. The change set must contain a similar Dynamic evaluation change.
• You can ﬁnd the matching Dynamic evaluation change by comparing the Target structure for both
changes, which will contain the same information. In this example, the Target structures for both
changes contain the same values for the Attribute and RequireRecreation ﬁelds.
For these types of changes, focus on the static evaluation, which gives you the most detailed information
about the change. In this example, the static evaluation shows that the change is the result of a change
in a parameter reference value (ParameterReference). The exact parameter that was changed is
indicated by the CauseEntity ﬁeld (the Purpose parameter).

Determining the Value of the Replacement Field
The Replacement ﬁeld in a ResourceChange structure indicates whether AWS CloudFormation will
recreate the resource. Planning for resource recreation (replacements) prevents you from losing data that
wasn't backed up or interrupting applications that are running in your stack.
The value in the Replacement ﬁeld depends on whether a change requires a replacement,
indicated by the RequiresRecreation ﬁeld in a change's Target structure. For example, if the
RequiresRecreation ﬁeld is Never, the Replacement ﬁeld is False. However, if there are multiple
changes on a single resource and each change has a diﬀerent value for the RequiresRecreation ﬁeld,
AWS CloudFormation updates the resource using the most intrusive behavior. In other words, if only
one of the many changes requires a replacement, AWS CloudFormation must replace the resource and,
therefore, sets the Replacement ﬁeld to True.
The following change set was generated by changing the values for every parameter (Purpose,
InstanceType, and KeyPairName), which are all used by the EC2 instance. With these changes, AWS
CloudFormation will be required to be replace the instance because the Replacement ﬁeld is equal to
True.
{

"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/
SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000",
"Status": "CREATE_COMPLETE",
"ChangeSetName": "SampleChangeSet-multiple",
"Parameters": [
{
"ParameterValue": "production",
"ParameterKey": "Purpose"
},
{
"ParameterValue": "MyNewKeyName",
"ParameterKey": "KeyPairName"
},
{
"ParameterValue": "t2.small",
"ParameterKey": "InstanceType"
}
],
"Changes": [
{
"ResourceChange": {
"ResourceType": "AWS::EC2::Instance",

API Version 2010-05-15
133

AWS CloudFormation User Guide
Updating Stacks Using Change Sets

},

"PhysicalResourceId": "i-7bef86f8",
"Details": [
{
"ChangeSource": "DirectModification",
"Evaluation": "Dynamic",
"Target": {
"Attribute": "Properties",
"Name": "KeyName",
"RequiresRecreation": "Always"
}
},
{
"ChangeSource": "DirectModification",
"Evaluation": "Dynamic",
"Target": {
"Attribute": "Properties",
"Name": "InstanceType",
"RequiresRecreation": "Conditionally"
}
},
{
"ChangeSource": "DirectModification",
"Evaluation": "Dynamic",
"Target": {
"Attribute": "Tags",
"RequiresRecreation": "Never"
}
},
{
"CausingEntity": "KeyPairName",
"ChangeSource": "ParameterReference",
"Evaluation": "Static",
"Target": {
"Attribute": "Properties",
"Name": "KeyName",
"RequiresRecreation": "Always"
}
},
{
"CausingEntity": "InstanceType",
"ChangeSource": "ParameterReference",
"Evaluation": "Static",
"Target": {
"Attribute": "Properties",
"Name": "InstanceType",
"RequiresRecreation": "Conditionally"
}
},
{
"CausingEntity": "Purpose",
"ChangeSource": "ParameterReference",
"Evaluation": "Static",
"Target": {
"Attribute": "Tags",
"RequiresRecreation": "Never"
}
}
],
"Action": "Modify",
"Scope": [
"Tags",
"Properties"
],
"LogicalResourceId": "MyEC2Instance",
"Replacement": "True"

API Version 2010-05-15
134

AWS CloudFormation User Guide
Updating Stacks Using Change Sets

}

"Type": "Resource"

],
"CreationTime": "2016-03-17T00:39:35.974Z",
"Capabilities": [],
"StackName": "SampleStack",
"NotificationARNs": [],
"ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/
SampleChangeSet-multiple/1a2345b6-0000-00a0-a123-00abc0abc000"
}

Identify the change that requires the resource to be replaced by viewing each change (the static
evaluations in the Details structure). In this example, each change has a diﬀerent value for the
RequireRecreation ﬁeld, but the change to the KeyName property has the most intrusive update
behavior, always requiring a recreation. AWS CloudFormation will replace the instance because the key
name was changed.
If the key name were unchanged, the change to the InstanceType property would have the most
intrusive update behavior (Conditionally), so the Replacement ﬁeld would be Conditionally. To
ﬁnd the conditions in which AWS CloudFormation replaces the instance, view the update behavior for the
InstanceType property.

Adding and Removing Resources
The following example was generated by submitting a modiﬁed template that removes the EC2 instance
and adds an Auto Scaling group and launch conﬁguration.
{

"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/
SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000",
"Status": "CREATE_COMPLETE",
"ChangeSetName": "SampleChangeSet-addremove",
"Parameters": [
{
"ParameterValue": "testing",
"ParameterKey": "Purpose"
},
{
"ParameterValue": "MyKeyName",
"ParameterKey": "KeyPairName"
},
{
"ParameterValue": "t2.micro",
"ParameterKey": "InstanceType"
}
],
"Changes": [
{
"ResourceChange": {
"Action": "Add",
"ResourceType": "AWS::AutoScaling::AutoScalingGroup",
"Scope": [],
"Details": [],
"LogicalResourceId": "AutoScalingGroup"
},
"Type": "Resource"
},
{
"ResourceChange": {
"Action": "Add",
"ResourceType": "AWS::AutoScaling::LaunchConfiguration",
"Scope": [],

API Version 2010-05-15
135

AWS CloudFormation User Guide
Updating Stacks Directly
"Details": [],
"LogicalResourceId": "LaunchConfig"

},
{

},
"Type": "Resource"

"ResourceChange": {
"ResourceType": "AWS::EC2::Instance",
"PhysicalResourceId": "i-1abc23d4",
"Details": [],
"Action": "Remove",
"Scope": [],
"LogicalResourceId": "MyEC2Instance"
},
"Type": "Resource"

}
],
"CreationTime": "2016-03-18T01:44:08.444Z",
"Capabilities": [],
"StackName": "SampleStack",
"NotificationARNs": [],
"ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/
SampleChangeSet-addremove/1a2345b6-0000-00a0-a123-00abc0abc000"
}

In the Changes structure, there are three ResourceChange structures, one for each resource. For each
resource, the Action ﬁeld indicates whether AWS CloudFormation adds or removes the resource. The
Scope and Details ﬁelds are empty because they apply only to modiﬁed resources.
For new resources, AWS CloudFormation can't determine the value of some ﬁelds until you execute the
change set. For example, AWS CloudFormation doesn't provide the physical IDs of the Auto Scaling group
and launch conﬁguration because they don't exist yet. AWS CloudFormation creates the new resources
when you execute the change set.

Updating Stacks Directly
When you want to quickly deploy updates to your stack, perform a direct update. With a direct update,
you submit a template or input parameters that specify updates to the resources in the stack, and AWS
CloudFormation immediately deploys them. If you want to use a template to make your updates, you can
modify the current template and store it locally or in an S3 bucket.
For resource properties that don't support updates, you must keep the current values. To preview the
changes that AWS CloudFormation will make to your stack before you update it, use change sets. For
more information, see Updating Stacks Using Change Sets (p. 122).

Note

When updating a stack, AWS CloudFormation might interrupt resources or replace updated
resources, depending on which properties you update. For more information about resource
update behaviors, see Update Behaviors of Stack Resources (p. 118).

To update a AWS CloudFormation stack (console)
1.

In the AWS CloudFormation console, from the list of stacks, select the running stack that you want
to update.

2.

Choose Actions and then Update Stack.

API Version 2010-05-15
136

AWS CloudFormation User Guide
Updating Stacks Directly

3.

If you modiﬁed the stack template, specify the location of the updated template. If not, select Use
current template.
• For a template stored locally on your computer, select Upload a template to Amazon S3. Choose
Choose File to navigate to the ﬁle and select it, and then click Next.

Note

If you upload a local template ﬁle, AWS CloudFormation uploads it to an Amazon Simple
Storage Service (Amazon S3) bucket in your AWS account. If you don't already have an
S3 bucket that was created by AWS CloudFormation, it creates a unique bucket for each
Region in which you upload a template ﬁle. If you already have an S3 bucket that was
created by AWS CloudFormation in your AWS account, AWS CloudFormation adds the
template to that bucket.
Considerations to keep in mind about S3 buckets created by AWS CloudFormation
• The buckets are accessible to anyone with Amazon S3 permissions in your AWS account.
• AWS CloudFormation creates the buckets with server-side encryption enabled by
default, thereby encrypting all objects stored in the bucket.
You can directly manage encryption options for buckets that AWS CloudFormation
has created; for example, using the Amazon S3 console at https://
console.aws.amazon.com/s3/ , or the AWS CLI. For more information, see Amazon
S3 Default Encryption for S3 Buckets in the Amazon Simple Storage Service Developer
Guide.
• You can use your own bucket and manage its permissions by manually uploading
templates to Amazon S3. When you create or update a stack, specify the Amazon S3
URL of a template ﬁle.
• For a template stored in an Amazon S3 bucket, select Specify an Amazon S3 URL. Enter or paste
the URL for the template, and then click Next.
If you have a template in a versioning-enabled bucket, you can specify a speciﬁc version of the
template, such as https://s3.amazonaws.com/templates/myTemplate.template?
versionId=123ab1cdeKdOW5IH4GAcYbEngcpTJTDW. For more information, see Managing
Objects in a Versioning-Enabled Bucket in the Amazon Simple Storage Service Console User Guide.
4.

If your template contains parameters, on the Specify Parameters page, enter or modify the
parameter values, and then click Next.
AWS CloudFormation populates each parameter with the value that is currently set in the stack with
the exception of parameters declared with the NoEcho attribute; however, you can still use current
values by choosing Use existing value.

5.

On the Options page, you can update the stack's service role, enter an overriding stack policy, or
update the Amazon SNS notiﬁcation topic. An overriding stack policy lets you update protected
resources. For more information, see Prevent Updates to Stack Resources (p. 141).
API Version 2010-05-15
137

AWS CloudFormation User Guide
Updating Stacks Directly

Click Next.
6.

Review the stack information and the changes that you submitted.
In the Review section, check that you submitted the correct information, such as the correct
parameter values or template URL. If your template contains IAM resources, select I acknowledge
that this template may create IAM resources to specify that you want to use IAM resources in the
template. For more information about using IAM resources in templates, see Controlling Access with
AWS Identity and Access Management (p. 9).
In the Preview your changes section, check that AWS CloudFormation will make all the changes that
you expect. For example, you can check that AWS CloudFormation adds, removes, and modiﬁes the
resources that you intended to add, remove, or modify. AWS CloudFormation generates this preview
by creating a change set for the stack. For more information, see Updating Stacks Using Change
Sets (p. 122).

7.

Click Update.
Your stack enters the UPDATE_IN_PROGRESS state. After it has ﬁnished updating, the state is set to
UPDATE_COMPLETE.
If the stack update fails, AWS CloudFormation automatically rolls back changes, and sets the state to
UPDATE_ROLLBACK_COMPLETE.

Note

You can cancel an update while it's in the UPDATE_IN_PROGRESS state. For more
information, see Canceling a Stack Update (p. 140).

To update a AWS CloudFormation stack (AWS CLI)
•

Use the aws cloudformation update-stack command to directly update a stack. You specify
the stack, and parameter values and capabilities that you want to update, and, if you want use an
updated template, the name of the template.
The following example updates the template and input parameters for the mystack stack:
PROMPT> aws cloudformation update-stack --stack-name mystack --template-url https://
s3.amazonaws.com/sample/updated.template
--parameters ParameterKey=VPCID,ParameterValue=SampleVPCID
ParameterKey=SubnetIDs,ParameterValue=SampleSubnetID1\\,SampleSubnetID2

The following example updates just the SubnetIDs parameter values for the mystack stack:
PROMPT> aws cloudformation update-stack --stack-name mystack --use-previous-template
--parameters ParameterKey=VPCID,UsePreviousValue=true
ParameterKey=SubnetIDs,ParameterValue=SampleSubnetID1\\,UpdatedSampleSubnetID2

The following example adds two stack notiﬁcation topics to the mystack stack:
PROMPT> aws cloudformation update-stack --stack-name mystack --use-previous-template
--notification-arns "arn:aws:sns:us-east-1:12345678912:mytopic" "arn:aws:sns:useast-1:12345678912:mytopic2"

The following example removes all stack notiﬁcation topics from the mystack stack:
PROMPT> aws cloudformation update-stack --stack-name mystack --use-previous-template
--notification-arns []

API Version 2010-05-15
138

AWS CloudFormation User Guide
Monitoring Progress

Monitoring the Progress of a Stack Update
You can monitor the progress of a stack update by viewing the stack's events. The console's Events tab
displays each major step in the creation and update of the stack sorted by the time of each event with
latest events on top. The start of the stack update process is marked with an UPDATE_IN_PROGRESS
event for the stack:

2011-09-30 09:35 PDT AWS::CloudFormation::Stack MyStack UPDATE_IN_PROGRESS

Next are events that mark the beginning and completion of the update of each resource that was
changed in the update template. For example, updating an AWS::RDS::DBInstance (p. 1341) resource
named MyDB would result in the following entries:

2011-09-30 09:35 PDT AWS::RDS::DBInstance MyDB UPDATE_COMPLETE
2011-09-30 09:35 PDT AWS::RDS::DBInstance MyDB UPDATE_IN_PROGRESS

The UPDATE_IN_PROGRESS event is logged when AWS CloudFormation reports that it has begun to
update the resource. The UPDATE_COMPLETE event is logged when the resource is successfully created.
When AWS CloudFormation has successfully updated the stack, you will see the following event:

2011-09-30 09:35 PDT AWS::CloudFormation::Stack MyStack UPDATE_COMPLETE

If an update of a resource fails, AWS CloudFormation reports an UPDATE_FAILED event that
includes a reason for the failure. For example, if your update template speciﬁed a property
change that is not supported by the resource such as reducing the size of AllocatedStorage for an
AWS::RDS::DBInstance (p. 1341) resource, you would see events like these:

2011-09-30 09:36 PDT AWS::RDS::DBInstance MyDB UPDATE_FAILED Size cannot be less than
current size; requested: 5; current: 10
2011-09-30 09:35 PDT AWS::RDS::DBInstance MyDB UPDATE_IN_PROGRESS

If a resource update fails, AWS CloudFormation rolls back any resources that it has updated during the
upgrade to their conﬁgurations before the update. Here is an example of the events you would see
during an update rollback:

2011-09-30
2011-09-30
2011-09-30
2011-09-30
following

09:38 PDT AWS::CloudFormation::Stack MyStack UPDATE_ROLLBACK_COMPLETE
09:38 PDT AWS::RDS::DBInstance MyDB UPDATE_COMPLETE
09:37 PDT AWS::RDS::DBInstance MyDB UPDATE_IN_PROGRESS
09:37 PDT AWS::CloudFormation::Stack MyStack UPDATE_ROLLBACK_IN_PROGRESS The
resource(s) failed to update: [MyDB]

Topics
• To view stack events by using the console (p. 139)
• To view stack events by using the command line (p. 140)

To view stack events by using the console
1.

In the AWS CloudFormation console, select the stack that you updated and then click the Events tab
to view the stacks events.
API Version 2010-05-15
139

AWS CloudFormation User Guide
Canceling a Stack Update

2.

To update the event list with the most recent events, click the refresh button in the AWS
CloudFormation console.

To view stack events by using the command line
•

Use the command aws cloudformation describe-stack-events to view the events for a
stack.

Canceling a Stack Update
After a stack update has begun, you can cancel the stack update if the stack is still in the
UPDATE_IN_PROGRESS state. After an update has ﬁnished, you cannot cancel it. You can, however,
update a stack again with any previous settings.
If you cancel a stack update, the stack is rolled back to the stack conﬁguration that existed prior to
initiating the stack update.
Topics
• To cancel a stack update by using the console (p. 140)
• To cancel a stack update by using the command line (p. 140)

To cancel a stack update by using the console
1.

From the list of stacks in the AWS CloudFormation console, select the stack that is currently being
updated (its state must be UPDATE_IN_PROGRESS) .

2.

Choose Actions and then Cancel Update.

3.

To continue canceling the update, click Yes, Cancel Update when prompted. Otherwise, click Cancel
to resume the update.

The stack proceeds to the UPDATE_ROLLBACK_IN_PROGRESS state. After the update cancellation is
complete, the stack is set to UPDATE_ROLLBACK_COMPLETE.

To cancel a stack update by using the command line
•

Use the command aws cloudformation cancel-update-stack to cancel an update.

API Version 2010-05-15
140

AWS CloudFormation User Guide
Prevent Updates to Stack Resources

Prevent Updates to Stack Resources
When you create a stack, all update actions are allowed on all resources. By default, anyone with stack
update permissions can update all of the resources in the stack. During an update, some resources might
require an interruption or be completely replaced, resulting in new physical IDs or completely new
storage. You can prevent stack resources (p. 499) from being unintentionally updated or deleted during
a stack update by using a stack policy. A stack policy is a JSON document that deﬁnes the update actions
that can be performed on designated resources.
After you set a stack policy, all of the resources in the stack are protected by default. To allow updates
on speciﬁc resources, you specify an explicit Allow statement for those resources in your stack policy.
You can deﬁne only one stack policy per stack, but, you can protect multiple resources within a single
policy. A stack policy applies to all AWS CloudFormation users who attempt to update the stack. You
can't associate diﬀerent stack policies with diﬀerent users.
A stack policy applies only during stack updates. It doesn't provide access controls like an AWS Identity
and Access Management (IAM) policy. Use a stack policy only as a fail-safe mechanism to prevent
accidental updates to speciﬁc stack resources. To control access to AWS resources or actions, use IAM.
Topics
• Example Stack Policy (p. 141)
• Deﬁning a Stack Policy (p. 142)
• Setting a Stack Policy (p. 144)
• Updating Protected Resources (p. 146)
• Modifying a Stack Policy (p. 148)
• More Example Stack Policies (p. 148)

Example Stack Policy
The following example stack policy prevents updates to the ProductionDatabase resource:
{

}

"Statement" : [
{
"Effect" : "Allow",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "*"
},
{
"Effect" : "Deny",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "LogicalResourceId/ProductionDatabase"
}
]

When you set a stack policy, all resources are protected by default. To allow updates on all resources, we
add an Allow statement that allows all actions on all resources. Although the Allow statement speciﬁes
all resources, the explicit Deny statement overrides it for the resource with the ProductionDatabase
logical ID. This Deny statement prevents all update actions, such as replacement or deletion, on the
ProductionDatabase resource.
The Principal element is required, but supports only the wild card (*), which means that the
statement applies to all principals.
API Version 2010-05-15
141

AWS CloudFormation User Guide
Prevent Updates to Stack Resources

Note

During a stack update, AWS CloudFormation automatically updates resources that depend on
other updated resources. For example, AWS CloudFormation updates a resource that references
an updated resource. AWS CloudFormation makes no physical changes, such as the resources' ID,
to automatically updated resources, but if a stack policy is associated with those resources, you
must have permission to update them.

Deﬁning a Stack Policy
When you create a stack, no stack policy is set, so all update actions are allowed on all resources. To
protect stack resources from update actions, deﬁne a stack policy and then set it on your stack. A
stack policy is a JSON document that deﬁnes the AWS CloudFormation stack update actions that AWS
CloudFormation users can perform and the resources that the actions apply to. You set the stack policy
when you create a stack, by specifying a text ﬁle that contains your stack policy or typing it out. When
you set a stack policy on your stack, any update not explicitly allowed is denied by default.
You deﬁne a stack policy with ﬁve elements: Effect, Action, Principal, Resource, and Condition.
The following pseudo code shows stack policy syntax.
{

}

"Statement" : [
{
"Effect" : "Deny_or_Allow",
"Action" : "update_actions",
"Principal" : "*",
"Resource" : "LogicalResourceId/resource_logical_ID",
"Condition" : {
"StringEquals_or_StringLike" : {
"ResourceType" : [resource_type, ...]
}
}
}
]

Eﬀect
Determines whether the actions that you specify are denied or allowed on the resource(s) that you
specify. You can specify only Deny or Allow, such as:
"Effect" : "Deny"

Important

If a stack policy includes overlapping statements (both allowing and denying updates on
a resource), a Deny statement always overrides an Allow statement. To ensure that a
resource is protected, use a Deny statement for that resource.
Action
Speciﬁes the update actions that are denied or allowed:
Update:Modify
Speciﬁes update actions during which resources might experience no interruptions or some
interruptions while changes are being applied. All resources maintain their physical IDs.
Update:Replace
Speciﬁes update actions during which resources are recreated. AWS CloudFormation creates a
new resource with the speciﬁed updates and then deletes the old resource. Because the resource
is recreated, the physical ID of the new resource might be diﬀerent.
API Version 2010-05-15
142

AWS CloudFormation User Guide
Prevent Updates to Stack Resources

Update:Delete
Speciﬁes update actions during which resources are removed. Updates that completely remove
resources from a stack template require this action.
Update:*
Speciﬁes all update actions. The asterisk is a wild card that represents all update actions.
The following example shows how to specify just the replace and delete actions:
"Action" : ["Update:Replace", "Update:Delete"]

To allow all update actions except for one, use NotAction. For example, to allow all update actions
except for Update:Delete, use NotAction, as shown in this example:
{

}

"Statement" : [
{
"Effect" : "Allow",
"NotAction" : "Update:Delete",
"Principal": "*",
"Resource" : "*"
}
]

For more information about stack updates, see AWS CloudFormation Stacks Updates (p. 118).
Principal
The Principal element speciﬁes the entity that the policy applies to. This element is required but
supports only the wild card (*), which means that the policy applies to all principals.
Resource
Speciﬁes the logical IDs of the resources that the policy applies to. To specify types of
resources (p. 499), use the Condition element.
To specify a single resource, use its logical ID. For example:
"Resource" : ["LogicalResourceId/myEC2instance"]

You can use a wild card with logical IDs. For example, if you use a common logical ID preﬁx for all
related resources, you can specify all of them with a wild card:
"Resource" : ["LogicalResourceId/CriticalResource*"]

You can also use a Not element with resources. For example, to allow updates to all resources except
for one, use a NotResource element to protect that resource:
{

}

"Statement" : [
{
"Effect" : "Allow",
"Action" : "Update:*",
"Principal": "*",
"NotResource" : "LogicalResourceId/ProductionDatabase"
}
]

API Version 2010-05-15
143

AWS CloudFormation User Guide
Prevent Updates to Stack Resources

When you set a stack policy, any update not explicitly allowed is denied. By allowing updates
to all resources except for the ProductionDatabase resource, you deny updates to the
ProductionDatabase resource.
Conditions
Speciﬁes the resource type (p. 499) that the policy applies to. To specify the logical IDs of speciﬁc
resources, use the Resource element.
You can specify a resource type, such as all EC2 and RDS DB instances, as shown in the following
example:
{

}

"Statement" : [
{
"Effect" : "Deny",
"Principal" : "*",
"Action" : "Update:*",
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"ResourceType" : ["AWS::EC2::Instance", "AWS::RDS::DBInstance"]
}
}
},
{
"Effect" : "Allow",
"Principal" : "*",
"Action" : "Update:*",
"Resource" : "*"
}
]

The Allow statement grants update permissions to all resources and the Deny statement denies
updates to EC2 and RDS DB instances. The Deny statement always overrides allow actions.
You can use a wild card with resource types. For example, you can deny update permissions to all
Amazon EC2 resources—such as instances, security groups, and subnets—by using a wild card, as
shown in the following example:
"Condition" : {
"StringLike" : {
"ResourceType" : ["AWS::EC2::*"]
}
}

You must use the StringLike condition when you use wild cards.

Setting a Stack Policy
You can use the console or AWS CLI to apply a stack policy when you create a stack. You can also use the
AWS CLI to apply a stack policy to an existing stack. After you apply a stack policy, you can't remove it
from the stack, but you can use the AWS CLI to modify it.
Stack policies apply to all AWS CloudFormation users who attempt to update the stack. You can't
associate diﬀerent stack policies with diﬀerent users.
For information about writing stack policies, see Deﬁning a Stack Policy (p. 142).
API Version 2010-05-15
144

AWS CloudFormation User Guide
Prevent Updates to Stack Resources

To set a stack policy when you create a stack (console)
1.

Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

2.

On the CloudFormation Stacks page, choose Create Stack.

3.

In the Create Stack wizard, on the Options page, expand the Advanced section.

4.

Choose Browse, and then choose the ﬁle that contains the stack policy, or type the policy in the
Stack policy text box.

To set a stack policy when you create a stack (CLI)
•

Use the aws cloudformation create-stack command with the --stack-policy-body
option to type in a modiﬁed policy or the --stack-policy-url option to specify a ﬁle containing
the policy.

To set a stack policy on an existing stack (CLI only)
•

Use the aws cloudformation set-stack-policy command with the --stack-policy-body
option to type in a modiﬁed policy or the --stack-policy-url option to specify a ﬁle containing
the policy.
API Version 2010-05-15
145

AWS CloudFormation User Guide
Prevent Updates to Stack Resources

Note

To add a policy to an existing stack, you must have permission to the AWS CloudFormation
SetStackPolicy action.

Updating Protected Resources
To update protected resources, create a temporary policy that overrides the stack policy and allows
updates on those resources. Specify the override policy when you update the stack. The override policy
doesn't permanently change the stack policy.
To update protected resources, you must have permission to use the AWS CloudFormation
SetStackPolicy action. For information about setting AWS CloudFormation permissions, see
Controlling Access with AWS Identity and Access Management (p. 9).

Note

During a stack update, AWS CloudFormation automatically updates resources that depend on
other updated resources. For example, AWS CloudFormation updates a resource that references
an updated resource. AWS CloudFormation makes no physical changes, such as the resources' ID,
to automatically updated resources, but if a stack policy is associated with those resources, you
must have permission to update them.

To update a protected resource (console)
1.
2.

Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
Select the stack that you want to update, choose Actions, and then choose Update Stack.

3.

If you modiﬁed the stack template, specify the location of the updated template. If not, choose Use
current template.
• For a template stored locally on your computer, choose Upload a template to Amazon S3. Choose
Choose File to navigate to the ﬁle, select it, and then choose Next.
• For a template stored in an Amazon S3 bucket, choose Specify an Amazon S3 URL. Type or paste
the URL for the template, and then choose Next.

4.

If you have a template in a versioning-enabled bucket, you can specify a speciﬁc version of the
template, such as https://s3.amazonaws.com/templates/myTemplate.template?
versionId=123ab1cdeKdOW5IH4GAcYbEngcpTJTDW. For more information, see Managing
Objects in a Versioning-Enabled Bucket in the Amazon Simple Storage Service Console User Guide.
If your template contains parameters, on the Specify Parameters page, enter or modify the
parameter values, and then choose Next.
AWS CloudFormation populates each parameter with the value that is currently set in the stack
except for parameters declared with the NoEcho attribute. You can use current values for those
parameters by choosing Use existing value.
API Version 2010-05-15
146

AWS CloudFormation User Guide
Prevent Updates to Stack Resources

5.

On the Options page, choose the ﬁle that contains the overriding stack policy or type a policy, and
then choose Next. The override policy must specify an Allow statement for the protected resources
that you want to update.
For example, to update all protected resources, specify a temporary override policy that allows all
updates:
{

}

"Statement" : [
{
"Effect" : "Allow",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "*"
}
]

Note

AWS CloudFormation applies the override policy only during this update. The override
policy doesn't permanently change the stack policy. To modify a stack policy, see Modifying
a Stack Policy (p. 148).
6.

Review the stack information and the changes that you submitted.
In the Review section, check that you submitted the correct information, such as the correct
parameter values or template URL. If your template contains IAM resources, choose I acknowledge
that this template may create IAM resources to specify that you want to use IAM resources in the
template. For more information about using IAM resources in templates, see Controlling Access with
AWS Identity and Access Management (p. 9).
In the Preview your changes section, check that AWS CloudFormation will make all the changes
that you expect. For example, check that AWS CloudFormation adds, removes, and modiﬁes the
resources that you intended to add, remove, or modify. AWS CloudFormation generates this preview
by creating a change set for the stack. For more information, see Updating Stacks Using Change
Sets (p. 122).

7.

Choose Update.
Your stack enters the UPDATE_IN_PROGRESS state. After it has ﬁnished updating, the state is set to
UPDATE_COMPLETE.
If the stack update fails, AWS CloudFormation automatically rolls back changes, and sets the state to
UPDATE_ROLLBACK_COMPLETE.

To update a protected resource (CLI)
•

Use the aws cloudformation update-stack command with the --stack-policy-duringupdate-body option to type in a modiﬁed policy or the --stack-policy-during-update-url
option to specify a ﬁle containing the policy.

Note

AWS CloudFormation applies the override policy only during this update. The override
policy doesn't permanently change the stack policy. To modify a stack policy, see Modifying
a Stack Policy (p. 148).

API Version 2010-05-15
147

AWS CloudFormation User Guide
Prevent Updates to Stack Resources

Modifying a Stack Policy
To protect additional resources or to remove protection from resources, modify the stack policy. For
example, when you add a database that you want to protect to your stack, add a Deny statement
for that database to the stack policy. To modify the policy, you must have permission to use the
SetStackPolicy action.
Use the AWS CLI to modify stack policies.

To modify a stack policy (CLI)
•

Use the aws cloudformation set-stack-policy command with the --stack-policy-body
option to type in a modiﬁed policy or the --stack-policy-url option to specify a ﬁle containing
the policy.

You can't delete a stack policy. To remove all protection from all resources, you modify the policy to
explicitly allow all actions on all resources. The following policy allows all updates on all resources:
{

}

"Statement" : [
{
"Effect" : "Allow",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "*"
}
]

More Example Stack Policies
The following example policies show how to prevent updates to all stack resources and to speciﬁc
resources, and prevent speciﬁc types of updates.

Prevent Updates to All Stack Resources
To prevent updates to all stack resources, the following policy speciﬁes a Deny statement for all update
actions on all resources.
{

}

"Statement" : [
{
"Effect" : "Deny",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "*"
}
]

Prevent Updates to a Single Resource
The following policy denies all update actions on the database with the MyDatabase logical ID. It allows
all update actions on all other stack resources with an Allow statement. The Allow statement doesn't
apply to the MyDatabase resource because the Deny statement always overrides allow actions.
{

"Statement" : [

API Version 2010-05-15
148

AWS CloudFormation User Guide
Prevent Updates to Stack Resources
{

"Effect" : "Deny",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "LogicalResourceId/MyDatabase"

},
{

}

]

}

"Effect" : "Allow",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "*"

You can achieve the same result as the previous example by using a default denial. When you set a stack
policy, AWS CloudFormation denies any update that is not explicitly allowed. The following policy allows
updates to all resources except for the ProductionDatabase resource, which is denied by default.
{

}

"Statement" : [
{
"Effect" : "Allow",
"Action" : "Update:*",
"Principal": "*",
"NotResource" : "LogicalResourceId/ProductionDatabase"
}
]

Important

There is risk in using a default denial. If you have an Allow statement elsewhere in the policy
(such as an Allow statement that uses a wildcard), you might unknowingly grant update
permission to resources that you don't intend to. Because an explicit denial overrides any allow
actions, you can ensure that a resource is protected by using a Deny statement.

Prevent Updates to All Instances of a Resource Type
The following policy denies all update actions on the RDS DB instance resource type. It allows all update
actions on all other stack resources with an Allow statement. The Allow statement doesn't apply to the
RDS DB instance resources because a Deny statement always overrides allow actions.
{

"Statement" : [
{
"Effect" : "Deny",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"ResourceType" : ["AWS::RDS::DBInstance"]
}
}
},
{
"Effect" : "Allow",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "*"
}
]

API Version 2010-05-15
149

AWS CloudFormation User Guide
Continue Rolling Back an Update
}

Prevent Replacement Updates for an Instance
The following policy denies updates that would cause a replacement of the instance with the
MyInstance logical ID. It allows all update actions on all other stack resources with an Allow
statement. The Allow statement doesn't apply to the MyInstance resource because the Deny
statement always overrides allow actions.
{

}

"Statement" : [
{
"Effect" : "Deny",
"Action" : "Update:Replace",
"Principal": "*",
"Resource" : "LogicalResourceId/MyInstance"
},
{
"Effect" : "Allow",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "*"
}
]

Prevent Updates to Nested Stacks
The following policy denies all update actions on the AWS CloudFormation stack resource type (nested
stacks). It allows all update actions on all other stack resources with an Allow statement. The Allow
statement doesn't apply to the AWS CloudFormationstack resources because the Deny statement always
overrides allow actions.
{

}

"Statement" : [
{
"Effect" : "Deny",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"ResourceType" : ["AWS::CloudFormation::Stack"]
}
}
},
{
"Effect" : "Allow",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "*"
}
]

Continue Rolling Back an Update
A stack goes into the UPDATE_ROLLBACK_FAILED state when AWS CloudFormation cannot roll back
all changes during an update. For example, you might have a stack that begins to roll back to an old
database instance that was deleted outside of AWS CloudFormation. Because AWS CloudFormation
API Version 2010-05-15
150

AWS CloudFormation User Guide
Continue Rolling Back an Update

doesn't know that the database was deleted, it assumes that the database instance still exists and
attempts to roll back to it, causing the update rollback to fail.
When a stack is in the UPDATE_ROLLBACK_FAILED state, you can continue to roll it back
to a working state (UPDATE_ROLLBACK_COMPLETE). You can't update a stack that is in the
UPDATE_ROLLBACK_FAILED state. However, if you can continue to roll it back, you can return the stack
to its original settings and then try to update it again.
In most cases, you must ﬁx the error that causes the update rollback to fail before you can continue to
roll back your stack. In other cases, you can continue to roll back the update without any changes, for
example when a stack operation times out.

Note

If you use nested stacks, rolling back the parent stack will attempt to roll back all the child
stacks as well.

To continue rolling back an update (console)
1.

Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

2.

Select the stack that you want to update, choose Actions, and then choose Continue Update
Rollback.

If none of the solutions in the troubleshooting guide worked, you can use the advanced option to
skip the resources that AWS CloudFormation can't successfully roll back. You must look up (p. 99)
and type the logical IDs of the resources that you want to skip. Specify only resources that went into
the UPDATE_FAILED state during the UpdateRollback and not during the forward update.

Warning

AWS CloudFormation sets the status of the speciﬁed resources to UPDATE_COMPLETE and
continues to roll back the stack. After the rollback is complete, the state of the skipped
resources will be inconsistent with the state of the resources in the stack template. Before
performing another stack update, you must update the stack or resources to be consistent
with each other. If you don't, subsequent stack updates might fail, and the stack will
become unrecoverable.
Specify the minimum number of resources required to successfully roll back your stack. For example,
a failed resource update might cause dependent resources to fail. In this case, it might not be
necessary to skip the dependent resources.
To skip resources that are part of nested stacks, use the following format:
NestedStackName.ResourceLogicalID. If you want to specify the logical ID of a stack
resource (Type: AWS::CloudFormation::Stack) in the ResourcesToSkip list, then its
corresponding embedded stack must be in one of the following states: DELETE_IN_PROGRESS,
DELETE_COMPLETE, or DELETE_FAILED.
API Version 2010-05-15
151

AWS CloudFormation User Guide
Continue Rolling Back an Update

To continue rolling back an update (AWS CLI)
•

Use the aws cloudformation continue-update-rollback command with the stack-name
option to specify the ID of the stack that you want to continue to roll back.

Using ResourcesToSkip to recover a nested stacks hierarchy
The following diagram shows a nested stacks hierarchy that is in the UPDATE_ROLLBACK_FAILED state.
In this example, the WebInfra root stack has two nested stacks: WebInfra-Compute and WebInfraStorage, which in turn have one or more nested stacks.

Note

The stack names in this example are truncated for simplicity. Child stack names are typically
generated by AWS CloudFormation and contain unique random strings, so actual names might
not be user-friendly.
To successfully get the root stack into an operable state using continue-update-rollback, you
must use the resources-to-skip parameter to skip resources that failed to rollback. In this example,
resources-to-skip would include the following items:
1. myCustom
2. WebInfra-Compute-Asg.myAsg
3. WebInfra-Compute-LB.myLoadBalancer
4. WebInfra-Storage.DB
The following example is the full CLI command:
API Version 2010-05-15
152

AWS CloudFormation User Guide
Exporting Stack Output Values

PROMPT> aws cloudformation continue-update-rollback --stack-name WebInfra --resourcesto-skip myCustom WebInfra-Compute-Asg.myAsg WebInfra-Compute-LB.myLoadBalancer WebInfraStorage.DB

Note that we speciﬁed resources from nested stacks by using the
NestedStackName.ResourceLogicalID format, but for the resources of the root stack, such as
myCustom, we speciﬁed only the logical ID.
Finding the stack name of a nested stack
You can ﬁnd a child stack's name in its stack ID or Amazon Resource Name (ARN). In the following
example, the stack name is WebInfra-Storage-Z2VKC706XKXT:
arn:aws:cloudformation:us-east-1:123456789012:stack/WebInfra-StorageZ2VKC706XKXT/ea9e7f90-54f7-11e6-a032-028f3d2330bd
Finding the logical ID of a nested stack
You can ﬁnd a child stack's logical ID in the template deﬁnition of its parent. In the diagram, the
LogicalId of the WebInfra-Storage-DB child stack is DB in its parent WebInfra-Storage.
In the AWS CloudFormation console, you can also ﬁnd the logical ID in the Logical ID column for the
stack resource on the Resources tab or the Events tab.

Exporting Stack Output Values
To share information between stacks, export a stack's output values. Other stacks that are in the
same AWS account and region can import the exported values. For example, you might have a single
networking stack that exports the IDs of a subnet and security group for public web servers. Stacks with
a public web server can easily import those networking resources. You don't need to hard code resource
IDs in the stack's template or pass IDs as input parameters.
To export a stack's output value, use the Export ﬁeld in the Output (p. 199) section of the stack's
template. To import those values, use the Fn::ImportValue (p. 2300) function in the template for the
other stacks. For a walkthrough and sample templates, see Walkthrough: Refer to Resource Outputs in
Another AWS CloudFormation Stack (p. 248).

Note

After another stack imports an output value, you can't delete the stack that is exporting the
output value or modify the exported output value. All of the imports must be removed before
you can delete the exporting stack or modify the output value.

Exporting Stack Output Values vs. Using Nested
Stacks
A nested stack is a stack that you create within another stack by using the
AWS::CloudFormation::Stack (p. 694) resource. With nested stacks, you deploy and manage all
resources from a single stack. You can use outputs from one stack in the nested stack group as inputs to
another stack in the group. This diﬀers from exporting values.
If you want to isolate information sharing to within a nested stack group, we suggest that you use nested
stacks. To share information with other stacks (not just within the group of nested stacks), export values.
For example, you can create a single stack with a subnet and then export its ID. Other stacks can use that
subnet by importing its ID; each stack doesn't need to create its own subnet. Note that as long as stacks
are importing the subnet ID, you can't change or delete it.
API Version 2010-05-15
153

AWS CloudFormation User Guide
Listing Exported Output Values

Listing Exported Output Values
To see the values that you can import, list all of the exported output values by using the AWS
CloudFormation console, AWS CLI, or AWS CloudFormation API. AWS CloudFormation shows the names
and values of the exported outputs for the current region and the stack from which the outputs are
exported. To reference an exported output value in a stack's template, use the export name and the
Fn::ImportValue (p. 2300) function.

To list exported output values (console)
•

In the AWS CloudFormation console, from the CloudFormation drop-down menu, choose Exports.

To list exported output values (AWS CLI)
•

Run the aws cloudformation list-exports command.

To list exported output values (API)
•

Run the ListExports API.

Listing Stacks That Import an Exported Output
Value
When you export an output value, stacks that are in the same AWS account and region can import that
value. To see which stacks are importing a particular output value, use the list import action.
To delete or modify exported output values, use the ListImports action to track which stacks are
importing them, and then modify those stacks to remove the Fn::ImportValue (p. 2300) functions
that reference the output values. You must remove all of the imports that reference exported output
values before you can delete or modify the exported output values.
For more information about exporting and importing output values, see Exporting Stack Output
Values (p. 153).

To list stacks that import an exported output value (console)
1.

In the AWS CloudFormation console, from the CloudFormation drop-down menu, choose Exports.

API Version 2010-05-15
154

AWS CloudFormation User Guide
Working with Nested Stacks

2.

From the list of exported output values, choose the value. The Imports section of the detail page
lists all of the stacks that are importing the value.

To list stacks that import an exported output value (CLI)
•

Run the aws cloudformation list-imports command, providing the name of the exported output
value.
AWS CloudFormation returns a list of stacks that are importing the value.

To list stacks that import an exported output value (API)
•

Run the ListImports API, providing the name of the exported output value.
AWS CloudFormation returns a list of stacks that are importing the value.

Working with Nested Stacks
Nested stacks are stacks created as part of other stacks. You create a nested stack within another stack by
using the AWS::CloudFormation::Stack (p. 694) resource.
As your infrastructure grows, common patterns can emerge in which you declare the same components
in multiple templates. You can separate out these common components and create dedicated templates
for them. Then use the resource in your template to reference other templates, creating nested stacks.
For example, assume that you have a load balancer conﬁguration that you use for most of your stacks.
Instead of copying and pasting the same conﬁgurations into your templates, you can create a dedicated
template for the load balancer. Then, you just use the resource to reference that template from within
other templates.
Nested stacks can themselves contain other nested stacks, resulting in a hierarchy of stacks, as in the
diagram below. The root stack is the top-level stack to which all the nested stacks ultimately belong. In
addition, each nested stack has an immediate parent stack. For the ﬁrst level of nested stacks, the root
stack is also the parent stack. in the diagram below, for example:
• Stack A is the root stack for all the other, nested, stacks in the hierarchy.
• For stack B, stack A is both the parent stack, as well as the root stack.
• For stack D, stack C is the parent stack; while for stack C, stack B is the parent stack.

API Version 2010-05-15
155

AWS CloudFormation User Guide
Working with Nested Stacks

Using nested stacks to declare common components is considered a best practice (p. 70).
Certain stack operations, such as stack updates, should be initiated from the root stack rather than
performed directly on nested stacks themselves. Also, in some cases, nested stacks aﬀect how stack
operations are performed. For more information, refer to the following topics:
• Use Nested Stacks to Reuse Common Template Patterns (p. 70)
• Protecting a Stack From Being Deleted (p. 106)
• Update Behaviors of Stack Resources (p. 118)
• Exporting Stack Output Values vs. Using Nested Stacks (p. 153)
• Using ResourcesToSkip to recover a nested stacks hierarchy (p. 152)
• Nested Stacks are Stuck in UPDATE_COMPLETE_CLEANUP_IN_PROGRESS,
UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS, or
UPDATE_ROLLBACK_IN_PROGRESS (p. 2345)

To view the root stack of a nested stack
1.

Sign in to the AWS Management Console and open the AWS CloudFormation console at https://
console.aws.amazon.com/cloudformation/. Select the stack that you want.
Nested stacks display NESTED next to their stack name.

2.

On the Overview tab, click the stack name listed as Root stack.

To view the nested stacks that belong to a root stack
1.

Sign in to the AWS Management Console and open the AWS CloudFormation console at https://
console.aws.amazon.com/cloudformation/. Click the name of the root stack whose nested stacks
you want to view.

2.

Expand the Resources section.
Look for resources of type AWS::CloudFormation::Stack.

API Version 2010-05-15
156

AWS CloudFormation User Guide
Working with Windows Stacks

Working with Microsoft Windows Stacks on AWS
CloudFormation
AWS CloudFormation allows you to create Microsoft Windows stacks based on Amazon EC2 Windows
Amazon Machine Images (AMIs) and provides you with the ability to install software, to use remote
desktop to access your stack, and to update and conﬁgure your stack.
The topics in this section are designed to demonstrate how common tasks related to creation and
management of Windows instances are accomplished with AWS CloudFormation.

In This Section
• Microsoft Windows Amazon Machine Images (AMIs) and AWS CloudFormation Templates (p. 157)
• Bootstrapping AWS CloudFormation Windows Stacks (p. 157)

Microsoft Windows Amazon Machine Images (AMIs)
and AWS CloudFormation Templates
With AWS CloudFormation, you can create Microsoft Windows stacks for running Windows server
instances. A number of pre-conﬁgured templates are available to launch directly from the AWS
CloudFormation Sample Templates page, such as the following templates:
• Windows_Single_Server_SharePoint_Foundation.template - SharePoint® Foundation 2010 running on
Microsoft Windows Server® 2008 R2
• Windows_Single_Server_Active_Directory.template - Create a single server installation of Active
Directory running on Microsoft Windows Server® 2008 R2.
• Windows_Roles_And_Features.template - Create a single server specifying server roles running on
Microsoft Windows Server® 2008 R2.
• ElasticBeanstalk_Windows_Sample.template - Launch an AWS Elastic Beanstalk sample application on
Windows Server 2008 R2 running IIS 7.5.

Note

Microsoft, Windows Server, and SharePoint are trademarks of the Microsoft group of companies.
Although these stacks are already conﬁgured, you can use any EC2 Windows AMI as the basis of an AWS
CloudFormation Windows stack.

Bootstrapping AWS CloudFormation Windows Stacks
This topic describes how to bootstrap a Windows stack and troubleshoot stack creation issues. If you will
be creating your own Windows image for use with CloudFormation, see the information at Conﬁguring a
Windows Instance Using EC2ConﬁgService in the Amazon EC2 Microsoft Windows Guide for instructions.
You must set up a Windows instance with EC2ConﬁgService for it to work with the AWS CloudFormation
bootstrapping tools.

Example of Bootstrapping a Windows Stack
For the purposes of illustration, we'll examine the AWS CloudFormation single-instance Sharepoint
server template, which can be viewed, in its entirety, at the following URL:
API Version 2010-05-15
157

AWS CloudFormation User Guide
Bootstrapping Windows Stacks

• https://s3.amazonaws.com/cloudformation-templates-us-east-1/
Windows_Single_Server_SharePoint_Foundation.template
This example demonstrates how to:
• Create an IAM User and Security Group for access to the instance
• Conﬁgure initialization ﬁles: cfn-credentials, cfn-hup.conf, and cfn-auto-reloader.conf
• Download and install a package such as Sharepoint Foundation 2010 on the server instance.
• Use a WaitCondition to ensure resources are ready
• Retrieve an IP for the instance with Amazon Elastic IP (EIP).
The AWS CloudFormation helper script cfn-init is used to perform each of these actions, based
on information in the AWS::CloudFormation::Init (p. 677) resource in the Windows Single Server
Sharepoint Foundation template.
The AWS::CloudFormation::Init section is named "SharePointFoundation", and begins with a standard
declaration:

"SharePointFoundation": {
"Type" : "AWS::EC2::Instance",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"config" : {

After this, the ﬁles section of AWS::CloudFormation::Init is declared:

"files" : {
"c:\\cfn\\cfn-hup.conf" : {
"content" : { "Fn::Join" : ["", [
"[main]\n",
"stack=", { "Ref" : "AWS::StackName" }, "\n",
"region=", { "Ref" : "AWS::Region" }, "\n"
]]}
},
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf" : {
"content": { "Fn::Join" : ["", [
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.SharePointFoundation.Metadata.AWS::CloudFormation::Init\n",
"action=cfn-init.exe -v -s ", { "Ref" : "AWS::StackName" },
" -r SharePointFoundation",
" --region ", { "Ref" : "AWS::Region" }, "\n"
]]}
},
"C:\\SharePoint\\SharePointFoundation2010.exe" : {
"source" : "http://d3adzpja92utk0.cloudfront.net/SharePointFoundation.exe"
}
},

Three ﬁles are created here and placed in the C:\cfn directory on the server instance. They are:
• cfn-hup.conf, the conﬁguration ﬁle for cfn-hup.
• cfn-auto-reloader.conf, the conﬁguration ﬁle for the hook used by cfn-hup to initiate an update
(calling cfn-init) when the metadata in AWS::CloudFormation::Init changes.
API Version 2010-05-15
158

AWS CloudFormation User Guide
Bootstrapping Windows Stacks

There is also a ﬁle that is downloaded to the server: SharePointFoundation.exe. This ﬁle is used to
install SharePoint on the server instance.

Important

Since paths on Windows use a backslash ('\') character, you must always remember to properly
escape all backslashes by prepending another backslash whenever you refer to a Windows path
in the AWS CloudFormation template.
Next is the commands section, which are cmd.exe commands.
"commands" : {
"1-extract" : {
"command" : "C:\\SharePoint\\SharePointFoundation2010.exe /extract:C:\\SharePoint\
\SPF2010 /quiet /log:C:\\SharePoint\\SharePointFoundation2010-extract.log"
},
"2-prereq" : {
"command" : "C:\\SharePoint\\SPF2010\\PrerequisiteInstaller.exe /unattended"
},
"3-install" : {
"command" : "C:\\SharePoint\\SPF2010\\setup.exe /config C:\\SharePoint\\SPF2010\\Files\
\SetupSilent\\config.xml"
}

Because commands in the instance are processed in alphabetical order by name, each command has
been prepended with a number indicating its desired execution order. Thus, we can make sure that the
installation package is ﬁrst extracted, all prerequisites are then installed, and ﬁnally, installation of
SharePoint is started.
Next is the Properties section:

"Properties": {
"InstanceType" : { "Ref" : "InstanceType" },
"ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" },
{ "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" : "InstanceType" },
"Arch" ] } ] },
"SecurityGroups" : [ {"Ref" : "SharePointFoundationSecurityGroup"} ],
"KeyName" : { "Ref" : "KeyPairName" },
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
""
]]}}

In this section, the UserData property contains a cmd.exe script that will be executed by cfn-init,
surrounded by "
]
]
}
}
}
},
"LogGroup": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 7
}
},
"404MetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": {
"Ref": "LogGroup"
},
"FilterPattern": "[timestamps,serverip, method, uri, query, port, dash,
clientip, useragent, status_code = 404, ...]",
"MetricTransformations": [
{
"MetricValue": "1",
"MetricNamespace": "test/404s",
"MetricName": "test404Count"
}
]
}
},
"404Alarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "The number of 404s is greater than 2 over 2 minutes",
"MetricName": "test404Count",
"Namespace": "test/404s",
"Statistic": "Sum",
"Period": "60",
"EvaluationPeriods": "2",
"Threshold": "2",
"AlarmActions": [
{
"Ref": "AlarmNotificationTopic"
}
],
"ComparisonOperator": "GreaterThanThreshold"
}
},
"AlarmNotificationTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [
{
"Endpoint": { "Ref": "OperatorEmail" },
"Protocol": "email"
}
]
}
}
},

API Version 2010-05-15
326

AWS CloudFormation User Guide
CloudWatch Logs
"Outputs": {
"InstanceId": {
"Description": "The instance ID of the web server",
"Value": {
"Ref": "WebServerHost"
}
},
"WebsiteURL" : {
"Value" : { "Fn::Join" : ["", ["http://", { "Fn::GetAtt" : [ "WebServerHost",
"PublicDnsName" ]}]] },
"Description" : "URL for newly created IIS web server"
},
"PublicIP": {
"Description": "Public IP address of the web server",
"Value": {
"Fn::GetAtt": [
"WebServerHost",
"PublicIp"
]
}
},
"CloudWatchLogGroupName": {
"Description": "The name of the CloudWatch log group",
"Value": {
"Ref": "LogGroup"
}
}
}

}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Description: Sample template that sets up and configures CloudWatch logs on Windows 2012R2
instance
instance.
Parameters:
KeyPair:
Description: Name of an existing EC2 KeyPair to enable RDP access to the instances
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
RDPLocation:
Description: The IP address range that can be used to RDP to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
OperatorEmail:
Description: Email address to notify if there are any scaling operations
Type: String
Mappings:
AWSAMIRegionMap:
ap-northeast-1:
WS2012R2: ami-cb7429ac
ap-northeast-2:
WS2012R2: ami-34d4075a
ap-south-1:
WS2012R2: ami-dd8cfcb2
ap-southeast-1:
WS2012R2: ami-e5a51786
ap-southeast-2:
WS2012R2: ami-a63934c5

API Version 2010-05-15
327

AWS CloudFormation User Guide
CloudWatch Logs
ca-central-1:
WS2012R2: ami-d242ffb6
eu-central-1:
WS2012R2: ami-d029febf
eu-west-1:
WS2012R2: ami-d3dee9b5
eu-west-2:
WS2012R2: ami-e5b3a681
sa-east-1:
WS2012R2: ami-83f594ef
us-east-1:
WS2012R2: ami-11e84107
us-east-2:
WS2012R2: ami-d85773bd
us-west-1:
WS2012R2: ami-052d7565
us-west-2:
WS2012R2: ami-09f47d69
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and RDP access via port 3389
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '3389'
ToPort: '3389'
CidrIp: !Ref 'RDPLocation'
LogRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
Path: /
Policies:
- PolicyName: LogRolePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:Create*
- logs:PutLogEvents
- s3:GetObject
Resource:
- arn:aws:logs:*:*:*
- arn:aws:s3:::*
LogRoleInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref 'LogRole'

API Version 2010-05-15
328

AWS CloudFormation User Guide
CloudWatch Logs
WebServerHost:
Type: AWS::EC2::Instance
CreationPolicy:
ResourceSignal:
Timeout: PT15M
Metadata:
AWS::CloudFormation::Init:
configSets:
config:
- 00-ConfigureCWLogs
- 01-InstallWebServer
- 02-ConfigureApplication
- 03-Finalize
00-ConfigureCWLogs:
files:
C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch
\AWS.EC2.Windows.CloudWatch.json:
content: !Sub |
{
"EngineConfiguration": {
"Components": [
{
"FullName":
"AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "ApplicationEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Application"
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SystemEventLog",
"Parameters": {
"Levels": "7",
"LogName": "System"
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SecurityEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Security"
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "EC2ConfigLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "EC2ConfigLog.txt",
"LogDirectoryPath": "C:\\Program Files\\Amazon\
\Ec2ConfigService\\Logs",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-ddTHH:mm:ss.fffZ:"
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CfnInitLog",

API Version 2010-05-15
329

AWS CloudFormation User Guide
CloudWatch Logs

},
{

"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "cfn-init.log",
"LogDirectoryPath": "C:\\cfn\\log",
"TimeZoneKind": "Local",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss,fff"
}

"FullName":
"AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "IISLogs",
"Parameters": {
"CultureName": "en-US",
"Encoding": "UTF-8",
"Filter": "",
"LineCount": "3",
"LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\
\W3SVC1",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss"
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Windo
"Id": "MemoryPerformanceCounter",
"Parameters": {
"CategoryName": "Memory",
"CounterName": "Available MBytes",
"DimensionName": "",
"DimensionValue": "",
"InstanceName": "",
"MetricName": "Memory",
"Unit": "Megabytes"
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchApplicationEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/ApplicationEventLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSystemEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/SystemEventLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSecurityEventLog",

API Version 2010-05-15
330

AWS CloudFormation User Guide
CloudWatch Logs

},
{

"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/SecurityEventLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}

"FullName":
"AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchEC2ConfigLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/EC2ConfigLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchCfnInitLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/CfnInitLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchIISLogs",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/IISLogs",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatch",
"Parameters": {
"AccessKey": "",
"NameSpace": "Windows/Default",
"Region": "${AWS::Region}",
"SecretKey": ""
}
}
],
"Flows": {
"Flows": [
"ApplicationEventLog,CloudWatchApplicationEventLog",
"SystemEventLog,CloudWatchSystemEventLog",
"SecurityEventLog,CloudWatchSecurityEventLog",
"EC2ConfigLog,CloudWatchEC2ConfigLog",
"CfnInitLog,CloudWatchCfnInitLog",
"IISLogs,CloudWatchIISLogs",
"MemoryPerformanceCounter,CloudWatch"
]

API Version 2010-05-15
331

AWS CloudFormation User Guide
CloudWatch Logs
},
"PollInterval": "00:00:05"

},
"IsEnabled": true

}
commands:
0-enableSSM:
command: 'powershell.exe -Command "Set-Service -Name AmazonSSMAgent StartupType Automatic" '
waitAfterCompletion: '0'
1-restartSSM:
command: 'powershell.exe -Command "Restart-Service AmazonSSMAgent "'
waitAfterCompletion: '30'
01-InstallWebServer:
commands:
01_install_webserver:
command: powershell.exe -Command "Install-WindowsFeature Web-Server IncludeAllSubFeature"
waitAfterCompletion: '0'
02-ConfigureApplication:
files:
c:\Inetpub\wwwroot\index.htm:
content: '

Test Application Page


Congratulations !! Your IIS server is configured.

'
03-Finalize:
commands:
00_signal_success:
command: !Sub 'cfn-signal.exe -e 0 --resource WebServerHost --stack
${AWS::StackName} --region ${AWS::Region}'
waitAfterCompletion: '0'
Properties:
KeyName: !Ref 'KeyPair'
ImageId: !FindInMap [AWSAMIRegionMap, !Ref 'AWS::Region', WS2012R2]
InstanceType: t2.xlarge
SecurityGroupIds:
- !Ref 'WebServerSecurityGroup'
IamInstanceProfile: !Ref 'LogRoleInstanceProfile'
UserData:
Fn::Base64:
!Sub |

LogGroup:
Type: AWS::Logs::LogGroup
Properties:
RetentionInDays: 7
404MetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName: !Ref 'LogGroup'

API Version 2010-05-15
332

AWS CloudFormation User Guide
DynamoDB
FilterPattern: '[timestamps, serverip, method, uri, query, port, dash, clientip,
useragent, status_code = 404, ...]'
MetricTransformations:
- MetricValue: '1'
MetricNamespace: test/404s
MetricName: test404Count
404Alarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: The number of 404s is greater than 2 over 2 minutes
MetricName: test404Count
Namespace: test/404s
Statistic: Sum
Period: '60'
EvaluationPeriods: '2'
Threshold: '2'
AlarmActions:
- !Ref 'AlarmNotificationTopic'
ComparisonOperator: GreaterThanThreshold
AlarmNotificationTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint: !Ref 'OperatorEmail'
Protocol: email
Outputs:
InstanceId:
Description: The instance ID of the web server
Value: !Ref 'WebServerHost'
WebsiteURL:
Value: !Sub 'http://${WebServerHost.PublicDnsName}'
Description: URL for newly created IIS web server
PublicIP:
Description: Public IP address of the web server
Value: !GetAtt 'WebServerHost.PublicIp'
CloudWatchLogGroupName:
Description: The name of the CloudWatch log group
Value: !Ref 'LogGroup'

See Also
For more information about CloudWatch Logs resources, see AWS::Logs::LogGroup (p. 1270) or
AWS::Logs::MetricFilter (p. 1273).

Amazon DynamoDB Template Snippets
Topics
• Application Auto Scaling with an Amazon DynamoDB Table (p. 333)
• See Also (p. 337)

Application Auto Scaling with an Amazon DynamoDB Table
This example sets up Application Auto Scaling for a AWS::DynamoDB::Table resource. The template
deﬁnes a TargetTrackingScaling scaling policy that scales up the WriteCapacityUnits
throughput for the table.

JSON
{

API Version 2010-05-15
333

AWS CloudFormation User Guide
DynamoDB
"Resources": {
"DDBTable": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "ArtistId",
"AttributeType": "S"
},
{
"AttributeName": "Concert",
"AttributeType": "S"
},
{
"AttributeName": "TicketSales",
"AttributeType": "S"
}
],
"KeySchema": [
{
"AttributeName": "ArtistId",
"KeyType": "HASH"
},
{
"AttributeName": "Concert",
"KeyType": "RANGE"
}
],
"GlobalSecondaryIndexes": [
{
"IndexName": "GSI",
"KeySchema": [
{
"AttributeName": "TicketSales",
"KeyType": "HASH"
}
],
"Projection": {
"ProjectionType": "KEYS_ONLY"
},
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}
}
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}
}
},
"WriteCapacityScalableTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {
"MaxCapacity": 15,
"MinCapacity": 5,
"ResourceId": { "Fn::Join": [
"/",
[
"table",
{ "Ref": "DDBTable" }
]
] },
"RoleARN": {
"Fn::GetAtt": ["ScalingRole", "Arn"]

API Version 2010-05-15
334

AWS CloudFormation User Guide
DynamoDB
},
"ScalableDimension": "dynamodb:table:WriteCapacityUnits",
"ServiceNamespace": "dynamodb"

}
},
"ScalingRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"application-autoscaling.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:UpdateTable",
"cloudwatch:PutMetricAlarm",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:SetAlarmState",
"cloudwatch:DeleteAlarms"
],
"Resource": "*"
}
]
}
}
]
}
},
"WriteScalingPolicy": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties": {
"PolicyName": "WriteAutoScalingPolicy",
"PolicyType": "TargetTrackingScaling",
"ScalingTargetId": {
"Ref": "WriteCapacityScalableTarget"
},
"TargetTrackingScalingPolicyConfiguration": {
"TargetValue": 50.0,
"ScaleInCooldown": 60,
"ScaleOutCooldown": 60,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "DynamoDBWriteCapacityUtilization"
}
}

API Version 2010-05-15
335

AWS CloudFormation User Guide
DynamoDB

}

}

}

}

YAML
Resources:
DDBTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
AttributeName: "ArtistId"
AttributeType: "S"
AttributeName: "Concert"
AttributeType: "S"
AttributeName: "TicketSales"
AttributeType: "S"
KeySchema:
AttributeName: "ArtistId"
KeyType: "HASH"
AttributeName: "Concert"
KeyType: "RANGE"
GlobalSecondaryIndexes:
IndexName: "GSI"
KeySchema:
AttributeName: "TicketSales"
KeyType: "HASH"
Projection:
ProjectionType: "KEYS_ONLY"
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
WriteCapacityScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 15
MinCapacity: 5
ResourceId: !Join
- /
- - table
- !Ref DDBTable
RoleARN: !GetAtt ScalingRole.Arn
ScalableDimension: dynamodb:table:WriteCapacityUnits
ServiceNamespace: dynamodb
ScalingRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:

API Version 2010-05-15
336

AWS CloudFormation User Guide
Amazon EC2
Service:
- application-autoscaling.amazonaws.com
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action:
- "dynamodb:DescribeTable"
- "dynamodb:UpdateTable"
- "cloudwatch:PutMetricAlarm"
- "cloudwatch:DescribeAlarms"
- "cloudwatch:GetMetricStatistics"
- "cloudwatch:SetAlarmState"
- "cloudwatch:DeleteAlarms"
Resource: "*"
WriteScalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: WriteAutoScalingPolicy
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref WriteCapacityScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 50.0
ScaleInCooldown: 60
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: DynamoDBWriteCapacityUtilization

See Also
For more information about DynamoDB resources, see AWS::DynamoDB::Table (p. 848).

Amazon EC2 Template Snippets
EC2 Block Device Mapping Examples
EC2 Instance with Block Device Mapping
JSON
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" },
{ "Fn::FindInMap" : [ "AWSInstanceType2Arch",
{ "Ref" : "InstanceType" }, "Arch" ] } ] },
"KeyName" : { "Ref" : "KeyName" },
"InstanceType" : { "Ref" : "InstanceType" },
"SecurityGroups" : [{ "Ref" : "Ec2SecurityGroup" }],
"BlockDeviceMappings" : [
{
"DeviceName" : "/dev/sda1",
"Ebs" : { "VolumeSize" : "50" }
},{

API Version 2010-05-15
337

AWS CloudFormation User Guide
Amazon EC2

}

}

]

}

"DeviceName" : "/dev/sdm",
"Ebs" : { "VolumeSize" : "100" }

YAML
EC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: !FindInMap [ AWSRegionArch2AMI, !Ref 'AWS::Region' , !FindInMap
[ AWSInstanceType2Arch, !Ref InstanceType, Arch ] ]
KeyName: !Ref KeyName
InstanceType: !Ref InstanceType
SecurityGroups:
- !Ref Ec2SecurityGroup
BlockDeviceMappings:
DeviceName: /dev/sda1
Ebs:
VolumeSize: 50
DeviceName: /dev/sdm
Ebs:
VolumeSize: 100

EC2 Instance with Ephemeral Drives
JSON
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" },
"PV64" ]},
"KeyName" : { "Ref" : "KeyName" },
"InstanceType" : "m1.small",
"SecurityGroups" : [{ "Ref" : "Ec2SecurityGroup" }],
"BlockDeviceMappings" : [
{
"DeviceName" : "/dev/sdc",
"VirtualName" : "ephemeral0"
}
]
}
}

YAML
EC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: !FindInMap [ AWSRegionArch2AMI, !Ref 'AWS::Region', PV64 ]
KeyName: !Ref KeyName
InstanceType: m1.small
SecurityGroups:
- !Ref Ec2SecurityGroup
BlockDeviceMappings:
-

API Version 2010-05-15
338

AWS CloudFormation User Guide
Amazon EC2
DeviceName: /dev/sdc
VirtualName: ephemeral0

Assigning an Amazon EC2 Elastic IP Using AWS::EC2::EIP Snippet
This example shows how to allocate an Amazon EC2 Elastic IP address and assign it to an Amazon EC2
instance using a AWS::EC2::EIP resource (p. 868).

JSON
"MyEIP" : {
"Type" : "AWS::EC2::EIP",
"Properties" : {
"InstanceId" : { "Ref" : "logical name of an AWS::EC2::Instance resource" }
}
}

YAML
MyEIP:
Type: AWS::EC2::EIP
Properties:
InstanceId: !Ref Logical name of an AWS::EC2::Instance resource

Assigning an Existing Elastic IP to an Amazon EC2 instance using
AWS::EC2::EIPAssociation Snippet
This example shows how to assign an existing Amazon EC2 Elastic IP address to an Amazon EC2 instance
using an AWS::EC2::EIPAssociation resource (p. 870).

JSON
"IPAssoc" : {
"Type" : "AWS::EC2::EIPAssociation",
"Properties" : {
"InstanceId" : { "Ref" : "logical name of an AWS::EC2::Instance resource" },
"EIP" : "existing Elastic IP address"
}
}

YAML
IPAssoc:
Type: AWS::EC2::EIPAssociation
Properties:
InstanceId: !Ref Logical name of an AWS::EC2::Instance resource
EIP: existing Elastic IP Address

Assigning an Existing VPC Elastic IP to an Amazon EC2 instance
using AWS::EC2::EIPAssociation Snippet
This example shows how to assign an existing VPC Elastic IP address to an Amazon EC2 instance using an
AWS::EC2::EIPAssociation resource (p. 870).
API Version 2010-05-15
339

AWS CloudFormation User Guide
Amazon EC2

JSON
"VpcIPAssoc" : {
"Type" : "AWS::EC2::EIPAssociation",
"Properties" : {
"InstanceId" : { "Ref" : "logical name of an AWS::EC2::Instance resource" },
"AllocationId" : "existing VPC Elastic IP allocation ID"
}
}

YAML
VpcIPAssoc:
Type: AWS::EC2::EIPAssociation
Properties:
InstanceId: !Ref Logical name of an AWS::EC2::Instance resource
AllocationId: Existing VPC Elastic IP allocation ID

Elastic Network Interface (ENI) Template Snippets
VPC_EC2_Instance_With_ENI
Sample template showing how to create an instance with two elastic network interface (ENI). The sample
assumes you have already created a VPC.

JSON
"Resources" : {
"ControlPortAddress" : {
"Type" : "AWS::EC2::EIP",
"Properties" : {
"Domain" : "vpc"
}
},
"AssociateControlPort" : {
"Type" : "AWS::EC2::EIPAssociation",
"Properties" : {
"AllocationId" : { "Fn::GetAtt" : [ "ControlPortAddress", "AllocationId" ]},
"NetworkInterfaceId" : { "Ref" : "controlXface" }
}
},
"WebPortAddress" : {
"Type" : "AWS::EC2::EIP",
"Properties" : {
"Domain" : "vpc"
}
},
"AssociateWebPort" : {
"Type" : "AWS::EC2::EIPAssociation",
"Properties" : {
"AllocationId" : { "Fn::GetAtt" : [ "WebPortAddress", "AllocationId" ]},
"NetworkInterfaceId" : { "Ref" : "webXface" }
}
},
"SSHSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"VpcId" : { "Ref" : "VpcId" },
"GroupDescription" : "Enable SSH access via port 22",

API Version 2010-05-15
340

AWS CloudFormation User Guide
Amazon EC2
"SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" :
"22", "CidrIp" : "0.0.0.0/0" } ]
}
},
"WebSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"VpcId" : { "Ref" : "VpcId" },
"GroupDescription" : "Enable HTTP access via user defined port",
"SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80,
"CidrIp" : "0.0.0.0/0" } ]
}
},
"controlXface" : {
"Type" : "AWS::EC2::NetworkInterface",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetId" },
"Description" :"Interface for control traffic such as SSH",
"GroupSet" : [ {"Ref" : "SSHSecurityGroup"} ],
"SourceDestCheck" : "true",
"Tags" : [ {"Key" : "Network", "Value" : "Control"}]
}
},
"webXface" : {
"Type" : "AWS::EC2::NetworkInterface",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetId" },
"Description" :"Interface for web traffic",
"GroupSet" : [ {"Ref" : "WebSecurityGroup"} ],
"SourceDestCheck" : "true",
"Tags" : [ {"Key" : "Network", "Value" : "Web"}]
}
},
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]},
"KeyName" : { "Ref" : "KeyName" },
"NetworkInterfaces" : [ { "NetworkInterfaceId" : {"Ref" : "controlXface"},
"DeviceIndex" : "0" },
{ "NetworkInterfaceId" : {"Ref" : "webXface"}, "DeviceIndex" : "1" }],
"Tags" : [ {"Key" : "Role", "Value" : "Test Instance"}],
"UserData" : {"Fn::Base64" : { "Fn::Join" : ["",[
"#!/bin/bash -ex","\n",
"\n","yum install ec2-net-utils -y","\n",
"ec2ifup eth1","\n",
"service httpd start"]]}
}
}
}
}

YAML
Resources:
ControlPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateControlPort:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId: !GetAtt ControlPortAddress.AllocationId
NetworkInterfaceId: !Ref controlXface

API Version 2010-05-15
341

AWS CloudFormation User Guide
Amazon EC2
WebPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateWebPort:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId: !GetAtt WebPortAddress.AllocationId
NetworkInterfaceId: !Ref webXface
SSHSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VpcId
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: 22
IpProtocol: tcp
ToPort: 22
WebSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VpcId
GroupDescription: Enable HTTP access via user defined port
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: 80
IpProtocol: tcp
ToPort: 80
controlXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId: !Ref SubnetId
Description: Interface for controlling traffic such as SSH
GroupSet:
- !Ref SSHSecurityGroup
SourceDestCheck: true
Tags:
Key: Network
Value: Control
webXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId: !Ref SubnetId
Description: Interface for controlling traffic such as SSH
GroupSet:
- !Ref WebSecurityGroup
SourceDestCheck: true
Tags:
Key: Network
Value: Web
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: !FindInMap [ RegionMap, !Ref 'AWS::Region', AMI ]
KeyName: !Ref KeyName
NetworkInterfaces:
NetworkInterfaceId: !Ref controlXface
DeviceIndex: 0
NetworkInterfaceId: !Ref webXface
DeviceIndex: 1
Tags:

API Version 2010-05-15
342

AWS CloudFormation User Guide
Amazon EC2
-

Key: Role
Value: Test Instance
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum install ec2-net-utils -y
ec2ifup eth1
service httpd start

Amazon EC2 Instance Resource
This snippet shows a simple AWS::EC2::Instance resource.

JSON
"MyInstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"AvailabilityZone" : "us-east-1a",
"ImageId" : "ami-20b65349"
}
}

YAML
MyInstance:
Type: AWS::EC2::Instance
Properties:
AvailabilityZone: us-east-1a
ImageId: ami-20b65349

Amazon EC2 Instance with Volume, Tag, and UserData
Properties
This snippet shows an AWS::EC2::Instance resource with one Amazon EC2 volume, one tag, and
a user data property. An AWS::EC2::SecurityGroup resource, an AWS::SNS::Topic resource, and an
AWS::EC2::Volume resource all must be deﬁned in the same template. Also, the reference to KeyName is
a parameters that must be deﬁned in the Parameters section of the template.

JSON
"MyInstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"KeyName" : { "Ref" : "KeyName" },
"SecurityGroups" : [ {
"Ref" : "logical name of AWS::EC2::SecurityGroup resource"
} ],
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [ ":", [
"PORT=80",
"TOPIC=", {
"Ref" : "logical name of an AWS::SNS::Topic resource"
} ]
]
}
},

API Version 2010-05-15
343

AWS CloudFormation User Guide
Amazon EC2
"InstanceType" : "m1.small",
"AvailabilityZone" : "us-east-1a",
"ImageId" : "ami-1e817677",
"Volumes" : [
{ "VolumeId" : {
"Ref" : "logical name of AWS::EC2::Volume resource"
},
"Device" : "/dev/sdk" }
],

}

"Tags" : [ {
"Key" : "Name",
"Value" : "MyTag"
} ]

}

YAML
MyInstance:
Type: AWS::EC2::Instance
Properties:
KeyName: !Ref KeyName
SecurityGroups:
- !Ref logical name of AWS::EC2::SecurityGroup resource
UserData:
Fn::Base64: !Sub |
PORT=80
TOPIC=${ logical name of an AWS::SNS::Topic resource }
InstanceType: m1.small
AvailabilityZone: us-east-1a
ImageId: ami-1e817677
Volumes:
VolumeId: !Ref logical name of AWS::EC2::Volume resource
Device: /dev/sdk
Tags:
Key: Name
Value: MyTag

Amazon EC2 Instance Resource with an Amazon SimpleDB
Domain
This snippet shows an AWS::EC2::Instance resource with an Amazon SimpleDB domain speciﬁed in the
UserData.

JSON
"MyInstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [ "",
[ "Domain=", {
"Ref" : "logical name of an AWS::SDB::Domain resource"
} ]
]
}
},

API Version 2010-05-15
344

AWS CloudFormation User Guide
Amazon EC2

}

"AvailabilityZone" : "us-east-1a",
"ImageId" : "ami-20b65349"

}

YAML
MyInstance:
Type: AWS::EC2::Instance
Properties:
UserData:
Fn::Base64: !Sub |
Domain=${ logical name of an AWS::SDB::Domain resource }
AvailabilityZone: us-east-1a
ImageId: ami-20b65349

Amazon EC2 Security Group Resource with Two CIDR Range
Ingress Rules
This snippet shows an AWS::EC2::SecurityGroup resource that describes two ingress rules giving access to
a speciﬁed CIDR range for the TCP protocol on the speciﬁed ports.

JSON
"ServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "allow connections from specified CIDR ranges",
"SecurityGroupIngress" : [
{
"IpProtocol" : "tcp",
"FromPort" : "80",
"ToPort" : "80",
"CidrIp" : "0.0.0.0/0"
},{
"IpProtocol" : "tcp",
"FromPort" : "22",
"ToPort" : "22",
"CidrIp" : "192.168.1.1/32"
}
]
}
}

YAML
ServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: allow connections from specified CIDR ranges
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 192.168.1.1/32

API Version 2010-05-15
345

AWS CloudFormation User Guide
Amazon EC2

Amazon EC2 Security Group Resource with Two Security Group
Ingress Rules
This snippet shows an AWS::EC2::SecurityGroup resource that describes two security group ingress rules.
The ﬁrst ingress rule grants access to the existing security group myadminsecuritygroup, which is owned
by the 1234-5678-9012 AWS account, for the TCP protocol on port 22. The second ingress rule grants
access to the security group mysecuritygroupcreatedincfn for TCP on port 80. This ingress rule uses the
Ref intrinsic function to refer to a security group (whose logical name is mysecuritygroupcreatedincfn)
created in the same template. You must declare a value for both the SourceSecurityGroupName and
SourceSecurityGroupOwnerId properties.

JSON
"ServerSecurityGroupBySG" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "allow connections from specified source security group",
"SecurityGroupIngress" : [
{
"IpProtocol" : "tcp",
"FromPort" : "22",
"ToPort" : "22",
"SourceSecurityGroupName" : "myadminsecuritygroup",
"SourceSecurityGroupOwnerId" : "123456789012"
},
{
"IpProtocol" : "tcp",
"FromPort" : "80",
"ToPort" : "80",
"SourceSecurityGroupName" : {"Ref" : "mysecuritygroupcreatedincfn"}
}
]
}
}

YAML
ServerSecurityGroupBySG:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: allow connections from specified source security group
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupName: myadminsecuritygroup
SourceSecurityGroupOwnerId: 123456789012
- IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupName: !Ref mysecuritygroupcreatedincfn

Amazon EC2 Security Group Resource with LoadBalancer Ingress
Rule
This template shows an AWS::EC2::SecurityGroup resource that contains a security group ingress
rule that grants access to the LoadBalancer myELB for TCP on port 80. Note that the rule uses the
API Version 2010-05-15
346

AWS CloudFormation User Guide
Amazon EC2

SourceSecurityGroup.OwnerAlias and SourceSecurityGroup.GroupName properties of the
myELB resource to specify the source security group of the LoadBalancer.

JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myELB": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AvailabilityZones": [
"eu-west-1a"
],
"Listeners": [
{
"LoadBalancerPort": "80",
"InstancePort": "80",
"Protocol": "HTTP"
}
]
}
},
"myELBIngressGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "ELB ingress group",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"SourceSecurityGroupOwnerId": {
"Fn::GetAtt": [
"myELB",
"SourceSecurityGroup",
"OwnerAlias"
]
},
"SourceSecurityGroupName": {
"Fn::GetAtt": [
"myELB",
"SourceSecurityGroup",
"GroupName"
]
}
}
]
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
myELB:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- eu-west-1a
Listeners:

API Version 2010-05-15
347

AWS CloudFormation User Guide
Amazon EC2
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
myELBIngressGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: ELB ingress group
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
SourceSecurityGroupOwnerId: !GetAtt myELB.SourceSecurityGroup.OwnerAlias
SourceSecurityGroupName: !GetAtt myELB.SourceSecurityGroup.GroupName

Using AWS::EC2::SecurityGroupIngress to Create Mutually
Referencing Amazon EC2 Security Group Resources
This snippet shows two AWS::EC2::SecurityGroupIngress resources that add mutual ingress rules to the
EC2 security groups SGroup1 and SGroup2. The SGroup1Ingress resource enables ingress from SGroup2
through TCP/IP port 80 to SGroup1. The SGroup2Ingress resource enables ingress from SGroup1 through
TCP/IP port 80 to SGroup2.

Note

If you are using an Amazon VPC, use the AWS::EC2::SecurityGroup resource and specify the
VpcId property.

JSON
"SGroup1" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "EC2 Instance access"
}

},
"SGroup2" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "EC2 Instance access"
}
},
"SGroup1Ingress" : {
"Type" : "AWS::EC2::SecurityGroupIngress",
"Properties" : {
"GroupName" : { "Ref" : "SGroup1" },
"IpProtocol" : "tcp",
"ToPort" : "80",
"FromPort" : "80",
"SourceSecurityGroupName" : { "Ref" : "SGroup2" }
}
},
"SGroup2Ingress" : {
"Type" : "AWS::EC2::SecurityGroupIngress",
"Properties" : {
"GroupName" : { "Ref" : "SGroup2" },
"IpProtocol" : "tcp",
"ToPort" : "80",
"FromPort" : "80",
"SourceSecurityGroupName" : { "Ref" : "SGroup1" }
}
}

API Version 2010-05-15
348

AWS CloudFormation User Guide
Amazon EC2

YAML
SGroup1:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: EC2 Instance access
SGroup2:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: EC2 Instance access
SGroup1Ingress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupName: !Ref SGroup1
IpProtocol: tcp
ToPort: 80
FromPort: 80
SourceSecurityGroupName: !Ref SGroup2
SGroup2Ingress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupName: !Ref SGroup2
IpProtocol: tcp
ToPort: 80
FromPort: 80
SourceSecurityGroupName: !Ref SGroup1

Amazon EC2 Volume Resource
This snippet shows a simple Amazon EC2 volume resource with a DeletionPolicy attribute set to
Snapshot. With the Snapshot DeletionPolicy set, AWS CloudFormation will take a snapshot of this
volume before deleting it during stack deletion. Make sure you specify a value for SnapShotId, or a
value for Size, but not both. Remove the one you don't need.

JSON
"MyEBSVolume" : {
"Type" : "AWS::EC2::Volume",
"Properties" : {
"Size" : "specify a size if no SnapShotId",
"SnapshotId" : "specify a SnapShotId if no Size",
"AvailabilityZone" : { "Ref" : "AvailabilityZone" }
},
"DeletionPolicy" : "Snapshot"
}

YAML
MyEBSVolume:
Type: AWS::EC2::Volume
Properties:
Size: specify a size if no SnapshotId
SnapshotId: specify a SnapShotId if no Size
AvailabilityZone: !Ref AvailabilityZone
DeletionPolicy: Snapshot

Amazon EC2 VolumeAttachment Resource
This snippet shows the following resources: an Amazon EC2 instance using an Amazon Linux AMI from
the US-East (Northern Virginia) Region, an EC2 security group that allows SSH access to IP addresses, a
API Version 2010-05-15
349

AWS CloudFormation User Guide
Amazon EC2

new Amazon EBS volume sized at 100 GB and in the same Availability Zone as the EC2 instance, and a
volume attachment that attaches the new volume to the EC2 instance.

JSON
"Resources" : {
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
"ImageId" : "ami-76f0061f"
}
},
"InstanceSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable SSH access via port 22",
"SecurityGroupIngress" : [ {
"IpProtocol" : "tcp",
"FromPort" : "22",
"ToPort" : "22",
"CidrIp" : "0.0.0.0/0"
} ]
}
},
"NewVolume" : {
"Type" : "AWS::EC2::Volume",
"Properties" : {
"Size" : "100",
"AvailabilityZone" : { "Fn::GetAtt" : [ "Ec2Instance", "AvailabilityZone" ]},
}
},
"MountPoint" : {
"Type" : "AWS::EC2::VolumeAttachment",
"Properties" : {
"InstanceId" : { "Ref" : "Ec2Instance" },
"VolumeId" : { "Ref" : "NewVolume" },
"Device" : "/dev/sdh"
}
}

}

YAML
Resources:
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
SecurityGroups:
- !Ref InstanceSecurityGroup
ImageId: ami-76f0061f
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0

API Version 2010-05-15
350

AWS CloudFormation User Guide
Amazon EC2
NewVolume:
Type: AWS::EC2::Volume
Properties:
Size: 100
AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
MountPoint:
Type: AWS::EC2::VolumeAttachment
Properties:
InstanceId: !Ref Ec2Instance
VolumeId: !Ref NewVolume
Device: /dev/sdh

Amazon EC2 Instance in a Default VPC Security Group
Whenever you create a VPC, AWS automatically creates default resources for that VPC, such as a security
group. However, when you deﬁne a VPC in AWS CloudFormation templates, you don't yet have the
physical IDs of those default resources. To obtain the IDs, use the Fn::GetAtt (p. 2285) intrinsic
function. That way, you can use the default resources instead of creating new ones in your template. For
example, the following template snippet associates the default security group of the myVPC VPC with
the myInstance Amazon EC2 instance.

JSON
"myVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {"Ref": "myVPCCIDRRange"},
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"myInstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId": {
"Fn::FindInMap": ["AWSRegionToAMI",{"Ref": "AWS::Region"},"64"]
},
"SecurityGroupIds" : [{"Fn::GetAtt": ["myVPC", "DefaultSecurityGroup"]}],
"SubnetId" : {"Ref" : "mySubnet"}
}
}

YAML
myVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref myVPCCIDRRange
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: default
myInstance:
Type: AWS::EC2::Instance
Properties:
ImageId: !FindInMap [ AWSRegionToAMI , !Ref 'AWS::Region', 64 ]
SecurityGroupIds:
- !GetAtt myVPC.DefaultSecurityGroup
SubnetId: !Ref mySubnet

API Version 2010-05-15
351

AWS CloudFormation User Guide
Amazon EC2

Amazon EC2 Route with Egress-Only Internet Gateway
The following template sets up an egress-only Internet gateway that's used with an EC2 route.

JSON
{

}

"Resources": {
"DefaultIpv6Route": {
"Properties": {
"DestinationIpv6CidrBlock": "::/0",
"EgressOnlyInternetGatewayId": {
"Ref": "EgressOnlyInternetGateway"
},
"RouteTableId": {
"Ref": "RouteTable"
}
},
"Type": "AWS::EC2::Route"
},
"EgressOnlyInternetGateway": {
"Properties": {
"VpcId": {
"Ref": "VPC"
}
},
"Type": "AWS::EC2::EgressOnlyInternetGateway"
},
"RouteTable": {
"Properties": {
"VpcId": {
"Ref": "VPC"
}
},
"Type": "AWS::EC2::RouteTable"
},
"VPC": {
"Properties": {
"CidrBlock": "10.0.0.0/16"
},
"Type": "AWS::EC2::VPC"
}
}

YAML
Resources:
DefaultIpv6Route:
Type: AWS::EC2::Route
Properties:
DestinationIpv6CidrBlock: "::/0"
EgressOnlyInternetGatewayId: !Ref EgressOnlyInternetGateway
RouteTableId: !Ref RouteTable
EgressOnlyInternetGateway:
Type: AWS::EC2::EgressOnlyInternetGateway
Properties:
VpcId: !Ref VPC
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
VPC:

API Version 2010-05-15
352

AWS CloudFormation User Guide
Amazon ECS
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16

Amazon Elastic Container Service Template Snippets
Amazon Elastic Container Service (Amazon ECS) is a container management service that makes it easy to
run, stop, and manage Docker containers on a cluster of Amazon Elastic Compute Cloud (Amazon EC2)
instances.
The following example template deploys a web application in an Amazon ECS container with autoscaling
and an application load balancer. For more information, see Getting Started with Amazon ECS in the
Amazon Elastic Container Service Developer Guide.

Important

For the latest AMI IDs, see Amazon ECS-optimized AMI in the Amazon Elastic Container Service
Developer Guide.

JSON
{

"AWSTemplateFormatVersion":"2010-09-09",
"Parameters":{
"KeyName":{
"Type":"AWS::EC2::KeyPair::KeyName",
"Description":"Name of an existing EC2 KeyPair to enable SSH access to the ECS
instances."
},
"VpcId":{
"Type":"AWS::EC2::VPC::Id",
"Description":"Select a VPC that allows instances to access the Internet."
},
"SubnetId":{
"Type":"List",
"Description":"Select at two subnets in your selected VPC."
},
"DesiredCapacity":{
"Type":"Number",
"Default":"1",
"Description":"Number of instances to launch in your ECS cluster."
},
"MaxSize":{
"Type":"Number",
"Default":"1",
"Description":"Maximum number of instances that can be launched in your ECS cluster."
},
"InstanceType":{
"Description":"EC2 instance type",
"Type":"String",
"Default":"t2.micro",
"AllowedValues":[
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",

API Version 2010-05-15
353

AWS CloudFormation User Guide
Amazon ECS
"m4.4xlarge",
"m4.10xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge"

],
"ConstraintDescription":"Please choose a valid instance type."

}
},
"Mappings":{
"AWSRegionToAMI":{
"us-east-1":{
"AMIID":"ami-eca289fb"
},
"us-east-2":{
"AMIID":"ami-446f3521"
},
"us-west-1":{
"AMIID":"ami-9fadf8ff"
},
"us-west-2":{
"AMIID":"ami-7abc111a"
},
"eu-west-1":{
"AMIID":"ami-a1491ad2"
},
"eu-central-1":{
"AMIID":"ami-54f5303b"
},
"ap-northeast-1":{
"AMIID":"ami-9cd57ffd"
},
"ap-southeast-1":{
"AMIID":"ami-a900a3ca"
},
"ap-southeast-2":{
"AMIID":"ami-5781be34"
}
}
},
"Resources":{
"ECSCluster":{
"Type":"AWS::ECS::Cluster"
},
"EcsSecurityGroup":{
"Type":"AWS::EC2::SecurityGroup",
"Properties":{
"GroupDescription":"ECS Security Group",
"VpcId":{
"Ref":"VpcId"

API Version 2010-05-15
354

AWS CloudFormation User Guide
Amazon ECS

}

}

},
"EcsSecurityGroupHTTPinbound":{
"Type":"AWS::EC2::SecurityGroupIngress",
"Properties":{
"GroupId":{
"Ref":"EcsSecurityGroup"
},
"IpProtocol":"tcp",
"FromPort":"80",
"ToPort":"80",
"CidrIp":"0.0.0.0/0"
}
},
"EcsSecurityGroupSSHinbound":{
"Type":"AWS::EC2::SecurityGroupIngress",
"Properties":{
"GroupId":{
"Ref":"EcsSecurityGroup"
},
"IpProtocol":"tcp",
"FromPort":"22",
"ToPort":"22",
"CidrIp":"0.0.0.0/0"
}
},
"EcsSecurityGroupALBports":{
"Type":"AWS::EC2::SecurityGroupIngress",
"Properties":{
"GroupId":{
"Ref":"EcsSecurityGroup"
},
"IpProtocol":"tcp",
"FromPort":"31000",
"ToPort":"61000",
"SourceSecurityGroupId":{
"Ref":"EcsSecurityGroup"
}
}
},
"CloudwatchLogsGroup":{
"Type":"AWS::Logs::LogGroup",
"Properties":{
"LogGroupName":{
"Fn::Join":[
"-",
[
"ECSLogGroup",
{
"Ref":"AWS::StackName"
}
]
]
},
"RetentionInDays":14
}
},
"taskdefinition":{
"Type":"AWS::ECS::TaskDefinition",
"Properties":{
"Family":{
"Fn::Join":[
"",
[
{

API Version 2010-05-15
355

AWS CloudFormation User Guide
Amazon ECS

]

]

"Ref":"AWS::StackName"
},
"-ecs-demo-app"

},
"ContainerDefinitions":[
{
"Name":"simple-app",
"Cpu":"10",
"Essential":"true",
"Image":"httpd:2.4",
"Memory":"300",
"LogConfiguration":{
"LogDriver":"awslogs",
"Options":{
"awslogs-group":{
"Ref":"CloudwatchLogsGroup"
},
"awslogs-region":{
"Ref":"AWS::Region"
},
"awslogs-stream-prefix":"ecs-demo-app"
}
},
"MountPoints":[
{
"ContainerPath":"/usr/local/apache2/htdocs",
"SourceVolume":"my-vol"
}
],
"PortMappings":[
{
"ContainerPort":80
}
]
},
{
"Name":"busybox",
"Cpu":10,
"Command":[
"/bin/sh -c \"while true; do echo '  Amazon ECS
Sample App 
  Amazon ECS Sample App
Congratulations!
 Your application is now running on a container in Amazon
ECS.
' > top; /bin/date > date ; echo '' > bottom; cat top date
bottom > /usr/local/apache2/htdocs/index.html ; sleep 1; done\""
],
"EntryPoint":[
"sh",
"-c"
],
"Essential":false,
"Image":"busybox",
"Memory":200,
"LogConfiguration":{
"LogDriver":"awslogs",
"Options":{
"awslogs-group":{
"Ref":"CloudwatchLogsGroup"
},
"awslogs-region":{
"Ref":"AWS::Region"
},
"awslogs-stream-prefix":"ecs-demo-app"
}

API Version 2010-05-15
356

AWS CloudFormation User Guide
Amazon ECS
},
"VolumesFrom":[
{
"SourceContainer":"simple-app"
}
]

}
],
"Volumes":[
{
"Name":"my-vol"
}
]

}
},
"ECSALB":{
"Type":"AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties":{
"Name":"ECSALB",
"Scheme":"internet-facing",
"LoadBalancerAttributes":[
{
"Key":"idle_timeout.timeout_seconds",
"Value":"30"
}
],
"Subnets":{
"Ref":"SubnetId"
},
"SecurityGroups":[
{
"Ref":"EcsSecurityGroup"
}
]
}
},
"ALBListener":{
"Type":"AWS::ElasticLoadBalancingV2::Listener",
"DependsOn":"ECSServiceRole",
"Properties":{
"DefaultActions":[
{
"Type":"forward",
"TargetGroupArn":{
"Ref":"ECSTG"
}
}
],
"LoadBalancerArn":{
"Ref":"ECSALB"
},
"Port":"80",
"Protocol":"HTTP"
}
},
"ECSALBListenerRule":{
"Type":"AWS::ElasticLoadBalancingV2::ListenerRule",
"DependsOn":"ALBListener",
"Properties":{
"Actions":[
{
"Type":"forward",
"TargetGroupArn":{
"Ref":"ECSTG"
}
}

API Version 2010-05-15
357

AWS CloudFormation User Guide
Amazon ECS
],
"Conditions":[
{
"Field":"path-pattern",
"Values":[
"/"
]
}
],
"ListenerArn":{
"Ref":"ALBListener"
},
"Priority":1

}
},
"ECSTG":{
"Type":"AWS::ElasticLoadBalancingV2::TargetGroup",
"DependsOn":"ECSALB",
"Properties":{
"HealthCheckIntervalSeconds":10,
"HealthCheckPath":"/",
"HealthCheckProtocol":"HTTP",
"HealthCheckTimeoutSeconds":5,
"HealthyThresholdCount":2,
"Name":"ECSTG",
"Port":80,
"Protocol":"HTTP",
"UnhealthyThresholdCount":2,
"VpcId":{
"Ref":"VpcId"
}
}
},
"ECSAutoScalingGroup":{
"Type":"AWS::AutoScaling::AutoScalingGroup",
"Properties":{
"VPCZoneIdentifier":{
"Ref":"SubnetId"
},
"LaunchConfigurationName":{
"Ref":"ContainerInstances"
},
"MinSize":"1",
"MaxSize":{
"Ref":"MaxSize"
},
"DesiredCapacity":{
"Ref":"DesiredCapacity"
}
},
"CreationPolicy":{
"ResourceSignal":{
"Timeout":"PT15M"
}
},
"UpdatePolicy":{
"AutoScalingReplacingUpdate":{
"WillReplace":"true"
}
}
},
"ContainerInstances":{
"Type":"AWS::AutoScaling::LaunchConfiguration",
"Properties":{
"ImageId":{
"Fn::FindInMap":[

API Version 2010-05-15
358

AWS CloudFormation User Guide
Amazon ECS
"AWSRegionToAMI",
{
"Ref":"AWS::Region"
},
"AMIID"

]
},
"SecurityGroups":[
{
"Ref":"EcsSecurityGroup"
}
],
"InstanceType":{
"Ref":"InstanceType"
},
"IamInstanceProfile":{
"Ref":"EC2InstanceProfile"
},
"KeyName":{
"Ref":"KeyName"
},
"UserData":{
"Fn::Base64":{
"Fn::Join":[
"",
[
"#!/bin/bash -xe\n",
"echo ECS_CLUSTER=",
{
"Ref":"ECSCluster"
},
" >> /etc/ecs/ecs.config\n",
"yum install -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-signal -e $? ",
"
--stack ",
{
"Ref":"AWS::StackName"
},
"
--resource ECSAutoScalingGroup ",
"
--region ",
{
"Ref":"AWS::Region"
},
"\n"
]
]
}
}

}
},
"service":{
"Type":"AWS::ECS::Service",
"DependsOn":"ALBListener",
"Properties":{
"Cluster":{
"Ref":"ECSCluster"
},
"DesiredCount":"1",
"LoadBalancers":[
{
"ContainerName":"simple-app",
"ContainerPort":"80",
"TargetGroupArn":{
"Ref":"ECSTG"
}
}

API Version 2010-05-15
359

AWS CloudFormation User Guide
Amazon ECS
],
"Role":{
"Ref":"ECSServiceRole"
},
"TaskDefinition":{
"Ref":"taskdefinition"
}

}
},
"ECSServiceRole":{
"Type":"AWS::IAM::Role",
"Properties":{
"AssumeRolePolicyDocument":{
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":[
"ecs.amazonaws.com"
]
},
"Action":[
"sts:AssumeRole"
]
}
]
},
"Path":"/",
"Policies":[
{
"PolicyName":"ecs-service",
"PolicyDocument":{
"Statement":[
{
"Effect":"Allow",
"Action":[
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"ec2:Describe*",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource":"*"
}
]
}
}
]
}
},
"ServiceScalingTarget":{
"Type":"AWS::ApplicationAutoScaling::ScalableTarget",
"DependsOn":"service",
"Properties":{
"MaxCapacity":2,
"MinCapacity":1,
"ResourceId":{
"Fn::Join":[
"",
[
"service/",
{
"Ref":"ECSCluster"
},

API Version 2010-05-15
360

AWS CloudFormation User Guide
Amazon ECS

]

]

"/",
{
"Fn::GetAtt":[
"service",
"Name"
]
}

},
"RoleARN":{
"Fn::GetAtt":[
"AutoscalingRole",
"Arn"
]
},
"ScalableDimension":"ecs:service:DesiredCount",
"ServiceNamespace":"ecs"

}
},
"ServiceScalingPolicy":{
"Type":"AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties":{
"PolicyName":"AStepPolicy",
"PolicyType":"StepScaling",
"ScalingTargetId":{
"Ref":"ServiceScalingTarget"
},
"StepScalingPolicyConfiguration":{
"AdjustmentType":"PercentChangeInCapacity",
"Cooldown":60,
"MetricAggregationType":"Average",
"StepAdjustments":[
{
"MetricIntervalLowerBound":0,
"ScalingAdjustment":200
}
]
}
}
},
"ALB500sAlarmScaleUp":{
"Type":"AWS::CloudWatch::Alarm",
"Properties":{
"EvaluationPeriods":"1",
"Statistic":"Average",
"Threshold":"10",
"AlarmDescription":"Alarm if our ALB generates too many HTTP 500s.",
"Period":"60",
"AlarmActions":[
{
"Ref":"ServiceScalingPolicy"
}
],
"Namespace":"AWS/ApplicationELB",
"Dimensions":[
{
"Name":"LoadBalancer",
"Value":{
"Fn::GetAtt" : [
"ECSALB",
"LoadBalancerFullName"
]
}
}
],

API Version 2010-05-15
361

AWS CloudFormation User Guide
Amazon ECS
"ComparisonOperator":"GreaterThanThreshold",
"MetricName":"HTTPCode_ELB_5XX_Count"

}
},
"EC2Role":{
"Type":"AWS::IAM::Role",
"Properties":{
"AssumeRolePolicyDocument":{
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":[
"ec2.amazonaws.com"
]
},
"Action":[
"sts:AssumeRole"
]
}
]
},
"Path":"/",
"Policies":[
{
"PolicyName":"ecs-service",
"PolicyDocument":{
"Statement":[
{
"Effect":"Allow",
"Action":[
"ecs:CreateCluster",
"ecs:DeregisterContainerInstance",
"ecs:DiscoverPollEndpoint",
"ecs:Poll",
"ecs:RegisterContainerInstance",
"ecs:StartTelemetrySession",
"ecs:Submit*",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource":"*"
}
]
}
}
]
}
},
"AutoscalingRole":{
"Type":"AWS::IAM::Role",
"Properties":{
"AssumeRolePolicyDocument":{
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":[
"application-autoscaling.amazonaws.com"
]
},
"Action":[
"sts:AssumeRole"
]
}
]

API Version 2010-05-15
362

AWS CloudFormation User Guide
Amazon ECS
},
"Path":"/",
"Policies":[
{
"PolicyName":"service-autoscaling",
"PolicyDocument":{
"Statement":[
{
"Effect":"Allow",
"Action":[
"application-autoscaling:*",
"cloudwatch:DescribeAlarms",
"cloudwatch:PutMetricAlarm",
"ecs:DescribeServices",
"ecs:UpdateService"
],
"Resource":"*"
}
]
}
}
]

}
},
"EC2InstanceProfile":{
"Type":"AWS::IAM::InstanceProfile",
"Properties":{
"Path":"/",
"Roles":[
{
"Ref":"EC2Role"
}
]
}
}

},
"Outputs":{
"ecsservice":{
"Value":{
"Ref":"service"
}
},
"ecscluster":{
"Value":{
"Ref":"ECSCluster"
}
},
"ECSALB":{
"Description":"Your ALB DNS URL",
"Value":{
"Fn::Join":[
"",
[
{
"Fn::GetAtt":[
"ECSALB",
"DNSName"
]
}
]
]
}
},
"taskdef":{
"Value":{
"Ref":"taskdefinition"

API Version 2010-05-15
363

AWS CloudFormation User Guide
Amazon ECS

}

}

}

}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
KeyName:
Type: AWS::EC2::KeyPair::KeyName
Description: Name of an existing EC2 KeyPair to enable SSH access to the ECS instances.
VpcId:
Type: AWS::EC2::VPC::Id
Description: Select a VPC that allows instances access to the Internet.
SubnetId:
Type: List
Description: Select at two subnets in your selected VPC.
DesiredCapacity:
Type: Number
Default: '1'
Description: Number of instances to launch in your ECS cluster.
MaxSize:
Type: Number
Default: '1'
Description: Maximum number of instances that can be launched in your ECS cluster.
InstanceType:
Description: EC2 instance type
Type: String
Default: t2.micro
AllowedValues: [t2.micro, t2.small, t2.medium, t2.large, m3.medium, m3.large,
m3.xlarge, m3.2xlarge, m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge,
c4.large, c4.xlarge, c4.2xlarge, c4.4xlarge, c4.8xlarge, c3.large, c3.xlarge,
c3.2xlarge, c3.4xlarge, c3.8xlarge, r3.large, r3.xlarge, r3.2xlarge, r3.4xlarge,
r3.8xlarge, i2.xlarge, i2.2xlarge, i2.4xlarge, i2.8xlarge]
ConstraintDescription: Please choose a valid instance type.
Mappings:
AWSRegionToAMI:
us-east-1:
AMIID: ami-eca289fb
us-east-2:
AMIID: ami-446f3521
us-west-1:
AMIID: ami-9fadf8ff
us-west-2:
AMIID: ami-7abc111a
eu-west-1:
AMIID: ami-a1491ad2
eu-central-1:
AMIID: ami-54f5303b
ap-northeast-1:
AMIID: ami-9cd57ffd
ap-southeast-1:
AMIID: ami-a900a3ca
ap-southeast-2:
AMIID: ami-5781be34
Resources:
ECSCluster:
Type: AWS::ECS::Cluster
EcsSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: ECS Security Group
VpcId: !Ref 'VpcId'

API Version 2010-05-15
364

AWS CloudFormation User Guide
Amazon ECS
EcsSecurityGroupHTTPinbound:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref 'EcsSecurityGroup'
IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
EcsSecurityGroupSSHinbound:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref 'EcsSecurityGroup'
IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 0.0.0.0/0
EcsSecurityGroupALBports:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref 'EcsSecurityGroup'
IpProtocol: tcp
FromPort: '31000'
ToPort: '61000'
SourceSecurityGroupId: !Ref 'EcsSecurityGroup'
CloudwatchLogsGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Join ['-', [ECSLogGroup, !Ref 'AWS::StackName']]
RetentionInDays: 14
taskdefinition:
Type: AWS::ECS::TaskDefinition
Properties:
Family: !Join ['', [!Ref 'AWS::StackName', -ecs-demo-app]]
ContainerDefinitions:
- Name: simple-app
Cpu: '10'
Essential: 'true'
Image: httpd:2.4
Memory: '300'
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Ref 'CloudwatchLogsGroup'
awslogs-region: !Ref 'AWS::Region'
awslogs-stream-prefix: ecs-demo-app
MountPoints:
- ContainerPath: /usr/local/apache2/htdocs
SourceVolume: my-vol
PortMappings:
- ContainerPort: 80
- Name: busybox
Cpu: 10
Command: ['/bin/sh -c "while true; do echo ''  Amazon ECS
Sample App    Amazon
ECS Sample App
 Congratulations!
 Your application is now
running on a container in Amazon ECS.'' > top; /bin/date > date ;
echo '''' > bottom; cat top date bottom > /usr/local/
apache2/htdocs/index.html
; sleep 1; done"']
EntryPoint: [sh, -c]
Essential: false
Image: busybox
Memory: 200
LogConfiguration:
LogDriver: awslogs

API Version 2010-05-15
365

AWS CloudFormation User Guide
Amazon ECS
Options:
awslogs-group: !Ref 'CloudwatchLogsGroup'
awslogs-region: !Ref 'AWS::Region'
awslogs-stream-prefix: ecs-demo-app
VolumesFrom:
- SourceContainer: simple-app
Volumes:
- Name: my-vol
ECSALB:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: ECSALB
Scheme: internet-facing
LoadBalancerAttributes:
- Key: idle_timeout.timeout_seconds
Value: '30'
Subnets: !Ref 'SubnetId'
SecurityGroups: [!Ref 'EcsSecurityGroup']
ALBListener:
Type: AWS::ElasticLoadBalancingV2::Listener
DependsOn: ECSServiceRole
Properties:
DefaultActions:
- Type: forward
TargetGroupArn: !Ref 'ECSTG'
LoadBalancerArn: !Ref 'ECSALB'
Port: '80'
Protocol: HTTP
ECSALBListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
DependsOn: ALBListener
Properties:
Actions:
- Type: forward
TargetGroupArn: !Ref 'ECSTG'
Conditions:
- Field: path-pattern
Values: [/]
ListenerArn: !Ref 'ALBListener'
Priority: 1
ECSTG:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
DependsOn: ECSALB
Properties:
HealthCheckIntervalSeconds: 10
HealthCheckPath: /
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 5
HealthyThresholdCount: 2
Name: ECSTG
Port: 80
Protocol: HTTP
UnhealthyThresholdCount: 2
VpcId: !Ref 'VpcId'
ECSAutoScalingGroup:
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
VPCZoneIdentifier: !Ref 'SubnetId'
LaunchConfigurationName: !Ref 'ContainerInstances'
MinSize: '1'
MaxSize: !Ref 'MaxSize'
DesiredCapacity: !Ref 'DesiredCapacity'
CreationPolicy:
ResourceSignal:
Timeout: PT15M
UpdatePolicy:

API Version 2010-05-15
366

AWS CloudFormation User Guide
Amazon ECS
AutoScalingReplacingUpdate:
WillReplace: 'true'
ContainerInstances:
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
ImageId: !FindInMap [AWSRegionToAMI, !Ref 'AWS::Region', AMIID]
SecurityGroups: [!Ref 'EcsSecurityGroup']
InstanceType: !Ref 'InstanceType'
IamInstanceProfile: !Ref 'EC2InstanceProfile'
KeyName: !Ref 'KeyName'
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
yum install -y aws-cfn-bootstrap
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource
ECSAutoScalingGroup --region ${AWS::Region}
service:
Type: AWS::ECS::Service
DependsOn: ALBListener
Properties:
Cluster: !Ref 'ECSCluster'
DesiredCount: '1'
LoadBalancers:
- ContainerName: simple-app
ContainerPort: '80'
TargetGroupArn: !Ref 'ECSTG'
Role: !Ref 'ECSServiceRole'
TaskDefinition: !Ref 'taskdefinition'
ECSServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [ecs.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: ecs-service
PolicyDocument:
Statement:
- Effect: Allow
Action: ['elasticloadbalancing:DeregisterInstancesFromLoadBalancer',
'elasticloadbalancing:DeregisterTargets',
'elasticloadbalancing:Describe*',
'elasticloadbalancing:RegisterInstancesWithLoadBalancer',
'elasticloadbalancing:RegisterTargets', 'ec2:Describe*',
'ec2:AuthorizeSecurityGroupIngress']
Resource: '*'
ServiceScalingTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
DependsOn: service
Properties:
MaxCapacity: 2
MinCapacity: 1
ResourceId: !Join ['', [service/, !Ref 'ECSCluster', /, !GetAtt [service, Name]]]
RoleARN: !GetAtt [AutoscalingRole, Arn]
ScalableDimension: ecs:service:DesiredCount
ServiceNamespace: ecs
ServiceScalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: AStepPolicy
PolicyType: StepScaling

API Version 2010-05-15
367

AWS CloudFormation User Guide
Amazon ECS
ScalingTargetId: !Ref 'ServiceScalingTarget'
StepScalingPolicyConfiguration:
AdjustmentType: PercentChangeInCapacity
Cooldown: 60
MetricAggregationType: Average
StepAdjustments:
- MetricIntervalLowerBound: 0
ScalingAdjustment: 200
ALB500sAlarmScaleUp:
Type: AWS::CloudWatch::Alarm
Properties:
EvaluationPeriods: '1'
Statistic: Average
Threshold: '10'
AlarmDescription: Alarm if our ALB generates too many HTTP 500s.
Period: '60'
AlarmActions: [!Ref 'ServiceScalingPolicy']
Namespace: AWS/ApplicationELB
Dimensions:
- Name: LoadBalancer
Value: !GetAtt
- ECSALB
- LoadBalancerFullName
ComparisonOperator: GreaterThanThreshold
MetricName: HTTPCode_ELB_5XX_Count
EC2Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [ec2.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: ecs-service
PolicyDocument:
Statement:
- Effect: Allow
Action: ['ecs:CreateCluster', 'ecs:DeregisterContainerInstance',
'ecs:DiscoverPollEndpoint',
'ecs:Poll', 'ecs:RegisterContainerInstance', 'ecs:StartTelemetrySession',
'ecs:Submit*', 'logs:CreateLogStream', 'logs:PutLogEvents']
Resource: '*'
AutoscalingRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [application-autoscaling.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: service-autoscaling
PolicyDocument:
Statement:
- Effect: Allow
Action: ['application-autoscaling:*', 'cloudwatch:DescribeAlarms',
'cloudwatch:PutMetricAlarm',
'ecs:DescribeServices', 'ecs:UpdateService']
Resource: '*'
EC2InstanceProfile:
Type: AWS::IAM::InstanceProfile

API Version 2010-05-15
368

AWS CloudFormation User Guide
Amazon EFS
Properties:
Path: /
Roles: [!Ref 'EC2Role']
Outputs:
ecsservice:
Value: !Ref 'service'
ecscluster:
Value: !Ref 'ECSCluster'
ECSALB:
Description: Your ALB DNS URL
Value: !Join ['', [!GetAtt [ECSALB, DNSName]]]
taskdef:
Value: !Ref 'taskdefinition'

Amazon Elastic File System Sample Template
Amazon Elastic File System (Amazon EFS) is a ﬁle storage service for Amazon Elastic Compute Cloud
(Amazon EC2) instances. With Amazon EFS, your applications have storage when they need it because
storage capacity grows and shrinks automatically as you add and remove ﬁles.
The following sample template deploys EC2 instances (in an Auto Scaling group) that are associated with
an Amazon EFS ﬁle system. To associate the instances with the ﬁle system, the instances run the cfn-init
helper script, which downloads and installs the nfs-utils yum package, creates a new directory, and
then uses the ﬁle system's DNS name to mount the ﬁle system at that directory. The ﬁle system's DNS
name resolves to a mount target’s IP address in the Amazon EC2 instance's Availability Zone. For more
information about the DNS name structure, see Mounting File Systems in the Amazon Elastic File System
User Guide.
To measure Network File System activity, the template includes custom Amazon CloudWatch metrics.
The template also creates a VPC, subnet, and security groups. To allow the instances to communicate
with the ﬁle system, the VPC must have DNS enabled, and the mount target and the EC2 instances must
be in the same Availability Zone (AZ), which is speciﬁed by the subnet.
The security group of the mount target enables a network connection to TCP port 2049, which is
required for an NFSv4 client to mount a ﬁle system. For more information on security groups for EC2
instances and mount targets, see Security in the Amazon Elastic File System User Guide.

Note

If you make an update to the mount target that causes it to be replaced, instances or
applications that use the associated ﬁle system might be disrupted. This can cause uncommitted
writes to be lost. To avoid disruption, stop your instances when you update the mount target by
setting the desired capacity to zero. This allows the instances to unmount the ﬁle system before
the mount target is deleted. After the mount update has completed, start your instances in a
subsequent update by setting the desired capacity.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "This template creates an Amazon EFS file system and mount target and
associates it with Amazon EC2 instances in an Auto Scaling group. **WARNING** This
template creates Amazon EC2 instances and related resources. You will be billed for the
AWS resources used if you create a stack from this template.",
"Parameters": {
"InstanceType" : {
"Description" : "WebServer EC2 instance type",
"Type" : "String",
"Default" : "m1.small",
"AllowedValues" : [ "t1.micro", "t2.micro", "t2.small", "t2.medium", "m1.small",
"m1.medium", "m1.large", "m1.xlarge", "m2.xlarge", "m2.2xlarge", "m2.4xlarge",

API Version 2010-05-15
369

AWS CloudFormation User Guide
Amazon EFS
"m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge", "c1.medium", "c1.xlarge", "c3.large",
"c3.xlarge", "c3.2xlarge", "c3.4xlarge", "c3.8xlarge", "c4.large", "c4.xlarge",
"c4.2xlarge", "c4.4xlarge", "c4.8xlarge", "g2.2xlarge", "r3.large", "r3.xlarge",
"r3.2xlarge", "r3.4xlarge", "r3.8xlarge", "i2.xlarge", "i2.2xlarge", "i2.4xlarge",
"i2.8xlarge", "d2.xlarge", "d2.2xlarge", "d2.4xlarge", "d2.8xlarge", "hi1.4xlarge",
"hs1.8xlarge", "cr1.8xlarge", "cc2.8xlarge", "cg1.4xlarge"],
"ConstraintDescription" : "Must be a valid EC2 instance type."
},
"KeyName": {
"Type": "AWS::EC2::KeyPair::KeyName",
"Description": "Name of an existing EC2 key pair to enable SSH access to the ECS
instances"
},
"AsgMaxSize": {
"Type": "Number",
"Description": "Maximum size and initial desired capacity of Auto Scaling Group",
"Default": "2"
},
"SSHLocation" : {
"Description" : "The IP address range that can be used to connect to the EC2
instances by using SSH",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"VolumeName" : {
"Description" : "The name to be used for the EFS volume",
"Type": "String",
"MinLength": "1",
"Default": "myEFSvolume"
},
"MountPoint" : {
"Description" : "The Linux mount point for the EFS volume",
"Type": "String",
"MinLength": "1",
"Default": "myEFSvolume"
}
},
"Mappings" : {
"AWSInstanceType2Arch" : {
"t1.micro"
: { "Arch" : "PV64"
},
"t2.micro"
: { "Arch" : "HVM64" },
"t2.small"
: { "Arch" : "HVM64" },
"t2.medium"
: { "Arch" : "HVM64" },
"m1.small"
: { "Arch" : "PV64"
},
"m1.medium"
: { "Arch" : "PV64"
},
"m1.large"
: { "Arch" : "PV64"
},
"m1.xlarge"
: { "Arch" : "PV64"
},
"m2.xlarge"
: { "Arch" : "PV64"
},
"m2.2xlarge" : { "Arch" : "PV64"
},
"m2.4xlarge" : { "Arch" : "PV64"
},
"m3.medium"
: { "Arch" : "HVM64" },
"m3.large"
: { "Arch" : "HVM64" },
"m3.xlarge"
: { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"c1.medium"
: { "Arch" : "PV64"
},
"c1.xlarge"
: { "Arch" : "PV64"
},
"c3.large"
: { "Arch" : "HVM64" },
"c3.xlarge"
: { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },
"c3.8xlarge" : { "Arch" : "HVM64" },
"c4.large"
: { "Arch" : "HVM64" },

API Version 2010-05-15
370

AWS CloudFormation User Guide
Amazon EFS
"c4.xlarge"
"c4.2xlarge"
"c4.4xlarge"
"c4.8xlarge"
"g2.2xlarge"
"r3.large"
"r3.xlarge"
"r3.2xlarge"
"r3.4xlarge"
"r3.8xlarge"
"i2.xlarge"
"i2.2xlarge"
"i2.4xlarge"
"i2.8xlarge"
"d2.xlarge"
"d2.2xlarge"
"d2.4xlarge"
"d2.8xlarge"
"hi1.4xlarge"
"hs1.8xlarge"
"cr1.8xlarge"
"cc2.8xlarge"

:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:

{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{
{

"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"
"Arch"

:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:

"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVMG2"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"
"HVM64"

},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
},
}

},
"AWSRegionArch2AMI" : {
"us-east-1"
: {"PV64" : "ami-1ccae774", "HVM64"
"ami-8c6b40e4"},
"us-west-2"
: {"PV64" : "ami-ff527ecf", "HVM64"
"ami-abbe919b"},
"us-west-1"
: {"PV64" : "ami-d514f291", "HVM64"
"ami-f31ffeb7"},
"eu-west-1"
: {"PV64" : "ami-bf0897c8", "HVM64"
"ami-d5bc24a2"},
"eu-central-1"
: {"PV64" : "ami-ac221fb1", "HVM64"
"ami-7cd2ef61"},
"ap-northeast-1"
: {"PV64" : "ami-27f90e27", "HVM64"
"ami-6318e863"},
"ap-southeast-1"
: {"PV64" : "ami-acd9e8fe", "HVM64"
"ami-3807376a"},
"ap-southeast-2"
: {"PV64" : "ami-ff9cecc5", "HVM64"
"ami-89790ab3"},
"sa-east-1"
: {"PV64" : "ami-bb2890a6", "HVM64"
"NOT_SUPPORTED"},
"cn-north-1"
: {"PV64" : "ami-fa39abc3", "HVM64"
"NOT_SUPPORTED"}
}
},
"Resources": {
"CloudWatchPutMetricsRole" : {
"Type" : "AWS::IAM::Role",
"Properties" : {
"AssumeRolePolicyDocument" : {
"Statement" : [ {
"Effect" : "Allow",
"Principal" : {
"Service" : [ "ec2.amazonaws.com" ]
},
"Action" : [ "sts:AssumeRole" ]
} ]
},
"Path" : "/"
}
},
"CloudWatchPutMetricsRolePolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "CloudWatch_PutMetricData",

API Version 2010-05-15
371

: "ami-1ecae776", "HVMG2" :
: "ami-e7527ed7", "HVMG2" :
: "ami-d114f295", "HVMG2" :
: "ami-a10897d6", "HVMG2" :
: "ami-a8221fb5", "HVMG2" :
: "ami-cbf90ecb", "HVMG2" :
: "ami-68d8e93a", "HVMG2" :
: "ami-fd9cecc7", "HVMG2" :
: "ami-b52890a8", "HVMG2" :
: "ami-f239abcb", "HVMG2" :

AWS CloudFormation User Guide
Amazon EFS
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudWatchPutMetricData",
"Effect": "Allow",
"Action": ["cloudwatch:PutMetricData"],
"Resource": ["*"]
}
]
},
"Roles" : [ { "Ref" : "CloudWatchPutMetricsRole" } ]

}
},
"CloudWatchPutMetricsInstanceProfile" : {
"Type" : "AWS::IAM::InstanceProfile",
"Properties" : {
"Path" : "/",
"Roles" : [ { "Ref" : "CloudWatchPutMetricsRole" } ]
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"EnableDnsSupport" : "true",
"EnableDnsHostnames" : "true",
"CidrBlock": "10.0.0.0/16",
"Tags": [ {"Key": "Application", "Value": { "Ref": "AWS::StackId"} } ]
}
},
"InternetGateway" : {
"Type" : "AWS::EC2::InternetGateway",
"Properties" : {
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackName" } },
{ "Key" : "Network", "Value" : "Public" }
]
}
},
"GatewayToInternet" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "InternetGateway" }
}
},
"RouteTable":{
"Type":"AWS::EC2::RouteTable",
"Properties":{
"VpcId": {"Ref":"VPC"}
}
},
"SubnetRouteTableAssoc": {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"RouteTableId" : {"Ref":"RouteTable"},
"SubnetId" : {"Ref":"Subnet"}
}
},
"InternetGatewayRoute": {
"Type":"AWS::EC2::Route",
"Properties":{
"DestinationCidrBlock":"0.0.0.0/0",
"RouteTableId":{"Ref":"RouteTable"},
"GatewayId":{"Ref":"InternetGateway"}
}

API Version 2010-05-15
372

AWS CloudFormation User Guide
Amazon EFS
},
"Subnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": { "Ref": "VPC" },
"CidrBlock": "10.0.0.0/24",
"Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } } ]
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": { "Ref": "VPC" },
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{ "IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": { "Ref":
"SSHLocation" } },
{ "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0" }
]
}
},
"MountTargetSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": { "Ref": "VPC" },
"GroupDescription": "Security group for mount target",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "2049",
"ToPort": "2049",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"FileSystem": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"PerformanceMode": "generalPurpose",
"FileSystemTags": [
{
"Key": "Name",
"Value": { "Ref" : "VolumeName" }
}
]
}
},
"MountTarget": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": { "Ref": "FileSystem" },
"SubnetId": { "Ref": "Subnet" },
"SecurityGroups": [ { "Ref": "MountTargetSecurityGroup" } ]
}
},
"LaunchConfiguration": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"configSets" : {
"MountConfig" : [ "setup", "mount" ]
},
"setup" : {
"packages" : {
"yum" : {

API Version 2010-05-15
373

AWS CloudFormation User Guide
Amazon EFS

}

"nfs-utils" : []

},
"files" : {
"/home/ec2-user/post_nfsstat" : {
"content" : { "Fn::Join" : [ "", [
"#!/bin/bash\n",
"\n",
"INPUT=\"$(cat)\"\n",
"CW_JSON_OPEN='{ \"Namespace\": \"EFS\", \"MetricData\": [ '\n",
"CW_JSON_CLOSE=' ] }'\n",
"CW_JSON_METRIC=''\n",
"METRIC_COUNTER=0\n",
"\n",
"for COL in 1 2 3 4 5 6; do\n",
"\n",
" COUNTER=0\n",
" METRIC_FIELD=$COL\n",
" DATA_FIELD=$(($COL+($COL-1)))\n",
"\n",
" while read line; do\n",
"
if [[ COUNTER -gt 0 ]]; then\n",
"\n",
"
LINE=`echo $line | tr -s ' ' `\n",
"
AWS_COMMAND=\"aws cloudwatch put-metric-data --region ",
{ "Ref": "AWS::Region" }, "\"\n",
"
MOD=$(( $COUNTER % 2))\n",
"\n",
"
if [ $MOD -eq 1 ]; then\n",
"
METRIC_NAME=`echo $LINE | cut -d ' ' -f $METRIC_FIELD`\n",
"
else\n",
"
METRIC_VALUE=`echo $LINE | cut -d ' ' -f $DATA_FIELD`\n",
"
fi\n",
"\n",
"
if [[ -n \"$METRIC_NAME\" && -n \"$METRIC_VALUE\" ]]; then\n",
"
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/metadata/instance-id)\n",
"
CW_JSON_METRIC=\"$CW_JSON_METRIC { \\\"MetricName\\\": \\
\"$METRIC_NAME\\\", \\\"Dimensions\\\": [{\\\"Name\\\": \\\"InstanceId\\\", \\\"Value\\\":
\\\"$INSTANCE_ID\\\"} ], \\\"Value\\\": $METRIC_VALUE },\"\n",
"
unset METRIC_NAME\n",
"
unset METRIC_VALUE\n",
"\n",
"
METRIC_COUNTER=$((METRIC_COUNTER+1))\n",
"
if [ $METRIC_COUNTER -eq 20 ]; then\n",
"
# 20 is max metric collection size, so we have to submit
here\n",
"
aws cloudwatch put-metric-data --region ", { "Ref":
"AWS::Region" }, " --cli-input-json \"`echo $CW_JSON_OPEN ${CW_JSON_METRIC%?}
$CW_JSON_CLOSE`\"\n",
"\n",
"
# reset\n",
"
METRIC_COUNTER=0\n",
"
CW_JSON_METRIC=''\n",
"
fi\n",
"
fi \n",
"\n",
"\n",
"\n",
"
COUNTER=$((COUNTER+1))\n",
"
fi\n",
"\n",
"
if [[ \"$line\" == \"Client nfs v4:\" ]]; then\n",
"
# the next line is the good stuff \n",
"
COUNTER=$((COUNTER+1))\n",
"
fi\n",

API Version 2010-05-15
374

AWS CloudFormation User Guide
Amazon EFS
" done <<< \"$INPUT\"\n",
"done\n",
"\n",
"# submit whatever is left\n",
"aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" },
" --cli-input-json \"`echo $CW_JSON_OPEN ${CW_JSON_METRIC%?} $CW_JSON_CLOSE`\""
] ] },
"mode": "000755",
"owner": "ec2-user",
"group": "ec2-user"
},
"/home/ec2-user/crontab" : {
"content" : { "Fn::Join" : [ "", [
"* * * * * /usr/sbin/nfsstat | /home/ec2-user/post_nfsstat\n"
] ] },
"owner": "ec2-user",
"group": "ec2-user"
}
},
"commands" : {
"01_createdir" : {
"command" : {"Fn::Join" : [ "", [ "mkdir /", { "Ref" : "MountPoint" }]]}
}
}
},
"mount" : {
"commands" : {
"01_mount" : {
"command" : { "Fn::Sub": "sudo mount -t nfs4 -o
nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${FileSystem}.efs.
${AWS::Region}.amazonaws.com:/ /${MountPoint}"}
},
"02_permissions" : {
"command" : {"Fn::Join" : [ "", [ "chown ec2-user:ec2-user /", { "Ref" :
"MountPoint" }]]}
}
}
}
}
},
"Properties": {
"AssociatePublicIpAddress" : true,
"ImageId": {
"Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" }, {
"Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref": "InstanceType" }, "Arch" ]
} ]
},
"InstanceType": { "Ref": "InstanceType" },
"KeyName": { "Ref": "KeyName" },
"SecurityGroups": [ { "Ref": "InstanceSecurityGroup" } ],
"IamInstanceProfile" : { "Ref" : "CloudWatchPutMetricsInstanceProfile" },
"UserData"
: { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"yum install -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
"
--stack ", { "Ref" : "AWS::StackName" },
"
--resource LaunchConfiguration ",
"
--configsets MountConfig ",
"
--region ", { "Ref" : "AWS::Region" }, "\n",
"crontab /home/ec2-user/crontab\n",
"/opt/aws/bin/cfn-signal -e $? ",
"
--stack ", { "Ref" : "AWS::StackName" },
"
--resource AutoScalingGroup ",

API Version 2010-05-15
375

AWS CloudFormation User Guide
Amazon EFS

]]}}

"

--region ", { "Ref" : "AWS::Region" }, "\n"

}
},
"AutoScalingGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"DependsOn": ["MountTarget", "GatewayToInternet"],
"CreationPolicy" : {
"ResourceSignal" : {
"Timeout" : "PT15M",
"Count"
: { "Ref": "AsgMaxSize" }
}
},
"Properties": {
"VPCZoneIdentifier": [ { "Ref": "Subnet" } ],
"LaunchConfigurationName": { "Ref": "LaunchConfiguration" },
"MinSize": "1",
"MaxSize": { "Ref": "AsgMaxSize" },
"DesiredCapacity": { "Ref": "AsgMaxSize" },
"Tags": [ {
"Key": "Name",
"Value": "EFS FileSystem Mounted Instance",
"PropagateAtLaunch": "true"
} ]
}
}

}

},
"Outputs" : {
"MountTargetID" : {
"Description" : "Mount target ID",
"Value" : { "Ref" : "MountTarget" }
},
"FileSystemID" : {
"Description" : "File system ID",
"Value" : { "Ref" : "FileSystem" }
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Description: This template creates an Amazon EFS file system and mount target and
associates it with Amazon EC2 instances in an Auto Scaling group. **WARNING** This
template creates Amazon EC2 instances and related resources. You will be billed
for the AWS resources used if you create a stack from this template.
Parameters:
InstanceType:
Description: WebServer EC2 instance type
Type: String
Default: m1.small
AllowedValues:
- t1.micro
- t2.micro
- t2.small
- t2.medium
- m1.small
- m1.medium
- m1.large
- m1.xlarge
- m2.xlarge
- m2.2xlarge
- m2.4xlarge
- m3.medium

API Version 2010-05-15
376

AWS CloudFormation User Guide
Amazon EFS
- m3.large
- m3.xlarge
- m3.2xlarge
- c1.medium
- c1.xlarge
- c3.large
- c3.xlarge
- c3.2xlarge
- c3.4xlarge
- c3.8xlarge
- c4.large
- c4.xlarge
- c4.2xlarge
- c4.4xlarge
- c4.8xlarge
- g2.2xlarge
- r3.large
- r3.xlarge
- r3.2xlarge
- r3.4xlarge
- r3.8xlarge
- i2.xlarge
- i2.2xlarge
- i2.4xlarge
- i2.8xlarge
- d2.xlarge
- d2.2xlarge
- d2.4xlarge
- d2.8xlarge
- hi1.4xlarge
- hs1.8xlarge
- cr1.8xlarge
- cc2.8xlarge
- cg1.4xlarge
ConstraintDescription: Must be a valid EC2 instance type.
KeyName:
Type: AWS::EC2::KeyPair::KeyName
Description: Name of an existing EC2 key pair to enable SSH access to the ECS
instances
AsgMaxSize:
Type: Number
Description: Maximum size and initial desired capacity of Auto Scaling Group
Default: '2'
SSHLocation:
Description: The IP address range that can be used to connect to the EC2 instances
by using SSH
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
VolumeName:
Description: The name to be used for the EFS volume
Type: String
MinLength: '1'
Default: myEFSvolume
MountPoint:
Description: The Linux mount point for the EFS volume
Type: String
MinLength: '1'
Default: myEFSvolume
Mappings:
AWSInstanceType2Arch:
t1.micro:
Arch: PV64

API Version 2010-05-15
377

AWS CloudFormation User Guide
Amazon EFS
t2.micro:
Arch: HVM64
t2.small:
Arch: HVM64
t2.medium:
Arch: HVM64
m1.small:
Arch: PV64
m1.medium:
Arch: PV64
m1.large:
Arch: PV64
m1.xlarge:
Arch: PV64
m2.xlarge:
Arch: PV64
m2.2xlarge:
Arch: PV64
m2.4xlarge:
Arch: PV64
m3.medium:
Arch: HVM64
m3.large:
Arch: HVM64
m3.xlarge:
Arch: HVM64
m3.2xlarge:
Arch: HVM64
c1.medium:
Arch: PV64
c1.xlarge:
Arch: PV64
c3.large:
Arch: HVM64
c3.xlarge:
Arch: HVM64
c3.2xlarge:
Arch: HVM64
c3.4xlarge:
Arch: HVM64
c3.8xlarge:
Arch: HVM64
c4.large:
Arch: HVM64
c4.xlarge:
Arch: HVM64
c4.2xlarge:
Arch: HVM64
c4.4xlarge:
Arch: HVM64
c4.8xlarge:
Arch: HVM64
g2.2xlarge:
Arch: HVMG2
r3.large:
Arch: HVM64
r3.xlarge:
Arch: HVM64
r3.2xlarge:
Arch: HVM64
r3.4xlarge:
Arch: HVM64
r3.8xlarge:
Arch: HVM64
i2.xlarge:
Arch: HVM64

API Version 2010-05-15
378

AWS CloudFormation User Guide
Amazon EFS
i2.2xlarge:
Arch: HVM64
i2.4xlarge:
Arch: HVM64
i2.8xlarge:
Arch: HVM64
d2.xlarge:
Arch: HVM64
d2.2xlarge:
Arch: HVM64
d2.4xlarge:
Arch: HVM64
d2.8xlarge:
Arch: HVM64
hi1.4xlarge:
Arch: HVM64
hs1.8xlarge:
Arch: HVM64
cr1.8xlarge:
Arch: HVM64
cc2.8xlarge:
Arch: HVM64
AWSRegionArch2AMI:
us-east-1:
PV64: ami-1ccae774
HVM64: ami-1ecae776
HVMG2: ami-8c6b40e4
us-west-2:
PV64: ami-ff527ecf
HVM64: ami-e7527ed7
HVMG2: ami-abbe919b
us-west-1:
PV64: ami-d514f291
HVM64: ami-d114f295
HVMG2: ami-f31ffeb7
eu-west-1:
PV64: ami-bf0897c8
HVM64: ami-a10897d6
HVMG2: ami-d5bc24a2
eu-central-1:
PV64: ami-ac221fb1
HVM64: ami-a8221fb5
HVMG2: ami-7cd2ef61
ap-northeast-1:
PV64: ami-27f90e27
HVM64: ami-cbf90ecb
HVMG2: ami-6318e863
ap-southeast-1:
PV64: ami-acd9e8fe
HVM64: ami-68d8e93a
HVMG2: ami-3807376a
ap-southeast-2:
PV64: ami-ff9cecc5
HVM64: ami-fd9cecc7
HVMG2: ami-89790ab3
sa-east-1:
PV64: ami-bb2890a6
HVM64: ami-b52890a8
HVMG2: NOT_SUPPORTED
cn-north-1:
PV64: ami-fa39abc3
HVM64: ami-f239abcb
HVMG2: NOT_SUPPORTED
Resources:
CloudWatchPutMetricsRole:
Type: AWS::IAM::Role

API Version 2010-05-15
379

AWS CloudFormation User Guide
Amazon EFS
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
CloudWatchPutMetricsRolePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: CloudWatch_PutMetricData
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: CloudWatchPutMetricData
Effect: Allow
Action:
- cloudwatch:PutMetricData
Resource:
- "*"
Roles:
- Ref: CloudWatchPutMetricsRole
CloudWatchPutMetricsInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- Ref: CloudWatchPutMetricsRole
VPC:
Type: AWS::EC2::VPC
Properties:
EnableDnsSupport: 'true'
EnableDnsHostnames: 'true'
CidrBlock: 10.0.0.0/16
Tags:
- Key: Application
Value:
Ref: AWS::StackId
InternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Application
Value:
Ref: AWS::StackName
- Key: Network
Value: Public
GatewayToInternet:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: InternetGateway
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: VPC
SubnetRouteTableAssoc:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:

API Version 2010-05-15
380

AWS CloudFormation User Guide
Amazon EFS
Ref: RouteTable
SubnetId:
Ref: Subnet
InternetGatewayRoute:
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock: 0.0.0.0/0
RouteTableId:
Ref: RouteTable
GatewayId:
Ref: InternetGateway
Subnet:
Type: AWS::EC2::Subnet
Properties:
VpcId:
Ref: VPC
CidrBlock: 10.0.0.0/24
Tags:
- Key: Application
Value:
Ref: AWS::StackId
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VPC
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp:
Ref: SSHLocation
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
MountTargetSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VPC
GroupDescription: Security group for mount target
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '2049'
ToPort: '2049'
CidrIp: 0.0.0.0/0
FileSystem:
Type: AWS::EFS::FileSystem
Properties:
PerformanceMode: generalPurpose
FileSystemTags:
- Key: Name
Value:
Ref: VolumeName
MountTarget:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId:
Ref: FileSystem
SubnetId:
Ref: Subnet
SecurityGroups:
- Ref: MountTargetSecurityGroup
LaunchConfiguration:

API Version 2010-05-15
381

AWS CloudFormation User Guide
Amazon EFS
Type: AWS::AutoScaling::LaunchConfiguration
Metadata:
AWS::CloudFormation::Init:
configSets:
MountConfig:
- setup
- mount
setup:
packages:
yum:
nfs-utils: []
files:
"/home/ec2-user/post_nfsstat":
content: !Sub |
#!/bin/bash
INPUT="$(cat)"
CW_JSON_OPEN='{ "Namespace": "EFS", "MetricData": [ '
CW_JSON_CLOSE=' ] }'
CW_JSON_METRIC=''
METRIC_COUNTER=0
for COL in 1 2 3 4 5 6; do
COUNTER=0
METRIC_FIELD=$COL
DATA_FIELD=$(($COL+($COL-1)))
while read line; do
if [[ COUNTER -gt 0 ]]; then
LINE=`echo $line | tr -s ' ' `
AWS_COMMAND="aws cloudwatch put-metric-data --region ${AWS::Region}"
MOD=$(( $COUNTER % 2))
if [ $MOD -eq 1 ]; then
METRIC_NAME=`echo $LINE | cut -d ' ' -f $METRIC_FIELD`
else
METRIC_VALUE=`echo $LINE | cut -d ' ' -f $DATA_FIELD`
fi
if [[ -n "$METRIC_NAME" && -n "$METRIC_VALUE" ]]; then
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/

instance-id)

CW_JSON_METRIC="$CW_JSON_METRIC { \"MetricName\": \"$METRIC_NAME\",
\"Dimensions\": [{\"Name\": \"InstanceId\", \"Value\": \"$INSTANCE_ID\"} ], \"Value\":
$METRIC_VALUE },"
unset METRIC_NAME
unset METRIC_VALUE

METRIC_COUNTER=$((METRIC_COUNTER+1))
if [ $METRIC_COUNTER -eq 20 ]; then
# 20 is max metric collection size, so we have to submit here
aws cloudwatch put-metric-data --region ${AWS::Region} --cliinput-json "`echo $CW_JSON_OPEN ${!CW_JSON_METRIC%?} $CW_JSON_CLOSE`"
# reset
METRIC_COUNTER=0
CW_JSON_METRIC=''

fi

fi

COUNTER=$((COUNTER+1))

fi

API Version 2010-05-15
382

AWS CloudFormation User Guide
Amazon EFS

if [[ "$line" == "Client nfs v4:" ]]; then
# the next line is the good stuff
COUNTER=$((COUNTER+1))
fi
done <<< "$INPUT"
done
# submit whatever is left
aws cloudwatch put-metric-data --region ${AWS::Region} --cli-input-json
"`echo $CW_JSON_OPEN ${!CW_JSON_METRIC%?} $CW_JSON_CLOSE`"
mode: '000755'
owner: ec2-user
group: ec2-user
"/home/ec2-user/crontab":
content: "* * * * * /usr/sbin/nfsstat | /home/ec2-user/post_nfsstat\n"
owner: ec2-user
group: ec2-user
commands:
01_createdir:
command: !Sub "mkdir /${MountPoint}"
mount:
commands:
01_mount:
command: !Sub >
mount -t nfs4 -o nfsvers=4.1 ${FileSystem}.efs.
${AWS::Region}.amazonaws.com:/ /${MountPoint}
02_permissions:
command: !Sub "chown ec2-user:ec2-user /${MountPoint}"
Properties:
AssociatePublicIpAddress: true
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- AWSInstanceType2Arch
- Ref: InstanceType
- Arch
InstanceType:
Ref: InstanceType
KeyName:
Ref: KeyName
SecurityGroups:
- Ref: InstanceSecurityGroup
IamInstanceProfile:
Ref: CloudWatchPutMetricsInstanceProfile
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum install -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfiguration
--configsets MountConfig --region ${AWS::Region}
crontab /home/ec2-user/crontab
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource
AutoScalingGroup --region ${AWS::Region}
AutoScalingGroup:
Type: AWS::AutoScaling::AutoScalingGroup
DependsOn:
- MountTarget
- GatewayToInternet
CreationPolicy:
ResourceSignal:
Timeout: PT15M
Count:
Ref: AsgMaxSize

API Version 2010-05-15
383

AWS CloudFormation User Guide
Elastic Beanstalk
Properties:
VPCZoneIdentifier:
- Ref: Subnet
LaunchConfigurationName:
Ref: LaunchConfiguration
MinSize: '1'
MaxSize:
Ref: AsgMaxSize
DesiredCapacity:
Ref: AsgMaxSize
Tags:
- Key: Name
Value: EFS FileSystem Mounted Instance
PropagateAtLaunch: 'true'
Outputs:
MountTargetID:
Description: Mount target ID
Value:
Ref: MountTarget
FileSystemID:
Description: File system ID
Value:
Ref: FileSystem

Elastic Beanstalk Template Snippets
With Elastic Beanstalk, you can quickly deploy and manage applications in AWS without worrying about
the infrastructure that runs those applications. The following sample template can help you describe
Elastic Beanstalk resources in your AWS CloudFormation template.

Elastic Beanstalk Sample PHP
The following sample template deploys a sample PHP web application that is stored in an Amazon S3
bucket. The Elastic Beanstalk environment is 64-bit Amazon Linux running PHP 5.3. The environment is
also an autoscaling, load-balancing environment, with a minimum of two Amazon EC2 instances and a
maximum of six.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"sampleApplication": {
"Type": "AWS::ElasticBeanstalk::Application",
"Properties": {
"Description": "AWS Elastic Beanstalk Sample Application"
}
},
"sampleApplicationVersion": {
"Type": "AWS::ElasticBeanstalk::ApplicationVersion",
"Properties": {
"ApplicationName": { "Ref": "sampleApplication" },
"Description": "AWS ElasticBeanstalk Sample Application Version",
"SourceBundle": {
"S3Bucket": { "Fn::Join": [ "-", [ "elasticbeanstalk-samples", { "Ref":
"AWS::Region" } ] ] },
"S3Key": "php-newsample-app.zip"
}
}
},
"sampleConfigurationTemplate": {

API Version 2010-05-15
384

AWS CloudFormation User Guide
Elastic Beanstalk
"Type": "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Properties": {
"ApplicationName": { "Ref": "sampleApplication" },
"Description": "AWS ElasticBeanstalk Sample Configuration Template",
"OptionSettings": [
{
"Namespace": "aws:autoscaling:asg",
"OptionName": "MinSize",
"Value": "2"
},
{
"Namespace": "aws:autoscaling:asg",
"OptionName": "MaxSize",
"Value": "6"
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "EnvironmentType",
"Value": "LoadBalanced"
}
],
"SolutionStackName": "64bit Amazon Linux running PHP 5.3"
}

}

}

},
"sampleEnvironment": {
"Type": "AWS::ElasticBeanstalk::Environment",
"Properties": {
"ApplicationName": { "Ref": "sampleApplication" },
"Description": "AWS ElasticBeanstalk Sample Environment",
"TemplateName": { "Ref": "sampleConfigurationTemplate" },
"VersionLabel": { "Ref": "sampleApplicationVersion" }
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
sampleApplication:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Sample Application
sampleApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Application Version
SourceBundle:
S3Bucket: !Sub "elasticbeanstalk-samples-${AWS::Region}"
S3Key: php-newsample-app.zip
sampleConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Configuration Template
OptionSettings:
- Namespace: aws:autoscaling:asg
OptionName: MinSize
Value: '2'
- Namespace: aws:autoscaling:asg

API Version 2010-05-15
385

AWS CloudFormation User Guide
Elastic Load Balancing
OptionName: MaxSize
Value: '6'
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: LoadBalanced
SolutionStackName: 64bit Amazon Linux running PHP 5.3
sampleEnvironment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Environment
TemplateName:
Ref: sampleConfigurationTemplate
VersionLabel:
Ref: sampleApplicationVersion

Elastic Load Balancing Template Snippets
Elastic Load Balancing Load Balancer Resource
This example shows an Elastic Load Balancing load balancer with a single listener, and no instances.

JSON
"MyLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"AvailabilityZones" : [ "us-east-1a" ],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP"
} ]
}
}

YAML
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-1a"
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP

Elastic Load Balancing Load Balancer Resource with Health
Check
This example shows an Elastic Load Balancing load balancer with two Amazon EC2 instances, a single
listener and a health check.

JSON
"MyLoadBalancer" : {

API Version 2010-05-15
386

AWS CloudFormation User Guide
IAM
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"AvailabilityZones" : [ "us-east-1a" ],
"Instances" : [
{ "Ref" : "logical name of AWS::EC2::Instance resource 1" },
{ "Ref" : "logical name of AWS::EC2::Instance resource 2" }
],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP"
} ],

}

}

"HealthCheck" : {
"Target" : "HTTP:80/",
"HealthyThreshold" : "3",
"UnhealthyThreshold" : "5",
"Interval" : "30",
"Timeout" : "5"
}

YAML
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-1a"
Instances:
- Ref: logical name of AWS::EC2::Instance resource 1
- Ref: logical name of AWS::EC2::Instance resource 2
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '3'
UnhealthyThreshold: '5'
Interval: '30'
Timeout: '5'

AWS Identity and Access Management Template
Snippets
This section contains AWS Identity and Access Management template snippets.
Topics
• Declaring an IAM User Resource (p. 388)
• Declaring an IAM Access Key Resource (p. 389)
• Declaring an IAM Group Resource (p. 391)
• Adding Users to a Group (p. 392)
• Declaring an IAM Policy (p. 392)
• Declaring an Amazon S3 Bucket Policy (p. 393)
• Declaring an Amazon SNS Topic Policy (p. 394)
API Version 2010-05-15
387

AWS CloudFormation User Guide
IAM

• Declaring an Amazon SQS Policy (p. 395)
• IAM Role Template Examples (p. 396)

Important

When creating or updating a stack using a template containing IAM resources, you must
acknowledge the use of IAM capabilities. For more information about using IAM resources in
templates, see Controlling Access with AWS Identity and Access Management (p. 9).

Declaring an IAM User Resource
This snippet shows how to declare an AWS::IAM::User (p. 1205) resource to create an IAM user. The
user is declared with the path ("/") and a login proﬁle with the password (myP@ssW0rd).
The policy document named giveaccesstoqueueonly gives the user permission to perform all
Amazon SQS actions on the Amazon SQS queue resource myqueue, and denies access to all other
Amazon SQS queue resources. The Fn::GetAtt (p. 2285) function gets the Arn attribute of the
AWS::SQS::Queue (p. 1495) resource myqueue.
The policy document named giveaccesstotopiconly is added to the user to give the user
permission to perform all Amazon SNS actions on the Amazon SNS topic resource mytopic and
to deny access to all other Amazon SNS resources. The Ref (p. 2311) function gets the ARN of the
AWS::SNS::Topic (p. 1492) resource mytopic.

JSON
"myuser" : {
"Type" : "AWS::IAM::User",
"Properties" : {
"Path" : "/",
"LoginProfile" : {
"Password" : "myP@ssW0rd"
},
"Policies" : [ {
"PolicyName" : "giveaccesstoqueueonly",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}, {
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}
] }
}, {
"PolicyName" : "giveaccesstotopiconly",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sns:*" ],
"Resource" : [ { "Ref" : "mytopic" } ]
}, {

API Version 2010-05-15
388

AWS CloudFormation User Guide
IAM
"Effect" : "Deny",
"Action" : [ "sns:*" ],
"NotResource" : [ { "Ref" : "mytopic" } ]

}

}

}

} ]

} ]

YAML
myuser:
Type: AWS::IAM::User
Properties:
Path: "/"
LoginProfile:
Password: myP@ssW0rd
Policies:
- PolicyName: giveaccesstoqueueonly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource:
- !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource:
- !GetAtt myqueue.Arn
- PolicyName: giveaccesstotopiconly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sns:*
Resource:
- !Ref mytopic
- Effect: Deny
Action:
- sns:*
NotResource:
- !Ref mytopic

Declaring an IAM Access Key Resource
This snippet shows an AWS::IAM::AccessKey (p. 1184) resource. The myaccesskey resource
creates an access key and assigns it to an IAM user that is declared as an AWS::IAM::User (p. 1205)
resource in the template.

JSON

"myaccesskey" : {
"Type" : "AWS::IAM::AccessKey",
"Properties" : {
"UserName" : { "Ref" : "myuser" }

API Version 2010-05-15
389

AWS CloudFormation User Guide
IAM

}

}

YAML
myaccesskey:
Type: AWS::IAM::AccessKey
Properties:
UserName:
!Ref myuser

You can get the secret key for an AWS::IAM::AccessKey resource using the Fn::GetAtt (p. 2285)
function. The only time that you can get the secret key for an AWS access key is when it is created. One
way to retrieve the secret key is to put it into an Output value. You can get the access key using the Ref
function. The following Output value declarations get the access key and secret key for myaccesskey.

JSON

"AccessKeyformyaccesskey" : {
"Value" : { "Ref" : "myaccesskey" }
},
"SecretKeyformyaccesskey" : {
"Value" : {
"Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ]
}
}

YAML
AccessKeyformyaccesskey:
Value:
!Ref myaccesskey
SecretKeyformyaccesskey:
Value: !GetAtt myaccesskey.SecretAccessKey

You can also pass the AWS access key and secret key to an EC2 instance or Auto Scaling group deﬁned
in the template. The following AWS::EC2::Instance (p. 879) declaration uses the UserData
property to pass the access key and secret key for the myaccesskey resource.

JSON

"myinstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"AvailabilityZone" : "us-east-1a",
"ImageId" : "ami-20b65349",
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [
"", [
"ACCESS_KEY=", {
"Ref" : "myaccesskey"
},
"&",

API Version 2010-05-15
390

AWS CloudFormation User Guide
IAM

}

}

}

}

]

]

"SECRET_KEY=",
{
"Fn::GetAtt" : [
"myaccesskey",
"SecretAccessKey"
]
}

YAML
myinstance:
Type: AWS::EC2::Instance
Properties:
AvailabilityZone: "us-east-1a"
ImageId: ami-20b65349
UserData:
Fn::Base64: !Sub "ACCESS_KEY=${myaccesskey}&SECRET_KEY=${myaccesskey.SecretAccessKey}

Declaring an IAM Group Resource
This snippet shows an AWS::IAM::Group (p. 1186) resource. The group has a path ("/
myapplication/"). The policy document named myapppolicy is added to the group to allow the
group's users to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue and deny
access to all other Amazon SQS resources except myqueue.
To assign a policy to a resource, IAM requires the Amazon Resource Name (ARN) for the resource. In the
snippet, the Fn::GetAtt (p. 2285) function gets the ARN of the AWS::SQS::Queue (p. 1495)
resource queue.

JSON
"mygroup" : {
"Type" : "AWS::IAM::Group",
"Properties" : {
"Path" : "/myapplication/",
"Policies" : [ {
"PolicyName" : "myapppolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
},
{
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
}
] }
} ]
}

API Version 2010-05-15
391

AWS CloudFormation User Guide
IAM
}

YAML
mygroup:
Type: AWS::IAM::Group
Properties:
Path: "/myapplication/"
Policies:
- PolicyName: myapppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource: !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource: !GetAtt myqueue.Arn

Adding Users to a Group
The AWS::IAM::UserToGroupAddition (p. 1208) resource adds users to a group. In the following
snippet, the addUserToGroup resource adds the following users to an existing group named
myexistinggroup2: the existing user existinguser1 and the user myuser which is declared as an
AWS::IAM::User (p. 1205) resource in the template.

JSON
"addUserToGroup" : {
"Type" : "AWS::IAM::UserToGroupAddition",
"Properties" : {
"GroupName" : "myexistinggroup2",
"Users" : [ "existinguser1", { "Ref" : "myuser" } ]
}
}

YAML
addUserToGroup:
Type: AWS::IAM::UserToGroupAddition
Properties:
GroupName: myexistinggroup2
Users:
- existinguser1
- !Ref myuser

Declaring an IAM Policy
This snippet shows how to create a policy and apply it to multiple groups using an
AWS::IAM::Policy (p. 1194) resource named mypolicy. The mypolicy resource contains a
PolicyDocument property that allows GetObject, PutObject, and PutObjectAcl actions on
the objects in the S3 bucket represented by the ARN arn:aws:s3:::myAWSBucket. The mypolicy
resource applies the policy to an existing group named myexistinggroup1 and a group mygroup that
API Version 2010-05-15
392

AWS CloudFormation User Guide
IAM

is declared in the template as an AWS::IAM::Group (p. 1186) resource. This example shows how
to apply a policy to a group using the Groups property; however, you can alternatively use the Users
property to add a policy document to a list of users.

Important

The Amazon SNS policy actions that are declared in the AWS::IAM::Policy
resource (p. 392) diﬀer from the Amazon SNS topic policy actions that are declared
in the AWS::SNS::TopicPolicy resource (p. 394). For example, the policy actions
sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for the
AWS::IAM::Policy resource, but are invalid for the AWS::SNS::TopicPolicy resource.
For more information about valid Amazon SNS policy actions that you can use with the
AWS::IAM::Policy resource, see Special Information for Amazon SNS Policies in the Amazon
Simple Notiﬁcation Service Developer Guide.

JSON
"mypolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "mygrouppolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [
"s3:GetObject" , "s3:PutObject" , "s3:PutObjectAcl" ],
"Resource" : "arn:aws:s3:::myAWSBucket/*"
} ]
},
"Groups" : [ "myexistinggroup1", { "Ref" : "mygroup" } ]
}
}

YAML
mypolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:PutObjectAcl
Resource: arn:aws:s3:::myAWSBucket/*
Groups:
- myexistinggroup1
- !Ref mygroup

Declaring an Amazon S3 Bucket Policy
This snippet shows how to create a policy and apply it to an Amazon S3 bucket using the
AWS::S3::BucketPolicy (p. 1419) resource. The mybucketpolicy resource declares a policy
document that allows the user1 IAM user to perform the GetObject action on all objects in the
S3 bucket to which this policy is applied. In the snippet, the Fn::GetAtt (p. 2285) function
gets the ARN of the user1 resource. The mybucketpolicy resource applies the policy to the
API Version 2010-05-15
393

AWS CloudFormation User Guide
IAM

AWS::S3::Bucket (p. 1403) resource mybucket. The Ref (p. 2311) function gets the bucket name
of the mybucket resource.

JSON
"mybucketpolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyPolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "ReadAccess",
"Action" : [ "s3:GetObject" ],
"Effect" : "Allow",
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "mybucket" } , "/*" ]
] },
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "user1", "Arn" ] }
}
} ]
},
"Bucket" : { "Ref" : "mybucket" }
}
}

YAML
mybucketpolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: '2012-10-17'
Statement:
- Sid: ReadAccess
Action:
- s3:GetObject
Effect: Allow
Resource: !Sub "arn:aws:s3:::${mybucket}/*"
Principal:
AWS: !GetAtt user1.Arn
Bucket: !Ref mybucket

Declaring an Amazon SNS Topic Policy
This snippet shows how to create a policy and apply it to an Amazon SNS topic using the
AWS::SNS::TopicPolicy (p. 1494) resource. The mysnspolicy resource contains a
PolicyDocument property that allows the AWS::IAM::User (p. 1205) resource myuser to perform
the Publish action on an AWS::SNS::Topic (p. 1492) resource mytopic. In the snippet, the
Fn::GetAtt (p. 2285) function gets the ARN for the myuser resource and the Ref (p. 2311)
function gets the ARN for the mytopic resource.

Important

The Amazon SNS policy actions that are declared in the AWS::IAM::Policy
resource (p. 392) diﬀer from the Amazon SNS topic policy actions that are declared
in the AWS::SNS::TopicPolicy resource (p. 394). For example, the policy actions
sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for the
API Version 2010-05-15
394

AWS CloudFormation User Guide
IAM

AWS::IAM::Policy resource, but are invalid for the AWS::SNS::TopicPolicy resource.
For more information about valid Amazon SNS policy actions that you can use with the
AWS::IAM::Policy resource, see Special Information for Amazon SNS Policies in the Amazon
Simple Notiﬁcation Service Developer Guide.

JSON
"mysnspolicy" : {
"Type" : "AWS::SNS::TopicPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyTopicPolicy",
"Version" : "2012-10-17",
"Statement" : [ {
"Sid" : "My-statement-id",
"Effect" : "Allow",
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "myuser", "Arn" ] }
},
"Action" : "sns:Publish",
"Resource" : "*"
} ]
},
"Topics" : [ { "Ref" : "mytopic" } ]
}
}

YAML
mysnspolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: MyTopicPolicy
Version: '2012-10-17'
Statement:
- Sid: My-statement-id
Effect: Allow
Principal:
AWS: !GetAtt myuser.Arn
Action: sns:Publish
Resource: "*"
Topics:
- !Ref mytopic

Declaring an Amazon SQS Policy
This snippet shows how to create a policy and apply it to an Amazon SQS queue using the
AWS::SQS::QueuePolicy (p. 1503) resource. The PolicyDocument property allows the existing
user myapp (speciﬁed by its ARN) to perform the SendMessage action on an existing queue, which
is speciﬁed by its URL, and an AWS::SQS::Queue (p. 1495) resource myqueue. The Ref (p. 2311)
function gets the URL for the myqueue resource.

JSON
"mysqspolicy" : {
"Type" : "AWS::SQS::QueuePolicy",
"Properties" : {

API Version 2010-05-15
395

AWS CloudFormation User Guide
IAM

}

}

"PolicyDocument" : {
"Id" : "MyQueuePolicy",
"Version" : "2012-10-17",
"Statement" : [ {
"Sid" : "Allow-User-SendMessage",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::123456789012:user/myapp"
},
"Action" : [ "sqs:SendMessage" ],
"Resource" : "*"
} ]
},
"Queues" : [
"https://sqs.us-east-2.amazonaws.com/123456789012/myexistingqueue",
{ "Ref" : "myqueue" }
]

YAML
mysqspolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Id: MyQueuePolicy
Version: '2012-10-17'
Statement:
- Sid: Allow-User-SendMessage
Effect: Allow
Principal:
AWS: arn:aws:iam::123456789012:user/myapp
Action:
- sqs:SendMessage
Resource: "*"
Queues:
- https://sqs.us-east-2.amazonaws.com/123456789012/myexistingqueue
- !Ref myqueue

IAM Role Template Examples
This section provides CloudFormation template examples for IAM Roles for EC2 Instances.
For more information about IAM roles, see Working with Roles in the AWS Identity and Access
Management User Guide.

IAM Role with EC2
In this example, the instance proﬁle is referenced by the IamInstanceProfile property of the EC2
Instance. Both the instance policy and role policy reference AWS::IAM::Role (p. 1197).

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myEC2Instance": {
"Type": "AWS::EC2::Instance",
"Version": "2009-05-15",
"Properties": {

API Version 2010-05-15
396

AWS CloudFormation User Guide
IAM
"ImageId": "ami-205fba49",
"InstanceType": "m1.small",
"Monitoring": "true",
"DisableApiTermination": "false",
"IamInstanceProfile": {
"Ref": "RootInstanceProfile"
}

}

}

}
},
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "RootRole" } ]
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myEC2Instance:
Type: AWS::EC2::Instance
Version: '2009-05-15'
Properties:
ImageId: ami-205fba49
InstanceType: m1.small
Monitoring: 'true'
DisableApiTermination: 'false'
IamInstanceProfile:
!Ref RootInstanceProfile

API Version 2010-05-15
397

AWS CloudFormation User Guide
IAM
RootRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Roles:
- !Ref RootRole
RootInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref RootRole

IAM Role with AutoScaling Group
In this example, the instance proﬁle is referenced by the IamInstanceProfile property of an
AutoScaling Group Launch Conﬁguration.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myLCOne": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-205fba49",
"InstanceType": "m1.small",
"InstanceMonitoring": "true",
"IamInstanceProfile": { "Ref": "RootInstanceProfile" }
}
},
"myASGrpOne": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Version": "2009-05-15",
"Properties": {
"AvailabilityZones": [ "us-east-1a" ],
"LaunchConfigurationName": { "Ref": "myLCOne" },
"MinSize": "0",
"MaxSize": "0",
"HealthCheckType": "EC2",
"HealthCheckGracePeriod": "120"
}
},

API Version 2010-05-15
398

AWS CloudFormation User Guide
IAM

}

}

"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "RootRole" } ]
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myLCOne:
Type: AWS::AutoScaling::LaunchConfiguration
Version: '2009-05-15'
Properties:
ImageId: ami-205fba49
InstanceType: m1.small
InstanceMonitoring: 'true'
IamInstanceProfile:
!Ref RootInstanceProfile
myASGrpOne:
Type: AWS::AutoScaling::AutoScalingGroup
Version: '2009-05-15'
Properties:
AvailabilityZones:
- "us-east-1a"
LaunchConfigurationName:
!Ref myLCOne
MinSize: '0'
MaxSize: '0'

API Version 2010-05-15
399

AWS CloudFormation User Guide
AWS Lambda
HealthCheckType: EC2
HealthCheckGracePeriod: '120'
RootRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Roles:
- !Ref RootRole
RootInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref RootRole

AWS Lambda Template
The following template uses an AWS Lambda (Lambda) function and custom resource to append a new
security group to a list of existing security groups. This function is useful when you want to build a list
of security groups dynamically, so that your list includes both new and existing security groups. For
example, you can pass a list of existing security groups as a parameter value, append the new value to
the list, and then associate all your values with an EC2 instance. For more information about the Lambda
function resource type, see AWS::Lambda::Function (p. 1257).
In the example, when AWS CloudFormation creates the AllSecurityGroups custom resource, AWS
CloudFormation invokes the AppendItemToListFunction Lambda function. AWS CloudFormation
passes the list of existing security groups and a new security group (NewSecurityGroup) to the
function, which appends the new security group to the list and then returns the modiﬁed list. AWS
CloudFormation uses the modiﬁed list to associate all security groups with the MyEC2Instance
resource.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"ExistingSecurityGroups" : {
"Type" : "List"
},
"ExistingVPC" : {

API Version 2010-05-15
400

AWS CloudFormation User Guide
AWS Lambda
"Type" : "AWS::EC2::VPC::Id",
"Description" : "The VPC ID that includes the security groups in the
ExistingSecurityGroups parameter."
},
"InstanceType" : {
"Type" : "String",
"Default" : "t2.micro",
"AllowedValues" : ["t2.micro", "m1.small"]
}
},
"Mappings": {
"AWSInstanceType2Arch" : {
"t2.micro"
: { "Arch" : "HVM64" },
"m1.small"
: { "Arch" : "PV64"
}
},
"AWSRegionArch2AMI" : {
"us-east-1"
: {"PV64" : "ami-1ccae774", "HVM64" : "ami-1ecae776"},
"us-west-2"
: {"PV64" : "ami-ff527ecf", "HVM64" : "ami-e7527ed7"},
"us-west-1"
: {"PV64" : "ami-d514f291", "HVM64" : "ami-d114f295"},
"eu-west-1"
: {"PV64" : "ami-bf0897c8", "HVM64" : "ami-a10897d6"},
"eu-central-1"
: {"PV64" : "ami-ac221fb1", "HVM64" : "ami-a8221fb5"},
"ap-northeast-1"
: {"PV64" : "ami-27f90e27", "HVM64" : "ami-cbf90ecb"},
"ap-southeast-1"
: {"PV64" : "ami-acd9e8fe", "HVM64" : "ami-68d8e93a"},
"ap-southeast-2"
: {"PV64" : "ami-ff9cecc5", "HVM64" : "ami-fd9cecc7"},
"sa-east-1"
: {"PV64" : "ami-bb2890a6", "HVM64" : "ami-b52890a8"},
"cn-north-1"
: {"PV64" : "ami-fa39abc3", "HVM64" : "ami-f239abcb"}
}
},
"Resources" : {
"SecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Allow HTTP traffic to the host",
"VpcId" : {"Ref" : "ExistingVPC"},
"SecurityGroupIngress" : [{
"IpProtocol" : "tcp",
"FromPort" : "80",
"ToPort" : "80",
"CidrIp" : "0.0.0.0/0"
}],
"SecurityGroupEgress" : [{
"IpProtocol" : "tcp",
"FromPort" : "80",
"ToPort" : "80",
"CidrIp" : "0.0.0.0/0"
}]
}
},
"AllSecurityGroups": {
"Type": "Custom::Split",
"Properties": {
"ServiceToken": { "Fn::GetAtt" : ["AppendItemToListFunction", "Arn"] },
"List": { "Ref" : "ExistingSecurityGroups" },
"AppendedItem": { "Ref" : "SecurityGroup" }
}
},
"AppendItemToListFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Handler": "index.handler",
"Role": { "Fn::GetAtt" : ["LambdaExecutionRole", "Arn"] },
"Code": {
"ZipFile": { "Fn::Join": ["", [
"var response = require('cfn-response');",
"exports.handler = function(event, context) {",
"
var responseData = {Value: event.ResourceProperties.List};",

API Version 2010-05-15
401

AWS CloudFormation User Guide
AWS Lambda
"
responseData.Value.push(event.ResourceProperties.AppendedItem);",
"
response.send(event, context, response.SUCCESS, responseData);",
"};"
]]}

},
"Runtime": "nodejs4.3"

}
},
"MyEC2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId": { "Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" },
{ "Fn::FindInMap": [
"AWSInstanceType2Arch", { "Ref": "InstanceType" }, "Arch" ] } ]
},
"SecurityGroupIds" : { "Fn::GetAtt": [ "AllSecurityGroups", "Value" ] },
"InstanceType" : { "Ref" : "InstanceType" }
}
},
"LambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [{ "Effect": "Allow", "Principal": {"Service":
["lambda.amazonaws.com"]}, "Action": ["sts:AssumeRole"] }]
},
"Path": "/",
"Policies": [{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{ "Effect": "Allow", "Action": ["logs:*"], "Resource":
"arn:aws:logs:*:*:*" }]
}
}]
}
}
},
"Outputs" : {
"AllSecurityGroups" : {
"Description" : "Security Groups that are associated with the EC2 instance",
"Value" : { "Fn::Join" : [ ", ", { "Fn::GetAtt": [ "AllSecurityGroups", "Value" ] }]}
}
}

}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
ExistingSecurityGroups:
Type: List
ExistingVPC:
Type: AWS::EC2::VPC::Id
Description: The VPC ID that includes the security groups in the ExistingSecurityGroups
parameter.
InstanceType:
Type: String
Default: t2.micro
AllowedValues:
- t2.micro
- m1.small
Mappings:

API Version 2010-05-15
402

AWS CloudFormation User Guide
AWS Lambda
AWSInstanceType2Arch:
t2.micro:
Arch: HVM64
m1.small:
Arch: PV64
AWSRegionArch2AMI:
us-east-1:
PV64: ami-1ccae774
HVM64: ami-1ecae776
us-west-2:
PV64: ami-ff527ecf
HVM64: ami-e7527ed7
us-west-1:
PV64: ami-d514f291
HVM64: ami-d114f295
eu-west-1:
PV64: ami-bf0897c8
HVM64: ami-a10897d6
eu-central-1:
PV64: ami-ac221fb1
HVM64: ami-a8221fb5
ap-northeast-1:
PV64: ami-27f90e27
HVM64: ami-cbf90ecb
ap-southeast-1:
PV64: ami-acd9e8fe
HVM64: ami-68d8e93a
ap-southeast-2:
PV64: ami-ff9cecc5
HVM64: ami-fd9cecc7
sa-east-1:
PV64: ami-bb2890a6
HVM64: ami-b52890a8
cn-north-1:
PV64: ami-fa39abc3
HVM64: ami-f239abcb
Resources:
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow HTTP traffic to the host
VpcId:
Ref: ExistingVPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
AllSecurityGroups:
Type: Custom::Split
Properties:
ServiceToken: !GetAtt AppendItemToListFunction.Arn
List:
Ref: ExistingSecurityGroups
AppendedItem:
Ref: SecurityGroup
AppendItemToListFunction:
Type: AWS::Lambda::Function
Properties:
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn

API Version 2010-05-15
403

AWS CloudFormation User Guide
AWS OpsWorks
Code:
ZipFile: !Sub |
var response = require('cfn-response');
exports.handler = function(event, context) {
var responseData = {Value: event.ResourceProperties.List};
responseData.Value.push(event.ResourceProperties.AppendedItem);
response.send(event, context, response.SUCCESS, responseData);
};
Runtime: nodejs4.3
MyEC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- AWSInstanceType2Arch
- Ref: InstanceType
- Arch
SecurityGroupIds: !GetAtt AllSecurityGroups.Value
InstanceType:
Ref: InstanceType
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
Policies:
- PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:*
Resource: arn:aws:logs:*:*:*
Outputs:
AllSecurityGroups:
Description: Security Groups that are associated with the EC2 instance
Value:
Fn::Join:
- ", "
- Fn::GetAtt:
- AllSecurityGroups
- Value

AWS OpsWorks Template Snippets
AWS OpsWorks is an application management service that simpliﬁes a wide range of tasks such as
software conﬁguration, application deployment, scaling, and monitoring. AWS CloudFormation is a
resource management service that you can use to manage AWS OpsWorks resources, such as AWS
OpsWorks stacks, layers, apps, and instances.

API Version 2010-05-15
404

AWS CloudFormation User Guide
AWS OpsWorks

AWS OpsWorks Sample PHP App
The following sample template deploys a sample AWS OpsWorks PHP web application that is stored in
public Git repository. The AWS OpsWorks stack includes two application servers with a load balancer
that distributes incoming traﬃc evenly across the servers. The AWS OpsWorks stack also includes a
back-end MySQL database server to store data. For more information about the sample AWS OpsWorks
application, see Walkthrough: Learn AWS AWS OpsWorks Basics by Creating an Application Server Stack
in the AWS OpsWorks User Guide.

Note

The ServiceRoleArn and DefaultInstanceProfileArn properties reference IAM roles that
are created after you use AWS OpsWorks for the ﬁrst time.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"ServiceRole": {
"Default": "aws-opsworks-service-role",
"Description": "The OpsWorks service role",
"Type": "String",
"MinLength": "1",
"MaxLength": "64",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9-]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric
characters."
},
"InstanceRole": {
"Default": "aws-opsworks-ec2-role",
"Description": "The OpsWorks instance role",
"Type": "String",
"MinLength": "1",
"MaxLength": "64",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9-]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric
characters."
},
"AppName": {
"Default": "myapp",
"Description": "The app name",
"Type": "String",
"MinLength": "1",
"MaxLength": "64",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric
characters."
},
"MysqlRootPassword" : {
"Description" : "MysqlRootPassword",
"NoEcho" : "true",
"Type" : "String"
}
},
"Resources": {
"myStack": {
"Type": "AWS::OpsWorks::Stack",
"Properties": {
"Name": {
"Ref": "AWS::StackName"
},
"ServiceRoleArn": {
"Fn::Join": [

API Version 2010-05-15
405

AWS CloudFormation User Guide
AWS OpsWorks
"", ["arn:aws:iam::", {"Ref": "AWS::AccountId"},
":role/", {"Ref": "ServiceRole"}]

]
},
"DefaultInstanceProfileArn": {
"Fn::Join": [
"", ["arn:aws:iam::", {"Ref": "AWS::AccountId"},
":instance-profile/", {"Ref": "InstanceRole"}]
]
},
"UseCustomCookbooks": "true",
"CustomCookbooksSource": {
"Type": "git",
"Url": "git://github.com/amazonwebservices/opsworks-example-cookbooks.git"
}

}
},
"myLayer": {
"Type": "AWS::OpsWorks::Layer",
"DependsOn": "myApp",
"Properties": {
"StackId": {"Ref": "myStack"},
"Type": "php-app",
"Shortname" : "php-app",
"EnableAutoHealing" : "true",
"AutoAssignElasticIps" : "false",
"AutoAssignPublicIps" : "true",
"Name": "MyPHPApp",
"CustomRecipes" : {
"Configure" : ["phpapp::appsetup"]
}
}
},
"DBLayer" : {
"Type" : "AWS::OpsWorks::Layer",
"DependsOn": "myApp",
"Properties" : {
"StackId" : {"Ref":"myStack"},
"Type" : "db-master",
"Shortname" : "db-layer",
"EnableAutoHealing" : "true",
"AutoAssignElasticIps" : "false",
"AutoAssignPublicIps" : "true",
"Name" : "MyMySQL",
"CustomRecipes" : {
"Setup" : ["phpapp::dbsetup"]
},
"Attributes" : {
"MysqlRootPassword" : {"Ref":"MysqlRootPassword"},
"MysqlRootPasswordUbiquitous": "true"
},
"VolumeConfigurations":[{"MountPoint":"/vol/mysql","NumberOfDisks":1,"Size":10}]
}
},
"ELBAttachment" : {
"Type" : "AWS::OpsWorks::ElasticLoadBalancerAttachment",
"Properties" : {
"ElasticLoadBalancerName" : { "Ref" : "ELB" },
"LayerId" : { "Ref" : "myLayer" }
}
},
"ELB" : {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AvailabilityZones": { "Fn::GetAZs" : "" } ,
"Listeners": [{

API Version 2010-05-15
406

AWS CloudFormation User Guide
AWS OpsWorks
"LoadBalancerPort": "80",
"InstancePort": "80",
"Protocol": "HTTP",
"InstanceProtocol": "HTTP"
}],
"HealthCheck": {
"Target": "HTTP:80/",
"HealthyThreshold": "2",
"UnhealthyThreshold": "10",
"Interval": "30",
"Timeout": "5"
}

}

}

}
},
"myAppInstance1": {
"Type": "AWS::OpsWorks::Instance",
"Properties": {
"StackId": {"Ref": "myStack"},
"LayerIds": [{"Ref": "myLayer"}],
"InstanceType": "m1.small"
}
},
"myAppInstance2": {
"Type": "AWS::OpsWorks::Instance",
"Properties": {
"StackId": {"Ref": "myStack"},
"LayerIds": [{"Ref": "myLayer"}],
"InstanceType": "m1.small"
}
},
"myDBInstance": {
"Type": "AWS::OpsWorks::Instance",
"Properties": {
"StackId": {"Ref": "myStack"},
"LayerIds": [{"Ref": "DBLayer"}],
"InstanceType": "m1.small"
}
},
"myApp" : {
"Type" : "AWS::OpsWorks::App",
"Properties" : {
"StackId" : {"Ref":"myStack"},
"Type" : "php",
"Name" : {"Ref": "AppName"},
"AppSource" : {
"Type" : "git",
"Url" : "git://github.com/amazonwebservices/opsworks-demo-php-simple-app.git",
"Revision" : "version2"
},
"Attributes" : {
"DocumentRoot" : "web"
}
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
ServiceRole:
Default: aws-opsworks-service-role
Description: The OpsWorks service role

API Version 2010-05-15
407

AWS CloudFormation User Guide
AWS OpsWorks
Type: String
MinLength: '1'
MaxLength: '64'
AllowedPattern: "[a-zA-Z][a-zA-Z0-9-]*"
ConstraintDescription: must begin with a letter and contain only alphanumeric
characters.
InstanceRole:
Default: aws-opsworks-ec2-role
Description: The OpsWorks instance role
Type: String
MinLength: '1'
MaxLength: '64'
AllowedPattern: "[a-zA-Z][a-zA-Z0-9-]*"
ConstraintDescription: must begin with a letter and contain only alphanumeric
characters.
AppName:
Default: myapp
Description: The app name
Type: String
MinLength: '1'
MaxLength: '64'
AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
ConstraintDescription: must begin with a letter and contain only alphanumeric
characters.
MysqlRootPassword:
Description: MysqlRootPassword
NoEcho: 'true'
Type: String
Resources:
myStack:
Type: AWS::OpsWorks::Stack
Properties:
Name:
Ref: AWS::StackName
ServiceRoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${ServiceRole}"
DefaultInstanceProfileArn: !Sub "arn:aws:iam::${AWS::AccountId}:instance-profile/
${InstanceRole}"
UseCustomCookbooks: 'true'
CustomCookbooksSource:
Type: git
Url: git://github.com/amazonwebservices/opsworks-example-cookbooks.git
myLayer:
Type: AWS::OpsWorks::Layer
DependsOn: myApp
Properties:
StackId:
Ref: myStack
Type: php-app
Shortname: php-app
EnableAutoHealing: 'true'
AutoAssignElasticIps: 'false'
AutoAssignPublicIps: 'true'
Name: MyPHPApp
CustomRecipes:
Configure:
- phpapp::appsetup
DBLayer:
Type: AWS::OpsWorks::Layer
DependsOn: myApp
Properties:
StackId:
Ref: myStack
Type: db-master
Shortname: db-layer
EnableAutoHealing: 'true'
AutoAssignElasticIps: 'false'

API Version 2010-05-15
408

AWS CloudFormation User Guide
AWS OpsWorks
AutoAssignPublicIps: 'true'
Name: MyMySQL
CustomRecipes:
Setup:
- phpapp::dbsetup
Attributes:
MysqlRootPassword:
Ref: MysqlRootPassword
MysqlRootPasswordUbiquitous: 'true'
VolumeConfigurations:
- MountPoint: "/vol/mysql"
NumberOfDisks: 1
Size: 10
ELBAttachment:
Type: AWS::OpsWorks::ElasticLoadBalancerAttachment
Properties:
ElasticLoadBalancerName:
Ref: ELB
LayerId:
Ref: myLayer
ELB:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
Fn::GetAZs: ''
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
InstanceProtocol: HTTP
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '2'
UnhealthyThreshold: '10'
Interval: '30'
Timeout: '5'
myAppInstance1:
Type: AWS::OpsWorks::Instance
Properties:
StackId:
Ref: myStack
LayerIds:
- Ref: myLayer
InstanceType: m1.small
myAppInstance2:
Type: AWS::OpsWorks::Instance
Properties:
StackId:
Ref: myStack
LayerIds:
- Ref: myLayer
InstanceType: m1.small
myDBInstance:
Type: AWS::OpsWorks::Instance
Properties:
StackId:
Ref: myStack
LayerIds:
- Ref: DBLayer
InstanceType: m1.small
myApp:
Type: AWS::OpsWorks::App
Properties:
StackId:
Ref: myStack
Type: php

API Version 2010-05-15
409

AWS CloudFormation User Guide
Amazon Redshift
Name:
Ref: AppName
AppSource:
Type: git
Url: git://github.com/amazonwebservices/opsworks-demo-php-simple-app.git
Revision: version2
Attributes:
DocumentRoot: web

Amazon Redshift Template Snippets
Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can use
AWS CloudFormation to provision and manage Amazon Redshift clusters.

Amazon Redshift Cluster
The following sample template creates an Amazon Redshift cluster according to the parameter values
that are speciﬁed when the stack is created. The cluster parameter group that is associated with the
Amazon Redshift cluster enables user activity logging. The template also launches the Amazon Redshift
clusters in an Amazon VPC that is deﬁned in the template. The VPC includes an internet gateway so that
you can access the Amazon Redshift clusters from the Internet. However, the communication between
the cluster and the Internet gateway must also be enabled, which is done by the route table entry.

Note

The template includes the IsMultiNodeCluster condition so that the NumberOfNodes
parameter is declared only when the ClusterType parameter value is set to multi-node.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"DatabaseName" : {
"Description" : "The name of the first database to be created when the cluster is
created",
"Type" : "String",
"Default" : "dev",
"AllowedPattern" : "([a-z]|[0-9])+"
},
"ClusterType" : {
"Description" : "The type of cluster",
"Type" : "String",
"Default" : "single-node",
"AllowedValues" : [ "single-node", "multi-node" ]
},
"NumberOfNodes" : {
"Description" : "The number of compute nodes in the cluster. For multi-node clusters,
the NumberOfNodes parameter must be greater than 1",
"Type" : "Number",
"Default" : "1"
},
"NodeType" : {
"Description" : "The type of node to be provisioned",
"Type" : "String",
"Default" : "ds2.xlarge",
"AllowedValues" : [ "ds2.xlarge", "ds2.8xlarge", "dc1.large", "dc1.8xlarge" ]
},
"MasterUsername" : {
"Description" : "The user name that is associated with the master user account for
the cluster that is being created",
"Type" : "String",
"Default" : "defaultuser",

API Version 2010-05-15
410

AWS CloudFormation User Guide
Amazon Redshift
"AllowedPattern" : "([a-z])([a-z]|[0-9])*"
},
"MasterUserPassword" : {
"Description" : "The password that is associated with the master user account for the
cluster that is being created.",
"Type" : "String",
"NoEcho" : "true"
},
"InboundTraffic" : {
"Description" : "Allow inbound traffic to the cluster from this CIDR range.",
"Type" : "String",
"MinLength": "9",
"MaxLength": "18",
"Default" : "0.0.0.0/0",
"AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription" : "must be a valid CIDR range of the form x.x.x.x/x."
},
"PortNumber" : {
"Description" : "The port number on which the cluster accepts incoming connections.",
"Type" : "Number",
"Default" : "5439"
}
},
"Conditions" : {
"IsMultiNodeCluster" : {
"Fn::Equals" : [{ "Ref" : "ClusterType" }, "multi-node" ]
}
},
"Resources" : {
"RedshiftCluster" : {
"Type" : "AWS::Redshift::Cluster",
"DependsOn" : "AttachGateway",
"Properties" : {
"ClusterType" : { "Ref" : "ClusterType" },
"NumberOfNodes" : { "Fn::If" : [ "IsMultiNodeCluster", { "Ref" :
"NumberOfNodes" }, { "Ref" : "AWS::NoValue" }]},
"NodeType" : { "Ref" : "NodeType" },
"DBName" : { "Ref" : "DatabaseName" },
"MasterUsername" : { "Ref" : "MasterUsername" },
"MasterUserPassword" : { "Ref" : "MasterUserPassword" },
"ClusterParameterGroupName" : { "Ref" : "RedshiftClusterParameterGroup" },
"VpcSecurityGroupIds" : [ { "Ref" : "SecurityGroup" } ],
"ClusterSubnetGroupName" : { "Ref" : "RedshiftClusterSubnetGroup" },
"PubliclyAccessible" : "true",
"Port" : { "Ref" : "PortNumber" }
}
},
"RedshiftClusterParameterGroup" : {
"Type" : "AWS::Redshift::ClusterParameterGroup",
"Properties" : {
"Description" : "Cluster parameter group",
"ParameterGroupFamily" : "redshift-1.0",
"Parameters" : [{
"ParameterName" : "enable_user_activity_logging",
"ParameterValue" : "true"
}]
}
},
"RedshiftClusterSubnetGroup" : {
"Type" : "AWS::Redshift::ClusterSubnetGroup",
"Properties" : {
"Description" : "Cluster subnet group",
"SubnetIds" : [ { "Ref" : "PublicSubnet" } ]
}
},
"VPC" : {

API Version 2010-05-15
411

AWS CloudFormation User Guide
Amazon Redshift
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : "10.0.0.0/16"
}

},
"PublicSubnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"CidrBlock" : "10.0.0.0/24",
"VpcId" : { "Ref" : "VPC" }
}
},
"SecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Security group",
"SecurityGroupIngress" : [ {
"CidrIp" : { "Ref": "InboundTraffic" },
"FromPort" : { "Ref" : "PortNumber" },
"ToPort" : { "Ref" : "PortNumber" },
"IpProtocol" : "tcp"
} ],
"VpcId" : { "Ref" : "VPC" }
}
},
"myInternetGateway" : {
"Type" : "AWS::EC2::InternetGateway"
},
"AttachGateway" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "myInternetGateway" }
}
},
"PublicRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : {
"Ref" : "VPC"
}
}
},
"PublicRoute" : {
"Type" : "AWS::EC2::Route",
"DependsOn" : "AttachGateway",
"Properties" : {
"RouteTableId" : {
"Ref" : "PublicRouteTable"
},
"DestinationCidrBlock" : "0.0.0.0/0",
"GatewayId" : {
"Ref" : "myInternetGateway"
}
}
},
"PublicSubnetRouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {
"Ref" : "PublicSubnet"
},
"RouteTableId" : {
"Ref" : "PublicRouteTable"
}
}

API Version 2010-05-15
412

AWS CloudFormation User Guide
Amazon Redshift
}
},
"Outputs" : {
"ClusterEndpoint" : {
"Description" : "Cluster endpoint",
"Value" : { "Fn::Join" : [ ":", [ { "Fn::GetAtt" : [ "RedshiftCluster",
"Endpoint.Address" ] }, { "Fn::GetAtt" : [ "RedshiftCluster", "Endpoint.Port" ] } ] ] }
},
"ClusterName" : {
"Description" : "Name of cluster",
"Value" : { "Ref" : "RedshiftCluster" }
},
"ParameterGroupName" : {
"Description" : "Name of parameter group",
"Value" : { "Ref" : "RedshiftClusterParameterGroup" }
},
"RedshiftClusterSubnetGroupName" : {
"Description" : "Name of cluster subnet group",
"Value" : { "Ref" : "RedshiftClusterSubnetGroup" }
},
"RedshiftClusterSecurityGroupName" : {
"Description" : "Name of cluster security group",
"Value" : { "Ref" : "SecurityGroup" }
}
}

}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
DatabaseName:
Description: The name of the first database to be created when the cluster is
created
Type: String
Default: dev
AllowedPattern: "([a-z]|[0-9])+"
ClusterType:
Description: The type of cluster
Type: String
Default: single-node
AllowedValues:
- single-node
- multi-node
NumberOfNodes:
Description: The number of compute nodes in the cluster. For multi-node clusters,
the NumberOfNodes parameter must be greater than 1
Type: Number
Default: '1'
NodeType:
Description: The type of node to be provisioned
Type: String
Default: ds2.xlarge
AllowedValues:
- ds2.xlarge
- ds2.8xlarge
- dc1.large
- dc1.8xlarge
MasterUsername:
Description: The user name that is associated with the master user account for
the cluster that is being created
Type: String
Default: defaultuser
AllowedPattern: "([a-z])([a-z]|[0-9])*"

API Version 2010-05-15
413

AWS CloudFormation User Guide
Amazon Redshift
MasterUserPassword:
Description: The password that is associated with the master user account for
the cluster that is being created.
Type: String
NoEcho: 'true'
InboundTraffic:
Description: Allow inbound traffic to the cluster from this CIDR range.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid CIDR range of the form x.x.x.x/x.
PortNumber:
Description: The port number on which the cluster accepts incoming connections.
Type: Number
Default: '5439'
Conditions:
IsMultiNodeCluster:
Fn::Equals:
- Ref: ClusterType
- multi-node
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
DependsOn: AttachGateway
Properties:
ClusterType:
Ref: ClusterType
NumberOfNodes:
Fn::If:
- IsMultiNodeCluster
- Ref: NumberOfNodes
- Ref: AWS::NoValue
NodeType:
Ref: NodeType
DBName:
Ref: DatabaseName
MasterUsername:
Ref: MasterUsername
MasterUserPassword:
Ref: MasterUserPassword
ClusterParameterGroupName:
Ref: RedshiftClusterParameterGroup
VpcSecurityGroupIds:
- Ref: SecurityGroup
ClusterSubnetGroupName:
Ref: RedshiftClusterSubnetGroup
PubliclyAccessible: 'true'
Port:
Ref: PortNumber
RedshiftClusterParameterGroup:
Type: AWS::Redshift::ClusterParameterGroup
Properties:
Description: Cluster parameter group
ParameterGroupFamily: redshift-1.0
Parameters:
- ParameterName: enable_user_activity_logging
ParameterValue: 'true'
RedshiftClusterSubnetGroup:
Type: AWS::Redshift::ClusterSubnetGroup
Properties:
Description: Cluster subnet group
SubnetIds:
- Ref: PublicSubnet
VPC:

API Version 2010-05-15
414

AWS CloudFormation User Guide
Amazon Redshift
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
PublicSubnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.0.0/24
VpcId:
Ref: VPC
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group
SecurityGroupIngress:
- CidrIp:
Ref: InboundTraffic
FromPort:
Ref: PortNumber
ToPort:
Ref: PortNumber
IpProtocol: tcp
VpcId:
Ref: VPC
myInternetGateway:
Type: AWS::EC2::InternetGateway
AttachGateway:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: myInternetGateway
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: VPC
PublicRoute:
Type: AWS::EC2::Route
DependsOn: AttachGateway
Properties:
RouteTableId:
Ref: PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: myInternetGateway
PublicSubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId:
Ref: PublicSubnet
RouteTableId:
Ref: PublicRouteTable
Outputs:
ClusterEndpoint:
Description: Cluster endpoint
Value: !Sub "${RedshiftCluster.Endpoint.Address}:${RedshiftCluster.Endpoint.Port}"
ClusterName:
Description: Name of cluster
Value:
Ref: RedshiftCluster
ParameterGroupName:
Description: Name of parameter group
Value:
Ref: RedshiftClusterParameterGroup
RedshiftClusterSubnetGroupName:

API Version 2010-05-15
415

AWS CloudFormation User Guide
Amazon RDS
Description: Name of cluster subnet group
Value:
Ref: RedshiftClusterSubnetGroup
RedshiftClusterSecurityGroupName:
Description: Name of cluster security group
Value:
Ref: SecurityGroup

See Also
AWS::Redshift::Cluster (p. 1373)

Amazon RDS Template Snippets
Topics
• Amazon RDS DB Instance Resource (p. 416)
• Amazon RDS Oracle Database DB Instance Resource (p. 417)
• Amazon RDS DBSecurityGroup Resource for CIDR Range (p. 417)
• Amazon RDS DBSecurityGroup with an Amazon EC2 security group (p. 418)
• Multiple VPC security groups (p. 419)
• Amazon RDS Database Instance in a VPC Security Group (p. 420)

Amazon RDS DB Instance Resource
This example shows an Amazon RDS DB Instance resource. Because the optional EngineVersion
property is not speciﬁed, the default engine version is used for this DB Instance. For details
about the default engine version and other default settings, see CreateDBInstance. The
DBSecurityGroups property authorizes network ingress to the AWS::RDS::DBSecurityGroup resources
named MyDbSecurityByEC2SecurityGroup and MyDbSecurityByCIDRIPGroup. For details, see
AWS::RDS::DBInstance (p. 1341). The DB Instance resource also has a DeletionPolicy attribute set to
Snapshot. With the Snapshot DeletionPolicy set, AWS CloudFormation will take a snapshot of this DB
Instance before deleting it during stack deletion.

JSON
"MyDB" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"DBSecurityGroups" : [
{"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" :
"MyDbSecurityByCIDRIPGroup"} ],
"AllocatedStorage" : "5",
"DBInstanceClass" : "db.m1.small",
"Engine" : "MySQL",
"MasterUsername" : "MyName",
"MasterUserPassword" : "MyPassword"
},
"DeletionPolicy" : "Snapshot"
}

YAML
MyDB:
Type: AWS::RDS::DBInstance
Properties:

API Version 2010-05-15
416

AWS CloudFormation User Guide
Amazon RDS
DBSecurityGroups:
- Ref: MyDbSecurityByEC2SecurityGroup
- Ref: MyDbSecurityByCIDRIPGroup
AllocatedStorage: '5'
DBInstanceClass: db.m1.small
Engine: MySQL
MasterUsername: MyName
MasterUserPassword: MyPassword
DeletionPolicy: Snapshot

Amazon RDS Oracle Database DB Instance Resource
This example creates an Oracle Database DB Instance resource by specifying the Engine as oracle-ee
with a license model of bring-your-own-license. For details about the settings for Oracle Database
DB instances, see CreateDBInstance. The DBSecurityGroups property authorizes network ingress
to the AWS::RDS::DBSecurityGroup resources named MyDbSecurityByEC2SecurityGroup and
MyDbSecurityByCIDRIPGroup. For details, see AWS::RDS::DBInstance (p. 1341). The DB Instance
resource also has a DeletionPolicy attribute set to Snapshot. With the Snapshot DeletionPolicy set, AWS
CloudFormation will take a snapshot of this DB Instance before deleting it during stack deletion.

JSON
"MyDB" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"DBSecurityGroups" : [
{"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" :
"MyDbSecurityByCIDRIPGroup"} ],
"AllocatedStorage" : "5",
"DBInstanceClass" : "db.m1.small",
"Engine" : "oracle-ee",
"LicenseModel" : "bring-your-own-license",
"MasterUsername" : "master",
"MasterUserPassword" : "SecretPassword01"
},
"DeletionPolicy" : "Snapshot"
}

YAML
MyDB:
Type: AWS::RDS::DBInstance
Properties:
DBSecurityGroups:
- Ref: MyDbSecurityByEC2SecurityGroup
- Ref: MyDbSecurityByCIDRIPGroup
AllocatedStorage: '5'
DBInstanceClass: db.m1.small
Engine: oracle-ee
LicenseModel: bring-your-own-license
MasterUsername: master
MasterUserPassword: SecretPassword01
DeletionPolicy: Snapshot

Amazon RDS DBSecurityGroup Resource for CIDR Range
This example shows an Amazon RDS DBSecurityGroup resource with ingress authorization
for the speciﬁed CIDR range in the format ddd.ddd.ddd.ddd/dd. For details, see
AWS::RDS::DBSecurityGroup (p. 1360) and Amazon RDS Security Group Rule (p. 2111).
API Version 2010-05-15
417

AWS CloudFormation User Guide
Amazon RDS

JSON
"MyDbSecurityByCIDRIPGroup" : {
"Type" : "AWS::RDS::DBSecurityGroup",
"Properties" : {
"GroupDescription" : "Ingress for CIDRIP",
"DBSecurityGroupIngress" : {
"CIDRIP" : "192.168.0.0/32"
}
}
}

YAML
MyDbSecurityByCIDRIPGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
GroupDescription: Ingress for CIDRIP
DBSecurityGroupIngress:
CIDRIP: "192.168.0.0/32"

Amazon RDS DBSecurityGroup with an Amazon EC2 security
group
This example shows an AWS::RDS::DBSecurityGroup (p. 1360) resource with ingress authorization from
an Amazon EC2 security group referenced by MyEc2SecurityGroup.
To do this, you deﬁne an EC2 security group and then use the intrinsic Ref function to refer to the EC2
security group within your DBSecurityGroup.

JSON
"DBInstance" : {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBName"
: { "Ref" :
"Engine"
: "MySQL",
"MasterUsername"
: { "Ref" :
"DBInstanceClass"
: { "Ref" :
"DBSecurityGroups" : [ { "Ref"
"AllocatedStorage" : { "Ref" :
"MasterUserPassword": { "Ref" :
}
},

"DBName" },
"DBUsername" },
"DBClass" },
: "DBSecurityGroup" } ],
"DBAllocatedStorage" },
"DBPassword" }

"DBSecurityGroup": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"DBSecurityGroupIngress": { "EC2SecurityGroupName": { "Ref":
"WebServerSecurityGroup" } },
"GroupDescription"
: "Frontend Access"
}
},
"WebServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80 and SSH access",

API Version 2010-05-15
418

AWS CloudFormation User Guide
Amazon RDS
"SecurityGroupIngress" : [
{"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" :
"0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"}
]
}

}

YAML
This example is extracted from the following full example: Drupal_Single_Instance_With_RDS.template
DBInstance:
Type: AWS::RDS::DBInstance
Properties:
DBName:
Ref: DBName
Engine: MySQL
MasterUsername:
Ref: DBUsername
DBInstanceClass:
Ref: DBClass
DBSecurityGroups:
- Ref: DBSecurityGroup
AllocatedStorage:
Ref: DBAllocatedStorage
MasterUserPassword:
Ref: DBPassword
DBSecurityGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
DBSecurityGroupIngress:
EC2SecurityGroupName:
Ref: WebServerSecurityGroup
GroupDescription: Frontend Access
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 0.0.0.0/0

Multiple VPC security groups
This example shows an AWS::RDS::DBSecurityGroup (p. 1360) resource with ingress authorization for
multiple Amazon EC2 VPC security groups in AWS::RDS::DBSecurityGroupIngress (p. 1363).

JSON
{

"Resources" : {
"DBinstance" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"AllocatedStorage" : "5",

API Version 2010-05-15
419

AWS CloudFormation User Guide
Amazon RDS
"DBInstanceClass" : "db.m1.small",
"DBName" : {"Ref": "MyDBName" },
"DBSecurityGroups" : [ { "Ref" : "DbSecurityByEC2SecurityGroup" } ],
"DBSubnetGroupName" : { "Ref" : "MyDBSubnetGroup" },
"Engine" : "MySQL",
"MasterUserPassword": { "Ref" : "MyDBPassword" },
"MasterUsername"
: { "Ref" : "MyDBUsername" }

},
"DeletionPolicy" : "Snapshot"

}

}

},
"DbSecurityByEC2SecurityGroup" : {
"Type" : "AWS::RDS::DBSecurityGroup",
"Properties" : {
"GroupDescription" : "Ingress for Amazon EC2 security group",
"EC2VpcId" : { "Ref" : "MyVPC" },
"DBSecurityGroupIngress" : [ {
"EC2SecurityGroupId" : "sg-b0ff1111",
"EC2SecurityGroupOwnerId" : "111122223333"
}, {
"EC2SecurityGroupId" : "sg-ffd722222",
"EC2SecurityGroupOwnerId" : "111122223333"
} ]
}
}

YAML
Resources:
DBinstance:
Type: AWS::RDS::DBInstance
Properties:
AllocatedStorage: '5'
DBInstanceClass: db.m1.small
DBName:
Ref: MyDBName
DBSecurityGroups:
- Ref: DbSecurityByEC2SecurityGroup
DBSubnetGroupName:
Ref: MyDBSubnetGroup
Engine: MySQL
MasterUserPassword:
Ref: MyDBPassword
MasterUsername:
Ref: MyDBUsername
DeletionPolicy: Snapshot
DbSecurityByEC2SecurityGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
GroupDescription: Ingress for Amazon EC2 security group
EC2VpcId:
Ref: MyVPC
DBSecurityGroupIngress:
- EC2SecurityGroupId: sg-b0ff1111
EC2SecurityGroupOwnerId: '111122223333'
- EC2SecurityGroupId: sg-ffd722222
EC2SecurityGroupOwnerId: '111122223333'

Amazon RDS Database Instance in a VPC Security Group
This example shows an Amazon RDS database instance associated with an Amazon EC2 VPC security
group.
API Version 2010-05-15
420

AWS CloudFormation User Guide
Amazon RDS

JSON
{

}

"DBEC2SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription": "Open database for access",
"SecurityGroupIngress" : [{
"IpProtocol" : "tcp",
"FromPort" : "3306",
"ToPort" : "3306",
"SourceSecurityGroupName" : { "Ref" : "WebServerSecurityGroup" }
}]
}
},
"DBInstance" : {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBName"
: { "Ref" : "DBName" },
"Engine"
: "MySQL",
"MultiAZ"
: { "Ref": "MultiAZDatabase" },
"MasterUsername"
: { "Ref" : "DBUser" },
"DBInstanceClass"
: { "Ref" : "DBClass" },
"AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
"MasterUserPassword": { "Ref" : "DBPassword" },
"VPCSecurityGroups" : [ { "Fn::GetAtt": [ "DBEC2SecurityGroup", "GroupId" ] } ]
}
}

YAML
DBEC2SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Open database for access
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '3306'
ToPort: '3306'
SourceSecurityGroupName:
Ref: WebServerSecurityGroup
DBInstance:
Type: AWS::RDS::DBInstance
Properties:
DBName:
Ref: DBName
Engine: MySQL
MultiAZ:
Ref: MultiAZDatabase
MasterUsername:
Ref: DBUser
DBInstanceClass:
Ref: DBClass
AllocatedStorage:
Ref: DBAllocatedStorage
MasterUserPassword:
Ref: DBPassword
VPCSecurityGroups:
- !GetAtt DBEC2SecurityGroup.GroupId

API Version 2010-05-15
421

AWS CloudFormation User Guide
Route 53

Route 53 Template Snippets
Topics
• Amazon Route 53 Resource Record Set Using Hosted Zone Name or ID (p. 422)
• Using RecordSetGroup to Set Up Weighted Resource Record Sets (p. 423)
• Using RecordSetGroup to Set Up an Alias Resource Record Set (p. 424)
• Alias Resource Record Set for a CloudFront Distribution (p. 425)

Amazon Route 53 Resource Record Set Using Hosted Zone
Name or ID
When you create an Amazon Route 53 resource record set, you must specify the hosted zone where you
want to add it. AWS CloudFormation provides two ways to do this. You can explicitly specify the hosted
zone using the HostedZoneId property or have AWS CloudFormation ﬁnd the hosted zone using the
HostedZoneName property. If you use the HostedZoneName property and there are multiple hosted
zones with the same domain name, AWS CloudFormation doesn't create the stack.

Adding RecordSet using HostedZoneId
This example adds an Amazon Route 53 resource record set containing an SPF record for the domain
name mysite.example.com that uses the HostedZoneId property to specify the hosted zone.

JSON
"myDNSRecord" : {
"Type" : "AWS::Route53::RecordSet",
"Properties" :
{
"HostedZoneId" : "Z3DG6IL3SJCGPX",
"Name" : "mysite.example.com.",
"Type" : "SPF",
"TTL" : "900",
"ResourceRecords" : [ "\"v=spf1 ip4:192.168.0.1/16 -all\"" ]
}
}

YAML
myDNSRecord:
Type: AWS::Route53::RecordSet
Properties:
HostedZoneId: Z3DG6IL3SJCGPX
Name: mysite.example.com.
Type: SPF
TTL: '900'
ResourceRecords:
- '"v=spf1 ip4:192.168.0.1/16 -all"'

Adding RecordSet using HostedZoneName
This example adds an Amazon Route 53 resource record set containing A records for the domain name
"mysite.example.com" using the HostedZoneName property to specify the hosted zone.

JSON
"myDNSRecord2" : {

API Version 2010-05-15
422

AWS CloudFormation User Guide
Route 53

}

"Type" : "AWS::Route53::RecordSet",
"Properties" : {
"HostedZoneName" : "example.com.",
"Name" : "mysite.example.com.",
"Type" : "A",
"TTL" : "900",
"ResourceRecords" : [
"192.168.0.1",
"192.168.0.2"
]
}

YAML
myDNSRecord2:
Type: AWS::Route53::RecordSet
Properties:
HostedZoneName: example.com.
Name: mysite.example.com.
Type: A
TTL: '900'
ResourceRecords:
- 192.168.0.1
- 192.168.0.2

Using RecordSetGroup to Set Up Weighted Resource Record
Sets
This example uses an AWS::Route53::RecordSetGroup (p. 1401) to set up two CNAME records for
the "example.com." hosted zone. The RecordSets property contains the CNAME record sets for the
"mysite.example.com" DNS name. Each record set contains an identiﬁer (SetIdentiﬁer) and weight
(Weight). The weighting for Frontend One is 40% (4 of 10) and Frontend Two is 60% (6 of 10). For more
information about weighted resource record sets, see Setting Up Weighted Resource Record Sets in
Route 53 Developer Guide.

JSON
"myDNSOne" : {
"Type" : "AWS::Route53::RecordSetGroup",
"Properties" : {
"HostedZoneName" : "example.com.",
"Comment" : "Weighted RR for my frontends.",
"RecordSets" : [
{
"Name" : "mysite.example.com.",
"Type" : "CNAME",
"TTL" : "900",
"SetIdentifier" : "Frontend One",
"Weight" : "4",
"ResourceRecords" : ["example-ec2.amazonaws.com"]
},
{
"Name" : "mysite.example.com.",
"Type" : "CNAME",
"TTL" : "900",
"SetIdentifier" : "Frontend Two",
"Weight" : "6",
"ResourceRecords" : ["example-ec2-larger.amazonaws.com"]
}

API Version 2010-05-15
423

AWS CloudFormation User Guide
Route 53

}

}

]

YAML
myDNSOne:
Type: AWS::Route53::RecordSetGroup
Properties:
HostedZoneName: example.com.
Comment: Weighted RR for my frontends.
RecordSets:
- Name: mysite.example.com.
Type: CNAME
TTL: '900'
SetIdentifier: Frontend One
Weight: '4'
ResourceRecords:
- example-ec2.amazonaws.com
- Name: mysite.example.com.
Type: CNAME
TTL: '900'
SetIdentifier: Frontend Two
Weight: '6'
ResourceRecords:
- example-ec2-larger.amazonaws.com

Using RecordSetGroup to Set Up an Alias Resource Record Set
This example uses an AWS::Route53::RecordSetGroup (p. 1401) to set up an alias resource record
set for the "example.com." hosted zone. The RecordSets property contains the A record for the
zone apex "example.com." The AliasTarget (p. 2112) property speciﬁes the hosted zone ID and DNS
name for the myELB LoadBalancer by using the GetAtt (p. 2285) intrinsic function to retrieve the
CanonicalHostedZoneNameID and DNSName properties of myELB resource. For more information about
alias resource record sets, see Creating Alias Resource Record Sets in the Route 53 Developer Guide.

JSON
"myELB" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"AvailabilityZones" : [ "us-east-1a" ],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP"
} ]
}
},
"myDNS" : {
"Type" : "AWS::Route53::RecordSetGroup",
"Properties" : {
"HostedZoneName" : "example.com.",
"Comment" : "Zone apex alias targeted to myELB LoadBalancer.",
"RecordSets" : [
{
"Name" : "example.com.",
"Type" : "A",
"AliasTarget" : {
"HostedZoneId" : { "Fn::GetAtt" : ["myELB",
"CanonicalHostedZoneNameID"] },

API Version 2010-05-15
424

AWS CloudFormation User Guide
Route 53

}

}

]

}

}

"DNSName" : { "Fn::GetAtt" : ["myELB","DNSName"] }

YAML
myELB:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-1a"
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
myDNS:
Type: AWS::Route53::RecordSetGroup
Properties:
HostedZoneName: example.com.
Comment: Zone apex alias targeted to myELB LoadBalancer.
RecordSets:
- Name: example.com.
Type: A
AliasTarget:
HostedZoneId: !GetAtt myELB.CanonicalHostedZoneNameID
DNSName: !GetAtt myELB.DNSName

Alias Resource Record Set for a CloudFront Distribution
The following example creates an alias record set that routes queries to the speciﬁed CloudFront
distribution domain name.

Note

When you create alias resource record sets, you must specify Z2FDTNDATAQYW2 for the
HostedZoneId property, as shown in the following example. Alias resource record sets for
CloudFront can't be created in a private zone.

JSON
"myDNS" : {
"Type" : "AWS::Route53::RecordSetGroup",
"Properties" : {
"HostedZoneId" : { "Ref" : "myHostedZoneID" },
"RecordSets" : [{
"Name" : { "Ref" : "myRecordSetDomainName" },
"Type" : "A",
"AliasTarget" : {
"HostedZoneId" : "Z2FDTNDATAQYW2",
"DNSName" : { "Ref" : "myCloudFrontDistributionDomainName" }
}
}]
}
}

YAML
myDNS:

API Version 2010-05-15
425

AWS CloudFormation User Guide
Amazon S3
Type: AWS::Route53::RecordSetGroup
Properties:
HostedZoneId:
Ref: myHostedZoneID
RecordSets:
- Name:
Ref: myRecordSetDomainName
Type: A
AliasTarget:
HostedZoneId: Z2FDTNDATAQYW2
DNSName:
Ref: myCloudFrontDistributionDomainName

Amazon S3 Template Snippets
Topics
• Creating an Amazon S3 Bucket with Defaults (p. 426)
• Creating an Amazon S3 Bucket for Website Hosting and with a DeletionPolicy (p. 426)
• Creating a Static Website Using a Custom Domain (p. 428)

Creating an Amazon S3 Bucket with Defaults
This example uses a AWS::S3::Bucket (p. 1403) to create a bucket with default settings.

JSON
"myS3Bucket" : {
"Type" : "AWS::S3::Bucket"
}

YAML
MyS3Bucket:
Type: AWS::S3::Bucket

Creating an Amazon S3 Bucket for Website Hosting and with a
DeletionPolicy
This example creates a bucket as a website. The AccessControl property is set to the canned ACL
PublicRead (public read permissions are required for buckets set up for website hosting). Because this
bucket resource has a DeletionPolicy attribute (p. 2248) set to Retain, AWS CloudFormation will not
delete this bucket when it deletes the stack. The Output section uses Fn::GetAtt to retrieve the
WebsiteURL attribute and DomainName attribute of the S3Bucket resource.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"IndexDocument": "index.html",

API Version 2010-05-15
426

AWS CloudFormation User Guide
Amazon S3

}

"ErrorDocument": "error.html"

},
"DeletionPolicy": "Retain"

},
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"PolicyDocument": {
"Id": "MyPolicy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadForGetBucketObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "S3Bucket"
},
"/*"
]
]
}
}
]
},
"Bucket": {
"Ref": "S3Bucket"
}
}
}

},
"Outputs": {
"WebsiteURL": {
"Value": {
"Fn::GetAtt": [
"S3Bucket",
"WebsiteURL"
]
},
"Description": "URL for website hosted on S3"
},
"S3BucketSecureURL": {
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Fn::GetAtt": [
"S3Bucket",
"DomainName"
]
}
]
]
},
"Description": "Name of S3 bucket to hold website content"
}
}

API Version 2010-05-15
427

AWS CloudFormation User Guide
Amazon S3
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
- Sid: PublicReadForGetBucketObjects
Effect: Allow
Principal: '*'
Action: 's3:GetObject'
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3Bucket
- /*
Bucket: !Ref S3Bucket
Outputs:
WebsiteURL:
Value: !GetAtt
- S3Bucket
- WebsiteURL
Description: URL for website hosted on S3
S3BucketSecureURL:
Value: !Join
- ''
- - 'https://'
- !GetAtt
- S3Bucket
- DomainName
Description: Name of S3 bucket to hold website content

Creating a Static Website Using a Custom Domain
You can use Route 53 with a registered domain. The following sample assumes that you have already
created a hosted zone in Route 53 for your domain. The example creates two buckets for website
hosting. The root bucket hosts the content, and the other bucket redirects www.domainname.com
requests to the root bucket. The record sets map your domain name to Amazon S3 endpoints. Note that
you will also need to add a bucket policy, as shown in the examples above.
For more information about using a custom domain, see Setting Up a Static Website Using a Custom
Domain in the Amazon Simple Storage Service Developer Guide.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",

API Version 2010-05-15
428

AWS CloudFormation User Guide
Amazon S3
"Mappings" : {
"RegionMap" : {
"us-east-1" : { "S3hostedzoneID" : "Z3AQBSTGFYJSTF", "websiteendpoint" : "s3website-us-east-1.amazonaws.com" },
"us-west-1" : { "S3hostedzoneID" : "Z2F56UZL2M1ACD", "websiteendpoint" : "s3website-us-west-1.amazonaws.com" },
"us-west-2" : { "S3hostedzoneID" : "Z3BJ6K6RIION7M", "websiteendpoint" : "s3website-us-west-2.amazonaws.com" },
"eu-west-1" : { "S3hostedzoneID" : "Z1BKCTXD74EZPE", "websiteendpoint" : "s3website-eu-west-1.amazonaws.com" },
"ap-southeast-1" : { "S3hostedzoneID" : "Z3O0J2DXBE1FTB", "websiteendpoint" :
"s3-website-ap-southeast-1.amazonaws.com" },
"ap-southeast-2" : { "S3hostedzoneID" : "Z1WCIGYICN2BYD", "websiteendpoint" :
"s3-website-ap-southeast-2.amazonaws.com" },
"ap-northeast-1" : { "S3hostedzoneID" : "Z2M4EHUR26P7ZW", "websiteendpoint" :
"s3-website-ap-northeast-1.amazonaws.com" },
"sa-east-1" : { "S3hostedzoneID" : "Z31GFT0UA1I2HV", "websiteendpoint" : "s3website-sa-east-1.amazonaws.com" }
}
},
"Parameters": {
"RootDomainName": {
"Description": "Domain name for your website (example.com)",
"Type": "String"
}
},
"Resources": {
"RootBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName" : {"Ref":"RootDomainName"},
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"IndexDocument":"index.html",
"ErrorDocument":"404.html"
}
}
},
"WWWBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": {
"Fn::Join": ["", ["www.", {"Ref":"RootDomainName"}]]
},
"AccessControl": "BucketOwnerFullControl",
"WebsiteConfiguration": {
"RedirectAllRequestsTo": {
"HostName": {"Ref": "RootBucket"}
}
}
}
},
"myDNS": {
"Type": "AWS::Route53::RecordSetGroup",
"Properties": {
"HostedZoneName": {
"Fn::Join": ["", [{"Ref": "RootDomainName"}, "."]]
},
"Comment": "Zone apex alias.",
"RecordSets": [
{
"Name": {"Ref": "RootDomainName"},
"Type": "A",
"AliasTarget": {
"HostedZoneId": {"Fn::FindInMap" : [ "RegionMap", { "Ref" :
"AWS::Region" }, "S3hostedzoneID"]},

API Version 2010-05-15
429

AWS CloudFormation User Guide
Amazon S3
"DNSName": {"Fn::FindInMap" : [ "RegionMap", { "Ref" :
"AWS::Region" }, "websiteendpoint"]}
}
},
{
"Name": {
"Fn::Join": ["", ["www.", {"Ref":"RootDomainName"}]]
},
"Type": "CNAME",
"TTL" : "900",
"ResourceRecords" : [
{"Fn::GetAtt":["WWWBucket", "DomainName"]}
]
}
]
}
}
},
"Outputs": {
"WebsiteURL": {
"Value": {"Fn::GetAtt": ["RootBucket", "WebsiteURL"]},
"Description": "URL for website hosted on S3"
}
}

}

YAML
Parameters:
RootDomainName:
Description: Domain name for your website (example.com)
Type: String
Mappings:
RegionMap:
us-east-1:
S3hostedzoneID: Z3AQBSTGFYJSTF
websiteendpoint: s3-website-us-east-1.amazonaws.com
us-west-1:
S3hostedzoneID: Z2F56UZL2M1ACD
websiteendpoint: s3-website-us-west-1.amazonaws.com
us-west-2:
S3hostedzoneID: Z3BJ6K6RIION7M
websiteendpoint: s3-website-us-west-2.amazonaws.com
eu-west-1:
S3hostedzoneID: Z1BKCTXD74EZPE
websiteendpoint: s3-website-eu-west-1.amazonaws.com
ap-southeast-1:
S3hostedzoneID: Z3O0J2DXBE1FTB
websiteendpoint: s3-website-ap-southeast-1.amazonaws.com
ap-southeast-2:
S3hostedzoneID: Z1WCIGYICN2BYD
websiteendpoint: s3-website-ap-southeast-2.amazonaws.com
ap-northeast-1:
S3hostedzoneID: Z2M4EHUR26P7ZW
websiteendpoint: s3-website-ap-northeast-1.amazonaws.com
sa-east-1:
S3hostedzoneID: Z31GFT0UA1I2HV
websiteendpoint: s3-website-sa-east-1.amazonaws.com
Resources:
RootBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref RootDomainName
AccessControl: PublicRead

API Version 2010-05-15
430

AWS CloudFormation User Guide
Amazon SNS
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: 404.html
WWWBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub
- www.${Domain}
- Domain: !Ref RootDomainName
AccessControl: BucketOwnerFullControl
WebsiteConfiguration:
RedirectAllRequestsTo:
HostName: !Ref RootBucket
myDNS:
Type: AWS::Route53::RecordSetGroup
Properties:
HostedZoneName: !Sub
- ${Domain}.
- Domain: !Ref RootDomainName
Comment: Zone apex alias.
RecordSets:
Name: !Ref RootDomainName
Type: A
AliasTarget:
HostedZoneId: !FindInMap [ RegionMap, !Ref 'AWS::Region', S3hostedzoneID]
DNSName: !FindInMap [ RegionMap, !Ref 'AWS::Region', websiteendpoint]
Name: !Sub
- www.${Domain}
- Domain: !Ref RootDomainName
Type: CNAME
TTL: 900
ResourceRecords:
- !GetAtt WWWBucket.DomainName
Outputs:
WebsiteURL:
Value: !GetAtt RootBucket.WebsiteURL
Description: URL for website hosted on S3

Amazon SNS Template Snippets
This example shows an Amazon SNS topic resource. It requires a valid email address.

JSON
"MySNSTopic" : {
"Type" : "AWS::SNS::Topic",
"Properties" : {
"Subscription" : [ {
"Endpoint" : "add valid email address",
"Protocol" : "email"
} ]
}
}

YAML
MySNSTopic:
Type: AWS::SNS::Topic

API Version 2010-05-15
431

AWS CloudFormation User Guide
Amazon SQS
Properties:
Subscription:
- Endpoint: "add valid email address"
Protocol: email

Amazon SQS Template Snippets
This example shows an Amazon SQS queue.

JSON
"MyQueue" : {
"Type" : "AWS::SQS::Queue",
"Properties" : {
"VisibilityTimeout" : "value"
}
}

YAML
MyQueue:
Type: AWS::SQS::Queue
Properties:
VisibilityTimeout: value

Custom Resources
Custom resources enable you to write custom provisioning logic in templates that AWS CloudFormation
runs anytime you create, update (if you changed the custom resource), or delete stacks. For example, you
might want to include resources that aren't available as AWS CloudFormation resource types (p. 499).
You can include those resources by using custom resources. That way you can still manage all your
related resources in a single stack.
Use the AWS::CloudFormation::CustomResource (p. 674) or Custom::String (p. 674) resource
type to deﬁne custom resources in your templates. Custom resources require one property: the service
token, which speciﬁes where AWS CloudFormation sends requests to, such as an Amazon SNS topic.

Note

If you use the VPC endpoint feature, custom resources in the VPC must have access to AWS
CloudFormation-speciﬁc S3 buckets. Custom resources must send responses to a pre-signed
Amazon S3 URL. If they can't send responses to Amazon S3, AWS CloudFormation won't receive
a response and the stack operation fails. For more information, see AWS CloudFormation and
VPC Endpoints (p. 24).

How Custom Resources Work
Any action taken for a custom resource involves three parties.
template developer
Creates a template that includes a custom resource type. The template developer speciﬁes the
service token and any input data in the template.
API Version 2010-05-15
432

AWS CloudFormation User Guide
How Custom Resources Work

custom resource provider
Owns the custom resource and determines how to handle and respond to requests from AWS
CloudFormation. The custom resource provider must provide a service token that the template
developer uses.
AWS CloudFormation
During a stack operation, sends a request to a service token that is speciﬁed in the template, and
then waits for a response before proceeding with the stack operation.
The template developer and custom resource provider can be the same person or entity, but the process
is the same. The following steps describe the general process:
1. The template developer deﬁnes a custom resource in his or her template, which includes a service
token and any input data parameters. Depending on the custom resource, the input data might be
required; however, the service token is always required.
The service token speciﬁes where AWS CloudFormation sends requests to, such as to an
Amazon SNS topic ARN or to an AWS Lambda function ARN. For more information, see
AWS::CloudFormation::CustomResource (p. 674). The service token and the structure of the input
data is deﬁned by the custom resource provider.
2. Whenever anyone uses the template to create, update, or delete a custom resource, AWS
CloudFormation sends a request to the speciﬁed service token. The service token must be in the same
region in which you are creating the stack.
In the request, AWS CloudFormation includes information such as the request type and a pre-signed
Amazon Simple Storage Service URL, where the custom resource sends responses to. For more
information about what's included in the request, see Custom Resource Request Objects (p. 446).
The following sample data shows what AWS CloudFormation includes in a request:
{

}

"RequestType" : "Create",
"ResponseURL" : "http://pre-signed-S3-url-for-response",
"StackId" : "arn:aws:cloudformation:us-west-2:EXAMPLE/stack-name/guid",
"RequestId" : "unique id for this create request",
"ResourceType" : "Custom::TestResource",
"LogicalResourceId" : "MyTestResource",
"ResourceProperties" : {
"Name" : "Value",
"List" : [ "1", "2", "3" ]
}

Note

In this example, ResourceProperties allows AWS CloudFormation to create a custom
payload to send to the Lambda function.
3. The custom resource provider processes the AWS CloudFormation request and returns a response of
SUCCESS or FAILED to the pre-signed URL. The custom resource provider provides the response in a
JSON-formatted ﬁle and uploads it to the pre-signed S3 URL. For more information, see Uploading
Objects Using Pre-Signed URLs in the Amazon Simple Storage Service Developer Guide.
In the response, the custom resource provider can also include name-value pairs that the template
developer can access. For example, the response can include output data if the request succeeded or
an error message if the request failed. For more information about responses, see Custom Resource
Response Objects (p. 448).
API Version 2010-05-15
433

AWS CloudFormation User Guide
Amazon Simple Notiﬁcation
Service-backed Custom Resources

Important

If the name-value pairs contain sensitive information, you should use the NoEcho ﬁeld to
mask the output of the custom resource. Otherwise, the values are visible through APIs that
surface property values (such as DescribeStackEvents).
The custom resource provider is responsible for listening and responding to the request. For example,
for Amazon SNS notiﬁcations, the custom resource provider must listen and respond to notiﬁcations
that are sent to a speciﬁc topic ARN. AWS CloudFormation waits and listens for a response in the presigned URL location.
The following sample data shows what a custom resource might include in a response:
{

}

"Status" : "SUCCESS",
"PhysicalResourceId" : "TestResource1",
"StackId" : "arn:aws:cloudformation:us-west-2:EXAMPLE:stack/stack-name/guid",
"RequestId" : "unique id for this create request",
"LogicalResourceId" : "MyTestResource",
"Data" : {
"OutputName1" : "Value1",
"OutputName2" : "Value2",
}

4. After getting a SUCCESS response, AWS CloudFormation proceeds with the stack operation. If a
FAILED or no response is returned, the operation fails. Any output data from the custom resource
is stored in the pre-signed URL location. The template developer can retrieve that data by using the
Fn::GetAtt (p. 2285) function.

Amazon Simple Notiﬁcation Service-backed Custom
Resources
When you associate an Amazon SNS topic with a custom resource, you use Amazon SNS notiﬁcations
to trigger custom provisioning logic. With custom resources and Amazon SNS, you can enable scenarios
such as adding new resources to a stack and injecting dynamic data into a stack. For example, when
you create a stack, AWS CloudFormation can send a create request to a topic that's monitored by an
application that's running on an Amazon Elastic Compute Cloud instance. The Amazon SNS notiﬁcation
triggers the application to carry out additional provisioning tasks, such as retrieve a pool of white-listed
Elastic IPs. After it's done, the application sends a response (and any output data) that notiﬁes AWS
CloudFormation to proceed with the stack operation.

Walkthrough: Using Amazon Simple Notiﬁcation Service to
Create Custom Resources
This walkthrough will step through the custom resource process, explaining the sequence of events and
messages sent and received as a result of custom resource stack creation, updates, and deletion.

Step 1: Stack Creation
1. The template developer creates an AWS CloudFormation stack that contains a custom resource; in the
template example below, we use the custom resource type name Custom::SeleniumTester for the
custom resource MySeleniumTest.
The custom resource type is declared with a service token, optional provider-speciﬁc properties, and
optional Fn::GetAtt (p. 2285) attributes that are deﬁned by the custom resource provider. These
API Version 2010-05-15
434

AWS CloudFormation User Guide
Amazon Simple Notiﬁcation
Service-backed Custom Resources

properties and attributes can be used to pass information from the template developer to the custom
resource provider and vice-versa. Custom resource type names must be alphanumeric and can have a
maximum length of 60 characters.
The following example shows a template that has both custom properties and return attributes:
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"MySeleniumTest" : {
"Type": "Custom::SeleniumTester",
"Version" : "1.0",
"Properties" : {
"ServiceToken": "arn:aws:sns:us-west-2:123456789012:CRTest",
"seleniumTester" : "SeleniumTest()",
"endpoints" : [ "http://mysite.com", "http://myecommercesite.com/", "http://
search.mysite.com" ],
"frequencyOfTestsPerHour" : [ "3", "2", "4" ]
}
}
},
"Outputs" : {
"topItem" : {
"Value" : { "Fn::GetAtt" : ["MySeleniumTest", "resultsPage"] }
},
"numRespondents" : {
"Value" : { "Fn::GetAtt" : ["MySeleniumTest", "lastUpdate"] }
}
}
}

Note

The names and values of the data accessed with Fn::GetAtt are returned by the custom
resource provider during the provider's response to AWS CloudFormation. If the custom
resource provider is a third-party, then the template developer must obtain the names of
these return values from the custom resource provider.
2. AWS CloudFormation sends an Amazon SNS notiﬁcation to the resource provider with a
"RequestType" : "Create" that contains information about the stack, the custom resource
properties from the stack template, and an S3 URL for the response.
The SNS topic that is used to send the notiﬁcation is embedded in the template in the ServiceToken
property. To avoid using a hard-coded value, a template developer can use a template parameter so
that the value is entered at the time the stack is launched.
The following example shows a custom resource Create request which includes a custom
resource type name, Custom::SeleniumTester, created with a LogicalResourceId of
MySeleniumTester:
{

"RequestType" : "Create",
"ResponseURL" : "http://pre-signed-S3-url-for-response",
"StackId" : "arn:aws:cloudformation:us-west-2:123456789012:stack/stack-name/guid",
"RequestId" : "unique id for this create request",
"ResourceType" : "Custom::SeleniumTester",
"LogicalResourceId" : "MySeleniumTester",
"ResourceProperties" : {
"seleniumTester" : "SeleniumTest()",
"endpoints" : [ "http://mysite.com", "http://myecommercesite.com/", "http://
search.mysite.com" ],
"frequencyOfTestsPerHour" : [ "3", "2", "4" ]
}

API Version 2010-05-15
435

AWS CloudFormation User Guide
Amazon Simple Notiﬁcation
Service-backed Custom Resources
}

3. The custom resource provider processes the data sent by the template developer and determines
whether the Create request was successful. The resource provider then uses the S3 URL sent by AWS
CloudFormation to send a response of either SUCCESS or FAILED.
Depending on the response type, diﬀerent response ﬁelds will be expected by AWS CloudFormation.
Refer to the Responses section in the reference topic for the RequestType that is being processed.
In response to a create or update request, the custom resource provider can return data elements
in the Data (p. 449) ﬁeld of the response. These are name/value pairs, and the names correspond
to the Fn::GetAtt attributes used with the custom resource in the stack template. The values are
the data that is returned when the template developer calls Fn::GetAtt on the resource with the
attribute name.
The following is an example of a custom resource response:

{

}

"Status" : "SUCCESS",
"PhysicalResourceId" : "Tester1",
"StackId" : "arn:aws:cloudformation:us-west-2:123456789012:stack/stack-name/guid",
"RequestId" : "unique id for this create request",
"LogicalResourceId" : "MySeleniumTester",
"Data" : {
"resultsPage" : "http://www.myexampledomain/test-results/guid",
"lastUpdate" : "2012-11-14T03:30Z",
}

The StackId, RequestId, and LogicalResourceId ﬁelds must be copied verbatim from the
request.
4. AWS CloudFormation declares the stack status as CREATE_COMPLETE or CREATE_FAILED. If the stack
was successfully created, the template developer can use the output values of the created custom
resource by accessing them with Fn::GetAtt (p. 2285).
For example, the custom resource template used for illustration used Fn::GetAtt to copy resource
outputs into the stack outputs:

"Outputs" : {
"topItem" : {
"Value" : { "Fn::GetAtt" : ["MySeleniumTest", "resultsPage"] }
},
"numRespondents" : {
"Value" : { "Fn::GetAtt" : ["MySeleniumTest", "lastUpdate"] }
}
}

For detailed information about the request and response objects involved in Create requests, see
Create (p. 450) in the Custom Resource Reference (p. 446).

Step 2: Stack Updates
To update an existing stack, you must submit a template that speciﬁes updates for the properties of
resources in the stack, as shown in the example below. AWS CloudFormation updates only the resources
that have changes speciﬁed in the template. For more information about updating stacks, see AWS
CloudFormation Stacks Updates (p. 118).
API Version 2010-05-15
436

AWS CloudFormation User Guide
Amazon Simple Notiﬁcation
Service-backed Custom Resources

You can update custom resources that require a replacement of the underlying physical resource. When
you update a custom resource in an AWS CloudFormation template, AWS CloudFormation sends an
update request to that custom resource. If a custom resource requires a replacement, the new custom
resource must send a response with the new physical ID. When AWS CloudFormation receives the
response, it compares the PhysicalResourceId between the old and new custom resources. If they
are diﬀerent, AWS CloudFormation recognizes the update as a replacement and sends a delete request to
the old resource, as shown in Step 3: Stack Deletion (p. 438).

Note

If you didn't make changes to the custom resource, AWS CloudFormation won't send requests to
it during a stack update.
1. The template developer initiates an update to the stack that contains a custom resource. During an
update, the template developer can specify new Properties in the stack template.
The following is an example of an Update to the stack template using a custom resource type:

{

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"MySeleniumTest" : {
"Type": "Custom::SeleniumTester",
"Version" : "1.0",
"Properties" : {
"ServiceToken": "arn:aws:sns:us-west-2:123456789012:CRTest",
"seleniumTester" : "SeleniumTest()",
"endpoints" : [ "http://mysite.com", "http://myecommercesite.com/", "http://
search.mysite.com",
"http://mynewsite.com" ],
"frequencyOfTestsPerHour" : [ "3", "2", "4", "3" ]
}
}
},
"Outputs" : {
"topItem" : {
"Value" : { "Fn::GetAtt" : ["MySeleniumTest", "resultsPage"] }
},
"numRespondents" : {
"Value" : { "Fn::GetAtt" : ["MySeleniumTest", "lastUpdate"] }
}
}
}

2. AWS CloudFormation sends an Amazon SNS notiﬁcation to the resource provider with a
"RequestType" : "Update" that contains similar information to the Create call, except that
the OldResourceProperties ﬁeld contains the old resource properties, and ResourceProperties
contains the updated (if any) resource properties.
The following is an example of an Update request:

{

"RequestType" : "Update",
"ResponseURL" : "http://pre-signed-S3-url-for-response",
"StackId" : "arn:aws:cloudformation:us-west-2:123456789012:stack/stack-name/guid",
"RequestId" : "uniqueid for this update request",
"LogicalResourceId" : "MySeleniumTester",
"ResourceType" : "Custom::SeleniumTester"
"PhysicalResourceId" : "Tester1",
"ResourceProperties" : {
"seleniumTester" : "SeleniumTest()",

API Version 2010-05-15
437

AWS CloudFormation User Guide
Amazon Simple Notiﬁcation
Service-backed Custom Resources
"endpoints" : [ "http://mysite.com", "http://myecommercesite.com/", "http://
search.mysite.com",
"http://mynewsite.com" ],
"frequencyOfTestsPerHour" : [ "3", "2", "4", "3" ]
}
"OldResourceProperties" : {
"seleniumTester" : "SeleniumTest()",
"endpoints" : [ "http://mysite.com", "http://myecommercesite.com/", "http://
search.mysite.com" ],
"frequencyOfTestsPerHour" : [ "3", "2", "4" ]
}
}

3. The custom resource provider processes the data sent by AWS CloudFormation. The custom resource
performs the update and sends a response of either SUCCESS or FAILED to the S3 URL. AWS
CloudFormation then compares the PhysicalResourceIDs of old and new custom resources. If they
are diﬀerent, AWS CloudFormation recognizes that the update requires a replacement and sends a
delete request to the old resource. The following example demonstrates the custom resource provider
response to an Update request.
{

}

"Status" : "SUCCESS",
"StackId" : "arn:aws:cloudformation:us-west-2:123456789012:stack/stack-name/guid",
"RequestId" : "uniqueid for this update request",
"LogicalResourceId" : "MySeleniumTester",
"PhysicalResourceId" : "Tester2"

The StackId, RequestId, and LogicalResourceId ﬁelds must be copied verbatim from the
request.
4. AWS CloudFormation declares the stack status as UPDATE_COMPLETE or UPDATE_FAILED. If the
update fails, the stack rolls back. If the stack was successfully updated, the template developer can
access any new output values of the created custom resource with Fn::GetAtt.
For detailed information about the request and response objects involved in Update requests, see
Update (p. 455) in the Custom Resource Reference (p. 446).

Step 3: Stack Deletion
1. The template developer deletes a stack that contains a custom resource. AWS CloudFormation gets
the current properties speciﬁed in the stack template along with the SNS topic, and prepares to make
a request to the custom resource provider.
2. AWS CloudFormation sends an Amazon SNS notiﬁcation to the resource provider with a
"RequestType" : "Delete" that contains current information about the stack, the custom
resource properties from the stack template, and an S3 URL for the response.
Whenever you delete a stack or make an update that removes or replaces the custom resource, AWS
CloudFormation compares the PhysicalResourceId between the old and new custom resources. If
they are diﬀerent, AWS CloudFormation recognizes the update as a replacement and sends a delete
request for the old resource (OldPhysicalResource), as shown in the following example of a
Delete request.
{

"RequestType" : "Delete",
"ResponseURL" : "http://pre-signed-S3-url-for-response",
"StackId" : "arn:aws:cloudformation:us-west-2:123456789012:stack/stack-name/guid",
"RequestId" : "unique id for this delete request",

API Version 2010-05-15
438

AWS CloudFormation User Guide
AWS Lambda-backed Custom Resources
"ResourceType" : "Custom::SeleniumTester",
"LogicalResourceId" : "MySeleniumTester",
"PhysicalResourceId" : "Tester1",
"ResourceProperties" : {
"seleniumTester" : "SeleniumTest()",
"endpoints" : [ "http://mysite.com", "http://myecommercesite.com/", "http://
search.mysite.com",
"http://mynewsite.com" ],
"frequencyOfTestsPerHour" : [ "3", "2", "4", "3" ]
}
}

DescribeStackResource, DescribeStackResources, and ListStackResources display the
user-deﬁned name if it has been speciﬁed.
3. The custom resource provider processes the data sent by AWS CloudFormation and determines
whether the Delete request was successful. The resource provider then uses the S3 URL sent by AWS
CloudFormation to send a response of either SUCCESS or FAILED. To successfully delete a stack with
a custom resource, the custom resource provider must respond successfully to a delete request.
The following is an example of a custom resource provider response to a Delete request:
{

}

"Status" : "SUCCESS",
"StackId" : "arn:aws:cloudformation:us-west-2:123456789012:stack/stack-name/guid",
"RequestId" : "unique id for this delete request",
"LogicalResourceId" : "MySeleniumTester",
"PhysicalResourceId" : "Tester1"

The StackId, RequestId, and LogicalResourceId ﬁelds must be copied verbatim from the
request.
4. AWS CloudFormation declares the stack status as DELETE_COMPLETE or DELETE_FAILED.
For detailed information about the request and response objects involved in Delete requests, see
Delete (p. 453) in the Custom Resource Reference (p. 446).

See Also
• AWS CloudFormation Custom Resource Reference (p. 446)
• AWS::CloudFormation::CustomResource (p. 674)
• Fn::GetAtt (p. 2285)

AWS Lambda-backed Custom Resources
When you associate a Lambda function with a custom resource, the function is invoked whenever the
custom resource is created, updated, or deleted. AWS CloudFormation calls a Lambda API to invoke
the function and to pass all the request data (such as the request type and resource properties) to the
function. The power and customizability of Lambda functions in combination with AWS CloudFormation
enable a wide range of scenarios, such as dynamically looking up AMI IDs during stack creation, or
implementing and using utility functions, such as string reversal functions.
Topics
• Walkthrough: Looking Up Amazon Machine Image IDs (p. 440)
API Version 2010-05-15
439

AWS CloudFormation User Guide
AWS Lambda-backed Custom Resources

Walkthrough: Looking Up Amazon Machine Image IDs
AWS CloudFormation templates that declare an Amazon Elastic Compute Cloud (Amazon EC2) instance
must also specify an Amazon Machine Image (AMI) ID, which includes an operating system and other
software and conﬁguration information used to launch the instance. The correct AMI ID depends on the
instance type and region in which you're launching your stack. And IDs can change regularly, such as
when an AMI is updated with software updates.
Normally, you might map AMI IDs to speciﬁc instance types and regions. To update the IDs, you manually
change them in each of your templates. By using custom resources and AWS Lambda (Lambda), you can
create a function that gets the IDs of the latest AMIs for the region and instance type that you're using so
that you don't have to maintain mappings.
This walkthrough shows you how to create a custom resource and associate a Lambda function with it to
look up AMI IDs. Note that the walkthrough assumes that you understand how to use custom resources
and Lambda. For more information, see Custom Resources (p. 432) or the AWS Lambda Developer
Guide.
Walkthrough Overview
For this walkthrough, you'll create a stack with a custom resource, a Lambda function, and an EC2
instance. The walkthough provides sample code and a sample template that you'll use to create the
stack.
The sample template uses the custom resource type to invoke and send input values to the Lambda
function. When you use the template, AWS CloudFormation invokes the function and sends information
to it, such as the request type, input data, and a pre-signed Amazon Simple Storage Service (Amazon S3)
URL. The function uses that information to look up the AMI ID, and then sends a response to the presigned URL.
After AWS CloudFormation gets a response in the pre-signed URL location, it proceeds with creating the
stack. When AWS CloudFormation creates the instance, it uses the Lambda function's response to specify
the instance's AMI ID.
The following list summarizes the process. You need AWS Identity and Access Management
(IAM) permissions to use all the corresponding services, such as Lambda, Amazon EC2, and AWS
CloudFormation.

Note

AWS CloudFormation is a free service; however, you are charged for the AWS resources, such as
the Lambda function and EC2 instance, that you include in your stacks at the current rate for
each. For more information about AWS pricing, see the detail page for each product at http://
aws.amazon.com.
1. Save the sample Lambda package in an Amazon Simple Storage Service (Amazon S3)
bucket. (p. 441)
The sample package contains everything that's required to create the Lambda function. You must save
the package in a bucket that's in the same region in which you will create your stack.
2. Use the sample template to create a stack. (p. 441)
The stack demonstrates how you associate the Lambda function with a custom resource and how to
use the results from the function to specify an AMI ID. The stack also creates an IAM role (execution
role), which Lambda uses to make calls to Amazon EC2.
3. Delete the stack. (p. 446)
Delete the stack to clean up all the stack resources that you created so that you aren't charged for
unnecessary resources.
API Version 2010-05-15
440

AWS CloudFormation User Guide
AWS Lambda-backed Custom Resources

Step 1: Downloading and Saving the Sample Package in Amazon S3
When you create a stack with a Lambda function, you must specify the location of the Amazon S3 bucket
that contains the function's source code. The bucket must be in the same region in which you create your
stack.
This walkthrough provides a sample package (a .zip ﬁle) that's required to create the Lambda function.
A Lambda package contains the source code for the function and required libraries. For this walkthrough,
the function doesn't require additional libraries.
The function takes an instance's architecture and region as inputs from an AWS CloudFormation custom
resource request and returns the latest AMI ID to a pre-signed Amazon S3 URL.

To download and save the package in Amazon S3
1.

Download the sample package from Amazon S3. When you save the ﬁle, use the same ﬁle name as
the sample, amilookup.zip or amilookup-win.zip.
Look up Linux AMI IDs
https://s3.amazonaws.com/cloudformation-examples/lambda/amilookup.zip
Look up Windows AMI IDs
https://s3.amazonaws.com/cloudformation-examples/lambda/amilookup-win.zip

2.

Open the Amazon S3 console at https://console.aws.amazon.com/s3/home.

3.

Choose or create a bucket that's located in the same region in which you'll create your AWS
CloudFormation stack. Record the bucket name.
You'll save the sample package in this bucket. For more information about creating a bucket, see
Creating a Bucket in the Amazon Simple Storage Service Console User Guide.

4.

Upload the sample package to the bucket that you chose or created.
For more information about uploading objects, see Uploading Objects in the Amazon Simple Storage
Service Console User Guide.

With the package in Amazon S3, you can now specify its location in the Lambda resource declaration
of the AWS CloudFormation template. The next step demonstrates how you declare the function and
invoke it by using a custom resource. You'll also see how to use the results of the function to specify the
AMI ID of an EC2 instance.

Step 2: Creating the Stack
To create the sample Amazon EC2 stack, you'll use a sample template that includes a Lambda function,
an IAM execution role, a custom resource that invokes the function, and an EC2 instance that uses the
results from the function.
During stack creation, the custom resource invokes the Lambda function and waits until the function
sends a response to the pre-signed Amazon S3 URL. In the response, the function returns the ID of the
latest AMI that corresponds to the EC2 instance type and region in which you are creating the instance.
The data from the function's response is stored as an attribute of the custom resource, which is used to
specify the AMI ID of the EC2 instance.
The following snippets explain relevant parts of the sample template to help you understand how to
associate a Lambda function with a custom resource and how to use the function's response. To view the
entire sample template, see:
Linux template
https://s3.amazonaws.com/cloudformation-examples/lambda/LambdaAMILookupSample.template
API Version 2010-05-15
441

AWS CloudFormation User Guide
AWS Lambda-backed Custom Resources

Windows template
https://s3.amazonaws.com/cloudformation-examples/lambda/LambdaAMILookupSamplewin.template
Stack Template Snippets
To create the Lambda function, you declare the AWS::Lambda::Function resource, which requires the
function's source code, handler name, runtime environment, and execution role ARN.

Example JSON Syntax
"AMIInfoFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": { "Ref": "S3Bucket" },
"S3Key": { "Ref": "S3Key" }
},
"Handler": { "Fn::Join" : [ "", [{ "Ref": "ModuleName" },".handler"] ] },
"Runtime": "nodejs4.3",
"Timeout": "30",
"Role": { "Fn::GetAtt" : ["LambdaExecutionRole", "Arn"] }
}
}

Example YAML Syntax
AMIInfoFunction:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: !Ref S3Bucket
S3Key: !Ref S3Key
Handler: !Sub "${ModuleName}.handler"
Runtime: nodejs4.3
Timeout: 30
Role: !GetAtt LambdaExecutionRole.Arn

The Code property speciﬁes the Amazon S3 location (bucket name and ﬁle name) where you uploaded
the sample package. The sample template uses input parameters ("Ref": "S3Bucket" and "Ref":
"S3Key") to set the bucket and ﬁle names so that you are able to specify the names when you create
the stack. Similarly, the handler name, which corresponds to the name of the source ﬁle (the JavaScript
ﬁle) in the .zip package, also uses an input parameter ("Ref": "ModuleName"). Because the source
ﬁle is JavaScript code, the runtime is speciﬁed as nodejs4.3.
For this walkthrough, the execution time for the function exceeds the default value of 3 seconds, so
the timeout is set to 30 seconds. If you don't specify a suﬃciently long timeout, Lambda might cause a
timeout before the function can complete, causing stack creation to fail.
The execution role, which is declared elsewhere in the template, is speciﬁed by using the Fn::GetAtt
intrinsic function in the Role property. The execution role grants the Lambda function permission to
send logs to AWS and to call the EC2 DescribeImages API. The following snippet shows the role and
policy that grant the appropriate permission:

Example JSON Syntax
"LambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {

API Version 2010-05-15
442

AWS CloudFormation User Guide
AWS Lambda-backed Custom Resources

}

}

"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"Service": ["lambda.amazonaws.com"]},
"Action": ["sts:AssumeRole"]
}]
},
"Path": "/",
"Policies": [{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents"],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": ["ec2:DescribeImages"],
"Resource": "*"
}]
}
}]

Example YAML Syntax
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
Policies:
- PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: arn:aws:logs:*:*:*
- Effect: Allow
Action:
- ec2:DescribeImages
Resource: "*"

For both the Linux and Windows templates, the custom resource invokes the Lambda function that is
associated with it. To associate a function with a custom resource, you specify the Amazon Resource
Name (ARN) of the function for the ServiceToken property, using the Fn::GetAtt intrinsic function.
AWS CloudFormation sends the additional properties that are included in the custom resource
API Version 2010-05-15
443

AWS CloudFormation User Guide
AWS Lambda-backed Custom Resources

declaration, such as Region and Architecture, to the Lambda function as inputs. The Lambda
function determines the correct names and values for these input properties.

Example JSON Syntax
"AMIInfo": {
"Type": "Custom::AMIInfo",
"Properties": {
"ServiceToken": { "Fn::GetAtt" : ["AMIInfoFunction", "Arn"] },
"Region": { "Ref": "AWS::Region" },
"Architecture": { "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" :
"InstanceType" }, "Arch" ] }
}
}

Example YAML Syntax
AMIInfo:
Type: Custom::AMIInfo
Properties:
ServiceToken: !GetAtt AMIInfoFunction.Arn
Region: !Ref "AWS::Region"
Architecture:
Fn::FindInMap:
- AWSInstanceType2Arch
- !Ref InstanceType
- Arch

For Windows, the custom resource provides the Windows version to the Lambda function instead of the
instance's architecture.

Example JSON Syntax
"AMIInfo": {
"Type": "Custom::AMIInfo",
"Properties": {
"ServiceToken": { "Fn::GetAtt" : ["AMIInfoFunction", "Arn"] },
"Region": { "Ref": "AWS::Region" },
"OSName": { "Ref": "WindowsVersion" }
}
}

Example YAML Syntax
AMIInfo:
Type: Custom::AMIInfo
Properties:
ServiceToken: !GetAtt AMIInfoFunction.Arn
Region: !Ref "AWS::Region"
OSName: !Ref "WindowsVersion"

When AWS CloudFormation invokes the Lambda function, the function calls the EC2 DescribeImages
API, using the region and instance architecture or the OS name to ﬁlter the list of images. Then the
function sorts the list of images by date and returns the ID of the latest AMI.
When returning the ID of the latest AMI, the function sends the ID to a pre-signed URL in the Data
property of the response object (p. 448). The data is structured as a name-value pair, as shown in the
following example:
"Data": {

API Version 2010-05-15
444

AWS CloudFormation User Guide
AWS Lambda-backed Custom Resources

}

"Id": "ami-43795473"

The following snippet shows how to get the data from a Lambda function. It uses the Fn::GetAtt
intrinsic function, providing the name of the custom resource and the attribute name of the value that
you want to get. In this walkthrough, the custom resource name is AMIInfo and the attribute name is
Id.

Example JSON Syntax
"SampleInstance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType"
: { "Ref" : "InstanceType" },
"ImageId": { "Fn::GetAtt": [ "AMIInfo", "Id" ] }
}
}

Example YAML Syntax
SampleInstance:
Type: AWS::EC2::Instance
Properties:
InstanceType: !Ref InstanceType
ImageId: !GetAtt AMIInfo.Id

Now that you understand what the template does, use the sample template to create a stack.

To create the stack
1.

Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/.

2.

Choose Create Stack.

3.

In the Template section, choose Specify an Amazon S3 template URL, and then copy and paste the
following URL in the text box:
Linux template
https://s3.amazonaws.com/cloudformation-examples/lambda/
LambdaAMILookupSample.template
Windows template
https://s3.amazonaws.com/cloudformation-examples/lambda/
LambdaAMILookupSample-win.template

4.

Choose Next.

5.

In the Stack name ﬁeld, type SampleEC2Instance.

6.

In the Parameters section, specify the name of the Amazon S3 bucket that you created, and then
choose Next.
The default values for the other parameters are the same names that are used in the sample .zip
package.

7.

For this walkthrough, you don't need to add tags or specify advanced settings, so choose Next.

8.

Ensure that the stack name and template URL are correct, and then choose Create.

It might take several minutes for AWS CloudFormation to create your stack. To monitor progress, view
the stack events. For more information, see Viewing Stack Data and Resources (p. 99).
API Version 2010-05-15
445

AWS CloudFormation User Guide
Custom Resource Reference

If stack creation succeeds, all resources in the stack, such as the Lambda function, custom resource, and
EC2 instance, were created. You successfully used a Lambda function and custom resource to specify the
AMI ID of an EC2 instance. You don't need to create and maintain a mapping of AMI IDs in this template.
To see which AMI ID AWS CloudFormation used to create the EC2 instance, view the stack outputs.
If the Lambda function returns an error, view the function's logs in the Amazon CloudWatch Logs
console. The name of the log stream is the physical ID of the custom resource, which you can ﬁnd by
viewing the stack's resources. For more information, see Viewing Log Data in the Amazon CloudWatch
User Guide.

Step 3: Clean Up Resources
To make sure that you are not charged for unwanted services, delete your stack.

To delete the stack
1.

From the AWS CloudFormation console, choose the SampleEC2Instance stack.

2.

Choose Actions and then Delete Stack.

3.

In the conﬁrmation message, choose Yes, Delete.

All the resources that you created are deleted.
Now that you understand how to create and use Lambda functions with AWS CloudFormation, you can
use the sample template and code from this walkthrough to build other stacks and functions.

Related Information
• AWS CloudFormation Custom Resource Reference (p. 446)

Custom Resource Reference
This section provides detail about:
• The JSON request and response ﬁelds that are used in messages sent to and from AWS
CloudFormation when providing a custom resource.
• Expected ﬁelds for requests to, and responses to, the custom resource provider in response to stack
creation, stack updates, and stack deletion.

In This Section
• Custom Resource Request Objects (p. 446)
• Custom Resource Response Objects (p. 448)
• Custom Resource Request Types (p. 450)

Custom Resource Request Objects
Template Developer Request Properties
The template developer uses the AWS CloudFormation resource,
AWS::CloudFormation::CustomResource (p. 674), to specify a custom resource in a template.
API Version 2010-05-15
446

AWS CloudFormation User Guide
Custom Resource Reference

In AWS::CloudFormation::CustomResource, all properties are deﬁned by the custom resource
provider. There is only one required property: ServiceToken.
ServiceToken
The service token (an Amazon SNS topic or AWS Lambda function Amazon Resource Name) that is
obtained from the custom resource provider to access the service. The service token must be in the
same region in which you are creating the stack.
Required: Yes
Type: String
All other ﬁelds in the resource properties are optional and are sent, verbatim, to the custom resource
provider in the request's ResourceProperties ﬁeld. The provider deﬁnes both the names and the valid
contents of these ﬁelds.

Custom Resource Provider Request Fields
These ﬁelds are sent in JSON requests from AWS CloudFormation to the custom resource provider in the
SNS topic that the provider has conﬁgured for this purpose.
RequestType
The request type is set by the AWS CloudFormation stack operation (create-stack, update-stack, or
delete-stack) that was initiated by the template developer for the stack that contains the custom
resource.
Must be one of: Create, Update, or Delete. For more information, see Custom Resource Request
Types (p. 450).
Required: Yes
Type: String
ResponseURL
The response URL identiﬁes a presigned S3 bucket that receives responses from the custom resource
provider to AWS CloudFormation.
Required: Yes
Type: String
StackId
The Amazon Resource Name (ARN) that identiﬁes the stack that contains the custom resource.
Combining the StackId with the RequestId forms a value that you can use to uniquely identify a
request on a particular custom resource.
Required: Yes
Type: String
RequestId
A unique ID for the request.
Combining the StackId with the RequestId forms a value that you can use to uniquely identify a
request on a particular custom resource.
API Version 2010-05-15
447

AWS CloudFormation User Guide
Custom Resource Reference

Required: Yes
Type: String
ResourceType
The template developer-chosen resource type of the custom resource in the AWS CloudFormation
template. Custom resource type names can be up to 60 characters long and can include
alphanumeric and the following characters: _@-.
Required: Yes
Type: String
LogicalResourceId
The template developer-chosen name (logical ID) of the custom resource in the AWS
CloudFormation template. This is provided to facilitate communication between the custom resource
provider and the template developer.
Required: Yes
Type: String
PhysicalResourceId
A required custom resource provider-deﬁned physical ID that is unique for that provider.
Required: Always sent with Update and Delete requests; never sent with Create.
Type: String
ResourceProperties
This ﬁeld contains the contents of the Properties object sent by the template developer. Its
contents are deﬁned by the custom resource provider.
Required: No
Type: JSON object
OldResourceProperties
Used only for Update requests. Contains the resource properties that were declared previous to the
update request.
Required: Yes
Type: JSON object

Custom Resource Response Objects
Custom Resource Provider Response Fields
The following are properties that the custom resource provider includes when it sends the JSON ﬁle
to the presigned URL. For more information about uploading objects by using presigned URLs, see the
related topic in the Amazon Simple Storage Service Developer Guide.
Status
The status value sent by the custom resource provider in response to an AWS CloudFormationgenerated request.
API Version 2010-05-15
448

AWS CloudFormation User Guide
Custom Resource Reference

Must be either SUCCESS or FAILED.
Required: Yes
Type: String
Reason
Describes the reason for a failure response.
Required: Required if Status is FAILED. It's optional otherwise.
Type: String
PhysicalResourceId
This value should be an identiﬁer unique to the custom resource vendor, and can be up to 1 Kb in
size. The value must be a non-empty string and must be identical for all responses for the same
resource.
Required: Yes
Type: String
StackId
The Amazon Resource Name (ARN) that identiﬁes the stack that contains the custom resource. This
response value should be copied verbatim from the request.
Required: Yes
Type: String
RequestId
A unique ID for the request. This response value should be copied verbatim from the request.
Required: Yes
Type: String
LogicalResourceId
The template developer-chosen name (logical ID) of the custom resource in the AWS
CloudFormation template. This response value should be copied verbatim from the request.
Required: Yes
Type: String
NoEcho
Optional. Indicates whether to mask the output of the custom resource when retrieved by using
the Fn::GetAtt function. If set to true, all returned values are masked with asterisks (*****). The
default value is false.
Required: No
Type: Boolean
Data
Optional. The custom resource provider-deﬁned name-value pairs to send with the response. You
can access the values provided here by name in the template with Fn::GetAtt.
API Version 2010-05-15
449

AWS CloudFormation User Guide
Custom Resource Reference

Important

If the name-value pairs contain sensitive information, you should use the NoEcho ﬁeld to
mask the output of the custom resource. Otherwise, the values are visible through APIs that
surface property values (such as DescribeStackEvents).
Required: No
Type: JSON object

Custom Resource Request Types
The request type is sent in the RequestType ﬁeld in the vendor request object (p. 446) sent by AWS
CloudFormation when the template developer creates, updates, or deletes a stack that contains a custom
resource.
Each request type has a particular set of ﬁelds that are sent with the request, including an S3 URL for
the response by the custom resource provider. The provider must respond to the S3 bucket with either a
SUCCESS or FAILED result within one hour. After one hour, the request times out. Each result also has a
particular set of ﬁelds expected by AWS CloudFormation.
This section provides information about the request and response ﬁelds, with examples, for each request
type.

In This Section
• Create (p. 450)
• Delete (p. 453)
• Update (p. 455)

Create
Custom resource provider requests with RequestType set to "Create" are sent when the template
developer creates a stack that contains a custom resource.

Request
Create requests contain the following ﬁelds:
RequestType
Will be "Create".
RequestId
A unique ID for the request.
ResponseURL
The response URL identiﬁes a presigned S3 bucket that receives responses from the custom resource
provider to AWS CloudFormation.
ResourceType
The template developer-chosen resource type of the custom resource in the AWS CloudFormation
template. Custom resource type names can be up to 60 characters long and can include
alphanumeric and the following characters: _@-.
LogicalResourceId
The template developer-chosen name (logical ID) of the custom resource in the AWS
CloudFormation template.
API Version 2010-05-15
450

AWS CloudFormation User Guide
Custom Resource Reference

StackId
The Amazon Resource Name (ARN) that identiﬁes the stack that contains the custom resource.
ResourceProperties
This ﬁeld contains the contents of the Properties object sent by the template developer. Its
contents are deﬁned by the custom resource provider.

Example
{

}

"RequestType" : "Create",
"RequestId" : "unique id for this create request",
"ResponseURL" : "pre-signed-url-for-create-response",
"ResourceType" : "Custom::MyCustomResourceType",
"LogicalResourceId" : "name of resource in template",
"StackId" : "arn:aws:cloudformation:us-east-2:namespace:stack/stack-name/guid",
"ResourceProperties" : {
"key1" : "string",
"key2" : [ "list" ],
"key3" : { "key4" : "map" }
}

Responses
Success
When the create request is successful, a response must be sent to the S3 bucket with the following ﬁelds:
Status
Must be "SUCCESS".
RequestId
A unique ID for the request. This response value should be copied verbatim from the request.
LogicalResourceId
The template developer-chosen name (logical ID) of the custom resource in the AWS
CloudFormation template. This response value should be copied verbatim from the request.
StackId
The Amazon Resource Name (ARN) that identiﬁes the stack that contains the custom resource. This
response value should be copied verbatim from the request.
PhysicalResourceId
This value should be an identiﬁer unique to the custom resource vendor, and can be up to 1 Kb in
size. The value must be a non-empty string and must be identical for all responses for the same
resource.
NoEcho
Optional. Indicates whether to mask the output of the custom resource when retrieved by using
the Fn::GetAtt function. If set to true, all returned values are masked with asterisks (*****). The
default value is false.
Data
Optional. The custom resource provider-deﬁned name-value pairs to send with the response. You
can access the values provided here by name in the template with Fn::GetAtt.
API Version 2010-05-15
451

AWS CloudFormation User Guide
Custom Resource Reference

Important

If the name-value pairs contain sensitive information, you should use the NoEcho ﬁeld to
mask the output of the custom resource. Otherwise, the values are visible through APIs that
surface property values (such as DescribeStackEvents).

Example
{

"Status" : "SUCCESS",
"RequestId" : "unique id for this create request (copied from request)",
"LogicalResourceId" : "name of resource in template (copied from request)",
"StackId" : "arn:aws:cloudformation:us-east-2:namespace:stack/stack-name/guid (copied
from request)",
"PhysicalResourceId" : "required vendor-defined physical id that is unique for that
vendor",
"Data" : {
"keyThatCanBeUsedInGetAtt1" : "data for key 1",
"keyThatCanBeUsedInGetAtt2" : "data for key 2"
}

}

Failed
When the create request fails, a response must be sent to the S3 bucket with the following ﬁelds:
Status
Must be "FAILED".
Reason
Describes the reason for a failure response.
RequestId
A unique ID for the request. This response value should be copied verbatim from the request.
LogicalResourceId
The template developer-chosen name (logical ID) of the custom resource in the AWS
CloudFormation template. This response value should be copied verbatim from the request.
StackId
The Amazon Resource Name (ARN) that identiﬁes the stack that contains the custom resource. This
response value should be copied verbatim from the request.
PhysicalResourceId
This value should be an identiﬁer unique to the custom resource vendor, and can be up to 1 Kb in
size. The value must be a non-empty string and must be identical for all responses for the same
resource.

Example
{

"Status" : "FAILED",
"Reason" : "Required failure reason string",
"RequestId" : "unique id for this create request (copied from request)",
"LogicalResourceId" : "name of resource in template (copied from request)",

API Version 2010-05-15
452

AWS CloudFormation User Guide
Custom Resource Reference
"StackId" : "arn:aws:cloudformation:us-east-2:namespace:stack/stack-name/guid (copied
from request)",
"PhysicalResourceId" : "required vendor-defined physical id that is unique for that
vendor"

}

Delete
Custom resource provider requests with RequestType set to "Delete" are sent when the template
developer deletes a stack that contains a custom resource. To successfully delete a stack with a custom
resource, the custom resource provider must respond successfully to a delete request.

Request
Delete requests contain the following ﬁelds:
RequestType
Will be "Delete".
RequestId
A unique ID for the request.
ResponseURL
The response URL identiﬁes a presigned S3 bucket that receives responses from the custom resource
provider to AWS CloudFormation.
ResourceType
The template developer-chosen resource type of the custom resource in the AWS CloudFormation
template. Custom resource type names can be up to 60 characters long and can include
alphanumeric and the following characters: _@-.
LogicalResourceId
The template developer-chosen name (logical ID) of the custom resource in the AWS
CloudFormation template.
StackId
The Amazon Resource Name (ARN) that identiﬁes the stack that contains the custom resource.
PhysicalResourceId
A required custom resource provider-deﬁned physical ID that is unique for that provider.
ResourceProperties
This ﬁeld contains the contents of the Properties object sent by the template developer. Its
contents are deﬁned by the custom resource provider.

Example
{

"RequestType" : "Delete",
"RequestId" : "unique id for this delete request",
"ResponseURL" : "pre-signed-url-for-delete-response",
"ResourceType" : "Custom::MyCustomResourceType",
"LogicalResourceId" : "name of resource in template",
"StackId" : "arn:aws:cloudformation:us-east-2:namespace:stack/stack-name/guid",
"PhysicalResourceId" : "custom resource provider-defined physical id",

API Version 2010-05-15
453

AWS CloudFormation User Guide
Custom Resource Reference

}

"ResourceProperties" : {
"key1" : "string",
"key2" : [ "list" ],
"key3" : { "key4" : "map" }
}

Responses
Success
When the delete request is successful, a response must be sent to the S3 bucket with the following ﬁelds:
Status
Must be "SUCCESS".
RequestId
A unique ID for the request. This response value should be copied verbatim from the request.
LogicalResourceId
The template developer-chosen name (logical ID) of the custom resource in the AWS
CloudFormation template. This response value should be copied verbatim from the request.
StackId
The Amazon Resource Name (ARN) that identiﬁes the stack that contains the custom resource. This
response value should be copied verbatim from the request.
PhysicalResourceId
This value should be an identiﬁer unique to the custom resource vendor, and can be up to 1 Kb in
size. The value must be a non-empty string and must be identical for all responses for the same
resource.

Example
{

"Status" : "SUCCESS",
"RequestId" : "unique id for this delete request (copied from request)",
"LogicalResourceId" : "name of resource in template (copied from request)",
"StackId" : "arn:aws:cloudformation:us-east-2:namespace:stack/stack-name/guid (copied
from request)",
"PhysicalResourceId" : "custom resource provider-defined physical id"

}

Failed
When the delete request fails, a response must be sent to the S3 bucket with the following ﬁelds:
Status
Must be "FAILED".
Reason
The reason for the failure.
RequestId
The RequestId value copied from the delete request (p. 453).
API Version 2010-05-15
454

AWS CloudFormation User Guide
Custom Resource Reference

LogicalResourceId
The LogicalResourceId value copied from the delete request (p. 453).
StackId
The StackId value copied from the delete request (p. 453).
PhysicalResourceId
A required custom resource provider-deﬁned physical ID that is unique for that provider.

Example
{

"Status" : "FAILED",
"Reason" : "Required failure reason string",
"RequestId" : "unique id for this delete request (copied from request)",
"LogicalResourceId" : "name of resource in template (copied from request)",
"StackId" : "arn:aws:cloudformation:us-east-2:namespace:stack/stack-name/guid (copied
from request)",
"PhysicalResourceId" : "custom resource provider-defined physical id"

}

Update
Custom resource provider requests with RequestType set to "Update" are sent when there's any
change to the properties of the custom resource within the template. Therefore, custom resource code
doesn't have to detect changes because it knows that its properties have changed when Update is being
called.

Request
Update requests contain the following ﬁelds:
RequestType
Will be "Update".
RequestId
A unique ID for the request.
ResponseURL
The response URL identiﬁes a presigned S3 bucket that receives responses from the custom resource
provider to AWS CloudFormation.
ResourceType
The template developer-chosen resource type of the custom resource in the AWS CloudFormation
template. Custom resource type names can be up to 60 characters long and can include
alphanumeric and the following characters: _@-. You can't change the type during an update.
LogicalResourceId
The template developer-chosen name (logical ID) of the custom resource in the AWS
CloudFormation template.
StackId
The Amazon Resource Name (ARN) that identiﬁes the stack that contains the custom resource.
PhysicalResourceId
A required custom resource provider-deﬁned physical ID that is unique for that provider.
API Version 2010-05-15
455

AWS CloudFormation User Guide
Custom Resource Reference

ResourceProperties
The new resource property values that are declared by the template developer in the updated AWS
CloudFormation template.
OldResourceProperties
The resource property values that were previously declared by the template developer in the AWS
CloudFormation template.

Example
{

}

"RequestType" : "Update",
"RequestId" : "unique id for this update request",
"ResponseURL" : "pre-signed-url-for-update-response",
"ResourceType" : "Custom::MyCustomResourceType",
"LogicalResourceId" : "name of resource in template",
"StackId" : "arn:aws:cloudformation:us-east-2:namespace:stack/stack-name/guid",
"PhysicalResourceId" : "custom resource provider-defined physical id",
"ResourceProperties" : {
"key1" : "new-string",
"key2" : [ "new-list" ],
"key3" : { "key4" : "new-map" }
},
"OldResourceProperties" : {
"key1" : "string",
"key2" : [ "list" ],
"key3" : { "key4" : "map" }
}

Responses
Success
If the custom resource provider is able to successfully update the resource, AWS CloudFormation expects
the status to be set to "SUCCESS" in the response.
Status
Must be "SUCCESS".
RequestId
A unique ID for the request. This response value should be copied verbatim from the request.
LogicalResourceId
The template developer-chosen name (logical ID) of the custom resource in the AWS
CloudFormation template. This response value should be copied verbatim from the request.
StackId
The Amazon Resource Name (ARN) that identiﬁes the stack that contains the custom resource. This
response value should be copied verbatim from the request.
PhysicalResourceId
This value should be an identiﬁer unique to the custom resource vendor, and can be up to 1 Kb in
size. The value must be a non-empty string and must be identical for all responses for the same
resource.
API Version 2010-05-15
456

AWS CloudFormation User Guide
Custom Resource Reference

NoEcho
Optional. Indicates whether to mask the output of the custom resource when retrieved by using
the Fn::GetAtt function. If set to true, all returned values are masked with asterisks (*****). The
default value is false.
Data
Optional. The custom resource provider-deﬁned name-value pairs to send with the response. You
can access the values provided here by name in the template with Fn::GetAtt.

Important

If the name-value pairs contain sensitive information, you should use the NoEcho ﬁeld to
mask the output of the custom resource. Otherwise, the values are visible through APIs that
surface property values (such as DescribeStackEvents).

Example
{

"Status" : "SUCCESS",
"RequestId" : "unique id for this update request (copied from request)",
"LogicalResourceId" : "name of resource in template (copied from request)",
"StackId" : "arn:aws:cloudformation:us-east-2:namespace:stack/stack-name/guid (copied
from request)",
"PhysicalResourceId" : "custom resource provider-defined physical id",
"Data" : {
"keyThatCanBeUsedInGetAtt1" : "data for key 1",
"keyThatCanBeUsedInGetAtt2" : "data for key 2"
}

}

Failed
If the resource can't be updated with a new set of properties, AWS CloudFormation expects the status to
be set to "FAILED", along with a failure reason in the response.
Status
Must be "FAILED".
Reason
Describes the reason for a failure response.
RequestId
A unique ID for the request. This response value should be copied verbatim from the request.
LogicalResourceId
The template developer-chosen name (logical ID) of the custom resource in the AWS
CloudFormation template. This response value should be copied verbatim from the request.
StackId
The Amazon Resource Name (ARN) that identiﬁes the stack that contains the custom resource. This
response value should be copied verbatim from the request.
PhysicalResourceId
This value should be an identiﬁer unique to the custom resource vendor, and can be up to 1 Kb in
size. The value must be a non-empty string and must be identical for all responses for the same
resource.
API Version 2010-05-15
457

AWS CloudFormation User Guide
Using Regular Expressions

Example
{

"Status" : "FAILED",
"Reason" : "Required failure reason string",
"RequestId" : "unique id for this update request (copied from request)",
"LogicalResourceId" : "name of resource in template (copied from request)",
"StackId" : "arn:aws:cloudformation:us-east-2:namespace:stack/stack-name/guid (copied
from request)",
"PhysicalResourceId" : "custom resource provider-defined physical id"

}

Using Regular Expressions in AWS CloudFormation
Templates
Regular expressions (commonly known as regexes) can be speciﬁed in a number of places within an
AWS CloudFormation template, such as for the AllowedPattern property when creating a template
parameter (p. 167).
Regular expressions in AWS CloudFormation conform to the Java regular expression syntax. A
full description of this syntax and its constructs can be viewed in the Java documentation, here:
java.util.regex.Pattern.

Important

Since AWS CloudFormation templates use the JSON syntax for specifying objects and data, you
will need to add an additional backslash to any backslash characters in your regular expression,
or JSON will interpret these as escape characters.
For example, if you include a \d in your regular expression to match a digit character, you will
need to write it as \\d in your JSON template.

Using CloudFormer to Create AWS CloudFormation
Templates from Existing AWS Resources
CloudFormer is a template creation beta tool that creates an AWS CloudFormation template from
existing AWS resources in your account. You select any supported AWS resources that are running in your
account, and CloudFormer creates a template in an Amazon S3 bucket.

Note

Use CloudFormer to produce templates that you can use as a starting point. Not all AWS
resources or resource properties are supported.
The following list outlines the basic procedure for using CloudFormer:
1. Provision and conﬁgure the required resources using your existing processes and tools.
2. Create and launch a CloudFormer stack.
CloudFormer is an AWS CloudFormation stack. You run CloudFormer by launching the stack from your
AWS environment. It runs on a t2.medium Amazon EC2 instance and requires no other resources.
3. Use CloudFormer to create a template using your existing AWS resources and save the template to an
Amazon S3 bucket.
4. Delete the CloudFormer stack.
API Version 2010-05-15
458

AWS CloudFormation User Guide
Step 1: Create a CloudFormer Stack

You usually don't need CloudFormer beyond this point, so you can avoid additional charges by
deleting the stack.
5. Use the template to launch a new stack, as needed.
The following topics describes how to use CloudFormer by walking you through a basic scenario (a
simple website on an Amazon EC2 instance) that creates a template with multiple resources. However,
this example is just one of many possible scenarios; CloudFormer can create a template from any
collection of supported AWS resources.

Step 1: Create a CloudFormer Stack
CloudFormer is itself an AWS CloudFormation stack, so the ﬁrst step is to create and launch the stack
from the AWS CloudFormation console.

To create a CloudFormer stack using the AWS CloudFormation Console
1.

Log in to the AWS CloudFormation console and click Create New Stack to launch the stack creation
wizard. For instructions on how to log in, see Logging in to the AWS CloudFormation Console.

2.

In the Choose a template section, select Select a sample template and then select CloudFormer
from the drop-down list.

3.
4.

Click Next to specify the stack name and input parameters.
Specify a name for the CloudFormer stack in the Name ﬁeld.

5.

In the Parameters section, type a password and user name that you'll use to log in to CloudFormer,
and then click Next.

Important

You can't use special characters for the password (such as ; & ! " £ $ % ^ ( ) / \) or
leave the password blank.
6.
7.
8.

Click Next.
For CloudFormer, you don't need to specify any additional options.
Review the information about the stack and select I acknowledge that this template may create
IAM resources.
After you ﬁnish reviewing the stack information, click Create to start creating the CloudFormer
stack.
CloudFormer is an AWS CloudFormation stack, so it must go through the normal stack creation
process, which can take a few minutes.

Step 2: Launch the CloudFormer Stack
After the CloudFormer stack's status is CREATE_COMPLETE, you can launch the stack.

To launch the CloudFormer stack
1.
2.
3.

Click the CloudFormer stack's entry in the AWS CloudFormation Console, and select the Outputs tab
in the stack information pane.
In the Value column, click the URL to launch the CloudFormer tool.
Type the user name and password that you speciﬁed when you created the CloudFormer stack.

When you log in to CloudFormer, it displays the ﬁrst page of the tool in your browser, where you can
start to create your template, as described in the next section.

API Version 2010-05-15
459

AWS CloudFormation User Guide
Step 3: Use CloudFormer to Create a Template

Note

The CloudFormer stack launches a t2.medium Amazon EC2 instance. You'll delete this stack at
the end of the walkthrough after the template is created.
After you create a CloudFormer stack, it is added to the collection of stacks in your account. To create
another template, just launch the CloudFormer stack again.

Step 3: Use CloudFormer to Create a Template
Before you start using CloudFormer to create a template, ﬁrst ensure that your account has all the AWS
resources that you want to include in your template. This walkthrough assumes that your account has:
• An Amazon EC2 instance (AWS::EC2::Instance).
• An Amazon EC2 security group (AWS::EC2::SecurityGroup). You should associate the security
group with the instance.
• An Elastic IP Address (AWS::EC2::EIP). You should associate the address with the instance.

To use CloudFormer to create a template from your AWS resources
1.

Under Select the AWS Region, select the template's region from the list, and click Create Template.
The tool must ﬁrst analyze your account, so it might take a few minutes before the Intro page is
displayed.

2.

On the Intro page, enter a description for your template.
Note that you can use this page to select resources with a ﬁlter or select all resources in your
account. However, this walkthrough speciﬁes resources manually, so leave the Resource Name Filter
ﬁeld blank, clear the Select all resources in your account checkbox, and then click Continue.
API Version 2010-05-15
460

AWS CloudFormation User Guide
Step 3: Use CloudFormer to Create a Template

3.

The following pages are for resources that are not used by this walkthrough, so just examine the
page for future reference and click Continue. In order:
1. DNS Names allows you to include Route 53 records.
2. The Virtual Private Clouds allows you to include Amazon VPCs.
3. Virtual Private Cloud Network Topologies allows you to include Amazon VPC subnets, gateways,
DHCP conﬁgurations, and VPN connections.
4. Virtual Private Cloud Security Conﬁguration allows you to include network ACLS and route
tables.

4.

Network Resources allows you to include Elastic Load Balancing load balancers, Elastic IP Addresses,
CloudFront distributions, and Amazon EC2 network interfaces. Select the Elastic IP address you want
to include in the template and click Continue.

5.

The Compute Resources page allows you to include Auto Scaling groups and Amazon EC2 instances.
Before you started creating the template, you associated an Elastic IP Address with your Amazon
EC2 instance, creating a dependent resource. When you reach Compute Resources, CloudFormer
automatically selects dependent instances, so just ensure that your instance is selected and click
Continue.
API Version 2010-05-15
461

AWS CloudFormation User Guide
Step 3: Use CloudFormer to Create a Template

Note

You can manually include additional instances, as needed. If you don't want to include an
automatically selected instance, just clear the check box.
6.

The following pages are for resources that are not used by this walkthrough, so just examine the
page for future reference and click Continue. In order:
1. Storage allows you to include Amazon EBS volumes, Amazon RDS instances, DynamoDB tables,
and Amazon S3 buckets.
2. Application Services allows you to include ElastiCache clusters, Amazon SQS queues, Amazon
SimpleDB domains, and Amazon SNS topics.
System Conﬁguration allows you to include Auto Scaling launch conﬁgurations, Amazon RDS
subnet groups, ElastiCache parameter groups, and Amazon RDS parameter groups.

7.

The Security Groups page allows you include security groups. Before you started creating the
template, you associated an Amazon EC2 security group with your Amazon EC2 instance, creating
a dependent resource. When you reach Security Groups, CloudFormer automatically selects
dependent security groups, so just ensure that your group is selected and click Continue.

Note

You can manually include additional security groups—including Amazon EC2 security
groups, Amazon RDS security groups, and so on—as appropriate. If you don't want to
include an automatically selected security group, just clear the check box.
8.

The Operational Resources page allows you to include Auto Scaling policies and CloudWatch
alarms. This walkthrough uses neither, so just click Continue.

9.

The Summary page serves several purposes:
• It allows you to review the resources you've added to your template.
To modify your resources, click Back to return to the appropriate pages and modify your
selections as needed.
• It allows you to change the auto-generated logical names that were assigned to your resources.
To modify a logical name, click Modify and enter the name in the Logical Name ﬁeld.
• It allows you to specify outputs that provide necessary information, such as your site's IP address
or URL.
To modify an output, click Modify and select the appropriate output from the list.
API Version 2010-05-15
462

AWS CloudFormation User Guide
Step 3: Use CloudFormer to Create a Template

Examine the resources you've selected and make any necessary changes. You should have one Elastic
IP Address, one Amazon EC2 instance, and one Amazon EC2 security group. When you are satisﬁed,
click Continue to generate the template.
10. The AWS CloudFormation Template page displays the generated template. You can use the
template to deploy your resources as a combined set with AWS CloudFormation, or as a base
template for further modiﬁcation.

Note

In addition to the resources that you explicitly speciﬁed, the template includes values that
are associated with those resources such as Amazon EC2 instances' Availability Zones.
Select an Amazon S3 bucket from the S3 Bucket list and click Save Template to save the template
to the bucket and add it to the collection of stacks in your account.

API Version 2010-05-15
463

AWS CloudFormation User Guide
Step 4: Delete the CloudFormer Stack

Save Template gives you two options:
• Launch Stack saves the template to the speciﬁed Amazon S3 bucket and also launches the stack
immediately.
• Create Template simply saves the template to the speciﬁed Amazon S3 bucket.
You can launch the stack later just like you would with any other template, for example, by using
the AWS CloudFormation console.

Step 4: Delete the CloudFormer Stack
Now that you have the template, you don't need the CloudFormer stack any more. To avoid unnecessary
charges to your account, select the stack in the AWS CloudFormation console and then choose Actions >
Delete Stack.

API Version 2010-05-15
464

AWS CloudFormation User Guide
StackSets Concepts

Working with AWS CloudFormation
StackSets
AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update,
or delete stacks across multiple accounts and regions with a single operation. Using an administrator
account, you deﬁne and manage an AWS CloudFormation template, and use the template as the basis
for provisioning stacks into selected target accounts across speciﬁed regions.

This section helps you get started using StackSets, and answers common questions about how to work
with and troubleshoot stack set creation, updates, and deletion.
Topics
• StackSets Concepts (p. 465)
• Prerequisites: Granting Permissions for Stack Set Operations (p. 470)
• Getting Started with AWS CloudFormation StackSets (p. 478)
• Conﬁguring a target account gate in AWS CloudFormation StackSets (p. 494)
• Best Practices (p. 495)
• Limitations of StackSets (p. 496)
• AWS CloudFormation StackSets Sample Templates (p. 496)
• Troubleshooting AWS CloudFormation StackSets (p. 497)

StackSets Concepts
When you use StackSets, you work with stack sets, stack instances, and stacks.
API Version 2010-05-15
465

AWS CloudFormation User Guide
Administrator and target accounts

Topics
• Administrator and target accounts (p. 466)
• Stack sets (p. 466)
• Stack instances (p. 466)
• Stack set operations (p. 467)
• Stack set operation options (p. 468)
• Tags (p. 469)
• Stack set and stack instance status codes (p. 469)

Administrator and target accounts
An administrator account is the AWS account in which you create stack sets. A stack set is managed by
signing in to the AWS administrator account in which it was created. A target account is the account into
which you create, update, or delete one or more stacks in your stack set. Before you can use a stack set
to create stacks in a target account, you must set up a trust relationship between the administrator and
target accounts.

Stack sets
A stack set lets you create stacks in AWS accounts across regions by using a single AWS CloudFormation
template. All the resources included in each stack are deﬁned by the stack set's AWS CloudFormation
template. As you create the stack set, you specify the template to use, as well as any parameters and
capabilities that template requires.
After you've deﬁned a stack set, you can create, update, or delete stacks in the target accounts
and regions you specify. When you create, update, or delete stacks, you can also specify operation
preferences, such as the order of regions in which you want the operation to be performed, the failure
tolerance beyond which stack operations stop, and the number of accounts in which operations are
performed on stacks concurrently.
A stack set is a regional resource. If you create a stack set in one region, you cannot see it or change it in
other regions.

Stack instances
A stack instance is a reference to a stack in a target account within a region. A stack instance can exist
without a stack; for example, if the stack could not be created for some reason, the stack instance shows
the reason for stack creation failure. A stack instance is associated with only one stack set.
The following ﬁgure shows the logical relationships between stack sets, stack operations, and stacks.
When you update a stack set, all associated stack instances are updated throughout all accounts and
regions.

API Version 2010-05-15
466

AWS CloudFormation User Guide
Stack set operations

Stack set operations
You can perform the following operations on stack sets.
Create stack set
Creating a new stack set includes specifying an AWS CloudFormation template that you want to use
to create stacks, specifying the target accounts in which you want to create stacks, and identifying
the AWS regions in which you want to deploy stacks in your target accounts. A stack set ensures
consistent deployment of the same stack resources, with the same settings, to all speciﬁed target
accounts within the regions you choose.
Update stack set
When you update a stack set, you push changes out to stacks in your stack set. You can update a
stack set in one of the following ways. Note that your template updates always aﬀect all stacks; you
cannot selectively update the template for some stacks in the stacks set, but not others.
• Change existing settings in the template or add new resources, such as updating parameter
settings for a speciﬁc service, or adding new Amazon EC2 instances.
• Replace the template with a diﬀerent template.
• Add stacks in existing or additional target accounts, across existing or additional regions.
Delete stacks
When you delete stacks, you are removing a stack and all its associated resources from the target
accounts you specify, within the regions you specify. You can delete stacks in the following ways.
• Delete stacks from some target accounts, while leaving other stacks in other target accounts
running.
• Delete stacks from some regions, while leaving stacks in other regions running.
• Delete stacks from your stack set, but save them so they continue to run independently of
your stack set by choosing the Retain Stacks option. Retained stacks are managed in AWS
CloudFormation, outside of your stack set.
• Delete all stacks in your stack set, in preparation for deleting your entire stack set.
Delete stack set
You can delete your stack set only when there are no stack instances in it.
API Version 2010-05-15
467

AWS CloudFormation User Guide
Stack set operation options

Stack set operation options
The options described in this section help to control the time and number of failures allowed to
successfully perform stack set operations, and prevent you from losing stack resources.
Maximum concurrent accounts
This setting, available in create, update, and delete workﬂows, lets you specify the maximum
number or percentage of target accounts in which an operation is performed at one time. A lower
number or percentage means that an operation is performed in fewer target accounts at one time.
Operations are performed in one region at a time, in the order speciﬁed in the Deployment order
box. For example, if you are deploying stacks to 10 target accounts within two regions, setting
Maximum concurrent accounts to 50 and By percentage will deploy stacks to ﬁve accounts in the
ﬁrst region, then the second ﬁve accounts within the ﬁrst region, before moving on to the next
region and beginning deployment to the ﬁrst ﬁve target accounts.
When you choose By percentage, if the speciﬁed percentage does not represent a whole number of
your speciﬁed accounts, AWS CloudFormation rounds down. For example, if you are deploying stacks
to 10 target accounts, and you set Maximum concurrent accounts to 25 and By percentage, AWS
CloudFormation rounds down from deploying 2.5 stacks concurrently (which would not be possible)
to deploying two stacks concurrently.
Note that this setting lets you specify the maximum for operations. For large deployments, under
certain circumstances the actual number of accounts acted upon concurrently may be lower due to
service throttling.
Failure tolerance
This setting, available in create, update, and delete workﬂows, lets you specify the maximum
number or percentage of stack operation failures that can occur, per region, beyond which AWS
CloudFormation stops an operation automatically. A lower number or percentage means that the
operation is performed on fewer stacks, but you are able to start troubleshooting failed operations
faster. For example, if you are updating 10 stacks in 10 target accounts within three regions, setting
Failure tolerance to 20 and By percentage means that a maximum of two stack updates in a region
can fail for the operation to continue. If a third stack in the same region fails, AWS CloudFormation
stops the operation. If a stack could not be updated in the ﬁrst region, the update operation
continues in that region, and then moves on to the next region. If two stacks cannot be updated in
the second region, the failure tolerance of 20% is reached; if a third stack in the region fails, AWS
CloudFormation stops the update operation, and does not go on to subsequent regions.
When you choose By percentage, if the speciﬁed percentage does not represent a whole number
of your stacks within each region, AWS CloudFormation rounds down. For example, if you are
deploying stacks to 10 target accounts in three regions, and you set Failure tolerance to 25 and By
percentage, AWS CloudFormation rounds down from a failure tolerance of 2.5 stacks (which would
not be possible) to a failure tolerance of two stacks per region.
Retain stacks
This setting, available in delete stack workﬂows, lets you keep stacks and their resources running
even after they have been removed from a stack set. When you retain stacks, AWS CloudFormation
leaves stacks in individual accounts and regions intact. Stacks are disassociated from the stack set,
but the stack and its resources are saved. After a delete stacks operation is complete, you manage
retained stacks in AWS CloudFormation, in the target account (not the administrator account) in
which they were created. Retaining stacks permanently disassociates a stack from a stack set; the
stack cannot be added to the stack set again, and it cannot be added to a new stack set.

API Version 2010-05-15
468

AWS CloudFormation User Guide
Tags

Tags
You can add tags during stack set creation and update operations by specifying key and value pairs.
Tags are useful for sorting and ﬁltering stack set resources for billing and cost allocation. For more
information about how tags are used in AWS, see Using Cost Allocation Tags in the AWS Billing and Cost
Management User Guide. After you specify the key-value pair, choose + to save the tag.You can delete
tags that you are no longer using by choosing the red X to the right of a tag.
Tags that you apply to stack sets are applied to all stacks, and the resources that are created by your
stacks. Tags can be added at the stack-only level in AWS CloudFormation, but those tags might not show
up in StackSets.
Although StackSets does not currently add any system-deﬁned tags, you should not start the key names
of any tags with the string aws:.

Stack set and stack instance status codes
AWS CloudFormation StackSets generates status codes for stack set operations and stack instances.
The following table describes status codes for stack set operations.
Stack Set Operation Status

Description

RUNNING

The operation is currently in progress.

SUCCEEDED

The operation ﬁnished without exceeding the failure tolerance for
the operation.

FAILED

The number of stacks on which the operation could not be
completed exceeded the user-deﬁned failure tolerance. The
failure tolerance value you've set for an operation is applied
for each region during stack creation and update operations. If
the number of failed stacks within a region exceeds the failure
tolerance, the status of the operation in the region is set to
FAILED. The status of the operation as a whole is also set to
FAILED, and AWS CloudFormation cancels the operation in any
remaining regions.

STOPPING

The operation is in the process of stopping, at the user's request.

STOPPED

The operation has been stopped, at the user's request.

The following table describes status codes for stack instances within stack sets.
Stack Instance Status

Description

CURRENT

The stack is currently up to date with the stack set.

OUTDATED

The stack is not currently up to date with the stack set for one of
the following reasons.
• A CreateStackSet or UpdateStackSet operation on the
associated stack failed.
• The stack was part of a CreateStackSet or
UpdateStackSet operation that failed, or was stopped before
the stack was created or updated.
API Version 2010-05-15
469

AWS CloudFormation User Guide
Prerequisites: Granting Permissions
for Stack Set Operations

Stack Instance Status

Description

INOPERABLE

A DeleteStackInstances operation has failed and left the
stack in an unstable state. Stacks in this state are excluded
from further UpdateStackSet operations. You might need
to perform a DeleteStackInstances operation, with
RetainStacks set to true, to delete the stack instance, and
then delete the stack manually.

Prerequisites: Granting Permissions for Stack Set
Operations
Because stack sets perform stack operations across multiple accounts, before you can get started
creating your ﬁrst stack set you need to have the necessary permissions deﬁned in your AWS accounts.
To set up the necessary permissions:
1. Determine which AWS account is the administrator account.
Stack sets are created in this administator account. A target account is the account in which you create
individual stacks that belong to a stack set.
2. Determine how you want to structure permissions for the stack sets.
The simplest (and most permissive) permissions conﬁguration is where you give all users and groups
in the administrator account the ability to create and update all the stack sets managed through that
account. If you need ﬁner-grained control, you can set up permissions to specify:
• Which users and groups can perform stack set operations in which target accounts.
• Which resources users and groups can include in their stack sets.
• Which stack set operations speciﬁc users and groups can perform.
3. Create the necessary IAM service roles in your adminstrator and target accounts to deﬁne the
permissions you want.
Topics
• Set Up Basic Permissions for Stack Sets Operations (p. 470)
• Set Up Advanced Permissions Options for Stack Set Operations (p. 473)

Set Up Basic Permissions for Stack Sets Operations
The simplest (and most permissive) permissions conﬁguration is where you give all users and groups
in the administrator account the ability to create and update all the stack sets managed through that
account. To do this, you create IAM service roles for your administrator and all target accounts. Anyone
with permissions to the adminstrator account then has permissions to create, update, or delete any stack
sets in any of the target accounts.
Your administrator account and target accounts must have service roles conﬁgured that create a trust
relationship between the accounts, and grant the target accounts permission to create and manage the
resources described in your template.
If you structure your permissions this way, users do not pass an administrator role when creating or
updating stack sets.
API Version 2010-05-15
470

AWS CloudFormation User Guide
Set Up Basic Permissions for Stack Sets Operations

Set up permssions for all users of the adminstrator account to perform stack set operations
in all target accounts
1.

In the administrator account, create an IAM role named
AWSCloudFormationStackSetAdministrationRole. You can do this by creating
a stack from the following AWS CloudFormation template, available online at
https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/
AWSCloudFormationStackSetAdministrationRole.yml. The role created by this template enables the
following policy on your administrator account.
{

}

"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
],
"Effect": "Allow"
}
]

The following trust relationship is created by the preceding template.
{

}

2.

"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]

In each target account, create a service role named AWSCloudFormationStackSetExecutionRole
that trusts the administrator account. You can do this by creating a stack from the following AWS
CloudFormation template, available online at https://s3.amazonaws.com/cloudformation-stacksetsample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml. When you use this
template, you are prompted to provide the name of the administrator account with which your
target account must have a trust relationship.

API Version 2010-05-15
471

AWS CloudFormation User Guide
Set Up Basic Permissions for Stack Sets Operations

Important

Be aware that this template grants administrator access. After you use the template
to create a target account execution role, you must scope the permissions in the policy
statement to the types of resources that you are creating by using StackSets.
The target account service role requires permissions to perform any operations that are speciﬁed
in your AWS CloudFormation template. For example, if your template is creating an S3 bucket,
then you need permissions to create new objects for S3. Your target account always needs full AWS
CloudFormation permissions, which include permissions to create, update, delete, and describe
stacks. The role created by this template enables the following policy on a target account.
{

}

"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]

The following example shows a policy statement with the minimum permissions for
StackSets to work. To create stacks in target accounts that use resources from services
other than AWS CloudFormation, you must add those service actions and resources to the
AWSCloudFormationStackSetExecutionRole policy statement for each target account.
{

}

"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action":
[
"cloudformation:*",
"s3:*",
"sns:*"
],
"Resource": "*"
}
]

The following trust relationship is created by the template. The administrator account's ID is shown
as admin_account_id.
{

}

"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::admin_account_id:root"
},
"Action": "sts:AssumeRole"
}
]

API Version 2010-05-15
472

AWS CloudFormation User Guide
Set Up Advanced Permissions
Options for Stack Set Operations

You can conﬁgure the trust relationship of an existing target account execution role to trust a
speciﬁc role in the administrator account. If you delete the role in the administrator account, and
create a new one to replace it, you must conﬁgure your target account trust relationships with the
new administrator account role, represented by admin_account_id in the preceding example.

Set Up Advanced Permissions Options for Stack Set
Operations
If you require ﬁner-grained control over the stack sets that users and groups are creating through a
single adminstrator account, you can use IAM roles to specify:
• Which users and groups can perform stack set operations in which target accounts.
• Which resources users and groups can include in their stack sets.
• Which stack set operations speciﬁc users and groups can perform.

Set Up Permissions to Control Target Account Access
Use customized administrator roles to control which users and groups can perform stack set operations
in which target accounts. You might want to control which users of the administrator account can
perform stack set operations in which target accounts. To do this, you create a trust relationship
between each target account and a speciﬁc customized administration role, rather than creating the
AWSCloudFormationStackSetAdministrationRole service role in the administrator account itself. You
then enable speciﬁc users and groups to use the customized administration role when performing stack
set operations in a speciﬁc target account.
For example, you can create Role A and Role B within your administrator account. You can give Role A
permissions to access target account 1 through account 8. You can give Role B permissions to access
target account 9 through account 16.

Setting up the necessary permissions involves deﬁning a customized administrator role, creating a
service role for the target account, and granting users permission to pass the customized administrator
role when performing stack set operations.
In general, here's how it works once you have the necessary permissions in place: When creating a
stack set, the user must specify a customized administrator role to associate with the stack set. The

API Version 2010-05-15
473

AWS CloudFormation User Guide
Set Up Advanced Permissions
Options for Stack Set Operations

user must have permission to pass the role to AWS CloudFormation. In addition, the customized
administrator role must have a trust relationship with the target accounts speciﬁed for the stack set.
AWS CloudFormation creates the stack set and associates the customized administrator role with it.
When updating a stack set, the user has the choice of specifying a customized administrator role. If
they specify a customized administrator role, AWS CloudFormation uses that role to update the stack,
subject to the requirements above. If the user does not specify a customized administrator role, AWS
CloudFormation performs the update using the customized administrator role previously associated
with the stack set, so long as the user has permissions to perform operations on that stack set. If that
customized administrator role no longer exists, AWS CloudFormation uses the default administrator role
for the account, AWSCloudFormationAdministrationRole.

Set up permissions for which users and groups can perform stack set operations in speciﬁc
target accounts
1.

For each stack set, create a customized administrator role with permissions to assume the
AWSCloudFormationStackSetExecutionRole service role in the target accounts.
Create an IAM service role with a custom name, using the following permissions policy:
{

"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::target_account_id:role/
AWSCloudFormationStackSetExecutionRole"
],
"Effect": "Allow"
}
]
}

Or, if you want to specify all target accounts, use the following permissions policy:
{

}

"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
],
"Effect": "Allow"
}
]

You must provide the following trust policy when you create the role to deﬁne the trust relationship:
{

"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {

API Version 2010-05-15
474

AWS CloudFormation User Guide
Set Up Advanced Permissions
Options for Stack Set Operations

}

2.

]

}

"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"

In each target account, create a service role named AWSCloudFormationStackSetExecutionRole
that trusts the customized administration role you want to use with this account.

Important

You must scope the permissions in the policy statement to the types of resources that you
are creating by using StackSets.
The target account service role requires permissions to perform any operations that are speciﬁed
in your AWS CloudFormation template. For example, if your template is creating an S3 bucket,
then you need permissions to create new objects in S3. Your target account always needs full AWS
CloudFormation permissions, which include permissions to create, update, delete, and describe
stacks.
The following example shows a policy statement with the minimum permissions for
StackSets to work. To create stacks in target accounts that use resources from services
other than AWS CloudFormation, you must add those service actions and resources to the
AWSCloudFormationStackSetExecutionRole permissions policy statement for each target account.
{

}

"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action":
[
"cloudformation:*",
"s3:*",
"sns:*"
],
"Resource": "*"
}
]

You must provide the following trust policy when you create the role to deﬁne the trust relationship:
{

}

3.

"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::admin_account_id:role/customized_admin_role"
},
"Action": "sts:AssumeRole"
}
]

Allow users to pass the customized administrator role when performing stack set operations.
Attach an IAM permissions policy to users or groups that allows them to pass the appropriate
customized administrator role when creating or updating speciﬁc stack sets. For more information,
API Version 2010-05-15
475

AWS CloudFormation User Guide
Set Up Advanced Permissions
Options for Stack Set Operations

see Granting a User Permissions to Pass a Role to an AWS Service. In the example below,
customized_admin_role refers to the administrator role the user needs to pass.
{

}

"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/customized_admin_role"
}]

Set Up Permissions to Control Stack Resource Inclusion
Use customized execution roles to control which stack resources users and groups can include in their
stack sets. For example, you might want to set up a group that can only include Amazon S3-related
resources in the stack sets they create, while another team can only include DynamoDB resources. To
do this, you create a trust relationship between the customized administrator role for each group and a
customized execution role for each set of resources. The customized execution role deﬁnes which stack
resources can be included in stack sets. The customized adminstrator role resides in the adminstrator
account, while the customized execution role resides in each target account in which you want to create
stack sets using the deﬁned resources. You then enable speciﬁc users and groups to use the customized
administration role when performing stack set operations.
For example you can create customized adminstrator roles A, B, and C in the administrator account.
Users and groups with permission to use Role A can create stack sets containing the stack resources
speciﬁcally listed in customized execution role X, but not those in roles Y or Z, or resource not included in
any execution role.

When updating a stack set, the user has the choice of specifying a customized administrator role. If
they specify a customized administrator role, AWS CloudFormation uses that role to update the stack,
subject to the requirements above. If the user does not specify a customized administrator role, AWS
CloudFormation performs the update using the customized administrator role previously associated
with the stack set, so long as the user has permissions to perform operations on that stack set. If that
customized administrator role no longer exists, AWS CloudFormation uses the default administrator role
you've deﬁned for the account, AWSCloudFormationAdministrationRole.
API Version 2010-05-15
476

AWS CloudFormation User Guide
Set Up Advanced Permissions
Options for Stack Set Operations

Similarly, the user can also specify a customized execution role. If they specify a customized execution
role, AWS CloudFormation uses that role to update the stack, subject to the requirements above. If the
user does not specify a customized execution role, AWS CloudFormation performs the update using the
customized execution role previously associated with the stack set, so long as the user has permissions to
perform operations on that stack set.

Set up permissions for which resources users and groups can include in speciﬁc stack sets
1.

In the target accounts in which you want to create your stack sets, create a customized execution
role that grants permissions to the services and resources that you want users and groups to be able
to include in the stack sets.
The following example provides the minimum permissions for stack sets, along with permission to
create DynamoDB tables.
{

{

"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action":
[
"cloudformation:*",
"s3:*",
"sns:*"
],
"Resource": "*"
},
"Effect": "Allow",
"Action":
[
"dynamoDb:createTable"

],

}

]

}

"Resource": "*"

You must provide the following trust policy when you create the role to deﬁne the trust relationship:
{

}

2.

"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::admin_account_id:role/customized_admin_role"
},
"Action": "sts:AssumeRole"
}
]

Create a customized administrator role in your adminstrator account, as detailed in Set Up Advanced
Permissions Options for Stack Set Operations (p. 473). Include a trust relationship between the
customized administrator role and the customized execution roles which you want it to use.
The following example includes an sts::AssumeRole policy for both the
AWSCloudFormationStackSetExecutionRole deﬁned for the target account, as well as a customized
execution role.
API Version 2010-05-15
477

AWS CloudFormation User Guide
Getting Started

{

"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1487980684000",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
"arn:aws:iam::*:role/custom_execution_role"
]
}
]

}

Set Up Permissions for Speciﬁc Stack Set Operations
In addition, you can set up permissions for which user and groups can perform speciﬁc stack set
operations, such as creating, updating, or deleting stack sets or stack instances. For more information,
see Actions, Resources, and Condition Keys for AWS CloudFormation in the IAM User Guide.

Getting Started with AWS CloudFormation
StackSets
Before you create your ﬁrst stack set, be sure that you have completed required account setup steps in
Prerequisites: Granting Permissions for Stack Set Operations (p. 470).
The template in this walkthrough enables AWS Conﬁg in a target account within the US West (Oregon)
Region (us-west-2) and US East (N. Virginia) Region (us-east-1). The Enable AWS Conﬁg template is
located in the following S3 bucket: https://s3.amazonaws.com/cloudformation-stackset-sampletemplates-us-east-1/EnableAWSConﬁg.yml. You can also choose this sample template in the StackSets
console.
Topics
• Create a New Stack Set (p. 478)
• Update Your Stack Set (p. 483)
• Add Stacks to a Stack Set (p. 488)
• Override Parameters on Stack Instances (p. 489)
• Delete Stack Instances (p. 490)
• Delete Stack Sets (p. 492)

Create a New Stack Set
You can create a stack set in either the AWS Management Console, or by using AWS CloudFormation
commands in the AWS CLI.

To create a stack set by using the AWS Management Console
1.

Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

2.

At the top of the page, choose StackSets, and then choose Create stack set.
API Version 2010-05-15
478

AWS CloudFormation User Guide
Create a New Stack Set

3.

On the Select template page of the Create stack set wizard, choose Select a sample template from
the following templates.

4.

Choose the Enable AWS Conﬁg sample template, and then choose Next.

API Version 2010-05-15
479

AWS CloudFormation User Guide
Create a New Stack Set

5.

On the Specify details page of the wizard, provide the following information.
a.

Provide a name for the stack set. Stack set names must begin with an alphabetical character,
and contain only letters, numbers, and hyphens. In this walkthrough, we use the name myawsconfig-stackset.

b.

You are prompted to specify values for parameters that are used by AWS Conﬁg. For more
information about these parameters, see Setting up AWS Conﬁg with the Console in the AWS

API Version 2010-05-15
480

AWS CloudFormation User Guide
Create a New Stack Set

Conﬁg Developer Guide. In this walkthrough, we will leave default settings for all AWS Conﬁg
parameters.
6.

In the Delivery Channel Conﬁguration area, you can conﬁgure the delivery channel for updates and
notiﬁcations. For more information about the delivery channel in AWS Conﬁg, see Managing the
Delivery Channel in the AWS Conﬁg Developer Guide. For the purposes of this walkthrough, we are
leaving default settings in this area.

7.

In the Delivery Notiﬁcations area, you can conﬁgure Amazon Simple Notiﬁcation Service (SNS)
updates by email, based on log content. For the purposes of this walkthrough, we are not
conﬁguring Amazon SNS updates.

8.

When you are ﬁnished specifying parameters for AWS Conﬁg, choose Next.

9.

On the Set deployment options page, provide the accounts and regions into which you want stacks
in your stack set deployed. AWS CloudFormation deploys stacks in the speciﬁed accounts within the
ﬁrst region, then moves on to the next, and so on, as long as a region's deployment failures do not
exceed a speciﬁed failure tolerance.

a.

In the Accounts area, choose Deploy stacks in accounts. Paste your target account numbers in
the text box, separating multiple numbers with commas.

b.

In the Regions area, choose US West (Oregon) Region and then choose Add. Repeat for the US
East (N. Virginia) Region. US West (Oregon) Region should be ﬁrst in the Deployment order box.
API Version 2010-05-15
481

AWS CloudFormation User Guide
Create a New Stack Set

c.

In the Preferences area, keep the default value of 1 and By number for Maximum concurrent
accounts. This means that AWS CloudFormation deploys your stack in only one account at one
time. Keep Failure tolerance at the default value of 0, and keep the By number default option.
This means that a maximum of one stack deployment can fail in one of your speciﬁed regions
before AWS CloudFormation stops deployment in the current region, and cancels deployment in
remaining regions. Choose Next.

10. On the Tags page, add a tag by specifying a key and value pair. In this walkthrough, we create a tag
called Stage, with a value of Test. Tags that you apply to stack sets are applied to all resources that
are created by your stacks. For more information about how tags are used in AWS, see Using Cost
Allocation Tags in the AWS Billing and Cost Management User Guide. After you specify the key-value
pair, choose + to save the tag. Choose Next.

11. On the Review page, review your choices and your stack set's properties. To make changes, choose
Edit in the area in which you want to change properties. Before you can create the stack set, you
must ﬁll the check box in the Capabilities area to acknowledge that some of the resources that
you are creating with the stack set might require new IAM resources and permissions. For more
information about potentially required permissions, see Acknowledging IAM Resources in AWS
CloudFormation Templates in this guide. When you are are ready to create your stack set, choose
Create.

12. AWS CloudFormation starts creating your stack set. View the progress and status of the creation of
the stacks in your stack set in the Properties page that opens when you choose Create.

API Version 2010-05-15
482

AWS CloudFormation User Guide
Update Your Stack Set

To create a stack set by using the AWS CLI
When you create stack sets by using AWS CLI commands, you run two separate commands: createstack-set to upload your template and create the stack set container, and create-stackinstances to create the stacks within your stack set. Start by running an AWS CLI command, createstack-set, to upload the sample AWS CloudFormation template that enables AWS Conﬁg, and then
start stack set creation.
1.
2.

Open the AWS CLI.
Run the following command. For the --template-url parameter, provide the URL of the Amazon
S3 bucket in which you are storing your template. For this walkthrough, we use my-awsconfigstackset as the value of the --stack-set-name parameter.
aws cloudformation create-stack-set --stack-set-name my-awsconfig-stackset --templateurl https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/
EnableAWSConfig.yml

3.

After your create-stack-set command is ﬁnished, run the list-stack-sets command to see
that your stack set has been created. You should see your new stack set in the results.
aws cloudformation list-stack-sets

4.

Run the create-stack-instances AWS CLI command to add stack instances to your stack set. In
this walkthrough, we use us-west-2 and us-east-1 as the values of the --regions parameter.
Set the failure tolerance and maximum concurrent accounts by setting FailureToleranceCount
to 0 and MaxConcurrentCount to 1 in the --operation-preferences parameter, as shown
in the following example. To apply percentages instead, use FailureTolerancePercentage
or MaxConcurrentPercentage. For the purposes of this walkthrough, we are using count, not
percentage.
aws cloudformation create-stack-instances --stack-set-name my-awsconfig-stackset -accounts '["account_ID_1","account_ID_2"]' --regions '["region_1","region_2"]' -operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1

Important

5.

Wait until an operation is complete before starting another one. You can run only one
operation at a time.
Verify that the stack instances were created successfully. Run DescribeStackSetOperation with
the operation-id that is returned as part of the output of step 4.
aws cloudformation describe-stack-set-operation --stack-set-name my-awsconfig-stackset
--operation-id operation_ID

Update Your Stack Set
You can update your stack set in either the AWS Management Console, or by using AWS CloudFormation
commands in the AWS CLI. In this walkthrough, we are changing the default snapshot delivery frequency
for delivery channel conﬁguration from 24hours to 12hours.
To override parameter values for speciﬁc stack instances, see Override Parameters on Stack
Instances (p. 489).

To update a stack set by using the AWS Management Console
1.

Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.
API Version 2010-05-15
483

AWS CloudFormation User Guide
Update Your Stack Set

2.

At the top of the page, choose StackSets.

3.

On the StackSets home page, select the stack set that you created in Create a New Stack
Set (p. 478). In this walkthrough, we created a stack set named my-awsconfig-stackset.

4.

With the stack set selected, choose Manage stacks in stack set from the Actions menu.

5.

Choose Edit stacks, and then choose Next.

6.

On the Select template page, choose whether you want to update the current template, specify
an S3 URL to another template, or upload a new template to AWS CloudFormation. In this
walkthrough, we are using the current template. Choose Current template: Update my-aws-conﬁgstackset, and then choose Next.

7.

On the Specify details page of the wizard, change the following information.
a.

You are prompted to specify values for parameters that are used by AWS Conﬁg. For more
information about these parameters, see Setting up AWS Conﬁg with the Console in the AWS
Conﬁg Developer Guide. In this walkthrough, we change the default snapshot delivery frequency
for delivery channel conﬁguration from 24hours to 12hours.

API Version 2010-05-15
484

AWS CloudFormation User Guide
Update Your Stack Set

b.

Do not make changes to the other parameters. For the purposes of this walkthrough, we are not
conﬁguring Amazon SNS updates.

8.

When you are ﬁnished updating the Delivery snapshot frequency parameter for AWS Conﬁg,
choose Next.

9.

On the Set deployment options page, keep the default value of 1 and By number for Maximum
concurrent accounts. This means that AWS CloudFormation updates your stack in only one account
at one time. Keep the default Failure tolerance of 0, and keep the By number default option. This
means that a maximum of one stack update can fail in one of your speciﬁed regions before AWS
CloudFormation stops updates in the current region, and cancels updates in remaining regions.
Choose Next.

Note

You cannot change accounts and regions here; that is, you cannot deploy stack set changes
to stacks in some accounts and regions, but not others.

API Version 2010-05-15
485

AWS CloudFormation User Guide
Update Your Stack Set

10. On the Tags page, no changes are needed, but you can update, delete, or add new tags here if
desired. For more information about how tags are used in AWS, see Using Cost Allocation Tags in the
AWS Billing and Cost Management User Guide. Choose Next.
11. On the Review page, review your choices and your stack set's properties. To make changes, choose
Edit in the upper-right corner of an area in which you want to change properties. Before you can
update the stack set, you must ﬁll the check box in the Capabilities area to acknowledge that some
of the resources that you are updating with the stack set might require new IAM resources and
permissions. For more information about potentially required permissions, see Acknowledging IAM
Resources in AWS CloudFormation Templates in this guide. When you are are ready to create your
stack set, choose Update stacks.

API Version 2010-05-15
486

AWS CloudFormation User Guide
Update Your Stack Set

12. AWS CloudFormation starts applying your updates to your stack set. You can view the progress and
status of updates on the stack set properties page that opens after you choose Update stacks. You
should see the updated Delivery snapshot frequency period in the AWS Conﬁg parameters.

To update a stack set template by using the AWS CLI
Run the update-stack-set AWS CLI command to make changes to your stack set. In this walkthrough,
we are updating the value of the MaximumExecutionFrequency parameter. For more information
about the parameter names and values for creating or updating an AWS Conﬁg rule, see put-conﬁg-rule
in the AWS CLI reference. To change template parameter values, add the --parameters parameter. For
more information about what you can specify as a value for --parameters, see Parameter in the AWS
CloudFormation API Reference, and update-stack in the AWS CLI Command Reference.
In the example command shown here, we are updating the stack set by using --parameters;
speciﬁcally, we change the default snapshot delivery frequency for delivery channel conﬁguration from
TwentyFour_Hours to Twelve_Hours. Because we are still using the current template, we add the -use-previous-template parameter.
API Version 2010-05-15
487

AWS CloudFormation User Guide
Add Stacks to a Stack Set

1.

Run the following command. For stack set name, specify the stack set name my-awsconfigstackset.
Set the failure tolerance and maximum concurrent accounts by setting FailureToleranceCount
to 0, and MaxConcurrentCount to 1 in the --operation-preferences parameter, as shown
in the following example. To apply percentages instead, use FailureTolerancePercentage
or MaxConcurrentPercentage. For the purposes of this walkthrough, we are using count, not
percentage.
aws cloudformation update-stack-set --stack-set-name myawsconfig-stackset --use-previous-template --parameters
ParameterKey=MaximumExecutionFrequency,ParameterValue=TwentyFour_Hours\\,Twelve_Hours
--operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1

2.

Verify that your stack set was updated successfully by running the describe-stack-setoperation command to show the status and results of your update operation. For --operationid, use the operation ID that was returned by your update-stack-set command.
aws cloudformation describe-stack-set-operation --operation-id operation_ID

Add Stacks to a Stack Set
When you create a stack set, you can create the stacks for that stack set. AWS CloudFormation also
enables you to add more stacks, for additional accounts and regions, at any point after the stack
set is created. You can add stack instances using either the AWS Management Console, or by using
AWS CloudFormation commands in the AWS CLI. In this procedure, we will add stack instances for an
additional region to the stack set we created in Create a New Stack Set (p. 478).

To add stacks to a stack set by using the AWS Management Console
1.

Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

2.

At the top of the page, choose StackSets. On the StackSets home page, select the stack set that you
created in Create a New Stack Set (p. 478). In this walkthrough, we created a stack set named myawsconfig-stackset.

3.

With the stack set selected, choose Manage stacks in stack set from the Actions menu.

4.

Choose Create stacks, and then choose Next.

5.

On the Set deployment options page, in the Accounts area, choose Create stacks from account.

6.

In the Create stacks from account text box, paste all target account IDs that you used to create your
stack set in Create a New Stack Set (p. 478).

7.

In the Regions area, choose US West (N. California), and then choose Add. You will be creating new
stacks, in the US West (N. California) region, for the accounts you've speciﬁed.

8.

In the Preferences area, leave the default value of 1 and By number for Maximum concurrent
accounts, and change the value of Failure tolerance to 1. Be sure Failure tolerance is also set to By
number. Choose Next.

9.

On the Set overrides page, leave the property values as speciﬁed. You won't be overriding any
property values for the stacks you're going to create. Choose Next.

10. On the Review page, review your choices and your stacks' properties. To make changes, choose Edit
in the area in which you want to change properties. When you are are ready to create your stacks,
choose Create stacks.
11. AWS CloudFormation starts creating your stacks. View the progress and status of the creation of the
stacks in your stack set in the Properties page that opens when you choose Create stacks.
API Version 2010-05-15
488

AWS CloudFormation User Guide
Override Parameters on Stack Instances

Override Parameters on Stack Instances
In certain cases, you might want stack instances in certain regions or accounts to have diﬀerent property
values than those speciﬁed in the stack set itself. For example, you might want to specify a diﬀerent
value for a given parameter based on whether an account is used for development or production.
For these situations, AWS CloudFormation allows you to override parameter values in stack instances
by account and region. You can override template parameter values when you ﬁrst create the stack
instances, and you can override parameter values for existing the stack instances. You can only set
parameters you've previously overridden in stack instances back to the values speciﬁed in the stack set.
Parameter value overrides apply to stack instances in the accounts and regions you select. During stack
set updates, any parameter values overridden for a stack instance are not updated, but retain their
overridden value.
You can only override parameter values that are speciﬁed in the stack set; to add or delete a parameter
itself, you need to update the stack set template. If you add a parameter to a stack set template, then
before you can override that parameter value in a stack instance you must ﬁrst update all stack instances
with the new parameter and value speciﬁed in the stack set. Once all stack instances have been updated
with the new parameter, you can then override the parameter value in individual stack instances as
desired.
To learn how to override stack set parameter values when you create stack instances, see Add Stacks to a
Stack Set (p. 488).

To override parameter values in stack instances by using the AWS Management Console
1.

Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

2.

At the top of the page, choose StackSets. On the StackSets home page, select the stack set that you
created in Create a New Stack Set (p. 478). In that walkthrough, we created a stack set named myawsconfig-stackset.

3.

With the stack set selected, choose Manage stacks in StackSet from the Actions menu.

4.

Choose Override parameters for selected stacks, and then choose Next

5.

On the Set deployment options page, in the Specify accounts area, choose Update stacks in
account.

6.

In the Account text box, paste some or all target account IDs that you used to create your stack set
in Create a New Stack Set (p. 478).

7.

In the Specify regions area, choose all regions (hold down Ctrl while selecting regions to select
multiple regions), and then choose Add to add all stack set regions to the list.

8.

In the Deployment options area, leave the default value of 1 and By number for Maximum
concurrent accounts, and change the value of Failure tolerance to 1. Be sure Failure tolerance is
also set to By number. Choose Next.

9.

On the Set overrides page, in the Delivery Channel Conﬁguration section, for the Snapshot
delivery frequency parameter check Override existing value and then select 6hours. You are
instructing AWS CloudFormation to override the Snapshot delivery frequency parameter value
and use 6hours for all the stack instances for the speciﬁed accounts in the speciﬁed regions. Choose
Next.

Note

To set any overridden parameters back to using the value speciﬁed in the stack set, select
Revert all parameters to StackSet values. Doing so removes all overridden values once you
update the stack instances.
10. Click Next.
11. On the Review page, review your choices. Note that the Snapshot delivery frequency parameter
displays an override icon, indicating that its value has been overridden at the stack level.
API Version 2010-05-15
489

AWS CloudFormation User Guide
Delete Stack Instances

Choose Edit in the upper right corner of each section to go back and make any changes, if necessary.
When you are ready to update your stacks with the overridden parameter, choose Update stacks.

Delete Stack Instances
You can delete stack instances from a stack set in either the AWS Management Console, or by using AWS
CloudFormation commands in the AWS CLI. In this procedure, we will delete all stacks.

To delete stack instances by using the AWS Management Console
1.

Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

2.

At the top of the page, choose StackSets. On the StackSets home page, select the stack set that you
created in Create a New Stack Set (p. 478). In this walkthrough, we created a stack set named myawsconfig-stackset.

3.

With the stack set selected, choose Manage stacks in stack set from the Actions menu.

4.

Choose Delete stacks, and then choose Next.

5.

On the Set deployment options page, in the Accounts area, choose Delete stacks from account.

API Version 2010-05-15
490

AWS CloudFormation User Guide
Delete Stack Instances

6.

In the Delete stacks from account text box, paste all target account IDs that you used to create your
stack set in Create a New Stack Set (p. 478).

7.

In the Regions area, choose all regions (hold down Ctrl while selecting regions to select multiple
regions), and then choose Add to add all stack set regions to the list. You are instructing AWS
CloudFormation to delete all stacks, in all target accounts across all regions.

8.

In the Preferences area, leave the default value of 1 and By number for Maximum concurrent
accounts, and change the value of Failure tolerance to 1. Be sure Failure tolerance is also set to By
number.

9.

In the Retain stacks area, keep the default setting, No.
When you are deleting stacks from a stack set, the Retain stacks option lets you choose to remove
the stack instances from your stack set, but save the stacks and their associated resources. When
you save stacks from a stack set by choosing the Retain stacks option, the stack's resources stay in
their current state, but the stack is no longer part of the stack set. You cannot reassociate a retained
stack, or add an existing, saved stack to a new stack set. The stack is permanently independent of a
stack set. In this procedure, we are deleting all stacks in preparation for deleting the entire stack set,
so we are not retaining stacks.

10. Choose Next.
11. On the Review page, review your choices. Choose Edit in the upper right corner of each section to go
back and make any changes, if necessary. When you are ready to delete your stacks, choose Delete
stacks.
12. After stack deletion is ﬁnished, you can verify that stack instances were deleted from your stack set
in the StackSets management console, on the home page.

To delete stack instances by using the AWS CLI
When you are ready to delete stack instances, run the delete-stack-instances AWS CLI command.
•

Run the following command, and replace account_ID with the accounts you used to create your
stack set in Create a New Stack Set (p. 478). For stack set name, specify the stack set name myawsconfig-stackset.
Set the failure tolerance and maximum concurrent accounts by setting FailureToleranceCount
to 0, and MaxConcurrentCount to 1 in the --operation-preferences parameter, as shown
in the following example. To apply percentages instead, use FailureTolerancePercentage
or MaxConcurrentPercentage. For the purposes of this walkthrough, we are using count, not
percentage.
API Version 2010-05-15
491

AWS CloudFormation User Guide
Delete Stack Sets

Because --retain-stacks is a required parameter of delete-stack-instances, if you do not
want to retain (save) stacks, add --no-retain-stacks. In this walkthrough, we add the --noretain-stacks parameter, because we are not retaining any stacks.
aws cloudformation delete-stack-instances --stack-set-name my-awsconfig-stackset -accounts '["account_ID_1","account_ID_2"]' --regions '["region_1","region_2"]' -operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1 --no-retain-stacks

After stack deletion is ﬁnished, you can verify that stack instances were deleted from your stack set
by running the describe-stack-set-operation command to show the status and results of
the delete stacks operation. For --operation-id, use the operation ID that was returned by your
delete-stack-instances command.
aws cloudformation describe-stack-set-operation --operation-id operation_ID

Delete Stack Sets
When you are ﬁnished with the AWS CloudFormation StackSets Getting Started walkthrough, you can
follow procedures in this section to delete stack sets and other resources that you have created as part
of this walkthrough. To delete a stack set, you must ﬁrst delete all stack instances in the stack set. For
information about how to delete all stack instances, see Delete Stack Instances (p. 490).

Delete Stack Set
After you have deleted all stack instances, you can delete the stack set.

To delete a stack set by using the AWS Management Console
1.

On the StackSets home page, select the stack set that you created in Create a New Stack
Set (p. 478). In this walkthrough, we created a stack set named my-awsconfig-stackset.

2.

With the stack set selected, choose Delete stack set from the Actions menu.

3.

When you are prompted to conﬁrm that you want to delete the stack set, choose Yes, Delete.

API Version 2010-05-15
492

AWS CloudFormation User Guide
Delete Stack Sets

To delete a stack set by using the AWS CLI
1.

Run the following command. When you are prompted to conﬁrm, type y, and then press Enter.
aws cloudformation delete-stack-set --stack-set-name my-awsconfig-stackset

2.

Verify that the stack set was deleted by running the list-stack-sets command. The results of
the list-stack-sets command should show your stack with a status of DELETED.
aws cloudformation list-stack-sets

Delete Service Roles (Optional)
Delete the service roles that you created as part of the Prerequisites: Granting Permissions for Stack Set
Operations (p. 470) for the walkthrough in this guide. The roles that you created to get started with
StackSets are named AWSCloudFormationStackSetAdministrationRole in the administrator account,
and AwsCloudFormationStackSetExecutionRole in each target account. For more information about
deleting roles, see Deleting Roles and Instance Proﬁles in the IAM User Guide.

To delete a service role by using the AWS Management Console
1.

Sign in to the AWS Management Console and open the IAM console at https://
console.aws.amazon.com/iam/.

2.

In the navigation pane, choose Roles, and then ﬁll the check box next to the role that you want to
delete.

3.

In the Role actions menu at the top of the page, choose Delete role.

4.

In the conﬁrmation dialog box, choose Yes, Delete. If you are sure, you can proceed with the
deletion even if the service last accessed data is still loading.

To delete a service role by using the AWS CLI
•

Run the following command. When you are prompted to conﬁrm, type y, and then press Enter.
aws iam delete-role --role-name role name

API Version 2010-05-15
493

AWS CloudFormation User Guide
Target account gates

Conﬁguring a target account gate in AWS
CloudFormation StackSets
An account gate is an optional feature that lets you specify an AWS Lambda function to verify that
a target account meets certain requirements before AWS CloudFormation StackSets begins stack
operations in that account. A common example of an account gate is verifying that there are no
CloudWatch alarms active or unresolved on the target account. StackSets invokes the function each
time you start stack operations in the target account, and only continues if the function returns a
SUCCEEDED code. If the Lambda function returns a status of FAILED, StackSets does not continue with
your requested operation. If you do not have an account gating Lambda function conﬁgured, StackSets
skips the check, and continues with your operation.
If your target account fails an account gate check, the failed operation counts toward your speciﬁed
failure tolerance number or percentage of stacks. For more information about failure tolerance, see Stack
set operation options (p. 468).
Account gating is only available for StackSets operations. This functionality is not available for other
AWS CloudFormation operations outside of StackSets.

Setup Requirements
The following list describes setup requirements for account gating.
• To work with the StackSets account gating functionality, your Lambda function must be named
AWSCloudFormationStackSetAccountGate.
• The AWSCloudFormationStackSetExecutionRole needs permissions to invoke your Lambda function.
Without these permissions, StackSets skips the account gating check, and continues with stack
operations.
• The Lambda InvokeFunction permission must be added to target accounts for account gating to
work. The target account trust policy must have a trust relationship with the administrator account.
The following is an example of a policy statement that grants Lambda invokefunction permissions.
{

}

"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": "*"
}
]

Sample Lambda Account Gating Functions
The following sample AWS CloudFormation templates are available for you to create Lambda
AWSCloudFormationStackSetAccountGate functions. For more information about how to create a new
stack using either of these templates, see Creating a Stack in this guide.

API Version 2010-05-15
494

AWS CloudFormation User Guide
Best Practices

Template Location

Description

https://s3.amazonaws.com/cloudformationstackset-templates-us-east-1/cloudformationstack-set-accountgate-succeeded.template

Creates a stack that implements a Lambda
account gate function that will return a status of
SUCCEEDED.

https://s3.amazonaws.com/cloudformationstackset-templates-us-east-1/cloudformationstack-set-accountgate-failed.template

Creates a stack that implements a Lambda
account gate function that will return a status of
FAILED.

Best Practices
Topics
• Deﬁning the Template (p. 495)
• Creating or Adding Stacks to the Stack Set (p. 495)
• Updating Stacks in a Stack Set (p. 495)
Review the AWS CloudFormation Best Practices.

Deﬁning the Template
• Deﬁne the template that you want to standardize in multiple accounts, within multiple regions.
• As you create the template, be sure that global resources (such as IAM roles and Amazon S3 buckets)
do not have naming conﬂicts when they are created in more than one region in the same account.
• A stack set has a single template and parameter set. The same stack is created in all accounts that are
associated with a stack set. As you author your templates, make them granular enough to allow you a
good balance of control and standardization. In this release, you cannot customize a stack per account
or region unless the template has per account or per region conﬁguration coded in it.
• We recommend that you store your template in an Amazon S3 bucket.

Creating or Adding Stacks to the Stack Set
• Verify that adding stack instances to your initial stack set works before you add larger numbers of
stack instances to your stack set.
• Choose the deployment (rollout) options that work for your use case.
• For a more conservative deployment, set Maximum Concurrent Accounts to 1, and Failure
Tolerance to 0. Set your lowest-impact region to be ﬁrst in the Region Order list. Start with one
region.
• For a faster deployment, increase the values of Maximum Concurrent Accounts and Failure
Tolerance as needed.
• Operations on stack sets depend on how many stack instances are involved, and can take signiﬁcant
time.

Updating Stacks in a Stack Set
• Updating a stack set always touches all stack instances. If you have 20 accounts each in two regions,
you will have 40 stack instances, and all will be updated when you update the stack set.
API Version 2010-05-15
495

AWS CloudFormation User Guide
Limitations of StackSets

We recommend that to test the updated version of a template, you create a test stack set with the
updated template, then add a few test accounts and deploy your template to the test stack set ﬁrst.
• Because you cannot update only selected stacks within a stack set, to get more granular control over
updating individual stacks within your stack set, plan to create multiple stack sets.
• Updating a stack set that contains a large number of stacks can take signiﬁcant time. In this release,
only one operation is permitted at a time on a stack set. Plan your updates so you are not blocked
from performing other operations on the stack set.

Limitations of StackSets
The following limits apply to AWS CloudFormation StackSets.
• StackSets is supported in all commercial regions of AWS. StackSets is not supported in the following
regions.
• China (Beijing) Region
• AWS GovCloud (US)
• You can create a maximum of 20 stack sets in your administrator account, and a maximum of 500
stack instances per stack set.
• StackSets does not currently support templates that use transforms. For more information about
transforms, see Transform in this guide.

AWS CloudFormation StackSets Sample Templates
This section includes links to some sample AWS CloudFormation templates that can help you use AWS
CloudFormation StackSets in your enterprise. Templates listed in this section enable AWS Conﬁg and
rules within it.

Sample Templates
Description

S3 Link

Enable AWS CloudTrail

https://s3.amazonaws.com/cloudformationstackset-sample-templates-us-east-1/
EnableAWSCloudtrail.yml

Enable AWS Conﬁg

https://s3.amazonaws.com/cloudformationstackset-sample-templates-us-east-1/
EnableAWSConﬁg.yml

Conﬁgure an AWS Conﬁg rule to determine if
CloudTrail is enabled

https://s3.amazonaws.com/cloudformationstackset-sample-templates-us-east-1/
ConﬁgRuleCloudtrailEnabled.yml

Conﬁgure an AWS Conﬁg rule to determine if root
MFA is enabled

https://s3.amazonaws.com/cloudformationstackset-sample-templates-us-east-1/
ConﬁgRuleRootAccountMFAEnabled.yml

Conﬁgure an AWS Conﬁg rule to determine if EIPs
are attached

https://s3.amazonaws.com/cloudformationstackset-sample-templates-us-east-1/
ConﬁgRuleEipAttached.yml

API Version 2010-05-15
496

AWS CloudFormation User Guide
Troubleshooting

Description

S3 Link

Conﬁgure an AWS Conﬁg rule to determine if EBS
volumes are encrypted

https://s3.amazonaws.com/cloudformationstackset-sample-templates-us-east-1/
ConﬁgRuleEncryptedVolumes.yml

Troubleshooting AWS CloudFormation StackSets
This topic contains some common AWS CloudFormation StackSets issues, and suggested solutions for
those issues.
Topics
• Common reasons for stack operation failure (p. 497)
• Retrying failed stack creation or update operations (p. 497)
• Stack instance deletion fails (p. 498)

Common reasons for stack operation failure
Problem: A stack operation failed, and the stack instance status is OUTDATED.
Cause: There can be several common causes for stack operation failure.
• Insuﬃcient permissions in a target account for creating resources that are speciﬁed in your template.
• The AWS CloudFormation template might have errors. Validate the template in AWS CloudFormation
and ﬁx errors before trying to create your stack set.
• The template could be trying to create global resources that must be unique but aren't, such as S3
buckets.
• A speciﬁed target account number doesn't exist. Check the target account numbers that you speciﬁed
on the Set deployment options page of the wizard.
• The administrator account does not have a trust relationship with the target account.
• The maximum number of a resource that is speciﬁed in your template already exists in your target
account. For example, you might have reached the limit of allowed IAM roles in a target account, but
the template creates more IAM roles.
• You have reached the maximum number of stacks that are allowed in a stack set. The maximum is 50.
Solution: For more information about the permissions required of target and administrator accounts
before you can create stack sets, see Set Up Basic Permissions for Stack Sets Operations (p. 470).

Retrying failed stack creation or update operations
Problem: A stack creation or update failed, and the stack instance status is OUTDATED. To troubleshoot
why a stack creation or update failed, open the AWS CloudFormation console, and view the events for
the stack, which will have a status of DELETED (for failed create operations) or FAILED (for failed update
operations). Browse the stack events, and ﬁnd the Status reason column. The value of Status reason
explains why the stack operation failed.
After you have ﬁxed the underlying cause of the stack creation failure, and you are ready to retry stack
creation, perform the following steps.
Solution: Perform the following steps to retry your stack operation.
API Version 2010-05-15
497

AWS CloudFormation User Guide
Stack instance deletion fails

1.
2.
3.

In the console, select the stack set that contains the stack on which the operation failed.
In the Actions menu, choose Manage stacks in stack set.
On the Select action page, choose Edit stacks to retry creating or updating stacks.

4.

On the Select template page, to use the same AWS CloudFormation template, keep the default
option, Current template. If your stack operation failed because the template required changes,
and you want to upload a revised template, choose Upload a template to Amazon S3 instead, and
then choose Browse to select your updated template. When you are ﬁnished uploading your revised
template, choose Next.

5.

On the Specify details page, if you are not changing any parameters that are speciﬁc to your
template, choose Next.
On the Set deployment options page, change defaults for Maximum concurrent accounts and
Failure tolerance, if desired. For more information about these settings, see Stack set operation
options (p. 468).

6.

7.

On the Tags page, add tags if desired. For more information about tags, see Stack set operation
options (p. 468). When you are ﬁnished adding tags, choose Next.

8.

On the Review page, review your selections, and ﬁll the checkbox to acknowledge required IAM
capabilities. Choose Update stacks.
If your stack is not successfully updated, repeat this procedure, after you've resolved any underlying
issues that are preventing stack creation.

9.

Stack instance deletion fails
Problem:A stack deletion has failed.
Cause:Stack deletion will fail for any stacks on which termination protection has been enabled.
Solution:Determine if termination protection has been enabled for the stack. If it has, disable
termination protection and then perform the stack instance deletion again.

API Version 2010-05-15
498

AWS CloudFormation User Guide
AWS Resource Types

Template Reference
This section details the supported resources, type names, intrinsic functions and pseudo parameters used
in AWS CloudFormation templates.
Topics
• AWS Resource Types Reference (p. 499)
• Resource Property Types Reference (p. 1581)
• AWS CloudFormation Resource Speciﬁcation (p. 2234)
• Resource Attribute Reference (p. 2244)
• Intrinsic Function Reference (p. 2264)
• Pseudo Parameters Reference (p. 2322)
• CloudFormation Helper Scripts Reference (p. 2324)

AWS Resource Types Reference
This section contains reference information for all AWS resources that are supported by AWS
CloudFormation
Resource type identiﬁers always take the following form:

AWS::aws-product-name::data-type-name

Topics
• AWS::AmazonMQ::Broker (p. 506)
• AWS::AmazonMQ::Conﬁguration (p. 513)
• AWS::ApiGateway::Account (p. 516)
• AWS::ApiGateway::ApiKey (p. 518)
• AWS::ApiGateway::Authorizer (p. 522)
• AWS::ApiGateway::BasePathMapping (p. 525)
• AWS::ApiGateway::ClientCertiﬁcate (p. 527)
• AWS::ApiGateway::Deployment (p. 528)
• AWS::ApiGateway::DocumentationPart (p. 531)
• AWS::ApiGateway::DocumentationVersion (p. 534)
• AWS::ApiGateway::DomainName (p. 538)
• AWS::ApiGateway::GatewayResponse (p. 545)
• AWS::ApiGateway::Method (p. 548)
• AWS::ApiGateway::Model (p. 556)
• AWS::ApiGateway::RequestValidator (p. 558)
• AWS::ApiGateway::Resource (p. 561)
• AWS::ApiGateway::RestApi (p. 563)
• AWS::ApiGateway::Stage (p. 570)
• AWS::ApiGateway::UsagePlan (p. 574)
API Version 2010-05-15
499

AWS CloudFormation User Guide
AWS Resource Types

• AWS::ApiGateway::UsagePlanKey (p. 577)
• AWS::ApiGateway::VpcLink (p. 578)
• AWS::ApplicationAutoScaling::ScalableTarget (p. 581)
• AWS::ApplicationAutoScaling::ScalingPolicy (p. 594)
• AWS::AppSync::ApiKey (p. 601)
• AWS::AppSync::DataSource (p. 604)
• AWS::AppSync::GraphQLApi (p. 608)
• AWS::AppSync::GraphQLSchema (p. 611)
• AWS::AppSync::Resolver (p. 613)
• AWS::Athena::NamedQuery (p. 618)
• AWS::AutoScaling::AutoScalingGroup (p. 620)
• AWS::AutoScaling::LaunchConﬁguration (p. 628)
• AWS::AutoScaling::LifecycleHook (p. 637)
• AWS::AutoScaling::ScalingPolicy (p. 640)
• AWS::AutoScaling::ScheduledAction (p. 646)
• AWS::AutoScalingPlans::ScalingPlan (p. 650)
• AWS::Batch::ComputeEnvironment (p. 651)
• AWS::Batch::JobDeﬁnition (p. 655)
• AWS::Batch::JobQueue (p. 658)
• AWS::Budgets::Budget (p. 660)
• AWS::CertiﬁcateManager::Certiﬁcate (p. 663)
• AWS::Cloud9::EnvironmentEC2 (p. 666)
• AWS::CloudFormation::Authentication (p. 668)
• AWS::CloudFormation::CustomResource (p. 674)
• AWS::CloudFormation::Init (p. 677)
• AWS::CloudFormation::Interface (p. 691)
• AWS::CloudFormation::Stack (p. 694)
• AWS::CloudFormation::WaitCondition (p. 696)
• AWS::CloudFormation::WaitConditionHandle (p. 699)
• AWS::CloudFront::Distribution (p. 700)
• AWS::CloudFront::CloudFrontOriginAccessIdentity (p. 703)
• AWS::CloudFront::StreamingDistribution (p. 705)
• AWS::CloudTrail::Trail (p. 708)
• AWS::CloudWatch::Alarm (p. 714)
• AWS::CloudWatch::Dashboard (p. 719)
• AWS::CodeBuild::Project (p. 720)
• AWS::CodeCommit::Repository (p. 729)
• AWS::CodeDeploy::Application (p. 731)
• AWS::CodeDeploy::DeploymentConﬁg (p. 733)
• AWS::CodeDeploy::DeploymentGroup (p. 735)
• AWS::CodePipeline::CustomActionType (p. 751)
• AWS::CodePipeline::Pipeline (p. 755)
• AWS::CodePipeline::Webhook (p. 760)
• AWS::Cognito::IdentityPool (p. 763)
• AWS::Cognito::IdentityPoolRoleAttachment (p. 766)
API Version 2010-05-15
500

AWS CloudFormation User Guide
AWS Resource Types

• AWS::Cognito::UserPool (p. 768)
• AWS::Cognito::UserPoolClient (p. 772)
• AWS::Cognito::UserPoolGroup (p. 774)
• AWS::Cognito::UserPoolUser (p. 776)
• AWS::Cognito::UserPoolUserToGroupAttachment (p. 779)
• AWS::Conﬁg::AggregationAuthorization (p. 780)
• AWS::Conﬁg::ConﬁgRule (p. 788)
• AWS::Conﬁg::ConﬁgurationAggregator (p. 794)
• AWS::Conﬁg::ConﬁgurationRecorder (p. 797)
• AWS::Conﬁg::DeliveryChannel (p. 799)
• AWS::DataPipeline::Pipeline (p. 801)
• AWS::DAX::Cluster (p. 810)
• AWS::DAX::ParameterGroup (p. 816)
• AWS::DAX::SubnetGroup (p. 818)
• AWS::DirectoryService::MicrosoftAD (p. 821)
• AWS::DirectoryService::SimpleAD (p. 825)
• AWS::DMS::Certiﬁcate (p. 828)
• AWS::DMS::Endpoint (p. 830)
• AWS::DMS::EventSubscription (p. 835)
• AWS::DMS::ReplicationInstance (p. 838)
• AWS::DMS::ReplicationSubnetGroup (p. 842)
• AWS::DMS::ReplicationTask (p. 845)
• AWS::DynamoDB::Table (p. 848)
• AWS::EC2::CustomerGateway (p. 861)
• AWS::EC2::DHCPOptions (p. 863)
• AWS::EC2::EgressOnlyInternetGateway (p. 867)
• AWS::EC2::EIP (p. 868)
• AWS::EC2::EIPAssociation (p. 870)
• AWS::EC2::FlowLog (p. 875)
• AWS::EC2::Host (p. 877)
• AWS::EC2::Instance (p. 879)
• AWS::EC2::InternetGateway (p. 890)
• AWS::EC2::LaunchTemplate (p. 891)
• AWS::EC2::NatGateway (p. 893)
• AWS::EC2::NetworkAcl (p. 895)
• AWS::EC2::NetworkAclEntry (p. 897)
• AWS::EC2::NetworkInterface (p. 901)
• AWS::EC2::NetworkInterfaceAttachment (p. 906)
• AWS::EC2::NetworkInterfacePermission (p. 908)
• AWS::EC2::PlacementGroup (p. 910)
• AWS::EC2::Route (p. 911)
• AWS::EC2::RouteTable (p. 915)
• AWS::EC2::SecurityGroup (p. 917)
• AWS::EC2::SecurityGroupEgress (p. 921)
• AWS::EC2::SecurityGroupIngress (p. 925)
API Version 2010-05-15
501

AWS CloudFormation User Guide
AWS Resource Types

• AWS::EC2::SpotFleet (p. 932)
• AWS::EC2::Subnet (p. 935)
• AWS::EC2::SubnetCidrBlock (p. 938)
• AWS::EC2::SubnetNetworkAclAssociation (p. 940)
• AWS::EC2::SubnetRouteTableAssociation (p. 942)
• AWS::EC2::Volume (p. 944)
• AWS::EC2::VolumeAttachment (p. 948)
• AWS::EC2::VPC (p. 950)
• AWS::EC2::VPCCidrBlock (p. 953)
• AWS::EC2::VPCDHCPOptionsAssociation (p. 956)
• AWS::EC2::VPCEndpoint (p. 958)
• AWS::EC2:: VPCEndpointConnectionNotiﬁcation (p. 961)
• AWS::EC2::VPCEndpointService (p. 963)
• AWS::EC2::VPCEndpointServicePermissions (p. 964)
• AWS::EC2::VPCGatewayAttachment (p. 965)
• AWS::EC2::VPCPeeringConnection (p. 967)
• AWS::EC2::VPNConnection (p. 977)
• AWS::EC2::VPNConnectionRoute (p. 980)
• AWS::EC2::VPNGateway (p. 982)
• AWS::EC2::VPNGatewayRoutePropagation (p. 984)
• AWS::ECR::Repository (p. 985)
• AWS::ECS::Cluster (p. 989)
• AWS::ECS::Service (p. 991)
• AWS::ECS::TaskDeﬁnition (p. 1002)
• AWS::EFS::FileSystem (p. 1009)
• AWS::EFS::MountTarget (p. 1013)
• AWS::EKS::Cluster (p. 1015)
• AWS::ElastiCache::CacheCluster (p. 1018)
• AWS::ElastiCache::ParameterGroup (p. 1026)
• AWS::ElastiCache::ReplicationGroup (p. 1028)
• AWS::ElastiCache::SecurityGroup (p. 1039)
• AWS::ElastiCache::SecurityGroupIngress (p. 1040)
• AWS::ElastiCache::SubnetGroup (p. 1041)
• AWS::ElasticBeanstalk::Application (p. 1043)
• AWS::ElasticBeanstalk::ApplicationVersion (p. 1045)
• AWS::ElasticBeanstalk::ConﬁgurationTemplate (p. 1047)
• AWS::ElasticBeanstalk::Environment (p. 1050)
• AWS::ElasticLoadBalancing::LoadBalancer (p. 1063)
• AWS::ElasticLoadBalancingV2::Listener (p. 1074)
• AWS::ElasticLoadBalancingV2::ListenerCertiﬁcate (p. 1077)
• AWS::ElasticLoadBalancingV2::ListenerRule (p. 1080)
• AWS::ElasticLoadBalancingV2::LoadBalancer (p. 1082)
• AWS::ElasticLoadBalancingV2::TargetGroup (p. 1088)
• AWS::Elasticsearch::Domain (p. 1096)
• AWS::EMR::Cluster (p. 1104)
API Version 2010-05-15
502

AWS CloudFormation User Guide
AWS Resource Types

• AWS::EMR::InstanceFleetConﬁg (p. 1122)
• AWS::EMR::InstanceGroupConﬁg (p. 1124)
• AWS::EMR::SecurityConﬁguration (p. 1127)
• AWS::EMR::Step (p. 1130)
• AWS::Events::Rule (p. 1132)
• AWS::GameLift::Alias (p. 1138)
• AWS::GameLift::Build (p. 1140)
• AWS::GameLift::Fleet (p. 1142)
• AWS::Glue::Classiﬁer (p. 1146)
• AWS::Glue::Connection (p. 1147)
• AWS::Glue::Crawler (p. 1149)
• AWS::Glue::Database (p. 1154)
• AWS::Glue::DevEndpoint (p. 1155)
• AWS::Glue::Job (p. 1157)
• AWS::Glue::Partition (p. 1162)
• AWS::Glue::Table (p. 1164)
• AWS::Glue::Trigger (p. 1165)
• AWS::GuardDuty::Detector (p. 1171)
• AWS::GuardDuty::Filter (p. 1172)
• AWS::GuardDuty::Master (p. 1175)
• AWS::GuardDuty::Member (p. 1177)
• AWS::GuardDuty::IPSet (p. 1180)
• AWS::GuardDuty::ThreatIntelSet (p. 1182)
• AWS::IAM::AccessKey (p. 1184)
• AWS::IAM::Group (p. 1186)
• AWS::IAM::InstanceProﬁle (p. 1188)
• AWS::IAM::ManagedPolicy (p. 1190)
• AWS::IAM::Policy (p. 1194)
• AWS::IAM::Role (p. 1197)
• AWS::IAM::ServiceLinkedRole (p. 1204)
• AWS::IAM::User (p. 1205)
• AWS::IAM::UserToGroupAddition (p. 1208)
• AWS::Inspector::AssessmentTarget (p. 1209)
• AWS::Inspector::AssessmentTemplate (p. 1211)
• AWS::Inspector::ResourceGroup (p. 1214)
• AWS::IoT::Certiﬁcate (p. 1215)
• AWS::IoT::Policy (p. 1218)
• AWS::IoT::PolicyPrincipalAttachment (p. 1220)
• AWS::IoT::Thing (p. 1221)
• AWS::IoT::ThingPrincipalAttachment (p. 1224)
• AWS::IoT::TopicRule (p. 1225)
• AWS::Kinesis::Stream (p. 1228)
• AWS::KinesisAnalytics::Application (p. 1231)
• AWS::KinesisAnalytics::ApplicationOutput (p. 1234)
• AWS::KinesisAnalytics::ApplicationReferenceDataSource (p. 1235)
API Version 2010-05-15
503

AWS CloudFormation User Guide
AWS Resource Types

• AWS::KinesisFirehose::DeliveryStream (p. 1237)
• AWS::KMS::Alias (p. 1245)
• AWS::KMS::Key (p. 1247)
• AWS::Lambda::EventSourceMapping (p. 1251)
• AWS::Lambda::Alias (p. 1254)
• AWS::Lambda::Function (p. 1257)
• AWS::Lambda::Permission (p. 1263)
• AWS::Lambda::Version (p. 1265)
• AWS::Logs::Destination (p. 1267)
• AWS::Logs::LogGroup (p. 1270)
• AWS::Logs::LogStream (p. 1272)
• AWS::Logs::MetricFilter (p. 1273)
• AWS::Logs::SubscriptionFilter (p. 1275)
• AWS::Neptune::DBCluster (p. 1278)
• AWS::Neptune::DBClusterParameterGroup (p. 1282)
• AWS::Neptune::DBInstance (p. 1284)
• AWS::Neptune::DBParameterGroup (p. 1288)
• AWS::Neptune::DBSubnetGroup (p. 1290)
• AWS::OpsWorks::App (p. 1293)
• AWS::OpsWorks::ElasticLoadBalancerAttachment (p. 1297)
• AWS::OpsWorks::Instance (p. 1298)
• AWS::OpsWorks::Layer (p. 1305)
• AWS::OpsWorks::Stack (p. 1316)
• AWS::OpsWorks::UserProﬁle (p. 1327)
• AWS::OpsWorks::Volume (p. 1329)
• AWS::RDS::DBCluster (p. 1331)
• AWS::RDS::DBClusterParameterGroup (p. 1338)
• AWS::RDS::DBInstance (p. 1341)
• AWS::RDS::DBParameterGroup (p. 1357)
• AWS::RDS::DBSecurityGroup (p. 1360)
• AWS::RDS::DBSecurityGroupIngress (p. 1363)
• AWS::RDS::DBSubnetGroup (p. 1365)
• AWS::RDS::EventSubscription (p. 1367)
• AWS::RDS::OptionGroup (p. 1370)
• AWS::Redshift::Cluster (p. 1373)
• AWS::Redshift::ClusterParameterGroup (p. 1381)
• AWS::Redshift::ClusterSecurityGroup (p. 1384)
• AWS::Redshift::ClusterSecurityGroupIngress (p. 1386)
• AWS::Redshift::ClusterSubnetGroup (p. 1388)
• AWS::Route53::HealthCheck (p. 1390)
• AWS::Route53::HostedZone (p. 1392)
• AWS::Route53::RecordSet (p. 1395)
• AWS::Route53::RecordSetGroup (p. 1401)
• AWS::S3::Bucket (p. 1403)
• AWS::S3::BucketPolicy (p. 1419)
API Version 2010-05-15
504

AWS CloudFormation User Guide
AWS Resource Types

• AWS::SageMaker::Endpoint (p. 1421)
• AWS::SageMaker::EndpointConﬁg (p. 1425)
• AWS::SageMaker::Model (p. 1430)
• AWS::SageMaker::NotebookInstance (p. 1435)
• AWS::SageMaker::NotebookInstanceLifecycleConﬁg (p. 1440)
• AWS::SDB::Domain (p. 1444)
• AWS::ServiceCatalog::AcceptedPortfolioShare (p. 1444)
• AWS::ServiceCatalog::CloudFormationProduct (p. 1445)
• AWS::ServiceCatalog::CloudFormationProvisionedProduct (p. 1448)
• AWS::ServiceCatalog::LaunchNotiﬁcationConstraint (p. 1453)
• AWS::ServiceCatalog::LaunchRoleConstraint (p. 1455)
• AWS::ServiceCatalog::LaunchTemplateConstraint (p. 1456)
• AWS::ServiceCatalog::Portfolio (p. 1458)
• AWS::ServiceCatalog::PortfolioPrincipalAssociation (p. 1460)
• AWS::ServiceCatalog::PortfolioProductAssociation (p. 1461)
• AWS::ServiceCatalog::PortfolioShare (p. 1463)
• AWS::ServiceCatalog::TagOption (p. 1464)
• AWS::ServiceCatalog::TagOptionAssociation (p. 1465)
• AWS::ServiceDiscovery::Instance (p. 1466)
• AWS::ServiceDiscovery::PrivateDnsNamespace (p. 1468)
• AWS::ServiceDiscovery::PublicDnsNamespace (p. 1470)
• AWS::ServiceDiscovery::Service (p. 1471)
• AWS::SES::ConﬁgurationSet (p. 1473)
• AWS::SES::ConﬁgurationSetEventDestination (p. 1475)
• AWS::SES::ReceiptFilter (p. 1479)
• AWS::SES::ReceiptRule (p. 1480)
• AWS::SES::ReceiptRuleSet (p. 1484)
• AWS::SES::Template (p. 1486)
• AWS::SNS::Subscription (p. 1488)
• AWS::SNS::Topic (p. 1492)
• AWS::SNS::TopicPolicy (p. 1494)
• AWS::SQS::Queue (p. 1495)
• AWS::SQS::QueuePolicy (p. 1503)
• AWS::SSM::Association (p. 1504)
• AWS::SSM::Document (p. 1507)
• AWS::SSM::MaintenanceWindow (p. 1511)
• AWS::SSM::MaintenanceWindowTarget (p. 1513)
• AWS::SSM::MaintenanceWindowTask (p. 1515)
• AWS::SSM::Parameter (p. 1518)
• AWS::SSM::PatchBaseline (p. 1522)
• AWS::SSM::ResourceDataSync (p. 1524)
• AWS::StepFunctions::Activity (p. 1527)
• AWS::StepFunctions::StateMachine (p. 1529)
• AWS::WAF::ByteMatchSet (p. 1532)
• AWS::WAF::IPSet (p. 1535)
• AWS::WAF::Rule (p. 1539)
API Version 2010-05-15
505

AWS CloudFormation User Guide
AWS::AmazonMQ::Broker

• AWS::WAF::SizeConstraintSet (p. 1541)
• AWS::WAF::SqlInjectionMatchSet (p. 1544)
• AWS::WAF::WebACL (p. 1547)
• AWS::WAF::XssMatchSet (p. 1551)
• AWS::WAFRegional::ByteMatchSet (p. 1555)
• AWS::WAFRegional::IPSet (p. 1558)
• AWS::WAFRegional::Rule (p. 1561)
• AWS::WAFRegional::SizeConstraintSet (p. 1563)
• AWS::WAFRegional::SqlInjectionMatchSet (p. 1567)
• AWS::WAFRegional::WebACL (p. 1570)
• AWS::WAFRegional::WebACLAssociation (p. 1574)
• AWS::WAFRegional::XssMatchSet (p. 1575)
• AWS::WorkSpaces::Workspace (p. 1579)

AWS::AmazonMQ::Broker
A broker is a message broker environment running on Amazon MQ. It is the basic building block of
Amazon MQ.
The AWS::AmazonMQ::Broker resource lets you create Amazon MQ brokers, add conﬁguration changes
or modify users for the speciﬁed broker, return information about the speciﬁed broker, and delete the
speciﬁed broker. For more information, see Amazon MQ Basic Elements in the Amazon MQ Developer
Guide.
Topics
• Syntax (p. 506)
• Properties (p. 507)
• Return Values (p. 509)
• Examples (p. 510)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::AmazonMQ::Broker",
"Properties" : {
"AutoMinorVersionUpgrade" : Boolean,
"BrokerName" : String,
"Users" : [ User (p. 1596), ... ],
"Configuration" : ConfigurationId (p. 1594),
"DeploymentMode" : String,
"EngineType" : String,
"EngineVersion" : String,
"HostInstanceType" : String,
"MaintenanceWindowStartTime" : MaintenanceWindow (p. 1595),
"PubliclyAccessible" : Boolean,
"SecurityGroups" : [ String, ... ],
"SubnetIds" : [ String, ... ]
}

API Version 2010-05-15
506

AWS CloudFormation User Guide
AWS::AmazonMQ::Broker
}

YAML
Type: "AWS::AmazonMQ::Broker"
Properties:
AutoMinorVersionUpgrade: Boolean
BrokerName: String
Users:
- User (p. 1596)
Configuration:
ConfigurationId (p. 1594)
DeploymentMode: String
EngineType: String
EngineVersion: String
HostInstanceType: String
MaintenanceWindowStartTime: MaintenanceWindow (p. 1595)
PubliclyAccessible: Boolean
SecurityGroups:
- String
SubnetIds:
- String

Properties
AutoMinorVersionUpgrade
Enables automatic upgrades to new minor versions for brokers, as Apache releases the versions. The
automatic upgrades occur during the maintenance window of the broker or after a manual broker
reboot.
Required: Yes
Type: Boolean
Update requires: Replacement (p. 119)
BrokerName
The name of the broker. This value must be unique in your AWS account, 1-50 characters long, must
contain only letters, numbers, dashes, and underscores, and must not contain whitespaces, brackets,
wildcard characters, or special characters.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Users
The list of all ActiveMQ usernames for the speciﬁed broker.
Required: Yes
Type: List of Amazon MQ Broker User (p. 1596) property types
Update requires: Some interruptions (p. 119)
Configuration
The broker conﬁguration. If no conﬁguration exists for a broker, Amazon MQ creates a default
conﬁguration.
API Version 2010-05-15
507

AWS CloudFormation User Guide
AWS::AmazonMQ::Broker

Note

You can use AWS CloudFormation to modify—but not delete—an Amazon MQ
conﬁguration.
Required: No
Type: Amazon MQ Broker ConﬁgurationId (p. 1594)
Update requires: Some interruptions (p. 119)
DeploymentMode
The deployment mode of the broker. SINGLE_INSTANCE creates a single-instance broker in a
single Availability Zone. ACTIVE_STANDBY_MULTI_AZ creates an active/standby broker for high
availability.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
EngineType
The type of broker engine.

Note

Currently, Amazon MQ supports only ACTIVEMQ.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
EngineVersion
The version of the broker engine.

Note

Currently, Amazon MQ supports only 5.15.0.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
HostInstanceType
The broker's instance type. For more information, see Instance Types in the Amazon MQ Developer
Guide.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
MaintenanceWindowStartTime
The parameters that determine the WeeklyStartTime.
Required: No
Type: Amazon MQ Broker MaintenanceWindow (p. 1595)
Update requires: Replacement (p. 119)
API Version 2010-05-15
508

AWS CloudFormation User Guide
AWS::AmazonMQ::Broker

PubliclyAccessible
Enables connections from applications outside of the VPC that hosts the broker's subnets.
Required: Yes
Type: Boolean
Update requires: Replacement (p. 119)
SecurityGroups
The list of rules (1 minimum, 125 maximum) that authorize connections to brokers.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
SubnetIds
The list of groups (2 maximum) that deﬁne which subnets and IP ranges the broker can use from
diﬀerent Availability Zones. A SINGLE_INSTANCE deployment requires one subnet (for example, the
default subnet). An ACTIVE_STANDBY_MULTI_AZ deployment requires two subnets.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::AmazonMQ::Broker resource to the intrinsic Ref function, the
function returns the Amazon MQ broker ID. For example:
b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon Resource Name (ARN) of the Amazon MQ broker.
arn:aws:mq:useast-2:123456789012:broker:MyBroker:b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9

ConfigurationId
The unique ID that Amazon MQ generates for the conﬁguration.
c-1234a5b6-78cd-901e-2fgh-3i45j6k178l9

API Version 2010-05-15
509

AWS CloudFormation User Guide
AWS::AmazonMQ::Broker

ConfigurationRevision
The revision number of the conﬁguration.
1

For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Basic Amazon MQ Broker
The following example creates a basic Amazon MQ broker with one user that belongs to a group.

Note

We don't recommend including plaintext passwords in AWS CloudFormation templates. To
securely retrieve your user credentials, add a Ref to your template. For example, you can create
a Lambda function and use it to retrieve encrypted credentials stored in a DynamoDB table.
For more information, see Using AWS Lambda with Amazon DynamoDB in the AWS Lambda
Developer Guide.

JSON
{

}

"Description": "Create a basic AmazonMQ broker",
"Resources": {
"BasicBroker": {
"Type": "AWS::AmazonMQ::Broker",
"Properties": {
"AutoMinorVersionUpgrade": "false",
"BrokerName": "MyBasicBroker",
"DeploymentMode": "SINGLE_INSTANCE",
"EngineType": "ActiveMQ",
"EngineVersion": "5.15.0",
"HostInstanceType": "mq.t2.micro",
"PubliclyAccessible": "true",
"Users": [
{
"ConsoleAccess": "true",
"Groups": [
"MyGroup"
],
"Password" : { "Ref" : "AmazonMqPassword" },
"Username" : { "Ref" : "AmazonMqUsername" }
}
]
}
}
}

YAML
--Description: "Create a basic AmazonMQ broker"
Resources:
BasicBroker:
Type: "AWS::AmazonMQ::Broker"
Properties:
AutoMinorVersionUpgrade: "false"

API Version 2010-05-15
510

AWS CloudFormation User Guide
AWS::AmazonMQ::Broker
BrokerName: MyBasicBroker
DeploymentMode: SINGLE_INSTANCE
EngineType: ActiveMQ
EngineVersion: "5.15.0"
HostInstanceType: mq.t2.micro
PubliclyAccessible: "true"
Users:
ConsoleAccess: "true"
Groups:
- MyGroup
Password:
Ref: "BrokerPassword"
Username:
Ref: "BrokerUsername"

Complex Amazon MQ Broker
The following example creates a complex Amazon MQ broker with two users that don't belong to a
group and one user that belongs in a group.

Note

We don't recommend including plaintext passwords in AWS CloudFormation templates. To
securely retrieve your user credentials, add a Ref to your template. For example, you can create
a Lambda function and use it to retrieve encrypted credentials stored in a DynamoDB table.
For more information, see Using AWS Lambda with Amazon DynamoDB in the AWS Lambda
Developer Guide.

JSON
{

"Description": "Create a complex AmazonMQ broker",
"Resources": {
"ComplexBroker": {
"Type": "AWS::AmazonMQ::Broker",
"Properties": {
"AutoMinorVersionUpgrade": "false",
"BrokerName": "MyComplexBroker",
"Configuration": {
"Id": { "Ref": "Configuration1" },
"Revision" : { "Fn::GetAtt": ["Configuration1", "Revision"] }
},
"DeploymentMode": "SINGLE_INSTANCE",
"EngineType": "ActiveMQ",
"EngineVersion": "5.15.0",
"HostInstanceType": "mq.t2.micro",
"MaintenanceWindowStartTime": {
"DayOfWeek": "Monday",
"TimeOfDay": "22:45",
"TimeZone": "America/Los_Angeles"
},
"PubliclyAccessible": "true",
"SecurityGroups": [
"sg-a1b234cd",
"sg-e5f678gh"
],
"SubnetIds": [
"subnet-12a3b45c",
"subnet-67d8e90f"
],
"Users": [{
"ConsoleAccess": "true",
"Password" : { "Ref" : "AmazonMqPassword1" },
"Username" : { "Ref" : "AmazonMqUsername1" }

API Version 2010-05-15
511

AWS CloudFormation User Guide
AWS::AmazonMQ::Broker

}

}

}

}

}, {
"Password" : {
"Username" : {
}, {
"Groups": [
"MyGroup1",
"MyGroup2"
],
"Password" : {
"Username" : {
}]

"Ref" : "AmazonMqPassword2" },
"Ref" : "AmazonMqUsername2" }

"Ref" : "AmazonMqPassword3" },
"Ref" : "AmazonMqUsername3" }

YAML
--Description: "Create a complex AmazonMQ broker"
Resources:
ComplexBroker:
Type: "AWS::AmazonMQ::Broker"
Properties:
AutoMinorVersionUpgrade: "false"
BrokerName: MyComplexBroker
Configuration:
Id: !GetAtt Configuration1.Id
Revision: !GetAtt Configuration1.Revision
DeploymentMode: SINGLE_INSTANCE
EngineType: ActiveMQ
EngineVersion: "5.15.0"
HostInstanceType: mq.t2.micro
MaintenanceWindowStartTime:
DayOfWeek: Monday
TimeOfDay: "22:45"
TimeZone: America/Los_Angeles
PubliclyAccessible: "true"
SecurityGroups:
- "sg-a1b234cd"
- "sg-e5f678gh"
SubnetIds:
- "subnet-12a3b45c"
- "subnet-67d8e90f"
Users:
ConsoleAccess: "true"
Password:
Ref: "BrokerPassword1"
Username:
Ref: "BrokerUsername1"
Password:
Ref: "BrokerPassword2"
Username:
Ref: "BrokerUsername2"
Groups:
- MyGroup1
- MyGroup2
Password:
Ref: "BrokerPassword3"
Username:
Ref: "BrokerUsername3"

API Version 2010-05-15
512

AWS CloudFormation User Guide
AWS::AmazonMQ::Conﬁguration

AWS::AmazonMQ::Conﬁguration
A conﬁguration contains all of the settings for your ActiveMQ broker, in XML format.
The AWS::AmazonMQ::Configuration resource lets you create Amazon MQ conﬁgurations, add
conﬁguration changes or modify users, and return information about the speciﬁed conﬁguration. For
more information, see Conﬁguration and Amazon MQ Broker Conﬁguration Parameters in the Amazon
MQ Developer Guide.
Topics
• Syntax (p. 513)
• Properties (p. 513)
• Return Values (p. 514)
• Examples (p. 515)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::AmazonMQ::Configuration",
"Properties" : {
"Data" : String,
"Description" : String,
"EngineType" : String,
"EngineVersion" : String,
"Name" : String
}

YAML
Type: "AWS::AmazonMQ::Configuration"
Properties:
Data: String
Description: String
EngineType: String
EngineVersion: String
Name: String

Properties
Data
The base64-encoded XML conﬁguration.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Description
The description of the conﬁguration.
API Version 2010-05-15
513

AWS CloudFormation User Guide
AWS::AmazonMQ::Conﬁguration

Required: No
Type: String
Update requires: No interruption (p. 118)
EngineType
The type of broker engine.

Note

Currently, Amazon MQ supports only ACTIVEMQ.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
EngineVersion
The version of the broker engine.

Note

Currently, Amazon MQ supports only 5.15.0.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Name
The name of the conﬁguration. This value can contain only alphanumeric characters, dashes,
periods, underscores, and tildes (- . _ ~). This value must be 1-150 characters long.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::AmazonMQ::Configuration resource to the intrinsic Ref
function, the function returns the Amazon MQ conﬁguration ID. For example:
c-1234a5b6-78cd-901e-2fgh-3i45j6k178l9

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
API Version 2010-05-15
514

AWS CloudFormation User Guide
AWS::AmazonMQ::Conﬁguration

Arn
The Amazon Resource Name (ARN) of the Amazon MQ conﬁguration.

arn:aws:mq:useast-2:123456789012:configuration:MyConfigurationDevelopment:c-1234a5b6-78cd-901e-2fgh-3i45j6k178l9

Revision
The revision number of the conﬁguration.
1

For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Amazon MQ Conﬁguration
The following example creates an Amazon MQ conﬁguration in XML format.

JSON
{

"Description": "Create an Amazon MQ configuration",
"Configuration1": {
"Type": "AWS::AmazonMQ::Configuration",
"Properties": {
"Data": {
"Fn::Base64": "\n\n \n
\n
\n
\">\n
\n
\n
\n
\n
\n
policyMap>\n \n \n \n\n"
},
"EngineType": "ACTIVEMQ",
"EngineVersion": "5.15.0",
"Name": "my-configuration-1"
}
}
}

YAML
--Description: "Create an Amazon MQ configuration"
Resources:
Configuration:
Type: "AWS::AmazonMQ::Configuration"
Properties:
Data:
? "Fn::Base64"
: |



API Version 2010-05-15
515















EngineType: ACTIVEMQ
EngineVersion: "5.15.0"
Name: my-configuration-1

AWS::ApiGateway::Account
The AWS::ApiGateway::Account resource speciﬁes the AWS Identity and Access Management
(IAM) role that Amazon API Gateway (API Gateway) uses to write API logs to Amazon CloudWatch Logs
(CloudWatch Logs).

Important

If an API Gateway resource has never been created in your AWS account, you must add a
dependency on another API Gateway resource, such as an AWS::ApiGateway::RestApi (p. 563)
or AWS::ApiGateway::ApiKey (p. 518) resource.
If an API Gateway resource has been created in your AWS account, no dependency is required
(even if the resource was deleted).
Topics
• Syntax (p. 516)
• Properties (p. 517)
• Return Value (p. 517)
• Example (p. 517)

Syntax
The syntax for declaring this resource:

JSON
{

}

"Type" : "AWS::ApiGateway::Account",
"Properties" : {
"CloudWatchRoleArn": String
}

YAML
Type: AWS::ApiGateway::Account
Properties:
CloudWatchRoleArn: String

API Version 2010-05-15
516

AWS CloudFormation User Guide
AWS::ApiGateway::Account

Properties
CloudWatchRoleArn
The Amazon Resource Name (ARN) of an IAM role that has write access to CloudWatch Logs in your
account.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ID of the
resource, such as mysta-accou-01234b567890example.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates an IAM role that API Gateway can assume to push logs to CloudWatch
Logs. The example associates the role with the AWS::ApiGateway::Account resource.

JSON
"CloudWatchRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": { "Service": [ "apigateway.amazonaws.com" ] },
"Action": "sts:AssumeRole"
}]
},
"Path": "/",
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/
AmazonAPIGatewayPushToCloudWatchLogs"]
}
},
"Account": {
"Type": "AWS::ApiGateway::Account",
"Properties": {
"CloudWatchRoleArn": { "Fn::GetAtt": ["CloudWatchRole", "Arn"] }
}
}

YAML
CloudWatchRole:
Type: AWS::IAM::Role
Properties:

API Version 2010-05-15
517

AWS CloudFormation User Guide
AWS::ApiGateway::ApiKey
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- "apigateway.amazonaws.com"
Action: "sts:AssumeRole"
Path: "/"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
Account:
Type: AWS::ApiGateway::Account
Properties:
CloudWatchRoleArn:
"Fn::GetAtt":
- CloudWatchRole
- Arn

AWS::ApiGateway::ApiKey
The AWS::ApiGateway::ApiKey resource creates a unique key that you can distribute to clients who
are executing Amazon API Gateway (API Gateway) Method resources that require an API key. To specify
which API key clients must use, map the API key with the RestApi and Stage resources that include the
methods that require a key.
Topics
• Syntax (p. 518)
• Properties (p. 519)
• Return Value (p. 520)
• Examples (p. 520)
• See Also (p. 521)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ApiGateway::ApiKey",
"Properties" : {
"CustomerId" : String,
"Description" : String,
"Enabled" : Boolean,
"GenerateDistinctId" : Boolean,
"Name" : String,
"StageKeys" : [ StageKey (p. 1597), ... ]
}

YAML
Type: AWS::ApiGateway::ApiKey
Properties:
CustomerId: String

API Version 2010-05-15
518

AWS CloudFormation User Guide
AWS::ApiGateway::ApiKey
Description: String
Enabled: Boolean
GenerateDistinctId: Boolean
Name: String
StageKeys:
- StageKey (p. 1597)
- ...

Properties
CustomerId
An AWS Marketplace customer identiﬁer to use when integrating with the AWS SaaS Marketplace.
Required: No
Type: String
Update requires: No interruption (p. 118)
Description
A description of the purpose of the API key.
Required: No
Type: String
Update requires: No interruption (p. 118)
Enabled
Indicates whether the API key can be used by clients.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
GenerateDistinctId
Speciﬁes whether the key identiﬁer is distinct from the created API key value.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
Name
A name for the API key. If you don't specify a name, AWS CloudFormation generates a unique
physical ID and uses that ID for the API key name. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
API Version 2010-05-15
519

AWS CloudFormation User Guide
AWS::ApiGateway::ApiKey

Update requires: Replacement (p. 119)
StageKeys
A list of stages to associate with this API key.
Required: No
Type: List of Amazon API Gateway ApiKey StageKey (p. 1597) property types
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the API key ID,
such as m2m1k7sybf.
For more information about using the Ref function, see Ref (p. 2311).

Examples
The following example creates an API key and associates it with the Test stage of the
TestAPIDeployment deployment. To ensure that AWS CloudFormation creates the stage and
deployment (which are declared elsewhere in the same template) before the API key, the example adds
an explicit dependency on the deployment and stage. Without this dependency, AWS CloudFormation
might create the API key ﬁrst, which would cause the association to fail because the deployment and
stage wouldn't exist.

JSON
"ApiKey": {
"Type": "AWS::ApiGateway::ApiKey",
"DependsOn": ["TestAPIDeployment", "Test"],
"Properties": {
"Name": "TestApiKey",
"Description": "CloudFormation API Key V1",
"Enabled": "true",
"StageKeys": [{
"RestApiId": { "Ref": "RestApi" },
"StageName": "Test"
}]
}
}

YAML
ApiKey:
Type: AWS::ApiGateway::ApiKey
DependsOn:
- "TestAPIDeployment"
- "Test"
Properties:
Name: "TestApiKey"
Description: "CloudFormation API Key V1"
Enabled: "true"

API Version 2010-05-15
520

AWS CloudFormation User Guide
AWS::ApiGateway::ApiKey
StageKeys:
- RestApiId:
Ref: "RestApi"
StageName: "Test"

The following example creates an API key, and enables you to specify a customer ID and whether to
create a distinct ID.

JSON
{

}

"Parameters": {
"apiKeyName": {
"Type": "String"
},
"customerId": {
"Type": "String"
},
"generateDistinctId": {
"Type": "String"
}
},
"Resources": {
"ApiKey": {
"Type": "AWS::ApiGateway::ApiKey",
"Properties": {
"CustomerId": {
"Ref": "customerId"
},
"GenerateDistinctId": {
"Ref": "generateDistinctId"
},
"Name": {
"Ref": "apiKeyName"
}
}
}
}

YAML
Parameters:
apiKeyName:
Type: String
customerId:
Type: String
generateDistinctId:
Type: String
Resources:
ApiKey:
Type: AWS::ApiGateway::ApiKey
Properties:
CustomerId: !Ref customerId
GenerateDistinctId: !Ref generateDistinctId
Name: !Ref apiKeyName

See Also
• apikey:create operation in the Amazon API Gateway REST API Reference
API Version 2010-05-15
521

AWS CloudFormation User Guide
AWS::ApiGateway::Authorizer

AWS::ApiGateway::Authorizer
The AWS::ApiGateway::Authorizer resource creates an authorization layer that Amazon API
Gateway (API Gateway) activates for methods that have authorization enabled. API Gateway activates
the authorizer when a client calls those methods.
Topics
• Syntax (p. 522)
• Properties (p. 522)
• Return Value (p. 524)
• Examples (p. 525)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ApiGateway::Authorizer",
"Properties" : {
"AuthType" : String,
"AuthorizerCredentials" : String,
"AuthorizerResultTtlInSeconds" : Integer,
"AuthorizerUri" : String,
"IdentitySource" : String,
"IdentityValidationExpression" : String,
"Name" : String,
"ProviderARNs" : [ String, ... ],
"RestApiId" : String,
"Type" : String
}

YAML
Type: AWS::ApiGateway::Authorizer
Properties:
AuthType: String
AuthorizerCredentials: String
AuthorizerResultTtlInSeconds: Integer
AuthorizerUri: String
IdentitySource: String
IdentityValidationExpression: String
Name: String
ProviderARNs:
- String
RestApiId: String
Type: String

Properties
AuthType
An optional customer-deﬁned ﬁeld that's used in Swagger imports and exports without functional
impact.
API Version 2010-05-15
522

AWS CloudFormation User Guide
AWS::ApiGateway::Authorizer

Required: No
Type: String
Update requires: No interruption (p. 118)
AuthorizerCredentials
The credentials that are required for the authorizer. To specify an AWS Identity and Access
Management (IAM) role that API Gateway assumes, specify the role's Amazon Resource Name (ARN).
To use resource-based permissions on the AWS Lambda (Lambda) function, specify null.
Required: No
Type: String
Update requires: No interruption (p. 118)
AuthorizerResultTtlInSeconds
The time-to-live (TTL) period, in seconds, that speciﬁes how long API Gateway caches authorizer
results. If you specify a value greater than 0, API Gateway caches the authorizer responses. By
default, API Gateway sets this property to 300. The maximum value is 3600, or 1 hour.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
AuthorizerUri
The authorizer's Uniform Resource Identiﬁer (URI). If you specify TOKEN for the
authorizer's Type property, specify a Lambda function URI that has the form
arn:aws:apigateway:region:lambda:path/path. The path usually has the form
/2015-03-31/functions/LambdaFunctionARN/invocations.
Required: Conditional. Specify this property for Lambda functions only.
Type: String
Update requires: No interruption (p. 118)
IdentitySource
The source of the identity in an incoming request. If you specify TOKEN for the authorizer's Type
property, specify a mapping expression. The custom header mapping expression has the form
method.request.header.name, where name is the name of a custom authorization header that
clients submit as part of their requests.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
IdentityValidationExpression
A validation expression for the incoming identity. If you specify TOKEN for the authorizer's Type
property, specify a regular expression. API Gateway uses the expression to attempt to match the
incoming client token, and proceeds if the token matches. If the token doesn't match, API Gateway
responds with a 401 (unauthorized request) error code.
API Version 2010-05-15
523

AWS CloudFormation User Guide
AWS::ApiGateway::Authorizer

Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the authorizer.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ProviderARNs
A list of the Amazon Cognito user pool Amazon Resource Names (ARNs) to associate with this
authorizer. For more information, see Use Amazon Cognito Your User Pool in the API Gateway
Developer Guide.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
RestApiId
The ID of the RestApi resource that API Gateway creates the authorizer in.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Type
The type of authorizer. Valid values include:
• TOKEN: A custom authorizer that uses a Lambda function.
• COGNITO_USER_POOLS: An authorizer that uses Amazon Cognito user pools.
• REQUEST: An authorizer that uses a Lambda function using incoming request parameters.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the authorizer's
ID, such as abcde1.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
524

AWS CloudFormation User Guide
AWS::ApiGateway::BasePathMapping

Examples
The following examples create a custom authorizer that is an AWS Lambda function.

JSON
"Authorizer": {
"Type": "AWS::ApiGateway::Authorizer",
"Properties": {
"AuthorizerCredentials": { "Fn::GetAtt": ["LambdaInvocationRole", "Arn"] },
"AuthorizerResultTtlInSeconds": "300",
"AuthorizerUri" : {"Fn::Join" : ["", [
"arn:aws:apigateway:",
{"Ref" : "AWS::Region"},
":lambda:path/2015-03-31/functions/",
{"Fn::GetAtt" : ["LambdaAuthorizer", "Arn"]}, "/invocations"
]]},
"Type": "TOKEN",
"IdentitySource": "method.request.header.Auth",
"Name": "DefaultAuthorizer",
"RestApiId": {
"Ref": "RestApi"
}
}
}

YAML
Authorizer:
Type: AWS::ApiGateway::Authorizer
Properties:
AuthorizerCredentials:
Fn::GetAtt:
- "LambdaInvocationRole"
- "Arn"
AuthorizerResultTtlInSeconds: "300"
AuthorizerUri:
Fn::Join:
- ""
- "arn:aws:apigateway:"
- Ref: "AWS::Region"
- ":lambda:path/2015-03-31/functions/"
- Fn::GetAtt:
- "LambdaAuthorizer"
- "Arn"
- "/invocations"
Type: "TOKEN"
IdentitySource: "method.request.header.Auth"
Name: "DefaultAuthorizer"
RestApiId:
Ref: "RestApi"

AWS::ApiGateway::BasePathMapping
The AWS::ApiGateway::BasePathMapping resource creates a base path that clients who call your
Amazon API Gateway API must use in the invocation URL.
Topics
• Syntax (p. 526)
API Version 2010-05-15
525

AWS CloudFormation User Guide
AWS::ApiGateway::BasePathMapping

• Properties (p. 526)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ApiGateway::BasePathMapping",
"Properties" : {
"BasePath" : String,
"DomainName" : String,
"RestApiId" : String,
"Stage" : String
}

YAML
Type: AWS::ApiGateway::BasePathMapping
Properties:
BasePath: String
DomainName: String
RestApiId: String
Stage: String

Properties
BasePath
The base path name that callers of the API must provide in the URL after the domain name. If you
specify this property, it can't be an empty string.
Required: No
Type: String
Update requires: Replacement (p. 119)
DomainName
The domain name of a DomainName resource.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
RestApiId
The name of the API.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
526

AWS CloudFormation User Guide
AWS::ApiGateway::ClientCertiﬁcate

Stage
The name of the API's stage.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS::ApiGateway::ClientCertiﬁcate
The AWS::ApiGateway::ClientCertificate resource creates a client certiﬁcate that Amazon API
Gateway (API Gateway) uses to conﬁgure client-side SSL authentication for sending requests to the
integration endpoint.
Topics
• Syntax (p. 527)
• Properties (p. 527)
• Return Value (p. 528)
• Example (p. 528)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ApiGateway::ClientCertificate",
"Properties" : {
"Description" : String
}

YAML
Type: AWS::ApiGateway::ClientCertificate
Properties:
Description: String

Properties
Description
A description of the client certiﬁcate.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
527

AWS CloudFormation User Guide
AWS::ApiGateway::Deployment

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the client
certiﬁcate name, such as abc123.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a client certiﬁcate that you can use with an API Gateway deployment and
stage.

JSON
"TestClientCertificate": {
"Type": "AWS::ApiGateway::ClientCertificate",
"Properties": {
"Description": "A test client certificate"
}
}

YAML
TestClientCertificate:
Type: AWS::ApiGateway::ClientCertificate
Properties:
Description: "A test client certificate"

AWS::ApiGateway::Deployment
The AWS::ApiGateway::Deployment resource deploys an Amazon API Gateway (API Gateway)
RestApi (p. 563) resource to a stage so that clients can call the API over the Internet. The stage acts
as an environment.
Topics
• Syntax (p. 528)
• Properties (p. 529)
• Return Value (p. 529)
• Examples (p. 530)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ApiGateway::Deployment",
"Properties" : {
"Description" : String,
"RestApiId" : String,
"StageDescription" : StageDescription (p. 1598),
"StageName" : String

API Version 2010-05-15
528

AWS CloudFormation User Guide
AWS::ApiGateway::Deployment

}

}

YAML
Type: AWS::ApiGateway::Deployment
Properties:
Description: String
RestApiId: String
StageDescription: StageDescription (p. 1598)
StageName: String

Properties
Description
A description of the purpose of the API Gateway deployment.
Required: No
Type: String
Update requires: No interruption (p. 118)
RestApiId
The ID of the RestApi (p. 563) resource to deploy.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
StageDescription
Conﬁgures the stage that API Gateway creates with this deployment.
Required: No
Type: Amazon API Gateway Deployment StageDescription (p. 1598)
Update requires: No interruption (p. 118)
StageName
A name for the stage that API Gateway creates with this deployment. Use only alphanumeric
characters.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the deployment
ID, such as 123abc.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
529

AWS CloudFormation User Guide
AWS::ApiGateway::Deployment

Examples
The following sections provide examples for declaring API Gateway deployments.

Deployment with an Empty Embedded Stage
The following example deploys the MyApi API to a stage named DummyStage.

JSON
"Deployment": {
"Type": "AWS::ApiGateway::Deployment",
"Properties": {
"RestApiId": { "Ref": "MyApi" },
"Description": "My deployment",
"StageName": "DummyStage"
}
}

YAML
Deployment:
Type: AWS::ApiGateway::Deployment
Properties:
RestApiId:
Ref: "MyApi"
Description: "My deployment"
StageName: "DummyStage"

AWS::ApiGateway::Method Dependency
If you create a AWS::ApiGateway::RestApi resource and its methods (using
AWS::ApiGateway::Method) in the same template as your deployment, the deployment must depend
on the RestApi's methods. To create a dependency, add a DependsOn attribute to the deployment. If
you don't, AWS CloudFormation creates the deployment right after it creates the RestApi resource that
doesn't contain any methods, and AWS CloudFormation encounters the following error: The REST API
doesn't contain any methods.

JSON
"Deployment": {
"DependsOn": "MyMethod",
"Type": "AWS::ApiGateway::Deployment",
"Properties": {
"RestApiId": { "Ref": "MyApi" },
"Description": "My deployment",
"StageName": "DummyStage"
}
}

YAML
Deployment:
DependsOn: "MyMethod"
Type: AWS::ApiGateway::Deployment
Properties:
RestApiId:
Ref: "MyApi"
Description: "My deployment"

API Version 2010-05-15
530

AWS CloudFormation User Guide
AWS::ApiGateway::DocumentationPart
StageName: "DummyStage"

AWS::ApiGateway::DocumentationPart
The AWS::ApiGateway::DocumentationPart resource creates a documentation part for an Amazon
API Gateway API entity. For more information, see Representation of API Documentation in API Gateway
in the API Gateway Developer Guide.
Topics
• Syntax (p. 531)
• Properties (p. 531)
• Return Value (p. 532)
• Example (p. 532)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ApiGateway::DocumentationPart",
"Properties" : {
"Location" : Location (p. 1602),
"Properties" : String,
"RestApiId" : String
}

YAML
Type: AWS::ApiGateway::DocumentationPart
Properties:
Location:
Location (p. 1602)
Properties: String
RestApiId: String

Properties
Note

For more information about each property, including constraints and valid values, see
DocumentationPart in the Amazon API Gateway REST API Reference.
Location
The location of the API entity that the documentation applies to.
Required: Yes
Type: Amazon API Gateway DocumentationPart Location (p. 1602)
Update requires: Replacement (p. 119)
Properties
The documentation content map of the targeted API entity.
API Version 2010-05-15
531

AWS CloudFormation User Guide
AWS::ApiGateway::DocumentationPart

Required: Yes
Type: String
Update requires: No interruption (p. 118)
RestApiId
The identiﬁer of the targeted API entity.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When you pass the logical ID of an AWS::ApiGateway::DocumentationPart resource to the intrinsic
Ref function, the function returns the ID of the documentation part, such as abc123.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example associates a documentation part for an API entity with a documentation version.

JSON
{

"Parameters": {
"apiName": {
"Type": "String"
},
"description": {
"Type": "String"
},
"version": {
"Type": "String"
},
"type": {
"Type": "String"
},
"property": {
"Type": "String"
}
},
"Resources": {
"RestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Name": {
"Ref": "apiName"
}
}
},
"DocumentationPart": {
"Type": "AWS::ApiGateway::DocumentationPart",

API Version 2010-05-15
532

AWS CloudFormation User Guide
AWS::ApiGateway::DocumentationPart
"Properties": {
"Location": {
"Type": {
"Ref": "type"
}
},
"RestApiId": {
"Ref": "RestApi"
},
"Property": {
"Ref": "property"
}
}

}

}

},
"DocumentationVersion": {
"Type": "AWS::ApiGateway::DocumentationVersion",
"Properties": {
"Description": {
"Ref": "description"
},
"DocumentationVersion": {
"Ref": "version"
},
"RestApiId": {
"Ref": "RestApi"
}
},
"DependsOn": "DocumentationPart"
}

YAML
Parameters:
apiName:
Type: String
description:
Type: String
version:
Type: String
type:
Type: String
property:
Type: String
Resources:
RestApi:
Type: AWS::ApiGateway::RestApi
Properties:
Name: !Ref apiName
DocumentationPart:
Type: AWS::ApiGateway::DocumentationPart
Properties:
Location:
Type: !Ref type
RestApiId: !Ref RestApi
Property: !Ref property
DocumentationVersion:
Type: AWS::ApiGateway::DocumentationVersion
Properties:
Description: !Ref description
DocumentationVersion: !Ref version
RestApiId: !Ref RestApi
DependsOn: DocumentationPart

API Version 2010-05-15
533

AWS CloudFormation User Guide
AWS::ApiGateway::DocumentationVersion

AWS::ApiGateway::DocumentationVersion
The AWS::ApiGateway::DocumentationVersion resource creates a snapshot of the documentation
for an Amazon API Gateway API entity. For more information, see Representation of API Documentation
in API Gateway in the API Gateway Developer Guide.
Topics
• Syntax (p. 534)
• Properties (p. 534)
• Example (p. 535)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ApiGateway::DocumentationVersion",
"Properties" : {
"Description" : String,
"DocumentationVersion" : String,
"RestApiId" : String
}

YAML
Type: AWS::ApiGateway::DocumentationVersion
Properties:
Description: String
DocumentationVersion: String
RestApiId: String

Properties
Note

For more information about each property, see DocumentationVersion in the Amazon API
Gateway REST API Reference.
Description
The description of the API documentation snapshot.
Required: No
Type: String
Update requires: No interruption (p. 118)
DocumentationVersion
The version identiﬁer of the API documentation snapshot.
Required: Yes
API Version 2010-05-15
534

AWS CloudFormation User Guide
AWS::ApiGateway::DocumentationVersion

Type: String
Update requires: Replacement (p. 119)
RestApiId
The identiﬁer of the targeted API entity.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Example
The following example associates a documentation version with an API stage.

JSON
{

"Parameters": {
"apiName": {
"Type": "String"
},
"description": {
"Type": "String"
},
"property": {
"Type": "String"
},
"stageName": {
"Type": "String"
},
"type": {
"Type": "String"
},
"version": {
"Type": "String"
}
},
"Resources": {
"Deployment": {
"Type": "AWS::ApiGateway::Deployment",
"Properties": {
"RestApiId": {
"Ref": "RestApi"
}
},
"DependsOn": [
"Method"
]
},
"DocumentationPart": {
"Type": "AWS::ApiGateway::DocumentationPart",
"Properties": {
"Location": {
"Type": {
"Ref": "type"
}
},

API Version 2010-05-15
535

AWS CloudFormation User Guide
AWS::ApiGateway::DocumentationVersion
"RestApiId": {
"Ref": "RestApi"
},
"Property": {
"Ref": "property"
}

}
},
"DocumentationVersion": {
"Type": "AWS::ApiGateway::DocumentationVersion",
"Properties": {
"Description": {
"Ref": "description"
},
"DocumentationVersion": {
"Ref": "version"
},
"RestApiId": {
"Ref": "RestApi"
}
},
"DependsOn": "DocumentationPart"
},
"Method": {
"Type": "AWS::ApiGateway::Method",
"Properties": {
"AuthorizationType": "NONE",
"HttpMethod": "POST",
"ResourceId": {
"Fn::GetAtt": [
"RestApi",
"RootResourceId"
]
},
"RestApiId": {
"Ref": "RestApi"
},
"Integration": {
"Type": "MOCK"
}
}
},
"RestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Name": {
"Ref": "apiName"
}
}
},
"Stage": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"DeploymentId": {
"Ref": "Deployment"
},
"DocumentationVersion": {
"Ref": "version"
},
"RestApiId": {
"Ref": "RestApi"
},
"StageName": {
"Ref": "stageName"
}
},

API Version 2010-05-15
536

AWS CloudFormation User Guide
AWS::ApiGateway::DocumentationVersion

}

}

}

"DependsOn": "DocumentationVersion"

YAML
Parameters:
apiName:
Type: String
description:
Type: String
property:
Type: String
stageName:
Type: String
type:
Type: String
version:
Type: String
Resources:
Deployment:
Type: AWS::ApiGateway::Deployment
Properties:
RestApiId: !Ref RestApi
DependsOn:
- Method
DocumentationPart:
Type: AWS::ApiGateway::DocumentationPart
Properties:
Location:
Type: !Ref type
RestApiId: !Ref RestApi
Property: !Ref property
DocumentationVersion:
Type: AWS::ApiGateway::DocumentationVersion
Properties:
Description: !Ref description
DocumentationVersion: !Ref version
RestApiId: !Ref RestApi
DependsOn: DocumentationPart
Method:
Type: AWS::ApiGateway::Method
Properties:
AuthorizationType: NONE
HttpMethod: POST
ResourceId: !GetAtt
- RestApi
- RootResourceId
RestApiId: !Ref RestApi
Integration:
Type: MOCK
RestApi:
Type: AWS::ApiGateway::RestApi
Properties:
Name: !Ref apiName
Stage:
Type: AWS::ApiGateway::Stage
Properties:
DeploymentId: !Ref Deployment
DocumentationVersion: !Ref version
RestApiId: !Ref RestApi
StageName: !Ref stageName
DependsOn: DocumentationVersion

API Version 2010-05-15
537

AWS CloudFormation User Guide
AWS::ApiGateway::DomainName

AWS::ApiGateway::DomainName
The AWS::ApiGateway::DomainName resource speciﬁes a custom domain name for your API in
Amazon API Gateway (API Gateway).
You can use a custom domain name to provide a URL that's more intuitive and easier to recall. For more
information about using custom domain names, see Use Custom Domain Name as API Gateway API Host
Name in the API Gateway Developer Guide.
Topics
• Syntax (p. 538)
• Properties (p. 538)
• Return Values (p. 539)
• Examples (p. 540)
• See Also (p. 545)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::ApiGateway::DomainName",
"Properties": {
"CertificateArn": String,
"DomainName": String,
"EndpointConfiguration" : EndpointConfiguration (p. 1604),
"RegionalCertificateArn" : String
}

YAML
Type: AWS::ApiGateway::DomainName
Properties:
CertificateArn: String
DomainName: String
EndpointConfiguration:
EndpointConfiguration (p. 1604)
RegionalCertificateArn: String

Properties
CertificateArn
The reference to an AWS-managed certiﬁcate for use by the edge-optimized endpoint for this
domain name. AWS Certiﬁcate Manager is the only supported source. For requirements and
additional information about setting up certiﬁcates, see Get Certiﬁcates Ready in AWS Certiﬁcate
Manager in the API Gateway Developer Guide.
Required: No
Type: String
API Version 2010-05-15
538

AWS CloudFormation User Guide
AWS::ApiGateway::DomainName

Update requires: No interruption (p. 118)
DomainName
The custom domain name for your API in Amazon API Gateway.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
EndpointConfiguration
A list of the endpoint types of the domain name.
Required: No
Type: API Gateway DomainName EndpointConﬁguration (p. 1604)
Update requires: No interruption (p. 118)
RegionalCertificateArn
The reference to an AWS-managed certiﬁcate for use by the regional endpoint for the domain name.
AWS Certiﬁcate Manager is the only supported source.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the domain
name.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. This section lists the available attribute
and a sample return value.
DistributionDomainName
The Amazon CloudFront distribution domain name that's mapped to the custom domain name. This
is only applicable for endpoints whose type is EDGE.
Example: d111111abcdef8.cloudfront.net
DistributionHostedZoneId
The region-agnostic Amazon Route 53 Hosted Zone ID of the edge-optimized endpoint. The valid
value is Z2FDTNDATAQYW2 for all the regions.
Example: Z2FDTNDATAQYW2
API Version 2010-05-15
539

AWS CloudFormation User Guide
AWS::ApiGateway::DomainName

RegionalDomainName
The domain name associated with the regional endpoint for this custom domain name. You set
up this association by adding a DNS record that points the custom domain name to this regional
domain name.
RegionalHostedZoneId
The region-speciﬁc Amazon Route 53 Hosted Zone ID of the regional endpoint.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Create Custom Domain
The following example creates a custom domain name of api.mydomain.com.

JSON
"MyDomainName": {
"Type": "AWS::ApiGateway::DomainName",
"Properties": {
"DomainName": "api.mydomain.com",
"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/fb1b9770-a305-495daefb-27e5e101ff3"
}
}

YAML
MyDomainName:
Type: 'AWS::ApiGateway::DomainName'
Properties:
DomainName: api.mydomain.com
CertificateArn: arn:aws:acm:us-east-1:111122223333:certificate/fb1b9770-a305-495daefb-27e5e101ff3

Create Custom Domain from Parameters
The following example creates a custom domain name of example.mydomain.com.

JSON
{

"Parameters": {
"basePath": {
"Type": "String",
"Default": "examplepath"
},
"domainName": {
"Type": "String",
"Default": "example.mydomain.com"
},
"restApiName": {
"Type": "String",
"Default": "exampleapi"
}
},

API Version 2010-05-15
540

AWS CloudFormation User Guide
AWS::ApiGateway::DomainName

}

"Resources": {
"myCertificate": {
"Type": "AWS::CertificateManager::Certificate",
"Properties": {
"DomainName": {
"Ref": "domainName"
}
}
},
"myDomainName": {
"Type": "AWS::ApiGateway::DomainName",
"Properties": {
"CertificateArn": {
"Ref": "myCertificate"
},
"DomainName": {
"Ref": "domainName"
}
}
},
"myMapping": {
"Type": "AWS::ApiGateway::BasePathMapping",
"Properties": {
"BasePath": {
"Ref": "basePath"
},
"DomainName": {
"Ref": "myDomainName"
},
"RestApiId": {
"Ref": "myRestApi"
}
}
},
"myRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Name": {
"Ref": "restApiName"
}
}
}
},
"Outputs": {
"domainName": {
"Value": {
"Fn::GetAtt": [
"myDomainName",
"DistributionDomainName"
]
}
}
}

YAML
Parameters:
basePath:
Type: String
Default: examplepath
domainName:
Type: String
Default: example.mydomain.com

API Version 2010-05-15
541

AWS CloudFormation User Guide
AWS::ApiGateway::DomainName
restApiName:
Type: String
Default: exampleapi
Resources:
myCertificate:
Type: 'AWS::CertificateManager::Certificate'
Properties:
DomainName: !Ref domainName
myDomainName:
Type: 'AWS::ApiGateway::DomainName'
Properties:
CertificateArn: !Ref myCertificate
DomainName: !Ref domainName
myMapping:
Type: 'AWS::ApiGateway::BasePathMapping'
Properties:
BasePath: !Ref basePath
DomainName: !Ref myDomainName
RestApiId: !Ref myRestApi
myRestApi:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Name: !Ref restApiName
Outputs:
domainName:
Value: !GetAtt
- myDomainName
- DistributionDomainName

The following example creates a custom domain name that speciﬁes a regional certiﬁcate ARN and an
endpoint type.

JSON
{

"Parameters": {
"cfnDomainName": {
"Type": "String"
},
"certificateArn": {
"Type": "String"
},
"type": {
"Type": "String"
}
},
"Resources": {
"myDomainName": {
"Type": "AWS::ApiGateway::DomainName",
"Properties": {
"CertificateArn": {
"Ref": "certificateArn"
},
"DomainName": {
"Ref": "cfnDomainName"
},
"EndpointConfiguration": {
"Types": [
{
"Ref": "type"
}
]
},

API Version 2010-05-15
542

AWS CloudFormation User Guide
AWS::ApiGateway::DomainName
"RegionalCertificateArn": {
"Ref": "certificateArn"
}

}

}

}
},
"DomainName": {
"Value": {
"Ref": "myDomainName"
}
}

YAML
Parameters:
cfnDomainName:
Type: String
certificateArn:
Type: String
type:
Type: String
Resources:
myDomainName:
Type: AWS::ApiGateway::DomainName
Properties:
CertificateArn: !Ref certificateArn
DomainName: !Ref cfnDomainName
EndpointConfiguration:
Types:
- !Ref type
RegionalCertificateArn: !Ref certificateArn
DomainName:
Value: !Ref myDomainName

Create Domain Names and Zone IDs as Outputs
The following example deﬁnes the distribution and regional domain names, as well as the distribution
and regional hosted zone IDs, as outputs from the stack.

JSON
"Resources": {
"myDomainName": {
"Type": "AWS::ApiGateway::DomainName",
"Properties": {
"CertificateArn": {
"Ref": "certificateArn"
},
"DomainName": {
"Ref": "cfnDomainName"
},
"EndpointConfiguration": {
"Types": [
{
"Ref": "type"
}
]
},
"RegionalCertificateArn": {
"Ref": "certificateArn"
}

API Version 2010-05-15
543

AWS CloudFormation User Guide
AWS::ApiGateway::DomainName

}

}

},
"Outputs": {
"DistributionDomainName": {
"Value": {
"Fn::GetAtt": [
"myDomainName",
"DistributionDomainName"
]
}
},
"DistributionHostedZoneId": {
"Value": {
"Fn::GetAtt": [
"myDomainName",
"DistributionHostedZoneId"
]
}
},
"RegionalDomainName": {
"Value": {
"Fn::GetAtt": [
"myDomainName",
"RegionalDomainName"
]
}
},
"RegionalHostedZoneId": {
"Value": {
"Fn::GetAtt": [
"myDomainName",
"RegionalHostedZoneId"
]
}
}
}

YAML
Resources:
myDomainName:
Type: 'AWS::ApiGateway::DomainName'
Properties:
CertificateArn: !Ref certificateArn
DomainName: !Ref cfnDomainName
EndpointConfiguration:
Types:
- !Ref type
RegionalCertificateArn: !Ref certificateArn
Outputs:
DistributionDomainName:
Value: !GetAtt
- myDomainName
- DistributionDomainName
DistributionHostedZoneId:
Value: !GetAtt
- myDomainName
- DistributionHostedZoneId
RegionalDomainName:
Value: !GetAtt
- myDomainName
- RegionalDomainName
RegionalHostedZoneId:

API Version 2010-05-15
544

AWS CloudFormation User Guide
AWS::ApiGateway::GatewayResponse
Value: !GetAtt
- myDomainName
- RegionalHostedZoneId

See Also
• domainname:create operation in the Amazon API Gateway REST API Reference

AWS::ApiGateway::GatewayResponse
The AWS::ApiGateway::GatewayResponse resource creates a custom response for your API Gateway
API. For more information, see API Gateway Responses in the API Gateway Developer Guide.
Topics
• Syntax (p. 545)
• Properties (p. 545)
• Examples (p. 546)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ApiGateway::GatewayResponse",
"Properties" : {
"ResponseParameters" : { String:String, ... },
"ResponseTemplates" : { String:String, ... },
"ResponseType" : String,
"RestApiId" : String,
"StatusCode" : String
}

YAML
Type: AWS::ApiGateway::GatewayResponse
Properties:
ResponseParameters:
String: String
ResponseTemplates:
String: String
ResponseType: String
RestApiId: String
StatusCode: String

Properties
ResponseParameters
The response parameters (paths, query strings, and headers) for the response. Duplicates not
allowed.
Required: No
API Version 2010-05-15
545

AWS CloudFormation User Guide
AWS::ApiGateway::GatewayResponse

Type: String to string map
Update requires: No interruption (p. 118)
ResponseTemplates
The response templates for the response. Duplicates not allowed.
Required: No
Type: String to string map
Update requires: No interruption (p. 118)
ResponseType
The response type. For valid values, see GatewayResponse in the API Gateway API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
RestApiId
The identiﬁer of the targeted API entity.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
StatusCode
The HTTP status code for the response.
Required: No
Type: String
Update requires: No interruption (p. 118)

Examples
404 Response
The following example returns a 404 status code for resource not found instead of missing
authentication token for a CORS request (applicable to unsecured/unrestricted APIs).

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Name": "myRestApi"
}
},
"GatewayResponse": {
"Type": "AWS::ApiGateway::GatewayResponse",

API Version 2010-05-15
546

AWS CloudFormation User Guide
AWS::ApiGateway::GatewayResponse

}

}

}

"Properties": {
"ResponseParameters": {
"gatewayresponse.header.Access-Control-Allow-Origin": "'*'",
"gatewayresponse.header.Access-Control-Allow-Headers": "'*'"
},
"ResponseType": "MISSING_AUTHENTICATION_TOKEN",
"RestApiId": {
"Ref": "RestApi"
},
"StatusCode": "404"
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
RestApi:
Type: AWS::ApiGateway::RestApi
Properties:
Name: myRestApi
GatewayResponse:
Type: AWS::ApiGateway::GatewayResponse
Properties:
ResponseParameters:
gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
ResponseType: MISSING_AUTHENTICATION_TOKEN
RestApiId: !Ref RestApi
StatusCode: '404'

Parameterized Response
The following example creates a response for an API based on the supplied parameters.

JSON
{

"Parameters": {
"apiName": {
"Type": "String"
},
"responseParameter1": {
"Type": "String"
},
"responseParameter2": {
"Type": "String"
},
"responseType": {
"Type": "String"
},
"statusCode": {
"Type": "String"
}
},
"Resources": {
"RestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Name": {
"Ref": "apiName"

API Version 2010-05-15
547

AWS CloudFormation User Guide
AWS::ApiGateway::Method

}

}

}

}

},
"GatewayResponse": {
"Type": "AWS::ApiGateway::GatewayResponse",
"Properties": {
"ResponseParameters": {
"gatewayresponse.header.k1": {
"Ref": "responseParameter1"
},
"gatewayresponse.header.k2": {
"Ref": "responseParameter2"
}
},
"ResponseType": {
"Ref": "responseType"
},
"RestApiId": {
"Ref": "RestApi"
},
"StatusCode": {
"Ref": "statusCode"
}
}
}

YAML
Parameters:
apiName :
Type : String
responseParameter1:
Type : String
responseParameter2:
Type : String
responseType:
Type : String
statusCode:
Type : String
Resources :
RestApi:
Type: AWS::ApiGateway::RestApi
Properties:
Name: !Ref apiName
GatewayResponse:
Type: AWS::ApiGateway::GatewayResponse
Properties:
ResponseParameters:
gatewayresponse.header.k1 : !Ref responseParameter1
gatewayresponse.header.k2 : !Ref responseParameter2
ResponseType: !Ref responseType
RestApiId: !Ref RestApi
StatusCode: !Ref statusCode

AWS::ApiGateway::Method
The AWS::ApiGateway::Method resource creates Amazon API Gateway (API Gateway) methods that
deﬁne the parameters and body that clients must send in their requests.
Topics
API Version 2010-05-15
548

AWS CloudFormation User Guide
AWS::ApiGateway::Method

• Syntax (p. 549)
• Properties (p. 549)
• Return Value (p. 551)
• Examples (p. 552)
• See Also (p. 556)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ApiGateway::Method",
"Properties" : {
"ApiKeyRequired" : Boolean,
"AuthorizationType" : String,
"AuthorizerId" : String,
"HttpMethod" : String,
"Integration" : Integration (p. 1604),
"MethodResponses" : [ MethodResponse (p. 1609), ... ],
"OperationName" : String,
"RequestModels" : { String:String, ... },
"RequestParameters" : { String:Boolean, ... },
"RequestValidatorId" : String,
"ResourceId" : String,
"RestApiId" : String
}

YAML
Type: AWS::ApiGateway::Method
Properties:
ApiKeyRequired: Boolean
AuthorizationType: String
AuthorizerId: String
HttpMethod: String
Integration:
Integration (p. 1604)
MethodResponses:
- MethodResponse (p. 1609)
OperationName: String
RequestModels:
String: String
RequestParameters:
String: Boolean
RequestValidatorId: String
ResourceId: String
RestApiId: String

Properties
ApiKeyRequired
Indicates whether the method requires clients to submit a valid API key.
Required: No
API Version 2010-05-15
549

AWS CloudFormation User Guide
AWS::ApiGateway::Method

Type: Boolean
Update requires: No interruption (p. 118)
AuthorizationType
The method's authorization type.
Required: Yes. If you specify the AuthorizerId property, specify CUSTOM for this property.
Type: String
Update requires: No interruption (p. 118)
AuthorizerId
The identiﬁer of the authorizer (p. 522) to use on this method. If you specify this property, specify
CUSTOM for the AuthorizationType property.
Required: No
Type: String
Update requires: No interruption (p. 118)
HttpMethod
The HTTP method that clients use to call this method.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Integration
The backend system that the method calls when it receives a request.
Required: No
Type: Amazon API Gateway Method Integration (p. 1604)
Update requires: No interruption (p. 118)
MethodResponses
The responses that can be sent to the client who calls the method.
Required: No
Type: List of Amazon API Gateway Method MethodResponse (p. 1609) property types.
Update requires: No interruption (p. 118)
OperationName
A friendly operation name for the method. For example, you can assign the OperationName of
ListPets for the GET /pets method.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
550

AWS CloudFormation User Guide
AWS::ApiGateway::Method

RequestModels
The resources that are used for the response's content type. Specify response models as key-value
pairs (string-to-string mapping), with a content type as the key and a Model resource name as the
value.
Required: No
Type: Mapping of key-value pairs
Update requires: No interruption (p. 118)
RequestParameters
The request parameters that API Gateway accepts. Specify request parameters as key-value
pairs (string-to-Boolean mapping), with a source as the key and a Boolean as the value.
The Boolean speciﬁes whether a parameter is required. A source must match the format
method.request.location.name, where the location is querystring, path, or header, and
name is a valid, unique parameter name.
Required: No
Type: Mapping of key-value pairs
Update requires: No interruption (p. 118)
RequestValidatorId
The ID of the associated request validator.
Required: No
Type: String
Update requires: No interruption (p. 118)
ResourceId
The ID of an API Gateway resource (p. 561). For root resource methods, specify the RestApi root
resource ID, such as { "Fn::GetAtt": ["MyRestApi", "RootResourceId"] }.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RestApiId
The ID of the RestApi (p. 563) resource in which API Gateway creates the method.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the method ID,
such as mysta-metho-01234b567890example.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
551

AWS CloudFormation User Guide
AWS::ApiGateway::Method

Examples
Mock Method
The following example creates a mock GET method for the MyApi API.

JSON
"MockMethod": {
"Type": "AWS::ApiGateway::Method",
"Properties": {
"RestApiId": { "Ref": "MyApi" },
"ResourceId": { "Fn::GetAtt": ["RestApi", "RootResourceId"] },
"HttpMethod": "GET",
"AuthorizationType": "NONE",
"Integration": { "Type": "MOCK" }
}
}

YAML
MockMethod:
Type: AWS::ApiGateway::Method
Properties:
RestApiId:
Ref: "MyApi"
ResourceId:
Fn::GetAtt:
- "RestApi"
- "RootResourceId"
HttpMethod: "GET"
AuthorizationType: "NONE"
Integration:
Type: "MOCK"

Lambda Proxy
The following example creates a proxy resource to enable clients to call a Lambda function with a single
integration setup on a catch-all ANY method. The Uri property speciﬁes the Lambda function. For more
information about Lambda proxy integration and a sample Lambda function, see Create an API with
Lambda Proxy Integration through a Proxy Resource in the API Gateway Developer Guide.

Note

Use the AWS::Lambda::Permission (p. 1263) resource to grant API Gateway permission to invoke
your Lambda function.

JSON
"ProxyResource": {
"Type": "AWS::ApiGateway::Resource",
"Properties": {
"RestApiId": { "Ref":"LambdaSimpleProxy"},
"ParentId": { "Fn::GetAtt" : [
"LambdaSimpleProxy",
"RootResourceId"
]},
"PathPart": "{proxy+}"
}
},
"ProxyResourceANY": {
"Type": "AWS::ApiGateway::Method",

API Version 2010-05-15
552

AWS CloudFormation User Guide
AWS::ApiGateway::Method
"Properties": {
"RestApiId": {"Ref":"LambdaSimpleProxy"},
"ResourceId": {"Ref":"ProxyResource"},
"HttpMethod": "ANY",
"AuthorizationType": "NONE",
"Integration": {
"Type": "AWS_PROXY",
"IntegrationHttpMethod": "POST",
"Uri": { "Fn::Sub":"arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/
functions/${LambdaForSimpleProxy.Arn}/invocations"}
}
}
}

YAML
ProxyResource:
Type: AWS::ApiGateway::Resource
Properties:
RestApiId: !Ref LambdaSimpleProxy
ParentId: !GetAtt [LambdaSimpleProxy, RootResourceId]
PathPart: '{proxy+}'
ProxyResourceANY:
Type: AWS::ApiGateway::Method
Properties:
RestApiId: !Ref LambdaSimpleProxy
ResourceId: !Ref ProxyResource
HttpMethod: ANY
AuthorizationType: NONE
Integration:
Type: AWS_PROXY
IntegrationHttpMethod: POST
Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/
${LambdaForSimpleProxy.Arn}/invocations

Associated Request Validator
The following example creates a REST API, method, and request validator, and associates the request
validator with the method. It also lets you specify how to convert the request payload.

JSON
{

"Parameters": {
"contentHandling": {
"Type": "String"
},
"operationName": {
"Type": "String",
"Default": "testoperationName"
},
"restApiName": {
"Type": "String",
"Default": "testrestApiName"
},
"validatorName": {
"Type": "String",
"Default": "testvalidatorName"
},
"validateRequestBody": {
"Type": "String",
"Default": "testvalidateRequestBody"
},

API Version 2010-05-15
553

AWS CloudFormation User Guide
AWS::ApiGateway::Method
"validateRequestParameters": {
"Type": "String",
"Default": true
}

},
"Resources": {
"RestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Name": {
"Ref": "restApiName"
}
}
},
"Method": {
"Type": "AWS::ApiGateway::Method",
"Properties": {
"HttpMethod": "POST",
"ResourceId": {
"Fn::GetAtt": [
"RestApi",
"RootResourceId"
]
},
"RestApiId": {
"Ref": "RestApi"
},
"AuthorizationType": "NONE",
"Integration": {
"Type": "MOCK",
"ContentHandling": {
"Ref": "contentHandling"
},
"IntegrationResponses": [
{
"ContentHandling": {
"Ref": "contentHandling"
},
"StatusCode": 400
}
]
},
"RequestValidatorId": {
"Ref": "RequestValidator"
},
"OperationName": {
"Ref": "operationName"
}
}
},
"RequestValidator": {
"Type": "AWS::ApiGateway::RequestValidator",
"Properties": {
"Name": {
"Ref": "validatorName"
},
"RestApiId": {
"Ref": "RestApi"
},
"ValidateRequestBody": {
"Ref": "validateRequestBody"
},
"ValidateRequestParameters": {
"Ref": "validateRequestParameters"
}
}

API Version 2010-05-15
554

AWS CloudFormation User Guide
AWS::ApiGateway::Method

}

}
},
"Outputs": {
"RootResourceId": {
"Value": {
"Fn::GetAtt": [
"RestApi",
"RootResourceId"
]
}
}
}

YAML
Parameters:
contentHandling:
Type: String
operationName:
Type: String
Default: testoperationName
restApiName:
Type: String
Default: testrestApiName
validatorName:
Type: String
Default: testvalidatorName
validateRequestBody:
Type: String
Default: testvalidateRequestBody
validateRequestParameters:
Type: String
Default: true
Resources:
RestApi:
Type: AWS::ApiGateway::RestApi
Properties:
Name: !Ref restApiName
Method:
Type: AWS::ApiGateway::Method
Properties:
HttpMethod: POST
ResourceId: !GetAtt RestApi.RootResourceId
RestApiId: !Ref RestApi
AuthorizationType: NONE
Integration:
Type: MOCK
ContentHandling: !Ref contentHandling
IntegrationResponses:
- ContentHandling: !Ref contentHandling
StatusCode: 400
RequestValidatorId: !Ref RequestValidator
OperationName: !Ref operationName
RequestValidator:
Type: AWS::ApiGateway::RequestValidator
Properties:
Name: !Ref validatorName
RestApiId: !Ref RestApi
ValidateRequestBody: !Ref validateRequestBody
ValidateRequestParameters: !Ref validateRequestParameters
Outputs:
RootResourceId:
Value: !GetAtt RestApi.RootResourceId

API Version 2010-05-15
555

AWS CloudFormation User Guide
AWS::ApiGateway::Model

See Also
• Method in the Amazon API Gateway REST API Reference

AWS::ApiGateway::Model
The AWS::ApiGateway::Model resource deﬁnes the structure of a request or response payload for an
Amazon API Gateway (API Gateway) method.
Topics
• Syntax (p. 556)
• Properties (p. 556)
• Return Value (p. 557)
• Example (p. 557)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ApiGateway::Model",
"Properties" : {
"ContentType" : String,
"Description" : String,
"Name" : String,
"RestApiId" : String,
"Schema" : JSON object
}

YAML
Type: AWS::ApiGateway::Model
Properties:
ContentType: String
Description: String
Name: String
RestApiId: String
Schema: JSON object

Properties
ContentType
The content type for the model.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
556

AWS CloudFormation User Guide
AWS::ApiGateway::Model

Description
A description that identiﬁes this model.
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
A name for the model. If you don't specify a name, AWS CloudFormation generates a unique physical
ID and uses that ID for the model name. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
RestApiId
The ID of a REST API with which to associate this model.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Schema
The schema to use to transform data to one or more output formats. Specify null ({}) if you don't
want to specify a schema.
Required: Yes
Type: JSON object
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the model
name, such as myModel.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a model that transforms input data into the described schema.
API Version 2010-05-15
557

AWS CloudFormation User Guide
AWS::ApiGateway::RequestValidator

JSON
"PetsModelNoFlatten": {
"Type": "AWS::ApiGateway::Model",
"Properties": {
"RestApiId": { "Ref": "RestApi" },
"ContentType": "application/json",
"Description": "Schema for Pets example",
"Name": "PetsModelNoFlatten",
"Schema": {
"$schema": "http://json-schema.org/draft-04/schema#",
"title": "PetsModelNoFlatten",
"type": "array",
"items": {
"type": "object",
"properties": {
"number": { "type": "integer" },
"class": { "type": "string" },
"salesPrice": { "type": "number" }
}
}
}
}
}

YAML
PetsModelNoFlatten:
Type: AWS::ApiGateway::Model
Properties:
RestApiId:
Ref: RestApi
ContentType: "application/json"
Description: "Schema for Pets example"
Name: PetsModelNoFlatten
Schema:
"$schema": "http://json-schema.org/draft-04/schema#"
title: PetsModelNoFlatten
type: array
items:
type: object
properties:
number:
type: integer
class:
type: string
salesPrice:
type: number

AWS::ApiGateway::RequestValidator
The AWS::ApiGateway::RequestValidator resource sets up basic validation rules for incoming
requests to your API Gateway API. For more information, see Enable Basic Request Validation for an API
in API Gateway in the API Gateway Developer Guide.
Topics
• Syntax (p. 559)
• Properties (p. 559)
• Return Value (p. 560)
API Version 2010-05-15
558

AWS CloudFormation User Guide
AWS::ApiGateway::RequestValidator

• Example (p. 560)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ApiGateway::RequestValidator",
"Properties" : {
"Name" : String,
"RestApiId" : String,
"ValidateRequestBody" : Boolean,
"ValidateRequestParameters" : Boolean
}

YAML
Type: AWS::ApiGateway::RequestValidator
Properties:
Name: String
RestApiId: String
ValidateRequestBody: Boolean
ValidateRequestParameters: Boolean

Properties
Note

For more information about each property, see RequestValidator in the Amazon API Gateway
REST API Reference.
Name
The name of this request validator.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
RestApiId
The identiﬁer of the targeted API entity.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ValidateRequestBody
Indicates whether to validate the request body according to the conﬁgured schema for the targeted
API and method.
Required: No
API Version 2010-05-15
559

AWS CloudFormation User Guide
AWS::ApiGateway::RequestValidator

Type: Boolean
Update requires: No interruption (p. 118)
ValidateRequestParameters
Indicates whether to validate request parameters.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ID of the
request validator, such as abc123.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates an API Gateway API with an associated request validator, based on the
supplied parameters.

JSON
{

"Parameters": {
"apiName": {
"Type": "String"
},
"validatorName": {
"Type": "String"
},
"validateRequestBody": {
"Type": "String"
},
"validateRequestParameters": {
"Type": "String"
}
},
"Resources": {
"RestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Name": {
"Ref": "apiName"
}
}
},
"RequestValidator": {
"Type": "AWS::ApiGateway::RequestValidator",
"Properties": {
"Name": {
"Ref": "validatorName"

API Version 2010-05-15
560

AWS CloudFormation User Guide
AWS::ApiGateway::Resource

}

}

}

}

},
"RestApiId": {
"Ref": "RestApi"
},
"ValidateRequestBody": {
"Ref": "validateRequestBody"
},
"ValidateRequestParameters": {
"Ref": "validateRequestParameters"
}

YAML
Parameters:
apiName:
Type: String
validatorName:
Type: String
validateRequestBody:
Type: String
validateRequestParameters:
Type: String
Resources:
RestApi:
Type: AWS::ApiGateway::RestApi
Properties:
Name: !Ref apiName
RequestValidator:
Type: AWS::ApiGateway::RequestValidator
Properties:
Name: !Ref validatorName
RestApiId: !Ref RestApi
ValidateRequestBody: !Ref validateRequestBody
ValidateRequestParameters: !Ref validateRequestParameters

AWS::ApiGateway::Resource
The AWS::ApiGateway::Resource resource creates a resource in an Amazon API Gateway (API
Gateway) API.
Topics
• Syntax (p. 561)
• Properties (p. 562)
• Return Value (p. 562)
• Example (p. 563)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
561

AWS CloudFormation User Guide
AWS::ApiGateway::Resource

}

"Type" : "AWS::ApiGateway::Resource",
"Properties" : {
"ParentId" : String,
"PathPart" : String,
"RestApiId" : String
}

YAML
Type: AWS::ApiGateway::Resource
Properties:
ParentId: String
PathPart: String
RestApiId: String

Properties
ParentId
If you want to create a child resource, the ID of the parent resource. For resources without a
parent, specify the RestApi root resource ID, such as { "Fn::GetAtt": ["MyRestApi",
"RootResourceId"] }.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
PathPart
A path name for the resource.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
RestApiId
The ID of the RestApi resource in which you want to create this resource.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource ID,
such as abc123.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
562

AWS CloudFormation User Guide
AWS::ApiGateway::RestApi

Example
The following example creates a stack resource for the MyApi API.

JSON
"Stack": {
"Type": "AWS::ApiGateway::Resource",
"Properties": {
"RestApiId": { "Ref": "MyApi" },
"ParentId": { "Fn::GetAtt": ["MyApi", "RootResourceId"] },
"PathPart": "stack"
}
}

YAML
Stack:
Type: AWS::ApiGateway::Resource
Properties:
RestApiId:
Ref: "MyApi"
ParentId:
Fn::GetAtt:
- "MyApi"
- "RootResourceId"
PathPart: "stack"

AWS::ApiGateway::RestApi
The AWS::ApiGateway::RestApi resource contains a collection of Amazon API Gateway resources and
methods that can be invoked through HTTPS endpoints. For more information, see restapi:create in the
Amazon API Gateway REST API Reference.

Note

On January 1, 2016, the Swagger Speciﬁcation was donated to the OpenAPI initiative, becoming
the foundation of the OpenAPI Speciﬁcation.
Topics
• Syntax (p. 563)
• Properties (p. 564)
• Return Values (p. 566)
• Examples (p. 567)
• See Also (p. 570)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ApiGateway::RestApi",
"Properties" : {

API Version 2010-05-15
563

AWS CloudFormation User Guide
AWS::ApiGateway::RestApi

}

}

"ApiKeySourceType" : String,
"BinaryMediaTypes" : [ String, ... ],
"Body" : JSON object,
"BodyS3Location" : S3Location (p. 1610),
"CloneFrom" : String,
"Description" : String,
"EndpointConfiguration" : EndpointConfiguration (p. 1611),
"FailOnWarnings" : Boolean,
"MinimumCompressionSize" : Integer,
"Name" : String,
"Parameters" : { String:String, ... },
"Policy" : JSON object

YAML
Type: AWS::ApiGateway::RestApi
Properties:
ApiKeySourceType: String
BinaryMediaTypes:
- String
Body: JSON object
BodyS3Location:
S3Location (p. 1610)
CloneFrom: String
Description: String
EndpointConfiguration: EndpointConfiguration (p. 1611)
FailOnWarnings: Boolean
MinimumCompressionSize: Integer
Name: String
Parameters:
String: String
Policy: JSON object

Properties
ApiKeySourceType
The source of the API key for metering requests according to a usage plan. Valid values are:
• HEADER to read the API key from the X-API-Key header of a request.
• AUTHORIZER to read the API key from the UsageIdentifierKey from a custom authorizer.
Required: No
Type: String
Update requires: No interruption (p. 118)
BinaryMediaTypes
The list of binary media types that are supported by the RestApi resource, such as image/png or
application/octet-stream. By default, RestApi supports only UTF-8-encoded text payloads.
For more information, see Enable Support for Binary Payloads in API Gateway in the API Gateway
Developer Guide. Duplicates are not allowed.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
API Version 2010-05-15
564

AWS CloudFormation User Guide
AWS::ApiGateway::RestApi

Body
An OpenAPI speciﬁcation that deﬁnes a set of RESTful APIs in the JSON format. For YAML templates,
you can also provide the speciﬁcation in the YAML format.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
BodyS3Location
The Amazon Simple Storage Service (Amazon S3) location that points to an OpenAPI ﬁle, which
deﬁnes a set of RESTful APIs in JSON or YAML format.
Required: No
Type: Amazon API Gateway RestApi S3Location (p. 1610)
Update requires: No interruption (p. 118)
CloneFrom
The ID of the API Gateway RestApi resource that you want to clone.
Required: No
Type: String
Update requires: No interruption (p. 118)
Description
A description of the purpose of this API Gateway RestApi resource.
Required: No
Type: String
Update requires: No interruption (p. 118)
EndpointConfiguration
A list of the endpoint types of the API. Use this property when creating an API. When importing an
existing API, specify the endpoint conﬁguration types using the Parameters property.
Required: No
Type: API Gateway RestApi EndpointConﬁguration (p. 1611)
Update requires: No interruption (p. 118)
FailOnWarnings
Indicates whether to roll back the resource if a warning occurs while API Gateway is creating the
RestApi resource.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
API Version 2010-05-15
565

AWS CloudFormation User Guide
AWS::ApiGateway::RestApi

MinimumCompressionSize
A nullable integer that is used to enable compression (with non-negative between 0 and 10485760
(10M) bytes, inclusive) or disable compression (with a null value) on an API. When compression is
enabled, compression or decompression is not applied on the payload if the payload size is smaller
than this value. Setting it to zero allows compression for any payload size.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Name
A name for the API Gateway RestApi resource.
Required: Conditional. Required if you don't specify a OpenAPI deﬁnition.
Type: String
Update requires: No interruption (p. 118)
Parameters
Custom header parameters for the request.
For more information on specifying parameters when importing an API, see import-rest-api
operation in the AWS CLI Command Reference.
Required: No
Type: String to String map
Update requires: No interruption (p. 118)
Policy
A policy document that contains the permissions for this RestApi resource, in JSON format.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the RestApi
ID, such as a1bcdef2gh.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. This section lists the available attribute
and a sample return value.
API Version 2010-05-15
566

AWS CloudFormation User Guide
AWS::ApiGateway::RestApi

RootResourceId
The root resource ID for a RestApi resource, such as a0bc123d4e.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
The following example creates an API Gateway RestApi resource based on an OpenAPI speciﬁcation.

JSON
"MyRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Body": {
OpenAPI specification
}
"Description": "A test API",
"Name": "MyRestAPI"
}
}

YAML
MyRestApi:
Type: AWS::ApiGateway::RestApi
Properties:
Body:
OpenAPI specification
Description: "A test API"
Name: "MyRestAPI"

The following example creates an API Gateway RestApi resource with an endpoint type.

JSON
{

"Parameters": {
"apiName": {
"Type": "String"
},
"type": {
"Type": "String"
}
},
"Resources": {
"MyRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"EndpointConfiguration": {
"Types": [
{
"Ref": "type"
}
]
},
"Name": {

API Version 2010-05-15
567

AWS CloudFormation User Guide
AWS::ApiGateway::RestApi

}

}

}

}

}

"Ref": "apiName"

YAML
Parameters:
apiName:
Type: String
type:
Type: String
Resources:
MyRestApi:
Type: AWS::ApiGateway::RestApi
Properties:
EndpointConfiguration:
Types:
- !Ref type
Name: !Ref apiName

The following example imports an API Gateway RestApi resource with an endpoint type of REGIONAL.

JSON
{

}

"Resources": {
"RestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Body": {
"swagger": 2,
"info": {
"version": "0.0.1",
"title": "test"
},
"basePath": "/pete",
"schemes": [
"https"
],
"definitions": {
"Empty": {
"type": "object"
}
}
},
"Name": "myApi",
"Parameters": {
"endpointConfigurationTypes": "REGIONAL"
}
}
}
}

YAML
Resources :
RestApi :

API Version 2010-05-15
568

AWS CloudFormation User Guide
AWS::ApiGateway::RestApi
Type : AWS::ApiGateway::RestApi
Properties :
Body :
swagger : 2.0
info :
version : 0.0.1
title : test
basePath : /pete
schemes :
- https
definitions:
Empty :
type : object
Name : myApi
Parameters:
endpointConfigurationTypes: REGIONAL

The following example creates an API Gateway RestApi resource with ApiKeySourceType,
BinaryMediaTypes and MinimumCompressionSize.

JSON
{

"Parameters": {
"apiKeySourceType": {
"Type": "String"
},
"apiName": {
"Type": "String"
},
"binaryMediaType1": {
"Type": "String"
},
"binaryMediaType2": {
"Type": "String"
},
"minimumCompressionSize": {
"Type": "String"
}
},
"Resources": {
"MyRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"ApiKeySourceType": {
"Ref": "apiKeySourceType"
},
"BinaryMediaTypes": [
{
"Ref": "binaryMediaType1"
},
{
"Ref": "binaryMediaType2"
}
],
"MinimumCompressionSize": {
"Ref": "minimumCompressionSize"
},
"Name": {
"Ref": "apiName"
}
}
}

API Version 2010-05-15
569

AWS CloudFormation User Guide
AWS::ApiGateway::Stage

}

}

YAML
Parameters:
apiKeySourceType:
Type: String
apiName:
Type: String
binaryMediaType1:
Type: String
binaryMediaType2:
Type: String
minimumCompressionSize:
Type: String
Resources:
MyRestApi:
Type: AWS::ApiGateway::RestApi
Properties:
ApiKeySourceType: !Ref apiKeySourceType
BinaryMediaTypes:
- !Ref binaryMediaType1
- !Ref binaryMediaType2
MinimumCompressionSize: !Ref minimumCompressionSize
Name: !Ref apiName

See Also
• restapi:create operation in the Amazon API Gateway REST API Reference
• import-rest-api operation in the AWS CLI Command Reference

AWS::ApiGateway::Stage
The AWS::ApiGateway::Stage resource creates a stage for an Amazon API Gateway (API Gateway)
deployment.
Topics
• Syntax (p. 570)
• Properties (p. 571)
• Return Value (p. 573)
• Example (p. 573)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ApiGateway::Stage",
"Properties" : {
"CacheClusterEnabled" : Boolean,
"CacheClusterSize" : String,
"ClientCertificateId" : String,

API Version 2010-05-15
570

AWS CloudFormation User Guide
AWS::ApiGateway::Stage

}

}

"DeploymentId" : String,
"Description" : String,
"DocumentationVersion" : String,
"MethodSettings" : [ MethodSetting (p. 1612), ... ],
"RestApiId" : String,
"StageName" : String,
"Variables" : { String:String, ... }

YAML
Type: AWS::ApiGateway::Stage
Properties:
CacheClusterEnabled: Boolean
CacheClusterSize: String
ClientCertificateId: String
DeploymentId: String
Description: String
DocumentationVersion: String
MethodSettings:
- MethodSetting (p. 1612)
RestApiId: String
StageName: String
Variables:
String: String

Properties
CacheClusterEnabled
Indicates whether cache clustering is enabled for the stage.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
CacheClusterSize
The stage's cache cluster size.
Required: No
Type: String
Update requires: No interruption (p. 118)
ClientCertificateId
The identiﬁer of the client certiﬁcate that API Gateway uses to call your integration endpoints in the
stage.
Required: No
Type: String
Update requires: No interruption (p. 118)
DeploymentId
The ID of the deployment that the stage points to.
API Version 2010-05-15
571

AWS CloudFormation User Guide
AWS::ApiGateway::Stage

Required: Yes
Type: String
Update requires: No interruption (p. 118)
Description
A description of the stage's purpose.
Required: No
Type: String
Update requires: No interruption (p. 118)
DocumentationVersion
The version identiﬁer of the API documentation snapshot.
Required: No
Type: String
MethodSettings
Settings for all methods in the stage.
Required: No
Type: List of API Gateway Stage MethodSetting (p. 1612)
Update requires: No interruption (p. 118)
RestApiId
The ID of the RestApi resource that you're deploying with this stage.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
StageName
The name of the stage, which API Gateway uses as the ﬁrst path segment in the invoked Uniform
Resource Identiﬁer (URI).
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Variables
A map (string-to-string map) that deﬁnes the stage variables, where the variable name is the key
and the variable value is the value. Variable names are limited to alphanumeric characters. Values
must match the following regular expression: [A-Za-z0-9-._~:/?#&=,]+.
Required: No
Type: Mapping of key-value pairs
API Version 2010-05-15
572

AWS CloudFormation User Guide
AWS::ApiGateway::Stage

Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the name of the
stage, such as MyTestStage.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a stage for the TestDeployment deployment. The stage also speciﬁes
method settings for the MyRestApi API.

JSON
{

"Resources": {
"Prod": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"StageName": "Prod",
"Description": "Prod Stage",
"RestApiId": {
"Ref": "MyRestApi"
},
"DeploymentId": {
"Ref": "TestDeployment"
},
"DocumentationVersion": {
"Ref": "MyDocumentationVersion"
},
"ClientCertificateId": {
"Ref": "ClientCertificate"
},
"Variables": {
"Stack": "Prod"
},
"MethodSettings": [
{
"ResourcePath": "/",
"HttpMethod": "GET",
"MetricsEnabled": "true",
"DataTraceEnabled": "true"
},
{
"ResourcePath": "/stack",
"HttpMethod": "POST",
"MetricsEnabled": "true",
"DataTraceEnabled": "true",
"ThrottlingBurstLimit": "999"
},
{
"ResourcePath": "/stack",
"HttpMethod": "GET",
"MetricsEnabled": "true",
"DataTraceEnabled": "true",
"ThrottlingBurstLimit": "555"
}

API Version 2010-05-15
573

AWS CloudFormation User Guide
AWS::ApiGateway::UsagePlan

}

}

}

}

]

YAML
Resources:
Prod:
Type: AWS::ApiGateway::Stage
Properties:
StageName: Prod
Description: Prod Stage
RestApiId: !Ref MyRestApi
DeploymentId: !Ref TestDeployment
DocumentationVersion: !Ref MyDocumentationVersion
ClientCertificateId: !Ref ClientCertificate
Variables:
Stack: Prod
MethodSettings:
- ResourcePath: /
HttpMethod: GET
MetricsEnabled: 'true'
DataTraceEnabled: 'true'
- ResourcePath: /stack
HttpMethod: POST
MetricsEnabled: 'true'
DataTraceEnabled: 'true'
ThrottlingBurstLimit: '999'
- ResourcePath: /stack
HttpMethod: GET
MetricsEnabled: 'true'
DataTraceEnabled: 'true'
ThrottlingBurstLimit: '555'

AWS::ApiGateway::UsagePlan
The AWS::ApiGateway::UsagePlan resource speciﬁes a usage plan for deployed Amazon API
Gateway (API Gateway) APIs. A usage plan enforces throttling and quota limits on individual client API
keys. For more information, see Creating and Using API Usage Plans in Amazon API Gateway in the API
Gateway Developer Guide.
Topics
• Syntax (p. 574)
• Properties (p. 575)
• Return Value (p. 576)
• Examples (p. 576)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ApiGateway::UsagePlan",

API Version 2010-05-15
574

AWS CloudFormation User Guide
AWS::ApiGateway::UsagePlan

}

"Properties" : {
"ApiStages" : [ ApiStage (p. 1614), ... ],
"Description" : String,
"Quota" : QuotaSettings (p. 1615),
"Throttle" : ThrottleSettings (p. 1615),
"UsagePlanName" : String
}

YAML
Type: AWS::ApiGateway::UsagePlan
Properties:
ApiStages:
- ApiStage (p. 1614)
Description: String
Quota: QuotaSettings (p. 1615)
Throttle: ThrottleSettings (p. 1615)
UsagePlanName: String

Properties
ApiStages
The API stages to associate with this usage plan.
Required: No
Type: List of Amazon API Gateway UsagePlan ApiStage (p. 1614)
Update requires: No interruption (p. 118)
Description
The purpose of this usage plan.
Required: No
Type: String
Update requires: No interruption (p. 118)
Quota
Conﬁgures the number of requests that users can make within a given interval.
Required: No
Type: Amazon API Gateway UsagePlan QuotaSettings (p. 1615)
Update requires: No interruption (p. 118)
Throttle
Conﬁgures the overall request rate (average requests per second) and burst capacity.
Required: No
Type: Amazon API Gateway UsagePlan ThrottleSettings (p. 1615)
Update requires: No interruption (p. 118)
API Version 2010-05-15
575

AWS CloudFormation User Guide
AWS::ApiGateway::UsagePlan

UsagePlanName
A name for this usage plan.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the usage plan
ID, such as MyUsagePlan.
For more information about using the Ref function, see Ref (p. 2311).

Examples
The following examples create a usage plan for the Prod API stage, with a quota of 5000 requests per
month and a rate limit of 100 requests per second.

JSON
"usagePlan" : {
"Type" : "AWS::ApiGateway::UsagePlan",
"Properties" : {
"ApiStages" : [ {"ApiId" : { "Ref" : "MyRestApi" }, "Stage" : { "Ref" : "Prod" }} ],
"Description" : "Customer ABC's usage plan",
"Quota" : {
"Limit" : 5000,
"Period" : "MONTH"
},
"Throttle" : {
"BurstLimit" : 200,
"RateLimit" : 100
},
"UsagePlanName" : "Plan_ABC"
}
}

YAML
usagePlan:
Type: AWS::ApiGateway::UsagePlan
Properties:
ApiStages:
- ApiId: !Ref 'MyRestApi'
Stage: !Ref 'Prod'
Description: Customer ABC's usage plan
Quota:
Limit: 5000
Period: MONTH
Throttle:
BurstLimit: 200
RateLimit: 100
UsagePlanName: Plan_ABC

API Version 2010-05-15
576

AWS CloudFormation User Guide
AWS::ApiGateway::UsagePlanKey

AWS::ApiGateway::UsagePlanKey
The AWS::ApiGateway::UsagePlanKey resource associates an Amazon API Gateway API key with an
API Gateway usage plan. This association determines which users the usage plan is applied to.
Topics
• Syntax (p. 577)
• Properties (p. 577)
• Example (p. 578)

Syntax
JSON
{

}

"Type" : "AWS::ApiGateway::UsagePlanKey",
"Properties" : {
"KeyId" : String,
"KeyType" : String,
"UsagePlanId" : String
}

YAML
Type: AWS::ApiGateway::UsagePlanKey
Properties:
KeyId: String
KeyType: String
UsagePlanId: String

Properties
KeyId
The ID of the usage plan key.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
KeyType
The type of usage plan key. Currently, the valid key type is API_KEY.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
UsagePlanId
The value of the usage plan key.
API Version 2010-05-15
577

AWS CloudFormation User Guide
AWS::ApiGateway::VpcLink

Required: Yes
Type: String
Update requires: Replacement (p. 119)

Example
JSON
"usagePlanKey" : {
"Type": "AWS::ApiGateway::UsagePlanKey",
"Properties": {
"KeyId" : {"Ref" : "myApiKey"},
"KeyType" : "API_KEY",
"UsagePlanId" : {"Ref" : "myUsagePlan"}
}
}

YAML
usagePlanKey:
Type: AWS::ApiGateway::UsagePlanKey
Properties :
KeyId: !Ref 'myApiKey'
KeyType: API_KEY
UsagePlanId: !Ref 'myUsagePlan'

AWS::ApiGateway::VpcLink
The AWS::ApiGateway::VpcLink resource speciﬁes an API Gateway VPC link for a
AWS::ApiGateway::RestApi to access resources in an Amazon Virtual Private Cloud (VPC). For more
information, see vpclink:create in the Amazon API Gateway REST API Reference
Topics
• Syntax (p. 578)
• Properties (p. 579)
• Return Value (p. 579)
• Example (p. 579)
• See Also (p. 581)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ApiGateway::VpcLink",
"Properties" : {
"Description" : String,
"Name" : String,
"TargetArns" : [ String, ... ]
}

API Version 2010-05-15
578

AWS CloudFormation User Guide
AWS::ApiGateway::VpcLink
}

YAML
Type: AWS::ApiGateway::VpcLink
Properties:
Description: String
Name: String
TargetArns:
- String

Properties
Description
The description of the VPC link.
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name used to label and identify the VPC link.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
TargetArns
The ARNs of network load balancers of the VPC targeted by the VPC link. The network load
balancers must be owned by the same AWS account of the API owner.
Required: Yes
List of Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ID of the
VpcLink.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

API Version 2010-05-15
579

AWS CloudFormation User Guide
AWS::ApiGateway::VpcLink
"Parameters": {
"description": {
"Type": "String"
},
"name": {
"Type": "String"
}
},
"Resources": {
"MyVpcLink": {
"Type": "AWS::ApiGateway::VpcLink",
"Properties": {
"Description": {
"Ref": "description"
},
"Name": {
"Ref": "name"
},
"TargetArns": [
{
"Ref": "MyLoadBalancer"
}
]
}
},
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Type": "network",
"Subnets": [
{
"Ref": "MySubnet"
}
]
}
},
"MySubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "MyVPC"
},
"CidrBlock": "10.0.0.0/24"
}
},
"MyVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16"
}
},
"MyInternetGateway": {
"Type": "AWS::EC2::InternetGateway"
},
"MyInternetGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "MyVPC"
},
"InternetGatewayId": {
"Ref": "MyInternetGateway"
}
}
}
}

API Version 2010-05-15
580

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget
}

YAML
Parameters:
description:
Type: String
name:
Type: String
Resources:
MyVpcLink:
Type: AWS::ApiGateway::VpcLink
Properties:
Description: !Ref description
Name: !Ref name
TargetArns:
- !Ref MyLoadBalancer
MyLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Type: network
Subnets:
- !Ref MySubnet
MySubnet:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref MyVPC
CidrBlock: 10.0.0.0/24
MyVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
MyInternetGateway:
Type: AWS::EC2::InternetGateway
MyInternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId: !Ref MyVPC
InternetGatewayId: !Ref MyInternetGateway

See Also
• vpclink:create in the Amazon API Gateway REST API Reference

AWS::ApplicationAutoScaling::ScalableTarget
The AWS::ApplicationAutoScaling::ScalableTarget resource speciﬁes a resource that
Application Auto Scaling can scale up or down. For more information, see the RegisterScalableTarget
action in the Application Auto Scaling API Reference.
Updates to AWS::DynamoDB::Table resources that are associated with
AWS::ApplicationAutoScaling::ScalableTarget resources will always result in an update failure
and then an update rollback failure. The following ScalableDimension attributes cause this problem
when associated with the table:
•
•
•
•

dynamodb:table:ReadCapacityUnits
dynamodb:table:WriteCapacityUnits
dynamodb:index:ReadCapacityUnits
dynamodb:index:WriteCapacityUnits
API Version 2010-05-15
581

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget

As a workaround, please deregister scalable targets before performing updates to
AWS::DynamoDB::Table resources.
Topics
• Syntax (p. 582)
• Properties (p. 582)
• Return Value (p. 584)
• Examples (p. 584)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : Integer,
"MinCapacity" : Integer,
"ResourceId" : String,
"RoleARN" : String,
"ScalableDimension" : String,
"ScheduledActions" : [ ScheduledAction (p. 1624), ... ],
"ServiceNamespace" : String
}

YAML
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: Integer
MinCapacity: Integer
ResourceId: String
RoleARN: String
ScalableDimension: String
ScheduledActions:
- ScheduledAction (p. 1624)
ServiceNamespace: String

Properties
MaxCapacity
The maximum value that Application Auto Scaling can use to scale a target during a scaling activity.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
MinCapacity
The minimum value that Application Auto Scaling can use to scale a target during a scaling activity.
Required: Yes
API Version 2010-05-15
582

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget

Type: Integer
Update requires: No interruption (p. 118)
ResourceId
The resource identiﬁer to associate with this scalable target. This string consists of the
resource type and unique identiﬁer. For more information, see the ResourceId parameter
for the RegisterScalableTarget action in the Application Auto Scaling API Reference, or see the
ScalableTarget examples (p. 584).
Required: Yes
Type: String
Update requires: Replacement (p. 119)
RoleARN
The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that
allows Application Auto Scaling to modify your scalable target.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ScalableDimension
The scalable dimension that's associated with the scalable target. Specify the service namespace,
resource type, and scaling property—for example, ecs:service:DesiredCount for the
desired task count of an Amazon Elastic Container Service service. For valid values, see the
ScalableDimension content for the ScalingPolicy data type in the Application Auto Scaling API
Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ScheduledActions
The scheduled actions for the scalable target. Duplicates aren't allowed.
Required: No
Type: List of Application Auto Scaling ScalableTarget ScheduledAction (p. 1624) property types
Update requires: No interruption (p. 118)
ServiceNamespace
The namespace of the AWS service that provides the resource or custom-resource for a resource
provided by your own application or service. For valid AWS service namespace values, see the
RegisterScalableTarget action in the Application Auto Scaling API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
583

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the AWS
CloudFormation-generated ID of the resource, such as service/ecsStack-MyECSClusterAB12CDE3F4GH/ecsStack-MyECSService-AB12CDE3F4GH|ecs:service:DesiredCount|ecs.
AWS CloudFormation uses the following format to generate the ID:
service/resource_ID (p. 583)|scalable_dimension|service_namespace.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Number of Tasks
The following example creates a scalable target for an Amazon Elastic Container Service service.
Application Auto Scaling scales the number of tasks at a minimum of 1 task and a maximum of 2.

JSON
"scalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 2,
"MinCapacity" : 1,
"ResourceId" : "service/ecsStack-MyECSCluster-AB12CDE3F4GH/ecsStack-MyECSServiceAB12CDE3F4GH",
"RoleARN" : {"Fn::GetAtt" : ["ApplicationAutoScalingRole", "Arn"] },
"ScalableDimension" : "ecs:service:DesiredCount",
"ServiceNamespace" : "ecs"
}
}

YAML
scalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 2
MinCapacity: 1
ResourceId: service/ecsStack-MyECSCluster-AB12CDE3F4GH/ecsStack-MyECSServiceAB12CDE3F4GH
RoleARN: !GetAtt [ ApplicationAutoScalingRole, Arn ]
ScalableDimension: ecs:service:DesiredCount
ServiceNamespace: ecs

Using Fn::Join and Ref to Construct the ResourceId
The following example uses the Fn::Join and Ref intrinsic functions to construct the ResourceId
property of the scaling target.

JSON
"SpotFleetScalingTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {

API Version 2010-05-15
584

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget

}

}

"MaxCapacity": 2,
"MinCapacity": 1,
"ResourceId": {
"Fn::Join": [
"/",
[
"spot-fleet-request",
{
"Ref": "ECSSpotFleet"
}
]
]
},
"RoleARN": {
"Fn::GetAtt": [
"AutoScalingRole",
"Arn"
]
},
"ScalableDimension": "ec2:spot-fleet-request:TargetCapacity",
"ServiceNamespace": "ec2"

YAML
SpotFleetScalingTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 2
MinCapacity: 1
ResourceId: !Join
- /
- - spot-fleet-request
- !Ref ECSSpotFleet
RoleARN: !GetAtt
- AutoScalingRole
- Arn
ScalableDimension: 'ec2:spot-fleet-request:TargetCapacity'
ServiceNamespace: ec2

Application Auto Scaling Scalable Target with an Amazon DynamoDB Table
This example sets up Application Auto Scaling for an AWS::DynamoDB::Table resource. The template
deﬁnes a TargetTrackingScaling scaling policy that scales up the WriteCapacityUnits
throughput for the table.

JSON
{

"Resources": {
"DDBTable": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "ArtistId",
"AttributeType": "S"
},
{
"AttributeName": "Concert",
"AttributeType": "S"

API Version 2010-05-15
585

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget
},
{

"AttributeName": "TicketSales",
"AttributeType": "S"

}
],
"KeySchema": [
{
"AttributeName": "ArtistId",
"KeyType": "HASH"
},
{
"AttributeName": "Concert",
"KeyType": "RANGE"
}
],
"GlobalSecondaryIndexes": [
{
"IndexName": "GSI",
"KeySchema": [
{
"AttributeName": "TicketSales",
"KeyType": "HASH"
}
],
"Projection": {
"ProjectionType": "KEYS_ONLY"
},
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}
}
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}

}
},
"WriteCapacityScalableTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {
"MaxCapacity": 15,
"MinCapacity": 5,
"ResourceId": { "Fn::Join": [
"/",
[
"table",
{ "Ref": "DDBTable" }
]
] },
"RoleARN": {
"Fn::GetAtt": ["ScalingRole", "Arn"]
},
"ScalableDimension": "dynamodb:table:WriteCapacityUnits",
"ServiceNamespace": "dynamodb"
}
},
"ScalingRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{

API Version 2010-05-15
586

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget

]

}

"Effect": "Allow",
"Principal": {
"Service": [
"application-autoscaling.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]

},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:UpdateTable",
"cloudwatch:PutMetricAlarm",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:SetAlarmState",
"cloudwatch:DeleteAlarms"
],
"Resource": "*"
}
]
}
}
]

}

}

}
},
"WriteScalingPolicy": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties": {
"PolicyName": "WriteAutoScalingPolicy",
"PolicyType": "TargetTrackingScaling",
"ScalingTargetId": {
"Ref": "WriteCapacityScalableTarget"
},
"TargetTrackingScalingPolicyConfiguration": {
"TargetValue": 50.0,
"ScaleInCooldown": 60,
"ScaleOutCooldown": 60,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "DynamoDBWriteCapacityUtilization"
}
}
}
}

YAML
Resources:
DDBTable:
Type: AWS::DynamoDB::Table

API Version 2010-05-15
587

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget
Properties:
AttributeDefinitions:
AttributeName: "ArtistId"
AttributeType: "S"
AttributeName: "Concert"
AttributeType: "S"
AttributeName: "TicketSales"
AttributeType: "S"
KeySchema:
AttributeName: "ArtistId"
KeyType: "HASH"
AttributeName: "Concert"
KeyType: "RANGE"
GlobalSecondaryIndexes:
IndexName: "GSI"
KeySchema:
AttributeName: "TicketSales"
KeyType: "HASH"
Projection:
ProjectionType: "KEYS_ONLY"
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
WriteCapacityScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 15
MinCapacity: 5
ResourceId: !Join
- /
- - table
- !Ref DDBTable
RoleARN: !GetAtt ScalingRole.Arn
ScalableDimension: dynamodb:table:WriteCapacityUnits
ServiceNamespace: dynamodb
ScalingRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- application-autoscaling.amazonaws.com
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
-

API Version 2010-05-15
588

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget
Effect: "Allow"
Action:
- "dynamodb:DescribeTable"
- "dynamodb:UpdateTable"
- "cloudwatch:PutMetricAlarm"
- "cloudwatch:DescribeAlarms"
- "cloudwatch:GetMetricStatistics"
- "cloudwatch:SetAlarmState"
- "cloudwatch:DeleteAlarms"
Resource: "*"
WriteScalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: WriteAutoScalingPolicy
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref WriteCapacityScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 50.0
ScaleInCooldown: 60
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: DynamoDBWriteCapacityUtilization

Scheduled Actions
The following example creates a scheduled action for a target.

JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Creating ECS service",
"Parameters": {
"AppName": {
"Type":"String",
"Description": "Name of app requiring ELB exposure",
"Default": "simple-app"
},
"AppContainerPort": {
"Type":"Number",
"Description": "Container port of app requiring ELB exposure",
"Default": "80"
},
"AppHostPort": {
"Type":"Number",
"Description": "Host port of app requiring ELB exposure",
"Default": "80"
}
},
"Resources": {
"scalableTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {
"ResourceId": {
"Fn::Join": [
"/",
[
"service",
{
"Ref": "cluster"
},
{
"Fn::GetAtt": [
"service",

API Version 2010-05-15
589

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget

]

}

]

"Name"

]
},
"ServiceNamespace": "ecs",
"ScalableDimension": "ecs:service:DesiredCount",
"RoleARN": {
"Fn::GetAtt": [
"scalingRole",
"Arn"
]
},
"MaxCapacity": "2",
"MinCapacity": "1",
"ScheduledActions": [{
"EndTime": "2018-12-04T22:14:41.951Z",
"ScalableTargetAction": {
"MaxCapacity": "2",
"MinCapacity": "1"
},
"ScheduledActionName": "First",
"StartTime": "2018-11-28T22:14:41.951Z",
"Schedule": "cron(0 0 12 ? * MON *)"
}
]

}
},
"scalingRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": ["application-autoscaling.amazonaws.com"]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]
}
},
"cluster": {
"Type": "AWS::ECS::Cluster"

API Version 2010-05-15
590

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget

\""

},
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Name": {
"Ref": "AppName"
},
"MountPoints": [
{
"SourceVolume": "my-vol",
"ContainerPath": "/var/www/my-vol"
}
],
"Image": "amazon/amazon-ecs-sample",
"Cpu": "10",
"PortMappings": [
{
"ContainerPort": {
"Ref": "AppContainerPort"
},
"HostPort": {
"Ref": "AppHostPort"
}
}
],
"EntryPoint": [
"/usr/sbin/apache2",
"-D",
"FOREGROUND"
],
"Memory": "500",
"Essential": "true"
},
{
"Name": "busybox",
"Image": "busybox",
"Cpu": "10",
"EntryPoint": [
"sh",
"-c"
],
"Memory": "500",
"Command": [
"/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done
],
"Essential": "false",
"VolumesFrom": [
{
"SourceContainer": {
"Ref": "AppName"
}
}
]

}
],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/docker/vfs/dir/"
},
"Name": "my-vol"
}
]

API Version 2010-05-15
591

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget
}
},
"service": {
"Type": "AWS::ECS::Service",
"Properties": {
"Cluster": {
"Ref": "cluster"
},
"DesiredCount": 0,
"TaskDefinition": {
"Ref": "taskdefinition"
}
}
}

},
"Outputs" : {
"resourceId" : {
"Description" : "ResourceId",
"Value" : {"Fn::Join" : [ "/" , ["service", {"Ref" : "cluster"}, {"Fn::GetAtt" :
["service", "Name"]}]]}
}
}

}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: Creating ECS service
Parameters:
AppName:
Type: String
Description: Name of app requiring ELB exposure
Default: simple-app
AppContainerPort:
Type: Number
Description: Container port of app requiring ELB exposure
Default: '80'
AppHostPort:
Type: Number
Description: Host port of app requiring ELB exposure
Default: '80'
Resources:
scalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
ResourceId: !Join
- /
- - service
- !Ref cluster
- !GetAtt service.Name
ServiceNamespace: ecs
ScalableDimension: 'ecs:service:DesiredCount'
RoleARN: !GetAtt
- scalingRole
- Arn
MaxCapacity: '2'
MinCapacity: '1'
ScheduledActions:
- EndTime: '2018-12-04T22:14:41.951Z'
ScalableTargetAction:
MaxCapacity: '2'
MinCapacity: '1'
ScheduledActionName: First
StartTime: '2018-11-28T22:14:41.951Z'

API Version 2010-05-15
592

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalableTarget
Schedule: cron(0 0 12 ? * MON *)
scalingRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- application-autoscaling.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: '*'
Resource: '*'
cluster:
Type: AWS::ECS::Cluster
taskdefinition:
Type: AWS::ECS::TaskDefinition
Properties:
ContainerDefinitions:
- Name: !Ref AppName
MountPoints:
- SourceVolume: my-vol
ContainerPath: /var/www/my-vol
Image: amazon/amazon-ecs-sample
Cpu: '10'
PortMappings:
- ContainerPort: !Ref AppContainerPort
HostPort: !Ref AppHostPort
EntryPoint:
- /usr/sbin/apache2
- '-D'
- FOREGROUND
Memory: '500'
Essential: 'true'
- Name: busybox
Image: busybox
Cpu: '10'
EntryPoint:
- sh
- '-c'
Memory: '500'
Command:
- >/bin/sh -c "while true; do /bin/date > /var/www/my-vol/date; sleep
1; done"
Essential: 'false'
VolumesFrom:
- SourceContainer: !Ref AppName
Volumes:
- Host:
SourcePath: /var/lib/docker/vfs/dir/
Name: my-vol
service:
Type: AWS::ECS::Service
Properties:
Cluster: !Ref cluster
DesiredCount: 0

API Version 2010-05-15
593

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalingPolicy
TaskDefinition: !Ref taskdefinition
Outputs:
resourceId:
Description: ResourceId
Value: !Join
- /
- - service
- !Ref cluster
- !GetAtt service.Name

AWS::ApplicationAutoScaling::ScalingPolicy
The AWS::ApplicationAutoScaling::ScalingPolicy resource deﬁnes an Application Auto Scaling
scaling policy that Application Auto Scaling uses to adjust your application resources.
Topics
• Syntax (p. 594)
• Properties (p. 595)
• Return Value (p. 596)
• Examples (p. 596)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : String,
"PolicyType" : String,
"ResourceId" : String,
"ScalableDimension" : String,
"ScalingTargetId" : String,
"ServiceNamespace" : String,
"StepScalingPolicyConfiguration" : StepScalingPolicyConfiguration (p. 1619),
"TargetTrackingScalingPolicyConfiguration" : TargetTrackingScalingPolicyConfiguration (p. 1622)
}

}

YAML
Type : "AWS::ApplicationAutoScaling::ScalingPolicy"
Properties:
PolicyName: String
PolicyType: String
ResourceId: String
ScalableDimension: String
ScalingTargetId: String
ServiceNamespace: String
StepScalingPolicyConfiguration:
StepScalingPolicyConfiguration (p. 1619)
TargetTrackingScalingPolicyConfiguration:
TargetTrackingScalingPolicyConfiguration (p. 1622)

API Version 2010-05-15
594

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalingPolicy

Properties
PolicyName
A name for the scaling policy.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
PolicyType
An Application Auto Scaling policy type.

Note

Amazon DynamoDB and Aurora for Amazon RDS only support TargetTrackingScaling.
Any other service only supports StepScaling.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ResourceId
The unique resource identiﬁer for the scalable target that this scaling policy applies to. For more
information, see the ResourceId parameter for the PutScalingPolicy action in the Application Auto
Scaling API Reference.
Required: Conditional. You must specify either the ScalingTargetId property or the ResourceId,
ScalableDimension, and ServiceNamespace properties. If you specify the ResourceId,
ScalableDimension, and ServiceNamespace properties, don't specify the ScalingTargetId
property.
Type: String
Update requires: Replacement (p. 119)
ScalableDimension
The scalable dimension of the scalable target that this scaling policy applies to. The scalable
dimension contains the service namespace, resource type, and scaling property, such as
ecs:service:DesiredCount for the desired task count of an Amazon ECS service.
Required: Conditional. You must specify either the ScalingTargetId property or the ResourceId,
ScalableDimension, and ServiceNamespace properties. If you specify the ResourceId,
ScalableDimension, and ServiceNamespace properties, don't specify the ScalingTargetId
property.
Type: String
Update requires: Replacement (p. 119)
ServiceNamespace
The AWS service namespace of the scalable target that this scaling policy applies to. For a list of
service namespaces, see AWS Service Namespaces in the AWS General Reference.
Required: Conditional. You must specify either the ScalingTargetId property or the ResourceId,
ScalableDimension, and ServiceNamespace properties. If you specify the ResourceId,
ScalableDimension, and ServiceNamespace properties, don't specify the ScalingTargetId
property.
API Version 2010-05-15
595

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalingPolicy

Type: String
Update requires: Replacement (p. 119)
ScalingTargetId
The AWS CloudFormation-generated ID of an Application Auto Scaling scalable
target. For more information about the ID, see the Return Value section of the
AWS::ApplicationAutoScaling::ScalableTarget (p. 581) resource.
Required: Conditional. You must specify either the ScalingTargetId property or the ResourceId,
ScalableDimension, and ServiceNamespace properties. If you specify this property, don't
specify the ResourceId, ScalableDimension, and ServiceNamespace properties.
Type: String
Update requires: Replacement (p. 119)
StepScalingPolicyConfiguration
A step policy that conﬁgures when Application Auto Scaling scales resources up or down, and by
how much.
Required: No
Type: Application Auto Scaling ScalingPolicy StepScalingPolicyConﬁguration (p. 1619)
Update requires: No interruption (p. 118)
TargetTrackingScalingPolicyConfiguration
Conﬁgures a target tracking scaling policy.
This parameter is required if you are creating a new policy and the policy type is
TargetTrackingScaling.
Required: No
Type: Application Auto Scaling ScalingPolicy TargetTrackingScalingPolicyConﬁguration (p. 1622)
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the Application
Auto Scaling scaling policy Amazon Resource Name (ARN), such as arn:aws:autoscaling:useast-2:123456789012:scalingPolicy:12ab3c4d-56789-0ef1-2345-6ghi7jk8lm90:resource/
ecs/service/ecsStack-MyECSCluster-AB12CDE3F4GH/ecsStack-MyECSServiceAB12CDE3F4GH:policyName/MyStepPolicy.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Application Auto Scaling Scaling Policy with a Step Policy Conﬁguration
The following example creates an Application Auto Scaling scaling policy with a step policy
conﬁguration. When an associated alarm is triggered, the policy increases the desired count of the
scalable target by 200%, with a cooldown period of 60 seconds.
API Version 2010-05-15
596

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalingPolicy

JSON
"scalingPolicy" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : "AStepPolicy",
"PolicyType" : "StepScaling",
"ScalingTargetId" : {"Ref": "scalableTarget"},
"StepScalingPolicyConfiguration" : {
"AdjustmentType" : "PercentChangeInCapacity",
"Cooldown" : 60,
"MetricAggregationType" : "Average",
"StepAdjustments" : [{
"MetricIntervalLowerBound" : 0,
"ScalingAdjustment" : 200
}]
}
}
}

YAML
scalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: AStepPolicy
PolicyType: StepScaling
ScalingTargetId:
Ref: scalableTarget
StepScalingPolicyConfiguration:
AdjustmentType: PercentChangeInCapacity
Cooldown: 60
MetricAggregationType: Average
StepAdjustments:
- MetricIntervalLowerBound: 0
ScalingAdjustment: 200

Application Auto Scaling Scaling Policy with an Amazon DynamoDB Table
This example sets up Application Auto Scaling for a AWS::DynamoDB::Table resource. The template
deﬁnes a TargetTrackingScaling scaling policy that scales up the WriteCapacityUnits
throughput for the table.

JSON
{

"Resources": {
"DDBTable": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "ArtistId",
"AttributeType": "S"
},
{
"AttributeName": "Concert",
"AttributeType": "S"
},
{
"AttributeName": "TicketSales",
"AttributeType": "S"

API Version 2010-05-15
597

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalingPolicy
}
],
"KeySchema": [
{
"AttributeName": "ArtistId",
"KeyType": "HASH"
},
{
"AttributeName": "Concert",
"KeyType": "RANGE"
}
],
"GlobalSecondaryIndexes": [
{
"IndexName": "GSI",
"KeySchema": [
{
"AttributeName": "TicketSales",
"KeyType": "HASH"
}
],
"Projection": {
"ProjectionType": "KEYS_ONLY"
},
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}
}
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}

}
},
"WriteCapacityScalableTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {
"MaxCapacity": 15,
"MinCapacity": 5,
"ResourceId": { "Fn::Join": [
"/",
[
"table",
{ "Ref": "DDBTable" }
]
] },
"RoleARN": {
"Fn::GetAtt": ["ScalingRole", "Arn"]
},
"ScalableDimension": "dynamodb:table:WriteCapacityUnits",
"ServiceNamespace": "dynamodb"
}
},
"ScalingRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"application-autoscaling.amazonaws.com"

API Version 2010-05-15
598

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalingPolicy

]

}

]
},
"Action": [
"sts:AssumeRole"
]

},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:UpdateTable",
"cloudwatch:PutMetricAlarm",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:SetAlarmState",
"cloudwatch:DeleteAlarms"
],
"Resource": "*"
}
]
}
}
]

}

}

}
},
"WriteScalingPolicy": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties": {
"PolicyName": "WriteAutoScalingPolicy",
"PolicyType": "TargetTrackingScaling",
"ScalingTargetId": {
"Ref": "WriteCapacityScalableTarget"
},
"TargetTrackingScalingPolicyConfiguration": {
"TargetValue": 50.0,
"ScaleInCooldown": 60,
"ScaleOutCooldown": 60,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "DynamoDBWriteCapacityUtilization"
}
}
}
}

YAML
Resources:
DDBTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
AttributeName: "ArtistId"

API Version 2010-05-15
599

AWS CloudFormation User Guide
AWS::ApplicationAutoScaling::ScalingPolicy

-

AttributeType: "S"
AttributeName: "Concert"
AttributeType: "S"

AttributeName: "TicketSales"
AttributeType: "S"
KeySchema:
AttributeName: "ArtistId"
KeyType: "HASH"
AttributeName: "Concert"
KeyType: "RANGE"
GlobalSecondaryIndexes:
IndexName: "GSI"
KeySchema:
AttributeName: "TicketSales"
KeyType: "HASH"
Projection:
ProjectionType: "KEYS_ONLY"
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
WriteCapacityScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 15
MinCapacity: 5
ResourceId: !Join
- /
- - table
- !Ref DDBTable
RoleARN: !GetAtt ScalingRole.Arn
ScalableDimension: dynamodb:table:WriteCapacityUnits
ServiceNamespace: dynamodb
ScalingRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- application-autoscaling.amazonaws.com
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action:
- "dynamodb:DescribeTable"
- "dynamodb:UpdateTable"

API Version 2010-05-15
600

AWS CloudFormation User Guide
AWS::AppSync::ApiKey
- "cloudwatch:PutMetricAlarm"
- "cloudwatch:DescribeAlarms"
- "cloudwatch:GetMetricStatistics"
- "cloudwatch:SetAlarmState"
- "cloudwatch:DeleteAlarms"
Resource: "*"
WriteScalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: WriteAutoScalingPolicy
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref WriteCapacityScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 50.0
ScaleInCooldown: 60
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: DynamoDBWriteCapacityUtilization

AWS::AppSync::ApiKey
The AWS::AppSync::ApiKey resource creates a unique key that you can distribute to clients who are
executing GraphQL operations with AWS AppSync that require an API key.
Topics
• Syntax (p. 601)
• Properties (p. 602)
• Return Values (p. 602)
• Examples (p. 603)
• See Also (p. 604)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::AppSync::ApiKey",
"Properties" : {
"Description" : String,
"Expires" : Number,
"ApiId" : String
}

YAML
Type: "AWS::AppSync::ApiKey"
Properties:
Description: String
Expires: Number
ApiId: String

API Version 2010-05-15
601

AWS CloudFormation User Guide
AWS::AppSync::ApiKey

Properties
Description
Unique description of your API Key.
Required: No
Type: String
Update requires: No interruption (p. 118)
Expires
Expiration time of the API Key in seconds (using Unix Epoch time), with a minimum of 1 day and a
maximum of 365 days.
Required: Yes
Type: Number
Update requires: No interruption (p. 118)
ApiId
Unique AWS AppSync GraphQL API Identiﬁer for this API Key.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::AppSync::ApiKey resource to the intrinsic Ref
function, the function returns the ARN of the API Key, such as arn:aws:appsync:useast-1:123456789012:apis/graphqlapiid/apikey/apikeya1bzhi.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
ApiKey
The API key.
Arn
The Amazon Resource Name (ARN) of the API key, such as arn:aws:appsync:useast-1:123456789012:apis/graphqlapiid/apikey/apikeya1bzhi.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).
API Version 2010-05-15
602

AWS CloudFormation User Guide
AWS::AppSync::ApiKey

Examples
API Key creation example
The following example creates an API Key and associates it with an existing GraphQL API by passing the
GraphQL API Id as a paramater.

JSON
{

}

"Parameters": {
"graphQlApiId": {
"Type": "String"
},
"apiKeyDescription": {
"Type": "String"
},
"apiKeyExpires": {
"Type": "Number"
}
},
"Resources": {
"ApiKey": {
"Type": "AWS::AppSync::ApiKey",
"Properties": {
"ApiId": {
"Ref": "graphQlApiId"
},
"Description": {
"Ref": "apiKeyDescription"
},
"Expires": {
"Ref": "apiKeyExpires"
}
}
}
}

YAML
Parameters:
graphQlApiId:
Type: String
apiKeyDescription:
Type: String
apiKeyExpires:
Type: Number
Resources:
ApiKey:
Type: AWS::AppSync::ApiKey
Properties:
ApiId:
Ref: graphQlApiId
Description:
Ref: apiKeyDescription
Expires:
Ref: apiKeyExpires

API Version 2010-05-15
603

AWS CloudFormation User Guide
AWS::AppSync::DataSource

See Also
• CreateApiKey operation in the AWS AppSync API Reference

AWS::AppSync::DataSource
The AWS::AppSync::DataSource resource creates data sources for resolvers in AWS AppSync to
connect to, such as Amazon DynamoDB, AWS Lambda, and Amazon Elasticserach Service. Resolvers use
these data sources to fetch data when clients make GraphQL calls.
Topics
• Syntax (p. 604)
• Properties (p. 605)
• Return Values (p. 606)
• Examples (p. 606)
• See Also (p. 608)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::AppSync::DataSource",
"Properties" : {
"Type" : String,
"Description" : String,
"ServiceRoleArn" : String,
"LambdaConfig" : LambdaConfig (p. 1629),
"ApiId" : String,
"Name" : String,
"DynamoDBConfig" : DynamoDBConfig (p. 1626),
"ElasticsearchConfig" : ElasticsearchConfig (p. 1628),
"HttpConfig" : HttpConfig (p. 1627)
}

YAML
Type: "AWS::AppSync::DataSource"
Properties:
Type: String
Description: String
ServiceRoleArn: String
LambdaConfig: LambdaConfig (p. 1629)
ApiId: String
Name: String
DynamoDBConfig: DynamoDBConfig (p. 1626)
ElasticsearchConfig: ElasticsearchConfig (p. 1628)
HttpConfig: HttpConfig (p. 1627)

API Version 2010-05-15
604

AWS CloudFormation User Guide
AWS::AppSync::DataSource

Properties
Type
Mandatory resource to return data from in customer AWS account. You can also specify NONE to use
Local Resolvers. See Local Resolvers Tutorial for more information.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Description
Friendly description for this data source.
Required: No
Type: String
Update requires: No interruption (p. 118)
ServiceRoleArn
IAM role ARN which the data source will use to connect to a resource.
Required: No
Type: String
Update requires: No interruption (p. 118)
LambdaConfig
A valid ARN of a Lambda function in your account.
Required: No
Type: AWS AppSync DataSource LambdaConﬁg (p. 1629)
Update requires: No interruption (p. 118)
ApiId
Unique AWS AppSync GraphQL API Identiﬁer where this data source will be created.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Name
Friendly name for you to identify your AppSync data source after creation.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
DynamoDBConfig
AwsRegion and TableName for an Amazon DynamoDB table in your account.
API Version 2010-05-15
605

AWS CloudFormation User Guide
AWS::AppSync::DataSource

Required: No
Type: AWS AppSync DataSource DynamoDBConﬁg (p. 1626)
Update requires: No interruption (p. 118)
ElasticsearchConfig
AwsRegion and Endpoints for an Amazon Elasticsearch Service domain in your account.
Required: No
Type: AWS AppSync DataSource ElasticsearchConﬁg (p. 1628)
Update requires: No interruption (p. 118)
HttpConfig
Endpoints for an HTTP DataSource.
Required: No
Type: AWS AppSync DataSource HttpConﬁg (p. 1627)
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::AppSync::DataSource resource to the intrinsic Ref
function, the function returns the ARN of the Data Source, such as arn:aws:appsync:useast-1:123456789012:apis/graphqlapiid/datasources/datasourcename.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
DataSourceArn
The Amazon Resource Name (ARN) of the API key, such as arn:aws:appsync:useast-1:123456789012:apis/graphqlapiid/datasources/datasourcename.
Name
Friendly name for you to identify your AppSync data source after creation.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Data Source creation example
The following example creates a data source and associates it with an existing GraphQL API by passing
the GraphQL API Id as a paramater.
API Version 2010-05-15
606

AWS CloudFormation User Guide
AWS::AppSync::DataSource

JSON
{

}

"Parameters": {
"graphQlApiId": {
"Type": "String"
},
"dataSourceName": {
"Type": "String"
},
"dataSourceDescription": {
"Type": "String"
},
"serviceRoleArn": {
"Type": "String"
},
"lambdaFunctionArn": {
"Type": "String"
}
},
"Resources": {
"DataSource": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
"Ref": "graphQlApiId"
},
"Name": {
"Ref": "dataSourceName"
},
"Description": {
"Ref": "dataSourceDescription"
},
"Type": "AWS_LAMBDA",
"ServiceRoleArn": {
"Ref": "serviceRoleArn"
},
"LambdaConfig": {
"LambdaFunctionArn": {
"Ref": "lambdaFunctionArn"
}
}
}
}
}

YAML
Parameters:
graphQlApiId:
Type: String
dataSourceName:
Type: String
dataSourceDescription:
Type: String
serviceRoleArn:
Type: String
lambdaFunctionArn:
Type: String
Resources:
DataSource:
Type: AWS::AppSync::DataSource
Properties:

API Version 2010-05-15
607

AWS CloudFormation User Guide
AWS::AppSync::GraphQLApi
ApiId:
Ref: graphQlApiId
Name:
Ref: dataSourceName
Description:
Ref: dataSourceDescription
Type: "AWS_LAMBDA"
ServiceRoleArn:
Ref: serviceRoleArn
LambdaConfig:
LambdaFunctionArn:
Ref: lambdaFunctionArn

See Also
• CreateDataSource operation in the AWS AppSync API Reference

AWS::AppSync::GraphQLApi
The AWS::AppSync::GraphQLApi resource will create a new AWS AppSync GraphQL API. This is the
top level construct for your application. For more information see Quickstart Guide.
Topics
• Syntax (p. 608)
• Properties (p. 609)
• Return Values (p. 609)
• Examples (p. 610)
• See Also (p. 611)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::AppSync::GraphQLApi",
"Properties" : {
"UserPoolConfig" : UserPoolConfig (p. 1630),
"OpenIDConnectConfig" : OpenIDConnectConfig (p. 1632),
"Name" : String,
"AuthenticationType" : String,
"LogConfig" : LogConfig (p. 1630)
}

YAML
Type: "AWS::AppSync::GraphQLApi"
Properties:
UserPoolConfig: UserPoolConfig (p. 1630)
OpenIDConnectConfig : OpenIDConnectConfig (p. 1632)
Name: String
AuthenticationType: String
LogConfig: LogConfig (p. 1630)

API Version 2010-05-15
608

AWS CloudFormation User Guide
AWS::AppSync::GraphQLApi

Properties
UserPoolConfig
Optional authorization conﬁguration for using Amazon Cognito User Pools with your GraphQL
endpoint.
Required: No
Type: AWS AppSync GraphQLApi UserPoolConﬁg (p. 1630)
Update requires: No interruption (p. 118)
OpenIDConnectConfig
Optional authorization conﬁguration for using an OpenId Connect compliant service with your
GraphQL endpoint.
Required: No
Type: AWS AppSync GraphQLApi OpenId Connect Conﬁg (p. 1632)
Update requires: No interruption (p. 118)
Name
Friendly name for your GraphQL API in AWS AppSync.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
AuthenticationType
Security conﬁguration for your GraphQL API. For allowed values (such as API_KEY, AWS_IAM, or
AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT), see Security in the AWS AppSync Developer
Guide.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
LogConfig
Logging conﬁguration when writing GraphQL operations and tracing to Amazon Cloudwatch.
Required: No
Type: AWS AppSync GraphQLApi LogConﬁg (p. 1630)
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::AppSync::GraphQLApi resource to the intrinsic Ref
function, the function returns the ARN of the GraphQL API, such as arn:aws:appsync:useast-1:123456789012:apis/graphqlapiid.
API Version 2010-05-15
609

AWS CloudFormation User Guide
AWS::AppSync::GraphQLApi

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
GraphQLUrl
The Endpoint URL of your GraphQL API.
Arn
The Amazon Resource Name (ARN) of the API key, such as arn:aws:appsync:useast-1:123456789012:apis/graphqlapiid.
ApiId
Unique AWS AppSync GraphQL API Identiﬁer.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
GraphQL API creation example
The following example creates a GraphQL API

JSON
{

"Parameters": {
"graphQlApiName": {
"Type": "String"
},
"userPoolId": {
"Type": "String"
},
"userPoolAwsRegion": {
"Type": "String"
},
"defaultAction": {
"Type": "String"
}
},
"Resources": {
"GraphQLApi": {
"Type": "AWS::AppSync::GraphQLApi",
"Properties": {
"Name": {
"Ref": "graphQlApiName"
},
"AuthenticationType": "AMAZON_COGNITO_USER_POOLS",
UserPoolConfig": {
"UserPoolId": {
"Ref": "userPoolId"
},
"AwsRegion": {
"Ref": "userPoolAwsRegion"
},
"DefaultAction": {
"Ref": "defaultAction"
}

API Version 2010-05-15
610

AWS CloudFormation User Guide
AWS::AppSync::GraphQLSchema

}

}

}

}

}

YAML
Parameters:
graphQlApiName:
Type: String
userPoolId:
Type: String
userPoolAwsRegion:
Type: String
defaultAction:
Type: String
Resources:
GraphQLApi:
Type: AWS::AppSync::GraphQLApi
Properties:
Name:
Ref: graphQlApiName
AuthenticationType: "AMAZON_COGNITO_USER_POOLS"
"UserPoolConfig":
UserPoolId:
Ref: userPoolId
AwsRegion:
Ref: userPoolAwsRegion
DefaultAction:
Ref: defaultAction

See Also
• CreateGraphqlApi operation in the AWS AppSync API Reference

AWS::AppSync::GraphQLSchema
The AWS::AppSync::GraphQLSchema resource is used for your AWS AppSync GraphQL schema which
controls the data model for your API. Schema ﬁles are text written in Schema Deﬁnition Language (SDL)
format. You can ﬁnd information on schema authoring at Designing a GraphQL API.
Topics
• Syntax (p. 611)
• Properties (p. 612)
• Return Values (p. 612)
• Examples (p. 613)
• See Also (p. 613)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
611

AWS CloudFormation User Guide
AWS::AppSync::GraphQLSchema

}

"Type" : "AWS::AppSync::GraphQLSchema",
"Properties" : {
"Definition" : String,
"DefinitionS3Location" : String,
"ApiId" : String
}

YAML
Type: "AWS::AppSync::GraphQLSchema"
Properties:
Definition: String
DefinitionS3Location: String
ApiId: String

Properties
Definition
The text representation of a GraphQL schema in SDL format.
Required: No
Type: String
Update requires: No interruption (p. 118)
DefinitionS3Location
A location of a GraphQL schema ﬁle on an S3 bucket if you wish to provision with the schema living
in S3 rather than embedded in your CloudFormation template.
Required: No
Type: String
Update requires: No interruption (p. 118)
ApiId
The AWS AppSync GraphQL API identiﬁer to which you will apply this schema.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::AppSync::GraphQLSchema resource to the intrinsic Ref
function, the function returns the GraphQL API id with the literal String GraphQLSchema attached to it.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
612

AWS CloudFormation User Guide
AWS::AppSync::Resolver

Examples
GraphQL Schema creation example
The following example creates a GraphQL Schema and associates it with an existing GraphQL API by
passing the GraphQL API Id as a paramater.

JSON
{

}

"Parameters": {
"graphQlApiId": {
"Type": "String"
},
"graphQlSchemaS3DescriptionLocation": {
"Type": "String"
}
},
"Resources": {
"Schema": {
"Type": "AWS::AppSync::GraphQLSchema",
"Properties": {
"ApiId": {
"Ref": "graphQlApiId"
},
"DefinitionS3Location": {
"Ref": "graphQlSchemaS3DescriptionLocation"
}
}
}
}

YAML
Parameters:
graphQlApiId:
Type: String
graphQlSchemaS3DescriptionLocation:
Type: String
Resources:
Schema:
Type: AWS::AppSync::GraphQLSchema
Properties:
ApiId:
Ref: graphQlApiId
DefinitionS3Location:
Ref: graphQlSchemaS3DescriptionLocation

See Also
• StartSchemaCreation operation in the AWS AppSync API Reference

AWS::AppSync::Resolver
The AWS::AppSync::Resolver resource deﬁnes the logical GraphQL resolver that you will attach
to ﬁelds in a schema. Request and Response templates for resolvers are written in Apache Velocity
Template Language (VTL) format. More information on resolvers can be found in the Resolver Mapping
Template Reference.
API Version 2010-05-15
613

AWS CloudFormation User Guide
AWS::AppSync::Resolver

Topics
• Syntax (p. 614)
• Properties (p. 614)
• Return Values (p. 616)
• Examples (p. 616)
• See Also (p. 617)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::AppSync::Resolver",
"Properties" : {
"ResponseMappingTemplateS3Location" : String,
"TypeName" : String,
"DataSourceName" : String,
"RequestMappingTemplate" : String,
"ResponseMappingTemplate" : String,
"RequestMappingTemplateS3Location" : String,
"ApiId" : String,
"FieldName" : String
}

YAML
Type: "AWS::AppSync::Resolver"
Properties:
ResponseMappingTemplateS3Location: String
TypeName: String
DataSourceName: String
RequestMappingTemplate: String
ResponseMappingTemplate: String
RequestMappingTemplateS3Location: String
ApiId: String
FieldName: String

Properties
ResponseMappingTemplateS3Location
A location of a response mapping template on an S3 bucket if you wish to provision with the
template ﬁle living in S3 rather than embedded in your CloudFormation template.
Required: No
Type: String
Update requires: No interruption (p. 118)
TypeName
The GraphQL type that will invoke this resolver.
Required: Yes
API Version 2010-05-15
614

AWS CloudFormation User Guide
AWS::AppSync::Resolver

Type: String
Update requires: Replacement (p. 119)
DataSourceName
The AWS AppSync data source that this resolver will run against in order to return data to the caller.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RequestMappingTemplate
The resolver’s request mapping template, written in text within the CloudFormation template.
Required: No
Type: String
Update requires: No interruption (p. 118)
ResponseMappingTemplate
The resolver’s response mapping template, written in text within the CloudFormation template.
Required: No
Type: String
Update requires: No interruption (p. 118)
RequestMappingTemplateS3Location
A location of a request mapping template on an S3 bucket if you wish to provision with the template
ﬁle living in S3 rather than embedded in your CloudFormation template.
Required: No
Type: String
Update requires: No interruption (p. 118)
ApiId
The AWS AppSync GraphQL API which you will attach this resolver.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
FieldName
The GraphQL ﬁeld on a type that will invoke the resolver.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
615

AWS CloudFormation User Guide
AWS::AppSync::Resolver

Return Values
Ref
When you pass the logical ID of an AWS::AppSync::Resolver resource to the intrinsic
Ref function, the function returns the ARN of the Resolver, such as arn:aws:appsync:useast-1:123456789012:apis/graphqlapiid/types/typename/resolvers/resolvername.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
TypeName
The GraphQL type that will invoke this resolver.
ResolverArn
ARN of the Resolver, such as arn:aws:appsync:us-east-1:123456789012:apis/
graphqlapiid/types/typename/resolvers/resolvername.
FieldName
The GraphQL ﬁeld on a type that will invoke the resolver.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Resolver creation example
The following example creates a resolver and associates it with an existing GraphQL API and a data
source by passing the GraphQL API Id and data source name as a paramater.

JSON
{

"Parameters": {
"graphQlApiId": {
"Type": "String"
},
"dataSourceName": {
"Type": "String"
},
"fieldName": {
"Type": "String"
},
"typeName": {
"Type": "String"
},
"requestMappingTemplateS3LocationInput": {
"Type": "String"
},
"responseMappingTemplateS3LocationInput": {
"Type": "String"
}

API Version 2010-05-15
616

AWS CloudFormation User Guide
AWS::AppSync::Resolver

}

},
"Resources": {
"Resolver": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
"Ref": "graphQlApiId"
},
"TypeName": {
"Ref": "typeName"
},
"FieldName": {
"Ref": "fieldName"
},
"DataSourceName": {
"Ref": "dataSourceName"
},
"RequestMappingTemplateS3Location": {
"Ref": "requestMappingTemplateS3LocationInput"
},
"ResponseMappingTemplateS3Location": {
"Ref": "responseMappingTemplateS3LocationInput"
}
}
}
}

YAML
Parameters:
graphQlApiId:
Type: String
dataSourceName:
Type: String
fieldName:
Type: String
typeName:
Type: String
requestMappingTemplateS3LocationInput:
Type: String
responseMappingTemplateS3LocationInput:
Type: String
Resources:
Resolver:
Type: AWS::AppSync::Resolver
Properties:
ApiId:
Ref: graphQlApiId
TypeName:
Ref: typeName
FieldName:
Ref: fieldName
DataSourceName:
Ref: dataSourceName
RequestMappingTemplateS3Location:
Ref: requestMappingTemplateS3LocationInput
ResponseMappingTemplateS3Location:
Ref: responseMappingTemplateS3LocationInput

See Also
• CreateResolver operation in the AWS AppSync API Reference
API Version 2010-05-15
617

AWS CloudFormation User Guide
AWS::Athena::NamedQuery

AWS::Athena::NamedQuery
The AWS::Athena::NamedQuery resource creates an Amazon Athena query. For more information, see
CreateNamedQuery in the Amazon Athena Documentation.
Topics
• Syntax (p. 618)
• Properties (p. 618)
• Return Values (p. 619)
• Examples (p. 619)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Athena::NamedQuery",
"Properties" : {
"Description" : String,
"QueryString" : String,
"Database" : String,
"Name" : String
}

YAML
Type: AWS::Athena::NamedQuery
Properties:
Description: String
QueryString: String
Database: String
Name: String

Properties
For constraints, see NamedQuery in the Amazon Athena API Reference.
Description
A brief description of the query.
Required: No
Type: String
Update requires: No interruption (p. 118)
QueryString
The SQL query statements that comprise the query.
Required: Yes
API Version 2010-05-15
618

AWS CloudFormation User Guide
AWS::Athena::NamedQuery

Type: String
Update requires: Replacement (p. 119)
Database
The database to which the query belongs.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Name
The plain-language name of the query.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Examples
The following example creates a named query.

JSON
{

"Resources": {
"AthenaNamedQuery": {
"Type": "AWS::Athena::NamedQuery",
"Properties": {
"Database": "swfnetadata",
"Description": "A query that selects all aggregated data",
"Name": "MostExpensiveWorkflow",
"QueryString": "SELECT workflowname, AVG(activitytaskstarted) AS AverageWorkflow
FROM swfmetadata WHERE year='17' AND GROUP BY workflowname ORDER BY AverageWorkflow DESC
LIMIT 10"
}
}
}

}

YAML
Resources:
AthenaNamedQuery:

API Version 2010-05-15
619

AWS CloudFormation User Guide
AWS::AutoScaling::AutoScalingGroup
Type: AWS::Athena::NamedQuery
Properties:
Database: "swfnetadata"
Description: "A query that selects all aggregated data"
Name: "MostExpensiveWorkflow"
QueryString: >
SELECT workflowname, AVG(activitytaskstarted) AS AverageWorkflow
FROM swfmetadata
WHERE year='17' AND GROUP BY workflowname
ORDER BY AverageWorkflow DESC LIMIT 10

AWS::AutoScaling::AutoScalingGroup
Creates an Auto Scaling group.
You can add an UpdatePolicy (p. 2255) attribute to your Auto Scaling group to control how
rolling updates are performed when a change has been made to the Auto Scaling group's launch
conﬁguration (p. 628) or subnet group membership (p. 625).
Topics
• Syntax (p. 620)
• Properties (p. 621)
• Return Value (p. 625)
• Examples (p. 626)
• See Also (p. 628)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"AutoScalingGroupName (p. 621)" : String,
"AvailabilityZones (p. 621)" : [ String, ... ],
"Cooldown (p. 622)" : String,
"DesiredCapacity (p. 622)" : String,
"HealthCheckGracePeriod (p. 622)" : Integer,
"HealthCheckType (p. 622)" : String,
"InstanceId (p. 622)" : String,
"LaunchConfigurationName (p. 623)" : String,
"LaunchTemplate" : LaunchTemplateSpecification (p. 1639),
"LifecycleHookSpecificationList" : [ LifecycleHookSpecification (p. 1636), ... ],
"LoadBalancerNames (p. 623)" : [ String, ... ],
"MaxSize (p. 624)" : String,
"MetricsCollection" : [ MetricsCollection (p. 1640), ... ],
"MinSize (p. 624)" : String,
"NotificationConfigurations" : [ NotificationConfiguration (p. 1641), ... ],
"PlacementGroup" : String,
"ServiceLinkedRoleARN" : String,
"Tags" : [ TagProperty (p. 1642), ... ],
"TargetGroupARNs" : [ String, ... ],
"TerminationPolicies" : [ String, ... ],
"VPCZoneIdentifier (p. 625)" : [ String, ... ]
}

API Version 2010-05-15
620

AWS CloudFormation User Guide
AWS::AutoScaling::AutoScalingGroup
}

YAML
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
AutoScalingGroupName (p. 621): String
AvailabilityZones (p. 621):
- String
Cooldown (p. 622): String
DesiredCapacity (p. 622): String
HealthCheckGracePeriod (p. 622): Integer
HealthCheckType (p. 622): String
InstanceId (p. 622): String
LaunchConfigurationName (p. 623): String
LaunchTemplate: LaunchTemplateSpecification (p. 1639)
LifecycleHookSpecificationList:
- LifecycleHookSpecification (p. 1636)
LoadBalancerNames (p. 623):
- String
MaxSize (p. 624): String
MetricsCollection:
- MetricsCollection (p. 1640)
MinSize (p. 624): String
NotificationConfigurations:
- NotificationConfiguration (p. 1641)
PlacementGroup: String
ServiceLinkedRoleARN: String
Tags:
- TagProperty (p. 1642)
TargetGroupARNs:
- String
TerminationPolicies:
- String
VPCZoneIdentifier (p. 625):
- String

Properties
AutoScalingGroupName
The name of the Auto Scaling group.
Minimum length of 1. Maximum length of 255. Must follow the following pattern: [\u0020\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
Type: String
Update requires: Replacement (p. 119)
AvailabilityZones
Contains a list of availability zones for the group.
Required: Conditional. If you don't specify the VPCZoneIdentifier property, you must specify this
property.
Type: List of String values
Update requires: No interruption (p. 118)
API Version 2010-05-15
621

AWS CloudFormation User Guide
AWS::AutoScaling::AutoScalingGroup

Cooldown
The number of seconds after a scaling activity is completed before any further scaling activities can
start.
Required: No
Type: String
Update requires: No interruption (p. 118)
DesiredCapacity
Speciﬁes the desired capacity for the Auto Scaling group.
If SpotPrice is not set in the AWS::AutoScaling::LaunchConﬁguration (p. 628) for this Auto
Scaling group, then Auto Scaling will begin to bring instances online based on DesiredCapacity.
CloudFormation will not mark the Auto Scaling group as successful (by setting its status to
CREATE_COMPLETE) until the desired capacity is reached.
If SpotPrice is set, then DesiredCapacity will not be used as a criteria for success, since
instances will only be started when the spot price has been matched. After the spot price has been
matched, however, Auto Scaling uses DesiredCapacity as the target capacity for the group.
Required: No
Type: String
Update requires: No interruption (p. 118)
HealthCheckGracePeriod
The length of time in seconds after a new EC2 instance comes into service that Auto Scaling starts
checking its health.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
HealthCheckType
The service you want the health status from, Amazon EC2 or Elastic Load Balancer. Valid values are
EC2 or ELB.
Required: No
Type: String
Update requires: No interruption (p. 118)
InstanceId
The ID of the Amazon EC2 instance you want to use to create the Auto Scaling group. Use this
property if you want to create an Auto Scaling group that uses an existing Amazon EC2 instance
instead of a launch conﬁguration.
When you use an Amazon EC2 instance to create an Auto Scaling group, a new launch conﬁguration
is ﬁrst created and then associated with the Auto Scaling group. The new launch conﬁguration
derives all its properties from the instance, with the exception of BlockDeviceMapping and
AssociatePublicIpAddress.
Required: Conditional. You must specify one of the following: InstanceId,
LaunchConfigurationName, or LaunchTemplate.
API Version 2010-05-15
622

AWS CloudFormation User Guide
AWS::AutoScaling::AutoScalingGroup

Type: String
Update requires: Replacement (p. 119)
LaunchConfigurationName
Speciﬁes the name of the associated AWS::AutoScaling::LaunchConﬁguration (p. 628) resource.

Note

If this resource has a public IP address and is also in a VPC that is deﬁned in the same
template, you must use the DependsOn attribute to declare a dependency on the VPCgateway attachment. For more information, see DependsOn Attribute (p. 2250).
Required: Conditional. You must specify one of the following: InstanceId,
LaunchConfigurationName or LaunchTemplate.
Type: String
Update requires: No interruption (p. 118)

Important

When you update the LaunchConfigurationName, existing Amazon EC2 instances
continue to run with the conﬁguration that they were originally launched with. To update
existing instances, specify an update policy attribute for this Auto Scaling group. For more
information, see UpdatePolicy (p. 2255).
LaunchTemplate
The launch template to use to launch instances.
Required: Conditional. You must specify one of the following: InstanceId,
LaunchConfigurationName, or LaunchTemplate.
Type: Amazon EC2 Auto Scaling AutoScalingGroup LaunchTemplateSpeciﬁcation (p. 1639)
Update requires: No interruption (p. 118)

Important

When you update the LaunchTemplate, existing Amazon EC2 instances continue to run
with the conﬁguration that they were originally launched with. To update existing instances,
specify an update policy attribute for this Auto Scaling group. For more information, see
UpdatePolicy (p. 2255).
LifecycleHookSpecificationList
The lifecycle hooks for the group, which specify actions to perform when Auto Scaling launches or
terminates instances. For more information, see Amazon EC2 Auto Scaling Lifecycle Hooks in the
Amazon EC2 Auto Scaling User Guide.
Required: No
Type: List of Amazon EC2 Auto Scaling AutoScalingGroup LifecycleHookSpeciﬁcation (p. 1636)
Update requires: No interruption (p. 118)
LoadBalancerNames
A list of Classic load balancers associated with this Auto Scaling group. To specify Application load
balancers, use TargetGroupARNs.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
API Version 2010-05-15
623

AWS CloudFormation User Guide
AWS::AutoScaling::AutoScalingGroup

MaxSize
The maximum size of the Auto Scaling group.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
MetricsCollection
Enables the monitoring of group metrics of an Auto Scaling group.
Required: No
Type: A list of Amazon EC2 Auto Scaling AutoScalingGroup MetricsCollection (p. 1640)
Update requires: No interruption (p. 118)
MinSize
The minimum size of the Auto Scaling group.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
NotificationConfigurations
An embedded property that conﬁgures an Auto Scaling group to send notiﬁcations when speciﬁed
events take place.
Required: No
Type: List of Amazon EC2 Auto Scaling AutoScalingGroup NotiﬁcationConﬁguration (p. 1641)
Update requires: No interruption (p. 118)
PlacementGroup
The name of an existing cluster placement group into which you want to launch your instances.
A placement group is a logical grouping of instances within a single Availability Zone. You cannot
specify multiple Availability Zones and a placement group.
Required: No
Type: String
Update requires: No interruption (p. 118)
ServiceLinkedRoleARN
The Amazon Resource Name (ARN) of the service-linked role that the Auto Scaling group uses to
call other AWS services on your behalf. By default, Auto Scaling uses a service-linked role named
AWSServiceRoleForAutoScaling, which it creates if it does not exist.
Length Constraints: Minimum length of 1. Maximum length of 1600.
Pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
624

AWS CloudFormation User Guide
AWS::AutoScaling::AutoScalingGroup

Tags
The Auto Scaling tags to attach to this resource. For more information about Auto Scaling tags, see
Tagging Auto Scaling Groups and Instances in the Amazon EC2 Auto Scaling User Guide.
Required: No
Type: List of Amazon EC2 Auto Scaling AutoScalingGroup TagProperty (p. 1642)
Update requires: No interruption (p. 118)
TargetGroupARNs
A list of Amazon Resource Names (ARN) of target groups to associate with the Auto Scaling group.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
TerminationPolicies
A policy or a list of policies that are used to select the instances to terminate. The policies are
executed in the order that you list them.
For more information on conﬁguring a termination policy for your Auto Scaling group, see
Controlling Which Auto Scaling Instances Terminate During Scale In in the Amazon EC2 Auto Scaling
User Guide.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
VPCZoneIdentifier
A list of subnet identiﬁers of Amazon Virtual Private Cloud (Amazon VPCs).
If you specify the AvailabilityZones property, the subnets that you specify for this property
must reside in those Availability Zones.
For more information, see Launching Auto Scaling Instances in a VPC in the Amazon EC2 Auto
Scaling User Guide.
Required: Conditional. If you don't specify the AvailabilityZones property, you must specify this
property.
Type: List of String values
Update requires: Some interruptions (p. 119)

Note

When you update VPCZoneIdentiﬁer, the instances are replaced, but not the Auto Scaling
group.

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
In the following sample, the Ref function returns the name of the MyASGroup Auto Scaling group, such
as mystack-myasgroup-NT5EUXTNTXXD.
API Version 2010-05-15
625

AWS CloudFormation User Guide
AWS::AutoScaling::AutoScalingGroup

{ "Ref": "MyASGroup" }

For more information about using the Ref function, see Ref (p. 2311).

Examples
To view more Auto Scaling examples, see Auto Scaling Template Snippets (p. 288).

Auto Scaling Group with an Elastic Load Balancing Load Balancer, Launch
Conﬁguration, and Metric Collection
JSON
"WebServerGroup" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : "" },
"LaunchConfigurationName" : { "Ref" : "LaunchConfig" },
"MinSize" : "2",
"MaxSize" : "2",
"LoadBalancerNames" : [ { "Ref" : "ElasticLoadBalancer" } ],
"MetricsCollection": [
{
"Granularity": "1Minute",
"Metrics": [
"GroupMinSize",
"GroupMaxSize"
]
}
]
}
}

YAML
WebServerGroup:
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
AvailabilityZones:
Fn::GetAZs: ""
LaunchConfigurationName:
Ref: "LaunchConfig"
MinSize: "2"
MaxSize: "2"
LoadBalancerNames:
- Ref: "ElasticLoadBalancer"
MetricsCollection:
Granularity: "1Minute"
Metrics:
- "GroupMinSize"
- "GroupMaxSize"

Batch Update Instances in an Auto Scaling Group
The following example shows how to conﬁgure updates by including an UpdatePolicy (p. 2255)
attribute. The attribute contains an AutoScalingRollingUpdate embedded object with three
attributes that specify the update policy settings.
API Version 2010-05-15
626

AWS CloudFormation User Guide
AWS::AutoScaling::AutoScalingGroup

"ASG1" : {
"UpdatePolicy" : {
"AutoScalingRollingUpdate" : {
"MinInstancesInService" : "1",
"MaxBatchSize" : "1",
"PauseTime" : "PT12M5S"
}
},
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : { "Ref" : "AWS::Region" } },
"LaunchConfigurationName" : { "Ref" : "ASLC" },
"MaxSize" : "3",
"MinSize" : "1"
}
}

Auto Scaling Group Wait on Signals From New Instances
In the following example, the Auto Scaling group waits for new Amazon EC2 instances to signal the
group before Auto Scaling proceeds to update the next batch of instances. In the UpdatePolicy (p. 2255)
attribute, the WaitOnResourceSignals ﬂag is set to true. You can use the cfn-signal (p. 2331) helper
script on each instance to signal the Auto Scaling group.

JSON
"ASG1" : {
"UpdatePolicy" : {
"AutoScalingRollingUpdate" : {
"MinInstancesInService" : "1",
"MaxBatchSize" : "1",
"PauseTime" : "PT12M5S",
"WaitOnResourceSignals" : "true"
}
},
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : { "Ref" : "AWS::Region" } },
"LaunchConfigurationName" : { "Ref" : "ASLC" },
"MaxSize" : "3",
"MinSize" : "1"
}
}

YAML
ASG1:
UpdatePolicy:
AutoScalingRollingUpdate:
MinInstancesInService: "1"
MaxBatchSize: "1"
PauseTime: "PT12M5S"
WaitOnResourceSignals: "true"
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
AvailabilityZones:
Fn::GetAZs:
Ref: "AWS::Region"
LaunchConfigurationName:
Ref: "ASLC"
MaxSize: "3"

API Version 2010-05-15
627

AWS CloudFormation User Guide
AWS::AutoScaling::LaunchConﬁguration
MinSize: "1"

See Also
• UpdatePolicy (p. 2255)
• UpdateAutoScalingGroup in the Amazon EC2 Auto Scaling API Reference
• AWS CloudFormation Stacks Updates (p. 118)

AWS::AutoScaling::LaunchConﬁguration
Creates an Auto Scaling launch conﬁguration that can be used by an Auto Scaling group to conﬁgure
Auto Scaling instances.

Important

When you update a property of the LaunchConfiguration resource, AWS CloudFormation
deletes that resource and creates a new launch conﬁguration with the updated properties
and a new name. This update action does not deploy any change across the running Amazon
EC2 instances in the auto scaling group. In other words, an update simply replaces the
LaunchConfiguration so that when the auto scaling group launches new instances, they will
get the updated conﬁguration, but existing instances continue to run with the conﬁguration
that they were originally launched with. This works the same way as if you made similar changes
manually to an auto scaling group.
If you want to update existing instances when you update the
LaunchConfiguration resource, you must specify an update policy attribute for
the AWS::AutoScaling::AutoScalingGroup resource. For more information, see
UpdatePolicy (p. 2255).
Topics
• Syntax (p. 628)
• Properties (p. 629)
• Return Value (p. 633)
• Template Examples (p. 633)
• See Also (p. 637)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::AutoScaling::LaunchConfiguration",
"Properties" : {
"AssociatePublicIpAddress" : Boolean,
"BlockDeviceMappings" : [ BlockDeviceMapping, ... ],
"ClassicLinkVPCId" : String,
"ClassicLinkVPCSecurityGroups" : [ String, ... ],
"EbsOptimized" : Boolean,
"IamInstanceProfile" : String,
"ImageId" : String,
"InstanceId" : String,
"InstanceMonitoring" : Boolean,
"InstanceType" : String,
"KernelId" : String,

API Version 2010-05-15
628

AWS CloudFormation User Guide
AWS::AutoScaling::LaunchConﬁguration

}

}

"KeyName" : String,
"LaunchConfigurationName" : String,
"PlacementTenancy" : String,
"RamDiskId" : String,
"SecurityGroups" : [ SecurityGroup, ... ],
"SpotPrice" : String,
"UserData" : String

YAML
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
AssociatePublicIpAddress: Boolean
BlockDeviceMappings:
- BlockDeviceMapping
ClassicLinkVPCId: String
ClassicLinkVPCSecurityGroups:
- String
EbsOptimized: Boolean
IamInstanceProfile: String
ImageId: String
InstanceId: String
InstanceMonitoring: Boolean
InstanceType: String
KernelId: String
KeyName: String
LaunchConfigurationName: String
PlacementTenancy: String
RamDiskId: String
SecurityGroups:
- SecurityGroup
SpotPrice: String
UserData: String

Properties
AssociatePublicIpAddress
For Amazon EC2 instances in a VPC, indicates whether instances in the Auto Scaling group receive
public IP addresses. If you specify true, each instance in the Auto Scaling receives a unique public IP
address.

Note

If this resource has a public IP address and is also in a VPC that is deﬁned in the same
template, you must use the DependsOn attribute to declare a dependency on the VPCgateway attachment. For more information, see DependsOn Attribute (p. 2250).
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
BlockDeviceMappings
Speciﬁes how block devices are exposed to the instance. You can specify virtual devices and EBS
volumes.
Required: No
Type: A list of BlockDeviceMappings (p. 1633).
API Version 2010-05-15
629

AWS CloudFormation User Guide
AWS::AutoScaling::LaunchConﬁguration

Update requires: Replacement (p. 119)
ClassicLinkVPCId
The ID of a ClassicLink-enabled VPC to link your EC2-Classic instances to. You can specify this
property only for EC2-Classic instances. For more information, see ClassicLink in the Amazon Elastic
Compute Cloud User Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)
ClassicLinkVPCSecurityGroups
The IDs of one or more security groups for the VPC that you speciﬁed in the ClassicLinkVPCId
property.
Required: Conditional. If you speciﬁed the ClassicLinkVPCId property, you must specify this
property.
Type: List of String values
Update requires: Replacement (p. 119)
EbsOptimized
Speciﬁes whether the launch conﬁguration is optimized for EBS I/O. This optimization provides
dedicated throughput to Amazon EBS and an optimized conﬁguration stack to provide optimal EBS
I/O performance.
Additional fees are incurred when using EBS-optimized instances. For more information about fees
and supported instance types, see EBS-Optimized Instances in the Amazon EC2 User Guide for Linux
Instances.
Required: No If this property is not speciﬁed, "false" is used.
Type: Boolean
Update requires: Replacement (p. 119)
IamInstanceProfile
Provides the name or the Amazon Resource Name (ARN) of the instance proﬁle associated with the
IAM role for the instance. The instance proﬁle contains the IAM role.
Required: No
Type: String (1–1600 chars)
Update requires: Replacement (p. 119)
ImageId
Provides the unique ID of the Amazon Machine Image (AMI) that was assigned during registration.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
InstanceId
The ID of the Amazon EC2 instance you want to use to create the launch conﬁguration. Use this
property if you want the launch conﬁguration to use settings from an existing Amazon EC2 instance.
API Version 2010-05-15
630

AWS CloudFormation User Guide
AWS::AutoScaling::LaunchConﬁguration

When you use an instance to create a launch conﬁguration, all properties are derived from the
instance with the exception of BlockDeviceMapping and AssociatePublicIpAddress. You can
override any properties from the instance by specifying them in the launch conﬁguration.
Required: No
Type: String
Update requires: Replacement (p. 119)
InstanceMonitoring
Indicates whether detailed instance monitoring is enabled for the Auto Scaling group. By default,
this property is set to true (enabled).
When detailed monitoring is enabled, Amazon CloudWatch (CloudWatch) generates metrics every
minute and your account is charged a fee. When you disable detailed monitoring, CloudWatch
generates metrics every 5 minutes. For more information, see Monitor Your Auto Scaling Groups and
Instances Using Amazon CloudWatch in the Amazon EC2 Auto Scaling User Guide.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
InstanceType
Speciﬁes the instance type of the EC2 instance.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
KernelId
Provides the ID of the kernel associated with the EC2 AMI.
Required: No
Type: String
Update requires: Replacement (p. 119)
KeyName
Provides the name of the EC2 key pair.
Required: No
Type: String
Update requires: Replacement (p. 119)
LaunchConfigurationName
The name of the launch conﬁguration. This name must be unique within the scope of your AWS
account.
Length Constraints: Minimum length of 1. Maximum length of 255.
Pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
API Version 2010-05-15
631

AWS CloudFormation User Guide
AWS::AutoScaling::LaunchConﬁguration

Type: String
Update requires: Replacement (p. 119)
PlacementTenancy
The tenancy of the instance. An instance with a tenancy of dedicated runs on single-tenant
hardware and can only be launched in a VPC. You must set the value of this parameter to
dedicated if want to launch dedicated instances in a shared tenancy VPC (a VPC with the instance
placement tenancy attribute set to default). For more information, see CreateLaunchConﬁguration in
the Amazon EC2 Auto Scaling API Reference.
If you specify this property, you must specify at least one subnet in the VPCZoneIdentiﬁer property
of the AWS::AutoScaling::AutoScalingGroup (p. 620) resource.
Required: No
Type: String
Update requires: Replacement (p. 119)
RamDiskId
The ID of the RAM disk to select. Some kernels require additional drivers at launch. Check the
kernel requirements for information about whether you need to specify a RAM disk. To ﬁnd kernel
requirements, refer to the AWS Resource Center and search for the kernel ID.
Required: No
Type: String
Update requires: Replacement (p. 119)
SecurityGroups
A list that contains the EC2 security groups to assign to the instances in the Auto Scaling
group. The list can contain the IDs of existing EC2 security groups or references to
AWS::EC2::SecurityGroup resources created in the template.
Required: No
Type: A list of security groups.
Update requires: Replacement (p. 119)
SpotPrice
The spot price for this Auto Scaling group. If a spot price is set, then the Auto Scaling group will
launch when the current spot price is less than the amount speciﬁed in the template.
When you have speciﬁed a spot price for an auto scaling group, the group will only launch when the
spot price has been met, regardless of the setting in the Auto Scaling group's DesiredCapacity.
For more information about conﬁguring a spot price for an Auto Scaling group, see Launching Spot
Instances in your Auto Scaling Group in the Amazon EC2 Auto Scaling User Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)

Note

When you change your bid price by creating a new launch conﬁguration, running instances
will continue to run as long as the bid price for those running instances is higher than the
current Spot price.
API Version 2010-05-15
632

AWS CloudFormation User Guide
AWS::AutoScaling::LaunchConﬁguration

UserData
The user data available to the launched EC2 instances.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "LaunchConfig" }

For the resource with the logical ID LaunchConfig, Ref will return the Auto Scaling launch
conﬁguration name, such as mystack-mylaunchconfig-1DDYF1E3B3I.
For more information about using the Ref function, see Ref (p. 2311).

Template Examples
LaunchConﬁg with block device
This example shows a launch conﬁguration that describes two Amazon Elastic Block Store mappings.

JSON
"LaunchConfig" : {
"Type" : "AWS::AutoScaling::LaunchConfiguration",
"Properties" : {
"KeyName" : { "Ref" : "KeyName" },
"ImageId" : {
"Fn::FindInMap" : [
"AWSRegionArch2AMI",
{ "Ref" : "AWS::Region" },
{
"Fn::FindInMap" : [
"AWSInstanceType2Arch", { "Ref" : "InstanceType" }, "Arch"
]
}
]
},
"UserData" : { "Fn::Base64" : { "Ref" : "WebServerPort" }},
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
"InstanceType" : { "Ref" : "InstanceType" },
"BlockDeviceMappings" : [
{
"DeviceName" : "/dev/sda1",
"Ebs" : { "VolumeSize" : "50", "VolumeType" : "io1", "Iops" : 200 }
},
{
"DeviceName" : "/dev/sdm",
"Ebs" : { "VolumeSize" : "100", "DeleteOnTermination" : "true"}
}
]
}

API Version 2010-05-15
633

AWS CloudFormation User Guide
AWS::AutoScaling::LaunchConﬁguration
}

YAML
LaunchConfig:
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
KeyName:
Ref: "KeyName"
ImageId:
Fn::FindInMap:
- "AWSRegionArch2AMI"
- Ref: "AWS::Region"
- Fn::FindInMap:
- "AWSInstanceType2Arch"
- Ref: "InstanceType"
- "Arch"
UserData:
Fn::Base64:
Ref: "WebServerPort"
SecurityGroups:
- Ref: "InstanceSecurityGroup"
InstanceType:
Ref: "InstanceType"
BlockDeviceMappings:
- DeviceName: "/dev/sda1"
Ebs:
VolumeSize: "50"
VolumeType: "io1"
Iops: 200
- DeviceName: "/dev/sdm"
Ebs:
VolumeSize: "100"
DeleteOnTermination: "true"

LaunchConﬁg with Spot Price in Autoscaling Group
This example shows a launch conﬁguration that features a spot price in the AutoScaling group. This
launch conﬁguration will only be active if the current spot price is less than the amount in the template
speciﬁcation (0.05).

JSON
"LaunchConfig" : {
"Type" : "AWS::AutoScaling::LaunchConfiguration",
"Properties" : {
"KeyName" : { "Ref" : "KeyName" },
"ImageId" : {
"Fn::FindInMap" : [
"AWSRegionArch2AMI",
{ "Ref" : "AWS::Region" },
{
"Fn::FindInMap" : [
"AWSInstanceType2Arch", { "Ref" : "InstanceType" }, "Arch"
]
}
]
},
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
"SpotPrice" : "0.05",
"InstanceType" : { "Ref" : "InstanceType" }

API Version 2010-05-15
634

AWS CloudFormation User Guide
AWS::AutoScaling::LaunchConﬁguration

}

}

YAML
LaunchConfig:
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
KeyName:
Ref: "KeyName"
ImageId:
Fn::FindInMap:
- "AWSRegionArch2AMI"
- Ref: "AWS::Region"
- Fn::FindInMap:
- "AWSInstanceType2Arch"
- Ref: "InstanceType"
- "Arch"
SecurityGroups:
- Ref: "InstanceSecurityGroup"
SpotPrice: "0.05"
InstanceType:
Ref: "InstanceType"

LaunchConﬁg with IAM Instance Proﬁle
Here's a launch conﬁguration using the IamInstanceProﬁle (p. 630) property.
Only the AWS::AutoScaling::LaunchConfiguration speciﬁcation is shown. For the full template,
including the deﬁnition of, and further references from the AWS::IAM::InstanceProﬁle (p. 1188) object
referenced here as "RootInstanceProﬁle", see: auto_scaling_with_instance_proﬁle.template.

JSON
"myLCOne": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AWSRegionArch2AMI",
{ "Ref": "AWS::Region" },
{
"Fn::FindInMap": [
"AWSInstanceType2Arch", { "Ref": "InstanceType" }, "Arch"
]
}
]
},
"InstanceType": { "Ref": "InstanceType" },
"IamInstanceProfile": { "Ref": "RootInstanceProfile" }
}
}

YAML
myLCOne:
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
ImageId:
Fn::FindInMap:

API Version 2010-05-15
635

AWS CloudFormation User Guide
AWS::AutoScaling::LaunchConﬁguration
- "AWSRegionArch2AMI"
- Ref: "AWS::Region"
- Fn::FindInMap:
- "AWSInstanceType2Arch"
- Ref: "InstanceType"
- "Arch"
InstanceType:
Ref: "InstanceType"
IamInstanceProfile:
Ref: "RootInstanceProfile"

EBS-optimized volume with speciﬁed PIOPS
You can create an AWS CloudFormation stack with auto scaled instances that contain EBS-optimized
volumes with a speciﬁed PIOPS. This can increase the performance of your EBS-backed instances as
explained in Increasing EBS Performance in the Amazon Elastic Compute Cloud User Guide.
When you create a launch conﬁguration such as this one, be sure to set the InstanceType to at least
m1.large and set EbsOptimized to true. Your launched instances will contain optimized EBS root
volumes with the PIOPS that you selected when creating the AMI.

Warning

Additional fees are incurred when using EBS-optimized instances. For more information, see
EBS-Optimized Instances in the Amazon Elastic Compute Cloud User Guide.
Because you cannot override PIOPS settings in an auto scaling launch conﬁguration, the AMI in your
launch conﬁguration must have been conﬁgured with a block device mapping that speciﬁes the desired
PIOPS. You can do this by creating your own EC2 AMI with the following characteristics:
• An instance type of m1.large or greater. This is required for EBS optimization.
• An EBS-backed AMI with a volume type of "io1" and the number of IOPS you want for the Auto
Scaling-launched instances.
• The size of the EBS volume must accommodate the IOPS you need. There is a 10 : 1 ratio between
IOPS and Gibibytes (GiB) of storage, so for 100 PIOPS, you need at least 10 GiB storage on the root
volume.
Use this AMI in your Auto Scaling launch conﬁguration. For example, an EBS-optimized AMI with PIOPS
that has the AMI ID ami-7430ba44 would be used in your launch conﬁguration like this:

JSON
"LaunchConfig" : {
"Type" : "AWS::AutoScaling::LaunchConfiguration",
"Properties" : {
"KeyName" : { "Ref" : "KeyName" },
"ImageId" : "ami-7430ba44",
"UserData" : { "Fn::Base64" : { "Ref" : "WebServerPort" } },
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
"InstanceType" : "m1.large",
"EbsOptimized" : "true"
}
}

YAML
LaunchConfig:
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
KeyName:

API Version 2010-05-15
636

AWS CloudFormation User Guide
AWS::AutoScaling::LifecycleHook
Ref: "KeyName"
ImageId: "ami-7430ba44"
UserData:
Fn::Base64:
Ref: "WebServerPort"
SecurityGroups:
- Ref: "InstanceSecurityGroup"
InstanceType: "m1.large"
EbsOptimized: "true"

See Also
• Creating Your Own AMIs in the Amazon Elastic Compute Cloud User Guide.
• Block Device Mapping in the Amazon Elastic Compute Cloud User Guide.
• To view more LaunchConﬁguration snippets, see Auto Scaling Launch Conﬁguration Resource (p. 288).

AWS::AutoScaling::LifecycleHook
Controls the state of an instance in an Auto Scaling group after it is launched or terminated. When you
use a lifecycle hook, the Auto Scaling group either pauses the instance after it is launched (before it
is put into service) or pauses the instance as it is terminated (before it is fully terminated). For more
information, see Amazon EC2 Auto Scaling Lifecycle Hooks in the Amazon EC2 Auto Scaling User Guide.
Topics
• Syntax (p. 637)
• Properties (p. 638)
• Return Value (p. 639)
• Example (p. 639)
• See Also (p. 640)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::AutoScaling::LifecycleHook",
"Properties" : {
"AutoScalingGroupName" : String,
"DefaultResult" : String,
"HeartbeatTimeout" : Integer,
"LifecycleHookName" : String,
"LifecycleTransition" : String,
"NotificationMetadata" : String,
"NotificationTargetARN" : String,
"RoleARN" : String
}

YAML
Type: AWS::AutoScaling::LifecycleHook
Properties:

API Version 2010-05-15
637

AWS CloudFormation User Guide
AWS::AutoScaling::LifecycleHook
AutoScalingGroupName: String
DefaultResult: String
HeartbeatTimeout: Integer
LifecycleHookName: String
LifecycleTransition: String
NotificationMetadata: String
NotificationTargetARN: String
RoleARN: String

Properties
For information about valid and default values, see LifecycleHook in the Amazon EC2 Auto Scaling API
Reference.
AutoScalingGroupName
The name of the Auto Scaling group for the lifecycle hook.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
DefaultResult
The action the Auto Scaling group takes when the lifecycle hook timeout elapses or if an unexpected
failure occurs. Valid values are CONTINUE (default) and ABANDON.
Required: No
Type: String
Update requires: No interruption (p. 118)
HeartbeatTimeout
The amount of time that can elapse before the lifecycle hook times out. When the lifecycle hook
times out, Auto Scaling performs the action that you speciﬁed in the DefaultResult property.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
LifecycleHookName
The name of the lifecycle hook. Length Constraints: Minimum length of 1. Maximum length of 255.
Required: No
Type: String
Update requires: Replacement (p. 119)
LifecycleTransition
The state of the Amazon EC2 instance to which you want to attach the lifecycle hook. For valid
values, see the LifecycleTransition content for the LifecycleHook data type in the Amazon EC2
Auto Scaling API Reference.
Required: Yes
Type: String
API Version 2010-05-15
638

AWS CloudFormation User Guide
AWS::AutoScaling::LifecycleHook

Update requires: No interruption (p. 118)
NotificationMetadata
Additional information that you want to include when Auto Scaling sends a message to the
notiﬁcation target.
Required: No
Type: String
Update requires: No interruption (p. 118)
NotificationTargetARN
The Amazon resource name (ARN) of the notiﬁcation target that Auto Scaling uses to notify you
when an instance is in the transition state for the lifecycle hook. You can specify an Amazon SQS
queue or an Amazon SNS topic. The notiﬁcation message includes the following information:
lifecycle action token, user account ID, Auto Scaling group name, lifecycle hook name, instance ID,
lifecycle transition, and notiﬁcation metadata.
Required: No
Type: String
Update requires: No interruption (p. 118)
RoleARN
The ARN of the IAM role that allows the Auto Scaling group to publish to the speciﬁed notiﬁcation
target. The role requires permissions to Amazon SNS and Amazon SQS.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myLifecycleHook" }

Ref returns the lifecycle hook name, such as mylifecyclehookname.
For more information about using the Ref function, see Ref (p. 2311).

Example
In the following template snippet, the Auto Scaling pauses instances before completely terminating
them. While in the pending state, you can, for example, connect to the instance and download logs or
any other data before the instance is terminated.

JSON
"myLifecycleHook": {
"Type": "AWS::AutoScaling::LifecycleHook",
"Properties": {
"AutoScalingGroupName": { "Ref": "myAutoScalingGroup" },

API Version 2010-05-15
639

AWS CloudFormation User Guide
AWS::AutoScaling::ScalingPolicy

}

}

"LifecycleTransition": "autoscaling:EC2_INSTANCE_TERMINATING",
"NotificationTargetARN": { "Ref": "lifecycleHookTopic" },
"RoleARN": { "Fn::GetAtt": [ "lifecycleHookRole", "Arn" ] }

YAML
myLifecycleHook:
Type: AWS::AutoScaling::LifecycleHook
Properties:
AutoScalingGroupName:
Ref: myAutoScalingGroup
LifecycleTransition: "autoscaling:EC2_INSTANCE_TERMINATING"
NotificationTargetARN:
Ref: lifecycleHookTopic
RoleARN:
Fn::GetAtt:
- lifecycleHookRole
- Arn

See Also
• LifecycleHook in the Amazon EC2 Auto Scaling API Reference (for valid values and default values)
• Lifecycle Hooks in the Amazon EC2 Auto Scaling User Guide

AWS::AutoScaling::ScalingPolicy
Adds a scaling policy to an Auto Scaling group. A scaling policy speciﬁes whether to scale the Auto
Scaling group up or down, and by how much. For more information, see Dynamic Scaling in the Amazon
EC2 Auto Scaling User Guide.
You can use a scaling policy together with a CloudWatch alarm. A CloudWatch alarm can automatically
initiate actions on your behalf, based on parameters you specify. A scaling policy is one type of action
that an alarm can initiate. For a snippet showing how to create an Auto Scaling policy that is triggered by
a CloudWatch alarm, see Auto Scaling Policy Triggered by CloudWatch Alarm (p. 289). Note that you can
only associate one scaling policy with an alarm.
This type supports updates. For more information about updating this resource, see PutScalingPolicy in
the Amazon EC2 Auto Scaling API Reference.
Topics
• Syntax (p. 640)
• Properties (p. 641)
• Return Value (p. 643)
• Examples (p. 643)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

API Version 2010-05-15
640

AWS CloudFormation User Guide
AWS::AutoScaling::ScalingPolicy
{

}

"Type" : "AWS::AutoScaling::ScalingPolicy",
"Properties" : {
"AdjustmentType (p. 641)" : String,
"AutoScalingGroupName (p. 641)" : String,
"Cooldown (p. 641)" : String,
"EstimatedInstanceWarmup" : Integer,
"MetricAggregationType" : String,
"MinAdjustmentMagnitude" : Integer,
"PolicyType" : String,
"ScalingAdjustment (p. 642)" : Integer,
"StepAdjustments" : [ StepAdjustments (p. 1647), ... ]
"TargetTrackingConfiguration" : TargetTrackingConfiguration (p. 1648)
}

YAML
Type: AWS::AutoScaling::ScalingPolicy
Properties:
AdjustmentType (p. 641): String
AutoScalingGroupName (p. 641): String
Cooldown (p. 641): String
EstimatedInstanceWarmup: Integer
MetricAggregationType: String
MinAdjustmentMagnitude: Integer
PolicyType: String
ScalingAdjustment (p. 642): Integer
StepAdjustments:
- StepAdjustments (p. 1647)
TargetTrackingConfiguration:
TargetTrackingConfiguration (p. 1648)

Properties
AdjustmentType
Speciﬁes whether the ScalingAdjustment is an absolute number or a percentage
of the current capacity. Valid values are ChangeInCapacity, ExactCapacity, and
PercentChangeInCapacity.
Required: No
Type: String
Update requires: No interruption (p. 118)
AutoScalingGroupName
The name or Amazon Resource Name (ARN) of the Auto Scaling Group that you want to attach the
policy to.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Cooldown
The amount of time, in seconds, after a scaling activity completes before any further trigger-related
scaling activities can start.
API Version 2010-05-15
641

AWS CloudFormation User Guide
AWS::AutoScaling::ScalingPolicy

Do not specify this property if you are using the StepScaling policy type.
Required: No
Type: String
Update requires: No interruption (p. 118)
EstimatedInstanceWarmup
The estimated time, in seconds, until a newly launched instance can send metrics to CloudWatch. By
default, Auto Scaling uses the cooldown period, as speciﬁed in the Cooldown property.
Do not specify this property if you are using the SimpleScaling policy type.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
MetricAggregationType
The aggregation type for the CloudWatch metrics. You can specify Minimum, Maximum, or Average.
By default, AWS CloudFormation speciﬁes Average.
Do not specify this property if you are using the SimpleScaling policy type.
Required: No
Type: String
Update requires: No interruption (p. 118)
MinAdjustmentMagnitude
For the PercentChangeInCapacity adjustment type, the minimum number of instances to scale.
The scaling policy changes the desired capacity of the Auto Scaling group by a minimum of this
many instances. This property replaces the MinAdjustmentStep property.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
PolicyType
An Auto Scaling policy type. You can specify SimpleScaling, StepScaling, or
TargetTrackingScaling. By default, AWS CloudFormation speciﬁes SimpleScaling. For more
information, see Dynamic Scaling in the Amazon EC2 Auto Scaling User Guide.
Required: No
Type: String
Update requires: No interruption (p. 118)
ScalingAdjustment
The number of instances by which to scale. The AdjustmentType property determines if AWS
CloudFormation interprets this number as an absolute number (when the ExactCapacity value
is speciﬁed), increase or decrease capacity by a speciﬁed number (when the ChangeInCapacity
value is speciﬁed), or increase or decrease capacity as a percentage of the existing Auto Scaling
API Version 2010-05-15
642

AWS CloudFormation User Guide
AWS::AutoScaling::ScalingPolicy

group size (when the PercentChangeInCapacity value is speciﬁed). A positive value adds to the
current capacity and a negative value subtracts from the current capacity. For exact capacity, you
must specify a positive value.
Required: Conditional. This property is required if the policy type is SimpleScaling. This property is
not supported with any other policy type.
Type: Integer
Update requires: No interruption (p. 118)
StepAdjustments
A set of adjustments that enable you to scale based on the size of the alarm breach.
Required: Conditional. This property is required if the policy type is StepScaling. This property is
not supported with any other policy type.
Type: List of Amazon EC2 Auto Scaling ScalingPolicy StepAdjustments (p. 1647)
Update requires: No interruption (p. 118)
TargetTrackingConfiguration
Conﬁgures a target tracking scaling policy.
Required: Conditional. This property is required if the policy type is TargetTrackingScaling. This
property is not supported with any other policy type.
Type: Amazon EC2 Auto Scaling ScalingPolicy TargetTrackingConﬁguration (p. 1648)
Update requires: No interruption (p. 118)

Return Value
When you specify an AWS::AutoScaling::ScalingPolicy type as an argument to the
Ref function, AWS CloudFormation returns the policy Amazon Resource Name (ARN), such as
arn:aws:autoscaling:us-east-2:123456789012:scalingPolicy:ab12c4d5-a1b2a1b2-a1b2-ab12c4d56789:autoScalingGroupName/myStack-AutoScalingGroupAB12C4D5E6:policyName/myStack-myScalingPolicy-AB12C4D5E6.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Simple policy type
The following example is a simple scaling policy that increases the number instances by one when it is
triggered.

JSON
"SimpleScaling" : {
"Type" : "AWS::AutoScaling::ScalingPolicy",
"Properties" : {
"AdjustmentType" : "ChangeInCapacity",
"PolicyType" : "SimpleScaling",
"Cooldown" : "60",
"AutoScalingGroupName" : { "Ref" : "ASG" },

API Version 2010-05-15
643

AWS CloudFormation User Guide
AWS::AutoScaling::ScalingPolicy

}

}

"ScalingAdjustment" : 1

YAML
SimpleScaling:
Type: AWS::AutoScaling::ScalingPolicy
Properties:
AdjustmentType: "ChangeInCapacity"
PolicyType: "SimpleScaling"
Cooldown: "60"
AutoScalingGroupName:
Ref: "ASG"
ScalingAdjustment: 1

Step policy type
The following example is a step scaling policy that increases the number instances by one or two,
depending on the size of the alarm breach. For a breach that is less than 50 units than the threshold
value, the policy increases the number of instances by one. For a breach that is 50 units or more higher
than the threshold, the policy increases the number of instances by two.

JSON
"StepScaling" : {
"Type" : "AWS::AutoScaling::ScalingPolicy",
"Properties" : {
"AdjustmentType" : "ChangeInCapacity",
"AutoScalingGroupName" : { "Ref" : "ASG" },
"PolicyType" : "StepScaling",
"MetricAggregationType" : "Average",
"EstimatedInstanceWarmup" : "60",
"StepAdjustments": [
{
"MetricIntervalLowerBound": "0",
"MetricIntervalUpperBound" : "50",
"ScalingAdjustment": "1"
},
{
"MetricIntervalLowerBound": "50",
"ScalingAdjustment": "2"
}
]
}
}

YAML
StepScaling:
Type: AWS::AutoScaling::ScalingPolicy
Properties:
AdjustmentType: "ChangeInCapacity"
AutoScalingGroupName:
Ref: "ASG"
PolicyType: "StepScaling"
MetricAggregationType: "Average"
EstimatedInstanceWarmup: "60"
StepAdjustments:
MetricIntervalLowerBound: "0"

API Version 2010-05-15
644

AWS CloudFormation User Guide
AWS::AutoScaling::ScalingPolicy

-

MetricIntervalUpperBound: "50"
ScalingAdjustment: "1"
MetricIntervalLowerBound: "50"
ScalingAdjustment: "2"

Target tracking scaling policy type
The following example is a target tracking scaling policy based on the ASGAverageCPUUtilization
metric.

JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Parameters" : {
"AMI" : {
"Type" : "String"
},
"Subnets": {
"Type" : "CommaDelimitedList"
},
"AZs": {
"Type" : "CommaDelimitedList"
},
"PolicyTargetValue": {
"Type" : "String"
}
},
"Resources" : {
"LC" : {
"Type" : "AWS::AutoScaling::LaunchConfiguration",
"Properties" : {
"ImageId" : { "Ref" : "AMI" },
"InstanceType" : "t2.large"
}
},
"POL" : {
"Type" : "AWS::AutoScaling::ScalingPolicy",
"Properties" : {
"AutoScalingGroupName" : {
"Ref" : "ASG"
},
"PolicyType" : "TargetTrackingScaling",
"TargetTrackingConfiguration": {
"PredefinedMetricSpecification": {
"PredefinedMetricType": "ASGAverageCPUUtilization"
},
"TargetValue": {"Ref": "PolicyTargetValue"}
}
}
},
"ASG" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"MaxSize" : "1",
"AvailabilityZones": {
"Ref": "AZs"
},
"VPCZoneIdentifier": {
"Ref" : "Subnets"
},
"MinSize" : "0",
"DesiredCapacity" : "0",

API Version 2010-05-15
645

AWS CloudFormation User Guide
AWS::AutoScaling::ScheduledAction

}

}

}

}

"LaunchConfigurationName" : {
"Ref" : "LC"
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Parameters:
AMI:
Type: String
Subnets:
Type: CommaDelimitedList
AZs:
Type: CommaDelimitedList
PolicyTargetValue:
Type: String
Resources:
LC:
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
ImageId: !Ref AMI
InstanceType: t2.large
POL:
Type: AWS::AutoScaling::ScalingPolicy
Properties:
AutoScalingGroupName: !Ref ASG
PolicyType: TargetTrackingScaling
TargetTrackingConfiguration:
PredefinedMetricSpecification:
PredefinedMetricType: ASGAverageCPUUtilization
TargetValue: !Ref PolicyTargetValue
ASG:
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
MaxSize: '1'
AvailabilityZones: !Ref AZs
VPCZoneIdentifier: !Ref Subnets
MinSize: '0'
DesiredCapacity: '0'
LaunchConfigurationName: !Ref LC

AWS::AutoScaling::ScheduledAction
Creates a scheduled scaling action for an Auto Scaling group, changing the number of servers available
for your application in response to predictable load changes.

Important
• If you have rolling updates enabled, you must suspend scheduled actions before you can
update the Auto Scaling group. You can suspend processes by using the UpdatePolicy
attribute (p. 2255) for the AWS::AutoScaling::AutoScalingGroup resource
(recommended), the AWS CLI, or the Amazon EC2 Auto Scaling API. For more information
about suspending scheduled actions, see Suspending and Resuming Scaling Processes in the
Amazon EC2 Auto Scaling User Guide.
• When you update a stack with an Auto Scaling group and scheduled action,
AWS CloudFormation always sets the min size, max size, and desired capacity
properties of your Auto Scaling group to the values that are deﬁned in the
API Version 2010-05-15
646

AWS CloudFormation User Guide
AWS::AutoScaling::ScheduledAction

AWS::AutoScaling::AutoScalingGroup resource of your template, even if a scheduled
action is in eﬀect. However, you might not want AWS CloudFormation to change any of the
group size property values, such as when you have a scheduled action in eﬀect. You can use
an UpdatePolicy attribute (p. 2255) to prevent AWS CloudFormation from changing the min
size, max size, or desired capacity property values during a stack update unless you modiﬁed
the individual values in your template.
Topics
• Syntax (p. 647)
• Properties (p. 647)
• Return Value (p. 649)
• Auto Scaling Scheduled Action Snippet (p. 649)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::AutoScaling::ScheduledAction",
"Properties" : {
"AutoScalingGroupName" : String,
"DesiredCapacity" : Integer,
"EndTime" : Time stamp,
"MaxSize" : Integer,
"MinSize" : Integer,
"Recurrence" : String,
"StartTime" : Time stamp
}

YAML
Type: AWS::AutoScaling::ScheduledAction
Properties:
AutoScalingGroupName: String
DesiredCapacity: Integer
EndTime: Time stamp
MaxSize: Integer
MinSize: Integer
Recurrence: String
StartTime: Time stamp

Properties
AutoScalingGroupName
The name or ARN of the Auto Scaling group.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
647

AWS CloudFormation User Guide
AWS::AutoScaling::ScheduledAction

DesiredCapacity
The number of Amazon EC2 instances that should be running in the Auto Scaling group. At least one
of MaxSize, MinSize, or DesiredCapacity must be speciﬁed.
Required: Conditional
Type: Integer
Update requires: No interruption (p. 118)
EndTime
The time in UTC for this schedule to end. For example, 2010-06-01T00:00:00Z.
Required: No
Type: Time stamp
Update requires: No interruption (p. 118)
MaxSize
The maximum number of Amazon EC2 instances in the Auto Scaling group. At least one of MaxSize,
MinSize, or DesiredCapacity must be speciﬁed.
Required: Conditional
Type: Integer
Update requires: No interruption (p. 118)
MinSize
The minimum number of Amazon EC2 instances in the Auto Scaling group. At least one of MaxSize,
MinSize, or DesiredCapacity must be speciﬁed.
Required: Conditional
Type: Integer
Update requires: No interruption (p. 118)
Recurrence
The time in UTC when recurring future actions will start. You specify the start time by following the
Unix cron syntax format. For more information about cron syntax, go to http://en.wikipedia.org/
wiki/Cron.
Specifying the StartTime and EndTime properties with Recurrence property forms the start and
stop boundaries of the recurring action.
Required: No
Type: String
Update requires: No interruption (p. 118)
StartTime
The time in UTC for this schedule to start. For example, 2010-06-01T00:00:00Z.
Required: No
API Version 2010-05-15
648

AWS CloudFormation User Guide
AWS::AutoScaling::ScheduledAction

Type: Time stamp
Update requires: No interruption (p. 118)

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "MyScheduledAction" }

For a scheduled Auto Scaling action with the logical ID MyScheduledAction, Ref returns the scheduled
action name. For example:
mystack-myscheduledaction-NT5EUXTNTXXD
For more information about using the Ref function, see Ref (p. 2311).

Auto Scaling Scheduled Action Snippet
The following template snippet includes two scheduled actions that scale the number of instances in an
Auto Scaling group. The ScheduledActionUp action starts at 7 AM every day and sets the Auto Scaling
group to a minimum of ﬁve Amazon EC2 instances with a maximum of 10. The ScheduledActionDown
action starts at 7 PM every day and sets the Auto Scaling group to a minimum and maximum of one
Amazon EC2 instance.

JSON
"ScheduledActionUp": {
"Type": "AWS::AutoScaling::ScheduledAction",
"Properties": {
"AutoScalingGroupName": {
"Ref": "WebServerGroup"
},
"MaxSize": "10",
"MinSize": "5",
"Recurrence": "0 7 * * *"
}
},
"ScheduledActionDown": {
"Type": "AWS::AutoScaling::ScheduledAction",
"Properties": {
"AutoScalingGroupName": {
"Ref": "WebServerGroup"
},
"MaxSize": "1",
"MinSize": "1",
"Recurrence": "0 19 * * *"
}
}

YAML
ScheduledActionUp:
Type: AWS::AutoScaling::ScheduledAction
Properties:
AutoScalingGroupName:

API Version 2010-05-15
649

AWS CloudFormation User Guide
AWS::AutoScalingPlans::ScalingPlan
Ref: "WebServerGroup"
MaxSize: 10
MinSize: 5
Recurrence: "0 7 * * *"
ScheduledActionDown:
Type: AWS::AutoScaling::ScheduledAction
Properties:
AutoScalingGroupName:
Ref: "WebServerGroup"
MaxSize: 1
MinSize: 1
Recurrence: "0 19 * * *"

AWS::AutoScalingPlans::ScalingPlan
Creates a scaling plan for AWS Auto Scaling. For more information, see the AWS Auto Scaling User Guide.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::AutoScalingPlans::ScalingPlan",
"Properties" : {
"ApplicationSource" : ApplicationSource (p. 1649),
"ScalingInstructions" : [ ScalingInstruction (p. 1653), ... ]
}

YAML
Type: "AWS::AutoScalingPlans::ScalingPlan"
Properties:
ApplicationSource: ApplicationSource (p. 1649)
ScalingInstructions:
- ScalingInstruction (p. 1653)

Properties
ApplicationSource
A CloudFormation stack or a set of tags. You can create one scaling plan per application source.
Required: Yes
Type: AWS Auto Scaling ScalingPlan ApplicationSource (p. 1649)
Update requires: No interruption (p. 118)
ScalingInstructions
The scaling instructions.
Required: Yes
Type: List of AWS Auto Scaling ScalingPlan ScalingInstruction (p. 1653) property types
API Version 2010-05-15
650

AWS CloudFormation User Guide
AWS::Batch::ComputeEnvironment

Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::AutoScalingPlans::ScalingPlan resource to the intrinsic
Ref function, the function returns the Amazon Resource Name (ARN) of the scaling plan. The format of
the ARN is as follows:
arn:aws:autoscaling:region:123456789012:scalingPlan:scalingPlanName/planname:scalingPlanVersion/plan-version

For more information about using the Ref function, see Ref (p. 2311).

AWS::Batch::ComputeEnvironment
The AWS::Batch::ComputeEnvironment resource to deﬁne your AWS Batch compute environment.
For more information, see Compute Environments in the AWS Batch User Guide.
Topics
• Syntax (p. 651)
• Properties (p. 652)
• Return Values (p. 652)
• Examples (p. 653)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Batch::ComputeEnvironment",
"Properties" : {
"Type" : String,
"ServiceRole" : String,
"ComputeEnvironmentName" : String,
"ComputeResources" : ComputeResources (p. 1658),
"State" : String
}

YAML
Type: AWS::Batch::ComputeEnvironment
Properties:
Type: String
ServiceRole: String
ComputeEnvironmentName: String
ComputeResources:
ComputeResources (p. 1658)
State: String

API Version 2010-05-15
651

AWS CloudFormation User Guide
AWS::Batch::ComputeEnvironment

Properties
Type
The type of the compute environment.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ServiceRole
The service role associated with the compute environment that allows AWS Batch to make calls to
AWS API operations on your behalf.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ComputeEnvironmentName
The name of the compute environment.
Required: No
Type: String
Update requires: Replacement (p. 119)
ComputeResources
The compute resources deﬁned for the compute environment.
Required: Yes
Type: AWS Batch ComputeEnvironment ComputeResources (p. 1658)
Update requires: No interruption (p. 118)
State
The state of the compute environment. The valid values are ENABLED or DISABLED. An ENABLED
state indicates that you can register instances with the compute environment and that the
associated instances can accept jobs.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::Batch::ComputeEnvironment resource to the intrinsic
Ref function, the function returns the compute environment ARN, such as arn:aws:batch:useast-1:555555555555:compute-environment/M4OnDemand.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
652

AWS CloudFormation User Guide
AWS::Batch::ComputeEnvironment

Examples
Managed Compute Environment
The following example creates a managed compute environment called C4OnDemand that uses C4 OnDemand instances and a custom AMI.

JSON
{

}

"ComputeEnvironment": {
"Type": "AWS::Batch::ComputeEnvironment",
"Properties": {
"Type": "MANAGED",
"ServiceRole": "arn:aws:iam::111122223333:role/service-role/AWSBatchServiceRole",
"ComputeEnvironmentName": "C4OnDemand",
"ComputeResources": {
"MaxvCpus": 128,
"SecurityGroupIds": [
"sg-abcd1234"
],
"Type": "EC2",
"Subnets": [
"subnet-aaaaaaaa",
"subnet-bbbbbbbb",
"subnet-cccccccc"
],
"MinvCpus": 0,
"ImageId": "ami-a1b2c3d4",
"InstanceRole": "ecsInstanceRole",
"InstanceTypes": [
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge"
],
"Ec2KeyPair": "id_rsa",
"Tags": {"Name": "Batch Instance - C4OnDemand"},
"DesiredvCpus": 48
},
"State": "ENABLED"
}
}

YAML
ComputeEnvironment:
Type: AWS::Batch::ComputeEnvironment
Properties:
Type: MANAGED
ServiceRole: arn:aws:iam::111122223333:role/service-role/AWSBatchServiceRole
ComputeEnvironmentName: C4OnDemand
ComputeResources:
MaxvCpus: 128
SecurityGroupIds:
- sg-abcd1234
Type: EC2
Subnets:
- subnet-aaaaaaaa
- subnet-bbbbbbbb
- subnet-cccccccc

API Version 2010-05-15
653

AWS CloudFormation User Guide
AWS::Batch::ComputeEnvironment
MinvCpus: 0
ImageId: ami-a1b2c3d4
InstanceRole: ecsInstanceRole
InstanceTypes:
- c4.large
- c4.xlarge
- c4.2xlarge
- c4.4xlarge
- c4.8xlarge
Ec2KeyPair: id_rsa
Tags: {"Name": "Batch Instance - C4OnDemand"}
DesiredvCpus: 48
State: ENABLED

The following example creates a compute environment named my-first-compute-environment and
speciﬁes tags for the compute resources.

JSON
"MyComputeEnv": {
"Type": "AWS::Batch::ComputeEnvironment",
"Properties": {
"Type": "MANAGED",
"ServiceRole": "AWSBatchServiceRole",
"ComputeEnvironmentName": "my-first-compute-environment",
"ComputeResources": {
"MinvCpus": "4",
"MaxvCpus": "256",
"DesiredvCpus": "4",
"SecurityGroupIds": [
"sg-a1b2c3d4",
"sg-4d3c2ba1"
],
"Type": "EC2",
"Subnets": [
"subnet-12345678",
"subnet-87654321"
],
"InstanceRole": "batch-instance-profile",
"InstanceTypes": [
"optimal"
],
"Ec2KeyPair": {
"Ref": "MyKeyPair"
},
"Tags": {
"Owner": "A",
"Project": "B"
}
},
"State": "ENABLED"
}
}

YAML
MyComputeEnv:
Type: AWS::Batch::ComputeEnvironment
Properties:
Type: MANAGED
ServiceRole: AWSBatchServiceRole
ComputeEnvironmentName: my-first-compute-environment

API Version 2010-05-15
654

AWS CloudFormation User Guide
AWS::Batch::JobDeﬁnition
ComputeResources:
MinvCpus: 4
MaxvCpus: 256
DesiredvCpus: 4
SecurityGroupIds:
- sg-a1b2c3d4
- sg-4d3c2ba1
Type: EC2
Subnets:
- subnet-12345678
- subnet-87654321
InstanceRole: batch-instance-profile
InstanceTypes:
- optimal
Ec2KeyPair: !Ref MyKeyPair
Tags:
Owner: A
Project: B
State: ENABLED

AWS::Batch::JobDeﬁnition
The AWS::Batch::JobDefinition resource speciﬁes the parameters for an AWS Batch job deﬁnition.
For more information, see Job Deﬁnitions in the AWS Batch User Guide.
Topics
• Syntax (p. 655)
• Properties (p. 656)
• Return Values (p. 657)
• Examples (p. 657)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Batch::JobDefinition",
"Properties" : {
"Type" : String,
"Parameters" : Json object,
"ContainerProperties" : ContainerProperties (p. 1660),
"Timeout" : Timeout (p. 1666),
"JobDefinitionName" : String,
"RetryStrategy" : RetryStrategy (p. 1665)
}

YAML
Type: AWS::Batch::JobDefinition
Properties:
Type: String
Parameters: Json object
ContainerProperties:
ContainerProperties (p. 1660)
Timeout:

API Version 2010-05-15
655

AWS CloudFormation User Guide
AWS::Batch::JobDeﬁnition
Timeout (p. 1666)
JobDefinitionName: String
RetryStrategy:
RetryStrategy (p. 1665)

Properties
Type
The type of job deﬁnition.
Required: Yes
Type: String
Update requires: No Interruption
Parameters
Default parameters or parameter substitution placeholders that are set in the job deﬁnition.
Parameters are speciﬁed as a key-value pair mapping. For more information about specifying
parameters, see Job Deﬁnition Parameters in the AWS Batch User Guide.
Required: Yes
Type: JSON object
Update requires: No Interruption
JobDefinitionName
The name of the job deﬁnition.
Required: No
Type: String
Update requires: Replacement
ContainerProperties
An object with various properties speciﬁc to container-based jobs.
Required: Yes
Type: AWS Batch JobDeﬁnition ContainerProperties (p. 1660)
Update requires: No Interruption
Timeout
Speciﬁes a job timeout conﬁguration.
Required: No
Type: AWS Batch JobDeﬁnition Timeout (p. 1666)
Update requires: No Interruption
RetryStrategy
The retry strategy to use for failed jobs that are submitted with this job deﬁnition.
Required: No
Type: AWS Batch JobDeﬁnition RetryStrategy (p. 1665)
Update requires: No Interruption
API Version 2010-05-15
656

AWS CloudFormation User Guide
AWS::Batch::JobDeﬁnition

Return Values
Ref
When you pass the logical ID of an AWS::Batch::JobDefinition resource to the intrinsic
Ref function, the function returns the job deﬁnition ARN, such as arn:aws:batch:useast-1:111122223333:job-definition/test-gpu:2.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Test nvidia-smi
The following example tests the nvidia-smi command on a GPU instance to verify that the GPU is
working inside the container. For more information, see Test GPU Functionality in the AWS Batch User
Guide.

JSON
{

}

"JobDefinition": {
"Type": "AWS::Batch::JobDefinition",
"Properties": {
"Type": "container",
"JobDefinitionName": "nvidia-smi",
"ContainerProperties": {
"MountPoints": [
{
"ReadOnly": false,
"SourceVolume": "nvidia",
"ContainerPath": "/usr/local/nvidia"
}
],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest"
},
"Name": "nvidia"
}
],
"Command": [
"nvidia-smi"
],
"Memory": 2000,
"Privileged": true,
"JobRoleArn": "String",
"ReadonlyRootFilesystem": true,
"Vcpus": 2,
"Image": "nvidia/cuda"
}
}
}

YAML
JobDefinition:
Type: AWS::Batch::JobDefinition

API Version 2010-05-15
657

AWS CloudFormation User Guide
AWS::Batch::JobQueue
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Memory: 2000
Privileged: true
JobRoleArn: String
ReadonlyRootFilesystem: true
Vcpus: 2
Image: nvidia/cuda

AWS::Batch::JobQueue
The AWS::Batch::JobQueue resource deﬁnes your AWS Batch job queue. For more information, see
Job Queues in the AWS Batch User Guide.
Topics
• Syntax (p. 658)
• Properties (p. 659)
• Return Values (p. 659)
• Examples (p. 659)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Batch::JobQueue",
"Properties" : {
"ComputeEnvironmentOrder" : [ ComputeEnvironmentOrder (p. 1669), ... ],
"Priority" : Integer,
"State" : String,
"JobQueueName" : String
}

YAML
Type: AWS::Batch::JobQueue
Properties:
ComputeEnvironmentOrder:
- ComputeEnvironmentOrder (p. 1669)
Priority: Integer
State: String
JobQueueName: String

API Version 2010-05-15
658

AWS CloudFormation User Guide
AWS::Batch::JobQueue

Properties
ComputeEnvironmentOrder
The compute environments that are attached to the job queue and the order in which job placement
is preferred. Compute environments are selected for job placement in ascending order.
Required: yes
Type: List of AWS Batch JobQueue ComputeEnvironmentOrder (p. 1669)
Update requires: No Interruption
State
The status of the job queue (for example, CREATING or VALID).
Required: no
Type: String
Update requires: No Interruption
Priority
The priority of the job queue.
Required: yes
Type: Integer
Update requires: No Interruption
JobQueueName
The name of the job queue.
Required: no
Type: String
Update requires: Replacement

Return Values
Ref
When you pass the logical ID of an AWS::Batch::JobQueue resource to the intrinsic Ref function,
the function returns the job queue ARN, such as arn:aws:batch:us-east-1:111122223333:jobqueue/HighPriority.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Job queue with two compute environments
The following example deﬁnes a job queue called HighPriority that has two compute environments
mapped to it.
API Version 2010-05-15
659

AWS CloudFormation User Guide
AWS::Budgets::Budget

JSON
{

}

"JobQueue": {
"Type": "AWS::Batch::JobQueue",
"Properties": {
"ComputeEnvironmentOrder": [
{
"Order": 1,
"ComputeEnvironment": "C4OnDemand"
},
{
"Order": 2,
"ComputeEnvironment": "M4Spot"
}
],
"State": "ENABLED",
"Priority": 1,
"JobQueueName": "HighPriority"
}
}

YAML
JobQueue:
Type: AWS::Batch::JobQueue
Properties:
ComputeEnvironmentOrder:
- Order: 1
ComputeEnvironment: C4OnDemand
- Order: 2
ComputeEnvironment: M4Spot
State: ENABLED
Priority: 1
JobQueueName: HighPriority

AWS::Budgets::Budget
The AWS::Budgets::Budget resource creates, replaces, or deletes budgets for Billing and Cost
Management. For more information, see Managing Your Costs with Budgets in the AWS Billing and Cost
Management User Guide.
Topics
•
•
•
•

Syntax (p. 660)
Properties (p. 661)
Return Values (p. 661)
Examples (p. 661)

• See Also (p. 663)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
660

AWS CloudFormation User Guide
AWS::Budgets::Budget

}

"Type" : "AWS::Budgets::Budget",
"Properties" : {
"NotificationsWithSubscribers" : [ NotificationWithSubscribers (p. 1676), ... ],
"Budget" : BudgetData (p. 1670)
}

YAML
Type: "AWS::Budgets::Budget"
Properties:
NotificationsWithSubscribers:
- NotificationWithSubscribers (p. 1676)
Budget: BudgetData (p. 1670)

Properties
NotificationsWithSubscribers
The notiﬁcation that you want associated with the budget. A budget can have up to ﬁve
notiﬁcations, and each notiﬁcation can have one SNS subscriber and up to ten email subscribers.
Required: No
Type: List of Billing and Cost Management Budget NotiﬁcationWithSubscribers (p. 1676) property
types
Update requires: Replacement (p. 119)
Budget
The budget for tracking your service usage, costs, and RI utilization. Single accounts and master and
member accounts in an organization can, by default, create budgets.
Required: Yes
Type: Billing and Cost Management Budget BudgetData (p. 1670)
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::Budgets::Budget resource to the intrinsic Ref function, the
function returns the name of the budget created by the template.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Budget for 100 USD with two notiﬁcations
The following example creates a budget for 100 USD amount of costs, with notiﬁcations for
when you have spent over 80 USD or over 99 USD. The notiﬁcations are sent to the subscribers
email@example.com and email2@example.com.
API Version 2010-05-15
661

AWS CloudFormation User Guide
AWS::Budgets::Budget

JSON
{

"Description": "Basic Budget test",
"Resources": {
"Budget": {
"Type": "AWS::Budgets::Budget",
"Properties": {
"Budget": {
"BudgetLimit": {
"Amount": "100",
"Unit": "USD"
},
"TimeUnit": "MONTHLY",
"TimePeriod": {
"Start": "1225864800",
"End": "1926864800"
},
"BudgetType": "COST",
"CostFilters": {
"AZ": [
"us-east-1",
"us-west-1",
"us-east-2"
]
}
},
"NotificationsWithSubscribers": [
{
"Notification": {
"NotificationType": "ACTUAL",
"ComparisonOperator": "GREATER_THAN",
"Threshold": 99
},
"Subscribers": [
{
"SubscriptionType": "EMAIL",
"Address": "email@example.com"
},
{
"SubscriptionType": "EMAIL",
"Address": "email2@example.com"
}
]
},
{
"Notification": {
"NotificationType": "ACTUAL",
"ComparisonOperator": "GREATER_THAN",
"Threshold": 80
},
"Subscribers": [
{
"SubscriptionType": "EMAIL",
"Address": "email@example.com"
}
]
}
]
}
}
},
"Outputs": {
"BudgetId": {
"Value": "BudgetExample"

API Version 2010-05-15
662

AWS CloudFormation User Guide
AWS::CertiﬁcateManager::Certiﬁcate

}

}

}

YAML
--Description: "Basic Budget test"
Resources:
BudgetExample:
Type: "AWS::Budgets::Budget"
Properties:
Budget:
BudgetLimit:
Amount: 100
Unit: USD
TimeUnit: MONTHLY
TimePeriod:
Start: 1225864800
End: 1926864800
BudgetType: COST
CostFilters:
AZ:
- us-east-1
- us-west-1
- us-east-2
NotificationsWithSubscribers:
- Notification:
NotificationType: ACTUAL
ComparisonOperator: GREATER_THAN
Threshold: 99
Subscribers:
- SubscriptionType: EMAIL
Address: email@example.com
- SubscriptionType: EMAIL
Address: email2@example.com
- Notification:
NotificationType: ACTUAL
ComparisonOperator: GREATER_THAN
Threshold: 80
Subscribers:
- SubscriptionType: EMAIL
Address: email@example.com
Outputs:
BudgetId:
Value: !Ref BudgetExample

See Also
• CreateBudget in the AWS Billing and Cost Management API Reference.

AWS::CertiﬁcateManager::Certiﬁcate
The AWS::CertificateManager::Certificate resource requests an AWS Certiﬁcate Manager
(ACM) certiﬁcate that you can use with AWS services to enable secure connections. For example, you can
deploy an ACM certiﬁcate to an Elastic Load Balancing load balancer to enable HTTPS support. For more
information, see the RequestCertificate action in the AWS Certiﬁcate Manager API Reference.

Important

When you use the AWS::CertificateManager::Certificate resource in an AWS
CloudFormation stack, the stack will remain in the CREATE_IN_PROGRESS state and any further
API Version 2010-05-15
663

AWS CloudFormation User Guide
AWS::CertiﬁcateManager::Certiﬁcate

stack operations will be delayed until you act upon the instructions in the certiﬁcate validation
email.
Topics
• Syntax (p. 664)
• Properties (p. 664)
• Return Value (p. 665)
• Example (p. 666)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CertificateManager::Certificate",
"Properties" : {
"DomainName" : String,
"DomainValidationOptions" : [ DomainValidationOptions (p. 1681), ... ],
"SubjectAlternativeNames" : [ String, ... ],
"Tags" : [ Resource Tag, ... ],
"ValidationMethod" : String
}

YAML
Type: AWS::CertificateManager::Certificate
Properties:
DomainName: String
DomainValidationOptions:
- DomainValidationOptions (p. 1681)
SubjectAlternativeNames:
- String
Tags:
- Resource Tag
ValidationMethod: String

Properties
DomainName
Fully qualiﬁed domain name (FQDN), such as www.example.com, of the site that you want to secure
with the ACM certiﬁcate. To protect several sites in the same domain, use an asterisk (*) to specify
a wildcard. For example, *.example.com protects www.example.com, site.example.com, and
images.example.com.
For constraints, see the DomainName parameter for the RequestCertiﬁcate action in the AWS
Certiﬁcate Manager API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
664

AWS CloudFormation User Guide
AWS::CertiﬁcateManager::Certiﬁcate

DomainValidationOptions
Domain information that domain name registrars use to verify your identity. For more information
and the default values, see Conﬁgure Email for Your Domain and Validate Domain Ownership in the
AWS Certiﬁcate Manager User Guide.
Required: No
Type: List of AWS Certiﬁcate Manager Certiﬁcate DomainValidationOption (p. 1681)
Update requires: Replacement (p. 119)
SubjectAlternativeNames
FQDNs to be included in the Subject Alternative Name extension of the ACM certiﬁcate. For example,
you can add www.example.net to a certiﬁcate for the www.example.com domain name so that
users can reach your site by using either name.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
Tags
An arbitrary set of tags (key–value pairs) for this ACM certiﬁcate.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).
ValidationMethod
The method you want to use if you are requesting a public certiﬁcate to validate that you own or
control a domain. Valid values include EMAIL or DNS. We recommend that you use DNS validation.
The default is EMAIL.
ACM uses CNAME (Canonical Name) records to validate that you own or control a domain. When
you choose DNS validation, ACM provides you one or more CNAME records to insert into your DNS
database. During stack creation, CloudFormation emits a CREATE_IN_PROGRESS event which lists
these CNAME records. They are displayed in the Status reason column on the Events page for the
stack. In order for CloudFormation to complete stack creation, you must add the CNAME records to
your DNS database. For more information, see Use DNS to Validate Domain Ownership in the AWS
Certiﬁcate Manager User Guide.
For more information on email validation, see Use Email to Validate Domain Ownership in the AWS
Certiﬁcate Manager User Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref
returns the certiﬁcate Amazon Resource Name (ARN), such as arn:aws:acm:useast-1:123456789012:certificate/12ab3c4d-56789-0ef1-2345-3dab6fa3ee50.
API Version 2010-05-15
665

AWS CloudFormation User Guide
AWS::Cloud9::EnvironmentEC2

For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates an ACM certiﬁcate for the example.com domain name. ACM sends
validation emails to the email address that is registered to the example.com domain.

JSON
"mycert" : {
"Type" : "AWS::CertificateManager::Certificate",
"Properties" : {
"DomainName" : "example.com",
"DomainValidationOptions" : [{
"DomainName" : "example.com",
"ValidationDomain" : "example.com"
}]
}
}

YAML
mycert:
Type: AWS::CertificateManager::Certificate
Properties:
DomainName: example.com
DomainValidationOptions:
- DomainName: example.com
ValidationDomain: example.com

AWS::Cloud9::EnvironmentEC2
The AWS::Cloud9::EnvironmentEC2 resource creates an Amazon EC2 development environment in
AWS Cloud9. For more information, see Creating an Environment in the AWS Cloud9 User Guide.
Topics
• Syntax (p. 666)
• Properties (p. 667)
• Return Values (p. 668)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::Cloud9::EnvironmentEC2",
"Properties" : {
"Repositories" : [ Repository (p. 1680), ... ],
"OwnerArn" : String,
"Description" : String,
"AutomaticStopTimeMinutes" : Integer,
"InstanceType" : String,
"Name" : String,
"SubnetId" : String

API Version 2010-05-15
666

AWS CloudFormation User Guide
AWS::Cloud9::EnvironmentEC2

}

}

YAML
Type: AWS::Cloud9::EnvironmentEC2
Properties:
Repositories:
- Repository (p. 1680)
OwnerArn: String
Description: String
AutomaticStopTimeMinutes: Integer
InstanceType: String
Name: String
SubnetId: String

Properties
Repositories
Any AWS CodeCommit source code repositories to be cloned into the development environment.
Required: No
Type: List of AWS Cloud9 EnvironmentEC2 Repository (p. 1680)
Update requires: No interruption (p. 118)
OwnerArn
The Amazon Resource Name (ARN) of the environment owner. If this value is not speciﬁed, the ARN
defaults to this environment's creator.
Required: No
Type: String
Update requires: Replacement (p. 119)
Description
The description of the environment to create.
Required: No
Type: String
Update requires: Replacement (p. 119)
AutomaticStopTimeMinutes
The number of minutes until the running instance is shut down after the environment has last been
used.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
InstanceType
The type of instance to host the environment on (for example, t2.micro).
Required: Yes
API Version 2010-05-15
667

AWS CloudFormation User Guide
AWS::CloudFormation::Authentication

Type: String
Update requires: Replacement (p. 119)
Name
The name of the environment to create.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SubnetId
The ID of the subnet in Amazon Virtual Private Cloud (Amazon VPC) to use.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::Cloud9::EnvironmentEC2 resource to the
intrinsic Ref function, the function returns the ID of the development environment, such as
2bc3642873c342e485f7e0c561234567.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon Resource Name (ARN) of the development environment, such as
arn:aws:cloud9:useast-2:123456789012:environment:2bc3642873c342e485f7e0c561234567.
Name
The name of the development environment, such as my-demo-environment.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

AWS::CloudFormation::Authentication
Use the AWS::CloudFormation::Authentication resource to specify authentication credentials for
ﬁles or sources that you specify with the AWS::CloudFormation::Init (p. 677) resource.
To include authentication information for a ﬁle or source that you specify with
AWS::CloudFormation::Init, use the uris property if the source is a URI or the buckets property
if the source is an Amazon S3 bucket. For more information about ﬁles, see Files (p. 683). For more
information about sources, see Sources (p. 689).
API Version 2010-05-15
668

AWS CloudFormation User Guide
AWS::CloudFormation::Authentication

You can also specify authentication information for ﬁles directly in the AWS::CloudFormation::Init
resource. The ﬁles key of the resource contains a property named authentication. You can
use the authentication property to associate authentication information deﬁned in an
AWS::CloudFormation::Authentication resource directly with a ﬁle.
For ﬁles, AWS CloudFormation looks for authentication information in the following order:
1. The authentication property of the AWS::CloudFormation::Init files key.
2. The uris or buckets property of the AWS::CloudFormation::Authentication resource.
For sources, AWS CloudFormation looks for authentication information in the uris or buckets property
of the AWS::CloudFormation::Authentication resource.
Topics
• Syntax (p. 669)
• Properties (p. 670)
• Examples (p. 671)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
You should be aware of the following considerations when using the
AWS::CloudFormation::Authentication type:
• Unlike most AWS CloudFormation resources, the AWS::CloudFormation::Authentication type
does not contain a block called "Properties", but instead contains a list of user-named blocks, each
containing its own authentication properties.
Not all properties pertain to each authentication type; see the type (p. 670) property for more
details.
• Unlike most AWS CloudFormation resources, property names use lower camel case.

JSON
{

}

"Type" : "AWS::CloudFormation::Authentication" {
"String" : {
"accessKeyId (p. 670)" : String,
"buckets (p. 670)" : [ String, ... ],
"password (p. 670)" : String,
"secretKey (p. 670)" : String,
"type (p. 670)" : String,
"uris (p. 670)" : [ String, ... ],
"username (p. 671)" : String,
"roleName (p. 671)" : String
}
}

YAML
Type: AWS::CloudFormation::Authentication
String:
accessKeyId (p. 670): String

API Version 2010-05-15
669

AWS CloudFormation User Guide
AWS::CloudFormation::Authentication
buckets (p. 670):
- String
password (p. 670): String
secretKey (p. 670): String
type (p. 670): String
uris (p. 670):
- String
username (p. 671): String
roleName (p. 671): String

Properties
accessKeyId
Speciﬁes the access key ID for S3 authentication.
Required: Conditional. Can be speciﬁed only if the type property is set to "S3".
Type: String
buckets
A comma-delimited list of Amazon S3 buckets to be associated with the S3 authentication
credentials.
Required: Conditional. Can be speciﬁed only if the type property is set to "S3".
Type: List of String values
password
Speciﬁes the password for basic authentication.
Required: Conditional. Can be speciﬁed only if the type property is set to "basic".
Type: String
secretKey
Speciﬁes the secret key for S3 authentication.
Required: Conditional. Can be speciﬁed only if the type property is set to "S3".
Type: String
type
Speciﬁes whether the authentication scheme uses a user name and password ("basic") or an access
key ID and secret key ("S3").
If you specify "basic", specify the username, password, and uris properties.
If you specify "S3", specify the accessKeyId, secretKey, and buckets (optional) properties.
Required: Yes
Type: String Valid values are "basic" or "S3"
uris
A comma-delimited list of URIs to be associated with the basic authentication credentials. The
authorization applies to the speciﬁed URIs and any more speciﬁc URI. For example, if you specify
http://www.example.com, the authorization will also apply to http://www.example.com/
test.
Required: Conditional. Can be speciﬁed only if the type property is set to "basic".
API Version 2010-05-15
670

AWS CloudFormation User Guide
AWS::CloudFormation::Authentication

Type: List of String values
username
Speciﬁes the user name for basic authentication.
Required: Conditional. Can be speciﬁed only if the type property is set to "basic".
Type: String
roleName
Describes the role for role-based authentication.

Important

This role must be contained within the instance proﬁle that is attached to the EC2 instance.
An instance proﬁle can only contain one IAM role.
Required: Conditional. Can be speciﬁed only if the type property is set to "S3".
Type: String.

Examples
Note

Unlike most resources, the AWS::CloudFormation::Authentication type deﬁnes a list of
user-named blocks, each of which contains authentication properties that use lower camel case
naming.

EC2 Web Server Authentication
This template snippet shows how to get a ﬁle from a private S3 bucket within an EC2 instance. The
credentials used for authentication are deﬁned in the AWS::CloudFormation::Authentication
resource, and referenced by the AWS::CloudFormation::Init resource in the ﬁles section.

JSON
"WebServer": {
"Type": "AWS::EC2::Instance",
"DependsOn" : "BucketPolicy",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"config" : {
"packages" : { "yum" : { "httpd" : [] } },
"files" : {
"/var/www/html/index.html" : {
"source" : {
"Fn::Join" : [
"", [ "http://s3.amazonaws.com/", { "Ref" : "BucketName" }, "/
index.html" ]
]
},
"mode"
: "000400",
"owner" : "apache",
"group" : "apache",
"authentication" : "S3AccessCreds"
}
},
"services" : {
"sysvinit" : {
"httpd" : { "enabled" : "true", "ensureRunning" : "true" }
}
}

API Version 2010-05-15
671

AWS CloudFormation User Guide
AWS::CloudFormation::Authentication
}
},
"AWS::CloudFormation::Authentication" : {
"S3AccessCreds" : {
"type" : "S3",
"accessKeyId" : { "Ref" : "CfnKeys" },
"secretKey" : { "Fn::GetAtt": [ "CfnKeys", "SecretAccessKey" ] }
}
}

}

},
"Properties": {
EC2 Resource Properties ...
}

YAML
WebServer:
Type: AWS::EC2::Instance
DependsOn: "BucketPolicy"
Metadata:
AWS::CloudFormation::Init:
config:
packages:
yum:
httpd: []
files:
/var/www/html/index.html:
source:
Fn::Join:
- ""
- "http://s3.amazonaws.com/"
- Ref: "BucketName"
- "/index.html"
mode: "000400"
owner: "apache"
group: "apache"
authentication: "S3AccessCreds"
services:
sysvinit:
httpd:
enabled: "true"
ensureRunning: "true"
AWS::CloudFormation::Authentication:
S3AccessCreds:
type: "S3"
accessKeyId:
Ref: "CfnKeys"
secretKey:
Fn::GetAtt:
- "CfnKeys"
- "SecretAccessKey"
Properties:
EC2 Resource Properties ...

Specifying Both Basic and S3 Authentication
The following example template snippet includes both basic and S3 authentication types.

JSON

API Version 2010-05-15
672

AWS CloudFormation User Guide
AWS::CloudFormation::Authentication
"AWS::CloudFormation::Authentication" : {
"testBasic" : {
"type" : "basic",
"username" : { "Ref" : "UserName" },
"password" : { "Ref" : "Password" },
"uris" : [ "http://www.example.com/test" ]
},
"testS3" : {
"type" : "S3",
"accessKeyId" : { "Ref" : "AccessKeyID" },
"secretKey" : { "Ref" : "SecretAccessKeyID" },
"buckets" : [ "myawsbucket" ]
}
}

YAML
AWS::CloudFormation::Authentication:
testBasic:
type: "basic"
username:
Ref: "UserName"
password:
Ref: "Password"
uris:
- "http://www.example.com/test"
testS3:
type: "S3"
accessKeyId:
Ref: "AccessKeyID"
secretKey:
Ref: "SecretAccessKeyID"
buckets:
- "myawsbucket"

IAM Roles
The following example shows how to use IAM roles:
• myRole is an AWS::IAM::Role (p. 1197) resource.
• The Amazon EC2 instance that runs cfn-init is associated with myRole through an instance proﬁle.
• The example speciﬁes the authentication by using the buckets property, like in Amazon S3
authentication. You can also specify authentication by name.

JSON
"AWS::CloudFormation::Authentication": {
"rolebased" : {
"type": "S3",
"buckets": [ "myBucket" ],
"roleName": { "Ref": "myRole" }
}
}

YAML
AWS::CloudFormation::Authentication:
rolebased:
type: "S3"
buckets:

API Version 2010-05-15
673

AWS CloudFormation User Guide
AWS::CloudFormation::CustomResource
- "myBucket"
roleName:
Ref: "myRole"

AWS::CloudFormation::CustomResource
In an AWS CloudFormation template, you use the AWS::CloudFormation::CustomResource or
Custom::String (p. 674) resource type to specify custom resources.
Custom resources provide a way for you to write custom provisioning logic in AWS CloudFormation
template and have AWS CloudFormation run it during a stack operation, such as when you create, update
or delete a stack. For more information, see Custom Resources (p. 432).

Note

If you use the VPC endpoint feature, custom resources in the VPC must have access to AWS
CloudFormation-speciﬁc Amazon Simple Storage Service (Amazon S3) buckets. Custom
resources must send responses to a pre-signed Amazon S3 URL. If they can't send responses to
Amazon S3, AWS CloudFormation won't receive a response and the stack operation fails. For
more information, see AWS CloudFormation and VPC Endpoints (p. 24).
Topics
• Syntax (p. 674)
• Properties (p. 675)
• Return Values (p. 675)
• Examples (p. 675)
• Replacing a Custom Resource During an Update (p. 677)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "Custom::String",
"Version" : "1.0",
"Properties" : {
"ServiceToken" : String,
... provider-defined properties ...
}

YAML
Type: "Custom::String"
Version: "1.0"
Properties:
ServiceToken: String
... provider-defined properties ...

Custom::String
For custom resources, you can specify AWS::CloudFormation::CustomResource as the
resource type, or you can specify your own resource type name. For example, instead of using
AWS::CloudFormation::CustomResource, you can use Custom::MyCustomResourceTypeName.
API Version 2010-05-15
674

AWS CloudFormation User Guide
AWS::CloudFormation::CustomResource

Custom resource type names can include alphanumeric characters and the following characters: _@-. You
can specify a custom resource type name up to a maximum length of 60 characters. You cannot change
the type during an update.
Using your own resource type names helps you quickly diﬀerentiate the types of custom resources
in your stack. For example, if you had two custom resources that conduct two diﬀerent ping tests,
you could name their type as Custom::PingTester to make them easily identiﬁable as ping testers
(instead of using AWS::CloudFormation::CustomResource).

Properties
Note

Only one property is deﬁned by AWS for a custom resource: ServiceToken. All other
properties are deﬁned by the service provider.
ServiceToken
The service token that was given to the template developer by the service provider to access the
service, such as an Amazon SNS topic ARN or Lambda function ARN. The service token must be from
the same region in which you are creating the stack.
Required: Yes
Type: String
Update requires: Updates are not supported.

Return Values
For a custom resource, return values are deﬁned by the custom resource provider, and are retrieved by
calling Fn::GetAtt (p. 2285) on the provider-deﬁned attributes.

Examples
Creating a custom resource deﬁnition in a template
The following example demonstrates how to create a custom resource deﬁnition in a template.
All properties other than ServiceToken, and all Fn::GetAtt resource attributes, are deﬁned by the
custom resource provider.

JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"MyFrontEndTest" : {
"Type": "Custom::PingTester",
"Version" : "1.0",
"Properties" : {
"ServiceToken": "arn:aws:sns:us-east-1:84969EXAMPLE:CRTest",
"key1" : "string",
"key2" : [ "list" ],
"key3" : { "key4" : "map" }
}
}
},
"Outputs" : {

API Version 2010-05-15
675

AWS CloudFormation User Guide
AWS::CloudFormation::CustomResource

}

}

"CustomResourceAttribute1" : {
"Value" : { "Fn::GetAtt" : ["MyFrontEndTest", "responseKey1"] }
},
"CustomResourceAttribute2" : {
"Value" : { "Fn::GetAtt" : ["MyFrontEndTest", "responseKey2"] }
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
MyFrontEndTest:
Type: "Custom::PingTester"
Version: "1.0"
Properties:
ServiceToken: "arn:aws:sns:us-east-1:84969EXAMPLE:CRTest"
key1: string
key2:
- list
key3:
key4: map
Outputs:
CustomResourceAttribute1:
Value:
Fn::GetAtt:
- MyFrontEndTest
- responseKey1
CustomResourceAttribute2:
Value:
Fn::GetAtt:
- MyFrontEndTest
- responseKey2

Using an AWS Lambda function in a custom resource
With Lambda functions and custom resources, you can run custom code in response to stack events
(create, update, and delete). The following custom resource invokes a Lambda function and sends it the
StackName property as input. The function uses this property to get outputs from the appropriate stack.

JSON
"MyCustomResource" : {
"Type" : "Custom::TestLambdaCrossStackRef",
"Properties" : {
"ServiceToken": { "Fn::Join": [ "", [ "arn:aws:lambda:", { "Ref": "AWS::Region" }, ":",
{ "Ref": "AWS::AccountId" }, ":function:", {"Ref" : "LambdaFunctionName"} ] ] },
"StackName": {
"Ref": "NetworkStackName"
}
}
}

YAML
MyCustomResource:
Type: "Custom::TestLambdaCrossStackRef"
Properties:
ServiceToken:
!Sub |

API Version 2010-05-15
676

AWS CloudFormation User Guide
AWS::CloudFormation::Init
arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaFunctionName}
StackName:
Ref: "NetworkStackName"

Replacing a Custom Resource During an Update
You can update custom resources that require a replacement of the underlying physical resource. When
you update a custom resource in an AWS CloudFormation template, AWS CloudFormation sends an
update request to that custom resource. If the custom resource requires a replacement, the new custom
resource must send a response with the new physical ID. When AWS CloudFormation receives the
response, it compares the PhysicalResourceId between the old and new custom resources. If they
are diﬀerent, AWS CloudFormation recognizes the update as a replacement and sends a delete request to
the old resource. For a step-by-step walkthrough of this process, see Stack Updates (p. 436).
Note the following:
• You can monitor the progress of the update in the Events tab. For more information, see Viewing
Stack Data and Resources (p. 99).
• For more information about resource behavior during updates, see AWS CloudFormation Stacks
Updates (p. 118).

AWS::CloudFormation::Init
Use the AWS::CloudFormation::Init type to include metadata on an Amazon EC2 instance for the cfn-init
helper script. If your template calls the cfn-init script, the script looks for resource metadata rooted in
the AWS::CloudFormation::Init metadata key. For more information about cfn-init, see cfn-init (p. 2328).
cfn-init supports all metadata types for Linux systems. It supports metadata types for Windows with
conditions that are described in the sections that follow.
For an example of using AWS::CloudFormation::Init and the cfn-init helper script, see Deploying
Applications on Amazon EC2 with AWS CloudFormation (p. 260).
For an example that shows how to use cfn-init to create a Windows stack, see Bootstrapping AWS
CloudFormation Windows Stacks (p. 157).

Syntax
The conﬁguration is separated into sections. The following template snippet shows how you can attach
metadata for cfn-init to an Amazon EC2 instance resource within the template.
The metadata is organized into conﬁg keys, which you can group into conﬁgsets. You can specify a
conﬁgset when you call cfn-init in your template. If you don't specify a conﬁgset, cfn-init looks for a
single conﬁg key named conﬁg.

Note

The cfn-init helper script processes these conﬁguration sections in the following order:
packages, groups, users, sources, ﬁles, commands, and then services. If you require a diﬀerent
order, separate your sections into diﬀerent conﬁg keys, and then use a conﬁgset that speciﬁes
the order in which the conﬁg keys should be processed.

JSON
"Resources": {
"MyInstance": {

API Version 2010-05-15
677

AWS CloudFormation User Guide
AWS::CloudFormation::Init

}

}

"Type": "AWS::EC2::Instance",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"config" : {
"packages" : {
:
},
"groups" : {
:
},
"users" : {
:
},
"sources" : {
:
},
"files" : {
:
},
"commands" : {
:
},
"services" : {
:
}
}
}
},
"Properties": {
:
}

YAML
Resources:
MyInstance:
Type: AWS::EC2::Instance
Metadata:
AWS::CloudFormation::Init:
config:
packages:
:
groups:
:
users:
:
sources:
:
files:
:
commands:
:
services:
:
Properties:
:

Conﬁgsets
If you want to create more than one conﬁg key and to have cfn-init process them in a speciﬁc order,
create a conﬁgset that contains the conﬁg keys in the desired order.
API Version 2010-05-15
678

AWS CloudFormation User Guide
AWS::CloudFormation::Init

Single Conﬁgset
The following template snippet creates conﬁgsets named ascending and descending that each
contain two conﬁg keys.

JSON
"AWS::CloudFormation::Init" : {
"configSets" : {
"ascending" : [ "config1" , "config2" ],
"descending" : [ "config2" , "config1" ]
},
"config1" : {
"commands" : {
"test" : {
"command" : "echo \"$CFNTEST\" > test.txt",
"env" : { "CFNTEST" : "I come from config1." },
"cwd" : "~"
}
}
},
"config2" : {
"commands" : {
"test" : {
"command" : "echo \"$CFNTEST\" > test.txt",
"env" : { "CFNTEST" : "I come from config2" },
"cwd" : "~"
}
}
}
}

YAML
AWS::CloudFormation::Init:
configSets:
ascending:
- "config1"
- "config2"
descending:
- "config2"
- "config1"
config1:
commands:
test:
command: "echo \"$CFNTEST\" > test.txt"
env:
CFNTEST: "I come from config1."
cwd: "~"
config2:
commands:
test:
command: "echo \"$CFNTEST\" > test.txt"
env:
CFNTEST: "I come from config2"
cwd: "~"

Related cfn-init Calls
The following example calls to cfn-init refer to the preceding example conﬁgsets. The example calls are
abbreviated for clarity, see cfn-init (p. 2328) for the complete syntax.
API Version 2010-05-15
679

AWS CloudFormation User Guide
AWS::CloudFormation::Init

• If a call to cfn-init speciﬁes the ascending conﬁgset:
cfn-init -c ascending

the script processes config1 and then processes config2 and the test.txt ﬁle would contain the text
I come from config2.
• If a call to cfn-init speciﬁes the descending conﬁgset:
cfn-init -c descending

the script processes config2 and then processes config1 and the test.txt ﬁle would contain the text
I come from config1.

Multiple Conﬁgsets
You can create multiple conﬁgsets, and call a series of them using your cfn-init script. Each conﬁgset
can contain a list of conﬁg keys or references to other conﬁgsets. For example, the following template
snippet creates three conﬁgsets. The ﬁrst conﬁgset, test1, contains one conﬁg key named 1. The second
conﬁgset, test2, contains a reference to the test1 conﬁgset and one conﬁg key named 2. The third
conﬁgset, default, contains a reference to the conﬁgset test2.

JSON
"AWS::CloudFormation::Init" : {
"configSets" : {
"test1" : [ "1" ],
"test2" : [ { "ConfigSet" : "test1" }, "2" ],
"default" : [ { "ConfigSet" : "test2" } ]
},
"1" : {
"commands" : {
"test" : {
"command" : "echo \"$MAGIC\" > test.txt",
"env" : { "MAGIC" : "I come from the environment!" },
"cwd" : "~"
}
}
},
"2" : {
"commands" : {
"test" : {
"command" : "echo \"$MAGIC\" >> test.txt",
"env" : { "MAGIC" : "I am test 2!" },
"cwd" : "~"
}
}
}
}

YAML
AWS::CloudFormation::Init:
1:
commands:
test:
command: "echo \"$MAGIC\" > test.txt"
env:
MAGIC: "I come from the environment!"

API Version 2010-05-15
680

AWS CloudFormation User Guide
AWS::CloudFormation::Init

2:

cwd: "~"

commands:
test:
command: "echo \"$MAGIC\" >> test.txt"
env:
MAGIC: "I am test 2!"
cwd: "~"
configSets:
test1:
- "1"
test2:
ConfigSet: "test1"
- "2"
default:
ConfigSet: "test2"

Related cfn-init Calls
The following calls to cfn-init refer to the conﬁgSets declared in the preceding template snippet. The
example calls are abbreviated for clarity, see cfn-init (p. 2328) for the complete syntax.
• If you specify test1 only:
cfn-init -c test1

cfn-init processes conﬁg key 1 only.
• If you specify test2 only:
cfn-init -c test2

cfn-init processes conﬁg key 1 and then processes conﬁg key 2.
• If you specify the default conﬁgset (or no conﬁgsets at all):
cfn-init -c default

you get the same behavior that you would if you specify conﬁgset test2.

Commands
You can use the commands key to execute commands on the EC2 instance. The commands are processed
in alphabetical order by name.
Key

Description

command

Required. Either an array or a string specifying the command to run. If
you use an array, you do not need to escape space characters or enclose
command parameters in quotes. Don't use the array to specify multiple
commands.

env

Optional. Sets environment variables for the command. This property
overwrites, rather than appends, the existing environment.

cwd

Optional. The working directory

API Version 2010-05-15
681

AWS CloudFormation User Guide
AWS::CloudFormation::Init

Key

Description

test

Optional. A test command that determines whether cfn-init runs commands
that are speciﬁed in the command key. If the test passes, cfn-init runs the
commands. The cfn-init script runs the test in a command interpreter, such
as Bash or cmd.exe. Whether a test passes depends on the exit code that
the interpreter returns.
For Linux, the test command must return an exit code of 0 for the test to
pass. For Windows, the test command must return an %ERRORLEVEL% of 0.

ignoreErrors

Optional. A Boolean value that determines whether cfn-init continues to
run if the command in contained in the command key fails (returns a nonzero value). Set to true if you want cfn-init to continue running even if
the command fails. Set to false if you want cfn-init to stop running if the
command fails. The default value is false.

waitAfterCompletion

Optional. For Windows systems only. Speciﬁes how long to wait (in seconds)
after a command has ﬁnished in case the command causes a reboot. The
default value is 60 seconds and a value of "forever" directs cfn-init to exit
and resume only after the reboot is complete. Set this value to 0 if you do
not want to wait for every command.

Example
The following example snippet calls the echo command if the ~/test.txt ﬁle doesn't exist.

JSON
"commands" : {
"test" : {
"command" : "echo \"$MAGIC\" > test.txt",
"env" : { "MAGIC" : "I come from the environment!" },
"cwd" : "~",
"test" : "test ! -e ~/test.txt",
"ignoreErrors" : "false"
},
"test2" : {
"command" : "echo \"$MAGIC2\" > test2.txt",
"env" : { "MAGIC2" : "I come from the environment!" },
"cwd" : "~",
"test" : "test ! -e ~/test2.txt",
"ignoreErrors" : "false"
}
}

YAML
commands:
test:
command: "echo \"$MAGIC\" > test.txt"
env:
MAGIC: "I come from the environment!"
cwd: "~"
test: "test ! -e ~/test.txt"
ignoreErrors: "false"
test2:
command: "echo \"$MAGIC2\" > test2.txt"
env:

API Version 2010-05-15
682

AWS CloudFormation User Guide
AWS::CloudFormation::Init
MAGIC2: "I come from the environment!"
cwd: "~"
test: "test ! -e ~/test2.txt"
ignoreErrors: "false"

Files
You can use the files key to create ﬁles on the EC2 instance. The content can be either inline in the
template or the content can be pulled from a URL. The ﬁles are written to disk in lexicographic order. The
following table lists the supported keys.

Key

Description

content

Either a string or a properly formatted JSON object. If you use a JSON object
as your content, the JSON will be written to a ﬁle on disk. Any intrinsic
functions such as Fn::GetAtt or Ref are evaluated before the JSON object is
written to disk. When you create a symlink, specify the symlink target as the
content.

Note

If you create a symlink, the helper script modiﬁes the permissions
of the target ﬁle. Currently, you can't create a symlink without
modifying the permissions of the target ﬁle.
source

A URL to load the ﬁle from. This option cannot be speciﬁed with the content
key.

encoding

The encoding format. Only used if the content is a string. Encoding is not
applied if you are using a source.
Valid values: plain | base64

group

The name of the owning group for this ﬁle. Not supported for Windows
systems.

owner

The name of the owning user for this ﬁle. Not supported for Windows
systems.

mode

A six-digit octal value representing the mode for this ﬁle. Not supported for
Windows systems. Use the ﬁrst three digits for symlinks and the last three
digits for setting permissions. To create a symlink, specify 120xxx, where
xxx deﬁnes the permissions of the target ﬁle. To specify permissions for a
ﬁle, use the last three digits, such as 000644.

authentication

The name of an authentication method to use. This overrides any default
authentication. You can use this property to select an authentication
method you deﬁne with the AWS::CloudFormation::Authentication (p. 668)
resource.

context

Speciﬁes a context for ﬁles that are to be processed as Mustache templates.
To use this key, you must have installed aws-cfn-bootstrap 1.3-11 or later as
well as pystache.

Examples
The following example snippet creates a ﬁle named setup.mysql as part of a larger installation.
API Version 2010-05-15
683

AWS CloudFormation User Guide
AWS::CloudFormation::Init

Example JSON
"files" : {
"/tmp/setup.mysql" : {
"content" : { "Fn::Join" : ["", [
"CREATE DATABASE ", { "Ref" : "DBName" }, ";\n",
"CREATE USER '", { "Ref" : "DBUsername" }, "'@'localhost' IDENTIFIED BY '",
{ "Ref" : "DBPassword" }, "';\n",
"GRANT ALL ON ", { "Ref" : "DBName" }, ".* TO '", { "Ref" : "DBUsername" },
"'@'localhost';\n",
"FLUSH PRIVILEGES;\n"
]]},
"mode" : "000644",
"owner" : "root",
"group" : "root"
}
}

Example YAML
files:
/tmp/setup.mysql:
content: !Sub |
CREATE DATABASE ${DBName};
CREATE USER '${DBUsername}'@'localhost' IDENTIFIED BY '${DBPassword}';
GRANT ALL ON ${DBName}.* TO '${DBUsername}'@'localhost';
FLUSH PRIVILEGES;
mode: "000644"
owner: "root"
group: "root"

The full template is available at: https://s3.amazonaws.com/cloudformation-templates-us-east-1/
Drupal_Single_Instance.template
The following example snippet creates a symlink /tmp/myfile2.txt that points at an existing ﬁle
/tmp/myfile1.txt. The permissions of the target ﬁle /tmp/myfile1.txt is deﬁned by the mode
value 644.

Example JSON
"files" : {
"/tmp/myfile2.txt" : {
"content" : "/tmp/myfile1.txt",
"mode" : "120644"
}
}

Example YAML
files:
/tmp/myfile2.txt:
content: "/tmp/myfile1.txt"
mode: "120644"

Mustache templates are used primarily to create conﬁguration ﬁles. For example, you can store a
conﬁguration ﬁle in an S3 bucket and interpolate Refs and GetAtts from the template, instead of using
Fn::Join (p. 2302). The following example snippet outputs "Content for test9" to /tmp/test9.txt.
API Version 2010-05-15
684

AWS CloudFormation User Guide
AWS::CloudFormation::Init

Example JSON
"files" : {
"/tmp/test9.txt" : {
"content" : "Content for {{name}}",
"context" : { "name" : "test9" }
}
}

Example YAML
files:
/tmp/test9.txt:
content: "Content for {{name}}"
context:
name: "test9"

When working with Mustache templates, note the following:
• The context key must be present for the ﬁles to be processed.
• The context key must be a key-value map, but it can be nested.
• You can process ﬁles with inline content by using the content key and remote ﬁles by using the source
key.
• Mustache support depends on the pystache version. Version 0.5.2 supports the Mustache 1.1.2
speciﬁcation.

Groups
You can use the groups key to create Linux/UNIX groups and to assign group IDs. The groups key is not
supported for Windows systems.
To create a group, add a new key-value pair that maps a new group name to an optional group ID. The
groups key can contain one or more group names. The following table lists the available keys.
Key

Description

gid

A group ID number.
If a group ID is speciﬁed, and the group already exists by name, the group
creation will fail. If another group has the speciﬁed group ID, the OS may
reject the group creation.
Example: { "gid" : "23" }

Example snippet
The following snippet speciﬁes a group named groupOne without assigning a group ID and a group
named groupTwo that speciﬁed a group ID value of 45.

JSON
"groups" : {
"groupOne" : {},
"groupTwo" : { "gid" : "45" }

API Version 2010-05-15
685

AWS CloudFormation User Guide
AWS::CloudFormation::Init
}

YAML
groups:
groupOne: {}
groupTwo:
gid: "45"

Packages
You can use the packages key to download and install pre-packaged applications and components. On
Windows systems, the packages key supports only the MSI installer.

Supported package formats
The cfn-init script currently supports the following package formats: apt, msi, python, rpm, rubygems,
and yum. Packages are processed in the following order: rpm, yum/apt, and then rubygems and python.
There is no ordering between rubygems and python, and packages within each package manager are not
guaranteed to be installed in any order.

Specifying versions
Within each package manager, each package is speciﬁed as a package name and a list of versions. The
version can be a string, a list of versions, or an empty string or list. An empty string or list indicates that
you want the latest version. For rpm manager, the version is speciﬁed as a path to a ﬁle on disk or a URL.
If you specify a version of a package, cfn-init will attempt to install that version even if a newer version
of the package is already installed on the instance. Some package managers support multiple versions,
but others may not. Please check the documentation for your package manager for more information. If
you do not specify a version and a version of the package is already installed, the cfn-init script will not
install a new version—it will assume that you want to keep and use the existing version.

Example snippets
RPM, yum, and Rubygems
The following snippet speciﬁes a version URL for rpm, requests the latest versions from yum, and version
0.10.2 of chef from rubygems:

JSON
"rpm" : {
"epel" : "http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm"
},
"yum" : {
"httpd" : [],
"php" : [],
"wordpress" : []
},
"rubygems" : {
"chef" : [ "0.10.2" ]
}

YAML
rpm:
epel: "http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm"

API Version 2010-05-15
686

AWS CloudFormation User Guide
AWS::CloudFormation::Init
yum:
httpd: []
php: []
wordpress: []
rubygems:
chef:
- "0.10.2"

MSI Package
The following snippet speciﬁes a URL for an MSI package:

JSON
"msi" : {
"awscli" : "https://s3.amazonaws.com/aws-cli/AWSCLI64.msi"
}

YAML
msi:
awscli: "https://s3.amazonaws.com/aws-cli/AWSCLI64.msi"

Services
You can use the services key to deﬁne which services should be enabled or disabled when the instance is
launched. On Linux systems, this key is supported by using sysvinit. On Windows systems, it is supported
by using the Windows service manager.
The services key also allows you to specify dependencies on sources, packages and ﬁles so that if a
restart is needed due to ﬁles being installed, cfn-init will take care of the service restart. For example,
if you download the Apache HTTP Server package, the package installation will automatically start
the Apache HTTP Server during the stack creation process. However, if the Apache HTTP Server
conﬁguration is updated later in the stack creation process, the update won't take eﬀect unless the
Apache server is restarted. You can use the services key to ensure that the Apache HTTP service is
restarted.
The following table lists the supported keys.
Key

Description

ensureRunning

Set to true to ensure that the service is running after cfn-init ﬁnishes.
Set to false to ensure that the service is not running after cfn-init ﬁnishes.
Omit this key to make no changes to the service state.

enabled

Set to true to ensure that the service will be started automatically upon
boot.
Set to false to ensure that the service will not be started automatically upon
boot.
Omit this key to make no changes to this property.

ﬁles

A list of ﬁles. If cfn-init changes one directly via the ﬁles block, this service
will be restarted
API Version 2010-05-15
687

AWS CloudFormation User Guide
AWS::CloudFormation::Init

Key

Description

sources

A list of directories. If cfn-init expands an archive into one of these
directories, this service will be restarted.

packages

A map of package manager to list of package names. If cfn-init installs or
updates one of these packages, this service will be restarted.

commands

A list of command names. If cfn-init runs the speciﬁed command, this
service will be restarted.

Examples
Linux
The following Linux snippet conﬁgures the services as follows:
• The nginx service will be restarted if either /etc/nginx/nginx.conf or /var/www/html are modiﬁed by
cfn-init.
• The php-fastcgi service will be restarted if cfn-init installs or updates php or spawn-fcgi using yum.
• The sendmail service will be stopped and disabled.

JSON
"services" : {
"sysvinit" : {
"nginx" : {
"enabled" : "true",
"ensureRunning" : "true",
"files" : ["/etc/nginx/nginx.conf"],
"sources" : ["/var/www/html"]
},
"php-fastcgi" : {
"enabled" : "true",
"ensureRunning" : "true",
"packages" : { "yum" : ["php", "spawn-fcgi"] }
},
"sendmail" : {
"enabled" : "false",
"ensureRunning" : "false"
}
}
}

YAML
services:
sysvinit:
nginx:
enabled: "true"
ensureRunning: "true"
files:
- "/etc/nginx/nginx.conf"
sources:
- "/var/www/html"
php-fastcgi:
enabled: "true"
ensureRunning: "true"

API Version 2010-05-15
688

AWS CloudFormation User Guide
AWS::CloudFormation::Init
packages:
yum:
- "php"
- "spawn-fcgi"
sendmail:
enabled: "false"
ensureRunning: "false"

Windows
The following Windows snippet starts the cfn-hup service, sets it to automatic, and restarts the service
if cfn-init modiﬁes the speciﬁed conﬁguration ﬁles:

JSON
"services" : {
"windows" : {
"cfn-hup" : {
"enabled" : "true",
"ensureRunning" : "true",
"files" : ["c:\\cfn\\cfn-hup.conf", "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf"]
}
}
}

YAML
services:
windows:
cfn-hup:
enabled: "true"
ensureRunning: "true"
files:
- "c:\\cfn\\cfn-hup.conf"
- "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf"

Sources
You can use the sources key to download an archive ﬁle and unpack it in a target directory on the EC2
instance. This key is fully supported for both Linux and Windows systems.
Supported formats
Supported formats are tar, tar+gzip, tar+bz2 and zip.

Examples
GitHub
If you use GitHub as a source control system, you can use cfn-init and the sources package mechanism
to pull a speciﬁc version of your application. GitHub allows you to create a zip or a tar from a speciﬁc
version via a URL as follows:
https://github.com//(zipball|tarball)/

For example, the following snippet pulls down version master as a .tar ﬁle.
API Version 2010-05-15
689

AWS CloudFormation User Guide
AWS::CloudFormation::Init

JSON
"sources" : {
"/etc/puppet" : "https://github.com/user1/cfn-demo/tarball/master"
}

YAML
sources:
/etc/puppet: "https://github.com/user1/cfn-demo/tarball/master"

S3 Bucket
The following example downloads a zip ﬁle from an Amazon S3 bucket and unpacks it into /etc/myapp:

Note

You can use authentication credentials for a source. However, you cannot put an authentication
key in the sources block. Instead, include a buckets key in your S3AccessCreds block. For an
example, see the example template. For more information on Amazon S3 authentication
credentials, see AWS::CloudFormation::Authentication (p. 668).

JSON
"sources" : {
"/etc/myapp" : "https://s3.amazonaws.com/mybucket/myapp.tar.gz"
}

YAML
sources:
/etc/myapp: "https://s3.amazonaws.com/mybucket/myapp.tar.gz"

Users
You can use the users key to create Linux/UNIX users on the EC2 instance. The users key is not supported
for Windows systems.
The following table lists the supported keys.
Key

Description

uid

A user ID. The creation process fails if the user name exists with a diﬀerent
user ID. If the user ID is already assigned to an existing user the operating
system may reject the creation request.

groups

A list of group names. The user will be added to each group in the list.

homeDir

The user's home directory.

Example
Users are created as non-interactive system users with a shell of /sbin/nologin. This is by design and
cannot be modiﬁed.
API Version 2010-05-15
690

AWS CloudFormation User Guide
AWS::CloudFormation::Interface

JSON

"users" : {
"myUser" : {
"groups" : ["groupOne", "groupTwo"],
"uid" : "50",
"homeDir" : "/tmp"
}
}

YAML
users:
myUser:
groups:
- "groupOne"
- "groupTwo"
uid: "50"
homeDir: "/tmp"

AWS::CloudFormation::Interface
AWS::CloudFormation::Interface is a metadata key that deﬁnes how parameters are grouped
and sorted in the AWS CloudFormation console. When you create or update stacks in the console, the
console lists input parameters in alphabetical order by their logical IDs. By using this key, you can deﬁne
your own parameter grouping and ordering so that users can eﬃciently specify parameter values. For
example, you could group all EC2-related parameters in one group and all VPC-related parameters in
another group.
In addition to grouping and ordering parameters, you can deﬁne labels for parameters. A label is a
friendly name or description that the console displays instead of a parameter's logical ID. Labels are
useful for helping users understand the values to specify for each parameter. For example, you could
label a KeyPair parameter Select an EC2 key pair.

Note

Only the AWS CloudFormation console uses the AWS::CloudFormation::Interface
metadata key. AWS CloudFormation CLI and API calls do not use this key.
Topics
• Syntax (p. 691)
• Properties (p. 692)
• Example (p. 692)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
"Metadata" : {
"AWS::CloudFormation::Interface" : {
"ParameterGroups" : [ ParameterGroup, ... ],
"ParameterLabels" : ParameterLabel
}

API Version 2010-05-15
691

AWS CloudFormation User Guide
AWS::CloudFormation::Interface
}

YAML
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- ParameterGroup
ParameterLabels:
ParameterLabel

Properties
ParameterGroups
A list of parameter group types, where you specify group names, the parameters in each group, and
the order in which the parameters are shown.
Required: No
Type: AWS CloudFormation Interface ParameterGroup (p. 1684)
Update requires: No interruption (p. 118)
ParameterLabels
A mapping of parameters and their friendly names that the AWS CloudFormation console shows
when a stack is created or updated.
Required: No
Type: AWS CloudFormation Interface ParameterLabel (p. 1685)
Update requires: No interruption (p. 118)

Example
The following example deﬁnes two parameter groups: Network Configuration and Amazon
EC2 Configuration. The Network Configuration group includes the VPCID, SubnetId, and
SecurityGroupID parameters, which are deﬁned in the Parameters section of the template (not
shown). The order in which the console shows these parameters is deﬁned by the order in which the
parameters are listed, starting with the VPCID parameter. The example similarly groups and orders the
Amazon EC2 Configuration parameters.
The example also deﬁnes a label for the VPCID parameter. The console will show Which VPC should this
be deployed to? instead of the parameter's logical ID (VPCID).

JSON
"Metadata" : {
"AWS::CloudFormation::Interface" : {
"ParameterGroups" : [
{
"Label" : { "default" : "Network Configuration" },
"Parameters" : [ "VPCID", "SubnetId", "SecurityGroupID" ]
},
{
"Label" : { "default":"Amazon EC2 Configuration" },

API Version 2010-05-15
692

AWS CloudFormation User Guide
AWS::CloudFormation::Interface

}

}

}

"Parameters" : [ "InstanceType", "KeyName" ]

],
"ParameterLabels" : {
"VPCID" : { "default" : "Which VPC should this be deployed to?" }
}

YAML
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
Label:
default: "Network Configuration"
Parameters:
- VPCID
- SubnetId
- SecurityGroupID
Label:
default: "Amazon EC2 Configuration"
Parameters:
- InstanceType
- KeyName
ParameterLabels:
VPCID:
default: "Which VPC should this be deployed to?"

Parameter Groups in the Console
Using the metadata key from this example, the following ﬁgure shows how the console displays
parameter groups when a stack is created or updated: Parameter groups in the console

API Version 2010-05-15
693

AWS CloudFormation User Guide
AWS::CloudFormation::Stack

AWS::CloudFormation::Stack
The AWS::CloudFormation::Stack type nests a stack as a resource in a top-level template.
You can add output values from a nested stack within the containing template. You use the
GetAtt (p. 2285) function with the nested stack's logical name and the name of the output value in the
nested stack in the format Outputs.NestedStackOutputName.

Important

We strongly recommend that updates to nested stacks are run from the parent stack.
When you apply template changes to update a top-level stack, AWS CloudFormation updates the toplevel stack and initiates an update to its nested stacks. AWS CloudFormation updates the resources
of modiﬁed nested stacks, but does not update the resources of unmodiﬁed nested stacks. For more
information, see AWS CloudFormation Stacks Updates (p. 118).

Note

You must acknowledge IAM capabilities for nested stacks that contain IAM resources. Also,
verify that you have cancel update stack permissions, which is required if an update rolls back.
For more information about IAM and AWS CloudFormation, see Controlling Access with AWS
Identity and Access Management (p. 9).
Topics
• Syntax (p. 694)
• Properties (p. 695)
• Return Values (p. 696)
• Related Information (p. 696)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CloudFormation::Stack",
"Properties" : {
"NotificationARNs" : [ String, ... ],
"Parameters" : { AWS CloudFormation Stack Parameters },
"Tags" : [ Resource Tag, ... ],
"TemplateURL" : String,
"TimeoutInMinutes" : Integer
}

YAML
Type: AWS::CloudFormation::Stack
Properties:
NotificationARNs:
- String
Parameters:
AWS CloudFormation Stack Parameters
Tags:
- Resource Tag
TemplateURL: String
TimeoutInMinutes: Integer

API Version 2010-05-15
694

AWS CloudFormation User Guide
AWS::CloudFormation::Stack

Properties
NotificationARNs
A list of existing Amazon SNS topics where notiﬁcations about stack events are sent.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
Parameters
The set of parameters passed to AWS CloudFormation when this nested stack is created.

Note

If you use the Ref function to pass a parameter value to a nested stack, comma-delimited
list parameters must be of type String. In other words, you cannot pass values that are of
type CommaDelimitedList to nested stacks.
Required: Conditional (required if the nested stack requires input parameters).
Type: AWS CloudFormation Stack Parameters (p. 1682)
Update requires: Whether an update causes interruptions depends on the resources that are being
updated. An update never causes a nested stack to be replaced.
Tags
An arbitrary set of tags (key–value pairs) to describe this stack.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).
TemplateURL
The URL of a template that speciﬁes the stack that you want to create as a resource. Template
ﬁles can use any extension, such as .json, .yaml, .template, or .txt. The template
must be stored on an Amazon S3 bucket, so the URL must have the form: https://
s3.amazonaws.com/.../TemplateName.extension
Required: Yes
Type: String
Update requires: Whether an update causes interruptions depends on the resources that are being
updated. An update never causes a nested stack to be replaced.
TimeoutInMinutes
The length of time, in minutes, that AWS CloudFormation waits for the nested stack to reach the
CREATE_COMPLETE state. The default is no timeout. When AWS CloudFormation detects that
the nested stack has reached the CREATE_COMPLETE state, it marks the nested stack resource as
CREATE_COMPLETE in the parent stack and resumes creating the parent stack. If the timeout period
expires before the nested stack reaches CREATE_COMPLETE, AWS CloudFormation marks the nested
stack as failed and rolls back both the nested stack and parent stack.
Required: No
API Version 2010-05-15
695

AWS CloudFormation User Guide
AWS::CloudFormation::WaitCondition

Type: Integer
Update requires: Updates are not supported.

Return Values
Ref
For AWS::CloudFormation::Stack, Ref returns the Stack ID. For example:
arn:aws:cloudformation:us-east-2:123456789012:stack/mystack-mynestedstacksggfrhxhum7w/f449b250-b969-11e0-a185-5081d0136786
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Outputs.NestedStackOutputName
Returns: The output value from the speciﬁed nested stack where NestedStackOutputName is the
name of the output value.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Related Information
• For sample template snippets, see Nested Stacks in AWS CloudFormation Template Snippets (p. 292).
• If you have nested stacks that are stuck in an in-progress operation, see Troubleshooting Errors in
Troubleshooting AWS CloudFormation (p. 2343).

AWS::CloudFormation::WaitCondition
Important

For Amazon EC2 and Auto Scaling resources, we recommend that you use a CreationPolicy
attribute instead of wait conditions. Add a CreationPolicy attribute to those resources, and
use the cfn-signal helper script to signal when an instance creation process has completed
successfully.
You can use a wait condition for situations like the following:
• To coordinate stack resource creation with conﬁguration actions that are external to the stack creation
• To track the status of a conﬁguration process
For these situations, we recommend that you associate a CreationPolicy (p. 2245) attribute with the wait
condition so that you don't have to use a wait condition handle. For more information and an example,
see Creating Wait Conditions in a Template (p. 276). If you use a CreationPolicy with a wait condition, do
not specify any of the wait condition's properties.

Note

If you use the VPC endpoint feature, resources in the VPC that respond to wait conditions must
have access to AWS CloudFormation-speciﬁc Amazon Simple Storage Service (Amazon S3)
buckets. Resources must send wait condition responses to a pre-signed Amazon S3 URL. If they
can't send responses to Amazon S3, AWS CloudFormation won't receive a response and the
stack operation fails. For more information, see AWS CloudFormation and VPC Endpoints (p. 24).
API Version 2010-05-15
696

AWS CloudFormation User Guide
AWS::CloudFormation::WaitCondition

Topics
• Syntax (p. 697)
• Properties (p. 697)
• Return Values (p. 698)
• Examples (p. 698)
• See Also (p. 699)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CloudFormation::WaitCondition",
"Properties" : {
"Count (p. 697)" : Integer,
"Handle (p. 697)" : String,
"Timeout (p. 698)" : String
}

YAML
Type: AWS::CloudFormation::WaitCondition
Properties:
Count (p. 697): Integer
Handle (p. 697): String
Timeout (p. 698): String

Properties
Count
The number of success signals that AWS CloudFormation must receive before it continues the
stack creation process. When the wait condition receives the requisite number of success signals,
AWS CloudFormation resumes the creation of the stack. If the wait condition does not receive
the speciﬁed number of success signals before the Timeout period expires, AWS CloudFormation
assumes that the wait condition has failed and rolls the stack back.
Required: No
Type: Integer
Update requires: Updates are not supported.
Handle
A reference to the wait condition handle used to signal this wait condition. Use the Ref intrinsic
function to specify an AWS::CloudFormation::WaitConditionHandle (p. 699) resource.
Anytime you add a WaitCondition resource during a stack update, you must associate the wait
condition with a new WaitConditionHandle resource. Do not reuse an old wait condition handle that
has already been deﬁned in the template. If you reuse a wait condition handle, the wait condition
might evaluate old signals from a previous create or update stack command.
API Version 2010-05-15
697

AWS CloudFormation User Guide
AWS::CloudFormation::WaitCondition

Required: Yes
Type: String
Update requires: Updates are not supported.
Timeout
The length of time (in seconds) to wait for the number of signals that the Count property speciﬁes.
Timeout is a minimum-bound property, meaning the timeout occurs no sooner than the time you
specify, but can occur shortly thereafter. The maximum time that can be speciﬁed for this property is
12 hours (43200 seconds).
Required: Yes
Type: String
Update requires: Updates are not supported.

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Data
Returns: A JSON object that contains the UniqueId and Data values from the wait condition
signal(s) for the speciﬁed wait condition. For more information about wait condition signals, see
Wait Condition Signal JSON Format (p. 279).
Example return value for a wait condition with 2 signals:

{ "Signal1" : "Step 1 complete." , "Signal2" : "Step 2 complete." }

For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
WaitCondition that waits for the desired number of instances in a web server
group
JSON
"WebServerGroup" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : "" },

API Version 2010-05-15
698

AWS CloudFormation User Guide
AWS::CloudFormation::WaitConditionHandle

},

}

"LaunchConfigurationName" : { "Ref" : "LaunchConfig" },
"MinSize" : "1",
"MaxSize" : "5",
"DesiredCapacity" : { "Ref" : "WebServerCapacity" },
"LoadBalancerNames" : [ { "Ref" : "ElasticLoadBalancer" } ]

"WaitHandle" : {
"Type" : "AWS::CloudFormation::WaitConditionHandle"
},
"WaitCondition" : {
"Type" : "AWS::CloudFormation::WaitCondition",
"DependsOn" : "WebServerGroup",
"Properties" : {
"Handle" : { "Ref" : "WaitHandle" },
"Timeout" : "300",
"Count"
: { "Ref" : "WebServerCapacity" }
}
}

YAML
WebServerGroup:
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
AvailabilityZones:
Fn::GetAZs: ""
LaunchConfigurationName:
Ref: "LaunchConfig"
MinSize: "1"
MaxSize: "5"
DesiredCapacity:
Ref: "WebServerCapacity"
LoadBalancerNames:
Ref: "ElasticLoadBalancer"
WaitHandle:
Type: AWS::CloudFormation::WaitConditionHandle
WaitCondition:
Type: AWS::CloudFormation::WaitCondition
DependsOn: "WebServerGroup"
Properties:
Handle:
Ref: "WaitHandle"
Timeout: "300"
Count:
Ref: "WebServerCapacity"

See Also
• Creating Wait Conditions in a Template (p. 276)
• DependsOn Attribute (p. 2250)

AWS::CloudFormation::WaitConditionHandle
Important

For Amazon EC2 and Auto Scaling resources, we recommend that you use a CreationPolicy
attribute instead of wait conditions. Add a CreationPolicy attribute to those resources, and
API Version 2010-05-15
699

AWS CloudFormation User Guide
AWS::CloudFront::Distribution

use the cfn-signal helper script to signal when an instance creation process has completed
successfully.
For more information, see Deploying Applications on Amazon EC2 with AWS
CloudFormation (p. 260).
The AWS::CloudFormation::WaitConditionHandle type has no properties. When you reference the
WaitConditionHandle resource by using the Ref function, AWS CloudFormation returns a presigned
URL. You pass this URL to applications or scripts that are running on your Amazon EC2 instances to send
signals to that URL. An associated AWS::CloudFormation::WaitCondition (p. 696) resource checks the
URL for the required number of success signals or for a failure signal.

Important

Anytime you add a WaitCondition resource during a stack update or update a resource with
a wait condition, you must associate the wait condition with a new WaitConditionHandle
resource. Do not reuse an old wait condition handle that has already been deﬁned in the
template. If you reuse a wait condition handle, the wait condition might evaluate old signals
from a previous create or update stack command.

Note

Updates are not supported for this resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CloudFormation::WaitConditionHandle",
"Properties" : {
}

YAML
Type: AWS::CloudFormation::WaitConditionHandle
Properties:

Related Resources
For information about how to use wait conditions, see Creating Wait Conditions in a Template (p. 276).

AWS::CloudFront::Distribution
Creates an Amazon CloudFront web distribution. For general information about CloudFront distributions,
see the Introduction to Amazon CloudFront in the Amazon CloudFront Developer Guide. For speciﬁc
information about creating CloudFront web distributions, see CreateDistribution in the Amazon
CloudFront API Reference.
Topics
• Syntax (p. 701)
• Properties (p. 701)
• Return Values (p. 701)
• Example (p. 702)
API Version 2010-05-15
700

AWS CloudFormation User Guide
AWS::CloudFront::Distribution

• See Also (p. 703)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CloudFront::Distribution",
"Properties" : {
"DistributionConfig" : DistributionConfig (p. 1695),
"Tags" : [ Tag (p. 1712), ... ]
}

YAML
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
DistributionConfig (p. 1695)
Tags:
- Tag (p. 1712)

Properties
DistributionConfig
The distribution's conﬁguration information.
Required: Yes
Type: DistributionConﬁg (p. 1695) type
Update requires: No interruption (p. 118)
Tags
An arbitrary set of tags (key–value pairs) to associate with a CloudFront distribution.
Required: No
Type: List of ??? (p. 1712)
Update requires: No interruption (p. 118)
Duplicates not allowed.

Return Values
Ref
Returns: The CloudFront distribution ID. For example: E27LVI50CSW06W.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
701

AWS CloudFormation User Guide
AWS::CloudFront::Distribution

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
DomainName
Returns: The domain name of the resource. For example: d2fadu0nynjpfn.cloudfront.net.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example speciﬁes a distribution and assigns it a single tag.

JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"cloudfrontdistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"CacheBehaviors": [
{
"LambdaFunctionAssociations": [
{
"EventType": "string-value",
"LambdaFunctionARN": "string-value"
}
]
}
],
"DefaultCacheBehavior": {
"LambdaFunctionAssociations": [
{
"EventType": "string-value",
"LambdaFunctionARN": "string-value"
}
]
},
"IPV6Enabled": "boolean-value",
"Origins": [
{
"CustomOriginConfig": {
"OriginKeepaliveTimeout": "integer-value",
"OriginReadTimeout": "integer-value"
}
}
]
},
"Tags": [
{
"Key": "string-value",
"Value": "string-value"
}
]
}
}
}

API Version 2010-05-15
702

AWS CloudFormation User Guide
AWS::CloudFront::CloudFrontOriginAccessIdentity

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
cloudfrontdistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
CacheBehaviors:
- LambdaFunctionAssociations:
- EventType: string-value
LambdaFunctionARN: string-value
DefaultCacheBehavior:
LambdaFunctionAssociations:
- EventType: string-value
LambdaFunctionARN: string-value
IPV6Enabled: boolean-value
Origins:
- CustomOriginConfig:
OriginKeepaliveTimeout: integer-value
OriginReadTimeout: integer-value
Tags:
- Key: string-value
Value: string-value

See Also
• CreateDistribution in the Amazon CloudFront API Reference

AWS::CloudFront::CloudFrontOriginAccessIdentity
The AWS::CloudFront::CloudFrontOriginAccessIdentity resource speciﬁes the CloudFront
origin access identity to associate with the origin of a CloudFront distribution. For more information, see
OriginAccessIdentity in the Amazon CloudFront API Reference.
Topics
• Syntax (p. 703)
• Properties (p. 704)
• Return Values (p. 704)
• Example (p. 704)
• See Also (p. 705)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CloudFront::CloudFrontOriginAccessIdentity",
"Properties" : {
"CloudFrontOriginAccessIdentityConfig" : CloudFrontOriginAccessIdentityConfig (p. 1685)
}

API Version 2010-05-15
703

AWS CloudFormation User Guide
AWS::CloudFront::CloudFrontOriginAccessIdentity

YAML
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig: CloudFrontOriginAccessIdentityConfig

Properties
CloudFrontOriginAccessIdentityConfig
The conﬁguration of the CloudFront origin access identity.
Required: Yes
Type: CloudFrontOriginAccessIdentityConﬁg (p. 1685)
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::CloudFront::CloudFrontOriginAccessIdentity
resource to the intrinsic Ref function, the function returns the origin access identity, such as
E15MNIMTCFKK4C.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
S3CanonicalUserId

The Amazon S3 canonical user ID for the origin access identity, used when giving
the origin access identity read permission to an object in Amazon S3. For example:
b970b42360b81c8ddbd79d2f5df0069ba9033c8a79655752abe380cd6d63ba8bcf23384d568fcf89fc49700
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example speciﬁes the comment for an origin access identity.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"cloudfrontoriginaccessidentity": {
"Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
"Properties": {
"CloudFrontOriginAccessIdentityConfig": {
"Comment": "string-value"
}
}

API Version 2010-05-15
704

AWS CloudFormation User Guide
AWS::CloudFront::StreamingDistribution

}

}

}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
cloudfrontoriginaccessidentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: string-value

See Also
• OriginAccessIdentity in the Amazon CloudFront API Reference

AWS::CloudFront::StreamingDistribution
The AWS::CloudFront::StreamingDistribution resource speciﬁes an RMTP distribution for
Amazon CloudFront. An RTMP distribution is similar to a web distribution, but an RTMP distribution
streams media ﬁles using the Adobe Real-Time Messaging Protocol (RTMP) instead of serving ﬁles using
HTTP. For more information, see CreateStreamingDistribution in the Amazon CloudFront API Reference.
Topics
• Syntax (p. 705)
• Properties (p. 706)
• Return Values (p. 706)
• Example (p. 706)
• See Also (p. 707)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CloudFront::StreamingDistribution",
"Properties" : {
"StreamingDistributionConfig" : StreamingDistributionConfig (p. 1710),
"Tags" : [ Tag (p. 1712), ... ]
}

YAML
Type: AWS::CloudFront::StreamingDistribution
Properties:
StreamingDistributionConfig: StreamingDistributionConfig
Tags:
- Tag (p. 1712)

API Version 2010-05-15
705

AWS CloudFormation User Guide
AWS::CloudFront::StreamingDistribution

Properties
StreamingDistributionConfig
Information about the conﬁguration of the RMTP streaming distribution.
Required: Yes
Type: CloudFront StreamingDistribution StreamingDistributionConﬁg (p. 1710)
Update requires: No interruption (p. 118)
Tags
Key-value tags to assign to this streaming distribution.
Required: Yes
Type: List of CloudFront StreamingDistribution Tag (p. 1712)
Update requires: No interruption (p. 118)
Duplicates not allowed.

Return Values
Ref
When you pass the logical ID of an AWS::CloudFront::StreamingDistribution resource to the
intrinsic Ref function, the function returns the streaming distribution ID, such as E1E7FEN9T35R9W.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
DomainName
The domain name of the resource, such as sct27g85mgx04.cloudfront.net.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example speciﬁes a streaming distribution and assigns it a single tag.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"streamingdistribution": {
"Type": "AWS::CloudFront::StreamingDistribution",
"Properties": {
"StreamingDistributionConfig": {
"Aliases": [

API Version 2010-05-15
706

AWS CloudFormation User Guide
AWS::CloudFront::StreamingDistribution
"string-values"
],
"Comment": "string-value",
"Enabled": "boolean-value",
"Logging": {
"Bucket": "string-value",
"Enabled": "boolean-value",
"Prefix": "string-value"
},
"PriceClass": "string-value",
"S3Origin": {
"DomainName": "string-value",
"OriginAccessIdentity": "string-value"
},
"TrustedSigners": {
"Enabled": "boolean-value",
"AwsAccountNumbers": [
"string-values"
]
}

}

}

}

}

},
"Tags": [
{
"Key": "string-value",
"Value": "string-value"
}
]

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
streamingdistribution:
Type: AWS::CloudFront::StreamingDistribution
Properties:
StreamingDistributionConfig:
Aliases:
- string-values
Comment: string-value
Enabled: boolean-value
Logging:
Bucket: string-value
Enabled: boolean-value
Prefix: string-value
PriceClass: string-value
S3Origin:
DomainName: string-value
OriginAccessIdentity: string-value
TrustedSigners:
Enabled: boolean-value
AwsAccountNumbers:
- string-values
Tags:
- Key: string-value
Value: string-value

See Also
• CreateStreamingDistribution in the Amazon CloudFront API Reference
API Version 2010-05-15
707

AWS CloudFormation User Guide
AWS::CloudTrail::Trail

AWS::CloudTrail::Trail
Use the AWS::CloudTrail::Trail resource to create a trail and specify where logs are published. An
AWS CloudTrail (CloudTrail) trail can capture AWS API calls made by your AWS account and publish the
logs to an Amazon S3 bucket. For more information, see What is AWS CloudTrail? in the AWS CloudTrail
User Guide.
Topics
• Syntax (p. 708)
• Properties (p. 709)
• Return Values (p. 711)
• Example (p. 711)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CloudTrail::Trail",
"Properties" : {
"CloudWatchLogsLogGroupArn" : String,
"CloudWatchLogsRoleArn" : String,
"EnableLogFileValidation" : Boolean,
"EventSelectors" : [ EventSelector (p. 1714), ... ],
"IncludeGlobalServiceEvents" : Boolean,
"IsLogging" : Boolean,
"IsMultiRegionTrail" : Boolean,
"KMSKeyId" : String,
"S3BucketName" : String,
"S3KeyPrefix" : String,
"SnsTopicName" : String,
"Tags" : [ Resource Tag (p. 2106), ... ],
"TrailName" : String
}

YAML
Type: AWS::CloudTrail::Trail
Properties:
CloudWatchLogsLogGroupArn: String
CloudWatchLogsRoleArn: String
EnableLogFileValidation: Boolean
EventSelectors:
- EventSelector (p. 1714)
IncludeGlobalServiceEvents: Boolean
IsLogging: Boolean
IsMultiRegionTrail: Boolean
KMSKeyId: String
S3BucketName: String
S3KeyPrefix: String
SnsTopicName: String
Tags:
- Resource Tag (p. 2106)
TrailName: String

API Version 2010-05-15
708

AWS CloudFormation User Guide
AWS::CloudTrail::Trail

Properties
For more information and property constraints, see CreateTrail in the AWS CloudTrail API Reference.
CloudWatchLogsLogGroupArn
The Amazon Resource Name (ARN) of a log group to which CloudTrail logs will be delivered.
Required: Conditional. This property is required if you specify the CloudWatchLogsRoleArn
property.
Type: String
Update requires: No interruption (p. 118)
CloudWatchLogsRoleArn
The role ARN that Amazon CloudWatch Logs (CloudWatch Logs) assumes to write logs to a log
group. For more information, see Role Policy Document for CloudTrail to Use CloudWatch Logs for
Monitoring in the AWS CloudTrail User Guide.
Required: No
Type: String
Update requires: No interruption (p. 118)
EnableLogFileValidation
Indicates whether CloudTrail validates the integrity of log ﬁles. By default, AWS CloudFormation sets
this value to false. When you disable log ﬁle integrity validation, CloudTrail stops creating digest
ﬁles. For more information, see CreateTrail in the AWS CloudTrail API Reference.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
EventSelectors
Conﬁgures logging for management and data events.
Required: No
Type: List of CloudTrail Trail EventSelector (p. 1714)
Update requires: No interruption (p. 118)
IncludeGlobalServiceEvents
Indicates whether the trail is publishing events from global services, such as IAM, to the log ﬁles. By
default, AWS CloudFormation sets this value to false.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
IsLogging
Indicates whether the CloudTrail trail is currently logging AWS API calls.
API Version 2010-05-15
709

AWS CloudFormation User Guide
AWS::CloudTrail::Trail

Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
IsMultiRegionTrail
Indicates whether the CloudTrail trail is created in the region in which you create the stack (false)
or in all regions (true). By default, AWS CloudFormation sets this value to false. For more
information, see How Does CloudTrail Behave Regionally and Globally? in the AWS CloudTrail User
Guide.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
KMSKeyId
The AWS Key Management Service (AWS KMS) key ID that you want to use to encrypt CloudTrail
logs. You can specify an alias name (preﬁxed with alias/), an alias ARN, a key ARN, or a globally
unique identiﬁer.
Required: No
Type: String
Update requires: No interruption (p. 118)
S3BucketName
The name of the Amazon S3 bucket where CloudTrail publishes log ﬁles.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
S3KeyPrefix
An Amazon S3 object key preﬁx that precedes the name of all log ﬁles.
Required: No
Type: String
Update requires: No interruption (p. 118)
SnsTopicName
The name of an Amazon SNS topic that is notiﬁed when new log ﬁles are published.
Required: No
Type: String
Update requires: No interruption (p. 118)
Tags
An arbitrary set of tags (key–value pairs) for this trail.
Required: No
API Version 2010-05-15
710

AWS CloudFormation User Guide
AWS::CloudTrail::Trail

Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).
TrailName
The name of the trail. For constraint information, see CreateTrail in the AWS CloudTrail API Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The ARN of the CloudTrail trail, such as arn:aws:cloudtrail:useast-2:123456789012:trail/myCloudTrail.
SnsTopicArn
The ARN of the Amazon SNS topic that's associated with the CloudTrail trail, such as
arn:aws:sns:us-east-2:123456789012:mySNSTopic.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example creates a CloudTrail trail, an Amazon S3 bucket where logs are published, and an
Amazon SNS topic where notiﬁcations are sent. The bucket and topic policies allow CloudTrail (from the
speciﬁed regions) to publish logs to the Amazon S3 bucket and to send notiﬁcations to an email that you
specify. Because CloudTrail automatically writes to the bucket_name/AWSLogs/account_ID/ folder,
the bucket policy grants write privileges for that preﬁx. For information about CloudTrail bucket policies,
see Amazon S3 Bucket Policy in the AWS CloudTrail User Guide.
For more information about the regions that CloudTrail supports, see Supported Regions in the AWS
CloudTrail User Guide.

JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Parameters" : {
"OperatorEmail": {
"Description": "Email address to notify when new logs are published.",

API Version 2010-05-15
711

AWS CloudFormation User Guide
AWS::CloudTrail::Trail

}

"Type": "String"

},
"Resources" : {
"S3Bucket": {
"DeletionPolicy" : "Retain",
"Type": "AWS::S3::Bucket",
"Properties": {
}
},
"BucketPolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"Bucket" : {"Ref" : "S3Bucket"},
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": { "Service":"cloudtrail.amazonaws.com"},
"Action": "s3:GetBucketAcl",
"Resource": { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref":"S3Bucket"}]]}
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": { "Service":"cloudtrail.amazonaws.com"},
"Action": "s3:PutObject",
"Resource": { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref":"S3Bucket"}, "/
AWSLogs/", {"Ref":"AWS::AccountId"}, "/*"]]},
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
}
},
"Topic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [ {
"Endpoint": { "Ref": "OperatorEmail" },
"Protocol": "email" } ]
}
},
"TopicPolicy" : {
"Type" : "AWS::SNS::TopicPolicy",
"Properties" : {
"Topics" : [{"Ref":"Topic"}],
"PolicyDocument" : {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailSNSPolicy",
"Effect": "Allow",
"Principal": { "Service":"cloudtrail.amazonaws.com"},
"Resource": "*",
"Action": "SNS:Publish"
}
]
}
}

API Version 2010-05-15
712

AWS CloudFormation User Guide
AWS::CloudTrail::Trail

}

}

},
"myTrail" : {
"DependsOn" : ["BucketPolicy", "TopicPolicy"],
"Type" : "AWS::CloudTrail::Trail",
"Properties" : {
"S3BucketName" : {"Ref":"S3Bucket"},
"SnsTopicName" : {"Fn::GetAtt":["Topic","TopicName"]},
"IsLogging" : true
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
OperatorEmail:
Description: "Email address to notify when new logs are published."
Type: String
Resources:
S3Bucket:
DeletionPolicy: Retain
Type: AWS::S3::Bucket
Properties: {}
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: S3Bucket
PolicyDocument:
Version: "2012-10-17"
Statement:
Sid: "AWSCloudTrailAclCheck"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "s3:GetBucketAcl"
Resource:
!Sub |arn:aws:s3:::${S3Bucket}
Sid: "AWSCloudTrailWrite"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "s3:PutObject"
Resource:
!Sub |arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
Condition:
StringEquals:
s3:x-amz-acl: "bucket-owner-full-control"
Topic:
Type: AWS::SNS::Topic
Properties:
Subscription:
Endpoint:
Ref: OperatorEmail
Protocol: email
TopicPolicy:
Type: AWS::SNS::TopicPolicy

API Version 2010-05-15
713

AWS CloudFormation User Guide
AWS::CloudWatch::Alarm
Properties:
Topics:
- Ref: "Topic"
PolicyDocument:
Version: "2008-10-17"
Statement:
Sid: "AWSCloudTrailSNSPolicy"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Resource: "*"
Action: "SNS:Publish"
myTrail:
DependsOn:
- BucketPolicy
- TopicPolicy
Type: AWS::CloudTrail::Trail
Properties:
S3BucketName:
Ref: S3Bucket
SnsTopicName:
Fn::GetAtt:
- Topic
- TopicName
IsLogging: true

AWS::CloudWatch::Alarm
The AWS::CloudWatch::Alarm type creates a CloudWatch alarm.
This type supports updates. For more information about updating this resource, see PutMetricAlarm. For
more information about updating stacks, see AWS CloudFormation Stacks Updates (p. 118).
Topics
• Syntax (p. 714)
• Properties (p. 715)
• Return Values (p. 719)
• Examples (p. 719)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::CloudWatch::Alarm",
"Properties" : {
"ActionsEnabled" : Boolean,
"AlarmActions" : [ String, ... ],
"AlarmDescription" : String,
"AlarmName" : String,
"ComparisonOperator" : String,
"Dimensions" : [ Dimension, ... ],
"EvaluateLowSampleCountPercentile" : String,
"EvaluationPeriods" : Integer,
"ExtendedStatistic" : String,
"InsufficientDataActions" : [ String, ... ],

API Version 2010-05-15
714

AWS CloudFormation User Guide
AWS::CloudWatch::Alarm

}

}

"MetricName" : String,
"Namespace" : String,
"OKActions" : [ String, ... ],
"Period" : Integer,
"Statistic" : String,
"Threshold" : Double,
"TreatMissingData" : String,
"Unit" : String

YAML
Type: AWS::CloudWatch::Alarm
Properties:
ActionsEnabled: Boolean
AlarmActions:
- String
AlarmDescription: String
AlarmName: String
ComparisonOperator: String
Dimensions:
- Dimension
EvaluateLowSampleCountPercentile: String
EvaluationPeriods: Integer
ExtendedStatistic: String
InsufficientDataActions:
- String
MetricName: String
Namespace: String
OKActions:
- String
Period: Integer
Statistic: String
Threshold: Double
TreatMissingData: String
Unit: String

Properties
ActionsEnabled
Indicates whether actions should be executed during changes to the CloudWatch alarm's state.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
AlarmActions
The list of actions to execute when this alarm transitions into an ALARM state from any other state.
Specify each action as an Amazon Resource Name (ARN). For more information about creating
alarms and the actions that you can specify, see PutMetricAlarm in the Amazon CloudWatch API
Reference and Creating Amazon CloudWatch Alarms in the Amazon CloudWatch User Guide.

Note

For Auto Scaling scaling polices, you can specify only one policy. If you associate more than
one policy, Amazon CloudWatch executes only the ﬁrst scaling policy.
Required: No
API Version 2010-05-15
715

AWS CloudFormation User Guide
AWS::CloudWatch::Alarm

Type: List of String values
Update requires: No interruption (p. 118)
AlarmDescription
The description of the alarm.
Required: No
Type: String
Update requires: No interruption (p. 118)
AlarmName
A name for the alarm. If you don't specify a name, AWS CloudFormation generates a unique physical
ID and uses that ID for the alarm name. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
ComparisonOperator
The arithmetic operation to use when comparing the speciﬁed Statistic and Threshold. AWS
CloudFormation uses the value of Statistic as the ﬁrst operand.
You can specify the following values: GreaterThanOrEqualToThreshold ,
GreaterThanThreshold, LessThanThreshold, or LessThanOrEqualToThreshold.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Dimensions
The dimensions of the metric for the alarm.
Required: No
Type: List of Metric Dimension (p. 1716)
Update requires: No interruption (p. 118)
EvaluateLowSampleCountPercentile
Used only for alarms that are based on percentiles. Speciﬁes whether to evaluate the data and
potentially change the alarm state if there are too few data points to be statistically signiﬁcant.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
716

AWS CloudFormation User Guide
AWS::CloudWatch::Alarm

EvaluationPeriods
The number of periods over which data is compared to the speciﬁed threshold.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
ExtendedStatistic
The percentile statistic for the metric. Specify a value between p0.0 and p100.
Required: Conditional. You must specify either the ExtendedStatistic or the Statistic
property.
Type: String
Update requires: No interruption (p. 118)
InsufficientDataActions
The list of actions to execute when this alarm transitions into an INSUFFICIENT_DATA state.
Specify each action as an Amazon Resource Number (ARN). Currently, the only action supported is
publishing to an Amazon SNS topic or an Auto Scaling policy.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
MetricName
The name of the metric associated with the alarm. For more information about the metrics that you
can specify, see Amazon CloudWatch Namespaces, Dimensions, and Metrics Reference in the Amazon
CloudWatch User Guide.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Namespace
The namespace of the metric that is associated with the alarm.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
OKActions
The list of actions to execute when this alarm transitions into an OK state. Specify each action as an
Amazon Resource Number (ARN). Currently, the only action supported is publishing to an SNS topic
or an Auto Scaling policy.
Required: No
Type: List of String values
API Version 2010-05-15
717

AWS CloudFormation User Guide
AWS::CloudWatch::Alarm

Update requires: No interruption (p. 118)
Period
The time over which the speciﬁed statistic is applied. Specify time in seconds, in multiples of 60.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
Statistic
The statistic to apply to the alarm's associated metric.
You can specify the following values: SampleCount, Average, Sum, Minimum, or Maximum.
Required: Conditional. You must specify either the ExtendedStatistic or the Statistic
property.
Type: String
Update requires: No interruption (p. 118)
Threshold
The value against which the speciﬁed statistic is compared.
Required: Yes
Type: Double
Update requires: No interruption (p. 118)
TreatMissingData
Sets how this alarm is to handle missing data points. If TreatMissingData is omitted, the
default behavior of missing is used. For more information, see PutMetricAlarm in the Amazon
CloudWatch API Reference and Conﬁguring How CloudWatch Alarms Treats Missing Data in the
Amazon CloudWatch User Guide.
Valid values: breaching, notBreaching, ignore, missing
Required: No
Type: String
Update requires: No interruption (p. 118)
Unit
The unit for the metric that is associated with the alarm.
You can specify the following values: Seconds, Microseconds, Milliseconds, Bytes, Kilobytes,
Megabytes, Gigabytes , Terabytes, Bits, Kilobits, Megabits, Gigabits, Terabits,| Percent , Count,Bytes/
Second , Kilobytes/Second, Megabytes/Second, Gigabytes/Second, Terabytes/Second , Bits/Second,
Kilobits/Second , Megabits/Second , Gigabits/Second , Terabits/Second, Count/Second , or None.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
718

AWS CloudFormation User Guide
AWS::CloudWatch::Dashboard

Return Values
Ref
When you specify an AWS::CloudWatch::Alarm type as an argument to the Ref function, AWS
CloudFormation returns the value of the AlarmName.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon Resource Name (ARN) of the CloudWatch alarm, such as arn:aws:cloudwatch:useast-2:123456789012:alarm:myCloudWatchAlarm-CPUAlarm-UXMMZK36R55Z.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
For examples, see Amazon CloudWatch Template Snippets (p. 303).

AWS::CloudWatch::Dashboard
The AWS::CloudWatch::Dashboard resource creates an Amazon CloudWatch dashboard. A dashboard
is a customizable home page in the CloudWatch console that you can use to monitor your AWS resources
in a single view. Each metric, graph, alarm, or text block on a dashboard is called a widget.
This resource supports updates. For more information about updating this resource, see PutDashboard
in the Amazon CloudWatch API Reference. For more information about updating stacks, see AWS
CloudFormation Stacks Updates (p. 118).
Topics
• Syntax (p. 719)
• Properties (p. 720)
• Return Values (p. 720)
• Examples (p. 720)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CloudWatch::Dashboard",
"Properties" : {
"DashboardName" : String,
"DashboardBody" : String,
}

API Version 2010-05-15
719

AWS CloudFormation User Guide
AWS::CodeBuild::Project

YAML
Type: AWS::CloudWatch::Dashboard
Properties:
DashboardName: String
DashboardBody: String

Properties
DashboardName
A name for the dashboard. The name must be between 1 and 255 characters. If you do not specify a
name, one will be generated automatically.
Required: No
Type: String
Update requires: Replacement (p. 119)
DashboardBody
A JSON string that deﬁnes the widgets contained in the dashboard and their location. For
information about how to format this string, see Dashboard Body Structure and Syntax.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When you specify an AWS::CloudWatch::Dashboard resource as an argument to the Ref function,
AWS CloudFormation returns the value of the Name.
For more information about using the Ref function, see Ref (p. 2311).

Examples
For examples, see Amazon CloudWatch Template Snippets (p. 303).

AWS::CodeBuild::Project
The AWS::CodeBuild::Project resource conﬁgures how AWS CodeBuild builds your source code. For
example, it tells AWS CodeBuild where to get the source code and which build environment to use.
Topics
• Syntax (p. 721)
• Properties (p. 721)
• Return Values (p. 724)
• Examples (p. 724)
• See Also (p. 729)
API Version 2010-05-15
720

AWS CloudFormation User Guide
AWS::CodeBuild::Project

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CodeBuild::Project",
"Properties" : {
"Artifacts" : Artifacts (p. 1728),
"BadgeEnabled" : Boolean,
"Cache" : ProjectCache (p. 1732),
"Description" : String,
"EncryptionKey" : String,
"Environment" : Environment (p. 1730),
"Name" : String,
"ServiceRole" : String,
"Source" : Source (p. 1733),
"Tags" : [ Resource Tag, ... ],
"TimeoutInMinutes" : Integer,
"Triggers" : Triggers (p. 1736),
"VpcConfig" : VpcConfig (p. 1737)
}

YAML
Type: AWS::CodeBuild::Project
Properties:
Artifacts:
Artifacts (p. 1728)
BadgeEnabled: Boolean
Cache:
ProjectCache (p. 1732)
Description: String
EncryptionKey: String
Environment:
Environment (p. 1730)
Name: String
ServiceRole: String
Source:
Source (p. 1733)
Tags:
- Resource Tag
TimeoutInMinutes: Integer
Triggers: Triggers (p. 1736)
VpcConfig:
VpcConfig (p. 1737)

Properties
Artifacts
The output settings for artifacts that the project generates during a build.
Required: Yes
Type: AWS CodeBuild Project Artifacts (p. 1728)
Update requires: No interruption (p. 118)
API Version 2010-05-15
721

AWS CloudFormation User Guide
AWS::CodeBuild::Project

BadgeEnabled
Indicates whether AWS CodeBuild generates a publicly accessible URL for your project's build badge.
For more information, see Build Badges Sample in the AWS CodeBuild User Guide.

Note

Including build badges with your project is currently not supported if the source type is AWS
CodePipeline. If you specify CODEPIPELINE for the Source property, don't specify the
BadgeEnabled property.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Cache
Settings that AWS CodeBuild uses to store and reuse build dependencies.
Required: No
Type: AWS CodeBuild Project ProjectCache (p. 1732)
Update requires: No interruption (p. 118)
Description
A description of the project. Use the description to identify the purpose of the project.
Required: No
Type: String
Update requires: No interruption (p. 118)
EncryptionKey
The alias or Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS)
customer master key (CMK) that AWS CodeBuild uses to encrypt the build output. If you don't
specify a value, AWS CodeBuild uses the AWS-managed CMK for Amazon Simple Storage Service.
Required: No
Type: String
Update requires: No interruption (p. 118)
Environment
The build environment settings for the project, such as the environment type or the environment
variables to use for the build environment.
Required: Yes
Type: AWS CodeBuild Project Environment (p. 1730)
Update requires: No interruption (p. 118)
Name
A name for the project. The name must be unique across all of the projects in your AWS account.
Required: Yes
Type: String
API Version 2010-05-15
722

AWS CloudFormation User Guide
AWS::CodeBuild::Project

Update requires: Replacement (p. 119)
ServiceRole
The ARN of the service role that AWS CodeBuild uses to interact with services on your behalf.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Source
The source code settings for the project, such as the source code's repository type and location.
Required: Yes
Type: AWS CodeBuild Project Source (p. 1733)
Update requires: No interruption (p. 118)
Tags
An arbitrary set of tags (key-value pairs) for the AWS CodeBuild project.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
TimeoutInMinutes
The number of minutes after which AWS CodeBuild stops the build if it's not complete. For valid
values, see the timeoutInMinutes ﬁeld in the AWS CodeBuild User Guide.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Triggers
For an existing AWS CodeBuild build project that has its source code stored in a GitHub repository,
enables AWS CodeBuild to begin automatically rebuilding the source code every time a code change
is pushed to the repository.
Required: No
Type: AWS CodeBuild Project ProjectTriggers (p. 1736)
Update requires: No interruption (p. 118)
VpcConfig
Settings that enable AWS CodeBuild to access resources in an Amazon VPC. For more information,
see Use AWS CodeBuild with Amazon Virtual Private Cloud in the AWS CodeBuild User Guide.
Required: No
Type: AWS CodeBuild Project VpcConﬁg (p. 1737)
Update requires: No interruption (p. 118)
API Version 2010-05-15
723

AWS CloudFormation User Guide
AWS::CodeBuild::Project

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the name of the
AWS CodeBuild project, such as myProjectName.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. This section lists the available attribute
and a sample return value.
Arn
The ARN of the AWS CodeBuild project, such as arn:aws:codebuild:uswest-2:123456789012:project/myProjectName.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
The following example creates an AWS CodeBuild project.

JSON
{

"Project": {
"Type": "AWS::CodeBuild::Project",
"Properties": {
"Name": "myProjectName",
"Description": "A description about my project",
"ServiceRole": { "Fn::GetAtt": [ "ServiceRole", "Arn" ] },
"Artifacts": {
"Type": "no_artifacts"
},
"Environment": {
"Type": "LINUX_CONTAINER",
"ComputeType": "BUILD_GENERAL1_SMALL",
"Image": "aws/codebuild/java:openjdk-8",
"EnvironmentVariables": [
{
"Name": "varName",
"Value": "varValue"
}
]
},
"Source": {
"Location": "codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c",
"Type": "S3"
},
"TimeoutInMinutes": 10,
"Tags": [
{
"Key": "Key1",
"Value": "Value1"
},
{
"Key": "Key2",

API Version 2010-05-15
724

AWS CloudFormation User Guide
AWS::CodeBuild::Project

}

}

}

]

}

"Value": "Value2"

YAML
Project:
Type: AWS::CodeBuild::Project
Properties:
Name: myProjectName
Description: A description about my project
ServiceRole: !GetAtt ServiceRole.Arn
Artifacts:
Type: no_artifacts
Environment:
Type: LINUX_CONTAINER
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/java:openjdk-8
EnvironmentVariables:
- Name: varName
Value: varValue
Source:
Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
Type: S3
TimeoutInMinutes: 10
Tags:
- Key: Key1
Value: Value1
- Key: Key2
Value: Value2

The following example creates a project that caches build dependencies in Amazon S3 and uses
resources in an Amazon VPC.

JSON
{

"Resources": {
"CodeBuildProject": {
"Type": "AWS::CodeBuild::Project",
"Properties": {
"ServiceRole": {
"Ref": "CodeBuildRole"
},
"Artifacts": {
"Type": "CODEPIPELINE"
},
"Environment": {
"Type": "LINUX_CONTAINER",
"ComputeType": "BUILD_GENERAL1_SMALL",
"Image": "aws/codebuild/ubuntu-base:14.04",
"EnvironmentVariables": [
{
"Name": "varName1",
"Value": "varValue1"
},
{
"Name": "varName2",
"Value": "varValue2",

API Version 2010-05-15
725

AWS CloudFormation User Guide
AWS::CodeBuild::Project
"Type": "PLAINTEXT"

},
{

]

}

"Name": "varName3",
"Value": "/CodeBuild/testParameter",
"Type": "PARAMETER_STORE"

},
"Source": {
"Type": "CODEPIPELINE"
},
"TimeoutInMinutes": 10,
"VpcConfig": {
"VpcId": {
"Ref": "CodeBuildVPC"
},
"Subnets": [
{
"Ref": "CodeBuildSubnet"
}
],
"SecurityGroupIds": [
{
"Ref": "CodeBuildSecurityGroup"
}
]
},
"Cache": {
"Type": "S3",
"Location": "mybucket/prefix"
}

}
},
"CodeBuildRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"codebuild.amazonaws.com"
]
}
}
],
"Version": "2012-10-17"
},
"Path": "/",
"Policies": [
{
"PolicyName": "CodeBuildAccess",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:*",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",

API Version 2010-05-15
726

AWS CloudFormation User Guide
AWS::CodeBuild::Project
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeDhcpOptions",
"ec2:DescribeVpcs",
"ec2:CreateNetworkInterfacePermission"

}

}

}

]

}

}

]

}

],
"Effect": "Allow",
"Resource": "*"

},
"CodeBuildVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsSupport": "true",
"EnableDnsHostnames": "true",
"Tags": [
{
"Key": "name",
"Value": "codebuild"
}
]
}
},
"CodeBuildSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "CodeBuildVPC"
},
"CidrBlock": "10.0.1.0/24"
}
},
"CodeBuildSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupName": "Codebuild Internet Group",
"GroupDescription": "CodeBuild SecurityGroup",
"VpcId": {
"Ref": "CodeBuildVPC"
}
}
}

YAML
Resources:
CodeBuildProject:
Type: AWS::CodeBuild::Project
Properties:
ServiceRole: !Ref CodeBuildRole
Artifacts:
Type: CODEPIPELINE
Environment:
Type: LINUX_CONTAINER
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/ubuntu-base:14.04

API Version 2010-05-15
727

AWS CloudFormation User Guide
AWS::CodeBuild::Project
EnvironmentVariables:
- Name: varName1
Value: varValue1
- Name: varName2
Value: varValue2
Type: PLAINTEXT
- Name: varName3
Value: /CodeBuild/testParameter
Type: PARAMETER_STORE
Source:
Type: CODEPIPELINE
TimeoutInMinutes: 10
VpcConfig:
VpcId: !Ref CodeBuildVPC
Subnets: [!Ref CodeBuildSubnet]
SecurityGroupIds: [!Ref CodeBuildSecurityGroup]
Cache:
Type: S3
Location: mybucket/prefix
CodeBuildRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: ['sts:AssumeRole']
Effect: Allow
Principal:
Service: [codebuild.amazonaws.com]
Version: '2012-10-17'
Path: /
Policies:
- PolicyName: CodeBuildAccess
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- 'logs:*'
- 'ec2:CreateNetworkInterface'
- 'ec2:DescribeNetworkInterfaces'
- 'ec2:DeleteNetworkInterface'
- 'ec2:DescribeSubnets'
- 'ec2:DescribeSecurityGroups'
- 'ec2:DescribeDhcpOptions'
- 'ec2:DescribeVpcs'
- 'ec2:CreateNetworkInterfacePermission'
Effect: Allow
Resource: '*'
CodeBuildVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsSupport: 'true'
EnableDnsHostnames: 'true'
Tags:
- Key: name
Value: codebuild
CodeBuildSubnet:
Type: AWS::EC2::Subnet
Properties:
VpcId:
Ref: CodeBuildVPC
CidrBlock: 10.0.1.0/24
CodeBuildSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: Codebuild Internet Group

API Version 2010-05-15
728

AWS CloudFormation User Guide
AWS::CodeCommit::Repository
GroupDescription: 'CodeBuild SecurityGroup'
VpcId: !Ref CodeBuildVPC

See Also
• CreateProject in the AWS CodeBuild API Reference

AWS::CodeCommit::Repository
The AWS::CodeCommit::Repository resource creates an AWS CodeCommit repository that is hosted
by Amazon Web Services. For more information, see Create an AWS CodeCommit Repository in the AWS
CodeCommit User Guide.
Topics
• Syntax (p. 729)
• Properties (p. 729)
• Return Values (p. 730)
• Example (p. 730)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CodeCommit::Repository",
"Properties" : {
"RepositoryDescription" : String,
"RepositoryName" : String,
"Triggers" : [ Trigger (p. 1738) ]
}

YAML
Type: AWS::CodeCommit::Repository
Properties:
RepositoryDescription: String
RepositoryName: String
Triggers:
- Trigger (p. 1738)

Properties
RepositoryDescription
A description about the AWS CodeCommit repository. For constraints, see the CreateRepository
action in the AWS CodeCommit API Reference.
Required: No
Type: String
API Version 2010-05-15
729

AWS CloudFormation User Guide
AWS::CodeCommit::Repository

Update requires: No interruption (p. 118)
RepositoryName
A name for the AWS CodeCommit repository.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Triggers
Deﬁnes the actions to take in response to events that occur in the repository. For example, you can
send email notiﬁcations when someone pushes to the repository.
Required: No
Type: List of AWS CodeCommit Repository Trigger (p. 1738)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the repository
ID, such as 12a345b6-bbb7-4bb6-90b0-8c9577a2d2b9.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon Resource Name (ARN) of the repository, such as arn:aws:codecommit:useast-1:123456789012:MyDemoRepo.
CloneUrlHttp
The URL to use for cloning the repository over HTTPS, such as https://codecommit.useast-1.amazonaws.com/v1/repos/MyDemoRepo.
CloneUrlSsh
The URL to use for cloning the repository over SSH, such as ssh://git-codecommit.useast-1.amazonaws.com/v1/repos//v1/repos/MyDemoRepo.
Name
The name of the repository, such MyDemoRepo.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example creates an AWS CodeCommit repository with a trigger for all events in the
Master branch.
API Version 2010-05-15
730

AWS CloudFormation User Guide
AWS::CodeDeploy::Application

JSON
"MyRepo" : {
"Type" : "AWS::CodeCommit::Repository",
"Properties" : {
"RepositoryName" : "MyRepoName",
"RepositoryDescription" : "a description",
"Triggers" : [
{
"Name" : "MasterTrigger",
"CustomData" : "Project ID 12345",
"DestinationArn" : { "Ref":"SNSarn" },
"Branches" : ["Master"],
"Events" : ["all"]
}
]
}
}

YAML
MyRepo:
Type: AWS::CodeCommit::Repository
Properties:
RepositoryName: MyRepoName
RepositoryDescription: a description
Triggers:
- Name: MasterTrigger
CustomData: Project ID 12345
DestinationArn:
Ref: SNSarn
Branches:
- Master
Events:
- all

AWS::CodeDeploy::Application
The AWS::CodeDeploy::Application resource creates an AWS CodeDeploy application. In
AWS CodeDeploy, an application is a name that functions as a container to ensure that the correct
combination of revision, deployment conﬁguration, and deployment group are referenced during a
deployment. You can use the AWS::CodeDeploy::DeploymentGroup resource to associate the
application with an AWS CodeDeploy deployment group. For more information, see AWS CodeDeploy
Deployments in the AWS CodeDeploy User Guide.
Topics
• Syntax (p. 731)
• Properties (p. 732)
• Return Value (p. 732)
• Examples (p. 732)
• Related Resources (p. 733)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
731

AWS CloudFormation User Guide
AWS::CodeDeploy::Application

JSON
{

}

"Type" : "AWS::CodeDeploy::Application",
"Properties" : {
"ApplicationName" : String,
"ComputePlatform" : String
}

YAML
Type: AWS::CodeDeploy::Application
Properties:
ApplicationName: String
ComputePlatform: String

Properties
ApplicationName
A name for the application. If you don't specify a name, AWS CloudFormation generates a
unique physical ID and uses that ID for the application name. For more information, see Name
Type (p. 2085).
Required: No
Type: String
Update requires: Updates are not supported.
ComputePlatform
The compute platform that AWS CodeDeploy deploys the application to. For valid values see
CreateApplication in the AWS CodeDeploy API Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When you pass the logical ID of an AWS::CodeDeploy::Application resource to the intrinsic Ref
function, the function returns the application name, such as myapplication-a123d0d1.
For more information about using the Ref function, see Ref (p. 2311).

Examples
The following example creates an AWS CodeDeploy application with a Lambda compute platform.

JSON
"CodeDeployApplication": {
"Type": "AWS::CodeDeploy::Application",

API Version 2010-05-15
732

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentConﬁg

}

"Properties": {
"ComputePlatform": "Lambda"
}

YAML
CodeDeployApplication:
Type: AWS::CodeDeploy::Application
Properties:
ComputePlatform: Lambda

The following example creates an AWS CodeDeploy application with a Server compute platform.

JSON
"CodeDeployApplication": {
"Type": "AWS::CodeDeploy::Application",
"Properties": {
"ComputePlatform": "Server"
}
}

YAML
CodeDeployApplication:
Type: AWS::CodeDeploy::Application
Properties:
ComputePlatform: Server

Related Resources
For conﬁguring your deployment and specifying your application revisions, see
AWS::CodeDeploy::DeploymentConﬁg (p. 733) and AWS::CodeDeploy::DeploymentGroup (p. 735).

AWS::CodeDeploy::DeploymentConﬁg
The AWS::CodeDeploy::DeploymentConfig resource creates a set of deployment rules, deployment
success conditions, and deployment failure conditions that AWS CodeDeploy uses during a deployment.
The deployment conﬁguration speciﬁes, through the use of a MinimumHealthyHosts value, the
number or percentage of instances that must remain available at any time during a deployment.
Topics
• Syntax (p. 733)
• Properties (p. 734)
• Return Value (p. 734)
• Example (p. 735)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
733

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentConﬁg

}

"Type" : "AWS::CodeDeploy::DeploymentConfig",
"Properties" : {
"DeploymentConfigName" : String,
"MinimumHealthyHosts" : MinimumHealthyHosts
}

YAML
Type: AWS::CodeDeploy::DeploymentConfig
Properties:
DeploymentConfigName: String
MinimumHealthyHosts:
MinimumHealthyHosts

Properties
DeploymentConfigName
A name for the deployment conﬁguration. If you don't specify a name, AWS CloudFormation
generates a unique physical ID and uses that ID for the deployment conﬁguration name. For more
information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
MinimumHealthyHosts
The minimum number of healthy instances that must be available at any time during an AWS
CodeDeploy deployment. For example, for a ﬂeet of nine instances, if you specify a minimum of
six healthy instances, AWS CodeDeploy deploys your application up to three instances at a time so
that you always have six healthy instances. The deployment succeeds if your application successfully
deploys to six or more instances; otherwise, the deployment fails.
For more information about instance health, see AWS CodeDeploy Instance Health in the AWS
CodeDeploy User Guide.
Required: Yes
Type: AWS CodeDeploy DeploymentConﬁg MinimumHealthyHosts (p. 1739)
Update requires: Replacement (p. 119)

Return Value
Ref
When you pass the logical ID of an AWS::CodeDeploy::DeploymentConfig resource to the intrinsic
Ref function, the function returns the deployment conﬁguration name, such as mydeploymentconfiga123d0d1.
API Version 2010-05-15
734

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup

For more information about using the Ref function, see Ref (p. 2311).

Example
The following example requires at least 75% of the ﬂeet to be healthy. For example, if you had a ﬂeet of
four instances, the deployment proceeds one instance at a time.

JSON
"TwentyFivePercentAtATime" : {
"Type" : "AWS::CodeDeploy::DeploymentConfig",
"Properties" : {
"MinimumHealthyHosts" : {
"Type" : "FLEET_PERCENT",
"Value" : "75"
}
}
}

YAML
TwentyFivePercentAtATime:
Type: AWS::CodeDeploy::DeploymentConfig
Properties:
MinimumHealthyHosts:
Type: "FLEET_PERCENT"
Value: 75

AWS::CodeDeploy::DeploymentGroup
The AWS::CodeDeploy::DeploymentGroup resource creates an AWS CodeDeploy deployment group
that speciﬁes which instances your application revisions are deployed to, along with other deployment
options. For more information, see CreateDeploymentGroup in the AWS CodeDeploy API Reference.
Topics
• Syntax (p. 735)
• Properties (p. 736)
• Return Value (p. 739)
• Examples (p. 739)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::CodeDeploy::DeploymentGroup",
"Properties" : {
"AlarmConfiguration" : AlarmConfiguration (p. 1740),
"ApplicationName" : String,
"AutoRollbackConfiguration" : AutoRollbackConfiguration (p. 1741),
"AutoScalingGroups" : [ String, ... ],
"Deployment" : Deployment (p. 1742),
"DeploymentConfigName" : String,

API Version 2010-05-15
735

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup

}

}

"DeploymentGroupName" : String,
"DeploymentStyle" : DeploymentStyle (p. 1743),
"Ec2TagFilters" : [ Ec2TagFilter, ... (p. 1751) ],
"LoadBalancerInfo" : LoadBalancerInfo (p. 1746),
"OnPremisesInstanceTagFilters" : [ OnPremisesInstanceTagFilter, ... (p. 1752) ],
"ServiceRoleArn" : String,
"TriggerConfigurations" : [ TriggerConfig, ... (p. 1753) ]

YAML
Type: AWS::CodeDeploy::DeploymentGroup
Properties:
AlarmConfiguration:
AlarmConfiguration (p. 1740)
ApplicationName: String
AutoRollbackConfiguration:
AutoRollbackConfiguration (p. 1741)
AutoScalingGroups:
- String
Deployment:
Deployment (p. 1742)
DeploymentConfigName: String
DeploymentGroupName: String
DeploymentStyle:
DeploymentStyle (p. 1743)
Ec2TagFilters:
- Ec2TagFilters (p. 1751)
LoadBalancerInfo:
LoadBalancerInfo (p. 1746)
OnPremisesInstanceTagFilters:
- OnPremisesInstanceTagFilters (p. 1752)
ServiceRoleArn: String
TriggerConfigurations:
- TriggerConfig (p. 1753)

Properties
AlarmConfiguration
Information about the Amazon CloudWatch alarms that are associated with the deployment group.
Required: No
Type: AWS CodeDeploy DeploymentGroup AlarmConﬁguration (p. 1740)
Update requires: No interruption (p. 118)
ApplicationName
The name of an existing AWS CodeDeploy application to associate this deployment group with.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
AutoRollbackConfiguration
Information about the automatic rollback conﬁguration that is associated with the deployment
group. If you specify this property, don't specify the Deployment property.
API Version 2010-05-15
736

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup

Required: No
Type: AWS CodeDeploy DeploymentGroup AutoRollbackConﬁguration (p. 1741)
Update requires: No interruption (p. 118)
AutoScalingGroups
A list of associated Auto Scaling groups that AWS CodeDeploy automatically deploys revisions to
when new instances are created. Duplicates are not allowed.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
Deployment
The application revision to deploy to this deployment group. If you specify this property, your target
application revision will be deployed as soon as the provisioning process is complete. If you specify
this property, don't specify the AutoRollbackConfiguration property.
Required: No
Type: AWS CodeDeploy DeploymentGroup Deployment (p. 1742)
Update requires: No interruption (p. 118)
DeploymentConfigName
A deployment conﬁguration name or a predeﬁned conﬁguration name. With predeﬁned
conﬁgurations, you can deploy application revisions to one instance at a time, half of the instances
at a time, or all the instances at once. For more information and valid values, see Working with
Deployment Conﬁgurations in the AWS CodeDeploy User Guide.
Required: No
Type: String
Update requires: No interruption (p. 118)
DeploymentGroupName
A name for the deployment group. If you don't specify a name, AWS CloudFormation generates
a unique physical ID and uses that ID for the deployment group name. For more information, see
Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
DeploymentStyle
Attributes that determine the type of deployment to run and whether to route deployment traﬃc
behind a load balancer.
If you specify this property with a blue/green deployment type, don't specify the
AutoScalingGroups, LoadBalancerInfo, or Deployment properties.
API Version 2010-05-15
737

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup

Note

For blue/green deployments, AWS CloudFormation supports deployments on AWS Lambda
compute platforms only.
Required: No
Type: AWS CodeDeploy DeploymentGroup DeploymentStyle (p. 1743)
Update requires: No interruption (p. 118)
Ec2TagFilters
The EC2 tags that are already applied to EC2 instances that you want to include in the deployment
group. AWS CodeDeploy includes all EC2 instances identiﬁed by any of the tags you specify in this
deployment group. Duplicates are not allowed.
Required: No
Type: List of AWS CodeDeploy DeploymentGroup Ec2TagFilters (p. 1751)
Update requires: No interruption (p. 118)
LoadBalancerInfo
Information about the load balancer used in the deployment. For more information, see Integrating
AWS CodeDeploy with Elastic Load Balancing in the AWS CodeDeploy User Guide.
Required: No
Type: AWS CodeDeploy DeploymentGroup LoadBalancerInfo (p. 1746)
Update requires: No interruption (p. 118)
OnPremisesInstanceTagFilters
The on-premises instance tags already applied to on-premises instances that you want to include in
the deployment group. AWS CodeDeploy includes all on-premises instances identiﬁed by any of the
tags you specify in this deployment group. To register on-premises instances with AWS CodeDeploy,
see Working with On-Premises Instances for AWS CodeDeploy in the AWS CodeDeploy User Guide.
Duplicates are not allowed.
Required: No
Type: List of AWS CodeDeploy DeploymentGroup OnPremisesInstanceTagFilters (p. 1752)
Update requires: No interruption (p. 118)
ServiceRoleArn
A service role Amazon Resource Name (ARN) that grants AWS CodeDeploy permission to make calls
to AWS services on your behalf. For more information, see Create a Service Role for AWS CodeDeploy
in the AWS CodeDeploy User Guide.

Note

In some cases, you might need to add a dependency on the service role's policy. For more
information, see IAM role policy in DependsOn Attribute (p. 2250).
Required: Yes
Type: String
Update requires: No interruption (p. 118)
TriggerConfigurations
Information about the notiﬁcation triggers for the deployment group. Duplicates are not allowed.
API Version 2010-05-15
738

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup

Required: No
Type: List of AWS CodeDeploy DeploymentGroup TriggerConﬁg (p. 1753)
Update requires: No interruption (p. 118)

Return Value
Ref
When you pass the logical ID of an AWS::CodeDeploy::DeploymentGroup resource to the intrinsic
Ref function, the function returns the deployment group name, such as mydeploymentgroupa123d0d1.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Revision in GitHub
The following example creates a deployment group that is associated with Auto Scaling groups and uses
an application revision that is stored in a GitHub repository. You specify the repository information as
input parameters.

JSON
"DeploymentGroup" : {
"Type" : "AWS::CodeDeploy::DeploymentGroup",
"Properties" : {
"ApplicationName" : {"Ref" : "ApplicationName"},
"AutoScalingGroups" : [ {"Ref" : "CodeDeployAutoScalingGroups" } ],
"Deployment" : {
"Description" : "A sample deployment",
"IgnoreApplicationStopFailures" : "true",
"Revision" : {
"RevisionType" : "GitHub",
"GitHubLocation" : {
"CommitId" : {"Ref" : "CommitId"},
"Repository" : {"Ref" : "Repository"}
}
}
},
"ServiceRoleArn" : {
"Fn::GetAtt" : [
"RoleArn",
"Arn"
]
}
}
}

YAML
DeploymentGroup:
Type: AWS::CodeDeploy::DeploymentGroup
Properties:
ApplicationName:
Ref: "ApplicationName"
AutoScalingGroups:

API Version 2010-05-15
739

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup
- Ref: CodeDeployAutoScalingGroups
Deployment:
Description: "A sample deployment"
IgnoreApplicationStopFailures: true
Revision:
RevisionType: GitHub
GitHubLocation:
CommitId:
Ref: CommitId
Repository:
Ref: Repository
ServiceRoleArn:
Fn::GetAtt: [ RoleArn, Arn ]

Associate EC2 Instances
The following example creates a deployment group that uses instance tags to associate EC2 instances
with the deployment group. The deployment group uses an application revision that is stored in an S3
bucket.

JSON
"DeploymentGroup" : {
"Type" : "AWS::CodeDeploy::DeploymentGroup",
"Properties" : {
"ApplicationName" : {"Ref" : "Application"},
"Deployment" : {
"Description" : "First time",
"IgnoreApplicationStopFailures" : "true",
"Revision" : {
"RevisionType" : "S3",
"S3Location" : {
"Bucket" : {"Ref" : "Bucket"},
"Key" : {"Ref" : "Key"},
"BundleType" : "Zip",
"ETag" : {"Ref" : "ETag"},
"Version" : {"Ref" : "Version"}
}
}
},
"Ec2TagFilters" : [{
"Key" : {"Ref" : "TagKey"},
"Value" : {"Ref" : "TagValue"},
"Type" : "KEY_AND_VALUE"
}],
"ServiceRoleArn" : {
"Fn::GetAtt" : [
"RoleArn",
"Arn"
]
}
}
}

YAML
DeploymentGroup:
Type: AWS::CodeDeploy::DeploymentGroup
Properties:
ApplicationName:
Ref: "Application"
Deployment:

API Version 2010-05-15
740

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup
Description: "First time"
IgnoreApplicationStopFailures: true
Revision:
RevisionType: S3
S3Location:
Bucket:
Ref: Bucket
Key:
Ref: Key
BundleType: Zip
ETag:
Ref: ETag
Version:
Ref: Version
Ec2TagFilters:
Key:
Ref: TagKey
Value:
Ref: TagValue
Type: "KEY_AND_VALUE"
ServiceRoleArn:
Fn::GetAtt: [ RoleArn, Arn ]

Alarm and Trigger
The following example conﬁgures a billing alarm and a notiﬁcation trigger for the deployment group.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"EC2TagKey0": {
"Type": "String",
"Default": "ec2TagKey0"
},
"EC2TagValue0": {
"Type": "String",
"Default": "ec2TagValue0"
},
"EC2TagKey1": {
"Type": "String",
"Default": "ec2TagKey1"
},
"EC2TagValue1": {
"Type": "String",
"Default": "ec2TagValue1"
},
"CodeDeployServiceRole": {
"Type": "String"
},
"DeploymentGroupName": {
"Type": "String"
}
},
"Resources": {
"myAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"Namespace": "AWS/Billing",
"MetricName": "EstimatedCharges",
"Statistic": "Maximum",
"Period": "21600",

API Version 2010-05-15
741

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup
"EvaluationPeriods": "1",
"Threshold": 1000,
"ComparisonOperator": "GreaterThanThreshold"

}
},
"mySNSTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {}
},
"Application": {
"Type": "AWS::CodeDeploy::Application"
},
"DeploymentConfig": {
"Type": "AWS::CodeDeploy::DeploymentConfig",
"Properties": {
"MinimumHealthyHosts": {
"Type": "FLEET_PERCENT",
"Value": "25"
}
}
},
"DeploymentGroup": {
"Type": "AWS::CodeDeploy::DeploymentGroup",
"Properties": {
"AlarmConfiguration": {
"Alarms": [
{
"Name": {
"Ref": "myAlarm"
}
}
]
},
"ApplicationName": {
"Ref": "Application"
},
"DeploymentConfigName": {
"Ref": "DeploymentConfig"
},
"DeploymentGroupName": {
"Ref": "DeploymentGroupName"
},
"Ec2TagFilters": [
{
"Key": {
"Ref": "EC2TagKey0"
},
"Value": {
"Ref": "EC2TagValue0"
},
"Type": "KEY_AND_VALUE"
},
{
"Key": {
"Ref": "EC2TagKey1"
},
"Type": "KEY_ONLY"
},
{
"Value": {
"Ref": "EC2TagValue1"
},
"Type": "VALUE_ONLY"
}
],
"ServiceRoleArn": {

API Version 2010-05-15
742

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup
"Fn::GetAtt": [
"CodeDeployServiceRole",
"Arn"
]

}

}

}

}

},
"TriggerConfigurations": [
{
"TriggerEvents": [
"DeploymentSuccess",
"DeploymentRollback"
],
"TriggerName": "MyTarget",
"TriggerTargetArn": {
"Ref": "mySNSTopic"
}
}
]

YAML
AWSTemplateFormatVersion: 2010-09-09
Parameters:
EC2TagKey0:
Type: String
Default: ec2TagKey0
EC2TagValue0:
Type: String
Default: ec2TagValue0
EC2TagKey1:
Type: String
Default: ec2TagKey1
EC2TagValue1:
Type: String
Default: ec2TagValue1
CodeDeployServiceRole:
Type: String
DeploymentGroupName:
Type: String
Resources:
myAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
Namespace: AWS/Billing
MetricName: EstimatedCharges
Statistic: Maximum
Period: '21600'
EvaluationPeriods: '1'
Threshold: 1000
ComparisonOperator: GreaterThanThreshold
mySNSTopic:
Type: AWS::SNS::Topic
Properties: {}
Application:
Type: AWS::CodeDeploy::Application
DeploymentConfig:
Type: AWS::CodeDeploy::DeploymentConfig
Properties:
MinimumHealthyHosts:
Type: FLEET_PERCENT
Value: '25'

API Version 2010-05-15
743

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup
DeploymentGroup:
Type: AWS::CodeDeploy::DeploymentGroup
Properties:
AlarmConfiguration:
Alarms:
- Name: !Ref myAlarm
ApplicationName: !Ref Application
DeploymentConfigName: !Ref DeploymentConfig
DeploymentGroupName: !Ref DeploymentGroupName
Ec2TagFilters:
- Key: !Ref EC2TagKey0
Value: !Ref EC2TagValue0
Type: KEY_AND_VALUE
- Key: !Ref EC2TagKey1
Type: KEY_ONLY
- Value: !Ref EC2TagValue1
Type: VALUE_ONLY
ServiceRoleArn: !GetAtt CodeDeployServiceRole.Arn
TriggerConfigurations:
- TriggerEvents:
- DeploymentSuccess
- DeploymentRollback
TriggerName: MyTarget
TriggerTargetArn: !Ref mySNSTopic

Automatic Rollback Conﬁguration
The following example conﬁgures automatic rollback for the deployment group.

JSON
{

"Parameters": {
"EC2TagKey0": {
"Type": "String",
"Default": "ec2TagKey0"
},
"EC2TagValue0": {
"Type": "String",
"Default": "ec2TagValue0"
},
"EC2TagKey1": {
"Type": "String",
"Default": "ec2TagKey1"
},
"EC2TagValue1": {
"Type": "String",
"Default": "ec2TagValue1"
},
"CodeDeployServiceRole": {
"Type": "String"
},
"DeploymentGroupName": {
"Type": "String"
}
},
"Resources": {
"myAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"Namespace": "AWS/Billing",
"MetricName": "EstimatedCharges",
"Statistic": "Maximum",
"Period": "21600",

API Version 2010-05-15
744

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup
"EvaluationPeriods": "1",
"Threshold": 1000,
"ComparisonOperator": "GreaterThanThreshold"

}
},
"mySNSTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {}
},
"Application": {
"Type": "AWS::CodeDeploy::Application"
},
"DeploymentConfig": {
"Type": "AWS::CodeDeploy::DeploymentConfig",
"Properties": {
"MinimumHealthyHosts": {
"Type": "FLEET_PERCENT",
"Value": "25"
}
}
},
"DeploymentGroup": {
"Type": "AWS::CodeDeploy::DeploymentGroup",
"Properties": {
"AlarmConfiguration": {
"Alarms": [
{
"Name": { "Ref": "myAlarm" }
}
]
},
"ApplicationName": {
"Ref": "Application"
},
"AutoRollbackConfiguration": {
"Enabled": "true",
"Events": [ "DEPLOYMENT_FAILURE" ]
},
"DeploymentConfigName": {
"Ref": "DeploymentConfig"
},
"DeploymentGroupName": {
"Ref": "DeploymentGroupName"
},
"Ec2TagFilters": [
{
"Key": {
"Ref": "EC2TagKey0"
},
"Value": {
"Ref": "EC2TagValue0"
},
"Type": "KEY_AND_VALUE"
},
{
"Key": {
"Ref": "EC2TagKey1"
},
"Type": "KEY_ONLY"
},
{
"Value": {
"Ref": "EC2TagValue1"
},
"Type": "VALUE_ONLY"
}

API Version 2010-05-15
745

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup

}

}

}

}

],
"ServiceRoleArn": {
"Fn::GetAtt": [
"CodeDeployServiceRole",
"Arn"
]
},
"TriggerConfigurations": [
{
"TriggerEvents": [ "DeploymentSuccess", "DeploymentRollback" ],
"TriggerName": "MyTarget",
"TriggerTargetArn": { "Ref": "mySNSTopic" }
}
]

YAML
Parameters:
EC2TagKey0:
Type: String
Default: ec2TagKey0
EC2TagValue0:
Type: String
Default: ec2TagValue0
EC2TagKey1:
Type: String
Default: ec2TagKey1
EC2TagValue1:
Type: String
Default: ec2TagValue1
CodeDeployServiceRole:
Type: String
DeploymentGroupName:
Type: String
Resources:
myAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
Namespace: AWS/Billing
MetricName: EstimatedCharges
Statistic: Maximum
Period: '21600'
EvaluationPeriods: '1'
Threshold: 1000
ComparisonOperator: GreaterThanThreshold
mySNSTopic:
Type: AWS::SNS::Topic
Properties: {}
Application:
Type: AWS::CodeDeploy::Application
DeploymentConfig:
Type: AWS::CodeDeploy::DeploymentConfig
Properties:
MinimumHealthyHosts:
Type: FLEET_PERCENT
Value: '25'
DeploymentGroup:
Type: AWS::CodeDeploy::DeploymentGroup
Properties:
AlarmConfiguration:

API Version 2010-05-15
746

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup
Alarms:
- Name: !Ref myAlarm
ApplicationName: !Ref Application
AutoRollbackConfiguration:
Enabled: 'true'
Events:
- DEPLOYMENT_FAILURE
DeploymentConfigName: !Ref DeploymentConfig
DeploymentGroupName: !Ref DeploymentGroupName
Ec2TagFilters:
- Key: !Ref EC2TagKey0
Value: !Ref EC2TagValue0
Type: KEY_AND_VALUE
- Key: !Ref EC2TagKey1
Type: KEY_ONLY
- Value: !Ref EC2TagValue1
Type: VALUE_ONLY
ServiceRoleArn: !GetAtt CodeDeployServiceRole.Arn
TriggerConfigurations:
- TriggerEvents:
- DeploymentSuccess
- DeploymentRollback
TriggerName: MyTarget
TriggerTargetArn: !Ref mySNSTopic

Load Balancer
The following example conﬁgures an Elastic Load Balancing load balancer for the deployment group.

JSON
{

"Parameters": {
"EC2TagKey0": {
"Type": "String",
"Default": "ec2TagKey0"
},
"EC2TagValue0": {
"Type": "String",
"Default": "ec2TagValue0"
},
"EC2TagKey1": {
"Type": "String",
"Default": "ec2TagKey1"
},
"EC2TagValue1": {
"Type": "String",
"Default": "ec2TagValue1"
},
"CodeDeployServiceRole": {
"Type": "String"
},
"DeploymentGroupName": {
"Type": "String"
},
"VpcCidr": {
"Type": "String"
},
"SubnetCidr": {
"Type": "String"
}
},
"Resources": {
"myVpc": {

API Version 2010-05-15
747

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": { "Ref": "VpcCidr" }
}

},
"mySubnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "myVpc" },
"CidrBlock" : { "Ref": "SubnetCidr" }
}
},
"InternetGateway" : {
"Type" : "AWS::EC2::InternetGateway"
},
"AttachGateway" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "myVpc" },
"InternetGatewayId" : { "Ref" : "InternetGateway" }
}
},
"myELB": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"Listeners": [{
"InstancePort": "8000",
"LoadBalancerPort": "80",
"Protocol": "HTTP"
}],
"Subnets": [ { "Ref" : "mySubnet" } ]
}
},
"mySNSTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {}
},
"Application": {
"Type": "AWS::CodeDeploy::Application"
},
"DeploymentConfig": {
"Type": "AWS::CodeDeploy::DeploymentConfig",
"Properties": {
"MinimumHealthyHosts": {
"Type": "FLEET_PERCENT",
"Value": "25"
}
}
},
"DeploymentGroup": {
"Type": "AWS::CodeDeploy::DeploymentGroup",
"Properties": {
"ApplicationName": {
"Ref": "Application"
},
"DeploymentConfigName": {
"Ref": "DeploymentConfig"
},
"DeploymentGroupName": {
"Ref": "DeploymentGroupName"
},
"Ec2TagFilters": [
{
"Key": {
"Ref": "EC2TagKey0"
},

API Version 2010-05-15
748

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup
"Value": {
"Ref": "EC2TagValue0"
},
"Type": "KEY_AND_VALUE"

},
{

"Key": {
"Ref": "EC2TagKey1"
},
"Type": "KEY_ONLY"

}

}

}

}
],
"LoadBalancerInfo": {
"ElbInfoList": [{
"Name": { "Ref" : "myELB" }
}]
},
"DeploymentStyle": {
"DeploymentOption": "WITH_TRAFFIC_CONTROL"
},
"ServiceRoleArn": {
"Fn::GetAtt": [
"CodeDeployServiceRole",
"Arn"
]
},
"TriggerConfigurations": [
{
"TriggerEvents": [ "DeploymentSuccess", "DeploymentFailure" ],
"TriggerName": "MyTarget",
"TriggerTargetArn": { "Ref": "mySNSTopic" }
}
]

},
"Outputs": {
"ELB": {
"Description": "ELB for DeploymentGroup",
"Value" : { "Ref" : "myELB" }
}
}

YAML
Parameters:
EC2TagKey0:
Type: String
Default: ec2TagKey0
EC2TagValue0:
Type: String
Default: ec2TagValue0
EC2TagKey1:
Type: String
Default: ec2TagKey1
EC2TagValue1:
Type: String
Default: ec2TagValue1
CodeDeployServiceRole:
Type: String
DeploymentGroupName:
Type: String
VpcCidr:

API Version 2010-05-15
749

AWS CloudFormation User Guide
AWS::CodeDeploy::DeploymentGroup
Type: String
SubnetCidr:
Type: String
Resources:
myVpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref VpcCidr
mySubnet:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref myVpc
CidrBlock: !Ref SubnetCidr
InternetGateway:
Type: AWS::EC2::InternetGateway
AttachGateway:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId: !Ref myVpc
InternetGatewayId: !Ref InternetGateway
myELB:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
Listeners:
- InstancePort: '8000'
LoadBalancerPort: '80'
Protocol: HTTP
Subnets:
- !Ref mySubnet
mySNSTopic:
Type: AWS::SNS::Topic
Properties: {}
Application:
Type: AWS::CodeDeploy::Application
DeploymentConfig:
Type: AWS::CodeDeploy::DeploymentConfig
Properties:
MinimumHealthyHosts:
Type: FLEET_PERCENT
Value: '25'
DeploymentGroup:
Type: AWS::CodeDeploy::DeploymentGroup
Properties:
ApplicationName: !Ref Application
DeploymentConfigName: !Ref DeploymentConfig
DeploymentGroupName: !Ref DeploymentGroupName
Ec2TagFilters:
- Key: !Ref EC2TagKey0
Value: !Ref EC2TagValue0
Type: KEY_AND_VALUE
- Key: !Ref EC2TagKey1
Type: KEY_ONLY
LoadBalancerInfo:
ElbInfoList:
- Name: !Ref myELB
DeploymentStyle:
DeploymentOption: WITH_TRAFFIC_CONTROL
ServiceRoleArn: !GetAtt CodeDeployServiceRole.Arn
TriggerConfigurations:
- TriggerEvents:
- DeploymentSuccess
- DeploymentFailure
TriggerName: MyTarget
TriggerTargetArn: !Ref mySNSTopic
Outputs:
ELB:

API Version 2010-05-15
750

AWS CloudFormation User Guide
AWS::CodePipeline::CustomActionType
Description: ELB for DeploymentGroup
Value: !Ref myELB

Target Group Info
The following example speciﬁes the target group to use in a deployment. Instances are registered as
targets in a target group, and traﬃc is routed to the target group.

JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"AppDeploymentGroup": {
"Type": "AWS::CodeDeploy::DeploymentGroup",
"Properties": {
"ApplicationName": "MyApp",
"DeploymentStyle": {
"DeploymentOption": "WITH_TRAFFIC_CONTROL"
},
"LoadBalancerInfo": {
"TargetGroupInfoList": [
{
"Name": { "Fn::GetAtt": ["MyTargetGroup", "TargetGroupName"] }
}
]
},
"ServiceRoleArn": "arn:aws:iam::12345678:role/CodeDeployServiceRole"
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
AppDeploymentGroup:
Type: AWS::CodeDeploy::DeploymentGroup
Properties:
ApplicationName: MyApp
DeploymentStyle:
DeploymentOption: WITH_TRAFFIC_CONTROL
LoadBalancerInfo:
TargetGroupInfoList:
- Name: !GetAtt MyTargetGroup.TargetGroupName
ServiceRoleArn: 'arn:aws:iam::12345678:role/CodeDeployServiceRole'

AWS::CodePipeline::CustomActionType
The AWS::CodePipeline::CustomActionType resource creates a custom action for activities that
aren't included in the AWS CodePipeline default actions, such as running an internally developed build
process or a test suite. You can use these custom actions in the stage of a pipeline (p. 755). For more
information, see Create and Add a Custom Action in AWS CodePipeline in the AWS CodePipeline User
Guide.
Topics
• Syntax (p. 752)
• Properties (p. 752)
API Version 2010-05-15
751

AWS CloudFormation User Guide
AWS::CodePipeline::CustomActionType

• Return Value (p. 753)
• Example (p. 754)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CodePipeline::CustomActionType",
"Properties" : {
"Category" : String,
"ConfigurationProperties" : [ ConfigurationProperties, ... ],
"InputArtifactDetails" : ArtifactDetails,
"OutputArtifactDetails" : ArtifactDetails,
"Provider" : String,
"Settings" : Settings,
"Version" : String
}

YAML
Type: AWS::CodePipeline::CustomActionType
Properties:
Category: String,
ConfigurationProperties:
- ConfigurationProperties
InputArtifactDetails:
ArtifactDetails
OutputArtifactDetails:
ArtifactDetails
Provider: String
Settings:
Settings
Version: String

Properties
Category
The category of the custom action, such as a source action or a build action. For valid values, see
CreateCustomActionType in the AWS CodePipeline API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ConfigurationProperties
The conﬁguration properties for the custom action.
Required: No
Type: List of AWS CodePipeline CustomActionType ConﬁgurationProperties (p. 1754)
API Version 2010-05-15
752

AWS CloudFormation User Guide
AWS::CodePipeline::CustomActionType

Update requires: Replacement (p. 119)
InputArtifactDetails
The input artifact details for this custom action.
Required: Yes
Type: AWS CodePipeline CustomActionType ArtifactDetails (p. 1754)
Update requires: Replacement (p. 119)
OutputArtifactDetails
The output artifact details for this custom action.
Required: Yes
Type: AWS CodePipeline CustomActionType ArtifactDetails (p. 1754)
Update requires: Replacement (p. 119)
Provider
The name of the service provider that AWS CodePipeline uses for this custom action.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Settings
URLs that provide users information about this custom action.
Required: No
Type: AWS CodePipeline CustomActionType Settings (p. 1756)
Update requires: Replacement (p. 119)
Version
The version number of this custom action. For length constraints, see the version parameter of the
CreateCustomActionType action in the AWS CodePipeline API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When you pass the logical ID of an AWS::CodePipeline::CustomActionType resource to
the intrinsic Ref function, the function returns the custom action name, such as custo-MyCusA1BCDEFGHIJ2.
API Version 2010-05-15
753

AWS CloudFormation User Guide
AWS::CodePipeline::CustomActionType

For more information about using the Ref function, see Ref (p. 2311).

Example
The following example is a custom build action that requires users to specify one property: a project
name.

JSON
"MyCustomActionType": {
"Type": "AWS::CodePipeline::CustomActionType",
"Properties": {
"Category": "Build",
"Provider": "My-Build-Provider-Name",
"Version": { "Ref" : "Version" },
"ConfigurationProperties": [
{
"Description": "The name of the build project must be provided when this action is
added to the pipeline.",
"Key": "true",
"Name": "MyProjectName",
"Queryable": "false",
"Required": "true",
"Secret": "false",
"Type": "String"
}
],
"InputArtifactDetails": {
"MaximumCount": "1",
"MinimumCount": "1"
},
"OutputArtifactDetails": {
"MaximumCount": { "Ref" : "MaximumCountForOutputArtifactDetails" },
"MinimumCount": "0"
},
"Settings": {
"EntityUrlTemplate": "https://my-build-instance/job/{Config:ProjectName}/",
"ExecutionUrlTemplate": "https://my-build-instance/job/{Config:ProjectName}/
lastSuccessfulBuild/{ExternalExecutionId}/"
}
}
}

YAML
MyCustomActionType:
Type: AWS::CodePipeline::CustomActionType
Properties:
Category: Build
Provider: "My-Build-Provider-Name"
Version:
Ref: Version
ConfigurationProperties:
Description: "The name of the build project must be provided when this action is
added to the pipeline."
Key: true
Name: MyProjectName
Queryable: false
Required: true
Secret: false
Type: String

API Version 2010-05-15
754

AWS CloudFormation User Guide
AWS::CodePipeline::Pipeline
InputArtifactDetails:
MaximumCount: 1
MinimumCount: 1
OutputArtifactDetails:
MaximumCount:
Ref: MaximumCountForOutputArtifactDetails
MinimumCount: 0
Settings:
EntityUrlTemplate: "https://my-build-instance/job/{Config:ProjectName}/"
ExecutionUrlTemplate: "https://my-build-instance/job/{Config:ProjectName}/
lastSuccessfulBuild/{ExternalExecutionId}/"

AWS::CodePipeline::Pipeline
The AWS::CodePipeline::Pipeline resource creates an AWS CodePipeline pipeline that
describes how software changes go through a release process. For more information, see What Is AWS
CodePipeline? in the AWS CodePipeline User Guide.
Topics
• Syntax (p. 755)
• Properties (p. 756)
• Return Value (p. 757)
• Example (p. 757)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CodePipeline::Pipeline",
"Properties" : {
"ArtifactStore" : ArtifactStore,
"DisableInboundStageTransitions" : [ DisableInboundStageTransitions, ... ],
"Name" : String,
"RestartExecutionOnUpdate" : Boolean,
"RoleArn" : String,
"Stages" : [ Stages, ... ]
}

YAML
Type: AWS::CodePipeline::Pipeline
Properties:
ArtifactStore:
ArtifactStore
DisableInboundStageTransitions:
- DisableInboundStageTransitions
Name: String
RestartExecutionOnUpdate: Boolean
RoleArn: String
Stages:
- Stages

API Version 2010-05-15
755

AWS CloudFormation User Guide
AWS::CodePipeline::Pipeline

Properties
ArtifactStore
The Amazon Simple Storage Service (Amazon S3) location where AWS CodePipeline stores pipeline
artifacts. For more information, see Create an Amazon S3 Bucket for Your Application in the AWS
CodePipeline User Guide.
Required: Yes
Type: AWS CodePipeline Pipeline ArtifactStore (p. 1757)
Update requires: No interruption (p. 118)
DisableInboundStageTransitions
Prevents artifacts in a pipeline from transitioning to the stage that you speciﬁed. This enables you to
manually control transitions.
Required: No
Type: List of AWS CodePipeline Pipeline DisableInboundStageTransitions (p. 1759)
Update requires: No interruption (p. 118)
Name
The name of your AWS CodePipeline pipeline.
Required: No
Type: String
Update requires: Replacement (p. 119)
RestartExecutionOnUpdate
Indicates whether to rerun the AWS CodePipeline pipeline after you update it.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
RoleArn
A service role Amazon Resource Name (ARN) that grants AWS CodePipeline permission to make calls
to AWS services on your behalf. For more information, see AWS CodePipeline Access Permissions
Reference in the AWS CodePipeline User Guide.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Stages
Deﬁnes the AWS CodePipeline pipeline stages.
Required: Yes
Type: AWS CodePipeline Pipeline Stages (p. 1759)
API Version 2010-05-15
756

AWS CloudFormation User Guide
AWS::CodePipeline::Pipeline

Update requires: No interruption (p. 118)

Return Value
Ref
When you pass the logical ID of an AWS::CodePipeline::Pipeline resource to the intrinsic Ref
function, the function returns the pipeline name, such as mysta-MyPipeline-A1BCDEFGHIJ2.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Version
The version of the pipeline.

Note

A new pipeline is always assigned a version number of 1. This number increments when a
pipeline is updated.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example creates a pipeline with a source, beta, and release stage. For the source stage,
AWS CodePipeline detects changes to the application that is stored in the S3 bucket and pulls them into
the pipeline. The beta stage deploys those changes to EC2 instances by using AWS CodeDeploy. For the
release stage, inbound transitions are disabled, which enables you to control when the changes are ready
to be deployed to release.

JSON
"AppPipeline": {
"Type": "AWS::CodePipeline::Pipeline",
"Properties": {
"RoleArn": { "Ref" : "CodePipelineServiceRole" },
"Stages": [
{
"Name": "Source",
"Actions": [
{
"Name": "SourceAction",
"ActionTypeId": {
"Category": "Source",
"Owner": "AWS",
"Version": "1",
"Provider": "S3"
},
"OutputArtifacts": [
{
"Name": "SourceOutput"
}
],
"Configuration": {
"S3Bucket": { "Ref" : "SourceS3Bucket" },

API Version 2010-05-15
757

AWS CloudFormation User Guide
AWS::CodePipeline::Pipeline

]

}

"S3ObjectKey": { "Ref" : "SourceS3ObjectKey" }
},
"RunOrder": 1

},
{

"Name": "Beta",
"Actions": [
{
"Name": "BetaAction",
"InputArtifacts": [
{
"Name": "SourceOutput"
}
],
"ActionTypeId": {
"Category": "Deploy",
"Owner": "AWS",
"Version": "1",
"Provider": "CodeDeploy"
},
"Configuration": {
"ApplicationName": {"Ref" : "ApplicationName"},
"DeploymentGroupName": {"Ref" : "DeploymentGroupName"}
},
"RunOrder": 1
}
]

},
{

"Name": "Release",
"Actions": [
{
"Name": "ReleaseAction",
"InputArtifacts": [
{
"Name": "SourceOutput"
}
],
"ActionTypeId": {
"Category": "Deploy",
"Owner": "AWS",
"Version": "1",
"Provider": "CodeDeploy"
},
"Configuration": {
"ApplicationName": {"Ref" : "ApplicationName"},
"DeploymentGroupName": {"Ref" : "DeploymentGroupName"}
},
"RunOrder": 1
}
]

}

}
],
"ArtifactStore": {
"Type": "S3",
"Location": { "Ref" : "ArtifactStoreS3Location" }
},
"DisableInboundStageTransitions": [
{
"StageName": "Release",
"Reason": "Disabling the transition until integration tests are completed"
}
]

API Version 2010-05-15
758

AWS CloudFormation User Guide
AWS::CodePipeline::Pipeline
}

YAML
AppPipeline:
Type: AWS::CodePipeline::Pipeline
Properties:
RoleArn:
Ref: CodePipelineServiceRole
Stages:
Name: Source
Actions:
Name: SourceAction
ActionTypeId:
Category: Source
Owner: AWS
Version: 1
Provider: S3
OutputArtifacts:
Name: SourceOutput
Configuration:
S3Bucket:
Ref: SourceS3Bucket
S3ObjectKey:
Ref: SourceS3ObjectKey
RunOrder: 1
Name: Beta
Actions:
Name: BetaAction
InputArtifacts:
Name: SourceOutput
ActionTypeId:
Category: Deploy
Owner: AWS
Version: 1
Provider: CodeDeploy
Configuration:
ApplicationName:
Ref: ApplicationName
DeploymentGroupName:
Ref: DeploymentGroupName
RunOrder: 1
Name: Release
Actions:
Name: ReleaseAction
InputArtifacts:
Name: SourceOutput
ActionTypeId:
Category: Deploy
Owner: AWS
Version: 1
Provider: CodeDeploy
Configuration:
ApplicationName:
Ref: ApplicationName

API Version 2010-05-15
759

AWS CloudFormation User Guide
AWS::CodePipeline::Webhook
DeploymentGroupName:
Ref: DeploymentGroupName
RunOrder: 1
ArtifactStore:
Type: S3
Location:
Ref: ArtifactStoreS3Location
DisableInboundStageTransitions:
StageName: Release
Reason: "Disabling the transition until integration tests are completed"

AWS::CodePipeline::Webhook
The AWS::CodePipeline::Webhook resource creates and registers your webhook. After the webhook
is created and registered, it triggers your pipeline to start every time an external event occurs. For more
information, see Conﬁgure Your GitHub Pipelines to Use Webhooks for Change Detection in the AWS
CodePipeline User Guide.
Topics
• Syntax (p. 760)
• Properties (p. 761)
• Return Values (p. 762)
• Example (p. 762)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::CodePipeline::Webhook",
"Properties" : {
"AuthenticationConfiguration" : WebhookAuthConfiguration (p. 1765),
"Filters" : [ WebhookFilterRule (p. 1765), ... ],
"Authentication" : String,
"TargetPipeline" : String,
"TargetAction" : String,
"Name" : String,
"TargetPipelineVersion" : Integer,
"RegisterWithThirdParty" : Boolean
}

YAML
Type: "AWS::CodePipeline::Webhook"
Properties:
AuthenticationConfiguration:
WebhookAuthConfiguration (p. 1765)
Filters:
- WebhookFilterRule (p. 1765)
Authentication: String
TargetPipeline: String
TargetAction: String
Name: String

API Version 2010-05-15
760

AWS CloudFormation User Guide
AWS::CodePipeline::Webhook
TargetPipelineVersion: Integer
RegisterWithThirdParty: Boolean

Properties
Authentication
The type of authentication scheme that allows the trigger request to be accepted. For more
information, see Webhook Deﬁnition in the AWS CodePipeline API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
AuthenticationConfiguration
Properties that conﬁgure the authentication applied to incoming webhook trigger requests. For
more information, see Webhook Deﬁnition in the AWS CodePipeline API Reference.
Required: Yes
Type: AWS CodePipeline Webhook WebhookAuthConﬁguration (p. 1765)
Update requires: No interruption (p. 118)
Filters
A list of rules applied to the body/payload sent in the POST request to a webhook URL. All deﬁned
rules must pass for the request to be accepted and the pipeline started.
Required: Yes
Type: List of AWS CodePipeline Webhook WebhookFilterRule (p. 1765) property types
Update requires: No interruption (p. 118)
Name
The name of the webhook to be created and, if applicable, to register with a supported third party.
Required: No
Type: String
Update requires: Replacement (p. 119)
RegisterWithThirdParty
Indicates whether to register the webhook with a third party. Third party registration conﬁgures
a connection between the webhook that was created and the external tool, such as GitHub, with
events to be detected.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
TargetAction
The name of the action in a pipeline you want to connect to the webhook. The action must be from
the source (ﬁrst) stage of the pipeline.
Required: Yes
API Version 2010-05-15
761

AWS CloudFormation User Guide
AWS::CodePipeline::Webhook

Type: String
Update requires: No interruption (p. 118)
TargetPipeline
The name of the pipeline you want to connect to the webhook.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
TargetPipelineVersion
The version number of the pipeline to be connected to the trigger request.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::CodePipeline::Webhook resource to the intrinsic Ref
function, the function returns the webhook name, such as MyFirstPipeline-SourceAction1Webhook-utb9LrOl24Kk.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Url
The webhook URL generated by AWS CodePipeline, such as https://eucentral-1.webhooks.aws/trigger123456.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example creates a webhook named MyWebhook and registers the webhook for the
pipeline's GitHub source repository. In this example, WebhookPipeline is the logical ID of the pipeline
to which you want to add the webhook.

JSON
{

"Webhook": {
"Type": "AWS: : CodePipeline: : Webhook",
"Properties": {
"AuthenticationConfiguration": {

API Version 2010-05-15
762

AWS CloudFormation User Guide
AWS::Cognito::IdentityPool

}

}

}

"SecretToken": "secret"
},
"Filters": [
{
"JsonPath": "$.ref",
"MatchEquals": "refs/heads/{Branch}"
}
],
"Authentication": "GITHUB_HMAC",
"TargetPipeline": { "Ref" : "WebhookPipeline" },
"TargetAction": "Source",
"Name": "MyWebhook",
"TargetPipelineVersion": { "Fn::GetAtt" : [ "WebhookPipeline", "Version" ] },
"RegisterWithThirdParty": "true"

YAML
Webhook:
Type: 'AWS: : CodePipeline: : Webhook'
Properties:
AuthenticationConfiguration:
SecretToken: secret
Filters:
- JsonPath: "$.ref"
MatchEquals: refs/heads/{Branch}
Authentication: GITHUB_HMAC
TargetPipeline: !Ref WebhookPipeline
TargetAction: Source
Name: MyWebhook
TargetPipelineVersion: !GetAtt WebhookPipeline.Version
RegisterWithThirdParty: 'true'

AWS::Cognito::IdentityPool
The AWS::Cognito::IdentityPool resource creates an Amazon Cognito identity pool.
Topics
• Syntax (p. 763)
• Properties (p. 764)
• Return Value (p. 766)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::Cognito::IdentityPool",
"Properties" : {
"IdentityPoolName" : String,
"AllowUnauthenticatedIdentities" : Boolean,
"DeveloperProviderName" : String,
"SupportedLoginProviders" : { String:String, ... },
"CognitoIdentityProviders" : [ CognitoIdentityProvider (p. 1770), ... ],

API Version 2010-05-15
763

AWS CloudFormation User Guide
AWS::Cognito::IdentityPool

}

}

"SamlProviderARNs" : [ String, ... ],
"OpenIdConnectProviderARNs" : [ String, ... ],
"CognitoStreams" : CognitoStreams,
"PushSync" : PushSync,
"CognitoEvents" : { String:String, ... }

YAML
Type: AWS::Cognito::IdentityPool
Properties:
IdentityPoolName: String
AllowUnauthenticatedIdentities: Boolean
DeveloperProviderName: String
SupportedLoginProviders:
String: String
CognitoIdentityProviders:
- CognitoIdentityProvider (p. 1770)
SamlProviderARNs:
- String
OpenIdConnectProviderARNs:
- String
CognitoStreams:
- CognitoStreams
PushSync:
- PushSync
CognitoEvents:
String: String

Properties
For more information about each property, including constraints and valid values, see CreateIdentityPool
in the Amazon Cognito Federated Identities API Reference.
IdentityPoolName
The name of your Amazon Cognito identity pool.
Required: No
Type: String
Update requires: No interruption (p. 118)
MinLength: 1
MaxLength: 128
AllowUnauthenticatedIdentities
Speciﬁes whether the identity pool supports unauthenticated logins.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
DeveloperProviderName
The "domain" by which Amazon Cognito will refer to your users. This name acts as a placeholder that
allows your backend and the Amazon Cognito service to communicate about the developer provider.
API Version 2010-05-15
764

AWS CloudFormation User Guide
AWS::Cognito::IdentityPool

For the DeveloperProviderName, you can use letters and periods (.), underscores (_), and dashes
(-).
Required: No
Type: String
Update requires: No interruption (p. 118)
MinLength: 1
MaxLength: 100
SupportedLoginProviders
Key-value pairs that map provider names to provider app IDs.
Required: No
Type: String to String map
Update requires: No interruption (p. 118)
CognitoIdentityProviders
An array of Amazon Cognito user pools and their client IDs.
Required: No
Type: An array of the section called “Amazon Cognito IdentityPool
CognitoIdentityProvider” (p. 1770).
Update requires: No interruption (p. 118)
SamlProviderARNs
A list of Amazon Resource Names (ARNs) of Security Assertion Markup Language (SAML) providers.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
OpenIdConnectProviderARNs
A list of ARNs for the OpendID Connect provider.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
CognitoStreams
Conﬁguration options for conﬁguring Amazon Cognito streams.
Required: No
Type: Amazon Cognito IdentityPool CognitoStreams (p. 1766)
Update requires: No interruption (p. 118)
PushSync
Conﬁguration options to be applied to the identity pool.
API Version 2010-05-15
765

AWS CloudFormation User Guide
AWS::Cognito::IdentityPoolRoleAttachment

Required: No
Type: Amazon Cognito IdentityPool PushSync (p. 1767)
Update requires: No interruption (p. 118)
CognitoEvents
The events to conﬁgure.
Required: No
Type: String to String map
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the
IdentityPoolId, such as us-east-2:0d01f4d7-1305-4408-b437-12345EXAMPLE.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Name
The name of the Amazon Cognito identity pool, returned as a string.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

AWS::Cognito::IdentityPoolRoleAttachment
The AWS::Cognito::IdentityPoolRoleAttachment resource manages the role conﬁguration for an
Amazon Cognito identity pool.
Topics
• Syntax (p. 766)
• Properties (p. 767)
• Return Value (p. 767)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::Cognito::IdentityPoolRoleAttachment",

API Version 2010-05-15
766

AWS CloudFormation User Guide
AWS::Cognito::IdentityPoolRoleAttachment

}

"Properties" : {
"IdentityPoolId" : String,
"RoleMappings" : String to RoleMapping object map,
"Roles" : { String:String, ... }
}

YAML
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: String
RoleMappings:
String to RoleMapping object map
Roles:
String:String

Properties
IdentityPoolId
An identity pool ID in the format REGION:GUID.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
RoleMappings
How users for a speciﬁc identity provider are to mapped to roles. This is a string to RoleMapping
object map. The string identiﬁes the identity provider, for example, "graph.facebook.com" or
"cognito-idp-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id"
Required: No
Type: String to Amazon Cognito IdentityPoolRoleAttachment RoleMapping (p. 1768) object map.
Update requires: No interruption (p. 118)
Roles
The map of roles associated with this pool. For a given role, the key will be either "authenticated" or
"unauthenticated" and the value will be the Role ARN.
Required: No
Type: String to string map
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns a generated ID,
such as IdentityPoolRoleAttachment-EXAMPLEwnOR3n.
API Version 2010-05-15
767

AWS CloudFormation User Guide
AWS::Cognito::UserPool

For more information about using the Ref function, see Ref (p. 2311).

AWS::Cognito::UserPool
The AWS::Cognito::UserPool resource creates an Amazon Cognito user pool. For more information
on working with Amazon Cognito user pools, see Amazon Cognito User Pools and CreateUserPool.
Topics
• Syntax (p. 768)
• Properties (p. 769)
• Return Value (p. 772)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Cognito::UserPool",
"Properties" : {
"AdminCreateUserConfig" : AdminCreateUserConfig,
"AliasAttributes" : [ String ],
"AutoVerifiedAttributes" : [ String ],
"DeviceConfiguration" : DeviceConfiguration,
"EmailConfiguration" : EmailConfiguration,
"EmailVerificationMessage" : String,
"EmailVerificationSubject" : String,
"LambdaConfig" : LambdaConfig,
"MfaConfiguration" : String,
"Policies" : Policies,
"Schema" : [ SchemaAttribute (p. 1779) ],
"SmsAuthenticationMessage" : String,
"SmsConfiguration" : SmsConfiguration,
"SmsVerificationMessage" : String,
"UsernameAttributes" : [ String ],
"UserPoolName" : String,
"UserPoolTags" : { String:String, ... }
}

YAML
Type: AWS::Cognito::UserPool
Properties:
AdminCreateUserConfig:
AdminCreateUserConfig
AliasAttributes:
- String
AutoVerifiedAttributes:
- String
DeviceConfiguration:
DeviceConfiguration
EmailConfiguration:
EmailConfiguration
EmailVerificationMessage: String
EmailVerificationSubject: String
LambdaConfig:

API Version 2010-05-15
768

AWS CloudFormation User Guide
AWS::Cognito::UserPool
LambdaConfig
MfaConfiguration: String
Policies:
Policies
Schema:
- SchemaAttribute (p. 1779)
SmsAuthenticationMessage: String
SmsConfiguration:
SmsConfiguration
SmsVerificationMessage: String
UsernameAttributes:
- String
UserPoolName: String
UserPoolTags:
String: String

Properties
AdminCreateUserConfig
The type of conﬁguration for creating a new user proﬁle.
Required: No
Type: Amazon Cognito UserPool AdminCreateUserConﬁg (p. 1772)
Update requires: No interruption (p. 118)
AliasAttributes
Attributes supported as an alias for this user pool. Possible values: phone_number, email, or
preferred_username.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
AutoVerifiedAttributes
The attributes to be auto-veriﬁed. Possible values: email or phone_number.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
DeviceConfiguration
The type of conﬁguration for the user pool's device tracking.
Required: No
Type: Amazon Cognito UserPool DeviceConﬁguration (p. 1773)
Update requires: No interruption (p. 118)
EmailConfiguration
The email conﬁguration.
Required: No
API Version 2010-05-15
769

AWS CloudFormation User Guide
AWS::Cognito::UserPool

Type: Amazon Cognito UserPool EmailConﬁguration (p. 1773)
Update requires: No interruption (p. 118)
EmailVerificationMessage
A string representing the email veriﬁcation message. Must contain {####} in the description.
Required: No
Type: String
Update requires: No interruption (p. 118)
EmailVerificationSubject
A string representing the email veriﬁcation subject.
Required: No
Type: String
Update requires: No interruption (p. 118)
LambdaConfig
The AWS Lambda trigger conﬁguration information for the Amazon Cognito user pool.
Required: No
Type: Amazon Cognito UserPool LambdaConﬁg (p. 1775)
Update requires: No interruption (p. 118)
MfaConfiguration
Speciﬁes multi-factor authentication (MFA) conﬁguration details. Can be one of the following values:
OFF - MFA tokens are not required and cannot be speciﬁed during user registration.
ON - MFA tokens are required for all user registrations. You can only specify required when you are
initially creating a user pool.
OPTIONAL - Users have the option when registering to create an MFA token.
Required: No
Type: String
Update requires: No interruption (p. 118)
Policies
The policies associated with the Amazon Cognito user pool.
Required: No
Type: Amazon Cognito UserPool Policies (p. 1778)
Update requires: No interruption (p. 118)
Schema
A list of schema attributes for the new user pool. These attributes can be standard or custom
attributes.
API Version 2010-05-15
770

AWS CloudFormation User Guide
AWS::Cognito::UserPool

Required: No
Type: List of SchemaAttribute (p. 1779)
Update requires: Replacement (p. 119)
SmsAuthenticationMessage
A string representing the SMS authentication message. Must contain {####} in the message.
Required: No
Type: String
Update requires: No interruption (p. 118)
SmsConfiguration
The Short Message Service (SMS) conﬁguration.
Required: No
Type: Amazon Cognito UserPool SmsConﬁguration (p. 1780)
Update requires: No interruption (p. 118)
SmsVerificationMessage
A string representing the SMS veriﬁcation message. Must contain {####} in the message.
Required: No
Type: String
Update requires: No interruption (p. 118)
UsernameAttributes
Speciﬁes whether email addresses or phone numbers can be speciﬁed as usernames when a user
signs up. Possible values: phone_number or email.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
UserPoolName
A string used to name the user pool.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
UserPoolTags
The cost allocation tags for the user pool. For more information, see Adding Cost Allocation Tags to
Your User Pool in the Amazon Cognito Developer Guide.
Required: No
Type: String to String map
API Version 2010-05-15
771

AWS CloudFormation User Guide
AWS::Cognito::UserPoolClient

Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns a generated ID,
such as us-east-2_zgaEXAMPLE.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
ProviderName
The provider name of the Amazon Cognito user pool, speciﬁed as a String.
ProviderURL
The URL of the provider of the Amazon Cognito user pool, speciﬁed as a String.
Arn
The Amazon Resource Name (ARN) of the user pool, such as arn:aws:cognito-idp:useast-2:123412341234:userpool/us-east-1 _123412341.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

AWS::Cognito::UserPoolClient
The AWS::Cognito::UserPoolClient resource creates an Amazon Cognito user pool client.
Topics
• Syntax (p. 772)
• Properties (p. 773)
• Return Value (p. 774)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::Cognito::UserPoolClient",
"Properties" : {
"ClientName" : String,
"ExplicitAuthFlows" : [ String, ... ],
"GenerateSecret" : Boolean,
"ReadAttributes" : [ String, ... ],
"RefreshTokenValidity" : Integer,
"UserPoolId" : String,
"WriteAttributes" : [ String, ... ]

API Version 2010-05-15
772

AWS CloudFormation User Guide
AWS::Cognito::UserPoolClient

}

}

YAML
Type: AWS::Cognito::UserPoolClient
Properties:
ClientName: String
ExplicitAuthFlows:
- String
GenerateSecret: Boolean
ReadAttributes:
- String
RefreshTokenValidity: Integer
UserPoolId: String
WriteAttributes:
- String

Properties
ClientName
The client name for the user pool client that you want to create.
Required: No
Type: String
Update requires: No interruption (p. 118)
MinLength: 1
MaxLength: 128
ExplicitAuthFlows
The explicit authentication ﬂows, which can be one of the following: ADMIN_NO_SRP_AUTH or
CUSTOM_AUTH_FLOW_ONLY.
Required: No
Type: List of Strings
Update requires: No interruption (p. 118)
GenerateSecret
Speciﬁes whether you want to generate a secret for the user pool client being created.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
ReadAttributes
The read attributes.
Required: No
Type: List of Strings
API Version 2010-05-15
773

AWS CloudFormation User Guide
AWS::Cognito::UserPoolGroup

Update requires: No interruption (p. 118)
RefreshTokenValidity
The time limit, in days, after which the refresh token is no longer valid.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
UserPoolId
The user pool ID for the user pool where you want to create a client.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
WriteAttributes
The write attributes.
Required: No
Type: List of Strings
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the Amazon
Cognito user pool client ID, such as 1h57kf5cpq17m0eml12EXAMPLE.
For more information about using the Ref function, see Ref (p. 2311).

AWS::Cognito::UserPoolGroup
The AWS::Cognito::UserPoolGroup resource creates a user group in an Amazon Cognito user pool.
Topics
• Syntax (p. 774)
• Properties (p. 775)
• Return Value (p. 776)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::Cognito::UserPoolGroup",

API Version 2010-05-15
774

AWS CloudFormation User Guide
AWS::Cognito::UserPoolGroup

}

"Properties" : {
"Description" : String,
"GroupName" : String,
"Precedence" : Number,
"RoleArn" : String,
"UserPoolId" : String
}

YAML
Type: AWS::Cognito::UserPoolGroup
Properties:
Description: String
GroupName: String
Precedence: Number
RoleArn: String
UserPoolId: String

Properties
Description
A description of the user group.
Required: No
Type: String
Update requires: No interruption (p. 118)
MaxLength: 2048
GroupName
The name of the user group. GroupName must be unique.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Precedence
A nonnegative integer value that speciﬁes the precedence of this group relative to the other groups
that a user can belong to in the user pool. Zero is the highest Precedence value. Groups with lower
Precedence values take precedence over groups with higher or null Precedence values. If a user
belongs to two or more groups, the role ARN of the group with the lowest precedence value is used
in the cognito:roles and cognito:preferred_role claims in the user's tokens.
Two groups can have the same Precedence value. If this happens, neither group takes precedence
over the other. If two groups with the same Precedence value have the same role ARN, that role is
used in the cognito:preferred_role claim in tokens for users in each group. If the two groups
have diﬀerent role ARNs, the cognito:preferred_role claim is not set in users' tokens.
The default Precedence value is null.
Required: No
Type: Number
API Version 2010-05-15
775

AWS CloudFormation User Guide
AWS::Cognito::UserPoolUser

Update requires: No interruption (p. 118)
RoleArn
The role ARN for the group.
Required: No
Type: String
Update requires: No interruption (p. 118)
UserPoolId
The user pool ID.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the name of the
user pool group. For example, Admins.
For more information about using the Ref function, see Ref (p. 2311).

AWS::Cognito::UserPoolUser
The AWS::Cognito::UserPoolUser resource creates an Amazon Cognito user pool user.
Topics
• Syntax (p. 776)
• Properties (p. 777)
• Return Value (p. 778)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::Cognito::UserPoolUser",
"Properties" : {
"DesiredDeliveryMediums" : [ String, ... ],
"ForceAliasCreation" : Boolean,
"UserAttributes" : [ AttributeType, ... ],
"MessageAction" : String,
"Username" : String,
"UserPoolId" : String,
"ValidationData" : [ AttributeType, ...]
}

API Version 2010-05-15
776

AWS CloudFormation User Guide
AWS::Cognito::UserPoolUser
}

YAML
Type: AWS::Cognito::UserPoolUser
Properties:
DesiredDeliveryMediums:
- String
ForceAliasCreation: Boolean
UserAttributes:
- AttributeType
MessageAction: String
Username: String
UserPoolId: String
ValidationData:
- AttributeType

Properties
DesiredDeliveryMediums
Speciﬁes how the welcome message will be sent. For email, specify EMAIL. To use a phone number,
specify SMS. You can specify more than one value. The default value is SMS.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
ForceAliasCreation
Use this parameter only if the phone_number_verified attribute or the email_verified
attribute is set to True. Otherwise, it is ignored. The default value is False.
If this parameter is set to True and the phone number or email address speciﬁed in the
UserAttributes parameter already exists as an alias with a diﬀerent user, the API call migrates the
alias from the previous user to the newly created user. The previous user can no longer log in using
that alias.
If this parameter is set to False and the alias already exists, the API throws an
AliasExistsException error.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
UserAttributes
A list of name-value pairs that contain user attributes and attribute values to be set for the user
that you are creating. You can create a user without specifying any attributes other than Username.
However, any attributes that you specify as required (in CreateUserPool or in the Attributes tab
of the console) must be supplied either by you (in your call to AdminCreateUser) or by the user
(when signing up in response to your welcome message).
Required: No
Type: List of Amazon Cognito UserPoolUser AttributeType (p. 1782)
API Version 2010-05-15
777

AWS CloudFormation User Guide
AWS::Cognito::UserPoolUser

Update requires: Replacement (p. 119)
MessageAction
Speciﬁes the action you'd like to take for the message. Valid values are RESEND and SUPPRESS.
To resend the invitation message to a user that already exists and reset the expiration limit on the
user's account, set this parameter to RESEND. To suppress sending the message, set it to SUPPRESS.
You can specify only one value.
Required: No
Type: String
Update requires: Replacement (p. 119)
Username
The user name for the user. Username must be unique within the user pool. It must be a UTF-8
string between 1 and 128 characters. You can't change the username.
Required: No
Type: String
Update requires: Replacement (p. 119)
UserPoolId
The ID for the user pool where the user will be created.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ValidationData
The user's validation data. This is a list of name-value pairs that contain user attributes and attribute
values that you can use for custom validation, such as restricting the types of user accounts that can
be registered. For example, you might choose to allow or disallow user sign-up based on the user's
domain.
To conﬁgure custom validation, you must create a Pre Sign-up Lambda trigger for the user pool.
The Lambda trigger receives the validation data and uses it in the validation process. For more
information, see Customizing User Pool Workﬂows by Using AWS Lambda Triggers in the Amazon
Cognito Developer Guide.
Required: No
Type: List of Amazon Cognito UserPoolUser AttributeType (p. 1782)
Update requires: Replacement (p. 119)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the name of the
user. For example, admin.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
778

AWS CloudFormation User Guide
AWS::Cognito::UserPoolUserToGroupAttachment

AWS::Cognito::UserPoolUserToGroupAttachment
The AWS::Cognito::UserPoolUserToGroupAttachment resource attaches a user to an Amazon
Cognito user pool user group.
Topics
• Syntax (p. 779)
• Properties (p. 779)
• Return Value (p. 780)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Cognito::UserPoolUserToGroupAttachment",
"Properties" : {
"GroupName" : String,
"Username" : String,
"UserPoolId" : String
}

YAML
Type: AWS::Cognito::UserPoolUserToGroupAttachment
Properties:
GroupName: String
Username: String
UserPoolId: String

Properties
GroupName
The name of the group.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Username
The user's user name.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
UserPoolId
The ID of the user pool.
API Version 2010-05-15
779

AWS CloudFormation User Guide
AWS::Conﬁg::AggregationAuthorization

Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns a generated ID,
such as UserToGroupAttachment-YejJvzrEXAMPLE.
For more information about using the Ref function, see Ref (p. 2311).

AWS::Conﬁg::AggregationAuthorization
The AWS::Config::AggregationAuthorization resource to grant permission to an aggregator
account to collect your AWS Conﬁg data.
Topics
• Syntax (p. 780)
• Properties (p. 780)
• Return Values (p. 781)
• Examples (p. 781)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Config::AggregationAuthorization",
"Properties" : {
"AuthorizedAccountId" : String,
"AuthorizedAwsRegion" : String
}

YAML
Type: "AWS::Config::AggregationAuthorization"
Properties:
AuthorizedAccountId: String
AuthorizedAwsRegion: String

Properties
AuthorizedAccountId
The 12 digit account ID of the account authorized to aggregate data.
Required: Yes
API Version 2010-05-15
780

AWS CloudFormation User Guide
AWS::Conﬁg::AggregationAuthorization

Type: String
Update requires: Replacement (p. 119)
AuthorizedAwsRegion
The region authorized to collect aggregated data.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ARN of the
AggregationAuthorization, for example:
arn:aws:config:us-east-1:123456789012:aggregation-authorization/987654321012/us-west-2

For more information about using the Ref function, see Ref (p. 2311).

Examples
AggregationAuthorization
The following example creates an AggregationAuthorization that authorizes another account to
aggregate your AWS Conﬁg data into a speciﬁc region.

JSON
"AggregationAuthorization": {
"Type": "AWS::Config::AggregationAuthorization",
"Properties": {
"AuthorizedAccountId": 123456789012,
"AuthorizedAwsRegion": "us-west-2"
}
}

YAML
AggregationAuthorization:
Type: "AWS::Config::AggregationAuthorization"
Properties:
AuthorizedAccountId: 123456789012
AuthorizedAwsRegion: us-west-2

The following example enables AWS Conﬁg, creates an AWS Conﬁg rule, an aggregator, and an
authorization.

JSON
{

API Version 2010-05-15
781

AWS CloudFormation User Guide
AWS::Conﬁg::AggregationAuthorization
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Enable AWS Config",
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {
"default": "Configuration Recorder Configuration"
},
"Parameters": [
"GlobalResourceTypesRegion"
]
},
{
"Label": {
"default": "Configuration Aggregator Configuration"
},
"Parameters": [
"AggregatorAccount",
"AggregatorRegion",
"SourceAccounts",
"SourceRegions"
]
}
],
"ParameterLabels": {
"GlobalResourceTypesRegion": {
"default": "Global resource types region"
},
"AggregatorAccount": {
"default": "Aggregator account"
},
"AggregatorRegion": {
"default": "Aggregator account"
},
"SourceAccounts": {
"default": "Source accounts"
},
"SourceRegions": {
"default": "Source regions"
}
}
}
},
"Parameters": {
"GlobalResourceTypesRegion": {
"Type": "String",
"Default": "us-east-1",
"Description": "AWS region used to record global resources types"
},
"AggregatorAccount": {
"Type": "String",
"Description": "Account ID of the aggregator"
},
"AggregatorRegion": {
"Type": "String",
"Default": "us-east-1",
"Description": "AWS region of the aggregator"
},
"SourceAccounts": {
"Type": "CommaDelimitedList",
"Description": "List of source accounts to aggregate"
},
"SourceRegions": {
"Type": "CommaDelimitedList",
"Description": "List of regions to aggregate"

API Version 2010-05-15
782

AWS CloudFormation User Guide
AWS::Conﬁg::AggregationAuthorization
}
},
"Conditions": {
"IncludeGlobalResourceTypes": {
"Fn::Equals": [
{
"Ref": "GlobalResourceTypesRegion"
},
{
"Ref": "AWS::Region"
}
]
},
"CreateAggregator": {
"Fn::And": [
{
"Fn::Equals": [
{
"Ref": "AggregatorAccount"
},
{
"Ref": "AWS::AccountId"
}
]
},
{
"Fn::Equals": [
{
"Ref": "AggregatorRegion"
},
{
"Ref": "AWS::Region"
}
]
}
]
},
"CreateAuthorization": {
"Fn::Not": [
{
"Fn::Equals": [
{
"Ref": "AggregatorAccount"
},
{
"Ref": "AWS::AccountId"
}
]
}
]
}
},
"Resources": {
"ConfigBucket": {
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket"
},
"ConfigBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "ConfigBucket"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [

API Version 2010-05-15
783

AWS CloudFormation User Guide
AWS::Conﬁg::AggregationAuthorization
{

},
{

${AWS::AccountId}/*"

}

}

]

}

"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": [
{
"Fn::Sub": "arn:aws:s3:::${ConfigBucket}"
}
]
"Sid": "AWSConfigBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com"
]
},
"Action": "s3:PutObject",
"Resource": [
{
"Fn::Sub": "arn:aws:s3:::${ConfigBucket}/AWSLogs/
]

}

},
"ConfigRecorderRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSConfigRole"
]
}
},
"ConfigRecorder": {
"Type": "AWS::Config::ConfigurationRecorder",
"DependsOn": [
"ConfigRecorderRole",
"ConfigBucketPolicy"
],

API Version 2010-05-15
784

AWS CloudFormation User Guide
AWS::Conﬁg::AggregationAuthorization
"Properties": {
"RoleARN": {
"Fn::GetAtt": [
"ConfigRecorderRole",
"Arn"
]
},
"RecordingGroup": {
"AllSupported": true,
"IncludeGlobalResourceTypes": {
"Fn::If": [
"IncludeGlobalResourceTypes",
true,
false
]
}
}
}

},
"DeliveryChannel": {
"Type": "AWS::Config::DeliveryChannel",
"DependsOn": [
"ConfigBucketPolicy"
],
"Properties": {
"Name": "default",
"S3BucketName": {
"Ref": "ConfigBucket"
}
}
},
"S3BucketPublicReadRule": {
"Type": "AWS::Config::ConfigRule",
"DependsOn": [
"ConfigRecorder"
],
"Properties": {
"ConfigRuleName": "stackset-s3-bucket-public-read-prohibited",
"Description": "s3-bucket-public-read-prohibited from stackset",
"Scope": {
"ComplianceResourceTypes": [
"AWS::S3::Bucket"
]
},
"Source": {
"Owner": "AWS",
"SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
}
}
},
"ConfigAggregator": {
"Type": "AWS::Config::ConfigurationAggregator",
"Condition": "CreateAggregator",
"Properties": {
"Name": "default",
"AccountAggregationSources": [
{
"AccountIds": {
"Ref": "SourceAccounts"
},
"AwsRegions": {
"Ref": "SourceRegions"
}
}
]
}

API Version 2010-05-15
785

AWS CloudFormation User Guide
AWS::Conﬁg::AggregationAuthorization

}

}

},
"AggregationAuthorization": {
"Type": "AWS::Config::AggregationAuthorization",
"Condition": "CreateAuthorization",
"Properties": {
"AuthorizedAccountId": {
"Ref": "AggregatorAccount"
},
"AuthorizedAwsRegion": {
"Ref": "AggregatorRegion"
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: Enable AWS Config
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Configuration Recorder Configuration
Parameters:
- GlobalResourceTypesRegion
- Label:
default: Configuration Aggregator Configuration
Parameters:
- AggregatorAccount
- AggregatorRegion
- SourceAccounts
- SourceRegions
ParameterLabels:
GlobalResourceTypesRegion:
default: Global resource types region
AggregatorAccount:
default: Aggregator account
AggregatorRegion:
default: Aggregator account
SourceAccounts:
default: Source accounts
SourceRegions:
default: Source regions
Parameters:
GlobalResourceTypesRegion:
Type: String
Default: us-east-1
Description: AWS region used to record global resources types
AggregatorAccount:
Type: String
Description: Account ID of the aggregator
AggregatorRegion:
Type: String
Default: us-east-1
Description: AWS region of the aggregator
SourceAccounts:
Type: CommaDelimitedList
Description: List of source accounts to aggregate
SourceRegions:
Type: CommaDelimitedList

API Version 2010-05-15
786

AWS CloudFormation User Guide
AWS::Conﬁg::AggregationAuthorization
Description: List of regions to aggregate
Conditions:
IncludeGlobalResourceTypes: !Equals
- !Ref GlobalResourceTypesRegion
- !Ref AWS::Region
CreateAggregator: !And
- !Equals
- !Ref AggregatorAccount
- !Ref AWS::AccountId
- !Equals
- !Ref AggregatorRegion
- !Ref AWS::Region
CreateAuthorization: !Not
- !Equals
- !Ref AggregatorAccount
- !Ref AWS::AccountId
Resources:
ConfigBucket:
DeletionPolicy: Retain
Type: AWS::S3::Bucket
ConfigBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref ConfigBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AWSConfigBucketPermissionsCheck
Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action: s3:GetBucketAcl
Resource:
- !Sub "arn:aws:s3:::${ConfigBucket}"
- Sid: AWSConfigBucketDelivery
Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action: s3:PutObject
Resource:
- !Sub "arn:aws:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"
ConfigRecorderRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSConfigRole
ConfigRecorder:
Type: AWS::Config::ConfigurationRecorder

API Version 2010-05-15
787

AWS CloudFormation User Guide
AWS::Conﬁg::ConﬁgRule
DependsOn:
- ConfigRecorderRole
- ConfigBucketPolicy
Properties:
RoleARN: !GetAtt ConfigRecorderRole.Arn
RecordingGroup:
AllSupported: True
IncludeGlobalResourceTypes: !If
- IncludeGlobalResourceTypes
- True
- False
DeliveryChannel:
Type: AWS::Config::DeliveryChannel
DependsOn:
- ConfigBucketPolicy
Properties:
Name: default
S3BucketName: !Ref ConfigBucket
S3BucketPublicReadRule:
Type: AWS::Config::ConfigRule
DependsOn:
- ConfigRecorder
Properties:
ConfigRuleName: stackset-s3-bucket-public-read-prohibited
Description: s3-bucket-public-read-prohibited from stackset
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
ConfigAggregator:
Type: AWS::Config::ConfigurationAggregator
Condition: CreateAggregator
Properties:
Name: default
AccountAggregationSources:
- AccountIds: !Ref SourceAccounts
AwsRegions: !Ref SourceRegions
AggregationAuthorization:
Type: AWS::Config::AggregationAuthorization
Condition: CreateAuthorization
Properties:
AuthorizedAccountId: !Ref AggregatorAccount
AuthorizedAwsRegion: !Ref AggregatorRegion

AWS::Conﬁg::ConﬁgRule
The AWS::Config::ConfigRule resource uses an AWS Lambda (Lambda) function that evaluates
conﬁguration items to assess whether your AWS resources comply with your speciﬁed conﬁgurations.
This function can run when AWS Conﬁg detects a conﬁguration change or delivers a conﬁguration
snapshot. The resources this function evaluates must be in the recording group. For more information,
see Evaluating AWS Resource Conﬁgurations with AWS Conﬁg in the AWS Conﬁg Developer Guide.
Topics
• Syntax (p. 789)
• Properties (p. 789)
• Return Values (p. 790)
API Version 2010-05-15
788

AWS CloudFormation User Guide
AWS::Conﬁg::ConﬁgRule

• Examples (p. 791)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Config::ConfigRule",
"Properties" : {
"ConfigRuleName" : String,
"Description" : String,
"InputParameters" : { ParameterName : Value },
"MaximumExecutionFrequency" : String,
"Scope" : Scope,
"Source" : Source
}

YAML
Type: AWS::Config::ConfigRule
Properties:
ConfigRuleName: String
Description: String
InputParameters:
ParameterName : Value
MaximumExecutionFrequency: String
Scope:
Scope
Source:
Source

Properties
ConfigRuleName
A name for the AWS Conﬁg rule. If you don't specify a name, AWS CloudFormation generates
a unique physical ID and uses that ID for the rule name. For more information, see Name
Type (p. 2085).
Required: No
Type: String
Update requires: Replacement (p. 119)
Description
A description about this AWS Conﬁg rule.
Required: No
Type: String
Update requires: No interruption (p. 118)
InputParameters
Input parameter values that are passed to the AWS Conﬁg rule (Lambda function).
API Version 2010-05-15
789

AWS CloudFormation User Guide
AWS::Conﬁg::ConﬁgRule

Required: No
Type: JSON object
Update requires: No interruption (p. 118)
MaximumExecutionFrequency
The maximum frequency at which the AWS Conﬁg rule runs evaluations. For valid values, see the
ConﬁgRule data type in the AWS Conﬁg API Reference.
If the rule runs an evaluation when AWS Conﬁg delivers a conﬁguration snapshot, the rule cannot
run more frequently than the snapshot delivery frequency. Set an execution frequency value that
is equal to or greater than the value of the snapshot delivery frequency, which is a property the
AWS::Conﬁg::DeliveryChannel (p. 799) resource.
Required: No
Type: String
Update requires: No interruption (p. 118)
Scope
Deﬁnes which AWS resources will trigger an evaluation when their conﬁgurations change. The scope
can include one or more resource types, a combination of a tag key and value, or a combination of
one resource type and one resource ID. Specify a scope to constrain the resources that are evaluated.
If you don't specify a scope, the rule evaluates all resources in the recording group.
Required: No
Type: AWS Conﬁg ConﬁgRule Scope (p. 1783)
Update requires: No interruption (p. 118)
Source
Speciﬁes the rule owner, the rule identiﬁer, and the events that cause the function to evaluate your
AWS resources.
Required: Yes
Type: AWS Conﬁg ConﬁgRule Source (p. 1784)
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::Config::ConfigRule resource to the intrinsic Ref function,
the function returns the rule name, such as mystack-MyConfigRule-12ABCFPXHV4OV.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
API Version 2010-05-15
790

AWS CloudFormation User Guide
AWS::Conﬁg::ConﬁgRule

Arn
The Amazon Resource Name (ARN) of the AWS Conﬁg rule, such as arn:aws:config:useast-1:123456789012:config-rule/config-rule-a1bzhi.
ConfigRuleId
The ID of the AWS Conﬁg rule, such as config-rule-a1bzhi.
Compliance.Type
The compliance status of an AWS Conﬁg rule, such as COMPLIANT or NON_COMPLIANT.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
The following example uses an AWS managed rule that checks whether EC2 volumes resource types have
a CostCenter tag.

JSON
"ConfigRuleForVolumeTags": {
"Type": "AWS::Config::ConfigRule",
"Properties": {
"InputParameters": {"tag1Key": "CostCenter"},
"Scope": {
"ComplianceResourceTypes": ["AWS::EC2::Volume"]
},
"Source": {
"Owner": "AWS",
"SourceIdentifier": "REQUIRED_TAGS"
}
}
}

YAML
ConfigRuleForVolumeTags:
Type: AWS::Config::ConfigRule
Properties:
InputParameters:
tag1Key: CostCenter
Scope:
ComplianceResourceTypes:
- "AWS::EC2::Volume"
Source:
Owner: AWS
SourceIdentifier: "REQUIRED_TAGS"

Rule Using Lambda Function
The following example creates a custom conﬁguration rule that uses a Lambda function. The function
checks whether an EC2 volume has the AutoEnableIO property set to true. Note that the conﬁguration
rule has a dependency on the Lambda policy so that the rule calls the function only after it's permitted
to do so.

JSON
"ConfigPermissionToCallLambda": {

API Version 2010-05-15
791

AWS CloudFormation User Guide
AWS::Conﬁg::ConﬁgRule
"Type": "AWS::Lambda::Permission",
"Properties": {
"FunctionName": {"Fn::GetAtt": ["VolumeAutoEnableIOComplianceCheck", "Arn"]},
"Action": "lambda:InvokeFunction",
"Principal": "config.amazonaws.com"
}

},
"VolumeAutoEnableIOComplianceCheck": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"ZipFile": {"Fn::Join": ["\n", [
"var aws = require('aws-sdk');",
"var config = new aws.ConfigService();",
"var ec2 = new aws.EC2();",

"exports.handler = function(event, context) {",
"
compliance = evaluateCompliance(event, function(compliance, event) {",
"
var configurationItem =
JSON.parse(event.invokingEvent).configurationItem;",
"
var putEvaluationsRequest = {",
"
Evaluations: [{",
"
ComplianceResourceType: configurationItem.resourceType,",
"
ComplianceResourceId: configurationItem.resourceId,",
"
ComplianceType: compliance,",
"
OrderingTimestamp:
configurationItem.configurationItemCaptureTime",
"
}],",
"
ResultToken: event.resultToken",
"
};",
"
config.putEvaluations(putEvaluationsRequest, function(err, data) {",
"
if (err) context.fail(err);",
"
else context.succeed(data);",
"
});",
"
});",
"};",
"function evaluateCompliance(event, doReturn) {",
"
var configurationItem = JSON.parse(event.invokingEvent).configurationItem;",
"
var status = configurationItem.configurationItemStatus;",
"
if (configurationItem.resourceType !== 'AWS::EC2::Volume' ||
event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered'))",
"
doReturn('NOT_APPLICABLE', event);",
"
else ec2.describeVolumeAttribute({VolumeId: configurationItem.resourceId,
Attribute: 'autoEnableIO'}, function(err, data) {",
"
if (err) context.fail(err);",
"
else if (data.AutoEnableIO.Value) doReturn('COMPLIANT', event);",
"
else doReturn('NON_COMPLIANT', event);",
"
});",
"}"
]]}
},
"Handler": "index.handler",
"Runtime": "nodejs4.3",
"Timeout": "30",
"Role": {"Fn::GetAtt": ["LambdaExecutionRole", "Arn"]}
}
},
"ConfigRuleForVolumeAutoEnableIO": {
"Type": "AWS::Config::ConfigRule",
"Properties": {
"ConfigRuleName": "ConfigRuleForVolumeAutoEnableIO",
"Scope": {
"ComplianceResourceId": {"Ref": "Ec2Volume"},

API Version 2010-05-15
792

AWS CloudFormation User Guide
AWS::Conﬁg::ConﬁgRule
"ComplianceResourceTypes": ["AWS::EC2::Volume"]
},
"Source": {
"Owner": "CUSTOM_LAMBDA",
"SourceDetails": [{
"EventSource": "aws.config",
"MessageType": "ConfigurationItemChangeNotification"
}],
"SourceIdentifier": {"Fn::GetAtt": ["VolumeAutoEnableIOComplianceCheck", "Arn"]}
}

}

},
"DependsOn": "ConfigPermissionToCallLambda"

YAML
ConfigPermissionToCallLambda:
Type: AWS::Lambda::Permission
Properties:
FunctionName:
Fn::GetAtt:
- VolumeAutoEnableIOComplianceCheck
- Arn
Action: "lambda:InvokeFunction"
Principal: "config.amazonaws.com"
VolumeAutoEnableIOComplianceCheck:
Type: AWS::Lambda::Function
Properties:
Code:
ZipFile:
!Sub |
var aws = require('aws-sdk');
var config = new aws.ConfigService();
var ec2 = new aws.EC2();
exports.handler = function(event, context) {
compliance = evaluateCompliance(event, function(compliance, event) {
var configurationItem =
JSON.parse(event.invokingEvent).configurationItem;
var putEvaluationsRequest = {
Evaluations: [{
ComplianceResourceType: configurationItem.resourceType,
ComplianceResourceId: configurationItem.resourceId,
ComplianceType: compliance,
OrderingTimestamp:
configurationItem.configurationItemCaptureTime
}],
ResultToken: event.resultToken
};
config.putEvaluations(putEvaluationsRequest, function(err, data) {
if (err) context.fail(err);
else context.succeed(data);
});
});
};
function evaluateCompliance(event, doReturn) {
var configurationItem = JSON.parse(event.invokingEvent).configurationItem;
var status = configurationItem.configurationItemStatus;
if (configurationItem.resourceType !== 'AWS::EC2::Volume' ||
event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered'))
doReturn('NOT_APPLICABLE', event);
else ec2.describeVolumeAttribute({VolumeId: configurationItem.resourceId,
Attribute: 'autoEnableIO'}, function(err, data) {
if (err) context.fail(err);
else if (data.AutoEnableIO.Value) doReturn('COMPLIANT', event);

API Version 2010-05-15
793

AWS CloudFormation User Guide
AWS::Conﬁg::ConﬁgurationAggregator

});

else doReturn('NON_COMPLIANT', event);

}
Handler: "index.handler"
Runtime: nodejs4.3
Timeout: 30
Role:
Fn::GetAtt:
- LambdaExecutionRole
- Arn
ConfigRuleForVolumeAutoEnableIO:
Type: AWS::Config::ConfigRule
Properties:
ConfigRuleName: ConfigRuleForVolumeAutoEnableIO
Scope:
ComplianceResourceId:
Ref: Ec2Volume
ComplianceResourceTypes:
- "AWS::EC2::Volume"
Source:
Owner: "CUSTOM_LAMBDA"
SourceDetails:
EventSource: "aws.config"
MessageType: "ConfigurationItemChangeNotification"
SourceIdentifier:
Fn::GetAtt:
- VolumeAutoEnableIOComplianceCheck
- Arn
DependsOn: ConfigPermissionToCallLambda

AWS::Conﬁg::ConﬁgurationAggregator
The AWS::Config::ConfigurationAggregator resource is an AWS Conﬁg resource type that
collects AWS Conﬁg data from multiple accounts and regions. Use an aggregator to view the resource
conﬁguration and compliance data recorded in AWS Conﬁg for multiple accounts and regions.
Topics
• Syntax (p. 794)
• Properties (p. 795)
• Return Values (p. 795)
• Examples (p. 795)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Config::ConfigurationAggregator",
"Properties" : {
"AccountAggregationSources" : [ AccountAggregationSource (p. 1786), ... ],
"OrganizationAggregationSource" : OrganizationAggregationSource (p. 1787),
"ConfigurationAggregatorName" : String
}

API Version 2010-05-15
794

AWS CloudFormation User Guide
AWS::Conﬁg::ConﬁgurationAggregator

YAML
Type: "AWS::Config::ConfigurationAggregator"
Properties:
AccountAggregationSources:
- AccountAggregationSource (p. 1786)
OrganizationAggregationSource:
OrganizationAggregationSource (p. 1787)
ConfigurationAggregatorName: String

Properties
AccountAggregationSources
A collection of accounts and regions.
Required: No
Type: List of AWS Conﬁg ConﬁgurationAggregator AccountAggregationSource (p. 1786) property
types
Update requires: No interruption (p. 118)
OrganizationAggregationSource
A collection of regions and IAM role to retrieve AWS Organizations details.
Required: No
Type: AWS Conﬁg ConﬁgurationAggregator OrganizationAggregationSource (p. 1787)
Update requires: No interruption (p. 118)
ConfigurationAggregatorName
The name of the conﬁguration aggregator.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::Config::ConfigurationAggregator resource
to the intrinsic Ref function, the function returns the ConﬁgurationAggregatorName, such as
myConfigurationAggregator.
For more information about using the Ref function, see Ref (p. 2311).

Examples
ConﬁgurationAggregator with multiple accounts and multiple regions.
The following example creates a ConﬁgurationAggregator
API Version 2010-05-15
795

AWS CloudFormation User Guide
AWS::Conﬁg::ConﬁgurationAggregator

JSON
"ConfigurationAggregator": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"AccountAggregationSources": [
{
"AccountIds": [
"123456789012",
"987654321012"
],
"AwsRegions": [
"us-west-2",
"us-east-1"
],
"AllAwsRegions": false
}
],
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
}

YAML
ConfigurationAggregator:
Type: "AWS::Config::ConfigurationAggregator"
Properties:
AccountAggregationSources:
- AccountIds:
- "123456789012"
- "987654321012"
AwsRegions:
- "us-west-2"
- "us-east-1"
AllAwsRegions: false
ConfigurationAggregatorName: MyConfigurationAggregator

ConﬁgurationAggregator for organization.
The following example creates a ConﬁgurationAggregator for an organization.

JSON
"ConfigurationAggregator": {
"Type": "AWS::Config::ConfigurationAggregator",
"Properties": {
"OrganizationAggregationSource": {
"RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/
organizations.amazonaws.com/AWSServiceRoleForOrganizations",
"AwsRegions": [
"us-west-2",
"us-east-1"
],
"AllAwsRegions": false
}
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
}

YAML
ConfigurationAggregator:

API Version 2010-05-15
796

AWS CloudFormation User Guide
AWS::Conﬁg::ConﬁgurationRecorder
Type: "AWS::Config::ConfigurationAggregator"
Properties:
OrganizationAggregationSource:
RoleArn: "arn:aws:iam::012345678912:role/aws-service-role/
organizations.amazonaws.com/AWSServiceRoleForOrganizations"
AwsRegions:
- "us-west-2"
- "us-east-1"
AllAwsRegions: false
ConfigurationAggregatorName: MyConfigurationAggregator

AWS::Conﬁg::ConﬁgurationRecorder
The AWS::Config::ConfigurationRecorder resource describes the AWS resource types for which
AWS Conﬁg records conﬁguration changes. The conﬁguration recorder stores the conﬁgurations of the
supported resources in your account as conﬁguration items.

Note

To enable AWS Conﬁg, you must create a conﬁguration recorder and a delivery channel. AWS
Conﬁg uses the delivery channel to deliver the conﬁguration changes to your Amazon S3 bucket
or Amazon SNS topic. For more information, see AWS::Conﬁg::DeliveryChannel (p. 799).
AWS CloudFormation starts the recorder as soon as the delivery channel is available. To stop the
recorder, delete the conﬁguration recorder from your stack.
For more information, see Conﬁguration Recorder in the AWS Conﬁg Developer Guide.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Config::ConfigurationRecorder",
"Properties" : {
"Name" : String,
"RecordingGroup" : Recording group,
"RoleARN" : String
}

YAML
Type: AWS::Config::ConfigurationRecorder
Properties:
Name: String
RecordingGroup:
Recording group
RoleARN: String

Properties
Name
A name for the conﬁguration recorder. If you don't specify a name, AWS CloudFormation generates
a unique physical ID and uses that ID for the conﬁguration recorder name. For more information, see
Name Type (p. 2085).
API Version 2010-05-15
797

AWS CloudFormation User Guide
AWS::Conﬁg::ConﬁgurationRecorder

Note

After you create a conﬁguration recorder, you cannot rename it. If you don't want a name
that AWS CloudFormation generates, specify a value for this property.
Required: No
Type: String
Update requires: Updates are not supported.
RecordingGroup
Indicates whether to record conﬁgurations for all supported resources or for a list of resource types.
The resource types that you list must be supported by AWS Conﬁg.
Required: No
Type: AWS Conﬁg ConﬁgurationRecorder RecordingGroup (p. 1788)
Update requires: No interruption (p. 118)
RoleARN
The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role
that is used to make read or write requests to the delivery channel that you specify and to get
conﬁguration details for supported AWS resources. For more information, see Permissions for the
IAM Role Assigned to AWS Conﬁg in the AWS Conﬁg Developer Guide.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::Config::ConfigurationRecorder resource to the intrinsic
Ref function, the function returns the conﬁguration recorder name, such as default.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a conﬁguration recorder for EC2 volumes.

JSON
"ConfigRecorder": {
"Type": "AWS::Config::ConfigurationRecorder",
"Properties": {
"Name": "default",
"RecordingGroup": {
"ResourceTypes": ["AWS::EC2::Volume"]
},
"RoleARN": {"Fn::GetAtt": ["ConfigRole", "Arn"]}
}
}

API Version 2010-05-15
798

AWS CloudFormation User Guide
AWS::Conﬁg::DeliveryChannel

YAML
ConfigRecorder:
Type: AWS::Config::ConfigurationRecorder
Properties:
Name: default
RecordingGroup:
ResourceTypes:
- "AWS::EC2::Volume"
RoleARN:
Fn::GetAtt:
- ConfigRole
- Arn

AWS::Conﬁg::DeliveryChannel
The AWS::Config::DeliveryChannel resource describes where AWS Conﬁg sends notiﬁcations and
updated conﬁguration states for AWS resources.
When you create the delivery channel, you can specify the following:
• How often AWS Conﬁg delivers conﬁguration snapshots to your Amazon S3 bucket (for example, 24
hours)
• The S3 bucket to which AWS Conﬁg sends conﬁguration snapshots and conﬁguration history ﬁles
• The Amazon SNS topic to which AWS Conﬁg sends notiﬁcations about conﬁguration changes, such
as updated resources, AWS Conﬁg rule evaluations, and when AWS Conﬁg delivers the conﬁguration
snapshot to your S3 bucket.
For more information, see Deliver Conﬁguration Items in the AWS Conﬁg Developer Guide.

Note

To enable AWS Conﬁg, you must create a conﬁguration recorder and a delivery
channel. If you want to create the resources separately, you must create a conﬁguration
recorder before you can create a delivery channel. AWS Conﬁg uses the conﬁguration
recorder to capture conﬁguration changes to your resources. For more information, see
AWS::Conﬁg::ConﬁgurationRecorder (p. 797).
For more information, see Managing the Delivery Channel in the AWS Conﬁg Developer Guide.
Topics
• Syntax (p. 799)
• Properties (p. 800)
• Return Values (p. 801)
• Example (p. 801)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::Config::DeliveryChannel",
"Properties" : {
"ConfigSnapshotDeliveryProperties" : Config snapshot delivery properties,

API Version 2010-05-15
799

AWS CloudFormation User Guide
AWS::Conﬁg::DeliveryChannel

}

}

"Name" : String,
"S3BucketName" : String,
"S3KeyPrefix" : String,
"SnsTopicARN" : String

YAML
Type: AWS::Config::DeliveryChannel
Properties:
ConfigSnapshotDeliveryProperties:
Config snapshot delivery properties
Name: String
S3BucketName: String
S3KeyPrefix: String
SnsTopicARN: String

Properties
ConfigSnapshotDeliveryProperties
Provides options for how AWS Conﬁg delivers conﬁguration snapshots to the S3 bucket in your
delivery channel.
Required: No
Type: AWS Conﬁg DeliveryChannel ConﬁgSnapshotDeliveryProperties (p. 1789)
Update requires: No interruption (p. 118)
Name
A name for the delivery channel. If you don't specify a name, AWS CloudFormation generates a
unique physical ID and uses that ID for the delivery channel name. For more information, see Name
Type (p. 2085).
Required: No
Type: String
Update requires: Updates are not supported. To change the name, you must run two separate
updates. In the ﬁrst update, delete this resource, and then recreate it with a new name in the second
update.
S3BucketName
The name of an S3 bucket where you want to store conﬁguration history for the delivery channel.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
S3KeyPrefix
A key preﬁx (folder) for the speciﬁed S3 bucket.
Required: No
Type: String
API Version 2010-05-15
800

AWS CloudFormation User Guide
AWS::DataPipeline::Pipeline

Update requires: No interruption (p. 118)
SnsTopicARN
The Amazon Resource Name (ARN) of the Amazon Simple Notiﬁcation Service (Amazon SNS) topic
that AWS Conﬁg delivers notiﬁcations to.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::Config::DeliveryChannel resource to the intrinsic Ref
function, the function returns the delivery channel name, such as default.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a delivery channel that sends notiﬁcations to the speciﬁed Amazon SNS
topic. The delivery channel also sends conﬁguration changes and snapshots to the speciﬁed S3 bucket.

JSON
"DeliveryChannel": {
"Type": "AWS::Config::DeliveryChannel",
"Properties": {
"ConfigSnapshotDeliveryProperties": {
"DeliveryFrequency": "Six_Hours"
},
"S3BucketName": {"Ref": "ConfigBucket"},
"SnsTopicARN": {"Ref": "ConfigTopic"}
}
}

YAML
DeliveryChannel:
Type: AWS::Config::DeliveryChannel
Properties:
ConfigSnapshotDeliveryProperties:
DeliveryFrequency: "Six_Hours"
S3BucketName:
Ref: ConfigBucket
SnsTopicARN:
Ref: ConfigTopic

AWS::DataPipeline::Pipeline
Creates a data pipeline that you can use to automate the movement and transformation of data. In
each pipeline, you deﬁne pipeline objects, such as activities, schedules, data nodes, and resources. For
information about pipeline objects and components that you can use, see Pipeline Object Reference in
the AWS Data Pipeline Developer Guide.
API Version 2010-05-15
801

AWS CloudFormation User Guide
AWS::DataPipeline::Pipeline

Topics
• Syntax (p. 802)
• Properties (p. 802)
• Return Values (p. 804)
• Example (p. 804)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::DataPipeline::Pipeline",
"Properties" : {
"Activate" : Boolean,
"Description" : String,
"Name" : String,
"ParameterObjects" : [ Parameter object, ... ],
"ParameterValues" : [ Parameter value, ... ],
"PipelineObjects" : [ Pipeline object, ... ],
"PipelineTags" : [ Pipeline tag, ... ]
}

YAML
Type: AWS::DataPipeline::Pipeline
Properties:
Activate: Boolean
Description: String
Name: String
ParameterObjects:
- Parameter object
ParameterValues:
- Parameter value
PipelineObjects:
- Pipeline object
PipelineTags:
- Pipeline tag

Properties
Activate
Indicates whether to validate and start the pipeline or stop an active pipeline. By default, the value is
set to true.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Description
A description for the pipeline.
API Version 2010-05-15
802

AWS CloudFormation User Guide
AWS::DataPipeline::Pipeline

Required: No
Type: String
Update requires: Replacement (p. 119).
Name
A name for the pipeline. Because AWS CloudFormation assigns each new pipeline a unique identiﬁer,
you can use the same name for multiple pipelines that are associated with your AWS account.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ParameterObjects
Deﬁnes the variables that are in the pipeline deﬁnition. For more information, see Creating a
Pipeline Using Parameterized Templates in the AWS Data Pipeline Developer Guide.
Required: No
Type: AWS Data Pipeline Pipeline ParameterObjects (p. 1790)
Update requires: No interruption (p. 118)
ParameterValues
Deﬁnes the values for the parameters that are deﬁned in the ParameterObjects property. For
more information, see Creating a Pipeline Using Parameterized Templates in the AWS Data Pipeline
Developer Guide.
Required: No
Type: AWS Data Pipeline Pipeline ParameterValues (p. 1791)
Update requires: No interruption (p. 118)
PipelineObjects
A list of pipeline objects that make up the pipeline. For more information about pipeline objects and
a description of each object, see Pipeline Object Reference in the AWS Data Pipeline Developer Guide.
Required: Yes
Type: A list of AWS Data Pipeline PipelineObject (p. 1792)
Update requires: Some interruptions (p. 119). Not all objects, ﬁelds, and values can be updated.
Restrictions on what can be updated are documented in Editing Your Pipelines in the AWS Data
Pipeline Developer Guide.
PipelineTags
A list of arbitrary tags (key-value pairs) to associate with the pipeline, which you can use to control
permissions. For more information, see Controlling Access to Pipelines and Resources in the AWS
Data Pipeline Developer Guide.
Required: No
Type: AWS Data Pipeline Pipeline PipelineTags (p. 1795)
Update requires: No interruption (p. 118)
API Version 2010-05-15
803

AWS CloudFormation User Guide
AWS::DataPipeline::Pipeline

Return Values
Ref
When you specify an AWS::DataPipeline::Pipeline resource as an argument to the Ref function,
AWS CloudFormation returns the pipeline ID.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following data pipeline backs up data from an Amazon DynamoDB (DynamoDB) table to an Amazon
Simple Storage Service (Amazon S3) bucket. The pipeline uses the HiveCopyActivity activity to
copy the data, and runs it once a day. The roles for the pipeline and the pipeline resource are declared
elsewhere in the same template.

JSON
"DynamoDBInputS3OutputHive": {
"Type": "AWS::DataPipeline::Pipeline",
"Properties": {
"Name": "DynamoDBInputS3OutputHive",
"Description": "Pipeline to backup DynamoDB data to S3",
"Activate": "true",
"ParameterObjects": [
{
"Id": "myDDBReadThroughputRatio",
"Attributes": [
{
"Key": "description",
"StringValue": "DynamoDB read throughput ratio"
},
{
"Key": "type",
"StringValue": "Double"
},
{
"Key": "default",
"StringValue": "0.2"
}
]
},
{
"Id": "myOutputS3Loc",
"Attributes": [
{
"Key": "description",
"StringValue": "S3 output bucket"
},
{
"Key": "type",
"StringValue": "AWS::S3::ObjectKey"
},
{
"Key": "default",
"StringValue": { "Fn::Join" : [ "", [ "s3://", { "Ref": "S3OutputLoc" } ] ] }
}
]
},
{
"Id": "myDDBTableName",
"Attributes": [

API Version 2010-05-15
804

AWS CloudFormation User Guide
AWS::DataPipeline::Pipeline
{

"Key": "description",
"StringValue": "DynamoDB Table Name "

},
{

]

}

"Key": "type",
"StringValue": "String"

}
],
"ParameterValues": [
{
"Id": "myDDBTableName",
"StringValue": { "Ref": "TableName" }
}
],
"PipelineObjects": [
{
"Id": "S3BackupLocation",
"Name": "Copy data to this S3 location",
"Fields": [
{
"Key": "type",
"StringValue": "S3DataNode"
},
{
"Key": "dataFormat",
"RefValue": "DDBExportFormat"
},
{
"Key": "directoryPath",
"StringValue": "#{myOutputS3Loc}/#{format(@scheduledStartTime, 'YYYY-MM-dd-HHmm-ss')}"
}
]
},
{
"Id": "DDBSourceTable",
"Name": "DDBSourceTable",
"Fields": [
{
"Key": "tableName",
"StringValue": "#{myDDBTableName}"
},
{
"Key": "type",
"StringValue": "DynamoDBDataNode"
},
{
"Key": "dataFormat",
"RefValue": "DDBExportFormat"
},
{
"Key": "readThroughputPercent",
"StringValue": "#{myDDBReadThroughputRatio}"
}
]
},
{
"Id": "DDBExportFormat",
"Name": "DDBExportFormat",
"Fields": [
{
"Key": "type",
"StringValue": "DynamoDBExportDataFormat"

API Version 2010-05-15
805

AWS CloudFormation User Guide
AWS::DataPipeline::Pipeline

]

}

},
{

"Id": "TableBackupActivity",
"Name": "TableBackupActivity",
"Fields": [
{
"Key": "resizeClusterBeforeRunning",
"StringValue": "true"
},
{
"Key": "type",
"StringValue": "HiveCopyActivity"
},
{
"Key": "input",
"RefValue": "DDBSourceTable"
},
{
"Key": "runsOn",
"RefValue": "EmrClusterForBackup"
},
{
"Key": "output",
"RefValue": "S3BackupLocation"
}
]

},
{

"Id": "DefaultSchedule",
"Name": "RunOnce",
"Fields": [
{
"Key": "occurrences",
"StringValue": "1"
},
{
"Key": "startAt",
"StringValue": "FIRST_ACTIVATION_DATE_TIME"
},
{
"Key": "type",
"StringValue": "Default"
},
{
"Key": "period",
"StringValue": "1 Day"
}
]

},
{

"Id": "Default",
"Name": "Default",
"Fields": [
{
"Key": "type",
"StringValue": "Default"
},
{
"Key": "scheduleType",
"StringValue": "cron"
},
{
"Key": "failureAndRerunMode",
"StringValue": "CASCADE"

API Version 2010-05-15
806

AWS CloudFormation User Guide
AWS::DataPipeline::Pipeline
},
{

"Key": "role",
"StringValue": "DataPipelineDefaultRole"

},
{

"Key": "resourceRole",
"StringValue": "DataPipelineDefaultResourceRole"

},
{

]

}

"Key": "schedule",
"RefValue": "DefaultSchedule"

},
{

}

}

]

}

"Id": "EmrClusterForBackup",
"Name": "EmrClusterForBackup",
"Fields": [
{
"Key": "terminateAfter",
"StringValue": "2 Hours"
},
{
"Key": "amiVersion",
"StringValue": "3.3.2"
},
{
"Key": "masterInstanceType",
"StringValue": "m1.medium"
},
{
"Key": "coreInstanceType",
"StringValue": "m1.medium"
},
{
"Key": "coreInstanceCount",
"StringValue": "1"
},
{
"Key": "type",
"StringValue": "EmrCluster"
}
]

YAML
DynamoDBInputS3OutputHive:
Type: AWS::DataPipeline::Pipeline
Properties:
Name: DynamoDBInputS3OutputHive
Description: "Pipeline to backup DynamoDB data to S3"
Activate: true
ParameterObjects:
Id: "myDDBReadThroughputRatio"
Attributes:
Key: "description"
StringValue: "DynamoDB read throughput ratio"

API Version 2010-05-15
807

AWS CloudFormation User Guide
AWS::DataPipeline::Pipeline
-

-

Key: "type"
StringValue: "Double"
Key: "default"
StringValue: "0.2"

Id: "myOutputS3Loc"
Attributes:
Key: "description"
StringValue: "S3 output bucket"
Key: "type"
StringValue: "AWS::S3::ObjectKey"
Key: "default"
StringValue:
Fn::Join:
- ""
- "s3://"
Ref: "S3OutputLoc"

Id: "myDDBTableName"
Attributes:
Key: "description"
StringValue: "DynamoDB Table Name "
Key: "type"
StringValue: "String"
ParameterValues:
Id: "myDDBTableName"
StringValue:
Ref: "TableName"
PipelineObjects:
Id: "S3BackupLocation"
Name: "Copy data to this S3 location"
Fields:
Key: "type"
StringValue: "S3DataNode"
Key: "dataFormat"
RefValue: "DDBExportFormat"
Key: "directoryPath"
StringValue: "#{myOutputS3Loc}/#{format(@scheduledStartTime, 'YYYY-MM-dd-HH-mmss')}"
Id: "DDBSourceTable"
Name: "DDBSourceTable"
Fields:
Key: "tableName"
StringValue: "#{myDDBTableName}"
Key: "type"
StringValue: "DynamoDBDataNode"
Key: "dataFormat"
RefValue: "DDBExportFormat"

API Version 2010-05-15
808

AWS CloudFormation User Guide
AWS::DataPipeline::Pipeline
-

-

-

-

Key: "readThroughputPercent"
StringValue: "#{myDDBReadThroughputRatio}"

Id: "DDBExportFormat"
Name: "DDBExportFormat"
Fields:
Key: "type"
StringValue: "DynamoDBExportDataFormat"
Id: "TableBackupActivity"
Name: "TableBackupActivity"
Fields:
Key: "resizeClusterBeforeRunning"
StringValue: "true"
Key: "type"
StringValue: "HiveCopyActivity"
Key: "input"
RefValue: "DDBSourceTable"
Key: "runsOn"
RefValue: "EmrClusterForBackup"
Key: "output"
RefValue: "S3BackupLocation"
Id: "DefaultSchedule"
Name: "RunOnce"
Fields:
Key: "occurrences"
StringValue: "1"
Key: "startAt"
StringValue: "FIRST_ACTIVATION_DATE_TIME"
Key: "type"
StringValue: "Default"
Key: "period"
StringValue: "1 Day"
Id: "Default"
Name: "Default"
Fields:
Key: "type"
StringValue: "Default"
Key: "scheduleType"
StringValue: "cron"
Key: "failureAndRerunMode"
StringValue: "CASCADE"
Key: "role"
StringValue: "DataPipelineDefaultRole"
Key: "resourceRole"
StringValue: "DataPipelineDefaultResourceRole"
Key: "schedule"

API Version 2010-05-15
809

AWS CloudFormation User Guide
AWS::DAX::Cluster

-

RefValue: "DefaultSchedule"
Id: "EmrClusterForBackup"
Name: "EmrClusterForBackup"
Fields:
Key: "terminateAfter"
StringValue: "2 Hours"
Key: "amiVersion"
StringValue: "3.3.2"
Key: "masterInstanceType"
StringValue: "m1.medium"
Key: "coreInstanceType"
StringValue: "m1.medium"
Key: "coreInstanceCount"
StringValue: "1"
Key: "type"
StringValue: "EmrCluster"

AWS::DAX::Cluster
Use the AWS::DAX::Cluster resource to create a DAX cluster for use with Amazon DynamoDB.
For information about creating a DAX cluster, see Creating a DAX Cluster in the Amazon DynamoDB
Developer Guide and CreateCluster in the Amazon DynamoDB Developer Guide.

Syntax
JSON
{

}

"Type": "AWS::DAX::Cluster",
"Properties": {
"AvailabilityZones": [ String, ... ],
"ClusterName": String,
"Description": String,
"IAMRoleARN": String,
"NodeType": String,
"NotificationTopicARN": String,
"ParameterGroupName": String,
"PreferredMaintenanceWindow": String,
"ReplicationFactor": Integer,
"SecurityGroupIds": [ String, ... ],
"SSESpecification" : SSESpecification (p. 1802),
"SubnetGroupName": String,
"Tags": { String:String, ... }
}

YAML
Type: AWS::DAX::Cluster
Properties:
AvailabilityZones: [ String, ... ]
ClusterName: String
Description: String

API Version 2010-05-15
810

AWS CloudFormation User Guide
AWS::DAX::Cluster
IAMRoleARN: String
NodeType: String
NotificationTopicARN: String
ParameterGroupName: String
PreferredMaintenanceWindow: String
ReplicationFactor: Integer
SecurityGroupIds: [ String, ... ]
SSESpecification:
SSESpecification (p. 1802)
SubnetGroupName: String
Tags: { String:String, ... }

Properties
AvailabilityZones
The Availability Zones (AZs) in which the cluster nodes will be created. All nodes belonging to the
cluster are placed in these Availability Zones. Use this parameter if you want to distribute the nodes
across multiple AZs.
You must specify one AZ per DAX node in the cluster.
Required: No
Type: List of String values
Update requires: Some interruptions (p. 119)
ClusterName
The cluster identiﬁer. This parameter is stored as a lowercase string.
Required: No
Type: String
Update requires: Updates are not supported.
Description
A description of the cluster.
Required: No
Type: String
Update requires: No interruption (p. 118)
IAMRoleARN
A valid Amazon Resource Name (ARN) that identiﬁes an IAM role. At runtime, DAX will assume this
role and use the role's permissions to access DynamoDB on your behalf.
Required: Yes
Type: String
Update requires: Updates are not supported.
NodeType
The compute and memory capacity of the nodes in the cluster.
Required: Yes
API Version 2010-05-15
811

AWS CloudFormation User Guide
AWS::DAX::Cluster

Type: String
Update requires: Updates are not supported.
NotificationTopicARN
The Amazon Resource Name (ARN) of the Amazon SNS topic to which notiﬁcations will be sent.

Note

The Amazon SNS topic owner must be same as the DAX cluster owner.
Required: No
Type: String
Update requires: No interruption (p. 118)
ParameterGroupName
The parameter group to be associated with the DAX cluster.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
PreferredMaintenanceWindow
Speciﬁes the weekly time range during which maintenance on the DAX cluster is performed. It is
speciﬁed as a range in the format ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). The minimum
maintenance window is a 60 minute period. Valid values for ddd are:
• sun
• mon
• tue
• wed
• thu
• fri
• sat
Example: sun:05:00-sun:09:00

Note

If you don't specify a preferred maintenance window when you create or modify a cache
cluster, DAX assigns a 60-minute maintenance window on a randomly selected day of the
week.
Required: No
Type: String
Update requires: No interruption (p. 118)
ReplicationFactor
The number of nodes in the DAX cluster. A replication factor of 1 will create a single-node cluster,
without any read replicas. For additional fault tolerance, you can create a multiple node cluster with
one or more read replicas. To do this, set ReplicationFactor to 2 or more.

Note

AWS recommends that you have at least two read replicas per cluster.
Required: Yes
Type: Integer
API Version 2010-05-15
812

AWS CloudFormation User Guide
AWS::DAX::Cluster

Update requires: Some interruptions (p. 119)
SecurityGroupIds
A list of security group IDs to be assigned to each node in the DAX cluster. (Each of the security
group ID is system-generated.)
If this parameter is not speciﬁed, DAX assigns the default VPC security group to each node.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SSESpecification
Whether server-side encryption is enabled or not.
Required: No
Type: DAX Cluster SSESpeciﬁcation (p. 1802)
Update requires: Replacement (p. 119)
SubnetGroupName
The name of the subnet group to be used for the replication group.

Important

DAX clusters can only run in an Amazon VPC environment. All of the subnets that you
specify in a subnet group must exist in the same VPC.
Required: Yes
Type: String
Update requires: Updates are not supported.
Tags
A map of tags to associate with the DAX cluster.
Required: No
Type: String to String map
Update requires: No interruption (p. 118)

Return Values
Ref
When you provide the logical ID of this resource to the Ref intrinsic function, Ref returns the name of
the created DAX cluster. For example:
{ "Ref": "MyDAXCluster" }

Returns a value similar to the following:
MyDAXCluster

For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
813

AWS CloudFormation User Guide
AWS::DAX::Cluster

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
Returns the ARN of the DAX cluster. For example:
{ "Fn::GetAtt": ["MyDAXCluster", "Arn"] }

Returns a value similar to the following:
arn:aws:dax:us-east-1:111122223333:cache/MyDAXCluster

ClusterDiscoveryEndpoint
Returns the conﬁguation endpoint of the DAX cluster. For example:
{ "Fn::GetAtt": ["MyDAXCluster", "ClusterDiscoveryEndpoint"] }

Returns a value similar to the following:
mydaxcluster.0h3d6x.clustercfg.dax.use1.cache.amazonaws.com:8111

For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example creates a DAX cluster.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create a DAX cluster",
"Resources": {
"daxCluster": {
"Type": "AWS::DAX::Cluster",
"Properties": {
"ClusterName": "MyDAXCluster",
"NodeType": "dax.r3.large",
"ReplicationFactor": 1,
"IAMRoleARN": "arn:aws:iam::111122223333:role/DaxAccess",
"Description": "DAX cluster created with CloudFormation",
"SubnetGroupName": {"Ref":"subnetGroupClu"}
}
},
"subnetGroupClu": {
"Type": "AWS::DAX::SubnetGroup",
"Properties": {
"SubnetGroupName": "MySubnetGroup",
"Description": "Subnet group for DAX cluster",
"SubnetIds": [
{"Ref":"subnet1"},
{"Ref":"subnet2"}
]

API Version 2010-05-15
814

AWS CloudFormation User Guide
AWS::DAX::Cluster
}
},
"subnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {"Ref":"daxVpc"},
"CidrBlock": "172.13.17.0/24",
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
}
}
},
"subnet2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {"Ref":"daxVpc"},
"CidrBlock": "172.13.18.0/24",
"AvailabilityZone": {
"Fn::Select": [
1,
{
"Fn::GetAZs": ""
}
]
}
}
},
"daxVpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "172.13.0.0/16"
}
}

}

},
"Outputs": {
"Cluster": {
"Value": {"Ref":"daxCluster"}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create a DAX cluster"
Resources:
daxCluster:
Type: AWS::DAX::Cluster
Properties:
ClusterName: "MyDAXCluster"
NodeType: "dax.r3.large"
ReplicationFactor: 1
IAMRoleARN: "arn:aws:iam::111122223333:role/DaxAccess"
Description: "DAX cluster created with CloudFormation"
SubnetGroupName: !Ref subnetGroupClu
subnetGroupClu:
Type: AWS::DAX::SubnetGroup
Properties:
SubnetGroupName: "CFNClusterSubnetGrp"

API Version 2010-05-15
815

AWS CloudFormation User Guide
AWS::DAX::ParameterGroup
Description: "Subnet group for DAX cluster"
SubnetIds:
- !Ref subnet1
- !Ref subnet2
subnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId:
!Ref daxVpc
CidrBlock: 172.13.17.0/24
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
subnet2:
Type: AWS::EC2::Subnet
Properties:
VpcId:
!Ref daxVpc
CidrBlock: 172.13.18.0/24
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ""
daxVpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 172.13.0.0/16
Outputs:
Cluster:
Value: !Ref daxCluster

AWS::DAX::ParameterGroup
Use the AWS CloudFormation AWS::DAX::ParameterGroup resource to create a parameter group for
use with Amazon DynamoDB.
For more information, see ParameterGroup in the Amazon DynamoDB Developer Guide.

Syntax
JSON
{

}

"Type": "AWS::DAX::ParameterGroup",
"Properties": {
"ParameterGroupName": String,
"Description": String,
"ParameterNameValues": { String:String, ... }
}

YAML
Type: AWS::DAX::ParameterGroup
Properties:
ParameterGroupName: String
Description: String
ParameterNameValues: { String:String, ... }

API Version 2010-05-15
816

AWS CloudFormation User Guide
AWS::DAX::ParameterGroup

Properties
ParameterGroupName
The name of the parameter group.
Required: No
Type: String
Update requires: Updates are not supported.
Description
A description of the parameter group.
Required: No
Type: String
Update requires: No interruption (p. 118);
ParameterNameValues
A map of DAX parameter names and values.
Required: No
Type: String to String map
Update requires: No interruption (p. 118)

Return Values
Ref
When you provide the logical ID of this resource to the Ref intrinsic function, Ref returns the ARN of the
created parameter group. For example:
{ "Ref": "MyDAXParameterGroup" }

Returns a value similar to the following:
my-dax-parameter-group

For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a DAX parameter group.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "DAX parameter group",
"Resources": {
"daxParamGroup": {
"Type": "AWS::DAX::ParameterGroup",

API Version 2010-05-15
817

AWS CloudFormation User Guide
AWS::DAX::SubnetGroup
"Properties": {
"ParameterGroupName": "MyDAXParameterGroup",
"Description": "Description for my DAX parameter group",
"ParameterNameValues": {
"query-ttl-millis": "75000",
"record-ttl-millis": "88000"
}
}

}

}
},
"Outputs": {
"ParameterGroup": {
"Value": {
"Ref": "daxParamGroup"
}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Description: "DAX parameter group"
Resources:
daxParamGroup:
Type: AWS::DAX::ParameterGroup
Properties:
ParameterGroupName: "MyDAXParameterGroup"
Description: "Description for my DAX parameter group"
ParameterNameValues:
"query-ttl-millis" : "75000"
"record-ttl-millis" : "88000"
Outputs:
ParameterGroup:
Value: !Ref daxParamGroup

AWS::DAX::SubnetGroup
Use the AWS CloudFormation AWS::DAX::SubnetGroup resource to create a subnet group for use with
DAX (DynamoDB Accelerator).
For more information, see SubnetGroup in the Amazon DynamoDB Developer Guide.

Syntax
JSON
{

}

"Type": "AWS::DAX::SubnetGroup",
"Properties": {
"SubnetGroupName": String,
"Description": String,
"SubnetIds": [ String, ... ]
}

YAML
Type: AWS::DAX::SubnetGroup

API Version 2010-05-15
818

AWS CloudFormation User Guide
AWS::DAX::SubnetGroup
Properties:
SubnetGroupName: String
Description: String
SubnetIds: [ String, ... ]

Properties
SubnetGroupName
The name of the subnet group.
Required: No
Type: String
Update requires: Updates are not supported.
Description
The description of the subnet group.
Required: No
Type: String
Update requires: No interruption (p. 118)
SubnetIds
A list of subnets associated with the subnet group.
Required: No
Type: List of String values;
Update requires: No interruption (p. 118)

Return Values
Ref
When you provide the logical ID of this resource to the Ref intrinsic function, Ref returns the ARN of the
created activity. For example:
{ "Ref": "MyDAXSubnetGroup" }

Returns a value similar to the following:
my-dax-subnet-group

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
API Version 2010-05-15
819

AWS CloudFormation User Guide
AWS::DAX::SubnetGroup

SubnetGroupName
Returns the name of the subnet group. For example:
{ "Fn::GetAtt": ["MyDAXSubnetGroup", "SubnetGroupName"] }

Returns a value similar to the following:
my-dax-subnet-group

For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example creates a DAX subnet group.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create a DAX subnet group",
"Resources": {
"MyDAXSubnetGroup": {
"Type": "AWS::DAX::SubnetGroup",
"Properties": {
"SubnetGroupName": "my-dax-subnet-group",
"Description": "Description of my DAX subnet group",
"SubnetIds": [
"subnet1",
"subnet2"
]
}
},
"subnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": "daxVPC",
"CidrBlock": "172.13.17.0/24",
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
}
}
},
"subnet2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": "daxVPC",
"CidrBlock": "172.13.18.0/24",
"AvailabilityZone": {
"Fn::Select": [
1,
{
"Fn::GetAZs": ""
}
]

API Version 2010-05-15
820

AWS CloudFormation User Guide
AWS::DirectoryService::MicrosoftAD

}

}

},
"daxVpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "172.13.0.0/16"
}
}

}

},
"Outputs": {
"ParameterGroup": {
"Value": "MyDAXSubnetGroup"
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Description: "DAX subnet group"
Resources:
MyDAXSubnetGroup:
Type: AWS::DAX::SubnetGroup
Properties:
SubnetGroupName: "my-dax-subnet-group"
Description: "Description of my DAX subnet group"
SubnetIds:
- !Ref subnet1
- !Ref subnet2
subnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId:
!Ref daxVpc
CidrBlock: 172.13.17.0/24
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
subnet2:
Type: AWS::EC2::Subnet
Properties:
VpcId:
!Ref daxVpc
CidrBlock: 172.13.18.0/24
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ""
daxVpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 172.13.0.0/16
Outputs:
ParameterGroup:
Value: !Ref MyDAXSubnetGroup

AWS::DirectoryService::MicrosoftAD
The AWS::DirectoryService::MicrosoftAD resource creates an Enterprise Edition Microsoft Active
Directory in AWS so that your directory users and groups can access the AWS Management Console
API Version 2010-05-15
821

AWS CloudFormation User Guide
AWS::DirectoryService::MicrosoftAD

and AWS applications using their existing credentials. At this time, AWS CloudFormation can't create a
Standard Edition Microsoft Active Directory. For more information, see What Is AWS Directory Service? in
the AWS Directory Service Administration Guide.
Topics
• Syntax (p. 822)
• Properties (p. 822)
• Return Values (p. 824)
• Example (p. 824)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::DirectoryService::MicrosoftAD",
"Properties" : {
"CreateAlias" : Boolean,
"Edition" : String,
"EnableSso" : Boolean,
"Name" : String,
"Password" : String,
"ShortName" : String,
"VpcSettings" : VpcSettings
}

YAML
Type: AWS::DirectoryService::MicrosoftAD
Properties:
CreateAlias: Boolean
Edition: String
EnableSso: Boolean
Name: String
Password: String
ShortName: String
VpcSettings:
VpcSettings

Properties
CreateAlias
A unique alias to assign to the Microsoft Active Directory in AWS. AWS Directory Service uses the
alias to construct the access URL for the directory, such as http://alias.awsapps.com. By
default, AWS CloudFormation does not create an alias.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
API Version 2010-05-15
822

AWS CloudFormation User Guide
AWS::DirectoryService::MicrosoftAD

Edition
The AWS Microsoft AD edition. Valid values include Standard and Enterprise. The default is
Enterprise.
Required: No
Type: String
Update requires: Replacement (p. 119)
EnableSso
Whether to enable single sign-on for a Microsoft Active Directory in AWS. Single sign-on allows users
in your directory to access certain AWS services from a computer joined to the directory without
having to enter their credentials separately. If you don't specify a value, AWS CloudFormation
disables single sign-on by default.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Name
The fully qualiﬁed name for the Microsoft Active Directory in AWS, such as corp.example.com.
The name doesn't need to be publicly resolvable; it will resolve inside your VPC only.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Password
The password for the default administrative user, Admin.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ShortName
The NetBIOS name for your domain, such as CORP. If you don't specify a value, AWS Directory
Service uses the ﬁrst part of your directory DNS server name. For example, if your directory DNS
server name is corp.example.com, AWS Directory Service speciﬁes CORP for the NetBIOS name.
Required: No
Type: String
Update requires: Replacement (p. 119)
VpcSettings
Speciﬁes the VPC settings of the Microsoft Active Directory server in AWS.
Required: Yes
Type: AWS Directory Service MicrosoftAD VpcSettings (p. 1800)
API Version 2010-05-15
823

AWS CloudFormation User Guide
AWS::DirectoryService::MicrosoftAD

Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource ID.
In the following sample, the Ref function returns the ID of the myDirectory directory, such as
d-12345ab592.
{ "Ref": "myDirectory" }

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Alias
The alias for a directory. For example: d-12373a053a or alias4-mydirectory-12345abcgmzsk
(if you have the CreateAlias property set to true).
DnsIpAddresses
The IP addresses of the DNS servers for the directory, such as [ "192.0.2.1", "192.0.2.2" ].
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example creates a Microsoft Active Directory in AWS, where the directory DNS name is
corp.example.com:

JSON
"myDirectory" : {
"Type" : "AWS::DirectoryService::MicrosoftAD",
"Properties" : {
"Name" : "corp.example.com",
"Password" : { "Ref" : "MicrosoftADPW" },
"ShortName" : { "Ref" : "MicrosoftADShortName" },
"VpcSettings" : {
"SubnetIds" : [ { "Ref" : "subnetID1" }, { "Ref" : "subnetID2" } ],
"VpcId" : { "Ref" : "vpcID" }
}
}
}

YAML
myDirectory:
Type: AWS::DirectoryService::MicrosoftAD
Properties:
Name: "corp.example.com"

API Version 2010-05-15
824

AWS CloudFormation User Guide
AWS::DirectoryService::SimpleAD
Password:
Ref: MicrosoftADPW
ShortName:
Ref: MicrosoftADShortName
VpcSettings:
SubnetIds:
- Ref: subnetID1
- Ref: subnetID2
VpcId:
Ref: vpcID

AWS::DirectoryService::SimpleAD
The AWS::DirectoryService::SimpleAD resource creates an AWS Directory Service Simple Active
Directory (Simple AD) in AWS so that your directory users and groups can access the AWS Management
Console and AWS applications using their existing credentials. Simple AD is a Microsoft Active Directory–
compatible directory. For more information, see What Is AWS Directory Service? in the AWS Directory
Service Administration Guide.
Topics
• Syntax (p. 825)
• Properties (p. 826)
• Return Values (p. 827)
• Example (p. 827)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::DirectoryService::SimpleAD",
"Properties" : {
"CreateAlias" : Boolean,
"Description" : String,
"EnableSso" : Boolean,
"Name" : String,
"Password" : String,
"ShortName" : String,
"Size" : String,
"VpcSettings" : VpcSettings
}

YAML
Type: AWS::DirectoryService::SimpleAD
Properties:
CreateAlias: Boolean
Description: String
EnableSso: Boolean
Name: String
Password: String
ShortName: String
Size: String
VpcSettings:

API Version 2010-05-15
825

AWS CloudFormation User Guide
AWS::DirectoryService::SimpleAD
VpcSettings

Properties
CreateAlias
If set to true, creates an alias for a directory and assigns the alias to the directory. AWS
Directory Service uses the alias to construct the access URL for the directory, such as
http://alias.awsapps.com. By default, this property is set to false.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
Description
A description of the directory.
Required: No
Type: String
Update requires: Replacement (p. 119)
EnableSso
Whether to enable single sign-on for a directory. If you don't specify a value, AWS CloudFormation
disables single sign-on by default.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Name
The fully qualiﬁed name for the directory, such as corp.example.com.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Password
The password for the directory administrator. AWS Directory Service creates a directory
administrator account with the user name Administrator and this password.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ShortName
The NetBIOS name of the on-premises directory, such as CORP.
Required: No
Type: String
API Version 2010-05-15
826

AWS CloudFormation User Guide
AWS::DirectoryService::SimpleAD

Update requires: Replacement (p. 119)
Size
The size of the directory. For valid values, see CreateDirectory in the AWS Directory Service API
Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
VpcSettings
Speciﬁes the VPC settings of the directory server.
Required: Yes
Type: AWS Directory Service SimpleAD VpcSettings (p. 1801)
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource ID.
In the following sample, the Ref function returns the ID of the myDirectory directory, such as
d-1a2b3c4d5e.
{ "Ref": "myDirectory" }

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Alias
The alias for a directory. For example: d-12373a053a or alias4-mydirectory-12345abcgmzsk
(if you have the CreateAlias property set to true).
DnsIpAddresses
The IP addresses of the DNS servers for the directory, such as [ "172.31.3.154",
"172.31.63.203" ].
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example creates a Simple AD directory, where the directory DNS name is
corp.example.com:
API Version 2010-05-15
827

AWS CloudFormation User Guide
AWS::DMS::Certiﬁcate

JSON
"myDirectory" : {
"Type" : "AWS::DirectoryService::SimpleAD",
"Properties" : {
"Name" : "corp.example.com",
"Password" : { "Ref" : "SimpleADPW" },
"Size" : "Small",
"VpcSettings" : {
"SubnetIds" : [ { "Ref" : "subnetID1" }, { "Ref" : "subnetID2" } ],
"VpcId" : { "Ref" : "vpcID" }
}
}
}

YAML
myDirectory:
Type: AWS::DirectoryService::SimpleAD
Properties:
Name: "corp.example.com"
Password:
Ref: SimpleADPW
Size: "Small"
VpcSettings:
SubnetIds:
- Ref: subnetID1
- Ref: subnetID2
VpcId:
Ref: vpcID

AWS::DMS::Certiﬁcate
The AWS::DMS::Certificate resource creates an SSL certiﬁcate that encrypts connections between
AWS DMS endpoints and the replication instance.
Topics
• Syntax (p. 828)
• Properties (p. 829)
• Return Value (p. 829)
• Example (p. 829)
• See Also (p. 830)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type": "AWS::DMS::Certificate",
"Properties": {
"CertificateIdentifier": String,
"CertificatePem": String,
"CertificateWallet": String
}

API Version 2010-05-15
828

AWS CloudFormation User Guide
AWS::DMS::Certiﬁcate
}

YAML
Type: AWS::DMS::Certificate
Properties:
CertificateIdentifier: String
CertificatePem: String
CertificateWallet: String

Properties
CertificateIdentifier
The customer-assigned name of the certiﬁcate. Valid characters are A-z and 0-9.
Required: No
Type: String
Update requires: Replacement (p. 119)
CertificatePem
The contents of the .pem X.509 certiﬁcate ﬁle for the certiﬁcate.
Required: No
Type: String
Update requires: Replacement (p. 119)
CertificateWallet
The location of the imported Oracle Wallet certiﬁcate for use with SSL.
Required: No
Type: Base64-encoded binary data object
Update requires: Replacement (p. 119)

Return Value
Ref
When you pass the certiﬁcate of an AWS::DMS::Certificate resource to the intrinsic Ref function,
the function returns the Amazon Resource Name (ARN) of the certiﬁcate.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

"AWSTemplateFormatVersion": "2010-09-09",

API Version 2010-05-15
829

AWS CloudFormation User Guide
AWS::DMS::Endpoint
"Description": "Certificate test",
"Resources": {
"BasicCertificate": {
"Type": "AWS::DMS::Certificate",
"Properties": {
"CertificatePem": "-----BEGIN CERTIFICATE-----\n MIID/
DCCAuSgAwIBAgIBUDANBgkqhkiG9w0BAQsFADCBijELMAkGA1UEBhMCVVMx...mqfEEuC7uUoPofXdBp2ObQ==\n
-----END CERTIFICATE-----\n"
}
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: Certificate test
Resources:
BasicCertificate:
Type: AWS::DMS::Certificate
Properties:
CertificatePem: |
-----BEGIN CERTIFICATE----MIID/
DCCAuSgAwIBAgABCDEFgkqhkiG9w0BAQsFADCBijEXAMPLE1UEBhMCVVMx...mqfEEuC7uUoPofXdBp2ObQ==
-----END CERTIFICATE-----

See Also
• ImportCertiﬁcate in the AWS Database Migration Service API Reference.
• AWS CloudFormation Stacks Updates (p. 118)

AWS::DMS::Endpoint
The AWS::DMS::Endpoint resource creates an AWS DMS endpoint.
Topics
• Syntax (p. 830)
• Properties (p. 831)
• Return Value (p. 834)
• Example (p. 834)
• See Also (p. 835)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type": "AWS::DMS::Endpoint",
"Properties": {
"CertificateArn": String,
"DatabaseName": String,
"DynamoDbSettings": DynamoDbSettings,

API Version 2010-05-15
830

AWS CloudFormation User Guide
AWS::DMS::Endpoint

}

}

"EndpointIdentifier": String,
"EndpointType": String,
"EngineName": String,
"ExtraConnectionAttributes": String,
"KmsKeyId": String,
"MongoDbSettings": MongoDbSettings,
"Password": String,
"Port": Integer,
"S3Settings": S3Settings,
"ServerName": String,
"SslMode": String,
"Tags": [ Resource Tag, ... ],
"Username": String

YAML
Type: AWS::DMS::Endpoint
Properties:
CertificateArn: String
DatabaseName: String
DynamoDbSettings:
DynamoDbSettings
EndpointIdentifier: String
EndpointType: String
EngineName: String
ExtraConnectionAttributes: String
KmsKeyId: String
MongoDbSettings:
MongoDbSettings
Password: String
Port: Integer
S3Settings:
S3Settings
ServerName: String
SslMode: String
Tags:
- Resource Tag
Username: String

Properties
CertificateArn
The Amazon Resource Number (ARN) for the certiﬁcate.
Required: No
Type: String
Update requires: No interruption (p. 118)
DatabaseName
The name of the endpoint database.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
831

AWS CloudFormation User Guide
AWS::DMS::Endpoint

DynamoDbSettings
Settings in JSON format for the target DynamoDB endpoint. For more information about the
available settings, see the Using Object Mapping to Migrate Data to DynamoDB section at Using
an Amazon DynamoDB Database as a Target for AWS Database Migration Service.
Required: No
Type: AWS DMS Endpoint DynamoDBSettings (p. 1796)
Update requires: No interruption (p. 118)
EndpointIdentifier
The database endpoint identiﬁer. Identiﬁers must begin with a letter; must contain only ASCII
letters, digits, and hyphens; and must not end with a hyphen or contain two consecutive hyphens.
Required: No
Type: String
Update requires: No interruption (p. 118)
EndpointType
The type of endpoint. Valid values are source and target.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
EngineName
The type of engine for the endpoint. Valid values depend on the EndPointType and include
MYSQL, ORACLE, POSTGRES, MARIADB, AURORA, REDSHIFT, S3, SYBASE, DYNAMODB, MONGODB, and
SQLSERVER.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ExtraConnectionAttributes
Additional attributes associated with the connection.
Required: No
Type: String
Update requires: No interruption (p. 118)
KmsKeyId
The KMS key identiﬁer that will be used to encrypt the connection parameters. If you do not specify
a value for the KmsKeyId parameter, then AWS DMS will use your default encryption key. AWS KMS
creates the default encryption key for your AWS account. Your AWS account has a diﬀerent default
encryption key for each AWS region.
Required: No
Type: String
API Version 2010-05-15
832

AWS CloudFormation User Guide
AWS::DMS::Endpoint

Update requires: Replacement (p. 119)
MongoDbSettings
Settings in JSON format for the source MongoDB endpoint. For more information about the
available settings, see the Conﬁguration Properties When Using MongoDB as a Source for AWS
Database Migration Service section at Using Amazon S3 as a Target for AWS Database Migration
Service.
Required: No
Type: AWS DMS Endpoint MongoDbSettings (p. 1797)
Update requires: No interruption (p. 118)
Password
The password to be used to login to the endpoint database. Do not use this parameter directly.
Use Password as an input parameter with noEcho as shown in the Parameters. For best practices
information, see Do Not Embed Credentials in Your Templates.
Required: No
Type: String
Update requires: No interruption (p. 118)
Port
The port used by the endpoint database.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
S3Settings
Settings in JSON format for the target Amazon S3 endpoint. For more information about the
available settings, see the Extra Connection Attributes section at Using Amazon S3 as a Target for
AWS Database Migration Service in the AWS Database Migration Service User Guide.
Required: No
Type: AWS DMS Endpoint S3Settings (p. 1799)
Update requires: No interruption (p. 118)
ServerName
The name of the server where the endpoint database resides.
Required: No
Type: String
Update requires: No interruption (p. 118)
SslMode
The SSL mode to use for the SSL connection.
SSL mode can be one of four values: none, require, verify-ca, verify-full. The default value
is none.
Required: No
API Version 2010-05-15
833

AWS CloudFormation User Guide
AWS::DMS::Endpoint

Type: String
Update requires: No interruption (p. 118)
Tags
The tags that you want to attach to the DMS endpoint.
Required: No
Type: List of resource tags (p. 2106) in key-value format
Update requires: Replacement (p. 119)
Username
The user name to be used to login to the endpoint database.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Value
Ref
When you pass the logical ID of an AWS::DMS::Endpoint resource to the intrinsic Ref function, the
function returns the ARN of the endpoint.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myBasicEndpoint": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"EngineName": "mysql",
"EndpointType": "source",
"Username": "username",
"Password": {
"Ref": "PasswordParameter"
},
"ServerName": "source.db.amazon.com",
"Port": 1234,
"DatabaseName": "source-db"
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09

API Version 2010-05-15
834

AWS CloudFormation User Guide
AWS::DMS::EventSubscription
Description: "Endpoint test"
Resources:
BasicEndpoint:
Type: AWS::DMS::Endpoint
Properties:
EngineName: "mysql"
EndpointType: "target"
Username: "username"
Password: !Ref PasswordParameter
ServerName: "server.db.amazon.com"
Port: 1234
DatabaseName: "my-db"
Tags:
- Key: "type"
Value: "new"

See Also
• CreateEndpoint in the AWS Database Migration Service API Reference.
• AWS CloudFormation Stacks Updates (p. 118)

AWS::DMS::EventSubscription
Use the AWS::DMS::EventSubscription resource to get notiﬁcations for AWS Database Migration
Service events through the Amazon Simple Notiﬁcation Service. For more information, see Using AWS
DMS Event Notiﬁcation in the AWS Database Migration Service User Guide.
Topics
• Syntax (p. 835)
• Properties (p. 836)
• Return Value (p. 837)
• Example (p. 837)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::DMS::EventSubscription",
"Properties" : {
"Enabled" : Boolean,
"EventCategories" : [ String, ... ],
"SnsTopicArn" : String,
"SourceIds" : [ String, ... ],
"SourceType" : String,
"SubscriptionName" : [ String, ... ],
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: AWS::DMS::EventSubscription

API Version 2010-05-15
835

AWS CloudFormation User Guide
AWS::DMS::EventSubscription
Properties:
Enabled: Boolean
EventCategories:
- String
SnsTopicArn: String
SourceIds:
- String
SourceType: String
SubscriptionName:
- String
Tags:
- Resource Tag

Properties
Enabled
Indicates whether to activate the subscription. If you don't specify this property, AWS
CloudFormation activates the subscription.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
EventCategories
A list of event categories that you want to subscribe to for a given source type. If you don't specify
this property, you are notiﬁed about all event categories. For more information, see Using AWS DMS
Event Notiﬁcation in the AWS Database Migration Service User Guide.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SnsTopicArn
The Amazon Resource Name (ARN) of an Amazon SNS topic that you want to send event
notiﬁcations to.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
SourceIds
A list of identiﬁers for which AWS DMS provides notiﬁcation events.
If you don't specify a value, notiﬁcations are provided for all sources. If you specify multiple values,
they must be of the same type. For example, if you specify a database instance ID, all other values
must be database instance IDs.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
API Version 2010-05-15
836

AWS CloudFormation User Guide
AWS::DMS::EventSubscription

SourceType
The type of source for which AWS DMS provides notiﬁcation events. For example, if you want to
be notiﬁed of events generated by a database instance, set this parameter to replicationinstance. If you don't specify a value, notiﬁcations are provided for all source types. For valid
values, see the SourceType parameter for the CreateEventSubscription action in the AWS Database
Migration Service API Reference.
Required: Conditional. If you specify the SourceIds or EventCategories property, you must
specify this property.
Type: String
Update requires: No interruption (p. 118)
SubscriptionName
The subscription name.
If you don't specify a value, we create a random value.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
Tags
The tags that you want to attach to the DMS event subscription.
Required: No
Type: List of resource tags (p. 2106) in key-value format
Update requires: Replacement (p. 119)

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myEventSubscription" }

For the resource with the logical ID myEventSubscription, Ref returns the AWS DMS event
subscription name, such as: mystack-myEventSubscription-1DDYF1E3B3I.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following snippet creates an event subscription for an existing replication instance repinstance-1, which is declared elsewhere in the same template.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myEventSubscription": {

API Version 2010-05-15
837

AWS CloudFormation User Guide
AWS::DMS::ReplicationInstance

}

}

}

"Type": "AWS::DMS::EventSubscription",
"Properties": {
"EventCategories": [
"configuration change",
"failure",
"deletion"
],
"SnsTopicArn": "arn:aws:sns:us-west-2:123456789012:example-topic",
"SourceIds": [
"rep-instance-1"
],
"SourceType": "replication-instance",
"Enabled": false
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
myEventSubscription:
Type: AWS::DMS::EventSubscription
Properties:
EventCategories:
- configuration change
- failure
- deletion
SnsTopicArn: 'arn:aws:sns:us-west-2:123456789012:example-topic'
SourceIds:
- rep-instance-1
SourceType: replication-instance
Enabled: false

AWS::DMS::ReplicationInstance
The AWS::DMS::ReplicationInstance resource creates an AWS DMS replication instance.
Topics
• Syntax (p. 838)
• Properties (p. 839)
• Return Value (p. 842)
• Example (p. 842)
• See Also (p. 842)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type": "AWS::DMS::ReplicationInstance",
"Properties": {
"AllocatedStorage": Integer,
"AutoMinorVersionUpgrade": Boolean,

API Version 2010-05-15
838

AWS CloudFormation User Guide
AWS::DMS::ReplicationInstance

}

}

"AvailabilityZone": String,
"EngineVersion": String,
"KmsKeyId": String,
"MultiAZ": Boolean,
"PreferredMaintenanceWindow": String,
"PubliclyAccessible": Boolean,
"ReplicationInstanceClass": String,
"ReplicationInstanceIdentifier": String,
"ReplicationSubnetGroupIdentifier": String,
"Tags": [ Resource Tag, ... ],
"VpcSecurityGroupIds": [ String, ... ]

YAML
Type: AWS::DMS::ReplicationInstance
Properties:
AllocatedStorage: Integer
AutoMinorVersionUpgrade: Boolean
AvailabilityZone: String
EngineVersion: String
KmsKeyId: String
MultiAZ: Boolean
PreferredMaintenanceWindow: String
PubliclyAccessible: Boolean
ReplicationInstanceClass: String
ReplicationInstanceIdentifier: String
ReplicationSubnetGroupIdentifier: String
Tags:
- Resource Tag
VpcSecurityGroupIds:
- String

Properties
AllocatedStorage
The amount of storage (in gigabytes) to be initially allocated for the replication instance.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
AutoMinorVersionUpgrade
Indicates that minor engine upgrades will be applied automatically to the replication instance during
the maintenance window.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
AvailabilityZone
The EC2 Availability Zone that the replication instance will be created in. The default value is a
random, system-chosen Availability Zone in the endpoint's region.
Example: us-east-1d
API Version 2010-05-15
839

AWS CloudFormation User Guide
AWS::DMS::ReplicationInstance

Required: No
Type: String
Update requires: Replacement (p. 119)
EngineVersion
The engine version number of the replication instance.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
KmsKeyId
The KMS key identiﬁer that will be used to encrypt the content on the replication instance. If you
do not specify a value for the KmsKeyId parameter, then AWS DMS will use your default encryption
key. AWS KMS creates the default encryption key for your AWS account. Your AWS account has a
diﬀerent default encryption key for each AWS region.
Required: No
Type: String
Update requires: Replacement (p. 119)
MultiAZ
Speciﬁes if the replication instance is a Multi-AZ deployment. You cannot set the
AvailabilityZone parameter if the MultiAZ parameter is set to true .
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
PreferredMaintenanceWindow
The weekly time range during which system maintenance can occur, in Universal Coordinated Time
(UTC).
Format: ddd:hh24:mi-ddd:hh24:mi
Default: A 30-minute window selected at random from an 8-hour block of time per region, occurring
on a random day of the week.
Valid Values: Mon, Tue, Wed, Thu, Fri, Sat, Sun
Constraints: Minimum 30-minute window
Required: No
Type: String
Update requires: No interruption (p. 118)
PubliclyAccessible
Speciﬁes the accessibility options for the replication instance. A value of true represents an instance
with a public IP address. A value of false represents an instance with a private IP address. The
default value is true .
API Version 2010-05-15
840

AWS CloudFormation User Guide
AWS::DMS::ReplicationInstance

Required: No
Type: Boolean
Update requires: Replacement (p. 119)
ReplicationInstanceClass
The compute and memory capacity of the replication instance as speciﬁed by the replication
instance class.
Valid Values: dms.t2.micro, dms.t2.small, dms.t2.medium , dms.t2.large, dms.c4.large,
dms.c4.xlarge, dms.c4.2xlarge, dms.c4.4xlarge
Required: Yes
Type: String
Update requires: Some interruptions (p. 119)
ReplicationInstanceIdentifier
A name for the replication instance. If you specify a name, AWS CloudFormation converts it to lower
case. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that
ID for the replication instance identiﬁer. For more information, see Name Type.
Constraints:
• Must contain from 1 to 63 alphanumeric characters or hyphens.
• First character must be a letter.
• Cannot end with a hyphen or contain two consecutive hyphens.
Example: myrepinstance
Required: No
Type: String
Update requires: No interruption (p. 118)
ReplicationSubnetGroupIdentifier
A subnet group to associate with the replication instance.
Required: No
Type: String
Update requires: Replacement (p. 119)
Tags
The tags that you want to attach to the DMS endpoint.
Required: No
Type: List of resource tags (p. 2106) in key-value format
Update requires: Replacement (p. 119)
VpcSecurityGroupIds
Speciﬁes the VPC security group to be used with the replication instance. The VPC security group
must work with the VPC containing the replication instance.
API Version 2010-05-15
841

AWS CloudFormation User Guide
AWS::DMS::ReplicationSubnetGroup

Required: No
Type: List of String values
Update requires: No interruption (p. 118)

Return Value
Ref
When you pass the logical ID of an AWS::DMS::ReplicationInstance resource to the intrinsic Ref
function, the function returns the replication instance ARN.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"BasicReplicationInstance": {
"Type": "AWS::DMS::ReplicationInstance",
"Properties": {
"ReplicationInstanceClass": "dms.t2.small"
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
BasicReplicationInstance:
Type: AWS::DMS::ReplicationInstance
Properties:
ReplicationInstanceClass: dms.t2.small

See Also
• CreateReplicationInstance in the AWS Database Migration Service API Reference.
• AWS CloudFormation Stacks Updates (p. 118)

AWS::DMS::ReplicationSubnetGroup
The AWS::DMS::ReplicationSubnetGroup resource creates an AWS DMS replication subnet group.
Subnet groups must contain at least two subnets in two diﬀerent Availability Zones in the same region.

Note

Resource creation will fail if the dms-vpc-role IAM role doesn't already exist. For more
information, see Creating the IAM Roles to Use With the AWS CLI and AWS DMS API in the AWS
Database Migration Service User Guide.
API Version 2010-05-15
842

AWS CloudFormation User Guide
AWS::DMS::ReplicationSubnetGroup

Topics
• Syntax (p. 843)
• Properties (p. 843)
• Return Value (p. 844)
• Example (p. 844)
• See Also (p. 845)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::DMS::ReplicationSubnetGroup",
"Properties" : {
"ReplicationSubnetGroupIdentifier" : String,
"ReplicationSubnetGroupDescription" : String,
"SubnetIds" : [ String, ... ],
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: AWS::DMS::ReplicationSubnetGroup
Properties:
ReplicationSubnetGroupIdentifier: String
ReplicationSubnetGroupDescription: String
SubnetIds:
- String
Tags:
- Resource Tag

Properties
ReplicationSubnetGroupIdentifier
The identiﬁer for the replication subnet group. If you don't specify a name, AWS CloudFormation
generates a unique physical ID and uses that ID for the identiﬁer.
Required: No
Type: String
Update requires: Replacement (p. 119)
ReplicationSubnetGroupDescription
The description for the replication subnet group.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
843

AWS CloudFormation User Guide
AWS::DMS::ReplicationSubnetGroup

SubnetIds
The EC2 subnet IDs for the replication subnet group.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)
Tags
The tags that you want to attach to the AWS DMS replication subnet group.
Required: No
Type: A list of resource tags (p. 2106) in key-value format.
Update requires: Replacement (p. 119)

Return Value
Ref
When you pass the logical ID of an AWS::DMS::ReplicationSubnetGroup resource to the intrinsic
Ref function, the function returns the name of the replication subnet group, such as mystackmyrepsubnetgroup-0a12bc456789de0fg.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myReplicationSubnetGroup" : {
"Type" : "AWS::DMS::ReplicationSubnetGroup",
"Properties" : {
"ReplicationSubnetGroupIdentifier" : "identifier",
"ReplicationSubnetGroupDescription" : "description",
"SubnetIds" : [ "subnet-7b5b4112", "subnet-7b5b4115" ],
"Tags" : [ {"Key" : "String", "Value" : "String"} ]
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
myReplicationSubnetGroup:
Type: AWS::DMS::ReplicationSubnetGroup
Properties:
ReplicationSubnetGroupIdentifier: "identifier"
ReplicationSubnetGroupDescription: "description"
SubnetIds:

API Version 2010-05-15
844

AWS CloudFormation User Guide
AWS::DMS::ReplicationTask
- "subnet-7b5b4112"
- "subnet-7b5b4115"
Tags:
Key: "String"
Value: "String"

See Also
• CreateReplicationSubnetGroup in the AWS Database Migration Service API Reference.
• AWS CloudFormation Stacks Updates (p. 118)

AWS::DMS::ReplicationTask
The AWS::DMS::ReplicationTask resource creates an AWS DMS replication task.
Topics
• Syntax (p. 845)
• Properties (p. 846)
• Return Value (p. 847)
• Example (p. 847)
• See Also (p. 848)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::DMS::ReplicationTask",
"Properties": {
"CdcStartTime": Timestamp,
"MigrationType": String,
"ReplicationInstanceArn": String,
"ReplicationTaskIdentifier": String,
"ReplicationTaskSettings": String,
"SourceEndpointArn": String,
"TableMappings": String,
"Tags": [ Resource Tag, ... ],
"TargetEndpointArn": String
}

YAML
Type: AWS::DMS::ReplicationTask
Properties:
CdcStartTime: Timestamp
MigrationType: String
ReplicationInstanceArn: String
ReplicationTaskIdentifier: String
ReplicationTaskSettings: String
SourceEndpointArn: String
TableMappings: String

API Version 2010-05-15
845

AWS CloudFormation User Guide
AWS::DMS::ReplicationTask
Tags:
- Resource Tag
TargetEndpointArn: String

Properties
CdcStartTime
The start time for the Change Data Capture (CDC) operation.
Required: No
Type: Number, epoch value in milliseconds
Update requires: No interruption (p. 118)
MigrationType
The migration type.
Valid Values: full-load, cdc, full-load-and-cdc
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ReplicationInstanceArn
The Amazon Resource Name (ARN) of the replication instance.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ReplicationTaskIdentifier
The ARN string that uniquely identiﬁes the endpoint.
Required: No
Type: String
Update requires: No interruption (p. 118)
ReplicationTaskSettings
Settings for the task, such as target metadata settings. For a complete list of task settings, see Task
Settings for AWS Database Migration Service Tasks in the AWS Database Migration Service User
Guide.
Required: No
Type: String
Update requires: No interruption (p. 118)
SourceEndpointArn
The ARN string that uniquely identiﬁes the endpoint.
Required: Yes
API Version 2010-05-15
846

AWS CloudFormation User Guide
AWS::DMS::ReplicationTask

Type: String
Update requires: Replacement (p. 119)
TableMappings
The JSON that contains additional parameter values.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Tags
The tags that you want to attach to the migration task.
Required: No
Type: List of resource tags (p. 2106) in key-value format
Update requires: Replacement (p. 119)
TargetEndpointArn
The ARN string that uniquely identiﬁes the endpoint.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When you pass the logical ID of an AWS::DMS::ReplicationTask resource to the intrinsic Ref
function, the function returns the replication task ARN.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myReplicationTask": {
"Type": "AWS::DMS::ReplicationTask",
"Properties": {
"SourceEndpointArn": 11,
"TargetEndpointArn": "12ff",
"ReplicationInstanceArn": "ert1",
"MigrationType": "full-load",
"TableMappings": "{ \"rules\": [ { \"rule-type\": \"selection\", \"rule-id\":
\"1\", \"rule-name\": \"1\", \"object-locator\": { \"schema-name\": \"%\", \"table-name\":
\"%\" }, \"rule-action\": \"include\" } ] }"
}

API Version 2010-05-15
847

AWS CloudFormation User Guide
AWS::DynamoDB::Table

}

}

}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
myReplicationTask:
Type: AWS::DMS::ReplicationTask
Properties:
SourceEndpointArn: !Ref SourceEndpoint
TargetEndpointArn: !Ref TargetEndpoint
ReplicationInstanceArn: !Ref ReplicationInstance
MigrationType: "full-load"
TableMappings: "{
\"rules\": [
{
\"rule-type\": \"selection\",
\"rule-id\": \"1\",
\"rule-name\": \"1\",
\"object-locator\": {
\"schema-name\": \"%\",
\"table-name\": \"%\"
},
\"rule-action\": \"include\"
}
]
}"

See Also
• CreateReplicationTask in the AWS Database Migration Service API Reference.
• AWS CloudFormation Stacks Updates (p. 118)

AWS::DynamoDB::Table
The AWS::DynamoDB::Table resource creates a DynamoDB table. For more information, see
CreateTable in the Amazon DynamoDB API Reference.
You should be aware of the following behaviors when working with DynamoDB tables:
• AWS CloudFormation typically creates DynamoDB tables in parallel. However, if your template includes
multiple DynamoDB tables with indexes, you must declare dependencies so that the tables are created
sequentially. Amazon DynamoDB limits the number of tables with secondary indexes that are in
the creating state. If you create multiple tables with indexes at the same time, DynamoDB returns
an error and the stack operation fails. For an example, see DynamoDB Table with a DependsOn
Attribute (p. 856).
• Updates to AWS::DynamoDB::Table resources that are associated with
AWS::ApplicationAutoScaling::ScalableTarget resources will always result in an update
failure and then an update rollback failure. The following ScalableDimension attributes cause this
problem when associated with the table:
• dynamodb:table:ReadCapacityUnits
• dynamodb:table:WriteCapacityUnits
• dynamodb:index:ReadCapacityUnits
• dynamodb:index:WriteCapacityUnits
API Version 2010-05-15
848

AWS CloudFormation User Guide
AWS::DynamoDB::Table

As a workaround, please deregister scalable targets before performing updates to
AWS::DynamoDB::Table resources.
Topics
• Syntax (p. 849)
• Properties (p. 850)
• Return Values (p. 852)
• Examples (p. 852)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::DynamoDB::Table",
"Properties" : {
"AttributeDefinitions" : [ AttributeDefinition, ... ],
"GlobalSecondaryIndexes" : [ GlobalSecondaryIndexes, ... ],
"KeySchema" : [ KeySchema, ... ],
"LocalSecondaryIndexes" : [ LocalSecondaryIndexes, ... ],
"PointInTimeRecoverySpecification" : PointInTimeRecoverySpecification (p. 1806),
"ProvisionedThroughput" : ProvisionedThroughput,
"SSESpecification" : SSESpecification,
"StreamSpecification" : StreamSpecification,
"TableName" : String,
"Tags" : [ Resource Tag, ... ],
"TimeToLiveSpecification" : TimeToLiveSpecification (p. 1810)
}

YAML
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeDefinition
GlobalSecondaryIndexes:
- GlobalSecondaryIndexes
KeySchema:
- KeySchema
LocalSecondaryIndexes:
- LocalSecondaryIndexes
PointInTimeRecoverySpecification:
PointInTimeRecoverySpecification (p. 1806)
ProvisionedThroughput:
ProvisionedThroughput
SSESpecification:
SSESpecification
StreamSpecification:
StreamSpecification
TableName: String
Tags:
- Resource Tag
TimeToLiveSpecification:
TimeToLiveSpecification (p. 1810)

API Version 2010-05-15
849

AWS CloudFormation User Guide
AWS::DynamoDB::Table

Properties
AttributeDefinitions
A list of attributes that describe the key schema for the table and indexes. Duplicates are allowed.
Required: Yes
Type: List of DynamoDB Table AttributeDeﬁnition (p. 1802)
Update requires: Some interruptions (p. 119). Replacement if you edit an existing
AttributeDefinition.
GlobalSecondaryIndexes
Global secondary indexes to be created on the table. You can create up to 5 global secondary
indexes.

Important

If you update a table to include a new global secondary index, AWS CloudFormation
initiates the index creation and then proceeds with the stack update. AWS CloudFormation
doesn't wait for the index to complete creation because the backﬁlling phase can take
a long time, depending on the size of the table. You can't use the index or update the
table until the index's status is ACTIVE. You can track its status by using the DynamoDB
DescribeTable command.
If you add or delete an index during an update, we recommend that you don't update any
other resources. If your stack fails to update and is rolled back while adding a new index,
you must manually delete the index.
Required: No
Type: List of DynamoDB Table GlobalSecondaryIndex (p. 1803)
Update requires: Updates are not supported. The following are exceptions:
• If you update only the provisioned throughput values of global secondary indexes, you can update
the table without interruption (p. 118).
• You can delete or add one global secondary index without interruption (p. 118). If you do both in
the same update (for example, by changing the index's logical ID), the update fails.
KeySchema
Speciﬁes the attributes that make up the primary key for the table. The attributes in the KeySchema
property must also be deﬁned in the AttributeDefinitions property.
Required: Yes
Type: List of DynamoDB Table KeySchema (p. 1804)
Update requires: Replacement (p. 119)
LocalSecondaryIndexes
Local secondary indexes to be created on the table. You can create up to 5 local secondary indexes.
Each index is scoped to a given hash key value. The size of each hash key can be up to 10 gigabytes.
Required: No
Type: List of DynamoDB Table LocalSecondaryIndex (p. 1805)
Update requires: Replacement (p. 119)
PointInTimeRecoverySpecification
The settings used to enable point in time recovery.
API Version 2010-05-15
850

AWS CloudFormation User Guide
AWS::DynamoDB::Table

Required: No
Type: DynamoDB Table PointInTimeRecoverySpeciﬁcation (p. 1806)
Update requires: No interruption (p. 118)
ProvisionedThroughput
Throughput for the speciﬁed table, which consists of values for ReadCapacityUnits and
WriteCapacityUnits. For more information about the contents of a provisioned throughput
structure, see Amazon DynamoDB Table ProvisionedThroughput (p. 1808).
Required: Yes
Type: DynamoDB Table ProvisionedThroughput (p. 1808)
Update requires: No interruption (p. 118)
SSESpecification
Speciﬁes the settings to enable server-side encryption.
Required: No
Type: DynamoDB SSESpeciﬁcation (p. 1809)
Update requires: Some interruptions (p. 119)
StreamSpecification
The settings for the DynamoDB table stream, which capture changes to items stored in the table.
Required: No
Type: DynamoDB Table StreamSpeciﬁcation (p. 1809)
Update requires: No interruption (p. 118) to the table. However, the stream is replaced.
TableName
A name for the table. If you don't specify a name, AWS CloudFormation generates a unique physical
ID and uses that ID for the table name. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
Tags
Speciﬁes an arbitrary set of tags (key–value pairs) to associate with this table. Use tags to manage
your resources.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
TimeToLiveSpecification
Speciﬁes the Time to Live (TTL) settings for the table.
API Version 2010-05-15
851

AWS CloudFormation User Guide
AWS::DynamoDB::Table

Required: No
Type: DynamoDB Table TimeToLiveSpeciﬁcation (p. 1810)
Update requires: No interruption (p. 118)

Note

For detailed information about the limits in DynamoDB, see Limits in Amazon DynamoDB in the
Amazon DynamoDB Developer Guide.

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "MyResource" }

For the resource with the logical ID myDynamoDBTable, Ref will return the DynamoDB table name.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon Resource Name (ARN) of the DynamoDB table, such as arn:aws:dynamodb:useast-2:123456789012:table/myDynamoDBTable.
StreamArn
The ARN of the DynamoDB stream, such as arn:aws:dynamodb:useast-1:123456789012:table/testddbstack-myDynamoDBTable-012A1SL7SMP5Q/
stream/2015-11-30T20:10:00.000.

Note

You must specify the StreamSpecification property to use this attribute.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
DynamoDB Table with Local and Secondary Indexes
The following sample creates an DynamoDB table with Album, Artist, Sales, NumberOfSongs as
attributes. The primary key includes the Album attribute as the hash key and Artist attribute as the
range key. The table also includes two global and one secondary index. For querying the number of sales
for a given artist, the global secondary index uses the Sales attribute as the hash key and the Artist
attribute as the range key.
For querying the sales based on the number of songs, the global secondary index uses the
NumberOfSongs attribute as the hash key and the Sales attribute as the range key.
API Version 2010-05-15
852

AWS CloudFormation User Guide
AWS::DynamoDB::Table

For querying the sales of an album, the local secondary index uses the same hash key as the table but
uses the Sales attribute as the range key.

JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myDynamoDBTable" : {
"Type" : "AWS::DynamoDB::Table",
"Properties" : {
"AttributeDefinitions" : [
{
"AttributeName" : "Album",
"AttributeType" : "S"
},
{
"AttributeName" : "Artist",
"AttributeType" : "S"
},
{
"AttributeName" : "Sales",
"AttributeType" : "N"
},
{
"AttributeName" : "NumberOfSongs",
"AttributeType" : "N"
}
],
"KeySchema" : [
{
"AttributeName" : "Album",
"KeyType" : "HASH"
},
{
"AttributeName" : "Artist",
"KeyType" : "RANGE"
}
],
"ProvisionedThroughput" : {
"ReadCapacityUnits" : "5",
"WriteCapacityUnits" : "5"
},
"TableName" : "myTableName",
"GlobalSecondaryIndexes" : [{
"IndexName" : "myGSI",
"KeySchema" : [
{
"AttributeName" : "Sales",
"KeyType" : "HASH"
},
{
"AttributeName" : "Artist",
"KeyType" : "RANGE"
}
],
"Projection" : {
"NonKeyAttributes" : ["Album","NumberOfSongs"],
"ProjectionType" : "INCLUDE"
},
"ProvisionedThroughput" : {
"ReadCapacityUnits" : "5",
"WriteCapacityUnits" : "5"
}
},

API Version 2010-05-15
853

AWS CloudFormation User Guide
AWS::DynamoDB::Table
{

}

}

}

}

"IndexName" : "myGSI2",
"KeySchema" : [
{
"AttributeName" : "NumberOfSongs",
"KeyType" : "HASH"
},
{
"AttributeName" : "Sales",
"KeyType" : "RANGE"
}
],
"Projection" : {
"NonKeyAttributes" : ["Album","Artist"],
"ProjectionType" : "INCLUDE"
},
"ProvisionedThroughput" : {
"ReadCapacityUnits" : "5",
"WriteCapacityUnits" : "5"
}
}],
"LocalSecondaryIndexes" :[{
"IndexName" : "myLSI",
"KeySchema" : [
{
"AttributeName" : "Album",
"KeyType" : "HASH"
},
{
"AttributeName" : "Sales",
"KeyType" : "RANGE"
}
],
"Projection" : {
"NonKeyAttributes" : ["Artist","NumberOfSongs"],
"ProjectionType" : "INCLUDE"
}
}]

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
myDynamoDBTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
AttributeName: "Album"
AttributeType: "S"
AttributeName: "Artist"
AttributeType: "S"
AttributeName: "Sales"
AttributeType: "N"
AttributeName: "NumberOfSongs"
AttributeType: "N"
KeySchema:

API Version 2010-05-15
854

AWS CloudFormation User Guide
AWS::DynamoDB::Table
-

AttributeName: "Album"
KeyType: "HASH"

AttributeName: "Artist"
KeyType: "RANGE"
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
TableName: "myTableName"
GlobalSecondaryIndexes:
IndexName: "myGSI"
KeySchema:
AttributeName: "Sales"
KeyType: "HASH"
AttributeName: "Artist"
KeyType: "RANGE"
Projection:
NonKeyAttributes:
- "Album"
- "NumberOfSongs"
ProjectionType: "INCLUDE"
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
IndexName: "myGSI2"
KeySchema:
AttributeName: "NumberOfSongs"
KeyType: "HASH"
AttributeName: "Sales"
KeyType: "RANGE"
Projection:
NonKeyAttributes:
- "Album"
- "Artist"
ProjectionType: "INCLUDE"
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
LocalSecondaryIndexes:
IndexName: "myLSI"
KeySchema:
AttributeName: "Album"
KeyType: "HASH"
AttributeName: "Sales"
KeyType: "RANGE"
Projection:
NonKeyAttributes:
- "Artist"
- "NumberOfSongs"
ProjectionType: "INCLUDE"

API Version 2010-05-15
855

AWS CloudFormation User Guide
AWS::DynamoDB::Table

DynamoDB Table with a DependsOn Attribute
If you include multiple DynamoDB tables with indexes in a single template, you must include
dependencies so that the tables are created sequentially. DynamoDB limits the number of tables with
secondary indexes that are in the creating state. If you create multiple tables with indexes at the same
time, DynamoDB returns an error and the stack operation fails.
The following sample assumes that the myFirstDDBTable table is declared in the same template as the
mySecondDDBTable table, and both tables include a secondary index. The mySecondDDBTable table
includes a dependency on the myFirstDDBTable table so that AWS CloudFormation creates the tables
one at a time.

JSON
"mySecondDDBTable" : {
"Type" : "AWS::DynamoDB::Table",
"DependsOn" : "myFirstDDBTable" ,
"Properties" : {
"AttributeDefinitions" : [
{
"AttributeName" : "ArtistId",
"AttributeType" : "S"
},
{
"AttributeName" : "Concert",
"AttributeType" : "S"
},
{
"AttributeName" : "TicketSales",
"AttributeType" : "S"
}
],
"KeySchema" : [
{
"AttributeName" : "ArtistId",
"KeyType" : "HASH"
},
{
"AttributeName" : "Concert",
"KeyType" : "RANGE"
}
],
"ProvisionedThroughput" : {
"ReadCapacityUnits" : {"Ref" : "ReadCapacityUnits"},
"WriteCapacityUnits" : {"Ref" : "WriteCapacityUnits"}
},
"GlobalSecondaryIndexes" : [{
"IndexName" : "myGSI",
"KeySchema" : [
{
"AttributeName" : "TicketSales",
"KeyType" : "HASH"
}
],
"Projection" : {
"ProjectionType" : "KEYS_ONLY"
},
"ProvisionedThroughput" : {
"ReadCapacityUnits" : {"Ref" : "ReadCapacityUnits"},
"WriteCapacityUnits" : {"Ref" : "WriteCapacityUnits"}
}
}],
"Tags": [
{

API Version 2010-05-15
856

AWS CloudFormation User Guide
AWS::DynamoDB::Table

}

}

]

}

"Key": "foo",
"Value": "bar"

YAML
mySecondDDBTable:
Type: AWS::DynamoDB::Table
DependsOn: "myFirstDDBTable"
Properties:
AttributeDefinitions:
AttributeName: "ArtistId"
AttributeType: "S"
AttributeName: "Concert"
AttributeType: "S"
AttributeName: "TicketSales"
AttributeType: "S"
KeySchema:
AttributeName: "ArtistId"
KeyType: "HASH"
AttributeName: "Concert"
KeyType: "RANGE"
ProvisionedThroughput:
ReadCapacityUnits:
Ref: "ReadCapacityUnits"
WriteCapacityUnits:
Ref: "WriteCapacityUnits"
GlobalSecondaryIndexes:
IndexName: "myGSI"
KeySchema:
AttributeName: "TicketSales"
KeyType: "HASH"
Projection:
ProjectionType: "KEYS_ONLY"
ProvisionedThroughput:
ReadCapacityUnits:
Ref: "ReadCapacityUnits"
WriteCapacityUnits:
Ref: "WriteCapacityUnits"
Tags:
- Key: foo
Value: bar

DynamoDB Table with Application Auto Scaling
This example sets up Application Auto Scaling for a AWS::DynamoDB::Table resource. The template
deﬁnes a TargetTrackingScaling scaling policy that scales up the WriteCapacityUnits
throughput for the table.

JSON
{

API Version 2010-05-15
857

AWS CloudFormation User Guide
AWS::DynamoDB::Table
"Resources": {
"DDBTable": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "ArtistId",
"AttributeType": "S"
},
{
"AttributeName": "Concert",
"AttributeType": "S"
},
{
"AttributeName": "TicketSales",
"AttributeType": "S"
}
],
"KeySchema": [
{
"AttributeName": "ArtistId",
"KeyType": "HASH"
},
{
"AttributeName": "Concert",
"KeyType": "RANGE"
}
],
"GlobalSecondaryIndexes": [
{
"IndexName": "GSI",
"KeySchema": [
{
"AttributeName": "TicketSales",
"KeyType": "HASH"
}
],
"Projection": {
"ProjectionType": "KEYS_ONLY"
},
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}
}
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}
}
},
"WriteCapacityScalableTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {
"MaxCapacity": 15,
"MinCapacity": 5,
"ResourceId": { "Fn::Join": [
"/",
[
"table",
{ "Ref": "DDBTable" }
]
] },
"RoleARN": {
"Fn::GetAtt": ["ScalingRole", "Arn"]

API Version 2010-05-15
858

AWS CloudFormation User Guide
AWS::DynamoDB::Table
},
"ScalableDimension": "dynamodb:table:WriteCapacityUnits",
"ServiceNamespace": "dynamodb"

}
},
"ScalingRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"application-autoscaling.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:UpdateTable",
"cloudwatch:PutMetricAlarm",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:SetAlarmState",
"cloudwatch:DeleteAlarms"
],
"Resource": "*"
}
]
}
}
]
}
},
"WriteScalingPolicy": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties": {
"PolicyName": "WriteAutoScalingPolicy",
"PolicyType": "TargetTrackingScaling",
"ScalingTargetId": {
"Ref": "WriteCapacityScalableTarget"
},
"TargetTrackingScalingPolicyConfiguration": {
"TargetValue": 50.0,
"ScaleInCooldown": 60,
"ScaleOutCooldown": 60,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "DynamoDBWriteCapacityUtilization"
}
}

API Version 2010-05-15
859

AWS CloudFormation User Guide
AWS::DynamoDB::Table

}

}

}

}

YAML
Resources:
DDBTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
AttributeName: "ArtistId"
AttributeType: "S"
AttributeName: "Concert"
AttributeType: "S"
AttributeName: "TicketSales"
AttributeType: "S"
KeySchema:
AttributeName: "ArtistId"
KeyType: "HASH"
AttributeName: "Concert"
KeyType: "RANGE"
GlobalSecondaryIndexes:
IndexName: "GSI"
KeySchema:
AttributeName: "TicketSales"
KeyType: "HASH"
Projection:
ProjectionType: "KEYS_ONLY"
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
WriteCapacityScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 15
MinCapacity: 5
ResourceId: !Join
- /
- - table
- !Ref DDBTable
RoleARN: !GetAtt ScalingRole.Arn
ScalableDimension: dynamodb:table:WriteCapacityUnits
ServiceNamespace: dynamodb
ScalingRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:

API Version 2010-05-15
860

AWS CloudFormation User Guide
AWS::EC2::CustomerGateway
Service:
- application-autoscaling.amazonaws.com
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action:
- "dynamodb:DescribeTable"
- "dynamodb:UpdateTable"
- "cloudwatch:PutMetricAlarm"
- "cloudwatch:DescribeAlarms"
- "cloudwatch:GetMetricStatistics"
- "cloudwatch:SetAlarmState"
- "cloudwatch:DeleteAlarms"
Resource: "*"
WriteScalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: WriteAutoScalingPolicy
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref WriteCapacityScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 50.0
ScaleInCooldown: 60
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: DynamoDBWriteCapacityUtilization

AWS::EC2::CustomerGateway
Provides information to AWS about your VPN customer gateway device.
Topics
• Syntax (p. 861)
• Properties (p. 862)
• Return Value (p. 863)
• Example (p. 863)
• See Also (p. 863)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::EC2::CustomerGateway",
"Properties" : {
"BgpAsn (p. 862)" : Number,
"IpAddress (p. 862)" : String,

API Version 2010-05-15
861

AWS CloudFormation User Guide
AWS::EC2::CustomerGateway

}

}

"Tags" : [ Resource Tag, ... ],
"Type (p. 862)" : String

YAML
Type: AWS::EC2::CustomerGateway
Properties:
BgpAsn (p. 862): Number
IpAddress (p. 862): String
Tags:
Resource Tag
Type (p. 862): String

Properties
BgpAsn
The customer gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN).
Required: Yes
Type: Number BgpAsn is always an integer value.
Update requires: Replacement (p. 119)
IpAddress
The internet-routable IP address for the customer gateway's outside interface. The address must be
static.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Tags
The tags that you want to attach to the resource.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106).
Update requires: No interruption (p. 118).
Type
The type of VPN connection that this customer gateway supports.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Example: ipsec.1
API Version 2010-05-15
862

AWS CloudFormation User Guide
AWS::EC2::DHCPOptions

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "MyResource" }

For the resource with the logical ID "MyResource", Ref will return the AWS resource name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myCustomerGateway" : {
"Type" : "AWS::EC2::CustomerGateway",
"Properties" : {
"Type" : "ipsec.1",
"BgpAsn" : "64000",
"IpAddress" : "1.1.1.1"
}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
myCustomerGateway:
Type: AWS::EC2::CustomerGateway
Properties:
Type: ipsec.1
BgpAsn: 64000
IpAddress: 1.1.1.1

See Also
• CreateCustomerGateway in the Amazon EC2 API Reference.

AWS::EC2::DHCPOptions
Creates a set of DHCP options for your VPC.
For more information, see CreateDhcpOptions in the Amazon EC2 API Reference.
Topics
• Syntax (p. 864)
• Properties (p. 864)
• Conditional Properties (p. 866)
API Version 2010-05-15
863

AWS CloudFormation User Guide
AWS::EC2::DHCPOptions

• Return Values (p. 866)
• Example (p. 866)
• See Also (p. 867)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::DHCPOptions",
"Properties" : {
"DomainName (p. 864)" : String,
"DomainNameServers (p. 864)" : [ String, ... ],
"NetbiosNameServers (p. 865)" : [ String, ... ],
"NetbiosNodeType (p. 865)" : Number,
"NtpServers (p. 865)" : [ String, ... ],
"Tags (p. 865)" : [ Resource Tag, ... ]
}

YAML
Type: AWS::EC2::DHCPOptions
Properties:
DomainName (p. 864): String
DomainNameServers (p. 864):
- String
NetbiosNameServers (p. 865):
- String
NetbiosNodeType (p. 865): Number
NtpServers (p. 865):
- String
Tags (p. 865):
-Resource Tag

Properties
DomainName
A domain name of your choice.
Required: Conditional; see note (p. 866).
Type: String
Update requires: Replacement (p. 119)
Example: "example.com"
DomainNameServers
The IP (IPv4) address of a domain name server. You can specify up to four addresses.
Required: Conditional; see note (p. 866).
API Version 2010-05-15
864

AWS CloudFormation User Guide
AWS::EC2::DHCPOptions

Type: List of String values
Update requires: Replacement (p. 119)
Example: "DomainNameServers" : [ "10.0.0.1", "10.0.0.2" ]
Example: To preserve the order of IP addresses, specify a comma delimited list as a single string:
"DomainNameServers" : [ "10.0.0.1, 10.0.0.2" ]
NetbiosNameServers
The IP address (IPv4) of a NetBIOS name server. You can specify up to four addresses.
Required: Conditional; see note (p. 866).
Type: List of String values
Update requires: Replacement (p. 119)
Example: "NetbiosNameServers" : [ "10.0.0.1", "10.0.0.2" ]
Example: To preserve the order of IP addresses, specify a comma delimited list as a single string:
"NetbiosNameServers" : [ "10.0.0.1, 10.0.0.2" ]
NetbiosNodeType
An integer value indicating the NetBIOS node type:
• 1: Broadcast ("B")
• 2: Point-to-point ("P")
• 4: Mixed mode ("M")
• 8: Hybrid ("H")
For more information about these values and about NetBIOS node types, see RFC 2132, RFC 1001,
and RFC 1002. We recommend that you use only the value 2 at this time (broadcast and multicast
are not currently supported).
Required: Required if NetBiosNameServers is speciﬁed; optional otherwise.
Type: List of numbers
Update requires: Replacement (p. 119)
Example: "NetbiosNodeType" : 2
NtpServers
The IP address (IPv4) of a Network Time Protocol (NTP) server. You can specify up to four addresses.
Required: Conditional; see note (p. 866).
Type: List of String values
Update requires: Replacement (p. 119)
Example: "NtpServers" : [ "10.0.0.1" ]
Example: To preserve the order of IP addresses, specify a comma delimited list as a single string:
"NtpServers" : [ "10.0.0.1, 10.0.0.2" ]
Tags
An arbitrary set of tags (key–value pairs) for this resource.
Required: No
API Version 2010-05-15
865

AWS CloudFormation User Guide
AWS::EC2::DHCPOptions

Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).

Conditional Properties
At least one of the following properties must be speciﬁed:
• DomainNameServers (p. 864)
• NetbiosNameServers (p. 865)
• NtpServers (p. 865)
After this condition has been fulﬁlled, the rest of these properties are optional.
If you specify NetbiosNameServers, then NetbiosNodeType is required.

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myDhcpOptions" : {
"Type" : "AWS::EC2::DHCPOptions",
"Properties" : {
"DomainName" : "example.com",
"DomainNameServers" : [ "AmazonProvidedDNS" ],
"NtpServers" : [ "10.2.5.1" ],
"NetbiosNameServers" : [ "10.2.5.1" ],
"NetbiosNodeType" : 2,
"Tags" : [ { "Key" : "foo", "Value" : "bar" } ]
}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
myDhcpOptions:
Type: AWS::EC2::DHCPOptions
Properties:
DomainName: example.com
DomainNameServers:
- AmazonProvidedDNS
NtpServers:

API Version 2010-05-15
866

AWS CloudFormation User Guide
AWS::EC2::EgressOnlyInternetGateway
- 10.2.5.1
NetbiosNameServers:
- 10.2.5.1
NetbiosNodeType: 2
Tags:
Key: foo
Value: bar

See Also
• CreateDhcpOptions in the Amazon EC2 API Reference
• Using Tags in the Amazon Elastic Compute Cloud User Guide.
• RFC 2132 - DHCP Options and BOOTP Vendor Extensions, Network Working Group, 1997
• RFC 1001 - Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods,
Network Working Group, 1987
• RFC 1002 - Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Detailed Speciﬁcations,
Network Working Group, 1987

AWS::EC2::EgressOnlyInternetGateway
The AWS::EC2::EgressOnlyInternetGateway resource creates an egress-only Internet gateway for
your VPC (over IPv6 only). An egress-only Internet gateway enables outbound communication over IPv6
from instances in your VPC to the Internet. It also prevents hosts outside of your VPC from initiating an
IPv6 connection with your instance.
Topics
• Syntax (p. 867)
• Properties (p. 868)
• Return Values (p. 868)
• Example (p. 868)
• More Info (p. 868)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::EC2::EgressOnlyInternetGateway",
"Properties": {
"VpcId": String
}

YAML
Type: AWS::EC2::EgressOnlyInternetGateway
Properties:
VpcId: String

API Version 2010-05-15
867

AWS CloudFormation User Guide
AWS::EC2::EIP

Properties
VpcId
The ID of the VPC for which to create the egress-only Internet gateway.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ID of the
egress-only Internet gateway (the physical resource ID).
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates an egress-only Internet gateway for the speciﬁed VPC.

JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myEgressOnlyInternetGateway": {
"Type": "AWS::EC2::EgressOnlyInternetGateway",
"Properties": {
"VpcId": "vpc-1a2b3c4d"
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
myEgressOnlyInternetGateway:
Type: AWS::EC2::EgressOnlyInternetGateway
Properties:
VpcId: vpc-1a2b3c4d

More Info
• CreateEgressOnlyInternetGateway in the Amazon EC2 API Reference.

AWS::EC2::EIP
The AWS::EC2::EIP resource allocates an Elastic IP (EIP) address and can, optionally, associate it with an
Amazon EC2 instance.
API Version 2010-05-15
868

AWS CloudFormation User Guide
AWS::EC2::EIP

Topics
• Syntax (p. 869)
• Properties (p. 869)
• Return Values (p. 870)
• Examples (p. 870)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::EIP",
"Properties" : {
"InstanceId (p. 869)" : String,
"Domain (p. 869)" : String
}

YAML
Type: AWS::EC2::EIP
Properties:
InstanceId (p. 869): String
Domain (p. 869): String

Properties
InstanceId
The Instance ID of the Amazon EC2 instance that you want to associate with this Elastic IP address.
Required: No
Type: String
Update requires: No interruption (p. 118)
Domain
Set to vpc to allocate the address to your Virtual Private Cloud (VPC). No other values are
supported.

Note

If you deﬁne an Elastic IP address and associate it with a VPC that is deﬁned in the
same template, you must declare a dependency on the VPC-gateway attachment by
using the DependsOn attribute on this resource. For more information, see DependsOn
Attribute (p. 2250).
For more information, see AllocateAddress in the Amazon EC2 API Reference. For more information
about Elastic IP Addresses in VPC, go to IP Addressing in Your VPC in the Amazon VPC User Guide.
Required: Conditional. Required when allocating an address to a VPC
API Version 2010-05-15
869

AWS CloudFormation User Guide
AWS::EC2::EIPAssociation

Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you specify the logical ID of an AWS::EC2::EIP object as an argument to the Ref function, AWS
CloudFormation returns the value of the instance's PublicIp.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
AllocationId
The ID that AWS assigns to represent the allocation of the address for use with Amazon VPC. This is
returned only for VPC elastic IP addresses. Example return value: eipalloc-5723d13e
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
To view AWS::EC2::EIP snippets, see Assigning an Amazon EC2 Elastic IP Using AWS::EC2::EIP
Snippet (p. 339).

AWS::EC2::EIPAssociation
The AWS::EC2::EIPAssociation resource type associates an Elastic IP address with an Amazon EC2
instance. The Elastic IP address can be an existing Elastic IP address or an Elastic IP address allocated
through an AWS::EC2::EIP resource (p. 868).
For more information EC2-Classic and EC2-VPC, see AssociateAddress in the Amazon EC2 API Reference.
Topics
• Syntax (p. 870)
• Properties (p. 871)
• Return Values (p. 872)
• Examples (p. 872)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type": "AWS::EC2::EIPAssociation",

API Version 2010-05-15
870

AWS CloudFormation User Guide
AWS::EC2::EIPAssociation

}

"Properties": {
"AllocationId (p. 871)": String,
"EIP (p. 871)": String,
"InstanceId (p. 871)": String,
"NetworkInterfaceId (p. 872)": String,
"PrivateIpAddress (p. 872)": String
}

YAML
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId (p. 871): String
EIP (p. 871): String
InstanceId (p. 871): String
NetworkInterfaceId (p. 872): String
PrivateIpAddress (p. 872): String

Properties
AllocationId
[EC2-VPC] Allocation ID for the VPC Elastic IP address you want to associate with an Amazon EC2
instance in your VPC.
Required: Conditional. Required for EC2-VPC.
Type: String
Update requires: Replacement (p. 119) if you also change the InstanceId or
NetworkInterfaceId property. If not, update requires No interruption (p. 118).
EIP
Elastic IP address that you want to associate with the Amazon EC2 instance speciﬁed by the
InstanceId property. You can specify an existing Elastic IP address or a reference to an Elastic IP
address allocated with a AWS::EC2::EIP resource (p. 868).
Required: Conditional. Required for EC2-Classic.
Type: String
Update requires: Replacement (p. 119) if you also change the InstanceId or
NetworkInterfaceId property. If not, update requires No interruption (p. 118).
InstanceId
Instance ID of the Amazon EC2 instance that you want to associate with the Elastic IP address
speciﬁed by the EIP property. If the instance has more than one network interface, you must specify
a network interface ID.
Required: Conditional. If you specify the EIP property, you must specify this property. If you specify
the AllocationId property, you must specify this property or the NetworkInterfaceId
property.
Type: String
Update requires: Replacement (p. 119) if you also change the AllocationId or EIP property. If not,
update requires No interruption (p. 118).
API Version 2010-05-15
871

AWS CloudFormation User Guide
AWS::EC2::EIPAssociation

NetworkInterfaceId
[EC2-VPC] The ID of the network interface to associate with the Elastic IP address. If the instance has
more than one network interface, you must specify a network interface ID.
Required: Conditional. If you specify the AllocationId property, you must specify this property or
the InstanceId property.
Type: String
Update requires: Replacement (p. 119) if you also change the AllocationId or EIP property. If not,
update requires No interruption (p. 118).
PrivateIpAddress
[EC2-VPC] The private IP address that you want to associate with the Elastic IP address. The private
IP address is restricted to the primary and secondary private IP addresses that are associated with
the network interface. By default, the private IP address that is associated with the EIP is the primary
private IP address of the network interface.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Examples
The following example creates an instance with two elastic network interfaces (ENI). The example
assumes that you have an existing VPC.
For additional examples, see Assigning an Amazon EC2 Elastic IP Using AWS::EC2::EIP Snippet (p. 339).

JSON
"Resources" : {
"ControlPortAddress" : {
"Type" : "AWS::EC2::EIP",
"Properties" : {
"Domain" : "vpc"
}
},
"AssociateControlPort" : {
"Type" : "AWS::EC2::EIPAssociation",
"Properties" : {
"AllocationId" : { "Fn::GetAtt" : [ "ControlPortAddress", "AllocationId" ]},
"NetworkInterfaceId" : { "Ref" : "controlXface" }
}
},
"WebPortAddress" : {

API Version 2010-05-15
872

AWS CloudFormation User Guide
AWS::EC2::EIPAssociation
"Type" : "AWS::EC2::EIP",
"Properties" : {
"Domain" : "vpc"
}

},
"AssociateWebPort" : {
"Type" : "AWS::EC2::EIPAssociation",
"Properties" : {
"AllocationId" : { "Fn::GetAtt" : [ "WebPortAddress", "AllocationId" ]},
"NetworkInterfaceId" : { "Ref" : "webXface" }
}
},
"SSHSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"VpcId" : { "Ref" : "VpcId" },
"GroupDescription" : "Enable SSH access via port 22",
"SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" :
"22", "CidrIp" : "0.0.0.0/0" } ]
}
},
"WebSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"VpcId" : { "Ref" : "VpcId" },
"GroupDescription" : "Enable HTTP access via user defined port",
"SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80,
"CidrIp" : "0.0.0.0/0" } ]
}
},
"controlXface" : {
"Type" : "AWS::EC2::NetworkInterface",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetId" },
"Description" :"Interface for control traffic such as SSH",
"GroupSet" : [ {"Ref" : "SSHSecurityGroup"} ],
"SourceDestCheck" : "true",
"Tags" : [ {"Key" : "Network", "Value" : "Control"}]
}
},
"webXface" : {
"Type" : "AWS::EC2::NetworkInterface",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetId" },
"Description" :"Interface for web traffic",
"GroupSet" : [ {"Ref" : "WebSecurityGroup"} ],
"SourceDestCheck" : "true",
"Tags" : [ {"Key" : "Network", "Value" : "Web"}]
}
},
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]},
"KeyName" : { "Ref" : "KeyName" },
"NetworkInterfaces" : [ { "NetworkInterfaceId" : {"Ref" : "controlXface"},
"DeviceIndex" : "0" },
{ "NetworkInterfaceId" : {"Ref" : "webXface"}, "DeviceIndex" : "1" }],
"Tags" : [ {"Key" : "Role", "Value" : "Test Instance"}],
"UserData" : {"Fn::Base64" : { "Fn::Join" : ["",[
"#!/bin/bash -ex","\n",
"\n","yum install ec2-net-utils -y","\n",
"ec2ifup eth1","\n",
"service httpd start"]]}
}
}

API Version 2010-05-15
873

AWS CloudFormation User Guide
AWS::EC2::EIPAssociation

}

}

YAML
Resources:
ControlPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateControlPort:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId: !GetAtt ControlPortAddress.AllocationId
NetworkInterfaceId: !Ref controlXface
WebPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateWebPort:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId: !GetAtt WebPortAddress.AllocationId
NetworkInterfaceId: !Ref webXface
SSHSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VpcId
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: 22
IpProtocol: tcp
ToPort: 22
WebSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VpcId
GroupDescription: Enable HTTP access via user defined port
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: 80
IpProtocol: tcp
ToPort: 80
controlXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId: !Ref SubnetId
Description: Interface for controlling traffic such as SSH
GroupSet:
- !Ref SSHSecurityGroup
SourceDestCheck: true
Tags:
Key: Network
Value: Control
webXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId: !Ref SubnetId
Description: Interface for controlling traffic such as SSH
GroupSet:
- !Ref WebSecurityGroup
SourceDestCheck: true

API Version 2010-05-15
874

AWS CloudFormation User Guide
AWS::EC2::FlowLog
Tags:
Key: Network
Value: Web
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: !FindInMap [ RegionMap, !Ref 'AWS::Region', AMI ]
KeyName: !Ref KeyName
NetworkInterfaces:
NetworkInterfaceId: !Ref controlXface
DeviceIndex: 0
NetworkInterfaceId: !Ref webXface
DeviceIndex: 1
Tags:
Key: Role
Value: Test Instance
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum install ec2-net-utils -y
ec2ifup eth1
service httpd start

AWS::EC2::FlowLog
The AWS::EC2::FlowLog resource creates an Amazon Elastic Compute Cloud (Amazon EC2) ﬂow
log that captures IP traﬃc for a speciﬁed network interface, subnet, or VPC. To view the log data, use
Amazon CloudWatch Logs (CloudWatch Logs) to help troubleshoot connection issues. For example,
you can use a ﬂow log to investigate why certain traﬃc isn't reaching an instance, which can help you
diagnose overly restrictive security group rules. For more information, see VPC Flow Logs in the Amazon
VPC User Guide.
Topics
• Syntax (p. 875)
• Properties (p. 876)
• Return Value (p. 877)
• Example (p. 877)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::FlowLog",
"Properties" : {
"DeliverLogsPermissionArn" : String,
"LogGroupName" : String,
"ResourceId" : String,
"ResourceType" : String,
"TrafficType" : String
}

API Version 2010-05-15
875

AWS CloudFormation User Guide
AWS::EC2::FlowLog

YAML
Type: AWS::EC2::FlowLog
Properties:
DeliverLogsPermissionArn : String
LogGroupName : String
ResourceId : String
ResourceType : String
TrafficType : String

Properties
DeliverLogsPermissionArn
The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that
permits Amazon EC2 to publish ﬂow logs to a CloudWatch Logs log group in your account.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
LogGroupName
The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your ﬂow
logs.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ResourceId
The ID of the subnet, network interface, or VPC for which you want to create a ﬂow log.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ResourceType
The type of resource that you speciﬁed in the ResourceId property. For example, if you speciﬁed
a VPC ID for the ResourceId property, specify VPC for this property. For valid values, see the
ResourceType parameter for the CreateFlowLogs action in the Amazon EC2 API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
TrafficType
The type of traﬃc to log. You can log traﬃc that the resource accepts or rejects, or all traﬃc. For
valid values, see the TrafficType parameter for the CreateFlowLogs action in the Amazon EC2 API
Reference.
Required: Yes
Type: String
API Version 2010-05-15
876

AWS CloudFormation User Guide
AWS::EC2::Host

Update requires: Replacement (p. 119)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ﬂow log ID,
such as fl-1a23b456.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a ﬂow log for the VPC called MyVPC and logs all traﬃc types. Amazon EC2
publishes the logs to the FlowLogsGroup log group.
"MyFlowLog" : {
"Type" : "AWS::EC2::FlowLog",
"Properties" : {
"DeliverLogsPermissionArn" : { "Fn::GetAtt" : ["FlowLogRole", "Arn"] },
"LogGroupName" : "FlowLogsGroup",
"ResourceId" : { "Ref" : "MyVPC" },
"ResourceType" : "VPC",
"TrafficType" : "ALL"
}
}

AWS::EC2::Host
The AWS::EC2::Host resource allocates a fully dedicated physical server for launching EC2 instances.
Because the host is fully dedicated for your use, it can help you address compliance requirements and
reduce costs by allowing you to use your existing server-bound software licenses. For more information,
see Dedicated Hosts in the Amazon EC2 User Guide for Linux Instances.
Topics
• Syntax (p. 877)
• Properties (p. 878)
• Return Value (p. 878)
• Example (p. 878)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::Host",
"Properties" : {
"AutoPlacement" : String,
"AvailabilityZone" : String,
"InstanceType" : String
}

API Version 2010-05-15
877

AWS CloudFormation User Guide
AWS::EC2::Host

YAML
Type: AWS::EC2::Host
Properties:
AutoPlacement: String
AvailabilityZone: String
InstanceType: String

Properties
AutoPlacement
Indicates if the host accepts EC2 instances with only matching conﬁgurations or if instances
must also specify the host ID. Instances that don't specify a host ID can't launch onto a host with
AutoPlacement set to off. By default, AWS CloudFormation sets this property to on. For more
information, see Understanding Instance Placement and Host Aﬃnity in the Amazon EC2 User Guide
for Linux Instances.
Required: No
Type: String
Update requires: No interruption (p. 118)
AvailabilityZone
The Availability Zone (AZ) in which to launch the dedicated host.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
InstanceType
The instance type that the dedicated host accepts. Only instances of this type can be launched onto
the host. For more information, see Supported Instance Types in the Amazon EC2 User Guide for
Linux Instances.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the host ID,
such as h-0ab123c45d67ef89.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example allocates a dedicated host for c3.large instances in the us-east-1a
Availability Zone.
API Version 2010-05-15
878

AWS CloudFormation User Guide
AWS::EC2::Instance

"Host" : {
"Type" : "AWS::EC2::Host",
"Properties" : {
"AutoPlacement" : "on",
"AvailabilityZone" : "us-east-1a",
"InstanceType" : "c3.large"
}
}

AWS::EC2::Instance
The AWS::EC2::Instance resource creates an EC2 instance.
If an Elastic IP address is attached to your instance, AWS CloudFormation reattaches the Elastic
IP address after it updates the instance. For more information about updating stacks, see AWS
CloudFormation Stacks Updates (p. 118).
Topics
• Syntax (p. 879)
• Properties (p. 880)
• Return Values (p. 887)
• Examples (p. 888)
• See Also (p. 890)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::EC2::Instance",
"Properties" : {
"Affinity" : String,
"AvailabilityZone" : String,
"BlockDeviceMappings" : [ EC2 Block Device Mapping, ... ],
"CreditSpecification" : CreditSpecification,
"DisableApiTermination" : Boolean,
"EbsOptimized" : Boolean,
"ElasticGpuSpecifications" : [ ElasticGpuSpecification, ... ],
"HostId" : String,
"IamInstanceProfile" : String,
"ImageId" : String,
"InstanceInitiatedShutdownBehavior" : String,
"InstanceType" : String,
"Ipv6AddressCount" : Integer,
"Ipv6Addresses" : [ IPv6 Address Type, ... ],
"KernelId" : String,
"KeyName" : String,
"LaunchTemplate" : Amazon EC2 Instance LaunchTemplateSpecification,
"Monitoring" : Boolean,
"NetworkInterfaces" : [ EC2 Network Interface, ... ],
"PlacementGroupName" : String,
"PrivateIpAddress" : String,
"RamdiskId" : String,
"SecurityGroupIds" : [ String, ... ],
"SecurityGroups" : [ String, ... ],

API Version 2010-05-15
879

AWS CloudFormation User Guide
AWS::EC2::Instance

}

}

"SourceDestCheck" : Boolean,
"SsmAssociations" : [ SSMAssociation, ... ],
"SubnetId" : String,
"Tags" : [ Resource Tag, ... ],
"Tenancy" : String,
"UserData" : String,
"Volumes" : [ EC2 MountPoint (p. 1838), ... ],
"AdditionalInfo" : String

YAML
Type: AWS::EC2::Instance
Properties:
Affinity: String
AvailabilityZone: String
BlockDeviceMappings:
- EC2 Block Device Mapping
CreditSpecification: CreditSpecification
DisableApiTermination: Boolean
EbsOptimized: Boolean
ElasticGpuSpecifications: [ ElasticGpuSpecification, ... ]
HostId: String
IamInstanceProfile: String
ImageId: String
InstanceInitiatedShutdownBehavior: String
InstanceType: String
Ipv6AddressCount: Integer
Ipv6Addresses:
- IPv6 Address Type
KernelId: String
KeyName: String
LaunchTemplate: Amazon EC2 Instance LaunchTemplateSpecification
Monitoring: Boolean
NetworkInterfaces:
- EC2 Network Interface
PlacementGroupName: String
PrivateIpAddress: String
RamdiskId: String
SecurityGroupIds:
- String
SecurityGroups:
- String
SourceDestCheck: Boolean
SsmAssociations:
- SSMAssociation
SubnetId: String
Tags:
- Resource Tag
Tenancy: String
UserData: String
Volumes:
- EC2 MountPoint
AdditionalInfo: String

Properties
Affinity
Indicates whether Amazon Elastic Compute Cloud (Amazon EC2) always associates the instance with
a dedicated host (p. 882). If you want Amazon EC2 to always restart the instance (if it was stopped)
API Version 2010-05-15
880

AWS CloudFormation User Guide
AWS::EC2::Instance

onto the same host on which it was launched, specify host. If you want Amazon EC2 to restart the
instance on any available host, but to try to launch the instance onto the last host it ran on (on a
best-eﬀort basis), specify default.
Required: No
Type: String
Update requires: No interruption (p. 118)
AvailabilityZone
Speciﬁes the name of the Availability Zone in which the instance is located.
For more information about AWS regions and Availability Zones, see Regions and Availability Zones
in the Amazon EC2 User Guide.
Required: No. If not speciﬁed, an Availability Zone will be automatically chosen for you based on the
load balancing criteria for the region.
Type: String
Update requires: Replacement (p. 119)
BlockDeviceMappings
Deﬁnes a set of Amazon Elastic Block Store block device mappings, ephemeral instance store block
device mappings, or both. For more information, see Amazon Elastic Block Store or Amazon EC2
Instance Store in the Amazon EC2 User Guide for Linux Instances.
Required: No
Type: A list of Amazon EC2 Block Device Mapping Property (p. 1811).
Update requires: Replacement (p. 119). If you change only the DeleteOnTermination property for
one or more block devices, update requires No interruption (p. 118).
CreditSpecification
Speciﬁes the credit option for CPU usage of a T2 instance.
Required: No
Type: Amazon EC2 Instance CreditSpeciﬁcation (p. 1814).
Update requires: No interruption (p. 118)
DisableApiTermination
Speciﬁes whether the instance can be terminated through the API.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
EbsOptimized
Speciﬁes whether the instance is optimized for Amazon Elastic Block Store I/O. This optimization
provides dedicated throughput to Amazon EBS and an optimized conﬁguration stack to provide
optimal EBS I/O performance.
For more information about the instance types that can be launched as Amazon EBS optimized
instances, see Amazon EBS-Optimized Instances in the Amazon Elastic Compute Cloud User Guide.
Additional fees are incurred when using Amazon EBS-optimized instances.
API Version 2010-05-15
881

AWS CloudFormation User Guide
AWS::EC2::Instance

Required: No. By default, AWS CloudFormation speciﬁes false.
Type: Boolean
Update requires:
• Update requires: Some interruptions (p. 119) for Amazon EBS-backed instances
• Update requires: Replacement (p. 119) for instance store-backed instances
ElasticGpuSpecifications
Speciﬁes the Elastic GPUs. An Elastic GPU is a GPU resource that you can attach to your instance to
accelerate the graphics performance of your applications. For more information, see Amazon EC2
Elastic GPUs in the Amazon EC2 User Guide for Windows Instances. Duplicates are not allowed.
Required: No
Type: List of Amazon EC2 Instance ElasticGpuSpeciﬁcation (p. 1815)
Update requires: Replacement (p. 119)
HostId
If you specify host for the Affinity property, the ID of a dedicated host that the instance is
associated with. If you don't specify an ID, Amazon EC2 launches the instance onto any available,
compatible dedicated host in your account. This type of launch is called an untargeted launch. Note
that for untargeted launches, you must have a compatible, dedicated host available to successfully
launch instances.
Required: No
Type: String
Update requires: No interruption (p. 118)
IamInstanceProfile
The name of an instance proﬁle or a reference to an AWS::IAM::InstanceProﬁle (p. 1188) resource.
For more information about IAM roles, see Working with Roles in the AWS Identity and Access
Management User Guide.
Required: No
Type: String
Update requires: No interruption (p. 118)
ImageId
Provides the unique ID of the Amazon Machine Image (AMI) that was assigned during registration.
Required: No
Type: String
Update requires: Replacement (p. 119)
InstanceInitiatedShutdownBehavior
Indicates whether an instance stops or terminates when you shut down the instance from the
instance's operating system shutdown command. You can specify stop or terminate. For more
information, see the RunInstances command in the Amazon EC2 API Reference.
Required: No
API Version 2010-05-15
882

AWS CloudFormation User Guide
AWS::EC2::Instance

Type: String
Update requires: No interruption (p. 118)
InstanceType
The instance type, such as t2.micro. The default type is m1.small. For a list of instance types, see
Instance Families and Types.
Required: No
Type: String
Update requires:
• Update requires: Some interruptions (p. 119) for Amazon EBS-backed instances
• Update requires: Replacement (p. 119) for instance store-backed instances
Ipv6AddressCount
The number of IPv6 addresses to associate with the instance's primary network interface. Amazon
EC2 automatically selects the IPv6 addresses from the subnet range. To specify speciﬁc IPv6
addresses, use the Ipv6Addresses property and don't specify this property.
For restrictions on which instance types support IPv6 addresses, see the RunInstances action in the
Amazon EC2 API Reference.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
Ipv6Addresses
One or more speciﬁc IPv6 addresses from the IPv6 CIDR block range of your subnet to associate
with the instance's primary network interface. To specify a number of IPv6 addresses, use the
Ipv6AddressCount property and don't specify this property.
For information about restrictions on which instance types support IPv6 addresses, see the
RunInstances action in the Amazon EC2 API Reference.
Required: No
Type: List of EC2 NetworkInterface Ipv6Addresses (p. 1844)
Update requires: Replacement (p. 119)
KernelId
The kernel ID.
Required: No
Type: String
Update requires:
• Update requires: Some interruptions (p. 119) for Amazon EBS-backed instances
• Update requires: Replacement (p. 119) for instance store-backed instances
KeyName
Provides the name of the Amazon EC2 key pair.
API Version 2010-05-15
883

AWS CloudFormation User Guide
AWS::EC2::Instance

Required: No
Type: String
Update requires: Replacement (p. 119)
LaunchTemplate
The launch template to use.
Required: No
Type: Amazon EC2 Instance LaunchTemplateSpeciﬁcation (p. 1816)
Update requires: Replacement (p. 119)
Monitoring
Speciﬁes whether detailed monitoring is enabled for the instance.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
NetworkInterfaces
A list of embedded objects that describes the network interfaces to associate with this instance.

Note

If you use this property to point to a network interface, you must terminate the original
interface before attaching a new one to allow the update of the instance to succeed.
If this resource has a public IP address and is also in a VPC that is deﬁned in the same
template, you must use the DependsOn attribute to declare a dependency on the VPCgateway attachment. For more information, see DependsOn Attribute (p. 2250).
Required: No
Type: A list of EC2 NetworkInterface Embedded Property Type (p. 1840)
Update requires: Replacement (p. 119)
PlacementGroupName
The name of an existing placement group that you want to launch the instance into (for cluster
instances).
Required: No
Type: String
Update requires: Replacement (p. 119)
PrivateIpAddress
The private IP address for this instance.

Important

If you make an update to an instance that requires replacement, you must assign a new
private IP address. During a replacement, AWS CloudFormation creates a new instance
but doesn't delete the old instance until the stack has successfully updated. If the stack
update fails, AWS CloudFormation uses the old instance in order to roll back the stack to
the previous working state. The old and new instances cannot have the same private IP
address.
API Version 2010-05-15
884

AWS CloudFormation User Guide
AWS::EC2::Instance

(Optional) If you're using Amazon VPC, you can use this parameter to assign the instance a speciﬁc
available IP address from the subnet (for example, 10.0.0.25). By default, Amazon VPC selects an IP
address from the subnet for the instance.
Required: No
Type: String
Update requires: Replacement (p. 119)
RamdiskId
The ID of the RAM disk to select. Some kernels require additional drivers at launch. Check the
kernel requirements for information about whether you need to specify a RAM disk. To ﬁnd kernel
requirements, go to the AWS Resource Center and search for the kernel ID.
Required: No
Type: String
Update requires:
• Update requires: Some interruptions (p. 119) for Amazon EBS-backed instances
• Update requires: Replacement (p. 119) for instance store-backed instances
SecurityGroupIds
A list that contains the security group IDs for VPC security groups to assign to the Amazon EC2
instance. If you speciﬁed the NetworkInterfaces property, do not specify this property.
Required: Conditional. Required for VPC security groups.
Type: List of String values
Update requires:
• Update requires: No interruption (p. 118) for instances that are in a VPC.
• Update requires: Replacement (p. 119) for instances that are not in a VPC.
SecurityGroups
Valid only for Amazon EC2 security groups. A list that contains the Amazon EC2 security groups
to assign to the Amazon EC2 instance. The list can contain both the name of existing Amazon EC2
security groups or references to AWS::EC2::SecurityGroup resources created in the template.
Required: No
Type: List of String values
Update requires: Replacement (p. 119).
SourceDestCheck
Controls whether source/destination checking is enabled on the instance. Also determines if an
instance in a VPC will perform network address translation (NAT).
A value of "true" means that source/destination checking is enabled, and a value of "false"
means that checking is disabled. For the instance to perform NAT, the value must be "false". For
more information, see NAT Instances in the Amazon Virtual Private Cloud User Guide.
Required: No
Type: Boolean
API Version 2010-05-15
885

AWS CloudFormation User Guide
AWS::EC2::Instance

Update requires: No interruption (p. 118)
SsmAssociations
The SSM document (p. 1507) and parameter values in AWS Systems Manager to associate with this
instance. To use this property, you must specify an IAM instance proﬁle role for the instance. For
more information, see Create an Instance Proﬁle for Systems Manager in the AWS Systems Manager
User Guide.

Note

You can currently associate only one document with an instance.
Required: No
Type: List of Amazon EC2 Instance SsmAssociations (p. 1818).
Update requires: No interruption (p. 118)
SubnetId
If you're using Amazon VPC, this property speciﬁes the ID of the subnet that you want to launch the
instance into. If you speciﬁed the NetworkInterfaces property, do not specify this property.
Required: No
Type: String
Update requires: Replacement (p. 119)
Tags
An arbitrary set of tags (key–value pairs) for this instance.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).
Tenancy
The tenancy of the instance that you want to launch, such as default, dedicated, or host. If you
specify a tenancy value of dedicated or host, you must launch the instance in a VPC. For more
information, see Dedicated Instances in the Amazon VPC User Guide.
Required: No
Type: String
Update requires:
• Update requires: No interruption (p. 118) if this property was set to dedicated and you change it
to host or vice versa.
• Update requires: Replacement (p. 119) for all other changes.
UserData
Base64-encoded MIME user data that is made available to the instances.
Required: No
Type: String
Update requires:
API Version 2010-05-15
886

AWS CloudFormation User Guide
AWS::EC2::Instance

• Update requires: Some interruptions (p. 119) for Amazon EBS-backed instances.

Note

For EBS-backed instances, changing the UserData stops and then starts the instance;
however, Amazon EC2 doesn't automatically run the updated UserData. To update
conﬁgurations on your instance, use the cfn-hup (p. 2337) helper script.
• Update requires: Replacement (p. 119) for instance store-backed instances.
Volumes
The Amazon EBS volumes to attach to the instance.

Note

Before detaching a volume, unmount any ﬁle systems on the device within your operating
system. If you don't unmount the ﬁle system, a volume might get stuck in a busy state while
detaching.
Required: No
Type: A list of EC2 MountPoints (p. 1838).
Update requires: No interruption (p. 118)
AdditionalInfo
Reserved.
Required: No
Type: String
Update requires:
• Update requires: Some interruptions (p. 119) for Amazon EBS-backed instances
• Update requires: Replacement (p. 119) for instance store-backed instances

Return Values
Ref
When you pass the logical ID of an AWS::EC2::Instance object to the intrinsic Ref function, the object's
InstanceId is returned. For example: i-1234567890abcdef0.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
AvailabilityZone
The Availability Zone where the speciﬁed instance is launched. For example: us-east-1b.
You can retrieve a list of all Availability Zones for a region by using the Fn::GetAZs (p. 2298)
intrinsic function.
PrivateDnsName
The private DNS name of the speciﬁed instance. For example: ip-10-24-34-0.ec2.internal.
API Version 2010-05-15
887

AWS CloudFormation User Guide
AWS::EC2::Instance

PublicDnsName
The public DNS name of the speciﬁed instance. For example:
ec2-107-20-50-45.compute-1.amazonaws.com.
PrivateIp
The private IP address of the speciﬁed instance. For example: 10.24.34.0.
PublicIp
The public IP address of the speciﬁed instance. For example: 192.0.2.0.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
EC2 Instance with an EBS Block Device Mapping
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Ec2 block device mapping",
"Resources" : {
"MyEC2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : "ami-79fd7eee",
"KeyName" : "testkey",
"BlockDeviceMappings" : [
{
"DeviceName" : "/dev/sdm",
"Ebs" : {
"VolumeType" : "io1",
"Iops" : "200",
"DeleteOnTermination" : "false",
"VolumeSize" : "20"
}
},
{
"DeviceName" : "/dev/sdk",
"NoDevice" : {}
}
]
}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Description: "Ec2 block device mapping"
Resources:
MyEC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: "ami-79fd7eee"
KeyName: "testkey"
BlockDeviceMappings:
- DeviceName: "/dev/sdm"

API Version 2010-05-15
888

AWS CloudFormation User Guide
AWS::EC2::Instance
Ebs:
VolumeType: "io1"
Iops: "200"
DeleteOnTermination: "false"
VolumeSize: "20"
- DeviceName: "/dev/sdk"
NoDevice: {}

Automatically Assign a Public IP Address
You can associate a public IP address with a network interface only if it has a device index of 0 and if it is
a new network interface (not an existing one).

JSON
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]},
"KeyName" : { "Ref" : "KeyName" },
"NetworkInterfaces": [ {
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"GroupSet": [{ "Ref" : "myVPCEC2SecurityGroup" }],
"SubnetId": { "Ref" : "PublicSubnet" }
} ]
}
}

YAML
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId:
Fn::FindInMap:
- "RegionMap"
- Ref: "AWS::Region"
- "AMI"
KeyName:
Ref: "KeyName"
NetworkInterfaces:
- AssociatePublicIpAddress: "true"
DeviceIndex: "0"
GroupSet:
- Ref: "myVPCEC2SecurityGroup"
SubnetId:
Ref: "PublicSubnet"

Other Examples
You can download templates that show how to use AWS::EC2::Instance to create a virtual private
cloud (VPC):
• Single instance in a single subnet
• Multiple subnets with ELB and Auto Scaling group
For more information about an AWS::EC2::Instance that has an IAM instance proﬁle, see: Create an
EC2 instance with an associated instance proﬁle.
API Version 2010-05-15
889

AWS CloudFormation User Guide
AWS::EC2::InternetGateway

For more information about Amazon EC2 template examples, see: Amazon EC2 Template
Snippets (p. 337).

See Also
• RunInstances in the Amazon Elastic Compute Cloud API Reference
• EBS-Optimized Instances in the Amazon Elastic Compute Cloud User Guide

AWS::EC2::InternetGateway
Creates a new Internet gateway in your AWS account. After creating the Internet gateway, you then
attach it to a VPC.
Topics
• Syntax (p. 890)
• Properties (p. 890)
• Return Values (p. 891)
• Example (p. 891)
• Related Information (p. 891)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::InternetGateway",
"Properties" : {
"Tags (p. 890)" : [ Resource Tag, ... ]
}

YAML
Type: AWS::EC2::InternetGateway
Properties:
Tags (p. 890):
- Resource Tag

Properties
Tags
An arbitrary set of tags (key–value pairs) for this resource.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
API Version 2010-05-15
890

AWS CloudFormation User Guide
AWS::EC2::LaunchTemplate

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myInternetGateway" : {
"Type" : "AWS::EC2::InternetGateway",
"Properties" : {
"Tags" : [ {"Key" : "foo", "Value" : "bar"}]
}
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myInternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: foo
Value: bar

Related Information
• CreateInternetGateway in the Amazon EC2 API Reference.
• Use the AWS::EC2::VPCGatewayAttachment (p. 965) resource to associate an Internet gateway with a
VPC.

AWS::EC2::LaunchTemplate
The AWS::EC2::LaunchTemplate resource creates a launch template for an Amazon EC2 instance.
A launch template contains the parameters to launch an instance. For more information, see
CreateLaunchTemplate in the Amazon EC2 API Reference.
Topics
• Syntax (p. 892)
• Properties (p. 892)
• Return Values (p. 892)
• See Also (p. 893)
API Version 2010-05-15
891

AWS CloudFormation User Guide
AWS::EC2::LaunchTemplate

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::LaunchTemplate",
"Properties" : {
"LaunchTemplateName" : String,
"LaunchTemplateData" : LaunchTemplateData (p. 1826)
}

YAML
Type: "AWS::EC2::LaunchTemplate"
Properties:
LaunchTemplateName: String
LaunchTemplateData: LaunchTemplateData (p. 1826)

Properties
LaunchTemplateName
A name for the launch template.
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: [a-zA-Z0-9\(\)\.-/_]+
Required: No
Type: String
Update requires: Replacement (p. 119)
LaunchTemplateData
The information for the launch template.
Required: No
Type: Amazon EC2 LaunchTemplate LaunchTemplateData (p. 1826)
Update requires: No interruption (p. 118)

Return Values
Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
LatestVersionNumber
The latest version of the launch template, such as 5.
API Version 2010-05-15
892

AWS CloudFormation User Guide
AWS::EC2::NatGateway

DefaultVersionNumber
The default version of the launch template, such as 2.

Note

The default version of a launch template cannot be speciﬁed in AWS CloudFormation. The
default version can be set in the Amazon EC2 Console or by using the modify-launchtemplate AWS CLI command.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Ref
When you pass the logical ID of an AWS::EC2::LaunchTemplate resource to the intrinsic Ref function,
Ref returns the ID of the launch template, such as lt-01238c059e3466abc.
For more information about using the Ref function, see Ref (p. 2311).

See Also
• CreateLaunchTemplate in the Amazon EC2 API Reference

AWS::EC2::NatGateway
The AWS::EC2::NatGateway resource creates a network address translation (NAT) gateway in the
speciﬁed public subnet. Use a NAT gateway to allow instances in a private subnet to connect to the
Internet or to other AWS services, but prevent the Internet from initiating a connection with those
instances. For more information and a sample architectural diagram, see NAT Gateways in the Amazon
VPC User Guide.

Note

If you add a default route (AWS::EC2::Route resource) that points to a NAT gateway, specify
NAT gateway's ID for the route's NatGatewayId property.
Topics
• Syntax (p. 893)
• Properties (p. 894)
• Return Value (p. 894)
• Example (p. 894)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::NatGateway",
"Properties" : {
"AllocationId" : String,
"SubnetId" : String,
"Tags" : [ Resource Tag, ... ]
}

API Version 2010-05-15
893

AWS CloudFormation User Guide
AWS::EC2::NatGateway

YAML
Type: AWS::EC2::NatGateway
Properties:
AllocationId: String
SubnetId: String
Tags:
- Resource Tag

Properties
AllocationId
The allocation ID of an Elastic IP address to associate with the NAT gateway. If the Elastic IP address
is associated with another resource, you must ﬁrst disassociate it.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SubnetId
The public subnet in which to create the NAT gateway.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Tags
Speciﬁes an arbitrary set of tags (key–value pairs) to associate with this resource. Use tags to
manage your resources.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Return Value
Ref
When you pass the logical ID of an AWS::EC2::NatGateway resource to the intrinsic Ref function, the
function returns the ID of the NAT gateway, such as nat-0a12bc456789de0fg.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a NAT gateway and a route that associates the NAT gateway with a route
table. The route table must be associated with an Internet gateway so that the NAT gateway can connect
to the Internet.
API Version 2010-05-15
894

AWS CloudFormation User Guide
AWS::EC2::NetworkAcl

JSON
"NAT" : {
"DependsOn" : "VPCGatewayAttach",
"Type" : "AWS::EC2::NatGateway",
"Properties" : {
"AllocationId" : { "Fn::GetAtt" : ["EIP", "AllocationId"]},
"SubnetId" : { "Ref" : "Subnet"},
"Tags" : [ {"Key" : "foo", "Value" : "bar" } ]
}
},
"EIP" : {
"Type" : "AWS::EC2::EIP",
"Properties" : {
"Domain" : "vpc"
}
},
"Route" : {
"Type" : "AWS::EC2::Route",
"Properties" : {
"RouteTableId" : { "Ref" : "RouteTable" },
"DestinationCidrBlock" : "0.0.0.0/0",
"NatGatewayId" : { "Ref" : "NAT" }
}
}

YAML
NAT:
DependsOn: VPCGatewayAttach
Type: AWS::EC2::NatGateway
Properties:
AllocationId:
Fn::GetAtt:
- EIP
- AllocationId
SubnetId:
Ref: Subnet
Tags:
- Key: foo
Value: bar
EIP:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
Route:
Type: AWS::EC2::Route
Properties:
RouteTableId:
Ref: RouteTable
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId:
Ref: NAT

AWS::EC2::NetworkAcl
Creates a new network ACL in a VPC.
Topics
• Syntax (p. 896)
• Properties (p. 896)
API Version 2010-05-15
895

AWS CloudFormation User Guide
AWS::EC2::NetworkAcl

• Return Values (p. 896)
• Example (p. 897)
• See Also (p. 897)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::NetworkAcl",
"Properties" : {
"Tags (p. 896)" : [ Resource Tag, ... ],
"VpcId (p. 896)" : String
}

YAML
Type: AWS::EC2::NetworkAcl
Properties:
Tags (p. 896):
- Resource Tag
VpcId (p. 896): String

Properties
Tags
An arbitrary set of tags (key–value pairs) for this ACL.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).
VpcId
The ID of the VPC where the network ACL will be created.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
API Version 2010-05-15
896

AWS CloudFormation User Guide
AWS::EC2::NetworkAclEntry

For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myNetworkAcl" : {
"Type" : "AWS::EC2::NetworkAcl",
"Properties" : {
"VpcId" : { "Ref" : "myVPC" },
"Tags" : [ { "Key" : "foo", "Value" : "bar" } ]
}
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myNetworkAcl:
Type: AWS::EC2::NetworkAcl
Properties:
VpcId:
Ref: myVPC
Tags:
- Key: foo
Value: bar

See Also
• CreateNetworkAcl in the Amazon EC2 API Reference
• Network ACLs in the Amazon Virtual Private Cloud User Guide.

AWS::EC2::NetworkAclEntry
Creates an entry (i.e., a rule) in a network ACL with a rule number you specify. Each network ACL has a
set of numbered ingress rules and a separate set of numbered egress rules.
Topics
• Syntax (p. 897)
• Properties (p. 898)
• Return Values (p. 900)
• Example (p. 900)
• See Also (p. 901)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
897

AWS CloudFormation User Guide
AWS::EC2::NetworkAclEntry

JSON
{

}

"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"CidrBlock (p. 898)" : String,
"Egress (p. 898)" : Boolean,
"Icmp (p. 898)" : EC2 ICMP,
"Ipv6CidrBlock" : String,
"NetworkAclId (p. 899)" : String,
"PortRange (p. 899)" : EC2 PortRange,
"Protocol (p. 899)" : Integer,
"RuleAction (p. 899)" : String,
"RuleNumber (p. 899)" : Integer
}

YAML
Type: AWS::EC2::NetworkAclEntry
Properties:
CidrBlock (p. 898): String
Egress (p. 898): Boolean
Icmp (p. 898):
EC2 ICMP
Ipv6CidrBlock: String
NetworkAclId (p. 899): String
PortRange (p. 899):
EC2 PortRange
Protocol (p. 899): Integer
RuleAction (p. 899) : String
RuleNumber (p. 899) : Integer

Properties
CidrBlock
The IPv4 CIDR range to allow or deny, in CIDR notation (e.g., 172.16.0.0/24).
Required: Conditional. You must specify the CidrBlock or Ipv6CidrBlock property.
Type: String
Update requires: No interruption (p. 118)
Egress
Whether this rule applies to egress traﬃc from the subnet (true) or ingress traﬃc to the subnet
(false). By default, AWS CloudFormation speciﬁes false.
Required: No
Type: Boolean
Update requires: Replacement (p. 119).
Icmp
The Internet Control Message Protocol (ICMP) code and type.
Required: Conditional required if specifying 1 (ICMP) for the protocol parameter.
API Version 2010-05-15
898

AWS CloudFormation User Guide
AWS::EC2::NetworkAclEntry

Type: EC2 NetworkAclEntry Icmp (p. 1842)
Update requires: No interruption (p. 118)
Ipv6CidrBlock
The IPv6 CIDR range to allow or deny, in CIDR notation.
Required: Conditional. You must specify the CidrBlock or Ipv6CidrBlock property.
Type: String
Update requires: No interruption (p. 118)
NetworkAclId
ID of the ACL where the entry will be created.
Required: Yes
Type: String
Update requires: Replacement (p. 119).
PortRange
The range of port numbers for the UDP/TCP protocol.
Required: Conditional Required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter.
Type: EC2 NetworkAclEntry PortRange (p. 1843)
Update requires: No interruption (p. 118)
Protocol
The IP protocol that the rule applies to. You must specify -1 or a protocol number (go to Protocol
Numbers at iana.org). You can specify -1 for all protocols.

Note

If you specify -1, all ports are opened and the PortRange property is ignored.
Required: Yes
Type: Number
Update requires: No interruption (p. 118)
RuleAction
Whether to allow or deny traﬃc that matches the rule; valid values are "allow" or "deny".
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RuleNumber
Rule number to assign to the entry, such as 100. ACL entries are processed in ascending order by
rule number. Entries can't use the same rule number unless one is an egress rule and the other
is an ingress rule. For valid values, see the CreateNetworkAclEntry action in the Amazon EC2 API
Reference.
API Version 2010-05-15
899

AWS CloudFormation User Guide
AWS::EC2::NetworkAclEntry

Required: Yes
Type: Number
Update requires: Replacement (p. 119).

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "myNetworkAcl" },
"RuleNumber" : "100",
"Protocol" : "-1",
"RuleAction" : "allow",
"Egress" : "true",
"CidrBlock" : "172.16.0.0/24",
"Icmp" : { "Code" : "-1", "Type" : "-1" },
"PortRange" : { "From" : "53", "To" : "53" }
}
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myNetworkAclEntry:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId:
Ref: myNetworkAcl
RuleNumber: '100'
Protocol: "-1"
RuleAction: allow
Egress: 'true'
CidrBlock: 172.16.0.0/24
Icmp:
Code: "-1"
Type: "-1"
PortRange:
From: '53'
To: '53'

API Version 2010-05-15
900

AWS CloudFormation User Guide
AWS::EC2::NetworkInterface

See Also
• NetworkAclEntry in the Amazon EC2 API Reference
• Network ACLs in the Amazon Virtual Private Cloud User Guide.

AWS::EC2::NetworkInterface
Describes a network interface in an Elastic Compute Cloud (EC2) instance for AWS CloudFormation. This
is provided in a list in the NetworkInterfaces property of AWS::EC2::Instance (p. 879).
Topics
• Syntax (p. 901)
• Properties (p. 902)
• Return Values (p. 904)
• Examples (p. 904)
• More Info (p. 906)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::NetworkInterface",
"Properties" : {
"Description" : String,
"GroupSet" : [ String, ... ],
"Ipv6AddressCount" : Integer,
"Ipv6Addresses" : [ Ipv6Address, ... ],
"PrivateIpAddress" : String,
"PrivateIpAddresses" : [ PrivateIpAddressSpecification, ... ],
"SecondaryPrivateIpAddressCount" : Integer,
"SourceDestCheck" : Boolean,
"SubnetId" : String,
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: AWS::EC2::NetworkInterface
Properties:
Description: String
GroupSet:
- String
Ipv6AddressCount: Integer
Ipv6Addresses:
- Ipv6Address
PrivateIpAddress: String
PrivateIpAddresses:
- PrivateIpAddressSpecification
SecondaryPrivateIpAddressCount: Integer
SourceDestCheck: Boolean
SubnetId: String

API Version 2010-05-15
901

AWS CloudFormation User Guide
AWS::EC2::NetworkInterface
Tags:
- Resource Tag

Properties
Description
The description of this network interface.
Required: No
Type: String
Update requires: No interruption (p. 118).
GroupSet
A list of security group IDs associated with this network interface.
Required: No
Type: List of strings.
Update requires: No interruption (p. 118)
Ipv6AddressCount
The number of IPv6 addresses to associate with the network interface. EC2 automatically selects the
IPv6 addresses from the subnet range. To specify speciﬁc IPv6 addresses, use the Ipv6Addresses
property and don't specify this property.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Ipv6Addresses
One or more speciﬁc IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with
the network interface. If you're specifying a number of IPv6 addresses, use the Ipv6AddressCount
property and don't specify this property.
Required: No
Type: List of EC2 NetworkInterface Ipv6Addresses (p. 1844)
Update requires: No interruption (p. 118)
PrivateIpAddress
Assigns a single private IP address to the network interface, which is used as the primary private IP
address. If you want to specify multiple private IP address, use the PrivateIpAddresses property.
Required: No
Type: String
Update requires: Replacement (p. 119).
PrivateIpAddresses
Assigns a list of private IP addresses to the network interface. You can specify a
primary private IP address by setting the value of the Primary property to true in the
API Version 2010-05-15
902

AWS CloudFormation User Guide
AWS::EC2::NetworkInterface

PrivateIpAddressSpecification property. If you want EC2 to automatically assign private
IP addresses, use the SecondaryPrivateIpAddressCount property and do not specify this
property.
For information about the maximum number of private IP addresses, see Private IP Addresses Per
ENI Per Instance Type in the Amazon EC2 User Guide for Linux Instances.
Required: No
Type: list of PrivateIpAddressSpeciﬁcation (p. 1844).
Update requires: Replacement (p. 119) if you change the primary private IP address. If not, update
requires No interruption (p. 118).
SecondaryPrivateIpAddressCount
The number of secondary private IP addresses that EC2 automatically assigns to the network
interface. EC2 uses the value of the PrivateIpAddress property as the primary private IP address.
If you don't specify that property, EC2 automatically assigns both the primary and secondary private
IP addresses.
If you want to specify your own list of private IP addresses, use the PrivateIpAddresses property
and do not specify this property.
For information about the maximum number of private IP addresses, see Private IP Addresses Per
ENI Per Instance Type in the Amazon EC2 User Guide for Linux Instances.
Required: No
Type: Integer.
Update requires: No interruption (p. 118).
SourceDestCheck
Flag indicating whether traﬃc to or from the instance is validated.
Required: No
Type: Boolean
Update requires: No interruption (p. 118).
SubnetId
The ID of the subnet to associate with the network interface.
Required: Yes
Type: String
Update requires: Replacement (p. 119).
Tags
An arbitrary set of tags (key–value pairs) for this network interface.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).
API Version 2010-05-15
903

AWS CloudFormation User Guide
AWS::EC2::NetworkInterface

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
PrimaryPrivateIpAddress
Returns the primary private IP address of the network interface. For example, 10.0.0.192.
SecondaryPrivateIpAddresses
Returns the secondary private IP addresses of the network interface. For example, ["10.0.0.161",
"10.0.0.162", "10.0.0.163"].
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Tip

For more NetworkInterface template examples, see Elastic Network Interface (ENI) Template
Snippets (p. 340).

Simple Standalone ENI
This is a simple standalone Elastic Network Interface (ENI), using all of the available properties.

JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Simple Standalone ENI",
"Resources" : {
"myENI" : {
"Type" : "AWS::EC2::NetworkInterface",
"Properties" : {
"Tags": [{"Key":"foo","Value":"bar"}],
"Description": "A nice description.",
"SourceDestCheck": "false",
"GroupSet": ["sg-75zzz219"],
"SubnetId": "subnet-3z648z53",
"PrivateIpAddress": "10.0.0.16"
}
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'

API Version 2010-05-15
904

AWS CloudFormation User Guide
AWS::EC2::NetworkInterface
Description: Simple Standalone ENI
Resources:
myENI:
Type: AWS::EC2::NetworkInterface
Properties:
Tags:
- Key: foo
Value: bar
Description: A nice description.
SourceDestCheck: 'false'
GroupSet:
- sg-75zzz219
SubnetId: subnet-3z648z53
PrivateIpAddress: 10.0.0.16

ENI on an EC2 instance
This is an example of an ENI on an EC2 instance. In this example, one ENI is added to the instance.
If you want to add more than one ENI, you can specify a list for the NetworkInterface property.
However, you can specify multiple ENIs only if all the ENIs have just private IP addresses (no
associated public IP address). If you have an ENI with a public IP address, specify it and then use the
AWS::EC2::NetworkInterfaceAttachment resource to add additional ENIs.

JSON
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]},
"KeyName" : { "Ref" : "KeyName" },
"SecurityGroupIds" : [{ "Ref" : "WebSecurityGroup" }],
"SubnetId" : { "Ref" : "SubnetId" },
"NetworkInterfaces" : [ {
"NetworkInterfaceId" : {"Ref" : "controlXface"}, "DeviceIndex" : "1" } ],
"Tags" : [ {"Key" : "Role", "Value" : "Test Instance"}],
"UserData" : { "Fn::Base64" : { "Ref" : "WebServerPort" }}
}
}

YAML
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId:
Fn::FindInMap:
- RegionMap
- Ref: AWS::Region
- AMI
KeyName:
Ref: KeyName
SecurityGroupIds:
- Ref: WebSecurityGroup
SubnetId:
Ref: SubnetId
NetworkInterfaces:
- NetworkInterfaceId:
Ref: controlXface
DeviceIndex: '1'
Tags:
- Key: Role
Value: Test Instance

API Version 2010-05-15
905

AWS CloudFormation User Guide
AWS::EC2::NetworkInterfaceAttachment
UserData:
Fn::Base64:
Ref: WebServerPort

More Info
• NetworkInterface in the Amazon Elastic Compute Cloud API Reference

AWS::EC2::NetworkInterfaceAttachment
Attaches an elastic network interface (ENI) to an Amazon EC2 instance. You can use this resource type to
attach additional network interfaces to an instances without interruption.
Topics
• Syntax (p. 906)
• Properties (p. 906)
• Return Values (p. 907)
• Example (p. 907)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::NetworkInterfaceAttachment",
"Properties" : {
"DeleteOnTermination (p. 906)": Boolean,
"DeviceIndex (p. 907)": String,
"InstanceId (p. 907)": String,
"NetworkInterfaceId (p. 907)": String
}

YAML
Type: AWS::EC2::NetworkInterfaceAttachment
Properties:
DeleteOnTermination (p. 906): Boolean
DeviceIndex (p. 907): String
InstanceId (p. 907): String
NetworkInterfaceId (p. 907): String

Properties
DeleteOnTermination
Whether to delete the network interface when the instance terminates. By default, this value is set
to True.
Required: No
API Version 2010-05-15
906

AWS CloudFormation User Guide
AWS::EC2::NetworkInterfaceAttachment

Type: Boolean.
Update requires: No interruption (p. 118)
DeviceIndex
The network interface's position in the attachment order. For example, the ﬁrst attached network
interface has a DeviceIndex of 0.
Required: Yes.
Type: String.
Update requires: No interruption (p. 118)
InstanceId
The ID of the instance to which you will attach the ENI.
Required: Yes.
Type: String.
Update requires: No interruption (p. 118)
NetworkInterfaceId
The ID of the ENI that you want to attach.
Required: Yes.
Type: String.
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
Attaching MyNetworkInterface to MyInstance

JSON
"NetworkInterfaceAttachment" : {
"Type" : "AWS::EC2::NetworkInterfaceAttachment",
"Properties" : {
"InstanceId" : {"Ref" : "MyInstance"},
"NetworkInterfaceId" : {"Ref" : "MyNetworkInterface"},
"DeviceIndex" : "1"
}
}

API Version 2010-05-15
907

AWS CloudFormation User Guide
AWS::EC2::NetworkInterfacePermission

YAML
NetworkInterfaceAttachment:
Type: AWS::EC2::NetworkInterfaceAttachment
Properties:
InstanceId:
Ref: MyInstance
NetworkInterfaceId:
Ref: MyNetworkInterface
DeviceIndex: 1

AWS::EC2::NetworkInterfacePermission
The AWS::EC2::NetworkInterfacePermission resource speciﬁes a permission for an Amazon
EC2 network interface. For example, you can grant an AWS authorized partner account permission
to attach the speciﬁed network interface to an instance in their account. For more information, see
CreateNetworkInterfacePermission and NetworkInterfacePermission in the Amazon EC2 API Reference.
Topics
• Syntax (p. 908)
• Properties (p. 908)
• Return Values (p. 909)
• Examples (p. 909)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::NetworkInterfacePermission",
"Properties" : {
"AwsAccountId" : String,
"NetworkInterfaceId" : String,
"Permission" : String
}

YAML
Type: AWS::EC2::NetworkInterfacePermission
Properties:
AwsAccountId: String
NetworkInterfaceId: String
Permission: String

Properties
AwsAccountId
The AWS account ID.
Required: Yes
API Version 2010-05-15
908

AWS CloudFormation User Guide
AWS::EC2::NetworkInterfacePermission

Type: String
Update requires: Replacement (p. 119)
NetworkInterfaceId
The ID of the network interface.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Permission
The type of permission to grant: INSTANCE-ATTACH or EIP-ASSOCIATE.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::EC2::NetworkInterfacePermission resource to the
intrinsic Ref function, the function returns the network interface permission ID. For example, eniperm-055663b682ea24b48.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Grant INSTANCE-ATTACH Permission
The following example creates a permission (INSTANCE-ATTACH) for a speciﬁed network interface and
AWS account.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyNetworkInterfacePermission": {
"Type": "AWS::EC2::NetworkInterfacePermission",
"Properties": {
"NetworkInterfaceId": "eni-030e3xxx",
"AwsAccountId": "11111111111",
"Permission": "INSTANCE-ATTACH"
}
}
},
"Outputs": {
"ReferenceId": {
"Value": {
"Ref": "MyNetworkInterfacePermission"
}
}
}

API Version 2010-05-15
909

AWS CloudFormation User Guide
AWS::EC2::PlacementGroup
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
MyNetworkInterfacePermission:
Type: AWS::EC2::NetworkInterfacePermission
Properties:
NetworkInterfaceId: eni-030e3xxx
AwsAccountId: '11111111111'
Permission: INSTANCE-ATTACH
Outputs:
ReferenceId:
Value: !Ref MyNetworkInterfacePermission

AWS::EC2::PlacementGroup
The AWS::EC2::PlacementGroup resource is a logical grouping of instances within a single Availability
Zone (AZ) that enables applications to participate in a low-latency, 10 Gbps network. You create a
placement group ﬁrst, and then you can launch instances in the placement group.
Topics
• Syntax (p. 910)
• Properties (p. 910)
• Return Values (p. 911)
• Example (p. 911)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::PlacementGroup",
"Properties" : {
"Strategy" : String
}

YAML
Type: AWS::EC2::PlacementGroup
Properties:
Strategy: String

Properties
Strategy
The placement strategy, which relates to the instance types that can be added to the placement
group. For example, for the cluster strategy, you can cluster C4 instance types but not T2 instance
API Version 2010-05-15
910

AWS CloudFormation User Guide
AWS::EC2::Route

types. For valid values, see CreatePlacementGroup in the Amazon EC2 API Reference. By default, AWS
CloudFormation sets the value of this property to cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a placement group with a cluster placement strategy.

JSON
"PlacementGroup" : {
"Type" : "AWS::EC2::PlacementGroup",
"Properties" : {
"Strategy" : "cluster"
}
}

YAML
PlacementGroup:
Type: AWS::EC2::PlacementGroup
Properties:
Strategy: cluster

AWS::EC2::Route
The AWS::EC2::Route resource creates a new route in a route table within a VPC. The route's target
can be either a gateway attached to the VPC or a NAT instance in the VPC.
Topics
• Syntax (p. 911)
• Properties (p. 912)
• Return Values (p. 914)
• Examples (p. 914)
• More Info (p. 915)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
911

AWS CloudFormation User Guide
AWS::EC2::Route

JSON
{

}

"Type" : "AWS::EC2::Route",
"Properties" : {
"DestinationCidrBlock (p. 912)" : String,
"DestinationIpv6CidrBlock" : String,
"EgressOnlyInternetGatewayId (p. 912)" : String,
"GatewayId (p. 913)" : String,
"InstanceId (p. 913)" : String,
"NatGatewayId" : String,
"NetworkInterfaceId (p. 913)" : String,
"RouteTableId (p. 913)" : String,
"VpcPeeringConnectionId" : String
}

YAML
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock (p. 912): String
DestinationIpv6CidrBlock: String
EgressOnlyInternetGatewayId (p. 912): String
GatewayId (p. 913): String
InstanceId (p. 913): String
NatGatewayId: String
NetworkInterfaceId (p. 913): String
RouteTableId (p. 913): String
VpcPeeringConnectionId: String

Properties
DestinationCidrBlock
The IPv4 CIDR address block used for the destination match. For example, 0.0.0.0/0. Routing
decisions are based on the most speciﬁc match.
Required: Conditional. You must specify the DestinationCidrBlock or
DestinationIpv6CidrBlock property.
Type: String
Update requires: Replacement (p. 119)
DestinationIpv6CidrBlock
The IPv6 CIDR address block used for the destination match. For example, ::/0. Routing decisions
are based on the most speciﬁc match.
Required: Conditional. You must specify the DestinationCidrBlock or
DestinationIpv6CidrBlock property.
Type: String
Update requires: Replacement (p. 119)
EgressOnlyInternetGatewayId
The ID of an egress-only internet gateway that is attached to your VPC (over IPv6 only).
API Version 2010-05-15
912

AWS CloudFormation User Guide
AWS::EC2::Route

Required: Conditional. You must specify only one of the following properties:
EgressOnlyInternetGatewayId, GatewayId, InstanceId, NatGatewayId,
NetworkInterfaceId, or VpcPeeringConnectionId. For an example that uses this property, see
Amazon EC2 Route with Egress-Only Internet Gateway.
Type: String
Update requires: No interruption (p. 118)
GatewayId
The ID of an internet gateway or virtual private gateway that is attached to your VPC. For example:
igw-eaad4883.
For route entries that specify a gateway, you must specify a dependency on the gateway attachment
resource. For more information, see DependsOn Attribute (p. 2250).
Required: Conditional. You must specify only one of the following properties:
EgressOnlyInternetGatewayId, GatewayId, InstanceId, NatGatewayId,
NetworkInterfaceId, or VpcPeeringConnectionId.
Type: String
Update requires: No interruption (p. 118)
InstanceId
The ID of a NAT instance in your VPC. For example, i-1a2b3c4d.
Required: Conditional. You must specify only one of the following properties:
EgressOnlyInternetGatewayId, GatewayId, InstanceId, NatGatewayId,
NetworkInterfaceId, or VpcPeeringConnectionId.
Type: String
Update requires: No interruption (p. 118)
NatGatewayId
The ID of a NAT gateway. For example, nat-0a12bc456789de0fg.
Required: Conditional. You must specify only one of the following properties:
EgressOnlyInternetGatewayId, GatewayId, InstanceId, NatGatewayId,
NetworkInterfaceId, or VpcPeeringConnectionId.
Type: String
Update requires: No interruption (p. 118)
NetworkInterfaceId
Allows the routing of network interface IDs.
Required: Conditional. You must specify only one of the following properties:
EgressOnlyInternetGatewayId, GatewayId, InstanceId, NatGatewayId,
NetworkInterfaceId, or VpcPeeringConnectionId.
Type: String
Update requires: No interruption (p. 118)
RouteTableId
The ID of the route table (p. 915) where the route will be added.
Required: Yes
API Version 2010-05-15
913

AWS CloudFormation User Guide
AWS::EC2::Route

Type: String
Update requires: Replacement (p. 119)
VpcPeeringConnectionId
The ID of a VPC peering connection.
Required: Conditional. You must specify only one of the following properties:
EgressOnlyInternetGatewayId, GatewayId, InstanceId, NatGatewayId,
NetworkInterfaceId, or VpcPeeringConnectionId.
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Examples
The following example creates a route that is added to a gateway.

JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myRoute" : {
"Type" : "AWS::EC2::Route",
"DependsOn" : "GatewayToInternet",
"Properties" : {
"RouteTableId" : { "Ref" : "myRouteTable" },
"DestinationCidrBlock" : "0.0.0.0/0",
"GatewayId" : { "Ref" : "myInternetGateway" }
}
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myRoute:
Type: AWS::EC2::Route
DependsOn: GatewayToInternet
Properties:
RouteTableId:
Ref: myRouteTable
DestinationCidrBlock: 0.0.0.0/0

API Version 2010-05-15
914

AWS CloudFormation User Guide
AWS::EC2::RouteTable
GatewayId:
Ref: myInternetGateway

More Info
• AWS::EC2::RouteTable (p. 915)
• CreateRoute in the Amazon EC2 API Reference
• Route Tables in the Amazon VPC User Guide

AWS::EC2::RouteTable
Creates a new route table within a VPC. After you create a new route table, you can add routes and
associate the table with a subnet.
Topics
• Syntax (p. 915)
• Properties (p. 915)
• Return Values (p. 916)
• Examples (p. 916)
• See Also (p. 917)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId (p. 915)" : String,
"Tags (p. 916)" : [ Resource Tag, ... ]
}

YAML
Type: AWS::EC2::RouteTable
Properties:
VpcId (p. 915): String
Tags (p. 916):
- Resource Tag

Properties
VpcId
The ID of the VPC where the route table will be created.
Example: vpc-11ad4878
API Version 2010-05-15
915

AWS CloudFormation User Guide
AWS::EC2::RouteTable

Required: Yes
Type: String
Update requires: Replacement (p. 119)
Tags
An arbitrary set of tags (key–value pairs) for this route table.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).

Return Values
Ref
When you specify an AWS::EC2::RouteTable type as an argument to the Ref function, AWS
CloudFormation returns the route table ID, such as rtb-12a34567.
For more information about using the Ref function, see Ref (p. 2311).

Examples
The following example snippet uses the VPC ID from a VPC named myVPC that was declared elsewhere
in the same template.

JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : { "Ref" : "myVPC" },
"Tags" : [ { "Key" : "foo", "Value" : "bar" } ]
}
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: myVPC
Tags:
- Key: foo
Value: bar

API Version 2010-05-15
916

AWS CloudFormation User Guide
AWS::EC2::SecurityGroup

See Also
•
•
•
•

AWS::EC2::Route (p. 911)
CreateRouteTable in the Amazon EC2 API Reference
Route Tables in the Amazon VPC User Guide
Using Tags in the Amazon Elastic Compute Cloud User Guide

AWS::EC2::SecurityGroup
Creates an Amazon EC2 security group. To create a VPC security group, use the VpcId (p. 919) property.
This type supports updates. For more information about updating stacks, see AWS CloudFormation
Stacks Updates (p. 118).

Important

If you want to cross-reference two security groups in the ingress and egress rules
of those security groups, use the AWS::EC2::SecurityGroupEgress (p. 921) and
AWS::EC2::SecurityGroupIngress (p. 925) resources to deﬁne your rules. Do not use the
embedded ingress and egress rules in the AWS::EC2::SecurityGroup. Doing so creates a
circular dependency, which AWS CloudFormation doesn't allow.
Topics
• Syntax (p. 917)
• Properties (p. 918)
• Return Values (p. 919)
• Examples (p. 919)
• More Info (p. 921)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupName (p. 918)" : String,
"GroupDescription (p. 918)" : String,
"SecurityGroupEgress (p. 918)" : [ Security Group Rule, ... ],
"SecurityGroupIngress (p. 918)" : [ Security Group Rule, ... ],
"Tags" : [ Resource Tag, ... ],
"VpcId (p. 919)" : String
}

YAML
Type: AWS::EC2::SecurityGroup
Properties:
GroupName (p. 918): String
GroupDescription (p. 918): String
SecurityGroupEgress (p. 918):

API Version 2010-05-15
917

AWS CloudFormation User Guide
AWS::EC2::SecurityGroup
- Security Group Rule
SecurityGroupIngress (p. 918):
- Security Group Rule
Tags:
- Resource Tag
VpcId (p. 919): String

Properties
GroupName
The name of the security group. For valid values, see the GroupName parameter of the
CreateSecurityGroup action in the Amazon EC2 API Reference.
If you don't specify a GroupName, AWS CloudFormation generates a unique physical ID and uses that
ID for the group name. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
GroupDescription
A description of the security group.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SecurityGroupEgress
A list of Amazon EC2 security group egress rules.
Required: No
Type: List of EC2 Security Group Rule (p. 1845)
Update requires: No interruption (p. 118)
SecurityGroupIngress
A list of Amazon EC2 security group ingress rules.
Required: No
Type: List of EC2 Security Group Rule (p. 1845)
Update requires: No interruption (p. 118)
Tags
The tags that you want to attach to the resource.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106).
API Version 2010-05-15
918

AWS CloudFormation User Guide
AWS::EC2::SecurityGroup

Update requires: No interruption (p. 118)
VpcId
The physical ID of the VPC. You can obtain the physical ID by using a reference to an
AWS::EC2::VPC (p. 950), such as: { "Ref" : "myVPC" }.
For more information about using the Ref function, see Ref (p. 2311).
Required: Yes, for VPC security groups without a default VPC
Type: String
Update requires: Replacement (p. 119)

Note

For more information about VPC security groups, see Security Groups in the Amazon VPC
User Guide.

Return Values
Ref
When you specify an AWS::EC2::SecurityGroup type as an argument to the Ref function, AWS
CloudFormation returns the security group name or the security group ID (for EC2-VPC security groups
that are not in a default VPC).
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
GroupId
The group ID of the speciﬁed security group, such as sg-94b3a1f6.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Deﬁne Basic Ingress and Egress Rules
The following example deﬁnes a security group with an ingress and egress rule.

JSON
"InstanceSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Allow http to client host",
"VpcId" : {"Ref" : "myVPC"},
"SecurityGroupIngress" : [{
"IpProtocol" : "tcp",
"FromPort" : 80,
"ToPort" : 80,
"CidrIp" : "0.0.0.0/0"
}],

API Version 2010-05-15
919

AWS CloudFormation User Guide
AWS::EC2::SecurityGroup

}

}

"SecurityGroupEgress" : [{
"IpProtocol" : "tcp",
"FromPort" : 80,
"ToPort" : 80,
"CidrIp" : "0.0.0.0/0"
}]

YAML
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http to client host
VpcId:
Ref: myVPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0

Remove Default Rule
When you create a VPC security group, Amazon EC2 creates a default egress rule that allows egress
traﬃc on all ports and IP protocols to any location. The default rule is removed only when you specify
one or more egress rules. If you want to remove the default rule and limit egress traﬃc to just the
localhost (127.0.0.1/32), use the following example.

JSON
"sgwithoutegress": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Limits security group egress traffic",
"SecurityGroupEgress": [
{
"CidrIp": "127.0.0.1/32",
"IpProtocol": "-1"
}
],
"VpcId": { "Ref": "myVPC"}
}
}

YAML
sgwithoutegress:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Limits security group egress traffic
SecurityGroupEgress:
- CidrIp: 127.0.0.1/32
IpProtocol: "-1"
VpcId:

API Version 2010-05-15
920

AWS CloudFormation User Guide
AWS::EC2::SecurityGroupEgress
Ref: myVPC

More Info
• Using Security Groups in the Amazon EC2 User Guide for Linux Instances.
• Security Groups in the Amazon VPC User Guide.

AWS::EC2::SecurityGroupEgress
The AWS::EC2::SecurityGroupEgress resource adds an egress rule to an Amazon VPC security
group. When you use the AWS::EC2::SecurityGroupEgress resource, the default rule is removed
from the security group.

Important

Use AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress
only when necessary, typically to allow security groups to reference each other in
ingress and egress rules. Otherwise, use the embedded ingress and egress rules of
AWS::EC2::SecurityGroup (p. 917). For more information, see Amazon EC2 Security Groups.
Topics
• Syntax (p. 921)
• Properties (p. 922)
• Return Values (p. 923)
• VPC Security Groups Example (p. 923)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::SecurityGroupEgress",
"Properties" : {
"CidrIp" : String,
"CidrIpv6" : String,
"Description" : String,
"DestinationPrefixListId" : String,
"DestinationSecurityGroupId" : String,
"FromPort" : Integer,
"GroupId" : String,
"IpProtocol" : String,
"ToPort" : Integer
}

YAML
Type: AWS::EC2::SecurityGroupEgress
Properties:
CidrIp: String
CidrIpv6: String
Description: String
DestinationPrefixListId: String

API Version 2010-05-15
921

AWS CloudFormation User Guide
AWS::EC2::SecurityGroupEgress
DestinationSecurityGroupId:
FromPort: Integer
GroupId: String
IpProtocol: String
ToPort: Integer

String

Properties
For more information about adding egress rules to VPC security groups, go to
AuthorizeSecurityGroupEgress in the Amazon EC2 API Reference.

Note

If you change this resource's logical ID, you must also update a property value in order to trigger
an update for this resource.
CidrIp
An IPv4 CIDR range.
Required: Conditional. You must specify a destination security group (DestinationPrefixListId
or DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
Type: String
Update requires: Replacement (p. 119)
CidrIpv6
An IPv6 CIDR range.
Type: String
Required: Conditional. You must specify a destination security group (DestinationPrefixListId
or DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
Update requires: Replacement (p. 119)
Description
Description of the egress rule.
Required: No
Type: String
Update requires: No interruption (p. 118)
DestinationPrefixListId
The AWS service preﬁx of an Amazon VPC endpoint. For more information, see VPC Endpoints in the
Amazon VPC User Guide.
Required: Conditional. You must specify a destination security group (DestinationPrefixListId
or DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
Type: String
Update requires: Replacement (p. 119)
DestinationSecurityGroupId
Speciﬁes the group ID of the destination Amazon VPC security group.
Required: Conditional. You must specify a destination security group (DestinationPrefixListId
or DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
API Version 2010-05-15
922

AWS CloudFormation User Guide
AWS::EC2::SecurityGroupEgress

Type: String
Update requires: Replacement (p. 119)
FromPort
Start of port range for the TCP and UDP protocols, or an ICMP type number. If you specify icmp for
the IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP type number).
Required: Yes
Type: Integer
Update requires: Replacement (p. 119)
GroupId
ID of the Amazon VPC security group to modify. This value can be a reference to an
AWS::EC2::SecurityGroup (p. 917) resource that has a valid VpcId property or the ID of an existing
Amazon VPC security group.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
IpProtocol
IP protocol name or number. For valid values, see the IpProtocol parameter in
AuthorizeSecurityGroupIngress
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ToPort
End of port range for the TCP and UDP protocols, or an ICMP code. If you specify icmp for the
IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP code).
Required: Yes
Type: Integer
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

VPC Security Groups Example
In some cases, you might have an originating (source) security group to which you want to add an
outbound rule that allows traﬃc to a destination (target) security group. The target security group also
API Version 2010-05-15
923

AWS CloudFormation User Guide
AWS::EC2::SecurityGroupEgress

needs an inbound rule that allows traﬃc from the source security group. Note that you cannot use the
Ref function to specify the outbound and inbound rules for each security group. Doing so creates a
circular dependency; you cannot have two resources that depend on each other. Instead, use the egress
and ingress resources to declare these outbound and inbound rules, as shown in the following template
snippet.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"SourceSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId" : "vpc-e063f789",
"GroupDescription": "Sample source security group"
}
},
"TargetSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId" : "vpc-e063f789",
"GroupDescription": "Sample target security group"
}
},
"OutboundRule": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties":{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65535,
"DestinationSecurityGroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
}
}
},
"InboundRule": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties":{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65535,
"SourceSecurityGroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
}
}

API Version 2010-05-15
924

AWS CloudFormation User Guide
AWS::EC2::SecurityGroupIngress

}

}

}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
SourceSG:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: vpc-e063f789
GroupDescription: Sample source security group
TargetSG:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: vpc-e063f789
GroupDescription: Sample target security group
OutboundRule:
Type: AWS::EC2::SecurityGroupEgress
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
DestinationSecurityGroupId:
Fn::GetAtt:
- TargetSG
- GroupId
GroupId:
Fn::GetAtt:
- SourceSG
- GroupId
InboundRule:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
SourceSecurityGroupId:
Fn::GetAtt:
- SourceSG
- GroupId
GroupId:
Fn::GetAtt:
- TargetSG
- GroupId

AWS::EC2::SecurityGroupIngress
The AWS::EC2::SecurityGroupIngress resource adds an ingress rule to an Amazon EC2 or Amazon
VPC security group.

Important

Use AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress
only when necessary, typically to allow security groups to reference each other in
ingress and egress rules. Otherwise, use the embedded ingress and egress rules of
AWS::EC2::SecurityGroup (p. 917). For more information, see Amazon EC2 Security Groups.
Topics
• Syntax (p. 926)
• Properties (p. 926)
API Version 2010-05-15
925

AWS CloudFormation User Guide
AWS::EC2::SecurityGroupIngress

• Examples (p. 928)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::SecurityGroupIngress",
"Properties" : {
"CidrIp" : String,
"CidrIpv6" : String,
"Description" : String,
"FromPort" : Integer,
"GroupId" : String,
"GroupName" : String,
"IpProtocol" : String,
"SourceSecurityGroupName" : String,
"SourceSecurityGroupId" : String,
"SourceSecurityGroupOwnerId" : String,
"ToPort" : Integer
}

YAML
Type: AWS::EC2::SecurityGroupIngress
Properties:
CidrIp: String
CidrIpv6: String
Description: String
FromPort: Integer
GroupId: String
GroupName: String
IpProtocol: String
SourceSecurityGroupName: String
SourceSecurityGroupId: String
SourceSecurityGroupOwnerId: String
ToPort: Integer

Properties
For more information about adding ingress rules to Amazon EC2 or VPC security groups, see
AuthorizeSecurityGroupIngress in the Amazon EC2 API Reference.

Note

If you change this resource's logical ID, you must also update a property value in order to trigger
an update for this resource.
CidrIp
An IPv4 CIDR range.
For an overview of CIDR ranges, go to the Wikipedia Tutorial.
Type: String
API Version 2010-05-15
926

AWS CloudFormation User Guide
AWS::EC2::SecurityGroupIngress

Required: Conditional. You must specify a source security group (SourceSecurityGroupName or
SourceSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
Update requires: Replacement (p. 119)
CidrIpv6
An IPv6 CIDR range.
Type: String
Required: Conditional. You must specify a source security group (SourceSecurityGroupName or
SourceSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
Update requires: Replacement (p. 119)
Description
Description of the ingress rule.
Required: No
Type: String
Update requires: No interruption (p. 118)
FromPort
Start of port range for the TCP and UDP protocols, or an ICMP type number. If you specify icmp for
the IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP type number).
Type: Integer
Required: Yes, for ICMP and any protocol that uses ports.
Update requires: Replacement (p. 119)
GroupId
ID of the Amazon EC2 or VPC security group to modify. The group must belong to your account.
Type: String
Required: Conditional. You must specify the GroupName property or the GroupId property. For
security groups that are in a VPC, you must use the GroupId property. For example, EC2-VPC
accounts must use the GroupId property.
Update requires: Replacement (p. 119)
GroupName
Name of the Amazon EC2 security group (non-VPC security group) to modify. This value can be a
reference to an AWS::EC2::SecurityGroup (p. 917) resource or the name of an existing Amazon EC2
security group.
Type: String
Required: Conditional. You must specify the GroupName property or the GroupId property. For
security groups that are in a VPC, you must use the GroupId property. For example, EC2-VPC
accounts must use the GroupId property.
Update requires: Replacement (p. 119)
IpProtocol
IP protocol name or number. For valid values, see the IpProtocol parameter in
AuthorizeSecurityGroupIngress
API Version 2010-05-15
927

AWS CloudFormation User Guide
AWS::EC2::SecurityGroupIngress

Type: String
Required: Yes
Update requires: Replacement (p. 119)
SourceSecurityGroupId
Speciﬁes the ID of the source security group or uses the Ref intrinsic function to refer to the logical
ID of a security group deﬁned in the same template.
Type: String
Required: Conditional. You must specify a source security group (SourceSecurityGroupName or
SourceSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
Update requires: Replacement (p. 119)
SourceSecurityGroupName
Speciﬁes the name of the Amazon EC2 security group (non-VPC security group) to allow access
or use the Ref intrinsic function to refer to the logical ID of a security group deﬁned in the same
template. For instances in a VPC, specify the SourceSecurityGroupId property.
Type: String
Required: Conditional. You must specify a source security group (SourceSecurityGroupName or
SourceSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
Update requires: Replacement (p. 119)
SourceSecurityGroupOwnerId
Speciﬁes the AWS Account ID of the owner of the Amazon EC2 security group speciﬁed in the
SourceSecurityGroupName property.
Type: String
Required: Conditional. If you specify SourceSecurityGroupName and that security group
is owned by a diﬀerent account than the account creating the stack, you must specify the
SourceSecurityGroupOwnerId; otherwise, this property is optional.
Update requires: Replacement (p. 119)
ToPort
End of port range for the TCP and UDP protocols, or an ICMP code. If you specify icmp for the
IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP code).
Type: Integer
Required: Yes, for ICMP and any protocol that uses ports.
Update requires: Replacement (p. 119)

Examples
EC2 Security Group and Ingress Rule
To create an Amazon EC2 (non-VPC) security group and an ingress rule, use the
SourceSecurityGroupName property in the ingress rule.
The following template snippet creates an EC2 security group with an ingress rule that allows incoming
traﬃc on port 80 from any other host in the security group. The snippet uses the intrinsic function
Ref (p. 2311) to specify the value for SourceSecurityGroupName.
API Version 2010-05-15
928

AWS CloudFormation User Guide
AWS::EC2::SecurityGroupIngress

JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"SGBase": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Base Security Group",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": 22,
"ToPort": 22
}
]
}
},
"SGBaseIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupName": {
"Ref": "SGBase"
},
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"SourceSecurityGroupName": {
"Ref": "SGBase"
}
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
SGBase:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: Base Security Group
SecurityGroupIngress:
- IpProtocol: tcp
CidrIp: 0.0.0.0/0
FromPort: 22
ToPort: 22
SGBaseIngress:
Type: 'AWS::EC2::SecurityGroupIngress'
Properties:
GroupName: !Ref SGBase
IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupName: !Ref SGBase

VPC Security Groups with Egress and Ingress Rules
In some cases, you might have an originating (source) security group to which you want to add an
outbound rule that allows traﬃc to a destination (target) security group. The target security group also
needs an inbound rule that allows traﬃc from the source security group. Note that you cannot use the
API Version 2010-05-15
929

AWS CloudFormation User Guide
AWS::EC2::SecurityGroupIngress

Ref function to specify the outbound and inbound rules for each security group. Doing so creates a
circular dependency; you cannot have two resources that depend on each other. Instead, use the egress
and ingress resources to declare these outbound and inbound rules, as shown in the following template
snippet.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"SourceSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId" : "vpc-e063f789",
"GroupDescription": "Sample source security group"
}
},
"TargetSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId" : "vpc-e063f789",
"GroupDescription": "Sample target security group"
}
},
"OutboundRule": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties":{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65535,
"DestinationSecurityGroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
}
}
},
"InboundRule": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties":{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65535,
"SourceSecurityGroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
}
}
}
}

API Version 2010-05-15
930

AWS CloudFormation User Guide
AWS::EC2::SecurityGroupIngress
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
SourceSG:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: vpc-e063f789
GroupDescription: Sample source security group
TargetSG:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: vpc-e063f789
GroupDescription: Sample target security group
OutboundRule:
Type: AWS::EC2::SecurityGroupEgress
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
DestinationSecurityGroupId:
Fn::GetAtt:
- TargetSG
- GroupId
GroupId:
Fn::GetAtt:
- SourceSG
- GroupId
InboundRule:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
SourceSecurityGroupId:
Fn::GetAtt:
- SourceSG
- GroupId
GroupId:
Fn::GetAtt:
- TargetSG
- GroupId

Allow Ping Requests
To allow ping requests, add the ICMP protocol type and specify 8 (echo request) for the ICMP type and
either 0 or -1 (all) for the ICMP code.

JSON
"SGPing" : {
"Type" : "AWS::EC2::SecurityGroup",
"DependsOn": "VPC",
"Properties" : {
"GroupDescription" : "SG to test ping",
"VpcId" : {"Ref" : "VPC"},
"SecurityGroupIngress" : [
{ "IpProtocol" : "tcp", "FromPort" : 22, "ToPort" : 22, "CidrIp" : "10.0.0.0/24" },
{ "IpProtocol" : "icmp", "FromPort" : 8, "ToPort" : -1, "CidrIp" : "10.0.0.0/24" }
]

API Version 2010-05-15
931

AWS CloudFormation User Guide
AWS::EC2::SpotFleet

}

}

YAML
SGPing:
Type: AWS::EC2::SecurityGroup
DependsOn: VPC
Properties:
GroupDescription: SG to test ping
VpcId:
Ref: VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 10.0.0.0/24
- IpProtocol: icmp
FromPort: 8
ToPort: -1
CidrIp: 10.0.0.0/24

AWS::EC2::SpotFleet
The AWS::EC2::SpotFleet resource creates a request for a collection of Spot instances. The Spot ﬂeet
attempts to launch the number of Spot instances to meet the target capacity that you speciﬁed. For
more information, see Spot Instances in the Amazon EC2 User Guide for Linux Instances.
Topics
• Syntax (p. 932)
• Properties (p. 933)
• Return Values (p. 933)
• Example (p. 933)
• Related Resources (p. 934)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::SpotFleet",
"Properties" : {
"SpotFleetRequestConfigData" : SpotFleetRequestConfigData
}

YAML
Type: AWS::EC2::SpotFleet
Properties:
SpotFleetRequestConfigData:
SpotFleetRequestConfigData

API Version 2010-05-15
932

AWS CloudFormation User Guide
AWS::EC2::SpotFleet

Properties
SpotFleetRequestConfigData
The conﬁguration for a Spot ﬂeet request.
Required: Yes
Type: Amazon EC2 SpotFleet SpotFleetRequestConﬁgData (p. 1850)
Update requires: Some interruptions (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a Spot ﬂeet with two launch speciﬁcations. The weighted capacities
are the same, so Amazon EC2 launches the same number of instances for each speciﬁcation. For more
information, see How Spot Fleet Works in the Amazon EC2 User Guide for Linux Instances.

JSON
"SpotFleet": {
"Type": "AWS::EC2::SpotFleet",
"Properties": {
"SpotFleetRequestConfigData": {
"IamFleetRole": { "Fn::GetAtt": [ "IAMFleetRole", "Arn"] },
"SpotPrice": "1000",
"TargetCapacity": { "Ref": "TargetCapacity" },
"LaunchSpecifications": [
{
"EbsOptimized": "false",
"InstanceType": { "Ref": "InstanceType" },
"ImageId": { "Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" },
{ "Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref":
"InstanceType" }, "Arch" ] }
]},
"SubnetId": { "Ref": "Subnet1" },
"WeightedCapacity": "8"
},
{
"EbsOptimized": "true",
"InstanceType": { "Ref": "InstanceType" },
"ImageId": { "Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" },
{ "Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref":
"InstanceType" }, "Arch" ] }
]},
"Monitoring": { "Enabled": "true" },
"SecurityGroups": [ { "GroupId": { "Fn::GetAtt": [ "SG0", "GroupId" ] } } ],
"SubnetId": { "Ref": "Subnet0" },
"IamInstanceProfile": { "Arn": { "Fn::GetAtt": [ "RootInstanceProfile",
"Arn" ] } },
"WeightedCapacity": "8"
}

API Version 2010-05-15
933

AWS CloudFormation User Guide
AWS::EC2::SpotFleet

}

}

}

]

YAML
SpotFleet:
Type: AWS::EC2::SpotFleet
Properties:
SpotFleetRequestConfigData:
IamFleetRole: !GetAtt [IAMFleetRole, Arn]
SpotPrice: '1000'
TargetCapacity:
Ref: TargetCapacity
LaunchSpecifications:
- EbsOptimized: 'false'
InstanceType:
Ref: InstanceType
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- AWSInstanceType2Arch
- Ref: InstanceType
- Arch
SubnetId:
Ref: Subnet1
WeightedCapacity: '8'
- EbsOptimized: 'true'
InstanceType:
Ref: InstanceType
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- AWSInstanceType2Arch
- Ref: InstanceType
- Arch
Monitoring:
Enabled: 'true'
SecurityGroups:
- GroupId:
Fn::GetAtt:
- SG0
- GroupId
SubnetId:
Ref: Subnet0
IamInstanceProfile:
Arn:
Fn::GetAtt:
- RootInstanceProfile
- Arn
WeightedCapacity: '8'

Related Resources
To use Application Auto Scaling to scale an Amazon ECS service in response to
CloudWatch alarms, use the AWS::ApplicationAutoScaling::ScalableTarget (p. 581) and
AWS::ApplicationAutoScaling::ScalingPolicy (p. 594) resources.
API Version 2010-05-15
934

AWS CloudFormation User Guide
AWS::EC2::Subnet

AWS::EC2::Subnet
Creates a subnet in an existing VPC.
Topics
• Syntax (p. 935)
• Properties (p. 935)
• Return Values (p. 937)
• Example (p. 937)
• More Info (p. 938)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::Subnet",
"Properties" : {
"AssignIpv6AddressOnCreation" : Boolean,
"AvailabilityZone (p. 936)" : String,
"CidrBlock (p. 936)" : String,
"Ipv6CidrBlock" : String,
"MapPublicIpOnLaunch" : Boolean,
"Tags (p. 936)" : [ Resource Tag, ... ],
"VpcId (p. 937)" : String
}

YAML
Type: AWS::EC2::Subnet
Properties:
AssignIpv6AddressOnCreation: Boolean
AvailabilityZone (p. 936): String
CidrBlock (p. 936): String
Ipv6CidrBlock: String
MapPublicIpOnLaunch: Boolean
Tags (p. 936):
- Resource Tag
VpcId (p. 937): String

Properties
AssignIpv6AddressOnCreation
Indicates whether a network interface created in this subnet receives an IPv6 address. The default
value is false.
Required: Conditional. If you specify a true or false value for AssignIpv6AddressOnCreation,
Ipv6CidrBlock must also be speciﬁed.
Type: Boolean
Update requires: No interruption (p. 118)
API Version 2010-05-15
935

AWS CloudFormation User Guide
AWS::EC2::Subnet

Note

If AssignIpv6AddressOnCreation is speciﬁed, MapPublicIpOnLaunch cannot be
speciﬁed.
AvailabilityZone
The availability zone in which you want the subnet. Default: AWS selects a zone for you
(recommended).
Required: No
Type: String
Update requires: Replacement (p. 119)

Note

If you update this property, you must also update the CidrBlock property.
CidrBlock
The CIDR block that you want the subnet to cover (for example, "10.0.0.0/24").
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Note

If you update this property, you must also update the AvailabilityZone property.
Ipv6CidrBlock
The IPv6 network range for the subnet, in CIDR notation. The subnet size must use a /64 preﬁx
length.
Required: Conditional. If you specify a true or false value for AssignIpv6AddressOnCreation,
Ipv6CidrBlock must be speciﬁed.
Type: String
Update requires: No interruption (p. 118)
MapPublicIpOnLaunch
Indicates whether instances that are launched in this subnet receive a public IP address. By default,
the value is false.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)

Note

If MapPublicIpOnLaunch is speciﬁed. AssignIpv6AddressOnCreation cannot be
speciﬁed.
Tags
An arbitrary set of tags (key–value pairs) for this subnet.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
API Version 2010-05-15
936

AWS CloudFormation User Guide
AWS::EC2::Subnet

VpcId
A Ref structure that contains the ID of the VPC on which you want to create the subnet. The VPC ID
is provided as the value of the "Ref" property, as: { "Ref": "VPCID" }.
Required: Yes
Type: Ref ID
Update requires: Replacement (p. 119)

Note

If you update this property, you must also update the CidrBlock property.

Return Values
You can pass the logical ID of the resource to an intrinsic function to get a value back from the resource.
The value that is returned depends on the function that you used.

Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource ID,
such as subnet-e19f0178.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
AvailabilityZone
Returns the availability zone (for example, "us-east-1a") of this subnet.
Example:

{ "Fn::GetAtt" : [ "mySubnet", "AvailabilityZone" ] }

Ipv6CidrBlocks
A list of IPv6 CIDR blocks that are associated with the subnet, such as
[ 2001:db8:1234:1a00::/64 ].
NetworkAclAssociationId
The ID of the network ACL that is associated with the subnet's VPC, such as acl-5fb85d36.
VpcId
The ID of the subnet's VPC, such as vpc-11ad4878.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example snippet uses the VPC ID from a VPC named myVPC that was declared elsewhere
in the same template.
API Version 2010-05-15
937

AWS CloudFormation User Guide
AWS::EC2::SubnetCidrBlock

JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"mySubnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "myVPC" },
"CidrBlock" : "10.0.0.0/24",
"AvailabilityZone" : "us-east-1a",
"Tags" : [ { "Key" : "foo", "Value" : "bar" } ]
}
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
mySubnet:
Type: AWS::EC2::Subnet
Properties:
VpcId:
Ref: myVPC
CidrBlock: 10.0.0.0/24
AvailabilityZone: "us-east-1a"
Tags:
- Key: foo
Value: bar

More Info
• CreateSubnet in the Amazon EC2 API Reference
• Using Tags in the Amazon Elastic Compute Cloud User Guide

AWS::EC2::SubnetCidrBlock
The AWS::EC2::SubnetCidrBlock resource associates a single IPv6 CIDR block with an Amazon VPC
subnet.
Topics
• Syntax (p. 938)
• Properties (p. 939)
• Example (p. 939)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
938

AWS CloudFormation User Guide
AWS::EC2::SubnetCidrBlock

}

"Type" : "AWS::EC2::SubnetCidrBlock",
"Properties" : {
"Ipv6CidrBlock" : String,
"SubnetId" : String
}

YAML
Type: AWS::EC2::SubnetCidrBlock
Properties:
Ipv6CidrBlock: String
SubnetId: String

Properties
Ipv6CidrBlock
The IPv6 CIDR block for the subnet. The CIDR block must have a preﬁx length of /64.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SubnetId
The ID of the subnet to associate the IPv6 CIDR block with.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Example
The following example associates an IPv6 CIDR block (with a preﬁx length of /64) with the
Ipv6TestSubnet subnet.

JSON
{

}

"Ipv6TestSubnetCidrBlock": {
"Type": "AWS::EC2::SubnetCidrBlock",
"Properties": {
"Ipv6CidrBlock": { "Ref" : "Ipv6SubnetCidrBlock" },
"SubnetId": { "Ref" : "Ipv6TestSubnet" }
}
}

YAML
Ipv6TestSubnetCidrBlock:
Type: AWS::EC2::SubnetCidrBlock
Properties:
Ipv6CidrBlock: !Ref Ipv6SubnetCidrBlock

API Version 2010-05-15
939

AWS CloudFormation User Guide
AWS::EC2::SubnetNetworkAclAssociation
SubnetId: !Ref Ipv6TestSubnet

AWS::EC2::SubnetNetworkAclAssociation
Associates a subnet with a network ACL. For more information, see ReplaceNetworkAclAssociation in the
Amazon EC2 API Reference.
When AWS::EC2::SubnetNetworkAclAssociation resources are created during create or update
operations, AWS CloudFormation adopts existing resources that share the same key properties
(the properties that contribute to uniquely identify the resource). However, if the operation fails
and rolls back, AWS CloudFormation deletes the previously out-of-band resources. You can protect
against this behavior by using Retain deletion policies. For more information, see DeletionPolicy
Attribute (p. 2248).

Note

The EC2 API Reference refers to the SubnetId parameter as the AssociationId.
Topics
• Syntax (p. 940)
• Properties (p. 940)
• Return Values (p. 941)
• Template Examples (p. 941)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId (p. 940)" : String,
"NetworkAclId (p. 941)" : String
}

YAML
Type: AWS::EC2::SubnetNetworkAclAssociation
Properties:
SubnetId (p. 940): String
NetworkAclId (p. 941): String

Properties
SubnetId
The ID representing the current association between the original network ACL and the subnet.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
940

AWS CloudFormation User Guide
AWS::EC2::SubnetNetworkAclAssociation

NetworkAclId
The ID of the new ACL to associate with the subnet.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
AssociationId
Returns the value of this object's SubnetId (p. 940) property.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Template Examples
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"mySubnetNetworkAclAssociation" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "mySubnet" },
"NetworkAclId" : { "Ref" : "myNetworkAcl" }
}
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
mySubnetNetworkAclAssociation:
Type: AWS::EC2::SubnetNetworkAclAssociation
Properties:
SubnetId:
Ref: mySubnet
NetworkAclId:

API Version 2010-05-15
941

AWS CloudFormation User Guide
AWS::EC2::SubnetRouteTableAssociation
Ref: myNetworkAcl

AWS::EC2::SubnetRouteTableAssociation
Associates a subnet with a route table.
When AWS::EC2::SubnetRouteTableAssociation resources are created during create or update
operations, AWS CloudFormation adopts existing resources that share the same key properties
(the properties that contribute to uniquely identify the resource). However, if the operation fails
and rolls back, AWS CloudFormation deletes the previously out-of-band resources. You can protect
against this behavior by using Retain deletion policies. For more information, see DeletionPolicy
Attribute (p. 2248).
Topics
• Syntax (p. 942)
• Properties (p. 942)
• Return Value (p. 943)
• Example (p. 943)
• See Also (p. 944)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"RouteTableId (p. 942)" : String,
"SubnetId (p. 943)" : String
}

YAML
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId (p. 942): String
SubnetId (p. 943): String

Properties
RouteTableId
The ID of the route table. This is commonly written as a reference to a route table declared
elsewhere in the template. For example:
"RouteTableId" : { "Ref" : "myRouteTable" }

Required: Yes
Type: String
API Version 2010-05-15
942

AWS CloudFormation User Guide
AWS::EC2::SubnetRouteTableAssociation

Update requires: No interruption (p. 118). However, the physical ID changes when the route table ID
is changed.
SubnetId
The ID of the subnet. This is commonly written as a reference to a subnet declared elsewhere in the
template. For example:
"SubnetId" : { "Ref" : "mySubnet" }

Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:

{ "Ref": "MyRTA" }

For the subnet route table association with the logical ID "MyRTA", Ref will return the AWS resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"mySubnetRouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "mySubnet" },
"RouteTableId" : { "Ref" : "myRouteTable" }
}
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
mySubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId:
Ref: mySubnet
RouteTableId:
Ref: myRouteTable

API Version 2010-05-15
943

AWS CloudFormation User Guide
AWS::EC2::Volume

See Also
• AssociateRouteTable in the Amazon EC2 API Reference

AWS::EC2::Volume
The AWS::EC2::Volume type creates a new Amazon Elastic Block Store (Amazon EBS) volume.

Important

When you use AWS CloudFormation to update an Amazon EBS volume that modiﬁes
Iops, Size, or VolumeType, there is a cooldown period before another operation
can occur. This can cause your stack to report being in UPDATE_IN_PROGRESS or
UPDATE_ROLLBACK_IN_PROGRESS for long periods of time.
Some common scenarios when you might encounter a cooldown period for Amazon EBS include:
• You successfully update an Amazon EBS volume and the update succeeds. When you attempt another
update within the cooldown window, that update will be subject to a cooldown period.
• You successfully update an Amazon EBS volume and the update succeeds but another change in your
update-stack call fails. The rollback will be subject to a cooldown period.
For more information on the cooldown period, see Considerations for Modifying EBS Volumes in the
Amazon EBS Developer Guide.
To control how AWS CloudFormation handles the volume when the stack is deleted, set a deletion policy
for your volume. You can choose to retain the volume, to delete the volume, or to create a snapshot of
the volume. For more information, see DeletionPolicy Attribute (p. 2248).

Note

If you set a deletion policy that creates a snapshot, all tags on the volume are included in the
snapshot.

Important

Amazon EBS does not support sizing down an Amazon EBS volume. AWS CloudFormation will
not attempt to modify an Amazon EBS volume to a smaller size on rollback.

Note

Amazon EBS does not support modifying a Magnetic volume. For more information, see
Considerations for Modifying EBS Volumes.
Topics
• Syntax (p. 944)
• Properties (p. 945)
• Return Values (p. 947)
• Examples (p. 947)
• More Info (p. 947)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
944

AWS CloudFormation User Guide
AWS::EC2::Volume

}

"Type":"AWS::EC2::Volume",
"Properties" : {
"AutoEnableIO" : Boolean,
"AvailabilityZone (p. 945)" : String,
"Encrypted" : Boolean,
"Iops (p. 946)" : Number,
"KmsKeyId" : String,
"Size (p. 946)" : Integer,
"SnapshotId (p. 946)" : String,
"Tags (p. 946)" : [ Resource Tag, ... ],
"VolumeType (p. 947)" : String
}

YAML
Type: AWS::EC2::Volume
Properties:
AutoEnableIO: Boolean
AvailabilityZone (p. 945): String
Encrypted: Boolean
Iops (p. 946): Number
KmsKeyId: String
Size (p. 946): Integer
SnapshotId (p. 946): String
Tags (p. 946):
- Resource Tag
VolumeType (p. 947): String

Properties
AutoEnableIO
Indicates whether the volume is auto-enabled for I/O operations. By default, Amazon EBS disables I/
O to the volume from attached EC2 instances when it determines that a volume's data is potentially
inconsistent. If the consistency of the volume is not a concern, and you prefer that the volume be
made available immediately if it's impaired, you can conﬁgure the volume to automatically enable I/
O. For more information, see Working with the AutoEnableIO Volume Attribute in the Amazon EC2
User Guide for Linux Instances.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
AvailabilityZone
The Availability Zone in which to create the new volume.
Required: Yes
Type: String
Update requires: Updates are not supported.
Encrypted
Indicates whether the volume is encrypted. You can attach encrypted Amazon EBS volumes only
to instance types that support Amazon EBS encryption. Volumes that are created from encrypted
snapshots are automatically encrypted. You can't create an encrypted volume from an unencrypted
API Version 2010-05-15
945

AWS CloudFormation User Guide
AWS::EC2::Volume

snapshot, or vice versa. If your AMI uses encrypted volumes, you can launch the AMI only on
supported instance types. For more information, see Amazon EBS encryption in the Amazon EC2
User Guide for Linux Instances.
Required: Conditional. If you specify the KmsKeyId property, you must enable encryption.
Type: Boolean
Update requires: Updates are not supported.
Iops
The number of I/O operations per second (IOPS) that the volume supports. For more information
about the valid sizes for each volume type, see the Iops parameter for the CreateVolume action in
the Amazon EC2 API Reference.
Required: Conditional. Required when the volume type is io1; not used with other volume types.
Type: Number
Update requires: No interruption (p. 118)
KmsKeyId
The Amazon Resource Name (ARN) of the AWS Key Management Service master key that is used
to create the encrypted volume, such as arn:aws:kms:us-east-2:012345678910:key/
abcd1234-a123-456a-a12b-a123b4cd56ef. If you create an encrypted volume and don't specify
this property, AWS CloudFormation uses the default master key.
Required: No
Type: String
Update requires: Updates are not supported.
Size
The size of the volume, in gibibytes (GiBs). For more information about the valid sizes for each
volume type, see the Size parameter for the CreateVolume action in the Amazon EC2 API
Reference.
If you specify the SnapshotId property, specify a size that is equal to or greater than the size of the
snapshot. If you don't specify a size, EC2 uses the size of the snapshot as the volume size.
Required: Conditional. If you don't specify a value for the SnapshotId property, you must specify
this property.
Type: Integer
Update requires: No interruption (p. 118)
SnapshotId
The snapshot from which to create the new volume.
Required: No
Type: String
Update requires: Updates are not supported.
Tags
An arbitrary set of tags (key–value pairs) for this volume.
Required: No
API Version 2010-05-15
946

AWS CloudFormation User Guide
AWS::EC2::Volume

Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
VolumeType
The volume type. If you set the type to io1, you must also set the Iops property. For valid values,
see the VolumeType parameter for the CreateVolume action in the Amazon EC2 API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When you specify an AWS::EC2::Volume type as an argument to the Ref function, AWS
CloudFormation returns the volume's physical ID. For example: vol-5cb85026.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Example Encrypted Amazon EBS Volume with DeletionPolicy to Make a Snapshot on Delete
"NewVolume" : {
"Type" : "AWS::EC2::Volume",
"Properties" : {
"Size" : "100",
"Encrypted" : "true",
"AvailabilityZone" : { "Fn::GetAtt" : [ "Ec2Instance", "AvailabilityZone" ] },
"Tags" : [ {
"Key" : "MyTag",
"Value" : "TagValue"
} ]
},
"DeletionPolicy" : "Snapshot"
}

Example Amazon EBS Volume with 100 Provisioned IOPS
"NewVolume" : {
"Type" : "AWS::EC2::Volume",
"Properties" : {
"Size" : "100",
"VolumeType" : "io1",
"Iops" : "100",
"AvailabilityZone" : { "Fn::GetAtt" : [ "EC2Instance", "AvailabilityZone" ] }
}
}

More Info
• CreateVolume in the Amazon Elastic Compute Cloud API Reference
API Version 2010-05-15
947

AWS CloudFormation User Guide
AWS::EC2::VolumeAttachment

• DeletionPolicy Attribute (p. 2248)

AWS::EC2::VolumeAttachment
Attaches an Amazon EBS volume to a running instance and exposes it to the instance with the speciﬁed
device name.

Important

Before this resource can be deleted (and therefore the volume detached), you must ﬁrst
unmount the volume in the instance. Failure to do so results in the volume being stuck in the
busy state while it is trying to detach, which could possibly damage the ﬁle system or the data it
contains.
If an Amazon EBS volume is the root device of an instance, it cannot be detached while the
instance is in the "running" state. To detach the root volume, stop the instance ﬁrst.
If the root volume is detached from an instance with an AWS Marketplace product code, then
the AWS Marketplace product codes from that volume are no longer associated with the
instance.
Topics
• Syntax (p. 948)
• Properties (p. 948)
• Example (p. 949)
• See Also (p. 949)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type":"AWS::EC2::VolumeAttachment",
"Properties" : {
"Device (p. 948)" : String,
"InstanceId (p. 949)" : String,
"VolumeId (p. 949)" : String
}

YAML
Type: AWS::EC2::VolumeAttachment
Properties:
Device (p. 948): String
InstanceId (p. 949): String
VolumeId (p. 949): String

Properties
Device
How the device is exposed to the instance (e.g., /dev/sdh, or xvdh).
API Version 2010-05-15
948

AWS CloudFormation User Guide
AWS::EC2::VolumeAttachment

Required: Yes
Type: String
Update requires: Updates are not supported.
InstanceId
The ID of the instance to which the volume attaches. This value can be a reference to an
AWS::EC2::Instance (p. 879) resource, or it can be the physical ID of an existing EC2 instance.
Required: Yes
Type: String
Update requires: Updates are not supported.
VolumeId
The ID of the Amazon EBS volume. The volume and instance must be within the same Availability
Zone. This value can be a reference to an AWS::EC2::Volume (p. 944) resource, or it can be the
volume ID of an existing Amazon EBS volume.
Required: Yes
Type: String
Update requires: Updates are not supported.

Example
This example attaches an EC2 EBS volume to the EC2 instance with the logical name "Ec2Instance".

"NewVolume" : {
"Type" : "AWS::EC2::Volume",
"Properties" : {
"Size" : "100",
"AvailabilityZone" : { "Fn::GetAtt" : [ "Ec2Instance", "AvailabilityZone" ] },
"Tags" : [ {
"Key" : "MyTag",
"Value" : "TagValue"
} ]
}
},
"MountPoint" : {
"Type" : "AWS::EC2::VolumeAttachment",
"Properties" : {
"InstanceId" : { "Ref" : "Ec2Instance" },
"VolumeId" : { "Ref" : "NewVolume" },
"Device" : "/dev/sdh"
}
}

See Also
• Amazon Elastic Block Store (Amazon EBS) in the Amazon Elastic Compute Cloud User Guide.
• Attaching a Volume to an Instance in the Amazon Elastic Compute Cloud User Guide
• Detaching an Amazon EBS Volume from an Instance in the Amazon Elastic Compute Cloud User Guide
API Version 2010-05-15
949

AWS CloudFormation User Guide
AWS::EC2::VPC

• AttachVolume in the Amazon Elastic Compute Cloud API Reference
• DetachVolume in the Amazon Elastic Compute Cloud API Reference

AWS::EC2::VPC
Creates a Virtual Private Cloud (VPC) with the CIDR block that you specify. To name a VPC resource, use
the Tags property and specify a value for the Name key.
Topics
• Syntax (p. 950)
• Properties (p. 950)
• Return Values (p. 951)
• Example (p. 952)
• More Info (p. 953)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock (p. 950)" : String,
"EnableDnsSupport (p. 951)" : Boolean,
"EnableDnsHostnames (p. 951)" : Boolean,
"InstanceTenancy (p. 951)" : String,
"Tags (p. 951)" : [ Resource Tag, ... ]
}

YAML
Type: AWS::EC2::VPC
Properties:
CidrBlock (p. 950): String
EnableDnsSupport (p. 951): Boolean
EnableDnsHostnames (p. 951): Boolean
InstanceTenancy (p. 951): String
Tags (p. 951):
- Resource Tag

Properties
CidrBlock
The CIDR block you want the VPC to cover. For example: "10.0.0.0/16".
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
950

AWS CloudFormation User Guide
AWS::EC2::VPC

EnableDnsSupport
Speciﬁes whether DNS resolution is supported for the VPC. If this attribute is true, the Amazon DNS
server resolves DNS hostnames for your instances to their corresponding IP addresses; otherwise, it
does not. By default the value is set to true.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
EnableDnsHostnames
Speciﬁes whether the instances launched in the VPC get DNS hostnames. If this attribute
is true, instances in the VPC get DNS hostnames; otherwise, they do not. You can only set
EnableDnsHostnames to true if you also set the EnableDnsSupport attribute to true. By
default, the value is set to false.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
InstanceTenancy
The allowed tenancy of instances launched into the VPC.
• "default": Instances can be launched with any tenancy.
• "dedicated": Any instance launched into the VPC automatically has dedicated tenancy, unless
you launch it with the default tenancy.
Update: Conditional. Updating InstanceTenancy requires no replacement only if you are updating
its value from "dedicated" to "default". Updating InstanceTenancy from "default" to
"dedicated" requires replacement.
Required: No
Type: String
Valid values: "default" or "dedicated"
Update requires: No interruption (p. 118)
Tags
An arbitrary set of tags (key–value pairs) for this VPC. To name a VPC resource, specify a value for
the Name key.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource ID,
such as vpc-18ac277d.
API Version 2010-05-15
951

AWS CloudFormation User Guide
AWS::EC2::VPC

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
CidrBlock
The set of IP addresses for the VPC. For example, 10.0.0.0/16.
CidrBlockAssociations
A list of IPv4 CIDR block association IDs for the VPC. For example, [ vpc-cidrassoc-0280ab6b ].
DefaultNetworkAcl
The default network ACL ID that is associated with the VPC. For example, acl-814dafe3.
DefaultSecurityGroup
The default security group ID that is associated with the VPC. For example, sg-b178e0d3.
Ipv6CidrBlocks
A list of IPv6 CIDR blocks that are associated with the VPC, such as
[ 2001:db8:1234:1a00::/56 ].
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myVPC" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : "10.0.0.0/16",
"EnableDnsSupport" : "false",
"EnableDnsHostnames" : "false",
"InstanceTenancy" : "dedicated",
"Tags" : [ {"Key" : "foo", "Value" : "bar"} ]
}
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsSupport: 'false'

API Version 2010-05-15
952

AWS CloudFormation User Guide
AWS::EC2::VPCCidrBlock
EnableDnsHostnames: 'false'
InstanceTenancy: dedicated
Tags:
- Key: foo
Value: bar

More Info
• CreateVpc in the Amazon EC2 API Reference.

AWS::EC2::VPCCidrBlock
The AWS::EC2::VPCCidrBlock resource associates a single Amazon-provided IPv6 CIDR block or a
single user-speciﬁed IPv4 CIDR block with a Virtual Private Cloud (VPC).
Topics
• Syntax (p. 953)
• Properties (p. 953)
• Examples (p. 954)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::VPCCidrBlock",
"Properties" : {
"AmazonProvidedIpv6CidrBlock" : Boolean,
"CidrBlock" : String,
"VpcId" : String
}

YAML
Type: AWS::EC2::VPCCidrBlock
Properties:
AmazonProvidedIpv6CidrBlock: Boolean
CidrBlock: String
VpcId: String

Properties
AmazonProvidedIpv6CidrBlock
Whether to request an Amazon-provided IPv6 CIDR block with a /56 preﬁx length for the VPC. You
can't specify the range of IPv6 addresses or the size of the CIDR block.
Required: No
Type: Boolean
API Version 2010-05-15
953

AWS CloudFormation User Guide
AWS::EC2::VPCCidrBlock

Update requires: Replacement (p. 119)
CidrBlock
An IPv4 CIDR block to associate with the VPC.
Required: No
Type: String
Update requires: Replacement (p. 119)
VpcId
The ID of the VPC to associate the Amazon-provided IPv6 CIDR block with.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Examples
Associate an Amazon-provided IPv6 CIDR block
The following snippet associates an Amazon-provided IPv6 CIDR block (with a preﬁx length of /56) with
the TestVPCIpv6 VPC.

JSON
{

}

"Ipv6VPCCidrBlock": {
"Type": "AWS::EC2::VPCCidrBlock",
"Properties": {
"AmazonProvidedIpv6CidrBlock": true,
"VpcId": { "Ref" : "TestVPCIpv6" }
}
}

YAML
Ipv6VPCCidrBlock:
Type: AWS::EC2::VPCCidrBlock
Properties:
AmazonProvidedIpv6CidrBlock: true
VpcId: !Ref TestVPCIpv6

Associate an IPv4 CIDR block and Amazon-provided IPv6 CIDR block
The following example associates an IPv4 CIDR block and an Amazon-provided IPv6 CIDR block with a
VPC. It also outputs the list of IPv4 CIDR block association IDs and IPv6 CIDR blocks that are associated
with the VPC.

JSON
{

API Version 2010-05-15
954

AWS CloudFormation User Guide
AWS::EC2::VPCCidrBlock
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/24"
}
},
"VpcCidrBlock": {
"Type": "AWS::EC2::VPCCidrBlock",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": "192.0.0.0/24"
}
},
"VpcCidrBlockIpv6": {
"Type": "AWS::EC2::VPCCidrBlock",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"AmazonProvidedIpv6CidrBlock": true
}
}
},
"Outputs": {
"VpcId": {
"Value": {
"Ref": "VPC"
}
},
"PrimaryCidrBlock": {
"Value": {
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
}
},
"Ipv6CidrBlock": {
"Value": {
"Fn::Select": [
0,
{
"Fn::GetAtt": [
"VPC",
"Ipv6CidrBlocks"
]
}
]
}
},
"CidrBlockAssociation": {
"Value": {
"Fn::Select": [
0,
{
"Fn::GetAtt": [
"VPC",
"CidrBlockAssociations"
]
}
]
}
}

API Version 2010-05-15
955

AWS CloudFormation User Guide
AWS::EC2::VPCDHCPOptionsAssociation

}

}

YAML
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/24
VpcCidrBlock:
Type: AWS::EC2::VPCCidrBlock
Properties:
VpcId: !Ref VPC
CidrBlock: 192.0.0.0/24
VpcCidrBlockIpv6:
Type: AWS::EC2::VPCCidrBlock
Properties:
VpcId: !Ref VPC
AmazonProvidedIpv6CidrBlock: true
Outputs:
VpcId:
Value: !Ref VPC
PrimaryCidrBlock:
Value: !GetAtt VPC.CidrBlock
Ipv6CidrBlock:
Value: !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ]
CidrBlockAssociation:
Value: !Select [ 0, !GetAtt VPC.CidrBlockAssociations ]

AWS::EC2::VPCDHCPOptionsAssociation
Associates a set of DHCP options (that you've previously created) with the speciﬁed VPC.
Topics
• Syntax (p. 956)
• Properties (p. 957)
• Return Values (p. 957)
• Example (p. 957)
• See Also (p. 958)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::VPCDHCPOptionsAssociation",
"Properties" : {
"DhcpOptionsId (p. 957)" : String,
"VpcId (p. 957)" : String
}

API Version 2010-05-15
956

AWS CloudFormation User Guide
AWS::EC2::VPCDHCPOptionsAssociation

YAML
Type: AWS::EC2::VPCDHCPOptionsAssociation
Properties:
DhcpOptionsId (p. 957): String
VpcId (p. 957): String

Properties
DhcpOptionsId
The ID of the DHCP options you want to associate with the VPC. Specify default if you want the
VPC to use no DHCP options.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
VpcId
The ID of the VPC to associate with this DHCP options set.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following snippet uses the Ref intrinsic function to associate the myDHCPOptions DHCP
options with the myVPC VPC. The VPC and DHCP options can be declared in the same template or
added as input parameters. For more information about the VPC or the DHCP options resources, see
AWS::EC2::VPC (p. 950) or AWS::EC2::DHCPOptions (p. 863).

JSON
"myVPCDHCPOptionsAssociation" : {
"Type" : "AWS::EC2::VPCDHCPOptionsAssociation",
"Properties" : {
"VpcId" : {"Ref" : "myVPC"},
"DhcpOptionsId" : {"Ref" : "myDHCPOptions"}
}
}

API Version 2010-05-15
957

AWS CloudFormation User Guide
AWS::EC2::VPCEndpoint

YAML
myVPCDHCPOptionsAssociation:
Type: AWS::EC2::VPCDHCPOptionsAssociation
Properties:
VpcId:
Ref: myVPC
DhcpOptionsId:
Ref: myDHCPOptions

See Also
• AssociateDhcpOptions in the Amazon EC2 API Reference.

AWS::EC2::VPCEndpoint
Creates a VPC endpoint that you can use to establish a private connection between your VPC and
another AWS service without requiring access over the Internet, a VPN connection, or AWS Direct
Connect. For more information, see CreateVpcEndpoint.
Topics
• Syntax (p. 958)
• Properties (p. 959)
• Return Value (p. 960)
• Example (p. 960)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::VPCEndpoint",
"Properties" : {
"VpcId" : String,
"RouteTableIds" : [ String, ... ],
"ServiceName" : String,
"PolicyDocument" : String,
"VpcEndpointType" : String,
"PrivateDnsEnabled" : Boolean,
"SubnetIds" : [ String, ... ],
"SecurityGroupIds" : [ String, ... ]
}

YAML
Type: AWS::EC2::VPCEndpoint
Properties:
VpcId: String
RouteTableIds:
- String

API Version 2010-05-15
958

AWS CloudFormation User Guide
AWS::EC2::VPCEndpoint
ServiceName: String
PolicyDocument: String
VpcEndpointType: String
PrivateDnsEnabled: Boolean
SubnetIds:
- String
SecurityGroupIds:
- String

Properties
PrivateDnsEnabled
[Interface endpoint] Indicates whether to associate a private hosted zone with the speciﬁed VPC.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
PolicyDocument
[Gateway endpoint] A policy to attach to the endpoint that controls access to the service. The policy
must be valid JSON. The default policy allows full access to the AWS service. For more information,
see Controlling Access to Services in the Amazon VPC User Guide.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
RouteTableIds
One or more route table IDs that are used by the VPC to reach the endpoint.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SecurityGroupIds
[Interface endpoint] The ID of one or more security groups to associate with the endpoint network
interface.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
ServiceName
The name of the service. To get a list of available services, use DescribeVpcEndpointServices or get
the name from the service provider.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
959

AWS CloudFormation User Guide
AWS::EC2::VPCEndpoint

SubnetIds
[Interface endpoint] The ID of one or more subnets in which to create an endpoint network
interface.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
VpcEndpointType
The type of endpoint. Valid values are Interface and Gateway.
Required: No
Type: String
Update requires: No interruption (p. 118)
VpcId
The ID of the VPC in which the endpoint will be used.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When you pass the logical ID of an AWS::EC2::VPCEndpoint resource to the intrinsic Ref function, the
function returns the endpoint ID, such as vpce-a123d0d1.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a VPC endpoint that allows only the s3:GetObject action on the
examplebucket bucket. Traﬃc to S3 within subnets that are associated with the routetableA and
routetableB route tables is automatically routed through the VPC endpoint.

JSON
"S3Endpoint" : {
"Type" : "AWS::EC2::VPCEndpoint",
"Properties" : {
"PolicyDocument" : {
"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::examplebucket/*"]
}]
},

API Version 2010-05-15
960

AWS CloudFormation User Guide
AWS::EC2::VPCEndpointConnectionNotiﬁcation
"RouteTableIds" : [ {"Ref" : "routetableA"}, {"Ref" : "routetableB"} ],
"ServiceName" : { "Fn::Join": [ "", [ "com.amazonaws.", { "Ref": "AWS::Region" },
".s3" ] ] },
"VpcId" : {"Ref" : "VPCID"}
}

}

YAML
S3Endpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal: '*'
Action:
- 's3:GetObject'
Resource:
- 'arn:aws:s3:::examplebucket/*'
RouteTableIds:
- !Ref routetableA
- !Ref routetableB
ServiceName: !Join
- ''
- - com.amazonaws.
- !Ref 'AWS::Region'
- .s3
VpcId: !Ref VPCID

AWS::EC2:: VPCEndpointConnectionNotiﬁcation
Creates a connection notiﬁcation for the speciﬁed VPC endpoint or VPC endpoint service. A connection
notiﬁcation notiﬁes you of speciﬁc endpoint events. You must create an SNS topic to receive
notiﬁcations. For more information, see CreateVpcEndpointConnectionNotiﬁcation.
Topics
• Syntax (p. 961)
• Properties (p. 962)
• Return Values (p. 962)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::VPCEndpointConnectionNotification",
"Properties" : {
"ConnectionEvents" : [ String, ... ],
"VPCEndpointId" : String,
"ServiceId" : String,
"ConnectionNotificationArn" : String
}

API Version 2010-05-15
961

AWS CloudFormation User Guide
AWS::EC2::VPCEndpointConnectionNotiﬁcation

YAML
Type: "AWS::EC2::VPCEndpointConnectionNotification"
Properties:
ConnectionEvents:
- String
VPCEndpointId: String
ServiceId: String
ConnectionNotificationArn: String

Properties
ConnectionEvents
One or more endpoint events for which to receive notiﬁcations. Valid values are Accept, Connect,
Delete, and Reject.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)
ConnectionNotificationArn
The ARN of the SNS topic for the notiﬁcations.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ServiceId
The ID of the endpoint service.
Required: No
Type: String
Update requires: No interruption (p. 118)
VPCEndpointId
The ID of the endpoint.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::EC2::VPCEndpointConnectionNotification resource to
the intrinsic Ref function, the function returns the ID of the connection notiﬁcation.
API Version 2010-05-15
962

AWS CloudFormation User Guide
AWS::EC2::VPCEndpointService

For more information about using the Ref function, see Ref (p. 2311).

AWS::EC2::VPCEndpointService
Creates a VPC endpoint service conﬁguration to which service consumers (AWS accounts, IAM users,
and IAM roles) can connect. Service consumers can create an interface VPC endpoint to connect to your
service. For more information, see CreateVpcEndpointServiceConﬁguration.
Topics
• Syntax (p. 963)
• Properties (p. 963)
• Return Values (p. 964)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::VPCEndpointService",
"Properties" : {
"NetworkLoadBalancerArns" : [ String, ... ],
"AcceptanceRequired" : Boolean
}

YAML
Type: "AWS::EC2::VPCEndpointService"
Properties:
NetworkLoadBalancerArns:
- String
AcceptanceRequired: Boolean

Properties
AcceptanceRequired
Indicate whether requests from service consumers to create an endpoint to your service must be
accepted. To accept a request, use AcceptVpcEndpointConnections.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
NetworkLoadBalancerArns
The Amazon Resource Names (ARNs) of one or more Network Load Balancers for your service.
Required: Yes
Type: List of String values
API Version 2010-05-15
963

AWS CloudFormation User Guide
AWS::EC2::VPCEndpointServicePermissions

Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::EC2::VPCEndpointService resource to the intrinsic Ref
function, the function returns the ID of the VPC endpoint service conﬁguration.
For more information about using the Ref function, see Ref (p. 2311).

AWS::EC2::VPCEndpointServicePermissions
Grant or revoke permissions for service consumers (IAM users, IAM roles, and AWS accounts) to connect
to the VPC endpoint service. For more information, see ModifyVpcEndpointServicePermissions in the
Amazon EC2 API Reference.
If you grant permissions to all principals, the service is public. Any users who know the name of a public
service can send a request to attach an endpoint. If the service does not require manual approval,
attachments are automatically approved.
Topics
• Syntax (p. 964)
• Properties (p. 964)
• Return Values (p. 965)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::VPCEndpointServicePermissions",
"Properties" : {
"AllowedPrincipals" : [ String, ... ],
"ServiceId" : String
}

YAML
Type: "AWS::EC2::VPCEndpointServicePermissions"
Properties:
AllowedPrincipals:
- String
ServiceId: String

Properties
AllowedPrincipals
The Amazon Resource Names (ARN) of one or more principals (IAM users, IAM roles, and AWS
accounts). Permissions are granted to the principals in this list. To grant permissions to all principals,
API Version 2010-05-15
964

AWS CloudFormation User Guide
AWS::EC2::VPCGatewayAttachment

specify an asterisk (*). Permissions are revoked for principals not in this list. If the list is empty, then
all permissions are revoked.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
ServiceId
The ID of the VPC endpoint service.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::EC2::VPCEndpointServicePermissions resource to the
intrinsic Ref function, the function returns the ID of the VPC endpoint service.
For more information about using the Ref function, see Ref (p. 2311).

AWS::EC2::VPCGatewayAttachment
Attaches a gateway to a VPC.
Topics
• Syntax (p. 965)
• Properties (p. 966)
• Return Values (p. 966)
• Examples (p. 966)
• See Also (p. 967)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"InternetGatewayId (p. 966)" : String,
"VpcId (p. 966)" : String,
"VpnGatewayId (p. 966)" : String
}

API Version 2010-05-15
965

AWS CloudFormation User Guide
AWS::EC2::VPCGatewayAttachment

YAML
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId (p. 966): String
VpcId (p. 966): String
VpnGatewayId (p. 966): String

Properties
InternetGatewayId
The ID of the Internet gateway.
Required: Conditional You must specify either InternetGatewayId or VpnGatewayId, but not
both.
Type: String
Update requires: No interruption (p. 118)
VpcId
The ID of the VPC to associate with this gateway.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
VpnGatewayId
The ID of the virtual private network (VPN) gateway to attach to the VPC.
Required: Conditional You must specify either InternetGatewayId or VpnGatewayId, but not
both.
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Examples
To attach both an Internet gateway and a VPN gateway to a VPC, you must specify two separate
AWS::EC2::VPCGatewayAttachment resources:

JSON

API Version 2010-05-15
966

AWS CloudFormation User Guide
AWS::EC2::VPCPeeringConnection
"AttachGateway" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "myInternetGateway" }
}
},
"AttachVpnGateway" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"VpnGatewayId" : { "Ref" : "myVPNGateway" }
}
}

YAML
AttachGateway:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: myInternetGateway
AttachVpnGateway:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
VpnGatewayId:
Ref: myVPNGateway

See Also
• AttachVpnGateway in the Amazon EC2 API Reference.

AWS::EC2::VPCPeeringConnection
A VPC peering connection enables a network connection between two virtual private clouds (VPCs) so
that you can route traﬃc between them using a private IP address. For more information about VPC
peering and its limitations, see VPC Peering Overview in the Amazon VPC Peering Guide.

Note

You can create a peering connection with another AWS account. For a detailed walkthrough, see
Walkthrough: Peer with an Amazon VPC in Another AWS Account (p. 241).
Topics
• Syntax (p. 967)
• Properties (p. 968)
• Return Values (p. 969)
• Examples (p. 969)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
967

AWS CloudFormation User Guide
AWS::EC2::VPCPeeringConnection

JSON
{

}

"Type" : "AWS::EC2::VPCPeeringConnection",
"Properties" : {
"PeerVpcId" : String,
"Tags" : [ Resource Tag, ... ],
"VpcId" : String,
"PeerOwnerId" : String,
"PeerRegion" : String,
"PeerRoleArn" : String
}

YAML
Type: AWS::EC2::VPCPeeringConnection
Properties:
PeerVpcId: String
Tags:
- Resource Tag
VpcId: String
PeerOwnerId: String
PeerRegion: String
PeerRoleArn: String

Properties
PeerVpcId
The ID of the VPC with which you are creating the peering connection.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Tags
An arbitrary set of tags (key–value pairs) for this resource.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).
VpcId
The ID of the VPC that is requesting a peering connection.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
PeerOwnerId
The AWS account ID of the owner of the VPC that you want to peer with.
API Version 2010-05-15
968

AWS CloudFormation User Guide
AWS::EC2::VPCPeeringConnection

Required: No
Type: String
Update requires: Replacement (p. 119)
PeerRegion
The region code for the accepter VPC, if the accepter VPC is located in a region other than the region
in which you make the request. The default is the region in which you make the request.
Required: No
Type: String
Update requires: Replacement (p. 119)
PeerRoleArn
The Amazon Resource Name (ARN) of the VPC peer role for the peering connection in another AWS
account.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Examples
The following example template creates two VPCs to demonstrate how to conﬁgure a peering
connection. For a VPC peering connection, you must create a VPC peering route for each VPC route table,
as shown in the example by PeeringRoute1 and PeeringRoute2. If you launch the template, you
can connect to the myInstance instance using SSH, and then ping the myPrivateInstance instance
although both instances are in separate VPCs.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Creates a VPC that and then creates a peering connection with an
existing VPC that you specify.",
"Parameters": {
"EC2KeyPairName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the
instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription" : "must be the name of an existing EC2 KeyPair."
},
"InstanceType": {
"Description": "EC2 instance type",
"Type": "String",

API Version 2010-05-15
969

AWS CloudFormation User Guide
AWS::EC2::VPCPeeringConnection
"Default": "t1.micro",
"AllowedValues": [
"t1.micro",
"m1.small",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge"
],
"ConstraintDescription": "must be a valid EC2 instance type."

},
"myVPCIDCIDRRange": {
"Description": "The IP address range for your new VPC.",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "10.1.0.0/16",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\
\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"myPrivateVPCIDCIDRRange": {
"Description": "The IP address range for your new Private VPC.",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "10.0.0.0/16",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\
\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"EC2SubnetCIDRRange": {
"Description": "The IP address range for a subnet in myPrivateVPC.",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "10.0.0.0/24",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\
\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"EC2PublicSubnetCIDRRange": {
"Description": "The IP address range for a subnet in myVPC.",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "10.1.0.0/24",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\
\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
}
},
"Mappings": {
"AWSRegionToAMI": {
"us-east-1": {
"64": "ami-fb8e9292"
},
"us-west-2": {
"64": "ami-043a5034"
},
"us-west-1": {

API Version 2010-05-15
970

AWS CloudFormation User Guide
AWS::EC2::VPCPeeringConnection
"64": "ami-7aba833f"
},
"eu-west-1": {
"64": "ami-2918e35e"
},
"ap-southeast-1": {
"64": "ami-b40d5ee6"
},
"ap-southeast-2": {
"64": "ami-3b4bd301"
},
"ap-northeast-1": {
"64": "ami-c9562fc8"
},
"sa-east-1": {
"64": "ami-215dff3c"
}

}
},
"Resources": {
"myPrivateVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {"Ref": "myPrivateVPCIDCIDRRange"},
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"myPrivateEC2Subnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "myPrivateVPC" },
"CidrBlock" : {"Ref": "EC2SubnetCIDRRange"}
}
},
"RouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : {"Ref" : "myPrivateVPC"}
}
},
"PeeringRoute1" : {
"Type" : "AWS::EC2::Route",
"Properties" : {
"DestinationCidrBlock": "0.0.0.0/0",
"RouteTableId" : { "Ref" : "RouteTable" },
"VpcPeeringConnectionId" : { "Ref" : "myVPCPeeringConnection" }
}
},
"SubnetRouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "myPrivateEC2Subnet" },
"RouteTableId" : { "Ref" : "RouteTable" }
}
},
"myVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {"Ref": "myVPCIDCIDRRange"},
"EnableDnsSupport": true,
"EnableDnsHostnames": true,
"InstanceTenancy": "default"
}
},

API Version 2010-05-15
971

AWS CloudFormation User Guide
AWS::EC2::VPCPeeringConnection
"PublicSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {"Ref": "EC2PublicSubnetCIDRRange"},
"VpcId": {
"Ref": "myVPC"
}
}
},
"myInternetGateway": {
"Type": "AWS::EC2::InternetGateway"
},
"AttachGateway": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "myVPC"
},
"InternetGatewayId": {
"Ref": "myInternetGateway"
}
}
},
"PublicRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "myVPC"
}
}
},
"PeeringRoute2" : {
"Type" : "AWS::EC2::Route",
"Properties" : {
"DestinationCidrBlock": { "Ref" : "myPrivateVPCIDCIDRRange" },
"RouteTableId" : { "Ref" : "PublicRouteTable" },
"VpcPeeringConnectionId" : { "Ref" : "myVPCPeeringConnection" }
}
},
"PublicRoute": {
"Type": "AWS::EC2::Route",
"DependsOn": "AttachGateway",
"Properties": {
"RouteTableId": {
"Ref": "PublicRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "myInternetGateway"
}
}
},
"PublicSubnetRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PublicSubnet"
},
"RouteTableId": {
"Ref": "PublicRouteTable"
}
}
},
"myPrivateVPCEC2SecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {

API Version 2010-05-15
972

AWS CloudFormation User Guide
AWS::EC2::VPCPeeringConnection

"0.0.0.0/0"}
}

"GroupDescription": "Private instance security group",
"VpcId" : { "Ref" : "myPrivateVPC" },
"SecurityGroupIngress" : [
{"IpProtocol" : "-1", "FromPort" : "0", "ToPort" : "65535", "CidrIp" :
]

},
"myVPCEC2SecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription": "Public instance security group",
"VpcId" : { "Ref" : "myVPC" },
"SecurityGroupIngress" : [
{"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" :
"0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" :
"0.0.0.0/0"}
]
}
},
"myPrivateInstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"SecurityGroupIds" : [{ "Ref" : "myPrivateVPCEC2SecurityGroup" }],
"SubnetId" : { "Ref" : "myPrivateEC2Subnet" },
"KeyName": {
"Ref": "EC2KeyPairName"
},
"ImageId": {
"Fn::FindInMap": [
"AWSRegionToAMI",
{"Ref": "AWS::Region"},
"64"
]
}
}
},
"myInstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"NetworkInterfaces": [ {
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"GroupSet": [{ "Ref" : "myVPCEC2SecurityGroup" }],
"SubnetId": { "Ref" : "PublicSubnet" }
} ],
"KeyName": {
"Ref": "EC2KeyPairName"
},
"ImageId": {
"Fn::FindInMap": [
"AWSRegionToAMI",
{"Ref": "AWS::Region"},
"64"
]
}
}
},
"myVPCPeeringConnection": {
"Type": "AWS::EC2::VPCPeeringConnection",
"Properties": {
"VpcId": {"Ref": "myVPC"},
"PeerVpcId": {"Ref": "myPrivateVPC"}
}
}

API Version 2010-05-15
973

AWS CloudFormation User Guide
AWS::EC2::VPCPeeringConnection

}

}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates a VPC that and then creates a peering connection with an existing
VPC that you specify.
Parameters:
EC2KeyPairName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
InstanceType:
Description: EC2 instance type
Type: String
Default: t1.micro
AllowedValues:
- t1.micro
- m1.small
- m3.medium
- m3.large
- m3.xlarge
- m3.2xlarge
- c3.large
- c3.xlarge
- c3.2xlarge
- c3.4xlarge
- c3.8xlarge
ConstraintDescription: must be a valid EC2 instance type.
myVPCIDCIDRRange:
Description: The IP address range for your new VPC.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 10.1.0.0/16
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
myPrivateVPCIDCIDRRange:
Description: The IP address range for your new Private VPC.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 10.0.0.0/16
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
EC2SubnetCIDRRange:
Description: The IP address range for a subnet in myPrivateVPC.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 10.0.0.0/24
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
EC2PublicSubnetCIDRRange:
Description: The IP address range for a subnet in myVPC.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 10.1.0.0/24
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
Mappings:
AWSRegionToAMI:

API Version 2010-05-15
974

AWS CloudFormation User Guide
AWS::EC2::VPCPeeringConnection
us-east-1:
'64': ami-fb8e9292
us-west-2:
'64': ami-043a5034
us-west-1:
'64': ami-7aba833f
eu-west-1:
'64': ami-2918e35e
ap-southeast-1:
'64': ami-b40d5ee6
ap-southeast-2:
'64': ami-3b4bd301
ap-northeast-1:
'64': ami-c9562fc8
sa-east-1:
'64': ami-215dff3c
Resources:
myPrivateVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock:
Ref: myPrivateVPCIDCIDRRange
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: default
myPrivateEC2Subnet:
Type: AWS::EC2::Subnet
Properties:
VpcId:
Ref: myPrivateVPC
CidrBlock:
Ref: EC2SubnetCIDRRange
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: myPrivateVPC
PeeringRoute1:
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock: 0.0.0.0/0
RouteTableId:
Ref: RouteTable
VpcPeeringConnectionId:
Ref: myVPCPeeringConnection
SubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId:
Ref: myPrivateEC2Subnet
RouteTableId:
Ref: RouteTable
myVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock:
Ref: myVPCIDCIDRRange
EnableDnsSupport: true
EnableDnsHostnames: true
InstanceTenancy: default
PublicSubnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock:
Ref: EC2PublicSubnetCIDRRange
VpcId:

API Version 2010-05-15
975

AWS CloudFormation User Guide
AWS::EC2::VPCPeeringConnection
Ref: myVPC
myInternetGateway:
Type: AWS::EC2::InternetGateway
AttachGateway:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: myVPC
InternetGatewayId:
Ref: myInternetGateway
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: myVPC
PeeringRoute2:
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock:
Ref: myPrivateVPCIDCIDRRange
RouteTableId:
Ref: PublicRouteTable
VpcPeeringConnectionId:
Ref: myVPCPeeringConnection
PublicRoute:
Type: AWS::EC2::Route
DependsOn: AttachGateway
Properties:
RouteTableId:
Ref: PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: myInternetGateway
PublicSubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId:
Ref: PublicSubnet
RouteTableId:
Ref: PublicRouteTable
myPrivateVPCEC2SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Private instance security group
VpcId:
Ref: myPrivateVPC
SecurityGroupIngress:
- IpProtocol: "-1"
FromPort: '0'
ToPort: '65535'
CidrIp: 0.0.0.0/0
myVPCEC2SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Public instance security group
VpcId:
Ref: myVPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 0.0.0.0/0

API Version 2010-05-15
976

AWS CloudFormation User Guide
AWS::EC2::VPNConnection
myPrivateInstance:
Type: AWS::EC2::Instance
Properties:
SecurityGroupIds:
- Ref: myPrivateVPCEC2SecurityGroup
SubnetId:
Ref: myPrivateEC2Subnet
KeyName:
Ref: EC2KeyPairName
ImageId:
Fn::FindInMap:
- AWSRegionToAMI
- Ref: AWS::Region
- '64'
myInstance:
Type: AWS::EC2::Instance
Properties:
NetworkInterfaces:
- AssociatePublicIpAddress: 'true'
DeviceIndex: '0'
GroupSet:
- Ref: myVPCEC2SecurityGroup
SubnetId:
Ref: PublicSubnet
KeyName:
Ref: EC2KeyPairName
ImageId:
Fn::FindInMap:
- AWSRegionToAMI
- Ref: AWS::Region
- '64'
myVPCPeeringConnection:
Type: AWS::EC2::VPCPeeringConnection
Properties:
VpcId:
Ref: myVPC
PeerVpcId:
Ref: myPrivateVPC

AWS::EC2::VPNConnection
Creates a new VPN connection between an existing virtual private gateway and a VPN customer gateway.
For more information, see CreateVpnConnection in the Amazon EC2 API Reference.
Topics
• Syntax (p. 977)
• Properties (p. 978)
• Return Value (p. 979)
• Template Example (p. 979)
• See Also (p. 980)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
977

AWS CloudFormation User Guide
AWS::EC2::VPNConnection

}

"Type" : "AWS::EC2::VPNConnection",
"Properties" : {
"Type (p. 978)" : String,
"CustomerGatewayId (p. 978)" : GatewayID,
"StaticRoutesOnly (p. 978)" : Boolean,
"Tags" : [ Resource Tag, ... ],
"VpnGatewayId (p. 979)" : GatewayID,
"VpnTunnelOptionsSpecifications" : [ VpnTunnelOptionsSpecification (p. 1868), ... ]
}

YAML
Type: AWS::EC2::VPNConnection
Properties:
Type (p. 978): String
CustomerGatewayId (p. 978):
GatewayID
StaticRoutesOnly (p. 978): Boolean
Tags:
- Resource Tag
VpnGatewayId (p. 979):
GatewayID
VpnTunnelOptionsSpecifications:
- VpnTunnelOptionsSpecification (p. 1868)

Properties
Type
The type of VPN connection this virtual private gateway supports.
Example: "ipsec.1"
Required: Yes
Type: String
Update requires: Replacement (p. 119)
CustomerGatewayId
The ID of the customer gateway. This can either be an embedded JSON object or a reference to a
Gateway ID.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
StaticRoutesOnly
Indicates whether the VPN connection requires static routes.
Required: Conditional. If you are creating a VPN connection for a device that does not support Border
Gateway Protocol (BGP), you must specify true.
Type: Boolean
Update requires: Replacement (p. 119)
API Version 2010-05-15
978

AWS CloudFormation User Guide
AWS::EC2::VPNConnection

Tags
The tags that you want to attach to the resource.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106).
Update requires: No interruption (p. 118)
VpnGatewayId
The ID of the virtual private gateway. This can either be an embedded JSON object or a reference to
a Gateway ID.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
VpnTunnelOptionsSpecifications
The tunnel options for the VPN connection. Duplicates not allowed.
Required: No
Type: List of EC2 VPNConnection VpnTunnelOptionsSpeciﬁcation (p. 1868)
Update requires: Replacement (p. 119)

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "MyVPNConnection" }

For the VPNConnection with the logical ID "MyVPNConnection", Ref will return the VPN connection's
resource name.
For more information about using the Ref function, see Ref (p. 2311).

Template Example
JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myVPNConnection" : {
"Type" : "AWS::EC2::VPNConnection",
"Properties" : {
"Type" : "ipsec.1",
"StaticRoutesOnly" : "true",
"CustomerGatewayId" : {"Ref" : "myCustomerGateway"},
"VpnGatewayId" : {"Ref" : "myVPNGateway"}
}
}

API Version 2010-05-15
979

AWS CloudFormation User Guide
AWS::EC2::VPNConnectionRoute

}

}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
myVPNConnection:
Type: AWS::EC2::VPNConnection
Properties:
Type: ipsec.1
StaticRoutesOnly: true
CustomerGatewayId:
!Ref myCustomerGateway
VpnGatewayId:
!Ref myVPNGateway

See Also
• VpnConnection in the Amazon EC2 API Reference

AWS::EC2::VPNConnectionRoute
A static route that is associated with a VPN connection between an existing virtual private gateway and
a VPN customer gateway. The static route allows traﬃc to be routed from the virtual private gateway to
the VPN customer gateway.
Topics
• Syntax (p. 980)
• Properties (p. 981)
• Return Values (p. 981)
• Example (p. 981)
• See Also (p. 981)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::VPNConnectionRoute",
"Properties" : {
"DestinationCidrBlock (p. 981)" : String,
"VpnConnectionId (p. 981)" : String
}

YAML
Type: AWS::EC2::VPNConnectionRoute
Properties:
DestinationCidrBlock (p. 981): String

API Version 2010-05-15
980

AWS CloudFormation User Guide
AWS::EC2::VPNConnectionRoute
VpnConnectionId (p. 981): String

Properties
DestinationCidrBlock
The CIDR block that is associated with the local subnet of the customer network.
Required: Yes.
Type: String
Update requires: Replacement (p. 119)
VpnConnectionId
The ID of the VPN connection.
Required: Yes.
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
"MyConnectionRoute0" : {
"Type" : "AWS::EC2::VPNConnectionRoute",
"Properties" : {
"DestinationCidrBlock" : "10.0.0.0/16",
"VpnConnectionId" : {"Ref" : "Connection0"}
}
}

YAML
MyConnectionRoute0:
Type: AWS::EC2::VPNConnectionRoute
Properties:
DestinationCidrBlock: 10.0.0.0/16
VpnConnectionId:
!Ref Connection0

See Also
• CreateVpnConnectionRoute in the Amazon EC2 API Reference.
API Version 2010-05-15
981

AWS CloudFormation User Guide
AWS::EC2::VPNGateway

AWS::EC2::VPNGateway
Creates a virtual private gateway. A virtual private gateway is the VPC-side endpoint for your VPN
connection.
Topics
• Syntax (p. 982)
• Properties (p. 982)
• Return Value (p. 983)
• Example (p. 983)
• See Also (p. 983)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::VPNGateway",
"Properties" : {
"AmazonSideAsn" : Long,
"Type (p. 982)" : String,
"Tags (p. 983)" : [ Resource Tag, ... ]
}

YAML
Type: AWS::EC2::VPNGateway
Properties:
AmazonSideAsn: Long
Type (p. 982): String
Tags (p. 983):
Resource Tag

Properties
AmazonSideAsn
The private Autonomous System Number (ASN) for the Amazon side of a BGP session.
Required: No
Type: Long
Update requires: No interruption (p. 118)
Type
The type of VPN connection this virtual private gateway supports. The only valid value is
"ipsec.1".
Required: Yes
API Version 2010-05-15
982

AWS CloudFormation User Guide
AWS::EC2::VPNGateway

Type: String
Update requires: Replacement (p. 119)
Tags
An arbitrary set of tags (key–value pairs) for this resource.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "MyVPNGateway" }

For the VPN gateway with the logical ID "MyVPNGateway", Ref will return the gateway's resource name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myVPNGateway" : {
"Type" : "AWS::EC2::VPNGateway",
"Properties" : {
"Type" : "ipsec.1",
"Tags" : [ { "Key" : "Use", "Value" : "Test" } ]
}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
myVPNGateway:
Type: AWS::EC2::VPNGateway
Properties:
Type: ipsec.1
Tags:
Key: Use
Value: Test

See Also
• CreateVpnGateway in the Amazon EC2 API Reference.
API Version 2010-05-15
983

AWS CloudFormation User Guide
AWS::EC2::VPNGatewayRoutePropagation

AWS::EC2::VPNGatewayRoutePropagation
Enables a virtual private gateway (VGW) to propagate routes to the routing tables of a VPC.

Note

If you reference a VPN gateway that is in the same template as your VPN gateway route
propagation, you must explicitly declare a dependency on the VPN gateway attachment.
The AWS::EC2::VPNGatewayRoutePropagation resource cannot use the VPN gateway
until it has successfully attached to the VPC. Add a DependsOn (p. 2250) attribute in the
AWS::EC2::VPNGatewayRoutePropagation resource to explicitly declare a dependency on
the VPN gateway attachment.
Topics
• Syntax (p. 984)
• Properties (p. 984)
• Return Value (p. 985)
• Example (p. 985)
• See Also (p. 985)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EC2::VPNGatewayRoutePropagation",
"Properties" : {
"RouteTableIds (p. 984)" : [ String, ... ],
"VpnGatewayId (p. 985)" : String
}

YAML
Type: AWS::EC2::VPNGatewayRoutePropagation
Properties:
RouteTableIds (p. 984):
- String
VpnGatewayId (p. 985): String

Properties
RouteTableIds
A list of routing table IDs that are associated with a VPC. The routing tables must be associated with
the same VPC that the virtual private gateway is attached to.
Required: Yes
Type: List of route table IDs
Update requires: No interruption (p. 118)
API Version 2010-05-15
984

AWS CloudFormation User Guide
AWS::ECR::Repository

VpnGatewayId
The ID of the virtual private gateway that is attached to a VPC. The virtual private gateway must be
attached to the same VPC that the routing tables are associated with.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myVPNGatewayRouteProp" }

For the VPN gateway with the logical ID myVPNGatewayRouteProp, Ref will return the gateway's
resource name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
"myVPNGatewayRouteProp" : {
"Type" : "AWS::EC2::VPNGatewayRoutePropagation",
"Properties" : {
"RouteTableIds" : [{"Ref" : "PrivateRouteTable"}],
"VpnGatewayId" : {"Ref" : "VPNGateway"}
}
}

YAML
myVPNGatewayRouteProp:
Type: AWS::EC2::VPNGatewayRoutePropagation
Properties:
RouteTableIds:
- !Ref PrivateRouteTable
VpnGatewayId:
!Ref VPNGateway

See Also
• EnableVgwRoutePropagation in the Amazon EC2 API Reference.

AWS::ECR::Repository
The AWS::ECR::Repository resource creates an Amazon Elastic Container Registry (Amazon ECR)
repository, where users can push and pull Docker images. For more information, see Amazon ECR
Repositories in the Amazon Elastic Container Registry User Guide.
API Version 2010-05-15
985

AWS CloudFormation User Guide
AWS::ECR::Repository

Topics
• Syntax (p. 986)
• Properties (p. 986)
• Return Values (p. 987)
• Examples (p. 987)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ECR::Repository",
"Properties" : {
"LifecyclePolicy" : LifecyclePolicy (p. 1870),
"RepositoryName" : String,
"RepositoryPolicyText" : JSON object
}

YAML
Type: AWS::ECR::Repository
Properties:
LifecyclePolicy:
LifecyclePolicy (p. 1870)
RepositoryName: String
RepositoryPolicyText: JSON object

Properties
LifecyclePolicy
A lifecycle policy for the repository.
Required: No
Type: Amazon ECR Repository LifecyclePolicy (p. 1870)
Update requires: No interruption (p. 118)
RepositoryName
A name for the image repository. If you don't specify a name, AWS CloudFormation generates
a unique physical ID and uses that ID for the repository name. For more information, see Name
Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
986

AWS CloudFormation User Guide
AWS::ECR::Repository

RepositoryPolicyText
A policy that controls who has access to the repository and which actions they can perform on it. For
more information, see Amazon ECR Repository Policies in the Amazon Elastic Container Registry User
Guide.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name, such as test-repository.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
Returns the Amazon Resource Name (ARN) for the speciﬁed AWS::ECR::Repository resource. For
example, arn:aws:ecr:eu-west-1:123456789012:repository/test-repository.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
The following example creates a repository named test-repository. Its policy permits the users Bob
and Alice to push and pull images. Note that the IAM users actually need to exist, or stack creation will
fail.

JSON
"MyRepository": {
"Type": "AWS::ECR::Repository",
"Properties": {
"RepositoryName" : "test-repository",
"RepositoryPolicyText" : {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/Bob",
"arn:aws:iam::123456789012:user/Alice"
]
},
"Action": [

API Version 2010-05-15
987

AWS CloudFormation User Guide
AWS::ECR::Repository

}

}

}

]

}

]

"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"

YAML
MyRepository:
Type: AWS::ECR::Repository
Properties:
RepositoryName: "test-repository"
RepositoryPolicyText:
Version: "2012-10-17"
Statement:
Sid: AllowPushPull
Effect: Allow
Principal:
AWS:
- "arn:aws:iam::123456789012:user/Bob"
- "arn:aws:iam::123456789012:user/Alice"
Action:
- "ecr:GetDownloadUrlForLayer"
- "ecr:BatchGetImage"
- "ecr:BatchCheckLayerAvailability"
- "ecr:PutImage"
- "ecr:InitiateLayerUpload"
- "ecr:UploadLayerPart"
- "ecr:CompleteLayerUpload"

The following example creates a repository with a lifecycle policy.

JSON
{

"Parameters": {
"lifecyclePolicyText": {
"Type": "String"
},
"repositoryName": {
"Type": "String"
},
"registryId": {
"Type": "String"
}
},
"Resources": {
"MyRepository": {
"Type": "AWS::ECR::Repository",
"Properties": {
"LifecyclePolicy": {
"LifecyclePolicyText": {
"Ref": "lifecyclePolicyText"

API Version 2010-05-15
988

AWS CloudFormation User Guide
AWS::ECS::Cluster
},
"RegistryId": {
"Ref": "registryId"
}

}

}

}

},
"RepositoryName": {
"Ref": "repositoryName"
}

},
"Outputs": {
"Arn": {
"Value": {
"Fn::GetAtt": [
"MyRepository",
"Arn"
]
}
}
}

YAML
Parameters:
lifecyclePolicyText:
Type: String
repositoryName:
Type: String
registryId:
Type: String
Resources:
MyRepository:
Type: AWS::ECR::Repository
Properties:
LifecyclePolicy:
LifecyclePolicyText: !Ref lifecyclePolicyText
RegistryId: !Ref registryId
RepositoryName: !Ref repositoryName
Outputs:
Arn:
Value: !GetAtt MyRepository.Arn

AWS::ECS::Cluster
The AWS::ECS::Cluster resource creates an Amazon Elastic Container Service (Amazon ECS) cluster.
This resource has no properties; use the Amazon ECS container agent to connect to the cluster. For more
information, see Amazon ECS Container Agent in the Amazon Elastic Container Service Developer Guide.
Topics
• Syntax (p. 989)
• Properties (p. 990)
• Return Values (p. 990)
• Example (p. 991)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
989

AWS CloudFormation User Guide
AWS::ECS::Cluster

JSON
{

}

"Type" : "AWS::ECS::Cluster",
"Properties" : {
"ClusterName" : String
}

YAML
Type: AWS::ECS::Cluster
Properties:
ClusterName: String

Properties
ClusterName
A name for the cluster. If you don't specify a name, AWS CloudFormation generates a unique
physical ID for the name. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
In the following sample, the Ref function returns the name of the MyECSCluster cluster, such as
MyStack-MyECSCluster-NT5EUXTNTXXD.
{ "Ref": "MyECSCluster" }

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon Resource Name (ARN) of the Amazon ECS cluster, such as arn:aws:ecs:useast-2:123456789012:cluster/MyECSCluster.
API Version 2010-05-15
990

AWS CloudFormation User Guide
AWS::ECS::Service

For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following sample declares an Amazon ECS cluster:

JSON
"MyCluster": {
"Type": "AWS::ECS::Cluster"
}

YAML
MyCluster:
Type: AWS::ECS::Cluster

AWS::ECS::Service
The AWS::ECS::Service resource creates an Amazon Elastic Container Service (Amazon ECS) service
that runs and maintains the requested number of tasks and associated load balancers.
Topics
• Syntax (p. 991)
• Properties (p. 992)
• Return Values (p. 995)
• Examples (p. 995)
• More Info (p. 1001)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ECS::Service",
"Properties" : {
"Cluster" : String,
"DeploymentConfiguration" : DeploymentConfiguration,
"DesiredCount" : Integer,
"HealthCheckGracePeriodSeconds" : Integer,
"LaunchType" : String,
"LoadBalancers" : [ Load Balancer Objects, ... ],
"NetworkConfiguration" : NetworkConfiguration (p. 1872),
"PlacementConstraints" : [ PlacementConstraints, ... ],
"Role" : String,
"PlacementStrategies" : [ PlacementStrategies, ... ],
"PlatformVersion" : String,
"ServiceName" : String,
"ServiceRegistries" : [ ServiceRegistry (p. 1875), ... ,
"TaskDefinition" : String
}

API Version 2010-05-15
991

AWS CloudFormation User Guide
AWS::ECS::Service

YAML
Type: AWS::ECS::Service
Properties:
Cluster: String
DeploymentConfiguration:
DeploymentConfiguration
DesiredCount: Integer
HealthCheckGracePeriodSeconds: Integer
LaunchType: String
LoadBalancers:
- Load Balancer Objects, ...
NetworkConfiguration:
NetworkConfiguration (p. 1872)
PlacementConstraints:
- PlacementConstraints, ...
PlacementStrategies:
- PlacementStrategies, ...
PlatformVersion: String
Role: String
ServiceName: String
ServiceRegistries:
- ServiceRegistry (p. 1875)
TaskDefinition: String

Properties
For more information on properties and valid parameters, see CreateService in the Amazon Elastic
Container Service API Reference.

Note

When you use Auto Scaling or Amazon Elastic Compute Cloud (Amazon EC2) to create container
instances for an Amazon ECS cluster, the Amazon ECS service resource must have a dependency
on the Auto Scaling group or the Amazon EC2 instances. This makes the container instances
available and associates them with the Amazon ECS cluster before AWS CloudFormation creates
the Amazon ECS service.
Cluster
The name or Amazon Resource Name (ARN) of the cluster that you want to run your Amazon ECS
service on. If you do not specify a cluster, Amazon ECS uses the default cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)
DeploymentConfiguration
Conﬁgures how many tasks run during a deployment.
Required: No
Type: Amazon Elastic Container Service Service DeploymentConﬁguration (p. 1871)
Update requires: No interruption (p. 118)
DesiredCount
The number of simultaneous tasks that you want to run on the cluster. Specify the tasks with the
TaskDefinition property.
API Version 2010-05-15
992

AWS CloudFormation User Guide
AWS::ECS::Service

Required: Conditional. Required only when creating an Amazon ECS Service.
Type: Integer
Update requires: No interruption (p. 118)
HealthCheckGracePeriodSeconds
The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic
Load Balancing target health checks after a task has ﬁrst started.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
LaunchType
The launch type on which to run your service. If one is not speciﬁed, EC2 will be used by default.
Valid values include EC2 and FARGATE.
Required: No
Type: String
Update requires: Replacement (p. 119)
LoadBalancers
A list of load balancer objects to associate with the cluster. If you specify the Role property,
LoadBalancers must be speciﬁed as well. For information about the number of load balancers
that you can specify per service, see Service Load Balancing in the Amazon Elastic Container Service
Developer Guide.
Required: Conditional
Type: List of Amazon Elastic Container Service Service LoadBalancers (p. 1874)
Update requires: Replacement (p. 119)
NetworkConfiguration
The network conﬁguration for the service. This parameter is required for task deﬁnitions that use
the awsvpc network mode to receive their own Elastic Network Interface, and it is not supported for
other network modes. For more information, see Task Networking in the Amazon Elastic Container
Service Developer Guide.
Required: No
Type: Amazon ECS Service NetworkConﬁguration (p. 1872)
Update requires: No interruption (p. 118)
PlacementConstraints
The placement constraints for the tasks in the service.
Required: No
Type: Amazon Elastic Container Service Service PlacementConstraint (p. 1872)
Update requires: Replacement (p. 119)
PlacementStrategies
The placement strategies that determine how tasks for the service are placed.
API Version 2010-05-15
993

AWS CloudFormation User Guide
AWS::ECS::Service

Required: No
Type: Amazon Elastic Container Service Service PlacementStrategies (p. 1873)
Update requires: Replacement (p. 119)
PlatformVersion
The platform version on which to run your service. If one is not speciﬁed, the latest version will be
used by default.
Required: No
Type: String
Update requires: Replacement (p. 119)
Role
The name or ARN of an AWS Identity and Access Management (IAM) role that allows your Amazon
ECS container agent to make calls to your load balancer.

Note

In some cases, you might need to add a dependency on the service role's policy. For more
information, see IAM role policy in DependsOn Attribute (p. 2250).
Required: No
Type: String
Update requires: Replacement (p. 119)
ServiceName
The name of your service. The name is limited to 255 letters (uppercase and lowercase), numbers,
hyphens, and underscores. Service names must be unique within a cluster, but you can have similarly
named services in multiple clusters within a region or across multiple regions.
Required: No
Type: String
Update requires: Replacement (p. 119)
ServiceRegistries
Details of the service registry.
Required: No
Type: Amazon ECS Service ServiceRegistry (p. 1875)
Update requires: No interruption (p. 118)
TaskDefinition
The ARN of the task deﬁnition (including the revision number) that you want to run on the cluster,
such as arn:aws:ecs:us-east-1:123456789012:task-definition/mytask:3. You can't use
:latest to specify a revision because it's ambiguous. For example, if AWS CloudFormation needed
to roll back an update, it wouldn't know which revision to roll back to.
Required: Yes
Type: String
API Version 2010-05-15
994

AWS CloudFormation User Guide
AWS::ECS::Service

Update requires: Some interruptions (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ARN.
In the following sample, the Ref function returns the ARN of the MyECSService service, such as
arn:aws:ecs:us-west-2:123456789012:service/sample-webapp.
{ "Ref": "MyECSService" }

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Name
The name of the Amazon ECS service, such as sample-webapp.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Deﬁne a Basic Amazon ECS Service
The following examples deﬁne an Amazon ECS service that uses a cluster and task deﬁnition that are
declared elsewhere in the same template.

JSON
"WebApp": {
"Type": "AWS::ECS::Service",
"Properties" : {
"Cluster": { "Ref": "cluster" },
"DesiredCount": { "Ref": "desiredcount" },
"TaskDefinition" : { "Ref": "taskdefinition" }
}
}

YAML
WebApp:
Type: AWS::ECS::Service
Properties:
Cluster:
Ref: "cluster"
DesiredCount:
Ref: "desiredcount"
TaskDefinition:
Ref: "taskdefinition"

API Version 2010-05-15
995

AWS CloudFormation User Guide
AWS::ECS::Service

Associate an Application Load Balancer with a Service
The following example associates an Application Load Balancer with an Amazon ECS service by
referencing an AWS::ElasticLoadBalancingV2::TargetGroup resource.

Note

The Amazon ECS service requires an explicit dependency on the Application load balancer
listener rule and the Application load balancer listener. This prevents the service from starting
before the listener is ready.

JSON
"service" : {
"Type" : "AWS::ECS::Service",
"DependsOn": ["Listener"],
"Properties" : {
"Role" : { "Ref" : "ECSServiceRole" },
"TaskDefinition" : { "Ref" : "taskdefinition" },
"DesiredCount" : "1",
"LoadBalancers" : [{
"TargetGroupArn" : { "Ref" : "TargetGroup" },
"ContainerPort" : "80",
"ContainerName" : "sample-app"
}],
"Cluster" : { "Ref" : "ECSCluster" }
}
}

YAML
service:
Type: AWS::ECS::Service
DependsOn:
- Listener
Properties:
Role:
Ref: ECSServiceRole
TaskDefinition:
Ref: taskdefinition
DesiredCount: 1
LoadBalancers:
- TargetGroupArn:
Ref: TargetGroup
ContainerPort: 80
ContainerName: sample-app
Cluster:
Ref: ECSCluster

Deﬁne a Service with a Health Check Grace Period
The following example deﬁnes a service with a parameter that enables users to specify how many
seconds that the Amazon ECS service scheduler should ignore unhealthy Elastic Load Balancing target
health checks after a task has ﬁrst started.

JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Creating ECS service",
"Parameters": {
"AppName": {

API Version 2010-05-15
996

AWS CloudFormation User Guide
AWS::ECS::Service
"Type":"String",
"Description": "Name of app requiring ELB exposure",
"Default": "simple-app"

},
"AppContainerPort": {
"Type":"Number",
"Description": "Container port of app requiring ELB exposure",
"Default": "80"
},
"AppHostPort": {
"Type":"Number",
"Description": "Host port of app requiring ELB exposure",
"Default": "80"
},
"ServiceName": {
"Type": "String"
},
"LoadBalancerName": {
"Type": "String"
},
"HealthCheckGracePeriodSeconds": {
"Type": "String"
}

},
"Resources": {
"cluster": {
"Type": "AWS::ECS::Cluster"
},
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties" : {
"ContainerDefinitions" : [
{
"Name": {"Ref": "AppName"},
"MountPoints": [
{
"SourceVolume": "my-vol",
"ContainerPath": "/var/www/my-vol"
}
],
"Image":"amazon/amazon-ecs-sample",
"Cpu": "10",
"PortMappings":[
{
"ContainerPort": {"Ref":"AppContainerPort"},
"HostPort": {"Ref":"AppHostPort"}
}
],
"EntryPoint": [
"/usr/sbin/apache2",
"-D",
"FOREGROUND"
],
"Memory":"500",
"Essential": "true"
},
{
"Name": "busybox",
"Image": "busybox",
"Cpu": "10",
"EntryPoint": [
"sh",
"-c"
],
"Memory": "500",
"Command": [

API Version 2010-05-15
997

AWS CloudFormation User Guide
AWS::ECS::Service

\""

"/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done
],
"Essential" : "false",
"VolumesFrom": [
{
"SourceContainer": {"Ref":"AppName"}
}
]

}
],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/docker/vfs/dir/"
},
"Name": "my-vol"
}
]

}
},
"service": {
"Type": "AWS::ECS::Service",
"Properties" : {
"Cluster": {"Ref": "cluster"},
"DeploymentConfiguration": {
"MaximumPercent": 200,
"MinimumHealthyPercent": 100
},
"DesiredCount": 0,
"HealthCheckGracePeriodSeconds": {"Ref": "HealthCheckGracePeriodSeconds"},
"LoadBalancers": [{
"ContainerName": {"Ref" : "AppName"},
"ContainerPort": {"Ref":"AppContainerPort"},
"LoadBalancerName": {"Ref": "elb"}
}],
"PlacementStrategies": [{
"Type" : "binpack",
"Field": "memory"
}, {
"Type": "spread",
"Field": "host"
}],
"PlacementConstraints": [{
"Type": "memberOf",
"Expression": "attribute:ecs.availability-zone != us-east-1d"
}, {
"Type": "distinctInstance"
}],
"TaskDefinition" : {"Ref":"taskdefinition"},
"ServiceName": {"Ref": "ServiceName"},
"Role": {"Ref": "Role"}
}
},
"elb": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"LoadBalancerName": {"Ref": "LoadBalancerName"},
"Listeners": [{
"InstancePort": {"Ref": "AppHostPort"},
"LoadBalancerPort": "80",
"Protocol": "HTTP"
}],
"Subnets": [{"Ref":"Subnet1"}]
},
"DependsOn": "GatewayAttachment"

API Version 2010-05-15
998

AWS CloudFormation User Guide
AWS::ECS::Service
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/24"
}
},
"Subnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": { "Ref": "VPC" },
"CidrBlock": "10.0.0.0/25"
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway"
},
"GatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"InternetGatewayId": {"Ref": "InternetGateway"},
"VpcId": {"Ref": "VPC"}
}
},
"Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/
AmazonEC2ContainerServiceRole"]
}
}
},
"Outputs" : {
"Cluster": {
"Value": {"Ref" : "cluster"}
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: Creating ECS service
Parameters:
AppName:
Type: String
Description: Name of app requiring ELB exposure
Default: simple-app
AppContainerPort:
Type: Number
Description: Container port of app requiring ELB exposure

API Version 2010-05-15
999

AWS CloudFormation User Guide
AWS::ECS::Service
Default: '80'
AppHostPort:
Type: Number
Description: Host port of app requiring ELB exposure
Default: '80'
ServiceName:
Type: String
LoadBalancerName:
Type: String
HealthCheckGracePeriodSeconds:
Type: String
Resources:
cluster:
Type: AWS::ECS::Cluster
taskdefinition:
Type: AWS::ECS::TaskDefinition
Properties:
ContainerDefinitions:
- Name: !Ref AppName
MountPoints:
- SourceVolume: my-vol
ContainerPath: /var/www/my-vol
Image: amazon/amazon-ecs-sample
Cpu: '10'
PortMappings:
- ContainerPort: !Ref AppContainerPort
HostPort: !Ref AppHostPort
EntryPoint:
- /usr/sbin/apache2
- '-D'
- FOREGROUND
Memory: '500'
Essential: 'true'
- Name: busybox
Image: busybox
Cpu: '10'
EntryPoint:
- sh
- '-c'
Memory: '500'
Command:
- >/bin/sh -c "while true; do /bin/date > /var/www/my-vol/date; sleep
1; done"
Essential: 'false'
VolumesFrom:
- SourceContainer: !Ref AppName
Volumes:
- Host:
SourcePath: /var/lib/docker/vfs/dir/
Name: my-vol
service:
Type: AWS::ECS::Service
Properties:
Cluster: !Ref cluster
DeploymentConfiguration:
MaximumPercent: 200
MinimumHealthyPercent: 100
DesiredCount: 0
HealthCheckGracePeriodSeconds: !Ref HealthCheckGracePeriodSeconds
LoadBalancers:
- ContainerName: !Ref AppName
ContainerPort: !Ref AppContainerPort
LoadBalancerName: !Ref elb
PlacementStrategies:
- Type: binpack

API Version 2010-05-15
1000

AWS CloudFormation User Guide
AWS::ECS::Service
Field: memory
- Type: spread
Field: host
PlacementConstraints:
- Type: memberOf
Expression: 'attribute:ecs.availability-zone != us-east-1d'
- Type: distinctInstance
TaskDefinition: !Ref taskdefinition
ServiceName: !Ref ServiceName
Role: !Ref Role

elb:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
LoadBalancerName: !Ref LoadBalancerName
Listeners:
- InstancePort: !Ref AppHostPort
LoadBalancerPort: '80'
Protocol: HTTP
Subnets:
- !Ref Subnet1
DependsOn: GatewayAttachment
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/24
Subnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
CidrBlock: 10.0.0.0/25
InternetGateway:
Type: AWS::EC2::InternetGateway
GatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC
Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: ecs.amazonaws.com
Action: 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
Outputs:
Cluster:
Value: !Ref cluster

More Info
• To use Application Auto Scaling to scale an Amazon ECS service in response to Amazon
CloudWatch alarms, use the AWS::ApplicationAutoScaling::ScalableTarget (p. 581) and
AWS::ApplicationAutoScaling::ScalingPolicy (p. 594) resources.
• To use an Application Load Balancer to distribute incoming application traﬃc across
multiple targets, use the AWS::ElasticLoadBalancingV2::TargetGroup (p. 1088),
AWS::ElasticLoadBalancingV2::Listener (p. 1074),

API Version 2010-05-15
1001

AWS CloudFormation User Guide
AWS::ECS::TaskDeﬁnition

AWS::ElasticLoadBalancingV2::ListenerRule (p. 1080), and
AWS::ElasticLoadBalancingV2::LoadBalancer (p. 1082) resources.
• For a complete sample template that shows how you can create an Amazon ECS cluster and service,
see Amazon Elastic Container Service Template Snippets (p. 353).

AWS::ECS::TaskDeﬁnition
The AWS::ECS::TaskDefinition resource describes the container and volume deﬁnitions of an
Amazon Elastic Container Service (Amazon ECS) task. You can specify which Docker images to use, the
required resources, and other conﬁgurations related to launching the task deﬁnition through an Amazon
ECS service or task.
Topics
• Syntax (p. 1002)
• Properties (p. 1003)
• Return Value (p. 1005)
• Examples (p. 1005)
• See Also (p. 1009)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ECS::TaskDefinition",
"Properties" : {
"Volumes" : [ Volume Definition, ... ],
"Cpu" : String,
"ExecutionRoleArn" : String,
"Family" : String,
"Memory" : String,
"NetworkMode" : String,
"PlacementConstraints" : [ TaskDefinitionPlacementConstraint, ... ],
"RequiresCompatibilities" : [ String, ... ],
"TaskRoleArn" : String,
"ContainerDefinitions" : [ Container Definition, ... ]
}

YAML
Type: AWS::ECS::TaskDefinition
Properties:
Volumes:
- Volume Definition
Cpu: String
ExecutionRoleArn: String
Family: String
Memory: String
NetworkMode: String
PlacementConstraints:
- TaskDefinitionPlacementConstraint
RequiresCompatibilities:

API Version 2010-05-15
1002

AWS CloudFormation User Guide
AWS::ECS::TaskDeﬁnition
- String
TaskRoleArn: String
ContainerDefinitions:
- Container Definition

Properties
For more information on properties and valid parameters, see RegisterTaskDeﬁnition in the Amazon
Elastic Container Service API Reference.
ContainerDefinitions
A list of container deﬁnitions in JSON format that describes the containers that make up your task.
Required: Yes
Type: List of Amazon Elastic Container Service TaskDeﬁnition ContainerDeﬁnition (p. 1878)
Update requires: Replacement (p. 119)
Cpu
The number of cpu units used by the task. If using the EC2 launch type, this ﬁeld is optional.
Supported values are between 128 CPU units (0.125 vCPUs) and 10240 CPU units (10 vCPUs). If
you are using the Fargate launch type, this ﬁeld is required and you must use one of the following
values, which determines your range of valid values for the memory parameter:
• 256 (.25 vCPU) - Available memory values: 0.5GB, 1GB, 2GB
• 512 (.5 vCPU) - Available memory values: 1GB, 2GB, 3GB, 4GB
• 1024 (1 vCPU) - Available memory values: 2GB, 3GB, 4GB, 5GB, 6GB, 7GB, 8GB
• 2048 (2 vCPU) - Available memory values: Between 4GB and 16GB in 1GB increments
• 4096 (4 vCPU) - Available memory values: Between 8GB and 30GB in 1GB increments
Required: No
Type: String
Update requires: Replacement (p. 119)
ExecutionRoleArn
The Amazon Resource Name (ARN) of the task execution role that containers in this task can assume.
All containers in this task are granted the permissions that are speciﬁed in this role.
Required: No
Type: String
Update requires: Replacement (p. 119)
Family
The name of a family that this task deﬁnition is registered to. A family groups multiple versions of a
task deﬁnition. Amazon ECS gives the ﬁrst task deﬁnition that you registered to a family a revision
number of 1. Amazon ECS gives sequential revision numbers to each task deﬁnition that you add.

Note

To use revision numbers when you update a task deﬁnition, specify this property. If you
don't specify a value, AWS CloudFormation generates a new task deﬁnition each time that
you update it.
Required: No
API Version 2010-05-15
1003

AWS CloudFormation User Guide
AWS::ECS::TaskDeﬁnition

Type: String
Update requires: Replacement (p. 119)
Memory
The amount (in MiB) of memory used by the task. If using the EC2 launch type, this ﬁeld is optional
and any value can be used. If you are using the Fargate launch type, this ﬁeld is required and you
must use one of the following values, which determines your range of valid values for the cpu
parameter:
• 0.5GB, 1GB, 2GB - Available cpu values: 256 (.25 vCPU)
• 1GB, 2GB, 3GB, 4GB - Available cpu values: 512 (.5 vCPU)
• 2GB, 3GB, 4GB, 5GB, 6GB, 7GB, 8GB - Available cpu values: 1024 (1 vCPU)
• Between 4GB and 16GB in 1GB increments - Available cpu values: 2048 (2 vCPU)
• Between 8GB and 30GB in 1GB increments - Available cpu values: 4096 (4 vCPU)
Required: No
Type: String
Update requires: Replacement (p. 119)
NetworkMode
The Docker networking mode to use for the containers in the task, such as none, bridge, or host.
For information about network modes, see NetworkMode in the Task Deﬁnition Parameters topic in
the Amazon Elastic Container Service Developer Guide.
For Fargate launch types, you can specify awsvpc only. The none, bridge, or host option won't
work for Fargate launch types.
Required: No
Type: String
Update requires: Replacement (p. 119)
PlacementConstraints
The placement constraints for the tasks in the service.
Required: No
Type: Amazon Elastic Container Service Service PlacementConstraint (p. 1892)
Update requires: Replacement (p. 119)
RequiresCompatibilities
The launch type the task requires. If no value is speciﬁed, it will default to EC2. Valid values include
EC2 and FARGATE.
Required: No
Type: List of Strings
Update requires: Replacement (p. 119)
TaskRoleArn
The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that
grants containers in the task permission to call AWS APIs on your behalf. For more information, see
IAM Roles for Tasks in the Amazon Elastic Container Service Developer Guide.
API Version 2010-05-15
1004

AWS CloudFormation User Guide
AWS::ECS::TaskDeﬁnition

Required: No
Type: String
Update requires: Replacement (p. 119)
Volumes
A list of volume deﬁnitions in JSON format for the volumes that you can use in your container
deﬁnitions.
Required: No
Type: List of Amazon Elastic Container Service TaskDeﬁnition Volumes (p. 1893)
Update requires: Replacement (p. 119)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the Amazon
Resource Name (ARN).
In the following example, the Ref function returns the ARN of the MyTaskDefinition task, such as
arn:aws:ecs:us-west-2:123456789012:task/1abf0f6d-a411-4033-b8eb-a4eed3ad252a.
{ "Ref": "MyTaskDefinition" }

For more information about using the Ref function, see Ref (p. 2311).

Examples
The following example deﬁnes an Amazon ECS task deﬁnition, which includes two container deﬁnitions
and one volume deﬁnition.

JSON
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties" : {
"ContainerDefinitions" : [
{
"Name": {"Ref": "AppName"},
"MountPoints": [
{
"SourceVolume": "my-vol",
"ContainerPath": "/var/www/my-vol"
}
],
"Image":"amazon/amazon-ecs-sample",
"Cpu": "10",
"PortMappings":[
{
"ContainerPort": {"Ref":"AppContainerPort"},
"HostPort": {"Ref":"AppHostPort"}
}
],
"EntryPoint": [

API Version 2010-05-15
1005

AWS CloudFormation User Guide
AWS::ECS::TaskDeﬁnition
"/usr/sbin/apache2",
"-D",
"FOREGROUND"

],
"Memory":"500",
"Essential": "true"

},
{

}

}

"Name": "busybox",
"Image": "busybox",
"Cpu": "10",
"EntryPoint": [
"sh",
"-c"
],
"Memory": "500",
"Command": [
"/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\""
],
"Essential" : "false",
"VolumesFrom": [
{
"SourceContainer": {"Ref":"AppName"}
}
]
}],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/docker/vfs/dir/"
},
"Name": "my-vol"
}]

YAML
taskdefinition:
Type: AWS::ECS::TaskDefinition
Properties:
ContainerDefinitions:
Name:
Ref: "AppName"
MountPoints:
SourceVolume: "my-vol"
ContainerPath: "/var/www/my-vol"
Image: "amazon/amazon-ecs-sample"
Cpu: "10"
PortMappings:
ContainerPort:
Ref: "AppContainerPort"
HostPort:
Ref: "AppHostPort"
EntryPoint:
- "/usr/sbin/apache2"
- "-D"
- "FOREGROUND"
Memory: "500"
Essential: "true"
-

API Version 2010-05-15
1006

AWS CloudFormation User Guide
AWS::ECS::TaskDeﬁnition
Name: "busybox"
Image: "busybox"
Cpu: "10"
EntryPoint:
- "sh"
- "-c"
Memory: "500"
Command:
- "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\""
Essential: "false"
VolumesFrom:
SourceContainer:
Ref: "AppName"
Volumes:
Host:
SourcePath: "/var/lib/docker/vfs/dir/"
Name: "my-vol"

The following example deﬁnes an Amazon ECS task deﬁnition that speciﬁes EC2 and FARGATE as
required compatibilities.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"RequiresCompatibilities": [
"EC2",
"FARGATE"
],
"ContainerDefinitions": [
{
"Name": "my-app",
"MountPoints": [
{
"SourceVolume": "my-vol",
"ContainerPath": "/var/www/my-vol"
}
],
"Image": "amazon/amazon-ecs-sample",
"Cpu": "10",
"EntryPoint": [
"/usr/sbin/apache2",
"-D",
"FOREGROUND"
],
"Memory": "500",
"Essential": "true"
},
{
"Name": "busybox",
"Image": "busybox",
"Cpu": "10",
"EntryPoint": [
"sh",
"-c"
],
"Memory": "500",

API Version 2010-05-15
1007

AWS CloudFormation User Guide
AWS::ECS::TaskDeﬁnition
"Command": [
"/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done

\""

}

}

],
"Essential": "false",
"VolumesFrom": [
{
"SourceContainer": "my-app"
}
]

}

}

}
],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/docker/vfs/dir/"
},
"Name": "my-vol"
}
]

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
taskdefinition:
Type: AWS::ECS::TaskDefinition
Properties:
RequiresCompatibilities:
- "EC2"
- "FARGATE"
ContainerDefinitions:
Name: "my-app"
MountPoints:
SourceVolume: "my-vol"
ContainerPath: "/var/www/my-vol"
Image: "amazon/amazon-ecs-sample"
Cpu: "10"
EntryPoint:
- "/usr/sbin/apache2"
- "-D"
- "FOREGROUND"
Memory: "500"
Essential: "true"
Name: "busybox"
Image: "busybox"
Cpu: "10"
EntryPoint:
- "sh"
- "-c"
Memory: "500"
Command:
- "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done
\""
Essential: "false"
VolumesFrom:
-

API Version 2010-05-15
1008

AWS CloudFormation User Guide
AWS::EFS::FileSystem
SourceContainer: "my-app"
Volumes:
Host:
SourcePath: "/var/lib/docker/vfs/dir/"
Name: "my-vol"

See Also
For a complete sample template that shows how you can create an Amazon ECS cluster and service, see
Amazon Elastic Container Service Template Snippets (p. 353).

AWS::EFS::FileSystem
The AWS::EFS::FileSystem resource creates a new, empty ﬁle system in Amazon Elastic File
System (Amazon EFS). You must create a mount target (AWS::EFS::MountTarget (p. 1013)) to mount
your Amazon EFS ﬁle system on an Amazon Elastic Compute Cloud (Amazon EC2) instance. For more
information, see the CreateFileSystem API in the Amazon Elastic File System User Guide.
Topics
• Syntax (p. 1009)
• Properties (p. 1010)
• Return Value (p. 1011)
• Example (p. 1011)
• Additional Resources (p. 1013)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EFS::FileSystem",
"Properties" : {
"Encrypted" : Boolean,
"FileSystemTags" : [ FileSystemTags, ... ],
"KmsKeyId" : String,
"PerformanceMode" : String,
"ProvisionedThroughputInMibps" : Double,
"ThroughputMode" : String
}

YAML
Type: AWS::EFS::FileSystem
Properties:
Encrypted: Boolean
FileSystemTags:
- FileSystemTags
KmsKeyId: String
PerformanceMode: String
ProvisionedThroughputInMibps: Double
ThroughputMode: String

API Version 2010-05-15
1009

AWS CloudFormation User Guide
AWS::EFS::FileSystem

Properties
FileSystemTags
Tags to associate with the ﬁle system.
Required: No
Type: Amazon Elastic File System FileSystem FileSystemTags (p. 1895)
Update requires: No interruption (p. 118)
Encrypted
A boolean value that, if true, creates an encrypted ﬁle system. For more information, see
CreateFileSystem in the Amazon Elastic File System User Guide.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
KmsKeyId
The ID of the AWS KMS customer master key (CMK) to use to protect the encrypted ﬁle system.
This parameter is only required if you want to use a non-default CMK. For more information, see
CreateFileSystem in the Amazon Elastic File System User Guide.
Required: Conditional. This parameter is required if you use a non-default CMK.
Type: String
Update requires: Replacement (p. 119)
PerformanceMode
The performance mode of the ﬁle system. For valid values, see the PerformanceMode parameter
for the CreateFileSystem action in the Amazon Elastic File System User Guide.
For more information about performance modes, see Amazon EFS Performance in the Amazon
Elastic File System User Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)
ProvisionedThroughputInMibps
The throughput, measured in MiB/s, that you want to provision for a ﬁle system that you're creating.
The limit on throughput is 1024 MiB/s. You can get these limits increased by contacting AWS
Support. For more information, see Amazon EFS Limits That You Can Increase in the Amazon Elastic
File System User Guide.
Valid Range: Minimum value of 0.0.
Required: No
Type: Double
API Version 2010-05-15
1010

AWS CloudFormation User Guide
AWS::EFS::FileSystem

Update requires: No interruption (p. 118)
ThroughputMode
The throughput mode for the ﬁle system to be created. There are two throughput modes to choose
from for your ﬁle system: bursting and provisioned. You can decrease your ﬁle system's
throughput in Provisioned Throughput mode or change between the throughput modes as long as
it’s been more than 24 hours since the last decrease or throughput mode change.
Valid Values: bursting and provisioned.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource ID,
such as fs-47a2c22e.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example declares an encrypted ﬁle system:

JSON
{

"Resources": {
"filesystem": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"Encrypted": true,
"KmsKeyId": {
"Fn::GetAtt": [
"key",
"Arn"
]
}
}
},
"key": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[

API Version 2010-05-15
1011

AWS CloudFormation User Guide
AWS::EFS::FileSystem

]

}

}

}

]

}

]

"arn:aws:iam::",
{
"Ref": "AWS::AccountId"
},
":root"

}
},
"Action": [
"kms:*"
],
"Resource": "*"

}
},
"Outputs": {
"KeyId": {
"Value": {
"Fn::GetAtt": [
"key",
"Arn"
]
}
}
}

YAML
Resources:
filesystem:
Type: AWS::EFS::FileSystem
Properties:
Encrypted: true
KmsKeyId: !GetAtt
- key
- Arn
key:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Allow administration of the key
Effect: Allow
Principal:
AWS: !Join
- ''
- - 'arn:aws:iam::'
- !Ref 'AWS::AccountId'
- ':root'
Action:
- 'kms:*'
Resource: '*'
Outputs:
KeyId:
Value: !GetAtt
- key
- Arn

API Version 2010-05-15
1012

AWS CloudFormation User Guide
AWS::EFS::MountTarget

Additional Resources
For a complete sample template, see Amazon Elastic File System Sample Template (p. 369).

AWS::EFS::MountTarget
The AWS::EFS::MountTarget resource creates a mount target for an Amazon Elastic File System
(Amazon EFS) ﬁle system (AWS::EFS::FileSystem (p. 1009)). Use the mount target to mount ﬁle systems
on Amazon Elastic Compute Cloud (Amazon EC2) instances.
For more information on creating a mount target for a ﬁle system, see CreateMountTarget in the Amazon
Elastic File System User Guide. For a detailed overview of deploying EC2 instances associated with an
Amazon EFS ﬁle system, see Amazon Elastic File System Sample Template (p. 369).

Note

EC2 instances and the mount target that they connect to must be in a VPC with DNS enabled.
Topics
• Syntax (p. 1013)
• Properties (p. 1013)
• Return Values (p. 1015)
• Template Example (p. 1015)
• Additional Resources (p. 1015)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EFS::MountTarget",
"Properties" : {
"FileSystemId" : String,
"IpAddress" : String,
"SecurityGroups" : [ String, ... ],
"SubnetId" : String
}

YAML
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: String
IpAddress: String
SecurityGroups:
[ String, ... ]
SubnetId: String

Properties
FileSystemId
The ID of the ﬁle system for which you want to create the mount target.
API Version 2010-05-15
1013

AWS CloudFormation User Guide
AWS::EFS::MountTarget

Required: Yes
Type: String
Update requires: Replacement (p. 119)
Before updating this property, stop EC2 instances that are using this mount target, and then restart
them after the update is complete. This allows the instances to unmount the ﬁle system before the
mount target is replaced. If you don't stop and restart them, instances or applications that are using
those mounts might be disrupted when the mount target is deleted (uncommitted writes might be
lost).
IpAddress
An IPv4 address that is within the address range of the subnet that is speciﬁed in the SubnetId
property. If you don't specify an IP address, Amazon EFS automatically assigns an address that is
within the range of the subnet.
Required: No
Type: String
Update requires: Replacement (p. 119)
Before updating this property, stop EC2 instances that are using this mount target, and then restart
them after the update is complete. This allows the instances to unmount the ﬁle system before the
mount target is replaced. If you don't stop and restart them, instances or applications that are using
those mounts might be disrupted when the mount target is deleted (uncommitted writes might be
lost).
SecurityGroups
A maximum of ﬁve VPC security group IDs that are in the same VPC as the subnet that is speciﬁed
in the SubnetId property. For more information about security groups and mount targets, see
Security in the Amazon Elastic File System User Guide.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)
SubnetId
The ID of the subnet in which you want to add the mount target.

Note

For each ﬁle system, you can create only one mount target per Availability Zone (AZ). All
EC2 instances in an AZ share a single mount target for a ﬁle system. If you create multiple
mount targets for a single ﬁle system, do not specify a subnet that is an AZ that already has
a mount target associated with the same ﬁle system.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Before updating this property, stop EC2 instances that are using this mount target and then restart
them after the update is complete. That way the instances can unmount the ﬁle system before the
mount target is replaced. If you don't stop and restart them, instances or applications that are using
those mounts might be disrupted when the mount target is deleted (uncommitted writes might be
lost).
API Version 2010-05-15
1014

AWS CloudFormation User Guide
AWS::EKS::Cluster

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource ID,
such as fsmt-55a4413c.
For more information about using the Ref function, see Ref (p. 2311).

Template Example
The following example declares a mount target that is associated with a ﬁle system, subnet, and
security group, which are all declared in the same template. EC2 instances that are in the same AZ as the
mount target can use the mount target to connect to the associated ﬁle system. For information about
mounting ﬁle systems on EC2 instances, see Mounting File Systems in the Amazon Elastic File System
User Guide.

JSON
"MountTarget": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": { "Ref": "FileSystem" },
"SubnetId": { "Ref": "Subnet" },
"SecurityGroups": [ { "Ref": "MountTargetSecurityGroup" } ]
}
}

YAML
MountTarget:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId:
Ref: "FileSystem"
SubnetId:
Ref: "Subnet"
SecurityGroups:
Ref: "MountTargetSecurityGroup"

Additional Resources
For a complete sample template, see Amazon Elastic File System Sample Template (p. 369).

AWS::EKS::Cluster
The AWS::EKS::Cluster resource creates an Amazon EKS cluster control plane. The Amazon EKS
cluster control plane consists of control plane instances that run the Kubernetes software, like etcd and
the Kubernetes API server. The control plane runs in an account managed by AWS, and the Kubernetes
API is exposed via the Amazon EKS endpoint associated with your cluster. For more information, see
Clusters in the Amazon EKS User Guide.
Topics
• Syntax (p. 1016)
• Properties (p. 1016)
API Version 2010-05-15
1015

AWS CloudFormation User Guide
AWS::EKS::Cluster

• Return Values (p. 1017)
• Examples (p. 1017)
• See Also (p. 1018)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EKS::Cluster",
"Properties" : {
"Name" : String,
"ResourcesVpcConfig" : EKS Cluster ResourcesVpcConfig,
"RoleArn" : String,
"Version" : String
}

YAML
Type: "AWS::EKS::Cluster"
Properties:
Name: String
ResourcesVpcConfig: EKS Cluster ResourcesVpcConfig
RoleArn: String
Version: String

Properties
Name
The name of the cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)
ResourcesVpcConfig
The VPC subnets and security groups used by the cluster control plane. Amazon EKS VPC resources
have speciﬁc requirements to work properly with Kubernetes. For more information, see Cluster VPC
Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide.
Required: Yes
Type: EKS Cluster ResourcesVpcConﬁg (p. 1895)
Update requires: Replacement (p. 119)
RoleArn
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes
control plane to make calls to AWS API operations on your behalf.
Required: Yes
API Version 2010-05-15
1016

AWS CloudFormation User Guide
AWS::EKS::Cluster

Type: String
Update requires: Replacement (p. 119)
Version
The Kubernetes server version for the cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::EKS::Cluster resource to the intrinsic Ref function, the
function returns the name of the cluster, such as EKSCluster-NT5EUXTNTXXD.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The ARN of the cluster, such as arn:aws:eks:us-west-2:666666666666:cluster/prod.
CertificateAuthorityData
The certificate-authority-data for your cluster.
Endpoint
The endpoint for your Kubernetes API server, such as
https://5E1D0CEXAMPLEA591B746AFC5AB30262.yl4.us-west-2.eks.amazonaws.com
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Create a Cluster
The following example creates an Amazon EKS cluster called prod.

JSON
{

"Type": "AWS::EKS::Cluster",
"Properties": {
"Name": "prod",
"Version": "1.10",
"RoleArn": "arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKSEXAMPLEBQ4PI",
"ResourcesVpcConfig": {

API Version 2010-05-15
1017

AWS CloudFormation User Guide
AWS::ElastiCache::CacheCluster

}

}

}

"SecurityGroupIds": [
"sg-6979fe18"
],
"SubnetIds": [
"subnet-6782e71e",
"subnet-e7e761ac"
]

YAML
Type: "AWS::EKS::Cluster"
Properties:
Name: "prod"
Version: "1.10"
RoleArn: "arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKSEXAMPLEBQ4PI"
ResourcesVpcConfig:
SecurityGroupIds: ["sg-6979fe18"]
SubnetIds: ["subnet-6782e71e", "subnet-e7e761ac"]

See Also
• Clusters in the Amazon EKS User Guide.
• CreateCluster in the Amazon EKS API Reference.

AWS::ElastiCache::CacheCluster
The AWS::ElastiCache::CacheCluster type creates an Amazon ElastiCache cache cluster.
Topics
• Syntax (p. 1018)
• Properties (p. 1019)
• Return Values (p. 1023)
• Template Snippets (p. 1024)
• See Also (p. 1026)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ElastiCache::CacheCluster",
"Properties" :
{
"AutoMinorVersionUpgrade (p. 1019)" : Boolean,
"AZMode" : String,
"CacheNodeType (p. 1020)" : String,
"CacheParameterGroupName (p. 1020)" : String,
"CacheSecurityGroupNames (p. 1020)" : [ String, ... ],

API Version 2010-05-15
1018

AWS CloudFormation User Guide
AWS::ElastiCache::CacheCluster

}

}

"CacheSubnetGroupName (p. 1020)" : String,
"ClusterName" : String,
"Engine (p. 1021)" : String,
"EngineVersion (p. 1021)" : String,
"NotificationTopicArn (p. 1021)" : String,
"NumCacheNodes (p. 1021)" : Integer,
"Port (p. 1021)" : Integer,
"PreferredAvailabilityZone (p. 1022)" : String,
"PreferredAvailabilityZones" : [String, ... ],
"PreferredMaintenanceWindow (p. 1022)" : String,
"SnapshotArns (p. 1022)" : [String, ... ],
"SnapshotName" : String,
"SnapshotRetentionLimit" : Integer,
"SnapshotWindow" : String,
"Tags" : [Resource Tag, ...],
"VpcSecurityGroupIds (p. 1023)" : [String, ...]

YAML
Type: AWS::ElastiCache::CacheCluster
Properties:
AutoMinorVersionUpgrade (p. 1019): Boolean
AZMode: String
CacheNodeType (p. 1020): String
CacheParameterGroupName (p. 1020): String
CacheSecurityGroupNames (p. 1020):
- String
CacheSubnetGroupName (p. 1020): String
ClusterName: String
Engine (p. 1021): String
EngineVersion (p. 1021): String
NotificationTopicArn (p. 1021): String
NumCacheNodes (p. 1021): Integer
Port (p. 1021): Integer
PreferredAvailabilityZone (p. 1022): String
PreferredAvailabilityZones:
- String
PreferredMaintenanceWindow (p. 1022): String
SnapshotArns (p. 1022):
- String
SnapshotName: String
SnapshotRetentionLimit: Integer
SnapshotWindow: String
Tags:
- Resource Tag
VpcSecurityGroupIds (p. 1023):
- String

Properties
For valid values, see CreateCacheCluster in the Amazon ElastiCache API Reference.
AutoMinorVersionUpgrade
Indicates that minor engine upgrades will be applied automatically to the cache cluster during the
maintenance window.
Required: No
Type: Boolean
API Version 2010-05-15
1019

AWS CloudFormation User Guide
AWS::ElastiCache::CacheCluster

Default: true
Update requires: No interruption (p. 118)
AZMode
For Memcached cache clusters, indicates whether the nodes are created in a single Availability Zone
or across multiple Availability Zones in the cluster's region. For valid values, see CreateCacheCluster
in the Amazon ElastiCache API Reference.
Required: Conditional. If you specify multiple Availability Zones in the
PreferredAvailabilityZones property, you must specify cross Availability Zones for this
property.
Type: String
Update requires: No interruption (p. 118)
CacheNodeType
The compute and memory capacity of nodes in a cache cluster.
Required: Yes
Type: String
Update requires: Some interruptions (p. 119)
CacheParameterGroupName
The name of the cache parameter group that is associated with this cache cluster.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
CacheSecurityGroupNames
A list of cache security group names that are associated with this cache cluster. If your cache cluster
is in a VPC, specify the VpcSecurityGroupIds property instead.
Required: Conditional: If your cache cluster isn't in a VPC, you must specify this property.
Type: List of String values
Update requires: No interruption (p. 118)
CacheSubnetGroupName
The cache subnet group that you associate with a cache cluster.
Required: Conditional. If you speciﬁed the VpcSecurityGroupIds property, you must specify this
property.
Type: String
Update requires: Replacement (p. 119)
ClusterName
A name for the cache cluster. If you don't specify a name, AWS CloudFormation generates a unique
physical ID and uses that ID for the cache cluster. For more information, see Name Type (p. 2085).
API Version 2010-05-15
1020

AWS CloudFormation User Guide
AWS::ElastiCache::CacheCluster

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
The name must contain 1 to 20 alphanumeric characters or hyphens. The name must start with a
letter and cannot end with a hyphen or contain two consecutive hyphens.
Required: No
Type: String
Update requires: Replacement (p. 119)
Engine
The name of the cache engine to be used for this cache cluster, such as memcached or redis.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
EngineVersion
The version of the cache engine to be used for this cluster.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
NotificationTopicArn
The Amazon Resource Name (ARN) of the Amazon Simple Notiﬁcation Service (SNS) topic to which
notiﬁcations will be sent.
Required: No
Type: String
Update requires: No interruption (p. 118)
NumCacheNodes
The number of cache nodes that the cache cluster should have.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118). However, if the PreferredAvailabilityZone and
PreferredAvailabilityZones properties were not previously speciﬁed and you don't specify
any new values, an update requires replacement (p. 119).
Port
The port number on which each of the cache nodes will accept connections.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
API Version 2010-05-15
1021

AWS CloudFormation User Guide
AWS::ElastiCache::CacheCluster

PreferredAvailabilityZone
The Amazon EC2 Availability Zone in which the cache cluster is created.
Required: No
Type: String
Update requires: Replacement (p. 119)
PreferredAvailabilityZones
For Memcached cache clusters, the list of Availability Zones in which cache nodes are created. The
number of Availability Zones listed must equal the number of cache nodes. For example, if you want
to create three nodes in two diﬀerent Availability Zones, you can specify ["us-east-1a", "useast-1a", "us-east-1b"], which would create two nodes in us-east-1a and one node in useast-1b.
If you specify a subnet group and you're creating your cache cluster in a VPC, you must specify
Availability Zones that are associated with the subnets in the subnet group that you've chosen.
If you want all the nodes in the same Availability Zone, use the PreferredAvailabilityZone
property or repeat the Availability Zone multiple times in the list.
Required: No
Type: List of String values
If you specify an Availability Zone that was previously speciﬁed in the template, such as in the
PreferredAvailabilityZone property, the update requires some interruptions (p. 119). Also,
if the PreferredAvailabilityZones property was already speciﬁed and you're updating its
values (regardless of whether you specify the same Availability Zones), the update requires some
interruptions (p. 119).
All other updates require replacement (p. 119).
PreferredMaintenanceWindow
The weekly time range (in UTC) during which system maintenance can occur.
Required: No
Type: String
Update requires: No interruption (p. 118)
SnapshotArns
The ARN of the snapshot ﬁle that you want to use to seed a new Redis cache cluster. If you manage
a Redis instance outside of Amazon ElastiCache, you can create a new cache cluster in ElastiCache by
using a snapshot ﬁle that is stored in an Amazon S3 bucket.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
SnapshotName
The name of a snapshot from which to restore data into a new Redis cache cluster.
Required: No
Type: String
API Version 2010-05-15
1022

AWS CloudFormation User Guide
AWS::ElastiCache::CacheCluster

Update requires: Replacement (p. 119)
SnapshotRetentionLimit
For Redis cache clusters, the number of days for which ElastiCache retains automatic snapshots
before deleting them. For example, if you set the value to 5, a snapshot that was taken today will be
retained for 5 days before being deleted.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
SnapshotWindow
For Redis cache clusters, the daily time range (in UTC) during which ElastiCache will begin taking a
daily snapshot of your node group. For example, you can specify 05:00-09:00.
Required: No
Type: String
Update requires: No interruption (p. 118)
Tags
An arbitrary set of tags (key–value pairs) for this cache cluster.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).
VpcSecurityGroupIds
A list of VPC security group IDs. If your cache cluster isn't in a VPC, specify the
CacheSecurityGroupNames property instead.

Note

You must use the AWS::EC2::SecurityGroup resource instead of the
AWS::ElastiCache::SecurityGroup resource in order to specify an ElastiCache security
group that is in a VPC. In addition, if you use the default VPC for your AWS account, you
must use the Fn::GetAtt function and the GroupId attribute to retrieve security group
IDs (instead of the Ref function). To see a sample template, see the Template Snippet
section.
Required: Conditional: If your cache cluster is in a VPC, you must specify this property.
Type: List of String values
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
1023

AWS CloudFormation User Guide
AWS::ElastiCache::CacheCluster

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
ConfigurationEndpoint.Address
The DNS address of the conﬁguration endpoint for the Memcached cache cluster.
ConfigurationEndpoint.Port
The port number of the conﬁguration endpoint for the Memcached cache cluster.
RedisEndpoint.Address
The DNS address of the conﬁguration endpoint for the Redis cache cluster.
RedisEndpoint.Port
The port number of the conﬁguration endpoint for the Redis cache cluster.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Template Snippets
Cluster in a Default VPC
The following snippet describes an ElastiCache cluster in a security group that is in a default VPC.
Usually, a security group in a VPC requires the VPC ID to be speciﬁed. In this case, no VPC ID is needed
because the security group uses the default VPC. If you want to specify a VPC for the security group,
specify its VpcId property.
For the cache cluster, the VpcSecurityGroupIds property is used to associate the cluster with the
security group. Because the VpcSecurityGroupIds property requires security group IDs (not security
group names), the template snippet uses the Fn::GetAtt function instead of a Ref function on the
ElasticacheSecurityGroup resource. The Ref function will return the security group name. If you
specify a VPC ID for the security group, Ref returns the security group ID.
Note that InstanceSecurityGroup refers to the logical name of a security group that is not
actually deﬁned in this snippet. To learn more about the SourceSecurityGroupName property, see
AWS::EC2::SecurityGroupIngress (p. 925).

JSON
"ElasticacheSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Elasticache Security Group",
"SecurityGroupIngress": [ {
"IpProtocol": "tcp",
"FromPort": "11211",
"ToPort": "11211",
"SourceSecurityGroupName": {"Ref": "InstanceSecurityGroup"}
} ]
}
},
"ElasticacheCluster": {
"Type": "AWS::ElastiCache::CacheCluster",
"Properties": {
"AutoMinorVersionUpgrade": "true",
"Engine": "memcached",
"CacheNodeType": "cache.t2.micro",

API Version 2010-05-15
1024

AWS CloudFormation User Guide
AWS::ElastiCache::CacheCluster

}

}

"NumCacheNodes": "1",
"VpcSecurityGroupIds": [{"Fn::GetAtt": [ "ElasticacheSecurityGroup", "GroupId"]}]

YAML
ElasticacheSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: "Elasticache Security Group"
SecurityGroupIngress:
IpProtocol: "tcp"
FromPort: "11211"
ToPort: "11211"
SourceSecurityGroupName:
Ref: "InstanceSecurityGroup"
ElasticacheCluster:
Type: AWS::ElastiCache::CacheCluster
Properties:
AutoMinorVersionUpgrade: "true"
Engine: "memcached"
CacheNodeType: "cache.t2.micro"
NumCacheNodes: "1"
VpcSecurityGroupIds:
Fn::GetAtt:
- "ElasticacheSecurityGroup"
- "GroupId"

Memcached Nodes in Multiple Availability Zones
The following example launches a cache cluster with three nodes, where two nodes are created in uswest-2a and one is created in us-west-2b.

JSON
"myCacheCluster" : {
"Type": "AWS::ElastiCache::CacheCluster",
"Properties" : {
"AZMode" : "cross-az",
"CacheNodeType" : "cache.m3.medium",
"Engine" : "memcached",
"NumCacheNodes" : "3",
"PreferredAvailabilityZones" : [ "us-west-2a", "us-west-2a", "us-west-2b" ]
}
}

YAML
myCacheCluster:
Type: AWS::ElastiCache::CacheCluster
Properties:
AZMode: "cross-az"
CacheNodeType: "cache.m3.medium"
Engine: "memcached"
NumCacheNodes: "3"
PreferredAvailabilityZones:
- "us-west-2a"
- "us-west-2a"

API Version 2010-05-15
1025

AWS CloudFormation User Guide
AWS::ElastiCache::ParameterGroup
- "us-west-2b"

See Also
• CreateCacheCluster in the Amazon ElastiCache API Reference Guide
• ModifyCacheCluster in the Amazon ElastiCache API Reference Guide

AWS::ElastiCache::ParameterGroup
The AWS::ElastiCache::ParameterGroup type creates a new cache parameter group. Cache parameter
groups control the parameters for a cache cluster.
Topics
• Syntax (p. 1026)
• Properties (p. 1026)
• Return Values (p. 1027)
• Example (p. 1027)
• See Also (p. 1028)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::ElastiCache::ParameterGroup",
"Properties": {
"CacheParameterGroupFamily" : String,
"Description" : String,
"Properties" : { String:String, ... }
}

YAML
Type: AWS::ElastiCache::ParameterGroup
Properties:
CacheParameterGroupFamily: String
Description: String
Properties:
String: String

Properties
CacheParameterGroupFamily
The name of the cache parameter group family that the cache parameter group can be used with.
Required: Yes
Type: String
API Version 2010-05-15
1026

AWS CloudFormation User Guide
AWS::ElastiCache::ParameterGroup

Update requires: Updates are not supported.
Description
The description for the Cache Parameter Group.
Required: Yes
Type: String
Update requires: Updates are not supported.
Properties
A comma-delimited list of parameter name/value pairs. For more information, go to
ModifyCacheParameterGroup in the Amazon ElastiCache API Reference Guide.
Example:

"Properties" : {
"cas_disabled" : "1",
"chunk_size_growth_factor" : "1.02"
}

Required: No
Type: Mapping of key-value pairs
Update requires: Updates are not supported.

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
"MyParameterGroup": {
"Type": "AWS::ElastiCache::ParameterGroup",
"Properties": {
"Description": "MyNewParameterGroup",
"CacheParameterGroupFamily": "memcached1.4",
"Properties" : {
"cas_disabled" : "1",
"chunk_size_growth_factor" : "1.02"
}
}
}

YAML
MyParameterGroup:

API Version 2010-05-15
1027

AWS CloudFormation User Guide
AWS::ElastiCache::ReplicationGroup
Type: AWS::ElastiCache::ParameterGroup
Properties:
Description: "MyNewParameterGroup"
CacheParameterGroupFamily: "memcached1.4"
Properties:
cas_disabled: "1"
chunk_size_growth_factor: "1.02"

See Also
• CreateCacheParameterGroup in the Amazon ElastiCache API Reference Guide
• ModifyCacheParameterGroup in the Amazon ElastiCache API Reference Guide
• AWS CloudFormation Stacks Updates (p. 118)

AWS::ElastiCache::ReplicationGroup
The AWS::ElastiCache::ReplicationGroup resource creates an Amazon ElastiCache Redis
replication group. A replication group is a collection of cache clusters, where one of the clusters is a
primary read-write cluster and the others are read-only replicas.
Topics
• Syntax (p. 1028)
• Properties (p. 1029)
• Return Values (p. 1036)
• Examples (p. 1037)
• See Also (p. 1039)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ElastiCache::ReplicationGroup",
"Properties" : {
"AtRestEncryptionEnabled" : Boolean,
"AuthToken" : String,
"AutomaticFailoverEnabled" : Boolean,
"AutoMinorVersionUpgrade" : Boolean,
"CacheNodeType" : String,
"CacheParameterGroupName" : String,
"CacheSecurityGroupNames" : [ String, ... ],
"CacheSubnetGroupName" : String,
"Engine" : String,
"EngineVersion" : String,
"NodeGroupConfiguration" : [ NodeGroupConfiguration (p. 1905) ],
"NotificationTopicArn" : String,
"NumCacheClusters" : Integer,
"NumNodeGroups" : Integer,
"Port" : Integer,
"PreferredCacheClusterAZs" : [ String, ... ],
"PreferredMaintenanceWindow" : String,
"PrimaryClusterId" : String,
"ReplicasPerNodeGroup" : Integer,
"ReplicationGroupDescription" : String,

API Version 2010-05-15
1028

AWS CloudFormation User Guide
AWS::ElastiCache::ReplicationGroup

}

}

"ReplicationGroupId" : String,
"SecurityGroupIds" : [ String, ... ],
"SnapshotArns" : [ String, ... ],
"SnapshotName" : String,
"SnapshotRetentionLimit" : Integer,
"SnapshottingClusterId" : String,
"SnapshotWindow" : String,
"Tags" : Resource Tag, ...,
"TransitEncryptionEnabled" : Boolean

YAML
Type: AWS::ElastiCache::ReplicationGroup
Properties:
AtRestEncryptionEnabled: Boolean
AuthToken: String
AutomaticFailoverEnabled: Boolean
AutoMinorVersionUpgrade: Boolean
CacheNodeType: String
CacheParameterGroupName: String
CacheSecurityGroupNames:
- String
CacheSubnetGroupName: String
Engine: String
EngineVersion: String
NodeGroupConfiguration:
- NodeGroupConfiguration (p. 1905)
NotificationTopicArn: String
NumCacheClusters: Integer
NumNodeGroups: Integer
Port: Integer
PreferredCacheClusterAZs:
- String
PreferredMaintenanceWindow: String
PrimaryClusterId: String
ReplicasPerNodeGroup: Integer
ReplicationGroupDescription: String
ReplicationGroupId: String
SecurityGroupIds:
- String
SnapshotArns:
- String
SnapshotName: String
SnapshotRetentionLimit: Integer
SnapshottingClusterId: String
SnapshotWindow: String
Tags
- Resource Tag
TransitEncryptionEnabled: Boolean

Properties
For more information about each property and valid values, see CreateReplicationGroup in the Amazon
ElastiCache API Reference.
AtRestEncryptionEnabled
Indicates whether to enable encryption at rest. The default value is false. For more information
about how you can use this property, see CreateReplicationGroup in the Amazon ElastiCache API
Reference.
API Version 2010-05-15
1029

AWS CloudFormation User Guide
AWS::ElastiCache::ReplicationGroup

Required: No
Type: Boolean
Update requires: Replacement (p. 119)
AuthToken
The password that's used to access a password-protected server. For constraints, see
CreateReplicationGroup in the Amazon ElastiCache API Reference.
AuthToken can be speciﬁed only on replication groups where TransitEncryptionEnabled is
true.

Important

For HIPAA compliance, you must specify TransitEncryptionEnabled as true, an
AuthToken, and a CacheSubnetGroupName.
Required: No
Type: String
Update requires: Replacement (p. 119)
AutomaticFailoverEnabled
Indicates whether Multi-AZ is enabled. When Multi-AZ is enabled, a read-only replica is
automatically promoted to a read-write primary cluster if the existing primary cluster fails. If you
specify true, you must specify a value greater than 1 for the NumCacheClusters property. By
default, AWS CloudFormation sets the value to true.
For Redis (clustered mode enabled) replication groups, you must enable automatic failover.
For information about Multi-AZ constraints, see Replication with Multi-AZ and Automatic Failover
(Redis) in the Amazon ElastiCache User Guide.

Note

You cannot enable automatic failover for Redis versions earlier than 2.8.6 or for T1 cache
node types. Automatic failover is supported on T2 node types only if you are running Redis
version 3.2.4 or later with cluster mode enabled.

Important

If you specify the PrimaryClusterId, you can use only the following additional
parameters:
• AutomaticFailoverEnabled
• NodeGroupConfiguration
• NumCacheClusters
• NumNodeGroups
• PreferredCacheClusterAZs
• ReplicationGroupDescription
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
AutoMinorVersionUpgrade
Currently, this property isn't used by ElastiCache.
Required: No
API Version 2010-05-15
1030

AWS CloudFormation User Guide
AWS::ElastiCache::ReplicationGroup

Type: Boolean
Update requires: No interruption (p. 118)
CacheNodeType
The compute and memory capacity of nodes in the node group. For valid values, see
CreateReplicationGroup in the Amazon ElastiCache API Reference Guide.
Required: No
Type: String
Update requires: No interruption (p. 118)
CacheParameterGroupName
The name of the parameter group to associate with this replication group. For valid and default
values, see CreateReplicationGroup in the Amazon ElastiCache API Reference Guide.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
CacheSecurityGroupNames
A list of cache security group names to associate with this replication group.

Important

If you specify the CacheSecurityGroupNames property, don't also specify the
SecurityGroupIds property.
The SecurityGroupIds property is only for Amazon Virtual Private Cloud (Amazon VPC)
security groups. If you specify an Amazon VPC security group, the deployment fails.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
CacheSubnetGroupName
The name of a cache subnet group to use for this replication group.
Required: No
Type: String
Update requires: Replacement (p. 119)
Engine
The name of the cache engine to use for the cache clusters in this replication group. Currently, you
can specify only redis.
Required: No
Type: String
Update requires: No interruption (p. 118)
EngineVersion
The version number of the cache engine to use for the cache clusters in this replication group.
API Version 2010-05-15
1031

AWS CloudFormation User Guide
AWS::ElastiCache::ReplicationGroup

Required: No
Type: String
Update requires: No interruption (p. 118)
NodeGroupConfiguration
Conﬁguration options for the node group (shard).

Important

If you specify the PrimaryClusterId, you can use only the following additional
parameters:
• AutomaticFailoverEnabled
• NodeGroupConfiguration
• NumCacheClusters
• NumNodeGroups
• PreferredCacheClusterAZs
• ReplicationGroupDescription
Required: No
Type: List of Amazon ElastiCache ReplicationGroup NodeGroupConﬁguration (p. 1905)
Update requires: Replacement (p. 119)
NotificationTopicArn
The Amazon Resource Name (ARN) of the Amazon Simple Notiﬁcation Service topic to which
notiﬁcations are sent.
Required: No
Type: String
Update requires: No interruption (p. 118)
NumCacheClusters
The number of cache clusters for this replication group. If automatic failover is enabled, you
must specify a value greater than 1. For valid values, see CreateReplicationGroup in the Amazon
ElastiCache API Reference Guide.
If you specify more than one node group (shard), this property is ignored. Use the
ReplicasPerNodeGroup property instead.

Important

If you specify the PrimaryClusterId, you can use only the following additional
parameters:
• AutomaticFailoverEnabled
• NodeGroupConfiguration
• NumCacheClusters
• NumNodeGroups
• PreferredCacheClusterAZs
• ReplicationGroupDescription
Required: No
Type: Integer
API Version 2010-05-15
1032

AWS CloudFormation User Guide
AWS::ElastiCache::ReplicationGroup

Update requires: No interruption (p. 118)
NumNodeGroups
The number of node groups (shards) for this Redis (clustered mode enabled) replication group. For
Redis (clustered mode disabled), either omit this property or set it to 1.

Important

If you specify the PrimaryClusterId, you can use only the following additional
parameters:
• AutomaticFailoverEnabled
• NodeGroupConfiguration
• NumCacheClusters
• NumNodeGroups
• PreferredCacheClusterAZs
• ReplicationGroupDescription
Required: No
Type: Integer
Update requires: Replacement (p. 119)
Port
The port number on which each member of the replication group accepts connections.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
PreferredCacheClusterAZs
A list of Availability Zones in which the cache clusters in this replication group are created.

Important

If you specify the PrimaryClusterId, you can use only the following additional
parameters:
• AutomaticFailoverEnabled
• NodeGroupConfiguration
• NumCacheClusters
• NumNodeGroups
• PreferredCacheClusterAZs
• ReplicationGroupDescription
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
PreferredMaintenanceWindow
The weekly time range during which system maintenance can occur. Use the following format to
specify a time range: ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). For example, you can specify
sun:22:00-sun:23:30 for Sunday from 10 PM to 11:30 PM.
Required: No
API Version 2010-05-15
1033

AWS CloudFormation User Guide
AWS::ElastiCache::ReplicationGroup

Type: String
Update requires: No interruption (p. 118)
PrimaryClusterId
The cache cluster that ElastiCache uses as the primary cluster for the replication group. The cache
cluster must have a status of available.

Important

If you specify the PrimaryClusterId, you can use only the following additional
parameters:
• AutomaticFailoverEnabled
• NodeGroupConfiguration
• NumCacheClusters
• NumNodeGroups
• PreferredCacheClusterAZs
• ReplicationGroupDescription
Required: Conditional. This property is optional if you specify the NumCacheClusters,
NumNodeGroups, or ReplicasPerNodeGroup properties.
Type: String
Update requires: No interruption (p. 118)
ReplicasPerNodeGroup
The number of replica nodes in each node group (shard). For valid values, see
CreateReplicationGroup in the Amazon ElastiCache API Reference Guide.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
ReplicationGroupDescription
A description of the replication group.

Important

If you specify the PrimaryClusterId, you can use only the following additional
parameters:
• AutomaticFailoverEnabled
• NodeGroupConfiguration
•
•
•
•

NumCacheClusters
NumNodeGroups
PreferredCacheClusterAZs
ReplicationGroupDescription

Required: Yes
Type: String
Update requires: No interruption (p. 118)
ReplicationGroupId
An ID for the replication group. If you don't specify an ID, AWS CloudFormation generates a unique
physical ID. For more information, see Name Type (p. 2085).
API Version 2010-05-15
1034

AWS CloudFormation User Guide
AWS::ElastiCache::ReplicationGroup

Required: No
Type: String
Update requires: Replacement (p. 119)
SecurityGroupIds
A list of Amazon Virtual Private Cloud (Amazon VPC) security groups to associate with this
replication group.

Important

If you specify the SecurityGroupIds property, don't also specify the
CacheSecurityGroupNames property.
The CacheSecurityGroupNames property is only for EC2-Classic security groups. If you
specify an EC2-Classic security group, the deployment fails.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SnapshotArns
A single-element string list that speciﬁes an ARN of a Redis .rdb snapshot ﬁle that is stored
in Amazon Simple Storage Service (Amazon S3). The snapshot ﬁle populates the node group.
The Amazon S3 object name in the ARN cannot contain commas. For example, you can specify
arn:aws:s3:::my_bucket/snapshot1.rdb.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
SnapshotName
The name of a snapshot from which to restore data into the replication group.
Required: No
Type: String
Update requires: Replacement (p. 119)
SnapshotRetentionLimit
The number of days that ElastiCache retains automatic snapshots before deleting them.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
SnapshottingClusterId
The ID of the cache cluster that ElastiCache uses as the daily snapshot source for the replication
group.
Required: No
Type: String
API Version 2010-05-15
1035

AWS CloudFormation User Guide
AWS::ElastiCache::ReplicationGroup

Update requires: No interruption (p. 118)
SnapshotWindow
The time range (in UTC) when ElastiCache takes a daily snapshot of the node group that you
speciﬁed in the SnapshottingClusterId property. For example, you can specify 05:00-09:00.
Required: No
Type: String
Update requires: No interruption (p. 118)
Tags
An arbitrary set of tags (key–value pairs) for this replication group.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
TransitEncryptionEnabled
Indicates whether to enable in-transit encryption. The default value is false. For more information
about how you can use this property, see CreateReplicationGroup in the Amazon ElastiCache API
Reference.
If you enable TransitEncryptionEnabled, then you must also specify CacheSubnetGroupName.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
In the following example, the Ref function returns the name of the myReplicationGroup replication
group, such as abc12xmy3d1w3hv6.
{ "Ref": "myReplicationGroup" }

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
ConfigurationEndPoint.Address
The DNS hostname of the cache node.
API Version 2010-05-15
1036

AWS CloudFormation User Guide
AWS::ElastiCache::ReplicationGroup

Note

Redis (cluster mode disabled) replication groups don't have this attribute. Therefore,
Fn::GetAtt returns a value for this attribute only if the replication group is clustered.
Otherwise, Fn::GetAtt fails.
ConfigurationEndPoint.Port
The port number that the cache engine is listening on.
PrimaryEndPoint.Address
The DNS address of the primary read-write cache node.
PrimaryEndPoint.Port
The number of the port that the primary read-write cache engine is listening on.
ReadEndPoint.Addresses
A string with a list of endpoints for the read-only replicas. The order of the addresses maps to the
order of the ports from the ReadEndPoint.Ports attribute.
ReadEndPoint.Ports
A string with a list of ports for the read-only replicas. The order of the ports maps to the order of the
addresses from the ReadEndPoint.Addresses attribute.
ReadEndPoint.Addresses.List
A list of endpoints for the read-only replicas. The order of the addresses maps to the order of the
ports from the ReadEndPoint.Ports.List attribute.
ReadEndPoint.Ports.List
A list of ports for the read-only replicas. The order of the ports maps to the order of the addresses
from the ReadEndPoint.Addresses.List attribute.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Declare a Replication Group with Two Nodes
The following example declares a replication group with two nodes and automatic failover enabled.

JSON
"myReplicationGroup" : {
"Type": "AWS::ElastiCache::ReplicationGroup",
"Properties": {
"ReplicationGroupDescription" : "my description",
"NumCacheClusters" : "2",
"Engine" : "redis",
"CacheNodeType" : "cache.m3.medium",
"AutoMinorVersionUpgrade" : "true",
"AutomaticFailoverEnabled" : "true",
"CacheSubnetGroupName" : "subnetgroup",
"EngineVersion" : "2.8.6",
"PreferredMaintenanceWindow" : "wed:09:25-wed:22:30",
"SnapshotRetentionLimit" : "4",
"SnapshotWindow" : "03:30-05:30"
}
}

API Version 2010-05-15
1037

AWS CloudFormation User Guide
AWS::ElastiCache::ReplicationGroup

YAML
myReplicationGroup:
Type: AWS::ElastiCache::ReplicationGroup
Properties:
ReplicationGroupDescription: "my description"
NumCacheClusters: "2"
Engine: "redis"
CacheNodeType: "cache.m3.medium"
AutoMinorVersionUpgrade: "true"
AutomaticFailoverEnabled: "true"
CacheSubnetGroupName: "subnetgroup"
EngineVersion: "2.8.6"
PreferredMaintenanceWindow: "wed:09:25-wed:22:30"
SnapshotRetentionLimit: "4"
SnapshotWindow: "03:30-05:30"

Declare a Replication Group with Two Node Groups
The following example declares a replication group with two nodes groups (shards) with three replicas in
each group.

JSON
"BasicReplicationGroup" : {
"Type" : "AWS::ElastiCache::ReplicationGroup",
"Properties" : {
"AutomaticFailoverEnabled" : true,
"AutoMinorVersionUpgrade" : true,
"CacheNodeType" : "cache.r3.large",
"CacheSubnetGroupName" : { "Ref" : "CacheSubnetGroup" },
"Engine" : "redis",
"EngineVersion" : "3.2",
"NumNodeGroups" : "2",
"ReplicasPerNodeGroup" : "3",
"Port" : 6379,
"PreferredMaintenanceWindow" : "sun:05:00-sun:09:00",
"ReplicationGroupDescription" : "A sample replication group",
"SecurityGroupIds" : [
{ "Ref" : "ReplicationGroupSG" }
],
"SnapshotRetentionLimit" : 5,
"SnapshotWindow" : "10:00-12:00"
}
}

YAML
BasicReplicationGroup:
Type: AWS::ElastiCache::ReplicationGroup
Properties:
AutomaticFailoverEnabled: true
AutoMinorVersionUpgrade: true
CacheNodeType: cache.r3.large
CacheSubnetGroupName:
Ref: CacheSubnetGroup
Engine: redis
EngineVersion: '3.2'
NumNodeGroups: '2'
ReplicasPerNodeGroup: '3'
Port: 6379
PreferredMaintenanceWindow: sun:05:00-sun:09:00

API Version 2010-05-15
1038

AWS CloudFormation User Guide
AWS::ElastiCache::SecurityGroup
ReplicationGroupDescription: A sample replication group
SecurityGroupIds:
- Ref: ReplicationGroupSG
SnapshotRetentionLimit: 5
SnapshotWindow: 10:00-12:00

See Also
• CreateReplicationGroup in the Amazon ElastiCache API Reference

AWS::ElastiCache::SecurityGroup
The AWS::ElastiCache::SecurityGroup resource creates a cache security group. For more
information about cache security groups, go to Cache Security Groups in the Amazon ElastiCache User
Guide or go to CreateCacheSecurityGroup in the Amazon ElastiCache API Reference Guide.
To create an ElastiCache cluster in a VPC, use the AWS::EC2::SecurityGroup (p. 917) resource. For more
information, see the VpcSecurityGroupIds property in the AWS::ElastiCache::CacheCluster (p. 1018)
resource.
Topics
• Syntax (p. 1039)
• Properties (p. 1039)
• Return Values (p. 1040)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ElastiCache::SecurityGroup",
"Properties" :
{
"Description" : String
}

YAML
Type: AWS::ElastiCache::SecurityGroup
Properties:
Description: String

Properties
Description
A description for the cache security group.
Type: String
Required: No
API Version 2010-05-15
1039

AWS CloudFormation User Guide
AWS::ElastiCache::SecurityGroupIngress

Update requires: Updates are not supported.

Return Values
Ref
When you specify the AWS::ElastiCache::SecurityGroup resource as an argument to the Ref
function, AWS CloudFormation returns the CacheSecurityGroupName property of the cache security
group.
For more information about using the Ref function, see Ref (p. 2311).

AWS::ElastiCache::SecurityGroupIngress
The AWS::ElastiCache::SecurityGroupIngress type authorizes ingress to a cache security group from hosts
in speciﬁed Amazon EC2 security groups. For more information about ElastiCache security group ingress,
go to AuthorizeCacheSecurityGroupIngress in the Amazon ElastiCache API Reference Guide.
Topics
• Syntax (p. 1040)
• Properties (p. 1040)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ElastiCache::SecurityGroupIngress",
"Properties" :
{
"CacheSecurityGroupName" : String,
"EC2SecurityGroupName" : String,
"EC2SecurityGroupOwnerId" : String
}

YAML
Type: AWS::ElastiCache::SecurityGroupIngress
Properties:
CacheSecurityGroupName: String
EC2SecurityGroupName: String
EC2SecurityGroupOwnerId: String

Properties
CacheSecurityGroupName
The name of the Cache Security Group to authorize.
Type: String
Required: Yes
API Version 2010-05-15
1040

AWS CloudFormation User Guide
AWS::ElastiCache::SubnetGroup

Update requires: Updates are not supported.
EC2SecurityGroupName
Name of the EC2 Security Group to include in the authorization.
Type: String
Required: Yes
Update requires: Updates are not supported.
EC2SecurityGroupOwnerId
Speciﬁes the AWS Account ID of the owner of the EC2 security group speciﬁed in the
EC2SecurityGroupName property. The AWS access key ID is not an acceptable value.
Type: String
Required: No
Update requires: Updates are not supported.

AWS::ElastiCache::SubnetGroup
Creates a cache subnet group. For more information about cache subnet groups, go to Cache Subnet
Groups in the Amazon ElastiCache User Guide or go to CreateCacheSubnetGroup in the Amazon
ElastiCache API Reference Guide.
Topics
• Syntax (p. 1041)
• Properties (p. 1042)
• Return Value (p. 1042)
• Example (p. 1042)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ElastiCache::SubnetGroup",
"Properties" : {
"CacheSubnetGroupName" : String,
"Description (p. 1042)" : String,
"SubnetIds (p. 1042)" : [ String, ... ]
}

YAML
Type: AWS::ElastiCache::SubnetGroup
Properties:
CacheSubnetGroupName: String
Description (p. 1042): String
SubnetIds (p. 1042):

API Version 2010-05-15
1041

AWS CloudFormation User Guide
AWS::ElastiCache::SubnetGroup
- String

Properties
CacheSubnetGroupName
A name for the cache subnet group. If you don't specify a name, AWS CloudFormation generates a
unique physical ID. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
Description
The description for the cache subnet group.
Type: String
Required: Yes
Update requires: No interruption (p. 118)
SubnetIds
The Amazon EC2 subnet IDs for the cache subnet group.
Type: String list
Required: Yes
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
"SubnetGroup" : {
"Type" : "AWS::ElastiCache::SubnetGroup",
"Properties" : {
"Description" : "Cache Subnet Group",
"SubnetIds" : [ { "Ref" : "Subnet1" }, { "Ref" : "Subnet2" } ]
}
}

API Version 2010-05-15
1042

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Application

YAML
SubnetGroup:
Type: AWS::ElastiCache::SubnetGroup
Properties:
Description: "Cache Subnet Group"
SubnetIds:
- Ref: "Subnet1"
- Ref: "Subnet2"

AWS::ElasticBeanstalk::Application
Creates an Elastic Beanstalk application.
Topics
• Syntax (p. 1043)
• Properties (p. 1043)
• Return Values (p. 1044)
• Example (p. 1044)
• See Also (p. 1045)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ElasticBeanstalk::Application",
"Properties" : {
"ApplicationName" : String,
"Description" : String,
"ResourceLifecycleConfig" : ApplicationResourceLifecycleConfig (p. 1896)
}

YAML
Type: AWS::ElasticBeanstalk::Application
Properties:
ApplicationName: String
Description: String
ResourceLifecycleConfig:
ApplicationResourceLifecycleConfig (p. 1896)

Properties
ApplicationName
A name for the Elastic Beanstalk application. If you don't specify a name, AWS CloudFormation
generates a unique physical ID and uses that ID for the application name. For more information, see
Name Type (p. 2085).
API Version 2010-05-15
1043

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Application

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
Description
An optional description of this application.
Required: No
Type: String
Update requires: No interruption (p. 118)
ResourceLifecycleConfig
Deﬁnes lifecycle settings for resources that belong to the application, and the service role that
Elastic Beanstalk assumes in order to apply lifecycle settings.
Required: No
Type: Elastic Beanstalk Application ApplicationResourceLifecycleConﬁg (p. 1896)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"Type" : "AWS::ElasticBeanstalk::Application",
"Properties" : {
"ApplicationName" : "SampleAWSElasticBeanstalkApplication",
"Description" : "AWS Elastic Beanstalk PHP Sample Application"
}

YAML
Type: AWS::ElasticBeanstalk::Application
Properties:
ApplicationName: "SampleAWSElasticBeanstalkApplication"
Description: "AWS Elastic Beanstalk PHP Sample Application"

API Version 2010-05-15
1044

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::ApplicationVersion

See Also
• For a complete Elastic Beanstalk sample template, see Elastic Beanstalk Template Snippets (p. 384).

AWS::ElasticBeanstalk::ApplicationVersion
Creates an application version, an iteration of deployable code, for an Elastic Beanstalk application.
Topics
• Syntax (p. 1045)
• Members (p. 1045)
• Return Values (p. 1046)
• Example (p. 1046)
• See Also (p. 1047)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ElasticBeanstalk::ApplicationVersion",
"Properties" : {
"ApplicationName" : String,
"Description" : String,
"SourceBundle" : { SourceBundle }
}

YAML
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
ApplicationName: String
Description: String
SourceBundle:
SourceBundle

Members
ApplicationName
Name of the Elastic Beanstalk application that is associated with this application version.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Description
A description of this application version.
API Version 2010-05-15
1045

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::ApplicationVersion

Required: No
Type: String
Update requires: Some interruptions (p. 119)
SourceBundle
The location of the source bundle for this version.
Required: Yes
Type: Source Bundle (p. 1904)
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
"myAppVersion" :{
"Type" : "AWS::ElasticBeanstalk::ApplicationVersion",
"Properties" : {
"ApplicationName" : {"Ref" : "myApp"},
"Description" : "my sample version",
"SourceBundle" : {
"S3Bucket" : { "Fn::Join" :
["-", [ "elasticbeanstalk-samples", { "Ref" : "AWS::Region" } ] ] },
"S3Key" : "php-newsample-app.zip"
}
}
}

YAML
myAppVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
ApplicationName:
Ref: "myApp"
Description: "my sample version"
SourceBundle:
S3Bucket:
Fn::Join:
- "-"
- "elasticbeanstalk-samples"
- Ref: "AWS::Region"
S3Key: "php-newsample-app.zip"

API Version 2010-05-15
1046

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::ConﬁgurationTemplate

See Also
• For a complete Elastic Beanstalk sample template, see Elastic Beanstalk Template Snippets (p. 384).

AWS::ElasticBeanstalk::ConﬁgurationTemplate
Creates a conﬁguration template for an Elastic Beanstalk application. You can use conﬁguration
templates to deploy diﬀerent versions of an application by using the conﬁguration settings that you
deﬁne in the conﬁguration template.
Topics
• Syntax (p. 1047)
• Properties (p. 1047)
• Return Values (p. 1049)
• Example (p. 1049)
• See Also (p. 1050)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Properties" : {
"ApplicationName" : String,
"Description" : String,
"EnvironmentId" : String,
"OptionSettings" : [ ConfigurationOptionSetting (p. 1900), ... ],
"PlatformArn" : String,
"SolutionStackName" : String,
"SourceConfiguration" : SourceConfiguration (p. 1901)
}

YAML
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName: String
Description: String
EnvironmentId: String
OptionSettings:
- ConfigurationOptionSetting (p. 1900)
PlatformArn: String
SolutionStackName: String
SourceConfiguration:
SourceConfiguration (p. 1901)

Properties
For more information, see CreateConﬁgurationTemplate in the AWS Elastic Beanstalk API Reference.
API Version 2010-05-15
1047

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::ConﬁgurationTemplate

ApplicationName
Name of the Elastic Beanstalk application that is associated with this conﬁguration template.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Description
An optional description for this conﬁguration.
Type: String
Required: No
Update requires: Some interruptions (p. 119)
EnvironmentId
An environment whose settings you want to use to create the conﬁguration template. You must
specify this property if you don't specify the SolutionStackName or SourceConfiguration
properties.
Type: String
Required: Conditional
Update requires: Replacement (p. 119)
OptionSettings
The options for the Elastic Beanstalk conﬁguration, such as the instance type. For a complete list of
Elastic Beanstalk conﬁguration options, see Option Values, in the AWS Elastic Beanstalk Developer
Guide.
Type: List of Elastic Beanstalk ConﬁgurationTemplate ConﬁgurationOptionSetting (p. 1900)
Required: No
Update requires: Some interruptions (p. 119)
PlatformArn
The Amazon Resource Name (ARN) of the custom platform. For more information, see Custom
Platforms in the AWS Elastic Beanstalk Developer Guide.

Note

If you specify PlatformArn, then don't specify SolutionStackName.
Required: No
Type: String
Update requires: Replacement (p. 119)
SolutionStackName
The name of an Elastic Beanstalk solution stack that this conﬁguration will use. A solution stack
speciﬁes the operating system, architecture, and application server for a conﬁguration template,
such as 64bit Amazon Linux 2013.09 running Tomcat 7 Java 7. For more information,
see Supported Platforms in the AWS Elastic Beanstalk Developer Guide.
API Version 2010-05-15
1048

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::ConﬁgurationTemplate

You must specify this property if you don't specify the PlatformArn, EnvironmentId, or
SourceConfiguration properties.
Type: String
Required: Conditional
Update requires: Replacement (p. 119)
SourceConfiguration
A conﬁguration template that is associated with another Elastic Beanstalk application. If you
specify the SolutionStackName property and the SourceConfiguration property, the
solution stack in the source conﬁguration template must match the value that you speciﬁed for the
SolutionStackName property.
You must specify this property if you don't specify the EnvironmentId or SolutionStackName
properties.
Type: Elastic Beanstalk ConﬁgurationTemplate SourceConﬁguration (p. 1901)
Required: Conditional
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
This example of an ElasticBeanstalk ConfigurationTemplate is found in the AWS CloudFormation
sample template ElasticBeanstalkSample.template, which also provides an example of its use within an
AWS::ElasticBeanstalk::Application.

JSON
"myConfigTemplate" : {
"Type" : "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Properties" : {
"ApplicationName" :{"Ref" : "myApp"},
"Description" : "my sample configuration template",
"EnvironmentId" : "",
"SourceConfiguration" : {
"ApplicationName" : {"Ref" : "mySecondApp"},
"TemplateName" : {"Ref" : "mySourceTemplate"}
},
"SolutionStackName" : "64bit Amazon Linux running PHP 5.3",
"OptionSettings" : [ {
"Namespace" : "aws:autoscaling:launchconfiguration",
"OptionName" : "EC2KeyName",
"Value" : { "Ref" : "KeyName" }
} ]
}

API Version 2010-05-15
1049

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment
}

YAML
myConfigTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: "myApp"
Description: "my sample configuration template"
EnvironmentId: ""
SourceConfiguration:
ApplicationName:
Ref: "mySecondApp"
TemplateName:
Ref: "mySourceTemplate"
SolutionStackName: "64bit Amazon Linux running PHP 5.3"
OptionSettings:
Namespace: "aws:autoscaling:launchconfiguration"
OptionName: "EC2KeyName"
Value:
Ref: "KeyName"

See Also
• AWS::ElasticBeanstalk::Application (p. 1043)
• Option Values in the AWS Elastic Beanstalk Developer Guide
• For a complete Elastic Beanstalk sample template, see Elastic Beanstalk Template Snippets (p. 384).

AWS::ElasticBeanstalk::Environment
Creates or updates an AWS Elastic Beanstalk environment.
Topics
• Syntax (p. 1050)
• Properties (p. 1051)
• Return Values (p. 1053)
• Examples (p. 1054)
• See Also (p. 1063)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ElasticBeanstalk::Environment",
"Properties" : {
"ApplicationName (p. 1051)" : String,
"CNAMEPrefix (p. 1051)" : String,
"Description (p. 1051)" : String,
"EnvironmentName" : String,

API Version 2010-05-15
1050

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment

}

}

"OptionSettings (p. 1052)" : [ OptionSetting, ... ],
"PlatformArn" : String,
"SolutionStackName (p. 1052)" : String,
"Tags" : [ Resource Tag, ... ],
"TemplateName (p. 1053)" : String,
"Tier" : Environment Tier,
"VersionLabel (p. 1053)" : String

YAML
Type: AWS::ElasticBeanstalk::Environment
Properties:
ApplicationName (p. 1051): String
CNAMEPrefix (p. 1051): String
Description (p. 1051): String
EnvironmentName: String
OptionSettings (p. 1052):
- OptionSetting
PlatformArn: String
SolutionStackName (p. 1052): String
Tags:
- Resource Tag, ...
TemplateName (p. 1053): String
Tier:
Environment Tier
VersionLabel (p. 1053): String

Properties
For more information, see CreateEnvironment in the AWS Elastic Beanstalk API Reference.
ApplicationName
The name of the application that is associated with this environment.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
CNAMEPrefix
A preﬁx for your Elastic Beanstalk environment URL.
Required: No
Type: String
Update requires: Replacement (p. 119)
Description
A description that helps you identify this environment.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1051

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment

EnvironmentName
A name for the Elastic Beanstalk environment. If you don't specify a name, AWS CloudFormation
generates a unique physical ID and uses that ID for the environment name. For more information,
see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
OptionSettings
Key-value pairs deﬁning conﬁguration options for this environment, such as the instance type.
These options override the values that are deﬁned in the solution stack or the conﬁguration
template (p. 1047). If you remove any options during a stack update, the removed options revert to
default values.
Required: Yes. The IamInstanceProfile and ServiceRole options are required.
Type: List of Elastic Beanstalk Environment OptionSetting (p. 1903)
Update requires: Some interruptions (p. 119)
PlatformArn
The Amazon Resource Name (ARN) of the custom platform to use with the environment. For more
information, see Custom Platforms in the AWS Elastic Beanstalk Developer Guide.

Note

If you specify PlatformArn, then don't specify SolutionStackName.
Required: No
Type: String
Update requires: No interruption (p. 118)
Example: "PlatformArn": "arn:aws:elasticbeanstalk:us-east-1::platform/PHP 5.4
running on 64bit Amazon Linux/2.4.4"
SolutionStackName
The name of an Elastic Beanstalk solution stack that this conﬁguration will use. For more
information, see Supported Platforms in the AWS Elastic Beanstalk Developer Guide.

Note

If you specify SolutionStackName, then don't specify PlatformArn or TemplateName.
Required: No
Type: String
Update requires: Replacement (p. 119)
Tags
An arbitrary set of tags (key–value pairs) for this environment.
API Version 2010-05-15
1052

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment

Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: You can update tags only if you update another property that requires that the
environment be replaced, such as the ApplicationName property.
TemplateName
The name of the Elastic Beanstalk conﬁguration template to use with the environment.

Note

If you specify TemplateName, then don't specify SolutionStackName.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
Tier
Speciﬁes the tier to use in creating this environment. The environment tier that you choose
determines whether Elastic Beanstalk provisions resources to support a web application that handles
HTTP(S) requests or a web application that handles background-processing tasks.
Required: No
Type: Elastic Beanstalk Environment Tier Property Type (p. 1902)
Update requires: See Elastic Beanstalk Environment Tier Property Type (p. 1902)
VersionLabel
The version to associate with the environment.
Required: No
Type: String
Update requires: Some interruptions (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
EndpointURL
For load-balanced, autoscaling environments, the URL to the load balancer. For single-instance
environments, the IP address of the instance.
Example load balancer URL:
API Version 2010-05-15
1053

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment

awseb-myst-myen-132MQC4KRLAMD-1371280482.us-east-2.elb.amazonaws.com
Example instance IP address:
192.0.2.0
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Simple Environment
JSON
{

}

"Type" : "AWS::ElasticBeanstalk::Environment",
"Properties" : {
"ApplicationName" : { "Ref" : "sampleApplication" },
"Description" : "AWS Elastic Beanstalk Environment running PHP Sample Application",
"EnvironmentName" : "SamplePHPEnvironment",
"TemplateName" : "DefaultConfiguration",
"VersionLabel" : "Initial Version"
}

YAML
Type: AWS::ElasticBeanstalk::Environment
Properties:
ApplicationName:
Ref: sampleApplication
Description: "AWS Elastic Beanstalk Environment running PHP Sample Application"
EnvironmentName: SamplePHPEnvironment
TemplateName: DefaultConfiguration
VersionLabel: "Initial Version"

Environment with Embedded Option Settings
JSON
{

"Type" : "AWS::ElasticBeanstalk::Environment",
"Properties" : {
"ApplicationName" : { "Ref" : "sampleApplication" },
"Description" : "AWS Elastic Beanstalk Environment running Python Sample
Application",
"EnvironmentName" : "SamplePythonEnvironment",
"SolutionStackName" : "64bit Amazon Linux 2017.03 v2.5.0 running Python 2.7",
"OptionSettings" : [ {
"Namespace" : "aws:autoscaling:launchconfiguration",
"OptionName" : "EC2KeyName",
"Value" : { "Ref" : "KeyName" }
} ],
"VersionLabel" : "Initial Version"
}

}

API Version 2010-05-15
1054

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment

YAML
Type: AWS::ElasticBeanstalk::Environment
Properties:
ApplicationName:
Ref: sampleApplication
Description: "AWS Elastic Beanstalk Environment running Python Sample Application"
EnvironmentName: SamplePythonEnvironment
SolutionStackName: "64bit Amazon Linux 2017.03 v2.5.0 running Python 2.7"
OptionSettings:
Namespace: "aws:autoscaling:launchconfiguration"
OptionName: EC2KeyName
Value:
Ref: KeyName
VersionLabel: "Initial Version"

Custom or Supported Platform
The following example contains parameters that enable specifying PlatformArn for a custom platform
or SolutionStackName for a supported platform when creating the stack.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Elasticbeanstalk test template",
"Parameters": {
"BeanstalkService": {
"Type": "String"
},
"Ec2Service": {
"Type": "String"
},
"Partition":{
"Type": "String"
},
"SolutionStackName": {
"Type": "String"
},
"PlatformArn": {
"Type": "String"
}
},
"Resources": {
"Application": {
"Properties": {
"ApplicationVersions": [
{
"Description": "Version 1.0",
"SourceBundle": {
"S3Bucket": {
"Fn::Join": ["", ["elasticbeanstalk-samples-", {"Ref": "AWS::Region"}]]
},
"S3Key": "python-sample-20150402.zip"
},
"VersionLabel": "Initial Version"
}
],
"Description": "AWS Elastic Beanstalk Python Sample Application"
},
"Type": "AWS::ElasticBeanstalk::Application"
},

API Version 2010-05-15
1055

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment
"Environment": {
"Properties": {
"ApplicationName": {
"Ref": "Application"
},
"Description": "AWS Elastic Beanstalk Environment running Python Sample
Application",
"PlatformArn": { "Ref" : "PlatformArn"},
"SolutionStackName": {
"Ref": "SolutionStackName"
},
"VersionLabel": "Initial Version",
"OptionSettings": [
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "IamInstanceProfile",
"Value": {
"Ref": "InstanceProfile"
}
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "ServiceRole",
"Value": {
"Ref": "ServiceRole"
}
}
]
},
"Type": "AWS::ElasticBeanstalk::Environment"
},
"ServiceRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": {"Ref": "BeanstalkService"}
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "elasticbeanstalk"
}
}
}
]
},
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeInstanceHealth",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:GetConsoleOutput",
"ec2:AssociateAddress",

API Version 2010-05-15
1056

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment
"ec2:DescribeAddresses",
"ec2:DescribeSecurityGroups",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeScalingActivities",
"autoscaling:DescribeNotificationConfigurations"

}

}

]

}

],
"Resource": [
"*"
]

],
"Path": "/"

}
},
"InstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "InstanceProfileRole"
}
]
}
},
"InstanceProfileRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
{"Ref": "Ec2Service"}
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BucketAccess",
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
{

API Version 2010-05-15
1057

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "Partition"
},
":s3:::elasticbeanstalk-*-",
{
"Ref": "AWS::AccountId"
}
]
]

},
{

"Fn::Join": [
"",
[
"arn:",
{
"Ref": "Partition"
},
":s3:::elasticbeanstalk-*-",
{
"Ref": "AWS::AccountId"
},
"/*"
]
]

},
{

"Fn::Join": [
"",
[
"arn:",
{
"Ref": "Partition"
},
":s3:::elasticbeanstalk-*-",
{
"Ref": "AWS::AccountId"
},
"-*"
]
]

},
{

]

}

"Fn::Join": [
"",
[
"arn:",
{
"Ref": "Partition"
},
":s3:::elasticbeanstalk-*-",
{
"Ref": "AWS::AccountId"
},
"-*/*"
]
]

},
{

"Sid": "ECSAccess",

API Version 2010-05-15
1058

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment
"Effect": "Allow",
"Action": [
"ecs:StartTask",
"ecs:StopTask",
"ecs:RegisterContainerInstance",
"ecs:DeregisterContainerInstance",
"ecs:DescribeContainerInstances",
"ecs:DiscoverPollEndpoint",
"ecs:Submit*",
"ecs:Poll"
],
"Resource": "*"

},
{

"Sid": "QueueAccess",
"Action": [
"sqs:ChangeMessageVisibility",
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Effect": "Allow",
"Resource": "*"

},
{

"Sid": "DynamoPeriodicTasks",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "Partition"
},
":dynamodb:*:",
{
"Ref": "AWS::AccountId"
},
":table/*-stack-AWSEBWorkerCronLeaderRegistry*"
]
]
}
]

},
{

}

]

}

"Sid": "MetricsAccess",
"Action": [
"cloudwatch:PutMetricData"
],
"Effect": "Allow",
"Resource": "*"

API Version 2010-05-15
1059

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment

}

}

}

}

}
],
"Path": "/"

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: Elasticbeanstalk test template
Parameters:
BeanstalkService:
Type: String
Ec2Service:
Type: String
Partition:
Type: String
SolutionStackName:
Type: String
PlatformArn:
Type: String
Resources:
Application:
Properties:
ApplicationVersions:
- Description: Version 1.0
SourceBundle:
S3Bucket: !Join
- ''
- - elasticbeanstalk-samples- !Ref 'AWS::Region'
S3Key: python-sample-20150402.zip
VersionLabel: Initial Version
Description: AWS Elastic Beanstalk Python Sample Application
Type: AWS::ElasticBeanstalk::Application
Environment:
Properties:
ApplicationName: !Ref Application
Description: AWS Elastic Beanstalk Environment running Python Sample Application
PlatformArn: !Ref PlatformArn
SolutionStackName: !Ref SolutionStackName
VersionLabel: Initial Version
OptionSettings:
- Namespace: 'aws:autoscaling:launchconfiguration'
OptionName: IamInstanceProfile
Value: !Ref InstanceProfile
- Namespace: 'aws:elasticbeanstalk:environment'
OptionName: ServiceRole
Value: !Ref ServiceRole
Type: AWS::ElasticBeanstalk::Environment
ServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: !Ref BeanstalkService
Action: 'sts:AssumeRole'
Condition:

API Version 2010-05-15
1060

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment
StringEquals:
'sts:ExternalId': elasticbeanstalk
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'elasticloadbalancing:DescribeInstanceHealth'
- 'ec2:DescribeInstances'
- 'ec2:DescribeInstanceStatus'
- 'ec2:GetConsoleOutput'
- 'ec2:AssociateAddress'
- 'ec2:DescribeAddresses'
- 'ec2:DescribeSecurityGroups'
- 'sqs:GetQueueAttributes'
- 'sqs:GetQueueUrl'
- 'autoscaling:DescribeAutoScalingGroups'
- 'autoscaling:DescribeAutoScalingInstances'
- 'autoscaling:DescribeScalingActivities'
- 'autoscaling:DescribeNotificationConfigurations'
Resource:
- '*'
Path: /
InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref InstanceProfileRole
InstanceProfileRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- !Ref Ec2Service
Action:
- 'sts:AssumeRole'
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: BucketAccess
Action:
- 's3:Get*'
- 's3:List*'
- 's3:PutObject'
Effect: Allow
Resource:
- !Join
- ''
- - 'arn:'
- !Ref Partition
- ':s3:::elasticbeanstalk-*-'
- !Ref 'AWS::AccountId'
- !Join
- ''
- - 'arn:'
- !Ref Partition
- ':s3:::elasticbeanstalk-*-'

API Version 2010-05-15
1061

AWS CloudFormation User Guide
AWS::ElasticBeanstalk::Environment

-

-

-

-

Path: /

- !Ref 'AWS::AccountId'
- /*
- !Join
- ''
- - 'arn:'
- !Ref Partition
- ':s3:::elasticbeanstalk-*-'
- !Ref 'AWS::AccountId'
- '-*'
- !Join
- ''
- - 'arn:'
- !Ref Partition
- ':s3:::elasticbeanstalk-*-'
- !Ref 'AWS::AccountId'
- '-*/*'
Sid: ECSAccess
Effect: Allow
Action:
- 'ecs:StartTask'
- 'ecs:StopTask'
- 'ecs:RegisterContainerInstance'
- 'ecs:DeregisterContainerInstance'
- 'ecs:DescribeContainerInstances'
- 'ecs:DiscoverPollEndpoint'
- 'ecs:Submit*'
- 'ecs:Poll'
Resource: '*'
Sid: QueueAccess
Action:
- 'sqs:ChangeMessageVisibility'
- 'sqs:DeleteMessage'
- 'sqs:ReceiveMessage'
- 'sqs:SendMessage'
Effect: Allow
Resource: '*'
Sid: DynamoPeriodicTasks
Action:
- 'dynamodb:BatchGetItem'
- 'dynamodb:BatchWriteItem'
- 'dynamodb:DeleteItem'
- 'dynamodb:GetItem'
- 'dynamodb:PutItem'
- 'dynamodb:Query'
- 'dynamodb:Scan'
- 'dynamodb:UpdateItem'
Effect: Allow
Resource:
- !Join
- ''
- - 'arn:'
- !Ref Partition
- ':dynamodb:*:'
- !Ref 'AWS::AccountId'
- ':table/*-stack-AWSEBWorkerCronLeaderRegistry*'
Sid: MetricsAccess
Action:
- 'cloudwatch:PutMetricData'
Effect: Allow
Resource: '*'

API Version 2010-05-15
1062

AWS CloudFormation User Guide
AWS::ElasticLoadBalancing::LoadBalancer

See Also
• Launching New Environments in the AWS Elastic Beanstalk Developer Guide
• Managing Environments in the AWS Elastic Beanstalk Developer Guide
• For another complete Elastic Beanstalk sample template, see Elastic Beanstalk Template
Snippets (p. 384).

AWS::ElasticLoadBalancing::LoadBalancer
The AWS::ElasticLoadBalancing::LoadBalancer type creates a LoadBalancer.

Note

If this resource has a public IP address and is also in a VPC that is deﬁned in the same template,
you must use the DependsOn attribute to declare a dependency on the VPC-gateway
attachment. For more information, see DependsOn Attribute (p. 2250).
Topics
• Syntax (p. 1063)
• Properties (p. 1064)
• Return Values (p. 1067)
• Examples (p. 1068)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AccessLoggingPolicy" : AccessLoggingPolicy,
"AppCookieStickinessPolicy (p. 1064)" : [ AppCookieStickinessPolicy, ... ],
"AvailabilityZones (p. 1064)" : [ String, ... ],
"ConnectionDrainingPolicy" : ConnectionDrainingPolicy,
"ConnectionSettings" : ConnectionSettings,
"CrossZone" : Boolean,
"HealthCheck (p. 1065)" : HealthCheck,
"Instances (p. 1065)" : [ String, ... ],
"LBCookieStickinessPolicy (p. 1065)" : [ LBCookieStickinessPolicy, ... ],
"Listeners (p. 1066)" : [ Listener, ... ],
"LoadBalancerName (p. 1066)" : String,
"Policies (p. 1066)" : [ ElasticLoadBalancing Policy, ... ],
"Scheme (p. 1066)" : String,
"SecurityGroups (p. 1067)" : [ Security Group, ... ],
"Subnets (p. 1067)" : [ String, ... ],
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: AWS::ElasticLoadBalancing::LoadBalancer

API Version 2010-05-15
1063

AWS CloudFormation User Guide
AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AccessLoggingPolicy:
AccessLoggingPolicy
AppCookieStickinessPolicy (p. 1064):
- AppCookieStickinessPolicy
AvailabilityZones (p. 1064):
- String
ConnectionDrainingPolicy:
ConnectionDrainingPolicy
ConnectionSettings:
ConnectionSettings
CrossZone: Boolean
HealthCheck (p. 1065):
HealthCheck
Instances (p. 1065):
- String
LBCookieStickinessPolicy (p. 1065):
- LBCookieStickinessPolicy
LoadBalancerName (p. 1066): String
Listeners (p. 1066):
- Listener
Policies (p. 1066):
- ElasticLoadBalancing Policy
Scheme (p. 1066): String,
SecurityGroups (p. 1067):
- Security Group
Subnets (p. 1067):
- String
Tags:
- Resource Tag

Properties
AccessLoggingPolicy
Captures detailed information for all requests made to your load balancer, such as the time a request
was received, client’s IP address, latencies, request path, and server responses.
Required: No
Type: Elastic Load Balancing AccessLoggingPolicy (p. 1906)
Update requires: No interruption (p. 118)
AppCookieStickinessPolicy
Generates one or more stickiness policies with sticky session lifetimes that follow that of an
application-generated cookie. These policies can be associated only with HTTP/HTTPS listeners.
Required: No
Type: A list of AppCookieStickinessPolicy (p. 1907) objects.
Update requires: No interruption (p. 118)
AvailabilityZones
The Availability Zones in which to create the load balancer. You can specify the
AvailabilityZones or Subnets property, but not both.

Note

For load balancers that are in a VPC, specify the Subnets property.
Required: No
API Version 2010-05-15
1064

AWS CloudFormation User Guide
AWS::ElasticLoadBalancing::LoadBalancer

Type: List of String values
Update requires: Replacement (p. 119) if you did not have an Availability Zone speciﬁed and
you are adding one or if you are removing all Availability Zones. Otherwise, update requires no
interruption (p. 118).
ConnectionDrainingPolicy
Whether deregistered or unhealthy instances can complete all in-ﬂight requests.
Required: No
Type: Elastic Load Balancing ConnectionDrainingPolicy (p. 1908)
Update requires: No interruption (p. 118)
ConnectionSettings
Speciﬁes how long front-end and back-end connections of your load balancer can remain idle.
Required: No
Type: Elastic Load Balancing ConnectionSettings (p. 1909)
Update requires: No interruption (p. 118)
CrossZone
Whether cross-zone load balancing is enabled for the load balancer. With cross-zone load balancing,
your load balancer nodes route traﬃc to the back-end instances across all Availability Zones. By
default the CrossZone property is false.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
HealthCheck
Application health check for the instances.
Required: No
Type: ElasticLoadBalancing LoadBalancer HealthCheck (p. 1910).
Update requires: Replacement (p. 119) if you did not have a health check speciﬁed and
you are adding one or if you are removing a health check. Otherwise, update requires no
interruption (p. 118).
Instances
A list of EC2 instance IDs for the load balancer.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
LBCookieStickinessPolicy
Generates a stickiness policy with sticky session lifetimes controlled by the lifetime of the browser
(user-agent), or by a speciﬁed expiration period. This policy can be associated only with HTTP/HTTPS
listeners.
API Version 2010-05-15
1065

AWS CloudFormation User Guide
AWS::ElasticLoadBalancing::LoadBalancer

Required: No
Type: A list of LBCookieStickinessPolicy (p. 1911) objects.
Update requires: No interruption (p. 118)
Listeners
One or more listeners for this load balancer. Each listener must be registered for a speciﬁc port, and
you cannot have more than one listener for a given port.

Important

If you update the property values for a listener speciﬁed by the Listeners property, AWS
CloudFormation will delete the existing listener and create a new one with the updated
properties. During the time that AWS CloudFormation is performing this action, clients will
not be able to connect to the load balancer.
Required: Yes
Type: A list of ElasticLoadBalancing Listener Property Type (p. 1912) objects.
Update requires: No interruption (p. 118)
LoadBalancerName
A name for the load balancer. For valid values, see the LoadBalancerName parameter for the
CreateLoadBalancer action in the Elastic Load Balancing API Reference version 2012-06-01.
If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for
the load balancer. The name must be unique within your set of load balancers. For more information,
see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
Policies
A list of elastic load balancing policies to apply to this elastic load balancer. Specify only back-end
server policies. For more information, see DescribeLoadBalancerPolicyTypes in the Elastic Load
Balancing API Reference version 2012-06-01.
Required: No
Type: A list of ElasticLoadBalancing policy (p. 1914) objects.
Update requires: No interruption (p. 118)
Scheme
For load balancers attached to an Amazon VPC, this parameter can be used to specify the type of
load balancer to use. Specify internal to create an internal load balancer with a DNS name that
resolves to private IP addresses or internet-facing to create a load balancer with a publicly
resolvable DNS name, which resolves to public IP addresses.

Note

If you specify internal, you must specify subnets to associate with the load balancer, not
Availability Zones.
API Version 2010-05-15
1066

AWS CloudFormation User Guide
AWS::ElasticLoadBalancing::LoadBalancer

Required: No
Type: String
Update requires: Replacement (p. 119)
SecurityGroups
Required: No
Type: A list of security groups assigned to your load balancer within your virtual private cloud (VPC).
Update requires: No interruption (p. 118)
Subnets
A list of subnet IDs in your virtual private cloud (VPC) to attach to your load balancer. Do not specify
multiple subnets that are in the same Availability Zone. You can specify the AvailabilityZones or
Subnets property, but not both.
For more information about using Elastic Load Balancing in a VPC, see How Do I Use Elastic Load
Balancing in Amazon VPC in the Elastic Load Balancing Developer Guide.
Required: No
Type: List of String values
Update requires: Replacement (p. 119) if you did not have an subnet speciﬁed and you are adding
one or if you are removing all subnets. Otherwise, update requires no interruption (p. 118). To
update the load balancer to another subnet that is in the same Availability Zone, you must do two
updates. You must ﬁrst update the load balancer to use a subnet in diﬀerent Availability Zone.
After the update is complete, update the load balancer to use the new subnet that is in the original
Availability Zone.
Tags
An arbitrary set of tags (key-value pairs) for this load balancer.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example, mystack-myelb-1WQN7BJGDB5YQ.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
CanonicalHostedZoneName
The name of the Route 53 hosted zone that is associated with the load balancer.
API Version 2010-05-15
1067

AWS CloudFormation User Guide
AWS::ElasticLoadBalancing::LoadBalancer

Important

If you specify internal for the Elastic Load Balancing scheme, use DNSName instead. For
an internal scheme, the load balancer doesn't have a CanonicalHostedZoneName
value.
Example: mystack-myelb-15HMABG9ZCN57-1013119603.us-east-2.elb.amazonaws.com
CanonicalHostedZoneNameID
The ID of the Route 53 hosted zone name that is associated with the load balancer.
Example: Z3DZXE0Q79N41H
DNSName
The DNS name for the load balancer.
Example: mystack-myelb-15HMABG9ZCN57-1013119603.us-east-2.elb.amazonaws.com
SourceSecurityGroup.GroupName
The security group that you can use as part of your inbound rules for your load balancer's back-end
Amazon EC2 application instances.
Example: amazon-elb
SourceSecurityGroup.OwnerAlias
The owner of the source security group.
Example: amazon-elb-sg
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
A load balancer with a health check and access logs
JSON
"ElasticLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : "" },
"Instances" : [ { "Ref" : "Ec2Instance1" },{ "Ref" : "Ec2Instance2" } ],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : { "Ref" : "WebServerPort" },
"Protocol" : "HTTP"
} ],
"HealthCheck" : {
"Target" : {
"Fn::Join" : [ "", [ "HTTP:", { "Ref" : "WebServerPort" }, "/" ] ]
},
"HealthyThreshold" : "3",
"UnhealthyThreshold" : "5",
"Interval" : "30",
"Timeout" : "5"
},
"AccessLoggingPolicy": {
"S3BucketName": {
"Ref": "S3LoggingBucket"
},

API Version 2010-05-15
1068

AWS CloudFormation User Guide
AWS::ElasticLoadBalancing::LoadBalancer
"S3BucketPrefix": "MyELBLogs",
"Enabled": "true",
"EmitInterval" : "60"

}

},
"DependsOn": "S3LoggingBucketPolicy"
}

YAML
ElasticLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
Fn::GetAZs: ''
Instances:
- Ref: Ec2Instance1
- Ref: Ec2Instance2
Listeners:
- LoadBalancerPort: '80'
InstancePort:
Ref: WebServerPort
Protocol: HTTP
HealthCheck:
Target:
Fn::Join:
- ''
- - 'HTTP:'
- Ref: WebServerPort
- "/"
HealthyThreshold: '3'
UnhealthyThreshold: '5'
Interval: '30'
Timeout: '5'
AccessLoggingPolicy:
S3BucketName:
Ref: S3LoggingBucket
S3BucketPrefix: MyELBLogs
Enabled: 'true'
EmitInterval: '60'
DependsOn: S3LoggingBucketPolicy

A load balancer with access logging enabled
The following sample snippet creates an Amazon S3 bucket with a bucket policy that allows the load
balancer to store information in the Logs/AWSLogs/AWS account number/ folder. The load balancer
also includes an explicit dependency on the bucket policy, which is required before the load balancer can
write to the bucket.

JSON
"S3LoggingBucket": {
"Type": "AWS::S3::Bucket"
},
"S3LoggingBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "S3LoggingBucket"
},
"PolicyDocument": {
"Version": "2012-10-17",

API Version 2010-05-15
1069

AWS CloudFormation User Guide
AWS::ElasticLoadBalancing::LoadBalancer

}

}

"Statement": [ {
"Sid": "ELBAccessLogs20130930",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{ "Ref": "S3LoggingBucket" },
"/",
"Logs",
"/AWSLogs/",
{ "Ref": "AWS::AccountId" },
"/*"
]
]
},
"Principal": { "Ref": "ElasticLoadBalancingAccountID" },
"Action": [
"s3:PutObject"
]
} ]

},
"ElasticLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AvailabilityZones": { "Fn::GetAZs": "" },
"Listeners": [{
"LoadBalancerPort": "80",
"InstancePort": "80",
"Protocol": "HTTP"
}],
"HealthCheck": {
"Target": "HTTP:80/",
"HealthyThreshold": "3",
"UnhealthyThreshold": "5",
"Interval": "30",
"Timeout": "5"
},
"AccessLoggingPolicy": {
"S3BucketName": {
"Ref": "S3LoggingBucket"
},
"S3BucketPrefix": "Logs",
"Enabled": "true",
"EmitInterval" : "60"
}
},
"DependsOn": "S3LoggingBucketPolicy"
}

YAML
S3LoggingBucket:
Type: AWS::S3::Bucket
S3LoggingBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: S3LoggingBucket
PolicyDocument:
Version: '2012-10-17'

API Version 2010-05-15
1070

AWS CloudFormation User Guide
AWS::ElasticLoadBalancing::LoadBalancer
Statement:
- Sid: ELBAccessLogs20130930
Effect: Allow
Resource:
Fn::Join:
- ''
- - 'arn:aws:s3:::'
- Ref: S3LoggingBucket
- "/"
- Logs
- "/AWSLogs/"
- Ref: AWS::AccountId
- "/*"
Principal:
Ref: ElasticLoadBalancingAccountID
Action:
- s3:PutObject
ElasticLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
Fn::GetAZs: ''
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '3'
UnhealthyThreshold: '5'
Interval: '30'
Timeout: '5'
AccessLoggingPolicy:
S3BucketName:
Ref: S3LoggingBucket
S3BucketPrefix: Logs
Enabled: 'true'
EmitInterval: '60'
DependsOn: S3LoggingBucketPolicy

A load balancer with a connection draining policy
The following snippet enables a connection draining policy that ends connections to a deregistered or
unhealthy instance after 60 seconds.

JSON
"ElasticLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : "" },
"Instances" : [ { "Ref" : "Ec2Instance1" },{ "Ref" : "Ec2Instance2" } ],
"Listeners": [{
"LoadBalancerPort": "80",
"InstancePort": "80",
"Protocol": "HTTP"
}],
"HealthCheck": {
"Target": "HTTP:80/",
"HealthyThreshold": "3",
"UnhealthyThreshold": "5",
"Interval": "30",
"Timeout": "5"
},

API Version 2010-05-15
1071

AWS CloudFormation User Guide
AWS::ElasticLoadBalancing::LoadBalancer

}

}

"ConnectionDrainingPolicy": {
"Enabled" : "true",
"Timeout" : "60"
}

YAML
ElasticLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
Fn::GetAZs: ''
Instances:
- Ref: Ec2Instance1
- Ref: Ec2Instance2
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '3'
UnhealthyThreshold: '5'
Interval: '30'
Timeout: '5'
ConnectionDrainingPolicy:
Enabled: 'true'
Timeout: '60'

A load balancer with multiple policies
The following snippet creates a load balancer with listeners on port 80 and 443. The snippet applies a
proxy on port 80 and a back-end server authentication policy on port 443.

JSON
"ElasticLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"SecurityGroups" : { "Ref" : "SecurityGroups" },
"Scheme" : "internet-facing",
"AvailabilityZones": { "Fn::GetAZs": "" },
"Listeners": [
{
"LoadBalancerPort": "80",
"InstancePort": "80",
"Protocol": "TCP",
"InstanceProtocol" : "TCP"
},
{
"LoadBalancerPort": "443",
"InstancePort": "443",
"Protocol": "HTTPS",
"SSLCertificateId" : { "Ref" : "CertARN" },
"PolicyNames" : ["MySSLNegotiationPolicy", "MyAppCookieStickinessPolicy"]
}
],
"Policies" : [
{
"PolicyName" : "MySSLNegotiationPolicy",

API Version 2010-05-15
1072

AWS CloudFormation User Guide
AWS::ElasticLoadBalancing::LoadBalancer
:
:
:
:
:
:

"PolicyName"
"PolicyType"
"Attributes"
{ "Name" :
]

: "MyAppCookieStickinessPolicy",
: "AppCookieStickinessPolicyType",
: [
"CookieName", "Value" : "MyCookie" }

},
{

"PolicyType"
"Attributes"
{ "Name"
{ "Name"
{ "Name"
{ "Name"
]

"SSLNegotiationPolicyType",
[
"Protocol-TLSv1", "Value" : "true" },
"Protocol-SSLv2", "Value" : "true" },
"Protocol-SSLv3", "Value" : "false" },
"DHE-RSA-AES256-SHA", "Value" : "true" }

},
{

"PolicyName" : "MyPublicKeyPolicy",
"PolicyType" : "PublicKeyPolicyType",
"Attributes" : [
{ "Name" : "PublicKey", "Value" : { "Fn::Join" : [ "\n", [
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh/51Aohx5VrpmlfGHZCzciMBa",
"fkHve+MQYYJcxmNUKMdsWnz9WtVfKxxWUU7Cfor4lorYmENGCG8FWqCoLDMFs7pN",
"yGEtpsrlKhzZWtgY1d7eGrUrBil03bI90E2KW0j4qAwGYAC8xixOkNClicojeEz4",
"f4rr3sUf+ZBSsuMEuwIDAQAB" ] ] }
}
]

},
{

"PolicyName" : "MyBackendServerAuthenticationPolicy",
"PolicyType" : "BackendServerAuthenticationPolicyType",
"Attributes" : [
{ "Name" : "PublicKeyPolicyName", "Value" : "MyPublicKeyPolicy" }
],
"InstancePorts" : [ "443" ]

},
{

}

}

]

}

"PolicyName" : "EnableProxyProtocol",
"PolicyType" : "ProxyProtocolPolicyType",
"Attributes" : [
{ "Name" : "ProxyProtocol", "Value" : "true" }
],
"InstancePorts" : ["80"]

YAML
ElasticLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
SecurityGroups:
Ref: SecurityGroups
Scheme: internet-facing
AvailabilityZones:
Fn::GetAZs: ''
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: TCP
InstanceProtocol: TCP
- LoadBalancerPort: '443'
InstancePort: '443'

API Version 2010-05-15
1073

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::Listener
Protocol: HTTPS
SSLCertificateId:
Ref: CertARN
PolicyNames:
- MySSLNegotiationPolicy
- MyAppCookieStickinessPolicy
Policies:
- PolicyName: MySSLNegotiationPolicy
PolicyType: SSLNegotiationPolicyType
Attributes:
- Name: Protocol-TLSv1
Value: 'true'
- Name: Protocol-SSLv2
Value: 'true'
- Name: Protocol-SSLv3
Value: 'false'
- Name: DHE-RSA-AES256-SHA
Value: 'true'
- PolicyName: MyAppCookieStickinessPolicy
PolicyType: AppCookieStickinessPolicyType
Attributes:
- Name: CookieName
Value: MyCookie
- PolicyName: MyPublicKeyPolicy
PolicyType: PublicKeyPolicyType
Attributes:
- Name: PublicKey
Value:
Fn::Join:
- "\n"
- - MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh/51Aohx5VrpmlfGHZCzciMBa
- fkHve+MQYYJcxmNUKMdsWnz9WtVfKxxWUU7Cfor4lorYmENGCG8FWqCoLDMFs7pN
- yGEtpsrlKhzZWtgY1d7eGrUrBil03bI90E2KW0j4qAwGYAC8xixOkNClicojeEz4
- f4rr3sUf+ZBSsuMEuwIDAQAB
- PolicyName: MyBackendServerAuthenticationPolicy
PolicyType: BackendServerAuthenticationPolicyType
Attributes:
- Name: PublicKeyPolicyName
Value: MyPublicKeyPolicy
InstancePorts:
- '443'
- PolicyName: EnableProxyProtocol
PolicyType: ProxyProtocolPolicyType
Attributes:
- Name: ProxyProtocol
Value: 'true'
InstancePorts:
- '80'

Additional Examples
You can view additional examples from the AWS CloudFormation sample template collection: Sample
Templates (p. 2342).

AWS::ElasticLoadBalancingV2::Listener
The AWS::ElasticLoadBalancingV2::Listener resource creates a listener for an Elastic Load
Balancing Application or Network load balancer. The listener checks for connection requests and
forwards them to one or more target groups. For more information, see Getting Started in the Elastic
Load Balancing User Guide.
Topics
API Version 2010-05-15
1074

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::Listener

• Syntax (p. 1075)
• Properties (p. 1075)
• Return Value (p. 1076)
• Example (p. 1077)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ElasticLoadBalancingV2::Listener",
"Properties" : {
"Certificates" : [ Certificate (p. 1916) ],
"DefaultActions" : [ Action (p. 1917), ... ],
"LoadBalancerArn" : String,
"Port" : Integer,
"Protocol" : String,
"SslPolicy" : String
}

YAML
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
Certificates:
- Certificate (p. 1916)
DefaultActions:
- Action (p. 1917)
LoadBalancerArn: String
Port: Integer
Protocol: String
SslPolicy: String

Properties
Certificates
The SSL server certiﬁcate for the listener. With a certiﬁcate, you can encrypt traﬃc between the load
balancer and the clients that initiate HTTPS sessions, and traﬃc between the load balancer and your
targets.
This property represents the default certiﬁcate for the listener. You can specify only one certiﬁcate
for the AWS::ElasticLoadBalancingV2::Listener resource.
Required: Conditional. If you specify HTTPS for the Protocol property, specify a certiﬁcate.
Type: List of Elastic Load Balancing Listener Certiﬁcate (p. 1916)
Update requires: No interruption (p. 118)
DefaultActions
The default actions that the listener takes when handling incoming requests.
API Version 2010-05-15
1075

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::Listener

Required: Yes
Type: List of Elastic Load Balancing Listener Action (p. 1917)
Update requires: No interruption (p. 118)
LoadBalancerArn
The Amazon Resource Name (ARN) of the load balancer to associate with the listener.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Port
The port on which the listener listens for requests.
For valid values, see the Port parameter for the CreateListener action in the Elastic Load Balancing
API Reference version 2015-12-01.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
Protocol
The protocol that clients must use to send requests to the listener.
For valid values, see the Protocol parameter for the CreateListener action in the Elastic Load
Balancing API Reference version 2015-12-01.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
SslPolicy
The security policy that deﬁnes the ciphers and protocols that the load balancer supports.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the listener's
ARN, such as arn:aws:elasticloadbalancing:us-west-2:123456789012:listener/app/myload-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
1076

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::ListenerCertiﬁcate

Example
The following example creates a listener for the myLoadBalancer resource. The listener's default action
is to forward requests to the myTargetGroup target group.

JSON
"Listener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"DefaultActions": [{
"Type": "forward",
"TargetGroupArn": { "Ref": "myTargetGroup" }
}],
"LoadBalancerArn": { "Ref": "myLoadBalancer" },
"Port": "8000",
"Protocol": "HTTP"
}
}

YAML
Listener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
TargetGroupArn:
Ref: myTargetGroup
LoadBalancerArn:
Ref: myLoadBalancer
Port: '8000'
Protocol: HTTP

AWS::ElasticLoadBalancingV2::ListenerCertiﬁcate
The AWS::ElasticLoadBalancingV2::ListenerCertificate resource speciﬁes certiﬁcates for
an Elastic Load Balancing secure listener. For more information, see Getting Started in the Elastic Load
Balancing User Guide.
Topics
• Syntax (p. 1077)
• Properties (p. 1078)
• Example (p. 1078)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ElasticLoadBalancingV2::ListenerCertificate",
"Properties" : {
"Certificates" : [ Certificate (p. 1917), ... ]
"ListenerArn" : String

API Version 2010-05-15
1077

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::ListenerCertiﬁcate

}

}

YAML
Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
Properties:
Certificates:
- Certificate (p. 1917)
ListenerArn: String

Properties
Certificates
Certiﬁcates speciﬁed for the listener. Duplicates not allowed.
Required: Yes
Type: List of Elastic Load Balancing ListenerCertiﬁcate Certiﬁcate (p. 1917)
Update requires: Replacement (p. 119)
ListenerArn
The Amazon Resource Name (ARN) of the listener.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Example
The following example speciﬁes a listener certiﬁcate, containing a single certiﬁcate, for a load balancer
listener.

JSON
{

"Parameters": {
"CertificateArn1": {
"Type": "String"
},
"CertificateArn2": {
"Type": "String"
},
"LoadBalancerArn": {
"Type": "String"
},
"TargetGroupArn": {
"Type": "String"
}
},
"Resources": {
"ListenerCertificate": {
"Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate",
"Properties": {
"Certificates": [

API Version 2010-05-15
1078

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::ListenerCertiﬁcate
{

"CertificateArn": {
"Ref": "CertificateArn1"
}

}
],
"ListenerArn": {
"Ref": "Listener"
}

}

}

}
},
"Listener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"DefaultActions": [
{
"Type": "forward",
"TargetGroupArn": {
"Ref": "TargetGroupArn"
}
}
],
"LoadBalancerArn": {
"Ref": "LoadBalancerArn"
},
"Port": "8000",
"Protocol": "HTTPS",
"Certificates": [
{
"CertificateArn": {
"Ref": "CertificateArn2"
}
}
]
}
}

YAML
Parameters:
CertificateArn1:
Type: String
CertificateArn2:
Type: String
LoadBalancerArn:
Type: String
TargetGroupArn:
Type: String
Resources:
ListenerCertificate:
Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
Properties:
Certificates:
- CertificateArn: !Ref CertificateArn1
ListenerArn: !Ref Listener
Listener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
TargetGroupArn: !Ref TargetGroupArn
LoadBalancerArn: !Ref LoadBalancerArn

API Version 2010-05-15
1079

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::ListenerRule
Port: '8000'
Protocol: HTTPS
Certificates:
- CertificateArn: !Ref CertificateArn2

AWS::ElasticLoadBalancingV2::ListenerRule
The AWS::ElasticLoadBalancingV2::ListenerRule resource deﬁnes which requests an Elastic
Load Balancing listener takes action on and the action that it takes. For more information, see Getting
Started in the Elastic Load Balancing User Guide.
Topics
• Syntax (p. 1080)
• Properties (p. 1080)
• Return Value (p. 1081)
• Example (p. 1081)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ElasticLoadBalancingV2::ListenerRule",
"Properties" : {
"Actions" : [ Actions (p. 1918), ... ],
"Conditions" : [ Conditions (p. 1919), ... ],
"ListenerArn" : String,
"Priority" : Integer
}

YAML
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Properties:
Actions:
- Actions (p. 1918)
Conditions:
- Conditions (p. 1919)
ListenerArn: String
Priority: Integer

Properties
Actions
The action that the listener takes when a request meets the speciﬁed condition.
Required: Yes
Type: List of Elastic Load Balancing ListenerRule Actions (p. 1918)
Update requires: No interruption (p. 118)
API Version 2010-05-15
1080

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::ListenerRule

Conditions
The conditions under which a rule takes eﬀect.
Required: Yes
Type: List of Elastic Load Balancing ListenerRule Conditions (p. 1919)
Update requires: No interruption (p. 118)
ListenerArn
The Amazon Resource Name (ARN) of the listener that the rule applies to.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Priority
The priority for the rule. Elastic Load Balancing evaluates rules in priority order, from the lowest
value to the highest value. If a request satisﬁes a rule, Elastic Load Balancing ignores all subsequent
rules.

Note

A listener can have only one rule with a given priority.
For valid values, see the Priority parameter for the CreateRule action in the Elastic Load Balancing
API Reference version 2015-12-01.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the rule's ARN,
such as arn:aws:elasticloadbalancing:us-west-2:123456789012:listener-rule/app/myload-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2/9683b2d02a6cabee.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a rule that forwards requests to the TargetGroup target group if the
request URL contains the /img/* pattern.

JSON
"ListenerRule": {
"Type": "AWS::ElasticLoadBalancingV2::ListenerRule",
"Properties": {

API Version 2010-05-15
1081

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::LoadBalancer

}

}

"Actions": [{
"Type": "forward",
"TargetGroupArn": { "Ref": "TargetGroup" }
}],
"Conditions": [{
"Field": "path-pattern",
"Values": [ "/img/*" ]
}],
"ListenerArn": { "Ref": "Listener" },
"Priority": 1

YAML
ListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Properties:
Actions:
- Type: forward
TargetGroupArn:
Ref: TargetGroup
Conditions:
- Field: path-pattern
Values:
- "/img/*"
ListenerArn:
Ref: Listener
Priority: 1

AWS::ElasticLoadBalancingV2::LoadBalancer
The AWS::ElasticLoadBalancingV2::LoadBalancer resource creates an Elastic Load Balancing
Application or Network Load Balancer. For more information, see Getting Started in the Elastic Load
Balancing User Guide.

Note

AWS CloudFormation does not automatically create tags (key–value pairs) for an Elastic Load
Balancing load balancer. You must use the Tags (p. 1085) property to create tags to associate
with the load balancer.
Topics
• Syntax (p. 1082)
• Properties (p. 1083)
• Return Values (p. 1085)
• Examples (p. 1086)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties" : {

API Version 2010-05-15
1082

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::LoadBalancer

}

}

"LoadBalancerAttributes" : [ LoadBalancerAttributes (p. 1919), ... ],
"Name" : String,
"Scheme" : String,
"SecurityGroups" : [ String, ... ],
"SubnetMappings" : [ SubnetMapping (p. 1920), ... ],
"Subnets" : [ String, ... ],
"Tags" : [ Resource Tag, ... ],
"Type" : String,
"IpAddressType" : String

YAML
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
LoadBalancerAttributes:
- LoadBalancerAttributes (p. 1919)
Name: String
Scheme: String
SecurityGroups:
- String
SubnetMappings:
- SubnetMapping (p. 1920)
Subnets:
- String
Tags:
- Resource Tag
Type: String
IpAddressType: String

Properties
For more information and valid parameter values, see the see the CreateLoadBalancer action in the
Elastic Load Balancing API Reference version 2015-12-01.
LoadBalancerAttributes
Speciﬁes the load balancer conﬁguration.
Required: No
Type: A list of Elastic Load Balancing LoadBalancer LoadBalancerAttributes (p. 1919)
Update requires: No interruption (p. 118)
Name
Speciﬁes a name for the load balancer. This name must be unique within your AWS account and
can have a maximum of 32 alphanumeric characters and hyphens. A name can't begin or end with a
hyphen.

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
API Version 2010-05-15
1083

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::LoadBalancer

Update requires: Replacement (p. 119)
Scheme
Speciﬁes whether the load balancer is internal or Internet-facing. Valid values are internetfacing and internal. The default is internet-facing.
The nodes of an Internet-facing load balancer have public IP addresses. The DNS name of an
Internet-facing load balancer is publicly resolvable to the public IP addresses of the nodes.
Therefore, Internet-facing load balancers can route requests from clients over the Internet.
The nodes of an internal load balancer have only private IP addresses. The DNS name of an internal
load balancer is publicly resolvable to the private IP addresses of the nodes. Therefore, internal load
balancers can only route requests from clients with access to the VPC for the load balancer.
Required: No
Type: String
Update requires: Replacement (p. 119)
SecurityGroups
[Application Load Balancers] Speciﬁes a list of the IDs of the security groups to assign to the load
balancer.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SubnetMappings
The subnets to attach to the load balancer, speciﬁed as a list of SubnetMapping property types.
You can specify only one subnet per Availability Zone. You must specify either subnets or subnet
mappings.
[Application Load Balancers] The load balancer is allocated one static IP address per subnet. You
cannot specify your own Elastic IP addresses.
[Network Load Balancers] You can specify one Elastic IP address per subnet.
Required: No
Type: List of Elastic Load Balancing LoadBalancer SubnetMapping (p. 1920)
Update requires: Replacement (p. 119)
Subnets
The subnets to attach to the load balancer, speciﬁed as a list of subnet IDs. You can specify only one
subnet per Availability Zone. You must specify either subnets or subnet mappings.
[Application Load Balancers] You must specify subnets from at least two Availability Zones.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
API Version 2010-05-15
1084

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::LoadBalancer

Tags
Speciﬁes an arbitrary set of tags (key–value pairs) to associate with this load balancer. Use tags to
manage your resources.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
Type
Speciﬁes the type of load balancer to create. Valid values are application and network.The
default is application.
Required: No
Type: String
Update requires: Replacement (p. 119)
IpAddressType
[Application Load Balancers] The type of IP addresses that are used by the load balancer's subnets,
such as ipv4 (for IPv4 addresses) or dualstack (for IPv4 and IPv6 addresses). For valid values, see
the IpAddressType parameter for the CreateLoadBalancer action in the Elastic Load Balancing
API Reference version 2015-12-01. The default value is ipv4.
Required: No
Type: String
Update requires: No interruption (p. 118)

Note

If Scheme is internal, then IpAddressType must be ipv4.

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ARN of the
load balancer, for example:
arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-internal-loadbalancer/50dc6c495c0c9188

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for the following attributes.
DNSName
The DNS name for the load balancer, for example my-load-balancer-424835706.uswest-2.elb.amazonaws.com.
API Version 2010-05-15
1085

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::LoadBalancer

CanonicalHostedZoneID
The ID of the Amazon Route 53 hosted zone associated with the load balancer, for example
Z2P70J7EXAMPLE.
LoadBalancerFullName
The full name of the load balancer, for example app/my-load-balancer/50dc6c495c0c9188.
LoadBalancerName
The name of the load balancer, for example my-load-balancer.
SecurityGroups
The IDs of the security groups for the load balancer, for example sg-123456a.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Load balancer with idle timeout period speciﬁed
The following example creates an internal load balancer with an idle timeout period of 50 seconds.

JSON
"loadBalancer" : {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Scheme" : "internal",
"Subnets" : [ {"Ref": "SubnetAZ1"}, {"Ref" : "SubnetAZ2"}],
"LoadBalancerAttributes" : [
{ "Key" : "idle_timeout.timeout_seconds", "Value" : "50" }
],
"SecurityGroups": [{"Ref": "SecurityGroup1"}, {"Ref" : "SecurityGroup2"}],
"Tags" : [
{ "Key" : "key", "Value" : "value" },
{ "Key" : "key2", "Value" : "value2" }
]
}
}

YAML
loadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Scheme: internal
Subnets:
- Ref: SubnetAZ1
- Ref: SubnetAZ2
LoadBalancerAttributes:
- Key: idle_timeout.timeout_seconds
Value: '50'
SecurityGroups:
- Ref: SecurityGroup1
- Ref: SecurityGroup2
Tags:
- Key: key
Value: value
- Key: key2
Value: value2

API Version 2010-05-15
1086

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::LoadBalancer

Load balancer with subnets
The following example creates a load balancer with two mapped subnets.

JSON
{

"Parameters": {
"FirstSubnet": {
"Type": "String"
},
"SecondSubnet": {
"Type": "String"
},
"ELBType": {
"Type": "String"
},
"ELBIpAddressType": {
"Type": "String"
}
},
"Resources": {
"loadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SubnetMappings": [
{
"AllocationId": {
"Fn::GetAtt": [
"FirstEIP",
"AllocationId"
]
},
"SubnetId": {
"Ref": "FirstSubnet"
}
},
{
"AllocationId": {
"Fn::GetAtt": [
"SecondEIP",
"AllocationId"
]
},
"SubnetId": {
"Ref": "SecondSubnet"
}
}
],
"Type": {
"Ref": "ELBType"
},
"IpAddressType": {
"Ref": "ELBIpAddressType"
}
}
},
"FirstEIP": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"SecondEIP": {
"Type": "AWS::EC2::EIP",

API Version 2010-05-15
1087

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::TargetGroup

}

}

}

"Properties": {
"Domain": "vpc"
}

YAML
Parameters:
FirstSubnet:
Type: String
SecondSubnet:
Type: String
ELBType:
Type: String
ELBIpAddressType:
Type: String
Resources:
loadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
SubnetMappings:
- AllocationId: !GetAtt
- FirstEIP
- AllocationId
SubnetId: !Ref FirstSubnet
- AllocationId: !GetAtt
- SecondEIP
- AllocationId
SubnetId: !Ref SecondSubnet
Type: !Ref ELBType
IpAddressType: !Ref ELBIpAddressType
FirstEIP:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
SecondEIP:
Type: AWS::EC2::EIP
Properties:
Domain: vpc

AWS::ElasticLoadBalancingV2::TargetGroup
The AWS::ElasticLoadBalancingV2::TargetGroup resource creates an Elastic Load Balancing
target group that routes requests to one or more registered targets, such as EC2 instances. For more
information, see Getting Started in the Elastic Load Balancing User Guide.
Topics
• Syntax (p. 1088)
• Properties (p. 1089)
• Return Values (p. 1092)
• Examples (p. 1093)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1088

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::TargetGroup

JSON
{

}

"Type" : "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties" : {
"HealthCheckIntervalSeconds" : Integer,
"HealthCheckPath" : String,
"HealthCheckPort" : String,
"HealthCheckProtocol" : String,
"HealthCheckTimeoutSeconds" : Integer,
"HealthyThresholdCount" : Integer,
"Matcher" : Matcher (p. 1921),
"Name" : String,
"Port" : Integer,
"Protocol" : String,
"Tags" : [ Resource Tag (p. 2106), ... ],
"TargetGroupAttributes" : [ TargetGroupAttributes (p. 1922), ... ],
"Targets" : [ TargetDescription (p. 1922), ... ],
"TargetType" : String,
"UnhealthyThresholdCount" : Integer,
"VpcId" : String
}

YAML
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: Integer
HealthCheckPath: String
HealthCheckPort: String
HealthCheckProtocol: String
HealthCheckTimeoutSeconds: Integer
HealthyThresholdCount: Integer
Matcher: Matcher (p. 1921)
Name: String
Port: Integer
Protocol: String
Tags:
- Resource Tag (p. 2106)
TargetGroupAttributes:
- TargetGroupAttributes (p. 1922)
Targets:
- TargetDescription (p. 1922)
TargetType: String
UnhealthyThresholdCount: Integer
VpcId: String

Properties
HealthCheckIntervalSeconds
The approximate number of seconds between health checks for an individual target.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
HealthCheckPath
The ping path destination where Elastic Load Balancing sends health check requests.
API Version 2010-05-15
1089

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::TargetGroup

Required: No
Type: String
Update requires: No interruption (p. 118)
HealthCheckPort
The port that the load balancer uses when performing health checks on the targets.
For valid and default values, see the HealthCheckPort parameter for the CreateTargetGroup
action in the Elastic Load Balancing API Reference version 2015-12-01.
Required: No
Type: String
Update requires: No interruption (p. 118)
HealthCheckProtocol
The protocol that the load balancer uses when performing health checks on the targets, such as
HTTP or HTTPS.
For valid and default values, see the HealthCheckProtocol parameter for the CreateTargetGroup
action in the Elastic Load Balancing API Reference version 2015-12-01.
Required: No
Type: String
Update requires: No interruption (p. 118)
HealthCheckTimeoutSeconds
The number of seconds to wait for a response before considering that a health check has failed.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
HealthyThresholdCount
The number of consecutive successful health checks that are required before an unhealthy target is
considered healthy.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Matcher
The HTTP codes that a healthy target uses when responding to a health check. If you specify TCP for
the Protocol property, you must specify the range 200-399 for the Matcher property.
For more information about specifying this property, see Matcher in the Elastic Load Balancing API
Reference version 2015-12-01.
Required: No
API Version 2010-05-15
1090

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::TargetGroup

Type: Elastic Load Balancing TargetGroup Matcher (p. 1921)
Update requires: No interruption (p. 118)
Name
A name for the target group.

Important

This name must be unique per account, per region.
The target group name should be shorter than 32 characters because AWS CloudFormation
uses the target group name to create the name of the load balancer.
Required: No
Type: String
Update requires: Replacement (p. 119)
Port
The port on which the targets receive traﬃc.
Required: Yes
Type: Integer
Update requires: Replacement (p. 119)
Protocol
The protocol to use for routing traﬃc to the targets.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Tags
An arbitrary set of tags (key–value pairs) for the target group. Use tags to help manage resources.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118).
TargetGroupAttributes
Target group conﬁgurations.
Required: No
Type: List of Elastic Load Balancing TargetGroup TargetGroupAttributes (p. 1922)
Update requires: No interruption (p. 118)
Targets
The targets to add to this target group.
Required: No
API Version 2010-05-15
1091

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::TargetGroup

Type: List of Elastic Load Balancing TargetGroup TargetDescription (p. 1922)
Update requires: No interruption (p. 118)
TargetType
The registration type of the targets in this target group. Valid values are instance and ip. The
default is instance.
Required: No
Type: String
Update requires: Replacement (p. 119)
UnhealthyThresholdCount
The number of consecutive failed health checks that are required before a target is considered
unhealthy.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
VpcId
The ID of the VPC in which your targets are located.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the
target group's Amazon Resource Name (ARN), such as arn:aws:elasticloadbalancing:uswest-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
LoadBalancerArns
A list of Amazon Resource Names (ARNs) of the load balancers that route traﬃc to this target group,
such as [ "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/
app/my-load-balancer/50dc6c495c0c9188" ].
TargetGroupFullName
The full name of the target group, such as targetgroup/my-target-group/
cbf133c568e0d028.
API Version 2010-05-15
1092

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::TargetGroup

TargetGroupName
The name of the target group, such as my-target-group. This is the value of the target group's
Name property.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Create a Target Group with EC2 Instances as Targets
The following examples creates a target group that includes the Instance1 and Instance2 EC2
instances as targets. The instances must respond with a 200 status code to pass health check requests.

JSON
"TargetGroup" : {
"Type" : "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties" : {
"HealthCheckIntervalSeconds": 30,
"HealthCheckProtocol": "HTTPS",
"HealthCheckTimeoutSeconds": 10,
"HealthyThresholdCount": 4,
"Matcher" : {
"HttpCode" : "200"
},
"Name": "MyTargets",
"Port": 10,
"Protocol": "HTTPS",
"TargetGroupAttributes": [{
"Key": "deregistration_delay.timeout_seconds",
"Value": "20"
}],
"Targets": [
{ "Id": {"Ref" : "Instance1"}, "Port": 80 },
{ "Id": {"Ref" : "Instance2"}, "Port": 80 }
],
"UnhealthyThresholdCount": 3,
"VpcId": {"Ref" : "VPC"},
"Tags" : [
{ "Key" : "key", "Value" : "value" },
{ "Key" : "key2", "Value" : "value2" }
]
}
}

YAML
TargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 30
HealthCheckProtocol: HTTPS
HealthCheckTimeoutSeconds: 10
HealthyThresholdCount: 4
Matcher:
HttpCode: '200'
Name: MyTargets
Port: 10
Protocol: HTTPS
TargetGroupAttributes:

API Version 2010-05-15
1093

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::TargetGroup
- Key: deregistration_delay.timeout_seconds
Value: '20'
Targets:
- Id:
Ref: Instance1
Port: 80
- Id:
Ref: Instance2
Port: 80
UnhealthyThresholdCount: 3
VpcId:
Ref: VPC
Tags:
- Key: key
Value: value
- Key: key2
Value: value2

Relate an Elastic Load Balancing Load Balancer to an Elastic Load Balancing
Target Group
The following example creates an Elastic Load Balancing listener, associates it with a target group and a
load balancer, and sets a target group attribute.

JSON
"ALBListener" : {
"Type" : "AWS::ElasticLoadBalancingV2::Listener",
"Properties" : {
"DefaultActions" : [{
"Type" : "forward",
"TargetGroupArn" : { "Ref" : "ALBTargetGroup" }
}],
"LoadBalancerArn" : { "Ref" : "ApplicationLoadBalancer" },
"Port" : "80",
"Protocol" : "HTTP"
}
},
"ApplicationLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties" : {
"Scheme" : "internet-facing",
"Subnets" : [ {"Ref" : "PublicSubnetAz1"}, {"Ref" : "PublicSubnetAz2"}],
"SecurityGroups" : [{"Ref": "ALBSecurityGroup"}]
}
},
"ALBTargetGroup" : {
"Type" : "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties" : {
"HealthCheckIntervalSeconds" : 60,
"UnhealthyThresholdCount" : 10,
"HealthCheckPath" : "/",
"Name" : "MyTargetGroup",
"Port" : 80,
"Protocol" : "HTTP",
"VpcId" : { "Ref": "MyVpc" }
"TargetGroupAttributes" : [
{
"Key" : deregistration_delay.timeout_seconds,
"Value" : 60
}
]
}

API Version 2010-05-15
1094

AWS CloudFormation User Guide
AWS::ElasticLoadBalancingV2::TargetGroup
}

YAML
ALBListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
Type: forward
TargetGroupArn:
Ref: ALBTargetGroup
LoadBalancerArn:
Ref: ApplicationLoadBalancer
Port: 80
Protocol: HTTP
ApplicationLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Scheme: internet-facing
Subnets:
Ref: PublicSubnetAz1
Ref: PublicSubnetAz2
SecurityGroups:
Ref: ALBSecurityGroup
ALBTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 60
UnhealthyThresholdCount: 10
HealthCheckPath: /
Name: MyTargetGroup
Port: 80
Protocol: HTTP
VpcId:
Ref: MyVpc
TargetGroupAttributes:
- Key: deregistration_delay.timeout_seconds
Value: 60

Specify the Elastic Load Balancing Target Group type
The following example speciﬁes the target group type as instance.

JSON
{

"Parameters": {
"CidrBlockForVPC": {
"Type": "String"
}
},
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {
"Ref": "CidrBlockForVPC"
}
}
},
"TargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {

API Version 2010-05-15
1095

AWS CloudFormation User Guide
AWS::Elasticsearch::Domain

}

}

}

}

"Port": 1000,
"Protocol": "HTTPS",
"TargetType": "instance",
"VpcId": {
"Ref": "VPC"
}

YAML
Parameters:
CidrBlockForVPC:
Type: String
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref CidrBlockForVPC
TargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
Port: 1000
Protocol: HTTPS
TargetType: instance
VpcId: !Ref VPC

AWS::Elasticsearch::Domain
The AWS::Elasticsearch::Domain resource creates an Amazon Elasticsearch Service (Amazon
ES) domain that encapsulates the Amazon ES engine instances. For more information, see
CreateElasticsearchDomain in the Amazon Elasticsearch Service Developer Guide.
Topics
• Syntax (p. 1096)
• Properties (p. 1097)
• Return Values (p. 1099)
• Examples (p. 1099)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::Elasticsearch::Domain",
"Properties" : {
"AccessPolicies" : JSON object,
"AdvancedOptions" : { String:String, ... },
"DomainName" : String,
"EBSOptions" : EBSOptions (p. 1923),
"ElasticsearchClusterConfig" : ElasticsearchClusterConfig (p. 1924),
"ElasticsearchVersion" : String,
"EncryptionAtRestOptions" : EncryptionAtRestOptions (p. 1926),

API Version 2010-05-15
1096

AWS CloudFormation User Guide
AWS::Elasticsearch::Domain

}

}

"SnapshotOptions" : SnapshotOptions (p. 1927),
"Tags" : [ Resource Tag, ... ],
"VPCOptions" : VPCOptions (p. 1927)

YAML
Type: AWS::Elasticsearch::Domain
Properties:
AccessPolicies: JSON object
AdvancedOptions:
String: String
DomainName: String
EBSOptions:
EBSOptions (p. 1923)
ElasticsearchClusterConfig:
ElasticsearchClusterConfig (p. 1924)
ElasticsearchVersion: String
EncryptionAtRestOptions:
EncryptionAtRestOptions (p. 1926)
SnapshotOptions:
SnapshotOptions (p. 1927)
Tags:
- Resource Tag
VPCOptions:
VPCOptions (p. 1927)

Properties
AccessPolicies
An AWS Identity and Access Management (IAM) policy document that speciﬁes who can access the
Amazon ES domain and their permissions. For more information, see Conﬁguring Access Policies in
the Amazon Elasticsearch Service Developer Guide.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
AdvancedOptions
Additional options to specify for the Amazon ES domain. For more information, see Conﬁguring
Advanced Options in the Amazon Elasticsearch Service Developer Guide.
Required: No
Type: A JSON object that consists of a string key-value pair, such as:
{
}

"rest.action.multi.allow_explicit_index": "true"

Update requires: Replacement (p. 119)
DomainName
A name for the Amazon ES domain. For valid values, see the DomainName data type in the Amazon
Elasticsearch Service Developer Guide.
API Version 2010-05-15
1097

AWS CloudFormation User Guide
AWS::Elasticsearch::Domain

If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for
the domain name. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
EBSOptions
The conﬁgurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data
nodes in the Amazon ES domain. For more information, see Conﬁguring EBS-based Storage in the
Amazon Elasticsearch Service Developer Guide.
Required: No
Type: Amazon ES Domain EBSOptions (p. 1923)
Update requires: No interruption (p. 118)
ElasticsearchClusterConfig
The cluster conﬁguration for the Amazon ES domain. You can specify options such as the instance
type and the number of instances. For more information, see Conﬁguring Amazon ES Domains in the
Amazon Elasticsearch Service Developer Guide.
Required: No
Type: Amazon ES Domain ElasticsearchClusterConﬁg (p. 1924)
Update requires: No interruption (p. 118)
ElasticsearchVersion
The version of Elasticsearch to use, such as 2.3. For information about the versions that Amazon ES
supports, see the Elasticsearch-Version parameter for the CreateElasticsearchDomain action in
the Amazon Elasticsearch Service Developer Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)
EncryptionAtRestOptions
Whether the domain should encrypt data at rest, and if so, the AWS Key Management Service (KMS)
key to use. Can only be used to create a new domain, not update an existing one.
Required: No
Type: Amazon ES Domain EncryptionAtRestOptions (p. 1926)
Update requires: Replacement (p. 118)
SnapshotOptions
The automated snapshot conﬁguration for the Amazon ES domain indices.
Required: No
API Version 2010-05-15
1098

AWS CloudFormation User Guide
AWS::Elasticsearch::Domain

Type: Amazon ES Domain SnapshotOptions (p. 1927)
Update requires: No interruption (p. 118)
Tags
An arbitrary set of tags (key–value pairs) to associate with the Amazon ES domain.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
VPCOptions
The virtual private cloud (VPC) conﬁguration for the Amazon ES domain. For more information,
see VPC Support for Amazon Elasticsearch Service Domains in the Amazon Elasticsearch Service
Developer Guide.
Required: No
Type: Amazon ES Domain VPCOptions (p. 1927)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name, such as mystack-elasticsea-abc1d2efg3h4.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon Resource Name (ARN) of the domain, such as arn:aws:es:uswest-2:123456789012:domain/mystack-elasti-1ab2cdefghij.
DomainArn (deprecated)
This attribute has been deprecated. Use the Arn attribute instead.
DomainEndpoint
The domain-speciﬁc endpoint that's used to submit index, search, and data upload
requests to an Amazon ES domain, such as search-mystack-elasti-1ab2cdefghijab1c2deckoyb3hofw7wpqa3cm.us-west-2.es.amazonaws.com.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
The following examples create an Amazon ES domain that contains two data nodes and three master
nodes. Automated snapshots of the indices are taken daily between midnight and 1:00 AM (UTC). The
API Version 2010-05-15
1099

AWS CloudFormation User Guide
AWS::Elasticsearch::Domain

access policy permits the IAM user es-user to take all Amazon ES actions on the domain, such as
es:UpdateElasticsearchDomainConfig.

JSON
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": "test",
"ElasticsearchClusterConfig": {
"DedicatedMasterEnabled": "true",
"InstanceCount": "2",
"ZoneAwarenessEnabled": "true",
"InstanceType": "m3.medium.elasticsearch",
"DedicatedMasterType": "m3.medium.elasticsearch",
"DedicatedMasterCount": "3"
},
"EBSOptions": {
"EBSEnabled": true,
"Iops": 0,
"VolumeSize": 20,
"VolumeType": "gp2"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": "0"
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/es-user"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*"
}]
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true"
}
}
}

YAML
ElasticsearchDomain:
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: "test"
ElasticsearchClusterConfig:
DedicatedMasterEnabled: "true"
InstanceCount: "2"
ZoneAwarenessEnabled: "true"
InstanceType: "m3.medium.elasticsearch"
DedicatedMasterType: "m3.medium.elasticsearch"
DedicatedMasterCount: "3"
EBSOptions:
EBSEnabled: true
Iops: 0
VolumeSize: 20
VolumeType: "gp2"
SnapshotOptions:
AutomatedSnapshotStartHour: "0"
AccessPolicies:

API Version 2010-05-15
1100

AWS CloudFormation User Guide
AWS::Elasticsearch::Domain
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
AWS: "arn:aws:iam::123456789012:user/es-user"
Action: "es:*"
Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*"
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"

The following example creates a domain with VPC options.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "ElasticsearchDomain resource",
"Parameters": {
"DomainName" : {
"Description" : "User defined Elasticsearch Domain name",
"Type" : "String"
},
"ElasticsearchVersion" : {
"Description" : "User defined Elasticsearch Version",
"Type" : "String"
},
"InstanceType" : {
"Type" : "String"
},
"AvailabilityZone" : {
"Type" : "String"
},
"CidrBlock" : {
"Type" : "String"
},
"GroupDescription" : {
"Type" : "String"
},
"SGName" : {
"Type" : "String"
}
},
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": { "Ref": "DomainName" },
"ElasticsearchVersion": { "Ref": "ElasticsearchVersion" },
"ElasticsearchClusterConfig": {
"InstanceCount": "1",
"InstanceType": { "Ref": "InstanceType" }
},
"EBSOptions": {
"EBSEnabled" : "true",
"Iops" : 0,
"VolumeSize" : 10,
"VolumeType" : "standard"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": "0"
},
"AccessPolicies": {
"Version": "2012-10-17",

API Version 2010-05-15
1101

AWS CloudFormation User Guide
AWS::Elasticsearch::Domain
"Statement": [{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "*"
}]

},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true"
},
"Tags": [{
"Key": "foo",
"Value": "bar"
}],
"VPCOptions" : {
"SubnetIds" : [
{"Ref" : "subnet"}
],
"SecurityGroupIds" : [
{"Ref" : "mySecurityGroup"}
]
}

}
},
"vpc" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : "10.0.0.0/16"
}
},
"subnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : {"Ref": "vpc"},
"CidrBlock" : {"Ref" : "CidrBlock"},
"AvailabilityZone" : {"Ref" : "AvailabilityZone"}
}
},
"mySecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": {"Ref" : "GroupDescription"},
"VpcId" : {"Ref" : "vpc"},
"GroupName": {"Ref" : "SGName"},
"SecurityGroupIngress": [
{
"FromPort": "443",
"IpProtocol": "tcp",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
}
]
}
}

},
"Outputs": {
"DomainArn": {
"Value": {
"Fn::GetAtt": ["ElasticsearchDomain", "DomainArn"]
}
},
"DomainEndpoint": {
"Value": {
"Fn::GetAtt": ["ElasticsearchDomain", "DomainEndpoint"]

API Version 2010-05-15
1102

AWS CloudFormation User Guide
AWS::Elasticsearch::Domain

}

}

}
},
"SecurityGroupId": {
"Value": {
"Ref": "mySecurityGroup"
}
},
"SubnetId": {
"Value": {
"Ref": "subnet"
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: ElasticsearchDomain resource
Parameters:
DomainName:
Description: User defined Elasticsearch Domain name
Type: String
ElasticsearchVersion:
Description: User defined Elasticsearch Version
Type: String
InstanceType:
Type: String
AvailabilityZone:
Type: String
CidrBlock:
Type: String
GroupDescription:
Type: String
SGName:
Type: String
Resources:
ElasticsearchDomain:
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: !Ref DomainName
ElasticsearchVersion: !Ref ElasticsearchVersion
ElasticsearchClusterConfig:
InstanceCount: '1'
InstanceType: !Ref InstanceType
EBSOptions:
EBSEnabled: 'true'
Iops: 0
VolumeSize: 10
VolumeType: standard
SnapshotOptions:
AutomatedSnapshotStartHour: '0'
AccessPolicies:
Version: 2012-10-17
Statement:
- Effect: Deny
Principal:
AWS: '*'
Action: 'es:*'
Resource: '*'
AdvancedOptions:
rest.action.multi.allow_explicit_index: 'true'
Tags:
- Key: foo

API Version 2010-05-15
1103

AWS CloudFormation User Guide
AWS::EMR::Cluster
Value: bar
VPCOptions:
SubnetIds:
- !Ref subnet
SecurityGroupIds:
- !Ref mySecurityGroup

vpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
subnet:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref vpc
CidrBlock: !Ref CidrBlock
AvailabilityZone: !Ref AvailabilityZone
mySecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: !Ref GroupDescription
VpcId: !Ref vpc
GroupName: !Ref SGName
SecurityGroupIngress:
- FromPort: '443'
IpProtocol: tcp
ToPort: '443'
CidrIp: 0.0.0.0/0
Outputs:
DomainArn:
Value: !GetAtt ElasticsearchDomain.DomainArn
DomainEndpoint:
Value: !GetAtt ElasticsearchDomain.DomainEndpoint
SecurityGroupId:
Value: !Ref mySecurityGroup
SubnetId:
Value: !Ref subnet

AWS::EMR::Cluster
The AWS::EMR::Cluster resource creates an Amazon EMR cluster. This cluster is a collection of EC2
instances that you can run big data frameworks on to process and analyze vast amounts of data. For
more information, see Plan an Amazon EMR Cluster in the Amazon EMR Management Guide.
Topics
• Syntax (p. 1104)
• Properties (p. 1105)
• Return Values (p. 1109)
• Examples (p. 1109)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::EMR::Cluster",
"Properties" : {
"AdditionalInfo" : JSON object,

API Version 2010-05-15
1104

AWS CloudFormation User Guide
AWS::EMR::Cluster

}

}

"Applications" : [ Applications, ... ],
"AutoScalingRole" : String,
"BootstrapActions" [ Bootstrap Actions, ... ],
"Configurations" : [ Configurations, ... ],
"CustomAmiId" : String,
"EbsRootVolumeSize" : Integer,
"Instances" : JobFlowInstancesConfig,
"JobFlowRole" : String,
"KerberosAttributes" : Amazon EMR Cluster
KerberosAttributes,
"LogUri" : String,
"Name" : String,
"ReleaseLabel" : String,
"ScaleDownBehavior" : String,
"SecurityConfiguration" : String,
"ServiceRole" : String,
"Tags" : [ Resource Tag, ... ],
"VisibleToAllUsers" : Boolean

YAML
Type: AWS::EMR::Cluster
Properties:
AdditionalInfo: JSON object
Applications:
- Applications
AutoScalingRole: String
BootstrapActions:
- Bootstrap Actions
Configurations:
- Configurations
CustomAmiId: String
EbsRootVolumeSize: Integer
Instances:
JobFlowInstancesConfig
JobFlowRole: String
KerberosAttributes" :
Amazon EMR Cluster
KerberosAttributes
LogUri: String
Name: String
ReleaseLabel: String
ScaleDownBehavior: String
SecurityConfiguration: String
ServiceRole: String
Tags:
- Resource Tag
VisibleToAllUsers: Boolean

Properties
Note

For more information about the constraints and valid values of each property, see the Cluster
data type in the Amazon EMR API Reference.
AdditionalInfo
(Intended for advanced uses only.) Additional features that you want to select. This is meta
information about third-party applications that third-party vendors use for testing purposes.
Required: No
API Version 2010-05-15
1105

AWS CloudFormation User Guide
AWS::EMR::Cluster

Type: JSON object
Update requires: Replacement (p. 119)
Applications
The software applications to deploy on the cluster, and the arguments that Amazon EMR passes to
those applications.
Required: No
Type: List of Amazon EMR Cluster Application (p. 1928) property types
Update requires: Replacement (p. 119)
AutoScalingRole
An AWS Identity and Access Management (IAM) role for automatic scaling policies. The default role
is EMR_AutoScaling_DefaultRole. The IAM role provides permissions that the automatic scaling
feature requires to launch and terminate Amazon EC2 instances in an instance group.
Required: No
Type: String
Update requires: Replacement (p. 119)
BootstrapActions
A list of bootstrap actions that Amazon EMR runs before starting applications on the cluster.
Required: No
Type: List of Amazon EMR Cluster BootstrapActionConﬁg (p. 1930) property types
Update requires: Replacement (p. 119)
Configurations
The software conﬁguration of the Amazon EMR cluster.
Required: No
Type: List of Amazon EMR Cluster Conﬁgurations (p. 1933) property types
Update requires: Replacement (p. 119)
CustomAmiId
A custom Amazon Linux AMI for the cluster (instead of an EMR-owned AMI). For more information,
see Using a Custom AMI in the Amazon EMR Management Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)
Example: "CustomAmiId" : "ami-7fb3bc69"
EbsRootVolumeSize
The size, in GiB, of the EBS root device volume of the Linux AMI that's used for each EC2 instance.
Currently, AWS CloudFormation supports only Amazon EMR 4.0 and later software releases.
API Version 2010-05-15
1106

AWS CloudFormation User Guide
AWS::EMR::Cluster

Required: No
Type: Integer
Update requires: Replacement (p. 119)
Instances
Conﬁgures the EC2 instances that run jobs in the Amazon EMR cluster.
Required: Yes
Type: Amazon EMR Cluster JobFlowInstancesConﬁg (p. 1939)
Update requires: Some interruptions (p. 119)
JobFlowRole
(Also called instance proﬁle and EC2 role.) Accepts an instance proﬁle that's associated with the role
that you want to use. All EC2 instances in the cluster assume this role. For more information, see
Create and Use IAM Roles for Amazon EMR in the Amazon EMR Management Guide.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
KerberosAttributes
Attributes for Kerberos conﬁguration when Kerberos authentication is enabled using a security
conﬁguration.
Required: No
Type: Amazon EMR Cluster KerberosAttributes (p. 1950)
Update requires: Replacement (p. 119)
LogUri
An S3 bucket location that Amazon EMR writes logs ﬁles to from a job ﬂow. If you don't specify a
value, Amazon EMR doesn't write any log ﬁles.
Required: No
Type: String
Update requires: Replacement (p. 119)
Name
A name for the Amazon EMR cluster.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ReleaseLabel
The Amazon EMR software release label. A release is a set of software applications and components
that you can install and conﬁgure on an Amazon EMR cluster. For more information, see About
Amazon EMR Releases in the Amazon EMR Release Guide.
API Version 2010-05-15
1107

AWS CloudFormation User Guide
AWS::EMR::Cluster

Currently, AWS CloudFormation supports only Amazon EMR 4.0 and later software releases.
Required: Conditional. If you specify the Applications property, you must specify this property.
Type: String
Update requires: Replacement (p. 119)
ScaleDownBehavior
Indicates how individual EC2 instances terminate when an automatic scale-in activity occurs or an
instance group is resized. For more information, see Cluster in the Amazon EMR API Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)
SecurityConfiguration
The name of the security conﬁguration that's applied to the cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)
ServiceRole
The IAM role that Amazon EMR assumes to access AWS resources on your behalf. For more
information, see Conﬁgure IAM Roles for Amazon EMR in the Amazon EMR Management Guide.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Tags
An arbitrary set of tags (key–value pairs) to help you identify the Amazon EMR cluster.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
VisibleToAllUsers
Indicates whether the instances in the cluster are visible to all IAM users in the AWS account. If you
specify true, all IAM users can view and (if they have permissions) manage the instances. If you
specify false, only the IAM user that created the cluster can view and manage it.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Default value: false
API Version 2010-05-15
1108

AWS CloudFormation User Guide
AWS::EMR::Cluster

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the cluster ID,
such as j-1ABCD123AB1A.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
MasterPublicDNS
The public DNS name of the master node (instance), such as ec2-12-123-123-123.uswest-2.compute.amazonaws.com.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Create a Cluster with Two Core Nodes
The following example creates an Amazon EMR cluster with one master node and two core nodes. The
speciﬁed IAM roles are the default roles provided by Amazon EMR. The example also assumes that
the cluster is launched in an AWS Region with a default VPC and subnet. If you don't have these, use
the Ec2SubnetId (p. 1939) property to specify the VPC and subnet for the cluster. Otherwise, AWS
CloudFormation can't launch the cluster and returns the following status message: ElasticMapReduce
Cluster failed to stabilize.

JSON
"TestCluster": {
"Type": "AWS::EMR::Cluster",
"Properties": {
"Instances": {
"MasterInstanceGroup": {
"InstanceCount": 1,
"InstanceType": "m3.xlarge",
"Market": "ON_DEMAND",
"Name": "Master"
},
"CoreInstanceGroup": {
"InstanceCount": 2,
"InstanceType": "m3.xlarge",
"Market": "ON_DEMAND",
"Name": "Core"
},
"TerminationProtected" : true
},
"Name": "TestCluster",
"JobFlowRole": "EMR_EC2_DefaultRole",
"ServiceRole": "EMR_DefaultRole",
"ReleaseLabel": "emr-4.2.0",
"Tags": [
{
"Key": "IsTest",
"Value": "True"

API Version 2010-05-15
1109

AWS CloudFormation User Guide
AWS::EMR::Cluster

}

}

]

}

YAML
TestCluster:
Type: AWS::EMR::Cluster
Properties:
Instances:
MasterInstanceGroup:
InstanceCount: 1
InstanceType: "m3.xlarge"
Market: "ON_DEMAND"
Name: "Master"
CoreInstanceGroup:
InstanceCount: 2
InstanceType: "m3.xlarge"
Market: "ON_DEMAND"
Name: "Core"
TerminationProtected: true
Name: "TestCluster"
JobFlowRole: "EMR_EC2_DefaultRole"
ServiceRole: "EMR_DefaultRole"
ReleaseLabel: "emr-4.2.0"
Tags:
Key: "IsTest"
Value: "True"

Create a Cluster with a Bootstrap Action
The following example creates an Amazon EMR cluster with a bootstrap action.

JSON
"TestCluster": {
"Type": "AWS::EMR::Cluster",
"Properties": {
"BootstrapActions": [{
"Name": "SomeBootStrapAction",
"ScriptBootstrapAction": {
"Path": "/path/to/s3"
}
}],
"Instances": {
"MasterInstanceGroup": {
"InstanceCount": 1,
"InstanceType": "m3.xlarge",
"Market": "ON_DEMAND",
"Name": "Master"
},
"CoreInstanceGroup": {
"InstanceCount": 2,
"InstanceType": "m3.xlarge",
"Market": "ON_DEMAND",
"Name": "Core"
},
"TerminationProtected": true
},
"Name": "TestCluster",
"JobFlowRole": "EMR_EC2_DefaultRole",

API Version 2010-05-15
1110

AWS CloudFormation User Guide
AWS::EMR::Cluster

}

}

"ScaleDownBehavior": "TERMINATE_AT_TASK_COMPLETION",
"ServiceRole": "EMR_DefaultRole",
"ReleaseLabel": "emr-4.2.0",
"Tags": [
{
"Key": "IsTest",
"Value": "True"
}
]

YAML
TestCluster:
Type: AWS::EMR::Cluster
Properties:
BootstrapActions:
Name: "SomeBootStrapAction"
ScriptBootstrapAction:
Path: "/path/to/s3"
Instances:
MasterInstanceGroup:
InstanceCount: 1
InstanceType: "m3.xlarge"
Market: "ON_DEMAND"
Name: "Master"
CoreInstanceGroup:
InstanceCount: 2
InstanceType: "m3.xlarge"
Market: "ON_DEMAND"
Name: "Core"
TerminationProtected: true
Name: "TestCluster"
JobFlowRole: "EMR_EC2_DefaultRole"
ScaleDownBehavior: "TERMINATE_AT_TASK_COMPLETION"
ServiceRole: "EMR_DefaultRole"
ReleaseLabel: "emr-4.2.0"
Tags:
Key: "IsTest"
Value: "True"

Create a Cluster with a Custom AMI
The following example template a custom Amazon Linux AMI when creating an Amazon EMR cluster.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"CustomAmiId" : {
"Type" : "String"
},
"InstanceType" : {
"Type" : "String"
},
"ReleaseLabel" : {
"Type" : "String"
},
"SubnetId" : {

API Version 2010-05-15
1111

AWS CloudFormation User Guide
AWS::EMR::Cluster
"Type" : "String"
},
"TerminationProtected" : {
"Type" : "String",
"Default" : "false"
},
"ElasticMapReducePrincipal" : {
"Type" : "String"
},
"Ec2Principal" : {
"Type" : "String"
}

},
"Resources": {
"cluster": {
"Type": "AWS::EMR::Cluster",
"Properties": {
"CustomAmiId" : {"Ref" : "CustomAmiId"},
"Instances": {
"MasterInstanceGroup": {
"InstanceCount": 1,
"InstanceType": {"Ref" : "InstanceType"},
"Market": "ON_DEMAND",
"Name": "cfnMaster"
},
"CoreInstanceGroup": {
"InstanceCount": 1,
"InstanceType": {"Ref" : "InstanceType"},
"Market": "ON_DEMAND",
"Name": "cfnCore"
},
"TerminationProtected" : {"Ref" : "TerminationProtected"},
"Ec2SubnetId" : {"Ref" : "SubnetId"}
},
"Name": "CFNtest",
"JobFlowRole" : {"Ref": "emrEc2InstanceProfile"},
"ServiceRole" : {"Ref": "emrRole"},
"ReleaseLabel" : {"Ref" : "ReleaseLabel"},
"VisibleToAllUsers" : true,
"Tags": [
{
"Key": "key1",
"Value": "value1"
}
]
}
},
"emrRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": {"Ref" : "ElasticMapReducePrincipal"}
},
"Action": "sts:AssumeRole"
}
]
},
"Path": "/",
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/
AmazonElasticMapReduceRole"]

API Version 2010-05-15
1112

AWS CloudFormation User Guide
AWS::EMR::Cluster
}
},
"emrEc2Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": {"Ref" : "Ec2Principal"}
},
"Action": "sts:AssumeRole"
}
]
},
"Path": "/",
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/
AmazonElasticMapReduceforEC2Role"]
}
},
"emrEc2InstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "emrEc2Role"
} ]
}
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Parameters:
CustomAmiId:
Type: String
InstanceType:
Type: String
ReleaseLabel:
Type: String
SubnetId:
Type: String
TerminationProtected:
Type: String
Default: 'false'
ElasticMapReducePrincipal:
Type: String
Ec2Principal:
Type: String
Resources:
cluster:
Type: AWS::EMR::Cluster
Properties:
CustomAmiId: !Ref CustomAmiId
Instances:
MasterInstanceGroup:
InstanceCount: 1
InstanceType: !Ref InstanceType
Market: ON_DEMAND

API Version 2010-05-15
1113

AWS CloudFormation User Guide
AWS::EMR::Cluster
Name: cfnMaster
CoreInstanceGroup:
InstanceCount: 1
InstanceType: !Ref InstanceType
Market: ON_DEMAND
Name: cfnCore
TerminationProtected: !Ref TerminationProtected
Ec2SubnetId: !Ref SubnetId
Name: CFNtest
JobFlowRole: !Ref emrEc2InstanceProfile
ServiceRole: !Ref emrRole
ReleaseLabel: !Ref ReleaseLabel
VisibleToAllUsers: true
Tags:
- Key: key1
Value: value1
emrRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: !Ref ElasticMapReducePrincipal
Action: 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole'
emrEc2Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: !Ref Ec2Principal
Action: 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role'
emrEc2InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref emrEc2Role

Specify Root Volume Size
The following example template enables you to specify the size of the EBS root volume for an Amazon
EMR cluster.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"InstanceType" : {
"Type" : "String"
},

API Version 2010-05-15
1114

AWS CloudFormation User Guide
AWS::EMR::Cluster
"ReleaseLabel" : {
"Type" : "String"
},
"SubnetId" : {
"Type" : "String"
},
"TerminationProtected" : {
"Type" : "String",
"Default" : "false"
},
"EbsRootVolumeSize" : {
"Type" : "String"
}

},
"Resources": {
"cluster": {
"Type": "AWS::EMR::Cluster",
"Properties": {
"EbsRootVolumeSize" : {"Ref" : "EbsRootVolumeSize"},
"Instances": {
"MasterInstanceGroup": {
"InstanceCount": 1,
"InstanceType": {"Ref" : "InstanceType"},
"Market": "ON_DEMAND",
"Name": "cfnMaster"
},
"CoreInstanceGroup": {
"InstanceCount": 1,
"InstanceType": {"Ref" : "InstanceType"},
"Market": "ON_DEMAND",
"Name": "cfnCore"
},
"TerminationProtected" : {"Ref" : "TerminationProtected"},
"Ec2SubnetId" : {"Ref" : "SubnetId"}
},
"Name": "CFNtest",
"JobFlowRole" : {"Ref": "emrEc2InstanceProfile"},
"ServiceRole" : {"Ref": "emrRole"},
"ReleaseLabel" : {"Ref" : "ReleaseLabel"},
"VisibleToAllUsers" : true,
"Tags": [
{
"Key": "key1",
"Value": "value1"
}
]
}
},
"emrRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "elasticmapreduce.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Path": "/",

API Version 2010-05-15
1115

AWS CloudFormation User Guide
AWS::EMR::Cluster
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/
AmazonElasticMapReduceRole"]
}
},
"emrEc2Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Path": "/",
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/
AmazonElasticMapReduceforEC2Role"]
}
},
"emrEc2InstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "emrEc2Role"
} ]
}
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Parameters:
InstanceType:
Type: String
ReleaseLabel:
Type: String
SubnetId:
Type: String
TerminationProtected:
Type: String
Default: 'false'
EbsRootVolumeSize:
Type: String
Resources:
cluster:
Type: AWS::EMR::Cluster
Properties:
EbsRootVolumeSize: !Ref EbsRootVolumeSize
Instances:
MasterInstanceGroup:
InstanceCount: 1
InstanceType: !Ref InstanceType
Market: ON_DEMAND
Name: cfnMaster
CoreInstanceGroup:

API Version 2010-05-15
1116

AWS CloudFormation User Guide
AWS::EMR::Cluster
InstanceCount: 1
InstanceType: !Ref InstanceType
Market: ON_DEMAND
Name: cfnCore
TerminationProtected: !Ref TerminationProtected
Ec2SubnetId: !Ref SubnetId
Name: CFNtest
JobFlowRole: !Ref emrEc2InstanceProfile
ServiceRole: !Ref emrRole
ReleaseLabel: !Ref ReleaseLabel
VisibleToAllUsers: true
Tags:
- Key: key1
Value: value1
emrRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: elasticmapreduce.amazonaws.com
Action: 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole'
emrEc2Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role'
emrEc2InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref emrEc2Role

Create a Cluster with Kerberos Authentication
The following example template enables you to specify the Kerberos authentication conﬁguration for an
Amazon EMR cluster.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"CrossRealmTrustPrincipalPassword" : {
"Type" : "String"
},
"KdcAdminPassword" : {
"Type" : "String"

API Version 2010-05-15
1117

AWS CloudFormation User Guide
AWS::EMR::Cluster
},
"Realm" : {
"Type" : "String"
},
"InstanceType" : {
"Type" : "String"
},
"ReleaseLabel" : {
"Type" : "String"
},
"SubnetId" : {
"Type" : "String"
}

},
"Resources": {
"cluster": {
"Type": "AWS::EMR::Cluster",
"Properties": {
"Instances": {
"MasterInstanceGroup": {
"InstanceCount": 1,
"InstanceType": {"Ref" : "InstanceType"},
"Market": "ON_DEMAND",
"Name": "cfnMaster"
},
"CoreInstanceGroup": {
"InstanceCount": 1,
"InstanceType": {"Ref" : "InstanceType"},
"Market": "ON_DEMAND",
"Name": "cfnCore"
},
"Ec2SubnetId" : {"Ref" : "SubnetId"}
},
"Name": "CFNtest2",
"JobFlowRole" : {"Ref": "emrEc2InstanceProfile"},
"KerberosAttributes" : {
"CrossRealmTrustPrincipalPassword" : "CfnIntegrationTest-1",
"KdcAdminPassword" : "CfnIntegrationTest-1",
"Realm": "EC2.INTERNAL"
},
"ServiceRole" : {"Ref": "emrRole"},
"ReleaseLabel" : {"Ref" : "ReleaseLabel"},
"SecurityConfiguration" : {"Ref" : "securityConfiguration"},
"VisibleToAllUsers" : true,
"Tags": [
{
"Key": "key1",
"Value": "value1"
}
]
}
},
"key" : {
"Type" : "AWS::KMS::Key",
"Properties" : {
"KeyPolicy" : {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": { "Fn::GetAtt" : ["emrEc2Role", "Arn"]}
},
"Action": "kms:*",

API Version 2010-05-15
1118

AWS CloudFormation User Guide
AWS::EMR::Cluster
"Resource": "*"

},
{

"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": { "Fn::Join" : ["" , ["arn:aws:iam::", {"Ref" :
"AWS::AccountId"} ,":root" ]] }
},
"Action": "kms:*",
"Resource": "*"
}
]
}
}
},
"securityConfiguration": {
"Type" : "AWS::EMR::SecurityConfiguration",
"Properties" : {
"SecurityConfiguration" : {
"AuthenticationConfiguration": {
"KerberosConfiguration": {
"Provider": "ClusterDedicatedKdc",
"ClusterDedicatedKdcConfiguration": {
"TicketLifetimeInHours": 24,
"CrossRealmTrustConfiguration": {
"Realm": "AD.DOMAIN.COM",
"Domain": "ad.domain.com",
"AdminServer": "ad.domain.com",
"KdcServer": "ad.domain.com"
}
}
}
}
}
}
},
"emrRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "elasticmapreduce.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Path": "/",
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/
AmazonElasticMapReduceRole"]
}
},
"emrEc2Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",

API Version 2010-05-15
1119

AWS CloudFormation User Guide
AWS::EMR::Cluster

]

}

"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"

},
"Path": "/",
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/
AmazonElasticMapReduceforEC2Role"]
}
},
"emrEc2InstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "emrEc2Role"
} ]
}
}
},
"Outputs" : {
"keyArn" : {
"Value" : {"Fn::GetAtt" : ["key", "Arn"]}
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Parameters:
CrossRealmTrustPrincipalPassword:
Type: String
KdcAdminPassword:
Type: String
Realm:
Type: String
InstanceType:
Type: String
ReleaseLabel:
Type: String
SubnetId:
Type: String
Resources:
cluster:
Type: 'AWS::EMR::Cluster'
Properties:
Instances:
MasterInstanceGroup:
InstanceCount: 1
InstanceType: !Ref InstanceType
Market: ON_DEMAND
Name: cfnMaster
CoreInstanceGroup:
InstanceCount: 1
InstanceType: !Ref InstanceType
Market: ON_DEMAND
Name: cfnCore
Ec2SubnetId: !Ref SubnetId
Name: CFNtest2
JobFlowRole: !Ref emrEc2InstanceProfile

API Version 2010-05-15
1120

AWS CloudFormation User Guide
AWS::EMR::Cluster
KerberosAttributes:
CrossRealmTrustPrincipalPassword: CfnIntegrationTest-1
KdcAdminPassword: CfnIntegrationTest-1
Realm: EC2.INTERNAL
ServiceRole: !Ref emrRole
ReleaseLabel: !Ref ReleaseLabel
SecurityConfiguration: !Ref securityConfiguration
VisibleToAllUsers: true
Tags:
- Key: key1
Value: value1

key:
Type: 'AWS::KMS::Key'
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !GetAtt
- emrEc2Role
- Arn
Action: 'kms:*'
Resource: '*'
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Join
- ''
- - 'arn:aws:iam::'
- !Ref 'AWS::AccountId'
- ':root'
Action: 'kms:*'
Resource: '*'
securityConfiguration:
Type: 'AWS::EMR::SecurityConfiguration'
Properties:
SecurityConfiguration:
AuthenticationConfiguration:
KerberosConfiguration:
Provider: ClusterDedicatedKdc
ClusterDedicatedKdcConfiguration:
TicketLifetimeInHours: 24
CrossRealmTrustConfiguration:
Realm: AD.DOMAIN.COM
Domain: ad.domain.com
AdminServer: ad.domain.com
KdcServer: ad.domain.com
emrRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: elasticmapreduce.amazonaws.com
Action: 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole'
emrEc2Role:
Type: 'AWS::IAM::Role'

API Version 2010-05-15
1121

AWS CloudFormation User Guide
AWS::EMR::InstanceFleetConﬁg
Properties:
AssumeRolePolicyDocument:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role'
emrEc2InstanceProfile:
Type: 'AWS::IAM::InstanceProfile'
Properties:
Path: /
Roles:
- !Ref emrEc2Role
Outputs:
keyArn:
Value: !GetAtt
- key
- Arn

AWS::EMR::InstanceFleetConﬁg
Use the AWS::EMR::InstanceFleetConfig resource to conﬁgure a Spot Instance ﬂeet for an Amazon
EMR cluster. For more information, see Conﬁgure Instance Fleets in the Amazon EMR Management Guide.

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.
Topics
• Syntax (p. 1122)
• Properties (p. 1123)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EMR::InstanceFleetConfig",
"Properties" : {
"ClusterId" : String,
"InstanceFleetType" : String,
"InstanceTypeConfigs" : [ InstanceTypeConfig (p. 1958), ... ],
"LaunchSpecifications" : InstanceFleetProvisioningSpecifications (p. 1957),
"Name" : String,
"TargetOnDemandCapacity" : Integer,
"TargetSpotCapacity" : Integer
}

YAML
Type: AWS::EMR::InstanceFleetConfig

API Version 2010-05-15
1122

AWS CloudFormation User Guide
AWS::EMR::InstanceFleetConﬁg
Properties:
ClusterId: String
InstanceFleetType: String
InstanceTypeConfigs:
- InstanceTypeConfig (p. 1958)
LaunchSpecifications:
InstanceFleetProvisioningSpecifications (p. 1957)
Name: String
TargetOnDemandCapacity: Integer
TargetSpotCapacity: Integer

Properties
For more information about each property, including constraints and valid values, see
InstanceFleetConﬁg in the Amazon EMR API Reference.
ClusterId
The ID of the target cluster.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
InstanceFleetType
The node type that the instance ﬂeet hosts. Valid values are MASTER, CORE, and TASK.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
InstanceTypeConfigs
The instance type conﬁgurations that deﬁne the EC2 instances in the instance ﬂeet. Duplicates not
allowed.
Required: No
Type: List of Amazon EMR InstanceFleetConﬁg InstanceTypeConﬁg (p. 1958)
Update requires: Replacement (p. 119)
LaunchSpecifications
The launch speciﬁcation for the instance ﬂeet.
Required: No
Type: Amazon EMR InstanceFleetConﬁg InstanceFleetProvisioningSpeciﬁcations (p. 1957)
Update requires: Replacement (p. 119)
Name
The friendly name of the instance ﬂeet. For constraints, see InstanceFleetConﬁg in the Amazon EMR
API Reference.
Required: No
Type: String
API Version 2010-05-15
1123

AWS CloudFormation User Guide
AWS::EMR::InstanceGroupConﬁg

Update requires: Replacement (p. 119)
TargetOnDemandCapacity
The target capacity of On-Demand units for the instance ﬂeet. This determines how many OnDemand Instances to provision. For more information, see InstanceFleetConﬁg in the Amazon EMR
API Reference.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
TargetSpotCapacity
The target capacity of Spot units for the instance ﬂeet. This determines how many Spot Instances to
provision. For more information, see InstanceFleetConﬁg in the Amazon EMR API Reference.
Required: No
Type: Integer
Update requires: No interruption (p. 118)

AWS::EMR::InstanceGroupConﬁg
The AWS::EMR::InstanceGroupConfig resource conﬁgures a task instance group for an Amazon EMR
cluster.

Note

You can't delete an instance group. If you remove an instance group, AWS CloudFormation sets
the instance count to zero (0).
Topics
• Syntax (p. 1124)
• Properties (p. 1125)
• Return Values (p. 1127)
• Example (p. 1127)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::EMR::InstanceGroupConfig",
"Properties" : {
"AutoScalingPolicy" : AutoScalingPolicy,
"BidPrice" : String,
"Configurations" : [ Configuration, ... ],
"EbsConfiguration" : EBSConfiguration,
"InstanceCount" : Integer,
"InstanceRole" : String,
"InstanceType" : String,
"JobFlowId": String,
"Market" : String,
"Name" : String
}

API Version 2010-05-15
1124

AWS CloudFormation User Guide
AWS::EMR::InstanceGroupConﬁg
}

YAML
Type: AWS::EMR::InstanceGroupConfig
Properties:
AutoScalingPolicy:
AutoScalingPolicy
BidPrice: String
Configurations:
- Configuration
EbsConfiguration" :
EBSConfiguration
InstanceCount" : Integer
InstanceRole" : String
InstanceType" : String
JobFlowId": String
Market" : String
Name" : String

Properties
Note

For more information about the constraints and valid values of each property, see the
InstanceGroupConﬁg in the Amazon EMR API Reference.
AutoScalingPolicy
An automatic scaling policy for a core instance group or task instance group in an Amazon
EMR cluster. An automatic scaling policy deﬁnes how an instance group dynamically adds and
terminates EC2 instances in response to the value of a CloudWatch metric. For more information, see
PutAutoScalingPolicy in the Amazon EMR API Reference.
Required: No
Type: Amazon EMR InstanceGroupConﬁg AutoScalingPolicy (p. 1962)
Update requires: No interruption (p. 118)
BidPrice
The bid price in USD for each Amazon EC2 instance in the instance group when launching instances
(nodes) as Spot Instances.
Required: No
Type: String
Update requires: Replacement (p. 119)
Configurations
A list of conﬁgurations to apply to this instance group. For more information see, Conﬁguring
Applications in the Amazon EMR Release Guide.
Required: No
Type: List of Amazon EMR Cluster Conﬁgurations (p. 1933)
Update requires: Replacement (p. 119)
EbsConfiguration
Conﬁgures Amazon Elastic Block Store (Amazon EBS) storage volumes to attach to your instances.
API Version 2010-05-15
1125

AWS CloudFormation User Guide
AWS::EMR::InstanceGroupConﬁg

Required: No
Type: Amazon EMR EbsConﬁguration (p. 1952)
Update requires: Replacement (p. 119)
InstanceCount
The number of instances to launch in the instance group.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
InstanceRole
The role of the servers in the Amazon EMR cluster, such as TASK. For more information, see Instance
Groups in the Amazon EMR Management Guide.

Note

Currently, the only valid value is TASK. You conﬁgure the master and core instance groups
as part of the AWS::EMR::Cluster (p. 1104) resource.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
InstanceType
The EC2 instance type for all instances in the instance group. For more information, see Instance
Conﬁgurations in the Amazon EMR Management Guide.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
JobFlowId
The ID of an Amazon EMR cluster that you want to associate this instance group with.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Market
The type of marketplace from which your instances are provisioned into this group, either
ON_DEMAND or SPOT. For more information, see Amazon EC2 Purchasing Options.
Required: No
Type: String
Update requires: Replacement (p. 119)
Name
A name for the instance group.
Required: No
API Version 2010-05-15
1126

AWS CloudFormation User Guide
AWS::EMR::SecurityConﬁguration

Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the instance
group ID, such as ig-ABC12DEF3456.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example adds a task instance group to the TestCluster cluster. The instance group
contains two m3.xlarge instances.

JSON
"TestInstanceGroupConfig": {
"Type": "AWS::EMR::InstanceGroupConfig",
"Properties": {
"InstanceCount": 2,
"InstanceType": "m3.xlarge",
"InstanceRole": "TASK",
"Market": "ON_DEMAND",
"Name": "cfnTask2",
"JobFlowId": {
"Ref": "cluster"
}
}
}

YAML
TestInstanceGroupConfig:
Type: AWS::EMR::InstanceGroupConfig
Properties:
InstanceCount: 2
InstanceType: "m3.xlarge"
InstanceRole: "TASK"
Market: "ON_DEMAND"
Name: "cfnTask2"
JobFlowId:
Ref: "cluster"

AWS::EMR::SecurityConﬁguration
The AWS::EMR::SecurityConfiguration resource creates a security conﬁguration that is stored in
the Amazon EMR web service. You can specify the security conﬁguration when creating a cluster. For
more information, see Specifying Amazon EMR Encryption Options Using a Security Conﬁguration in the
Amazon EMR Release Guide.
Topics
• Syntax (p. 1128)
• Properties (p. 1128)
API Version 2010-05-15
1127

AWS CloudFormation User Guide
AWS::EMR::SecurityConﬁguration

• Return Values (p. 1128)
• Example (p. 1129)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::EMR::SecurityConfiguration",
"Properties" : {
"Name" : String,
"SecurityConfiguration" : String
}

YAML
Type: AWS::EMR::SecurityConfiguration
Properties:
Name: String
SecurityConfiguration: String

Properties
For more information about each property, including constraints and valid values, see
CreateSecurityConﬁguration in the Amazon EMR API Reference.
Name
The name of the security conﬁguration. For a list of valid parameters for encryption settings, see
AWS CLI Security Conﬁguration JSON Reference in the Amazon EMR Release Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)
SecurityConfiguration
The security conﬁguration details in JSON format.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the security
conﬁguration name, such as mySecurityConfiguration.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
1128

AWS CloudFormation User Guide
AWS::EMR::SecurityConﬁguration

Example
The following example enables both in-transit data encryption and local disk encryption, as well as
specifying Kerberos attributes. For additional encryption conﬁguration examples, see Creating a Security
Conﬁguration Using the AWS CLI in the Amazon EMR Release Guide.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"securityConfiguration": {
"Type": "AWS::EMR::SecurityConfiguration",
"Properties": {
"SecurityConfiguration": {
"EncryptionConfiguration": {
"EnableInTransitEncryption": true,
"EnableAtRestEncryption": true,
"InTransitEncryptionConfiguration": {
"TLSCertificateConfiguration": {
"CertificateProviderType": "PEM",
"S3Object": "arn:aws:s3:::MyConfigStore/artifacts/
MyCerts.zip"
}
},
"AtRestEncryptionConfiguration": {
"S3EncryptionConfiguration": {
"EncryptionMode": "SSE-KMS",
"AwsKmsKey": "arn:aws:kms:useast-1:123456789012:key/12345678-1234-1234-1234-123456789012"
},
"LocalDiskEncryptionConfiguration": {
"EncryptionKeyProviderType": "AwsKms",
"AwsKmsKey": "arn:aws:kms:useast-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
}
},
"AuthenticationConfiguration": {
"KerberosConfiguration": {
"Provider": "ClusterDedicatedKdc",
"ClusterDedicatedKdcConfiguration": {
"TicketLifetimeInHours": 24,
"CrossRealmTrustConfiguration": {
"Realm": "AD.DOMAIN.COM",
"Domain": "ad.domain.com",
"AdminServer": "ad.domain.com",
"KdcServer": "ad.domain.com"
}
}
}
}
}
}
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:

API Version 2010-05-15
1129

AWS CloudFormation User Guide
AWS::EMR::Step
securityConfiguration:
Type: AWS::EMR::SecurityConfiguration
Properties:
SecurityConfiguration:
EncryptionConfiguration:
EnableInTransitEncryption: true
EnableAtRestEncryption: true
InTransitEncryptionConfiguration:
TLSCertificateConfiguration:
CertificateProviderType: PEM
S3Object: 'arn:aws:s3:::MyConfigStore/artifacts/MyCerts.zip'
AtRestEncryptionConfiguration:
S3EncryptionConfiguration:
EncryptionMode: SSE-KMS
AwsKmsKey: >arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
LocalDiskEncryptionConfiguration:
EncryptionKeyProviderType: AwsKms
AwsKmsKey: >arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
AuthenticationConfiguration:
KerberosConfiguration:
Provider: ClusterDedicatedKdc
ClusterDedicatedKdcConfiguration:
TicketLifetimeInHours: 24
CrossRealmTrustConfiguration:
Realm: AD.DOMAIN.COM
Domain: ad.domain.com
AdminServer: ad.domain.com
KdcServer: ad.domain.com

AWS::EMR::Step
The AWS::EMR::Step resource creates a unit of work (a job ﬂow step) that you submit to an Amazon
EMR (Amazon EMR) cluster. The job ﬂow step contains instructions for processing data on the cluster.

Note

You can't delete work ﬂow steps. During a stack update, if you remove a step, AWS
CloudFormation takes no action.
Topics
• Syntax (p. 1130)
• Properties (p. 1131)
• Return Values (p. 1132)
• Example (p. 1132)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::EMR::Step",
"Properties" : {
"ActionOnFailure" : String,
"HadoopJarStep" : HadoopJarStepConfig,
"JobFlowId" : String,
"Name" : String

API Version 2010-05-15
1130

AWS CloudFormation User Guide
AWS::EMR::Step

}

}

YAML
Type: AWS::EMR::Step
Properties:
ActionOnFailure: String
HadoopJarStep:
HadoopJarStepConfig
JobFlowId: String
Name: String

Properties
ActionOnFailure
The action to take if the job ﬂow step fails. Currently, AWS CloudFormation supports CONTINUE and
CANCEL_AND_WAIT.
• TERMINATE_CLUSTER indicates that all associated cluster resources terminate if the step fails,
and no subsequent steps or jobs are attempted.
• CANCEL_AND_WAIT indicates that the step is canceled, and all subsequent steps and jobs are
attempted.
For more information, see Managing Cluster Termination in the Amazon EMR Management Guide.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
HadoopJarStep
The JAR ﬁle that includes the main function that Amazon EMR executes.
Required: Yes
Type: Amazon EMR Step HadoopJarStepConﬁg (p. 1972)
Update requires: Replacement (p. 119)
JobFlowId
The ID of a cluster in which you want to run this job ﬂow step.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Name
A name for the job ﬂow step.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
1131

AWS CloudFormation User Guide
AWS::Events::Rule

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the step ID,
such as s-1A2BC3D4EFG56.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a step that submits work to the TestCluster cluster. The step runs
the pi program in the hadoop-mapreduce-examples-2.6.0.jar ﬁle with 5 maps and 10 samples,
speciﬁed in the Args property.

JSON
"TestStep": {
"Type": "AWS::EMR::Step",
"Properties": {
"ActionOnFailure": "CONTINUE",
"HadoopJarStep": {
"Args": [
"5",
"10"
],
"Jar": "s3://emr-cfn-test/hadoop-mapreduce-examples-2.6.0.jar",
"MainClass": "pi"
},
"Name": "TestStep",
"JobFlowId": {
"Ref": "TestCluster"
}
}
}

YAML
TestStep:
Type: AWS::EMR::Step
Properties:
ActionOnFailure: "CONTINUE"
HadoopJarStep:
Args:
- "5"
- "10"
Jar: "s3://emr-cfn-test/hadoop-mapreduce-examples-2.6.0.jar"
MainClass: "pi"
Name: "TestStep"
JobFlowId:
Ref: "TestCluster"

AWS::Events::Rule
The AWS::Events::Rule resource creates a rule that matches incoming Amazon CloudWatch
Events (CloudWatch Events) events and routes them to one or more targets for processing. For more
information, see Using CloudWatch Events in the Amazon CloudWatch User Guide.
Topics
API Version 2010-05-15
1132

AWS CloudFormation User Guide
AWS::Events::Rule

• Syntax (p. 1133)
• Properties (p. 1133)
• Return Value (p. 1134)
• Examples (p. 1135)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Events::Rule",
"Properties" : {
"Description" : String,
"EventPattern" : JSON object,
"Name" : String,
"ScheduleExpression" : String,
"State" : String,
"Targets" : [ Target (p. 1722), ... ]
}

YAML
Type: AWS::Events::Rule
Properties:
Description: String
EventPattern: JSON object
Name: String
ScheduleExpression: String
State: String
Targets:
- Target (p. 1722)

Properties
Description
A description of the rule's purpose.
Required: No
Type: String
Update requires: No interruption (p. 118)
EventPattern
Describes which events CloudWatch Events routes to the speciﬁed target. These routed events are
matched events. For more information, see Events and Event Patterns in the Amazon CloudWatch
User Guide.
Required: Conditional. You must specify this property, the ScheduleExpression property, or both.
Type: JSON object
Update requires: No interruption (p. 118)
API Version 2010-05-15
1133

AWS CloudFormation User Guide
AWS::Events::Rule

Name
A name for the rule. If you don't specify a name, AWS CloudFormation generates a unique physical
ID and uses that ID for the rule name. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
ScheduleExpression
The schedule or rate (frequency) that determines when CloudWatch Events runs the rule. For more
information, see Schedule Expression Syntax for Rules in the Amazon CloudWatch User Guide.
Required: Conditional. You must specify this property, the EventPattern property, or both.
Type: String
Update requires: No interruption (p. 118)
State
Indicates whether the rule is enabled. For valid values, see the State parameter for the PutRule
action in the Amazon CloudWatch Events API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
Targets
The resources, such as Lambda functions or Kinesis streams, that CloudWatch Events routes events
to and invokes when the rule is triggered. For information about valid targets, see the PutTargets
action in the Amazon CloudWatch Events API Reference.

Note

Creating rules with built-in targets is supported only in the AWS Management Console.
Required: No
Type: List of Amazon CloudWatch Events Rule Target (p. 1722)
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the event rule
ID, such as mystack-ScheduledRule-ABCDEFGHIJK.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
1134

AWS CloudFormation User Guide
AWS::Events::Rule

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The event rule Amazon Resource Name (ARN), such as arn:aws:events:useast-2:123456789012:rule/example.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Regularly Invoke Lambda Function
The following example creates a rule that invokes the speciﬁed Lambda function every 10 minutes. The
PermissionForEventsToInvokeLambda resource grants CloudWatch Events permission to invoke the
associated function.

JSON
"ScheduledRule": {
"Type": "AWS::Events::Rule",
"Properties": {
"Description": "ScheduledRule",
"ScheduleExpression": "rate(10 minutes)",
"State": "ENABLED",
"Targets": [{
"Arn": { "Fn::GetAtt": ["LambdaFunction", "Arn"] },
"Id": "TargetFunctionV1"
}]
}
},
"PermissionForEventsToInvokeLambda": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"FunctionName": { "Ref": "LambdaFunction" },
"Action": "lambda:InvokeFunction",
"Principal": "events.amazonaws.com",
"SourceArn": { "Fn::GetAtt": ["ScheduledRule", "Arn"] }
}
}

YAML
ScheduledRule:
Type: AWS::Events::Rule
Properties:
Description: "ScheduledRule"
ScheduleExpression: "rate(10 minutes)"
State: "ENABLED"
Targets:
Arn:
Fn::GetAtt:
- "LambdaFunction"
- "Arn"
Id: "TargetFunctionV1"
PermissionForEventsToInvokeLambda:

API Version 2010-05-15
1135

AWS CloudFormation User Guide
AWS::Events::Rule
Type: AWS::Lambda::Permission
Properties:
FunctionName:
Ref: "LambdaFunction"
Action: "lambda:InvokeFunction"
Principal: "events.amazonaws.com"
SourceArn:
Fn::GetAtt:
- "ScheduledRule"
- "Arn"

Invoke Lambda Function in Response to an Event
The following example creates a rule that invokes the speciﬁed Lambda function when any EC2
instance's state changes to stopping.

JSON
"EventRule": {
"Type": "AWS::Events::Rule",
"Properties": {
"Description": "EventRule",
"EventPattern": {
"source": [
"aws.ec2"
],
"detail-type": [
"EC2 Instance State-change Notification"
],
"detail": {
"state": [
"stopping"
]
}
},
"State": "ENABLED",
"Targets": [{
"Arn": { "Fn::GetAtt": ["LambdaFunction", "Arn"] },
"Id": "TargetFunctionV1"
}]
}
},
"PermissionForEventsToInvokeLambda": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"FunctionName": { "Ref": "LambdaFunction" },
"Action": "lambda:InvokeFunction",
"Principal": "events.amazonaws.com",
"SourceArn": { "Fn::GetAtt": ["EventRule", "Arn"] }
}
}

YAML
EventRule:
Type: AWS::Events::Rule
Properties:
Description: "EventRule"
EventPattern:
source:
- "aws.ec2"
detail-type:
- "EC2 Instance State-change Notification"

API Version 2010-05-15
1136

AWS CloudFormation User Guide
AWS::Events::Rule
detail:
state:
- "stopping"
State: "ENABLED"
Targets:
Arn:
Fn::GetAtt:
- "LambdaFunction"
- "Arn"
Id: "TargetFunctionV1"
PermissionForEventsToInvokeLambda:
Type: AWS::Lambda::Permission
Properties:
FunctionName:
Ref: "LambdaFunction"
Action: "lambda:InvokeFunction"
Principal: "events.amazonaws.com"
SourceArn:
Fn::GetAtt:
- "EventRule"
- "Arn"

Notify a Topic in Response to a Log Entry
The following example creates a rule that notiﬁes an Amazon Simple Notiﬁcation Service topic if an AWS
CloudTrail log entry contains a call by the Root user.

JSON
"OpsEventRule": {
"Type": "AWS::Events::Rule",
"Properties": {
"Description": "EventRule",
"EventPattern": {
"detail-type": [ "AWS API Call via CloudTrail" ],
"detail": {
"userIdentity": {
"type": [ "Root" ]
}
}
},
"State": "ENABLED",
"Targets": [
{
"Arn": { "Ref": "MySNSTopic" },
"Id": "OpsTopic"
}
]
}
}

YAML
OpsEventRule:
Type: AWS::Events::Rule
Properties:
Description: "EventRule"
EventPattern:
detail-type:
- "AWS API Call via CloudTrail"
detail:
userIdentity:

API Version 2010-05-15
1137

AWS CloudFormation User Guide
AWS::GameLift::Alias
type:
- "Root"
State: "ENABLED"
Targets:
Arn:
Ref: "MySNSTopic"
Id: "OpsTopic"

AWS::GameLift::Alias
The AWS::GameLift::Alias resource creates an alias for an Amazon GameLift (GameLift) ﬂeet, which
you can use to anonymize your ﬂeet. You can reference the alias instead of a speciﬁc ﬂeet when you
create game sessions. For more information, see the CreateAlias action in the Amazon GameLift API
Reference.
Topics
• Syntax (p. 1138)
• Properties (p. 1138)
• Return Value (p. 1139)
• Example (p. 1139)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::GameLift::Alias",
"Properties" : {
"Name" : String,
"Description" : String,
"RoutingStrategy" : RoutingStrategy (p. 1974)
}

YAML
Type: AWS::GameLift::Alias
Properties:
Name: String
Description: String
RoutingStrategy:
RoutingStrategy (p. 1974)

Properties
Description
Information that helps you identify the purpose of this alias.
Required: No
Type: String
API Version 2010-05-15
1138

AWS CloudFormation User Guide
AWS::GameLift::Alias

Update requires: No interruption (p. 118)
Name
An identiﬁer to associate with this alias. Alias names don't need to be unique.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RoutingStrategy
A routing conﬁguration that speciﬁes where traﬃc is directed for this alias, such as to a ﬂeet or to a
message.
Required: Yes
Type: Amazon GameLift Alias RoutingStrategy (p. 1974)
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the alias ID,
such as myalias-a01234b56-7890-1de2-f345-g67h8i901j2k.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a terminal alias named TerminalAlias with a generic terminal message.

JSON
"AliasResource": {
"Type": "AWS::GameLift::Alias",
"Properties": {
"Name": "TerminalAlias",
"Description": "A terminal alias",
"RoutingStrategy": {
"Type": "TERMINAL",
"Message": "Terminal routing strategy message"
}
}
}

YAML
AliasResource:
Type: AWS::GameLift::Alias
Properties:
Name: "TerminalAlias"
Description: "A terminal alias"
RoutingStrategy:
Type: "TERMINAL"
Message: "Terminal routing strategy message"

API Version 2010-05-15
1139

AWS CloudFormation User Guide
AWS::GameLift::Build

AWS::GameLift::Build
The AWS::GameLift::Build resource creates a build that includes all of the components to run your
game server in an Amazon GameLift (GameLift) ﬂeet.
Topics
• Syntax (p. 1140)
• Properties (p. 1140)
• Return Value (p. 1141)
• Example (p. 1141)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::GameLift::Build",
"Properties" : {
"Name" : String,
"StorageLocation" : StorageLocation (p. 1975),
"Version" : String
}

YAML
Type: AWS::GameLift::Build
Properties:
Name: String
StorageLocation:
StorageLocation (p. 1975)
Version: String

Properties
Name
An identiﬁer to associate with this build. Build names don't need to be unique.
Required: No
Type: String
Update requires: No interruption (p. 118)
StorageLocation
The Amazon Simple Storage Service (Amazon S3) location where your build package ﬁles are
located.
Required: No, but we recommend that you specify a location. If you don't specify this property, you
must manually upload your build package ﬁles to GameLift.
Type: Amazon GameLift Build StorageLocation (p. 1975)
API Version 2010-05-15
1140

AWS CloudFormation User Guide
AWS::GameLift::Build

Update requires: Replacement (p. 119)
Version
A version to associate with this build. Version is useful if you want to track updates to your build
package ﬁles. Versions don't need to be unique.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the build ID,
such as mybuild-a01234b56-7890-1de2-f345-g67h8i901j2k.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a GameLift build named MyGameServerBuild. The build package is
located in an S3 bucket, speciﬁed by the S3Bucket and S3Key input parameters. The example also
creates the AWS Identity and Access Management (IAM) role that GameLift assumes so that it has
permissions to download the build package ﬁles.

JSON
"BuildResource": {
"Type": "AWS::GameLift::Build",
"Properties": {
"Name": "MyGameServerBuild",
"Version": "v15",
"StorageLocation": {
"Bucket": "mybucket",
"Key": "buildpackagefiles/",
"RoleArn": { "Fn::GetAtt": [ "IAMRole", "Arn" ] }
}
}
},
"IAMRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": [ "gamelift.amazonaws.com" ] },
"Action": [ "sts:AssumeRole" ]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "gamelift-s3-access-policy",
"PolicyDocument": {
"Version": "2012-10-17",

API Version 2010-05-15
1141

AWS CloudFormation User Guide
AWS::GameLift::Fleet

}

}

]

}

}

"Statement": [
{
"Effect": "Allow",
"Action": [ "s3:GetObject" ],
"Resource": [ "arn:aws:s3:::mybucket/*" ]
}
]

YAML
BuildResource:
Type: AWS::GameLift::Build
Properties:
Name: "MyGameServerBuild"
Version: "v15"
StorageLocation:
Bucket: "mybucket"
Key: "buildpackagefiles/"
RoleArn:
Fn::GetAtt:
- "IAMRole"
- "Arn"
IAMRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- "gamelift.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "gamelift-s3-access-policy"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action:
- "s3:GetObject"
Resource:
- "arn:aws:s3:::mybucket/*"

AWS::GameLift::Fleet
The AWS::GameLift::Fleet resource creates an Amazon GameLift (GameLift) ﬂeet to host game
servers. A ﬂeet is a set of EC2 instances, each of which is a host in the ﬂeet. For more information, see
the CreateFleet action in the Amazon GameLift API Reference.
Topics
• Syntax (p. 1143)
API Version 2010-05-15
1142

AWS CloudFormation User Guide
AWS::GameLift::Fleet

• Properties (p. 1143)
• Return Value (p. 1145)
• Example (p. 1145)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::GameLift::Fleet",
"Properties" : {
"BuildId" : String,
"Description" : String,
"DesiredEC2Instances" : Integer,
"EC2InboundPermissions" : [ EC2InboundPermission (p. 1976), ... ],
"EC2InstanceType" : String,
"LogPaths" : [ String, ... ],
"MaxSize" : Integer,
"MinSize" : Integer,
"Name" : String,
"ServerLaunchParameters" : String,
"ServerLaunchPath" : String
}

YAML
Type: AWS::GameLift::Fleet
Properties:
BuildId: String
Description: String
DesiredEC2Instances: Integer
EC2InboundPermissions:
- EC2InboundPermission (p. 1976)
EC2InstanceType: String
LogPaths:
[ String, ... ]
MaxSize: Integer
MinSize: Integer
Name: String
ServerLaunchParameters: String
ServerLaunchPath: String

Properties
BuildId
The unique identiﬁer for the build that you want to use with this ﬂeet.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Description
Information that helps you identify the purpose of this ﬂeet.
API Version 2010-05-15
1143

AWS CloudFormation User Guide
AWS::GameLift::Fleet

Required: No
Type: String
Update requires: No interruption (p. 118)
DesiredEC2Instances
The number of EC2 instances that you want in this ﬂeet.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
EC2InboundPermissions
The incoming traﬃc, expressed as IP ranges and port numbers, that is permitted to access the game
server. If you don't specify values, no traﬃc is permitted to your game servers.
Required: No
Type: List of Amazon GameLift Fleet EC2InboundPermission (p. 1976)
Update requires: No interruption (p. 118)
EC2InstanceType
The type of EC2 instances that the ﬂeet uses. EC2 instance types deﬁne the CPU, memory, storage,
and networking capacity of the ﬂeet's hosts. For more information about the instance types that are
supported by GameLift, see the EC2InstanceType parameter in the Amazon GameLift API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
LogPaths
The path to game-session log ﬁles that are generated by your game server, with the slashes (\)
escaped. After a game session has been terminated, GameLift captures and stores the logs in an S3
bucket.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
MaxSize
The maximum number of EC2 instances that you want to allow in this ﬂeet. By default, AWS
CloudFormation, sets this property to 1.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
MinSize
The minimum number of EC2 instances that you want to allow in this ﬂeet. By default, AWS
CloudFormation, sets this property to 0.
API Version 2010-05-15
1144

AWS CloudFormation User Guide
AWS::GameLift::Fleet

Required: No
Type: Integer
Update requires: No interruption (p. 118)
Name
An identiﬁer to associate with this ﬂeet. Fleet names don't need to be unique.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ServerLaunchParameters
The parameters that are required to launch your game server. Specify these parameters as a string of
command-line parameters, such as +sv_port 33435 +start_lobby.
Required: No
Type: String
Update requires: Replacement (p. 119)
ServerLaunchPath
The location of your game server that GameLift launches. You must escape the slashes (\) and use
the following pattern: C:\\game\\launchpath. For example, if your game server ﬁles are in the
MyGame folder, the path should be C:\\game\\MyGame\\server.exe.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ﬂeet ID,
such as myfleet-a01234b56-7890-1de2-f345-g67h8i901j2k.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a GameLift ﬂeet named MyGameFleet with two inbound permissions.
The ﬂeet uses a Ref intrinsic function to specify a build, which can be declared elsewhere in the same
template. For the log path and server launch path, the example uses the escape character (\) to escape
the slashes (\).

JSON
"FleetResource": {
"Type": "AWS::GameLift::Fleet",
"Properties": {
"Name": "MyGameFleet",
"Description": "A fleet for my game",

API Version 2010-05-15
1145

AWS CloudFormation User Guide
AWS::Glue::Classiﬁer

}

}

"BuildId": { "Ref": "BuildResource" },
"ServerLaunchPath": "c:\\game\\TestApplicationServer.exe",
"LogPaths": [
"c:\\game\\testlog.log",
"c:\\game\\testlog2.log"
],
"EC2InstanceType": "t2.small",
"DesiredEC2Instances": "2",
"EC2InboundPermissions": [
{
"FromPort": "1234",
"ToPort": "1324",
"IpRange": "0.0.0.0/24",
"Protocol": "TCP"
},
{
"FromPort": "1356",
"ToPort": "1578",
"IpRange": "192.168.0.0/24",
"Protocol": "UDP"
}
]

YAML
FleetResource:
Type: AWS::GameLift::Fleet
Properties:
Name: "MyGameFleet"
Description: "A fleet for my game"
BuildId:
Ref: "BuildResource"
ServerLaunchPath: "c:\\game\\TestApplicationServer.exe"
LogPaths:
- "c:\\game\\testlog.log"
- "c:\\game\\testlog2.log"
EC2InstanceType: "t2.small"
DesiredEC2Instances: "2"
EC2InboundPermissions:
FromPort: "1234"
ToPort: "1324"
IpRange: "0.0.0.0/24"
Protocol: "TCP"
FromPort: "1356"
ToPort: "1578"
IpRange: "192.168.0.0/24"
Protocol: "UDP"

AWS::Glue::Classiﬁer
The AWS::Glue::Classifier resource creates an AWS Glue classiﬁer that categorizes data sources
and speciﬁes schemas. For more information, see Adding Classiﬁers to a Crawler and Classiﬁer Structure
in the AWS Glue Developer Guide.
Topics
• Syntax (p. 1147)
• Properties (p. 1147)
API Version 2010-05-15
1146

AWS CloudFormation User Guide
AWS::Glue::Connection

• Return Values (p. 1147)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Glue::Classifier",
"Properties" : {
"GrokClassifier" : GrokClassifier (p. 1977)
}

YAML
Type: AWS::Glue::Classifier
Properties:
GrokClassifier:
GrokClassifier (p. 1977)

Properties
GrokClassifier
A classiﬁer that uses grok.
Required: No
Type: AWS Glue Classiﬁer GrokClassiﬁer (p. 1977)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

AWS::Glue::Connection
The AWS::Glue::Connection resource speciﬁes an AWS Glue connection to a data source. For more
information, see Adding a Connection to Your Data Store and Connection Structure in the AWS Glue
Developer Guide.
Topics
• Syntax (p. 1148)
• Properties (p. 1148)
• Return Values (p. 1148)
API Version 2010-05-15
1147

AWS CloudFormation User Guide
AWS::Glue::Connection

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Glue::Connection",
"Properties" : {
"ConnectionInput" : ConnectionInput (p. 1978),
"CatalogId" : String
}

YAML
Type: AWS::Glue::Connection
Properties:
ConnectionInput:
ConnectionInput (p. 1978)
CatalogId: String

Properties
ConnectionInput
The connection that you want to create.
Required: Yes
Type: AWS Glue Connection ConnectionInput (p. 1978)
Update requires: No interruption (p. 118)
CatalogId
The ID of the data catalog to create the catalog object in. Currently, this should be the AWS account
ID.

Note

To specify the account ID, you can use the Ref intrinsic function with the AWS::AccountId
pseudo parameter—for example !Ref AWS::AccountId.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the
ConnectionInput name.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
1148

AWS CloudFormation User Guide
AWS::Glue::Crawler

AWS::Glue::Crawler
The AWS::Glue::Crawler resource speciﬁes an AWS Glue crawler. For more information, see
Cataloging Tables with a Crawler and Crawler Structure in the AWS Glue Developer Guide.
Topics
• Syntax (p. 1149)
• Properties (p. 1149)
• Return Values (p. 1151)
• Examples (p. 1151)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Glue::Crawler",
"Properties" : {
"Role" : String,
"Classifiers" : [ String, ... ],
"Description" : String,
"SchemaChangePolicy" : SchemaChangePolicy (p. 1983),
"Schedule" : Schedule (p. 1982),
"DatabaseName" : String,
"Targets" : Targets (p. 1984),
"TablePrefix" : String,
"Name" : String
}

YAML
Type: AWS::Glue::Crawler
Properties:
Role: String
Classifiers:
- String
Description: String
SchemaChangePolicy:
SchemaChangePolicy (p. 1983)
Schedule:
Schedule (p. 1982)
DatabaseName: String
Targets:
Targets (p. 1984)
TablePrefix: String
Name: String

Properties
Role
The Amazon Resource Name (ARN) of an IAM role that's used to access customer resources, such as
Amazon S3 data.
API Version 2010-05-15
1149

AWS CloudFormation User Guide
AWS::Glue::Crawler

Required: Yes
Type: String
Update requires: No interruption (p. 118)
Classifiers
A list of UTF-8 strings that specify the custom classiﬁers that are associated with the crawler.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
Description
A description of the crawler and where it should be used. It must match the URI address multi-line
string pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
SchemaChangePolicy
The policy that speciﬁes update and delete behaviors for the crawler.
Required: No
Type: AWS Glue Crawler SchemaChangePolicy (p. 1983)
Update requires: No interruption (p. 118)
Schedule
The schedule for the crawler.
Required: No
Type: AWS Glue Crawler Schedule (p. 1982)
Update requires: No interruption (p. 118)
DatabaseName
The name of the database where the crawler's output is stored.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Targets
The crawler targets.
Required: Yes
Type: AWS Glue Crawler Targets (p. 1984)
Update requires: No interruption (p. 118)
API Version 2010-05-15
1150

AWS CloudFormation User Guide
AWS::Glue::Crawler

TablePrefix
The table preﬁx that's used for catalog tables that are created.
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the crawler. Must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Examples
The following example creates a crawler for an Amazon S3 target.

JSON
{

"Description": "AWS Glue Crawler Test",
"Resources": {
"MyRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"glue.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [

API Version 2010-05-15
1151

AWS CloudFormation User Guide
AWS::Glue::Crawler
{

]

}

"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}

}
},
"MyDatabase": {
"Type": "AWS::Glue::Database",
"Properties": {
"CatalogId": {
"Ref": "AWS::AccountId"
},
"DatabaseInput": {
"Name": "dbCrawler",
"Description": "TestDatabaseDescription",
"LocationUri": "TestLocationUri",
"Parameters": {
"key1": "value1",
"key2": "value2"
}
}
}
},
"MyClassifier": {
"Type": "AWS::Glue::Classifier",
"Properties": {
"GrokClassifier": {
"Name": "CrawlerClassifier",
"Classification": "wikiData",
"GrokPattern": "%{NOTSPACE:language} %{NOTSPACE:page_title}
%{NUMBER:hits:long} %{NUMBER:retrieved_size:long}"
}
}
},
"MyS3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "crawlertesttarget",
"AccessControl": "BucketOwnerFullControl"
}
},
"MyCrawler2": {
"Type": "AWS::Glue::Crawler",
"Properties": {
"Name": "testcrawler1",
"Role": {
"Fn::GetAtt": [
"MyRole",
"Arn"
]
},
"DatabaseName": {
"Ref": "MyDatabase"
},
"Classifiers": [
{

API Version 2010-05-15
1152

AWS CloudFormation User Guide
AWS::Glue::Crawler

}

}

}

}

}

"Ref": "MyClassifier"

],
"Targets": {
"S3Targets": [
{
"Path": {
"Ref": "MyS3Bucket"
}
}
]
},
"SchemaChangePolicy": {
"UpdateBehavior": "UPDATE_IN_DATABASE",
"DeleteBehavior": "LOG"
},
"Schedule": {
"ScheduleExpression": "cron(0/10 * ? * MON-FRI *)"
}

YAML
Resources:
MyRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- "glue.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action: "*"
Resource: "*"
MyDatabase:
Type: AWS::Glue::Database
Properties:
CatalogId: !Ref AWS::AccountId
DatabaseInput:
Name: "dbCrawler"
Description: "TestDatabaseDescription"
LocationUri: "TestLocationUri"
Parameters:
key1 : "value1"
key2 : "value2"

API Version 2010-05-15
1153

AWS CloudFormation User Guide
AWS::Glue::Database
MyClassifier:
Type: AWS::Glue::Classifier
Properties:
GrokClassifier:
Name: "CrawlerClassifier"
Classification: "wikiData"
GrokPattern: "%{NOTSPACE:language} %{NOTSPACE:page_title} %{NUMBER:hits:long}
%{NUMBER:retrieved_size:long}"
MyS3Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: "crawlertesttarget"
AccessControl: "BucketOwnerFullControl"
MyCrawler2:
Type: AWS::Glue::Crawler
Properties:
Name: "testcrawler1"
Role: !GetAtt MyRole.Arn
DatabaseName: !Ref MyDatabase
Classifiers:
- !Ref MyClassifier
Targets:
S3Targets:
- Path: !Ref MyS3Bucket
SchemaChangePolicy:
UpdateBehavior: "UPDATE_IN_DATABASE"
DeleteBehavior: "LOG"
Schedule:
ScheduleExpression: "cron(0/10 * ? * MON-FRI *)"

AWS::Glue::Database
The AWS::Glue::Database resource speciﬁes a logical grouping of tables in AWS Glue. For more
information, see Deﬁning a Database in Your Data Catalog and Database Structure in the AWS Glue
Developer Guide.
Topics
• Syntax (p. 1154)
• Properties (p. 1155)
• Return Values (p. 1155)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Glue::Database",
"Properties" : {
"DatabaseInput" : DatabaseInput (p. 1985),
"CatalogId" : String
}

API Version 2010-05-15
1154

AWS CloudFormation User Guide
AWS::Glue::DevEndpoint

YAML
Type: AWS::Glue::Database
Properties:
DatabaseInput:
DatabaseInput (p. 1985)
CatalogId: String

Properties
DatabaseInput
The metadata of the database.
Required: Yes
Type: AWS Glue Database DatabaseInput (p. 1985)
Update requires: No interruption (p. 118)
CatalogId
The ID of the data catalog to create the catalog object in. Currently, this should be the AWS account
ID.

Note

To specify the account ID, you can use the Ref intrinsic function with the AWS::AccountId
pseudo parameter—for example !Ref AWS::AccountId.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the
DatabaseInput name.
For more information about using the Ref function, see Ref (p. 2311).

AWS::Glue::DevEndpoint
The AWS::Glue::DevEndpoint resource speciﬁes a development endpoint where a developer can
remotely debug ETL scripts for AWS Glue. For more information, see DevEndpoint Structure in the AWS
Glue Developer Guide.
Topics
• Syntax (p. 1155)
• Properties (p. 1156)
• See Also (p. 1157)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1155

AWS CloudFormation User Guide
AWS::Glue::DevEndpoint

JSON
{

}

"Type" : "AWS::Glue::DevEndpoint",
"Properties" : {
"EndpointName" : String,
"ExtraJarsS3Path" : String,
"ExtraPythonLibsS3Path" : String,
"NumberOfNodes" : Integer,
"PublicKey" : String,
"RoleArn" : String,
"SecurityGroupIds" : [ String, ... ],
"SubnetId" : String
}

YAML
Type: AWS::Glue::DevEndpoint
Properties:
EndpointName: String
ExtraJarsS3Path: String
ExtraPythonLibsS3Path: String
NumberOfNodes: Integer
PublicKey: String
RoleArn: String
SecurityGroupIds:
- String
SubnetId: String

Properties
EndpointName
The name of the endpoint.
Required: No
Type: String
Update requires: Replacement (p. 119)
ExtraJarsS3Path
The path to one or more Java Jars in an Amazon S3 bucket to load in your endpoint.

Note

You can currently use only pure Java/Scala libraries on a DevEndpoint.
Required: No
Type: String
Update requires: No interruption (p. 118)
ExtraPythonLibsS3Path
The path to one or more Python libraries in an Amazon S3 bucket to load in your endpoint.

Note

You can currently use only pure Python libraries on a DevEndpoint. Libraries that rely on C
extensions, such as the pandas Python data analysis library, aren't supported yet.
Required: No
API Version 2010-05-15
1156

AWS CloudFormation User Guide
AWS::Glue::Job

Type: String
Update requires: No interruption (p. 118)
NumberOfNodes
The number of nodes that the endpoint uses.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
PublicKey
The public key for the endpoint to use for authentication.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RoleArn
The Amazon Resource Name (ARN) of the IAM role for the endpoint. It must match the AWS ARN
string pattern: arn:aws:iam::\d{12}:role/.*
Required: Yes
Type: String
Update requires: No interruption (p. 118)
SecurityGroupIds
A list of UTF-8 strings that specify the security group IDs for the endpoint.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SubnetId
The subnet ID for the endpoint.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• DevEndpoint Structure in the AWS Glue Developer Guide

AWS::Glue::Job
The AWS::Glue::Job resource speciﬁes an AWS Glue job in the data catalog. For more information, see
Adding Jobs in AWS Glue and Job Structure in the AWS Glue Developer Guide.
API Version 2010-05-15
1157

AWS CloudFormation User Guide
AWS::Glue::Job

Topics
• Syntax (p. 1158)
• Properties (p. 1158)
• Return Values (p. 1160)
• Examples (p. 1161)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Glue::Job",
"Properties" : {
"Role" : String,
"DefaultArguments" : JSON object,
"Connections" : ConnectionsList (p. 1986),
"MaxRetries" : Double,
"Description" : String,
"LogUri" : String,
"Command" : JobCommand (p. 1987),
"AllocatedCapacity" : Double,
"ExecutionProperty" : ExecutionProperty (p. 1987),
"Name" : String
}

YAML
Type: AWS::Glue::Job
Properties:
Role: String
DefaultArguments: JSON object
Connections:
ConnectionsList (p. 1986)
MaxRetries: Double
Description: String
LogUri: String
Command:
JobCommand (p. 1987)
AllocatedCapacity: Double
ExecutionProperty:
ExecutionProperty (p. 1987)
Name: String

Properties
Role
The role that's associated with the job.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1158

AWS CloudFormation User Guide
AWS::Glue::Job

DefaultArguments
UTF-8 string–to–UTF-8 string key-value pairs that specify the default parameters for the job.
You can specify arguments here that your own job-execution script consumes, as well as arguments
that AWS Glue itself consumes. For information about how to specify and consume your own
Job arguments, see the Passing and Accessing Python Parameters in AWS Glue in the AWS Glue
Developer Guide.
AWS Glue consumes the following arguments to set up the Job script environment:
• --scriptLocation — The Amazon S3 location where your ETL script is located (in a form like
s3://path/to/my/script.py).
• --extra-py-files — Amazon S3 path(s) to additional Python modules that AWS Glue adds to
the Python path before executing your script. Multiple values must be complete paths separated
by a comma (,). Note that only pure Python modules will work currently. Extension modules
written in C or other languages are not supported.
• --extra-jars — Amazon S3 path(s) to additional Java .jar ﬁle(s) that AWS Glue adds to the
Java classpath before executing your script. Multiple values must be complete paths separated by
a comma (,).
• --extra-files — Amazon S3 path(s) to additional ﬁles such as conﬁguration ﬁles) that AWS
Glue copies to the working directory of your script before executing it. Multiple values must be
complete paths separated by a comma (,).
There are several argument names used by AWS Glue internally that you should never set:
• --conf — Internal to AWS Glue. Do not set!
• --debug — Internal to AWS Glue. Do not set!
• --mode — Internal to AWS Glue. Do not set!
• --JOB_NAME — Internal to AWS Glue. Do not set!
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
Connections
The connections that are used by the job.
Required: No
Type: AWS Glue Job ConnectionsList (p. 1986)
Update requires: No interruption (p. 118)
MaxRetries
The maximum number of times to retry this job if it fails.
Required: No
Type: Double
Update requires: No interruption (p. 118)
Description
The description of the job.
Required: No
API Version 2010-05-15
1159

AWS CloudFormation User Guide
AWS::Glue::Job

Type: String
Update requires: No interruption (p. 118)
LogUri
The location of the logs for the job.
Required: No
Type: String
Update requires: No interruption (p. 118)
Command
The code that executes a job.
Required: Yes
Type: AWS Glue Job JobCommand (p. 1987)
Update requires: No interruption (p. 118)
AllocatedCapacity
The number of capacity units that are allocated to this job.
Required: No
Type: Double
Update requires: No interruption (p. 118)
ExecutionProperty
The execution property of the job, which speciﬁes the maximum number of concurrent runs that are
allowed for the job.
Required: No
Type: AWS Glue Job ExecutionProperty (p. 1987)
Update requires: No interruption (p. 118)
Name
The name of the job. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
API Version 2010-05-15
1160

AWS CloudFormation User Guide
AWS::Glue::Job

For more information about using the Ref function, see Ref (p. 2311).

Examples
The following example creates a job with an associated role.

JSON
{

"Description": "AWS Glue Job Test",
"Resources": {
"MyJobRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"glue.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]
}
},
"MyJob": {
"Type": "AWS::Glue::Job",
"Properties": {
"Command": {
"Name": "glueetl",
"ScriptLocation": "s3://aws-glue-scripts//prod-job1"
},
"DefaultArguments": {
"--continuation-option": "continuation-enabled"
},
"ExecutionProperty": {
"MaxConcurrentRuns": 2
},
"MaxRetries": 0,
"Name": "cf-job1",

API Version 2010-05-15
1161

AWS CloudFormation User Guide
AWS::Glue::Partition

}

}

}

}

"Role": {
"Ref": "MyJobRole"
}

YAML
--Description: "AWS Glue Job Test"
Resources:
MyJobRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- "glue.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action: "*"
Resource: "*"
MyJob:
Type: AWS::Glue::Job
Properties:
Command:
Name: glueetl
ScriptLocation: "s3://aws-glue-scripts//prod-job1"
DefaultArguments:
"--continuation-option": continuation-enabled
ExecutionProperty:
MaxConcurrentRuns: 2
MaxRetries: 0
Name: cf-job1
Role: !Ref MyJobRole

AWS::Glue::Partition
The AWS::Glue::Partition resource creates an AWS Glue partition, which represents a slice of table
data. For more information, see CreatePartition Action and Partition Structure in the AWS Glue Developer
Guide.
Topics
• Syntax (p. 1163)
• Properties (p. 1163)
API Version 2010-05-15
1162

AWS CloudFormation User Guide
AWS::Glue::Partition

• See Also (p. 1164)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Glue::Partition",
"Properties" : {
"TableName" : String,
"DatabaseName" : String,
"CatalogId" : String,
"PartitionInput" : PartitionInput (p. 1990)
}

YAML
Type: AWS::Glue::Partition
Properties:
TableName: String
DatabaseName: String
CatalogId: String
PartitionInput:
PartitionInput (p. 1990)

Properties
TableName
The name of the metadata table to create the partition in.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
DatabaseName
The name of the catalog database to create the partition in. It must match the single-line string
pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: Yes
Type: String
Update requires: Replacement (p. 119)
CatalogId
The ID of the data catalog to create the catalog object in. Currently, this should be the AWS account
ID.

Note

To specify the account ID, you can use the Ref intrinsic function with the AWS::AccountId
pseudo parameter—for example !Ref AWS::AccountId.
API Version 2010-05-15
1163

AWS CloudFormation User Guide
AWS::Glue::Table

Required: Yes
Type: String
Update requires: No interruption (p. 118)
PartitionInput
The metadata of the partition.
Required: Yes
Type: AWS Glue Partition PartitionInput (p. 1990)
Update requires: Some interruptions (p. 119)

See Also
• CreatePartition Action in the AWS Glue Developer Guide
• Partition Structure in the AWS Glue Developer Guide

AWS::Glue::Table
The AWS::Glue::Table resource speciﬁes tabular data in the AWS Glue data catalog. For more
information, see Deﬁning Tables in the AWS Glue Data Catalog and Table Structure in the AWS Glue
Developer Guide.
Topics
• Syntax (p. 1164)
• Properties (p. 1165)
• Return Values (p. 1165)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Glue::Table",
"Properties" : {
"TableInput" : TableInput (p. 2003),
"DatabaseName" : String,
"CatalogId" : String
}

YAML
Type: AWS::Glue::Table
Properties:
TableInput:
TableInput (p. 2003)
DatabaseName: String

API Version 2010-05-15
1164

AWS CloudFormation User Guide
AWS::Glue::Trigger
CatalogId: String

Properties
TableInput
The metadata of the table.
Required: Yes
Type: AWS Glue Table TableInput (p. 2003)
Update requires: Some interruptions (p. 119)
DatabaseName
The name of the catalog database for the table. It must match the single-line string pattern:
[\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: Yes
Type: String
Update requires: Replacement (p. 119)
CatalogId
The ID of the data catalog to create the catalog object in. Currently, this should be the AWS account
ID.

Note

To specify the account ID, you can use the Ref intrinsic function with the AWS::AccountId
pseudo parameter—for example !Ref AWS::AccountId.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the
TableInput name.
For more information about using the Ref function, see Ref (p. 2311).

AWS::Glue::Trigger
The AWS::Glue::Trigger resource speciﬁes triggers that run AWS Glue jobs. For more information,
see Triggering Jobs in AWS Glue and Trigger Structure in the AWS Glue Developer Guide.
Topics
• Syntax (p. 1166)
• Properties (p. 1166)
• Return Values (p. 1167)
API Version 2010-05-15
1165

AWS CloudFormation User Guide
AWS::Glue::Trigger

• Examples (p. 1167)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Glue::Trigger",
"Properties" : {
"Type" : String,
"Description" : String,
"Actions" : [ Action (p. 2006), ... ],
"Schedule" : String,
"Name" : String,
"Predicate" : Predicate (p. 2008)
}

YAML
Type: AWS::Glue::Trigger
Properties:
Type: String
Description: String
Actions:
- Action (p. 2006)
Schedule: String
Name: String
Predicate:
Predicate (p. 2008)

Properties
Type
The type of job trigger. Valid values are SCHEDULED, CONDITIONAL, or ON_DEMAND.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Description
The description of the job trigger.
Required: No
Type: String
Update requires: No interruption (p. 118)
Actions
The actions that the job trigger initiates when it ﬁres.
Required: Yes
API Version 2010-05-15
1166

AWS CloudFormation User Guide
AWS::Glue::Trigger

Type: List of AWS Glue Trigger Action (p. 2006)
Update requires: No interruption (p. 118)
Schedule
The cron schedule expression for the job trigger.
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the job trigger.
Required: No
Type: String
Update requires: Replacement (p. 119)
Predicate
The predicate of the job trigger, which determines when the trigger ﬁres.
Required: No
Type: AWS Glue Trigger Predicate (p. 2008)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Examples
On-Demand Trigger
The following example creates an on-demand trigger that triggers one job.

JSON
{

"Resources": {
"OnDemandJobTrigger": {
"Type": "AWS::Glue::Trigger",
"Properties": {
"Type": "ON_DEMAND",
"Description": "DESCRIPTION_ON_DEMAND",
"Actions": [
{
"JobName": "prod-job2"

API Version 2010-05-15
1167

AWS CloudFormation User Guide
AWS::Glue::Trigger

}

}

}

}

}
],
"Name": "prod-trigger1-ondemand"

YAML
Resources:
OnDemandJobTrigger:
Type: AWS::Glue::Trigger
Properties:
Type: ON_DEMAND
Description: DESCRIPTION_ON_DEMAND
Actions:
- JobName: prod-job2
Name: prod-trigger1-ondemand

Scheduled Trigger
The following example creates a scheduled trigger that runs every two hours and triggers two jobs. Note
that it declares an argument for prod-job3.

JSON
{

}

"Resources": {
"ScheduledJobTrigger": {
"Type": "AWS::Glue::Trigger",
"Properties": {
"Type": "SCHEDULED",
"Description": "DESCRIPTION_SCHEDULED",
"Schedule": "cron(0 */2 * * ? *)",
"Actions": [
{
"JobName": "prod-job2"
},
{
"JobName": "prod-job3",
"Arguments": {
"--job-bookmark-option": "job-bookmark-enable"
}
}
],
"Name": "prod-trigger1-scheduled"
}
}
}

YAML
Resources:
ScheduledJobTrigger:
Type: AWS::Glue::Trigger
Properties:
Type: SCHEDULED
Description: DESCRIPTION_SCHEDULED
Schedule: cron(0 */2 * * ? *)

API Version 2010-05-15
1168

AWS CloudFormation User Guide
AWS::Glue::Trigger
Actions:
- JobName: prod-job2
- JobName: prod-job3
Arguments:
'--job-bookmark-option': job-bookmark-enable
Name: prod-trigger1-scheduled

Conditional Trigger
The following example creates a conditional trigger that starts a job based on the successful completion
of the job run.

JSON
{

"Description": "AWS Glue Trigger Test",
"Resources": {
"MyJobTriggerRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"glue.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]
}
},
"MyJob": {
"Type": "AWS::Glue::Job",
"Properties": {
"Name": "MyJobTriggerJob",
"LogUri": "wikiData",
"Role": {
"Ref": "MyJobTriggerRole"
},
"Command": {
"Name": "glueetl",

API Version 2010-05-15
1169

AWS CloudFormation User Guide
AWS::Glue::Trigger
"ScriptLocation": "s3://testdata-bucket/s3-target/create-delete-job-xtf-ETL-s3json-to-csv.py"
},
"DefaultArguments": {
"--continuation-option": "continuation-enabled"
},
"MaxRetries": 0
}
},
"MyJobTrigger": {
"Type": "AWS::Glue::Trigger",
"Properties": {
"Name": "MyJobTrigger",
"Type": "CONDITIONAL",
"Description": "Description for a conditional job trigger",
"Actions": [
{
"JobName": {
"Ref": "MyJob"
},
"Arguments": {
"--job-bookmark-option": "job-bookmark-enable"
}
}
],
"Predicate": {
"Conditions": [
{
"LogicalOperator": "EQUALS",
"JobName": {
"Ref": "MyJob"
},
"State": "SUCCEEDED"
}
]
}
}
}
}
}

YAML
--Description: "AWS Glue Trigger Test"
Resources:
MyJobTriggerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- "glue.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:

API Version 2010-05-15
1170

AWS CloudFormation User Guide
AWS::GuardDuty::Detector
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action: "*"
Resource: "*"

MyJob:
Type: AWS::Glue::Job
Properties:
Name: "MyJobTriggerJob"
LogUri: "wikiData"
Role: !Ref MyJobTriggerRole
Command:
Name: "glueetl"
ScriptLocation: "s3://testdata-bucket/s3-target/create-delete-job-xtf-ETL-s3-jsonto-csv.py"
DefaultArguments:
"--continuation-option": "continuation-enabled"
MaxRetries: 0
MyJobTrigger:
Type: AWS::Glue::Trigger
Properties:
Name: "MyJobTrigger"
Type: "CONDITIONAL"
Description: "Description for a conditional job trigger"
Actions:
- JobName: !Ref MyJob
Arguments:
"--job-bookmark-option": "job-bookmark-enable"
Predicate:
Conditions:
- LogicalOperator: EQUALS
JobName: !Ref MyJob
State: SUCCEEDED

AWS::GuardDuty::Detector
The AWS::GuardDuty::Detector resource creates a single Amazon GuardDuty detector. A detector is
an object that represents the GuardDuty service. You must create a detector for GuardDuty to become
operational.
Topics
• Syntax (p. 1171)
• Properties (p. 1172)
• Return Values (p. 1172)
• Examples (p. 1172)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::GuardDuty::Detector",
"Properties" : {
"Enable" : Boolean
}

API Version 2010-05-15
1171

AWS CloudFormation User Guide
AWS::GuardDuty::Filter
}

YAML
Type: AWS::GuardDuty::Detector
Properties:
Enable: Boolean

Properties
Enable
A Boolean value that speciﬁes whether the detector is to be enabled.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::GuardDuty::Detector resource to the intrinsic Ref function,
the function returns the unique ID of the created detector.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Declaring a GuardDuty Detector Resource
The following example shows how to declare an AWS::GuardDuty::Detector resource to create a
GuardDuty detector.

JSON
"mydetector": {
"Type": "AWS::GuardDuty::Detector",
"Properties": {
"Enable": true
}
}

YAML
mydetector:
Type: AWS::GuardDuty::Detector
Properties:
Enable: true

AWS::GuardDuty::Filter
You can use the AWS::GuardDuty::Filter resource to create a GuardDuty ﬁlter using the speciﬁed
ﬁnding criteria.
API Version 2010-05-15
1172

AWS CloudFormation User Guide
AWS::GuardDuty::Filter

Topics
• Syntax (p. 1173)
• Properties (p. 1173)
• Return Values (p. 1174)
• Examples (p. 1174)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::GuardDuty::Filter",
"Properties" : {
"Action" : String,
"Description" : String,
"DetectorId" : String,
"FindingCriteria" : FindingCriteria (p. 2009),
"Rank" : Integer,
"Name" : String
}

YAML
Type: "AWS::GuardDuty::Filter"
Properties:
Action: String
Description: String
DetectorId: String
FindingCriteria: FindingCriteria (p. 2009)
Rank: Integer
Name: String

Properties
Action
Speciﬁes the action that is to be applied to the ﬁndings that match the ﬁlter. Valid values are: NOOP
| ARCHIVE
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Description
The description of the ﬁlter.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1173

AWS CloudFormation User Guide
AWS::GuardDuty::Filter

DetectorId
The ID of the detector that speciﬁes the GuardDuty service whose ﬁndings you want to ﬁlter.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
FindingCriteria
Represents the criteria to be used in the ﬁlter for querying ﬁndings.
Required: Yes
Type: GuardDuty Filter FindingCriteria (p. 2009)
Update requires: No interruption (p. 118)
Rank
Speciﬁes the position of the ﬁlter in the list of current ﬁlters. Also speciﬁes the order in which this
ﬁlter is applied to the ﬁndings.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
Name
The name of the ﬁlter.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::GuardDuty::Filter resource to the intrinsic Ref function,
the function returns the name of the created ﬁlter, such as SampleFilter.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Declaring a GuardDuty Member Resource
The following example shows how to declare an AWS::GuardDuty::Filter resource to create a ﬁlter for
your GuardDuty ﬁndings.

JSON

API Version 2010-05-15
1174

AWS CloudFormation User Guide
AWS::GuardDuty::Master
{

}

"Type": "AWS::GuardDuty::Filter",
"Properties": {
"Action": "Archive",
"Description": "SampleFilter",
"DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
"FindingCriteria": {
"Criterion": {
"updatedAt": {
"Gte": 0
}
}
},
"Rank": 1,
"Name": "SampleFilter"
}

YAML
Type: "AWS::GuardDuty::Filter"
Properties:
Action : "Archive"
Description : "SampleFilter"
DetectorId : "a12abc34d567e8fa901bc2d34e56789f0"
FindingCriteria :
Criterion:
"updatedAt":
Gte: 0
Rank : 1
Name : "SampleFilter"

AWS::GuardDuty::Master
You can use the AWS::GuardDuty::Master resource in a GuardDuty member account to accept
an invitation to be managed by a GuardDuty master account. The GuardDuty master account
must have already invited the current account (by calling the InviteMembers API operation or
by creating an AWS::GuardDuty::Member resource) before the current account can use the
AWS::GuardDuty::Master resource to accept the master account's invitation.
Topics
• Syntax (p. 1175)
• Properties (p. 1176)
• Return Values (p. 1177)
• Examples (p. 1177)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::GuardDuty::Master",

API Version 2010-05-15
1175

AWS CloudFormation User Guide
AWS::GuardDuty::Master

}

"Properties" : {
"DetectorId" : String,
"MasterId" : String,
"InvitationId" : String
}

YAML
Type: AWS::GuardDuty::Master
Properties:
DetectorId: String
MasterId: String
InvitationId: String

Properties
DetectorId
The detector ID of the AWS account that is accepting an invitation to become a GuardDuty member
account.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
MasterId
The account ID of the master GuardDuty account whose invitation you're accepting.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
InvitationId
The ID of the invitation that is sent to the AWS account by the GuardDuty master account. There are
several ways to retrieve the invitationId:
• By calling the ListInvitation API operation with the GuardDuty member account's credentials.
(You can also run the following CLI command: aws guardduty list-invitations.) In the
returned results, locate the invitation details (including the invitationID) from the GuardDuty
master account ID that you would like to accept.
• The email account associated with the GuardDuty member account should have received an
invitation email from the master account when they invited the current account. This email
contains an acceptance link which has the invitationId.
• If you access the member account’s Personal Health Dashboard, you can also see the same
invitation email from the master account (with the invitationId included as part of the invitation
acceptance link).
• If the value for InvitationId is not speciﬁed, it can be retrieved by calling ListInvitations and
receiving the invitation from the given master account ID.
Required: No
Type: String
API Version 2010-05-15
1176

AWS CloudFormation User Guide
AWS::GuardDuty::Member

Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::GuardDuty::Master resource to the intrinsic Ref function,
the function returns the unique ID of the GuardDuty master account, such as 012345678901.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Declaring a GuardDuty Master Resource
The following example shows how to declare an AWS::GuardDuty::Master resource to create a
GuardDuty master account.

JSON
"GDmaster": {
"Type": "AWS::GuardDuty::Master",
"Properties": {
"DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
"MasterId": "012345678901",
"InvitationId": "84b097800250d17d1872b34c4daadcf5"
}
}

YAML
GDmaster:
Type: AWS::GuardDuty::Master
Properties:
DetectorId: "a12abc34d567e8fa901bc2d34e56789f0"
MasterId: "012345678901"
InvitationId: "84b097800250d17d1872b34c4daadcf5"

AWS::GuardDuty::Member
You can use the AWS::GuardDuty::Member resource to add an AWS account as a GuardDuty member
account to the current GuardDuty master account. If the value of the Status property is not provided or
set to CREATED, a member account is only created. If the value of the Status property is set to INVITED,
a member account is created and invited. AWS::GuardDuty::Member resource has to be created with
the Status property set to INVITED before the AWS::GuardDuty::Master resource can be created in a
GuardDuty member account.
Topics
• Syntax (p. 1178)
• Properties (p. 1178)
• Return Values (p. 1179)
API Version 2010-05-15
1177

AWS CloudFormation User Guide
AWS::GuardDuty::Member

• Examples (p. 1179)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::GuardDuty::Member",
"Properties" : {
"Status" : String,
"MemberId" : String,
"Email" : String,
"Message" : String,
"DetectorId" : String,
"DisableEmailNotification" : Boolean
}

YAML
Type: AWS::GuardDuty::Member
Properties:
Status: String
MemberId: String
Email: String
Message: String
DetectorId: String
DisableEmailNotification: Boolean

Properties
Status
You can use this property to update the status of the relationship between the member account
and its master account. Valid values are CREATED | INVITED | DISABLED | ENABLED | REMOVED |
RESIGNED. If the value for this property is not provided or set to CREATED, a member account is only
created. If the value of this property is set to INVITED, a member account is created and invited.
Required: No
Type: String
Update requires: No interruption (p. 118)
MemberId
The account ID of the member GuardDuty account.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Email
The email address of the GuardDuty member account.
API Version 2010-05-15
1178

AWS CloudFormation User Guide
AWS::GuardDuty::Member

Required: Yes
Type: String
Update requires: Replacement (p. 119)
Message
The invitation message that you want to send to the account that you invite to GuardDuty as a
member.
Required: No
Type: String
Update requires: No interruption (p. 118)
DetectorId
The unique ID of the detector in a GuardDuty master account.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
DisableEmailNotification
Speciﬁes whether an email notiﬁcation is sent to the accounts that you want to invite to GuardDuty
as members. When set to 'True', email notiﬁcation is not sent to the invitees.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::GuardDuty::Member resource to the intrinsic Ref function,
the function returns the unique ID of the GuardDuty member account, such as 012345678901.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Declaring a GuardDuty Member Resource
The following example shows how to declare an AWS::GuardDuty::Member resource to create a
GuardDuty member account.

JSON
"GDmaster": {
"Type": "AWS::GuardDuty::Member",
"Properties": {
"Status": "Invited",
"MemberId": "012345678901",

API Version 2010-05-15
1179

AWS CloudFormation User Guide
AWS::GuardDuty::IPSet

}

"Email": "guarddutymember@amazon.com",
"Message": "You are invited to enable Amazon Guardduty.",
"DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
"DisableEmailNotification": true
}

YAML
GDmaster:
Type: AWS::GuardDuty::Member
Properties:
Status: "Invited"
MemberId: "012345678901"
Email: "guarddutymember@amazon.com"
Message: "You are invited to enable Amazon Guardduty."
DetectorId: "a12abc34d567e8fa901bc2d34e56789f0"
DisableEmailNotification: true

AWS::GuardDuty::IPSet
The AWS::GuardDuty::IPSet resource creates an Amazon GuardDuty IP set. An IP set is a list of
trusted IP addresses that have been whitelisted for secure communication with your AWS environment.
Topics
• Syntax (p. 1180)
• Properties (p. 1181)
• Return Values (p. 1181)
• Examples (p. 1182)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::GuardDuty::IPSet",
"Properties" : {
"Activate" : Boolean,
"DetectorId" : String,
"Format" : String,
"Location" : String,
"Name" : String
}

YAML
Type: AWS::GuardDuty::IPSet
Properties:
Activate: Boolean
DetectorId: String

API Version 2010-05-15
1180

AWS CloudFormation User Guide
AWS::GuardDuty::IPSet
Format: String
Location: String
Name: String

Properties
Activate
A Boolean value that indicates whether GuardDuty is to start using the uploaded IP set.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
DetectorId
The detector ID that speciﬁes the GuardDuty service for which an IP set is to be created.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Format
The format of the ﬁle that contains the IP set. Valid values are TXT, STIX, and OTX_CSV.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Location
The URI of the ﬁle that contains the IP set.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Name
The friendly name to identify the IP set. This name is displayed in all ﬁndings that are triggered by
activity that involves IP addresses included in this IP set.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::GuardDuty::IPSet resource to the intrinsic Ref function, the
function returns the unique ID of the created IP set.
API Version 2010-05-15
1181

AWS CloudFormation User Guide
AWS::GuardDuty::ThreatIntelSet

For more information about using the Ref function, see Ref (p. 2311).

Examples
Declaring a GuardDuty IPSet Resource
The following example shows how to declare an AWS::GuardDuty::IPSet resource to create a GuardDuty
IP set.

JSON
"myipset”: {
"Type": "AWS::GuardDuty::IPSet",
"Properties": {
"Activate": true,
"DetectorId": "12abc34d567e8f4912ab3d45e67891f2",
"Format": "TXT",
"Location": "https://s3-us-west-2.amazonaws.com/mybucket/myipset.txt",
"Name": "MyIPSet"
}
}

YAML
myipset:
Type: AWS::GuardDuty::IPSet
Properties:
Activate: true
DetectorId: "12abc34d567e8f4912ab3d45e67891f2"
Format: "TXT"
Location: "https://s3-us-west-2.amazonaws.com/mybucket/myipset.txt"
Name: "MyIPSet"

AWS::GuardDuty::ThreatIntelSet
The AWS::GuardDuty::ThreatIntelSet resource creates a ThreatIntelSet. A ThreatIntelSet consists
of known malicious IP addresses. GuardDuty generates ﬁndings based on ThreatIntelSets.
Topics
• Syntax (p. 1182)
• Properties (p. 1183)
• Return Values (p. 1184)
• Examples (p. 1184)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::GuardDuty::ThreatIntelSet",
"Properties" : {
"Activate" : Boolean,
"DetectorId" : String,

API Version 2010-05-15
1182

AWS CloudFormation User Guide
AWS::GuardDuty::ThreatIntelSet

}

}

"Format" : String,
"Location" : String,
"Name" : String

YAML
Type: AWS::GuardDuty::ThreatIntelSet
Properties:
Activate: Boolean
DetectorId: String
Format: String
Location: String
Name: String

Properties
Activate
A Boolean value that indicates whether GuardDuty should start using the uploaded ThreatIntelSet.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
DetectorId
The detector ID that speciﬁes the GuardDuty service for which an ThreatIntelSet is to be created.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Format
The format of the ﬁle that contains the ThreatIntelSet. Valid values are TXT, STIX, OTX_CSV,
ALIEN_VAULT, PROOF_POINT, and FIRE_EYE.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Location
The URI of the ﬁle that contains the ThreatIntelSet.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Name
A friendly ThreatIntelSet name that is displayed in all ﬁndings generated by activity that involves IP
addresses included in this ThreatIntelSet.
API Version 2010-05-15
1183

AWS CloudFormation User Guide
AWS::IAM::AccessKey

Required: No
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::GuardDuty::ThreatIntelSet resource to the intrinsic Ref
function, the function returns the unique ID of the created threatIntelSet.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Declaring a GuardDuty ThreatIntelSet resource
The following example shows how to declare an AWS::GuardDuty::ThreatIntelSet resource to create a
GuardDuty ThreatIntelSet.

JSON
"mythreatintelset": {
"Type": "AWS::GuardDuty::ThreatIntelSet",
"Properties": {
"Activate": true,
"DetectorId": "12abc34d567e8f4912ab3d45e67891f2",
"Format": "TXT",
"Location": "https://s3-us-west-2.amazonaws.com/mybucket/mythreatintelset.txt",
"Name": "MyThreatIntelSet"
}
}

YAML
mythreatintelset:
Type: AWS::GuardDuty::ThreatIntelSet
Properties:
Activate: true
DetectorId: "12abc34d567e8f4912ab3d45e67891f2"
Format: "TXT"
Location: "https://s3-us-west-2.amazonaws.com/mybucket/mythreatintelset.txt"
Name: "MyThreatIntelSet"

AWS::IAM::AccessKey
The AWS::IAM::AccessKey resource type generates a secret access key and assigns it to an IAM user or
AWS account.
This type supports updates. For more information about updating stacks, see AWS CloudFormation
Stacks Updates (p. 118).
Topics
• Syntax (p. 1185)
API Version 2010-05-15
1184

AWS CloudFormation User Guide
AWS::IAM::AccessKey

• Properties (p. 1185)
• Return Values (p. 1186)
• Template Examples (p. 1186)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::IAM::AccessKey",
"Properties": {
"Serial (p. 1185)": Integer,
"Status (p. 1185)": String,
"UserName (p. 1185)": String
}

YAML
Type: AWS::IAM::AccessKey
Properties:
Serial (p. 1185): Integer
Status (p. 1185): String
UserName (p. 1185): String

Properties
Serial
This value is speciﬁc to AWS CloudFormation and can only be incremented. Incrementing this value
notiﬁes AWS CloudFormation that you want to rotate your access key. When you update your stack,
AWS CloudFormation will replace the existing access key with a new key.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
Status
The status of the access key. By default, AWS CloudFormation sets this property value to Active.
Required: No
Type: String
Valid values: Active or Inactive
Update requires: No interruption (p. 118)
UserName
The name of the user that the new key will belong to.
API Version 2010-05-15
1185

AWS CloudFormation User Guide
AWS::IAM::Group

Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
Specifying this resource ID to the intrinsic Ref function will return the AccessKeyId. For example:
AKIAIOSFODNN7EXAMPLE.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
SecretAccessKey
Returns the secret access key for the speciﬁed AWS::IAM::AccessKey resource. For example:
wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Template Examples
To view AWS::IAM::AccessKey snippets, see Declaring an IAM Access Key Resource (p. 389).

AWS::IAM::Group
The AWS::IAM::Group resource creates an AWS Identity and Access Management (IAM) group.
This type supports updates. For more information about updating stacks, see AWS CloudFormation
Stacks Updates (p. 118).
Topics
• Syntax (p. 1186)
• Properties (p. 1187)
• Return Values (p. 1188)
• Template Examples (p. 1188)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type": "AWS::IAM::Group",

API Version 2010-05-15
1186

AWS CloudFormation User Guide
AWS::IAM::Group

}

"Properties": {
"GroupName": String,
"ManagedPolicyArns": [ String, ... ],
"Path": String,
"Policies": [ Policies, ... ]
}

YAML
Type: AWS::IAM::Group
Properties:
GroupName: String
ManagedPolicyArns: [ String, ... ]
Path: String
Policies:
- Policies

Properties
GroupName
A name for the IAM group. For valid values, see the GroupName parameter for the CreateGroup
action in the IAM API Reference. If you don't specify a name, AWS CloudFormation generates a
unique physical ID and uses that ID for the group name.

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge
your template's capabilities. For more information, see Acknowledging IAM Resources in AWS
CloudFormation Templates (p. 15).

Warning

Naming an IAM resource can cause an unrecoverable error if you reuse the same template
in multiple regions. To prevent this, we recommend using Fn::Join and AWS::Region
to create a region-speciﬁc name, as in the following example: {"Fn::Join": ["",
[{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.
Required: No
Type: String
Update requires: Replacement (p. 119)
ManagedPolicyArns
One or more managed policy ARNs to attach to this group.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
Path
The path to the group. For more information about paths, see IAM Identiﬁers in the IAM User Guide.
API Version 2010-05-15
1187

AWS CloudFormation User Guide
AWS::IAM::InstanceProﬁle

Required: No
Type: String
Update requires: No interruption (p. 118)
Policies
The policies to associate with this group. For information about policies, see Overview of IAM
Policies in the IAM User Guide.
Required: No
Type: List of IAM Policies (p. 2011)
Update requires: No interruption (p. 118)

Return Values
Ref
Specifying this resource ID to the intrinsic Ref function will return the GroupName. For example:
mystack-mygroup-1DZETITOWEKVO.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
Returns the Amazon Resource Name (ARN) for the AWS::IAM::Group resource. For example:
arn:aws:iam::123456789012:group/mystack-mygroup-1DZETITOWEKVO.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Template Examples
To view AWS::IAM::Group snippets, see Declaring an IAM Group Resource (p. 391)

AWS::IAM::InstanceProﬁle
The AWS::IAM::InstanceProfile resource creates an AWS Identity and Access Management (IAM)
instance proﬁle that can be used with IAM roles for EC2 instances.
For more information about IAM roles, see Working with Roles in the AWS Identity and Access
Management User Guide.
Topics
• Syntax (p. 1189)
• Properties (p. 1189)
• Return Values (p. 1190)
API Version 2010-05-15
1188

AWS CloudFormation User Guide
AWS::IAM::InstanceProﬁle

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path (p. 1189)": String,
"Roles (p. 1189)": [ IAM Roles ],
"InstanceProfileName (p. 1189)": String
}

YAML
Type: AWS::IAM::InstanceProfile
Properties:
Path (p. 1189): String
Roles (p. 1189):
- IAM Roles
InstanceProfileName (p. 1189): String

Properties
Path
The path associated with this IAM instance proﬁle. For information about IAM paths, see Friendly
Names and Paths in the AWS Identity and Access Management User Guide.
By default, AWS CloudFormation speciﬁes / for the path.
Required: No
Type: String
Update requires: Replacement (p. 119)
Roles
The name of an existing IAM role to associate with this instance proﬁle. Currently, you can assign a
maximum of one role to an instance proﬁle.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)
InstanceProfileName
The name of the instance proﬁle that you want to create. This parameter allows (per its regex
pattern) a string consisting of upper and lowercase alphanumeric characters with no spaces. You can
also include any of the following characters: = , . @ -.
Required: No
Type: String
API Version 2010-05-15
1189

AWS CloudFormation User Guide
AWS::IAM::ManagedPolicy

Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "MyProfile" }

For the IAM::InstanceProfile with the logical ID MyProfile, Ref returns the resource name.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
Returns the Amazon Resource Name (ARN) for the instance proﬁle. For example:
{"Fn::GetAtt" : ["MyProfile", "Arn"] }

This returns a value such as “arn:aws:iam::1234567890:instance-profile/MyProfileASDNSDLKJ”.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

AWS::IAM::ManagedPolicy
AWS::IAM::ManagedPolicy creates an AWS Identity and Access Management (IAM) managed policy
for your AWS account, which you can use to apply permissions to IAM users, groups, and roles. For more
information about managed policies, see Managed Policies and Inline Policies in the IAM User Guide
guide.
Topics
• Syntax (p. 1190)
• Properties (p. 1191)
• Return Values (p. 1192)
• Example (p. 1193)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type": "AWS::IAM::ManagedPolicy",
"Properties": {

API Version 2010-05-15
1190

AWS CloudFormation User Guide
AWS::IAM::ManagedPolicy

}

}

"Description" : String,
"Groups" : [ String, ... ],
"Path" : String,
"PolicyDocument" : JSON object,
"Roles" : [ String, ... ],
"Users" : [ String, ... ],
"ManagedPolicyName" : String

YAML
Type: AWS::IAM::ManagedPolicy
Properties:
Description: String
Groups:
- String
Path: String
PolicyDocument: JSON object
Roles:
- String
Users:
- String
ManagedPolicyName: String

Properties
Description
A description of the IAM policy. For example, describe the permissions that are deﬁned in the policy.
Required: No
Type: String
Update requires: Replacement (p. 119)
Groups
The names of IAM groups to attach to this policy.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
Path
The path for the IAM policy. By default, the path is /. For more information, see IAM Identiﬁers in the
IAM User Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)
PolicyDocument
Policies that deﬁne the permissions for this managed policy. For more information about policy
syntax, see IAM Policy Elements Reference in IAM User Guide.
Required: Yes
API Version 2010-05-15
1191

AWS CloudFormation User Guide
AWS::IAM::ManagedPolicy

Type: JSON object

Note

AWS Identity and Access Management (IAM) requires that policies be in JSON format.
However, for templates formatted in YAML, you can create an IAM policy in either JSON
or YAML format. AWS CloudFormation always converts a policy to JSON format before
submitting it to IAM.
Update requires: No interruption (p. 118)
Roles
The names of IAM roles to attach to this policy.

Note

If a policy has a Ref to a role and if a resource (such as AWS::ECS::Service) also
has a Ref to the same role, add a DependsOn attribute to the resource so that the
resource depends on the policy. This dependency ensures that the role's policy is
available throughout the resource's lifecycle. For example, when you delete a stack
with an AWS::ECS::Service resource, the DependsOn attribute ensures that the
AWS::ECS::Service resource can complete its deletion before its role's policy is deleted.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
Users
The names of users to attach to this policy.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
ManagedPolicyName
A custom, friendly name for your IAM managed policy. For valid values, see the PolicyName
parameter of the CreatePolicy action in the IAM API Reference.
If you don't specify a PolicyName, AWS CloudFormation generates a unique physical ID and uses
that ID for the policy name. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ARN.
API Version 2010-05-15
1192

AWS CloudFormation User Guide
AWS::IAM::ManagedPolicy

In the following sample, the Ref function returns the ARN of the CreateTestDBPolicy
managed policy, such as arn:aws:iam::123456789012:policy/teststackCreateTestDBPolicy-16M23YE3CS700.
{ "Ref": "CreateTestDBPolicy" }

For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a managed policy and associates it with the TestDBGroup group. The
managed policy grants users permission to create t2.micro database instances. The database must use
the MySQL database engine and the instance name must include the preﬁx test.

JSON
"CreateTestDBPolicy" : {
"Type" : "AWS::IAM::ManagedPolicy",
"Properties" : {
"Description" : "Policy for creating a test database",
"Path" : "/",
"PolicyDocument" :
{
"Version":"2012-10-17",
"Statement" : [{
"Effect" : "Allow",
"Action" : "rds:CreateDBInstance",
"Resource" : {"Fn::Join" : [ "", [ "arn:aws:rds:", { "Ref" : "AWS::Region" }, ":",
{ "Ref" : "AWS::AccountId" }, ":db:test*" ] ]},
"Condition" : {
"StringEquals" : { "rds:DatabaseEngine" : "mysql" }
}
},
{
"Effect" : "Allow",
"Action" : "rds:CreateDBInstance",
"Resource" : {"Fn::Join" : [ "", [ "arn:aws:rds:", { "Ref" : "AWS::Region" }, ":",
{ "Ref" : "AWS::AccountId" }, ":db:test*" ] ]},
"Condition" : {
"StringEquals" : { "rds:DatabaseClass" : "db.t2.micro" }
}
}]
},
"Groups" : ["TestDBGroup"]
}
}

YAML
CreateTestDBPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: "Policy for creating a test database"
Path: "/"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action: "rds:CreateDBInstance"
Resource:

API Version 2010-05-15
1193

AWS CloudFormation User Guide
AWS::IAM::Policy

-

Fn::Join:
- ""
- "arn:aws:rds:"
Ref: "AWS::Region"
- ":"
Ref: "AWS::AccountId"
- ":db:test*"
Condition:
StringEquals:
rds:DatabaseEngine: "mysql"

Effect: "Allow"
Action: "rds:CreateDBInstance"
Resource:
Fn::Join:
- ""
- "arn:aws:rds:"
Ref: "AWS::Region"
- ":"
Ref: "AWS::AccountId"
- ":db:test*"
Condition:
StringEquals:
rds:DatabaseClass: "db.t2.micro"
Groups:
- "TestDBGroup"

AWS::IAM::Policy
The AWS::IAM::Policy resource associates an IAM policy with IAM users, roles, or groups. For more
information about IAM policies, see Overview of IAM Policies in the IAM User Guide guide.
Topics
• Syntax (p. 1194)
• Properties (p. 1195)
• Return Values (p. 1196)
• Examples (p. 1196)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::IAM::Policy",
"Properties" : {
"Groups (p. 1195)" : [ String, ... ],
"PolicyDocument (p. 1195)" : JSON object,
"PolicyName (p. 1195)" : String,
"Roles (p. 1195)" : [ String, ... ],
"Users (p. 1196)" : [ String, ... ]
}

API Version 2010-05-15
1194

AWS CloudFormation User Guide
AWS::IAM::Policy
}

YAML
Type: AWS::IAM::Policy
Properties:
Groups (p. 1195):
- String
PolicyDocument (p. 1195): JSON object
PolicyName (p. 1195): String
Roles (p. 1195):
- String
Users (p. 1196):
- String

Properties
Groups
The names of groups to which you want to add the policy.
Required: Conditional. You must specify at least one of the following properties: Groups, Roles, or
Users.
Type: List of String values
Update requires: No interruption (p. 118)
PolicyDocument
A policy document that contains permissions to add to the speciﬁed users or groups.
Required: Yes
Type: JSON object

Note

AWS Identity and Access Management (IAM) requires that policies be in JSON format.
However, for templates formatted in YAML, you can create an IAM policy in either JSON
or YAML format. AWS CloudFormation always converts a policy to JSON format before
submitting it to IAM.
Update requires: No interruption (p. 118)
PolicyName
The name of the policy. If you specify multiple policies for an entity, specify unique names. For
example, if you specify a list of policies for an IAM role, each policy must have a unique name.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Roles
The names of AWS::IAM::Role (p. 1197)s to which this policy will be attached.

Note

If a policy has a Ref to a role and if a resource (such as AWS::ECS::Service) also
has a Ref to the same role, add a DependsOn attribute to the resource so that the
resource depends on the policy. This dependency ensures that the role's policy is
API Version 2010-05-15
1195

AWS CloudFormation User Guide
AWS::IAM::Policy

available throughout the resource's lifecycle. For example, when you delete a stack
with an AWS::ECS::Service resource, the DependsOn attribute ensures that the
AWS::ECS::Service resource can complete its deletion before its role's policy is deleted.
Required: Conditional. You must specify at least one of the following properties: Groups, Roles, or
Users.
Type: List of String values
Update requires: No interruption (p. 118)
Users
The names of users for whom you want to add the policy.
Required: Conditional. You must specify at least one of the following properties: Groups, Roles, or
Users.
Type: List of String values
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Examples
IAM Policy with policy group
JSON
{

}

"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "CFNUsers",
"PolicyDocument" : {
"Version" : "2012-10-17",
"Statement": [ {
"Effect"
: "Allow",
"Action"
: [
"cloudformation:Describe*",
"cloudformation:List*",
"cloudformation:Get*"
],
"Resource" : "*"
} ]
},
"Groups" : [ { "Ref" : "CFNUserGroup" } ]
}

YAML
Type: AWS::IAM::Policy

API Version 2010-05-15
1196

AWS CloudFormation User Guide
AWS::IAM::Role
Properties:
PolicyName: "CFNUsers"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action:
- "cloudformation:Describe*"
- "cloudformation:List*"
- "cloudformation:Get*"
Resource: "*"
Groups:
Ref: "CFNUserGroup"

IAM Policy with speciﬁed role
JSON
{

}

"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [
{ "Effect": "Allow", "Action": "*", "Resource": "*" }
]
},
"Roles": [ { "Ref": "RootRole" } ]
}

YAML
Type: AWS::IAM::Policy
Properties:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action: "*"
Resource: "*"
Roles:
Ref: "RootRole"

AWS::IAM::Role
Creates an AWS Identity and Access Management (IAM) role. Use an IAM role to enable applications
running on an EC2 instance to securely access your AWS resources.
For more information about IAM roles, see Working with Roles in the AWS Identity and Access
Management User Guide.
Topics
• Syntax (p. 1198)
API Version 2010-05-15
1197

AWS CloudFormation User Guide
AWS::IAM::Role

• Properties (p. 1198)
• Return Values (p. 1200)
• Template Examples (p. 1201)
• See Also (p. 1203)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument (p. 1198)": { JSON },
"ManagedPolicyArns": [ String, ... ],
"MaxSessionDuration (p. 1199)": Integer,
"Path (p. 1199)": String,
"Policies (p. 1199)": [ Policies, ... ],
"RoleName": String
}

YAML
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument (p. 1198):
JSON object
ManagedPolicyArns:
- String
MaxSessionDuration (p. 1199): Integer
Path (p. 1199): String
Policies (p. 1199):
- Policies
RoleName: String

Properties
AssumeRolePolicyDocument
The trust policy that is associated with this role. You can associate only one assume role policy
with a role. For an example of an assume role policy, see Template Examples (p. 1201). For more
information about the elements that you can use in an IAM policy, see IAM Policy Elements
Reference in the IAM User Guide.
Required: Yes
Type: A JSON policy document

Note

AWS Identity and Access Management (IAM) requires that policies be in JSON format.
However, for templates formatted in YAML, you can create an IAM policy in either JSON
or YAML format. AWS CloudFormation always converts a policy to JSON format before
submitting it to IAM.
Update requires: No interruption (p. 118)
API Version 2010-05-15
1198

AWS CloudFormation User Guide
AWS::IAM::Role

ManagedPolicyArns
One or more managed policy ARNs to attach to this role.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
MaxSessionDuration
The maximum session duration (in seconds) for the speciﬁed role. Anyone who uses the AWS CLI
or API to assume the role can specify the duration using the optional DurationSeconds API
parameter or duration-seconds CLI parameter. Minimum value of 3600. Maximum value of
43200.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Path
The path associated with this role. For information about IAM paths, see Friendly Names and Paths
in IAM User Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)
Policies
The policies to associate with this role. For sample templates, see Template Examples (p. 1201).

Important

The name of each policy for a role, user, or group must be unique. If you don't, updates to
the IAM role will fail.

Note

If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy) has
a Ref to a role and if a resource (such as AWS::ECS::Service) also has a Ref to the
same role, add a DependsOn attribute to the resource to make the resource depend on the
external policy. This dependency ensures that the role's policy is available throughout the
resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service
resource, the DependsOn attribute ensures that AWS CloudFormation deletes the
AWS::ECS::Service resource before deleting its role's policy.
Required: No
Type: List of IAM Policies (p. 2011)
Update requires: No interruption (p. 118)
RoleName
A name for the IAM role. For valid values, see the RoleName parameter for the CreateRole action
in the IAM API Reference. If you don't specify a name, AWS CloudFormation generates a unique
physical ID and uses that ID for the group name.
API Version 2010-05-15
1199

AWS CloudFormation User Guide
AWS::IAM::Role

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge
your template's capabilities. For more information, see Acknowledging IAM Resources in AWS
CloudFormation Templates (p. 15).

Warning

Naming an IAM resource can cause an unrecoverable error if you reuse the same template
in multiple regions. To prevent this, we recommend using Fn::Join and AWS::Region
to create a region-speciﬁc name, as in the following example: {"Fn::Join": ["",
[{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.
Required: No
Type: String
Update requires: Replacement (p. 119)

Notes on policies for IAM roles
For general information about IAM policies and policy documents, see How to Write a Policy in IAM User
Guide.

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "RootRole" }

For the IAM::Role with the logical ID "RootRole", Ref will return the resource name.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
Returns the Amazon Resource Name (ARN) for the instance proﬁle. For example:
{"Fn::GetAtt" : ["MyRole", "Arn"] }

This will return a value such as “arn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF”.
RoleId
Returns the stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q.
For more information about IDs, see IAM Identiﬁers in the IAM User Guide.
API Version 2010-05-15
1200

AWS CloudFormation User Guide
AWS::IAM::Role

For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Template Examples
IAM Role with Embedded Policy and Instance Proﬁles
This example shows an embedded Policy in the IAM::Role. The policy is speciﬁed inline in the IAM::Role
Policies property.

JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/",
"Policies": [ {
"PolicyName": "root",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
}
} ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "RootRole"
} ]
}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
RootRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"

API Version 2010-05-15
1201

AWS CloudFormation User Guide
AWS::IAM::Role
Statement:
Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action: "*"
Resource: "*"
RootInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
Ref: "RootRole"

IAM Role with External Policy and Instance Proﬁles
In this example, the Policy and InstanceProﬁle resources are speciﬁed externally to the IAM Role. They
refer to the role by specifying its name, "RootRole", in their respective Roles properties.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]

API Version 2010-05-15
1202

AWS CloudFormation User Guide
AWS::IAM::Role
},
"Roles": [ {
"Ref": "RootRole"
} ]

}

}

}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "RootRole"
} ]
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
RootRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
RolePolicies:
Type: "AWS::IAM::Policy"
Properties:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action: "*"
Resource: "*"
Roles:
Ref: "RootRole"
RootInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
Ref: "RootRole"

See Also
• AWS Identity and Access Management Template Snippets (p. 387)
• AWS::IAM::InstanceProﬁle (p. 1188)
API Version 2010-05-15
1203

AWS CloudFormation User Guide
AWS::IAM::ServiceLinkedRole

AWS::IAM::ServiceLinkedRole
The AWS::IAM::ServiceLinkedRole resource creates a service-linked role in AWS Identity and
Access Management (IAM). A service-linked role is a unique type of IAM role that is linked directly to an
AWS service. Service-linked roles are predeﬁned by the service and include all the permissions that the
service requires to call other AWS services on your behalf. The linked service also deﬁnes how you create,
modify, and delete a service-linked role. For more information, see CreateServiceLinkedRole in the IAM
API Reference or Using Service-Linked Roles in the IAM User Guide.
Topics
• Syntax (p. 1204)
• Properties (p. 1204)
• Examples (p. 1205)
• See Also (p. 1205)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::IAM::ServiceLinkedRole",
"Properties" : {

}

"AWSServiceName" : String,
"CustomSuffix" : String,
"Description" : String

YAML
Type: "AWS::IAM::ServiceLinkedRole"
Properties:
AWSServiceName: String
CustomSuffix: String
Description: String

Properties
AWSServiceName
The service principal for the AWS service to which this role is attached. You use a string similar to a
URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com.
Service principals are unique and case sensitive. To ﬁnd the exact service principal for your servicelinked role, see AWS Services That Work with IAM in the IAM User Guide. Look for the services that
have Yes in the Service-Linked Role column. Choose the Yes link to view the service-linked role
documentation for that service.
Required: Yes
Type: String
API Version 2010-05-15
1204

AWS CloudFormation User Guide
AWS::IAM::User

Update requires: Replacement (p. 119)
CustomSuffix
A string that you provide, which is combined with the service-provided preﬁx to form the complete
role name. If you make multiple requests for the same service, then you must supply a diﬀerent
CustomSuffix for each request. Otherwise the request fails with a duplicate role name error. For
example, you could add -1 or -debug to the suﬃx.
Some services do not support the CustomSuffix parameter. If you provide an optional suﬃx and
the operation fails, try the operation again without the suﬃx.
Required: No
Type: String
Update requires: Replacement (p. 119)
Description
The description of the role.
Required: No
Type: String
Update requires: No interruption (p. 118)

Examples
Create an IAM Service-Linked Role for Auto Scaling
The following example creates a service-linked role that can be assumed by the Auto Scaling service.

YAML
--Description: "SLR resource create test - Auto Scaling"
Resources:
BasicSLR:
Type: "AWS::IAM::ServiceLinkedRole"
Properties:
AWSServiceName: "autoscaling.amazonaws.com"
Description: "Test SLR description"
CustomSuffix: "TestSuffix"
Outputs:
SLRId:
Value: !Ref BasicSLR

See Also
• CreateServiceLinkedRole in the IAM API Reference
• Using Service-Linked Roles in the IAM User Guide

AWS::IAM::User
The AWS::IAM::User type creates a user.
API Version 2010-05-15
1205

AWS CloudFormation User Guide
AWS::IAM::User

Topics
• Syntax (p. 1206)
• Properties (p. 1206)
• Return Values (p. 1208)
• Template Examples (p. 1208)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::IAM::User",
"Properties": {
"Groups (p. 1206)": [ String, ... ],
"LoginProfile (p. 1206)": LoginProfile Type,
"ManagedPolicyArns": [ String, ... ],
"Path (p. 1207)": String,
"Policies (p. 1207)": [ Policies, ... ],
"UserName": String
}

YAML
Type: AWS::IAM::User
Properties:
Groups (p. 1206):
- String
LoginProfile (p. 1206):
LoginProfile Type
ManagedPolicyArns:
- String
Path (p. 1207): String
Policies (p. 1207):
- Policies
UserName: String

Properties
Groups
A name of a group to which you want to add the user.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
LoginProfile
Creates a login proﬁle so that the user can access the AWS Management Console.
Required: No
API Version 2010-05-15
1206

AWS CloudFormation User Guide
AWS::IAM::User

Type: IAM User LoginProﬁle (p. 2012)
Update requires: No interruption (p. 118)
ManagedPolicyArns
One or more managed policy ARNs to attach to this user.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
Path
The path for the user name. For more information about paths, see IAM Identiﬁers in the IAM User
Guide.
Required: No
Type: String
Update requires: No interruption (p. 118)
Policies
The policies to associate with this user. For information about policies, see Overview of IAM Policies
in the IAM User Guide.

Note

If you specify multiple polices, specify unique values for the policy name. If you don't,
updates to the IAM user will fail.
Required: No
Type: List of IAM Policies (p. 2011)
Update requires: No interruption (p. 118)
UserName
A name for the IAM user. For valid values, see the UserName parameter for the CreateUser action
in the IAM API Reference. If you don't specify a name, AWS CloudFormation generates a unique
physical ID and uses that ID for the user name.

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge
your template's capabilities. For more information, see Acknowledging IAM Resources in AWS
CloudFormation Templates (p. 15).

Warning

Naming an IAM resource can cause an unrecoverable error if you reuse the same template
in multiple regions. To prevent this, we recommend using Fn::Join and AWS::Region
to create a region-speciﬁc name, as in the following example: {"Fn::Join": ["",
[{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.
Required: No
Type: String
API Version 2010-05-15
1207

AWS CloudFormation User Guide
AWS::IAM::UserToGroupAddition

Update requires: Replacement (p. 119)

Return Values
Ref
Specifying this resource ID to the intrinsic Ref function will return the UserName. For example:
mystack-myuser-1CCXAFG2H2U4D.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
Returns the Amazon Resource Name (ARN) for the speciﬁed AWS::IAM::User resource. For example:
arn:aws:iam::123456789012:user/mystack-myuser-1CCXAFG2H2U4D.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Template Examples
To view AWS::IAM::User snippets, see: Declaring an IAM User Resource (p. 388).

AWS::IAM::UserToGroupAddition
The AWS::IAM::UserToGroupAddition type adds AWS Identity and Access Management (IAM) users
to a group.
This type supports updates. For more information about updating stacks, see AWS CloudFormation
Stacks Updates (p. 118).
Topics
• Syntax (p. 1208)
• Properties (p. 1209)
• Return Value (p. 1209)
• Template Examples (p. 1209)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type": "AWS::IAM::UserToGroupAddition",
"Properties": {
"GroupName (p. 1209)": String,
"Users (p. 1209)": [ User1, ... ]

API Version 2010-05-15
1208

AWS CloudFormation User Guide
AWS::Inspector::AssessmentTarget

}

}

YAML
Type: AWS::IAM::UserToGroupAddition
Properties:
GroupName (p. 1209): String
Users (p. 1209):
- User1

Properties
GroupName
The name of group to add users to.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Users
Required: Yes
Type: List of users
Update requires: No interruption (p. 118)

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "MyUserToGroupAddition" }

For the AWS::IAM::UserToGroupAddition with the logical ID "MyUserToGroupAddition", Ref will
return the AWS resource name.
For more information about using the Ref function, see Ref (p. 2311).

Template Examples
To view AWS::IAM::UserToGroupAddition snippets, see Adding Users to a Group (p. 392).

AWS::Inspector::AssessmentTarget
The AWS::Inspector::AssessmentTarget resource creates an Amazon Inspector assessment target
- a resource that contains information about an Amazon Inspector application.
Topics
• Syntax (p. 1210)
• Properties (p. 1210)
API Version 2010-05-15
1209

AWS CloudFormation User Guide
AWS::Inspector::AssessmentTarget

• Return Values (p. 1210)
• Examples (p. 1211)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Inspector::AssessmentTarget",
"Properties" : {
"AssessmentTargetName" : String,
"ResourceGroupArn" : String
}

YAML
Type: AWS::Inspector::AssessmentTarget
Properties:
AssessmentTargetName: String
ResourceGroupArn: String

Properties
AssessmentTargetName
The name of the Amazon Inspector assessment target.
Required: No
Type: String
Update requires: Replacement (p. 119)
ResourceGroupArn
The ARN that speciﬁes the resource group that is associated with the assessment target.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Values
Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon Resource Name (ARN) that speciﬁes the assessment target that is created.
API Version 2010-05-15
1210

AWS CloudFormation User Guide
AWS::Inspector::AssessmentTemplate

For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Declaring an Amazon Inspector Assessment Target Resource
The following example shows how to declare an AWS::Inspector::AssessmentTarget resource to create an
Amazon Inspector assessment target.

JSON

"myassessmenttarget": {
"Type": "AWS::Inspector::AssessmentTarget",
"Properties": {
"AssessmentTargetName" : "MyAssessmentTarget",
"ResourceGroupArn" : "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0AB6DMKnv"
}
}

YAML

myassessmenttarget:
Type: AWS::Inspector::AssessmentTarget
Properties:
AssessmentTargetName : "MyAssessmentTarget"
ResourceGroupArn : "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv"

AWS::Inspector::AssessmentTemplate
The AWS::Inspector::AssessmentTemplate resource creates an Amazon Inspector assessment
template - a resource that contains information about an Amazon Inspector assessment template.
Topics
• Syntax (p. 1211)
• Properties (p. 1212)
• Return Values (p. 1213)
• Examples (p. 1213)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::Inspector::AssessmentTemplate",
"Properties" : {
"AssessmentTargetArn" : String,
"DurationInSeconds" : Integer,

API Version 2010-05-15
1211

AWS CloudFormation User Guide
AWS::Inspector::AssessmentTemplate

}

}

"AssessmentTemplateName" : String,
"RulesPackageArns" : [ String, ... ],
"UserAttributesForFindings" : [ Resource Tag, ... ]

YAML
Type: AWS::Inspector::AssessmentTemplate
Properties:
AssessmentTargetArn: String
DurationInSeconds: Integer
AssessmentTemplateName: String
RulesPackageArns:
- String
UserAttributesForFindings:
- Resource Tag

Properties
AssessmentTargetArn
The ARN of the assessment target that corresponds to this assessment template.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
DurationInSeconds
The duration in seconds speciﬁed for this assessment tempate. The default value is 3600 seconds
(one hour). The maximum value is 86400 seconds (one day).
Required: Yes
Type: Integer
Update requires: Replacement (p. 119)
AssessmentTemplateName
The name of the assessment template.
Required: No
Type: String
Update requires: Replacement (p. 119)
RulesPackageArns
The rules packages that are speciﬁed for this assessment template.
Required: Yes
Type: List of String values
Update requires: Replacement (p. 119)
API Version 2010-05-15
1212

AWS CloudFormation User Guide
AWS::Inspector::AssessmentTemplate

UserAttributesForFindings
The user-deﬁned attributes that are assigned to every generated ﬁnding from the assessment run
that uses this assessment template.
Required: No
Type: List of AWS CloudFormation Resource Tags (p. 2106)
Update requires: Replacement (p. 119)

Return Values
Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon Resource Name (ARN) that speciﬁes the assessment template that is created.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Declaring an Amazon Inspector Assessment Template Resource
The following example shows how to declare an AWS::Inspector::AssessmentTemplate resource to create
an Amazon Inspector assessment template.

JSON
"myassessmenttemplate": {
"Type": "AWS::Inspector::AssessmentTemplate",
"Properties": {
"AssessmentTargetArn" : "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX",
"DurationInSeconds" : 180,
"AssessmentTemplateName" : "MyAssessmentTemplate",
"RulesPackageArns" : [ "arn:aws:inspector:uswest-2:758058086616:rulespackage/0-11B9DBXp" ],
"UserAttributesForFindings" : [
{
"key": "Example",
"value": "example"
}
]
}
}

YAML
myassessmenttemplate:

API Version 2010-05-15
1213

AWS CloudFormation User Guide
AWS::Inspector::ResourceGroup
Properties:
AssessmentTargetArn: "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX"
AssessmentTemplateName: MyAssessmentTemplate
DurationInSeconds: 180
RulesPackageArns:
- "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-11B9DBXp"
UserAttributesForFindings:
Key: Example
Value: example
Type: AWS::Inspector::AssessmentTemplate

AWS::Inspector::ResourceGroup
The AWS::Inspector::ResourceGroup resource is used to create Amazon Inspector resource groups.
A resource group deﬁnes a set of tags that, when queried, identify the AWS resources that make up the
assessment target.
Topics
• Syntax (p. 1214)
• Properties (p. 1214)
• Return Values (p. 1215)
• Examples (p. 1215)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Inspector::ResourceGroup",
"Properties" : {
"ResourceGroupTags" : [ Resource Tag, ... ]
}

YAML
Type: AWS::Inspector::ResourceGroup
Properties:
ResourceGroupTags:
- Resource Tag

Properties
ResourceGroupTags
The tags (key and value pairs) of the resource group.
Required: Yes
Type: List of AWS CloudFormation Resource Tags (p. 2106)
Update requires: Replacement (p. 119)
API Version 2010-05-15
1214

AWS CloudFormation User Guide
AWS::IoT::Certiﬁcate

Return Values
Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon Resource Name (ARN) that speciﬁes the resource group that is created.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Declaring an Amazon Inspector Assessment Resource Group Resource
The following example shows how to declare an AWS::Inspector::ResourceGroup resource to create an
Amazon Inspector resource group.

JSON
"myresourcegroup": {
"Type": "AWS::Inspector::ResourceGroup",
"Properties": {
"ResourceGroupTags": [
{
"Key": "Name",
"Value": "example"
}
]
}
}

YAML
myresourcegroup:
Type: "AWS::Inspector::ResourceGroup"
Properties:
ResourceGroupTags:
- Key: "Name"
Value: "example"

AWS::IoT::Certiﬁcate
Use the AWS::IoT::Certificate resource to declare an X.509 certiﬁcate.
For information about working with X.509 certiﬁcates, see Authentication in AWS IoT in the AWS IoT
Developer Guide.

Syntax
JSON
{

API Version 2010-05-15
1215

AWS CloudFormation User Guide
AWS::IoT::Certiﬁcate

}

"Type": "AWS::IoT::Certificate",
"Properties": {
"CertificateSigningRequest": String,
"Status": String
}

YAML
Type: AWS::IoT::Certificate
Properties:
CertificateSigningRequest: String
Status: String

Properties
CertificateSigningRequest
The certiﬁcate signing request (CSR).
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Status
The status of the certiﬁcate.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When you provide the logical ID of this resource to the Ref intrinsic function, Ref returns the certiﬁcate
ID. For example:
{ "Ref": "MyCertificate" }

A value similar to the following is returned:
a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
API Version 2010-05-15
1216

AWS CloudFormation User Guide
AWS::IoT::Certiﬁcate

Arn
Returns the Amazon Resource Name (ARN) for the instance proﬁle. For example:
{ "Fn::GetAtt": ["MyCertificate", "Arn"] }

A value similar to the following is returned:
arn:aws:iot:ap-southeast-2:123456789012:cert/
a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2

For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example declares an X.509 certiﬁcate and its status.

JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyCertificate": {
"Type": "AWS::IoT::Certificate",
"Properties": {
"CertificateSigningRequest": {
"Ref": "CSRParameter"
},
"Status": {
"Ref": "StatusParameter"
}
}
}
},
"Parameters": {
"CSRParameter": {
"Type": "String"
},
"StatusParameter": {
"Type": "String"
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
MyCertificate:
Type: AWS::IoT::Certificate
Properties:
CertificateSigningRequest:
Ref: "CSRParameter"
Status:
Ref: "StatusParameter"
Parameters:
CSRParameter:
Type: "String"
StatusParameter:

API Version 2010-05-15
1217

AWS CloudFormation User Guide
AWS::IoT::Policy
Type: "String"

AWS::IoT::Policy
Use the AWS::IoT::Policy resource to declare an AWS IoT policy.
For information about working with AWS IoT policies, see Authorization in the AWS IoT Developer Guide.

Syntax
JSON
{

}

"Type": "AWS::IoT::Policy",
"Properties": {
"PolicyDocument": JSON object,
"PolicyName": String
}

YAML
Type: AWS::IoT::Policy
Properties:
PolicyDocument: JSON object
PolicyName: String

Properties
PolicyDocument
The JSON document that describes the policy.
Required: Yes
Type: JSON object
Update requires: Replacement (p. 119)
PolicyName
The name (the physical ID) of the AWS IoT policy.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you provide the logical ID of this resource to the Ref intrinsic function, Ref returns the policy
name. For example:
{ "Ref": "MyPolicy" }

API Version 2010-05-15
1218

AWS CloudFormation User Guide
AWS::IoT::Policy

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon Resource Name (ARN) of the AWS IoT policy, such as arn:aws:iot:useast-2:123456789012:policy/MyPolicy.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example declares an AWS IoT policy.

JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyPolicy": {
"Type": "AWS::IoT::Policy",
"Properties": {
"PolicyName": {
"Ref": "NameParameter"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": [
"*"
]
}]
}
}
}
},
"Parameters": {
"NameParameter": {
"Type": "String"
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
MyPolicy:
Type: AWS::IoT::Policy
Properties:
PolicyName:
Ref: "NameParameter"

API Version 2010-05-15
1219

AWS CloudFormation User Guide
AWS::IoT::PolicyPrincipalAttachment
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action:
- "iot:Connect"
Resource:
- "*"
Parameters:
NameParameter:
Type: "String"

AWS::IoT::PolicyPrincipalAttachment
Use the AWS::IoT::PolicyPrincipalAttachment resource to attach an AWS IoT policy to a
principal (an X.509 certiﬁcate or other credential).
For information about working with AWS IoT policies and principals, see Authorization in the AWS IoT
Developer Guide.

Syntax
JSON
{

}

"Type": "AWS::IoT::PolicyPrincipalAttachment",
"Properties": {
"PolicyName": String,
"Principal": String
}

YAML
Type: AWS::IoT::PolicyPrincipalAttachment
Properties:
PolicyName: String
Principal: String

Properties
PolicyName
The name of the policy.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Principal
The principal, which can be a certiﬁcate ARN (as returned from the CreateCertificate operation)
or an Amazon Cognito ID.
Required: Yes
API Version 2010-05-15
1220

AWS CloudFormation User Guide
AWS::IoT::Thing

Type: String
Update requires: Replacement (p. 119)

Example
The following example attaches a policy to a principal.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyPolicyPrincipalAttachment": {
"Type": "AWS::IoT::PolicyPrincipalAttachment",
"Properties": {
"PolicyName": {
"Ref": "NameParameter"
},
"Principal": "arn:aws:iot:ap-southeast-2:123456789012:cert/
a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2"
}
}
},
"Parameters": {
"NameParameter": {
"Type": "String"
}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
MyPolicyPrincipalAttachment:
Type: AWS::IoT::PolicyPrincipalAttachment
Properties:
PolicyName:
Ref: "NameParameter"
Principal: "arn:aws:iot:ap-southeast-2:123456789012:cert/
a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2"
Parameters:
NameParameter:
Type: "String"

AWS::IoT::Thing
Use the AWS::IoT::Thing resource to declare an AWS IoT thing.
For information about working with things, see How AWS IoT Works and Device Registry for AWS IoT in
the AWS IoT Developer Guide.

Syntax
JSON
{

API Version 2010-05-15
1221

AWS CloudFormation User Guide
AWS::IoT::Thing

}

"Type": "AWS::IoT::Thing",
"Properties": {
"AttributePayload": AttributePayload (p. 2027)
"ThingName": String
}

YAML
Type: AWS::IoT::Thing
Properties:
AttributePayload:
AttributePayload (p. 2027)
ThingName: String

Properties
AttributePayload
The attribute payload.
Required: No
Type: AWS IoT Thing AttributePayload (p. 2027)
Update requires: No interruption (p. 118)
ThingName
The name (the physical ID) of the AWS IoT thing.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When you provide the logical ID of this resource to the Ref intrinsic function, Ref returns the thing
name. For example:
{ "Ref": "MyThing" }

For a stack named MyStack, a value similar to the following is returned:
MyStack-MyThing-AB1CDEFGHIJK

For more information about using the Ref function, see Ref (p. 2311).

Example
The following example declares a thing and the values of its attributes.
API Version 2010-05-15
1222

AWS CloudFormation User Guide
AWS::IoT::Thing

JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyThing": {
"Type": "AWS::IoT::Thing",
"Properties": {
"ThingName": {
"Ref": "NameParameter"
},
"AttributePayload": {
"Attributes": {
"myAttributeA": {
"Ref": "MyAttributeValueA"
},
"myAttributeB": {
"Ref": "MyAttributeValueB"
},
"myAttributeC": {
"Ref": "MyAttributeValueC"
}
}
}
}
}
},
"Parameters": {
"NameParameter": {
"Type": "String"
},
"MyAttributeValueA": {
"Type": "String",
"Default": "myStringA123"
},
"MyAttributeValueB": {
"Type": "String",
"Default": "myStringB123"
},
"MyAttributeValueC": {
"Type": "String",
"Default": "myStringC123"
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
MyThing:
Type: AWS::IoT::Thing
Properties:
ThingName:
Ref: "NameParameter"
AttributePayload:
Attributes:
myAttributeA:
Ref: "MyAttributeValueA"
myAttributeB:
Ref: "MyAttributeValueB"
myAttributeC:
Ref: "MyAttributeValueC"

API Version 2010-05-15
1223

AWS CloudFormation User Guide
AWS::IoT::ThingPrincipalAttachment
Parameters:
NameParameter:
Type: "String"
MyAttributeValueA:
Type: "String"
Default: "myStringA123"
MyAttributeValueB:
Type: "String"
Default: "myStringB123"
MyAttributeValueC:
Type: "String"
Default: "myStringC123"

AWS::IoT::ThingPrincipalAttachment
Use the AWS::IoT::ThingPrincipalAttachment resource to attach a principal (an X.509 certiﬁcate
or another credential) to a thing.
For information about working with AWS IoT things and principals, see Authorization in the AWS IoT
Developer Guide.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::IoT::ThingPrincipalAttachment",
"Properties": {
"Principal": String,
"ThingName": String
}

YAML
Type: AWS::IoT::ThingPrincipalAttachment
Properties:
Principal: String
ThingName: String

Properties
Principal
The principal, which can be a certiﬁcate ARN (as returned from the CreateCertificate operation)
or an Amazon Cognito ID.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ThingName
The name of the AWS IoT thing.
Required: Yes
API Version 2010-05-15
1224

AWS CloudFormation User Guide
AWS::IoT::TopicRule

Type: String
Update requires: Replacement (p. 119)

Example
The following example attaches a principal to a thing.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyThingPrincipalAttachment": {
"Type": "AWS::IoT::ThingPrincipalAttachment",
"Properties": {
"ThingName": {
"Ref": "NameParameter"
},
"Principal": "arn:aws:iot:ap-southeast-2:123456789012:cert/
a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2"
}
}
},
"Parameters": {
"NameParameter": {
"Type": "String"
}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
MyThingPrincipalAttachment:
Type: AWS::IoT::ThingPrincipalAttachment
Properties:
ThingName:
Ref: "NameParameter"
Principal: "arn:aws:iot:ap-southeast-2:123456789012:cert/
a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2"
Parameters:
NameParameter:
Type: "String"

AWS::IoT::TopicRule
Use the AWS::IoT::TopicRule resource to declare an AWS IoT rule.
For information about working with AWS IoT rules, see Rules for AWS IoT in the AWS IoT Developer Guide.

Syntax
JSON
{

API Version 2010-05-15
1225

AWS CloudFormation User Guide
AWS::IoT::TopicRule

}

"Type": "AWS::IoT::TopicRule",
"Properties": {
"RuleName": String,
"TopicRulePayload": TopicRulePayLoad
}

YAML
Type: AWS::IoT::TopicRule
Properties:
RuleName: String
TopicRulePayload: TopicRulePayLoad

Properties
RuleName
The name (the physical ID) of the AWS IoT rule.
Required: No
Type: String
Update requires: Replacement (p. 119)
TopicRulePayload
The actions associated with the AWS IoT rule.
Required: Yes
Type: TopicRulePayload (p. 2028) object
Update requires: No interruption (p. 118)

Return Values
Ref
When you provide the logical ID of this resource to the Ref intrinsic function, Ref returns the topic rule
name. For example:
{ "Ref": "MyTopicRule" }

For a stack named My-Stack (the – character is omitted), a value similar to the following is returned:
MyStackMyTopicRule12ABC3D456EFG

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
API Version 2010-05-15
1226

AWS CloudFormation User Guide
AWS::IoT::TopicRule

Arn
The Amazon Resource Name (ARN) of the AWS IoT rule, such as arn:aws:iot:useast-2:123456789012:rule/MyIoTRule.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example declares an AWS IoT rule.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyTopicRule": {
"Type": "AWS::IoT::TopicRule",
"Properties": {
"RuleName": {
"Ref": "NameParameter"
},
"TopicRulePayload": {
"RuleDisabled": "true",
"Sql": "SELECT temp FROM 'SomeTopic' WHERE temp > 60",
"Actions": [{
"S3": {
"BucketName": {
"Ref": "MyBucket"
},
"RoleArn": {
"Fn::GetAtt": ["MyRole", "Arn"]
},
"Key": "MyKey.txt"
}
}]
}
}
},
"MyBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {}
},
"MyRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": [
"iot.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}]
}
}
}
},

API Version 2010-05-15
1227

AWS CloudFormation User Guide
AWS::Kinesis::Stream

}

"Parameters": {
"NameParameter": {
"Type": "String"
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
MyTopicRule:
Type: AWS::IoT::TopicRule
Properties:
RuleName:
Ref: "NameParameter"
TopicRulePayload:
RuleDisabled: "true"
Sql: >Select temp FROM 'SomeTopic' WHERE temp > 60
Actions:
S3:
BucketName:
Ref: "MyBucket"
RoleArn:
Fn::GetAtt:
- "MyRole"
- "Arn"
Key: "MyKey.txt"
MyBucket:
Type: AWS::S3::Bucket
Properties:
MyRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- "iot.amazonaws.com"
Action:
- "sts:AssumeRole"
Parameters:
NameParameter:
Type: "String"

AWS::Kinesis::Stream
Creates an Kinesis stream that captures and transports data records that are emitted from data sources.
For information about creating streams, see CreateStream in the Amazon Kinesis API Reference.
Topics
• Syntax (p. 1229)
• Properties (p. 1229)
• Return Values (p. 1230)
• Example (p. 1230)
API Version 2010-05-15
1228

AWS CloudFormation User Guide
AWS::Kinesis::Stream

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Kinesis::Stream",
"Properties" : {
"Name" : String,
"RetentionPeriodHours" : Integer,
"ShardCount" : Integer,
"StreamEncryption" : Kinesis StreamEncryption,
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: AWS::Kinesis::Stream
Properties:
Name: String
RetentionPeriodHours: Integer
ShardCount: Integer
StreamEncryption: Kinesis StreamEncryption
Tags:
- Resource Tag

Properties
Note

For more information about constraints and values for each property, see CreateStream in the
Amazon Kinesis API Reference and Amazon Kinesis Data Streams Limits in the Amazon Kinesis
Developer Guide.
Name
The name of the Kinesis stream. If you don't specify a name, AWS CloudFormation generates
a unique physical ID and uses that ID for the stream name. For more information, see Name
Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
RetentionPeriodHours
The number of hours for the data records that are stored in shards to remain accessible. The
default value is 24. For more information about the stream retention period, see Changing the Data
Retention Period in the Amazon Kinesis Developer Guide.
Required: No
Type: Integer
API Version 2010-05-15
1229

AWS CloudFormation User Guide
AWS::Kinesis::Stream

Update requires: No interruption (p. 118)
ShardCount
The number of shards that the stream uses. For greater provisioned throughput, increase the
number of shards.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
StreamEncryption
Enables or updates server-side encryption using an AWS KMS key for a speciﬁed stream.
Required: No
Type: Kinesis StreamEncryption (p. 2029)
Update requires: No interruption (p. 118)
Tags
An arbitrary set of tags (key–value pairs) to associate with the Kinesis stream. For information about
constraints for this property, see Tag Restrictions in the Amazon Kinesis Developer Guide.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Return Values
Ref
When you specify an AWS::Kinesis::Stream resource as an argument to the Ref function, AWS
CloudFormation returns the stream name (physical ID).
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for the Arn attribute.
Arn
The Amazon resource name (ARN) of the Kinesis stream, such as arn:aws:kinesis:useast-2:123456789012:stream/mystream.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example creates a Stream resource that uses three shards, sets a seven-day retention
period, and speciﬁes the KMS key for server-side encryption.

JSON
"MyStream": {

API Version 2010-05-15
1230

AWS CloudFormation User Guide
AWS::KinesisAnalytics::Application

}

"Type": "AWS::Kinesis::Stream",
"Properties": {
"Name": "MyKinesisStream",
"RetentionPeriodHours" : 168,
"ShardCount": 3,
"StreamEncryption":
{
"EncryptionType": "KMS",
"KeyId": "!Ref myKey"
},
"Tags": [
{
"Key": "Environment",
"Value": "Production"
}
]
}

YAML
MyStream:
Type: AWS::Kinesis::Stream
Properties:
Name: MyKinesisStream
RetentionPeriodHours: 168
ShardCount: 3
StreamEncryption:
EncryptionType: KMS
KeyId: !Ref myKey
Tags:
Key: Environment
Value: Production

AWS::KinesisAnalytics::Application
The AWS::KinesisAnalytics::Application resource creates an Amazon Kinesis Data Analytics
application. For more information, see the Amazon Kinesis Data Analytics Developer Guide.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::KinesisAnalytics::Application",
"Properties" : {
"ApplicationName" : String,
"ApplicationDescription" : String,
"ApplicationCode" : String,
"Inputs" : [ Input (p. 2031), ... ]
}

YAML
Type: AWS::KinesisAnalytics::Application

API Version 2010-05-15
1231

AWS CloudFormation User Guide
AWS::KinesisAnalytics::Application
Properties:
ApplicationName: String
ApplicationDescription: String
ApplicationCode: String
Inputs:
- Input (p. 2031)

Properties
ApplicationName
The name of your Amazon Kinesis Data Analytics application.
Required: No
Type: String
Update requires: Replacement (p. 119)
ApplicationDescription
The summary description of the application.
Required: No
Type: String
Update requires: No interruption (p. 118)
ApplicationCode
One or more SQL statements that read input data, transform it, and generate output.
Required: No
Type: String
Update requires: No interruption (p. 118)
Inputs
Use this parameter to conﬁgure the application input.
Required: Yes
Type: List of Kinesis Data Analytics Application Input (p. 2031)
Update requires: No interruption (p. 118)

Example
Creating an Amazon Kinesis Data Analytics Application
The following example demonstrates how to create and conﬁgure a Kinesis Data Analytics application.

YAML
--Description: "Sample KinesisAnalytics via CloudFormation"
Resources:
BasicApplication:
Type: AWS::KinesisAnalytics::Application
Properties:

API Version 2010-05-15
1232

AWS CloudFormation User Guide
AWS::KinesisAnalytics::Application
ApplicationName: "sampleApplication"
ApplicationDescription: "SampleApp"
ApplicationCode: "Example Application Code"
Inputs:
- NamePrefix: "exampleNamePrefix"
InputSchema:
RecordColumns:
- Name: "example"
SqlType: "VARCHAR(16)"
Mapping: "$.example"
RecordFormat:
RecordFormatType: "JSON"
MappingParameters:
JSONMappingParameters:
RecordRowPath: "$"
KinesisStreamsInput:
ResourceARN: !GetAtt InputKinesisStream.Arn
RoleARN: !GetAtt KinesisAnalyticsRole.Arn
InputKinesisStream:
Type: AWS::Kinesis::Stream
Properties:
ShardCount: 1
KinesisAnalyticsRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: kinesisanalytics.amazonaws.com
Action: "sts:AssumeRole"
Path: "/"
Policies:
- PolicyName: Open
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
BasicApplicationOutputs:
Type: AWS::KinesisAnalytics::ApplicationOutput
DependsOn: BasicApplication
Properties:
ApplicationName: !Ref BasicApplication
Output:
Name: "exampleOutput"
DestinationSchema:
RecordFormatType: "CSV"
KinesisStreamsOutput:
ResourceARN: !GetAtt OutputKinesisStream.Arn
RoleARN: !GetAtt KinesisAnalyticsRole.Arn
OutputKinesisStream:
Type: AWS::Kinesis::Stream
Properties:
ShardCount: 1
ApplicationReferenceDataSource:
Type: AWS::KinesisAnalytics::ApplicationReferenceDataSource
DependsOn: BasicApplicationOutputs
Properties:
ApplicationName: !Ref BasicApplication
ReferenceDataSource:
TableName: "exampleTable"
ReferenceSchema:
RecordColumns:

API Version 2010-05-15
1233

AWS CloudFormation User Guide
AWS::KinesisAnalytics::ApplicationOutput
- Name: "example"
SqlType: "VARCHAR(16)"
Mapping: "$.example"
RecordFormat:
RecordFormatType: "JSON"
MappingParameters:
JSONMappingParameters:
RecordRowPath: "$"
S3ReferenceDataSource:
BucketARN: !GetAtt S3Bucket.Arn
FileKey: 'fakeKey'
ReferenceRoleARN: !GetAtt KinesisAnalyticsRole.Arn
S3Bucket:
Type: AWS::S3::Bucket
Outputs:
ApplicationPhysicalResourceId:
Value: !Ref BasicApplication

AWS::KinesisAnalytics::ApplicationOutput
The AWS::KinesisAnalytics::ApplicationOutput resource adds an external destination to your
Amazon Kinesis Data Analytics application. For more information, see AddApplicationOutput in the
Amazon Kinesis Data Analytics Developer Guide.
Topics
• Syntax (p. 1234)
• Properties (p. 1234)
• Examples (p. 1235)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::KinesisAnalytics::ApplicationOutput",
"Properties" : {
"ApplicationName" : String,
"Output" : Output (p. 2045)
}

YAML
Type: AWS::KinesisAnalytics::ApplicationOutput
Properties:
ApplicationName: String
Output:
Output (p. 2045)

Properties
ApplicationName
The name of the application to which you want to add the output conﬁguration.
API Version 2010-05-15
1234

AWS CloudFormation User Guide
AWS::KinesisAnalytics::ApplicationReferenceDataSource

Required: Yes
Type: String
Update requires: Replacement (p. 119)
Output
An array of objects, each describing one output conﬁguration.
Required: Yes
Type: Kinesis Data Analytics ApplicationOutput Output (p. 2045)
Update requires: No interruption (p. 118)

Examples
Adding an ApplicationOutput Resource
The following example adds an ApplicationOutput resource to an Amazon Kinesis Data Analytics
application.

YAML
Type: AWS::KinesisAnalytics::ApplicationOutput
Properties:
ApplicationName: !Ref BasicApplication
Output:
Name: "exampleOutput"
DestinationSchema:
RecordFormatType: "CSV"
KinesisStreamsOutput:
ResourceARN: !GetAtt OutputKinesisStream.Arn
RoleARN: !GetAtt KinesisAnalyticsRole.Arn

AWS::KinesisAnalytics::ApplicationReferenceDataSource
Use the AWS CloudFormation AWS::KinesisAnalytics::ApplicationReferenceDataSource
resource to add a reference data source to an existing Amazon Kinesis Data Analytics application. For
more information, see AddApplicationReferenceDataSource in the Amazon Kinesis Data Analytics
Developer Guide.
Topics
• Syntax (p. 1235)
• Properties (p. 1236)
• Examples (p. 1236)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::KinesisAnalytics::ApplicationReferenceDataSource",

API Version 2010-05-15
1235

AWS CloudFormation User Guide
AWS::KinesisAnalytics::ApplicationReferenceDataSource

}

"Properties" : {
"ApplicationName" : String,
"ReferenceDataSource" : ReferenceDataSource (p. 2051),
}

YAML
Type: AWS::KinesisAnalytics::ApplicationReferenceDataSource
Properties:
ApplicationName: String
ReferenceDataSource:
ReferenceDataSource (p. 2051)

Properties
ApplicationName
The name of an existing application.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ReferenceDataSource
The reference data source, which is an object in your Amazon Simple Storage Service (Amazon S3)
bucket.
Required: Yes
Type: Kinesis Data Analytics ApplicationReferenceDataSource ReferenceDataSource (p. 2051)
Update requires: No interruption (p. 118)

Examples
Creating an ApplicationReferenceDataSource Resource
The following example creates an ApplicationReferenceDataSource resource:

YAML
ApplicationReferenceDataSource:
Type: AWS::KinesisAnalytics::ApplicationReferenceDataSource
Properties:
ApplicationName: !Ref BasicApplication
ReferenceDataSource:
TableName: "exampleTable"
ReferenceSchema:
RecordColumns:
- Name: "example"
SqlType: "VARCHAR(16)"
Mapping: "$.example"
RecordFormat:
RecordFormatType: "JSON"
MappingParameters:

API Version 2010-05-15
1236

AWS CloudFormation User Guide
AWS::KinesisFirehose::DeliveryStream
JSONMappingParameters:
RecordRowPath: "$"
S3ReferenceDataSource:
BucketARN: !GetAtt S3Bucket.Arn
FileKey: 'fakeKey'
ReferenceRoleARN: !GetAtt KinesisAnalyticsRole.Arn

AWS::KinesisFirehose::DeliveryStream
The AWS::KinesisFirehose::DeliveryStream resource creates an Amazon Kinesis Data Firehose
(Kinesis Data Firehose) delivery stream that delivers real-time streaming data to an Amazon Simple
Storage Service (Amazon S3), Amazon Redshift, or Amazon Elasticsearch Service (Amazon ES)
destination. For more information, see Creating an Amazon Kinesis Data Firehose Delivery Stream in the
Amazon Kinesis Data Firehose Developer Guide.
Topics
• Syntax (p. 1237)
• Properties (p. 1238)
• Return Values (p. 1239)
• Examples (p. 1239)
• See Also (p. 1245)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::KinesisFirehose::DeliveryStream",
"Properties" : {
"DeliveryStreamName" : String,
"DeliveryStreamType" : String,
"ElasticsearchDestinationConfiguration" : ElasticsearchDestinationConfiguration (p. 2058),
"ExtendedS3DestinationConfiguration" : ExtendedS3DestinationConfiguration (p. 2061),
"KinesisStreamSourceConfiguration" : KinesisStreamSourceConfiguration (p. 2064),
"RedshiftDestinationConfiguration" : RedshiftDestinationConfiguration (p. 2068),
"S3DestinationConfiguration" : S3DestinationConfiguration (p. 2070),
"SplunkDestinationConfiguration" : SplunkDestinationConfiguration (p. 2072)
}

}

YAML
Type: AWS::KinesisFirehose::DeliveryStream
Properties:
DeliveryStreamName: String
DeliveryStreamType: String
ElasticsearchDestinationConfiguration:
ElasticsearchDestinationConfiguration (p. 2058)
ExtendedS3DestinationConfiguration:
ExtendedS3DestinationConfiguration (p. 2061)
KinesisStreamSourceConfiguration:
KinesisStreamSourceConfiguration (p. 2064)
RedshiftDestinationConfiguration:

API Version 2010-05-15
1237

AWS CloudFormation User Guide
AWS::KinesisFirehose::DeliveryStream
RedshiftDestinationConfiguration (p. 2068)
S3DestinationConfiguration:
S3DestinationConfiguration (p. 2070)
SplunkDestinationConfiguration:
SplunkDestinationConfiguration (p. 2072)

Properties
DeliveryStreamName
A name for the delivery stream.
Required: No
Type: String
Update requires: Replacement (p. 119)
DeliveryStreamType
The delivery stream type. This property can be one of the following values:
• DirectPut: Provider applications access the delivery stream directly.
• KinesisStreamAsSource: The delivery stream uses a Kinesis stream as a source.
Required: No
Type: String
Update requires: Replacement (p. 119)
ElasticsearchDestinationConfiguration
An Amazon ES destination for the delivery stream.
Required: Conditional. You must specify only one destination conﬁguration.
Type: Kinesis Data Firehose DeliveryStream ElasticsearchDestinationConﬁguration (p. 2058)
Update requires: No interruption (p. 118). If you change the delivery stream destination from an
Amazon ES destination to an Amazon S3 or Amazon Redshift destination, update requires some
interruptions (p. 119).
ExtendedS3DestinationConfiguration
An Amazon S3 destination for the delivery stream.
Required: Conditional. You must specify only one destination conﬁguration.
Type: Kinesis Data Firehose DeliveryStream ExtendedS3DestinationConﬁguration (p. 2061)
Update requires: No interruption (p. 118). If you change the delivery stream destination
from an Amazon Redshift destination to an Amazon ES destination, update requires some
interruptions (p. 119).
KinesisStreamSourceConfiguration
When a Kinesis stream is used as the source for the delivery stream, a Kinesis Data Firehose
DeliveryStream KinesisStreamSourceConﬁguration (p. 2064) containing the Kinesis stream ARN and
the role ARN for the source stream.
Required: No
Type: Kinesis Data Firehose DeliveryStream KinesisStreamSourceConﬁguration (p. 2064)
API Version 2010-05-15
1238

AWS CloudFormation User Guide
AWS::KinesisFirehose::DeliveryStream

Update requires: No interruption (p. 118)
RedshiftDestinationConfiguration
An Amazon Redshift destination for the delivery stream.
Required: Conditional. You must specify only one destination conﬁguration.
Type: Kinesis Data Firehose DeliveryStream RedshiftDestinationConﬁguration (p. 2068)
Update requires: No interruption (p. 118). If you change the delivery stream destination
from an Amazon Redshift destination to an Amazon ES destination, update requires some
interruptions (p. 119).
S3DestinationConfiguration
An Amazon S3 destination for the delivery stream.
Required: Conditional. You must specify only one destination conﬁguration.
Type: Kinesis Data Firehose DeliveryStream S3DestinationConﬁguration (p. 2070)
Update requires: No interruption (p. 118). If you change the delivery stream destination from an
Amazon S3 destination to an Amazon ES destination, update requires some interruptions (p. 119).
SplunkDestinationConfiguration
The conﬁguration of a destination in Splunk for the delivery stream.
Required: No
Type: Kinesis Data Firehose DeliveryStream SplunkDestinationConﬁguration (p. 2072)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the delivery
stream name, such as mystack-deliverystream-1ABCD2EF3GHIJ.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon Resource Name (ARN) of the delivery stream, such as arn:aws:firehose:useast-2:123456789012:deliverystream/delivery-stream-name.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
The following example creates a Kinesis Data Firehose delivery stream that delivers data to an Amazon
ES destination. Kinesis Data Firehose backs up all data sent to the destination in an Amazon S3 bucket.
API Version 2010-05-15
1239

AWS CloudFormation User Guide
AWS::KinesisFirehose::DeliveryStream

JSON
"ElasticSearchDeliveryStream": {
"Type": "AWS::KinesisFirehose::DeliveryStream",
"Properties": {
"ElasticsearchDestinationConfiguration": {
"BufferingHints": {
"IntervalInSeconds": 60,
"SizeInMBs": 50
},
"CloudWatchLoggingOptions": {
"Enabled": true,
"LogGroupName": "deliverystream",
"LogStreamName": "elasticsearchDelivery"
},
"DomainARN": { "Ref" : "MyDomainARN" },
"IndexName": { "Ref" : "MyIndexName" },
"IndexRotationPeriod": "NoRotation",
"TypeName" : "fromFirehose",
"RetryOptions": {
"DurationInSeconds": "60"
},
"RoleARN": { "Fn::GetAtt" : ["ESdeliveryRole", "Arn"] },
"S3BackupMode": "AllDocuments",
"S3Configuration": {
"BucketARN": { "Ref" : "MyBackupBucketARN" },
"BufferingHints": {
"IntervalInSeconds": "60",
"SizeInMBs": "50"
},
"CompressionFormat": "UNCOMPRESSED",
"Prefix": "firehose/",
"RoleARN": { "Fn::GetAtt" : ["S3deliveryRole", "Arn"] },
"CloudWatchLoggingOptions" : {
"Enabled" : true,
"LogGroupName" : "deliverystream",
"LogStreamName" : "s3Backup"
}
}
}
}
}

YAML
ElasticSearchDeliveryStream:
Type: AWS::KinesisFirehose::DeliveryStream
Properties:
ElasticsearchDestinationConfiguration:
BufferingHints:
IntervalInSeconds: 60
SizeInMBs: 50
CloudWatchLoggingOptions:
Enabled: true
LogGroupName: "deliverystream"
LogStreamName: "elasticsearchDelivery"
DomainARN:
Ref: "MyDomainARN"
IndexName:
Ref: "MyIndexName"
IndexRotationPeriod: "NoRotation"
TypeName: "fromFirehose"
RetryOptions:
DurationInSeconds: "60"

API Version 2010-05-15
1240

AWS CloudFormation User Guide
AWS::KinesisFirehose::DeliveryStream
RoleARN:
Fn::GetAtt:
- "ESdeliveryRole"
- "Arn"
S3BackupMode: "AllDocuments"
S3Configuration:
BucketARN:
Ref: "MyBackupBucketARN"
BufferingHints:
IntervalInSeconds: "60"
SizeInMBs: "50"
CompressionFormat: "UNCOMPRESSED"
Prefix: "firehose/"
RoleARN:
Fn::GetAtt:
- "S3deliveryRole"
- "Arn"
CloudWatchLoggingOptions:
Enabled: true
LogGroupName: "deliverystream"
LogStreamName: "s3Backup"

The following example uses the ExtendedS3DestinationConfiguration property to specify an
Amazon S3 destination for the delivery stream.

JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Stack for Firehose DeliveryStream S3 Destination.",
"Resources": {
"deliverystream": {
"DependsOn": ["deliveryPolicy"],
"Type": "AWS::KinesisFirehose::DeliveryStream",
"Properties": {
"ExtendedS3DestinationConfiguration": {
"BucketARN": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref":"s3bucket"}]]},
"BufferingHints": {
"IntervalInSeconds": "60",
"SizeInMBs": "50"
},
"CompressionFormat": "UNCOMPRESSED",
"Prefix": "firehose/",
"RoleARN": {"Fn::GetAtt" : ["deliveryRole", "Arn"] },
"ProcessingConfiguration" : {
"Enabled": "true",
"Processors": [
{
"Parameters": [
{
"ParameterName": "LambdaArn",
"ParameterValue": {"Fn::GetAtt" : ["myLambda", "Arn"] }
}],
"Type": "Lambda"
}]
}
}
}
},
"s3bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"VersioningConfiguration": {

API Version 2010-05-15
1241

AWS CloudFormation User Guide
AWS::KinesisFirehose::DeliveryStream

}

}

}

"Status": "Enabled"

}
},
"deliveryRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {"Ref":"AWS::AccountId"}
}
}
}
]
}
}
},
"deliveryPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "firehose_delivery_policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"Resource": [
{"Fn::Join": ["", ["arn:aws:s3:::", {"Ref":"s3bucket"}]]},
{"Fn::Join": ["", ["arn:aws:s3:::", {"Ref":"s3bucket"}, "*"]]}
]
}
]
},
"Roles": [{"Ref": "deliveryRole"}]
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: Stack for Firehose DeliveryStream S3 Destination.
Resources:
deliverystream:
DependsOn:

API Version 2010-05-15
1242

AWS CloudFormation User Guide
AWS::KinesisFirehose::DeliveryStream
- deliveryPolicy
Type: AWS::KinesisFirehose::DeliveryStream
Properties:
ExtendedS3DestinationConfiguration:
BucketARN: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref s3bucket
BufferingHints:
IntervalInSeconds: '60'
SizeInMBs: '50'
CompressionFormat: UNCOMPRESSED
Prefix: firehose/
RoleARN: !GetAtt deliveryRole.Arn
ProcessingConfiguration:
Enabled: 'true'
Processors:
- Parameters:
- ParameterName: LambdaArn
ParameterValue: !GetAtt myLambda.Arn
Type: Lambda
s3bucket:
Type: AWS::S3::Bucket
Properties:
VersioningConfiguration:
Status: Enabled
deliveryRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: firehose.amazonaws.com
Action: 'sts:AssumeRole'
Condition:
StringEquals:
'sts:ExternalId': !Ref 'AWS::AccountId'
deliveryPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: firehose_delivery_policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 's3:AbortMultipartUpload'
- 's3:GetBucketLocation'
- 's3:GetObject'
- 's3:ListBucket'
- 's3:ListBucketMultipartUploads'
- 's3:PutObject'
Resource:
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref s3bucket
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref s3bucket
- '*'
Roles:

API Version 2010-05-15
1243

AWS CloudFormation User Guide
AWS::KinesisFirehose::DeliveryStream
- !Ref deliveryRole

The following example uses the KinesisStreamSourceConfiguration property to specify a Kinesis
stream as the source for the delivery stream.

JSON
{

}

"Parameters": {
"deliveryRoleArn": {
"Type": "String"
},
"deliveryStreamName": {
"Type": "String"
},
"kinesisStreamARN": {
"Type": "String"
},
"kinesisStreamRoleArn": {
"Type": "String"
},
"s3bucketArn": {
"Type": "String"
}
},
"Resources": {
"Deliverystream": {
"Type": "AWS::KinesisFirehose::DeliveryStream",
"Properties": {
"DeliveryStreamName": {
"Ref": "deliveryStreamName"
},
"DeliveryStreamType": "KinesisStreamAsSource",
"KinesisStreamSourceConfiguration": {
"KinesisStreamARN": {
"Ref": "kinesisStreamARN"
},
"RoleARN": {
"Ref": "kinesisStreamRoleArn"
}
},
"ExtendedS3DestinationConfiguration": {
"BucketARN": {
"Ref": "s3bucketArn"
},
"BufferingHints": {
"IntervalInSeconds": 60,
"SizeInMBs": 50
},
"CompressionFormat": "UNCOMPRESSED",
"Prefix": "firehose/",
"RoleARN": {
"Ref": "deliveryRoleArn"
}
}
}
}
}

YAML
Parameters:

API Version 2010-05-15
1244

AWS CloudFormation User Guide
AWS::KMS::Alias
deliveryRoleArn:
Type: String
deliveryStreamName:
Type: String
kinesisStreamARN :
Type : String
kinesisStreamRoleArn:
Type : String
s3bucketArn:
Type: String
Resources :
Deliverystream:
Type: AWS::KinesisFirehose::DeliveryStream
Properties:
DeliveryStreamName: !Ref deliveryStreamName
DeliveryStreamType: KinesisStreamAsSource
KinesisStreamSourceConfiguration:
KinesisStreamARN: !Ref kinesisStreamARN
RoleARN: !Ref kinesisStreamRoleArn
ExtendedS3DestinationConfiguration:
BucketARN: !Ref s3bucketArn
BufferingHints:
IntervalInSeconds: 60
SizeInMBs: 50
CompressionFormat: UNCOMPRESSED
Prefix: firehose/
RoleARN: !Ref deliveryRoleArn

See Also
• CreateDeliveryStream in the Amazon Kinesis Data Firehose API Reference

AWS::KMS::Alias
The AWS::KMS::Alias resource creates a display name for a customer master key (CMK) in AWS Key
Management Service (AWS KMS). Using an alias to refer to a key can help you simplify key management.
For example, when rotating keys, you can just update the alias mapping instead of tracking and changing
key IDs. For more information, see Working with Aliases in the AWS Key Management Service Developer
Guide.
Topics
• Syntax (p. 1245)
• Properties (p. 1246)
• Return Value (p. 1246)
• Examples (p. 1246)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::KMS::Alias",
"Properties" : {
"AliasName" : String,
"TargetKeyId" : String

API Version 2010-05-15
1245

AWS CloudFormation User Guide
AWS::KMS::Alias

}

}

YAML
Type: AWS::KMS::Alias
Properties:
AliasName: String
TargetKeyId: String

Properties
AliasName
The name of the alias. The name must start with alias followed by a forward slash, such as
alias/. You can't specify aliases that begin with alias/AWS. These aliases are reserved.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
TargetKeyId
The ID of the key for which you are creating the alias. Specify the key's globally unique identiﬁer or
Amazon Resource Name (ARN). You can't specify another alias.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the alias name,
such as alias/myKeyAlias.
For more information about using the Ref function, see Ref (p. 2311).

Examples
The following examples create the alias/myKeyAlias alias for the myKey AWS KMS key.

JSON
"myKeyAlias" : {
"Type" : "AWS::KMS::Alias",
"Properties" : {
"AliasName" : "alias/myKeyAlias",
"TargetKeyId" : {"Ref":"myKey"}
}
}

API Version 2010-05-15
1246

AWS CloudFormation User Guide
AWS::KMS::Key

YAML
myKeyAlias:
Type: AWS::KMS::Alias
Properties:
AliasName: alias/myKeyAlias
TargetKeyId:
Ref: myKey

AWS::KMS::Key
The AWS::KMS::Key resource creates a customer master key (CMK) in AWS Key Management Service
(AWS KMS). Users (customers) can use the master key to encrypt their data stored in AWS services that
are integrated with AWS KMS or within their applications. For more information, see What is the AWS
Key Management Service? in the AWS Key Management Service Developer Guide.
Topics
• Syntax (p. 1247)
• Properties (p. 1247)
• Return Values (p. 1248)
• Examples (p. 1249)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::KMS::Key",
"Properties" : {
"Description" : String,
"Enabled" : Boolean,
"EnableKeyRotation" : Boolean,
"KeyPolicy" : JSON object
"Tags" : [ Resource Tag, ... ],
}

YAML
Type: AWS::KMS::Key
Properties:
Description: String
Enabled: Boolean
EnableKeyRotation: Boolean
KeyPolicy: JSON object
Tags:
- Resource Tag

Properties
Description
A description of the key. Use a description that helps your users decide whether the key is
appropriate for a particular task.
API Version 2010-05-15
1247

AWS CloudFormation User Guide
AWS::KMS::Key

Required: No
Type: String
Update requires: No interruption (p. 118)
Enabled
Indicates whether the key is available for use. AWS CloudFormation sets this value to true by
default.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
EnableKeyRotation
Indicates whether AWS KMS rotates the key. AWS CloudFormation sets this value to false by
default.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
KeyPolicy
An AWS KMS key policy to attach to the key. Use a policy to specify who has permission to use the
key and which actions they can perform. For more information, see Key Policies in the AWS Key
Management Service Developer Guide.
Required: Yes
Type: JSON object
Update requires: No interruption (p. 118)
Tags
Speciﬁes an arbitrary set of tags (key–value pairs) to associate with this key. Use tags to manage
your resources.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Return Values
Ref
When you provide the logical ID of this resource to the Ref intrinsic function, it returns the key ID, such
as 123ab456-a4c2-44cb-95fd-b781f32fbb37.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
1248

AWS CloudFormation User Guide
AWS::KMS::Key

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The ARN of the AWS KMS key, such as arn:aws:kms:uswest-2:123456789012:key/12a34567-8c90-1defg-af84-0bf06c1747f3.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
The following example creates a custom CMK, which permits the IAM user Alice to administer the key
and allows Bob to use the key for encrypting and decrypting data.

JSON
"myKey" : {
"Type" : "AWS::KMS::Key",
"Properties" : {
"Description" : "A sample key",
"KeyPolicy" : {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::123456789012:user/Alice" },
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::123456789012:user/Bob" },
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]

API Version 2010-05-15
1249

AWS CloudFormation User Guide
AWS::KMS::Key

}

}

}

YAML
myKey:
Type: AWS::KMS::Key
Properties:
Description: "A sample key"
KeyPolicy:
Version: "2012-10-17"
Id: "key-default-1"
Statement:
Sid: "Allow administration of the key"
Effect: "Allow"
Principal:
AWS: "arn:aws:iam::123456789012:user/Alice"
Action:
- "kms:Create*"
- "kms:Describe*"
- "kms:Enable*"
- "kms:List*"
- "kms:Put*"
- "kms:Update*"
- "kms:Revoke*"
- "kms:Disable*"
- "kms:Get*"
- "kms:Delete*"
- "kms:ScheduleKeyDeletion"
- "kms:CancelKeyDeletion"
Resource: "*"
Sid: "Allow use of the key"
Effect: "Allow"
Principal:
AWS: "arn:aws:iam::123456789012:user/Bob"
Action:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey*"
- "kms:DescribeKey"
Resource: "*"

The following example creates a custom CMK with a single tag.

JSON
{

"Resources" : {
"myKey" : {
"Type" : "AWS::KMS::Key",
"Properties" : {
"KeyPolicy" : {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",

API Version 2010-05-15
1250

AWS CloudFormation User Guide
AWS::Lambda::EventSourceMapping
"Principal": {
"AWS": { "Fn::Join" : ["" , ["arn:aws:iam::", {"Ref" :
"AWS::AccountId"} ,":root" ]] }
},
"Action": "kms:*",
"Resource": "*"
}
]
},
"Tags" : [
{
"Key" : {"Ref" : "Key"},
"Value" : {"Ref" : "Value"}
}
]
}
}
},
"Parameters" : {
"Key" : {
"Type" : "String"
},
"Value" : {
"Type" : "String"
}
}

}

YAML
Resources:
myKey:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Join
- ''
- - 'arn:aws:iam::'
- !Ref 'AWS::AccountId'
- ':root'
Action: 'kms:*'
Resource: '*'
Tags:
- Key: !Ref Key
Value: !Ref Value
Parameters:
Key:
Type: String
Value:
Type: String

AWS::Lambda::EventSourceMapping
The AWS::Lambda::EventSourceMapping resource speciﬁes a stream as an event source for an AWS
Lambda (Lambda) function. Lambda invokes the associated function when records are posted to the
stream. For more information, see CreateEventSourceMapping in the AWS Lambda Developer Guide.
API Version 2010-05-15
1251

AWS CloudFormation User Guide
AWS::Lambda::EventSourceMapping

Topics
• Syntax (p. 1252)
• Properties (p. 1252)
• Return Values (p. 1253)
• Example (p. 1253)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Lambda::EventSourceMapping",
"Properties" : {
"BatchSize" : Integer,
"Enabled" : Boolean,
"EventSourceArn" : String,
"FunctionName" : String,
"StartingPosition" : String
}

YAML
Type: AWS::Lambda::EventSourceMapping
Properties:
BatchSize: Integer
Enabled: Boolean
EventSourceArn: String
FunctionName: String
StartingPosition: String

Properties
BatchSize
The largest number of records that Lambda retrieves from your event source when invoking your
function. Your function receives an event with all the retrieved records. For the default and valid
values, see CreateEventSourceMapping in the AWS Lambda Developer Guide.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Enabled
Indicates whether Lambda begins polling the event source.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
API Version 2010-05-15
1252

AWS CloudFormation User Guide
AWS::Lambda::EventSourceMapping

EventSourceArn
The Amazon Resource Name (ARN) of the event source. Any record added to this stream can invoke
the Lambda function. For more information, see CreateEventSourceMapping in the AWS Lambda
Developer Guide.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
FunctionName
The name or ARN of a Lambda function to invoke when Lambda detects an event on the stream.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
StartingPosition
The position in a DynamoDB or Kinesis stream where Lambda starts reading. Not required is you set
an Amazon SQS queue as the event source. The AT_TIMESTAMP value is supported only for Kinesis
streams. For valid values, see CreateEventSourceMapping in the AWS Lambda Developer Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example associates an Kinesis stream with a Lambda function.

JSON
"EventSourceMapping": {
"Type": "AWS::Lambda::EventSourceMapping",
"Properties": {
"EventSourceArn" : { "Fn::Join" : [ "", [ "arn:aws:kinesis:", { "Ref" :
"AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":stream/", { "Ref" :
"KinesisStream" }] ] },
"FunctionName" : { "Fn::GetAtt" : ["LambdaFunction", "Arn"] },
"StartingPosition" : "TRIM_HORIZON"
}

API Version 2010-05-15
1253

AWS CloudFormation User Guide
AWS::Lambda::Alias
}

YAML
EventSourceMapping:
Type: AWS::Lambda::EventSourceMapping
Properties:
EventSourceArn:
Fn::Join:
- ""
- "arn:aws:kinesis:"
Ref: "AWS::Region"
- ":"
Ref: "AWS::AccountId"
- ":stream/"
Ref: "KinesisStream"
FunctionName:
Fn::GetAtt:
- "LambdaFunction"
- "Arn"
StartingPosition: "TRIM_HORIZON"

AWS::Lambda::Alias
The AWS::Lambda::Alias resource creates an alias that points to the version of an AWS Lambda
(Lambda) function that you specify. Use aliases when you want to control which version of your function
other services or applications invoke. Those services or applications can use your function's alias so
that they don't need to be updated whenever you release a new version of your function. For more
information, see Introduction to AWS Lambda Aliases in the AWS Lambda Developer Guide.
Topics
• Syntax (p. 1254)
• Properties (p. 1255)
• Return Value (p. 1256)
• Examples (p. 1256)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Lambda::Alias",
"Properties" : {
"Description" : String,
"FunctionName" : String,
"FunctionVersion" : String,
"Name" : String,
"RoutingConfig" : AliasRoutingConfiguration (p. 2075)
}

API Version 2010-05-15
1254

AWS CloudFormation User Guide
AWS::Lambda::Alias

YAML
Type: AWS::Lambda::Alias
Properties:
Description: String
FunctionName: String
FunctionVersion: String
Name: String
RoutingConfig:
AliasRoutingConfiguration

Properties
Description
Information about the alias, such as its purpose or the Lambda function that is associated with it.
Required: No
Type: String
Update requires: No interruption (p. 118)
FunctionName
The Lambda function that you want to associate with this alias. You can specify the function's name
or its Amazon Resource Name (ARN).
Required: Yes
Type: String
Update requires: Replacement (p. 119)
FunctionVersion
The version of the Lambda function that you want to associate with this alias.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Name
A name for the alias.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
RoutingConfig
Use this parameter to point your alias to two diﬀerent function versions, allowing you to dictate
what percentage of traﬃc will invoke each version. For more information, see Routing Traﬃc to
Diﬀerent Function Versions Using Aliases in the AWS Lambda Developer Guide.
Required: No
Type: AWS Lambda Alias AliasRoutingConﬁguration (p. 2075)
API Version 2010-05-15
1255

AWS CloudFormation User Guide
AWS::Lambda::Alias

Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ARN of the
Lambda alias.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Lambda Alias
The following example creates an alias named TestingForMyApp. The alias points to the
TestingNewFeature version of the MyFunction Lambda function.

JSON
"AliasForMyApp" : {
"Type" : "AWS::Lambda::Alias",
"Properties" : {
"FunctionName" : { "Ref" : "MyFunction" },
"FunctionVersion" : { "Fn::GetAtt" : [ "TestingNewFeature", "Version" ] },
"Name" : "TestingForMyApp"
}
}

YAML
AliasForMyApp:
Type: AWS::Lambda::Alias
Properties:
FunctionName:
Ref: "MyFunction"
FunctionVersion:
Fn::GetAtt:
- "TestingNewFeature"
- "Version"
Name: "TestingForMyApp"

Lambda Alias Update Policy
The following example deﬁnes an update policy for an alias.

JSON
"Alias": {
"Type": "AWS::Lambda::Alias",
"Properties": {
"FunctionName": {
"Ref": "LambdaFunction"
},
"FunctionVersion": {
"Fn::GetAtt": [
"FunctionVersionTwo",
"Version"

API Version 2010-05-15
1256

AWS CloudFormation User Guide
AWS::Lambda::Function
]
},
"Name": "MyAlias"

}

},
"UpdatePolicy": {
"CodeDeployLambdaAliasUpdate": {
"ApplicationName": {
"Ref": "CodeDeployApplication"
},
"DeploymentGroupName": {
"Ref": "CodeDeployDeploymentGroup"
},
"BeforeAllowTrafficHook": {
"Ref": "PreHookLambdaFunction"
},
"AfterAllowTrafficHook": {
"Ref": "PreHookLambdaFunction"
}
}
}

YAML
Alias:
Type: AWS::Lambda::Alias
Properties:
FunctionName: !Ref LambdaFunction
FunctionVersion: !GetAtt FunctionVersionTwo.Version
Name: MyAlias
UpdatePolicy:
CodeDeployLambdaAliasUpdate:
ApplicationName: !Ref CodeDeployApplication
DeploymentGroupName: !Ref CodeDeployDeploymentGroup
BeforeAllowTrafficHook: !Ref PreHookLambdaFunction
AfterAllowTrafficHook: !Ref PreHookLambdaFunction

AWS::Lambda::Function
The AWS::Lambda::Function resource creates an AWS Lambda (Lambda) function that can run code
in response to events. For more information, see CreateFunction in the AWS Lambda Developer Guide.
Topics
• Syntax (p. 1257)
• Properties (p. 1258)
• Return Values (p. 1261)
• Example (p. 1262)
• Related Resources (p. 1262)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::Lambda::Function",

API Version 2010-05-15
1257

AWS CloudFormation User Guide
AWS::Lambda::Function

}

"Properties" : {
"Code" : Code,
"DeadLetterConfig" : DeadLetterConfig (p. 2077),
"Description" : String,
"Environment" : Environment (p. 2077),
"FunctionName" : String,
"Handler" : String,
"KmsKeyArn" : String,
"MemorySize" : Integer,
"ReservedConcurrentExecutions" : Integer,
"Role" : String,
"Runtime" : String,
"Timeout" : Integer,
"TracingConfig" : TracingConfig (p. 2084),
"VpcConfig" : VPCConfig (p. 2085),
"Tags (p. 1261)" : [ Resource Tag, ... ]
}

YAML
Type: "AWS::Lambda::Function"
Properties:
Code:
Code
DeadLetterConfig:
DeadLetterConfig (p. 2077)
Description: String
Environment:
Environment (p. 2077)
FunctionName: String
Handler: String
KmsKeyArn: String
MemorySize: Integer
ReservedConcurrentExecutions: Integer
Role: String
Runtime: String
Timeout: Integer
TracingConfig:
TracingConfig (p. 2084)
VpcConfig:
VPCConfig (p. 2085)
Tags (p. 1261):
Resource Tag

Properties
Code
The source code of your Lambda function. You can point to a ﬁle in an Amazon Simple Storage
Service (Amazon S3) bucket or specify your source code as inline text.
Required: Yes
Type: AWS Lambda Function Code (p. 2078)
Update requires: No interruption (p. 118)
DeadLetterConfig
Conﬁgures how Lambda handles events that it can't process. If you don't specify a Dead Letter
Queue (DLQ) conﬁguration, Lambda discards events after the maximum number of retries. For more
information, see Dead Letter Queues in the AWS Lambda Developer Guide.
API Version 2010-05-15
1258

AWS CloudFormation User Guide
AWS::Lambda::Function

Required: No
Type: AWS Lambda Function DeadLetterConﬁg (p. 2077)
Update requires: No interruption (p. 118)
Description
A description of the function.
Required: No
Type: String
Update requires: No interruption (p. 118)
Environment
Key-value pairs that Lambda caches and makes available for your Lambda functions. Use
environment variables to apply conﬁguration changes, such as test and production environment
conﬁgurations, without changing your Lambda function source code.
Required: No
Type: AWS Lambda Function Environment (p. 2077)
Update requires: No interruption (p. 118)
FunctionName
A name for the function. If you don't specify a name, AWS CloudFormation generates a unique
physical ID and uses that ID for the function's name. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
Handler
The name of the function (within your source code) that Lambda calls to start running your code. For
more information, see the Handler property in the AWS Lambda Developer Guide.

Note

If you specify your source code as inline text by specifying the ZipFile property within the
Code property, specify index.function_name as the handler.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
KmsKeyArn
The Amazon Resource Name (ARN) of an AWS Key Management Service (AWS KMS) key that Lambda
uses to encrypt and decrypt environment variable values.
Type: String
API Version 2010-05-15
1259

AWS CloudFormation User Guide
AWS::Lambda::Function

Required: No
Update requires: No interruption (p. 118)
MemorySize
The amount of memory, in MB, that is allocated to your Lambda function. Lambda uses this value to
proportionally allocate the amount of CPU power. For more information, see Resource Model in the
AWS Lambda Developer Guide.
Your function use case determines your CPU and memory requirements. For example, a database
operation might need less memory than an image processing function. You must specify a value that
is greater than or equal to 128, and it must be a multiple of 64. You cannot specify a size larger than
3008. The default value is 128 MB.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
ReservedConcurrentExecutions
The maximum of concurrent executions you want reserved for the function. For more information on
reserved concurrency limits, see Managing Concurrency in the AWS Lambda Developer Guide.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Role
The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) execution role
that Lambda assumes when it runs your code to access AWS services.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Runtime
The runtime environment for the Lambda function that you are uploading. For valid values, see the
Runtime property in the AWS Lambda Developer Guide.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Note

Because Node.js 0.10.32 has been deprecated, you can no longer roll back a template that
uses Node.js 0.10.32. If you update a stack to Node.js 0.10.32 and the update fails, AWS
CloudFormation won't roll it back.
Timeout
The function execution time (in seconds) after which Lambda terminates the function. Because
the execution time aﬀects cost, set this value based on the function's expected execution time. By
default, Timeout is set to 3 seconds. For more information, see the FAQs.
Required: No
API Version 2010-05-15
1260

AWS CloudFormation User Guide
AWS::Lambda::Function

Type: Integer
Update requires: No interruption (p. 118)
TracingConfig
The parent object that contains your Lambda function's tracing settings. By default, the Mode
property is set to PassThrough. For valid values, see the TracingConﬁg data type in the AWS
Lambda Developer Guide.
Required: No
Type: AWS Lambda Function TracingConﬁg (p. 2084)
Update requires: No interruption (p. 118)
VpcConfig
If the Lambda function requires access to resources in a VPC, specify a VPC conﬁguration that
Lambda uses to set up an elastic network interface (ENI). The ENI enables your function to connect
to other resources in your VPC, but it doesn't provide public Internet access. If your function requires
Internet access (for example, to access AWS services that don't have VPC endpoints), conﬁgure a
Network Address Translation (NAT) instance inside your VPC or use an Amazon Virtual Private Cloud
(Amazon VPC) NAT gateway. For more information, see NAT Gateways in the Amazon VPC User
Guide.

Note

When you specify this property, AWS CloudFormation might not be able to delete the stack
if another resource in the template (such as a security group) requires the attached ENI to
be deleted before it can be deleted. We recommend that you run AWS CloudFormation with
the ec2:DescribeNetworkInterfaces permission, which enables AWS CloudFormation
to monitor the state of the ENI and to wait (up to 40 minutes) for Lambda to delete the ENI.
Required: No
Type: AWS Lambda Function VpcConﬁg (p. 2085)
Update requires: No interruption (p. 118)
Tags
An arbitrary set of tags (key–value pairs) for this Lambda function.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
In the following sample, the Ref function returns the name of the AMILookUp function, such as
MyStack-AMILookUp-NT5EUXTNTXXD.
{ "Ref": "AMILookUp" }

API Version 2010-05-15
1261

AWS CloudFormation User Guide
AWS::Lambda::Function

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The ARN of the Lambda function, such as arn:aws:lambda:uswest-2:123456789012:MyStack-AMILookUp-NT5EUXTNTXXD.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example uses a packaged ﬁle in an S3 bucket to create a Lambda function.

JSON
"AMIIDLookup": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Handler": "index.handler",
"Role": { "Fn::GetAtt" : ["LambdaExecutionRole", "Arn"] },
"Code": {
"S3Bucket": "lambda-functions",
"S3Key": "amilookup.zip"
},
"Runtime": "nodejs4.3",
"Timeout": 25,
"TracingConfig": {
"Mode": "Active"
}
}
}

YAML
AMIIDLookup:
Type: "AWS::Lambda::Function"
Properties:
Handler: "index.handler"
Role:
Fn::GetAtt:
- "LambdaExecutionRole"
- "Arn"
Code:
S3Bucket: "lambda-functions"
S3Key: "amilookup.zip"
Runtime: "nodejs4.3"
Timeout: 25
TracingConfig:
Mode: "Active"

Related Resources
For more information about how you can use a Lambda function with AWS CloudFormation custom
resources, see AWS Lambda-backed Custom Resources (p. 439).
API Version 2010-05-15
1262

AWS CloudFormation User Guide
AWS::Lambda::Permission

For a sample template, see AWS Lambda Template (p. 400).

AWS::Lambda::Permission
The AWS::Lambda::Permission resource associates a policy statement with a speciﬁc AWS Lambda
(Lambda) function's access policy. The function policy grants a speciﬁc AWS service or application
permission to invoke the function. For more information, see AddPermission in the AWS Lambda
Developer Guide.
Topics
• Syntax (p. 1263)
• Properties (p. 1263)
• Example (p. 1265)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Lambda::Permission",
"Properties" : {
"Action" : String,
"EventSourceToken" : String,
"FunctionName" : String,
"Principal" : String,
"SourceAccount" : String,
"SourceArn" : String
}

YAML
Type: AWS::Lambda::Permission
Properties:
Action: String
EventSourceToken: String
FunctionName: String
Principal: String
SourceAccount: String
SourceArn: String

Properties
For more information and current valid values, see AddPermission in the AWS Lambda Developer Guide.
Action
The Lambda actions that you want to allow in this statement. For example, you can specify
lambda:CreateFunction to specify a certain action, or use a wildcard (lambda:*) to grant
permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for
AWS Lambda in the IAM User Guide.
Required: Yes
API Version 2010-05-15
1263

AWS CloudFormation User Guide
AWS::Lambda::Permission

Type: String
Update requires: Replacement (p. 119)
EventSourceToken
A unique token that must be supplied by the principal invoking the function.
Required: No
Type: String
Update requires: Replacement (p. 119)
FunctionName
The name (physical ID), Amazon Resource Name (ARN), or alias ARN of the Lambda function that you
want to associate with this statement. Lambda adds this statement to the function's access policy.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Principal
The entity for which you are granting permission to invoke the Lambda function. This entity can be
any valid AWS service principal, such as s3.amazonaws.com or sns.amazonaws.com, or, if you
are granting cross-account permission, an AWS account ID. For example, you might want to allow a
custom application in another AWS account to push events to Lambda by invoking your function.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SourceAccount
The AWS account ID (without hyphens) of the source owner. For example, if you specify an S3 bucket
in the SourceArn property, this value is the bucket owner's account ID. You can use this property to
ensure that all source principals are owned by a speciﬁc account.

Important

This property is not supported by all event sources. For more information, see the
SourceAccount parameter for the AddPermission action in the AWS Lambda Developer
Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)
SourceArn
The ARN of a resource that is invoking your function. When granting Amazon Simple Storage Service
(Amazon S3) permission to invoke your function, specify this property with the bucket ARN as its
value. This ensures that events generated only from the speciﬁed bucket, not just any bucket from
any AWS account that creates a mapping to your function, can invoke the function.

Important

This property is not supported by all event sources. For more information, see the
SourceArn parameter for the AddPermission action in the AWS Lambda Developer Guide.
API Version 2010-05-15
1264

AWS CloudFormation User Guide
AWS::Lambda::Version

Required: No
Type: String
Update requires: Replacement (p. 119)

Example
The following example grants an S3 bucket permission to invoke a Lambda function.

JSON
"LambdaInvokePermission": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"FunctionName": {
"Fn::GetAtt": [
"MyLambdaFunction",
"Arn"
]
},
"Action": "lambda:InvokeFunction",
"Principal": "s3.amazonaws.com",
"SourceAccount": {
"Ref": "AWS::AccountId"
},
"SourceArn": {
"Fn::GetAtt": [
"MyBucket",
"Arn"
]
}
}
}

YAML
LambdaInvokePermission:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !GetAtt
- MyLambdaFunction
- Arn
Action: 'lambda:InvokeFunction'
Principal: s3.amazonaws.com
SourceAccount: !Ref 'AWS::AccountId'
SourceArn: !GetAtt
- MyBucket
- Arn

AWS::Lambda::Version
The AWS::Lambda::Version resource publishes a speciﬁed version of an AWS Lambda (Lambda)
function. When publishing a new version of your function, Lambda copies the latest version of your
function. For more information, see Introduction to AWS Lambda Versioning in the AWS Lambda
Developer Guide.
Topics
API Version 2010-05-15
1265

AWS CloudFormation User Guide
AWS::Lambda::Version

• Syntax (p. 1266)
• Properties (p. 1266)
• Return Values (p. 1267)
• Example (p. 1267)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Lambda::Version",
"Properties" : {
"CodeSha256" : String,
"Description" : String,
"FunctionName" : String
}

YAML
Type: AWS::Lambda::Version
Properties:
CodeSha256 : String
Description : String
FunctionName : String

Properties
CodeSha256
The SHA-256 hash of the deployment package that you want to publish. This value must match the
SHA-256 hash of the $LATEST version of the function. Specify this property to validate that you are
publishing the correct package.
Required: No
Type: String
Update requires: Updates are not supported.
Description
A description of the version you are publishing. If you don't specify a value, Lambda copies the
description from the $LATEST version of the function.
Required: No
Type: String
Update requires: Updates are not supported.
FunctionName
The Lambda function for which you want to publish a version. You can specify the function's name
or its Amazon Resource Name (ARN).
API Version 2010-05-15
1266

AWS CloudFormation User Guide
AWS::Logs::Destination

Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the ARN of the
Lambda version, such as arn:aws:lambda:us-west-2:123456789012:function:helloworld:1.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of the speciﬁed resource type.
Version
The published version of a Lambda version, such as 1.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example publishes a new version of the MyFunction Lambda function.

JSON
"TestingNewFeature" : {
"Type" : "AWS::Lambda::Version",
"Properties" : {
"FunctionName" : { "Ref" : "MyFunction" },
"Description" : "A test version of MyFunction"
}
}

YAML
TestingNewFeature:
Type: AWS::Lambda::Version
Properties:
FunctionName:
Ref: "MyFunction"
Description: "A test version of MyFunction"

AWS::Logs::Destination
The AWS::Logs::Destination resource creates an Amazon CloudWatch Logs (CloudWatch Logs)
destination, which enables you to specify a physical resource (such as an Kinesis stream) that subscribes
to CloudWatch Logs log events from another AWS account. For more information, see Cross-Account Log
Data Sharing with Subscriptions in the Amazon CloudWatch User Guide.
Topics
API Version 2010-05-15
1267

AWS CloudFormation User Guide
AWS::Logs::Destination

• Syntax (p. 1268)
• Properties (p. 1268)
• Return Values (p. 1269)
• Example (p. 1269)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Logs::Destination",
"Properties" : {
"DestinationName" : String,
"DestinationPolicy" : String,
"RoleArn" : String,
"TargetArn" : String
}

YAML
Type: AWS::Logs::Destination
Properties:
DestinationName: String
DestinationPolicy: String
RoleArn: String
TargetArn: String

Properties
DestinationName
The name of the CloudWatch Logs destination.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
DestinationPolicy
An AWS Identity and Access Management (IAM) policy that speciﬁes who can write to your
destination.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RoleArn
The Amazon Resource Name (ARN) of an IAM role that permits CloudWatch Logs to send data to the
speciﬁed AWS resource (TargetArn).
API Version 2010-05-15
1268

AWS CloudFormation User Guide
AWS::Logs::Destination

Required: Yes
Type: String
Update requires: No interruption (p. 118)
TargetArn
The ARN of the AWS resource that receives log events. Currently, you can specify only an Kinesis
stream.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name, such as TestDestination.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The ARN of the CloudWatch Logs destination, such as arn:aws:logs:useast-2:123456789012:destination:MyDestination.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
In the following example, the target stream (TestStream) can receive log events from the logger IAM
user that is in the 234567890123 AWS account. The user can call only the PutSubscriptionFilter
action against the TestDestination destination.

JSON
"DestinationWithName" : {
"Type" : "AWS::Logs::Destination",
"Properties" : {
"DestinationName": "TestDestination",
"RoleArn": "arn:aws:iam::123456789012:role/LogKinesisRole",
"TargetArn": "arn:aws:kinesis:us-east-1:123456789012:stream/TestStream",
"DestinationPolicy": "{\"Version\" : \"2012-10-17\",\"Statement\" : [{\"Effect\" :
\"Allow\", \"Principal\" : {\"AWS\" : \"arn:aws:iam::234567890123:user/logger\"},
\"Action\" : \"logs:PutSubscriptionFilter\", \"Resource\" : \"arn:aws:logs:useast-1:123456789012:destination:TestDestination\"}]}"
}
}

API Version 2010-05-15
1269

AWS CloudFormation User Guide
AWS::Logs::LogGroup

YAML
DestinationWithName:
Type: AWS::Logs::Destination
Properties:
DestinationName: "TestDestination"
RoleArn: "arn:aws:iam::123456789012:role/LogKinesisRole"
TargetArn: "arn:aws:kinesis:us-east-1:123456789012:stream/TestStream"
DestinationPolicy: >
{"Version" : "2012-10-17","Statement" : [{"Effect" : "Allow", "Principal" : {"AWS" :
"arn:aws:iam::234567890123:user/logger"},"Action" : "logs:PutSubscriptionFilter",
"Resource" : "arn:aws:logs:us-east-1:123456789012:destination:TestDestination"}]}

AWS::Logs::LogGroup
The AWS::Logs::LogGroup resource creates an Amazon CloudWatch Logs log group that deﬁnes
common properties for log streams, such as their retention and access control rules. Each log stream
must belong to one log group.
Topics
• Syntax (p. 1270)
• Properties (p. 1270)
• Return Values (p. 1271)
• Examples (p. 1271)
• Additional Information (p. 1272)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Logs::LogGroup",
"Properties" : {
"LogGroupName" : String,
"RetentionInDays" : Integer
}

YAML
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: String
RetentionInDays: Integer

Properties
LogGroupName
A name for the log group. If you don't specify a name, AWS CloudFormation generates a unique
physical ID and uses that ID for the log group. For more information, see Name Type (p. 2085).
API Version 2010-05-15
1270

AWS CloudFormation User Guide
AWS::Logs::LogGroup

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
RetentionInDays
The number of days log events are kept in CloudWatch Logs. When a log event expires, CloudWatch
Logs automatically deletes it. For valid values, see PutRetentionPolicy in the Amazon CloudWatch
Logs API Reference.
Required: No
Type: Integer
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
The Amazon resource name (ARN) of the CloudWatch Logs log group, such as arn:aws:logs:useast-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
The following example creates a CloudWatch Logs log group that retains events for 7 days.

JSON
"myLogGroup": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 7
}
}

API Version 2010-05-15
1271

AWS CloudFormation User Guide
AWS::Logs::LogStream

YAML
myLogGroup:
Type: AWS::Logs::LogGroup
Properties:
RetentionInDays: 7

Additional Information
For an additional sample template, see Amazon CloudWatch Logs Template Snippets (p. 307).

AWS::Logs::LogStream
The AWS::Logs::LogStream resource creates an Amazon CloudWatch Logs log stream in a log group.
A log stream represents the sequence of events coming from an application instance or resource that you
are monitoring. For more information, see Monitoring Log Files in the Amazon CloudWatch User Guide.
Topics
• Syntax (p. 1272)
• Properties (p. 1272)
• Return Values (p. 1273)
• Example (p. 1273)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Logs::LogStream",
"Properties" : {
"LogGroupName" : String,
"LogStreamName" : String
}

YAML
Type: AWS::Logs::LogStream
Properties:
LogGroupName: String
LogStreamName: String

Properties
LogGroupName
The name of the log group where the log stream is created.
Required: Yes
Type: String
API Version 2010-05-15
1272

AWS CloudFormation User Guide
AWS::Logs::MetricFilter

Update requires: Replacement (p. 119)
LogStreamName
The name of the log stream to create. The name must be unique within the log group.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name, such as MyAppLogStream.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a CloudWatch Logs log stream named MyAppLogStream in the
exampleLogGroup log group.

JSON
"LogStream": {
"Type": "AWS::Logs::LogStream",
"Properties": {
"LogGroupName" : "exampleLogGroup",
"LogStreamName": "MyAppLogStream"
}
}

YAML
LogStream:
Type: AWS::Logs::LogStream
Properties:
LogGroupName: "exampleLogGroup"
LogStreamName: "MyAppLogStream"

AWS::Logs::MetricFilter
The AWS::Logs::MetricFilter resource creates a metric ﬁlter that describes how Amazon
CloudWatch Logs extracts information from logs that you specify and transforms it into Amazon
CloudWatch metrics. If you have multiple metric ﬁlters that are associated with a log group, all the ﬁlters
are applied to the log streams in that group.
Topics
•
•
•
•

Syntax (p. 1274)
Properties (p. 1274)
Examples (p. 1275)
Additional Information (p. 1275)
API Version 2010-05-15
1273

AWS CloudFormation User Guide
AWS::Logs::MetricFilter

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::Logs::MetricFilter",
"Properties": {
"FilterPattern": String,
"LogGroupName": String,
"MetricTransformations": [ MetricTransformations, ... ]
}

YAML
Type: AWS::Logs::MetricFilter
Properties:
FilterPattern: String
LogGroupName: String
MetricTransformations:
MetricTransformations

Properties
Note

For more information about constraints and values for each property, see PutMetricFilter in the
Amazon CloudWatch Logs API Reference.
FilterPattern
Describes the pattern that CloudWatch Logs follows to interpret each entry in a log. A log entry
might contain ﬁelds such as timestamps, IP addresses, error codes, bytes transferred, and so on. You
use the pattern to specify those ﬁelds and to specify what to look for in the log ﬁle. For example, if
you're interested in error codes that begin with 1234, your ﬁlter pattern might be [timestamps,
ip_addresses, error_codes = 1234*, size, ...]. For more information, see Filter and
Pattern Syntax in the Amazon CloudWatch User Guide.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
LogGroupName
The name of an existing log group that you want to associate with this metric ﬁlter.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
MetricTransformations
Describes how to transform data from a log into a CloudWatch metric.
Required: Yes
API Version 2010-05-15
1274

AWS CloudFormation User Guide
AWS::Logs::SubscriptionFilter

Type: A list of CloudWatch Logs MetricFilter MetricTransformation Property (p. 1727)

Important

Currently, you can specify only one metric transformation for each metric ﬁlter. If you want
to specify multiple metric transformations, you must specify multiple metric ﬁlters.
Update requires: No interruption (p. 118)

Examples
The following example sends a value of 1 to the 404Count metric whenever the status code ﬁeld
includes a 404 value.

JSON
"404MetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": { "Ref": "myLogGroup" },
"FilterPattern": "[ip, identity, user_id, timestamp, request, status_code = 404,
size]",
"MetricTransformations": [
{
"MetricValue": "1",
"MetricNamespace": "WebServer/404s",
"MetricName": "404Count"
}
]
}
}

YAML
404MetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName:
Ref: "myLogGroup"
FilterPattern: "[ip, identity, user_id, timestamp, request, status_code = 404, size]"
MetricTransformations:
MetricValue: "1"
MetricNamespace: "WebServer/404s"
MetricName: "404Count"

Additional Information
For an additional sample template, see Amazon CloudWatch Logs Template Snippets (p. 307).

AWS::Logs::SubscriptionFilter
The AWS::Logs::SubscriptionFilter resource creates an Amazon CloudWatch Logs (CloudWatch
Logs) subscription ﬁlter that deﬁnes which log events are delivered to your Kinesis stream or AWS
Lambda (Lambda) function and where to send them.
Topics
• Syntax (p. 1276)
API Version 2010-05-15
1275

AWS CloudFormation User Guide
AWS::Logs::SubscriptionFilter

• Properties (p. 1276)
• Return Values (p. 1277)
• Example (p. 1277)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Logs::SubscriptionFilter",
"Properties" : {
"DestinationArn" : String,
"FilterPattern" : String,
"LogGroupName" : String,
"RoleArn" : String
}

YAML
Type: AWS::Logs::SubscriptionFilter
Properties:
DestinationArn: String
FilterPattern: String
LogGroupName: String
RoleArn: String

Properties
DestinationArn
The Amazon Resource Name (ARN) of the Kinesis stream, Kinesis Data Firehose delivery stream, or
Lambda function that you want to use as the subscription feed destination.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
FilterPattern
The ﬁltering expressions that restrict what gets delivered to the destination AWS resource. For more
information about the ﬁlter pattern syntax, see Filter and Pattern Syntax in the Amazon CloudWatch
User Guide.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
LogGroupName
The log group to associate with the subscription ﬁlter. All log events that are uploaded to this log
group are ﬁltered and delivered to the speciﬁed AWS resource if the ﬁlter pattern matches the log
events.
API Version 2010-05-15
1276

AWS CloudFormation User Guide
AWS::Logs::SubscriptionFilter

Required: Yes
Type: String
Update requires: Replacement (p. 119)
RoleArn
An IAM role that grants CloudWatch Logs permission to put data into the speciﬁed Kinesis stream.
For Lambda and CloudWatch Logs destinations, don't specify this property because CloudWatch
Logs gets the necessary permissions from the destination resource.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example sends log events that are associated with the Root user to an Kinesis stream.

JSON
"SubscriptionFilter" : {
"Type" : "AWS::Logs::SubscriptionFilter",
"Properties" : {
"RoleArn" : { "Fn::GetAtt" : [ "CloudWatchIAMRole", "Arn" ] },
"LogGroupName" : { "Ref" : "LogGroup" },
"FilterPattern" : "{$.userIdentity.type = Root}",
"DestinationArn" : { "Fn::GetAtt" : [ "KinesisStream", "Arn" ] }
}
}

YAML
SubscriptionFilter:
Type: AWS::Logs::SubscriptionFilter
Properties:
RoleArn:
Fn::GetAtt:
- "CloudWatchIAMRole"
- "Arn"
LogGroupName:
Ref: "LogGroup"
FilterPattern: "{$.userIdentity.type = Root}"
DestinationArn:
Fn::GetAtt:
- "KinesisStream"
- "Arn"

API Version 2010-05-15
1277

AWS CloudFormation User Guide
AWS::Neptune::DBCluster

AWS::Neptune::DBCluster
The AWS::Neptune::DBCluster resource creates an Amazon Neptune DB cluster. Neptune is a fully
managed graph database.

Note

Currently, you can create this resource only in AWS Regions in which Amazon Neptune is
supported.
The default DeletionPolicy for AWS::Neptune::DBCluster resources is Snapshot. For more
information about how AWS CloudFormation deletes resources, see DeletionPolicy Attribute (p. 2248).
Topics
• Syntax (p. 1278)
• Properties (p. 1279)
• Return Values (p. 1281)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Neptune::DBCluster",
"Properties" :
{
"AvailabilityZones" : [ String, ... ],
"BackupRetentionPeriod" : Integer,
"DBClusterIdentifier" : String,
"DBClusterParameterGroupName" : String,
"DBSubnetGroupName" : String,
"IamAuthEnabled" : Boolean,
"KmsKeyId" : String,
"Port" : Integer,
"PreferredBackupWindow" : String,
"PreferredMaintenanceWindow" : String,
"SnapshotIdentifier" : String,
"StorageEncrypted" : Boolean,
"Tags" : [ Resource Tag, ... ],
"VpcSecurityGroupIds" : [ String, ... ]
}

YAML
Type: "AWS::Neptune::DBCluster"
Properties:
AvailabilityZones:
- String
BackupRetentionPeriod: Integer
DBClusterIdentifier: String
DBClusterParameterGroupName: String
DBSubnetGroupName: String
IamAuthEnabled: Boolean
KmsKeyId: String
Port: Integer
PreferredBackupWindow: String

API Version 2010-05-15
1278

AWS CloudFormation User Guide
AWS::Neptune::DBCluster
PreferredMaintenanceWindow: String
SnapshotIdentifier: String
StorageEncrypted: Boolean
Tags:
- Resource Tag
VpcSecurityGroupIds:
- String

Properties
AvailabilityZones
A list of Availability Zones in which DB instances in the cluster can be created.
Required: No
Type: String
Update requires: Replacement (p. 119)
BackupRetentionPeriod
The number of days for which automatic backups are retained. For more information, see
CreateDBCluster in the Amazon Neptune User Guide.
Required: No
Type: Integer
Update requires: No interruption (p. 118) or some interruption (p. 119). For more information, see
ModifyDBInstance in the Amazon Neptune User Guide.
DBClusterIdentifier
The DB cluster identiﬁer. This parameter is stored as a lowercase string.
Constraints:
• Must contain from 1 to 63 letters, numbers, or hyphens.
• First character must be a letter.
• Cannot end with a hyphen or contain two consecutive hyphens.
Required: No
Type: String
Update requires: Replacement (p. 119)
DBClusterParameterGroupName
The name of the DB cluster parameter group to associate with this DB cluster.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
DBSubnetGroupName
A DB subnet group that you want to associate with this DB cluster.
Required: No
API Version 2010-05-15
1279

AWS CloudFormation User Guide
AWS::Neptune::DBCluster

Type: String
Update requires: Replacement (p. 119)
IamAuthEnabled
Enable IAM authentication and authorization on this cluster.
Type: Boolean
Update requires: No interruption (p. 118)
KmsKeyId
The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) master key
that is used to encrypt the database instances in the DB cluster, such as arn:aws:kms:useast-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef. If you enable the
StorageEncrypted property but don't specify this property, the default master key is used. If you
specify this property, you must set the StorageEncrypted property to true.
If you specify the SnapshotIdentifier, do not specify this property. The value is inherited from
the snapshot DB cluster.
Required: No
Type: String
Update requires: Replacement (p. 119).
Port
The port number on which the DB instances in the cluster can accept connections.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
PreferredBackupWindow
If automated backups are enabled (see the BackupRetentionPeriod property), the daily time
range in UTC during which you want to create automated backups.
For valid values, see the PreferredBackupWindow parameter of the CreateDBInstance action.
Required: No
Type: String
Update requires: No interruption (p. 118)
PreferredMaintenanceWindow
The weekly time range (in UTC) during which system maintenance can occur.
For valid values, see the PreferredMaintenanceWindow parameter of the CreateDBInstance
action.
Required: No
Type: String
Update requires: No interruption (p. 118) or some interruption (p. 119). For more information, see
ModifyDBInstance.
API Version 2010-05-15
1280

AWS CloudFormation User Guide
AWS::Neptune::DBCluster

SnapshotIdentifier
The identiﬁer for the DB cluster snapshot from which you want to restore.
Required: No
Type: String
Update requires: Replacement (p. 119)
StorageEncrypted
Indicates whether the DB instances in the cluster are encrypted.
If you specify the SnapshotIdentifier property, do not specify this property. The value is
inherited from the snapshot DB cluster.
Required: Conditional. If you specify the KmsKeyId property, you must enable encryption.
Type: Boolean
Update requires: Replacement (p. 119)
Tags
The tags that you want to attach to this DB cluster.
Required: No
Type: A list of resource tags (p. 2106).
Update requires: No interruption (p. 118)
VpcSecurityGroupIds
A list of VPC security groups to associate with this DB cluster.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Endpoint
The connection endpoint for the DB cluster. For example: mystackmydbcluster-1apw1j4phylrk.cg034hpkmmjt.us-east-2.rds.amazonaws.com
API Version 2010-05-15
1281

AWS CloudFormation User Guide
AWS::Neptune::DBClusterParameterGroup

Port
The port number on which the DB cluster accepts connections. For example: 8182
ReadEndpoint
The reader endpoint for the DB cluster. For example: mystack-mydbclusterro-1apw1j4phylrk.cg034hpkmmjt.us-east-2.rds.amazonaws.com
ClusterResourceId
The resource id for the DB cluster; for example: cluster-ABCD1234EFGH5678IJKL90MNOP. The
cluster ID uniquely identiﬁes the cluster and is used in things like IAM authentication policies.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

AWS::Neptune::DBClusterParameterGroup
The AWS::Neptune::DBClusterParameterGroup resource creates a new Amazon Neptune DB cluster
parameter group.

Note

Applying a parameter group to a DB cluster might require instances to reboot, resulting in a
database outage while the instances reboot.
Topics
• Syntax (p. 1282)
• Properties (p. 1283)
• Return Values (p. 1284)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Neptune::DBClusterParameterGroup",
"Properties" : {
"Description" : String,
"Parameters" : DBParameters,
"Family" : String,
"Tags" : [ Resource Tag, ... ],
"Name" : String
}

YAML
Type: "AWS::Neptune::DBClusterParameterGroup"
Properties:
Description: String
Parameters: DBParameters
Family : String
Tags:
Resource Tag
Name : String

API Version 2010-05-15
1282

AWS CloudFormation User Guide
AWS::Neptune::DBClusterParameterGroup

Properties
Description
A friendly description for this DB cluster parameter group.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Parameters
The parameters to set for this DB cluster parameter group.
Changes to dynamic parameters are applied immediately. Changes to static parameters require a
reboot without failover to the DB instance that is associated with the parameter group before the
change can take eﬀect.
Required: Yes
Type: A JSON object consisting of string key-value pairs, as shown in the following example:
"Parameters" : {
"Key1" : "Value1",
"Key2" : "Value2",
"Key3" : "Value3"
}

Update requires: No interruption (p. 118) or some interruption (p. 119), depending on the parameters
that you update.
Family
Must be neptune1.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Tags
The tags that you want to attach to this parameter group.
Required: No
Type: A list of resource tags (p. 2106)
Update requires: Updates are not supported.
Name
A friendly name for the cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
1283

AWS CloudFormation User Guide
AWS::Neptune::DBInstance

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

AWS::Neptune::DBInstance
The AWS::Neptune::DBInstance type creates an Amazon Neptune DB instance.

Important

If a DB instance is deleted or replaced during an update, AWS CloudFormation deletes all
automated snapshots. However, it retains manual DB snapshots. During an update that requires
replacement, you can apply a stack policy to prevent DB instances from being replaced. For
more information, see Prevent Updates to Stack Resources (p. 141).
Topics
• Syntax (p. 1284)
• Properties (p. 1285)
• Updating and Deleting AWS::Neptune::DBInstance Resources (p. 1287)
• Return Values (p. 1288)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Neptune::DBInstance",
"Properties" :
{
"AllowMajorVersionUpgrade" : Boolean,
"AutoMinorVersionUpgrade (p. 1285)" : Boolean,
"AvailabilityZone (p. 1285)" : String,
"DBClusterIdentifier" : String,
"DBInstanceClass (p. 1285)" : String,
"DBInstanceIdentifier" : String,
"DBParameterGroupName (p. 1286)" : String,
"DBSnapshotIdentifier (p. 1286)" : String,
"DBSubnetGroupName (p. 1286)" : String,
"PreferredMaintenanceWindow (p. 1287)" : String,
"Tags (p. 1287)" : [ Resource Tag, ... ]
}

YAML
Type: "AWS::Neptune::DBInstance"
Properties:
AllowMajorVersionUpgrade: Boolean
AutoMinorVersionUpgrade (p. 1285): Boolean

API Version 2010-05-15
1284

AWS CloudFormation User Guide
AWS::Neptune::DBInstance
AvailabilityZone (p. 1285): String
DBClusterIdentifier: String
DBInstanceClass (p. 1285): String
DBInstanceIdentifier: String
DBParameterGroupName (p. 1286): String
DBSnapshotIdentifier (p. 1286): String
DBSubnetGroupName (p. 1286): String
PreferredMaintenanceWindow (p. 1287) : String
Tags (p. 1287):
Resource Tag

Properties
AllowMajorVersionUpgrade
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
AutoMinorVersionUpgrade
Indicates that minor engine upgrades are applied automatically to the DB instance during the
maintenance window. The default value is true.
Required: No
Type: Boolean
Update requires: No interruption (p. 118) or some interruption (p. 119).
AvailabilityZone
The name of the Availability Zone where the DB instance is located. You can't set the
AvailabilityZone parameter if the MultiAZ parameter is set to true.
Required: No
Type: String
Update requires: Replacement (p. 119)
DBClusterIdentifier
The name of an existing DB cluster that this instance is associated with.
Neptune assigns the ﬁrst DB instance in the cluster as the primary, and additional DB instances as
replicas.
If you specify this property, the default deletion policy is Delete. Otherwise, the default deletion
policy is Snapshot.
Required: No
Type: String
Update requires: Replacement (p. 119)
DBInstanceClass
The name of the compute and memory capacity classes of the DB instance.
API Version 2010-05-15
1285

AWS CloudFormation User Guide
AWS::Neptune::DBInstance

Required: Yes
Type: String
Update requires: Some interruptions (p. 119)
DBInstanceIdentifier
A name for the DB instance. If you specify a name, AWS CloudFormation converts it to lowercase. If
you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for
the DB instance. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
DBParameterGroupName
The name of an existing DB parameter group or a reference to an
AWS::Neptune::DBParameterGroup (p. 1288) resource created in the template.
Required: No
Type: String
Update requires: No interruption (p. 118) or some interruption (p. 119). If any of the data members
of the referenced parameter group are changed during an update, the DB instance might need to
be restarted, which causes some interruption. If the parameter group contains static parameters,
whether they were changed or not, an update triggers a reboot.
DBSnapshotIdentifier
The name or Amazon Resource Name (ARN) of the DB snapshot that's used to restore the DB
instance. If you're restoring from a shared manual DB snapshot, you must specify the ARN of the
snapshot.
By specifying this property, you can create a DB instance from the speciﬁed DB snapshot. If the
DBSnapshotIdentifier property is an empty string or the AWS::Neptune::DBInstance
declaration has no DBSnapshotIdentifier property, AWS CloudFormation creates a new
database. If the property contains a value (other than an empty string), AWS CloudFormation creates
a database from the speciﬁed snapshot. If a snapshot with the speciﬁed name doesn't exist, AWS
CloudFormation can't create the database and it rolls back the stack.
Required: No
Type: String
Update requires: Replacement (p. 119)
DBSubnetGroupName
A DB subnet group to associate with the DB instance. If you update this value, the new subnet group
must be a subnet group in a new virtual private cloud (VPC).
Required: No
API Version 2010-05-15
1286

AWS CloudFormation User Guide
AWS::Neptune::DBInstance

Type: String
Update requires: Replacement (p. 119)
PreferredMaintenanceWindow
The weekly time range (in UTC) during which system maintenance can occur. For valid values, see
the PreferredMaintenanceWindow parameter for the CreateDBInstance action in the Amazon
Neptune User Guide.

Note

This property applies when AWS CloudFormation initially creates the DB instance. If you use
AWS CloudFormation to update the DB instance, those updates are applied immediately.
Required: No
Type: String
Update requires: No interruption (p. 118) or some interruption (p. 119). For more information, see
ModifyDBInstance in the Amazon Neptune User Guide.
StorageEncrypted
Indicates whether the DB instance is encrypted.
If you specify the DBClusterIdentifier, DBSnapshotIdentifier, or
SourceDBInstanceIdentifier property, don't specify this property. The value is inherited from
the cluster, snapshot, or source DB instance.
Required: Conditional. If you specify the KmsKeyId property, you must enable encryption.
Type: Boolean
Update requires: Replacement (p. 119)
Tags
An arbitrary set of tags (key–value pairs) for this DB instance.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Updating and Deleting AWS::Neptune::DBInstance Resources
Updating DB Instances
When properties labeled "Update requires: Replacement (p. 119)" are updated, AWS CloudFormation ﬁrst
creates a replacement DB instance, changes references from other dependent resources to point to the
replacement DB instance, and ﬁnally deletes the old DB instance.

Important

We highly recommend that you take a snapshot of the database before updating the stack. If
you don't, you lose the data when AWS CloudFormation replaces your DB instance. To preserve
your data, perform the following procedure:
1. Deactivate any applications that are using the DB instance so that there's no activity on the
DB instance.
2. Create a snapshot of the DB instance.
API Version 2010-05-15
1287

AWS CloudFormation User Guide
AWS::Neptune::DBParameterGroup

3. If you want to restore your instance using a DB snapshot, modify the updated template with
your DB instance changes and add the DBSnapshotIdentifier property with the ID of the
DB snapshot that you want to use.
4. Update the stack.

Deleting DB Instances
You can set a deletion policy for your DB instance to control how AWS CloudFormation handles the
instance when the stack is deleted. For Neptune DB instances, you can choose to retain the instance, to
delete the instance, or to create a snapshot of the instance. The default AWS CloudFormation behavior
depends on the DBClusterIdentifier property:
• For AWS::Neptune::DBInstance resources that don't specify the DBClusterIdentifier
property, AWS CloudFormation saves a snapshot of the DB instance.
• For AWS::Neptune::DBInstance resources that do specify the DBClusterIdentifier property,
AWS CloudFormation deletes the DB instance.
For more information, see DeletionPolicy Attribute (p. 2248).

Return Values
Ref
When you provide the Neptune DB instance's logical name to the Ref intrinsic function, Ref returns the
DBInstanceIdentifier. For example: mystack-mydb-ea5ugmfvuaxg.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
• Endpoint
The connection endpoint for the database. For example: mystackmydb-1apw1j4phylrk.cg034hpkmmjt.us-east-2.rds.amazonaws.com.
• Port
The port number on which the database accepts connections. For example: 8182.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

AWS::Neptune::DBParameterGroup
Creates a custom parameter group for DB instances.
This type can be declared in a template and referenced in the DBParameterGroupName parameter of
AWS::Neptune::DBInstance (p. 1284).

Note

Applying a parameter group to a DB instance might require the instance to reboot, resulting in a
database outage for the duration of the reboot.
Topics
API Version 2010-05-15
1288

AWS CloudFormation User Guide
AWS::Neptune::DBParameterGroup

• Syntax (p. 1289)
• Properties (p. 1289)
• Return Values (p. 1290)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Neptune::DBParameterGroup",
"Properties" : {
"Description (p. 1289)" : String,
"Parameters (p. 1289)" : DBParameters,
"Family" : String,
"Tags" : [ Resource Tag, ... ],
"Name" : String
}

YAML
Type: "AWS::Neptune::DBParameterGroup"
Properties:
Description (p. 1289): String
Parameters (p. 1289):
DBParameters
Family : String
Tags:
- Resource Tag
Name : String

Properties
Description
A friendly description of the DB parameter group. For example, "My Parameter Group".
Required: Yes
Type: String
Update requires: Updates are not supported.
Parameters
The parameters to set for this DB parameter group.
Required: No
Type: A JSON object consisting of string key-value pairs, as shown in the following example:

"Parameters" : {
"Key1" : "Value1",
"Key2" : "Value2",

API Version 2010-05-15
1289

AWS CloudFormation User Guide
AWS::Neptune::DBSubnetGroup

}

"Key3" : "Value3"

Update requires: No interruption (p. 118) or some interruption (p. 119). Changes to dynamic
parameters are applied immediately. During an update, if you have static parameters (whether they
were changed or not), it triggers AWS CloudFormation to reboot the associated DB instance without
failover.
Family
Must be neptune1.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Tags
The tags that you want to attach to the DB parameter group.
Required: No
Type: A list of resource tags (p. 2106).
Update requires: No interruption (p. 118)
Name
A friendly name for the cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "MyDBParameterGroup" }

For the RDS::DBParameterGroup with the logical ID "MyDBParameterGroup," Ref returns the
resource name.
For more information about using the Ref function, see Ref (p. 2311).

AWS::Neptune::DBSubnetGroup
The AWS::Neptune::DBSubnetGroup type creates an Amazon Neptune DB subnet group. Subnet
groups must contain at least two subnets in two diﬀerent Availability Zones in the same AWS Region.
Topics
• Syntax (p. 1291)
API Version 2010-05-15
1290

AWS CloudFormation User Guide
AWS::Neptune::DBSubnetGroup

• Properties (p. 1291)
• Return Value (p. 1292)
• Example (p. 1292)
• See Also (p. 1293)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Neptune::DBSubnetGroup",
"Properties" : {
"DBSubnetGroupDescription (p. 1291)" : String,
"DBSubnetGroupName (p. 1291)" : String,
"SubnetIds (p. 1292)" : [ String, ... ],
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: "AWS::Neptune::DBSubnetGroup"
Properties:
DBSubnetGroupDescription (p. 1291): String
DBSubnetGroupName (p. 1291): String
SubnetIds (p. 1292):
- String
Tags:
- Resource Tag

Properties
DBSubnetGroupDescription
The description for the DB subnet group.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
DBSubnetGroupName
The name for the DB subnet group. This value is stored as a lowercase string.
Constraints: Must contain no more than 255 letters, numbers, periods, underscores, spaces, or
hyphens. Must not be default.
Required: No
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
1291

AWS CloudFormation User Guide
AWS::Neptune::DBSubnetGroup

SubnetIds
The Amazon EC2 subnet IDs for the DB subnet group.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)
Tags
The tags that you want to attach to the Amazon RDS database subnet group.
Required: No
Type: A list of resource tags (p. 2106) in key-value format.
Update requires: No interruption (p. 118)

Return Value
Ref
When you pass the logical ID of an AWS::Neptune::DBSubnetGroup resource to the intrinsic
Ref function, the function returns the name of the DB subnet group, such as mystackmydbsubnetgroup-0a12bc456789de0fg.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myDBSubnetGroup" : {
"Type" : "AWS::Neptune::DBSubnetGroup",
"Properties" : {
"DBSubnetGroupDescription" : "description",
"SubnetIds" : [ "subnet-7b5b4112", "subnet-7b5b4115" ],
"Tags" : [ {"Key" : "String", "Value" : "String"} ]
}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
myDBSubnetGroup:
Type: "AWS::Neptune::DBSubnetGroup"
Properties:
DBSubnetGroupDescription: "description"
SubnetIds:
- "subnet-7b5b4112"
- "subnet-7b5b4115"

API Version 2010-05-15
1292

AWS CloudFormation User Guide
AWS::OpsWorks::App
Tags:
Key: "String"
Value: "String"

See Also
• AWS CloudFormation Stacks Updates (p. 118)

AWS::OpsWorks::App
Deﬁnes an AWS OpsWorks app for an AWS OpsWorks stack. The app speciﬁes the code that you want to
run on an application server.
Topics
• Syntax (p. 1293)
• Properties (p. 1294)
• Return Values (p. 1296)
• Template Snippet (p. 1296)
• More Info (p. 1296)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::OpsWorks::App",
"Properties": {
"AppSource" : Source,
"Attributes" : { String:String, ... },
"DataSources" : [ DataSource (p. 2087), ... ],
"Description" : String,
"Domains" : [ String, ... ],
"EnableSsl" : Boolean,
"Environment" : [ Environment, ... ],
"Name" : String,
"Shortname" : String,
"SslConfiguration" : { SslConfiguration },
"StackId" : String,
"Type" : String
}

YAML
Type: "AWS::OpsWorks::App"
Properties:
AppSource:
Source
Attributes:
String: String
Description: String
DataSources:

API Version 2010-05-15
1293

AWS CloudFormation User Guide
AWS::OpsWorks::App
- DataSource (p. 2087)
Domains:
- String
EnableSsl: Boolean
Environment:
- Environment
Name: String
Shortname: String
SslConfiguration:
SslConfiguration
StackId: String
Type: String

Properties
AppSource
The information required to retrieve an app from a repository.
Required: No
Type: AWS OpsWorks Source Type (p. 2097)
Update requires: No interruption (p. 118)
Attributes
One or more user-deﬁned key-value pairs to be added to the app attributes bag.
Required: No
Type: A list of key-value pairs
Update requires: No interruption (p. 118)
Description
A description of the app.
Required: No
Type: String
Update requires: No interruption (p. 118)
DataSources
A list of databases to associate with the AWS OpsWorks app.
Required: No
Type: List of AWS OpsWorks App DataSource (p. 2087)
Update requires: No interruption (p. 118)
Domains
The app virtual host settings, with multiple domains separated by commas. For example,
'www.example.com, example.com'.
Required: No
Type: List of String values
API Version 2010-05-15
1294

AWS CloudFormation User Guide
AWS::OpsWorks::App

Update requires: No interruption (p. 118)
EnableSsl
Whether to enable SSL for this app.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Environment
The environment variables to associate with the AWS OpsWorks app.
Required: No
Type: List of AWS OpsWorks App Environment (p. 2088)
Update requires: No interruption (p. 118)
Name
The name of the AWS OpsWorks app.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Shortname
The app short name, which is used internally by AWS OpsWorks and by Chef recipes.
Required: No
Type: String
Update requires: Replacement (p. 119)
SslConfiguration
The SSL conﬁguration
Required: No
Type: AWS OpsWorks SslConﬁguration Type (p. 2099)
Update requires: No interruption (p. 118)
StackId
The ID of the AWS OpsWorks stack to associate this app with.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Type
The app type. Each supported type is associated with a particular layer. For more information, see
CreateApp in the AWS OpsWorks Stacks API Reference.
API Version 2010-05-15
1295

AWS CloudFormation User Guide
AWS::OpsWorks::App

Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myApp" }

For the AWS OpsWorks stack myApp, Ref returns the ID of the AWS OpsWorks app.
For more information about using the Ref function, see Ref (p. 2311).

Template Snippet
The following snippet creates an AWS OpsWorks app that uses a PHP application in a Git repository:

JSON
"myApp" : {
"Type" : "AWS::OpsWorks::App",
"Properties" : {
"StackId" : {"Ref":"myStack"},
"Type" : "php",
"Name" : "myPHPapp",
"AppSource" : {
"Type" : "git",
"Url" : "git://github.com/amazonwebservices/opsworks-demo-php-simple-app.git",
"Revision" : "version1"
}
}
}

YAML
myApp:
Type: "AWS::OpsWorks::App"
Properties:
StackId:
Ref: "myStack"
Type: "php"
Name: "myPHPapp"
AppSource:
Type: "git"
Url: "git://github.com/amazonwebservices/opsworks-demo-php-simple-app.git"
Revision: "version1"

More Info
• AWS::OpsWorks::Stack (p. 1316)
API Version 2010-05-15
1296

AWS CloudFormation User Guide
AWS::OpsWorks::ElasticLoadBalancerAttachment

• AWS::OpsWorks::Layer (p. 1305)
• AWS::OpsWorks::Instance (p. 1298)

AWS::OpsWorks::ElasticLoadBalancerAttachment
Attaches an Elastic Load Balancing load balancer to an AWS OpsWorks layer that you specify.
Topics
• Syntax (p. 1297)
• Properties (p. 1297)
• Template Snippet (p. 1298)
• See Also (p. 1298)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::OpsWorks::ElasticLoadBalancerAttachment",
"Properties": {
"ElasticLoadBalancerName" : String,
"LayerId" : String
}

YAML
Type: "AWS::OpsWorks::ElasticLoadBalancerAttachment"
Properties:
ElasticLoadBalancerName: String
LayerId: String

Properties
ElasticLoadBalancerName
Elastic Load Balancing load balancer name.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
LayerId
The AWS OpsWorks layer ID that the Elastic Load Balancing load balancer will be attached to.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1297

AWS CloudFormation User Guide
AWS::OpsWorks::Instance

Template Snippet
The following snippet speciﬁes a load balancer attachment to an AWS OpsWorks layer, both of which
would be described elsewhere in the same template:

JSON
"ELBAttachment" : {
"Type" : "AWS::OpsWorks::ElasticLoadBalancerAttachment",
"Properties" : {
"ElasticLoadBalancerName" : { "Ref" : "ELB" },
"LayerId" : { "Ref" : "Layer" }
}
}

YAML
ELBAttachment:
Type: "AWS::OpsWorks::ElasticLoadBalancerAttachment"
Properties:
ElasticLoadBalancerName:
Ref: "ELB"
LayerId:
Ref: "Layer"

See Also
• AWS::OpsWorks::Layer (p. 1305)

AWS::OpsWorks::Instance
Creates an Amazon Elastic Compute Cloud (Amazon EC2) instance for an AWS OpsWorks stack. Instances
for AWS OpsWorks stacks handle the work of serving applications and balancing traﬃc, for example.
Topics
• Syntax (p. 1298)
• Properties (p. 1299)
• Return Values (p. 1303)
• Examples (p. 1304)
• More Info (p. 1305)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type": "AWS::OpsWorks::Instance",
"Properties": {
"AgentVersion" : String,
"AmiId" : String,
"Architecture" : String,

API Version 2010-05-15
1298

AWS CloudFormation User Guide
AWS::OpsWorks::Instance

}

}

"AutoScalingType" : String,
"AvailabilityZone" : String,
"BlockDeviceMappings" : [ BlockDeviceMapping (p. 2093), ... ],
"EbsOptimized" : Boolean,
"ElasticIps" : [ String, ... ],
"Hostname" : String,
"InstallUpdatesOnBoot" : Boolean,
"InstanceType" : String,
"LayerIds" : [ String, ... ],
"Os" : String,
"RootDeviceType" : String,
"SshKeyName" : String,
"StackId" : String,
"SubnetId" : String,
"Tenancy" : String,
"TimeBasedAutoScaling" : TimeBasedAutoScaling (p. 2102),
"VirtualizationType" : String,
"Volumes" : [ String, ... ]

YAML
Type: "AWS::OpsWorks::Instance"
Properties:
AgentVersion: String
AmiId: String
Architecture: String
AutoScalingType: String
AvailabilityZone: String
BlockDeviceMappings:
- BlockDeviceMapping (p. 2093)
EbsOptimized: Boolean
ElasticIps:
- String
Hostname: String
InstallUpdatesOnBoot: Boolean
InstanceType: String
LayerIds:
- String
Os: String
RootDeviceType: String
SshKeyName: String
StackId: String
SubnetId: String
Tenancy: String
TimeBasedAutoScaling:
TimeBasedAutoScaling (p. 2102)
VirtualizationType: String
Volumes:
- String

Properties
AgentVersion
The version of the AWS OpsWorks agent that AWS OpsWorks installs on each instance. AWS
OpsWorks sends commands to the agent to performs tasks on your instances, such as starting Chef
runs. For valid values, see the AgentVersion parameter for the CreateInstance action in the AWS
OpsWorks Stacks API Reference.
Required: No
API Version 2010-05-15
1299

AWS CloudFormation User Guide
AWS::OpsWorks::Instance

Type: String
Update requires: No interruption (p. 118)
AmiId
The ID of the custom Amazon Machine Image (AMI) to be used to create the instance. For more
information about custom AMIs, see Using Custom AMIs in the AWS OpsWorks User Guide.

Note

If you specify this property, you must set the Os property to Custom.
Required: No
Type: String
Update requires: Updates are not supported.
Architecture
The instance architecture.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
AutoScalingType
For scaling instances, the type of scaling. If you specify load-based scaling, do not specify a timebased scaling conﬁguration. For valid values, see CreateInstance in the AWS OpsWorks Stacks API
Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)
AvailabilityZone
The instance Availability Zone.
Required: No
Type: String
Update requires: Replacement (p. 119)
BlockDeviceMappings
A list of block devices that are mapped to the AWS OpsWorks instance. For more information, see
the BlockDeviceMappings parameter for the CreateInstance action in the AWS OpsWorks Stacks
API Reference.
Required: No
Type: List of AWS OpsWorks Instance BlockDeviceMapping (p. 2093)
Update requires: Replacement (p. 119)
EbsOptimized
Whether the instance is optimized for Amazon Elastic Block Store (Amazon EBS) I/O. If you specify
an Amazon EBS-optimized instance type, AWS OpsWorks enables EBS optimization by default. For
API Version 2010-05-15
1300

AWS CloudFormation User Guide
AWS::OpsWorks::Instance

more information, see Amazon EBS–Optimized Instances in the Amazon EC2 User Guide for Linux
Instances.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
ElasticIps
A list of Elastic IP addresses to associate with the instance.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
Hostname
The name of the instance host.
Required: No
Type: String
Update requires: No interruption (p. 118)
InstallUpdatesOnBoot
Whether to install operating system and package updates when the instance boots.
Required: No
Type: Boolean
Update requires: Some interruptions (p. 119)
InstanceType
The instance type, which must be supported by AWS OpsWorks. For more information, see
CreateInstance in the AWS OpsWorks Stacks API Reference.
If you specify an Amazon EBS-optimized instance type, AWS OpsWorks enables EBS optimization
by default. For more information about Amazon EBS-optimized instance types, see Amazon EBS–
Optimized Instances in the Amazon EC2 User Guide for Linux Instances.
Required: Yes
Type: String
Update requires: Some interruptions (p. 119)
LayerIds
The IDs of the AWS OpsWorks layers to associate with this instance.
Required: Yes
Type: List of String values
Update requires: Some interruptions (p. 119)
API Version 2010-05-15
1301

AWS CloudFormation User Guide
AWS::OpsWorks::Instance

Os
The instance operating system. For more information, see CreateInstance in the AWS OpsWorks
Stacks API Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)
RootDeviceType
The root device type of the instance.
Required: No
Type: String
Update requires: Replacement (p. 119)
SshKeyName
The SSH key name of the instance.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
StackId
The ID of the AWS OpsWorks stack that this instance will be associated with.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SubnetId
The ID of the instance's subnet. If the stack is running in a VPC, you can use this parameter to
override the stack's default subnet ID value and direct AWS OpsWorks to launch the instance in a
diﬀerent subnet.
Required: No
Type: String
Update requires: Replacement (p. 119)
Tenancy
The tenancy of the instance. For more information, see the Tenancy parameter for the
CreateInstance action in the AWS OpsWorks Stacks API Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)
TimeBasedAutoScaling
The time-based scaling conﬁguration for the instance.
API Version 2010-05-15
1302

AWS CloudFormation User Guide
AWS::OpsWorks::Instance

Required: No
Type: AWS OpsWorks TimeBasedAutoScaling Type (p. 2102)
Update requires: Replacement (p. 119)
VirtualizationType
The instance's virtualization type, paravirtual or hvm.
Required: No
Type: String
Update requires: Replacement (p. 119)
Volumes
A list of AWS OpsWorks volume IDs to associate with the instance. For more information, see
AWS::OpsWorks::Volume (p. 1329).
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myInstance1" }

For the AWS OpsWorks instance myInstance1, Ref returns the AWS OpsWorks instance ID.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
• AvailabilityZone
The Availability Zone of the AWS OpsWorks instance, such as us-east-2a.
• PrivateDnsName
The private DNS name of the AWS OpsWorks instance.
• PrivateIp
The private IP address of the AWS OpsWorks instance, such as 192.0.2.0.
• PublicDnsName
The public DNS name of the AWS OpsWorks instance.
• PublicIp
The public IP address of the AWS OpsWorks instance, such as 192.0.2.0.
API Version 2010-05-15
1303

AWS CloudFormation User Guide
AWS::OpsWorks::Instance

Note

Use this attribute only when the AWS OpsWorks instance is in an AWS OpsWorks layer that
auto-assigns public IP addresses.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Create Basic AWS OpsWorks Instances
The following example creates two AWS OpsWorks instances that are associated with the myStack AWS
OpsWorks stack and the myLayer AWS OpsWorks layer:

JSON
"myInstance1" : {
"Type" : "AWS::OpsWorks::Instance",
"Properties" : {
"StackId" : {"Ref":"myStack"},
"LayerIds" : [{"Ref":"myLayer"}],
"InstanceType" : "m1.small"
}
},
"myInstance2" : {
"Type" : "AWS::OpsWorks::Instance",
"Properties" : {
"StackId" : {"Ref":"myStack"},
"LayerIds" : [{"Ref":"myLayer"}],
"InstanceType" : "m1.small"
}
}

YAML
myInstance1:
Type: "AWS::OpsWorks::Instance"
Properties:
StackId:
Ref: "myStack"
LayerIds:
Ref: "myLayer"
InstanceType: "m1.small"
myInstance2:
Type: "AWS::OpsWorks::Instance"
Properties:
StackId:
Ref: "myStack"
LayerIds:
Ref: "myLayer"
InstanceType: "m1.small"

Deﬁne a Time-based Auto Scaling Instance
In the following example, the DBInstance instance is online for four hours from UTC 1200-1600 on
Friday, Saturday, and Sunday. The instance is oﬄine for all other times and days.
API Version 2010-05-15
1304

AWS CloudFormation User Guide
AWS::OpsWorks::Layer

JSON
"DBInstance" : {
"Type" : "AWS::OpsWorks::Instance",
"Properties" : {
"AutoScalingType" : "timer",
"StackId" : {"Ref":"Stack"},
"LayerIds" : [{"Ref":"DBLayer"}],
"InstanceType" : "m1.small",
"TimeBasedAutoScaling" : {
"Friday" : { "12" : "on", "13" : "on", "14" : "on", "15" : "on" },
"Saturday" : { "12" : "on", "13" : "on", "14" : "on", "15" : "on" },
"Sunday" : { "12" : "on", "13" : "on", "14" : "on", "15" : "on" }
}
}
}

YAML
DBInstance:
Type: "AWS::OpsWorks::Instance"
Properties:
AutoScalingType: "timer"
StackId:
Ref: "Stack"
LayerIds:
- Ref: "DBLayer"
InstanceType: "m1.small"
TimeBasedAutoScaling:
Friday:
12: "on"
13: "on"
14: "on"
15: "on"
Saturday:
12: "on"
13: "on"
14: "on"
15: "on"
Sunday:
12: "on"
13: "on"
14: "on"
15: "on"

More Info
• AWS::OpsWorks::Stack (p. 1316)
• AWS::OpsWorks::Layer (p. 1305)
• AWS::OpsWorks::App (p. 1293)

AWS::OpsWorks::Layer
Creates an AWS OpsWorks layer. A layer deﬁnes, for example, which packages and applications are
installed and how they are conﬁgured.
Topics
• Syntax (p. 1306)
API Version 2010-05-15
1305

AWS CloudFormation User Guide
AWS::OpsWorks::Layer

• Properties (p. 1307)
• Return Values (p. 1310)
• Template Examples (p. 1310)
• See Also (p. 1316)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type": "AWS::OpsWorks::Layer",
"Properties": {
"Attributes" : { String:String },
"AutoAssignElasticIps" : Boolean,
"AutoAssignPublicIps" : Boolean,
"CustomInstanceProfileArn" : String,
"CustomJson" : JSON object,
"CustomRecipes" : Recipes,
"CustomSecurityGroupIds" : [ String, ... ],
"EnableAutoHealing" : Boolean,
"InstallUpdatesOnBoot" : Boolean,
"LifecycleEventConfiguration" : LifeCycleEventConfiguration,
"LoadBasedAutoScaling" : LoadBasedAutoScaling,
"Name" : String,
"Packages" : [ String, ... ],
"Shortname" : String,
"StackId" : String,
"Tags" : [ Tags (p. 2106), ... ],
"Type" : String,
"VolumeConfigurations" : [ VolumeConfiguration, ... ]
}

YAML
Type: "AWS::OpsWorks::Layer"
Properties:
Attributes:
String:String
AutoAssignElasticIps: Boolean
AutoAssignPublicIps: Boolean
CustomInstanceProfileArn: String
CustomRecipes:
Recipes
CustomJson:
JSON object
CustomSecurityGroupIds:
- String
EnableAutoHealing: Boolean
InstallUpdatesOnBoot: Boolean
LifecycleEventConfiguration:
LifeCycleEventConfiguration
LoadBasedAutoScaling:
LoadBasedAutoScaling
Name: String
Packages:
- String
Shortname: String

API Version 2010-05-15
1306

AWS CloudFormation User Guide
AWS::OpsWorks::Layer
StackId: String
Tags:
- Tags (p. 2106)
Type: String
VolumeConfigurations:
- VolumeConfiguration

Properties
Attributes
One or more user-deﬁned key-value pairs to be added to the stack attributes bag.
Required: No
Type: A list of key-value pairs
Update requires: No interruption (p. 118)
AutoAssignElasticIps
Whether to automatically assign an Elastic IP address to Amazon EC2 instances in this layer.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
AutoAssignPublicIps
For AWS OpsWorks stacks that are running in a VPC, whether to automatically assign a public IP
address to Amazon EC2 instances in this layer.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
CustomInstanceProfileArn
The Amazon Resource Name (ARN) of an IAM instance proﬁle that is to be used for the Amazon EC2
instances in this layer.
Required: No
Type: String
Update requires: No interruption (p. 118)
CustomJson
A custom stack conﬁguration and deployment attributes that AWS OpsWorks installs on the layer's
instances. For more information, see the CustomJson parameter for the CreateLayer action in the
AWS OpsWorks Stacks API Reference.
Required: No
Type: JSON object
CustomRecipes
Custom event recipes for this layer.
API Version 2010-05-15
1307

AWS CloudFormation User Guide
AWS::OpsWorks::Layer

Required: No
Type: AWS OpsWorks Recipes Type (p. 2096)
Update requires: No interruption (p. 118)
CustomSecurityGroupIds
Custom security group IDs for this layer.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
EnableAutoHealing
Whether to automatically heal Amazon EC2 instances that have become disconnected or timed out.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
InstallUpdatesOnBoot
Whether to install operating system and package updates when the instance boots.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
LifecycleEventConfiguration
The lifecycle events for the AWS OpsWorks layer.
Required: No
Type: AWS OpsWorks Layer LifeCycleConﬁguration (p. 2091)
Update requires: No interruption (p. 118)
LoadBasedAutoScaling
The load-based scaling conﬁguration for the AWS OpsWorks layer.
Required: No
Type: AWS OpsWorks LoadBasedAutoScaling Type (p. 2092)
Update requires: No interruption (p. 118)
Name
The AWS OpsWorks layer name.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1308

AWS CloudFormation User Guide
AWS::OpsWorks::Layer

Packages
The packages for this layer.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
Shortname
The layer short name, which is used internally by AWS OpsWorks and by Chef recipes. The short
name is also used as the name for the directory where your app ﬁles are installed.
The name can have a maximum of 200 characters, which are limited to the alphanumeric characters,
'-', '_', and '.'.

Important

If you update a property that requires the layer to be replaced, you must specify a new
short name. You cannot have multiple layers with the same short name.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
StackId
The ID of the AWS OpsWorks stack that this layer will be associated with.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Tags
Speciﬁes an arbitrary set of tags (key–value pairs) to associate with this AWS OpsWorks layer. Use
tags to manage your resources.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
Type
The layer type. A stack cannot have more than one layer of the same type, except for the custom
type. You can have any number of custom types. For more information, see CreateLayer in the AWS
OpsWorks Stacks API Reference.

Important

If you update a property that requires the layer to be replaced, you must specify a new type
unless you have a custom type. You can have any number of custom types.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
1309

AWS CloudFormation User Guide
AWS::OpsWorks::Layer

VolumeConfigurations
Describes the Amazon EBS volumes for this layer.
Required: No
Type: A list of AWS OpsWorks VolumeConﬁguration Type (p. 2103)
Update requires: Some interruptions (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myLayer" }

For the AWS OpsWorks layer myLayer, Ref returns the AWS OpsWorks layer ID.
For more information about using the Ref function, see Ref (p. 2311).

Template Examples
AWS OpsWorks PHP Layer
The following snippet creates an AWS OpsWorks PHP layer that is associated with the myStack AWS
OpsWorks stack. The layer is dependent on the myApp AWS OpsWorks application.

JSON
"myLayer": {
"Type": "AWS::OpsWorks::Layer",
"DependsOn": "myApp",
"Properties": {
"StackId": {"Ref": "myStack"},
"Type": "php-app",
"Shortname" : "php-app",
"EnableAutoHealing" : "true",
"AutoAssignElasticIps" : "false",
"AutoAssignPublicIps" : "true",
"Name": "MyPHPApp"
}
}

YAML
myLayer:
Type: "AWS::OpsWorks::Layer"
DependsOn: "myApp"
Properties:
StackId:
Ref: "myStack"
Type: "php-app"
Shortname: "php-app"
EnableAutoHealing: "true"
AutoAssignElasticIps: "false"

API Version 2010-05-15
1310

AWS CloudFormation User Guide
AWS::OpsWorks::Layer
AutoAssignPublicIps: "true"
Name: "MyPHPApp"

Load-based Auto Scaling Layer
The following snippet creates a load-based automatic scaling AWS OpsWorks PHP layer that is
associated with the myStack AWS OpsWorks stack.

JSON
"myLayer": {
"Type": "AWS::OpsWorks::Layer",
"DependsOn": "myApp",
"Properties": {
"StackId": {"Ref": "myStack"},
"Type": "php-app",
"Shortname" : "php-app",
"EnableAutoHealing" : "true",
"AutoAssignElasticIps" : "false",
"AutoAssignPublicIps" : "true",
"Name": "MyPHPApp",
"LoadBasedAutoScaling" : {
"Enable" : "true",
"UpScaling" : {
"InstanceCount" : 1,
"ThresholdsWaitTime" : 1,
"IgnoreMetricsTime" : 1,
"CpuThreshold" : 70.0,
"MemoryThreshold" : 30.0,
"LoadThreshold" : 0.7
},
"DownScaling" : {
"InstanceCount" : 1,
"ThresholdsWaitTime" : 1,
"IgnoreMetricsTime" : 1,
"CpuThreshold" : 30.0,
"MemoryThreshold" : 70.0,
"LoadThreshold" : 0.3
}
}
}
}

YAML
myLayer:
Type: "AWS::OpsWorks::Layer"
DependsOn: "myApp"
Properties:
StackId:
Ref: "myStack"
Type: "php-app"
Shortname: "php-app"
EnableAutoHealing: "true"
AutoAssignElasticIps: "false"
AutoAssignPublicIps: "true"
Name: "MyPHPApp"
LoadBasedAutoScaling:
Enable: "true"
UpScaling:
InstanceCount: 1
ThresholdsWaitTime: 1

API Version 2010-05-15
1311

AWS CloudFormation User Guide
AWS::OpsWorks::Layer
IgnoreMetricsTime: 1
CpuThreshold: 70
MemoryThreshold: 30
LoadThreshold: 0.7
DownScaling:
InstanceCount: 1
ThresholdsWaitTime: 1
IgnoreMetricsTime: 1
CpuThreshold: 30
MemoryThreshold: 70
LoadThreshold: 0.3

Specify tags for layers and stacks
The following complete template example speciﬁes tags for an AWS OpsWorks layer and stack that
reference parameter values.

JSON
{

"Resources": {
"ServiceRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
{
"Ref": "OpsServicePrincipal"
}
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "opsworks-service",
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*",
"iam:PassRole",
"cloudwatch:GetMetricStatistics",
"elasticloadbalancing:*"
],
"Resource": "*"
}
]
}
}
]
}
},
"OpsWorksEC2Role": {

API Version 2010-05-15
1312

AWS CloudFormation User Guide
AWS::OpsWorks::Layer
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
{
"Ref": "Ec2ServicePrincipal"
}
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/"
}

},
"InstanceRole": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "OpsWorksEC2Role"
}
]
}
},
"myStack": {
"Type": "AWS::OpsWorks::Stack",
"Properties": {
"Name": "TestStack",
"ServiceRoleArn": {
"Fn::GetAtt": [
"ServiceRole",
"Arn"
]
},
"DefaultInstanceProfileArn": {
"Fn::GetAtt": [
"InstanceRole",
"Arn"
]
},
"Tags": [
{
"Key": {
"Ref": "StackKey"
},
"Value": {
"Ref": "StackValue"
}
}
]
}
},
"myLayer": {
"Type": "AWS::OpsWorks::Layer",
"Properties": {
"EnableAutoHealing": "true",
"AutoAssignElasticIps": "false",

API Version 2010-05-15
1313

AWS CloudFormation User Guide
AWS::OpsWorks::Layer

}

}

}

"AutoAssignPublicIps": "true",
"StackId": {
"Ref": "myStack"
},
"Type": "custom",
"Shortname": "shortname",
"Name": "name",
"Tags": [
{
"Key": {
"Ref": "LayerKey"
},
"Value": {
"Ref": "LayerValue"
}
}
]

},
"Parameters": {
"StackKey": {
"Type": "String"
},
"LayerKey": {
"Type": "String"
},
"StackValue": {
"Type": "String"
},
"LayerValue": {
"Type": "String"
},
"OpsServicePrincipal": {
"Type": "String"
},
"Ec2ServicePrincipal": {
"Type": "String"
}
}

YAML
Resources:
ServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- !Ref OpsServicePrincipal
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: opsworks-service
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'ec2:*'

API Version 2010-05-15
1314

AWS CloudFormation User Guide
AWS::OpsWorks::Layer
- 'iam:PassRole'
- 'cloudwatch:GetMetricStatistics'
- 'elasticloadbalancing:*'
Resource: '*'
OpsWorksEC2Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- !Ref Ec2ServicePrincipal
Action:
- 'sts:AssumeRole'
Path: /
InstanceRole:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref OpsWorksEC2Role
myStack:
Type: AWS::OpsWorks::Stack
Properties:
Name: TestStack
ServiceRoleArn: !GetAtt
- ServiceRole
- Arn
DefaultInstanceProfileArn: !GetAtt
- InstanceRole
- Arn
Tags:
- Key: !Ref StackKey
Value: !Ref StackValue
myLayer:
Type: AWS::OpsWorks::Layer
Properties:
EnableAutoHealing: 'true'
AutoAssignElasticIps: 'false'
AutoAssignPublicIps: 'true'
StackId: !Ref myStack
Type: custom
Shortname: shortname
Name: name
Tags:
- Key: !Ref LayerKey
Value: !Ref LayerValue
Parameters:
StackKey:
Type: String
LayerKey:
Type: String
StackValue:
Type: String
LayerValue:
Type: String
OpsServicePrincipal:
Type: String
Ec2ServicePrincipal:
Type: String

API Version 2010-05-15
1315

AWS CloudFormation User Guide
AWS::OpsWorks::Stack

See Also
• AWS::OpsWorks::Stack (p. 1316)
• AWS::OpsWorks::App (p. 1293)
• AWS::OpsWorks::Instance (p. 1298)

AWS::OpsWorks::Stack
Creates an AWS OpsWorks stack. An AWS OpsWorks stack represents a set of instances that you want to
manage collectively, typically because they have a common purpose such as serving PHP applications.
Topics
• Syntax (p. 1316)
• Properties (p. 1317)
• Return Values (p. 1322)
• Template Examples (p. 1322)
• Additional Information (p. 1326)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::OpsWorks::Stack",
"Properties" : {
"AgentVersion" : String,
"Attributes" : { String:String, ... },
"ChefConfiguration" : { ChefConfiguration },
"CloneAppIds" : [ String, ... ],
"ClonePermissions" : Boolean,
"ConfigurationManager" : { StackConfigurationManager },
"CustomCookbooksSource" : { Source },
"CustomJson" : JSON,
"DefaultAvailabilityZone" : String,
"DefaultInstanceProfileArn" : String,
"DefaultOs" : String,
"DefaultRootDeviceType" : String,
"DefaultSshKeyName" : String,
"DefaultSubnetId" : String,
"EcsClusterArn" : String,
"ElasticIps" : [ ElasticIp (p. 2099), ... ],
"HostnameTheme" : String,
"Name" : String,
"RdsDbInstances" : [ RdsDbInstance (p. 2100), ... ],
"ServiceRoleArn" : String,
"SourceStackId" : String,
"Tags" : [ Tags (p. 2106), ... ],
"UseCustomCookbooks" : Boolean,
"UseOpsworksSecurityGroups" : Boolean,
"VpcId" : String
}

API Version 2010-05-15
1316

AWS CloudFormation User Guide
AWS::OpsWorks::Stack

YAML
Type: "AWS::OpsWorks::Stack"
Properties:
AgentVersion: String
Attributes:
String:String
ChefConfiguration:
ChefConfiguration
CloneAppIds:
- String
ClonePermissions: Boolean
ConfigurationManager:
StackConfigurationManager
CustomCookbooksSource:
Source
CustomJson: JSON
DefaultAvailabilityZone: String
DefaultInstanceProfileArn: String
DefaultOs: String
DefaultRootDeviceType: String
DefaultSshKeyName: String
DefaultSubnetId: String
EcsClusterArn: String
ElasticIps:
- ElasticIp (p. 2099)
HostnameTheme: String
Name: String
RdsDbInstances:
- RdsDbInstance (p. 2100)
ServiceRoleArn: String
SourceStackId: String
Tags:
- Tags (p. 2106)
UseCustomCookbooks: Boolean
UseOpsworksSecurityGroups: Boolean
VpcId: String

Properties
AgentVersion
The AWS OpsWorks agent version that you want to use. The agent communicates with the service
and handles tasks such as initiating Chef runs in response to lifecycle events. For valid values, see the
AgentVersion parameter for the CreateStack action in the AWS OpsWorks Stacks API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
Attributes
One or more user-deﬁned key-value pairs to be added to the stack attributes bag.
Required: No
Type: A list of key-value pairs
Update requires: No interruption (p. 118)
API Version 2010-05-15
1317

AWS CloudFormation User Guide
AWS::OpsWorks::Stack

ChefConfiguration
Describes the Chef conﬁguration. For more information, see the CreateStack ChefConﬁguration
parameter in the AWS OpsWorks Stacks API Reference.

Note

To enable Berkshelf, you must select a Chef version in the ConfigurationManager
property that supports Berkshelf.
Required: No
Type: AWS OpsWorks ChefConﬁguration Type (p. 2090)
Update requires: No interruption (p. 118)
CloneAppIds
If you're cloning an AWS OpsWorks stack, a list of AWS OpsWorks application stack IDs from the
source stack to include in the cloned stack.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
ClonePermissions
If you're cloning an AWS OpsWorks stack, indicates whether to clone the source stack's permissions.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
ConfigurationManager
Describes the conﬁguration manager. When you create a stack, you use the conﬁguration manager
to specify the Chef version. For supported Chef versions, see the CreateStack ConﬁgurationManager
parameter in the AWS OpsWorks Stacks API Reference.
Required: No
Type: AWS OpsWorks StackConﬁgurationManager Type (p. 2101)
Update requires: No interruption (p. 118)
CustomCookbooksSource
Contains the information required to retrieve a cookbook from a repository.
Required: No
Type: AWS OpsWorks Source Type (p. 2097)
Update requires: No interruption (p. 118)
CustomJson
A user-deﬁned custom JSON object. The custom JSON is used to override the corresponding default
stack conﬁguration JSON values. For more information, see CreateStack in the AWS OpsWorks Stacks
API Reference.
API Version 2010-05-15
1318

AWS CloudFormation User Guide
AWS::OpsWorks::Stack

Important

AWS CloudFormation submits all JSON attributes as strings, including any Boolean or
number attributes. If you have recipes that expect booleans or numbers, you must modify
the recipes to accept strings and to interpret those strings as booleans or numbers.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
DefaultAvailabilityZone
The stack's default Availability Zone, which must be in the speciﬁed region.
Required: No
Type: String
Update requires: No interruption (p. 118)
DefaultInstanceProfileArn
The Amazon Resource Name (ARN) of an IAM instance proﬁle that is the default proﬁle for all of the
stack's Amazon EC2 instances.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
DefaultOs
The stack's default operating system. For more information, see CreateStack in the AWS OpsWorks
Stacks API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
DefaultRootDeviceType
The default root device type. This value is used by default for all instances in the stack, but you can
override it when you create an instance. For more information, see CreateStack in the AWS OpsWorks
Stacks API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
DefaultSshKeyName
A default SSH key for the stack instances. You can override this value when you create or update an
instance.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1319

AWS CloudFormation User Guide
AWS::OpsWorks::Stack

DefaultSubnetId
The stack's default subnet ID. All instances are launched into this subnet unless you specify another
subnet ID when you create the instance.
Required: Conditional. If you specify the VpcId property, you must specify this property.
Type: String
Update requires: No interruption (p. 118)
EcsClusterArn
The Amazon Resource Name (ARN) of the Amazon Elastic Container Service (Amazon ECS) cluster to
register with the AWS OpsWorks stack.

Note

If you specify a cluster that's registered with another AWS OpsWorks stack, AWS
CloudFormation deregisters the existing association before registering the cluster.
Required: No
Type: String
Update requires: No interruption (p. 118)
ElasticIps
A list of Elastic IP addresses to register with the AWS OpsWorks stack.

Note

If you specify an IP address that's registered with another AWS OpsWorks stack, AWS
CloudFormation deregisters the existing association before registering the IP address.
Required: No
Type: List of AWS OpsWorks Stack ElasticIp (p. 2099)
Update requires: No interruption (p. 118)
HostnameTheme
The stack's host name theme, with spaces replaced by underscores. The theme is used to generate
host names for the stack's instances. For more information, see CreateStack in the AWS OpsWorks
Stacks API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the AWS OpsWorks stack.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RdsDbInstances
The Amazon Relational Database Service (Amazon RDS) DB instance to register with the AWS
OpsWorks stack.
API Version 2010-05-15
1320

AWS CloudFormation User Guide
AWS::OpsWorks::Stack

Note

If you specify a DB instance that's registered with another AWS OpsWorks stack, AWS
CloudFormation deregisters the existing association before registering the DB instance.
Required: No
Type: List of AWS OpsWorks Stack RdsDbInstance (p. 2100)
Update requires: No interruption (p. 118)
ServiceRoleArn
The AWS Identity and Access Management (IAM) role that AWS OpsWorks uses to work with AWS
resources on your behalf. You must specify an Amazon Resource Name (ARN) for an existing IAM
role.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SourceStackId
If you're cloning an AWS OpsWorks stack, the stack ID of the source AWS OpsWorks stack to clone.
Required: No
Type: String
Update requires: Replacement (p. 119)
Tags
Speciﬁes an arbitrary set of tags (key–value pairs) to associate with this AWS OpsWorks stack. Use
tags to manage your resources.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
UseCustomCookbooks
Whether the stack uses custom cookbooks.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
UseOpsworksSecurityGroups
Whether to associate the AWS OpsWorks built-in security groups with the stack's layers.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
VpcId
The ID of the VPC that the stack is to be launched into, which must be in the speciﬁed region.
All instances are launched into this VPC. If you specify this property, you must specify the
DefaultSubnetId property.
API Version 2010-05-15
1321

AWS CloudFormation User Guide
AWS::OpsWorks::Stack

Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myStack" }

For the AWS OpsWorks stack myStack, Ref returns the AWS OpsWorks stack ID.
For more information about using the Ref function, see Ref (p. 2311).

Template Examples
The following snippet creates an AWS OpsWorks stack that uses the default service role and Amazon EC2
role, which are created after you use AWS OpsWorks for the ﬁrst time:

JSON
"myStack" : {
"Type" : "AWS::OpsWorks::Stack",
"Properties" : {
"Name" : {"Ref":"OpsWorksStackName"},
"ServiceRoleArn" : { "Fn::Join": ["", ["arn:aws:iam::", {"Ref":"AWS::AccountId"},
":role/aws-opsworks-service-role"]] },
"DefaultInstanceProfileArn" : { "Fn::Join": ["", ["arn:aws:iam::",
{"Ref":"AWS::AccountId"}, ":instance-profile/aws-opsworks-ec2-role"]] },
"DefaultSshKeyName" : {"Ref":"KeyName"}
}
}

YAML
myStack:
Type: "AWS::OpsWorks::Stack"
Properties:
Name:
Ref: "OpsWorksStackName"
ServiceRoleArn:
Fn::Join:
- ""
- "arn:aws:iam::"
Ref: "AWS::AccountId"
- ":role/aws-opsworks-service-role"
DefaultInstanceProfileArn:
Fn::Join:
- ""
- "arn:aws:iam::"

API Version 2010-05-15
1322

AWS CloudFormation User Guide
AWS::OpsWorks::Stack
-

Ref: "AWS::AccountId"
- ":instance-profile/aws-opsworks-ec2-role"
DefaultSshKeyName:
Ref: "KeyName"

Specify tags for layers and stacks
The following complete template example speciﬁes tags for an AWS OpsWorks layer and stack that
reference parameter values.

JSON
{

"Resources": {
"ServiceRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
{
"Ref": "OpsServicePrincipal"
}
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "opsworks-service",
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*",
"iam:PassRole",
"cloudwatch:GetMetricStatistics",
"elasticloadbalancing:*"
],
"Resource": "*"
}
]
}
}
]
}
},
"OpsWorksEC2Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",

API Version 2010-05-15
1323

AWS CloudFormation User Guide
AWS::OpsWorks::Stack

]

}

"Principal": {
"Service": [
{
"Ref": "Ec2ServicePrincipal"
}
]
},
"Action": [
"sts:AssumeRole"
]

},
"Path": "/"

}
},
"InstanceRole": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "OpsWorksEC2Role"
}
]
}
},
"myStack": {
"Type": "AWS::OpsWorks::Stack",
"Properties": {
"Name": "TestStack",
"ServiceRoleArn": {
"Fn::GetAtt": [
"ServiceRole",
"Arn"
]
},
"DefaultInstanceProfileArn": {
"Fn::GetAtt": [
"InstanceRole",
"Arn"
]
},
"Tags": [
{
"Key": {
"Ref": "StackKey"
},
"Value": {
"Ref": "StackValue"
}
}
]
}
},
"myLayer": {
"Type": "AWS::OpsWorks::Layer",
"Properties": {
"EnableAutoHealing": "true",
"AutoAssignElasticIps": "false",
"AutoAssignPublicIps": "true",
"StackId": {
"Ref": "myStack"
},
"Type": "custom",
"Shortname": "shortname",

API Version 2010-05-15
1324

AWS CloudFormation User Guide
AWS::OpsWorks::Stack

}

}

}

"Name": "name",
"Tags": [
{
"Key": {
"Ref": "LayerKey"
},
"Value": {
"Ref": "LayerValue"
}
}
]

},
"Parameters": {
"StackKey": {
"Type": "String"
},
"LayerKey": {
"Type": "String"
},
"StackValue": {
"Type": "String"
},
"LayerValue": {
"Type": "String"
},
"OpsServicePrincipal": {
"Type": "String"
},
"Ec2ServicePrincipal": {
"Type": "String"
}
}

YAML
Resources:
ServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- !Ref OpsServicePrincipal
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: opsworks-service
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'ec2:*'
- 'iam:PassRole'
- 'cloudwatch:GetMetricStatistics'
- 'elasticloadbalancing:*'
Resource: '*'
OpsWorksEC2Role:
Type: AWS::IAM::Role

API Version 2010-05-15
1325

AWS CloudFormation User Guide
AWS::OpsWorks::Stack
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- !Ref Ec2ServicePrincipal
Action:
- 'sts:AssumeRole'
Path: /
InstanceRole:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref OpsWorksEC2Role
myStack:
Type: AWS::OpsWorks::Stack
Properties:
Name: TestStack
ServiceRoleArn: !GetAtt
- ServiceRole
- Arn
DefaultInstanceProfileArn: !GetAtt
- InstanceRole
- Arn
Tags:
- Key: !Ref StackKey
Value: !Ref StackValue
myLayer:
Type: AWS::OpsWorks::Layer
Properties:
EnableAutoHealing: 'true'
AutoAssignElasticIps: 'false'
AutoAssignPublicIps: 'true'
StackId: !Ref myStack
Type: custom
Shortname: shortname
Name: name
Tags:
- Key: !Ref LayerKey
Value: !Ref LayerValue
Parameters:
StackKey:
Type: String
LayerKey:
Type: String
StackValue:
Type: String
LayerValue:
Type: String
OpsServicePrincipal:
Type: String
Ec2ServicePrincipal:
Type: String

Additional Information
• For a complete sample AWS OpsWorks template, see AWS OpsWorks Template Snippets (p. 404).
• AWS::OpsWorks::Layer (p. 1305)
• AWS::OpsWorks::App (p. 1293)
• AWS::OpsWorks::Instance (p. 1298)
API Version 2010-05-15
1326

AWS CloudFormation User Guide
AWS::OpsWorks::UserProﬁle

AWS::OpsWorks::UserProﬁle
The AWS::OpsWorks::UserProfile resource conﬁgures SSH access for users who require access to
instances in an AWS OpsWorks stack.
Topics
• Syntax (p. 1327)
• Properties (p. 1327)
• Return Value (p. 1328)
• Example (p. 1328)

Syntax
JSON
{

}

"Type" : "AWS::OpsWorks::UserProfile",
"Properties" : {
"AllowSelfManagement" : Boolean,
"IamUserArn" : String,
"SshPublicKey" : String,
"SshUsername" : String
}

YAML
Type: "AWS::OpsWorks::UserProfile"
Properties:
AllowSelfManagement: Boolean
IamUserArn: String
SshPublicKey: String
SshUsername: String

Properties
AllowSelfManagement
Indicates whether users can use the AWS OpsWorks My Settings page to specify their own SSH
public key. For more information, see Setting an IAM User's Public SSH Key in the AWS OpsWorks
User Guide.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
IamUserArn
The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) user to
associate with this conﬁguration.
Required: Yes
Type: String
API Version 2010-05-15
1327

AWS CloudFormation User Guide
AWS::OpsWorks::UserProﬁle

Update requires: Replacement (p. 119)
SshPublicKey
The public SSH key that is associated with the IAM user. To access instances, the IAM user must have
or be given the corresponding private key.
Required: No
Type: String
Update requires: No interruption (p. 118)
SshUsername
The user's SSH user name.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the IAM user
ARN, such as arn:aws:iam::123456789012:user/opsworksuser.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
• SshUsername
The user's SSH user name, as a string.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example registers a public key to the testUser IAM user. The user can also use selfmanagement to specify his or her own public key.

JSON
"userProfile": {
"Type": "AWS::OpsWorks::UserProfile",
"Properties": {
"IamUserArn": {
"Fn::GetAtt": ["testUser", "Arn"]
},
"AllowSelfManagement": "true",
"SshPublicKey": "xyz1234567890"

API Version 2010-05-15
1328

AWS CloudFormation User Guide
AWS::OpsWorks::Volume

}

}

YAML
userProfile:
Type: AWS::OpsWorks::UserProfile
Properties:
IamUserArn: !GetAtt [testUser, Arn]
AllowSelfManagement: 'true'
SshPublicKey: xyz1234567890

AWS::OpsWorks::Volume
The AWS::OpsWorks::Volume resource registers an Amazon Elastic Block Store (Amazon EBS) volume
with an AWS OpsWorks stack.
Topics
• Syntax (p. 1329)
• Properties (p. 1329)
• Return Value (p. 1330)
• Example (p. 1330)

Syntax
JSON
{

}

"Type" : "AWS::OpsWorks::Volume",
"Properties" : {
"Ec2VolumeId" : String,
"MountPoint" : String,
"Name" : String,
"StackId" : String
}

YAML
Type: "AWS::OpsWorks::Volume"
Properties:
Ec2VolumeId: String
MountPoint: String
Name: String
StackId: String

Properties
Ec2VolumeId
The ID of the Amazon EBS volume to register with the AWS OpsWorks stack.
Required: Yes
API Version 2010-05-15
1329

AWS CloudFormation User Guide
AWS::OpsWorks::Volume

Type: String
Update requires: Replacement (p. 119)
MountPoint
The mount point for the Amazon EBS volume, such as /mnt/disk1.
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
A name for the Amazon EBS volume.
Required: No
Type: String
Update requires: No interruption (p. 118)
StackId
The ID of the AWS OpsWorks stack that AWS OpsWorks registers the volume to.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the AWS
OpsWorks volume ID, such as 1ab23cd4-92ff-4501-b37c-example.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example registers the ec2volume volume with the opsworksstack stack, both of which
are declared elsewhere in the same template.

JSON
"opsworksVolume": {
"Type": "AWS::OpsWorks::Volume",
"Properties": {
"Ec2VolumeId": { "Ref": "ec2volume" },
"MountPoint": "/dev/sdb",
"Name": "testOpsWorksVolume",
"StackId": { "Ref": "opsworksstack" }
}
}

API Version 2010-05-15
1330

AWS CloudFormation User Guide
AWS::RDS::DBCluster

YAML
opsworksVolume:
Type: AWS::OpsWorks::Volume
Properties:
Ec2VolumeId: !Ref 'ec2volume'
MountPoint: /dev/sdb
Name: testOpsWorksVolume
StackId: !Ref 'opsworksstack'

AWS::RDS::DBCluster
The AWS::RDS::DBCluster resource creates a cluster, such as an Aurora for Amazon RDS (Amazon
Aurora) DB cluster. Amazon Aurora is a fully managed, MySQL-compatible, relational database engine.
For more information, see Aurora on Amazon RDS in the Amazon RDS User Guide.

Note

Currently, you can create this resource only in regions in which Amazon Aurora is supported.
The default DeletionPolicy for AWS::RDS::DBCluster resources is Snapshot. For more information
about how AWS CloudFormation deletes resources, see DeletionPolicy Attribute (p. 2248).
Topics
• Syntax (p. 1331)
• Properties (p. 1332)
• Return Values (p. 1336)
• Example (p. 1336)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::RDS::DBCluster",
"Properties" :
{
"AvailabilityZones" : [ String, ... ],
"BackupRetentionPeriod" : Integer,
"DatabaseName" : String,
"DBClusterIdentifier" : String,
"DBClusterParameterGroupName" : String,
"DBSubnetGroupName" : String,
"Engine" : String,
"EngineVersion" : String,
"KmsKeyId" : String,
"MasterUsername" : String,
"MasterUserPassword" : String,
"Port" : Integer,
"PreferredBackupWindow" : String,
"PreferredMaintenanceWindow" : String,
"ReplicationSourceIdentifier" : String,
"SnapshotIdentifier" : String,
"StorageEncrypted" : Boolean,
"Tags" : [ Resource Tag, ... ],
"VpcSecurityGroupIds" : [ String, ... ]

API Version 2010-05-15
1331

AWS CloudFormation User Guide
AWS::RDS::DBCluster

}

}

YAML
Type: "AWS::RDS::DBCluster"
Properties:
AvailabilityZones:
- String
BackupRetentionPeriod: Integer
DatabaseName: String
DBClusterIdentifier: String
DBClusterParameterGroupName: String
DBSubnetGroupName: String
Engine: String
EngineVersion: String
KmsKeyId: String
MasterUsername: String
MasterUserPassword: String
Port: Integer
PreferredBackupWindow: String
PreferredMaintenanceWindow: String
ReplicationSourceIdentifier: String
SnapshotIdentifier: String
StorageEncrypted: Boolean
Tags:
- Resource Tag
VpcSecurityGroupIds:
- String

Properties
AvailabilityZones
A list of Availability Zones (AZs) in which DB instances in the cluster can be created.
Required: No
Type: String
Update requires: Replacement (p. 119)
BackupRetentionPeriod
The number of days for which automatic backups are retained. For more information, see
CreateDBCluster in the Amazon RDS API Reference.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
DatabaseName
The name of your database. If you don't provide a name, Amazon Relational Database Service
(Amazon RDS) won't create a database in this DB cluster. For naming constraints, see Naming
Constraints in Amazon RDS in the Amazon RDS User Guide.
Required: No
Type: String
API Version 2010-05-15
1332

AWS CloudFormation User Guide
AWS::RDS::DBCluster

Update requires: Replacement (p. 119)
DBClusterIdentifier
The DB cluster identiﬁer. This parameter is stored as a lowercase string.
Constraints:
• Must contain from 1 to 63 letters, numbers, or hyphens.
• First character must be a letter.
• Cannot end with a hyphen or contain two consecutive hyphens.
For additional information, see the DBClusterIdentifier parameter of the CreateDBCluster
action in the Amazon RDS API Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)
DBClusterParameterGroupName
The name of the DB cluster parameter group to associate with this DB cluster.

Note

If this argument is omitted, default.aurora5.6 is used. If default.aurora5.6 is used,
specifying aurora-mysql or aurora-postgresql for the Engine property might result
in an error.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
DBSubnetGroupName
A DB subnet group that you want to associate with this DB cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)
Engine
The name of the database engine that you want to use for this DB cluster.
For valid values, see the Engine parameter of the CreateDBCluster action in the Amazon RDS API
Reference.

Note

If you don't specify a value for the DBClusterParameterGroupName property and
default.aurora5.6 is used, specifying aurora.mysql or aurora-postgresql for this
property might result in an error.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
1333

AWS CloudFormation User Guide
AWS::RDS::DBCluster

EngineVersion
The version number of the database engine that you want to use.
Required: No
Type: String
Update requires: Replacement (p. 119)
KmsKeyId
The Amazon Resource Name (ARN) of the AWS Key Management Service master key that
is used to encrypt the database instances in the DB cluster, such as arn:aws:kms:useast-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef. If you enable the
StorageEncrypted property but don't specify this property, the default master key is used. If you
specify this property, you must set the StorageEncrypted property to true.
If you specify the SnapshotIdentifier, do not specify this property. The value is inherited from
the snapshot DB cluster.
Required: No
Type: String
Update requires: Replacement (p. 119).
MasterUsername
The master user name for the DB instance.
Required: Conditional. You must specify this property unless you specify the SnapshotIdentifier
property. In that case, do not specify this property.
Type: String
Update requires: Replacement (p. 119).
MasterUserPassword
The password for the master database user.
Required: Conditional. You must specify this property unless you specify the SnapshotIdentifier
property. In that case, do not specify this property.
Type: String
Update requires: No interruption (p. 118)
Port
The port number on which the DB instances in the cluster can accept connections. If this argument is
omitted, 3306 is used.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
PreferredBackupWindow
if automated backups are enabled (see the BackupRetentionPeriod property), the daily time
range in UTC during which you want to create automated backups.
API Version 2010-05-15
1334

AWS CloudFormation User Guide
AWS::RDS::DBCluster

For valid values, see the PreferredBackupWindow parameter of the CreateDBInstance action in
the Amazon RDS API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
PreferredMaintenanceWindow
The weekly time range (in UTC) during which system maintenance can occur.
For valid values, see the PreferredMaintenanceWindow parameter of the CreateDBInstance
action in the Amazon RDS API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118) or some interruptions (p. 119). For more information, see
ModifyDBInstance in the Amazon RDS API Reference.
ReplicationSourceIdentifier
The Amazon Resource Name (ARN) of the source Amazon RDS DB instance or DB cluster, if this DB
cluster is created as a Read Replica.
Required: No
Type: String
Update requires: No interruption (p. 118)
SnapshotIdentifier
The identiﬁer for the DB cluster snapshot from which you want to restore.
Required: No
Type: String
Update requires: Replacement (p. 119)
StorageEncrypted
Indicates whether the DB instances in the cluster are encrypted.
If you specify the SnapshotIdentifier property, do not specify this property. The value is
inherited from the snapshot DB cluster.
Required: Conditional. If you specify the KmsKeyId property, you must enable encryption.
Type: Boolean
Update requires: Replacement (p. 119).
Tags
The tags that you want to attach to this DB cluster.
Required: No
Type: A list of resource tags (p. 2106)
Update requires: No interruption (p. 118)
API Version 2010-05-15
1335

AWS CloudFormation User Guide
AWS::RDS::DBCluster

VpcSecurityGroupIds
A list of VPC security groups to associate with this DB cluster.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Endpoint.Address
The connection endpoint for the DB cluster. For example: mystackmydbcluster-1apw1j4phylrk.cg034hpkmmjt.us-east-2.rds.amazonaws.com.
Endpoint.Port
The port number that will accept connections on this DB cluster. For example: 5439.
ReadEndpoint.Address
The reader endpoint for the DB cluster. For example: mystack-mydbclusterro-1apw1j4phylrk.cg034hpkmmjt.us-east-2.rds.amazonaws.com.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following snippet creates an Amazon Aurora DB cluster and adds two DB instances to it. Because
Amazon RDS automatically assigns a writer and reader DB instances in the cluster, use the cluster
endpoint to read and write data, not the individual DB instance endpoints.

JSON
"RDSCluster" : {
"Type" : "AWS::RDS::DBCluster",
"Properties" : {
"MasterUsername" : { "Ref" : "username" },
"MasterUserPassword" : { "Ref" : "password" },
"Engine" : "aurora",
"DBSubnetGroupName" : { "Ref" : "DBSubnetGroup" },
"DBClusterParameterGroupName" : { "Ref" : "RDSDBClusterParameterGroup" }
}
},
"RDSDBInstance1" : {
"Type" : "AWS::RDS::DBInstance",

API Version 2010-05-15
1336

AWS CloudFormation User Guide
AWS::RDS::DBCluster
"Properties" : {
"DBSubnetGroupName" : {
"Ref" : "DBSubnetGroup"
},
"DBParameterGroupName" :{"Ref": "RDSDBParameterGroup"},
"Engine" : "aurora",
"DBClusterIdentifier" : {
"Ref" : "RDSCluster"
},
"PubliclyAccessible" : "true",
"AvailabilityZone" : { "Fn::GetAtt" : [ "Subnet1", "AvailabilityZone" ] },
"DBInstanceClass" : "db.r3.xlarge"
}

},
"RDSDBInstance2" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"DBSubnetGroupName" : {
"Ref" : "DBSubnetGroup"
},
"DBParameterGroupName" :{"Ref": "RDSDBParameterGroup"},
"Engine" : "aurora",
"DBClusterIdentifier" : {
"Ref" : "RDSCluster"
},
"PubliclyAccessible" : "true",
"AvailabilityZone" : { "Fn::GetAtt" : [ "Subnet2", "AvailabilityZone" ] },
"DBInstanceClass" : "db.r3.xlarge"
}
},
"RDSDBClusterParameterGroup" : {
"Type": "AWS::RDS::DBClusterParameterGroup",
"Properties" : {
"Description" : "CloudFormation Sample Aurora Cluster Parameter Group",
"Family" : "aurora5.6",
"Parameters" : {
"time_zone" : "US/Eastern"
}
}
},
"RDSDBParameterGroup": {
"Type": "AWS::RDS::DBParameterGroup",
"Properties" : {
"Description" : "CloudFormation Sample Aurora Parameter Group",
"Family" : "aurora5.6",
"Parameters" : {
"sql_mode": "IGNORE_SPACE"
}
}
}

YAML
RDSCluster:
Type: AWS::RDS::DBCluster
Properties:
MasterUsername:
Ref: username
MasterUserPassword:
Ref: password
Engine: aurora
DBSubnetGroupName:
Ref: DBSubnetGroup
DBClusterParameterGroupName:

API Version 2010-05-15
1337

AWS CloudFormation User Guide
AWS::RDS::DBClusterParameterGroup
Ref: RDSDBClusterParameterGroup
RDSDBInstance1:
Type: AWS::RDS::DBInstance
Properties:
DBSubnetGroupName:
Ref: DBSubnetGroup
DBParameterGroupName:
Ref: RDSDBParameterGroup
Engine: aurora
DBClusterIdentifier:
Ref: RDSCluster
PubliclyAccessible: 'true'
AvailabilityZone:
Fn::GetAtt:
- Subnet1
- AvailabilityZone
DBInstanceClass: db.r3.xlarge
RDSDBInstance2:
Type: AWS::RDS::DBInstance
Properties:
DBSubnetGroupName:
Ref: DBSubnetGroup
DBParameterGroupName:
Ref: RDSDBParameterGroup
Engine: aurora
DBClusterIdentifier:
Ref: RDSCluster
PubliclyAccessible: 'true'
AvailabilityZone:
Fn::GetAtt:
- Subnet2
- AvailabilityZone
DBInstanceClass: db.r3.xlarge
RDSDBClusterParameterGroup:
Type: AWS::RDS::DBClusterParameterGroup
Properties:
Description: CloudFormation Sample Aurora Cluster Parameter Group
Family: aurora5.6
Parameters:
time_zone: US/Eastern
RDSDBParameterGroup:
Type: AWS::RDS::DBParameterGroup
Properties:
Description: CloudFormation Sample Aurora Parameter Group
Family: aurora5.6
Parameters:
sql_mode: IGNORE_SPACE

AWS::RDS::DBClusterParameterGroup
The AWS::RDS::DBClusterParameterGroup resource creates a new Amazon Relational Database
Service (Amazon RDS) database (DB) cluster parameter group. For more information about DB cluster
parameter groups, see Appendix: DB Cluster and DB Instance Parameters in the Amazon RDS User Guide.

Note

Applying a parameter group to a DB cluster might require instances to reboot, resulting in a
database outage while the instances reboot.
Topics
• Syntax (p. 1339)
• Properties (p. 1339)
• Return Values (p. 1340)
API Version 2010-05-15
1338

AWS CloudFormation User Guide
AWS::RDS::DBClusterParameterGroup

• Example (p. 1340)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::RDS::DBClusterParameterGroup",
"Properties" : {
"Description" : String,
"Family" : String,
"Parameters" : DBParameters,
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: "AWS::RDS::DBClusterParameterGroup"
Properties:
Description: String
Family: String
Parameters: DBParameters
Tags:
Resource Tag

Properties
Description
A friendly description for this DB cluster parameter group.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Family
The database family of this DB cluster parameter group, such as aurora5.6.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Parameters
The parameters to set for this DB cluster parameter group. For a list of parameter keys, see
Appendix: DB Cluster and DB Instance Parameters in the Amazon RDS User Guide.
Changes to dynamic parameters are applied immediately. Changes to static parameters require a
reboot without failover to the DB instance that is associated with the parameter group before the
change can take eﬀect.
API Version 2010-05-15
1339

AWS CloudFormation User Guide
AWS::RDS::DBClusterParameterGroup

Required: Yes
Type: A JSON object consisting of string key-value pairs, as shown in the following example:
"Parameters" : {
"Key1" : "Value1",
"Key2" : "Value2",
"Key3" : "Value3"
}

Update requires: No interruption (p. 118) or some interruptions (p. 119), depending on the
parameters that you update.
Tags
The tags that you want to attach to this parameter group.
Required: No
Type: A list of resource tags (p. 2106)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following snippet creates a parameter group that sets the character set database to UTF32:

JSON
"RDSDBClusterParameterGroup" : {
"Type" : "AWS::RDS::DBClusterParameterGroup",
"Properties" : {
"Parameters" : {
"character_set_database" : "utf32"
},
"Family" : "aurora5.6",
"Description" : "A sample parameter group"
}
}

YAML
RDSDBClusterParameterGroup:
Type: "AWS::RDS::DBClusterParameterGroup"
Properties:
Parameters:
character_set_database: "utf32"
Family: "aurora5.6"
Description: "A sample parameter group"

API Version 2010-05-15
1340

AWS CloudFormation User Guide
AWS::RDS::DBInstance

AWS::RDS::DBInstance
The AWS::RDS::DBInstance type creates an Amazon Relational Database Service (Amazon RDS) DB
instance. For detailed information about conﬁguring RDS DB instances, see CreateDBInstance.

Important

If a DB instance is deleted or replaced during an update, AWS CloudFormation deletes all
automated snapshots. However, it retains manual DB snapshots. During an update that requires
replacement, you can apply a stack policy to prevent DB instances from being replaced. For
more information, see Prevent Updates to Stack Resources (p. 141).
Topics
• Syntax (p. 1341)
• Properties (p. 1342)
• Updating and Deleting AWS::RDS::DBInstance Resources (p. 1287)
• Return Values (p. 1354)
• Examples (p. 1354)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::RDS::DBInstance",
"Properties" :
{
"AllocatedStorage (p. 1342)" : String,
"AllowMajorVersionUpgrade" : Boolean,
"AutoMinorVersionUpgrade (p. 1343)" : Boolean,
"AvailabilityZone (p. 1343)" : String,
"BackupRetentionPeriod (p. 1343)" : String,
"CharacterSetName" : String,
"CopyTagsToSnapshot" : Boolean,
"DBClusterIdentifier" : String,
"DBInstanceClass (p. 1344)" : String,
"DBInstanceIdentifier" : String,
"DBName (p. 1345)" : String,
"DBParameterGroupName (p. 1345)" : String,
"DBSecurityGroups (p. 1345)" : [ String, ... ],
"DBSnapshotIdentifier (p. 1346)" : String,
"DBSubnetGroupName (p. 1347)" : String,
"Domain" : String,
"DomainIAMRoleName" : String,
"Engine (p. 1347)" : String,
"EngineVersion (p. 1348)" : String,
"Iops (p. 1348)" : Number,
"KmsKeyId" : String,
"LicenseModel (p. 1349)" : String,
"MasterUsername (p. 1349)" : String,
"MasterUserPassword (p. 1349)" : String,
"MonitoringInterval (p. 1349)" : Integer,
"MonitoringRoleArn (p. 1350)" : String,
"MultiAZ (p. 1350)" : Boolean,
"OptionGroupName" : String,
"Port (p. 1350)" : String,
"PreferredBackupWindow (p. 1350)" : String,
"PreferredMaintenanceWindow (p. 1350)" : String,

API Version 2010-05-15
1341

AWS CloudFormation User Guide
AWS::RDS::DBInstance

}

}

"PubliclyAccessible" : Boolean,
"SourceDBInstanceIdentifier" : String,
"SourceRegion" : String,
"StorageEncrypted" : Boolean,
"StorageType" : String,
"Tags (p. 1352)" : [ Resource Tag, ... ],
"Timezone" : String,
"VPCSecurityGroups (p. 1353)" : [ String, ... ]

YAML
Type: AWS::RDS::DBInstance
Properties:
AllocatedStorage (p. 1342): String
AllowMajorVersionUpgrade: Boolean
AutoMinorVersionUpgrade (p. 1343): Boolean
AvailabilityZone (p. 1343): String
BackupRetentionPeriod (p. 1343): String
CharacterSetName: String
CopyTagsToSnapshot: Boolean
DBClusterIdentifier: String
DBInstanceClass (p. 1344): String
DBInstanceIdentifier: String
DBName (p. 1345): String
DBParameterGroupName (p. 1345): String
DBSecurityGroups (p. 1345):
- String
DBSnapshotIdentifier (p. 1346): String
DBSubnetGroupName (p. 1347): String
Domain: String
DomainIAMRoleName: String
Engine (p. 1347): String
EngineVersion (p. 1348): String
Iops (p. 1348): Number
KmsKeyId: String
LicenseModel (p. 1349): String
MasterUsername (p. 1349): String
MasterUserPassword (p. 1349): String
MonitoringInterval (p. 1349): Integer
MonitoringRoleArn (p. 1350): String
MultiAZ (p. 1350): Boolean
OptionGroupName: String
Port (p. 1350): String
PreferredBackupWindow (p. 1350): String
PreferredMaintenanceWindow (p. 1350): String
PubliclyAccessible: Boolean
SourceDBInstanceIdentifier: String
SourceRegion: String
StorageEncrypted: Boolean
StorageType: String
Tags (p. 1352):
Resource Tag
Timezone: String
VPCSecurityGroups (p. 1353):
- String

Properties
AllocatedStorage
The allocated storage size, speciﬁed in gigabytes (GB).
API Version 2010-05-15
1342

AWS CloudFormation User Guide
AWS::RDS::DBInstance

If any value is set in the Iops parameter, AllocatedStorage must be at least 100 GB, which
corresponds to the minimum Iops value of 1,000. If you increase the Iops value (in 1,000 IOPS
increments), then you must also increase the AllocatedStorage value (in 100-GB increments).
Required: Conditional. This property is required except when you specify the
DBClusterIdentifier property or when you create a read replica from AWS CloudFormation by
using the AWS::RDS::DBInstance resource. In these cases, don't specify this property.
Type: String
Update requires: No interruption (p. 118)
AllowMajorVersionUpgrade
If you update the EngineVersion property to a version that's diﬀerent from the DB instance's
current major version, set this property to true. For more information, see ModifyDBInstance in the
Amazon RDS API Reference.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
AutoMinorVersionUpgrade
Indicates that minor engine upgrades are applied automatically to the DB instance during the
maintenance window. The default value is true.
Required: No
Type: Boolean
Update requires: No interruption (p. 118) or some interruptions (p. 119). For more information, see
ModifyDBInstance in the Amazon RDS API Reference.
AvailabilityZone
The name of the Availability Zone where the DB instance is located. You can't set the
AvailabilityZone parameter if the MultiAZ parameter is set to true.
Required: No
Type: String
Update requires: Replacement (p. 119)
BackupRetentionPeriod
The number of days during which automatic DB snapshots are retained.

Important

If this DB instance is deleted or replaced during an update, AWS CloudFormation deletes all
automated snapshots. However, it retains manual DB snapshots.
Required: No
Type: String
Update requires: No interruption (p. 118) or some interruptions (p. 119). For more information, see
ModifyDBInstance in the Amazon RDS API Reference.
CharacterSetName
For supported engines, speciﬁes the character set to associate with the DB instance. For more
information, see Appendix: Oracle Character Sets Supported in Amazon RDS in the Amazon RDS User
Guide.
API Version 2010-05-15
1343

AWS CloudFormation User Guide
AWS::RDS::DBInstance

If you specify the DBSnapshotIdentifier or SourceDBInstanceIdentifier property, don't
specify this property. The value is inherited from the snapshot or source DB instance.
Required: No
Type: String
Update requires: Replacement (p. 119)
CopyTagsToSnapshot
Indicates whether to copy all of the user-deﬁned tags from the DB instance to snapshots of the DB
instance. By default, Amazon RDS doesn't copy tags to snapshots. Amazon RDS doesn't copy tags
with the aws:: preﬁx unless it's the DB instance's ﬁnal snapshot (the snapshot when you delete the
DB instance).
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
DBClusterIdentifier
The name of an existing DB cluster that this instance is associated with. If you
specify this property, specify aurora for the Engine property and don't specify
any of the following properties: AllocatedStorage, BackupRetentionPeriod,
CharacterSetName, DBName, DBSecurityGroups, MasterUsername, MasterUserPassword,
OptionGroupName, PreferredBackupWindow, PreferredMaintenanceWindow, Port,
SourceDBInstanceIdentifier, StorageType, or VPCSecurityGroups.
Amazon RDS assigns the ﬁrst DB instance in the cluster as the primary, and additional DB instances
as replicas.
If you specify this property, the default deletion policy is Delete. Otherwise, the default deletion
policy is Snapshot.
Required: No
Type: String
Update requires: Replacement (p. 119)
DBInstanceClass
The name of the compute and memory capacity classes of the DB instance.
Required: Yes
Type: String
Update requires: Some interruptions (p. 119)
DBInstanceIdentifier
A name for the DB instance. If you specify a name, AWS CloudFormation converts it to lowercase. If
you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for
the DB instance. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
API Version 2010-05-15
1344

AWS CloudFormation User Guide
AWS::RDS::DBInstance

Required: No
Type: String
Update requires: Replacement (p. 119)
DBName
The name of the DB instance that was provided at the time of creation, if one was speciﬁed. This
same name is returned for the life of the DB instance.

Important

If you specify the DBSnapshotIdentifier (p. 1346) property, AWS CloudFormation
ignores this property.
If you restore DB instances from snapshots, this property doesn't apply to the MySQL,
PostgreSQL, or MariaDB engines.
Required: No
Type: String
Update requires: Replacement (p. 119)
DBParameterGroupName
The name of an existing DB parameter group or a reference to an
AWS::RDS::DBParameterGroup (p. 1357) resource created in the template.
Required: No
Type: String
Update requires: No interruption (p. 118) or some interruptions (p. 119). If any of the data members
of the referenced parameter group are changed during an update, the DB instance might need to
be restarted, which causes some interruption. If the parameter group contains static parameters,
whether they were changed or not, an update triggers a reboot.
DBSecurityGroups
A list of the DB security groups to assign to the DB instance. The list can include both the name of
existing DB security groups or references to AWS::RDS::DBSecurityGroup (p. 1360) resources created
in the template.
If you set DBSecurityGroups, you must not set VPCSecurityGroups (p. 1353), and vice versa. Also,
note that the EC2VpcId property exists only for backwards compatibility with older regions and
is no longer recommended for providing security information to an RDS DB instance. Instead, use
VPCSecurityGroups.

Important

If you specify this property, AWS CloudFormation sends only the following properties (if
speciﬁed) to Amazon RDS during create operations:
• AllocatedStorage
• AutoMinorVersionUpgrade
• AvailabilityZone
• BackupRetentionPeriod
• CharacterSetName
• DBInstanceClass
• DBName
• DBParameterGroupName
API Version 2010-05-15
1345

AWS CloudFormation User Guide
AWS::RDS::DBInstance

• DBSecurityGroups
• DBSubnetGroupName
• Engine
• EngineVersion
• Iops
• LicenseModel
• MasterUsername
• MasterUserPassword
• MultiAZ
• OptionGroupName
• PreferredBackupWindow
• PreferredMaintenanceWindow
If you specify this property, AWS CloudFormation sends only the following properties (if
speciﬁed) to Amazon RDS during updates:
• AllocatedStorage
• AutoMinorVersionUpgrade
• AllowMajorVersionUpgrade
• BackupRetentionPeriod
• DBInstanceClass
• DBParameterGroupName
• DBSecurityGroups
• DBInstanceIdentifier
• EngineVersion
• Iops
• MasterUserPassword
• MultiAZ
• OptionGroupName
• PreferredBackupWindow
• PreferredMaintenanceWindow
All other properties are ignored. Specify a virtual private cloud (VPC) security group if
you want to submit other properties, such as StorageType, StorageEncrypted, or
KmsKeyId. If you're already using the DBSecurityGroups property, you can't use these
other properties by updating your DB instance to use a VPC security group. You must
recreate the DB instance.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
DBSnapshotIdentifier
The name or Amazon Resource Name (ARN) of the DB snapshot that's used to restore the DB
instance. If you're restoring from a shared manual DB snapshot, you must specify the ARN of the
snapshot.
By specifying this property, you can create a DB instance from the speciﬁed DB snapshot. If the
DBSnapshotIdentifier property is an empty string or the AWS::RDS::DBInstance declaration
has no DBSnapshotIdentifier property, AWS CloudFormation creates a new database. If
the property contains a value (other than an empty string), AWS CloudFormation creates a
API Version 2010-05-15
1346

AWS CloudFormation User Guide
AWS::RDS::DBInstance

database from the speciﬁed snapshot. If a snapshot with the speciﬁed name doesn't exist, AWS
CloudFormation can't create the database and it rolls back the stack.
Some DB instance properties aren't valid when you restore from a snapshot, such as the
MasterUsername and MasterUserPassword properties. For information about the properties
that you can specify, see the RestoreDBInstanceFromDBSnapshot action in the Amazon RDS API
Reference.

Important

If you specify this property, AWS CloudFormation ignores the DBName (p. 1345) property.
Required: No
Type: String
Update requires: Replacement (p. 119)
DBSubnetGroupName
A DB subnet group to associate with the DB instance. If you update this value, the new subnet group
must be a subnet group in a new VPC.
If there's no DB subnet group, then the instance isn't a VPC DB instance.
For more information about using Amazon RDS in a VPC, see Using Amazon RDS with Amazon
Virtual Private Cloud (VPC) in the Amazon Relational Database Service Developer Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)
Domain
For an Amazon RDS DB instance that's running Microsoft SQL Server, the Active Directory directory
ID to create the instance in. Amazon RDS uses Windows Authentication to authenticate users that
connect to the DB instance. For more information, see Using Windows Authentication with an
Amazon RDS DB Instance Running Microsoft SQL Server in the Amazon RDS User Guide.
If you specify this property, you must specify a SQL Server engine for the Engine property.
Required: No
Type: String
Update requires: No interruption (p. 118)
DomainIAMRoleName
The name of an IAM role that Amazon RDS uses when calling the AWS Directory Service APIs.
Required: No
Type: String
Update requires: No interruption (p. 118)
Engine
The database engine that the DB instance uses. This property is optional when you specify the
DBSnapshotIdentifier property to create DB instances.
For valid values, see the Engine parameter of the CreateDBInstance action in the Amazon RDS API
Reference.
API Version 2010-05-15
1347

AWS CloudFormation User Guide
AWS::RDS::DBInstance

If you specify aurora as the database engine, you must also specify the DBClusterIdentifier
property.

Note

If you've speciﬁed oracle-se or oracle-se1 as the database engine, you can update
the database engine to oracle-se2 without the database instance being replaced. For
information on the deprecation of support for Oracle version 12.1.0.1, see Deprecation of
Oracle 12.1.0.1 in the Amazon Relational Database Service User Guide.
Required: Conditional
Type: String
Update requires: Replacement (p. 119)
EngineVersion
The version number of the database engine that the DB instance uses.

Note

To prevent automatic upgrades, be sure to specify the full version number (for example,
5.6.13). If the default version for the database engine changes and you specify only the
major version (for example, 5.6), your DB instance will be upgraded to use the latest default
version.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
Iops
The number of I/O operations per second (IOPS) that the database provisions. The value must be
equal to or greater than 1000.
If you specify this property, you must follow the range of allowed ratios of your requested IOPS
rate to the amount of storage that you allocate (IOPS to allocated storage). For example, you can
provision an Oracle database instance with 1000 IOPS and 200 GB of storage (a ratio of 5:1), or
specify 2000 IOPS with 200 GB of storage (a ratio of 10:1). For more information, see Amazon RDS
Provisioned IOPS Storage to Improve Performance in the Amazon RDS User Guide.
Required: Conditional. If you specify io1 for the StorageType property, you must specify this
property.
Type: Number
Update requires: No interruption (p. 118)
KmsKeyId
The ARN of the AWS Key Management Service (AWS KMS) master key that's used to encrypt the DB
instance, such as arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12ba123b4cd56ef. If you enable the StorageEncrypted property but don't specify this property,
AWS CloudFormation uses the default master key. If you specify this property, you must set the
StorageEncrypted property to true.
If you specify the SourceDBInstanceIdentifier property, the value is inherited from the source
DB instance if the read replica is created in the same region. If you specify this property when you
create a read replica from an unencrypted DB instance, the read replica is encrypted.
If you create an encrypted read replica in a diﬀerent AWS Region, then you must specify a KMS key
for the destination AWS Region. KMS encryption keys are speciﬁc to the region that they're created
in, and you can't use encryption keys from one region in another region.
API Version 2010-05-15
1348

AWS CloudFormation User Guide
AWS::RDS::DBInstance

If you specify DBSecurityGroups, AWS CloudFormation ignores this property. To specify both a
security group and this property, you must use a VPC security group. For more information about
Amazon RDS and VPC, see Using Amazon RDS with Amazon VPC in the Amazon RDS User Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)
LicenseModel
The license model of the DB instance.

Note

If DBSecurityGroups is speciﬁed, updating the license model requires replacement of the
underlying EC2 host. This will incur some interruptions to database availability.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
MasterUsername
The master user name for the DB instance.

Note

If you specify the SourceDBInstanceIdentifier or DBSnapshotIdentifier property,
don't specify this property. The value is inherited from the source DB instance or snapshot.
Required: Conditional
Type: String
Update requires: Replacement (p. 119)
MasterUserPassword
The master password for the DB instance.

Note

If you specify the SourceDBInstanceIdentifier or DBSnapshotIdentifier property,
don't specify this property. The value is inherited from the source DB instance or snapshot.
Required: Conditional
Type: String
Update requires: No interruption (p. 118)
MonitoringInterval
The interval, in seconds, between points when Amazon RDS collects enhanced monitoring metrics
for the DB instance. To disable metrics collection, specify 0.
For default and valid values, see the MonitoringInterval parameter for the CreateDBInstance
action in the Amazon RDS API Reference.
Required: Conditional. If you specify the MonitoringRoleArn property, specify a value other than 0
for MonitoringInterval.
Type: Integer
API Version 2010-05-15
1349

AWS CloudFormation User Guide
AWS::RDS::DBInstance

Update requires: No interruption (p. 118) or some interruptions (p. 119). For more information, see
ModifyDBInstance in the Amazon RDS API Reference.
MonitoringRoleArn
The ARN of the AWS Identity and Access Management (IAM) role that permits Amazon
RDS to send enhanced monitoring metrics to Amazon CloudWatch, for example,
arn:aws:iam::123456789012:role/emaccess. For information on creating a monitoring role,
see To create an IAM role for Amazon RDS Enhanced Monitoring in the Amazon RDS User Guide.
Required: Conditional. If you specify a value other than 0 for the MonitoringInterval property,
specify a value for MonitoringRoleArn.
Type: String
Update requires: No interruption (p. 118)
MultiAZ
Speciﬁes if the database instance is a multiple Availability Zone deployment. You can't set the
AvailabilityZone parameter if the MultiAZ parameter is set to true. Amazon Aurora storage is
replicated across all the Availability Zones and doesn't require the MultiAZ option to be set.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
OptionGroupName
The option group that this DB instance is associated with.
Required: No
Type: String
Update requires: No interruption (p. 118)
Port
The port for the instance.
Required: No
Type: String
Update requires: Replacement (p. 119)
PreferredBackupWindow
The daily time range during which automated backups are performed if automated backups are
enabled, as determined by the BackupRetentionPeriod property. For valid values, see the
PreferredBackupWindow parameter for the CreateDBInstance action in the Amazon RDS API
Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
PreferredMaintenanceWindow
The weekly time range (in UTC) during which system maintenance can occur. For valid values, see the
PreferredMaintenanceWindow parameter for the CreateDBInstance action in the Amazon RDS
API Reference.
API Version 2010-05-15
1350

AWS CloudFormation User Guide
AWS::RDS::DBInstance

Note

This property applies when AWS CloudFormation initially creates the DB instance. If you use
AWS CloudFormation to update the DB instance, those updates are applied immediately.
Required: No
Type: String
Update requires: No interruption (p. 118) or some interruptions (p. 119). For more information, see
ModifyDBInstance in the Amazon RDS API Reference.
PubliclyAccessible
Indicates whether the DB instance is an internet-facing instance. If you specify true, AWS
CloudFormation creates an instance with a publicly resolvable DNS name, which resolves to a public
IP address. If you specify false, AWS CloudFormation creates an internal instance with a DNS name
that resolves to a private IP address.
The default behavior value depends on your VPC setup and the database subnet group. For more
information, see the PubliclyAccessible parameter in CreateDBInstance in the Amazon RDS API
Reference.
If this resource has a public IP address and is also in a VPC that is deﬁned in the same template, you
must use the DependsOn attribute to declare a dependency on the VPC-gateway attachment. For
more information, see DependsOn Attribute (p. 2250).

Note

If you specify DBSecurityGroups, AWS CloudFormation ignores this property. To specify a
security group and this property, you must use a VPC security group. For more information
about Amazon RDS and VPC, see Using Amazon RDS with Amazon VPC in the Amazon RDS
User Guide.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
SourceDBInstanceIdentifier
If you want to create a read replica DB instance, specify the ID of the source DB instance. Each DB
instance can have a limited number of read replicas. For more information, see Working with Read
Replicas in the Amazon Relational Database Service Developer Guide.
The SourceDBInstanceIdentifier property determines whether a DB instance is a read replica.
If you remove the SourceDBInstanceIdentifier property from your template and then update
your stack, AWS CloudFormation deletes the read replica and creates a new DB instance (not a read
replica).

Important
• If you specify a source DB instance that uses VPC security groups, we recommend that
you specify the VPCSecurityGroups property. If you don't specify the property, the
read replica inherits the value of the VPCSecurityGroups property from the source
DB when you create the replica. However, if you update the stack, AWS CloudFormation
reverts the replica's VPCSecurityGroups property to the default value because it's not
deﬁned in the stack's template. This change might cause unexpected issues.
• Read replicas don't support deletion policies. AWS CloudFormation ignores any deletion
policy that's associated with a read replica.
• If you specify SourceDBInstanceIdentifier, don't set the MultiAZ property to
true, and don't specify the DBSnapshotIdentifier property. You can't deploy read
replicas in multiple Availability Zones, and you can't create a read replica from a snapshot.
API Version 2010-05-15
1351

AWS CloudFormation User Guide
AWS::RDS::DBInstance

• Don't set the BackupRetentionPeriod, DBName, MasterUsername,
MasterUserPassword, and PreferredBackupWindow properties. The database
attributes are inherited from the source DB instance, and backups are disabled for read
replicas.
• If the source DB instance is in a diﬀerent region than the read replica, specify an ARN
for a valid DB instance. For more information, see Constructing a Amazon RDS Amazon
Resource Name (ARN) in the Amazon RDS User Guide.
• For DB instances in Amazon Aurora clusters, don't specify this property. Amazon RDS
automatically assigns writer and reader DB instances.
Required: No
Type: String
Update requires: Replacement (p. 119)
SourceRegion
The ID of the region that contains the source DB instance for the read replica.
Required: No
Type: String
Update requires: Replacement (p. 119)
StorageEncrypted
Indicates whether the DB instance is encrypted.
If you specify the DBClusterIdentifier, DBSnapshotIdentifier, or
SourceDBInstanceIdentifier property, don't specify this property. The value is inherited from
the cluster, snapshot, or source DB instance.
Required: Conditional. If you specify the KmsKeyId property, you must enable encryption.
Type: Boolean
Update requires: Replacement (p. 119)
StorageType
The storage type associated with this DB instance.
For the default and valid values, see the StorageType parameter of the CreateDBInstance action in
the Amazon RDS API Reference.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
Tags
An arbitrary set of tags (key–value pairs) for this DB instance.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
API Version 2010-05-15
1352

AWS CloudFormation User Guide
AWS::RDS::DBInstance

Timezone
The time zone of the DB instance, which you can specify to match the time zone of your
applications. To see which engines support time zones, see the Timezone parameter for the
CreateDBInstance action in the Amazon RDS API Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)
VPCSecurityGroups
A list of the VPC security group IDs to assign to the DB instance. The list can include both the
physical IDs of existing VPC security groups and references to AWS::EC2::SecurityGroup (p. 917)
resources created in the template.
If you set VPCSecurityGroups, you must not set DBSecurityGroups (p. 1345), and vice versa.

Important

You can migrate a DB instance in your stack from an RDS DB security group to a VPC
security group, but keep the following in mind:
• You can't revert to using an RDS security group after you establish a VPC security group
membership.
• When you migrate your DB instance to VPC security groups, if your stack update rolls
back because the DB instance update fails or because an update fails in another AWS
CloudFormation resource, the rollback fails because it can't revert to an RDS security
group.
• To use the properties that are available when you use a VPC security group, you must
recreate the DB instance. If you don't, AWS CloudFormation submits only the property
values that are listed in the DBSecurityGroups (p. 1345) property.
To avoid this situation, migrate your DB instance to using VPC security groups only when
that is the only change in your stack template.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

Updating and Deleting AWS::RDS::DBInstance Resources
Updating DB Instances
When properties labeled "Update requires: Replacement (p. 119)" are updated, AWS CloudFormation ﬁrst
creates a replacement DB instance, then changes references from other dependent resources to point to
the replacement DB instance, and ﬁnally deletes the old DB instance.

Important

We highly recommend that you take a snapshot of the database before updating the stack. If
you don't, you lose the data when AWS CloudFormation replaces your DB instance. To preserve
your data, perform the following procedure:
1. Deactivate any applications that are using the DB instance so that there's no activity on the
DB instance.
2. Create a snapshot of the DB instance. For more information about creating DB snapshots, see
Creating a DB snapshot.
API Version 2010-05-15
1353

AWS CloudFormation User Guide
AWS::RDS::DBInstance

3. If you want to restore your instance using a DB snapshot, modify the updated template with
your DB instance changes and add the DBSnapshotIdentifier property with the ID of the
DB snapshot that you want to use.
4. Update the stack.
For more information about updating other properties of this resource, see ModifyDBInstance. For more
information about updating stacks, see AWS CloudFormation Stacks Updates (p. 118).

Deleting DB Instances
You can set a deletion policy for your DB instance to control how AWS CloudFormation handles the
instance when the stack is deleted. For Amazon RDS DB instances, you can choose to retain the instance,
to delete the instance, or to create a snapshot of the instance. The default AWS CloudFormation behavior
depends on the DBClusterIdentifier property:
• For AWS::RDS::DBInstance resources that don't specify the DBClusterIdentifier property, AWS
CloudFormation saves a snapshot of the DB instance.
• For AWS::RDS::DBInstance resources that do specify the DBClusterIdentifier property, AWS
CloudFormation deletes the DB instance.
For more information, see DeletionPolicy Attribute (p. 2248).

Return Values
Ref
When you provide the RDS DB instance's logical name to the Ref intrinsic function, Ref returns the
DBInstanceIdentifier. For example: mystack-mydb-ea5ugmfvuaxg.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
• Endpoint.Address
The connection endpoint for the database. For example: mystackmydb-1apw1j4phylrk.cg034hpkmmjt.us-east-2.rds.amazonaws.com.
• Endpoint.Port
The port number on which the database accepts connections. For example: 3306.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
DBInstance with a set MySQL version, Tags and DeletionPolicy
This example shows how to set the MySQL version that has a DeletionPolicy Attribute (p. 2248)
set. With the DeletionPolicy set to Snapshot, AWS CloudFormation takes a snapshot of this DB
instance before deleting it during stack deletion. A tag that contains a friendly name for the database is
also set.
API Version 2010-05-15
1354

AWS CloudFormation User Guide
AWS::RDS::DBInstance

JSON
"MyDB" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"DBName" : { "Ref" : "DBName" },
"AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
"DBInstanceClass" : { "Ref" : "DBInstanceClass" },
"Engine" : "MySQL",
"EngineVersion" : "5.6.13",
"MasterUsername" : { "Ref" : "DBUser" },
"MasterUserPassword" : { "Ref" : "DBPassword" },
"Tags" : [ { "Key" : "Name", "Value" : "My SQL Database" } ]
},
"DeletionPolicy" : "Snapshot"
}

YAML
MyDB:
Type: AWS::RDS::DBInstance
Properties:
DBName:
Ref: "DBName"
AllocatedStorage:
Ref: "DBAllocatedStorage"
DBInstanceClass:
Ref: "DBInstanceClass"
Engine: "MySQL"
EngineVersion: "5.6.13"
MasterUsername:
Ref: "DBUser"
MasterUserPassword:
Ref: "DBPassword"
Tags:
Key: "Name"
Value: "My SQL Database"
DeletionPolicy: "Snapshot"

DBInstance with Provisioned IOPS
This example sets a provisioned IOPS value in the Iops (p. 1348) property. Note that the
AllocatedStorage (p. 1342) property is set according to the 10:1 ratio between IOPS and GiBs of storage.

JSON
"MyDB" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"AllocatedStorage" : "100",
"DBInstanceClass" : "db.m1.small",
"Engine" : "MySQL",
"EngineVersion" : "5.6.13",
"Iops" : "1000",
"MasterUsername" : { "Ref" : "DBUser" },
"MasterUserPassword" : { "Ref" : "DBPassword" }
}
}

API Version 2010-05-15
1355

AWS CloudFormation User Guide
AWS::RDS::DBInstance

YAML
MyDB:
Type: AWS::RDS::DBInstance
Properties:
AllocatedStorage: "100"
DBInstanceClass: "db.m1.small"
Engine: "MySQL"
EngineVersion: "5.6.13"
Iops: "1000"
MasterUsername:
Ref: "DBUser"
MasterUserPassword:
Ref: "DBPassword"

Cross-Region Encrypted Read Replica
The following example creates an encrypted read replica from a cross-region source DB instance.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "RDS Storage Encrypted",
"Parameters": {
"SourceDBInstanceIdentifier": {
"Type": "String"
},
"DBInstanceType" : {
"Type" : "String"
},
"SourceRegion": {
"Type": "String"
}
},
"Resources": {
"MyKey" : {
"Type" : "AWS::KMS::Key",
"Properties" : {
"KeyPolicy" : {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": { "Fn::Join" : ["" , ["arn:aws:iam::", {"Ref" :
"AWS::AccountId"} ,":root" ]] }
},
"Action": "kms:*",
"Resource": "*"
}
]
}
}
},
"MyDBSmall": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBInstanceClass": { "Ref" : "DBInstanceType" },
"SourceDBInstanceIdentifier": { "Ref" : "SourceDBInstanceIdentifier" },

API Version 2010-05-15
1356

AWS CloudFormation User Guide
AWS::RDS::DBParameterGroup

}

}

}

"SourceRegion": { "Ref" : "SourceRegion" },
"KmsKeyId" : { "Ref" : "MyKey" }

},
"Outputs" : {
"InstanceId" : {
"Description" : "InstanceId of the newly created RDS Instance",
"Value" : { "Ref" : "MyDBSmall" }
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: RDS Storage Encrypted
Parameters:
SourceDBInstanceIdentifier:
Type: String
DBInstanceType:
Type: String
SourceRegion:
Type: String
Resources:
MyKey:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Join
- ''
- - 'arn:aws:iam::'
- !Ref 'AWS::AccountId'
- ':root'
Action: 'kms:*'
Resource: '*'
MyDBSmall:
Type: AWS::RDS::DBInstance
Properties:
DBInstanceClass: !Ref DBInstanceType
SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
SourceRegion: !Ref SourceRegion
KmsKeyId: !Ref MyKey
Outputs:
InstanceId:
Description: InstanceId of the newly created RDS Instance
Value: !Ref MyDBSmall

AWS::RDS::DBParameterGroup
Creates a custom parameter group for an RDS database family. For more information about RDS
parameter groups, see Working with DB Parameter Groups in the Amazon Relational Database Service
User Guide.
This type can be declared in a template and referenced in the DBParameterGroupName parameter of
AWS::RDS::DBInstance (p. 1341).
API Version 2010-05-15
1357

AWS CloudFormation User Guide
AWS::RDS::DBParameterGroup

Note

Applying a ParameterGroup to a DBInstance may require the instance to reboot, resulting in a
database outage for the duration of the reboot.
Topics
• Syntax (p. 1358)
• Properties (p. 1358)
• Return Values (p. 1359)
• Example (p. 1359)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::RDS::DBParameterGroup",
"Properties" : {
"Description (p. 1358)" : String,
"Family (p. 1358)" : String,
"Parameters (p. 1359)" : DBParameters,
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: AWS::RDS::DBParameterGroup
Properties:
Description (p. 1358): String
Family (p. 1358): String
Parameters (p. 1359):
DBParameters
Tags:
- Resource Tag

Properties
Description
A friendly description of the RDS parameter group. For example, "My Parameter Group".
Required: Yes
Type: String
Update requires: Updates are not supported.
Family
The database family of this RDS parameter group. For example, "MySQL5.1".
Required: Yes
Type: String
API Version 2010-05-15
1358

AWS CloudFormation User Guide
AWS::RDS::DBParameterGroup

Update requires: Updates are not supported.
Parameters
The parameters to set for this RDS parameter group.
Required: No
Type: A JSON object consisting of string key-value pairs, as shown in the following example:

"Parameters" : {
"Key1" : "Value1",
"Key2" : "Value2",
"Key3" : "Value3"
}

Update requires: No interruption (p. 118) or Some interruptions (p. 119). Changes to dynamic
parameters are applied immediately. During an update, if you have static parameters (whether they
were changed or not), triggers AWS CloudFormation to reboot the associated DB instance without
failover.
Tags
The tags that you want to attach to the RDS parameter group.
Required: No
Type: A list of resource tags (p. 2106).
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "MyDBParameterGroup" }

For the RDS::DBParameterGroup with the logical ID "MyDBParameterGroup", Ref will return the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following snippet creates a parameter group for an Aurora DB cluster that applies the
IGNORE_SPACE SQL mode.

JSON
"RDSDBParameterGroup": {
"Type": "AWS::RDS::DBParameterGroup",
"Properties" : {
"Description" : "CloudFormation Sample Parameter Group",
"Family" : "aurora5.6",
"Parameters" : {

API Version 2010-05-15
1359

AWS CloudFormation User Guide
AWS::RDS::DBSecurityGroup

}

}

}

"sql_mode": "IGNORE_SPACE"

YAML
RDSDBParameterGroup:
Type: AWS::RDS::DBParameterGroup
Properties:
Description: CloudFormation Sample Parameter Group
Family: aurora5.6
Parameters:
sql_mode: IGNORE_SPACE

AWS::RDS::DBSecurityGroup
The AWS::RDS::DBSecurityGroup type is used to create or update an Amazon RDS DB Security Group.
For more information about DB security groups, see Working with DB Security Groups in the Amazon
Relational Database Service Developer Guide. For details on the settings for DB security groups, see
CreateDBSecurityGroup.

Note

If you use DB security groups, the settings that you can specify for your DB instances are limited.
For more information, see the DBSecurityGroups (p. 1345) property.
When you specify an AWS::RDS::DBSecurityGroup as an argument to the Ref function, AWS
CloudFormation returns the value of the DBSecurityGroupName.
Topics
• Syntax (p. 1360)
• Properties (p. 1361)
• Template Examples (p. 1361)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::RDS::DBSecurityGroup",
"Properties" :
{
"EC2VpcId (p. 1361)" : { "Ref" : "myVPC" },
"DBSecurityGroupIngress (p. 1361)" : [ RDS Security Group Rule (p. 2111) object 1, ...

],

}

}

"GroupDescription (p. 1361)" : String,
"Tags" : [ Resource Tag, ... ]

YAML
Type: AWS::RDS::DBSecurityGroup

API Version 2010-05-15
1360

AWS CloudFormation User Guide
AWS::RDS::DBSecurityGroup
Properties:
EC2VpcId (p. 1361): String
DBSecurityGroupIngress (p. 1361):
- RDS Security Group Rule (p. 2111)
GroupDescription (p. 1361): String
Tags:
- Resource Tag

Properties
EC2VpcId
The Id of the VPC. Indicates which VPC this DB Security Group should belong to.

Important

The EC2VpcId property exists only for backwards compatibility with older regions and is no
longer recommended for providing security information to an RDS DB instance. Instead, use
VPCSecurityGroups.
Type: String
Required: Conditional. Must be speciﬁed to create a DB Security Group for a VPC; may not be
speciﬁed otherwise.
Update requires: Replacement (p. 119)
DBSecurityGroupIngress
Network ingress authorization for an Amazon EC2 security group or an IP address range.
Type: List of RDS Security Group Rules (p. 2111).
Required: Yes
Update requires: No interruption (p. 118)
GroupDescription
Description of the security group.
Type: String
Required: Yes
Update requires: Replacement (p. 119)
Tags
The tags that you want to attach to the Amazon RDS DB security group.
Required: No
Type: A list of resource tags (p. 2106).
Update requires: No interruption (p. 118)

Template Examples
Tip

For more RDS template examples, see Amazon RDS Template Snippets (p. 416).
API Version 2010-05-15
1361

AWS CloudFormation User Guide
AWS::RDS::DBSecurityGroup

Single VPC security group
This template snippet creates/updates a single VPC security group, referred to by
EC2SecurityGroupName.

JSON
"DBSecurityGroup": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"EC2VpcId" : { "Ref" : "VpcId" },
"DBSecurityGroupIngress": [
{"EC2SecurityGroupName": { "Ref": "WebServerSecurityGroup"}}
],
"GroupDescription": "Frontend Access"
}
}

YAML
DBSecurityGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
EC2VpcId:
Ref: "VpcId"
DBSecurityGroupIngress:
EC2SecurityGroupName:
Ref: "WebServerSecurityGroup"
GroupDescription: "Frontend Access"

Multiple VPC security groups
This template snippet creates/updates multiple VPC security groups.

JSON
{

"Resources" : {
"DBinstance" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"DBSecurityGroups" : [ {"Ref" : "DbSecurityByEC2SecurityGroup"} ],
"AllocatedStorage" : "5",
"DBInstanceClass" : "db.m1.small",
"Engine" : "MySQL",
"MasterUsername" : "YourName",
"MasterUserPassword" : "YourPassword"
},
"DeletionPolicy" : "Snapshot"
},
"DbSecurityByEC2SecurityGroup" : {
"Type" : "AWS::RDS::DBSecurityGroup",
"Properties" : {
"GroupDescription" : "Ingress for Amazon EC2 security group",
"DBSecurityGroupIngress" : [ {
"EC2SecurityGroupId" : "sg-b0ff1111",
"EC2SecurityGroupOwnerId" : "111122223333"
}, {

API Version 2010-05-15
1362

AWS CloudFormation User Guide
AWS::RDS::DBSecurityGroupIngress
"EC2SecurityGroupId" : "sg-ffd722222",
"EC2SecurityGroupOwnerId" : "111122223333"

}

}

}

}

} ]

YAML
Resources:
DBinstance:
Type: AWS::RDS::DBInstance
Properties:
DBSecurityGroups:
Ref: "DbSecurityByEC2SecurityGroup"
AllocatedStorage: "5"
DBInstanceClass: "db.m1.small"
Engine: "MySQL"
MasterUsername: "YourName"
MasterUserPassword: "YourPassword"
DeletionPolicy: "Snapshot"
DbSecurityByEC2SecurityGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
GroupDescription: "Ingress for Amazon EC2 security group"
DBSecurityGroupIngress:
EC2SecurityGroupId: "sg-b0ff1111"
EC2SecurityGroupOwnerId: "111122223333"
EC2SecurityGroupId: "sg-ffd722222"
EC2SecurityGroupOwnerId: "111122223333"

AWS::RDS::DBSecurityGroupIngress
The AWS::RDS::DBSecurityGroupIngress type enables ingress to a DBSecurityGroup using one of two
forms of authorization. First, EC2 or VPC security groups can be added to the DBSecurityGroup if the
application using the database is running on EC2 or VPC instances. Second, IP ranges are available if the
application accessing your database is running on the Internet. For more information about DB security
groups, see Working with DB security groups
This type supports updates. For more information about updating stacks, see AWS CloudFormation
Stacks Updates (p. 118).
For details about the settings for DB security group ingress, see AuthorizeDBSecurityGroupIngress.
Topics
• Syntax (p. 1363)
• Properties (p. 1364)
• Return Values (p. 1365)
• See Also (p. 1365)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1363

AWS CloudFormation User Guide
AWS::RDS::DBSecurityGroupIngress

JSON
{

}

"Type" : "AWS::RDS::DBSecurityGroupIngress",
"Properties" : {
"CIDRIP (p. 1364)": String,
"DBSecurityGroupName (p. 1364)": String,
"EC2SecurityGroupId (p. 1364)": String,
"EC2SecurityGroupName (p. 1364)": String,
"EC2SecurityGroupOwnerId (p. 1365)": String

YAML
Type: "AWS::RDS::DBSecurityGroupIngress"
Properties:
CIDRIP (p. 1364): String
DBSecurityGroupName (p. 1364): String
EC2SecurityGroupId (p. 1364): String
EC2SecurityGroupName (p. 1364): String
EC2SecurityGroupOwnerId (p. 1365): String

Properties
CIDRIP
The IP range to authorize.
For an overview of CIDR ranges, go to the Wikipedia Tutorial.
Type: String
Update requires: No interruption (p. 118)
DBSecurityGroupName
The name (ARN) of the AWS::RDS::DBSecurityGroup (p. 1360) to which this ingress will be added.
Type: String
Required: Yes
Update requires: No interruption (p. 118)
EC2SecurityGroupId
The ID of the VPC or EC2 security group to authorize.
For VPC DB security groups, use EC2SecurityGroupId. For EC2 security groups, use
EC2SecurityGroupOwnerId and either EC2SecurityGroupName or EC2SecurityGroupId.
Type: String
Required: No
Update requires: No interruption (p. 118)
EC2SecurityGroupName
The name of the EC2 security group to authorize.
For VPC DB security groups, use EC2SecurityGroupId. For EC2 security groups, use
EC2SecurityGroupOwnerId and either EC2SecurityGroupName or EC2SecurityGroupId.
API Version 2010-05-15
1364

AWS CloudFormation User Guide
AWS::RDS::DBSubnetGroup

Type: String
Required: No
Update requires: No interruption (p. 118)
EC2SecurityGroupOwnerId
The AWS Account Number of the owner of the EC2 security group speciﬁed in the
EC2SecurityGroupName parameter. The AWS Access Key ID is not an acceptable value.
For VPC DB security groups, use EC2SecurityGroupId. For EC2 security groups, use
EC2SecurityGroupOwnerId and either EC2SecurityGroupName or EC2SecurityGroupId.
Type: String
Required: No
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

See Also
• AuthorizeDBSecurityGroupIngress in the Amazon Relational Database Service API Reference

AWS::RDS::DBSubnetGroup
The AWS::RDS::DBSubnetGroup type creates an RDS database subnet group. Subnet groups must contain
at least two subnets in two diﬀerent Availability Zones in the same region.
Topics
• Syntax (p. 1365)
• Properties (p. 1366)
• Return Value (p. 1367)
• Example (p. 1367)
• See Also (p. 1367)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::RDS::DBSubnetGroup",

API Version 2010-05-15
1365

AWS CloudFormation User Guide
AWS::RDS::DBSubnetGroup

}

"Properties" : {
"DBSubnetGroupDescription (p. 1366)" : String,
"DBSubnetGroupName (p. 1366)" : String,
"SubnetIds (p. 1366)" : [ String, ... ],
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: "AWS::RDS::DBSubnetGroup"
Properties:
DBSubnetGroupDescription (p. 1366): String
DBSubnetGroupName (p. 1366): String
SubnetIds (p. 1366):
- String
Tags:
- Resource Tag

Properties
DBSubnetGroupDescription
The description for the DB Subnet Group.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
DBSubnetGroupName
The name for the DB Subnet Group. This value is stored as a lowercase string.
Constraints: Must contain no more than 255 letters, numbers, periods, underscores, spaces, or
hyphens. Must not be default.
Required: No
Type: String
Update requires: Replacement (p. 119)
SubnetIds
The EC2 Subnet IDs for the DB Subnet Group.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)
Tags
The tags that you want to attach to the RDS database subnet group.
Required: No
Type: A list of resource tags (p. 2106) in key-value format.
Update requires: No interruption (p. 118)
API Version 2010-05-15
1366

AWS CloudFormation User Guide
AWS::RDS::EventSubscription

Return Value
Ref
When you pass the logical ID of an AWS::RDS::DBSubnetGroup resource to the intrinsic
Ref function, the function returns the name of the DB subnet group, such as mystackmydbsubnetgroup-0a12bc456789de0fg.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myDBSubnetGroup" : {
"Type" : "AWS::RDS::DBSubnetGroup",
"Properties" : {
"DBSubnetGroupDescription" : "description",
"SubnetIds" : [ "subnet-7b5b4112", "subnet-7b5b4115" ],
"Tags" : [ {"Key" : "String", "Value" : "String"} ]
}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
myDBSubnetGroup:
Type: "AWS::RDS::DBSubnetGroup"
Properties:
DBSubnetGroupDescription: "description"
SubnetIds:
- "subnet-7b5b4112"
- "subnet-7b5b4115"
Tags:
Key: "String"
Value: "String"

See Also
• CreateDBSubnetGroup in the Amazon Relational Database Service API Reference
• ModifyDBSubnetGroup in the Amazon Relational Database Service API Reference
• AWS CloudFormation Stacks Updates (p. 118)

AWS::RDS::EventSubscription
Use the AWS::RDS::EventSubscription resource to get notiﬁcations for Amazon Relational
Database Service events through the Amazon Simple Notiﬁcation Service. For more information, see
Using Amazon RDS Event Notiﬁcation in the Amazon RDS User Guide.
API Version 2010-05-15
1367

AWS CloudFormation User Guide
AWS::RDS::EventSubscription

Topics
• Syntax (p. 1368)
• Properties (p. 1368)
• Return Value (p. 1369)
• Example (p. 1369)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::RDS::EventSubscription",
"Properties" : {
"Enabled" : Boolean,
"EventCategories" : [ String, ... ],
"SnsTopicArn" : String,
"SourceIds" : [ String, ... ],
"SourceType" : String
}

YAML
Type: "AWS::RDS::EventSubscription"
Properties:
Enabled: Boolean
EventCategories:
- String
SnsTopicArn: String
SourceIds:
- String
SourceType: String

Properties
Enabled
Indicates whether to activate the subscription. If you don't specify this property, AWS
CloudFormation activates the subscription.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
EventCategories
A list of event categories that you want to subscribe to for a given source type. If you don't specify
this property, you are notiﬁed about all event categories. For more information, see Using Amazon
RDS Event Notiﬁcation in the Amazon RDS User Guide.
Required: No
Type: List of String values
API Version 2010-05-15
1368

AWS CloudFormation User Guide
AWS::RDS::EventSubscription

Update requires: No interruption (p. 118)
SnsTopicArn
The Amazon Resource Name (ARN) of an Amazon SNS topic that you want to send event
notiﬁcations to.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SourceIds
A list of identiﬁers for which Amazon RDS provides notiﬁcation events.
If you don't specify a value, notiﬁcations are provided for all sources. If you specify multiple values,
they must be of the same type. For example, if you specify a database instance ID, all other values
must be database instance IDs.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SourceType
The type of source for which Amazon RDS provides notiﬁcation events. For example, if you want
to be notiﬁed of events generated by a database instance, set this parameter to db-instance. If
you don't specify a value, notiﬁcations are provided for all source types. For valid values, see the
SourceType parameter for the CreateEventSubscription action in the Amazon RDS API Reference.
Required: Conditional. If you specify the SourceIds or EventCategories property, you must
specify this property.
Type: String
Update requires: Replacement (p. 119) if you're removing this property after it was previously
speciﬁed. All other updates require no interruption (p. 118).

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myEventSubscription" }

For the resource with the logical ID myEventSubscription, Ref returns the Amazon RDS event
subscription name, such as: mystack-myEventSubscription-1DDYF1E3B3I.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following snippet creates an event subscription for an existing database instance db-instance-1
and a database with the logical ID myDBInstance, which is declared elsewhere in the same template.
API Version 2010-05-15
1369

AWS CloudFormation User Guide
AWS::RDS::OptionGroup

JSON
"myEventSubscription": {
"Type": "AWS::RDS::EventSubscription",
"Properties": {
"EventCategories": ["configuration change", "failure", "deletion"],
"SnsTopicArn": "arn:aws:sns:us-west-2:123456789012:example-topic",
"SourceIds": ["db-instance-1", { "Ref" : "myDBInstance" }],
"SourceType":"db-instance",
"Enabled" : false
}
}

YAML
myEventSubscription:
Type: "AWS::RDS::EventSubscription"
Properties:
EventCategories:
- "configuration change"
- "failure"
- "deletion"
SnsTopicArn: "arn:aws:sns:us-west-2:123456789012:example-topic"
SourceIds:
- "db-instance-1"
Ref: "myDBInstance"
SourceType: "db-instance"
Enabled: false

AWS::RDS::OptionGroup
Use the AWS::RDS::OptionGroup resource to create an option group that can make managing data
and databases easier. For more information about option groups, see Working with Option Groups in the
Amazon Relational Database Service User Guide.
Topics
• Syntax (p. 1370)
• Properties (p. 1371)
• Return Values (p. 1372)
• Examples (p. 1372)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::RDS::OptionGroup",
"Properties" : {
"EngineName" : String,
"MajorEngineVersion" : String,
"OptionGroupDescription" : String,
"OptionConfigurations" : [ OptionConfiguration, ... ],
"Tags" : [ Resource Tag, ... ]

API Version 2010-05-15
1370

AWS CloudFormation User Guide
AWS::RDS::OptionGroup

}

}

YAML
Type: "AWS::RDS::OptionGroup"
Properties:
EngineName: String
MajorEngineVersion: String
OptionGroupDescription: String
OptionConfigurations:
- OptionConfiguration
Tags:
- Resource Tag

Properties
EngineName
The name of the database engine that this option group is associated with.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
MajorEngineVersion
The major version number of the database engine that this option group is associated with.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
OptionGroupDescription
A description of the option group.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
OptionConfigurations
The conﬁgurations for this option group.
Required: Yes
Type: List of Amazon RDS OptionGroup OptionConﬁguration (p. 2108)
Update requires: Replacement (p. 119)
Tags
An arbitrary set of tags (key–value pairs) for this option group.
Required: No
API Version 2010-05-15
1371

AWS CloudFormation User Guide
AWS::RDS::OptionGroup

Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myOptionGroup" }

For the myOptionGroup resource, Ref returns the name of the option group.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Multiple Option Conﬁgurations
The following snippet creates an option group with two option conﬁgurations (OEM and APEX):

JSON
"OracleOptionGroup": {
"Type": "AWS::RDS::OptionGroup",
"Properties": {
"EngineName": "oracle-ee",
"MajorEngineVersion": "12.1",
"OptionGroupDescription": "A test option group",
"OptionConfigurations":[
{
"OptionName": "OEM",
"DBSecurityGroupMemberships": ["default"],
"Port": "5500"
},
{
"OptionName": "APEX"
}
]
}
}

YAML
OracleOptionGroup:
Type: "AWS::RDS::OptionGroup"
Properties:
EngineName: "oracle-ee"
MajorEngineVersion: "12.1"
OptionGroupDescription: "A test option group"
OptionConfigurations:
OptionName: "OEM"
DBSecurityGroupMemberships:
- "default"
Port: "5500"

API Version 2010-05-15
1372

AWS CloudFormation User Guide
AWS::Redshift::Cluster
-

OptionName: "APEX"

Multiple Settings
The following snippet creates an option group that speciﬁes two option settings for the MEMCACHED
option:

JSON
"SQLOptionGroup": {
"Type": "AWS::RDS::OptionGroup",
"Properties": {
"EngineName": "mysql",
"MajorEngineVersion": "5.6",
"OptionGroupDescription": "A test option group",
"OptionConfigurations":[
{
"OptionName": "MEMCACHED",
"VpcSecurityGroupMemberships": ["sg-a1238db7"],
"Port": "1234",
"OptionSettings": [
{"Name": "CHUNK_SIZE", "Value": "32"},
{"Name": "BINDING_PROTOCOL", "Value": "ascii"}
]
}
]
}
}

YAML
SQLOptionGroup:
Type: 'AWS::RDS::OptionGroup'
Properties:
EngineName: mysql
MajorEngineVersion: '5.6'
OptionGroupDescription: A test option group
OptionConfigurations:
- OptionName: MEMCACHED
VpcSecurityGroupMemberships:
- sg-a1238db7
Port: '1234'
OptionSettings:
- Name: CHUNK_SIZE
Value: '32'
- Name: BINDING_PROTOCOL
Value: ascii

AWS::Redshift::Cluster
Use the AWS::Redshift::Cluster resource to create an Amazon Redshift cluster. A cluster is a fully
managed data warehouse that consists of a set of compute nodes. For more information about default
and valid values, see CreateCluster in the Amazon Redshift API Reference.
Topics
• Syntax (p. 1374)
• Properties (p. 1375)
• Return Values (p. 1380)
API Version 2010-05-15
1373

AWS CloudFormation User Guide
AWS::Redshift::Cluster

• Example (p. 1380)
• More Info (p. 1381)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Redshift::Cluster",
"Properties" : {
"AllowVersionUpgrade" : Boolean,
"AutomatedSnapshotRetentionPeriod" : Integer,
"AvailabilityZone" : String,
"ClusterIdentifier" : String,
"ClusterParameterGroupName" : String,
"ClusterSecurityGroups" : [ String, ... ],
"ClusterSubnetGroupName" : String,
"ClusterType" : String,
"ClusterVersion" : String,
"DBName" : String,
"ElasticIp" : String,
"Encrypted" : Boolean,
"HsmClientCertificateIdentifier" : String,
"HsmConfigurationIdentifier" : String,
"IamRoles" : [ String, ... ],
"KmsKeyId" : String,
"LoggingProperties" : LoggingProperties (p. 2105),
"MasterUsername" : String,
"MasterUserPassword" : String,
"NodeType" : String,
"NumberOfNodes" : Integer,
"OwnerAccount" : String,
"Port" : Integer,
"PreferredMaintenanceWindow" : String,
"PubliclyAccessible" : Boolean,
"SnapshotClusterIdentifier" : String,
"SnapshotIdentifier" : String,
"Tags" : [ Resource Tag, ... ],
"VpcSecurityGroupIds" : [ String, ... ]
}

YAML
Type: "AWS::Redshift::Cluster"
Properties:
AllowVersionUpgrade: Boolean
AutomatedSnapshotRetentionPeriod: Integer
AvailabilityZone: String
ClusterIdentifier: String
ClusterParameterGroupName: String
ClusterSecurityGroups:
- String
ClusterSubnetGroupName: String
ClusterType: String
ClusterVersion: String
DBName: String
ElasticIp: String
Encrypted: Boolean

API Version 2010-05-15
1374

AWS CloudFormation User Guide
AWS::Redshift::Cluster
HsmClientCertificateIdentifier: String
HsmConfigurationIdentifier: String
IamRoles:
- String
KmsKeyId: String
LoggingProperties:
LoggingProperties (p. 2105)
MasterUsername: String
MasterUserPassword: String
NodeType: String
NumberOfNodes: Integer
OwnerAccount: String
Port: Integer
PreferredMaintenanceWindow: String
PubliclyAccessible: Boolean
SnapshotClusterIdentifier: String
SnapshotIdentifier: String
Tags:
- Resource Tag
VpcSecurityGroupIds:
- String

Properties
For more information about each property, including constraints and valid values, see CreateCluster in
the Amazon Redshift API Reference.
AllowVersionUpgrade
When a new version of Amazon Redshift is released, tells whether upgrades can be applied to the
engine that is running on the cluster. The upgrades are applied during the maintenance window. The
default value is true.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
AutomatedSnapshotRetentionPeriod
The number of days that automated snapshots are retained. The default value is 1. To disable
automated snapshots, set the value to 0.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
AvailabilityZone
The Amazon Elastic Compute Cloud (Amazon EC2) Availability Zone in which you want to provision
your Amazon Redshift cluster. For example, if you have several EC2 instances running in a speciﬁc
Availability Zone, you might want the cluster to be provisioned in the same zone to decrease
network latency.
Required: No
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
1375

AWS CloudFormation User Guide
AWS::Redshift::Cluster

ClusterIdentifier
The unique identiﬁer of the cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)
ClusterParameterGroupName
The name of the parameter group that you want to associate with this cluster.
Required: No
Type: String
Update requires: Some interruptions (p. 119)
ClusterSecurityGroups
A list of security groups that you want to associate with this cluster. Applies to EC2-Classic.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
ClusterSubnetGroupName
The name of a cluster subnet group that you want to associate with this cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)
ClusterType
The type of cluster. Specify single-node or multi-node (default).
Required: Yes
Type: String
Update requires: Some interruptions (p. 119)
ClusterVersion
The version of the Amazon Redshift engine that you want to deploy on the cluster.
Required: No
Type: String
Update requires: No interruption (p. 118)
DBName
The name of the ﬁrst database that will be created when the cluster is created.
Required: Yes
API Version 2010-05-15
1376

AWS CloudFormation User Guide
AWS::Redshift::Cluster

Type: String
Update requires: Replacement (p. 119)
ElasticIp
The Elastic IP (EIP) address for the cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)
Encrypted
Indicates whether the data in the cluster is encrypted at rest. The default value is false.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
HsmClientCertificateIdentifier
Speciﬁes the name of the hardware security module (HSM) client certiﬁcate that the Amazon
Redshift cluster uses to retrieve the data encryption keys stored in an HSM.
Required: No
Type: String
Update requires: No interruption (p. 118)
HsmConfigurationIdentifier
The name of the HSM conﬁguration that contains the information that the Amazon Redshift cluster
can use to retrieve and store keys in an HSM.
Required: No
Type: String
Update requires: No interruption (p. 118)
IamRoles
A list of AWS Identity and Access Management (IAM) roles that the cluster can use to access other
AWS services. Supply the IAM roles by their Amazon Resource Name (ARN). You can provide a
maximum of 10 IAM roles in a single request. A cluster can have a maximum of 10 IAM roles
associated with it at a time.
Required: No
Type: String
Update requires: No interruption (p. 118)
KmsKeyId
The ID of the AWS Key Management Service (AWS KMS) key that you want to use to encrypt data in
the cluster.
API Version 2010-05-15
1377

AWS CloudFormation User Guide
AWS::Redshift::Cluster

Required: No
Type: String
Update requires: Replacement (p. 119)
LoggingProperties
Conﬁgures Amazon Redshift to create audit log ﬁles, containing logging information such as queries
and connection attempts, for this cluster.
Required: No
Type: Amazon Redshift LoggingProperties (p. 2105)
Update requires: No interruption (p. 118)
MasterUsername
The user name that is associated with the master user account for this cluster.
You must specify values for MasterUserName and MasterUserPassword. However, if you're
restoring from an Amazon Redshift snapshot, AWS CloudFormation ignores the speciﬁed values and
uses the values that are stored in the snapshot.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
MasterUserPassword
The password associated with the master user account for this cluster.
You must specify values for MasterUserName and MasterUserPassword. However, if you're
restoring from an Amazon Redshift snapshot, AWS CloudFormation ignores the speciﬁed values and
uses the values that are stored in the snapshot.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
NodeType
The node type that is provisioned for this cluster.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
NumberOfNodes
The number of compute nodes in the cluster. If you specify multi-node for the ClusterType
parameter, you must specify a number greater than 1.

Important

You can't specify this parameter for a single-node cluster.
Required: Conditional
API Version 2010-05-15
1378

AWS CloudFormation User Guide
AWS::Redshift::Cluster

Type: Integer
Update requires: Some interruptions (p. 119)
OwnerAccount
When you restore from a snapshot from another AWS account, the 12-digit AWS account ID that
contains that snapshot.
Required: No
Type: String
Update requires: Replacement (p. 119)
Port
The port number on which the cluster accepts incoming connections. The default value is 5439.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
PreferredMaintenanceWindow
The weekly time range (in UTC) during which automated cluster maintenance can occur. The format
of the time range is ddd:hh24:mi-ddd:hh24:mi.
Required: No
Type: String
Update requires: No interruption (p. 118)
PubliclyAccessible
Indicates whether the cluster can be accessed from a public network.
Required: No
Type: Boolean
Update requires: Some interruptions (p. 119)
SnapshotClusterIdentifier
The name of the cluster that the source snapshot was created from. For more information about
restoring from a snapshot, see the RestoreFromClusterSnapshot action in the Amazon Redshift API
Reference.
Required: No
Required: Conditional. This property is required if your IAM policy includes a restriction on the cluster
name and the resource element speciﬁes anything other than the wildcard character (*) for the
cluster name.
Update requires: Replacement (p. 119)
SnapshotIdentifier
The name of the snapshot from which to create a new cluster.
API Version 2010-05-15
1379

AWS CloudFormation User Guide
AWS::Redshift::Cluster

Required: Conditional. If you speciﬁed the SnapshotClusterIdentifier property, you must
specify this property.
Type: String
Update requires: Replacement (p. 119)
Tags
Speciﬁes an arbitrary set of tags (key–value pairs) to associate with this cluster. Use tags to manage
your resources.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
VpcSecurityGroupIds
A list of VPC security groups that are associated with this cluster.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myCluster" }

For the Amazon Redshift cluster myCluster, Ref returns the name of the cluster.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Endpoint.Address
The connection endpoint for the Amazon Redshift cluster. For example:
examplecluster.cg034hpkmmjt.us-east-1.redshift.amazonaws.com .
Endpoint.Port
The port number on which the Amazon Redshift cluster accepts connections. For example: 5439.

Example
The following example describes a single-node Amazon Redshift cluster. The master user password is
referenced from an input parameter that is in the same template.
API Version 2010-05-15
1380

AWS CloudFormation User Guide
AWS::Redshift::ClusterParameterGroup

JSON
"myCluster": {
"Type": "AWS::Redshift::Cluster",
"Properties": {
"DBName": "mydb",
"MasterUsername": "master",
"MasterUserPassword": { "Ref" : "MasterUserPassword" },
"NodeType": "ds2.xlarge",
"ClusterType": "single-node",
"Tags": [
{
"Key": "foo",
"Value": "bar"
}
]
}
}

YAML
myCluster:
Type: "AWS::Redshift::Cluster"
Properties:
DBName: "mydb"
MasterUsername: "master"
MasterUserPassword:
Ref: "MasterUserPassword"
NodeType: "ds2.xlarge"
ClusterType: "single-node"
Tags:
- Key: foo
Value: bar

More Info
For a complete example template, see Amazon Redshift Template Snippets (p. 410).

AWS::Redshift::ClusterParameterGroup
Creates an Amazon Redshift parameter group that you can associate with an Amazon Redshift cluster.
The parameters in the group apply to all the databases that you create in the cluster.
Topics
• Syntax (p. 1381)
• Properties (p. 1382)
• Return Values (p. 1383)
• Examples (p. 1383)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1381

AWS CloudFormation User Guide
AWS::Redshift::ClusterParameterGroup

}

"Type" : "AWS::Redshift::ClusterParameterGroup",
"Properties" : {
"Description" : String,
"ParameterGroupFamily" : String,
"Parameters" : [ Parameter, ... ],
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: "AWS::Redshift::ClusterParameterGroup"
Properties:
Description: String
ParameterGroupFamily: String
Parameters:
- Parameter
Tags:
- Resource Tag

Properties
Description
A description of the parameter group.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ParameterGroupFamily
The Amazon Redshift engine version that applies to this cluster parameter group. The cluster engine
version determines the set of parameters that you can specify in the Parameters property.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Parameters
A list of parameter names and values that are allowed by the Amazon Redshift engine version that
you speciﬁed in the ParameterGroupFamily property. For more information, see Amazon Redshift
Parameter Groups in the Amazon Redshift Cluster Management Guide.
Required: No
Type: Amazon Redshift Parameter Type (p. 2104)
Update requires: No interruption (p. 118)
Tags
Speciﬁes an arbitrary set of tags (key–value pairs) to associate with this parameter group. Use tags
to manage your resources.
Required: No
API Version 2010-05-15
1382

AWS CloudFormation User Guide
AWS::Redshift::ClusterParameterGroup

Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myClusterParameterGroup" }

For the Amazon Redshift cluster parameter group myClusterParameterGroup, Ref returns the name
of the cluster parameter group.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Single Parameter
The following example describes a parameter group with one parameter that is speciﬁed:

JSON
"myClusterParameterGroup" : {
"Type" : "AWS::Redshift::ClusterParameterGroup",
"Properties" : {
"Description" : "My parameter group",
"ParameterGroupFamily" : "redshift-1.0",
"Parameters" : [ {
"ParameterName" : "enable_user_activity_logging",
"ParameterValue" : "true"
}]
}
}

YAML
myClusterParameterGroup:
Type: "AWS::Redshift::ClusterParameterGroup"
Properties:
Description: "My parameter group"
ParameterGroupFamily: "redshift-1.0"
Parameters:
ParameterName: "enable_user_activity_logging"
ParameterValue: "true"

Workload Management Conﬁguration
The following example modiﬁes the workload management conﬁguration using the
wlm_json_configuration parameter. The parameter value is a JSON object that must be passed as a
string enclosed in quotation marks (").
API Version 2010-05-15
1383

AWS CloudFormation User Guide
AWS::Redshift::ClusterSecurityGroup

JSON
"RedshiftClusterParameterGroup": {
"Type": "AWS::Redshift::ClusterParameterGroup",
"Properties": {
"Description": "Cluster parameter group",
"ParameterGroupFamily": "redshift-1.0",
"Parameters": [{
"ParameterName": "wlm_json_configuration",
"ParameterValue": "[{\"user_group\":[\"example_user_group1\"],\"query_group\":
[\"example_query_group1\"],\"query_concurrency\":7},{\"query_concurrency\":5}]"
}],
"Tags": [
{
"Key": "foo",
"Value": "bar"
}
]
}
}

YAML
RedshiftClusterParameterGroup:
Type: "AWS::Redshift::ClusterParameterGroup"
Properties:
Description: "Cluster parameter group"
ParameterGroupFamily: "redshift-1.0"
Parameters:
ParameterName: "wlm_json_configuration"
ParameterValue: "[{\"user_group\":[\"example_user_group1\"],\"query_group\":
[\"example_query_group1\"],\"query_concurrency\":7},{\"query_concurrency\":5}]"
Tags:
- Key: foo
Value: bar

AWS::Redshift::ClusterSecurityGroup
Creates an Amazon Redshift security group. You use security groups to control access to Amazon
Redshift clusters that are not in a VPC.
Topics
• Syntax (p. 1384)
• Properties (p. 1385)
• Return Values (p. 1385)
• Example (p. 1385)
• See Also (p. 1386)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1384

AWS CloudFormation User Guide
AWS::Redshift::ClusterSecurityGroup

}

"Type" : "AWS::Redshift::ClusterSecurityGroup",
"Properties" : {
"Description" : String,
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: "AWS::Redshift::ClusterSecurityGroup"
Properties:
Description: String
Tags:
- Resource Tag

Properties
Description
A description of the security group.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Tags
Speciﬁes an arbitrary set of tags (key–value pairs) to associate with this security group. Use tags to
manage your resources.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myClusterSecurityGroup" }

For the Amazon Redshift cluster security group myClusterSecurityGroup, Ref returns the name of
the cluster security group.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates an Amazon Redshift cluster security group that you can associate cluster
security group ingress rules with:
API Version 2010-05-15
1385

AWS CloudFormation User Guide
AWS::Redshift::ClusterSecurityGroupIngress

JSON
"myClusterSecurityGroup": {
"Type": "AWS::Redshift::ClusterSecurityGroup",
"Properties": {
"Description": "Security group to determine where connections to the Amazon Redshift
cluster can come from",
"Tags": [
{
"Key": "foo",
"Value": "bar"
}
]
}
}

YAML
myClusterSecurityGroup:
Type: "AWS::Redshift::ClusterSecurityGroup"
Properties:
Description: "Security group to determine where connections to the Amazon Redshift
cluster can come from"
Tags:
- Key: foo
Value: bar

See Also
• AWS::Redshift::ClusterSecurityGroupIngress (p. 1386)

AWS::Redshift::ClusterSecurityGroupIngress
Speciﬁes inbound (ingress) rules for an Amazon Redshift security group.
Topics
• Syntax (p. 1386)
• Properties (p. 1387)
• Template Snippet (p. 1387)
• See Also (p. 1388)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::Redshift::ClusterSecurityGroupIngress",
"Properties" : {
"ClusterSecurityGroupName" : String,
"CIDRIP" : String,
"EC2SecurityGroupName" : String,
"EC2SecurityGroupOwnerId" : String

API Version 2010-05-15
1386

AWS CloudFormation User Guide
AWS::Redshift::ClusterSecurityGroupIngress

}

}

YAML
Type: "AWS::Redshift::ClusterSecurityGroupIngress"
Properties:
ClusterSecurityGroupName: String
CIDRIP: String
EC2SecurityGroupName: String
EC2SecurityGroupOwnerId: String

Properties
ClusterSecurityGroupName
The name of the Amazon Redshift security group that will be associated with the ingress rule.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
CIDRIP
The IP address range that has inbound access to the Amazon Redshift security group.
Required: No
Type: String
Update requires: Replacement (p. 119)
EC2SecurityGroupName
The Amazon EC2 security group that will be added the Amazon Redshift security group.
Required: No
Type: String
Update requires: Replacement (p. 119)
EC2SecurityGroupOwnerId
The 12-digit AWS account number of the owner of the Amazon EC2 security group that is speciﬁed
by the EC2SecurityGroupName parameter.
Required: Conditional. If you specify the EC2SecurityGroupName property, you must specify this
property.
Type: String
Update requires: Replacement (p. 119)

Template Snippet
The following snippet describes a ingress rules for an Amazon Redshift cluster security group:
API Version 2010-05-15
1387

AWS CloudFormation User Guide
AWS::Redshift::ClusterSubnetGroup

JSON
"myClusterSecurityGroupIngressIP" : {
"Type": "AWS::Redshift::ClusterSecurityGroupIngress",
"Properties": {
"ClusterSecurityGroupName" : {"Ref":"myClusterSecurityGroup"},
"CIDRIP" : "10.0.0.0/16"
}
}

YAML
myClusterSecurityGroupIngressIP:
Type: "AWS::Redshift::ClusterSecurityGroupIngress"
Properties:
ClusterSecurityGroupName:
Ref: "myClusterSecurityGroup"
CIDRIP: "10.0.0.0/16"

See Also
• AWS::Redshift::ClusterSecurityGroup (p. 1384)

AWS::Redshift::ClusterSubnetGroup
Creates an Amazon Redshift subnet group. You must provide a list of one or more subnets in your
existing Amazon VPC when creating an Amazon Redshift subnet group.
Topics
• Syntax (p. 1388)
• Properties (p. 1389)
• Return Values (p. 1389)
• Example (p. 1389)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Redshift::ClusterSubnetGroup",
"Properties" : {
"Description" : String,
"SubnetIds" : [ String, ... ],
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: "AWS::Redshift::ClusterSubnetGroup"

API Version 2010-05-15
1388

AWS CloudFormation User Guide
AWS::Redshift::ClusterSubnetGroup
Properties:
Description: String
SubnetIds:
- String
Tags:
- Resource Tag

Properties
Description
A description of the subnet group.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
SubnetIds
A list of VPC subnet IDs. You can modify a maximum of 20 subnets.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)
Tags
Speciﬁes an arbitrary set of tags (key–value pairs) to associate with this subnet group. Use tags to
manage your resources.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myClusterSubnetGroup" }

For the Amazon Redshift cluster subnet group myClusterSubnetGroup, Ref returns the name of the
cluster subnet group.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example speciﬁes one subnet for an Amazon Redshift cluster subnet group.
API Version 2010-05-15
1389

AWS CloudFormation User Guide
AWS::Route53::HealthCheck

JSON
"myClusterSubnetGroup": {
"Type": "AWS::Redshift::ClusterSubnetGroup",
"Properties": {
"Description": "My ClusterSubnetGroup",
"SubnetIds": [
"subnet-7fbc2813"
],
"Tags": [
{
"Key": "foo",
"Value": "bar"
}
]
}
}

YAML
myClusterSubnetGroup:
Type: 'AWS::Redshift::ClusterSubnetGroup'
Properties:
Description: My ClusterSubnetGroup
SubnetIds:
- subnet-7fbc2813
Tags:
- Key: foo
Value: bar

AWS::Route53::HealthCheck
Use the AWS::Route53::HealthCheck resource to check the health of your resources before Amazon
Route 53 responds to a DNS query. For more information, see How Health Checks Work in Simple
Amazon Route 53 Conﬁgurations in the Amazon Route 53 Developer Guide.
Topics
• Syntax (p. 1390)
• Properties (p. 1391)
• Return Value (p. 1391)
• Example (p. 1391)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Route53::HealthCheck",
"Properties" : {
"HealthCheckConfig" : HealthCheckConfig,
"HealthCheckTags" : [ HealthCheckTags, ... ]
}

API Version 2010-05-15
1390

AWS CloudFormation User Guide
AWS::Route53::HealthCheck

YAML
Type: "AWS::Route53::HealthCheck"
Properties:
HealthCheckConfig:
HealthCheckConfig
HealthCheckTags:
- HealthCheckTags

Properties
HealthCheckConfig
An Amazon Route 53 health check.
Required: Yes
Type: Route 53 HealthCheck HealthCheckConﬁg (p. 2114)
Update requires: No interruption (p. 118)
HealthCheckTags
An arbitrary set of tags (key–value pairs) for this health check.
Required: No
Type: A list of Amazon Route 53 HealthCheck HealthCheckTags (p. 2118)
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the health
check ID, such as e0a123b4-4dba-4650-935e-example.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates an Amazon Route 53 health check that sends request to the speciﬁed
endpoint.

JSON
"myHealthCheck": {
"Type": "AWS::Route53::HealthCheck",
"Properties": {
"HealthCheckConfig": {
"IPAddress": "000.000.000.000",
"Port": "80",
"Type": "HTTP",
"ResourcePath": "/example/index.html",
"FullyQualifiedDomainName": "example.com",
"RequestInterval": "30",
"FailureThreshold": "3"

API Version 2010-05-15
1391

AWS CloudFormation User Guide
AWS::Route53::HostedZone

}

}

},
"HealthCheckTags" : [{
"Key": "SampleKey1",
"Value": "SampleValue1"
},
{
"Key": "SampleKey2",
"Value": "SampleValue2"
}]

YAML
myHealthCheck:
Type: "AWS::Route53::HealthCheck"
Properties:
HealthCheckConfig:
IPAddress: "000.000.000.000"
Port: "80"
Type: "HTTP"
ResourcePath: "/example/index.html"
FullyQualifiedDomainName: "example.com"
RequestInterval: "30"
FailureThreshold: "3"
HealthCheckTags:
Key: "SampleKey1"
Value: "SampleValue1"
Key: "SampleKey2"
Value: "SampleValue2"

AWS::Route53::HostedZone
The AWS::Route53::HostedZone resource creates a hosted zone, which can contain a collection
of record sets for a domain. You cannot create a hosted zone for a top-level domain (TLD). For more
information, see POST CreateHostedZone or POST CreateHostedZone (Private) in the Amazon Route 53
API Reference.
Topics
• Syntax (p. 1392)
• Properties (p. 1393)
• Return Values (p. 1394)
• Example (p. 1394)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::Route53::HostedZone",
"Properties" : {
"HostedZoneConfig" : HostedZoneConfig,
"HostedZoneTags" : [ HostedZoneTags, ... ],

API Version 2010-05-15
1392

AWS CloudFormation User Guide
AWS::Route53::HostedZone

}

}

"Name" : String,
"QueryLoggingConfig" : String,
"VPCs" : [ HostedZoneVPCs, ... ]

YAML
Type: "AWS::Route53::HostedZone"
Properties:
HostedZoneConfig:
HostedZoneConfig
HostedZoneTags:
- HostedZoneTags
Name: String
QueryLoggingConfig: String
VPCs:
- HostedZoneVPCs

Properties
HostedZoneConfig
A complex type that contains an optional comment about your hosted zone.
Required: No
Type: Route 53 HostedZoneConﬁg Property (p. 2119)
Update requires: No interruption (p. 118)
HostedZoneTags
An arbitrary set of tags (key–value pairs) for this hosted zone.
Required: No
Type: List of Amazon Route 53 HostedZoneTags (p. 2120)
Update requires: No interruption (p. 118)
Name
The name of the domain. For resource record types that include a domain name, specify a fully
qualiﬁed domain name.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
QueryLoggingConfig
The conﬁguration for DNS query logging.
Required: No
Type: Route 53 QueryLoggingConﬁg (p. 2120)
Update requires: No interruption (p. 118)
API Version 2010-05-15
1393

AWS CloudFormation User Guide
AWS::Route53::HostedZone

VPCs
One or more VPCs that you want to associate with this hosted zone. When you specify this property,
AWS CloudFormation creates a private hosted zone.
Required: No
Type: List of Route 53 HostedZoneVPCs (p. 2121)
If this property was speciﬁed previously and you're modifying values, updates require no
interruption (p. 118). If this property wasn't speciﬁed and you add values, updates require
replacement (p. 119). Also, if this property was speciﬁed and you remove all values, updates require
replacement (p. 119).

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "myHostedZone" }

Ref returns the hosted zone ID, such as Z23ABC4XYZL05B.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
NameServers
Returns the set of name servers for the speciﬁc hosted zone. For example: ns1.example.com.
This attribute is not supported for private hosted zones.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following template snippet creates a private hosted zone for the example.com domain.

JSON
"DNS": {
"Type": "AWS::Route53::HostedZone",
"Properties": {
"HostedZoneConfig": {
"Comment": "My hosted zone for example.com"
},
"Name": "example.com",
"VPCs": [{
"VPCId": "vpc-abcd1234",
"VPCRegion": "ap-northeast-1"

API Version 2010-05-15
1394

AWS CloudFormation User Guide
AWS::Route53::RecordSet
},
{

}

}

"VPCId": "vpc-efgh5678",
"VPCRegion": "us-west-2"
}],
"HostedZoneTags" : [{
"Key": "SampleKey1",
"Value": "SampleValue1"
},
{
"Key": "SampleKey2",
"Value": "SampleValue2"
}]

YAML
DNS:
Type: "AWS::Route53::HostedZone"
Properties:
HostedZoneConfig:
Comment: "My hosted zone for example.com"
Name: "example.com"
VPCs:
VPCId: "vpc-abcd1234"
VPCRegion: "ap-northeast-1"
VPCId: "vpc-efgh5678"
VPCRegion: "us-west-2"
HostedZoneTags:
Key: "SampleKey1"
Value: "SampleValue1"
Key: "SampleKey2"
Value: "SampleValue2"

AWS::Route53::RecordSet
The AWS::Route53::RecordSet type can be used as a standalone resource or as
an embedded property in the AWS::Route53::RecordSetGroup (p. 1401) type. Note
that some AWS::Route53::RecordSet properties are valid only when used within
AWS::Route53::RecordSetGroup.
For more information about constraints and values for each property, see POST CreateHostedZone for
hosted zones and POST ChangeResourceRecordSet for resource record sets.
Topics
•
•
•
•

Syntax (p. 1395)
Properties (p. 1396)
Return Value (p. 1400)
Example (p. 1400)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1395

AWS CloudFormation User Guide
AWS::Route53::RecordSet

JSON
{

}

"Type" : "AWS::Route53::RecordSet",
"Properties" : {
"AliasTarget (p. 1396)" : AliasTarget (p. 2112),
"Comment" : String,
"Failover" : String,
"GeoLocation" : GeoLocation,
"HealthCheckId" : String,
"HostedZoneId (p. 1397)" : String,
"HostedZoneName (p. 1398)" : String,
"Name (p. 1398)" : String,
"Region (p. 1398)" : String,
"ResourceRecords (p. 1398)" : [ String ],
"SetIdentifier (p. 1399)" : String,
"TTL (p. 1399)" : String,
"Type (p. 1399)" : String,
"Weight (p. 1399)" : Integer
}

YAML
Type: AWS::Route53::RecordSet
Properties:
AliasTarget (p. 1396):
AliasTarget (p. 2112)
Comment: String
Failover: String
GeoLocation:
GeoLocation
HealthCheckId: String
HostedZoneId (p. 1397): String
HostedZoneName (p. 1398): String
Name (p. 1398): String
Region (p. 1398): String
ResourceRecords (p. 1398):
- String
SetIdentifier (p. 1399): String
TTL (p. 1399): String
Type (p. 1399): String
Weight (p. 1399): Integer

Properties
AliasTarget
Alias resource record sets only: Information about the domain to which you are redirecting traﬃc.
If you specify this property, do not specify the TTL property. The alias uses a TTL value from the
alias target record.
For more information about alias resource record sets, see Creating Alias Resource Record Sets in the
Route 53 Developer Guide and POST ChangeResourceRecordSets in the Route 53 API reference.
Required: Conditional. Required if you are creating an alias resource record set.
Type: AliasTarget (p. 2112)
Update requires: No interruption (p. 118)
API Version 2010-05-15
1396

AWS CloudFormation User Guide
AWS::Route53::RecordSet

Comment
Any comments that you want to include about the hosted zone.

Important

If the record set is part of a record set group, this property isn't valid. Don't specify this
property.
Required: No
Type: String
Update requires: No interruption (p. 118)
Failover
Designates the record set as a PRIMARY or SECONDARY failover record set. When you have more than
one resource performing the same function, you can conﬁgure Route 53 to check the health of your
resources and use only health resources to respond to DNS queries. You cannot create nonfailover
resource record sets that have the same Name and Type property values as failover resource record
sets. For more information, see the Failover content in the Amazon Route 53 API Reference.
If you specify this property, you must specify the SetIdentifier property.
Required: No
Type: String
Update requires: No interruption (p. 118)
GeoLocation
Describes how Route 53 responds to DNS queries based on the geographic origin of the query. This
property is not compatible with the Region property.
Required: No
Type: Route 53 Record Set GeoLocation Property (p. 2113)
Update requires: No interruption (p. 118)
HealthCheckId
The health check ID that you want to apply to this record set. Route 53 returns this resource record
set in response to a DNS query only while record set is healthy.
Required: No
Type: String
Update requires: No interruption (p. 118)
HostedZoneId
The ID of the hosted zone.
Required: Conditional. You must specify either the HostedZoneName or HostedZoneId, but you
cannot specify both. If this record set is part of a record set group, do not specify this property.
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
1397

AWS CloudFormation User Guide
AWS::Route53::RecordSet

HostedZoneName
The name of the domain for the hosted zone where you want to add the record set.
When you create a stack using an AWS::Route53::RecordSet that speciﬁes HostedZoneName,
AWS CloudFormation attempts to ﬁnd a hosted zone whose name matches the HostedZoneName.
If AWS CloudFormation cannot ﬁnd a hosted zone with a matching domain name, or if there is more
than one hosted zone with the speciﬁed domain name, AWS CloudFormation will not create the
stack.
If you have multiple hosted zones with the same domain name, you must explicitly specify the
hosted zone using HostedZoneId.
Required: Conditional. You must specify either the HostedZoneName or HostedZoneId, but you
cannot specify both. If this record set is part of a record set group, do not specify this property.
Type: String
Update requires: Replacement (p. 119)
Name
The name of the domain. You must specify a fully qualiﬁed domain name that ends with a period as
the last label indication. If you omit the ﬁnal period, Route 53 adds it.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Region
Latency resource record sets only: The Amazon EC2 region where the resource that is speciﬁed in
this resource record set resides. The resource typically is an AWS resource, for example, Amazon
EC2 instance or an Elastic Load Balancing load balancer, and is referred to by an IP address or a DNS
domain name, depending on the record type.
When Route 53 receives a DNS query for a domain name and type for which you have created
latency resource record sets, Route 53 selects the latency resource record set that has the lowest
latency between the end user and the associated Amazon EC2 region. Route 53 then returns the
value that is associated with the selected resource record set.
The following restrictions must be followed:
• You can only specify one resource record per latency resource record set.
• You can only create one latency resource record set for each Amazon EC2 region.
• You are not required to create latency resource record sets for all Amazon EC2 regions. Route 53
will choose the region with the best latency from among the regions for which you create latency
resource record sets.
• You cannot create both weighted and latency resource record sets that have the same values for
the Name and Type elements.
• This property is not compatible with the GeoLocation property.
To see a list of regions by service, see Regions and Endpoints in the AWS General Reference.
ResourceRecords
List of resource records to add. Each record should be in the format appropriate for the record
type speciﬁed by the Type property. For information about diﬀerent record types and their record
formats, see Values for Basic Resource Record Sets and Appendix: Domain Name Format in the
Route 53 Developer Guide.
API Version 2010-05-15
1398

AWS CloudFormation User Guide
AWS::Route53::RecordSet

Required: Conditional. If you don't specify the AliasTarget property, you must specify this
property. If you are creating an alias resource record set, do not specify this property.
Type: List of String values
Update requires: No interruption (p. 118)
SetIdentifier
A unique identiﬁer that diﬀerentiates among multiple resource record sets that have the same
combination of DNS name and type.
Required: Conditional. Required if you are creating a weighted, latency, failover, or geolocation
resource record set.
For more information, see the SetIdentiﬁer content in the Route 53 Developer Guide.
Type: String
Update requires: No interruption (p. 118)
TTL
The resource record cache time to live (TTL), in seconds. If you specify this property, do not specify
the AliasTarget property. For alias target records, the alias uses a TTL value from the target.
If you specify this property, you must specify the ResourceRecords property.
Required: Conditional. If you don't specify the AliasTarget property, you must specify this
property. If you are creating an alias resource record set, do not specify this property.
Type: String
Update requires: No interruption (p. 118)
Type
The type of records to add. For valid values, see the Type content in the Amazon Route 53 API
Reference.
In AWS CloudFormation, you cannot modify the NS and SOA records for a hosted zone created
automatically by Route 53. Speciﬁcally, you can't create or delete NS or SOA records for the root
domain of your hosted zone, but you can create them for subdomains to delegate. For example, for
hosted zone mydomain.net, you cannot create an NS record for mydomain.net but you can create
an NS record for nnnn.mydomain.net for delegation.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Weight
Weighted resource record sets only: Among resource record sets that have the same combination of
DNS name and type, a value that determines what portion of traﬃc for the current resource record
set is routed to the associated location.
For more information about weighted resource record sets, see Setting Up Weighted Resource
Record Sets in the Route 53 Developer Guide.
Required: Conditional. Required if you are creating a weighted resource record set.
API Version 2010-05-15
1399

AWS CloudFormation User Guide
AWS::Route53::RecordSet

Type: Number. Weight expects integer values.
Update requires: No interruption (p. 118)

Return Value
When you specify an AWS::Route53::RecordSet type as an argument to the Ref function, AWS
CloudFormation returns the value of the domain name of the record set.
For more information about using the Ref function, see Ref (p. 2311).

Example
Mapping a Route 53 A record to the public IP of an Amazon EC2 instance
JSON
"Resources" : {
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [
"RegionMap", { "Ref" : "AWS::Region" }, "AMI"
] }
}
},
"myDNSRecord" : {
"Type" : "AWS::Route53::RecordSet",
"Properties" : {
"HostedZoneName" : { "Ref" : "HostedZoneResource" },
"Comment" : "DNS name for my instance.",
"Name" : {
"Fn::Join" : [ "", [
{"Ref" : "Ec2Instance"}, ".",
{"Ref" : "AWS::Region"}, ".",
{"Ref" : "HostedZone"} ,"."
] ]
},
"Type" : "A",
"TTL" : "900",
"ResourceRecords" : [
{ "Fn::GetAtt" : [ "Ec2Instance", "PublicIp" ] }
]
}
}
}

YAML
Resources:
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', AMI]
myDNSRecord:
Type: AWS::Route53::RecordSet
Properties:
HostedZoneName: !Ref 'HostedZoneResource'
Comment: DNS name for my instance.

API Version 2010-05-15
1400

AWS CloudFormation User Guide
AWS::Route53::RecordSetGroup
Name: !Join ['', [!Ref 'Ec2Instance', ., !Ref 'AWS::Region', ., !Ref
'HostedZone', .]]
Type: A
TTL: '900'
ResourceRecords:
- !GetAtt Ec2Instance.PublicIp

Additional Information
For additional AWS::Route53::RecordSet snippets, see Route 53 Template Snippets (p. 422) .

AWS::Route53::RecordSetGroup
The AWS::Route53::RecordSetGroup resource creates record sets for a hosted zone. For more
information about constraints and values for each property, see POST CreateHostedZone for hosted
zones and POST ChangeResourceRecordSet for resource record sets.
Topics
• Syntax (p. 1401)
• Properties (p. 1401)
• Return Value (p. 1403)
• Examples (p. 1403)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::Route53::RecordSetGroup",
"Properties" : {
"Comment (p. 1401)" : String,
"HostedZoneId (p. 1402)" : String,
"HostedZoneName (p. 1402)" : String,
"RecordSets (p. 1402)" : [ RecordSet1, ... ]
}

YAML
Type: AWS::Route53::RecordSetGroup
Properties:
Comment (p. 1401): String
HostedZoneId (p. 1402): String
HostedZoneName (p. 1402): String
RecordSets (p. 1402):
- RecordSet1

Properties
Comment
Any comments you want to include about the hosted zone.
API Version 2010-05-15
1401

AWS CloudFormation User Guide
AWS::Route53::RecordSetGroup

Required: No
Type: String
Update requires: No interruption (p. 118)
HostedZoneId
The ID of the hosted zone.
Required: Conditional: You must specify either the HostedZoneName or HostedZoneId, but you
cannot specify both.
Type: String
Update requires: Replacement (p. 119)
HostedZoneName
The name of the domain for the hosted zone where you want to add the record set.
When you create a stack using an AWS::Route53::RecordSet that speciﬁes HostedZoneName,
AWS CloudFormation attempts to ﬁnd a hosted zone whose name matches the HostedZoneName.
If AWS CloudFormation cannot ﬁnd a hosted zone with a matching domain name, or if there is more
than one hosted zone with the speciﬁed domain name, AWS CloudFormation will not create the
stack.
If you have multiple hosted zones with the same domain name, you must explicitly specify the
hosted zone using HostedZoneId.
Required: Conditional. You must specify either the HostedZoneName or HostedZoneId, but you
cannot specify both.
Type: String
Update requires: Replacement (p. 119)
RecordSets
List of resource record sets to add. The maximum number of records is 1,000.
Required: Yes
Type:: List of AWS::Route53::RecordSet (p. 1395) objects, as shown in the following example:
"RecordSets" : [
{
"Name" : "mysite.example.com.",
"Type" : "CNAME",
"TTL" : "900",
"SetIdentifier" : "Frontend One",
"Weight" : "4",
"ResourceRecords" : ["example-ec2.amazonaws.com"]
},
{
"Name" : "mysite.example.com.",
"Type" : "CNAME",
"TTL" : "900",
"SetIdentifier" : "Frontend Two",
"Weight" : "6",
"ResourceRecords" : ["example-ec2-larger.amazonaws.com"]
}
]

API Version 2010-05-15
1402

AWS CloudFormation User Guide
AWS::S3::Bucket

Update requires: No interruption (p. 118)

Return Value
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example:
{ "Ref": "MyRecordSetGroup" }

For the resource with the logical ID "MyRecordSetGroup", Ref will return the AWS resource name.
For more information about using the Ref function, see Ref (p. 2311).

Examples
For AWS::Route53::RecordSetGroup snippets, see Route 53 Template Snippets (p. 422).

AWS::S3::Bucket
The AWS::S3::Bucket resource creates an Amazon Simple Storage Service (Amazon S3) bucket in the
same AWS Region where you create the AWS CloudFormation stack.
To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a
deletion policy for your bucket. For Amazon S3 buckets, you can choose to retain the bucket or to delete
the bucket. For more information, see DeletionPolicy Attribute (p. 2248).

Important

You can only delete empty buckets. Deletion fails for buckets that have contents.
Topics
• Syntax (p. 1403)
• Properties (p. 1404)
• Return Values (p. 1407)
• Examples (p. 1408)
• More Info (p. 1419)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::S3::Bucket",
"Properties" : {
"AccessControl" : String,
"AccelerateConfiguration" : AccelerateConfiguration (p. 2122),
"AnalyticsConfigurations" : [ AnalyticsConfiguration (p. 2124), ... ],
"BucketEncryption" : BucketEncryption (p. 2125),
"BucketName" : String,
"CorsConfiguration" : CorsConfiguration,
"InventoryConfigurations" : [ InventoryConfiguration (p. 2131), ... ],
"LifecycleConfiguration" : LifecycleConfiguration,
"LoggingConfiguration" : LoggingConfiguration,
"MetricsConfigurations" : [ MetricsConfiguration (p. 2136), ... ]

API Version 2010-05-15
1403

AWS CloudFormation User Guide
AWS::S3::Bucket

}

}

"NotificationConfiguration" : NotificationConfiguration,
"ReplicationConfiguration" : ReplicationConfiguration,
"Tags" : [ Resource Tag, ... ],
"VersioningConfiguration" : VersioningConfiguration,
"WebsiteConfiguration" : WebsiteConfiguration

YAML
Type: AWS::S3::Bucket
Properties:
AccessControl: String
AccelerateConfiguration:
AccelerateConfiguration (p. 2122)
AnalyticsConfigurations:
- AnalyticsConfiguration (p. 2124)
BucketEncryption:
BucketEncryption (p. 2125)
BucketName: String
CorsConfiguration:
CorsConfiguration
InventoryConfigurations:
- InventoryConfiguration (p. 2131)
LifecycleConfiguration:
LifecycleConfiguration
LoggingConfiguration:
LoggingConfiguration
MetricsConfigurations:
- MetricsConfiguration (p. 2136)
NotificationConfiguration:
NotificationConfiguration
ReplicationConfiguration:
ReplicationConfiguration
Tags:
- Resource Tag
VersioningConfiguration:
VersioningConfiguration
WebsiteConfiguration:
WebsiteConfiguration

Properties
AccessControl
A canned access control list (ACL) that grants predeﬁned permissions to the bucket. For more
information about canned ACLs, see Canned ACLs in the Amazon S3 documentation in the Amazon
Simple Storage Service Developer Guide.
Required: No
Type: String
Valid values: AuthenticatedRead | AwsExecRead | BucketOwnerRead |
BucketOwnerFullControl | LogDeliveryWrite | Private | PublicRead | PublicReadWrite
Update requires: No interruption (p. 118)
AccelerateConfiguration
Conﬁguration for the transfer acceleration state. For more information, see Amazon S3 Transfer
Acceleration in the Amazon Simple Storage Service Developer Guide.
API Version 2010-05-15
1404

AWS CloudFormation User Guide
AWS::S3::Bucket

Required: No
Type: Amazon S3 Bucket AccelerateConﬁguration (p. 2122)
Update requires: No interruption (p. 118)
AnalyticsConfigurations
The conﬁguration and any analyses for the analytics ﬁlter of an Amazon S3 bucket. Duplicates not
allowed.
Required: No
Type: List of Amazon S3 Bucket AnalyticsConﬁguration (p. 2124)
Update requires: No interruption (p. 118)
BucketEncryption
Speciﬁes default encryption for a bucket using server-side encryption with either Amazon S3managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
Required: No
Type: Amazon S3 Bucket BucketEncryption (p. 2125)
Update requires: No interruption (p. 118)
BucketName
A name for the bucket. If you don't specify a name, AWS CloudFormation generates a unique
physical ID and uses that ID for the bucket name. For more information, see Name Type (p. 2085).
The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
CorsConfiguration
Rules that deﬁne cross-origin resource sharing of objects in this bucket. For more information, see
Enabling Cross-Origin Resource Sharing in the Amazon Simple Storage Service Developer Guide.
Required: No
Type: Amazon S3 Bucket CorsConﬁguration (p. 2126)
Update requires: No interruption (p. 118)
InventoryConfigurations
The inventory conﬁguration for an Amazon S3 bucket. Duplicates not allowed.
Required: No
Type: List of Amazon S3 Bucket InventoryConﬁguration (p. 2131)
Update requires: No interruption (p. 118)
API Version 2010-05-15
1405

AWS CloudFormation User Guide
AWS::S3::Bucket

LifecycleConfiguration
Rules that deﬁne how Amazon S3 manages objects during their lifetime. For more information, see
Object Lifecycle Management in the Amazon Simple Storage Service Developer Guide.
Required: No
Type: Amazon S3 Bucket LifecycleConﬁguration (p. 2135)
Update requires: No interruption (p. 118)
LoggingConfiguration
Settings that deﬁne where logs are stored.
Required: No
Type: Amazon S3 Bucket LoggingConﬁguration (p. 2135)
Update requires: No interruption (p. 118)
MetricsConfigurations
Settings that deﬁne a metrics conﬁguration for the CloudWatch request metrics from the bucket.
Required: No
Type: List of Amazon S3 Bucket MetricsConﬁguration (p. 2136)
Update requires: No interruption (p. 118)
Duplicates not allowed.
NotificationConfiguration
Conﬁguration that deﬁnes how Amazon S3 handles bucket notiﬁcations.
Required: No
Type: Amazon S3 Bucket NotiﬁcationConﬁguration (p. 2138)
Update requires: No interruption (p. 118)
ReplicationConfiguration
Conﬁguration for replicating objects in an S3 bucket. To enable replication, you must also enable
versioning by using the VersioningConfiguration property.
Amazon S3 can store replicated objects in only one destination (S3 bucket). The destination bucket
must already exist and be in a diﬀerent AWS Region than your source bucket.
Required: No
Type: Amazon S3 Bucket ReplicationConﬁguration (p. 2141)
Update requires: No interruption (p. 118)
Tags
An arbitrary set of tags (key-value pairs) for this S3 bucket.

Important

We recommend limiting the number of tags to seven. Applying more than seven tags
prevents the AWS CLI and the AWS CloudFormation console and API actions from listing the
tags for the S3 bucket.
Required: No
API Version 2010-05-15
1406

AWS CloudFormation User Guide
AWS::S3::Bucket

Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)
VersioningConfiguration
Enables multiple variants of all objects in this bucket. You might enable versioning to prevent
objects from being deleted or overwritten by mistake or to archive objects so that you can retrieve
previous versions of them.
Required: No
Type: Amazon S3 Bucket VersioningConﬁguration (p. 2154)
Update requires: No interruption (p. 118)
WebsiteConfiguration
Information used to conﬁgure the bucket as a static website. For more information, see Hosting
Websites on Amazon S3.
Required: No
Type: Website Conﬁguration Type (p. 2154)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
Example: mystack-mybucket-kdwwxmddtr2g.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
Returns the Amazon Resource Name (ARN) of the speciﬁed bucket.
Example: arn:aws:s3:::mybucket
DomainName
Returns the IPv4 DNS name of the speciﬁed bucket.
Example: mystack-mybucket-kdwwxmddtr2g.s3.amazonaws.com
DualStackDomainName
Returns the IPv6 DNS name of the speciﬁed bucket.
Example: mystack-mybucket-kdwwxmddtr2g.s3.dualstack.us-east-2.amazonaws.com/
For more information about dual-stack endpoints, see Using Amazon S3 Dual-Stack Endpoints.
API Version 2010-05-15
1407

AWS CloudFormation User Guide
AWS::S3::Bucket

WebsiteURL
Returns the Amazon S3 website endpoint for the speciﬁed bucket.
Example (IPv4): http://mystack-mybucket-kdwwxmddtr2g.s3-website-useast-2.amazonaws.com/
Example (IPv6): http://mystack-mybucket-kdwwxmddtr2g.s3.dualstack.useast-2.amazonaws.com/
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Associate a Replication Conﬁguration IAM Role with an S3 Bucket
The following example creates an S3 bucket and grants it permission to write to a replication bucket
by using an AWS Identity and Access Management (IAM) role. To avoid a circular dependency, the role's
policy is declared as a separate resource. The bucket depends on the WorkItemBucketBackupRole
role. If the policy is included in the role, the role also depends on the bucket.

JSON
"RecordServiceS3Bucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain",
"Properties": {
"ReplicationConfiguration": {
"Role": {
"Fn::GetAtt": [
"WorkItemBucketBackupRole",
"Arn"
]
},
"Rules": [{
"Destination": {
"Bucket": {
"Fn::Join": [ "", [
"arn:aws:s3:::", {
"Fn::Join": [ "-", [
{ "Ref": "AWS::Region" },
{ "Ref": "AWS::StackName" },
"replicationbucket"
]]
}
]]
},
"StorageClass": "STANDARD"
},
"Id": "Backup",
"Prefix": "",
"Status": "Enabled"
}]
},
"VersioningConfiguration": {
"Status": "Enabled"
}
}
},
"WorkItemBucketBackupRole": {
"Type": "AWS::IAM::Role",

API Version 2010-05-15
1408

AWS CloudFormation User Guide
AWS::S3::Bucket
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [{
"Action": [ "sts:AssumeRole" ],
"Effect": "Allow",
"Principal": {
"Service": [ "s3.amazonaws.com" ]
}
}]
}
}

},
"BucketBackupPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [{
"Action": [
"s3:GetReplicationConfiguration",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [{
"Fn::Join": [ "", [
"arn:aws:s3:::", {
"Ref": "RecordServiceS3Bucket"
}
]
]
}]
},{
"Action": [
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl"
],
"Effect": "Allow",
"Resource": [{
"Fn::Join": [ "", [
"arn:aws:s3:::", {
"Ref": "RecordServiceS3Bucket"
},
"/*"
]
]
}]
}, {
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete"
],
"Effect": "Allow",
"Resource": [{
"Fn::Join": [ "", [
"arn:aws:s3:::", {
"Fn::Join": [ "-", [
{ "Ref": "AWS::Region" },
{ "Ref": "AWS::StackName" },
"replicationbucket"
]]
},
"/*"
]]
}]
}]
},
"PolicyName": "BucketBackupPolicy",

API Version 2010-05-15
1409

AWS CloudFormation User Guide
AWS::S3::Bucket

}

}

"Roles": [{
"Ref": "WorkItemBucketBackupRole"
}]

YAML
RecordServiceS3Bucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
Properties:
ReplicationConfiguration:
Role: !GetAtt [WorkItemBucketBackupRole, Arn]
Rules:
- Destination:
Bucket: !Join ['', ['arn:aws:s3:::', !Join ['-', [!Ref 'AWS::Region', !Ref
'AWS::StackName',
replicationbucket]]]]
StorageClass: STANDARD
Id: Backup
Prefix: ''
Status: Enabled
VersioningConfiguration:
Status: Enabled
WorkItemBucketBackupRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: ['sts:AssumeRole']
Effect: Allow
Principal:
Service: [s3.amazonaws.com]
BucketBackupPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: ['s3:GetReplicationConfiguration', 's3:ListBucket']
Effect: Allow
Resource:
- !Join ['', ['arn:aws:s3:::', !Ref 'RecordServiceS3Bucket']]
- Action: ['s3:GetObjectVersion', 's3:GetObjectVersionAcl']
Effect: Allow
Resource:
- !Join ['', ['arn:aws:s3:::', !Ref 'RecordServiceS3Bucket', /*]]
- Action: ['s3:ReplicateObject', 's3:ReplicateDelete']
Effect: Allow
Resource:
- !Join ['', ['arn:aws:s3:::', !Join ['-', [!Ref 'AWS::Region', !Ref
'AWS::StackName',
replicationbucket]], /*]]
PolicyName: BucketBackupPolicy
Roles: [!Ref 'WorkItemBucketBackupRole']

Conﬁgure a Static Website with a Routing Rule
In this example, AWS::S3::Bucket's Fn::GetAtt values are used to provide outputs. If an HTTP
404 error occurs, the routing rule redirects requests to an EC2 instance and inserts the object key preﬁx
report-404/ in the redirect. For example, if you request a page called ExamplePage.html and it
results in an HTTP 404 error, the request is routed to a page called report-404/ExamplePage.html
on the speciﬁed instance. For all other HTTP error codes, error.html is returned.
API Version 2010-05-15
1410

AWS CloudFormation User Guide
AWS::S3::Bucket

JSON
"Resources" : {
"S3Bucket" : {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"AccessControl" : "PublicRead",
"BucketName" : "PublicBucket",
"WebsiteConfiguration" : {
"IndexDocument" : "index.html",
"ErrorDocument" : "error.html",
"RoutingRules": [
{
"RoutingRuleCondition": {
"HttpErrorCodeReturnedEquals": "404",
"KeyPrefixEquals": "out1/"
},
"RedirectRule": {
"HostName": "ec2-11-22-333-44.compute-1.amazonaws.com",
"ReplaceKeyPrefixWith": "report-404/"
}
}
]
}
},
"DeletionPolicy" : "Retain"
}
},
"Outputs" : {
"WebsiteURL" : {
"Value" : { "Fn::GetAtt" : [ "S3Bucket", "WebsiteURL" ] },
"Description" : "URL for website hosted on S3"
},
"S3BucketSecureURL" : {
"Value" : { "Fn::Join" : [
"", [ "https://", { "Fn::GetAtt" : [ "S3Bucket", "DomainName" ] } ]
] },
"Description" : "Name of S3 bucket to hold website content"
}
}

YAML
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
BucketName: PublicBucket
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
RoutingRules:
- RoutingRuleCondition:
HttpErrorCodeReturnedEquals: '404'
KeyPrefixEquals: out1/
RedirectRule:
HostName: ec2-11-22-333-44.compute-1.amazonaws.com
ReplaceKeyPrefixWith: report-404/
DeletionPolicy: Retain
Outputs:
WebsiteURL:
Value: !GetAtt [S3Bucket, WebsiteURL]

API Version 2010-05-15
1411

AWS CloudFormation User Guide
AWS::S3::Bucket
Description: URL for website hosted on S3
S3BucketSecureURL:
Value: !Join ['', ['https://', !GetAtt [S3Bucket, DomainName]]]
Description: Name of S3 bucket to hold website content

Enable Cross-Origin Resource Sharing
The following example template shows an S3 bucket with two cross-origin resource sharing rules.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicReadWrite",
"CorsConfiguration": {
"CorsRules": [
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET"
],
"AllowedOrigins": [
"*"
],
"ExposedHeaders": [
"Date"
],
"Id": "myCORSRuleId1",
"MaxAge": "3600"
},
{
"AllowedHeaders": [
"x-amz-*"
],
"AllowedMethods": [
"DELETE"
],
"AllowedOrigins": [
"http://www.example1.com",
"http://www.example2.com"
],
"ExposedHeaders": [
"Connection",
"Server",
"Date"
],
"Id": "myCORSRuleId2",
"MaxAge": "1800"
}
]
}
}
}
},
"Outputs": {
"BucketName": {
"Value": {
"Ref": "S3Bucket"

API Version 2010-05-15
1412

AWS CloudFormation User Guide
AWS::S3::Bucket

}

}

}

},
"Description": "Name of the sample Amazon S3 bucket with CORS enabled."

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicReadWrite
CorsConfiguration:
CorsRules:
- AllowedHeaders: ['*']
AllowedMethods: [GET]
AllowedOrigins: ['*']
ExposedHeaders: [Date]
Id: myCORSRuleId1
MaxAge: '3600'
- AllowedHeaders: [x-amz-*]
AllowedMethods: [DELETE]
AllowedOrigins: ['http://www.example1.com', 'http://www.example2.com']
ExposedHeaders: [Connection, Server, Date]
Id: myCORSRuleId2
MaxAge: '1800'
Outputs:
BucketName:
Value: !Ref 'S3Bucket'
Description: Name of the sample Amazon S3 bucket with CORS enabled.

Manage the Lifecycle for Amazon S3 Objects
The following example template shows an S3 bucket with a lifecycle conﬁguration rule. The rule applies
to all objects with the glacier key preﬁx. The objects are transitioned to Amazon Glacier after one day,
and deleted after one year.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicReadWrite",
"LifecycleConfiguration": {
"Rules": [
{
"Id": "GlacierRule",
"Prefix": "glacier",
"Status": "Enabled",
"ExpirationInDays": "365",
"Transitions": [
{
"TransitionInDays": "1",
"StorageClass": "Glacier"
}
]
}

API Version 2010-05-15
1413

AWS CloudFormation User Guide
AWS::S3::Bucket

}

}

}

]

},
"Outputs": {
"BucketName": {
"Value": {
"Ref": "S3Bucket"
},
"Description": "Name of the sample Amazon S3 bucket with a lifecycle
configuration."
}
}

}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicReadWrite
LifecycleConfiguration:
Rules:
- Id: GlacierRule
Prefix: glacier
Status: Enabled
ExpirationInDays: '365'
Transitions:
- TransitionInDays: '1'
StorageClass: Glacier
Outputs:
BucketName:
Value: !Ref 'S3Bucket'
Description: Name of the sample Amazon S3 bucket with a lifecycle configuration.

Log Access Requests for a Speciﬁc S3 Bucket
The following example template creates two S3 buckets. The LoggingBucket bucket store the logs
from the S3Bucket bucket. To receive logs from the S3Bucket bucket, the logging bucket requires log
delivery write permissions.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicRead",
"LoggingConfiguration": {
"DestinationBucketName": {"Ref" : "LoggingBucket"},
"LogFilePrefix": "testing-logs"
}
}
},
"LoggingBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {

API Version 2010-05-15
1414

AWS CloudFormation User Guide
AWS::S3::Bucket

}

"AccessControl": "LogDeliveryWrite"

}
},
"Outputs": {
"BucketName": {
"Value": {
"Ref": "S3Bucket"
},
"Description": "Name of the sample Amazon S3 bucket with a logging
configuration."
}
}

}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
LoggingConfiguration:
DestinationBucketName: !Ref 'LoggingBucket'
LogFilePrefix: testing-logs
LoggingBucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: LogDeliveryWrite
Outputs:
BucketName:
Value: !Ref 'S3Bucket'
Description: Name of the sample Amazon S3 bucket with a logging configuration.

Receive S3 Bucket Notiﬁcations to an SNS Topic
The following example template shows an S3 bucket with a notiﬁcation conﬁguration that sends an
event to the speciﬁed SNS topic when Amazon S3 has lost all replicas of an object.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicReadWrite",
"NotificationConfiguration": {
"TopicConfigurations": [
{
"Topic": "arn:aws:sns:us-east-1:123456789012:TestTopic",
"Event": "s3:ReducedRedundancyLostObject"
}
]
}
}
}
},
"Outputs": {
"BucketName": {
"Value": {

API Version 2010-05-15
1415

AWS CloudFormation User Guide
AWS::S3::Bucket
"Ref": "S3Bucket"
},
"Description": "Name of the sample Amazon S3 bucket with a notification
configuration."
}
}

}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicReadWrite
NotificationConfiguration:
TopicConfigurations:
- Topic: arn:aws:sns:us-east-1:123456789012:TestTopic
Event: s3:ReducedRedundancyLostObject
Outputs:
BucketName:
Value: !Ref 'S3Bucket'
Description: Name of the sample Amazon S3 bucket with a notification configuration.

Replicate Objects and Store Them in Another S3 Bucket
The following example includes two replication rules. Amazon S3 replicates objects with the MyPrefix
or MyOtherPrefix preﬁxes and stores them in the my-replication-bucket bucket, which must be
in a diﬀerent AWS Region than the S3Bucket bucket.

JSON
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"VersioningConfiguration":{
"Status":"Enabled"
},
"ReplicationConfiguration": {
"Role": "arn:aws:iam::123456789012:role/replication_role",
"Rules": [
{
"Id": "MyRule1",
"Status": "Enabled",
"Prefix": "MyPrefix",
"Destination": {
"Bucket": "arn:aws:s3:::my-replication-bucket",
"StorageClass": "STANDARD"
}
},
{
"Status": "Enabled",
"Prefix": "MyOtherPrefix",
"Destination": {
"Bucket": "arn:aws:s3:::my-replication-bucket"
}
}
]
}
}
}

API Version 2010-05-15
1416

AWS CloudFormation User Guide
AWS::S3::Bucket

YAML
S3Bucket:
Type: AWS::S3::Bucket
Properties:
VersioningConfiguration:
Status: Enabled
ReplicationConfiguration:
Role: arn:aws:iam::123456789012:role/replication_role
Rules:
- Id: MyRule1
Status: Enabled
Prefix: MyPrefix
Destination:
Bucket: arn:aws:s3:::my-replication-bucket
StorageClass: STANDARD
- Status: Enabled
Prefix: MyOtherPrefix
Destination:
Bucket: arn:aws:s3:::my-replication-bucket

Specify Analytics and Inventory Conﬁgurations for an Amazon S3 Bucket
The following example speciﬁes analytics and inventory results to be generated for an S3 bucket,
including the format of the results and the bucket to which they are published. The inventory list is
enabled to generate weekly, and only includes the current version of each object.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "S3 Bucket with Inventory and Analytics Configurations",
"Resources": {
"Helper": {
"Type": "AWS::S3::Bucket"
},
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AnalyticsConfigurations": [
{
"Id": "AnalyticsConfigurationId",
"StorageClassAnalysis": {
"DataExport": {
"Destination": {
"BucketArn": {
"Fn::GetAtt": [
"Helper",
"Arn"
]
},
"Format": "CSV",
"Prefix": "AnalyticsDestinationPrefix"
},
"OutputSchemaVersion": "V_1"
}
},
"Prefix": "AnalyticsConfigurationPrefix",
"TagFilters": [
{
"Key": "AnalyticsTagKey",
"Value": "AnalyticsTagValue"
}

API Version 2010-05-15
1417

AWS CloudFormation User Guide
AWS::S3::Bucket

}

}

}

}

}

]

],
"InventoryConfigurations": [
{
"Id": "InventoryConfigurationId",
"Destination": {
"BucketArn": {
"Fn::GetAtt": [
"Helper",
"Arn"
]
},
"Format": "CSV",
"Prefix": "InventoryDestinationPrefix"
},
"Enabled": "true",
"IncludedObjectVersions": "Current",
"Prefix": "InventoryConfigurationPrefix",
"ScheduleFrequency": "Weekly"
}
]

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: S3 Bucket with Inventory and Analytics Configurations
Resources:
Helper:
Type: AWS::S3::Bucket
S3Bucket:
Type: AWS::S3::Bucket
Properties:
AnalyticsConfigurations:
- Id: AnalyticsConfigurationId
StorageClassAnalysis:
DataExport:
Destination:
BucketArn: !GetAtt
- Helper
- Arn
Format: CSV
Prefix: AnalyticsDestinationPrefix
OutputSchemaVersion: V_1
Prefix: AnalyticsConfigurationPrefix
TagFilters:
- Key: AnalyticsTagKey
Value: AnalyticsTagValue
InventoryConfigurations:
- Id: InventoryConfigurationId
Destination:
BucketArn: !GetAtt
- Helper
- Arn
Format: CSV
Prefix: InventoryDestinationPrefix
Enabled: 'true'
IncludedObjectVersions: Current
Prefix: InventoryConfigurationPrefix
ScheduleFrequency: Weekly

API Version 2010-05-15
1418

AWS CloudFormation User Guide
AWS::S3::BucketPolicy

More Info
• For more examples, see Amazon S3 Template Snippets (p. 426).
• DeletionPolicy Attribute (p. 2248)
• Access Control List (ACL) Overview in the Amazon Simple Storage Service Developer Guide
• Hosting a Static Website on Amazon S3 in the Amazon Simple Storage Service Developer Guide

AWS::S3::BucketPolicy
The AWS::S3::BucketPolicy type applies an Amazon S3 bucket policy to an Amazon S3 bucket.
AWS::S3::BucketPolicy Snippet: Declaring an Amazon S3 Bucket Policy (p. 393)
Topics
• Syntax (p. 1419)
• Properties (p. 1419)
• Examples (p. 1420)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"Bucket" : String,
"PolicyDocument" : JSON
}

YAML
Type: AWS::S3::BucketPolicy
Properties:
Bucket: String
PolicyDocument: JSON

Properties
Bucket
The name of the Amazon S3 bucket to which the policy applies.
Required: Yes
Type: String
You cannot update this property. If you want to add or remove a bucket from a bucket policy, you
must modify your AWS CloudFormation template by creating a new bucket policy resource and
removing the old one. Then use the modiﬁed template to update your AWS CloudFormation stack.
API Version 2010-05-15
1419

AWS CloudFormation User Guide
AWS::S3::BucketPolicy

PolicyDocument
A policy document containing permissions to add to the speciﬁed bucket. For more information, see
Access Policy Language Overview in the Amazon Simple Storage Service Developer Guide.
Required: Yes
Type: JSON object
Update requires: No interruption (p. 118)

Examples
Bucket policy that allows GET requests from speciﬁc referers
The following sample is a bucket policy that is attached to the myExampleBucket bucket and allows
GET requests that originate from www.example.com and example.com:

JSON
"SampleBucketPolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"Bucket" : {"Ref" : "myExampleBucket"},
"PolicyDocument": {
"Statement":[{
"Action":["s3:GetObject"],
"Effect":"Allow",
"Resource": { "Fn::Join" : ["", ["arn:aws:s3:::", { "Ref" : "myExampleBucket" } , "/
*" ]]},
"Principal":"*",
"Condition":{
"StringLike":{
"aws:Referer":[
"http://www.example.com/*",
"http://example.com/*"
]
}
}
}]
}
}
}

YAML
SampleBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: "myExampleBucket"
PolicyDocument:
Statement:
Action:
- "s3:GetObject"
Effect: "Allow"
Resource:
Fn::Join:
- ""

API Version 2010-05-15
1420

AWS CloudFormation User Guide
AWS::SageMaker::Endpoint
-

- "arn:aws:s3:::"
Ref: "myExampleBucket"
- "/*"
Principal: "*"
Condition:
StringLike:
aws:Referer:
- "http://www.example.com/*"
- "http://example.com/*"

AWS::SageMaker::Endpoint
Use the AWS::SageMaker::Endpoint resource to create an endpoint using the speciﬁed conﬁguration
in the request. Amazon SageMaker uses the endpoint to provision resources and deploy models. You
create the endpoint conﬁguration with the AWS::SageMaker::EndpointConﬁg (p. 1425) resource. For
more information, see Deploying a Model on Amazon SageMaker Hosting Services in the SageMaker
Developer Guide.
Topics
• Syntax (p. 1421)
• Properties (p. 1421)
• Return Values (p. 1422)
• Examples (p. 1422)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SageMaker::Endpoint",
"Properties" : {
"EndpointName" : String,
"EndpointConfigName" : String,
"Tags" : [ Tag (p. 2159), ... ]
}

YAML
Type: "AWS::SageMaker::Endpoint"
Properties:
EndpointName: String
EndpointConfigName: String
Tags:
- Tag (p. 2159)

Properties
EndpointName
The name of the endpoint.
API Version 2010-05-15
1421

AWS CloudFormation User Guide
AWS::SageMaker::Endpoint

Required: No
Type: String
Update requires: Replacement (p. 119)
EndpointConfigName
The name of the AWS::SageMaker::EndpointConﬁg (p. 1425) resource that speciﬁes the
conﬁguration for the endpoint.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Tags
An array of key-value pairs. For more information, see Using Cost Allocation Tags in the AWS Billing
and Cost Management User Guide.
Required: Yes
Type: List of Amazon SageMaker Endpoint Tag (p. 2159)
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::SageMaker::Endpoint resource to the intrinsic
Ref function, the function returns the Amazon Resource Name (ARN) of the endpoint, such as
arn:aws:sagemaker:us-west-2:012345678901:endpoint/myendpoint.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
EndpointName
The name of the endpoint, such as MyEndpoint.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
SageMaker Endpoint Example
The following example creates an endpoint conﬁguration from a trained model, and then creates an
endpoint.

JSON
{

API Version 2010-05-15
1422

AWS CloudFormation User Guide
AWS::SageMaker::Endpoint
"Description": "Basic Hosting entities test. We need models to create endpoint
configs.",
"Mappings": {
"RegionMap": {
"us-west-2": {
"NullTransformer": "12345678901.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
},
"us-east-2": {
"NullTransformer": "12345678901.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
},
"us-east-1": {
"NullTransformer": "12345678901.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
},
"eu-west-1": {
"NullTransformer": "12345678901.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
},
"ap-northeast-1": {
"NullTransformer": "12345678901.dkr.ecr.ap-northeast-1.amazonaws.com/
mymodel:latest"
},
"ap-northeast-2": {
"NullTransformer": "12345678901.dkr.ecr.ap-northeast-2.amazonaws.com/
mymodel:latest"
},
"ap-southeast-2": {
"NullTransformer": "12345678901.dkr.ecr.ap-southeast-2.amazonaws.com/
mymodel:latest"
},
"eu-central-1": {
"NullTransformer": "12345678901.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
}
}
},
"Resources": {
"Endpoint": {
"Type": "AWS::SageMaker::Endpoint",
"Properties": {
"EndpointConfigName": { "Fn::GetAtt" : ["EndpointConfig", "EndpointConfigName" ] }
}
},
"EndpointConfig": {
"Type": "AWS::SageMaker::EndpointConfig",
"Properties": {
"ProductionVariants": [
{
"InitialInstanceCount": 1,
"InitialVariantWeight": 1,
"InstanceType": "ml.t2.large",
"ModelName": { "Fn::GetAtt" : ["Model", "ModelName" ] },
"VariantName": { "Fn::GetAtt" : ["Model", "ModelName" ] }
}
]
}
},
"Model": {
"Type": "AWS::SageMaker::Model",
"Properties": {
"PrimaryContainer": {
"Image": { "Fn::FindInMap" : [ "AWS::Region", "NullTransformer"] }
},
"ExecutionRoleArn": { "Fn::GetAtt" : [ "ExecutionRole", "Arn" ] }
}
},
"ExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {

API Version 2010-05-15
1423

AWS CloudFormation User Guide
AWS::SageMaker::Endpoint

}

}

"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"sagemaker.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]

},
"Outputs": {
"EndpointId": {
"Value": { "Ref" : "Endpoint" }
},
"EndpointName": {
"Value": { "Fn::GetAtt" : [ "Endpoint", "EndpointName" ] }
}
},
}

YAML

Description: "Basic Hosting entities test. We need models to create endpoint configs."
Mappings:
RegionMap:
"us-west-2":
"NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
"us-east-2":
"NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
"us-east-1":
"NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
"eu-west-1":
"NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
"ap-northeast-1":
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest"
"ap-northeast-2":

API Version 2010-05-15
1424

AWS CloudFormation User Guide
AWS::SageMaker::EndpointConﬁg
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest"
"ap-southeast-2":
"NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest"
"eu-central-1":
"NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
Resources:
Endpoint:
Type: "AWS::SageMaker::Endpoint"
Properties:
EndpointConfigName:
!GetAtt EndpointConfig.EndpointConfigName
EndpointConfig:
Type: "AWS::SageMaker::EndpointConfig"
Properties:
ProductionVariants:
- InitialInstanceCount: 1
InitialVariantWeight: 1.0
InstanceType: ml.t2.large
ModelName: !GetAtt Model.ModelName
VariantName: !GetAtt Model.ModelName
Model:
Type: "AWS::SageMaker::Model"
Properties:
PrimaryContainer:
Image: !FindInMap [RegionMap, !Ref "AWS::Region", "NullTransformer"]
ExecutionRoleArn: !GetAtt ExecutionRole.Arn
ExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- "sagemaker.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action: "*"
Resource: "*"
Outputs:
EndpointId:
Value: !Ref Endpoint
EndpointName:
Value: !GetAtt Endpoint.EndpointName

AWS::SageMaker::EndpointConﬁg
The AWS::SageMaker::EndpointConfig resource creates a conﬁguration for an Amazon SageMaker
endpoint. For more information, see CreateEndpointConﬁg in the SageMaker Developer Guide.
Topics
API Version 2010-05-15
1425

AWS CloudFormation User Guide
AWS::SageMaker::EndpointConﬁg

• Syntax (p. 1426)
• Properties (p. 1426)
• Return Values (p. 1427)
• Examples (p. 1427)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SageMaker::EndpointConfig",
"Properties" : {
"Tags" : [ ProductionVariants (p. 2160), ... ]
"EndpointConfigName" : String,
"KmsKeyId" : String,
"Tags" : [ Tag (p. 2161), ... ]
}

YAML
Type: "AWS::SageMaker::EndpointConfig"
Properties:
ProductionVariants:
- ProductionVariants (p. 2160)
EndpointConfigName: String
KmsKeyId: String
Tags:
- Tag (p. 2161)

Properties
ProductionVariants
A list of the production variants that specify the models you want to host at this endpoint.
Required: Yes
Type: List of Amazon SageMaker EndpointConﬁg ProductionVariant (p. 2160)
Update requires: Replacement (p. 119)
EndpointConfigName
The name of the endpoint conﬁguration.
Required: No
Type: String
Update requires: Replacement (p. 119)
KmsKeyId
If you provide a AWS KMS key ID, Amazon SageMaker uses it to encrypt data at rest on the ML
storage volume that is attached to your notebook instance.
API Version 2010-05-15
1426

AWS CloudFormation User Guide
AWS::SageMaker::EndpointConﬁg

Required: No
Type: String
Update requires: Replacement (p. 119)
Tags
An array of key-value pairs. For more information, see Using Cost Allocation Tags in the AWS Billing
and Cost Management User Guide.
Required: Yes
Type: List of Amazon SageMaker EndpointConﬁg Tag (p. 2161)
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::SageMaker::EndpointConfig resource to the intrinsic Ref
function, the function returns the Amazon Resource Name (ARN) of the endpoint conﬁguration, such as
arn:aws:sagemaker:us-west-2:012345678901:endpoint-config/myendpointconfig.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
EndpointConfigName
The name of the endpoint confugration, such as MyEndpointConfiguration.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
SageMaker Endpoint Example
The following example creates an endpoint conﬁguration from a trained model, and then creates an
endpoint.

JSON
{

"Description": "Basic Hosting entities test. We need models to create endpoint
configs.",
"Mappings": {
"RegionMap": {
"us-west-2": {
"NullTransformer": "12345678901.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
},
"us-east-2": {
"NullTransformer": "12345678901.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
},
"us-east-1": {

API Version 2010-05-15
1427

AWS CloudFormation User Guide
AWS::SageMaker::EndpointConﬁg
"NullTransformer": "12345678901.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
},
"eu-west-1": {
"NullTransformer": "12345678901.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
},
"ap-northeast-1": {
"NullTransformer": "12345678901.dkr.ecr.ap-northeast-1.amazonaws.com/
mymodel:latest"
},
"ap-northeast-2": {
"NullTransformer": "12345678901.dkr.ecr.ap-northeast-2.amazonaws.com/
mymodel:latest"
},
"ap-southeast-2": {
"NullTransformer": "12345678901.dkr.ecr.ap-southeast-2.amazonaws.com/
mymodel:latest"
},
"eu-central-1": {
"NullTransformer": "12345678901.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
}
}
},
"Resources": {
"Endpoint": {
"Type": "AWS::SageMaker::Endpoint",
"Properties": {
"EndpointConfigName": { "Fn::GetAtt" : ["EndpointConfig", "EndpointConfigName" ] }
}
},
"EndpointConfig": {
"Type": "AWS::SageMaker::EndpointConfig",
"Properties": {
"ProductionVariants": [
{
"InitialInstanceCount": 1,
"InitialVariantWeight": 1,
"InstanceType": "ml.t2.large",
"ModelName": { "Fn::GetAtt" : ["Model", "ModelName" ] },
"VariantName": { "Fn::GetAtt" : ["Model", "ModelName" ] }
}
]
}
},
"Model": {
"Type": "AWS::SageMaker::Model",
"Properties": {
"PrimaryContainer": {
"Image": { "Fn::FindInMap" : [ "AWS::Region", "NullTransformer"] }
},
"ExecutionRoleArn": { "Fn::GetAtt" : [ "ExecutionRole", "Arn" ] }
}
},
"ExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"sagemaker.amazonaws.com"
]
},
"Action": [

API Version 2010-05-15
1428

AWS CloudFormation User Guide
AWS::SageMaker::EndpointConﬁg

]

}

}

}

]

"sts:AssumeRole"

},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]

},
"Outputs": {
"EndpointId": {
"Value": { "Ref" : "Endpoint" }
},
"EndpointName": {
"Value": { "Fn::GetAtt" : [ "Endpoint", "EndpointName" ] }
}
},
}

YAML

Description: "Basic Hosting entities test. We need models to create endpoint configs."
Mappings:
RegionMap:
"us-west-2":
"NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
"us-east-2":
"NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
"us-east-1":
"NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
"eu-west-1":
"NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
"ap-northeast-1":
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest"
"ap-northeast-2":
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest"
"ap-southeast-2":
"NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest"
"eu-central-1":
"NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
Resources:
Endpoint:
Type: "AWS::SageMaker::Endpoint"
Properties:
EndpointConfigName:
!GetAtt EndpointConfig.EndpointConfigName

API Version 2010-05-15
1429

AWS CloudFormation User Guide
AWS::SageMaker::Model
EndpointConfig:
Type: "AWS::SageMaker::EndpointConfig"
Properties:
ProductionVariants:
- InitialInstanceCount: 1
InitialVariantWeight: 1.0
InstanceType: ml.t2.large
ModelName: !GetAtt Model.ModelName
VariantName: !GetAtt Model.ModelName
Model:
Type: "AWS::SageMaker::Model"
Properties:
PrimaryContainer:
Image: !FindInMap [RegionMap, !Ref "AWS::Region", "NullTransformer"]
ExecutionRoleArn: !GetAtt ExecutionRole.Arn
ExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- "sagemaker.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action: "*"
Resource: "*"
Outputs:
EndpointId:
Value: !Ref Endpoint
EndpointName:
Value: !GetAtt Endpoint.EndpointName

AWS::SageMaker::Model
The AWS::SageMaker::Model resource to create a model to host at an Amazon SageMaker endpoint.
For more information, see Deploying a Model on Amazon SageMaker Hosting Services in the Amazon
SageMaker Developer Guide.
Topics
• Syntax (p. 1431)
• Properties (p. 1431)
• Return Values (p. 1432)
• Examples (p. 1432)

API Version 2010-05-15
1430

AWS CloudFormation User Guide
AWS::SageMaker::Model

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SageMaker::Model",
"Properties" : {
"ExecutionRoleArn" : String,
"PrimaryContainer" : Tag (p. 2164),
"ModelName" : String,
"VpcConfig" : Tag (p. 2162),
"Tags" : [ Tag (p. 2165), ... ]
}

YAML
Type: "AWS::SageMaker::Model"
Properties:
ExecutionRoleArn: String
PrimaryContainer: Tag (p. 2164)
ModelName: String
VpcConfig: Tag (p. 2162)
Tags:
- Tag (p. 2165)

Properties
ExecutionRoleArn
The Amazon Resource Name (ARN) of the IAM role that Amazon SageMaker can assume to access
model artifacts and docker image for deployment on ML compute instances. Deploying on ML
compute instances is part of model hosting. For more information, see Amazon SageMaker Roles.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
PrimaryContainer
The location of the primary docker image containing inference code, associated artifacts, and
custom environment map that the inference code uses when the model is deployed into production.
Required: Yes
Type: Amazon SageMaker Model ContainerDeﬁnition (p. 2164)
Update requires: Replacement (p. 119)
ModelName
The name of the model.
Required: No
Type: String
API Version 2010-05-15
1431

AWS CloudFormation User Guide
AWS::SageMaker::Model

Update requires: Replacement (p. 119)
VpcConfig
A VpcConﬁg object that speciﬁes the VPC that you want your model to connect to. Control access to
and from your model container by conﬁguring the VPC. For more information, see Protect Models by
Using an Amazon Virtual Private Cloud.
Required: No
Type: Amazon SageMaker Model VpcConﬁg (p. 2166)
Update requires: Replacement (p. 119)
Tags
An array of key-value pairs. For more information, see Using Cost Allocation Tags in the AWS Billing
and Cost Management User Guide.
Required: No
Type: List of Amazon SageMaker Model Tag (p. 2165)
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::SageMaker::Model resource to the intrinsic Ref function, the
function returns the Amazon Resource Name (ARN) of the model, such as arn:aws:sagemaker:uswest-2:012345678901:model/mymodel.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
ModelName
The name of the model, such as MyModel.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
SageMaker Endpoint Example
The following example creates an endpoint conﬁguration from a trained model, and then creates an
endpoint.

JSON
{

"Description": "Basic Hosting entities test.
configs.",
"Mappings": {

We need models to create endpoint

API Version 2010-05-15
1432

AWS CloudFormation User Guide
AWS::SageMaker::Model
"RegionMap": {
"us-west-2": {
"NullTransformer": "12345678901.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
},
"us-east-2": {
"NullTransformer": "12345678901.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
},
"us-east-1": {
"NullTransformer": "12345678901.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
},
"eu-west-1": {
"NullTransformer": "12345678901.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
},
"ap-northeast-1": {
"NullTransformer": "12345678901.dkr.ecr.ap-northeast-1.amazonaws.com/
mymodel:latest"
},
"ap-northeast-2": {
"NullTransformer": "12345678901.dkr.ecr.ap-northeast-2.amazonaws.com/
mymodel:latest"
},
"ap-southeast-2": {
"NullTransformer": "12345678901.dkr.ecr.ap-southeast-2.amazonaws.com/
mymodel:latest"
},
"eu-central-1": {
"NullTransformer": "12345678901.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
}
}
},
"Resources": {
"Endpoint": {
"Type": "AWS::SageMaker::Endpoint",
"Properties": {
"EndpointConfigName": { "Fn::GetAtt" : ["EndpointConfig", "EndpointConfigName" ] }
}
},
"EndpointConfig": {
"Type": "AWS::SageMaker::EndpointConfig",
"Properties": {
"ProductionVariants": [
{
"InitialInstanceCount": 1,
"InitialVariantWeight": 1,
"InstanceType": "ml.t2.large",
"ModelName": { "Fn::GetAtt" : ["Model", "ModelName" ] },
"VariantName": { "Fn::GetAtt" : ["Model", "ModelName" ] }
}
]
}
},
"Model": {
"Type": "AWS::SageMaker::Model",
"Properties": {
"PrimaryContainer": {
"Image": { "Fn::FindInMap" : [ "AWS::Region", "NullTransformer"] }
},
"ExecutionRoleArn": { "Fn::GetAtt" : [ "ExecutionRole", "Arn" ] }
}
},
"ExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [

API Version 2010-05-15
1433

AWS CloudFormation User Guide
AWS::SageMaker::Model
{

]

}

}

}

"Effect": "Allow",
"Principal": {
"Service": [
"sagemaker.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]

},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]

},
"Outputs": {
"EndpointId": {
"Value": { "Ref" : "Endpoint" }
},
"EndpointName": {
"Value": { "Fn::GetAtt" : [ "Endpoint", "EndpointName" ] }
}
},
}

YAML

Description: "Basic Hosting entities test. We need models to create endpoint configs."
Mappings:
RegionMap:
"us-west-2":
"NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest"
"us-east-2":
"NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest"
"us-east-1":
"NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest"
"eu-west-1":
"NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest"
"ap-northeast-1":
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest"
"ap-northeast-2":
"NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest"
"ap-southeast-2":
"NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest"

API Version 2010-05-15
1434

AWS CloudFormation User Guide
AWS::SageMaker::NotebookInstance
"eu-central-1":
"NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest"
Resources:
Endpoint:
Type: "AWS::SageMaker::Endpoint"
Properties:
EndpointConfigName:
!GetAtt EndpointConfig.EndpointConfigName
EndpointConfig:
Type: "AWS::SageMaker::EndpointConfig"
Properties:
ProductionVariants:
- InitialInstanceCount: 1
InitialVariantWeight: 1.0
InstanceType: ml.t2.large
ModelName: !GetAtt Model.ModelName
VariantName: !GetAtt Model.ModelName
Model:
Type: "AWS::SageMaker::Model"
Properties:
PrimaryContainer:
Image: !FindInMap [RegionMap, !Ref "AWS::Region", "NullTransformer"]
ExecutionRoleArn: !GetAtt ExecutionRole.Arn
ExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- "sagemaker.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action: "*"
Resource: "*"
Outputs:
EndpointId:
Value: !Ref Endpoint
EndpointName:
Value: !GetAtt Endpoint.EndpointName

AWS::SageMaker::NotebookInstance
The AWS::SageMaker::NotebookInstance resource Creates an Amazon SageMaker notebook
instance. A notebook instance is a machine learning (ML) compute instance running on a Jupyter
notebook. For more information, see Using Notebook Instances in the Amazon SageMaker Developer
Guide.
Topics
• Syntax (p. 1436)
API Version 2010-05-15
1435

AWS CloudFormation User Guide
AWS::SageMaker::NotebookInstance

• Properties (p. 1436)
• Return Values (p. 1438)
• Examples (p. 1438)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SageMaker::NotebookInstance",
"Properties" : {
"KmsKeyId" : String,
"DirectInternetAccess" : String,
"SubnetId" : String,
"NotebookInstanceName" : String,
"InstanceType" : String,
"LifecycleConfigName" : String,
"SecurityGroupIds" : [ String, ... ],
"RoleArn" : String,
"Tags" : [ Tag (p. 2162), ... ]
}

YAML
Type: "AWS::SageMaker::NotebookInstance"
Properties:
KmsKeyId: String
DirectInternetAccess: String
SubnetId: String
NotebookInstanceName: String
InstanceType: String
LifecycleConfigName: String
SecurityGroupIds:
- String
RoleArn: String
Tags:
- Tag (p. 2162)

Properties
KmsKeyId
If you provide a AWS KMS key ID, Amazon SageMaker uses it to encrypt data at rest on the ML
storage volume that is attached to your notebook instance.
Required: No
Type: String
Update requires: Replacement (p. 119)
DirectInternetAccess
Sets whether Amazon SageMaker provides internet access to the notebook instance. If you set this
to Disabled this notebook instance will be able to access resources only in your VPC, and will not
API Version 2010-05-15
1436

AWS CloudFormation User Guide
AWS::SageMaker::NotebookInstance

be able to connect to Amazon SageMaker training and endpoint services unless your conﬁgure a
NAT Gateway in your VPC. For more information, see Notebook Instances Are Enabled with Internet
Access by Default. You can set the value of this parameter to Disabled only if you set a value for the
SubnetId parameter.
Required: No
Type: String
Update requires: Replacement (p. 119)
SubnetId
The ID of the subnet in a VPC to which you would like to have a connectivity from your ML compute
instance.
Required: No
Type: String
Update requires: Replacement (p. 119)
NotebookInstanceName
The name of the notebook instance.
Required: No
Type: String
Update requires: Replacement (p. 119)
InstanceType
The type of ML compute instance to launch for the notebook instance.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
LifecycleConfigName
The name of a lifecycle conﬁguration to associate with the notebook instance. For information about
lifestyle conﬁgurations, see Customize a Notebook Instance in the Amazon SageMaker Developer
Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)
SecurityGroupIds
The VPC security group IDs, in the form sg-xxxxxxxx. The security groups must be for the same VPC
as speciﬁed in the subnet.
Required: No
Type: List of Strings
Update requires: Replacement (p. 119)
API Version 2010-05-15
1437

AWS CloudFormation User Guide
AWS::SageMaker::NotebookInstance

RoleArn
When you send any requests to AWS resources from the notebook instance, Amazon SageMaker
assumes this role to perform tasks on your behalf. You must grant this role necessary permissions so
Amazon SageMaker can perform these tasks. The policy must allow the Amazon SageMaker service
principal (sagemaker.amazonaws.com) permissions to assume this role. For more information, see
Amazon SageMaker Roles.
Required: Yes
Type:
Update requires: No interruption (p. 118)
Tags
A list of tags to associate with the notebook instance.
Required: No
Type: List of Amazon SageMaker NotebookInstance Tag (p. 2162)
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::SageMaker::NotebookInstance resource to the intrinsic
Ref function, the function returns the Amazon Resource Name (ARN) of the notebook instance, such as
arn:aws:sagemaker:us-west-2:012345678901:notebook-instance/mynotebookinstance.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
NotebookInstanceName
The name of the notebook instance, such as MyNotebookInstance.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
SageMaker Notebook Instance Example
The following example creates a notebook instance.

JSON
{

"Description": "Basic NotebookInstance test update to a different instance type",
"Resources": {
"BasicNotebookInstance": {
"Type": "AWS::SageMaker::NotebookInstance",

API Version 2010-05-15
1438

AWS CloudFormation User Guide
AWS::SageMaker::NotebookInstance
"Properties": {
"InstanceType": "ml.t2.large",
"RoleArn": { "Fn::GetAtt" : [ "ExecutionRole", "Arn" ] }
}

},
"ExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"sagemaker.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]
}
}

},
"Outputs": {
"BasicNotebookInstanceId": {
"Value": { "Ref" : "BasicNotebookInstance" }
}
},
}

YAML

Description: "Basic NotebookInstance test update to a different instance type"
Resources:
BasicNotebookInstance:
Type: "AWS::SageMaker::NotebookInstance"
Properties:
InstanceType: "ml.t2.large"
RoleArn: !GetAtt ExecutionRole.Arn
ExecutionRole:
Type: "AWS::IAM::Role"
Properties:

API Version 2010-05-15
1439

AWS CloudFormation User Guide
AWS::SageMaker::NotebookInstanceLifecycleConﬁg
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- "sagemaker.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action: "*"
Resource: "*"
Outputs:
BasicNotebookInstanceId:
Value: !Ref BasicNotebookInstance

AWS::SageMaker::NotebookInstanceLifecycleConﬁg
The AWS::SageMaker::NotebookInstanceLifecycleConfig resource speciﬁes shell scripts that
run when you create and/or start a notebook instance. For more information, see Customize a Notebook
Instance in the Amazon SageMaker Developer Guide.
Topics
• Syntax (p. 1440)
• Properties (p. 1441)
• Return Values (p. 1441)
• Examples (p. 1442)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SageMaker::NotebookInstanceLifecycleConfig",
"Properties" : {
"OnStart" : [ NotebookInstanceLifecycleHook (p. 2163), ... ],
"NotebookInstanceLifecycleConfigName" : String,
"OnCreate" : [ NotebookInstanceLifecycleHook (p. 2163), ... ]
}

YAML
Type: "AWS::SageMaker::NotebookInstanceLifecycleConfig"
Properties:
OnStart:

API Version 2010-05-15
1440

AWS CloudFormation User Guide
AWS::SageMaker::NotebookInstanceLifecycleConﬁg
- NotebookInstanceLifecycleHook (p. 2163)
NotebookInstanceLifecycleConfigName: String
OnCreate:
- NotebookInstanceLifecycleHook (p. 2163)

Properties
OnStart
A shell script that runs once when you create a notebook instance, and then each time you start the
notebook instance.
Required: No
Type: List of Amazon SageMaker NotebookInstanceLifecycleConﬁg
NotebookInstanceLifecycleHook (p. 2163)
Update requires: No interruption (p. 118)
NotebookInstanceLifecycleConfigName
The name of the lifecycle conﬁguration.
Required: No
Type: String
Update requires: Replacement (p. 119)
OnCreate
A shell script that runs only once, when you create a notebook instance.
Required: No
Type: List of Amazon SageMaker NotebookInstanceLifecycleConﬁg
NotebookInstanceLifecycleHook (p. 2163)
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::SageMaker::NotebookInstanceLifecycleConfig
resource to the intrinsic Ref function, the function returns the Amazon Resource Name (ARN) of the
lifecycle conﬁguration, such as arn:aws:sagemaker:us-west-2:012345678901:notebookinstance-lifecycle-config/mylifecycleconfig.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
NotebookInstanceLifecycleConfigName
The name of the lifecycle conﬁguration, such as MyLifecycleConfig.
API Version 2010-05-15
1441

AWS CloudFormation User Guide
AWS::SageMaker::NotebookInstanceLifecycleConﬁg

For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
Notebook Instance Lifecycle Conﬁg Example
The following example creates a notebook instance with an associated lifecycle conﬁguration.

JSON
{

"Description": "Basic NotebookInstance test",
"Resources": {
"BasicNotebookInstance": {
"Type": "AWS::SageMaker::NotebookInstance",
"Properties": {
"InstanceType": "ml.t2.medium",
"RoleArn": { "Fn::GetAtt" : [ "ExecutionRole", "Arn" ] },
"LifecycleConfigName": { "Fn::GetAtt" : [ "BasicNotebookInstanceLifecycleConfig",
"NotebookInstanceLifecycleConfigName" ] }
},
"BasicNotebookInstanceLifecycleConfig": {
"Type": "AWS::SageMaker::NotebookInstanceLifecycleConfig",
"Properties": {
"OnStart": [
{
"Content": {
"Fn::Base64": "echo 'hello'"
}
}
]
}
},
"ExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"sagemaker.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}

API Version 2010-05-15
1442

AWS CloudFormation User Guide
AWS::SageMaker::NotebookInstanceLifecycleConﬁg

}

}

}

]

}

}

]

},
"Outputs": {
"BasicNotebookInstanceId": {
"Value": { "Ref" : "BasicNotebookInstance" }
},
"BasicNotebookInstanceLifecycleConfigId": {
"Value": { "Ref" : "BasicNotebookInstanceLifecycleConfig" }
}
},

YAML
Description: "Basic NotebookInstance test"
Resources:
BasicNotebookInstance:
Type: "AWS::SageMaker::NotebookInstance"
Properties:
InstanceType: "ml.t2.medium"
RoleArn: !GetAtt ExecutionRole.Arn
LifecycleConfigName: !GetAtt
BasicNotebookInstanceLifecycleConfig.NotebookInstanceLifecycleConfigName
BasicNotebookInstanceLifecycleConfig:
Type: "AWS::SageMaker::NotebookInstanceLifecycleConfig"
Properties:
OnStart:
- Content:
Fn::Base64: "echo 'hello'"
ExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Principal:
Service:
- "sagemaker.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: "Allow"
Action: "*"
Resource: "*"
Outputs:
BasicNotebookInstanceId:
Value: !Ref BasicNotebookInstance
BasicNotebookInstanceLifecycleConfigId:
Value: !Ref BasicNotebookInstanceLifecycleConfig

API Version 2010-05-15
1443

AWS CloudFormation User Guide
AWS::SDB::Domain

AWS::SDB::Domain
Use the AWS::SDB::Domain resource to declare an Amazon SimpleDB domain. When you specify
AWS::SDB::Domain as an argument in a Ref function, AWS CloudFormation returns the value of the
DomainName.

Important

The AWS::SDB::Domain resource does not allow any updates, including metadata updates.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SDB::Domain",
"Properties" : {
"Description" : String
}

YAML
Type: AWS::SDB::Domain
Properties:
Description: String

Properties
Description
Information about the Amazon SimpleDB domain.
Required: No
Type: String
Update requires: Updates are not supported.

AWS::ServiceCatalog::AcceptedPortfolioShare
Accepts an oﬀer to share the speciﬁed portfolio for AWS Service Catalog. For more information, see
AcceptPortfolioShare in the AWS Service Catalog Developer Guide.
Topics
• Syntax (p. 1444)
• Properties (p. 1445)
• Return Values (p. 1445)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1444

AWS CloudFormation User Guide
AWS::ServiceCatalog::CloudFormationProduct

JSON
{

}

"Type" : "AWS::ServiceCatalog::AcceptedPortfolioShare",
"Properties" : {
"AcceptLanguage" : String,
"PortfolioId" : String
}

YAML
Type: "AWS::ServiceCatalog::AcceptedPortfolioShare"
Properties:
AcceptLanguage: String
PortfolioId: String

Properties
AcceptLanguage
The language code.
Required: No
Type: String
Update requires: Replacement (p. 119)
PortfolioId
The portfolio identiﬁer.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceCatalog::AcceptedPortfolioShare resource to
the intrinsic Ref function, the function returns a unique identiﬁer.
For more information about using the Ref function, see Ref (p. 2311).

AWS::ServiceCatalog::CloudFormationProduct
Creates the speciﬁed product for AWS Service Catalog. For more information, see CreateProduct in the
AWS Service Catalog Developer Guide.
Topics
• Syntax (p. 1446)
• Properties (p. 1446)
API Version 2010-05-15
1445

AWS CloudFormation User Guide
AWS::ServiceCatalog::CloudFormationProduct

• Return Values (p. 1448)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ServiceCatalog::CloudFormationProduct",
"Properties" : {
"Owner" : String,
"SupportDescription" : String,
"Description" : String,
"Distributor" : String,
"SupportEmail" : String,
"AcceptLanguage" : String,
"SupportUrl" : String,
"Tags" : [ Resource Tag (p. 2106), ... ],
"Name" : String,
"ProvisioningArtifactParameters" : [ ProvisioningArtifactProperties (p. 2167), ... ]
}

YAML
Type: "AWS::ServiceCatalog::CloudFormationProduct"
Properties:
Owner: String
SupportDescription: String
Description: String
Distributor: String
SupportEmail: String
AcceptLanguage: String
SupportUrl: String
Tags:
- Resource Tag (p. 2106)
Name: String
ProvisioningArtifactParameters:
- ProvisioningArtifactProperties (p. 2167)

Properties
AcceptLanguage
The language code.
Required: No
Type: String
Update requires: No interruption (p. 118)
Description
The description of the product.
Required: No
Type: String
API Version 2010-05-15
1446

AWS CloudFormation User Guide
AWS::ServiceCatalog::CloudFormationProduct

Update requires: No interruption (p. 118)
Distributor
The distributor of the product.
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the product.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Owner
The owner of the product.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ProvisioningArtifactParameters
The conﬁguration of the provisioning artifact (also known as a version) for a product.
Required: Yes
Type: List of AWS Service Catalog CloudFormationProduct ProvisioningArtifactProperties (p. 2167)
property types
Update requires: No interruption (p. 118)
SupportDescription
The support information about the product.
Required: No
Type: String
Update requires: No interruption (p. 118)
SupportEmail
The contact email for product support.
Required: No
Type: String
Update requires: No interruption (p. 118)
SupportUrl
The contact URL for product support.
API Version 2010-05-15
1447

AWS CloudFormation User Guide
AWS::ServiceCatalog::CloudFormationProvisionedProduct

Required: No
Type: String
Update requires: No interruption (p. 118)
Tags
One or more tags.
Required: No
Type: List of Resource Tag (p. 2106) property types
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceCatalog::CloudFormationProduct resource
to the intrinsic Ref function, the function returns the ID of the provisioning artifact, such as prodnd24wbqkm4pju.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes.
ProductName
The name of the product.
ProvisioningArtifactIds
The IDs of the provisioning artifacts.
ProvisioningArtifactNames
The names of the provisioning artifacts.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

AWS::ServiceCatalog::CloudFormationProvisionedProduct
Provisions the speciﬁed product for AWS Service Catalog. For more information, see ProvisionProduct in
the AWS Service Catalog Developer Guide.
Topics
• Syntax (p. 1448)
• Properties (p. 1449)
• Return Values (p. 1452)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1448

AWS CloudFormation User Guide
AWS::ServiceCatalog::CloudFormationProvisionedProduct

JSON
{

}

"Type" : "AWS::ServiceCatalog::CloudFormationProvisionedProduct",
"Properties" : {
"PathId" : String,
"ProvisioningParameters" : [ ProvisioningParameter (p. 2168), ... ],
"ProductName" : String,
"ProvisioningArtifactName" : String,
"NotificationArns" : [ String, ... ],
"AcceptLanguage" : String,
"ProductId" : String,
"Tags" : [ Tag (p. 2106), ... ],
"ProvisionedProductName" : String,
"ProvisioningArtifactId" : String
}

YAML
Type: "AWS::ServiceCatalog::CloudFormationProvisionedProduct"
Properties:
PathId: String
ProvisioningParameters:
- ProvisioningParameter (p. 2168)
ProductName: String
ProvisioningArtifactName: String
NotificationArns:
- String
AcceptLanguage: String
ProductId: String
Tags:
- Tag (p. 2106)
ProvisionedProductName: String
ProvisioningArtifactId: String

Properties
AcceptLanguage
The language code.
Required: No
Type: String
Update requires: No interruption (p. 118)
NotificationArns
The SNS topic ARNs for stack-related events.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
PathId
The path identiﬁer of the product.
Required: No
API Version 2010-05-15
1449

AWS CloudFormation User Guide
AWS::ServiceCatalog::CloudFormationProvisionedProduct

Type: String
Update requires: No interruption (p. 118)
ProductId
The product identiﬁer. You must specify either the ID or the name of the product, but not both.
Required: No
Type: String
Update requires: Replacement (p. 119)
ProductName
The product name. This name must be unique for the user. You must specify either the name or the
ID of the product, but not both.
Required: No
Type: String
Update requires: Replacement (p. 119)
ProvisionedProductName
A user-friendly name for the provisioned product. This name must be unique for the AWS account
and cannot be updated after the product is provisioned.
Required: No
Type: String
Update requires: Replacement (p. 119)
ProvisioningArtifactId
The identiﬁer of the provisioning artifact (also known as a version) for the product. You must specify
either the ID or the name of the provisioning artifact, but not both.
Required: No
Type: String
Update requires: No interruption (p. 118)
ProvisioningArtifactName
The name of the provisioning artifact (also known as a version) for the product. This name must be
unique for the product. You must specify either the name or the ID of the provisioning artifact, but
not both.
Required: No
Type: String
Update requires: No interruption (p. 118)
ProvisioningParameters
Parameters speciﬁed by the administrator that are required for provisioning the product.
Required: No
Type: List of AWS Service Catalog CloudFormationProvisionedProduct
ProvisioningParameter (p. 2168) property types
API Version 2010-05-15
1450

AWS CloudFormation User Guide
AWS::ServiceCatalog::CloudFormationProvisionedProduct

Update requires: No interruption (p. 118)
Tags
One or more tags.
Required: No
Type: List of
You can use the AWS CloudFormation Resource Tags property to apply tags to
resources, which can help you identify and categorize those resources. You can tag
only resources for which AWS CloudFormation supports tagging. For information
about which resources you can tag with AWS CloudFormation, see the individual
resources in AWS Resource Types Reference (p. 499).

Note

Tagging implementations might vary by resource. For example,
AWS::AutoScaling::AutoScalingGroup provides an additional, required
PropagateAtLaunch property as part of its tagging scheme.
In addition to any tags you deﬁne, AWS CloudFormation automatically creates the
following stack-level tags with the preﬁx aws::
• aws:cloudformation:logical-id
• aws:cloudformation:stack-id
• aws:cloudformation:stack-name
All stack-level tags, including automatically created tags, are propagated to
resources that AWS CloudFormation supports. Currently, tags are not propagated to
Amazon EBS volumes that are created from block device mappings.

Syntax
JSON
{
"Key (p. 2107)" : String,
"Value (p. 2107)" : String
}

YAML
Key (p. 2107): String
Value (p. 2107): String

Properties
Key
The key name of the tag. You can specify a value that is 1 to 127 Unicode
characters in length and cannot be preﬁxed with aws:. You can use any of the
following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +,
and -.
API Version 2010-05-15
Required: Yes
Type: String

1451

AWS CloudFormation User Guide
AWS::ServiceCatalog::CloudFormationProvisionedProduct

Value

The value for the tag. You can specify a value that is 1 to 255 Unicode characters
in length and cannot be preﬁxed with aws:. You can use any of the following
characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
Required: Yes
Type: String

Example

This example shows a Tags property. You specify this property within the
Properties section of a resource that supports it. When the resource is created, it
is tagged with the tags you declare.

JSON
"Tags" : [
{
"Key" : "keyname1",
"Value" : "value1"
},
{
"Key" : "keyname2",
"Value" : "value2"
}
]

YAML
Tags:
Key: "keyname1"
Value: "value1"
Key: "keyname2"
Value: "value2"

See Also
API Version 2010-05-15
• Setting Stack Options1452
(p. 95)

• Viewing Stack Data and Resources (p. 99)
(p. 2106) property types

AWS CloudFormation User Guide
AWS::ServiceCatalog::LaunchNotiﬁcationConstraint

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
CloudformationStackArn
The Amazon Resource Name (ARN) of the CloudFormation stack, such as
arn:aws:cloudformation:eu-west-1:123456789012:stack/SC-499278721343-pphfyszaotincww/8f3df460-346a-11e8-9444-503abe701c29.
RecordId
The ID of the record, such as rec-rjeatvy434trk.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

AWS::ServiceCatalog::LaunchNotiﬁcationConstraint
Creates a notiﬁcation constraint for AWS Service Catalog. For more information, see CreateConstraint in
the AWS Service Catalog Developer Guide.
Topics
• Syntax (p. 1453)
• Properties (p. 1454)
• Return Values (p. 1454)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ServiceCatalog::LaunchNotificationConstraint",
"Properties" : {
"Description" : String,
"NotificationArns" : [ String, ... ],
"AcceptLanguage" : String,
"PortfolioId" : String,
"ProductId" : String
}

YAML
Type: "AWS::ServiceCatalog::LaunchNotificationConstraint"
Properties:
Description: String
NotificationArns:
- String
AcceptLanguage: String
PortfolioId: String
ProductId: String

API Version 2010-05-15
1453

AWS CloudFormation User Guide
AWS::ServiceCatalog::LaunchNotiﬁcationConstraint

Properties
AcceptLanguage
The language code.
Required: No
Type: String
Update requires: No interruption (p. 118)
Description
The description of the constraint.
Required: No
Type: String
Update requires: No interruption (p. 118)
NotificationArns
The notiﬁcation ARNs.
Required: Yes
Type: List of String values
Update requires: Replacement (p. 119)
PortfolioId
The portfolio identiﬁer.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ProductId
The product identiﬁer.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceCatalog::LaunchNotificationConstraint
resource to the intrinsic Ref function, the function returns the identiﬁer of the constraint.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
1454

AWS CloudFormation User Guide
AWS::ServiceCatalog::LaunchRoleConstraint

AWS::ServiceCatalog::LaunchRoleConstraint
Creates a launch constraint for AWS Service Catalog. For more information, see CreateConstraint in the
AWS Service Catalog Developer Guide.
Topics
• Syntax (p. 1455)
• Properties (p. 1455)
• Return Values (p. 1456)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ServiceCatalog::LaunchRoleConstraint",
"Properties" : {
"Description" : String,
"AcceptLanguage" : String,
"PortfolioId" : String,
"ProductId" : String,
"RoleArn" : String
}

YAML
Type: "AWS::ServiceCatalog::LaunchRoleConstraint"
Properties:
Description: String
AcceptLanguage: String
PortfolioId: String
ProductId: String
RoleArn: String

Properties
AcceptLanguage
The language code.
Required: No
Type: String
Update requires: No interruption (p. 118)
Description
The description of the constraint.
Required: No
Type: String
API Version 2010-05-15
1455

AWS CloudFormation User Guide
AWS::ServiceCatalog::LaunchTemplateConstraint

Update requires: No interruption (p. 118)
PortfolioId
The portfolio identiﬁer.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ProductId
The product identiﬁer.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
RoleArn
The ARN of the launch role.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceCatalog::LaunchRoleConstraint resource to the
intrinsic Ref function, the function returns the identiﬁer of the constraint.
For more information about using the Ref function, see Ref (p. 2311).

AWS::ServiceCatalog::LaunchTemplateConstraint
Creates a template constraint for AWS Service Catalog. For more information, see CreateConstraint in the
AWS Service Catalog Developer Guide.
Topics
• Syntax (p. 1456)
• Properties (p. 1457)
• Return Values (p. 1458)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1456

AWS CloudFormation User Guide
AWS::ServiceCatalog::LaunchTemplateConstraint

}

"Type" : "AWS::ServiceCatalog::LaunchTemplateConstraint",
"Properties" : {
"Description" : String,
"AcceptLanguage" : String,
"PortfolioId" : String,
"ProductId" : String,
"Rules" : String
}

YAML
Type: "AWS::ServiceCatalog::LaunchTemplateConstraint"
Properties:
Description: String
AcceptLanguage: String
PortfolioId: String
ProductId: String
Rules: String

Properties
AcceptLanguage
The language code.
Required: No
Type: String
Update requires: No interruption (p. 118)
Description
The description of the constraint.
Required: No
Type: String
Update requires: No interruption (p. 118)
PortfolioId
The portfolio identiﬁer.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ProductId
The product identiﬁer.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
1457

AWS CloudFormation User Guide
AWS::ServiceCatalog::Portfolio

Rules
The constraint rules.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceCatalog::LaunchTemplateConstraint resource
to the intrinsic Ref function, the function returns the identiﬁer of the constraint.
For more information about using the Ref function, see Ref (p. 2311).

AWS::ServiceCatalog::Portfolio
Creates a portfolio for AWS Service Catalog. For more information, see CreatePortfolio in the AWS
Service Catalog Developer Guide.
Topics
• Syntax (p. 1458)
• Properties (p. 1459)
• Return Values (p. 1459)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ServiceCatalog::Portfolio",
"Properties" : {
"ProviderName" : String,
"Description" : String,
"DisplayName" : String,
"AcceptLanguage" : String,
"Tags" : [ Resource Tag (p. 2106), ... ]
}

YAML
Type: "AWS::ServiceCatalog::Portfolio"
Properties:
ProviderName: String
Description: String
DisplayName: String
AcceptLanguage: String
Tags:
- Resource Tag (p. 2106)

API Version 2010-05-15
1458

AWS CloudFormation User Guide
AWS::ServiceCatalog::Portfolio

Properties
AcceptLanguage
The language code.
Required: No
Type: String
Update requires: No interruption (p. 118)
Description
The description of the portfolio.
Required: No
Type: String
Update requires: No interruption (p. 118)
DisplayName
The name to use for display purposes.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ProviderName
The name of the portfolio provider.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Tags
One or more tags.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceCatalog::Portfolio resource to the intrinsic Ref
function, the function returns the portfolio identiﬁer.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
API Version 2010-05-15
1459

AWS CloudFormation User Guide
AWS::ServiceCatalog::PortfolioPrincipalAssociation

PortfolioName
The name of the portfolio.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

AWS::ServiceCatalog::PortfolioPrincipalAssociation
Associates the speciﬁed principal with the speciﬁed portfolio for AWS Service Catalog. For more
information, see AssociatePrincipalWithPortfolio in the AWS Service Catalog Developer Guide.
Topics
• Syntax (p. 1460)
• Properties (p. 1460)
• Return Values (p. 1461)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ServiceCatalog::PortfolioPrincipalAssociation",
"Properties" : {
"PrincipalARN" : String,
"AcceptLanguage" : String,
"PortfolioId" : String,
"PrincipalType" : String
}

YAML
Type: "AWS::ServiceCatalog::PortfolioPrincipalAssociation"
Properties:
PrincipalARN: String
AcceptLanguage: String
PortfolioId: String
PrincipalType: String

Properties
AcceptLanguage
The language code.
Required: No
Type: String
Update requires: Replacement (p. 119)
PortfolioId
The portfolio identiﬁer.
API Version 2010-05-15
1460

AWS CloudFormation User Guide
AWS::ServiceCatalog::PortfolioProductAssociation

Required: Yes
Type: String
Update requires: Replacement (p. 119)
PrincipalARN
The ARN of the principal (IAM user, role, or group).
Required: Yes
Type: String
Update requires: Replacement (p. 119)
PrincipalType
The principal type (IAM).
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceCatalog::PortfolioPrincipalAssociation
resource to the intrinsic Ref function, the function returns a unique identiﬁer for the association.
For more information about using the Ref function, see Ref (p. 2311).

AWS::ServiceCatalog::PortfolioProductAssociation
Associates the speciﬁed product with the speciﬁed portfolio for AWS Service Catalog. For more
information, see AssociateProductWithPortfolio in the AWS Service Catalog Developer Guide.
Topics
• Syntax (p. 1461)
• Properties (p. 1462)
• Return Values (p. 1462)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ServiceCatalog::PortfolioProductAssociation",
"Properties" : {
"SourcePortfolioId" : String,
"AcceptLanguage" : String,
"PortfolioId" : String,
"ProductId" : String
}

API Version 2010-05-15
1461

AWS CloudFormation User Guide
AWS::ServiceCatalog::PortfolioProductAssociation
}

YAML
Type: "AWS::ServiceCatalog::PortfolioProductAssociation"
Properties:
SourcePortfolioId: String
AcceptLanguage: String
PortfolioId: String
ProductId: String

Properties
AcceptLanguage
The language code.
Required: No
Type: String
Update requires: Replacement (p. 119)
PortfolioId
The portfolio identiﬁer.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ProductId
The product identiﬁer.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SourcePortfolioId
The identiﬁer of the source portfolio.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceCatalog::PortfolioProductAssociation
resource to the intrinsic Ref function, the function returns a unique identiﬁer for the association.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
1462

AWS CloudFormation User Guide
AWS::ServiceCatalog::PortfolioShare

AWS::ServiceCatalog::PortfolioShare
Shares the speciﬁed portfolio for AWS Service Catalog with the speciﬁed account. For more information,
see CreatePortfolioShare in the AWS Service Catalog Developer Guide.
Topics
• Syntax (p. 1463)
• Properties (p. 1463)
• Return Values (p. 1464)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ServiceCatalog::PortfolioShare",
"Properties" : {
"AccountId" : String,
"AcceptLanguage" : String,
"PortfolioId" : String
}

YAML
Type: "AWS::ServiceCatalog::PortfolioShare"
Properties:
AccountId: String
AcceptLanguage: String
PortfolioId: String

Properties
AccountId
The AWS account ID.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
AcceptLanguage
The language code.
Required: No
Type: String
Update requires: Replacement (p. 119)
PortfolioId
The portfolio identiﬁer.
API Version 2010-05-15
1463

AWS CloudFormation User Guide
AWS::ServiceCatalog::TagOption

Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceCatalog::PortfolioShare resource to the
intrinsic Ref function, the function returns the identiﬁer of the portfolio share.
For more information about using the Ref function, see Ref (p. 2311).

AWS::ServiceCatalog::TagOption
A TagOption is a key-value pair managed by AWS Service Catalog that serves as a template for creating
an AWS tag. For more information, see AWS Service Catalog TagOptionLibrary in the AWS Service Catalog
Administrator Guide.
Topics
• Syntax (p. 1464)
• Properties (p. 1464)
• Return Values (p. 1465)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ServiceCatalog::TagOption",
"Properties" : {
"Active" : Boolean,
"Value" : String,
"Key" : String
}

YAML
Type: "AWS::ServiceCatalog::TagOption"
Properties:
Active: Boolean
Value: String
Key: String

Properties
Active
Indicates whether the TagOption is active.
API Version 2010-05-15
1464

AWS CloudFormation User Guide
AWS::ServiceCatalog::TagOptionAssociation

Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Key
The TagOption key.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Value
The TagOption value.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceCatalog::TagOption resource to the intrinsic Ref
function, the function returns the TagOption identiﬁer.
For more information about using the Ref function, see Ref (p. 2311).

AWS::ServiceCatalog::TagOptionAssociation
Associates the speciﬁed TagOption with the speciﬁed AWS Service Catalog resource. For more
information, see AWS Service Catalog TagOptionLibrary in the AWS Service Catalog Administrator Guide.
Topics
• Syntax (p. 1465)
• Properties (p. 1466)
• Return Values (p. 1466)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ServiceCatalog::TagOptionAssociation",
"Properties" : {
"TagOptionId" : String,
"ResourceId" : String
}

API Version 2010-05-15
1465

AWS CloudFormation User Guide
AWS::ServiceDiscovery::Instance

YAML
Type: "AWS::ServiceCatalog::TagOptionAssociation"
Properties:
TagOptionId: String
ResourceId: String

Properties
ResourceId
The resource identiﬁer.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
TagOptionId
The TagOption identiﬁer.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceCatalog::TagOptionAssociation resource to the
intrinsic Ref function, the function returns an identiﬁer for the association.
For more information about using the Ref function, see Ref (p. 2311).

AWS::ServiceDiscovery::Instance
The AWS::ServiceDiscovery::Instance resource speciﬁes information about an instance that
Amazon Route 53 creates. For more information, see Instance in the Amazon Route 53 API Reference.
Topics
• Syntax (p. 1466)
• Properties (p. 1467)
• Return Values (p. 1468)
• See Also (p. 1468)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1466

AWS CloudFormation User Guide
AWS::ServiceDiscovery::Instance

}

"Type" : "AWS::ServiceDiscovery::Instance",
"Properties" : {
"InstanceAttributes" : JSON object,
"InstanceId" : String,
"ServiceId" : String
}

YAML
Type: "AWS::ServiceDiscovery::Instance"
Properties:
InstanceAttributes: JSON object
InstanceId: String
ServiceId: String

Properties
InstanceAttributes
A string map that contains attribute keys and values. Supported attribute keys include the following:
• AWS_INSTANCE_PORT: The port on the endpoint that you want Route 53 to perform health
checks on. This value is also used for the port value in an SRV record if the service that you specify
includes an SRV record. You can also specify a default port that is applied to all instances in the
Service conﬁguration. For more information, see CreateService in the Amazon Route 53 API
Reference.
• AWS_INSTANCE_IPV4: If the service that you specify contains a resource record set template for
an A record, the IPv4 address that you want Route 53 to use for the value of the A record.
• AWS_INSTANCE_IPV6: If the service that you specify contains a resource record set template for
an AAAA record, the IPv6 address that you want Route 53 to use for the value of the AAAA record.
Required: Yes
Type: JSON object
Update requires: No interruption (p. 118)
InstanceId
An identiﬁer that you want to associate with the instance. Note the following:
• You can use this value to update an existing instance.
• To associate a new instance, you must specify a value that is unique among instances that you
associate by using the same service.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ServiceId
The ID of the service that you want to use for settings for the resource record sets and health check
that Route 53 will create.
Required: Yes
Type: String
API Version 2010-05-15
1467

AWS CloudFormation User Guide
AWS::ServiceDiscovery::PrivateDnsNamespace

Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceDiscovery::Instance resource to the intrinsic Ref
function, the function returns the value of Id for the instance.
For more information about using the Ref function, see Ref (p. 2311).

See Also
• Using Autonaming for Service Discovery in the Amazon Route 53 API Reference
• RegisterInstance in the Amazon Route 53 API Reference
• CreateService in the Amazon Route 53 API Reference

AWS::ServiceDiscovery::PrivateDnsNamespace
The AWS::ServiceDiscovery::PrivateDnsNamespace resource speciﬁes information about a
private namespace for Amazon Route 53. Use a private namespace when you want to route traﬃc inside
an Amazon VPC. For more information, see CreatePrivateDnsNamespace in the Amazon Route 53 API
Reference.
Topics
• Syntax (p. 1468)
• Properties (p. 1469)
• Return Values (p. 1469)
• See Also (p. 1469)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ServiceDiscovery::PrivateDnsNamespace",
"Properties" : {
"Description" : String,
"Vpc" : String,
"Name" : String
}

YAML
Type: "AWS::ServiceDiscovery::PrivateDnsNamespace"
Properties:
Description: String
Vpc: String
Name: String

API Version 2010-05-15
1468

AWS CloudFormation User Guide
AWS::ServiceDiscovery::PrivateDnsNamespace

Properties
Description
A description for the namespace.
Required: No
Type: String
Update requires: Replacement (p. 119)
Vpc
The ID of the Amazon VPC that you want to associate the namespace with.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Name
The name that you want to assign to this namespace. When you create a namespace, Route 53
automatically creates a hosted zone that has the same name as the namespace.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceDiscovery::PrivateDnsNamespace resource to
the intrinsic Ref function, the function returns the value of Id for the namespace.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Id
The ID of the private namespace.
Arn
The Amazon Resource Name (ARN) of the private namespace.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

See Also
• Using Autonaming for Service Discovery in the Amazon Route 53 API Reference
• CreatePrivateDnsNamespace in the Amazon Route 53 API Reference
API Version 2010-05-15
1469

AWS CloudFormation User Guide
AWS::ServiceDiscovery::PublicDnsNamespace

AWS::ServiceDiscovery::PublicDnsNamespace
The AWS::ServiceDiscovery::PublicDnsNamespace resource speciﬁes information about a public
namespace for Amazon Route 53. Use a public namespace when you want to route internet traﬃc to
your resources. For more information, see CreatePublicDnsNamespace in the Amazon Route 53 API
Reference.
Topics
• Syntax (p. 1470)
• Properties (p. 1470)
• Return Values (p. 1471)
• See Also (p. 1471)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::ServiceDiscovery::PublicDnsNamespace",
"Properties" : {
"Description" : String,
"Name" : String
}

YAML
Type: "AWS::ServiceDiscovery::PublicDnsNamespace"
Properties:
Description: String
Name: String

Properties
Description
A description for the namespace.
Required: No
Type: String
Update requires: Replacement (p. 119)
Name
The name that you want to assign to this namespace. When you create a namespace, Route 53
automatically creates a hosted zone that has the same name as the namespace.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
1470

AWS CloudFormation User Guide
AWS::ServiceDiscovery::Service

Return Values
Ref
When you pass the logical ID of an AWS::ServiceDiscovery::PublicDnsNamespace resource to the
intrinsic Ref function, the function returns the value of Id for the namespace.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Id
The ID of the public namespace.
Arn
The Amazon Resource Name (ARN) of the public namespace.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

See Also
• Using Autonaming for Service Discovery in the Amazon Route 53 API Reference
• CreatePublicDnsNamespace in the Amazon Route 53 API Reference

AWS::ServiceDiscovery::Service
The AWS::ServiceDiscovery::Service resource deﬁnes a template for up to ﬁve records and an
optional health check that you want Amazon Route 53 to create when you register an instance. For more
information, see CreateService in the Amazon Route 53 API Reference.
Topics
• Syntax (p. 1471)
• Properties (p. 1472)
• Return Values (p. 1473)
• See Also (p. 1473)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::ServiceDiscovery::Service",
"Properties" : {
"Description" : String,
"DnsConfig" : DnsConfig (p. 2169),
"HealthCheckConfig" : HealthCheckConfig (p. 2171),
"HealthCheckCustomConfig" : HealthCheckCustomConfig (p. 2172),
"Name" : String

API Version 2010-05-15
1471

AWS CloudFormation User Guide
AWS::ServiceDiscovery::Service

}

}

YAML
Type: "AWS::ServiceDiscovery::Service"
Properties:
Description: String
DnsConfig:
DnsConfig (p. 2169)
HealthCheckConfig:
HealthCheckConfig (p. 2171)
HealthCheckCustomConfig:
HealthCheckCustomConfig (p. 2172)
Name: String

Properties
Description
A description for the service.
Required: No
Type: String
Update requires: No interruption (p. 118)
DnsConfig
A complex type that contains information about the resource record sets that you want Route 53 to
create when you register an instance.
Required: Yes
Type: Amazon Route 53 ServiceDiscovery DnsConﬁg (p. 2169)
Update requires: No interruption (p. 118)
HealthCheckConfig
A complex type that contains settings for an optional health check. If you specify settings for a
health check, Route 53 associates the health check with all the resource record sets that you specify
in DnsConfig.
If you specify a health check conﬁguration, you can specify either HealthCheckCustomConfig or
HealthCheckConfig but not both.
Required: No
Type: Amazon Route 53 ServiceDiscovery HealthCheckConﬁg (p. 2171)
Update requires: No interruption (p. 118)
HealthCheckCustomConfig
Speciﬁes information about an optional custom health check.
If you specify a health check conﬁguration, you can specify either HealthCheckCustomConfig or
HealthCheckConfig but not both.
Required: No
Type: Route 53 ServiceDiscovery Service HealthCheckCustomConﬁg (p. 2172)
API Version 2010-05-15
1472

AWS CloudFormation User Guide
AWS::SES::ConﬁgurationSet

Update requires: No interruption (p. 118)
Name
The name that you want to assign to the service.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::ServiceDiscovery::Service resource to the intrinsic Ref
function, the function returns the value of Id for the service.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Id
The ID of the service.
Arn
The Amazon Resource Name (ARN) of the service.
Name
The name that you assigned to the service.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

See Also
• Using Autonaming for Service Discovery in the Amazon Route 53 API Reference
• CreateService in the Amazon Route 53 API Reference

AWS::SES::ConﬁgurationSet
The AWS::SES::ConfigurationSet resource lets you create groups of rules that you can apply to
the emails you send using Amazon SES. For more information about using conﬁguration sets, see Using
Amazon SES Conﬁguration Sets in the Amazon Simple Email Service Developer Guide.
Conﬁguration sets
Topics
• Syntax (p. 1474)
• Properties (p. 1474)
• Example (p. 1474)
• See Also (p. 1475)
API Version 2010-05-15
1473

AWS CloudFormation User Guide
AWS::SES::ConﬁgurationSet

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SES::ConfigurationSet",
"Properties" : {
"Name" : String
}

YAML
Type: "AWS::SES::ConfigurationSet"
Properties:
Name: String

Properties
Name
The name of the conﬁguration set. The name must meet the following requirements:
• Contain only letters (a-z, A-Z), numbers (0-9), underscores (_), or dashes (-).
• Contain 64 characters or fewer.
Required: No
Type: String
Update requires: Replacement (p. 119)

Example
JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "AWS SES ConfigurationSet Sample Template",
"Parameters": {
"ConfigSetName": {
"Type": "String"
}
},
"Resources": {
"ConfigSet": {
"Type": "AWS::SES::ConfigurationSet",
"Properties": {
"Name": {
"Ref": "ConfigSetName"
}
}
}
}

API Version 2010-05-15
1474

AWS CloudFormation User Guide
AWS::SES::ConﬁgurationSetEventDestination

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: "AWS SES ConfigurationSet Sample Template"
Parameters:
ConfigSetName:
Type: String
Resources:
ConfigSet:
Type: AWS::SES::ConfigurationSet
Properties:
Name: !Ref ConfigSetName

See Also
• Using Amazon SES Conﬁguration Sets in the Amazon Simple Email Service Developer Guide
• ConﬁgurationSet in the Amazon Simple Email Service API Reference

AWS::SES::ConﬁgurationSetEventDestination
The AWS::SES::ConfigurationSetEventDestination resource speciﬁes a conﬁguration set event
destination for Amazon SES. For more information, see CreateConﬁgurationSetEventDestination in the
Amazon Simple Email Service API Reference.

Note

When you create or update an event destination, you must provide one, and only one,
destination. The destination can be Amazon CloudWatch or Amazon Kinesis Data Firehose.
An event destination is the AWS service to which Amazon SES publishes the email sending events
associated with a conﬁguration set. For information, see Using Amazon SES Conﬁguration Sets in the
Amazon Simple Email Service Developer Guide.
Topics
• Syntax (p. 1475)
• Properties (p. 1476)
• Example (p. 1476)
• See Also (p. 1478)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SES::ConfigurationSetEventDestination",
"Properties" : {
"ConfigurationSetName" : String,
"EventDestination" : EventDestination (p. 2175)
}

YAML
Type: "AWS::SES::ConfigurationSetEventDestination"

API Version 2010-05-15
1475

AWS CloudFormation User Guide
AWS::SES::ConﬁgurationSetEventDestination
Properties:
ConfigurationSetName: String
EventDestination: EventDestination (p. 2175)

Properties
ConfigurationSetName
The name of the conﬁguration set that the event destination should be associated with.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
EventDestination
The AWS service that email sending event information will be published to.
Required: Yes
Type: Amazon SES ConﬁgurationSetEventDestination EventDestination (p. 2175)
Update requires: No interruption (p. 118)

Example
JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "AWS SES ConfigurationSetEventDestination Sample Template",
"Parameters": {
"ConfigSetName": {
"Type": "String"
},
"EventDestinationName": {
"Type": "String"
},
"EventType1": {
"Type": "String"
},
"EventType2": {
"Type": "String"
},
"EventType3": {
"Type": "String"
},
"DimensionName1": {
"Type": "String"
},
"DimensionValueSource1": {
"Type": "String"
},
"DefaultDimensionValue1": {
"Type": "String"
},
"DimensionName2": {
"Type": "String"
},

API Version 2010-05-15
1476

AWS CloudFormation User Guide
AWS::SES::ConﬁgurationSetEventDestination
"DimensionValueSource2": {
"Type": "String"
},
"DefaultDimensionValue2": {
"Type": "String"
}

},
"Resources": {
"ConfigSet": {
"Type": "AWS::SES::ConfigurationSet",
"Properties": {
"Name": {
"Ref": "ConfigSetName"
}
}
},
"CWEventDestination": {
"Type": "AWS::SES::ConfigurationSetEventDestination",
"Properties": {
"ConfigurationSetName": {
"Ref": "ConfigSet"
},
"EventDestination": {
"Name": {
"Ref": "EventDestinationName"
},
"Enabled": true,
"MatchingEventTypes": [
{
"Ref": "EventType1"
},
{
"Ref": "EventType2"
},
{
"Ref": "EventType3"
}
],
"CloudWatchDestination": {
"DimensionConfigurations": [
{
"DimensionName": {
"Ref": "DimensionName1"
},
"DimensionValueSource": {
"Ref": "DimensionValueSource1"
},
"DefaultDimensionValue": {
"Ref": "DefaultDimensionValue1"
}
},
{
"DimensionName": {
"Ref": "DimensionName2"
},
"DimensionValueSource": {
"Ref": "DimensionValueSource2"
},
"DefaultDimensionValue": {
"Ref": "DefaultDimensionValue2"
}
}
]
}
}
}

API Version 2010-05-15
1477

AWS CloudFormation User Guide
AWS::SES::ConﬁgurationSetEventDestination

}

}

}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: 'AWS SES ConfigurationSetEventDestination Sample Template'
Parameters:
ConfigSetName:
Type: String
EventDestinationName:
Type: String
EventType1:
Type: String
EventType2:
Type: String
EventType3:
Type: String
DimensionName1:
Type: String
DimensionValueSource1:
Type: String
DefaultDimensionValue1:
Type: String
DimensionName2:
Type: String
DimensionValueSource2:
Type: String
DefaultDimensionValue2:
Type: String
Resources:
ConfigSet:
Type: AWS::SES::ConfigurationSet
Properties:
Name: !Ref ConfigSetName
CWEventDestination:
Type: AWS::SES::ConfigurationSetEventDestination
Properties:
ConfigurationSetName: !Ref ConfigSet
EventDestination:
Name: !Ref EventDestinationName
Enabled: true
MatchingEventTypes:
- !Ref EventType1
- !Ref EventType2
- !Ref EventType3
CloudWatchDestination:
DimensionConfigurations:
- DimensionName: !Ref DimensionName1
DimensionValueSource: !Ref DimensionValueSource1
DefaultDimensionValue: !Ref DefaultDimensionValue1
- DimensionName: !Ref DimensionName2
DimensionValueSource: !Ref DimensionValueSource2
DefaultDimensionValue: !Ref DefaultDimensionValue2

See Also
• Using Amazon SES Conﬁguration Sets in the Amazon Simple Email Service Developer Guide
• CreateConﬁgurationSetEventDestination in the Amazon Simple Email Service API Reference
API Version 2010-05-15
1478

AWS CloudFormation User Guide
AWS::SES::ReceiptFilter

AWS::SES::ReceiptFilter
The AWS::SES::ReceiptFilter resource whether to accept or reject mail originating from an IP
address or range of IP addresses for Amazon SES. For more information, see Creating IP Address Filters
for Amazon SES Email Receiving in the Amazon Simple Email Service Developer Guide.
Topics
• Syntax (p. 1479)
• Properties (p. 1479)
• Example (p. 1479)
• See Also (p. 1480)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SES::ReceiptFilter",
"Properties" : {
"Filter" : Filter (p. 2178)
}

YAML
Type: "AWS::SES::ReceiptFilter"
Properties:
Filter: Filter (p. 2178)

Properties
Filter
The IP addresses to block or allow, and whether to block or allow incoming mail from them.
Required: Yes
Type: Amazon SES ReceiptFilter Filter (p. 2178)
Update requires: Replacement (p. 119)

Example
JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "AWS SES ReceiptFilter Sample Template",
"Parameters": {
"FilterName": {
"Type": "String"
},

API Version 2010-05-15
1479

AWS CloudFormation User Guide
AWS::SES::ReceiptRule
"Policy": {
"Type": "String"
},
"Cidr": {
"Type": "String"
}

}

},
"Resources": {
"ReceiptFilter": {
"Type": "AWS::SES::ReceiptFilter",
"Properties": {
"Filter": {
"Name": {
"Ref": "FilterName"
},
"IpFilter": {
"Policy": {
"Ref": "Policy"
},
"Cidr": {
"Ref": "Cidr"
}
}
}
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: 'AWS SES ReceiptFilter Sample Template'
Parameters:
FilterName:
Type: String
Policy:
Type: String
Cidr:
Type: String
Resources:
ReceiptFilter:
Type: AWS::SES::ReceiptFilter
Properties:
Filter:
Name: !Ref FilterName
IpFilter:
Policy: !Ref Policy
Cidr: !Ref Cidr

See Also
• Creating IP Address Filters for Amazon SES Email Receiving in the Amazon Simple Email Service
Developer Guide
• ReceiptFilter in the Amazon Simple Email Service API Reference

AWS::SES::ReceiptRule
The AWS::SES::ReceiptRule resource speciﬁes which actions Amazon SES should take when it
receives mail on behalf of one or more email addresses or domains that you own. For more information,
API Version 2010-05-15
1480

AWS CloudFormation User Guide
AWS::SES::ReceiptRule

see Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple Email Service Developer
Guide.
Topics
• Syntax (p. 1481)
• Properties (p. 1481)
• Return Values (p. 1482)
• Example (p. 1482)
• See Also (p. 1484)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SES::ReceiptRule",
"Properties" : {
"After" : String,
"Rule" : Rule (p. 2186),
"RuleSetName" : String
}

YAML
Type: "AWS::SES::ReceiptRule"
Properties:
After: String
Rule: Rule (p. 2186)
RuleSetName: String

Properties
After
The name of an existing rule after which the new rule will be placed. If this parameter is null, the
new rule will be inserted at the beginning of the rule list.
Required: No
Type: String
Update requires: No interruption (p. 118)
Rule
The speciﬁed rule's name, actions, recipients, domains, enabled status, scan status, and TLS policy.
Required: Yes
Type: Amazon SES ReceiptRule Rule (p. 2186)
Update requires: No interruption (p. 118)
API Version 2010-05-15
1481

AWS CloudFormation User Guide
AWS::SES::ReceiptRule

RuleSetName
The name of the rule set that the receipt rule will be added to.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "AWS SES ReceiptRule Sample Template",
"Parameters": {
"RuleSetName": {
"Type": "String"
},
"ReceiptRuleName1": {
"Type": "String"
},
"ReceiptRuleName2": {
"Type": "String"
},
"TlsPolicy": {
"Type": "String"
},
"HeaderName": {
"Type": "String"
},
"HeaderValue": {
"Type": "String"
}
},
"Resources": {
"ReceiptRule1": {
"Type": "AWS::SES::ReceiptRule",
"Properties": {
"RuleSetName": {
"Ref": "RuleSetName"
},
"Rule": {
"Name": {
"Ref": "ReceiptRuleName1"
},
"Enabled": true,
"ScanEnabled": true,
"TlsPolicy": {
"Ref": "TlsPolicy"

API Version 2010-05-15
1482

AWS CloudFormation User Guide
AWS::SES::ReceiptRule

}

}

}

}

},
"Actions": [
{
"AddHeaderAction": {
"HeaderName": {
"Ref": "HeaderName"
},
"HeaderValue": {
"Ref": "HeaderValue"
}
}
}
]

},
"ReceiptRule2": {
"Type": "AWS::SES::ReceiptRule",
"Properties": {
"RuleSetName": {
"Ref": "RuleSetName"
},
"After": {
"Ref": "ReceiptRule1"
},
"Rule": {
"Name": {
"Ref": "ReceiptRuleName2"
}
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: 'AWS SES ReceiptRule Sample Template'
Parameters:
RuleSetName:
Type: String
ReceiptRuleName1:
Type: String
ReceiptRuleName2:
Type: String
TlsPolicy:
Type: String
HeaderName:
Type: String
HeaderValue:
Type: String
Resources:
ReceiptRule1:
Type: AWS::SES::ReceiptRule
Properties:
RuleSetName: !Ref RuleSetName
Rule:
Name: !Ref ReceiptRuleName1
Enabled: true
ScanEnabled: true
TlsPolicy: !Ref TlsPolicy
Actions:

API Version 2010-05-15
1483

AWS CloudFormation User Guide
AWS::SES::ReceiptRuleSet
- AddHeaderAction:
HeaderName: !Ref HeaderName
HeaderValue: !Ref HeaderValue
ReceiptRule2:
Type: AWS::SES::ReceiptRule
Properties:
RuleSetName: !Ref RuleSetName
After: !Ref ReceiptRule1
Rule:
Name: !Ref ReceiptRuleName2

See Also
• Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple Email Service Developer
Guide
• CreateReceiptRule in the Amazon Simple Email Service API Reference
• ReceiptRule in the Amazon Simple Email Service API Reference

AWS::SES::ReceiptRuleSet
The AWS::SES::ReceiptRuleSet resource speciﬁes an empty rule set for Amazon SES. For more
information, see CreateReceiptRuleSet in the Amazon Simple Email Service API Reference.
Topics
• Syntax (p. 1484)
• Properties (p. 1485)
• Example (p. 1485)
• See Also (p. 1485)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SES::ReceiptRuleSet",
"Properties" : {
"RuleSetName" : String
}

YAML
Type: "AWS::SES::ReceiptRuleSet"
Properties:
RuleSetName: String

API Version 2010-05-15
1484

AWS CloudFormation User Guide
AWS::SES::ReceiptRuleSet

Properties
RuleSetName
The name of the rule set to create. The name must:
• Contain only ASCII letters (a-z, A-Z), numbers (0-9), underscores (_), or dashes (-).
• Start and end with a letter or number.
• Contain less than 64 characters.
Required: No
Type: String
Update requires: Replacement (p. 119)

Example
JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "AWS SES ReceiptRuleSet Sample Template",
"Parameters": {
"ReceiptRuleSetName": {
"Type": "String"
}
},
"Resources": {
"ReceiptRuleSet": {
"Type": "AWS::SES::ReceiptRuleSet",
"Properties": {
"RuleSetName": {
"Ref": "ReceiptRuleSetName"
}
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: 'AWS SES ReceiptRuleSet Sample Template'
Parameters:
ReceiptRuleSetName:
Type: String
Resources:
ReceiptRuleSet:
Type: AWS::SES::ReceiptRuleSet
Properties:
RuleSetName: !Ref ReceiptRuleSetName

See Also
• Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple Email Service Developer
Guide
API Version 2010-05-15
1485

AWS CloudFormation User Guide
AWS::SES::Template

• CreateReceiptRuleSet in the Amazon Simple Email Service API Reference

AWS::SES::Template
The AWS::SES::Template resource speciﬁes the content of an email (composed of a subject line, an
HTML part, and a text-only part) for Amazon SES. For more information, see Template in the Amazon
Simple Email Service API Reference.
Topics
• Syntax (p. 1486)
• Properties (p. 1486)
• Example (p. 1486)
• See Also (p. 1487)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SES::Template",
"Properties" : {
"Template" : Template (p. 2194)
}

YAML
Type: "AWS::SES::Template"
Properties:
Template: Template (p. 2194)

Properties
Template
The content of the email, composed of a subject line, an HTML part, and a text-only part.
Required: No
Type: Amazon SES Template Template (p. 2194)
Update requires: No interruption (p. 118)

Example
JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "AWS SES Template Sample Template",

API Version 2010-05-15
1486

AWS CloudFormation User Guide
AWS::SES::Template

}

"Parameters": {
"TemplateName": {
"Type": "String"
},
"SubjectPart": {
"Type": "String"
},
"TextPart": {
"Type": "String"
},
"HtmlPart": {
"Type": "String"
}
},
"Resources": {
"Template": {
"Type": "AWS::SES::Template",
"Properties": {
"Template": {
"TemplateName": {
"Ref": "TemplateName"
},
"SubjectPart": {
"Ref": "SubjectPart"
},
"TextPart": {
"Ref": "TextPart"
},
"HtmlPart": {
"Ref": "HtmlPart"
}
}
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: 'AWS SES Template Sample Template'
Parameters:
TemplateName:
Type: String
SubjectPart:
Type: String
TextPart:
Type: String
HtmlPart:
Type: String
Resources:
Template:
Type: AWS::SES::Template
Properties:
Template:
TemplateName: !Ref TemplateName
SubjectPart: !Ref SubjectPart
TextPart: !Ref TextPart
HtmlPart: !Ref HtmlPart

See Also
• Template in the Amazon Simple Email Service API Reference
API Version 2010-05-15
1487

AWS CloudFormation User Guide
AWS::SNS::Subscription

AWS::SNS::Subscription
The AWS::SNS::Subscription resource subscribes an endpoint to an Amazon Simple Notiﬁcation
Service (Amazon SNS) topic. The owner of the endpoint must conﬁrm the subscription before Amazon
SNS creates the subscription.
Topics
• Syntax (p. 1488)
• Properties (p. 1488)
• Example (p. 1489)

Syntax
JSON
{

}

"Type" : "AWS::SNS::Subscription",
"Properties" : {
"DeliveryPolicy" : JSON object,
"Endpoint" : String,
"FilterPolicy" : JSON object,
"Protocol" : String,
"RawMessageDelivery" : Boolean,
"Region" : String,
"TopicArn" : String
}

YAML
Type: "AWS::SNS::Subscription"
Properties:
DeliveryPolicy: JSON object
Endpoint: String
FilterPolicy: JSON object
Protocol: String
RawMessageDelivery: Boolean,
Region: String
TopicArn: String

Properties
DeliveryPolicy
The JSON serialization of the subscription's delivery policy. For more information, see
GetSubscriptionAttributes in the Amazon Simple Notiﬁcation Service API Reference.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
Endpoint
The endpoint that receives notiﬁcations from the Amazon SNS topic. The endpoint value depends
on the protocol that you specify. For more information, see the Subscribe Endpoint parameter in the
Amazon Simple Notiﬁcation Service API Reference.
API Version 2010-05-15
1488

AWS CloudFormation User Guide
AWS::SNS::Subscription

Required: No
Type: String
Update requires: Replacement (p. 119)
FilterPolicy
The ﬁlter policy JSON that is assigned to the subscription. For more information, see
GetSubscriptionAttributes in the Amazon Simple Notiﬁcation Service API Reference.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
Protocol
The subscription's protocol. For more information, see the Subscribe Protocol parameter in the
Amazon Simple Notiﬁcation Service API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
RawMessageDelivery
true if raw message delivery is enabled for the subscription. Raw messages are free of JSON
formatting and can be sent to HTTP/S and Amazon SQS endpoints. For more information, see
GetSubscriptionAttributes in the Amazon Simple Notiﬁcation Service API Reference.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Region
The region in which the topic resides.
Required: No
Type: String
Update requires: Replacement (p. 119)
TopicArn
The Amazon Resource Name (ARN) of the topic to subscribe to.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Example
Create a subscription with mandatory attributes
The following example creates a subscription with Endpoint, Protocol and TopicArn only.
API Version 2010-05-15
1489

AWS CloudFormation User Guide
AWS::SNS::Subscription

JSON
"MySubscription" : {
"Type" : "AWS::SNS::Subscription",
"Properties" : {
"Endpoint" : "test@email.com",
"Protocol" : "email",
"TopicArn" : {"Ref" : "MySNSTopic"}
}
}

YAML
MySubscription:
Type: AWS::SNS::Subscription
Properties:
Endpoint: test@email.com
Protocol: email
TopicArn: !Ref 'MySNSTopic'

Create a subscription with optional attributes
The following example creates a subscription with FilterPolicy, DeliveryPolicy and RawMessageDelivery.
Note that SNS subscription attributes can be set on standalone SNS subscriptions only, as opposed to
SNS subscriptions nested in SNS topics.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"CarSalesTopic": {
"Type": "AWS::SNS::Topic"
},
"ERPSubscription": {
"Type": "AWS::SNS::Subscription",
"Properties": {
"TopicArn": {
"Ref": "CarSalesTopic"
},
"Endpoint": {
"Fn::GetAtt": ["ERPIntegrationQueue", "Arn"]
},
"Protocol": "sqs",
"RawMessageDelivery": "true"
}
},
"CRMSubscription": {
"Type": "AWS::SNS::Subscription",
"Properties": {
"TopicArn": {
"Ref": "CarSalesTopic"
},
"Endpoint": {
"Fn::GetAtt": ["CRMIntegrationQueue", "Arn"]
},
"Protocol": "sqs",
"RawMessageDelivery": "true",
"FilterPolicy": {
"buyer-class": [
"vip"

API Version 2010-05-15
1490

AWS CloudFormation User Guide
AWS::SNS::Subscription

}

]

}
},
"SCMSubscription": {
"Type": "AWS::SNS::Subscription",
"Properties": {
"TopicArn": {
"Ref": "CarSalesTopic"
},
"Endpoint": {
"Ref": "myHttpEndpoint"
},
"Protocol": "https",
"DeliveryPolicy": {
"healthyRetryPolicy": {
"numRetries": 20,
"minDelayTarget": 10,
"maxDelayTarget": 30,
"numMinDelayRetries": 3,
"numMaxDelayRetries": 17,
"numNoDelayRetries": 0,
"backoffFunction": "exponential"
}
}
}
},
"ERPIntegrationQueue": {
"Type": "AWS::SQS::Queue",
"Properties": {}
},
"CRMIntegrationQueue": {
"Type": "AWS::SQS::Queue",
"Properties": {}
}

}

},
"Parameters": {
"myHttpEndpoint": {
"Type": "String"
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
CarSalesTopic:
Type: 'AWS::SNS::Topic'
ERPSubscription:
Type: 'AWS::SNS::Subscription'
Properties:
TopicArn: !Ref CarSalesTopic
Endpoint: !GetAtt
- ERPIntegrationQueue
- Arn
Protocol: sqs
RawMessageDelivery: 'true'
CRMSubscription:
Type: 'AWS::SNS::Subscription'
Properties:
TopicArn: !Ref CarSalesTopic
Endpoint: !GetAtt
- CRMIntegrationQueue

API Version 2010-05-15
1491

AWS CloudFormation User Guide
AWS::SNS::Topic
- Arn
Protocol: sqs
RawMessageDelivery: 'true'
FilterPolicy:
buyer-class:
- vip
SCMSubscription:
Type: 'AWS::SNS::Subscription'
Properties:
TopicArn: !Ref CarSalesTopic
Endpoint: !Ref myHttpEndpoint
Protocol: https
DeliveryPolicy:
healthyRetryPolicy:
numRetries: 20
minDelayTarget: 10
maxDelayTarget: 30
numMinDelayRetries: 3
numMaxDelayRetries: 17
numNoDelayRetries: 0
backoffFunction: exponential
ERPIntegrationQueue:
Type: 'AWS::SQS::Queue'
Properties: {}
CRMIntegrationQueue:
Type: 'AWS::SQS::Queue'
Properties: {}
Parameters:
myHttpEndpoint:
Type: String

AWS::SNS::Topic
The AWS::SNS::Topic type creates an Amazon Simple Notiﬁcation Service (Amazon SNS) topic.
Topics
• Syntax (p. 1492)
• Properties (p. 1493)
• Return Values (p. 1493)
• Examples (p. 1494)
• See Also (p. 1494)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SNS::Topic",
"Properties" : {
"DisplayName" : String,
"Subscription" : [ SNS Subscription, ... ],
"TopicName" : String
}

API Version 2010-05-15
1492

AWS CloudFormation User Guide
AWS::SNS::Topic

YAML
Type: AWS::SNS::Topic
Properties:
DisplayName: String
Subscription:
SNS Subscription
TopicName: String

Properties
DisplayName
A developer-deﬁned string that can be used to identify this SNS topic.
Required: No
Type: String
Update requires: No interruption (p. 118)
Subscription
The SNS subscriptions (endpoints) for this topic.
Required: No
Type: List of SNS Subscriptions (p. 2211)
Update requires: No interruption (p. 118)
TopicName
A name for the topic. If you don't specify a name, AWS CloudFormation generates a unique physical
ID and uses that ID for the topic name. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
For the AWS::SNS::Topic resource, the Ref intrinsic function returns the topic ARN, for example:
arn:aws:sns:us-east-1:123456789012:mystack-mytopic-NZJ5JSMVGFIE.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
API Version 2010-05-15
1493

AWS CloudFormation User Guide
AWS::SNS::TopicPolicy

TopicName
Returns the name for an Amazon SNS topic.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
An example of an SNS topic subscribed to by two SQS queues:

JSON
"MySNSTopic" : {
"Type" : "AWS::SNS::Topic",
"Properties" : {
"Subscription" : [
{ "Endpoint" : { "Fn::GetAtt" : [ "MyQueue1", "Arn" ] }, "Protocol" : "sqs" },
{ "Endpoint" : { "Fn::GetAtt" : [ "MyQueue2", "Arn" ] }, "Protocol" : "sqs" }
],
"TopicName" : "SampleTopic"
}
}

YAML
MySNSTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
Endpoint:
Fn::GetAtt:
- "MyQueue1"
- "Arn"
Protocol: "sqs"
Endpoint:
Fn::GetAtt:
- "MyQueue2"
- "Arn"
Protocol: "sqs"
TopicName: "SampleTopic"

See Also
• Using an AWS CloudFormation Template to Create a Topic that Sends Messages to Amazon SQS
Queues in the Amazon Simple Notiﬁcation Service Developer Guide

AWS::SNS::TopicPolicy
The AWS::SNS::TopicPolicy resource associates Amazon SNS topics with a policy.
Topics
• Syntax (p. 1495)
• Properties (p. 1495)
API Version 2010-05-15
1494

AWS CloudFormation User Guide
AWS::SQS::Queue

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SNS::TopicPolicy",
"Properties" :
{
"PolicyDocument" : PolicyDocument,
"Topics" : [ List of SNS topic ARNs, ... ]
}

YAML
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument: PolicyDocument
Topics:
- List of SNS topic ARNs

Properties
PolicyDocument
A policy document that contains permissions to add to the speciﬁed SNS topics.
Required: Yes
JSON or YAML
Update requires: No interruption (p. 118)
Topics
The Amazon Resource Names (ARN) of the topics to which you want to add the policy. You can use
the Ref function (p. 2311) to specify an AWS::SNS::Topic (p. 1492) resource.
Required: Yes
Type: A list of Amazon SNS topics ARNs
Update requires: No interruption (p. 118)
For sample AWS::SNS::TopicPolicy snippets, see Declaring an Amazon SNS Topic Policy (p. 394).

AWS::SQS::Queue
The AWS::SQS::Queue resource creates an Amazon Simple Queue Service (Amazon SQS) queue.
For more information about creating FIFO (ﬁrst-in-ﬁrst-out) queues, see the tutorial Create a queue using
AWS CloudFormation in the Amazon Simple Queue Service Developer Guide.
Topics
• Syntax (p. 1496)
API Version 2010-05-15
1495

AWS CloudFormation User Guide
AWS::SQS::Queue

• Properties (p. 1496)
• Return Values (p. 1499)
• Examples (p. 1499)
• See Also (p. 1503)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SQS::Queue",
"Properties" : {
"ContentBasedDeduplication" : Boolean,
"DelaySeconds": Integer,
"FifoQueue" : Boolean,
"KmsMasterKeyId": String,
"KmsDataKeyReusePeriodSeconds": Integer,
"MaximumMessageSize": Integer,
"MessageRetentionPeriod": Integer,
"QueueName": String,
"ReceiveMessageWaitTimeSeconds": Integer,
"RedrivePolicy": RedrivePolicy,
"Tags" : [ Resource Tag, ... ],
"VisibilityTimeout": Integer
}

YAML
Type: AWS::SQS::Queue
Properties:
ContentBasedDeduplication: Boolean
DelaySeconds: Integer
FifoQueue: Boolean
KmsMasterKeyId: String
KmsDataKeyReusePeriodSeconds: Integer
MaximumMessageSize: Integer
MessageRetentionPeriod: Integer
QueueName: String
ReceiveMessageWaitTimeSeconds: Integer
RedrivePolicy:
RedrivePolicy
Tags:
Resource Tag
VisibilityTimeout: Integer

Properties
ContentBasedDeduplication
For ﬁrst-in-ﬁrst-out (FIFO) queues, speciﬁes whether to enable content-based deduplication.
During the deduplication interval, Amazon SQS treats messages that are sent with identical
content as duplicates and delivers only one copy of the message. For more information, see the
ContentBasedDeduplication attribute for the CreateQueue action in the Amazon Simple Queue
Service API Reference.
API Version 2010-05-15
1496

AWS CloudFormation User Guide
AWS::SQS::Queue

Required: No
Type: Boolean
Update requires: No interruption (p. 118)
DelaySeconds
The time in seconds that the delivery of all messages in the queue is delayed. You can specify an
integer value of 0 to 900 (15 minutes). The default value is 0.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
FifoQueue
Indicates whether this queue is a FIFO queue. For more information, see FIFO (First-In-First-Out)
Queues in the Amazon Simple Queue Service Developer Guide.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
KmsMasterKeyId
The ID of an AWS managed customer master key (CMK) for Amazon SQS or a custom CMK. To use
the AWS managed CMK for Amazon SQS, specify the alias alias/aws/sqs. For more information,
see CreateQueue in the Amazon Simple Queue Service API Reference, Protecting Data Using ServerSide Encryption (SSE) and AWS KMS in the Amazon Simple Queue Service Developer Guide, or
Customer Master Keys in the AWS Key Management Service Best Practices whitepaper.
Required: No
Type: String
Update requires: No interruption (p. 118)
KmsDataKeyReusePeriodSeconds
The length of time in seconds that Amazon SQS can reuse a data key to encrypt or decrypt messages
before calling AWS KMS again. The value must be an integer between 60 (1 minute) and 86,400 (24
hours). The default is 300 (5 minutes).

Note

A shorter time period provides better security, but results in more calls to AWS KMS, which
might incur charges after Free Tier. For more information, see How Does the Data Key
Reuse Period Work? in the Amazon Simple Queue Service Developer Guide.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
MaximumMessageSize
The limit of how many bytes that a message can contain before Amazon SQS rejects it. You can
specify an integer value from 1024 bytes (1 KiB) to 262144 bytes (256 KiB). The default value is
262144 (256 KiB).
API Version 2010-05-15
1497

AWS CloudFormation User Guide
AWS::SQS::Queue

Required: No
Type: Integer
Update requires: No interruption (p. 118)
MessageRetentionPeriod
The number of seconds that Amazon SQS retains a message. You can specify an integer value from
60 seconds (1 minute) to 1209600 seconds (14 days). The default value is 345600 seconds (4 days).
Required: No
Type: Integer
Update requires: No interruption (p. 118)
QueueName
A name for the queue. To create a FIFO queue, the name of your FIFO queue must end with the
.fifo suﬃx. For more information, see FIFO (First-In-First-Out) Queues in the Amazon Simple Queue
Service Developer Guide.
If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for
the queue name. For more information, see Name Type (p. 2085).

Important

If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement (p. 119)
ReceiveMessageWaitTimeSeconds
Speciﬁes the duration, in seconds, that the ReceiveMessage action call waits until a message is
in the queue in order to include it in the response, as opposed to returning an empty response if a
message isn't yet available. You can specify an integer from 1 to 20. The short polling is used as the
default or when you specify 0 for this property. For more information, see Amazon SQS Long Poll.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
RedrivePolicy
Speciﬁes an existing dead letter queue to receive messages after the source queue (this queue) fails
to process a message a speciﬁed number of times.
Required: No
Type: Amazon SQS RedrivePolicy (p. 2212)
Update requires: No interruption (p. 118)
Tags
The tags that you want to attach to this queue.
API Version 2010-05-15
1498

AWS CloudFormation User Guide
AWS::SQS::Queue

Required: No
Type: A list of resource tags (p. 2106)
Update requires: No interruption (p. 118)
VisibilityTimeout
The length of time during which a message will be unavailable after a message is delivered from
the queue. This blocks other components from receiving the same message and gives the initial
component time to process and delete the message from the queue.
Values must be from 0 to 43200 seconds (12 hours). If you don't specify a value, AWS
CloudFormation uses the default value of 30 seconds.
For more information about Amazon SQS queue visibility timeouts, see Visibility Timeout in the
Amazon Simple Queue Service Developer Guide.
Required: No
Type: Integer
Update requires: No interruption (p. 118)

Return Values
Ref
The AWS::SQS::Queue type returns the queue URL. For example: https://sqs.useast-2.amazonaws.com/123456789012/aa4-MyQueue-Z5NOSZO2PZE9.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Arn
Returns the Amazon Resource Name (ARN) of the queue. For example: arn:aws:sqs:useast-2:123456789012:mystack-myqueue-15PG5C2FC1CW8.
QueueName
Returns the queue name. For example:
mystack-myqueue-1VF9BKQH5BJVI

Examples
SQS Queue with Cloudwatch Alarms
JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",

API Version 2010-05-15
1499

AWS CloudFormation User Guide
AWS::SQS::Queue
"Description" :
template showing
**WARNING** This
alarms. You will
template.",

"AWS CloudFormation Sample Template SQS_With_CloudWatch_Alarms: Sample
how to create an SQS queue with Amazon CloudWatch alarms on queue depth.
template creates an Amazon SQS queue and one or more Amazon CloudWatch
be billed for the AWS resources used if you create a stack from this

"Parameters" : {
"AlarmEmail": {
"Default": "nobody@amazon.com",
"Description": "Email address to notify if operational problems arise",
"Type": "String"
}
},
"Resources" : {
"MyQueue" : {
"Type" : "AWS::SQS::Queue",
"Properties" : {
"QueueName" : "SampleQueue"
}
},
"AlarmTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [{
"Endpoint": { "Ref": "AlarmEmail" },
"Protocol": "email"
}]
}
},
"QueueDepthAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "Alarm if queue depth grows beyond 10 messages",
"Namespace": "AWS/SQS",
"MetricName": "ApproximateNumberOfMessagesVisible",
"Dimensions": [{
"Name": "QueueName",
"Value" : { "Fn::GetAtt" : ["MyQueue", "QueueName"] }
}],
"Statistic": "Sum",
"Period": "300",
"EvaluationPeriods": "1",
"Threshold": "10",
"ComparisonOperator": "GreaterThanThreshold",
"AlarmActions": [{
"Ref": "AlarmTopic"
}],
"InsufficientDataActions": [{
"Ref": "AlarmTopic"
}]
}
}
},
"Outputs" : {
"QueueURL" : {
"Description" : "URL of newly created SQS Queue",
"Value" : { "Ref" : "MyQueue" }
},
"QueueARN" : {
"Description" : "ARN of newly created SQS Queue",
"Value" : { "Fn::GetAtt" : ["MyQueue", "Arn"]}
},
"QueueName" : {
"Description" : "Name newly created SQS Queue",
"Value" : { "Fn::GetAtt" : ["MyQueue", "QueueName"]}

API Version 2010-05-15
1500

AWS CloudFormation User Guide
AWS::SQS::Queue

}

}

}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Description: "AWS CloudFormation Sample Template SQS_With_CloudWatch_Alarms: Sample
template showing how to create an SQS queue with Amazon CloudWatch alarms on queue depth.
**WARNING** This template creates an Amazon SQS queue and one or more Amazon CloudWatch
alarms. You will be billed for the AWS resources used if you create a stack from this
template."
Parameters:
AlarmEmail:
Default: "nobody@amazon.com"
Description: "Email address to notify if operational problems arise"
Type: "String"
Resources:
MyQueue:
Type: AWS::SQS::Queue
Properties:
QueueName: "SampleQueue"
AlarmTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
Endpoint:
Ref: "AlarmEmail"
Protocol: "email"
QueueDepthAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: "Alarm if queue depth grows beyond 10 messages"
Namespace: "AWS/SQS"
MetricName: "ApproximateNumberOfMessagesVisible"
Dimensions:
Name: "QueueName"
Value:
Fn::GetAtt:
- "MyQueue"
- "QueueName"
Statistic: "Sum"
Period: "300"
EvaluationPeriods: "1"
Threshold: "10"
ComparisonOperator: "GreaterThanThreshold"
AlarmActions:
Ref: "AlarmTopic"
InsufficientDataActions:
Ref: "AlarmTopic"
Outputs:
QueueURL:
Description: "URL of newly created SQS Queue"
Value:
Ref: "MyQueue"
QueueARN:
Description: "ARN of newly created SQS Queue"
Value:
Fn::GetAtt:
- "MyQueue"

API Version 2010-05-15
1501

AWS CloudFormation User Guide
AWS::SQS::Queue
- "Arn"
QueueName:
Description: "Name newly created SQS Queue"
Value:
Fn::GetAtt:
- "MyQueue"
- "QueueName"

SQS Queue with a Dead Letter Queue
The following sample creates a source queue and a dead letter queue. Because the source queue
speciﬁes the dead letter queue in its redrive policy, the source queue is dependent on the creation of the
dead letter queue.

JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"MySourceQueue" : {
"Type" : "AWS::SQS::Queue",
"Properties" : {
"RedrivePolicy": {
"deadLetterTargetArn" : {"Fn::GetAtt" : [ "MyDeadLetterQueue" , "Arn" ]},
"maxReceiveCount" : 5
}
}
},
"MyDeadLetterQueue" : {
"Type" : "AWS::SQS::Queue"
}
},

}

"Outputs" : {
"SourceQueueURL" : {
"Description" : "URL of the source queue",
"Value" : { "Ref" : "MySourceQueue" }
},
"SourceQueueARN" : {
"Description" : "ARN of the source queue",
"Value" : { "Fn::GetAtt" : ["MySourceQueue", "Arn"]}
},
"DeadLetterQueueURL" : {
"Description" : "URL of the dead letter queue",
"Value" : { "Ref" : "MyDeadLetterQueue" }
},
"DeadLetterQueueARN" : {
"Description" : "ARN of the dead letter queue",
"Value" : { "Fn::GetAtt" : ["MyDeadLetterQueue", "Arn"]}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
MySourceQueue:
Type: AWS::SQS::Queue
Properties:
RedrivePolicy:
deadLetterTargetArn:

API Version 2010-05-15
1502

AWS CloudFormation User Guide
AWS::SQS::QueuePolicy
Fn::GetAtt:
- "MyDeadLetterQueue"
- "Arn"
maxReceiveCount: 5
MyDeadLetterQueue:
Type: AWS::SQS::Queue
Outputs:
SourceQueueURL:
Description: "URL of the source queue"
Value:
Ref: "MySourceQueue"
SourceQueueARN:
Description: "ARN of the source queue"
Value:
Fn::GetAtt:
- "MySourceQueue"
- "Arn"
DeadLetterQueueURL:
Description: "URL of the dead letter queue"
Value:
Ref: "MyDeadLetterQueue"
DeadLetterQueueARN:
Description: "ARN of the dead letter queue"
Value:
Fn::GetAtt:
- "MyDeadLetterQueue"
- "Arn"

See Also
• CreateQueue in the Amazon Simple Queue Service API Reference
• What is Amazon Simple Queue Service? in the Amazon Simple Queue Service Developer Guide

AWS::SQS::QueuePolicy
The AWS::SQS::QueuePolicy type applies a policy to Amazon SQS queues.
AWS::SQS::QueuePolicy Snippet: Declaring an Amazon SQS Policy (p. 395)
Topics
• Syntax (p. 1503)
• Properties (p. 1504)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SQS::QueuePolicy",
"Properties" : {
"PolicyDocument" : JSON,
"Queues" : [ String, ... ]
}

API Version 2010-05-15
1503

AWS CloudFormation User Guide
AWS::SSM::Association

YAML
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument: JSON
Queues:
- String

Properties
PolicyDocument
A policy document that contains the permissions for the speciﬁed Amazon SQS queues. For more
information about Amazon SQS policies, see Creating Custom Policies Using the Access Policy
Language in the Amazon Simple Queue Service Developer Guide.
Required: Yes
Type: JSON object
Update requires: No interruption (p. 118)
Queues
The URLs of the queues to which you want to add the policy. You can use the Ref function (p. 2311)
to specify an AWS::SQS::Queue (p. 1495) resource.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)

AWS::SSM::Association
The AWS::SSM::Association resource associates an SSM document in AWS Systems Manager with
EC2 instances that contain a conﬁguration agent to process the document.
Topics
• Syntax (p. 1504)
• Properties (p. 1505)
• Example (p. 1506)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::SSM::Association",
"Properties" : {
"AssociationName" : String,
"DocumentVersion" : String,
"InstanceId" : String,
"Name" : String,

API Version 2010-05-15
1504

AWS CloudFormation User Guide
AWS::SSM::Association

}

}

"OutputLocation" : InstanceAssociationOutputLocation (p. 2195) ,
"Parameters" : { String: [String, ...] },
"ScheduleExpression" : String,
"Targets" : [ Targets (p. 2196) ]

YAML
Type: "AWS::SSM::Association"
Properties:
AssociationName: String
DocumentVersion: String
InstanceId: String
Name: String
OutputLocation: InstanceAssociationOutputLocation (p. 2195)
Parameters:
String:
- String
ScheduleExpression: String
Targets:
- Targets (p. 2196)

Properties
AssociationName
The name of the association.
Required: No
Type: String
Update requires: No interruption (p. 118)
DocumentVersion
The version of the SSM document to associate with the target.
Required: No
Type: String
Update requires: No interruption (p. 118)
InstanceId
The ID of the instance that the SSM document is associated with.
Required: Conditional. You must specify the InstanceId or Targets property.
Type: String
Update requires: Replacement (p. 119)
Name
The name of the SSM document.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
1505

AWS CloudFormation User Guide
AWS::SSM::Association

OutputLocation
An Amazon S3 bucket where you want to store the results of this request.
Required: No
Type: Systems Manager Association InstanceAssociationOutputLocation (p. 2195)
Update requires: No interruption (p. 118)
Parameters
Parameter values that the SSM document uses at runtime.
Required: No
Type: String to list-of-strings map
Update requires: No interruption (p. 118)
ScheduleExpression
A Cron expression that speciﬁes when the association is applied to the target. For more on working
with Cron expressions, see Working with Cron and Rate Expressions for Systems Manager.
Required: No
Type: String
Update requires: No interruption (p. 118)
Targets
The targets that the SSM document sends commands to.
Required: Conditional. You must specify the InstanceId or Targets property.
Type: List of AWS Systems Manager Association Targets (p. 2196)
Update requires: Replacement (p. 119)

Example
The following example associates an SSM document with a speciﬁc instance. The ID of the instance is
speciﬁed by the myInstanceId parameter.

JSON
"association": {
"Type": "AWS::SSM::Association",
"Properties": {
"Name": {
"Ref": "document"
},
"Parameters": {
"Directory": ["myWorkSpace"]
},
"Targets": [{
"Key": "InstanceIds",
"Values": [{
"Ref": "myInstanceId"
}]
}]
}

API Version 2010-05-15
1506

AWS CloudFormation User Guide
AWS::SSM::Document
}

YAML
association:
Type: AWS::SSM::Association
Properties:
Name: !Ref 'document'
Parameters:
Directory: [FakeDirectory]
Targets:
- Key: InstanceIds
Values: [!Ref 'myInstanceId']

AWS::SSM::Document
The AWS::SSM::Document resource creates an SSM document in AWS Systems Manager that describes
an instance conﬁguration, which you can use to set up and run commands on your instances.
Topics
• Syntax (p. 1507)
• Properties (p. 1507)
• Return Value (p. 1508)
• Examples (p. 1508)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SSM::Document",
"Properties" : {
"Content" : JSON object,
"DocumentType" : String,
"Tags" : [ Resource Tag, ... ]
}

YAML
Type: "AWS::SSM::Document"
Properties:
Content: JSON object
DocumentType: String
Tags:
- Resource Tag

Properties
Content
A JSON object that describes an instance conﬁguration. For more information, see Creating Systems
Manager Documents in the AWS Systems Manager User Guide.
API Version 2010-05-15
1507

AWS CloudFormation User Guide
AWS::SSM::Document

Note

The Content property is a non-stringiﬁed property. For more information about
automation actions, see Systems Manager Automation Document Reference in the AWS
Systems Manager User Guide.
Required: Yes
Type: JSON object
Update requires: Replacement (p. 119)
DocumentType
The type of document to create that relates to the purpose of your document, such as running
commands, bootstrapping software, or automating tasks. For valid values, see the CreateDocument
action in the AWS Systems Manager API Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)
Tags
AWS CloudFormation resource tags to apply to the document, which can help you identify and
categorize these resources.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Return Value
Ref
When you pass the logical ID of an AWS::SSM::Document resource to the intrinsic Ref function,
the function returns the Systems Manager document name, such as ssm-myinstanceconfigABCNPH3XCAO6.
For more information about using the Ref function, see Ref (p. 2311).

Examples
The following Systems Manager document joins instances to a directory in AWS Directory Service. The
three runtime conﬁguration parameters specify which directory the instance joins. You specify these
parameter values when you associate the document with an instance.

JSON
"document" : {
"Type" : "AWS::SSM::Document",
"Properties" : {
"Content" : {
"schemaVersion":"1.2",
"description":"Join instances to an AWS Directory Service domain.",

API Version 2010-05-15
1508

AWS CloudFormation User Guide
AWS::SSM::Document
"parameters":{
"directoryId":{
"type":"String",
"description":"(Required) The ID of the AWS Directory Service directory."
},
"directoryName":{
"type":"String",
"description":"(Required) The name of the directory; for example,
test.example.com"
},
"dnsIpAddresses":{
"type":"StringList",
"default":[
],
"description":"(Optional) The IP addresses of the DNS servers in the directory.
Required when DHCP is not configured. Learn more at http://docs.aws.amazon.com/
directoryservice/latest/simple-ad/join_get_dns_addresses.html",
"allowedPattern":"((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4]
[0-9]|[01]?[0-9][0-9]?)"
}
},
"runtimeConfig":{
"aws:domainJoin":{
"properties":{
"directoryId":"{{ directoryId }}",
"directoryName":"{{ directoryName }}",
"dnsIpAddresses":"{{ dnsIpAddresses }}"
}
}
}
}
}
}

YAML
document:
Type: "AWS::SSM::Document"
Properties:
Content:
schemaVersion: "1.2"
description: "Join instances to an AWS Directory Service domain."
parameters:
directoryId:
type: "String"
description: "(Required) The ID of the AWS Directory Service directory."
directoryName:
type: "String"
description: "(Required) The name of the directory; for example,
test.example.com"
dnsIpAddresses:
type: "StringList"
default: []
description: "(Optional) The IP addresses of the DNS servers in the directory.
Required when DHCP is not configured. Learn more at http://docs.aws.amazon.com/
directoryservice/latest/simple-ad/join_get_dns_addresses.html"
allowedPattern: "((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4]
[0-9]|[01]?[0-9][0-9]?)"
runtimeConfig:
aws:domainJoin:
properties:
directoryId: "{{ directoryId }}"
directoryName: "{{ directoryName }}"
dnsIpAddresses: "{{ dnsIpAddresses }}"

API Version 2010-05-15
1509

AWS CloudFormation User Guide
AWS::SSM::Document

The following example shows how to associate the SSM document with an instance. The DocumentName
property speciﬁes the SSM document and the AssociationParameters property speciﬁes values for
the runtime conﬁguration parameters.

JSON
"myEC2" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : {"Ref" : "myImageId"},
"InstanceType" : "t2.micro",
"SsmAssociations" : [ {
"DocumentName" : {"Ref" : "document"},
"AssociationParameters" : [
{ "Key" : "directoryId", "Value" : [ { "Ref" : "myDirectory" } ] },
{ "Key" : "directoryName", "Value" : ["testDirectory.example.com"] },
{ "Key" : "dnsIpAddresses", "Value" : { "Fn::GetAtt" : ["myDirectory",
"DnsIpAddresses"] } }
]
} ],
"IamInstanceProfile" : {"Ref" : "myInstanceProfile"},
"NetworkInterfaces" : [ {
"DeviceIndex" : "0",
"AssociatePublicIpAddress" : "true",
"SubnetId" : {"Ref" : "mySubnet"}
} ],
"KeyName" : {"Ref" : "myKeyName"}
}
}

YAML
myEC2:
Type: "AWS::EC2::Instance"
Properties:
ImageId:
Ref: "myImageId"
InstanceType: "t2.micro"
SsmAssociations:
DocumentName:
Ref: "document"
AssociationParameters:
Key: "directoryId"
Value:
Ref: "myDirectory"
Key: "directoryName"
Value:
- "testDirectory.example.com"
Key: "dnsIpAddresses"
Value:
Fn::GetAtt:
- "myDirectory"
- "DnsIpAddresses"
IamInstanceProfile:
Ref: "myInstanceProfile"
NetworkInterfaces:
-

API Version 2010-05-15
1510

AWS CloudFormation User Guide
AWS::SSM::MaintenanceWindow
DeviceIndex: "0"
AssociatePublicIpAddress: "true"
SubnetId:
Ref: "mySubnet"
KeyName:
Ref: "myKeyName"

AWS::SSM::MaintenanceWindow
The AWS::SSM::MaintenanceWindow resource represents general information about a Maintenance
Window for AWS Systems Manager. Maintenance Windows let you deﬁne a schedule for when to perform
potentially disruptive actions on your instances—such as patching an operating system (OS), updating
drivers, or installing software. Each Maintenance Window has a schedule, a duration, a set of registered
targets, and a set of registered tasks. For more information, see Systems Manager Maintenance Windows
in the AWS Systems Manager User Guide and CreateMaintenanceWindow in the AWS Systems Manager
API Reference.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SSM::MaintenanceWindow",
"Properties" : {
"Description" : String,
"AllowUnassociatedTargets" : Boolean,
"Cutoff" : Integer,
"Schedule" : String,
"Duration" : Integer,
"Name" : String
}

YAML
Type: "AWS::SSM::MaintenanceWindow"
Properties:
Description: String
AllowUnassociatedTargets: Boolean
Cutoff: Integer
Schedule: String
Duration: Integer
Name: String

Properties
Description
A description of the Maintenance Window.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1511

AWS CloudFormation User Guide
AWS::SSM::MaintenanceWindow

AllowUnassociatedTargets
Enables a Maintenance Window task to execute on managed instances, even if you haven't registered
those instances as targets. If this is enabled, then you must specify the unregistered instances (by
instance ID) when you register a task with the Maintenance Window.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
Cutoff
The number of hours before the end of the Maintenance Window that Systems Manager stops
scheduling new tasks for execution.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
Schedule
The schedule of the Maintenance Window in the form of a cron or rate expression.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Duration
The duration of the Maintenance Window in hours.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
Name
The name of the Maintenance Window.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::SSM::MaintenanceWindow resource to the intrinsic Ref
function, the function returns the physical ID of the resource, such as mw-abcde1234567890yz.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
1512

AWS CloudFormation User Guide
AWS::SSM::MaintenanceWindowTarget

See Also
• AWS::SSM::MaintenanceWindowTarget (p. 1513)
• AWS::SSM::MaintenanceWindowTask (p. 1515)
• CreateMaintenanceWindow in the AWS Systems Manager API Reference

AWS::SSM::MaintenanceWindowTarget
The AWS::SSM::MaintenanceWindowTarget resource registers a target with a Maintenance Window
for AWS Systems Manager. For more information, see RegisterTargetWithMaintenanceWindow in the
AWS Systems Manager API Reference.
Topics
• Syntax (p. 1513)
• Properties (p. 1513)
• Return Values (p. 1514)
• See Also (p. 1515)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SSM::MaintenanceWindowTarget",
"Properties" : {
"OwnerInformation" : String,
"Description" : String,
"WindowId" : String,
"ResourceType" : String,
"Targets" : [ Targets (p. 2197), ... ],
"Name" : String
}

YAML
Type: "AWS::SSM::MaintenanceWindowTarget"
Properties:
OwnerInformation: String
Description: String
WindowId: String
ResourceType: String
Targets:
- Targets (p. 2197)
Name: String

Properties
OwnerInformation
A user-provided value to include in any events in CloudWatch Events that are raised while running
tasks for these targets in this Maintenance Window.
API Version 2010-05-15
1513

AWS CloudFormation User Guide
AWS::SSM::MaintenanceWindowTarget

Required: No
Type: String
Update requires: No interruption (p. 118)
Description
A description for the target.
Required: No
Type: String
Update requires: No interruption (p. 118)
WindowId
The ID of the Maintenance Window to register the target with.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
ResourceType
The type of target that's being registered with the Maintenance Window.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Targets
The targets, either instances or tags.
• Specify instances by using Key=instanceids,Values=instanceid1,instanceid2.
• Specify tags by using Key=tag name,Values=tag value.
Required: Yes
Type: List of Systems Manager MaintenanceWindowTarget Targets (p. 2197)
Update requires: No interruption (p. 118)
Name
An optional name for the target.
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::SSM::MaintenanceWindowTarget resource to the
intrinsic Ref function, the function returns the physical ID of the resource, such as 12a345b6bbb7-4bb6-90b0-8c9577a2d2b9.
API Version 2010-05-15
1514

AWS CloudFormation User Guide
AWS::SSM::MaintenanceWindowTask

For more information about using the Ref function, see Ref (p. 2311).

See Also
• AWS::SSM::MaintenanceWindow (p. 1511)
• AWS::SSM::MaintenanceWindowTask (p. 1515)
• RegisterTargetWithMaintenanceWindow in the AWS Systems Manager API Reference

AWS::SSM::MaintenanceWindowTask
The AWS::SSM::MaintenanceWindowTask resource deﬁnes information about a
task for a Maintenance Window for AWS Systems Manager. For more information, see
RegisterTaskWithMaintenanceWindow in the AWS Systems Manager API Reference.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SSM::MaintenanceWindowTask",
"Properties" : {
"MaxErrors" : String,
"Description" : String,
"ServiceRoleArn" : String,
"Priority" : Integer,
"MaxConcurrency" : String,
"Targets" : [ Target (p. 2205), ... ],
"Name" : String,
"TaskArn" : String,
"TaskInvocationParameters" : TaskInvocationParameters (p. 2206),
"WindowId" : String,
"TaskParameters" : JSON object,
"TaskType" : String,
"LoggingInfo" : LoggingInfo (p. 2198)
}

YAML
Type: "AWS::SSM::MaintenanceWindowTask"
Properties:
MaxErrors: String
Description: String
ServiceRoleArn: String
Priority: Integer
MaxConcurrency: String
Targets:
- Target (p. 2205)
Name: String
TaskArn: String
TaskInvocationParameters:
TaskInvocationParameters (p. 2206)
WindowId: String
TaskParameters:
JSON object
TaskType: String

API Version 2010-05-15
1515

AWS CloudFormation User Guide
AWS::SSM::MaintenanceWindowTask
LoggingInfo:
LoggingInfo (p. 2198)

Properties
MaxErrors
The maximum number of errors allowed before this task stops being scheduled.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Description
A description of the task.
Required: No
Type: String
Update requires: No interruption (p. 118)
ServiceRoleArn
The role that's used when the task is executed.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Priority
The priority of the task in the Maintenance Window. The lower the number, the higher the priority.
Tasks that have the same priority are scheduled in parallel.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
MaxConcurrency
The maximum number of targets that you can run this task for, in parallel.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Targets
The targets, either instances or tags.
• Specify instances using Key=instanceids,Values=instanceid1,instanceid2.
• Specify tags using Key=tag name,Values=tag value.
Required: Yes
API Version 2010-05-15
1516

AWS CloudFormation User Guide
AWS::SSM::MaintenanceWindowTask

Type: List of Systems Manager MaintenanceWindowTask Target (p. 2205)
Update requires: No interruption (p. 118)
Name
The task name.
Required: No
Type: String
Update requires: No interruption (p. 118)
TaskArn
The resource that the task uses during execution.
For RUN_COMMAND and AUTOMATION task types, TaskArn is the SSM document name or Amazon
Resource Name (ARN).
For LAMBDA tasks, TaskArn is the function name or ARN.
For STEP_FUNCTION tasks, TaskArn is the state machine ARN.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
TaskInvocationParameters
The parameters for task execution.
Required: No
Type: Systems Manager MaintenanceWindowTask TaskInvocationParameters (p. 2206)
Update requires: No interruption (p. 118)
WindowId
The ID of the Maintenance Window where the task is registered.
Required: No
Type: String
Update requires: Replacement (p. 119)
TaskParameters
The parameters to pass to the task when it's executed.

Note

TaskParameters has been deprecated. To specify parameters to pass to a task when it
runs, instead use the Parameters option in the TaskInvocationParameters structure.
For information about how Systems Manager handles these options for the supported
Maintenance Window task types, see AWS Systems Manager MaintenanceWindowTask
TaskInvocationParameters (p. 2206).
Required: No
Type: JSON object
API Version 2010-05-15
1517

AWS CloudFormation User Guide
AWS::SSM::Parameter

Update requires: No interruption (p. 118)
TaskType
The type of task. Valid values: RUN_COMMAND, AUTOMATION, LAMBDA, STEP_FUNCTION.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
LoggingInfo
Information about an Amazon S3 bucket to write task-level logs to.

Note

LoggingInfo has been deprecated. To specify an S3 bucket to contain logs,
instead use the OutputS3BucketName and OutputS3KeyPrefix options in the
TaskInvocationParameters structure. For information about how Systems Manager
handles these options for the supported Maintenance Window task types, see AWS Systems
Manager MaintenanceWindowTask TaskInvocationParameters (p. 2206).
Required: No
Type: Systems Manager MaintenanceWindowTask LoggingInfo (p. 2198)
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::SSM::MaintenanceWindowTask resource to the
intrinsic Ref function, the function returns the physical ID of the resource, such as 12a345b6bbb7-4bb6-90b0-8c9577a2d2b9.
For more information about using the Ref function, see Ref (p. 2311).

See Also
• AWS::SSM::MaintenanceWindow (p. 1511)
• AWS::SSM::MaintenanceWindowTarget (p. 1513)
• RegisterTaskWithMaintenanceWindow in the AWS Systems Manager API Reference

AWS::SSM::Parameter
The AWS::SSM::Parameter resource creates an SSM parameter in AWS Systems Manager Parameter
Store.
For information about valid values for parameters, see Requirements and Constraints for Parameter
Names in the AWS Systems Manager User Guide and PutParameter in the AWS Systems Manager API
Reference.
Topics
• Syntax (p. 1519)
• Properties (p. 1519)
API Version 2010-05-15
1518

AWS CloudFormation User Guide
AWS::SSM::Parameter

• Return Value (p. 1520)
• Examples (p. 1520)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SSM::Parameter",
"Properties" : {
"Name" : String,
"Description" : String,
"Type" : String,
"Value" : String,
"AllowedPattern" : String
}

YAML
Type: "AWS::SSM::Parameter"
Properties:
Name: String
Description: String
Type: String
Value: String
AllowedPattern: String

Properties
Name
The name of the parameter.
For information about valid values for parameter names, see Requirements and Constraints for
Parameter Names in the AWS Systems Manager User Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)
Description
Information about the parameter that you want to add to the system.
Required: No
Type: String
Update requires: No interruption (p. 118)
Type
The type of parameter. Valid values include the following: String or StringList.
API Version 2010-05-15
1519

AWS CloudFormation User Guide
AWS::SSM::Parameter

Note

AWS CloudFormation doesn't support the SecureString parameter type.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Value
The parameter value. Value must not nest another parameter. Do not use {{}} in the value.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
AllowedPattern
A regular expression used to validate the parameter value. For example, for String types with values
restricted to numbers, you can specify the following: AllowedPattern=^\d+$
Required: No
Type: String
Update requires: No interruption (p. 118)

Return Value
Ref
When you pass the logical ID of an AWS::SSM::Parameter resource to the intrinsic Ref function, the
function returns the Name of the SSM parameter. For example, ssm-myparameter-ABCNPH3XCAO6.
For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Type
Returns the type of the parameter. Valid values are String or StringList.
Value
Returns the value of the parameter.
For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
SSM Parameter (String) Example
The following example snippet creates an SSM parameter in Parameter Store.
API Version 2010-05-15
1520

AWS CloudFormation User Guide
AWS::SSM::Parameter

JSON
{

}

"Description": "Create SSM Parameter",
"Resources": {
"BasicParameter": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Name": "command",
"Type": "String",
"Value": "date",
"Description": "SSM Parameter for running date command.",
"AllowedPattern" : "^[a-zA-Z]{1,10}$"
}
}
}

YAML
Description: "Create SSM Parameter"
Resources:
BasicParameter:
Type: "AWS::SSM::Parameter"
Properties:
Name: "command"
Type: "String"
Value: "date"
Description: "SSM Parameter for running date command."
AllowedPattern: "^[a-zA-Z]{1,10}$"

SSM Parameter (StringList) Example
The following example creates an SSM parameter with a StringList type.

JSON
{

}

"Description": "Create SSM Parameter",
"Resources": {
"BasicParameter": {
"Type": "AWS::SSM::Parameter",
"Properties": {
"Name": "commands",
"Type": "StringList",
"Value": "date,ls",
"Description": "SSM Parameter of type StringList.",
"AllowedPattern" : "^[a-zA-Z]{1,10}$"
}
}
}

YAML
Description: "Create SSM Parameter"
Resources:
BasicParameter:
Type: "AWS::SSM::Parameter"
Properties:
Name: "commands"

API Version 2010-05-15
1521

AWS CloudFormation User Guide
AWS::SSM::PatchBaseline
Type: "StringList"
Value: "date,ls"
Description: "SSM Parameter of type StringList."
AllowedPattern: "^[a-zA-Z]{1,10}$"

AWS::SSM::PatchBaseline
The AWS::SSM::PatchBaseline resource deﬁnes the basic information for an AWS Systems Manager
patch baseline. A patch baseline deﬁnes which patches are approved for installation on your instances.
For more information, see CreatePatchBaseline in the AWS Systems Manager API Reference.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SSM::PatchBaseline",
"Properties" : {
"OperatingSystem" : String,
"ApprovedPatches" : [ String, ... ],
"PatchGroups" : [ String, ... ],
"Description" : String,
"ApprovedPatchesComplianceLevel" : String,
"ApprovalRules" : RuleGroup (p. 2211),
"GlobalFilters" : PatchFilterGroup (p. 2208),
"Name" : String,
"RejectedPatches" : [ String, ... ]
}

YAML
Type: "AWS::SSM::PatchBaseline"
Properties:
OperatingSystem: String
ApprovedPatches:
- String
PatchGroups:
- String
Description: String
ApprovedPatchesComplianceLevel: String
ApprovalRules:
RuleGroup (p. 2211)
GlobalFilters:
PatchFilterGroup (p. 2208)
Name: String
RejectedPatches:
- String

Properties
OperatingSystem
Deﬁnes the operating system that the patch baseline applies to. Supported operating systems
include WINDOWS, AMAZON_LINUX, UBUNTU, REDHAT_ENTERPRISE_LINUX, SUSE, and CENTOS. The
default value is WINDOWS.
API Version 2010-05-15
1522

AWS CloudFormation User Guide
AWS::SSM::PatchBaseline

Required: No
Type: String
Update requires: Replacement (p. 119)
ApprovedPatches
A list of explicitly approved patches for the baseline.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
PatchGroups
The names of the patch groups to register with the patch baseline.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
Description
A description of the patch baseline.
Required: No
Type: String
Update requires: No interruption (p. 118)
ApprovedPatchesComplianceLevel
The compliance level for approved patches. This means that if an approved patch is reported as
missing, this is the severity of the compliance violation. Valid compliance severity levels include the
following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, and UNSPECIFIED. The default value is
UNSPECIFIED.
Required: No
Type: String
Update requires: No interruption (p. 118)
ApprovalRules
A set of rules that are used to include patches in the baseline.
Required: No
Type: Systems Manager PatchBaseline RuleGroup (p. 2211)
Update requires: No interruption (p. 118)
GlobalFilters
A set of global ﬁlters that are used to exclude patches from the baseline.
Required: No
API Version 2010-05-15
1523

AWS CloudFormation User Guide
AWS::SSM::ResourceDataSync

Type: Systems Manager PatchBaseline PatchFilterGroup (p. 2208)
Update requires: No interruption (p. 118)
Name
The name of the patch baseline.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RejectedPatches
A list of explicitly rejected patches for the baseline.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

Return Values
Ref
When you pass the logical ID of an AWS::SSM::PatchBaseline resource to the intrinsic Ref function,
the function returns the physical ID of the resource, such as pb-abcde1234567890yz.

Note

The ID of the default patch baseline provided by AWS is an ARN—for example
arn:aws:ssm:us-west-2:123456789012:patchbaseline/abcde1234567890yz.
For more information about using the Ref function, see Ref (p. 2311).

See Also
• CreatePatchBaseline in the AWS Systems Manager API Reference

AWS::SSM::ResourceDataSync
The AWS::SSM::ResourceDataSync resource creates or deletes a Resource Data Sync for Systems
Manager Inventory. You can use Resource Data Sync to send Inventory data collected from all of your
Systems Manager managed instances to a single Amazon S3 bucket that you have already created in your
account. Resource Data Sync then automatically updates the centralized data when new Inventory data
is collected. For more information, see Conﬁguring Resource Data Sync for Inventory in the AWS Systems
Manager User Guide.
Topics
• Syntax (p. 1525)
• Properties (p. 1525)
• Return Values (p. 1526)
• Examples (p. 1526)
API Version 2010-05-15
1524

AWS CloudFormation User Guide
AWS::SSM::ResourceDataSync

• See Also (p. 1527)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::SSM::ResourceDataSync",
"Properties" : {
"KMSKeyArn" : String,
"BucketName" : String,
"BucketRegion" : String,
"SyncFormat" : String,
"SyncName" : String,
"BucketPrefix" : String
}

YAML
Type: "AWS::SSM::ResourceDataSync"
Properties:
KMSKeyArn: String
BucketName: String
BucketRegion: String
SyncFormat: String
SyncName: String
BucketPrefix: String

Properties
KMSKeyArn
The ARN of an encryption key for a destination in Amazon S3. You can use a KMS key to encrypt
inventory data in Amazon S3. You must specify a key that exist in the same region as the destination
Amazon S3 bucket.
Required: No
Type: String
Update requires: Replacement (p. 119)
BucketName
The name of the Amazon S3 bucket where the aggregated data is stored.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
BucketRegion
The AWS Region with the Amazon S3 bucket targeted by the Resource Data Sync.
Required: Yes
API Version 2010-05-15
1525

AWS CloudFormation User Guide
AWS::SSM::ResourceDataSync

Type: String
Update requires: Replacement (p. 119)
SyncFormat
The format in which Resource Data Sync output will be stored in Amazon S3. The following format is
currently supported: JsonSerDe
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SyncName
A name for the Resource Data Sync.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
BucketPrefix
An Amazon S3 preﬁx for the bucket.
Required: No
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you pass the logical ID of an AWS::SSM::ResourceDataSync resource to the intrinsic Ref
function, the function returns the name of the Resource Data Sync, such as TestResourceDataSync.
For more information about using the Ref function, see Ref (p. 2311).

Examples
AWS Systems Manager Resource Data Sync
The following examples send Inventory data collected from all of your managed instances in the US East
(Ohio) Region (us-east-2) to a single Amazon S3 bucket. Resource Data Sync then automatically updates
the centralized data when new Inventory data is collected.

JSON
{

"Description": "Create a Resource Data Sync for Systems Manager Inventory",
"Resources": {
"BasicResourceDataSync": {
"Type": "AWS::SSM::ResourceDataSync",

API Version 2010-05-15
1526

AWS CloudFormation User Guide
AWS::StepFunctions::Activity

}

}

}

"Properties": {
"SyncName": "My-USEAST2-Resource-Data-Sync",
"BucketName": "my-us-east-2-rds-bucket",
"BucketRegion": "us-east-2",
"SyncFormat": "JsonSerDe",
"BucketPrefix": "rds"
}

YAML
--Description: "Create a Resource Data Sync for Systems Manager Inventory"
Resources:
BasicResourceDataSync:
Type: "AWS::SSM::ResourceDataSync"
Properties:
SyncName: "My-USEAST2-Resource-Data-Sync"
BucketName: "my-us-east-2-rds-bucket"
BucketRegion: "us-east-2"
SyncFormat: "JsonSerDe"
BucketPrefix: "rds"

See Also
• What is Systems Manager?
• AWS Systems Manager Inventory Manager
• Conﬁguring Inventory Collection

AWS::StepFunctions::Activity
Use the AWS::StepFunctions::Activity resource to create an AWS Step Functions activity.
For information about creating an activity and creating a state machine with an activity, see Tutorial: An
Activity State Machine in the AWS Step Functions Developer Guide and CreateActivity in the AWS Step
Functions API Reference.

Syntax
JSON
{

}

"Type": "AWS::StepFunctions::Activity",
"Properties": {
"Name": String
}

YAML
Type: "AWS::StepFunctions::Activity"
Properties:
Name: String

API Version 2010-05-15
1527

AWS CloudFormation User Guide
AWS::StepFunctions::Activity

Properties
Name
The name of the activity to create. This name must be unique for your AWS account and region.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When you provide the logical ID of this resource to the Ref intrinsic function, Ref returns the ARN of the
created activity. For example:
{ "Ref": "MyActivity" }

Returns a value similar to the following:
arn:aws:states:us-east-1:111122223333:activity:myActivity

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Name
Returns the name of the activity. For example:
{ "Fn::GetAtt": ["MyActivity", "Name"] }

Returns a value similar to the following:
myActivity

For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Example
The following example creates a Step Functions activity.

JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "An example template for a Step Functions activity.",

API Version 2010-05-15
1528

AWS CloudFormation User Guide
AWS::StepFunctions::StateMachine

}

"Resources" : {
"MyActivity" : {
"Type" : "AWS::StepFunctions::Activity",
"Properties" : {
"Name" : "myActivity"
}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Description: "A sample template for a Step Functions activity"
Resources:
MyActivity:
Type: "AWS::StepFunctions::Activity"
Properties:
Name: myActivity

AWS::StepFunctions::StateMachine
Use the AWS::StepFunctions::StateMachine resource to create an AWS Step Functions state
machine.
For information about creating state machines, see Tutorial: A Lambda State Machine in the AWS Step
Functions Developer Guide and CreateStateMachine in the AWS Step Functions API Reference.

Syntax
JSON
{

}

"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"StateMachineName": String,
"DefinitionString": String,
"RoleArn": String
}

YAML
Type: "AWS::StepFunctions::StateMachine"
Properties:
StateMachineName: String
DefinitionString: String
RoleArn: String

Properties
StateMachineName
The name of the state machine. If you do not specify a name one will be generated that is similar
to MyStateMachine-1234abcdefgh. For more information on creating a valid name see Request
Parameters in the AWS Step Functions API Reference.
API Version 2010-05-15
1529

AWS CloudFormation User Guide
AWS::StepFunctions::StateMachine

Required: No
Type: String
Update requires: Replacement (p. 119)
DefinitionString
The Amazon States Language deﬁnition of the state machine. For more information, see Amazon
States Language in the AWS Step Functions Developer Guide.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RoleArn
The Amazon Resource Name (ARN) of the IAM role to use for this state machine.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Return Values
Ref
When you provide the logical ID of this resource to the Ref intrinsic function, Ref returns the ARN of the
created state machine. For example:
{ "Ref": "MyStateMachine" }

Returns a value similar to the following:
arn:aws:states:us-east-1:111122223333:stateMachine:HelloWorld-StateMachine

For more information about using the Ref function, see Ref (p. 2311).

Fn::GetAtt
Fn::GetAtt returns a value for a speciﬁed attribute of this type. The following are the available
attributes and sample return values.
Name
Returns the name of the state machine. For example:
{ "Fn::GetAtt": ["MyStateMachine", "Name"] }

Returns the name of your state machine:
HelloWorld-StateMachine

If you did not specify the name it will be similar to the following:
API Version 2010-05-15
1530

AWS CloudFormation User Guide
AWS::StepFunctions::StateMachine

MyStateMachine-1234abcdefgh

For more information about using Fn::GetAtt, see Fn::GetAtt (p. 2285).

Examples
The following examples create a Step Functions state machine.

JSON
Using a Single-Line Property
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "An example template for a Step Functions state machine.",
"Resources" : {
"MyStateMachine" : {
"Type" : "AWS::StepFunctions::StateMachine",
"Properties" : {
"StateMachineName" : "HelloWorld-StateMachine",
"DefinitionString" : "{\"StartAt\": \"HelloWorld\", \"States\":
{\"HelloWorld\": {\"Type\": \"Task\", \"Resource\": \"arn:aws:lambda:useast-1:111122223333:function:HelloFunction\", \"End\": true}}}",
"RoleArn" : "arn:aws:iam::111122223333:role/service-role/StatesExecutionRoleus-east-1"
}
}
}
}

Using the Fn::Join Intrinsic Function
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "An example template for a Step Functions state machine.",
"Resources": {
"MyStateMachine": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"StateMachineName" : "HelloWorld-StateMachine",
"DefinitionString" : {
"Fn::Join": [
"\n",
[
"{",
"
\"StartAt\": \"HelloWorld\",",
"
\"States\" : {",
"
\"HelloWorld\" : {",
"
\"Type\" : \"Task\", ",
"
\"Resource\" : \"arn:aws:lambda:useast-1:111122223333:function:HelloFunction\",",
"
\"End\" : true",
"
}",
"
}",
"}"
]
]
},
"RoleArn" : "arn:aws:iam::111122223333:role/service-role/StatesExecutionRole-useast-1"

API Version 2010-05-15
1531

AWS CloudFormation User Guide
AWS::WAF::ByteMatchSet

}

}

}

}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Description: An example template for a Step Functions state machine.
Resources:
MyStateMachine:
Type: AWS::StepFunctions::StateMachine
Properties:
StateMachineName: HelloWorld-StateMachine
DefinitionString: |{
"StartAt": "HelloWorld",
"States": {
"HelloWorld": {
"Type": "Task",
"Resource": "arn:aws:lambda:us-east-1:111122223333:function:HelloFunction",
"End": true
}
}
}
RoleArn: arn:aws:iam::111122223333:role/service-role/StatesExecutionRole-us-east-1

AWS::WAF::ByteMatchSet
The AWS::WAF::ByteMatchSet resource creates an AWS WAF ByteMatchSet that identiﬁes a part of
a web request that you want to inspect. For more information, see CreateByteMatchSet in the AWS WAF
API Reference.
Topics
• Syntax (p. 1532)
• Properties (p. 1533)
• Return Values (p. 1533)
• Examples (p. 1533)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAF::ByteMatchSet",
"Properties" : {
"ByteMatchTuples" : [ Byte match tuple, ... ],
"Name" : String
}

YAML

API Version 2010-05-15
1532

AWS CloudFormation User Guide
AWS::WAF::ByteMatchSet
Type: "AWS::WAF::ByteMatchSet"
Properties:
ByteMatchTuples:
- Byte match tuple
Name: String

Properties
ByteMatchTuples
Settings for the ByteMatchSet, such as the bytes (typically a string that corresponds with ASCII
characters) that you want AWS WAF to search for in web requests.
Required: No
Type: List of AWS WAF ByteMatchSet ByteMatchTuples (p. 2213)
Update requires: No interruption (p. 118)
Name
A friendly name or description of the ByteMatchSet.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref (p. 2311).

Examples
HTTP Referers
The following example deﬁnes a set of HTTP referers to match.

JSON
"BadReferers": {
"Type": "AWS::WAF::ByteMatchSet",
"Properties": {
"Name": "ByteMatch for matching bad HTTP referers",
"ByteMatchTuples": [
{
"FieldToMatch" : {
"Type": "HEADER",
"Data": "referer"
},
"TargetString" : "badrefer1",
"TextTransformation" : "NONE",
"PositionalConstraint" : "CONTAINS"

API Version 2010-05-15
1533

AWS CloudFormation User Guide
AWS::WAF::ByteMatchSet
},
{

}

}

]

}

"FieldToMatch" : {
"Type": "HEADER",
"Data": "referer"
},
"TargetString" : "badrefer2",
"TextTransformation" : "NONE",
"PositionalConstraint" : "CONTAINS"

YAML
BadReferers:
Type: "AWS::WAF::ByteMatchSet"
Properties:
Name: "ByteMatch for matching bad HTTP referers"
ByteMatchTuples:
FieldToMatch:
Type: "HEADER"
Data: "referer"
TargetString: "badrefer1"
TextTransformation: "NONE"
PositionalConstraint: "CONTAINS"
FieldToMatch:
Type: "HEADER"
Data: "referer"
TargetString: "badrefer2"
TextTransformation: "NONE"
PositionalConstraint: "CONTAINS"

Associate a ByteMatchSet with a Web ACL Rule
The following example associates the BadReferers byte match set with a web access control list (ACL)
rule.

JSON
"BadReferersRule" : {
"Type": "AWS::WAF::Rule",
"Properties": {
"Name": "BadReferersRule",
"MetricName" : "BadReferersRule",
"Predicates": [
{
"DataId" : { "Ref" : "BadReferers" },
"Negated" : false,
"Type" : "ByteMatch"
}
]
}
}

YAML
BadReferersRule:

API Version 2010-05-15
1534

AWS CloudFormation User Guide
AWS::WAF::IPSet
Type: "AWS::WAF::Rule"
Properties:
Name: "BadReferersRule"
MetricName: "BadReferersRule"
Predicates:
DataId:
Ref: "BadReferers"
Negated: false
Type: "ByteMatch"

Create a Web ACL
The following example associates the BadReferersRule rule with a web ACL. The web ACL allows all
requests except for ones with referers that match the BadReferersRule rule.

JSON
"MyWebACL": {
"Type": "AWS::WAF::WebACL",
"Properties": {
"Name": "WebACL to block blacklisted IP addresses",
"DefaultAction": {
"Type": "ALLOW"
},
"MetricName" : "MyWebACL",
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 1,
"RuleId" : { "Ref" : "BadReferersRule" }
}
]
}
}

YAML
MyWebACL:
Type: "AWS::WAF::WebACL"
Properties:
Name: "WebACL to block blacklisted IP addresses"
DefaultAction:
Type: "ALLOW"
MetricName: "MyWebACL"
Rules:
Action:
Type: "BLOCK"
Priority: 1
RuleId:
Ref: "BadReferersRule"

AWS::WAF::IPSet
The AWS::WAF::IPSet resource creates an AWS WAF IPSet that speciﬁes which web requests to
permit or block based on the IP addresses from which the requests originate. For more information, see
CreateIPSet in the AWS WAF API Reference.
API Version 2010-05-15
1535

AWS CloudFormation User Guide
AWS::WAF::IPSet

Topics
• Syntax (p. 1536)
• Properties (p. 1536)
• Return Values (p. 1537)
• Examples (p. 1537)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAF::IPSet",
"Properties" : {
"IPSetDescriptors" : [ IPSet descriptor, ... ],
"Name" : String
}

YAML
Type: "AWS::WAF::IPSet"
Properties:
IPSetDescriptors:
- IPSet descriptor
Name: String

Properties
IPSetDescriptors
The IP address type and IP address range (in CIDR notation) from which web requests originate. If
you associate the IPSet with a web ACL (p. 1547) that is associated with a Amazon CloudFront
(CloudFront) distribution, this descriptor is the value of one of the following ﬁelds in the CloudFront
access logs:
c-ip
If the viewer did not use an HTTP proxy or a load balancer to send the request
x-forwarded-for
If the viewer did use an HTTP proxy or a load balancer to send the request
Required: No
Type: List of AWS WAF IPSet IPSetDescriptors (p. 2215)
Update requires: No interruption (p. 118)
Name
A friendly name or description of the IPSet.
Required: Yes
Type: String
API Version 2010-05-15
1536

AWS CloudFormation User Guide
AWS::WAF::IPSet

Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Deﬁne IP Addresses
The following example deﬁnes a set of IP addresses for a web access control list (ACL) rule.

JSON
"MyIPSetBlacklist": {
"Type": "AWS::WAF::IPSet",
"Properties": {
"Name": "IPSet for blacklisted IP adresses",
"IPSetDescriptors": [
{
"Type" : "IPV4",
"Value" : "192.0.2.44/32"
},
{
"Type" : "IPV4",
"Value" : "192.0.7.0/24"
}
]
}
}

YAML
MyIPSetBlacklist:
Type: "AWS::WAF::IPSet"
Properties:
Name: "IPSet for blacklisted IP adresses"
IPSetDescriptors:
Type: "IPV4"
Value: "192.0.2.44/32"
Type: "IPV4"
Value: "192.0.7.0/24"

Associate an IPSet with a Web ACL Rule
The following example associates the MyIPSetBlacklist IP Set with a web ACL rule.

JSON
"MyIPSetRule" : {

API Version 2010-05-15
1537

AWS CloudFormation User Guide
AWS::WAF::IPSet

}

"Type": "AWS::WAF::Rule",
"Properties": {
"Name": "MyIPSetRule",
"MetricName" : "MyIPSetRule",
"Predicates": [
{
"DataId" : { "Ref" : "MyIPSetBlacklist" },
"Negated" : false,
"Type" : "IPMatch"
}
]
}

YAML
MyIPSetRule:
Type: "AWS::WAF::Rule"
Properties:
Name: "MyIPSetRule"
MetricName: "MyIPSetRule"
Predicates:
DataId:
Ref: "MyIPSetBlacklist"
Negated: false
Type: "IPMatch"

Create a Web ACL
The following example associates the MyIPSetRule rule with a web ACL. The web ACL allows requests
that originate from all IP addresses except for addresses that are deﬁned in the MyIPSetRule.

JSON
"MyWebACL": {
"Type": "AWS::WAF::WebACL",
"Properties": {
"Name": "WebACL to block blacklisted IP addresses",
"DefaultAction": {
"Type": "ALLOW"
},
"MetricName" : "MyWebACL",
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 1,
"RuleId" : { "Ref" : "MyIPSetRule" }
}
]
}
}

YAML
MyWebACL:
Type: "AWS::WAF::WebACL"
Properties:
Name: "WebACL to block blacklisted IP addresses"

API Version 2010-05-15
1538

AWS CloudFormation User Guide
AWS::WAF::Rule
DefaultAction:
Type: "ALLOW"
MetricName: "MyWebACL"
Rules:
Action:
Type: "BLOCK"
Priority: 1
RuleId:
Ref: "MyIPSetRule"

AWS::WAF::Rule
The AWS::WAF::Rule resource creates an AWS WAF rule that speciﬁes a combination of IPSet,
ByteMatchSet, and SqlInjectionMatchSet objects that identify the web requests to allow, block, or
count. To implement rules, you must associate them with a web ACL (p. 1547).
For more information, see CreateRule in the AWS WAF API Reference.
Topics
• Syntax (p. 1539)
• Properties (p. 1539)
• Return Value (p. 1540)
• Example (p. 1540)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAF::Rule",
"Properties" : {
"MetricName" : String,
"Name" : String,
"Predicates" : [ Predicate, ... ]
}

YAML
Type: "AWS::WAF::Rule"
Properties:
MetricName: String
Name: String
Predicates:
- Predicate

Properties
MetricName
A friendly name or description for the metrics of the rule. For valid values, see the MetricName
parameter for the CreateRule action in the AWS WAF API Reference.
API Version 2010-05-15
1539

AWS CloudFormation User Guide
AWS::WAF::Rule

Required: Yes
Type: String
Update requires: Replacement (p. 119)
Name
A friendly name or description of the rule.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Predicates
The ByteMatchSet, IPSet, SizeConstraintSet, SqlInjectionMatchSet, or XssMatchSet
objects to include in a rule. If you add more than one predicate to a rule, a request must match all
conditions in order to be allowed or blocked.
Required: No
Type: List of AWS WAF Rule Predicates (p. 2216)
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref (p. 2311).

Example
Associate an IPSet with a Web ACL Rule
The following example associates the MyIPSetBlacklist IPSet object with a web ACL rule.

JSON
"MyIPSetRule" : {
"Type": "AWS::WAF::Rule",
"Properties": {
"Name": "MyIPSetRule",
"MetricName" : "MyIPSetRule",
"Predicates": [
{
"DataId" : { "Ref" : "MyIPSetBlacklist" },
"Negated" : false,
"Type" : "IPMatch"
}
]
}
}

API Version 2010-05-15
1540

AWS CloudFormation User Guide
AWS::WAF::SizeConstraintSet

YAML
MyIPSetRule:
Type: "AWS::WAF::Rule"
Properties:
Name: "MyIPSetRule"
MetricName: "MyIPSetRule"
Predicates:
DataId:
Ref: "MyIPSetBlacklist"
Negated: false
Type: "IPMatch"

AWS::WAF::SizeConstraintSet
The AWS::WAF::SizeConstraintSet resource speciﬁes a size constraint that AWS WAF uses to
check the size of a web request and which parts of the request to check. For more information, see
CreateSizeConstraintSet in the AWS WAF API Reference.
Topics
• Syntax (p. 1541)
• Properties (p. 1541)
• Return Value (p. 1542)
• Examples (p. 1542)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAF::SizeConstraintSet",
"Properties" : {
"Name" : String,
"SizeConstraints" : [ SizeConstraint, ... ]
}

YAML
Type: "AWS::WAF::SizeConstraintSet"
Properties:
Name: String
SizeConstraints:
- SizeConstraint

Properties
Name
A friendly name or description for the SizeConstraintSet.
Required: Yes
API Version 2010-05-15
1541

AWS CloudFormation User Guide
AWS::WAF::SizeConstraintSet

Type: String
Update requires: Replacement (p. 119)
SizeConstraints
The size constraint and the part of the web request to check.
Required: Yes
Type: List of AWS WAF SizeConstraintSet SizeConstraint (p. 2217)
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref (p. 2311).

Examples
The following examples show you how to deﬁne a size constraint, add it to a rule, and add the rule to a
web access control list (ACL).

Deﬁne a Size Constraint
The following example checks that the body of an HTTP request equals 4096 bytes.

JSON
"MySizeConstraint": {
"Type": "AWS::WAF::SizeConstraintSet",
"Properties": {
"Name": "SizeConstraints",
"SizeConstraints": [
{
"ComparisonOperator": "EQ",
"FieldToMatch": {
"Type": "BODY"
},
"Size": "4096",
"TextTransformation": "NONE"
}
]
}
}

YAML
MySizeConstraint:
Type: "AWS::WAF::SizeConstraintSet"
Properties:
Name: "SizeConstraints"
SizeConstraints:

API Version 2010-05-15
1542

AWS CloudFormation User Guide
AWS::WAF::SizeConstraintSet
-

ComparisonOperator: "EQ"
FieldToMatch:
Type: "BODY"
Size: "4096"
TextTransformation: "NONE"

Associate a SizeConstraintSet with a Web ACL Rule
The following example associates the MySizeConstraint object with a web ACL rule.

JSON
"SizeConstraintRule" : {
"Type": "AWS::WAF::Rule",
"Properties": {
"Name": "SizeConstraintRule",
"MetricName" : "SizeConstraintRule",
"Predicates": [
{
"DataId" : { "Ref" : "MySizeConstraint" },
"Negated" : false,
"Type" : "SizeConstraint"
}
]
}
}

YAML
SizeConstraintRule:
Type: "AWS::WAF::Rule"
Properties:
Name: "SizeConstraintRule"
MetricName: "SizeConstraintRule"
Predicates:
DataId:
Ref: "MySizeConstraint"
Negated: false
Type: "SizeConstraint"

Create a Web ACL
The following example associates the SizeConstraintRule rule with a web ACL. The web ACL blocks
all requests except for requests with a body size equal to 4096 bytes.

JSON
"MyWebACL": {
"Type": "AWS::WAF::WebACL",
"Properties": {
"Name": "Web ACL to allow requests with a specific size",
"DefaultAction": {
"Type": "BLOCK"
},
"MetricName" : "SizeConstraintWebACL",
"Rules": [
{
"Action" : {

API Version 2010-05-15
1543

AWS CloudFormation User Guide
AWS::WAF::SqlInjectionMatchSet

}

}

]

}

"Type" : "ALLOW"
},
"Priority" : 1,
"RuleId" : { "Ref" : "SizeConstraintRule" }

YAML
MyWebACL:
Type: "AWS::WAF::WebACL"
Properties:
Name: "Web ACL to allow requests with a specific size"
DefaultAction:
Type: "BLOCK"
MetricName: "SizeConstraintWebACL"
Rules:
Action:
Type: "ALLOW"
Priority: 1
RuleId:
Ref: "SizeConstraintRule"

AWS::WAF::SqlInjectionMatchSet
The AWS::WAF::SqlInjectionMatchSet resource creates an AWS WAF SqlInjectionMatchSet,
which you use to allow, block, or count requests that contain malicious SQL code in a speciﬁc part of web
requests. For more information, see CreateSqlInjectionMatchSet in the AWS WAF API Reference.
Topics
• Syntax (p. 1544)
• Properties (p. 1545)
• Return Values (p. 1545)
• Examples (p. 1545)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAF::SqlInjectionMatchSet",
"Properties" : {
"Name" : String,
"SqlInjectionMatchTuples" : [ SqlInjectionMatchTuple, ... ]
}

YAML
Type: "AWS::WAF::SqlInjectionMatchSet"

API Version 2010-05-15
1544

AWS CloudFormation User Guide
AWS::WAF::SqlInjectionMatchSet
Properties:
Name: String
SqlInjectionMatchTuples:
- SqlInjectionMatchTuple

Properties
Name
A friendly name or description of the SqlInjectionMatchSet.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SqlInjectionMatchTuples
The parts of web requests that you want AWS WAF to inspect for malicious SQL code and, if you
want AWS WAF to inspect a header, the name of the header.
Required: No
Type: List of AWS WAF SqlInjectionMatchSet SqlInjectionMatchTuples (p. 2219)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Find SQL Injections
The following example looks for snippets of SQL code in the query string of an HTTP request.

JSON
"SqlInjDetection": {
"Type": "AWS::WAF::SqlInjectionMatchSet",
"Properties": {
"Name": "Find SQL injections in the query string",
"SqlInjectionMatchTuples": [
{
"FieldToMatch" : {
"Type": "QUERY_STRING"
},
"TextTransformation" : "URL_DECODE"
}
]
}

API Version 2010-05-15
1545

AWS CloudFormation User Guide
AWS::WAF::SqlInjectionMatchSet
}

YAML
SqlInjDetection:
Type: "AWS::WAF::SqlInjectionMatchSet"
Properties:
Name: "Find SQL injections in the query string"
SqlInjectionMatchTuples:
FieldToMatch:
Type: "QUERY_STRING"
TextTransformation: "URL_DECODE"

Associate a SQL Injection Match Set with a Web ACL Rule
The following example associates the SqlInjDetection match set with a web access control list (ACL)
rule.

JSON
"SqlInjRule" : {
"Type": "AWS::WAF::Rule",
"Properties": {
"Name": "SqlInjRule",
"MetricName" : "SqlInjRule",
"Predicates": [
{
"DataId" : { "Ref" : "SqlInjDetection" },
"Negated" : false,
"Type" : "SqlInjectionMatch"
}
]
}
}

YAML
SqlInjRule:
Type: "AWS::WAF::Rule"
Properties:
Name: "SqlInjRule"
MetricName: "SqlInjRule"
Predicates:
DataId:
Ref: "SqlInjDetection"
Negated: false
Type: "SqlInjectionMatch"

Create a Web ACL
The following example associates the SqlInjRule rule with a web ACL. The web ACL allows all requests
except for ones with SQL code in the query string of a request.

JSON
"MyWebACL": {
"Type": "AWS::WAF::WebACL",

API Version 2010-05-15
1546

AWS CloudFormation User Guide
AWS::WAF::WebACL

}

"Properties": {
"Name": "Web ACL to block SQL injection in the query string",
"DefaultAction": {
"Type": "ALLOW"
},
"MetricName" : "SqlInjWebACL",
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 1,
"RuleId" : { "Ref" : "SqlInjRule" }
}
]
}

YAML
MyWebACL:
Type: "AWS::WAF::WebACL"
Properties:
Name: "Web ACL to block SQL injection in the query string"
DefaultAction:
Type: "ALLOW"
MetricName: "SqlInjWebACL"
Rules:
Action:
Type: "BLOCK"
Priority: 1
RuleId:
Ref: "SqlInjRule"

AWS::WAF::WebACL
The AWS::WAF::WebACL resource creates an AWS WAF web access control group (ACL) containing the
rules that identify the Amazon CloudFront (CloudFront) web requests that you want to allow, block, or
count. For more information, see CreateWebACL in the AWS WAF API Reference.
Topics
• Syntax (p. 1547)
• Properties (p. 1548)
• Return Values (p. 1549)
• Examples (p. 1549)
• Associate a Web ACL with a CloudFront Distribution (p. 1550)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Type" : "AWS::WAF::WebACL",
"Properties" : {

API Version 2010-05-15
1547

AWS CloudFormation User Guide
AWS::WAF::WebACL

}

}

"DefaultAction" : Action,
"MetricName" : String,
"Name" : String,
"Rules" : [ Rule, ... ]

YAML
Type: "AWS::WAF::WebACL"
Properties:
DefaultAction:
Action
MetricName: String
Name: String
Rules:
- Rule

Properties
DefaultAction
The action that you want AWS WAF to take when a request doesn't match the criteria in any of the
rules that are associated with the web ACL.
Required: Yes
Type: AWS WAF WebACL Action (p. 2222)
Update requires: No interruption (p. 118)
MetricName
A friendly name or description for the Amazon CloudWatch metric of this web ACL. For valid values,
see the MetricName parameter of the CreateWebACL action in the AWS WAF API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Name
A friendly name or description of the web ACL.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Rules
The rules to associate with the web ACL and the settings for each rule.
Required: No
Type: List of AWS WAF WebACL ActivatedRule (p. 2223)
Update requires: No interruption (p. 118)
API Version 2010-05-15
1548

AWS CloudFormation User Guide
AWS::WAF::WebACL

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Create a Web ACL
The following example deﬁnes a web ACL that allows, by default, any web request. However, if the
request matches any rule, AWS WAF blocks the request. AWS WAF evaluates each rule in priority order,
starting with the lowest value.

JSON
"MyWebACL": {
"Type": "AWS::WAF::WebACL",
"Properties": {
"Name": "WebACL to with three rules",
"DefaultAction": {
"Type": "ALLOW"
},
"MetricName" : "MyWebACL",
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 1,
"RuleId" : { "Ref" : "MyRule" }
},
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 2,
"RuleId" : { "Ref" : "BadReferersRule" }
},
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 3,
"RuleId" : { "Ref" : "SqlInjRule" }
}
]
}
}

YAML
MyWebACL:
Type: "AWS::WAF::WebACL"
Properties:
Name: "WebACL to with three rules"
DefaultAction:

API Version 2010-05-15
1549

AWS CloudFormation User Guide
AWS::WAF::WebACL
Type: "ALLOW"
MetricName: "MyWebACL"
Rules:
Action:
Type: "BLOCK"
Priority: 1
RuleId:
Ref: "MyRule"
Action:
Type: "BLOCK"
Priority: 2
RuleId:
Ref: "BadReferersRule"
Action:
Type: "BLOCK"
Priority: 3
RuleId:
Ref: "SqlInjRule"

Associate a Web ACL with a CloudFront Distribution
The follow example associates the MyWebACL web ACL with a CloudFront distribution. The web ACL
restricts which requests can access content served by CloudFront.

JSON
"myDistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"WebACLId": { "Ref" : "MyWebACL" },
"Origins": [
{
"DomainName": "test.example.com",
"Id": "myCustomOrigin",
"CustomOriginConfig": {
"HTTPPort": "80",
"HTTPSPort": "443",
"OriginProtocolPolicy": "http-only"
}
}
],
"Enabled": "true",
"Comment": "TestDistribution",
"DefaultRootObject": "index.html",
"DefaultCacheBehavior": {
"TargetOriginId": "myCustomOrigin",
"SmoothStreaming" : "false",
"ForwardedValues": {
"QueryString": "false",
"Cookies" : { "Forward" : "all" }
},
"ViewerProtocolPolicy": "allow-all"
},
"CustomErrorResponses" : [
{
"ErrorCode" : "404",
"ResponsePagePath" : "/error-pages/404.html",
"ResponseCode" : "200",
"ErrorCachingMinTTL" : "30"

API Version 2010-05-15
1550

AWS CloudFormation User Guide
AWS::WAF::XssMatchSet

}

}

}

}
],
"PriceClass" : "PriceClass_200",
"Restrictions" : {
"GeoRestriction" : {
"RestrictionType" : "whitelist",
"Locations" : [ "AQ", "CV" ]
}
},
"ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" }

YAML
myDistribution:
Type: "AWS::CloudFront::Distribution"
Properties:
DistributionConfig:
WebACLId:
Ref: "MyWebACL"
Origins:
DomainName: "test.example.com"
Id: "myCustomOrigin"
CustomOriginConfig:
HTTPPort: "80"
HTTPSPort: "443"
OriginProtocolPolicy: "http-only"
Enabled: "true"
Comment: "TestDistribution"
DefaultRootObject: "index.html"
DefaultCacheBehavior:
TargetOriginId: "myCustomOrigin"
SmoothStreaming: "false"
ForwardedValues:
QueryString: "false"
Cookies:
Forward: "all"
ViewerProtocolPolicy: "allow-all"
CustomErrorResponses:
ErrorCode: "404"
ResponsePagePath: "/error-pages/404.html"
ResponseCode: "200"
ErrorCachingMinTTL: "30"
PriceClass: "PriceClass_200"
Restrictions:
GeoRestriction:
RestrictionType: "whitelist"
Locations:
- "AQ"
- "CV"
ViewerCertificate:
CloudFrontDefaultCertificate: "true"

AWS::WAF::XssMatchSet
The AWS::WAF::XssMatchSet resource speciﬁes the parts of web requests that you want AWS WAF to
inspect for cross-site scripting attacks and the name of the header to inspect. For more information, see
XssMatchSet in the AWS WAF API Reference.
API Version 2010-05-15
1551

AWS CloudFormation User Guide
AWS::WAF::XssMatchSet

Topics
• Syntax (p. 1552)
• Properties (p. 1552)
• Return Value (p. 1552)
• Examples (p. 1553)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAF::XssMatchSet",
"Properties" : {
"Name" : String,
"XssMatchTuples" : [ XssMatchTuple, ... ]
}

YAML
Type: "AWS::WAF::XssMatchSet"
Properties:
Name: String
XssMatchTuples:
- XssMatchTuple

Properties
Name
A friendly name or description for the XssMatchSet.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
XssMatchTuples
The parts of web requests that you want to inspect for cross-site scripting attacks.
Required: No
Type: List of AWS WAF XssMatchSet XssMatchTuple (p. 2220)
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
API Version 2010-05-15
1552

AWS CloudFormation User Guide
AWS::WAF::XssMatchSet

For more information about using the Ref function, see Ref (p. 2311).

Examples
Deﬁne Which Part of a Request to Check for Cross-site Scripting
The following example looks for cross-site scripting in the URI or query string of an HTTP request.

JSON
"DetectXSS": {
"Type": "AWS::WAF::XssMatchSet",
"Properties": {
"Name": "XssMatchSet",
"XssMatchTuples": [
{
"FieldToMatch": {
"Type": "URI"
},
"TextTransformation": "NONE"
},
{
"FieldToMatch": {
"Type": "QUERY_STRING"
},
"TextTransformation": "NONE"
}
]
}
}

YAML
DetectXSS:
Type: "AWS::WAF::XssMatchSet"
Properties:
Name: "XssMatchSet"
XssMatchTuples:
FieldToMatch:
Type: "URI"
TextTransformation: "NONE"
FieldToMatch:
Type: "QUERY_STRING"
TextTransformation: "NONE"

Associate an XssMatchSet with a Web ACL Rule
The following example associates the DetectXSS match set with a web access control list (ACL) rule.

JSON
"XSSRule" : {
"Type": "AWS::WAF::Rule",
"Properties": {
"Name": "XSSRule",
"MetricName" : "XSSRule",
"Predicates": [
{

API Version 2010-05-15
1553

AWS CloudFormation User Guide
AWS::WAF::XssMatchSet

}

}

]

}

"DataId" : { "Ref" : "DetectXSS" },
"Negated" : false,
"Type" : "XssMatch"

YAML
XSSRule:
Type: "AWS::WAF::Rule"
Properties:
Name: "XSSRule"
MetricName: "XSSRule"
Predicates:
DataId:
Ref: "DetectXSS"
Negated: false
Type: "XssMatch"

Create a Web ACL
The following example associates the XSSRule rule with a web ACL. The web ACL allows all requests
except for ones that contain cross-site scripting in the URI or query string of an HTTP request.

JSON
"MyWebACL": {
"Type": "AWS::WAF::WebACL",
"Properties": {
"Name": "Web ACL to block cross-site scripting",
"DefaultAction": {
"Type": "ALLOW"
},
"MetricName" : "DetectXSSWebACL",
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 1,
"RuleId" : { "Ref" : "XSSRule" }
}
]
}
}

YAML
MyWebACL:
Type: "AWS::WAF::WebACL"
Properties:
Name: "Web ACL to block cross-site scripting"
DefaultAction:
Type: "ALLOW"
MetricName: "DetectXSSWebACL"
Rules:
Action:

API Version 2010-05-15
1554

AWS CloudFormation User Guide
AWS::WAFRegional::ByteMatchSet
Type: "BLOCK"
Priority: 1
RuleId:
Ref: "XSSRule"

AWS::WAFRegional::ByteMatchSet
The AWS::WAFRegional::ByteMatchSet resource creates an AWS WAF Regional ByteMatchSet
that identiﬁes a part of a web request that you want to inspect. For more information, see
CreateByteMatchSet in the AWS WAF Regional API Reference.
Topics
• Syntax (p. 1555)
• Properties (p. 1555)
• Return Values (p. 1556)
• Examples (p. 1556)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAFRegional::ByteMatchSet",
"Properties" : {
"ByteMatchTuples" : [ Byte match tuple, ... ],
"Name" : String
}

YAML
Type: "AWS::WAFRegional::ByteMatchSet"
Properties:
ByteMatchTuples:
- Byte match tuple
Name: String

Properties
ByteMatchTuples
Settings for the ByteMatchSet, such as the bytes (typically a string that corresponds with ASCII
characters) that you want AWS WAF to search for in web requests.
Required: No
Type: List of AWS WAF Regional ByteMatchSet ByteMatchTuples (p. 2224)
Update requires: No interruption (p. 118)
Name
A friendly name or description of the ByteMatchSet.
API Version 2010-05-15
1555

AWS CloudFormation User Guide
AWS::WAFRegional::ByteMatchSet

Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref (p. 2311).

Examples
HTTP Referers
The following example deﬁnes a set of HTTP referers to match.

JSON
"BadReferers": {
"Type": "AWS::WAFRegional::ByteMatchSet",
"Properties": {
"Name": "ByteMatch for matching bad HTTP referers",
"ByteMatchTuples": [
{
"FieldToMatch" : {
"Type": "HEADER",
"Data": "referer"
},
"TargetString" : "badrefer1",
"TextTransformation" : "NONE",
"PositionalConstraint" : "CONTAINS"
},
{
"FieldToMatch" : {
"Type": "HEADER",
"Data": "referer"
},
"TargetString" : "badrefer2",
"TextTransformation" : "NONE",
"PositionalConstraint" : "CONTAINS"
}
]
}
}

YAML
BadReferers:
Type: "AWS::WAFRegional::ByteMatchSet"
Properties:
Name: "ByteMatch for matching bad HTTP referers"
ByteMatchTuples:
FieldToMatch:
Type: "HEADER"

API Version 2010-05-15
1556

AWS CloudFormation User Guide
AWS::WAFRegional::ByteMatchSet

-

Data: "referer"
TargetString: "badrefer1"
TextTransformation: "NONE"
PositionalConstraint: "CONTAINS"
FieldToMatch:
Type: "HEADER"
Data: "referer"
TargetString: "badrefer2"
TextTransformation: "NONE"
PositionalConstraint: "CONTAINS"

Associate a ByteMatchSet with a Web ACL Rule
The following example associates the BadReferers byte match set with a web access control list (ACL)
rule.

JSON
"BadReferersRule" : {
"Type": "AWS::WAFRegional::Rule",
"Properties": {
"Name": "BadReferersRule",
"MetricName" : "BadReferersRule",
"Predicates": [
{
"DataId" : { "Ref" : "BadReferers" },
"Negated" : false,
"Type" : "ByteMatch"
}
]
}
}

YAML
BadReferersRule:
Type: "AWS::WAFRegional::Rule"
Properties:
Name: "BadReferersRule"
MetricName: "BadReferersRule"
Predicates:
DataId:
Ref: "BadReferers"
Negated: false
Type: "ByteMatch"

Create a Web ACL
The following example associates the BadReferersRule rule with a web ACL. The web ACL allows all
requests except for ones with referers that match the BadReferersRule rule.

JSON
"MyWebACL": {
"Type": "AWS::WAFRegional::WebACL",
"Properties": {
"Name": "WebACL to block blacklisted IP addresses",
"DefaultAction": {

API Version 2010-05-15
1557

AWS CloudFormation User Guide
AWS::WAFRegional::IPSet

}

}

"Type": "ALLOW"
},
"MetricName" : "MyWebACL",
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 1,
"RuleId" : { "Ref" : "BadReferersRule" }
}
]

YAML
MyWebACL:
Type: "AWS::WAFRegional::WebACL"
Properties:
Name: "WebACL to block blacklisted IP addresses"
DefaultAction:
Type: "ALLOW"
MetricName: "MyWebACL"
Rules:
Action:
Type: "BLOCK"
Priority: 1
RuleId:
Ref: "BadReferersRule"

AWS::WAFRegional::IPSet
The AWS::WAFRegional::IPSet resource creates an AWS WAF Regional IPSet that speciﬁes which
web requests to permit or block based on the IP addresses from which the requests originate. For more
information, see CreateIPSet in the AWS WAF Regional API Reference.
Topics
• Syntax (p. 1558)
• Properties (p. 1559)
• Return Values (p. 1559)
• Examples (p. 1559)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAFRegional::IPSet",
"Properties" : {
"IPSetDescriptors" : [ IPSet descriptor, ... ],
"Name" : String
}

API Version 2010-05-15
1558

AWS CloudFormation User Guide
AWS::WAFRegional::IPSet

YAML
Type: "AWS::WAFRegional::IPSet"
Properties:
IPSetDescriptors:
- IPSet descriptor
Name: String

Properties
IPSetDescriptors
The IP address type and IP address range (in CIDR notation) from which web requests originate. If
you associate the IPSet with a web ACL (p. 1570) that is associated with a Amazon CloudFront
(CloudFront) distribution, this descriptor is the value of one of the following ﬁelds in the CloudFront
access logs:
c-ip
If the viewer did not use an HTTP proxy or a load balancer to send the request
x-forwarded-for
If the viewer did use an HTTP proxy or a load balancer to send the request
Required: No
Type: List of AWS WAF Regional IPSet IPSetDescriptors (p. 2226)
Update requires: No interruption (p. 118)
Name
A friendly name or description of the IPSet.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Deﬁne IP Addresses
The following example deﬁnes a set of IP addresses for a web access control list (ACL) rule.

JSON
"MyIPSetBlacklist": {
"Type": "AWS::WAFRegional::IPSet",

API Version 2010-05-15
1559

AWS CloudFormation User Guide
AWS::WAFRegional::IPSet

}

"Properties": {
"Name": "IPSet for blacklisted IP addresses",
"IPSetDescriptors": [
{
"Type" : "IPV4",
"Value" : "192.0.2.44/32"
},
{
"Type" : "IPV4",
"Value" : "192.0.7.0/24"
}
]
}

YAML
MyIPSetBlacklist:
Type: "AWS::WAFRegional::IPSet"
Properties:
Name: "IPSet for blacklisted IP addresses"
IPSetDescriptors:
Type: "IPV4"
Value: "192.0.2.44/32"
Type: "IPV4"
Value: "192.0.7.0/24"

Associate an IPSet with a Web ACL Rule
The following example associates the MyIPSetBlacklist IP Set with a web ACL rule.

JSON
"MyIPSetRule" : {
"Type": "AWS::WAFRegional::Rule",
"Properties": {
"Name": "MyIPSetRule",
"MetricName" : "MyIPSetRule",
"Predicates": [
{
"DataId" : { "Ref" : "MyIPSetBlacklist" },
"Negated" : false,
"Type" : "IPMatch"
}
]
}
}

YAML
MyIPSetRule:
Type: "AWS::WAFRegional::Rule"
Properties:
Name: "MyIPSetRule"
MetricName: "MyIPSetRule"
Predicates:
DataId:
Ref: "MyIPSetBlacklist"

API Version 2010-05-15
1560

AWS CloudFormation User Guide
AWS::WAFRegional::Rule
Negated: false
Type: "IPMatch"

Create a Web ACL
The following example associates the MyIPSetRule rule with a web ACL. The web ACL allows requests
that originate from all IP addresses except for addresses that are deﬁned in the MyIPSetRule.

JSON
"MyWebACL": {
"Type": "AWS::WAFRegional::WebACL",
"Properties": {
"Name": "WebACL to block blacklisted IP addresses",
"DefaultAction": {
"Type": "ALLOW"
},
"MetricName" : "MyWebACL",
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 1,
"RuleId" : { "Ref" : "MyIPSetRule" }
}
]
}
}

YAML
MyWebACL:
Type: "AWS::WAFRegional::WebACL"
Properties:
Name: "WebACL to block blacklisted IP addresses"
DefaultAction:
Type: "ALLOW"
MetricName: "MyWebACL"
Rules:
Action:
Type: "BLOCK"
Priority: 1
RuleId:
Ref: "MyIPSetRule"

AWS::WAFRegional::Rule
The AWS::WAFRegional::Rule resource creates an AWS WAF Regional rule that speciﬁes a
combination of IPSet, ByteMatchSet, and SqlInjectionMatchSet objects that identify the
web requests to allow, block, or count. To implement rules, you must associate them with a web
ACL (p. 1570).
For more information, see CreateRule in the AWS WAF Regional API Reference.
Topics
• Syntax (p. 1562)
• Properties (p. 1562)
API Version 2010-05-15
1561

AWS CloudFormation User Guide
AWS::WAFRegional::Rule

• Return Value (p. 1563)
• Example (p. 1563)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAFRegional::Rule",
"Properties" : {
"MetricName" : String,
"Name" : String,
"Predicates" : [ Predicate, ... ]
}

YAML
Type: "AWS::WAFRegional::Rule"
Properties:
MetricName: String
Name: String
Predicates:
- Predicate

Properties
MetricName
A friendly name or description for the metrics of the rule. For valid values, see the MetricName
parameter for the CreateRule action in the AWS WAF Regional API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Name
A friendly name or description of the rule.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Predicates
The ByteMatchSet, IPSet, SizeConstraintSet, SqlInjectionMatchSet, or XssMatchSet
objects to include in a rule. If you add more than one predicate to a rule, a request must match all
conditions in order to be allowed or blocked.
Required: No
Type: List of AWS WAF Regional Rule Predicates (p. 2227)
API Version 2010-05-15
1562

AWS CloudFormation User Guide
AWS::WAFRegional::SizeConstraintSet

Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref (p. 2311).

Example
Associate an IPSet with a Web ACL Rule
The following example associates the MyIPSetBlacklist IPSet object with a web ACL rule.

JSON
"MyIPSetRule" : {
"Type": "AWS::WAFRegional::Rule",
"Properties": {
"Name": "MyIPSetRule",
"MetricName" : "MyIPSetRule",
"Predicates": [
{
"DataId" : { "Ref" : "MyIPSetBlacklist" },
"Negated" : false,
"Type" : "IPMatch"
}
]
}
}

YAML
MyIPSetRule:
Type: "AWS::WAFRegional::Rule"
Properties:
Name: "MyIPSetRule"
MetricName: "MyIPSetRule"
Predicates:
DataId:
Ref: "MyIPSetBlacklist"
Negated: false
Type: "IPMatch"

AWS::WAFRegional::SizeConstraintSet
The AWS::WAFRegional::SizeConstraintSet resource speciﬁes a size constraint that AWS WAF
uses to check the size of a web request and which parts of the request to check. For more information,
see CreateSizeConstraintSet in the AWS WAF Regional API Reference.
Topics
• Syntax (p. 1564)
API Version 2010-05-15
1563

AWS CloudFormation User Guide
AWS::WAFRegional::SizeConstraintSet

• Properties (p. 1564)
• Return Value (p. 1564)
• Examples (p. 1565)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAFRegional::SizeConstraintSet",
"Properties" : {
"Name" : String,
"SizeConstraints" : [ SizeConstraint, ... ]
}

YAML
Type: "AWS::WAFRegional::SizeConstraintSet"
Properties:
Name: String
SizeConstraints:
- SizeConstraint

Properties
Name
A friendly name or description for the SizeConstraintSet.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SizeConstraints
The size constraint and the part of the web request to check.
Required: Yes
Type: List of AWS WAF Regional SizeConstraintSet SizeConstraint (p. 2228)
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref (p. 2311).
API Version 2010-05-15
1564

AWS CloudFormation User Guide
AWS::WAFRegional::SizeConstraintSet

Examples
The following examples show you how to deﬁne a size constraint, add it to a rule, and add the rule to a
web access control list (ACL).

Deﬁne a Size Constraint
The following example checks that the body of an HTTP request equals 4096 bytes.

JSON
"MySizeConstraint": {
"Type": "AWS::WAFRegional::SizeConstraintSet",
"Properties": {
"Name": "SizeConstraints",
"SizeConstraints": [
{
"ComparisonOperator": "EQ",
"FieldToMatch": {
"Type": "BODY"
},
"Size": "4096",
"TextTransformation": "NONE"
}
]
}
}

YAML
MySizeConstraint:
Type: "AWS::WAFRegional::SizeConstraintSet"
Properties:
Name: "SizeConstraints"
SizeConstraints:
ComparisonOperator: "EQ"
FieldToMatch:
Type: "BODY"
Size: "4096"
TextTransformation: "NONE"

Associate a SizeConstraintSet with a Web ACL Rule
The following example associates the MySizeConstraint object with a web ACL rule.

JSON
"SizeConstraintRule" : {
"Type": "AWS::WAFRegional::Rule",
"Properties": {
"Name": "SizeConstraintRule",
"MetricName" : "SizeConstraintRule",
"Predicates": [
{
"DataId" : { "Ref" : "MySizeConstraint" },
"Negated" : false,
"Type" : "SizeConstraint"
}
]

API Version 2010-05-15
1565

AWS CloudFormation User Guide
AWS::WAFRegional::SizeConstraintSet

}

}

YAML
SizeConstraintRule:
Type: "AWS::WAFRegional::Rule"
Properties:
Name: "SizeConstraintRule"
MetricName: "SizeConstraintRule"
Predicates:
DataId:
Ref: "MySizeConstraint"
Negated: false
Type: "SizeConstraint"

Create a Web ACL
The following example associates the SizeConstraintRule rule with a web ACL. The web ACL blocks
all requests except for requests with a body size equal to 4096 bytes.

JSON
"MyWebACL": {
"Type": "AWS::WAFRegional::WebACL",
"Properties": {
"Name": "Web ACL to allow requests with a specific size",
"DefaultAction": {
"Type": "BLOCK"
},
"MetricName" : "SizeConstraintWebACL",
"Rules": [
{
"Action" : {
"Type" : "ALLOW"
},
"Priority" : 1,
"RuleId" : { "Ref" : "SizeConstraintRule" }
}
]
}
}

YAML
MyWebACL:
Type: "AWS::WAFRegional::WebACL"
Properties:
Name: "Web ACL to allow requests with a specific size"
DefaultAction:
Type: "BLOCK"
MetricName: "SizeConstraintWebACL"
Rules:
Action:
Type: "ALLOW"
Priority: 1
RuleId:
Ref: "SizeConstraintRule"

API Version 2010-05-15
1566

AWS CloudFormation User Guide
AWS::WAFRegional::SqlInjectionMatchSet

AWS::WAFRegional::SqlInjectionMatchSet
The AWS::WAFRegional::SqlInjectionMatchSet resource creates an AWS WAF Regional
SqlInjectionMatchSet, which you use to allow, block, or count requests that contain malicious SQL
code in a speciﬁc part of web requests. For more information, see CreateSqlInjectionMatchSet in the AWS
WAF Regional API Reference.
Topics
• Syntax (p. 1567)
• Properties (p. 1567)
• Return Values (p. 1568)
• Examples (p. 1568)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAFRegional::SqlInjectionMatchSet",
"Properties" : {
"Name" : String,
"SqlInjectionMatchTuples" : [ SqlInjectionMatchTuple, ... ]
}

YAML
Type: "AWS::WAFRegional::SqlInjectionMatchSet"
Properties:
Name: String
SqlInjectionMatchTuples:
- SqlInjectionMatchTuple

Properties
Name
A friendly name or description of the SqlInjectionMatchSet.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
SqlInjectionMatchTuples
The parts of web requests that you want AWS WAF to inspect for malicious SQL code and, if you
want AWS WAF to inspect a header, the name of the header.
Required: No
Type: List of AWS WAF Regional SqlInjectionMatchSet SqlInjectionMatchTuples (p. 2230)
API Version 2010-05-15
1567

AWS CloudFormation User Guide
AWS::WAFRegional::SqlInjectionMatchSet

Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Find SQL Injections
The following example looks for snippets of SQL code in the query string of an HTTP request.

JSON
"SqlInjDetection": {
"Type": "AWS::WAFRegional::SqlInjectionMatchSet",
"Properties": {
"Name": "Find SQL injections in the query string",
"SqlInjectionMatchTuples": [
{
"FieldToMatch" : {
"Type": "QUERY_STRING"
},
"TextTransformation" : "URL_DECODE"
}
]
}
}

YAML
SqlInjDetection:
Type: "AWS::WAFRegional::SqlInjectionMatchSet"
Properties:
Name: "Find SQL injections in the query string"
SqlInjectionMatchTuples:
FieldToMatch:
Type: "QUERY_STRING"
TextTransformation: "URL_DECODE"

Associate a SQL Injection Match Set with a Web ACL Rule
The following example associates the SqlInjDetection match set with a web access control list (ACL)
rule.

JSON
"SqlInjRule" : {
"Type": "AWS::WAFRegional::Rule",
"Properties": {
"Name": "SqlInjRule",

API Version 2010-05-15
1568

AWS CloudFormation User Guide
AWS::WAFRegional::SqlInjectionMatchSet

}

}

"MetricName" : "SqlInjRule",
"Predicates": [
{
"DataId" : { "Ref" : "SqlInjDetection" },
"Negated" : false,
"Type" : "SqlInjectionMatch"
}
]

YAML
SqlInjRule:
Type: "AWS::WAFRegional::Rule"
Properties:
Name: "SqlInjRule"
MetricName: "SqlInjRule"
Predicates:
DataId:
Ref: "SqlInjDetection"
Negated: false
Type: "SqlInjectionMatch"

Create a Web ACL
The following example associates the SqlInjRule rule with a web ACL. The web ACL allows all requests
except for ones with SQL code in the query string of a request.

JSON
"MyWebACL": {
"Type": "AWS::WAFRegional::WebACL",
"Properties": {
"Name": "Web ACL to block SQL injection in the query string",
"DefaultAction": {
"Type": "ALLOW"
},
"MetricName" : "SqlInjWebACL",
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 1,
"RuleId" : { "Ref" : "SqlInjRule" }
}
]
}
}

YAML
MyWebACL:
Type: "AWS::WAFRegional::WebACL"
Properties:
Name: "Web ACL to block SQL injection in the query string"
DefaultAction:
Type: "ALLOW"
MetricName: "SqlInjWebACL"

API Version 2010-05-15
1569

AWS CloudFormation User Guide
AWS::WAFRegional::WebACL
Rules:
Action:
Type: "BLOCK"
Priority: 1
RuleId:
Ref: "SqlInjRule"

AWS::WAFRegional::WebACL
The AWS::WAFRegional::WebACL resource creates an AWS WAF Regional web access control group
(ACL) containing the rules that identify the Amazon CloudFront (CloudFront) web requests that you
want to allow, block, or count. For more information, see CreateWebACL in the AWS WAF Regional API
Reference.
Topics
• Syntax (p. 1570)
• Properties (p. 1570)
• Return Values (p. 1571)
• Examples (p. 1571)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAFRegional::WebACL",
"Properties" : {
"DefaultAction" : Action,
"MetricName" : String,
"Name" : String,
"Rules" : [ Rule, ... ]
}

YAML
Type: "AWS::WAFRegional::WebACL"
Properties:
DefaultAction:
Action
MetricName: String
Name: String
Rules:
- Rule

Properties
DefaultAction
The action that you want AWS WAF to take when a request doesn't match the criteria in any of the
rules that are associated with the web ACL.
API Version 2010-05-15
1570

AWS CloudFormation User Guide
AWS::WAFRegional::WebACL

Required: Yes
Type: AWS WAF Regional WebACL Action (p. 2233)
Update requires: No interruption (p. 118)
MetricName
A friendly name or description for the Amazon CloudWatch metric of this web ACL. For valid values,
see the MetricName parameter of the CreateWebACL action in the AWS WAF Regional API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Name
A friendly name or description of the web ACL.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Rules
The rules to associate with the web ACL and the settings for each rule.
Required: No
Type: List of AWS WAF Regional WebACL Rules (p. 2234)
Update requires: No interruption (p. 118)

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref (p. 2311).

Examples
Create a Web ACL
The following example deﬁnes a web ACL that allows, by default, any web request. However, if the
request matches any rule, AWS WAF blocks the request. AWS WAF evaluates each rule in priority order,
starting with the lowest value.

JSON
"MyWebACL": {
"Type": "AWS::WAFRegional::WebACL",
"Properties": {
"Name": "WebACL to with three rules",

API Version 2010-05-15
1571

AWS CloudFormation User Guide
AWS::WAFRegional::WebACL

}

}

"DefaultAction": {
"Type": "ALLOW"
},
"MetricName" : "MyWebACL",
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 1,
"RuleId" : { "Ref" : "MyRule" }
},
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 2,
"RuleId" : { "Ref" : "BadReferersRule" }
},
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 3,
"RuleId" : { "Ref" : "SqlInjRule" }
}
]

YAML
MyWebACL:
Type: "AWS::WAFRegional::WebACL"
Properties:
Name: "WebACL to with three rules"
DefaultAction:
Type: "ALLOW"
MetricName: "MyWebACL"
Rules:
Action:
Type: "BLOCK"
Priority: 1
RuleId:
Ref: "MyRule"
Action:
Type: "BLOCK"
Priority: 2
RuleId:
Ref: "BadReferersRule"
Action:
Type: "BLOCK"
Priority: 3
RuleId:
Ref: "SqlInjRule"

Associate a Web ACL with a CloudFront Distribution
The follow example associates the MyWebACL web ACL with a CloudFront distribution. The web ACL
restricts which requests can access content served by CloudFront.
API Version 2010-05-15
1572

AWS CloudFormation User Guide
AWS::WAFRegional::WebACL

JSON
"myDistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"WebACLId": { "Ref" : "MyWebACL" },
"Origins": [
{
"DomainName": "test.example.com",
"Id": "myCustomOrigin",
"CustomOriginConfig": {
"HTTPPort": "80",
"HTTPSPort": "443",
"OriginProtocolPolicy": "http-only"
}
}
],
"Enabled": "true",
"Comment": "TestDistribution",
"DefaultRootObject": "index.html",
"DefaultCacheBehavior": {
"TargetOriginId": "myCustomOrigin",
"SmoothStreaming" : "false",
"ForwardedValues": {
"QueryString": "false",
"Cookies" : { "Forward" : "all" }
},
"ViewerProtocolPolicy": "allow-all"
},
"CustomErrorResponses" : [
{
"ErrorCode" : "404",
"ResponsePagePath" : "/error-pages/404.html",
"ResponseCode" : "200",
"ErrorCachingMinTTL" : "30"
}
],
"PriceClass" : "PriceClass_200",
"Restrictions" : {
"GeoRestriction" : {
"RestrictionType" : "whitelist",
"Locations" : [ "AQ", "CV" ]
}
},
"ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" }
}
}
}

YAML
myDistribution:
Type: "AWS::CloudFront::Distribution"
Properties:
DistributionConfig:
WebACLId:
Ref: "MyWebACL"
Origins:
DomainName: "test.example.com"
Id: "myCustomOrigin"
CustomOriginConfig:
HTTPPort: "80"

API Version 2010-05-15
1573

AWS CloudFormation User Guide
AWS::WAFRegional::WebACLAssociation
HTTPSPort: "443"
OriginProtocolPolicy: "http-only"
Enabled: "true"
Comment: "TestDistribution"
DefaultRootObject: "index.html"
DefaultCacheBehavior:
TargetOriginId: "myCustomOrigin"
SmoothStreaming: "false"
ForwardedValues:
QueryString: "false"
Cookies:
Forward: "all"
ViewerProtocolPolicy: "allow-all"
CustomErrorResponses:
ErrorCode: "404"
ResponsePagePath: "/error-pages/404.html"
ResponseCode: "200"
ErrorCachingMinTTL: "30"
PriceClass: "PriceClass_200"
Restrictions:
GeoRestriction:
RestrictionType: "whitelist"
Locations:
- "AQ"
- "CV"
ViewerCertificate:
CloudFrontDefaultCertificate: "true"

AWS::WAFRegional::WebACLAssociation
The AWS::WAFRegional::WebACLAssociation resource associates an AWS WAF Regional web
access control group (ACL) with a resource. For more information, see AssociateWebACL in the AWS WAF
Regional API Reference.
Topics
• Syntax (p. 1574)
• Properties (p. 1575)
• Example (p. 1575)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAFRegional::WebACLAssociation",
"Properties" : {
"ResourceArn" : String,
"WebACLId" : String
}

YAML
Type: "AWS::WAFRegional::WebACLAssociation"
Properties:

API Version 2010-05-15
1574

AWS CloudFormation User Guide
AWS::WAFRegional::XssMatchSet
ResourceArn: String
WebACLId: String

Properties
Note

For more information about constraints and values for each property, see AssociateWebACL in
the AWS WAF Regional API Reference.
ResourceArn
The Amazon Resource Name (ARN) of the resource to protect with the web ACL.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
WebACLId
A unique identiﬁer (ID) for the web ACL.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Example
The following example associates an Application load balancer resource with a web ACL.

JSON
"MyWebACLAssociation": {
"Type": "AWS::WAFRegional::WebACLAssociation",
"Properties": {
"ResourceArn": { "Ref": "MyLoadBalancer" },
"WebACLId": { "Ref": "MyWebACL" }
}
}

YAML
MyWebACLAssociation:
Type: "AWS::WAFRegional::WebACLAssociation"
Properties:
ResourceArn:
Ref: MyLoadBalancer
WebACLId:
Ref: MyWebACL

AWS::WAFRegional::XssMatchSet
The AWS::WAFRegional::XssMatchSet resource speciﬁes the parts of web requests that you want
AWS WAF to inspect for cross-site scripting attacks and the name of the header to inspect. For more
information, see XssMatchSet in the AWS WAF Regional API Reference.
API Version 2010-05-15
1575

AWS CloudFormation User Guide
AWS::WAFRegional::XssMatchSet

Topics
• Syntax (p. 1576)
• Properties (p. 1576)
• Return Value (p. 1576)
• Examples (p. 1577)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WAFRegional::XssMatchSet",
"Properties" : {
"Name" : String,
"XssMatchTuples" : [ XssMatchTuple, ... ]
}

YAML
Type: "AWS::WAFRegional::XssMatchSet"
Properties:
Name: String
XssMatchTuples:
- XssMatchTuple

Properties
Name
A friendly name or description for the XssMatchSet.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
XssMatchTuples
The parts of web requests that you want to inspect for cross-site scripting attacks.
Required: No
Type: List of AWS WAF Regional XssMatchSet XssMatchTuple (p. 2231)
Update requires: No interruption (p. 118)

Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
API Version 2010-05-15
1576

AWS CloudFormation User Guide
AWS::WAFRegional::XssMatchSet

For more information about using the Ref function, see Ref (p. 2311).

Examples
Deﬁne Which Part of a Request to Check for Cross-site Scripting
The following example looks for cross-site scripting in the URI or query string of an HTTP request.

JSON
"DetectXSS": {
"Type": "AWS::WAFRegional::XssMatchSet",
"Properties": {
"Name": "XssMatchSet",
"XssMatchTuples": [
{
"FieldToMatch": {
"Type": "URI"
},
"TextTransformation": "NONE"
},
{
"FieldToMatch": {
"Type": "QUERY_STRING"
},
"TextTransformation": "NONE"
}
]
}
}

YAML
DetectXSS:
Type: "AWS::WAFRegional::XssMatchSet"
Properties:
Name: "XssMatchSet"
XssMatchTuples:
FieldToMatch:
Type: "URI"
TextTransformation: "NONE"
FieldToMatch:
Type: "QUERY_STRING"
TextTransformation: "NONE"

Associate an XssMatchSet with a Web ACL Rule
The following example associates the DetectXSS match set with a web access control list (ACL) rule.

JSON
"XSSRule" : {
"Type": "AWS::WAFRegional::Rule",
"Properties": {
"Name": "XSSRule",
"MetricName" : "XSSRule",
"Predicates": [
{

API Version 2010-05-15
1577

AWS CloudFormation User Guide
AWS::WAFRegional::XssMatchSet

}

}

]

}

"DataId" : { "Ref" : "DetectXSS" },
"Negated" : false,
"Type" : "XssMatch"

YAML
XSSRule:
Type: "AWS::WAFRegional::Rule"
Properties:
Name: "XSSRule"
MetricName: "XSSRule"
Predicates:
DataId:
Ref: "DetectXSS"
Negated: false
Type: "XssMatch"

Create a Web ACL
The following example associates the XSSRule rule with a web ACL. The web ACL allows all requests
except for ones that contain cross-site scripting in the URI or query string of an HTTP request.

JSON
"MyWebACL": {
"Type": "AWS::WAFRegional::WebACL",
"Properties": {
"Name": "Web ACL to block cross-site scripting",
"DefaultAction": {
"Type": "ALLOW"
},
"MetricName" : "DetectXSSWebACL",
"Rules": [
{
"Action" : {
"Type" : "BLOCK"
},
"Priority" : 1,
"RuleId" : { "Ref" : "XSSRule" }
}
]
}
}

YAML
MyWebACL:
Type: "AWS::WAFRegional::WebACL"
Properties:
Name: "Web ACL to block cross-site scripting"
DefaultAction:
Type: "ALLOW"
MetricName: "DetectXSSWebACL"
Rules:
Action:

API Version 2010-05-15
1578

AWS CloudFormation User Guide
AWS::WorkSpaces::Workspace
Type: "BLOCK"
Priority: 1
RuleId:
Ref: "XSSRule"

AWS::WorkSpaces::Workspace
The AWS::WorkSpaces::Workspace resource creates an Amazon WorkSpaces workspace, which is
a cloud-based desktop experience for end users. Before creating a Workspace in CloudFormation, you
must register a Directory Service directory with Workspaces. This process is documented at Register a
Directory with Amazon WorkSpaces. For more information, see the Amazon WorkSpaces Administration
Guide.
Topics
• Syntax (p. 1579)
• Properties (p. 1579)
• Return Values (p. 1581)
• Example (p. 1581)

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : "AWS::WorkSpaces::Workspace",
"Properties" : {
"BundleId" : String,
"DirectoryId" : String,
"UserName" : String,
"RootVolumeEncryptionEnabled" : Boolean,
"UserVolumeEncryptionEnabled" : Boolean,
"VolumeEncryptionKey" : String
}

YAML
Type: "AWS::WorkSpaces::Workspace"
Properties:
BundleId: String
DirectoryId: String
UserName: String
RootVolumeEncryptionEnabled: Boolean
UserVolumeEncryptionEnabled: Boolean
VolumeEncryptionKey: String

Properties
BundleId
The identiﬁer of the bundle from which you want to create the workspace. A bundle speciﬁes
the details of the workspace, such as the installed applications and the size of CPU, memory, and
storage. Use the DescribeWorkspaceBundles action to list the bundles that AWS oﬀers.
API Version 2010-05-15
1579

AWS CloudFormation User Guide
AWS::WorkSpaces::Workspace

Required: Yes
Type: String
Update requires: Updates are not supported.. To update this property, you must also update another
property that triggers a replacement, such as the UserName property.
DirectoryId
The identiﬁer of the AWS Directory Service directory in which you want to create the
workspace. The directory must already be registered with Amazon WorkSpaces. Use the
DescribeWorkspaceDirectories action to list the directories that are available.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
UserName
The name of the user to which the workspace is assigned. This user name must exist in the speciﬁed
AWS Directory Service directory.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
RootVolumeEncryptionEnabled
Indicates whether Amazon WorkSpaces encrypts data stored on the root volume (C: drive).
Required: No
Type: Boolean
Update requires: Updates are not supported.. To update this property, you must also update another
property that triggers a replacement, such as the UserName property.
UserVolumeEncryptionEnabled
Indicates whether Amazon WorkSpaces encrypts data stored on the user volume (D: drive).
Required: No
Type: Boolean
Update requires: Updates are not supported.. To update this property, you must also update another
property that triggers a replacement, such as the UserName property.
VolumeEncryptionKey
The AWS Key Management Service (AWS KMS) key ID that Amazon WorkSpaces uses to encrypt data
stored on your workspace.
Required: No
Type: String
Update requires: Updates are not supported.. To update this property, you must also update another
property that triggers a replacement, such as the UserName property.
API Version 2010-05-15
1580

AWS CloudFormation User Guide
Resource Property Types

Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name.
For more information about using the Ref function, see Ref (p. 2311).

Example
The following example creates a workspace for user test. The bundle and directory IDs are speciﬁed as
parameters in the same template.

JSON
"workspace1" : {
"Type" : "AWS::WorkSpaces::Workspace",
"Properties" : {
"BundleId" : {"Ref" : "BundleId"},
"DirectoryId" : {"Ref" : "DirectoryId"},
"UserName" : "test"
}
}

YAML
workspace1:
Type: "AWS::WorkSpaces::Workspace"
Properties:
BundleId:
Ref: "BundleId"
DirectoryId:
Ref: "DirectoryId"
UserName: "test"

Resource Property Types Reference
This section details the resource-speciﬁc properties for the resources supported by AWS CloudFormation.
Topics
• Amazon MQ Broker ConﬁgurationId (p. 1594)
• Amazon MQ Broker MaintenanceWindow (p. 1595)
• Amazon MQ Broker User (p. 1596)
• Amazon API Gateway ApiKey StageKey (p. 1597)
•
•
•
•
•

Amazon API Gateway Deployment StageDescription (p. 1598)
Amazon API Gateway Deployment MethodSetting (p. 1600)
Amazon API Gateway DocumentationPart Location (p. 1602)
Amazon API Gateway DomainName EndpointConﬁguration (p. 1604)
Amazon API Gateway Method Integration (p. 1604)

• Amazon API Gateway Method Integration IntegrationResponse (p. 1607)
• Amazon API Gateway Method MethodResponse (p. 1609)
API Version 2010-05-15
1581

AWS CloudFormation User Guide
Resource Property Types

• Amazon API Gateway RestApi S3Location (p. 1610)
• Amazon API Gateway RestApi EndpointConﬁguration (p. 1611)
• Amazon API Gateway Stage MethodSetting (p. 1612)
• Amazon API Gateway UsagePlan ApiStage (p. 1614)
• Amazon API Gateway UsagePlan QuotaSettings (p. 1615)
• Amazon API Gateway UsagePlan ThrottleSettings (p. 1615)
• Application Auto Scaling ScalingPolicy CustomizedMetricSpeciﬁcation (p. 1616)
• Application Auto Scaling ScalingPolicy MetricDimension (p. 1618)
• Application Auto Scaling ScalingPolicy PredeﬁnedMetricSpeciﬁcation (p. 1618)
• Application Auto Scaling ScalingPolicy StepScalingPolicyConﬁguration (p. 1619)
• Application Auto Scaling ScalingPolicy StepScalingPolicyConﬁguration StepAdjustment (p. 1621)
• Application Auto Scaling ScalingPolicy TargetTrackingScalingPolicyConﬁguration (p. 1622)
• Application Auto Scaling ScalableTarget ScalableTargetAction (p. 1624)
• Application Auto Scaling ScalableTarget ScheduledAction (p. 1624)
• AWS AppSync DataSource DynamoDBConﬁg (p. 1626)
• AWS AppSync DataSource HttpConﬁg (p. 1627)
• AWS AppSync DataSource ElasticsearchConﬁg (p. 1628)
• AWS AppSync DataSource LambdaConﬁg (p. 1629)
• AWS AppSync GraphQLApi LogConﬁg (p. 1630)
• AWS AppSync GraphQLApi UserPoolConﬁg (p. 1630)
• AWS AppSync GraphQLApi OpenId Connect Conﬁg (p. 1632)
• Amazon EC2 Auto Scaling Block Device Mapping Property Type (p. 1633)
• Amazon EC2 Auto Scaling EBS Block Device Property Type (p. 1634)
• Amazon EC2 Auto Scaling AutoScalingGroup LifecycleHookSpeciﬁcation (p. 1636)
• Amazon EC2 Auto Scaling AutoScalingGroup LaunchTemplateSpeciﬁcation (p. 1639)
• Amazon EC2 Auto Scaling AutoScalingGroup MetricsCollection (p. 1640)
• Amazon EC2 Auto Scaling AutoScalingGroup NotiﬁcationConﬁguration (p. 1641)
• Amazon EC2 Auto Scaling AutoScalingGroup TagProperty (p. 1642)
• Amazon EC2 Auto Scaling ScalingPolicy CustomizedMetricSpeciﬁcation (p. 1644)
• Amazon EC2 Auto Scaling ScalingPolicy MetricDimension (p. 1645)
• Amazon EC2 Auto Scaling ScalingPolicy PredeﬁnedMetricSpeciﬁcation (p. 1646)
• Amazon EC2 Auto Scaling ScalingPolicy StepAdjustments (p. 1647)
• Amazon EC2 Auto Scaling ScalingPolicy TargetTrackingConﬁguration (p. 1648)
• AWS Auto Scaling ScalingPlan ApplicationSource (p. 1649)
• AWS Auto Scaling ScalingPlan CustomizedScalingMetricSpeciﬁcation (p. 1650)
• AWS Auto Scaling ScalingPlan MetricDimension (p. 1652)
• AWS Auto Scaling ScalingPlan PredeﬁnedScalingMetricSpeciﬁcation (p. 1652)
• AWS Auto Scaling ScalingPlan ScalingInstruction (p. 1653)
• AWS Auto Scaling ScalingPlan TagFilter (p. 1655)
• AWS Auto Scaling ScalingPlan TargetTrackingConﬁguration (p. 1656)
• AWS Batch ComputeEnvironment ComputeResources (p. 1658)
• AWS Batch JobDeﬁnition ContainerProperties (p. 1660)
• AWS Batch JobDeﬁnition Environment (p. 1664)
• AWS Batch JobDeﬁnition MountPoints (p. 1664)
• AWS Batch JobDeﬁnition RetryStrategy (p. 1665)
• AWS Batch JobDeﬁnition Timeout (p. 1666)
API Version 2010-05-15
1582

AWS CloudFormation User Guide
Resource Property Types

• AWS Batch JobDeﬁnition Ulimit (p. 1667)
• AWS Batch JobDeﬁnition Volumes (p. 1668)
• AWS Batch JobDeﬁnition VolumesHost (p. 1668)
• AWS Batch JobQueue ComputeEnvironmentOrder (p. 1669)
• AWS Billing and Cost Management Budget BudgetData (p. 1670)
• AWS Billing and Cost Management Budget CostTypes (p. 1672)
• AWS Billing and Cost Management Budget Notiﬁcation (p. 1675)
• AWS Billing and Cost Management Budget NotiﬁcationWithSubscribers (p. 1676)
• AWS Billing and Cost Management Budget Spend (p. 1677)
• AWS Billing and Cost Management Budget Subscriber (p. 1678)
• AWS Billing and Cost Management Budget TimePeriod (p. 1679)
• AWS Cloud9 EnvironmentEC2 Repository (p. 1680)
• AWS Certiﬁcate Manager Certiﬁcate DomainValidationOption (p. 1681)
• AWS CloudFormation Stack Parameters (p. 1682)
• AWS CloudFormation Interface Label (p. 1683)
• AWS CloudFormation Interface ParameterGroup (p. 1684)
• AWS CloudFormation Interface ParameterLabel (p. 1685)
• Amazon CloudFront CloudFrontOriginAccessIdentity CloudFrontOriginAccessIdentityConﬁg (p. 1685)
• CloudFront Distribution CacheBehavior (p. 1686)
• CloudFront Distribution Cookies (p. 1689)
• CloudFront Distribution CustomErrorResponse (p. 1690)
• CloudFront Distribution CustomOriginConﬁg (p. 1691)
• CloudFront Distribution DefaultCacheBehavior (p. 1692)
• CloudFront Distribution DistributionConﬁg (p. 1695)
• CloudFront Distribution ForwardedValues (p. 1699)
• CloudFront Distribution GeoRestriction (p. 1700)
• Amazon CloudFront Distribution LambdaFunctionAssociation (p. 1701)
• CloudFront Distribution Logging (p. 1702)
• CloudFront Distribution Origin (p. 1703)
• CloudFront Distribution OriginCustomHeader (p. 1705)
• CloudFront Distribution Restrictions (p. 1705)
• CloudFront Distribution S3Origin (p. 1706)
• CloudFront Distribution ViewerCertiﬁcate (p. 1707)
• Amazon CloudFront StreamingDistribution Logging (p. 1708)
• Amazon CloudFront StreamingDistribution S3Origin (p. 1709)
• Amazon CloudFront StreamingDistribution StreamingDistributionConﬁg (p. 1710)
• Amazon CloudFront StreamingDistribution Tag (p. 1712)
• Amazon CloudFront StreamingDistribution TrustedSigners (p. 1713)
• AWS CloudTrail Trail EventSelector (p. 1714)
• AWS CloudTrail Trail DataResource (p. 1715)
• CloudWatch Metric Dimension Property Type (p. 1716)
• Amazon CloudWatch Events Rule EcsParameters (p. 1718)
• Amazon CloudWatch Events Rule InputTransformer (p. 1719)
• Amazon CloudWatch Events Rule KinesisParameters (p. 1720)
• Amazon CloudWatch Events Rule RunCommandParameters (p. 1720)
• Amazon CloudWatch Events Rule RunCommandTarget (p. 1721)
API Version 2010-05-15
1583

AWS CloudFormation User Guide
Resource Property Types

• Amazon CloudWatch Events Rule Target (p. 1722)
• CloudWatch Logs MetricFilter MetricTransformation Property (p. 1727)
• AWS CodeBuild Project Artifacts (p. 1728)
• AWS CodeBuild Project Environment (p. 1730)
• AWS CodeBuild Project EnvironmentVariable (p. 1731)
• AWS CodeBuild Project ProjectCache (p. 1732)
• AWS CodeBuild Project Source (p. 1733)
• AWS CodeBuild Project SourceAuth (p. 1735)
• AWS CodeBuild Project ProjectTriggers (p. 1736)
• AWS CodeBuild Project VpcConﬁg (p. 1737)
• AWS CodeCommit Repository Trigger (p. 1738)
• AWS CodeDeploy DeploymentConﬁg MinimumHealthyHosts (p. 1739)
• AWS CodeDeploy DeploymentGroup Alarm (p. 1740)
• AWS CodeDeploy DeploymentGroup AlarmConﬁguration (p. 1740)
• AWS CodeDeploy DeploymentGroup AutoRollbackConﬁguration (p. 1741)
• AWS CodeDeploy DeploymentGroup Deployment (p. 1742)
• AWS CodeDeploy DeploymentGroup DeploymentStyle (p. 1743)
• AWS CodeDeploy DeploymentGroup ELBInfo (p. 1745)
• AWS CodeDeploy DeploymentGroup LoadBalancerInfo (p. 1746)
• AWS CodeDeploy DeploymentGroup TargetGroupInfo (p. 1747)
• AWS CodeDeploy DeploymentGroup Deployment Revision (p. 1748)
• AWS CodeDeploy DeploymentGroup Deployment Revision GitHubLocation (p. 1749)
• AWS CodeDeploy DeploymentGroup Deployment Revision S3Location (p. 1750)
• AWS CodeDeploy DeploymentGroup Ec2TagFilters (p. 1751)
• AWS CodeDeploy DeploymentGroup OnPremisesInstanceTagFilters (p. 1752)
• AWS CodeDeploy DeploymentGroup TriggerConﬁg (p. 1753)
• AWS CodePipeline CustomActionType ArtifactDetails (p. 1754)
• AWS CodePipeline CustomActionType ConﬁgurationProperties (p. 1754)
• AWS CodePipeline CustomActionType Settings (p. 1756)
• AWS CodePipeline Pipeline ArtifactStore (p. 1757)
• AWS CodePipeline Pipeline ArtifactStore EncryptionKey (p. 1758)
• AWS CodePipeline Pipeline DisableInboundStageTransitions (p. 1759)
• AWS CodePipeline Pipeline Stages (p. 1759)
• AWS CodePipeline Pipeline Stages Actions (p. 1760)
• AWS CodePipeline Pipeline Stages Actions ActionTypeId (p. 1762)
• AWS CodePipeline Pipeline Stages Actions InputArtifacts (p. 1763)
• AWS CodePipeline Pipeline Stages Actions OutputArtifacts (p. 1763)
• AWS CodePipeline Pipeline Stages Blockers (p. 1764)
• AWS CodePipeline Webhook WebhookAuthConﬁguration (p. 1765)
• AWS CodePipeline Webhook WebhookFilterRule (p. 1765)
• Amazon Cognito IdentityPool CognitoStreams (p. 1766)
• Amazon Cognito IdentityPool PushSync (p. 1767)
• Amazon Cognito IdentityPoolRoleAttachment RoleMapping (p. 1768)
• Amazon Cognito IdentityPoolRoleAttachment MappingRule (p. 1769)
• Amazon Cognito IdentityPool CognitoIdentityProvider (p. 1770)
• Amazon Cognito IdentityPoolRoleAttachment RoleMapping RulesConﬁguration (p. 1771)
API Version 2010-05-15
1584

AWS CloudFormation User Guide
Resource Property Types

• Amazon Cognito UserPool AdminCreateUserConﬁg (p. 1772)
• Amazon Cognito UserPool DeviceConﬁguration (p. 1773)
• Amazon Cognito UserPool EmailConﬁguration (p. 1773)
• Amazon Cognito UserPool InviteMessageTemplate (p. 1774)
• Amazon Cognito UserPool LambdaConﬁg (p. 1775)
• Amazon Cognito UserPool NumberAttributeConstraints (p. 1776)
• Amazon Cognito UserPool PasswordPolicy (p. 1777)
• Amazon Cognito UserPool Policies (p. 1778)
• Amazon Cognito UserPool SchemaAttribute (p. 1779)
• Amazon Cognito UserPool SmsConﬁguration (p. 1780)
• Amazon Cognito UserPool StringAttributeConstraints (p. 1781)
• Amazon Cognito UserPoolUser AttributeType (p. 1782)
• Amazon Cognito UserPool InviteMessageTemplate (p. 1782)
• AWS Conﬁg ConﬁgRule Scope (p. 1783)
• AWS Conﬁg ConﬁgRule Source (p. 1784)
• AWS Conﬁg ConﬁgRule SourceDetails (p. 1785)
• AWS Conﬁg ConﬁgurationAggregator AccountAggregationSource (p. 1786)
• AWS Conﬁg ConﬁgurationAggregator OrganizationAggregationSource (p. 1787)
• AWS Conﬁg ConﬁgurationRecorder RecordingGroup (p. 1788)
• AWS Conﬁg DeliveryChannel ConﬁgSnapshotDeliveryProperties (p. 1789)
• AWS Data Pipeline Pipeline ParameterObjects (p. 1790)
• AWS Data Pipeline Parameter Objects Attributes (p. 1791)
• AWS Data Pipeline Pipeline ParameterValues (p. 1791)
• AWS Data Pipeline PipelineObject (p. 1792)
• AWS Data Pipeline Pipeline Field (p. 1794)
• AWS Data Pipeline Pipeline PipelineTags (p. 1795)
• AWS DMS Endpoint DynamoDBSettings (p. 1796)
• AWS DMS Endpoint MongoDbSettings (p. 1797)
• AWS DMS Endpoint S3Settings (p. 1799)
• AWS Directory Service MicrosoftAD VpcSettings (p. 1800)
• AWS Directory Service SimpleAD VpcSettings (p. 1801)
• DynamoDB Accelerator Cluster SSESpeciﬁcation (p. 1802)
• Amazon DynamoDB Table AttributeDeﬁnition (p. 1802)
• Amazon DynamoDB Table GlobalSecondaryIndex (p. 1803)
• Amazon DynamoDB Table KeySchema (p. 1804)
• Amazon DynamoDB Table LocalSecondaryIndex (p. 1805)
• DynamoDB Table PointInTimeRecoverySpeciﬁcation (p. 1806)
• Amazon DynamoDB Table Projection (p. 1807)
• Amazon DynamoDB Table ProvisionedThroughput (p. 1808)
• DynamoDB SSESpeciﬁcation (p. 1809)
• Amazon DynamoDB Table StreamSpeciﬁcation (p. 1809)
• Amazon DynamoDB Table TimeToLiveSpeciﬁcation (p. 1810)
• Amazon EC2 Block Device Mapping Property (p. 1811)
• Amazon Elastic Block Store Block Device Property (p. 1813)
• Amazon EC2 Instance CreditSpeciﬁcation (p. 1814)
• Amazon EC2 Instance ElasticGpuSpeciﬁcation (p. 1815)
API Version 2010-05-15
1585

AWS CloudFormation User Guide
Resource Property Types

• Amazon EC2 Instance LaunchTemplateSpeciﬁcation (p. 1816)
• Amazon EC2 Instance SsmAssociations AssociationParameters (p. 1817)
• Amazon EC2 Instance SsmAssociations (p. 1818)
• Amazon EC2 LaunchTemplate BlockDeviceMapping (p. 1818)
• Amazon EC2 LaunchTemplate CreditSpeciﬁcation (p. 1820)
• Amazon EC2 LaunchTemplate Ebs (p. 1820)
• Amazon EC2 LaunchTemplate ElasticGpuSpeciﬁcation (p. 1822)
• Amazon EC2 LaunchTemplate IamInstanceProﬁle (p. 1823)
• Amazon EC2 LaunchTemplate InstanceMarketOptions (p. 1824)
• Amazon EC2 LaunchTemplate Ipv6Add (p. 1825)
• Amazon EC2 LaunchTemplate LaunchTemplateData (p. 1826)
• Amazon EC2 LaunchTemplate Monitoring (p. 1830)
• Amazon EC2 LaunchTemplate NetworkInterface (p. 1831)
• Amazon EC2 LaunchTemplate Placement (p. 1834)
• Amazon EC2 LaunchTemplate PrivateIpAdd (p. 1835)
• Amazon EC2 LaunchTemplate SpotOptions (p. 1836)
• Amazon EC2 LaunchTemplate TagSpeciﬁcation (p. 1837)
• EC2 MountPoint Property Type (p. 1838)
• EC2 NetworkInterface Embedded Property Type (p. 1840)
• EC2 NetworkAclEntry Icmp (p. 1842)
• EC2 NetworkAclEntry PortRange (p. 1843)
• EC2 NetworkInterface Ipv6Addresses (p. 1844)
• EC2 Network Interface Private IP Speciﬁcation (p. 1844)
• EC2 Security Group Rule Property Type (p. 1845)
• Amazon EC2 SpotFleet SpotFleetRequestConﬁgData (p. 1850)
• Amazon Elastic Compute Cloud SpotFleet LaunchSpeciﬁcations (p. 1853)
• Amazon Elastic Compute Cloud SpotFleet BlockDeviceMappings (p. 1856)
• Amazon Elastic Compute Cloud SpotFleet Ebs (p. 1857)
• Amazon Elastic Compute Cloud SpotFleet FleetLaunchTemplateSpeciﬁcation (p. 1859)
• Amazon Elastic Compute Cloud SpotFleet IamInstanceProﬁle (p. 1860)
• Amazon Elastic Compute Cloud SpotFleet LaunchTemplateConﬁg (p. 1860)
• Amazon Elastic Compute Cloud SpotFleet LaunchTemplateOverrides (p. 1861)
• Amazon EC2 SpotFleet Monitoring (p. 1862)
• Amazon Elastic Compute Cloud SpotFleet NetworkInterfaces (p. 1863)
• Amazon Elastic Compute Cloud SpotFleet NetworkInterfaces PrivateIpAddresses (p. 1865)
• Amazon Elastic Compute Cloud SpotFleet Placement (p. 1866)
• Amazon Elastic Compute Cloud SpotFleet SecurityGroups (p. 1866)
• Amazon Elastic Compute Cloud SpotFleet SpotFleetTagSpeciﬁcation (p. 1867)
• Amazon EC2 VPNConnection VpnTunnelOptionsSpeciﬁcation (p. 1868)
• Amazon Elastic Container Service Service AwsVpcConﬁguration (p. 1869)
• Amazon Elastic Container Registry Repository LifecyclePolicy (p. 1870)
• Amazon Elastic Container Service Service DeploymentConﬁguration (p. 1871)
• Amazon Elastic Container Service Service NetworkConﬁguration (p. 1872)
• Amazon Elastic Container Service Service PlacementConstraint (p. 1872)
• Amazon Elastic Container Service Service PlacementStrategies (p. 1873)
• Amazon Elastic Container Service Service LoadBalancers (p. 1874)
API Version 2010-05-15
1586

AWS CloudFormation User Guide
Resource Property Types

• Amazon Elastic Container Service Service ServiceRegistry (p. 1875)
• Amazon Elastic Container Service TaskDeﬁnition HealthCheck (p. 1876)
• Amazon Elastic Container Service TaskDeﬁnition ContainerDeﬁnition (p. 1878)
• Amazon Elastic Container Service TaskDeﬁnition Device (p. 1883)
• Amazon Elastic Container Service TaskDeﬁnition HostEntry (p. 1884)
• Amazon Elastic Container Service TaskDeﬁnition KernelCapabilities (p. 1885)
• Amazon Elastic Container Service TaskDeﬁnition KeyValuePair (p. 1886)
• Amazon Elastic Container Service TaskDeﬁnition LinuxParameters (p. 1887)
• Amazon Elastic Container Service TaskDeﬁnition LogConﬁguration (p. 1888)
• Amazon Elastic Container Service TaskDeﬁnition MountPoint (p. 1889)
• Amazon Elastic Container Service TaskDeﬁnition PortMapping (p. 1890)
• Amazon Elastic Container Service TaskDeﬁnition Ulimit (p. 1891)
• Amazon Elastic Container Service TaskDeﬁnition VolumeFrom (p. 1891)
• Amazon Elastic Container Service Service PlacementConstraint (p. 1892)
• Amazon Elastic Container Service TaskDeﬁnition Volumes (p. 1893)
• Amazon Elastic Container Service TaskDeﬁnition Volumes Host (p. 1894)
• Amazon Elastic File System FileSystem FileSystemTags (p. 1895)
• EKS Cluster ResourcesVpcConﬁg (p. 1895)
• AWS Elastic Beanstalk Application ApplicationResourceLifecycleConﬁg (p. 1896)
• AWS Elastic Beanstalk Application ApplicationVersionLifecycleConﬁg (p. 1897)
• AWS Elastic Beanstalk Application MaxAgeRule (p. 1898)
• AWS Elastic Beanstalk Application MaxCountRule (p. 1899)
• AWS Elastic Beanstalk ConﬁgurationTemplate ConﬁgurationOptionSetting (p. 1900)
• AWS Elastic Beanstalk ConﬁgurationTemplate SourceConﬁguration (p. 1901)
• Elastic Beanstalk Environment Tier Property Type (p. 1902)
• AWS Elastic Beanstalk Environment OptionSetting (p. 1903)
• Elastic Beanstalk SourceBundle Property Type (p. 1904)
• Amazon ElastiCache ReplicationGroup NodeGroupConﬁguration (p. 1905)
• Elastic Load Balancing AccessLoggingPolicy (p. 1906)
• ElasticLoadBalancing AppCookieStickinessPolicy Type (p. 1907)
• Elastic Load Balancing ConnectionDrainingPolicy (p. 1908)
• Elastic Load Balancing ConnectionSettings (p. 1909)
• ElasticLoadBalancing LoadBalancer HealthCheck (p. 1910)
• ElasticLoadBalancing LBCookieStickinessPolicy Type (p. 1911)
• ElasticLoadBalancing Listener Property Type (p. 1912)
• ElasticLoadBalancing Policy Type (p. 1914)
• Elastic Load Balancing Listener Certiﬁcate (p. 1916)
• Elastic Load Balancing ListenerCertiﬁcate Certiﬁcate (p. 1917)
• Elastic Load Balancing Listener Action (p. 1917)
• Elastic Load Balancing ListenerRule Actions (p. 1918)
• Elastic Load Balancing ListenerRule Conditions (p. 1919)
• Elastic Load Balancing LoadBalancer LoadBalancerAttributes (p. 1919)
• Elastic Load Balancing LoadBalancer SubnetMapping (p. 1920)
• Elastic Load Balancing TargetGroup Matcher (p. 1921)
• Elastic Load Balancing TargetGroup TargetDescription (p. 1922)
• Elastic Load Balancing TargetGroup TargetGroupAttributes (p. 1922)
API Version 2010-05-15
1587

AWS CloudFormation User Guide
Resource Property Types

• Amazon Elasticsearch Service Domain EBSOptions (p. 1923)
• Amazon Elasticsearch Service Domain ElasticsearchClusterConﬁg (p. 1924)
• Amazon Elasticsearch Service Domain EncryptionAtRestOptions (p. 1926)
• Amazon Elasticsearch Service Domain SnapshotOptions (p. 1927)
• Amazon Elasticsearch Service Domain VPCOptions (p. 1927)
• Amazon EMR Cluster Application (p. 1928)
• Amazon EMR Cluster AutoScalingPolicy (p. 1929)
• Amazon EMR Cluster BootstrapActionConﬁg (p. 1930)
• Amazon EMR Cluster CloudWatchAlarmDeﬁnition (p. 1931)
• Amazon EMR Cluster Conﬁgurations (p. 1933)
• Amazon EMR Cluster InstanceFleetConﬁg (p. 1934)
• Amazon EMR Cluster InstanceFleetProvisioningSpeciﬁcations (p. 1935)
• Amazon EMR Cluster InstanceGroupConﬁg (p. 1936)
• Amazon EMR Cluster InstanceTypeConﬁg (p. 1938)
• Amazon EMR Cluster JobFlowInstancesConﬁg (p. 1939)
• Amazon EMR Cluster MetricDimension (p. 1943)
• Amazon EMR Cluster PlacementType (p. 1944)
• Amazon EMR Cluster ScalingAction (p. 1944)
• Amazon EMR Cluster ScalingConstraints (p. 1945)
• Amazon EMR Cluster ScalingRule (p. 1946)
• Amazon EMR Cluster ScalingTrigger (p. 1947)
• Amazon EMR Cluster ScriptBootstrapActionConﬁg (p. 1947)
• Amazon EMR Cluster SimpleScalingPolicyConﬁguration (p. 1948)
• Amazon EMR Cluster SpotProvisioningSpeciﬁcation (p. 1949)
• Amazon EMR Cluster KerberosAttributes (p. 1950)
• Amazon EMR EbsConﬁguration (p. 1952)
• Amazon EMR EbsConﬁguration EbsBlockDeviceConﬁgs (p. 1953)
• Amazon EMR EbsConﬁguration EbsBlockDeviceConﬁg VolumeSpeciﬁcation (p. 1954)
• Amazon EMR InstanceFleetConﬁg Conﬁguration (p. 1955)
• Amazon EMR InstanceFleetConﬁg EbsBlockDeviceConﬁg (p. 1956)
• Amazon EMR InstanceFleetConﬁg EbsConﬁguration (p. 1957)
• Amazon EMR InstanceFleetConﬁg InstanceFleetProvisioningSpeciﬁcations (p. 1957)
• Amazon EMR InstanceFleetConﬁg InstanceTypeConﬁg (p. 1958)
• Amazon EMR InstanceFleetConﬁg SpotProvisioningSpeciﬁcation (p. 1960)
• Amazon EMR InstanceFleetConﬁg VolumeSpeciﬁcation (p. 1961)
• Amazon EMR InstanceGroupConﬁg AutoScalingPolicy (p. 1962)
• Amazon EMR InstanceGroupConﬁg CloudWatchAlarmDeﬁnition (p. 1965)
• Amazon EMR InstanceGroupConﬁg MetricDimension (p. 1967)
• Amazon EMR InstanceGroupConﬁg ScalingAction (p. 1968)
• Amazon EMR InstanceGroupConﬁg ScalingConstraints (p. 1969)
• Amazon EMR InstanceGroupConﬁg ScalingRule (p. 1970)
• Amazon EMR InstanceGroupConﬁg ScalingTrigger (p. 1971)
• Amazon EMR InstanceGroupConﬁg SimpleScalingPolicyConﬁguration (p. 1971)
• Amazon EMR Step HadoopJarStepConﬁg (p. 1972)
• Amazon EMR Step KeyValue (p. 1973)
• Amazon GameLift Alias RoutingStrategy (p. 1974)
API Version 2010-05-15
1588

AWS CloudFormation User Guide
Resource Property Types

• Amazon GameLift Build StorageLocation (p. 1975)
• Amazon GameLift Fleet EC2InboundPermission (p. 1976)
• AWS Glue Classiﬁer GrokClassiﬁer (p. 1977)
• AWS Glue Connection ConnectionInput (p. 1978)
• AWS Glue Connection PhysicalConnectionRequirements (p. 1980)
• AWS Glue Crawler JdbcTarget (p. 1981)
• AWS Glue Crawler S3Target (p. 1982)
• AWS Glue Crawler Schedule (p. 1982)
• AWS Glue Crawler SchemaChangePolicy (p. 1983)
• AWS Glue Crawler Targets (p. 1984)
• AWS Glue Database DatabaseInput (p. 1985)
• AWS Glue Job ConnectionsList (p. 1986)
• AWS Glue Job ExecutionProperty (p. 1987)
• AWS Glue Job JobCommand (p. 1987)
• AWS Glue Partition Column (p. 1988)
• AWS Glue Partition Order (p. 1989)
• AWS Glue Partition PartitionInput (p. 1990)
• AWS Glue Partition SerdeInfo (p. 1991)
• AWS Glue Partition SkewedInfo (p. 1992)
• AWS Glue Partition StorageDescriptor (p. 1993)
• AWS Glue Table Column (p. 1996)
• AWS Glue Table Order (p. 1997)
• AWS Glue Table SerdeInfo (p. 1998)
• AWS Glue Table SkewedInfo (p. 1999)
• AWS Glue Table StorageDescriptor (p. 2000)
• AWS Glue Table TableInput (p. 2003)
• AWS Glue Trigger Action (p. 2006)
• AWS Glue Trigger Condition (p. 2007)
• AWS Glue Trigger Predicate (p. 2008)
• GuardDuty Filter FindingCriteria (p. 2009)
• GuardDuty Filter Condition (p. 2009)
• IAM Policies (p. 2011)
• IAM User LoginProﬁle (p. 2012)
• AWS IoT TopicRule Action (p. 2012)
• AWS IoT TopicRule CloudwatchAlarmAction (p. 2015)
• AWS IoT TopicRule CloudwatchMetricAction (p. 2016)
• AWS IoT TopicRule DynamoDBAction (p. 2017)
• AWS IoT TopicRule DynamoDBv2Action (p. 2019)
• AWS IoT TopicRule ElasticsearchAction (p. 2020)
• AWS IoT TopicRule FirehoseAction (p. 2021)
• AWS IoT TopicRule KinesisAction (p. 2022)
• AWS IoT TopicRule LambdaAction (p. 2022)
• AWS IoT TopicRule PutItemInput (p. 2023)
• AWS IoT TopicRule RepublishAction (p. 2024)
• AWS IoT TopicRule S3Action (p. 2024)
• AWS IoT TopicRule SnsAction (p. 2025)
API Version 2010-05-15
1589

AWS CloudFormation User Guide
Resource Property Types

• AWS IoT TopicRule SqsAction (p. 2026)
• AWS IoT Thing AttributePayload (p. 2027)
• AWS IoT TopicRule TopicRulePayload (p. 2028)
• Kinesis StreamEncryption (p. 2029)
• Amazon Kinesis Data Analytics Application CSVMappingParameters (p. 2030)
• Amazon Kinesis Data Analytics Application Input (p. 2031)
• Amazon Kinesis Data Analytics Application InputLambdaProcessor (p. 2033)
• Amazon Kinesis Data Analytics Application InputParallelism (p. 2033)
• Amazon Kinesis Data Analytics Application InputProcessingConﬁguration (p. 2034)
• Amazon Kinesis Data Analytics Application InputSchema (p. 2035)
• Amazon Kinesis Data Analytics Application JSONMappingParameters (p. 2036)
• Amazon Kinesis Data Analytics Application KinesisFirehoseInput (p. 2037)
• Amazon Kinesis Data Analytics Application KinesisStreamsInput (p. 2037)
• Amazon Kinesis Data Analytics Application MappingParameters (p. 2038)
• Amazon Kinesis Data Analytics Application RecordColumn (p. 2039)
• Amazon Kinesis Data Analytics Application RecordFormat (p. 2040)
• Amazon Kinesis Data Analytics ApplicationOutput DestinationSchema (p. 2041)
• Amazon Kinesis Data Analytics ApplicationOutput KinesisFirehoseOutput (p. 2042)
• Amazon Kinesis Data Analytics ApplicationOutput KinesisStreamsOutput (p. 2043)
• Amazon Kinesis Data Analytics ApplicationOutput LambdaOutput (p. 2044)
• Amazon Kinesis Data Analytics ApplicationOutput Output (p. 2045)
• Amazon Kinesis Data Analytics ApplicationReferenceDataSource CSVMappingParameters (p. 2046)
• Amazon Kinesis Data Analytics ApplicationReferenceDataSource JSONMappingParameters (p. 2047)
• Amazon Kinesis Data Analytics ApplicationReferenceDataSource MappingParameters (p. 2048)
• Amazon Kinesis Data Analytics ApplicationReferenceDataSource RecordColumn (p. 2049)
• Amazon Kinesis Data Analytics ApplicationReferenceDataSource RecordFormat (p. 2050)
• Amazon Kinesis Data Analytics ApplicationReferenceDataSource ReferenceDataSource (p. 2051)
• Amazon Kinesis Data Analytics ApplicationReferenceDataSource ReferenceSchema (p. 2052)
• Amazon Kinesis Data Analytics ApplicationReferenceDataSource S3ReferenceDataSource (p. 2053)
• Amazon Kinesis Data Firehose DeliveryStream BuﬀeringHints (p. 2054)
• Amazon Kinesis Data Firehose DeliveryStream CloudWatchLoggingOptions (p. 2055)
• Amazon Kinesis Data Firehose DeliveryStream CopyCommand (p. 2056)
• Amazon Kinesis Data Firehose DeliveryStream ElasticsearchBuﬀeringHints (p. 2057)
• Amazon Kinesis Data Firehose DeliveryStream ElasticsearchDestinationConﬁguration (p. 2058)
• Amazon Kinesis Data Firehose DeliveryStream ElasticsearchRetryOptions (p. 2060)
• Amazon Kinesis Data Firehose DeliveryStream EncryptionConﬁguration (p. 2061)
• Amazon Kinesis Data Firehose DeliveryStream ExtendedS3DestinationConﬁguration (p. 2061)
• Amazon Kinesis Data Firehose DeliveryStream KinesisStreamSourceConﬁguration (p. 2064)
• Amazon Kinesis Data Firehose DeliveryStream KMSEncryptionConﬁg (p. 2065)
• Amazon Kinesis Data Firehose DeliveryStream ProcessingConﬁguration (p. 2065)
• Amazon Kinesis Data Firehose DeliveryStream Processor (p. 2066)
• Amazon Kinesis Data Firehose DeliveryStream ProcessorParameter (p. 2067)
• Amazon Kinesis Data Firehose DeliveryStream RedshiftDestinationConﬁguration (p. 2068)
• Amazon Kinesis Data Firehose DeliveryStream S3DestinationConﬁguration (p. 2070)
• Amazon Kinesis Data Firehose DeliveryStream SplunkDestinationConﬁguration (p. 2072)
• Amazon Kinesis Data Firehose DeliveryStream SplunkRetryOptions (p. 2074)
API Version 2010-05-15
1590

AWS CloudFormation User Guide
Resource Property Types

• AWS Lambda Alias AliasRoutingConﬁguration (p. 2075)
• AWS Lambda Alias VersionWeight (p. 2076)
• AWS Lambda Function DeadLetterConﬁg (p. 2077)
• AWS Lambda Function Environment (p. 2077)
• AWS Lambda Function Code (p. 2078)
• AWS Lambda Function TracingConﬁg (p. 2084)
• AWS Lambda Function VpcConﬁg (p. 2085)
• Name Type (p. 2085)
• AWS OpsWorks App DataSource (p. 2087)
• AWS OpsWorks App Environment (p. 2088)
• AWS OpsWorks AutoScalingThresholds Type (p. 2089)
• AWS OpsWorks ChefConﬁguration Type (p. 2090)
• AWS OpsWorks Layer LifeCycleConﬁguration (p. 2091)
• AWS OpsWorks Layer LifeCycleConﬁguration ShutdownEventConﬁguration (p. 2092)
• AWS OpsWorks LoadBasedAutoScaling Type (p. 2092)
• AWS OpsWorks Instance BlockDeviceMapping (p. 2093)
• AWS OpsWorks Instance BlockDeviceMapping EbsBlockDevice (p. 2094)
• AWS OpsWorks Recipes Type (p. 2096)
• AWS OpsWorks Source Type (p. 2097)
• AWS OpsWorks SslConﬁguration Type (p. 2099)
• AWS OpsWorks Stack ElasticIp (p. 2099)
• AWS OpsWorks Stack RdsDbInstance (p. 2100)
• AWS OpsWorks StackConﬁgurationManager Type (p. 2101)
• AWS OpsWorks TimeBasedAutoScaling Type (p. 2102)
• AWS OpsWorks VolumeConﬁguration Type (p. 2103)
• Amazon Redshift Parameter Type (p. 2104)
• Amazon Redshift LoggingProperties (p. 2105)
• AWS CloudFormation Resource Tags Type (p. 2106)
• Amazon Relational Database Service OptionGroup OptionConﬁguration (p. 2108)
• Amazon Relational Database Service OptionGroup OptionSetting (p. 2110)
• Amazon RDS Security Group Rule (p. 2111)
• Route 53 AliasTarget Property (p. 2112)
• Route 53 Record Set GeoLocation Property (p. 2113)
• Route 53 HealthCheck HealthCheckConﬁg (p. 2114)
• Amazon Route 53 HealthCheck AlarmIdentiﬁer (p. 2118)
• Amazon Route 53 HealthCheck HealthCheckTags (p. 2118)
• Route 53 HostedZoneConﬁg Property (p. 2119)
• Amazon Route 53 HostedZoneTags (p. 2120)
• Route 53 QueryLoggingConﬁg (p. 2120)
• Route 53 HostedZoneVPCs (p. 2121)
• Amazon S3 Bucket AbortIncompleteMultipartUpload (p. 2122)
• Amazon S3 Bucket AccelerateConﬁguration (p. 2122)
• Amazon S3 Bucket AccessControlTranslation (p. 2124)
• Amazon S3 Bucket AnalyticsConﬁguration (p. 2124)
• Amazon S3 Bucket BucketEncryption (p. 2125)
• Amazon S3 Bucket CorsConﬁguration (p. 2126)
API Version 2010-05-15
1591

AWS CloudFormation User Guide
Resource Property Types

• Amazon S3 Bucket CorsRule (p. 2127)
• Amazon S3 Bucket DataExport (p. 2128)
• Amazon S3 Bucket Destination (p. 2129)
• Amazon S3 Bucket EncryptionConﬁguration (p. 2130)
• Amazon S3 Bucket FilterRule (p. 2131)
• Amazon S3 Bucket InventoryConﬁguration (p. 2131)
• Amazon Simple Storage Service Bucket LambdaConﬁguration (p. 2133)
• Amazon S3 Bucket LifecycleConﬁguration (p. 2135)
• Amazon S3 Bucket LoggingConﬁguration (p. 2135)
• Amazon S3 Bucket MetricsConﬁguration (p. 2136)
• Amazon S3 Bucket NoncurrentVersionTransition (p. 2137)
• Amazon S3 Bucket NotiﬁcationConﬁguration (p. 2138)
• Amazon S3 Bucket NotiﬁcationFilter (p. 2139)
• Amazon Simple Storage Service Bucket QueueConﬁguration (p. 2140)
• Amazon S3 Bucket ReplicationConﬁguration (p. 2141)
• Amazon S3 Bucket ReplicationDestination (p. 2141)
• Amazon S3 Bucket ReplicationRule (p. 2143)
• Amazon S3 Bucket Rule (p. 2144)
• Amazon S3 Bucket S3KeyFilter (p. 2147)
• Amazon S3 Bucket ServerSideEncryptionRule (p. 2148)
• Amazon S3 Bucket ServerSideEncryptionByDefault (p. 2148)
• Amazon S3 Bucket SseKmsEncryptedObjects (p. 2149)
• Amazon S3 Bucket SourceSelectionCriteria (p. 2150)
• Amazon S3 Bucket StorageClassAnalysis (p. 2150)
• Amazon S3 Bucket TagFilter (p. 2151)
• Amazon Simple Storage Service Bucket TopicConﬁguration (p. 2152)
• Amazon S3 Bucket Transition (p. 2153)
• Amazon S3 Bucket VersioningConﬁguration (p. 2154)
• Amazon S3 Website Conﬁguration Property (p. 2154)
• Amazon S3 Website Conﬁguration Redirect All Requests To Property (p. 2156)
• Amazon S3 Website Conﬁguration Routing Rules Property (p. 2156)
• Amazon S3 Website Conﬁguration Routing Rules Redirect Rule Property (p. 2157)
• Amazon S3 Website Conﬁguration Routing Rules Routing Rule Condition Property (p. 2158)
• Amazon SageMaker Endpoint Tag (p. 2159)
• Amazon SageMaker EndpointConﬁg ProductionVariant (p. 2160)
• Amazon SageMaker EndpointConﬁg Tag (p. 2161)
• Amazon SageMaker NotebookInstance Tag (p. 2162)
• Amazon SageMaker NotebookInstanceLifecycleConﬁg NotebookInstanceLifecycleHook (p. 2163)
• Amazon SageMaker Model ContainerDeﬁnition (p. 2164)
• Amazon SageMaker Model Tag (p. 2165)
• Amazon SageMaker Model VpcConﬁg (p. 2166)
• AWS Service Catalog CloudFormationProduct ProvisioningArtifactProperties (p. 2167)
• AWS Service Catalog CloudFormationProvisionedProduct ProvisioningParameter (p. 2168)
• Amazon Route 53 ServiceDiscovery DnsConﬁg (p. 2169)
• Amazon Route 53 ServiceDiscovery DnsRecord (p. 2170)
• Amazon Route 53 ServiceDiscovery HealthCheckConﬁg (p. 2171)
API Version 2010-05-15
1592

AWS CloudFormation User Guide
Resource Property Types

• Route 53 ServiceDiscovery Service HealthCheckCustomConﬁg (p. 2172)
• Amazon Simple Email Service ConﬁgurationSetEventDestination CloudWatchDestination (p. 2173)
• Amazon Simple Email Service ConﬁgurationSetEventDestination DimensionConﬁguration (p. 2174)
• Amazon Simple Email Service ConﬁgurationSetEventDestination EventDestination (p. 2175)
• Amazon Simple Email Service ConﬁgurationSetEventDestination
KinesisFirehoseDestination (p. 2177)
• Amazon Simple Email Service ReceiptFilter Filter (p. 2178)
• Amazon Simple Email Service ReceiptFilter IpFilter (p. 2179)
• Amazon Simple Email Service ReceiptRule Action (p. 2180)
• Amazon Simple Email Service ReceiptRule AddHeaderAction (p. 2182)
• Amazon Simple Email Service ReceiptRule BounceAction (p. 2183)
• Amazon Simple Email Service ReceiptRule LambdaAction (p. 2185)
• Amazon Simple Email Service ReceiptRule Rule (p. 2186)
• Amazon Simple Email Service ReceiptRule S3Action (p. 2188)
• Amazon Simple Email Service ReceiptRule SNSAction (p. 2190)
• Amazon Simple Email Service ReceiptRule StopAction (p. 2192)
• Amazon Simple Email Service ReceiptRule WorkmailAction (p. 2193)
• Amazon Simple Email Service Template Template (p. 2194)
• AWS Systems Manager Association InstanceAssociationOutputLocation (p. 2195)
• AWS Systems Manager Association S3OutputLocation (p. 2196)
• AWS Systems Manager Association Targets (p. 2196)
• AWS Systems Manager MaintenanceWindowTarget Targets (p. 2197)
• AWS Systems Manager MaintenanceWindowTask LoggingInfo (p. 2198)
• AWS Systems Manager MaintenanceWindowTask
MaintenanceWindowAutomationParameters (p. 2199)
• AWS Systems Manager MaintenanceWindowTask MaintenanceWindowLambdaParameters (p. 2200)
• AWS Systems Manager MaintenanceWindowTask
MaintenanceWindowRunCommandParameters (p. 2201)
• AWS Systems Manager MaintenanceWindowTask
MaintenanceWindowStepFunctionsParameters (p. 2203)
• AWS Systems Manager MaintenanceWindowTask NotiﬁcationConﬁg (p. 2204)
• AWS Systems Manager MaintenanceWindowTask Target (p. 2205)
• AWS Systems Manager MaintenanceWindowTask TaskInvocationParameters (p. 2206)
• AWS Systems Manager PatchBaseline PatchFilterGroup (p. 2208)
• AWS Systems Manager PatchBaseline Rule (p. 2208)
• AWS Systems Manager PatchBaseline PatchFilter (p. 2210)
• AWS Systems Manager PatchBaseline RuleGroup (p. 2211)
• Amazon SNS Subscription Property Type (p. 2211)
• Amazon SQS RedrivePolicy (p. 2212)
• AWS WAF ByteMatchSet ByteMatchTuples (p. 2213)
• AWS WAF ByteMatchSet ByteMatchTuples FieldToMatch (p. 2214)
• AWS WAF IPSet IPSetDescriptors (p. 2215)
• AWS WAF Rule Predicates (p. 2216)
• AWS WAF SizeConstraintSet SizeConstraint (p. 2217)
• AWS WAF SizeConstraintSet SizeConstraint FieldToMatch (p. 2218)
• AWS WAF SqlInjectionMatchSet SqlInjectionMatchTuples (p. 2219)
API Version 2010-05-15
1593

AWS CloudFormation User Guide
Amazon MQ Broker ConﬁgurationId

• AWS WAF SqlInjectionMatchSet SqlInjectionMatchTuples FieldToMatch (p. 2220)
• AWS WAF XssMatchSet XssMatchTuple (p. 2220)
• AWS WAF XssMatchSet XssMatchTuple FieldToMatch (p. 2221)
• AWS WAF WebACL Action (p. 2222)
• AWS WAF WebACL ActivatedRule (p. 2223)
• AWS WAF Regional ByteMatchSet ByteMatchTuples (p. 2224)
• AWS WAF Regional ByteMatchSet ByteMatchTuples FieldToMatch (p. 2225)
• AWS WAF Regional IPSet IPSetDescriptors (p. 2226)
• AWS WAF Regional Rule Predicates (p. 2227)
• AWS WAF Regional SizeConstraintSet SizeConstraint (p. 2228)
• AWS WAF Regional SizeConstraintSet SizeConstraint FieldToMatch (p. 2229)
• AWS WAF Regional SqlInjectionMatchSet SqlInjectionMatchTuples (p. 2230)
• AWS WAF Regional SqlInjectionMatchSet SqlInjectionMatchTuples FieldToMatch (p. 2231)
• AWS WAF Regional XssMatchSet XssMatchTuple (p. 2231)
• AWS WAF Regional XssMatchSet XssMatchTuple FieldToMatch (p. 2232)
• AWS WAF Regional WebACL Action (p. 2233)
• AWS WAF Regional WebACL Rules (p. 2234)

Amazon MQ Broker ConﬁgurationId
The ConfigurationId property type speciﬁes the unique ID that Amazon MQ generates for the
conﬁguration.
ConfigurationId is a property of the AWS::AmazonMQ::Broker (p. 506) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Id" : String,
"Revision" : Integer

YAML
Id: String
Revision: Integer

Properties
Id
The unique ID that Amazon MQ generates for the conﬁguration.
Required: Yes
Type: String
API Version 2010-05-15
1594

AWS CloudFormation User Guide
Amazon MQ Broker MaintenanceWindow

Update requires: Some interruptions (p. 119)
Revision
The revision number of the conﬁguration.
Required: Yes
Type: Integer
Update requires: Some interruptions (p. 119)

Amazon MQ Broker MaintenanceWindow
The MaintenanceWindow property type speciﬁes the parameters that determine the
WeeklyStartTime for an Amazon MQ broker.
MaintenanceWindow is a property of the AWS::AmazonMQ::Broker (p. 506) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"DayOfWeek" : String,
"TimeOfDay" : String,
"TimeZone" : String

YAML
DayOfWeek: String
TimeOfDay: String
TimeZone: String

Properties
DayOfWeek
The day of the week, for example MONDAY, TUESDAY.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
TimeOfDay
The time, in 24-hour format.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
1595

AWS CloudFormation User Guide
Amazon MQ Broker User

TimeZone
The time zone, UTC by default, in either the Country/City format, or the UTC oﬀset format.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Amazon MQ Broker User
The User property type speciﬁes the details for an Amazon MQ user.
User is a property of the AWS::AmazonMQ::Broker (p. 506) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"ConsoleAccess" : Boolean,
"Groups" : [ String, ... ],
"Password" : String,
"Username" : String

YAML
ConsoleAccess: Boolean
Groups:
- String
Password: String
Username: String

Properties
ConsoleAccess
Enables access to the ActiveMQ Web Console for the ActiveMQ user.
Required: No
Type: Boolean
Update requires: Some interruptions (p. 119)
Groups
The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only
alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be
2-100 characters long.
Required: No
Type: List of String values
API Version 2010-05-15
1596

AWS CloudFormation User Guide
API Gateway ApiKey StageKey

Update requires: Some interruptions (p. 119)
Password
The password of the user. This value must be at least 12 characters long, must contain at least 4
unique characters, and must not contain commas.
Required: Yes
Type: String
Update requires: Some interruptions (p. 119)
Username
The username of the ActiveMQ user. This value can contain only alphanumeric characters, dashes,
periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.
Required: Yes
Type: String
Update requires: Some interruptions (p. 119)

Amazon API Gateway ApiKey StageKey
StageKey is a property of the AWS::ApiGateway::ApiKey (p. 518) resource that speciﬁes the Amazon
API Gateway (API Gateway) stage to associate with the API key. This association allows only clients with
the key to make requests to methods in that stage.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"RestApiId" : String,
"StageName" : String

YAML
RestApiId: String
StageName: String

Properties
RestApiId
The ID of a RestApi resource that includes the stage with which you want to associate the API key.
Required: No
Type: String
StageName
The name of the stage with which to associate the API key. The stage must be included in the
RestApi resource that you speciﬁed in the RestApiId property.
API Version 2010-05-15
1597

AWS CloudFormation User Guide
API Gateway Deployment StageDescription

Required: No
Type: String

Amazon API Gateway Deployment StageDescription
StageDescription is a property of the AWS::ApiGateway::Deployment (p. 528) resource that
conﬁgures an Amazon API Gateway (API Gateway) deployment stage.

Syntax
JSON
{

}

"CacheClusterEnabled" : Boolean,
"CacheClusterSize" : String,
"CacheDataEncrypted" : Boolean,
"CacheTtlInSeconds" : Integer,
"CachingEnabled" : Boolean,
"ClientCertificateId" : String,
"DataTraceEnabled" : Boolean,
"Description" : String,
"DocumentationVersion" : String,
"LoggingLevel" : String,
"MethodSettings" : [ MethodSetting (p. 1600), ... ],
"MetricsEnabled" : Boolean,
"ThrottlingBurstLimit" : Integer,
"ThrottlingRateLimit" : Number,
"Variables" : { String:String, ... }

YAML
CacheClusterEnabled: Boolean
CacheClusterSize: String
CacheDataEncrypted: Boolean
CacheTtlInSeconds: Integer
CachingEnabled: Boolean
ClientCertificateId: String
DataTraceEnabled: Boolean
Description: String
LoggingLevel: String
MethodSettings:
- MethodSetting (p. 1600)
MetricsEnabled: Boolean
ThrottlingBurstLimit: Integer
ThrottlingRateLimit: Number
Variables:
String: String

Properties
CacheClusterEnabled
Indicates whether cache clustering is enabled for the stage.
Required: No
Type: Boolean
API Version 2010-05-15
1598

AWS CloudFormation User Guide
API Gateway Deployment StageDescription

CacheClusterSize
The size of the stage's cache cluster.
Required: No
Type: String
CacheDataEncrypted
Indicates whether the cached responses are encrypted.
Required: No
Type: Boolean
CacheTtlInSeconds
The time-to-live (TTL) period, in seconds, that speciﬁes how long API Gateway caches responses.
Required: No
Type: Integer
CachingEnabled
Indicates whether responses are cached and returned for requests. You must enable a cache cluster
on the stage to cache responses. For more information, see Enable API Gateway Caching in a Stage
to Enhance API Performance in the API Gateway Developer Guide.
Required: No
Type: Boolean
ClientCertificateId
The identiﬁer of the client certiﬁcate that API Gateway uses to call your integration endpoints in the
stage.
Required: No
Type: String
DataTraceEnabled
Indicates whether data trace logging is enabled for methods in the stage. API Gateway pushes these
logs to Amazon CloudWatch Logs.
Required: No
Type: Boolean
Description
A description of the purpose of the stage.
Required: No
Type: String
DocumentationVersion
The version identiﬁer of the API documentation snapshot.
Required: No
API Version 2010-05-15
1599

AWS CloudFormation User Guide
API Gateway Deployment MethodSetting

Type: String
LoggingLevel
The logging level for this method. For valid values, see the loggingLevel property of the Stage
resource in the Amazon API Gateway API Reference.
Required: No
Type: String
MethodSettings
Conﬁgures settings for all of the stage's methods.
Required: No
Type: List of API Gateway Deployment MethodSetting (p. 1600)
MetricsEnabled
Indicates whether Amazon CloudWatch metrics are enabled for methods in the stage.
Required: No
Type: Boolean
ThrottlingBurstLimit
The number of burst requests per second that API Gateway permits across all APIs, stages, and
methods in your AWS account. For more information, see Manage API Request Throttling in the API
Gateway Developer Guide.
Required: No
Type: Integer
ThrottlingRateLimit
The number of steady-state requests per second that API Gateway permits across all APIs, stages,
and methods in your AWS account. For more information, see Manage API Request Throttling in the
API Gateway Developer Guide.
Required: No
Type: Number
Variables
A map that deﬁnes the stage variables. Variable names must consist of alphanumeric characters, and
the values must match the following regular expression: [A-Za-z0-9-._~:/?#&=,]+.
Required: No
Type: Mapping of key-value pairs

Amazon API Gateway Deployment MethodSetting
The MethodSetting property type conﬁgures settings for all methods in an Amazon API Gateway (API
Gateway) stage.
The MethodSettings property of the Amazon API Gateway Deployment StageDescription (p. 1598)
property type contains a list of MethodSetting property types.
API Version 2010-05-15
1600

AWS CloudFormation User Guide
API Gateway Deployment MethodSetting

Syntax
JSON
{

}

"CacheDataEncrypted" : Boolean,
"CacheTtlInSeconds" : Integer,
"CachingEnabled" : Boolean,
"DataTraceEnabled" : Boolean,
"HttpMethod" : String,
"LoggingLevel" : String,
"MetricsEnabled" : Boolean,
"ResourcePath" : String,
"ThrottlingBurstLimit" : Integer,
"ThrottlingRateLimit" : Number

YAML
CacheDataEncrypted: Boolean
CacheTtlInSeconds: Integer
CachingEnabled: Boolean
DataTraceEnabled: Boolean
HttpMethod: String
LoggingLevel: String
MetricsEnabled: Boolean
ResourcePath: String
ThrottlingBurstLimit: Integer
ThrottlingRateLimit: Number

Properties
CacheDataEncrypted
Indicates whether the cached responses are encrypted.
Required: No
Type: Boolean
CacheTtlInSeconds
The time-to-live (TTL) period, in seconds, that speciﬁes how long API Gateway caches responses.
Required: No
Type: Integer
CachingEnabled
Indicates whether responses are cached and returned for requests. You must enable a cache cluster
on the stage to cache responses. For more information, see Enable API Gateway Caching in a Stage
to Enhance API Performance in the API Gateway Developer Guide.
Required: No
Type: Boolean
DataTraceEnabled
Indicates whether data trace logging is enabled for methods in the stage. API Gateway pushes these
logs to Amazon CloudWatch Logs.
API Version 2010-05-15
1601

AWS CloudFormation User Guide
API Gateway DocumentationPart Location

Required: No
Type: Boolean
HttpMethod
The HTTP method.
Required: No
Type: String
LoggingLevel
The logging level for this method. For valid values, see the loggingLevel property of the Stage
resource in the Amazon API Gateway API Reference.
Required: No
Type: String
MetricsEnabled
Indicates whether Amazon CloudWatch metrics are enabled for methods in the stage.
Required: No
Type: Boolean
ResourcePath
The resource path for this method. Forward slashes (/) are encoded as ~1 and the initial slash must
include a forward slash. For example, the path value /resource/subresource must be encoded
as /~1resource~1subresource. To specify the root path, use only a slash (/).
Required: No
Type: String
ThrottlingBurstLimit
The number of burst requests per second that API Gateway permits across all APIs, stages, and
methods in your AWS account. For more information, see Manage API Request Throttling in the API
Gateway Developer Guide.
Required: No
Type: Integer
ThrottlingRateLimit
The number of steady-state requests per second that API Gateway permits across all APIs, stages,
and methods in your AWS account. For more information, see Manage API Request Throttling in the
API Gateway Developer Guide.
Required: No
Type: Number

Amazon API Gateway DocumentationPart Location
The Location property speciﬁes the location of the Amazon API Gateway
API entity that the documentation applies to. Location is a property of the
AWS::ApiGateway::DocumentationPart (p. 531) resource.
API Version 2010-05-15
1602

AWS CloudFormation User Guide
API Gateway DocumentationPart Location

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Method" : String,
"Name" : String,
"Path" : String,
"StatusCode" : String,
"Type" : String

YAML
Method: String
Name: String
Path: String
StatusCode: String
Type: String

Properties
Note

For more information about each property, including constraints and valid values, see
DocumentationPart in the Amazon API Gateway REST API Reference.
Method
The HTTP verb of a method.
Required: No
Type: String
Update requires: Replacement (p. 119)
Name
The name of the targeted API entity.
Required: No
Type: String
Update requires: Replacement (p. 119)
Path
The URL path of the target.
Required: No
Type: String
Update requires: Replacement (p. 119)
StatusCode
The HTTP status code of a response.
Required: No
API Version 2010-05-15
1603

AWS CloudFormation User Guide
API Gateway DomainName EndpointConﬁguration

Type: String
Update requires: Replacement (p. 119)
Type
The type of API entity that the documentation content applies to.
Required: No
Type: String
Update requires: Replacement (p. 119)

Amazon API Gateway DomainName
EndpointConﬁguration
The EndpointConfiguration property type speciﬁes the endpoint types of an Amazon API Gateway
domain name.
EndpointConfiguration is a property of the AWS::ApiGateway::DomainName (p. 538) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Types" : [ String, ... ]

YAML
Types:
- String

Properties
Types
A list of endpoint types of an API or its custom domain name. For an edge-optimized API and its
custom domain name, the endpoint type is EDGE. For a regional API and its custom domain name,
the endpoint type is REGIONAL.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

Amazon API Gateway Method Integration
Integration is a property of the AWS::ApiGateway::Method (p. 548) resource that speciﬁes
information about the target backend that an Amazon API Gateway (API Gateway) method calls.
API Version 2010-05-15
1604

AWS CloudFormation User Guide
API Gateway Method Integration

Syntax
JSON
{

}

"CacheKeyParameters" : [ String, ... ],
"CacheNamespace" : String,
"ContentHandling" : String,
"Credentials" : String,
"IntegrationHttpMethod" : String,
"IntegrationResponses" : [ IntegrationResponse (p. 1607), ... ],
"PassthroughBehavior" : String,
"RequestParameters" : { String:String, ... },
"RequestTemplates" : { String:String, ... },
"Type" : String,
"Uri" : String

YAML
CacheKeyParameters:
- String
CacheNamespace: String
ContentHandling: String
Credentials: String
IntegrationHttpMethod: String
IntegrationResponses:
IntegrationResponse (p. 1607)
PassthroughBehavior: String
RequestParameters:
String: String
RequestTemplates:
String: String
Type: String
Uri: String

Properties
CacheKeyParameters
A list of request parameters whose values API Gateway caches.
Required: No
Type: List of String values
CacheNamespace
An API-speciﬁc tag group of related cached parameters.
Required: No
Type: String
ContentHandling
Speciﬁes how to handle request payload content type conversions. Valid values are:
• CONVERT_TO_BINARY: Converts a request payload from a base64-encoded string to a binary blob.
• CONVERT_TO_TEXT: Converts a request payload from a binary blob to a base64-encoded string.
API Version 2010-05-15
1605

AWS CloudFormation User Guide
API Gateway Method Integration

If this property isn't deﬁned, the request payload is passed through from the method request to the
integration request without modiﬁcation, provided that the PassthroughBehaviors property is
conﬁgured to support payload pass-through.
Required: No
Type: String
Update requires: No interruption (p. 118)
Credentials
The credentials that are required for the integration. To specify an AWS Identity and Access
Management (IAM) role that API Gateway assumes, specify the role's Amazon Resource
Name (ARN). To require that the caller's identity be passed through from the request, specify
arn:aws:iam::*:user/*.
To use resource-based permissions on the AWS Lambda (Lambda) function, don't specify this
property. Use the AWS::Lambda::Permission (p. 1263) resource to permit API Gateway to call the
function. For more information, see Allow Amazon API Gateway to Invoke a Lambda Function in the
AWS Lambda Developer Guide.
Required: No
Type: String
IntegrationHttpMethod
The integration's HTTP method type.
Required: Conditional. For the Type property, if you specify MOCK, this property is optional. For all
other types, you must specify this property.
Type: String
IntegrationResponses
The response that API Gateway provides after a method's backend completes processing a request.
API Gateway intercepts the response from the backend so that you can control how API Gateway
surfaces backend responses. For example, you can map the backend status codes to codes that you
deﬁne.
Required: No
Type: List of Amazon API Gateway Method Integration IntegrationResponse (p. 1607) property types
PassthroughBehavior
Indicates when API Gateway passes requests to the targeted backend. This behavior depends on the
request's Content-Type header and whether you deﬁned a mapping template for it.
For more information and valid values, see the passthroughBehavior ﬁeld in the API Gateway API
Reference.
Required: No
Type: String
RequestParameters
The request parameters that API Gateway sends with the backend request. Specify request
parameters as key-value pairs (string-to-string mappings), with a destination as the key and a source
as the value.
Specify the destination by using the following pattern integration.request.location.name,
where location is querystring, path, or header, and name is a valid, unique parameter name.
API Version 2010-05-15
1606

AWS CloudFormation User Guide
API Gateway Method Integration IntegrationResponse

The source must be an existing method request parameter or a static value. You must enclose static
values in single quotation marks and pre-encode these values based on their destination in the
request.
Required: No
Type: Mapping of key-value pairs
RequestTemplates
A map of Apache Velocity templates that are applied on the request payload. The template that API
Gateway uses is based on the value of the Content-Type header that's sent by the client. The content
type value is the key, and the template is the value (speciﬁed as a string), such as the following
snippet:
"application/json": "{\n

\"statusCode\": \"200\"\n}"

For more information about templates, see API Gateway API Request and Response PayloadMapping Template Reference in the API Gateway Developer Guide.
Required: No
Type: Mapping of key-value pairs
Type
The type of backend that your method is running, such as HTTP or MOCK. For all of the valid values,
see the type property for the Integration resource in the Amazon API Gateway REST API
Reference.
Required: Yes
Type: String
Uri
The Uniform Resource Identiﬁer (URI) for the integration.
If you specify HTTP for the Type property, specify the API endpoint URL.
If you specify MOCK for the Type property, don't specify this property.
If you specify AWS for the Type property, specify an AWS service that follows this
form: arn:aws:apigateway:region:subdomain.service|service:path|
action/service_api. For example, a Lambda function URI follows this form:
arn:aws:apigateway:region:lambda:path/path. The path is usually in the form
/2015-03-31/functions/LambdaFunctionARN/invocations. For more information, see the
uri property of the Integration resource in the Amazon API Gateway REST API Reference.
Required: Conditional. If you speciﬁed HTTP or AWS for the Type property, you must specify this
property.
Type: String

Amazon API Gateway Method Integration
IntegrationResponse
IntegrationResponse is a property of the Amazon API Gateway Method Integration (p. 1604)
property type that speciﬁes the response that Amazon API Gateway (API Gateway) sends after a
method's backend ﬁnishes processing a request.
API Version 2010-05-15
1607

AWS CloudFormation User Guide
API Gateway Method Integration IntegrationResponse

Syntax
JSON
{

}

"ContentHandling" : String,
"ResponseParameters" : { String:String, ... },
"ResponseTemplates" : { String:String, ... },
"SelectionPattern" : String,
"StatusCode" : String

YAML
ContentHandling: String
ResponseParameters:
String: String
ResponseTemplates:
String: String
SelectionPattern: String
StatusCode: String

Properties
ContentHandling
Speciﬁes how to handle request payload content type conversions. Valid values are:
• CONVERT_TO_BINARY: Converts a request payload from a base64-encoded string to a binary blob.
• CONVERT_TO_TEXT: Converts a request payload from a binary blob to a base64-encoded string.
If this property isn't deﬁned, the request payload is passed through from the method request to the
integration request without modiﬁcation.
Required: No
Type: String
Update requires: No interruption (p. 118)
ResponseParameters
The response parameters from the backend response that API Gateway sends to the method
response. Specify response parameters as key-value pairs (string-to-string mappings (p. 182)).
Use the destination as the key and the source as the value:
• The destination must be an existing response parameter in the MethodResponse (p. 1609)
property.
• The source must be an existing method request parameter or a static value. You must enclose
static values in single quotation marks and pre-encode these values based on the destination
speciﬁed in the request.
For more information, see API Gateway API Request and Response Parameter-Mapping Reference in
the API Gateway Developer Guide.
Required: No
Type: Mapping of key-value pairs
API Version 2010-05-15
1608

AWS CloudFormation User Guide
API Gateway Method MethodResponse

ResponseTemplates
The templates that are used to transform the integration response body. Specify templates as keyvalue pairs (string-to-string mappings), with a content type as the key and a template as the value.
For more information, see API Gateway API Request and Response Payload-Mapping Template
Reference in the API Gateway Developer Guide.
Required: No
Type: Mapping of key-value pairs
SelectionPattern
A regular expression (p. 458) that speciﬁes which error strings or status codes from the backend map
to the integration response.
Required: No
Type: String
StatusCode
The status code that API Gateway uses to map the integration response to a
MethodResponse (p. 1609) status code.
Required: Yes
Type: String

Amazon API Gateway Method MethodResponse
MethodResponse is a property of the AWS::ApiGateway::Method (p. 548) resource that deﬁnes the
responses that can be sent to the client who calls an Amazon API Gateway (API Gateway) method.

Syntax
JSON
{

}

"ResponseModels" : { String:String, ... },
"ResponseParameters" : { String:Boolean, ... },
"StatusCode" : String

YAML
ResponseModels:
String: String
ResponseParameters:
String: Boolean
StatusCode: String

Properties
ResponseModels
The resources used for the response's content type. Specify response models as key-value pairs
(string-to-string maps), with a content type as the key and a Model (p. 556) resource name as the
value.
API Version 2010-05-15
1609

AWS CloudFormation User Guide
API Gateway RestApi S3Location

Required: No
Type: Mapping of key-value pairs
ResponseParameters
Response parameters that API Gateway sends to the client that called a method. Specify
response parameters as key-value pairs (string-to-Boolean maps), with a destination as
the key and a Boolean as the value. Specify the destination using the following pattern:
method.response.header.name, where the name is a valid, unique header name. The Boolean
speciﬁes whether a parameter is required.
Required: No
Type: Mapping of key-value pairs
StatusCode
The method response's status code, which you map to an IntegrationResponse (p. 1607).
Required: Yes
Type: String

Amazon API Gateway RestApi S3Location
S3Location is a property of the AWS::ApiGateway::RestApi (p. 563) resource that speciﬁes the
Amazon Simple Storage Service (Amazon S3) location of a OpenAPI (formerly Swagger) ﬁle that deﬁnes
a set of RESTful APIs in JSON or YAML for an Amazon API Gateway (API Gateway) RestApi.

Note

On January 1, 2016, the Swagger Speciﬁcation was donated to the OpenAPI initiative, becoming
the foundation of the OpenAPI Speciﬁcation.

Syntax
JSON
{

}

"Bucket" : String,
"ETag" : String,
"Key" : String,
"Version" : String

YAML
Bucket: String
ETag: String
Key: String
Version: String

Properties
Bucket
The name of the S3 bucket where the OpenAPI ﬁle is stored.
API Version 2010-05-15
1610

AWS CloudFormation User Guide
API Gateway RestApi EndpointConﬁguration

Required: No
Type: String
ETag
The Amazon S3 ETag (a ﬁle checksum) of the OpenAPI ﬁle. If you don't specify a value, API Gateway
skips ETag validation of your OpenAPI ﬁle.
Required: No
Type: String
Key
The ﬁle name of the OpenAPI ﬁle (Amazon S3 object name).
Required: No
Type: String
Version
For versioning-enabled buckets, a speciﬁc version of the OpenAPI ﬁle.
Required: No
Type: String

Amazon API Gateway RestApi EndpointConﬁguration
The EndpointConfiguration property type speciﬁes the endpoint types of an Amazon API Gateway
REST API.
EndpointConfiguration is a property of the AWS::ApiGateway::RestApi (p. 563) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Types" : [ String, ... ]

YAML
Types:
- String

Properties
Types
A list of endpoint types of an API or its custom domain name. Valid values include:
• EDGE: For an edge-optimized API and its custom domain name.
API Version 2010-05-15
1611

AWS CloudFormation User Guide
API Gateway Stage MethodSetting

• REGIONAL: For a regional API and its custom domain name.
• PRIVATE : For a private API and its custom domain name.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

See Also
• endpointConﬁguration in the API Gateway API Reference

Amazon API Gateway Stage MethodSetting
The MethodSetting property type conﬁgures settings for all methods in an Amazon API Gateway (API
Gateway) stage.
The MethodSettings property of the AWS::ApiGateway::Stage (p. 570) resource contains a list of
MethodSetting property types.

Syntax
JSON
{

}

"CacheDataEncrypted" : Boolean,
"CacheTtlInSeconds" : Integer,
"CachingEnabled" : Boolean,
"DataTraceEnabled" : Boolean,
"HttpMethod" : String,
"LoggingLevel" : String,
"MetricsEnabled" : Boolean,
"ResourcePath" : String,
"ThrottlingBurstLimit" : Integer,
"ThrottlingRateLimit" : Number

YAML
CacheDataEncrypted: Boolean
CacheTtlInSeconds: Integer
CachingEnabled: Boolean
DataTraceEnabled: Boolean
HttpMethod: String
LoggingLevel: String
MetricsEnabled: Boolean
ResourcePath: String
ThrottlingBurstLimit: Integer
ThrottlingRateLimit: Number

Properties
CacheDataEncrypted
Indicates whether the cached responses are encrypted.
API Version 2010-05-15
1612

AWS CloudFormation User Guide
API Gateway Stage MethodSetting

Required: No
Type: Boolean
CacheTtlInSeconds
The time-to-live (TTL) period, in seconds, that speciﬁes how long API Gateway caches responses.
Required: No
Type: Integer
CachingEnabled
Indicates whether responses are cached and returned for requests. You must enable a cache cluster
on the stage to cache responses.
Required: No
Type: Boolean
DataTraceEnabled
Indicates whether data trace logging is enabled for methods in the stage. API Gateway pushes these
logs to Amazon CloudWatch Logs.
Required: No
Type: Boolean
HttpMethod
The HTTP method.
Required: Yes
Type: String
LoggingLevel
The logging level for this method. For valid values, see the loggingLevel property of the Stage
resource in the Amazon API Gateway API Reference.
Required: No
Type: String
MetricsEnabled
Indicates whether Amazon CloudWatch metrics are enabled for methods in the stage.
Required: No
Type: Boolean
ResourcePath
The resource path for this method. Forward slashes (/) are encoded as ~1 and the initial slash must
include a forward slash. For example, the path value /resource/subresource must be encoded
as /~1resource~1subresource. To specify the root path, use only a slash (/). You can use * as a
wildcard to apply method settings to multiple methods.
Required: Yes
Type: String
API Version 2010-05-15
1613

AWS CloudFormation User Guide
API Gateway UsagePlan ApiStage

ThrottlingBurstLimit
The number of burst requests per second that API Gateway permits across all APIs, stages, and
methods in your AWS account. For more information, see Manage API Request Throttling in the API
Gateway Developer Guide.
Required: No
Type: Integer
ThrottlingRateLimit
The number of steady-state requests per second that API Gateway permits across all APIs, stages,
and methods in your AWS account. For more information, see Manage API Request Throttling in the
API Gateway Developer Guide.
Required: No
Type: Number

Amazon API Gateway UsagePlan ApiStage
ApiStage is a property of the AWS::ApiGateway::UsagePlan (p. 574) resource that speciﬁes which
Amazon API Gateway (API Gateway) stages and APIs to associate with a usage plan.

Syntax
JSON
{
}

"ApiId" : String,
"Stage" : String

YAML
ApiId: String
Stage: String

Properties
ApiId
The ID of an API that is in the speciﬁed Stage property that you want to associate with the usage
plan.
Required: No
Type: String
Stage
The name of an API Gateway stage to associate with the usage plan.
Required: No
Type: String
API Version 2010-05-15
1614

AWS CloudFormation User Guide
API Gateway UsagePlan QuotaSettings

Amazon API Gateway UsagePlan QuotaSettings
QuotaSettings is a property of the AWS::ApiGateway::UsagePlan (p. 574) resource that speciﬁes the
maximum number of requests users can make to your Amazon API Gateway (API Gateway) APIs.

Syntax
JSON
{

}

"Limit" : Integer,
"Offset" : Integer,
"Period" : String

YAML
Limit: Integer
Offset: Integer
Period: String

Properties
Limit
The maximum number of requests that users can make within the speciﬁed time period.
Required: No
Type: Integer
Offset
For the initial time period, the number of requests to subtract from the speciﬁed limit. When you
ﬁrst implement a usage plan, the plan might start in the middle of the week or month. With this
property, you can decrease the limit for this initial time period.
Required: No
Type: Integer
Period
The time period for which the maximum limit of requests applies, such as DAY or WEEK. For valid
values, see the period property for the UsagePlan resource in the Amazon API Gateway REST API
Reference.
Required: No
Type: String

Amazon API Gateway UsagePlan ThrottleSettings
ThrottleSettings is a property of the AWS::ApiGateway::UsagePlan (p. 574) resource that speciﬁes
the overall request rate (average requests per second) and burst capacity when users call your Amazon
API Gateway (API Gateway) APIs.
API Version 2010-05-15
1615

AWS CloudFormation User Guide
Application Auto Scaling ScalingPolicy
CustomizedMetricSpeciﬁcation

Syntax
JSON
{
}

"BurstLimit" : Integer,
"RateLimit" : Number

YAML
BurstLimit: Integer
RateLimit: Number

Properties
BurstLimit
The maximum API request rate limit over a time ranging from one to a few seconds. The maximum
API request rate limit depends on whether the underlying token bucket is at its full capacity. For
more information about request throttling, see Manage API Request Throttling in the API Gateway
Developer Guide.
Required: No
Type: Integer
RateLimit
The API request steady-state rate limit (average requests per second over an extended period of
time). For more information about request throttling, see Manage API Request Throttling in the API
Gateway Developer Guide.
Required: No
Type: Number

Application Auto Scaling ScalingPolicy
CustomizedMetricSpeciﬁcation
The CustomizedMetricSpecification property conﬁgures a customized metric for a target tracking
policy in Application Auto Scaling. CustomizedMetricSpecification is a subproperty of the
Application Auto Scaling ScalingPolicy TargetTrackingScalingPolicyConﬁguration (p. 1622) property.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Dimensions" : [ MetricDimension (p. 1618), ...],
"MetricName" : String,
"Namespace" : String,
"Statistic" : String,

API Version 2010-05-15
1616

AWS CloudFormation User Guide
Application Auto Scaling ScalingPolicy
CustomizedMetricSpeciﬁcation
}

"Unit" : String

YAML
Dimensions:
- MetricDimension (p. 1618)
MetricName: String
Namespace: String
Statistic: String
Unit: String

Properties
Dimensions
The dimensions of the metric. Duplicates not allowed.
Required: No
Type: List of Application Auto Scaling ScalingPolicy MetricDimension (p. 1618)
Update requires: No interruption (p. 118)
MetricName
The name of the metric.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Namespace
The namespace of the metric.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Statistic
The statistic of the metric.
For valid values, see CustomizedMetricSpeciﬁcation in the Application Auto Scaling API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Unit
The unit of the metric.
Required: No
Type: String
API Version 2010-05-15
1617

AWS CloudFormation User Guide
Application Auto Scaling ScalingPolicy MetricDimension

Update requires: No interruption (p. 118)

Application Auto Scaling ScalingPolicy
MetricDimension
Use the MetricDimension property to specify the dimension of a metric for a target tracking policy in
Application Auto Scaling. The Dimensions subproperty of the Application Auto Scaling ScalingPolicy
CustomizedMetricSpeciﬁcation (p. 1616) property contains a list of MetricDimension property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Name" : String,
"Value" : String

YAML
Name: String
Value: String

Properties
Name
The name of the dimension.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Value
The value of the dimension.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Application Auto Scaling ScalingPolicy
PredeﬁnedMetricSpeciﬁcation
Use the PredefinedMetricSpecification property to conﬁgure a predeﬁned metric for a target
tracking policy in Application Auto Scaling. PredefinedMetricSpecification is a subproperty of the
Application Auto Scaling ScalingPolicy TargetTrackingScalingPolicyConﬁguration (p. 1622) property.
API Version 2010-05-15
1618

AWS CloudFormation User Guide
Application Auto Scaling ScalingPolicy
StepScalingPolicyConﬁguration

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"PredefinedMetricType" : String,
"ResourceLabel" : String

YAML
PredefinedMetricType: String
ResourceLabel: String

Properties
For more information about each property, including constraints and valid values, see
PredeﬁnedMetricSpeciﬁcation in the Application Auto Scaling API Reference.
PredefinedMetricType
The metric type.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ResourceLabel
This property is reserved for future use.
Required: No
Type: String
Update requires: No interruption (p. 118)

Application Auto Scaling ScalingPolicy
StepScalingPolicyConﬁguration
StepScalingPolicyConfiguration is a property of the
AWS::ApplicationAutoScaling::ScalingPolicy (p. 594) resource that conﬁgures when Application Auto
Scaling scales resources up or down, and by how much.

Syntax
JSON
{

"AdjustmentType" : String,

API Version 2010-05-15
1619

AWS CloudFormation User Guide
Application Auto Scaling ScalingPolicy
StepScalingPolicyConﬁguration

}

"Cooldown" : Integer,
"MetricAggregationType" : String,
"MinAdjustmentMagnitude" : Integer,
"StepAdjustments" : [ StepAdjustment (p. 1621), ... ]

YAML
AdjustmentType: String
Cooldown: Integer
MetricAggregationType: String
MinAdjustmentMagnitude: Integer
StepAdjustments:
StepAdjustment

Properties
AdjustmentType
Speciﬁes whether the ScalingAdjustment value in the StepAdjustment property is an absolute
number or a percentage of the current capacity. For valid values, see the AdjustmentType content
for the StepScalingPolicyConﬁguration data type in the Application Auto Scaling API Reference.
Required: No
Type: String
Cooldown
The amount of time, in seconds, after a scaling activity completes before any further triggerrelated scaling activities can start. For more information, see the Cooldown content for the
StepScalingPolicyConﬁguration data type in the Application Auto Scaling API Reference.
Required: No
Type: Integer
MetricAggregationType
The aggregation type for the CloudWatch metrics. You can specify Minimum, Maximum, or Average.
By default, AWS CloudFormation speciﬁes Average. For more information, see Aggregation in the
Amazon CloudWatch User Guide.
Required: No
Type: String
MinAdjustmentMagnitude
The minimum number of resources to adjust when a scaling activity is triggered. If you specify
PercentChangeInCapacity for the adjustment type, the scaling policy scales the target by this
amount.
Required: No
Type: Integer
StepAdjustments
A set of adjustments that enable you to scale based on the size of the alarm breach.
Required: No
API Version 2010-05-15
1620

AWS CloudFormation User Guide
Application Auto Scaling ScalingPolicy
StepScalingPolicyConﬁguration StepAdjustment

Type: List of Application Auto Scaling ScalingPolicy StepScalingPolicyConﬁguration
StepAdjustment (p. 1621)

Application Auto Scaling ScalingPolicy
StepScalingPolicyConﬁguration StepAdjustment
StepAdjustment is a property of the Application Auto Scaling ScalingPolicy
StepScalingPolicyConﬁguration (p. 1619) property that conﬁgures a scaling adjustment based on the
diﬀerence between the value of the aggregated CloudWatch metric and the breach threshold that you've
deﬁned for the alarm (the size of the breach). For more information, see Step Adjustments in the Amazon
EC2 Auto Scaling User Guide.

Syntax
JSON
{

}

"MetricIntervalLowerBound" : Number,
"MetricIntervalUpperBound" : Number,
"ScalingAdjustment" : Integer

YAML
MetricIntervalLowerBound: Number
MetricIntervalUpperBound: Number
ScalingAdjustment: Integer

Properties
MetricIntervalLowerBound
The lower bound of the breach size. The lower bound is the diﬀerence between the breach threshold
and the aggregated CloudWatch metric value. If the metric value is within the lower and upper
bounds, Application Auto Scaling triggers this step adjustment.
If the metric value is above the breach threshold, the metric must be greater than or equal to the
threshold plus the lower bound to trigger this step adjustment (the metric value is inclusive). If the
metric value is below the breach threshold, the metric must be greater than the threshold plus the
lower bound to trigger this step adjustment (the metric value is exclusive). A null value indicates
negative inﬁnity.
Required: Conditional. You must specify at least one upper or lower bound.
Type: Number
MetricIntervalUpperBound
The upper bound of the breach size. The upper bound is the diﬀerence between the breach
threshold and the CloudWatch metric value. If the metric value is within the lower and upper
bounds, Application Auto Scaling triggers this step adjustment.
If the metric value is above the breach threshold, the metric must be less than the threshold plus
the upper bound to trigger this step adjustment (the metric value is exclusive). If the metric value is
below the breach threshold, the metric must be less than or equal to the threshold plus the upper
API Version 2010-05-15
1621

AWS CloudFormation User Guide
Application Auto Scaling ScalingPolicy
TargetTrackingScalingPolicyConﬁguration

bound to trigger this step adjustment (the metric value is inclusive). A null value indicates positive
inﬁnity.
Required: Conditional. You must specify at least one upper or lower bound.
Type: Number
ScalingAdjustment
The amount by which to scale. The adjustment is based on the value that you speciﬁed in the
AdjustmentType property (either an absolute number or a percentage). A positive value adds to
the current capacity and a negative number subtracts from the current capacity.
Required: Yes
Type: Integer

Application Auto Scaling ScalingPolicy
TargetTrackingScalingPolicyConﬁguration
Use the TargetTrackingScalingPolicyConfiguration property to conﬁgure
a target tracking scaling policy. Use it to adjust upward or downward in response
to actual workloads, so that capacity utilization remains at or near your target
utilization. TargetTrackingScalingPolicyConfiguration is a property of the
AWS::ApplicationAutoScaling::ScalingPolicy (p. 594) resource. For more information, see
PutScalingPolicy in the Application Auto Scaling API Reference.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"CustomizedMetricSpecification" : CustomizedMetricSpecification (p. 1616),
"DisableScaleIn" : Boolean,
"PredefinedMetricSpecification" : PredefinedMetricSpecification (p. 1618),
"ScaleInCooldown" : Integer,
"ScaleOutCooldown" : Integer,
"TargetValue" : Double

YAML
CustomizedMetricSpecification:
CustomizedMetricSpecification (p. 1616)
PredefinedMetricSpecification:
PredefinedMetricSpecification (p. 1618)
DisableScaleIn: Boolean
ScaleInCooldown: Integer
ScaleOutCooldown: Integer
TargetValue: Double

Properties
For more information about each property, including constraints and valid values, see
TargetTrackingScalingPolicyConﬁguration in the Application Auto Scaling API Reference.
API Version 2010-05-15
1622

AWS CloudFormation User Guide
Application Auto Scaling ScalingPolicy
TargetTrackingScalingPolicyConﬁguration

CustomizedMetricSpecification
This property is reserved for future use.
Required: No
Type: Application Auto Scaling ScalingPolicy CustomizedMetricSpeciﬁcation (p. 1616)
Update requires: No interruption (p. 118)
DisableScaleIn
Indicates whether scale in by the target tracking policy is disabled. If the value is true, scale in is
disabled and the target tracking policy won't remove capacity from the scalable resource. Otherwise,
scale in is enabled and the target tracking policy can remove capacity from the scalable resource.
The default value is false.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
PredefinedMetricSpecification
A predeﬁned metric.
Required: No
Type: Application Auto Scaling ScalingPolicy PredeﬁnedMetricSpeciﬁcation (p. 1618)
Update requires: No interruption (p. 118)
ScaleInCooldown
The amount of time, in seconds, after a scale in activity completes before another scale in activity
can start.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
ScaleOutCooldown
The amount of time, in seconds, after a scale out activity completes before another scale out activity
can start.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
TargetValue
The target value for the metric.
Required: Yes
Type: Double
Update requires: No interruption (p. 118)
API Version 2010-05-15
1623

AWS CloudFormation User Guide
Application Auto Scaling
ScalableTarget ScalableTargetAction

Application Auto Scaling ScalableTarget
ScalableTargetAction
The ScalableTargetAction property type speciﬁes the minimum and maximum capacity of a
scheduled action for an Application Auto Scaling scalable target.
ScalableTargetAction is a property of the Application Auto Scaling ScalableTarget
ScheduledAction (p. 1624) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"MaxCapacity" : Integer,
"MinCapacity" : Integer

YAML
MaxCapacity: Integer
MinCapacity: Integer

Properties
MaxCapacity
The maximum capacity.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
MinCapacity
The minimum capacity.
Required: No
Type: Integer
Update requires: No interruption (p. 118)

Application Auto Scaling ScalableTarget
ScheduledAction
The ScheduledAction property type speciﬁes a scheduled action for an Application Auto Scaling
scalable target.
API Version 2010-05-15
1624

AWS CloudFormation User Guide
Application Auto Scaling ScalableTarget ScheduledAction

The ScheduledActions property of the AWS::ApplicationAutoScaling::ScalableTarget (p. 581)
resource contains a list of ScheduledAction property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"EndTime" : Timestamp,
"ScalableTargetAction" : ScalableTargetAction (p. 1624),
"Schedule" : String,
"ScheduledActionName" : String,
"StartTime" : Timestamp

YAML
EndTime: Timestamp
ScalableTargetAction:
ScalableTargetAction (p. 1624)
Schedule: String
ScheduledActionName: String
StartTime: Timestamp

Properties
EndTime
The date and time that the action is scheduled to end.
Required: No
Type: Timestamp
Update requires: No interruption (p. 118)
ScalableTargetAction
The new minimum and maximum capacity. You can set both values or just one. During the scheduled
time, if the current capacity is below the minimum capacity, Application Auto Scaling scales out
to the minimum capacity. If the current capacity is above the maximum capacity, Application Auto
Scaling scales in to the maximum capacity.
Required: No
Type: Application Auto Scaling ScalableTarget ScalableTargetAction (p. 1624)
Update requires: No interruption (p. 118)
Schedule
The schedule for this action. The following formats are supported:
• At expressions - at(yyyy-mm-ddThh:mm:ss)
At expressions are useful for one-time schedules. Specify the time in UTC.
• Rate expressions - rate(value unit)
API Version 2010-05-15
1625

AWS CloudFormation User Guide
AWS AppSync DataSource DynamoDBConﬁg

For rate expressions, value is a positive integer, and unit is minute, minutes, hour, hours,
day, or days.
• Cron expressions - cron(fields)
For more information about cron expressions, see Cron.
For constraints, see the ScheduledAction data type in the Application Auto Scaling API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ScheduledActionName
The name of the scheduled action. For constraints, see the ScheduledAction data type in the
Application Auto Scaling API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
StartTime
The date and time that the action is scheduled to begin.
Required: No
Type: Timestamp
Update requires: No interruption (p. 118)

See Also
• ScheduledAction data type in the Application Auto Scaling API Reference

AWS AppSync DataSource DynamoDBConﬁg
The DynamoDBConfig property type speciﬁes the AwsRegion and TableName for an Amazon DynamoDB
table in your account for an AWS AppSync data source.
DynamoDBConfig is a property of the AWS::AppSync::DataSource (p. 604) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"TableName" : String,
"AwsRegion" : String,
"UseCallerCredentials" : Boolean

API Version 2010-05-15
1626

AWS CloudFormation User Guide
AWS AppSync DataSource HttpConﬁg

YAML
TableName: String
AwsRegion: String
UseCallerCredentials: Boolean

Properties
TableName
The table name.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
AwsRegion
The AWS region.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
UseCallerCredentials
Set to TRUE to use Amazon Cognito credentials with this data source.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)

See Also
• DynamodbDataSourceConﬁg operation in the AWS AppSync API Reference

AWS AppSync DataSource HttpConﬁg
Use the HttpConfig property type to specify HttpConﬁg for an AWS AppSync data source.
HttpConfig is a property of the AWS::AppSync::DataSource (p. 604) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Endpoint" : String

API Version 2010-05-15
1627

AWS CloudFormation User Guide
AWS AppSync DataSource ElasticsearchConﬁg
}

YAML
Endpoint: String

Properties
Endpoint
The endpoint.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• HttpDataSourceConﬁg operation in the AWS AppSync API Reference

AWS AppSync DataSource ElasticsearchConﬁg
The ElasticsearchConfig property type speciﬁes the AwsRegion and Endpoints for an Amazon
Elasticsearch Service domain in your account for an AWS AppSync data source.
ElasticsearchConfig is a property of the AWS::AppSync::DataSource (p. 604) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"AwsRegion" : String,
"Endpoint" : String

YAML
AwsRegion: String
Endpoint: String

Properties
AwsRegion
The AWS region.
Required: Yes
API Version 2010-05-15
1628

AWS CloudFormation User Guide
AWS AppSync DataSource LambdaConﬁg

Type: String
Update requires: No interruption (p. 118)
Endpoint
The endpoint.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• ElasticsearchDataSourceConﬁg operation in the AWS AppSync API Reference

AWS AppSync DataSource LambdaConﬁg
The LambdaConfig property type speciﬁes the Lambda function ARN for an AWS AppSync data source.
LambdaConfig is a property of the AWS::AppSync::DataSource (p. 604) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"LambdaFunctionArn" : String

YAML
LambdaFunctionArn: String

Properties
LambdaFunctionArn
The ARN for the Lambda function.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• LambdaDataSourceConﬁg operation in the AWS AppSync API Reference
API Version 2010-05-15
1629

AWS CloudFormation User Guide
AWS AppSync GraphQLApi LogConﬁg

AWS AppSync GraphQLApi LogConﬁg
The LogConfig property type speciﬁes the logging conﬁguration when writing GraphQL operations and
tracing to Amazon Cloudwatch for a AWS AppSync GraphQL API.
LogConfig is a property of the AWS::AppSync::GraphQLApi (p. 608) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"CloudWatchLogsRoleArn" : String,
"FieldLogLevel" : String

YAML
CloudWatchLogsRoleArn: String
FieldLogLevel: String

Properties
CloudWatchLogsRoleArn
The IAM role that will allow publishing CloudWatch logs into the customer's account.
Required: No
Type: String
Update requires: No interruption (p. 118)
FieldLogLevel
The desired level of logging.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• LogConﬁg operation in the AWS AppSync API Reference

AWS AppSync GraphQLApi UserPoolConﬁg
The UserPoolConfig property type speciﬁes the optional authorization conﬁguration for using
Amazon Cognito User Pools with your GraphQL endpoint for an AWS AppSync GraphQL API.
UserPoolConfig is a property of the AWS::AppSync::GraphQLApi (p. 608) property type.
API Version 2010-05-15
1630

AWS CloudFormation User Guide
AWS AppSync GraphQLApi UserPoolConﬁg

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"AppIdClientRegex" : String,
"UserPoolId" : String,
"AwsRegion" : String,
"DefaultAction" : String

YAML
AppIdClientRegex: String
UserPoolId: String
AwsRegion: String
DefaultAction: String

Properties
AppIdClientRegex
A regular expression for validating the incoming Amazon Cognito User Pool app client ID.
Required: No
Type: String
Update requires: No interruption (p. 118)
UserPoolId
The user pool ID.
Required: No
Type: String
Update requires: No interruption (p. 118)
AwsRegion
The AWS region in which the user pool was created.
Required: No
Type: String
Update requires: No interruption (p. 118)
DefaultAction
The action that you want your GraphQL API to take when a request that uses Amazon Cognito User
Pool authentication doesn't match the Amazon Cognito User Pool conﬁguration.
Required: No
Type: String
API Version 2010-05-15
1631

AWS CloudFormation User Guide
AWS AppSync GraphQLApi OpenId Connect Conﬁg

Update requires: No interruption (p. 118)

See Also
• UserPoolConﬁg operation in the AWS AppSync API Reference

AWS AppSync GraphQLApi OpenId Connect Conﬁg
The OpenIDConnectConfig property type speciﬁes the optional authorization conﬁguration for using
an Open Id Connect compliant service with your GraphQL endpoint for an AWS AppSync GraphQL API.
OpenIDConnectConfig is a property of the AWS::AppSync::GraphQLApi (p. 608) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Issuer" : String,
"ClientId" : String,
"IatTTL" : Number,
"AuthTTL" : Number

YAML
Issuer: String
ClientId: String
IatTTL: Number
AuthTTL: Number

Properties
Issuer
The issuer for the open id connect conﬁguration. The issuer returned by discovery MUST exactly
match the value of iss in the ID Token.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ClientId
The client identiﬁer of the Relying party at the OpenID Provider. This identiﬁer is typically obtained
when the Relying party is registered with the OpenID Provider. You can specify a regular expression
so the AWS AppSync can validate against multiple client identiﬁers at a time
Required: No
Type: String
API Version 2010-05-15
1632

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling Block Device Mapping

Update requires: No interruption (p. 118)
IatTTL
The number of milliseconds a token is valid after being issued to a user.
Required: No
Type: Number
Update requires: No interruption (p. 118)
AuthTTL
The number of milliseconds a token is valid after being authenticated.
Required: No
Type: Number
Update requires: No interruption (p. 118)

See Also
• OpenIDConnectConﬁg operation in the AWS AppSync API Reference

Amazon EC2 Auto Scaling Block Device Mapping
Property Type
The AutoScaling Block Device Mapping type is an embedded property of the
AWS::AutoScaling::LaunchConﬁguration (p. 628) type.

Syntax
JSON
{

}

"DeviceName (p. 1634)" : String,
"Ebs (p. 1634)" : AutoScaling EBS Block Device,
"NoDevice" : Boolean,
"VirtualName (p. 1634)" : String

YAML
DeviceName (p. 1634): String
Ebs (p. 1634):
AutoScaling EBS Block Device
NoDevice: Boolean
VirtualName (p. 1634): String

Properties
Note

For more information about the constraints and valid values of each property, see Ebs in the
Amazon EC2 Auto Scaling API Reference.
API Version 2010-05-15
1633

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling EBS Block Device

DeviceName
The name of the device within Amazon EC2.
Required: Yes
Type: String
Ebs
The Amazon Elastic Block Store volume information.
Required: Conditional You can specify either VirtualName or Ebs, but not both.
Type: Amazon EC2 Auto Scaling EBS Block Device (p. 1634).
NoDevice
Suppresses the device mapping. If NoDevice is set to true for the root device, the instance might fail
the Amazon EC2 health check. Auto Scaling launches a replacement instance if the instance fails the
health check.
Required: No
Type: Boolean
VirtualName
The name of the virtual device. The name must be in the form ephemeralX where X is a number
starting from zero (0), for example, ephemeral0.
Required: Conditional You can specify either VirtualName or Ebs, but not both.
Type: String

Amazon EC2 Auto Scaling EBS Block Device Property
Type
The AutoScaling EBS Block Device type is an embedded property of the Amazon EC2 Auto Scaling Block
Device Mapping (p. 1633) type.

Syntax
JSON
{

}

"DeleteOnTermination" : Boolean,
"Encrypted" : Boolean,
"Iops" : Integer,
"SnapshotId (p. 1635)" : String,
"VolumeSize (p. 1635)" : Integer,
"VolumeType" : String

YAML
DeleteOnTermination: Boolean

API Version 2010-05-15
1634

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling EBS Block Device
Encrypted: Boolean
Iops: Integer
SnapshotId (p. 1635): String
VolumeSize (p. 1635): Integer
VolumeType: String

Properties
DeleteOnTermination
Indicates whether to delete the volume when the instance is terminated. By default, Auto Scaling
uses true.
Required: No
Type: Boolean
Encrypted
Indicates whether the volume is encrypted. Encrypted EBS volumes must be attached to instances
that support Amazon EBS encryption. Volumes that you create from encrypted snapshots are
automatically encrypted. You cannot create an encrypted volume from an unencrypted snapshot or
an unencrypted volume from an encrypted snapshot.
Required: No
Type: Boolean
Iops
The number of I/O operations per second (IOPS) that the volume supports. The maximum ratio of
IOPS to volume size is 30.
Required: No
Type: Integer.
SnapshotId
The snapshot ID of the volume to use.
Required: Conditional If you specify both SnapshotId and VolumeSize, VolumeSize must be
equal or greater than the size of the snapshot.
Type: String
VolumeSize
The volume size, in Gibibytes (GiB). This can be a number from 1 – 1024. If the volume type is EBS
optimized, the minimum value is 10. For more information about specifying the volume type, see
EbsOptimized in AWS::AutoScaling::LaunchConﬁguration (p. 628).
Required: Conditional If you specify both SnapshotId and VolumeSize, VolumeSize must be
equal or greater than the size of the snapshot.
Type: Integer.
Update requires: Some interruptions (p. 119)
VolumeType
The volume type. By default, Auto Scaling uses the standard volume type. For more information,
see Ebs in the Amazon EC2 Auto Scaling API Reference.
API Version 2010-05-15
1635

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling AutoScalingGroup
LifecycleHookSpeciﬁcation

Required: No
Type: String

Examples
For AutoScaling EBS Block Device snippets, see Auto Scaling Launch Conﬁguration Resource (p. 288).

Amazon EC2 Auto Scaling AutoScalingGroup
LifecycleHookSpeciﬁcation
The LifecycleHookSpecification property type deﬁnes lifecycle hooks for an Auto Scaling
group, which specify actions to perform when Auto Scaling launches or terminates instances. For more
information, see Amazon EC2 Auto Scaling Lifecycle Hooks in the Amazon EC2 Auto Scaling User Guide.
The LifecycleHookSpecificationList property of the
AWS::AutoScaling::AutoScalingGroup (p. 620) resource contains a list of
LifecycleHookSpecification property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"DefaultResult" : String,
"HeartbeatTimeout" : Integer,
"LifecycleHookName" : String,
"LifecycleTransition" : String,
"NotificationMetadata" : String,
"NotificationTargetARN" : String,
"RoleARN" : String

YAML
DefaultResult: String
HeartbeatTimeout: Integer
LifecycleHookName: String
LifecycleTransition: String
NotificationMetadata: String
NotificationTargetARN: String
RoleARN: String

Properties
For more information about each property, including constraints, see PutLifecycleHook in the Amazon
EC2 Auto Scaling API Reference.
DefaultResult
The action that the Auto Scaling group should take when the lifecycle hook timeout elapses or if an
unexpected failure occurs.
API Version 2010-05-15
1636

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling AutoScalingGroup
LifecycleHookSpeciﬁcation

Valid values: CONTINUE, ABANDON (default)
Required: No
Type: String
Update requires: No interruption (p. 118)
HeartbeatTimeout
The maximum time, in seconds, that can elapse before the lifecycle hook times out. If the lifecycle
hook times out, Auto Scaling performs the default action.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
LifecycleHookName
The name of the lifecycle hook. For constraints, see PutLifecycleHook in the Amazon EC2 Auto
Scaling API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
LifecycleTransition
The state of the EC2 instance to attach the lifecycle hook to. For a list of lifecycle hook types, see
DescribeLifecycleHookTypes in the Amazon EC2 Auto Scaling API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
NotificationMetadata
Additional information to include when Auto Scaling sends a message to the notiﬁcation target. For
constraints, see PutLifecycleHook in the Amazon EC2 Auto Scaling API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
NotificationTargetARN
The Amazon Resource Name (ARN) of the target that Auto Scaling sends notiﬁcations to when an
instance is in the transition state for the lifecycle hook. The notiﬁcation target can be either an
Amazon SQS queue or an Amazon SNS topic.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1637

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling AutoScalingGroup
LifecycleHookSpeciﬁcation

RoleARN
The ARN of the IAM role that allows the Auto Scaling group to publish to the speciﬁed notiﬁcation
target.
Required: No
Type: String
Update requires: No interruption (p. 118)

Examples
The following snippet speciﬁes a lifecycle hook for an AWS::AutoScaling::AutoScalingGroup
resource.

JSON
{

}

"Resources": {
"ASG": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Properties": {
"AvailabilityZones": [
{
"Ref": "AZParameter"
}
],
"VPCZoneIdentifier": {
"Ref": "Subnets"
},
"DesiredCapacity": "0",
"MaxSize": "0",
"MinSize": "0",
"LaunchConfigurationName": {
"Ref": "LC"
},
"LifecycleHookSpecificationList": [
{
"LifecycleTransition": "autoscaling: EC2_INSTANCE_LAUNCHING",
"LifecycleHookName": "myFirstLifecycleHook",
"HeartbeatTimeout": 4800,
"NotificationTargetARN": {
"Fn::GetAtt": [
"SQS",
"Arn"
]
}
}
]
}
},
"SQS": {
"Type": "AWS::SQS::Queue"
}
}

YAML
Resources:

API Version 2010-05-15
1638

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling AutoScalingGroup
LaunchTemplateSpeciﬁcation
ASG:
Type: 'AWS::AutoScaling::AutoScalingGroup'
Properties:
AvailabilityZones:
- !Ref AZParameter
VPCZoneIdentifier: !Ref Subnets
DesiredCapacity: '0'
MaxSize: '0'
MinSize: '0'
LaunchConfigurationName: !Ref LC
LifecycleHookSpecificationList:
- LifecycleTransition: 'autoscaling:EC2_INSTANCE_LAUNCHING'
LifecycleHookName: 'myFirstLifecycleHook'
HeartbeatTimeout: 4800
NotificationTargetARN: !GetAtt SQS.Arn
SQS:
Type: 'AWS::SQS::Queue'

See Also
• Amazon EC2 Auto Scaling Lifecycle Hooks in the Amazon EC2 Auto Scaling User Guide
• PutLifecycleHook in the Amazon EC2 Auto Scaling API Reference

Amazon EC2 Auto Scaling AutoScalingGroup
LaunchTemplateSpeciﬁcation
LaunchTemplateSpecification is a property of the AWS::AutoScaling::AutoScalingGroup (p. 620)
resource that speciﬁes the launch template to use to launch instances.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"LaunchTemplateId" : String,
"LaunchTemplateName" : String,
"Version" : String

YAML
LaunchTemplateId: String
LaunchTemplateName: String
Version: String

Properties
LaunchTemplateId
The ID of the launch template. You must specify either a template ID or a template name.
Minimum length of 1. Maximum length of 255. IDs must ﬁt the following pattern:
API Version 2010-05-15
1639

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling
AutoScalingGroup MetricsCollection

[\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
LaunchTemplateName
The name of the launch template. You must specify either a template name or a template ID.
Minimum length of 3. Maximum length of 128. Names must ﬁt the following pattern:
[a-zA-Z0-9\(\)\.-/_]+
Required: No
Type: String
Update requires: No interruption (p. 118)
Version
The version number. AWS CloudFormation does not support specifying $Latest, or $Default for
the template version number.
Minimum length of 1. Maximum length of 255. Versions must ﬁt the following pattern:
[\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon EC2 Auto Scaling AutoScalingGroup
MetricsCollection
The MetricsCollection is a property of the AWS::AutoScaling::AutoScalingGroup (p. 620) resource
that describes the group metrics that an Auto Scaling group sends to CloudWatch. These metrics
describe the group rather than any of its instances. For more information, see EnableMetricsCollection in
the Amazon EC2 Auto Scaling API Reference.

Syntax
JSON
{
}

"Granularity" : String,
"Metrics" : [ String, ... ]

YAML
Granularity: String

API Version 2010-05-15
1640

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling
AutoScalingGroup NotiﬁcationConﬁguration
Metrics:
- String

Properties
Granularity
The frequency at which Auto Scaling sends aggregated data to CloudWatch. For example, you can
specify 1Minute to send aggregated data to CloudWatch every minute.
Required: Yes
Type: String
Metrics
The list of metrics to collect. If you don't specify any metrics, all metrics are enabled.
Required: No
Type: List of String values

Amazon EC2 Auto Scaling AutoScalingGroup
NotiﬁcationConﬁguration
The NotificationConfiguration property type speciﬁes the events that the Auto Scaling group
sends notiﬁcations for.
The NotificationConfigurations property of the
AWS::AutoScaling::AutoScalingGroup (p. 620) resource contains a list of
NotificationConfiguration property types.

Syntax
JSON
{
}

"NotificationTypes" : [ String, ... ],
"TopicARN" : String

YAML
NotificationTypes:
- String
TopicARN: String

Properties
NotificationTypes
A list of event types that trigger a notiﬁcation. Event types can include any of the following types:
autoscaling:EC2_INSTANCE_LAUNCH, autoscaling:EC2_INSTANCE_LAUNCH_ERROR,
autoscaling:EC2_INSTANCE_TERMINATE, autoscaling:EC2_INSTANCE_TERMINATE_ERROR,
API Version 2010-05-15
1641

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling AutoScalingGroup TagProperty

and autoscaling:TEST_NOTIFICATION. For more information about event types, see
DescribeAutoScalingNotiﬁcationTypes in the Amazon EC2 Auto Scaling API Reference.
Required: Yes
Type: List of String values
TopicARN
The Amazon Resource Name (ARN) of the Amazon Simple Notiﬁcation Service (SNS) topic.
Required: Yes
Type: String

Examples
For NotiﬁcationConﬁgurations snippets, see Auto Scaling Group with Notiﬁcations (p. 290).

Amazon EC2 Auto Scaling AutoScalingGroup
TagProperty
The TagProperty property type adds tags to all associated instances in an Auto Scaling group.
The Tags property of the AWS::AutoScaling::AutoScalingGroup (p. 620) resource contains a list of
TagProperty property types. For more information about Auto Scaling tags, see Tagging Auto Scaling
Groups and Instances in the Amazon EC2 Auto Scaling User Guide.
AWS CloudFormation adds the following tags to all Auto Scaling groups and associated instances:
• aws:cloudformation:stack-name
• aws:cloudformation:stack-id
• aws:cloudformation:logical-id

Syntax
JSON
{

}

"Key (p. 1642)" : String,
"Value (p. 1643)" : String,
"PropagateAtLaunch (p. 1643)" : Boolean

YAML
Key (p. 1642): String
Value (p. 1643): String
PropagateAtLaunch (p. 1643): Boolean

Properties
Key
The key name of the tag.
API Version 2010-05-15
1642

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling AutoScalingGroup TagProperty

Required: Yes
Type: String
Value
The value for the tag.
Required: Yes
Type: String
PropagateAtLaunch
Set to true if you want AWS CloudFormation to copy the tag to EC2 instances that are launched as
part of the auto scaling group. Set to false if you want the tag attached only to the auto scaling
group and not copied to any instances launched as part of the auto scaling group.
Required: Yes
Type: Boolean

Example
The following example template snippet creates two Auto Scaling tags. The ﬁrst tag, MyTag1, is attached
to an Auto Scaling group named WebServerGroup and is copied to any EC2 instances launched as part
of the Auto Scaling group. The second tag, MyTag2, is attached only to the Auto Scaling group named
WebServerGroup.

JSON
"WebServerGroup" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : "" },
"LaunchConfigurationName" : { "Ref" : "LaunchConfig" },
"MinSize" : "1",
"MaxSize" : "2",
"LoadBalancerNames" : [ { "Ref" : "ElasticLoadBalancer" } ],
"Tags" : [ {
"Key" : "MyTag1",
"Value" : "Hello World 1",
"PropagateAtLaunch" : "true"
}, {
"Key" : "MyTag2",
"Value" : "Hello World 2",
"PropagateAtLaunch" : "false"
} ]
}
}

YAML
WebServerGroup:
Type: 'AWS::AutoScaling::AutoScalingGroup'
Properties:
AvailabilityZones: !GetAZs ''
LaunchConfigurationName: !Ref LaunchConfig
MinSize: '1'
MaxSize: '2'

API Version 2010-05-15
1643

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling ScalingPolicy
CustomizedMetricSpeciﬁcation
LoadBalancerNames:
- !Ref ElasticLoadBalancer
Tags:
- Key: MyTag1
Value: Hello World 1
PropagateAtLaunch: 'true'
- Key: MyTag2
Value: Hello World 2
PropagateAtLaunch: 'false'

Amazon EC2 Auto Scaling ScalingPolicy
CustomizedMetricSpeciﬁcation
The CustomizedMetricSpecification property conﬁgures a customized metric for a target tracking
policy in Amazon EC2 Auto Scaling. CustomizedMetricSpecification is a subproperty of the
Amazon EC2 Auto Scaling ScalingPolicy TargetTrackingConﬁguration (p. 1648) property.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Dimensions" : [ MetricDimension (p. 1645), ...],
"MetricName" : String,
"Namespace" : String,
"Statistic" : String,
"Unit" : String

YAML
Dimensions:
- MetricDimension (p. 1645)
MetricName: String
Namespace: String
Statistic: String
Unit: String

Properties
Dimensions
The dimensions of the metric. Duplicates not allowed.
Required: No
Type: List of Amazon EC2 Auto Scaling ScalingPolicy MetricDimension (p. 1645)
Update requires: No interruption (p. 118)
MetricName
The name of the metric.
Required: Yes
API Version 2010-05-15
1644

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling ScalingPolicy MetricDimension

Type: String
Update requires: No interruption (p. 118)
Namespace
The namespace of the metric.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Statistic
The statistic of the metric.
For valid values, see CustomizedMetricSpeciﬁcation in the Amazon EC2 Auto Scaling API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Unit
The unit of the metric.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon EC2 Auto Scaling ScalingPolicy
MetricDimension
Use the MetricDimension property to specify the dimension of a metric for a target tracking policy in
Amazon EC2 Auto Scaling. The Dimensions subproperty of the Amazon EC2 Auto Scaling ScalingPolicy
CustomizedMetricSpeciﬁcation (p. 1644) property contains a list of MetricDimension property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Name" : String,
"Value" : String

YAML
Name: String
Value: String

API Version 2010-05-15
1645

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling ScalingPolicy
PredeﬁnedMetricSpeciﬁcation

Properties
Name
The name of the dimension.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Value
The value of the dimension.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon EC2 Auto Scaling ScalingPolicy
PredeﬁnedMetricSpeciﬁcation
The PredefinedMetricSpecification property conﬁgures a predeﬁned metric for a target tracking
policy in Amazon EC2 Auto Scaling. PredefinedMetricSpecification is a subproperty of the
Amazon EC2 Auto Scaling ScalingPolicy TargetTrackingConﬁguration (p. 1648) property.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"PredefinedMetricType" : String,
"ResourceLabel" : String

YAML
PredefinedMetricType: String
ResourceLabel: String

Properties
For more information about each property, including constraints and valid values, see
PredeﬁnedMetricSpeciﬁcation in the Amazon EC2 Auto Scaling API Reference.
PredefinedMetricType
The metric type.
Required: Yes
API Version 2010-05-15
1646

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling ScalingPolicy StepAdjustments

Type: String
Update requires: No interruption (p. 118)
ResourceLabel
Identiﬁes the resource associated with the metric type.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon EC2 Auto Scaling ScalingPolicy
StepAdjustments
StepAdjustments is a property of the AWS::AutoScaling::ScalingPolicy (p. 640) resource that
describes a scaling adjustment based on the diﬀerence between the value of the aggregated CloudWatch
metric and the breach threshold that you've deﬁned for the alarm. For more information, see
StepAdjustment in the Amazon EC2 Auto Scaling API Reference.

Syntax
JSON
{

}

"MetricIntervalLowerBound" : Number,
"MetricIntervalUpperBound" : Number,
"ScalingAdjustment" : Integer

YAML
MetricIntervalLowerBound: Number
MetricIntervalUpperBound: Number
ScalingAdjustment: Integer

Properties
For more information, such as valid values, constraints, and examples of how to specify each property,
see StepAdjustment in the Amazon EC2 Auto Scaling API Reference.
MetricIntervalLowerBound
The lower bound of the breach size. The lower bound is the diﬀerence between the breach threshold
and the aggregated CloudWatch metric value. If the metric value is within the lower and upper
bounds, Auto Scaling triggers this step adjustment.
If the metric value is above the breach threshold, the metric must be greater than or equal to the
threshold plus the lower bound to trigger this step adjustment (the metric value is inclusive). If the
metric value is below the breach threshold, the metric must be greater than the threshold plus the
lower bound to trigger this step adjustment (the metric value is exclusive). A null value indicates
negative inﬁnity.
Required: Conditional. You must specify at least one upper or lower bound.
API Version 2010-05-15
1647

AWS CloudFormation User Guide
Amazon EC2 Auto Scaling ScalingPolicy
TargetTrackingConﬁguration

Type: Number
MetricIntervalUpperBound
The upper bound of the breach size. The upper bound is the diﬀerence between the breach
threshold and the CloudWatch metric value. If the metric value is within the lower and upper
bounds, Auto Scaling triggers this step adjustment.
If the metric value is above the breach threshold, the metric must be less than the threshold plus
the upper bound to trigger this step adjustment (the metric value is exclusive). If the metric value is
below the breach threshold, the metric must be less than or equal to the threshold plus the upper
bound to trigger this step adjustment (the metric value is inclusive). A null value indicates positive
inﬁnity.
Required: Conditional. You must specify at least one upper or lower bound.
Type: Number
ScalingAdjustment
The amount by which to scale. The adjustment is based on the value that you speciﬁed in the
AdjustmentType property (either an absolute number or a percentage). A positive value adds to
the current capacity and a negative number subtracts from the current capacity.
Required: Yes
Type: Integer

Amazon EC2 Auto Scaling ScalingPolicy
TargetTrackingConﬁguration
The TargetTrackingConfiguration property conﬁgures a target tracking scaling policy.
TargetTrackingConfiguration is a property of the AWS::AutoScaling::ScalingPolicy (p. 640)
resource. For more information, see PutScalingPolicy in the Amazon EC2 Auto Scaling API Reference.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"CustomizedMetricSpecification" : CustomizedMetricSpecification (p. 1644),
"DisableScaleIn" : Boolean,
"PredefinedMetricSpecification" : PredefinedMetricSpecification (p. 1646),
"TargetValue" : Double

YAML
CustomizedMetricSpecification:
CustomizedMetricSpecification (p. 1644)
DisableScaleIn: Boolean
PredefinedMetricSpecification:
PredefinedMetricSpecification (p. 1646)
TargetValue: Double

API Version 2010-05-15
1648

AWS CloudFormation User Guide
AWS Auto Scaling ScalingPlan ApplicationSource

Properties
For more information about each property, including constraints and valid values, see
TargetTrackingConﬁguration in the Amazon EC2 Auto Scaling API Reference.
CustomizedMetricSpecification
A customized metric.
Required: No
Type: Amazon EC2 Auto Scaling ScalingPolicy CustomizedMetricSpeciﬁcation (p. 1644)
Update requires: No interruption (p. 118)
DisableScaleIn
Indicates whether to disable scale-in for the target tracking policy. If true, the target tracking policy
will not scale in the Auto Scaling group. The default value is false.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
PredefinedMetricSpecification
A predeﬁned metric.
Required: No
Type: Amazon EC2 Auto Scaling ScalingPolicy PredeﬁnedMetricSpeciﬁcation (p. 1646)
Update requires: No interruption (p. 118)
TargetValue
The target value for the metric.
Required: Yes
Type: Double
Update requires: No interruption (p. 118)

AWS Auto Scaling ScalingPlan ApplicationSource
The ApplicationSource property type speciﬁes the application source for an AWS Auto Scaling
scaling plan. You can create one scaling plan per application source.
ApplicationSource is a property of the AWS::AutoScalingPlans::ScalingPlan (p. 650) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1649

AWS CloudFormation User Guide
AWS Auto Scaling ScalingPlan
CustomizedScalingMetricSpeciﬁcation

}

"CloudFormationStackARN" : String,
"TagFilters" : [ TagFilter (p. 1655), ... ]

YAML
CloudFormationStackARN: String
TagFilters:
- TagFilter (p. 1655)

Properties
CloudFormationStackARN
The Amazon Resource Name (ARN) of a CloudFormation stack.
Required: No
Type: String
Update requires: No interruption (p. 118)
TagFilters
A set of tags (up to 50).
Required: No
Type: List of AWS Auto Scaling ScalingPlan TagFilter (p. 1655)
Update requires: No interruption (p. 118)

AWS Auto Scaling ScalingPlan
CustomizedScalingMetricSpeciﬁcation
The CustomizedScalingMetricSpecification property type speciﬁes a customized metric for a
target tracking policy for an AWS Auto Scaling scaling plan.
CustomizedScalingMetricSpecification is a property of the AWS Auto Scaling ScalingPlan
TargetTrackingConﬁguration (p. 1656) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"MetricName" : String,
"Statistic" : String,
"Dimensions" : [ MetricDimension (p. 1652), ... ],
"Unit" : String,
"Namespace" : String

API Version 2010-05-15
1650

AWS CloudFormation User Guide
AWS Auto Scaling ScalingPlan
CustomizedScalingMetricSpeciﬁcation

YAML
MetricName: String
Statistic: String
Dimensions:
- MetricDimension (p. 1652)
Unit: String
Namespace: String

Properties
Dimensions
The dimensions of the metric.
Required: No
Type: List of AWS Auto Scaling ScalingPlan MetricDimension (p. 1652)
Update requires: No interruption (p. 118)
MetricName
The name of the metric.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Namespace
The namespace of the metric.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Statistic
The statistic of the metric.
Required: Yes
Type: String
Valid Values: Average | Minimum | Maximum | SampleCount | Sum
Update requires: No interruption (p. 118)
Unit
The unit of the metric.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1651

AWS CloudFormation User Guide
AWS Auto Scaling ScalingPlan MetricDimension

AWS Auto Scaling ScalingPlan MetricDimension
The MetricDimension property type speciﬁes a dimension for a customized metric for an AWS Auto
Scaling scaling plan.
MetricDimension is a property of the AWS Auto Scaling ScalingPlan
CustomizedScalingMetricSpeciﬁcation (p. 1650) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Value" : String,
"Name" : String

YAML
Value: String
Name: String

Properties
Name
The name of the dimension.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Value
The value of the dimension.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

AWS Auto Scaling ScalingPlan
PredeﬁnedScalingMetricSpeciﬁcation
The PredefinedScalingMetricSpecification property type speciﬁes a predeﬁned metric for a
target tracking policy for an AWS Auto Scaling scaling plan.
PredefinedScalingMetricSpecification is a property of the AWS Auto Scaling ScalingPlan
TargetTrackingConﬁguration (p. 1656) property type.
API Version 2010-05-15
1652

AWS CloudFormation User Guide
AWS Auto Scaling ScalingPlan ScalingInstruction

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"ResourceLabel" : String,
"PredefinedScalingMetricType" : String

YAML
ResourceLabel: String
PredefinedScalingMetricType: String

Properties
PredefinedScalingMetricType
The metric type. For more information, see PredeﬁnedScalingMetricSpeciﬁcation in the AWS Auto
Scaling API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ResourceLabel
Identiﬁes the resource associated with the metric type.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Auto Scaling ScalingPlan ScalingInstruction
The ScalingInstruction property type speciﬁes the scaling conﬁguration for a scalable resource in
an AWS Auto Scaling scaling plan.
ScalingInstruction is a property of the AWS::AutoScalingPlans::ScalingPlan (p. 650) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1653

AWS CloudFormation User Guide
AWS Auto Scaling ScalingPlan ScalingInstruction

}

"ResourceId" : String,
"ServiceNamespace" : String,
"ScalableDimension" : String,
"MinCapacity" : Integer,
"TargetTrackingConfigurations" : [ TargetTrackingConfiguration (p. 1656), ... ],
"MaxCapacity" : Integer

YAML
ResourceId: String
ServiceNamespace: String
ScalableDimension: String
MinCapacity: Integer
TargetTrackingConfigurations:
- TargetTrackingConfiguration (p. 1656)
MaxCapacity: Integer

Properties
MaxCapacity
The maximum value to scale to in response to a scale in event.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
MinCapacity
The minimum value to scale to in response to a scale out event.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
ResourceId
The ID of the resource. For examples, see ScalingInstruction in the AWS Auto Scaling API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ScalableDimension
The scalable dimension associated with the resource. For a list of values, see ScalingInstruction in the
AWS Auto Scaling API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1654

AWS CloudFormation User Guide
AWS Auto Scaling ScalingPlan TagFilter

ServiceNamespace
The namespace of the AWS service. For a list of values, see ScalingInstruction in the AWS Auto
Scaling API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
TargetTrackingConfigurations
The target tracking scaling policies (up to 10).
Required: Yes
Type: List of AWS Auto Scaling ScalingPlan TargetTrackingConﬁguration (p. 1656)
Update requires: No interruption (p. 118)

AWS Auto Scaling ScalingPlan TagFilter
The TagFilter property type speciﬁes a tag for an application source for an AWS Auto Scaling scaling
plan.
TagFilter is a property of the AWS Auto Scaling ScalingPlan ApplicationSource (p. 1649) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Values" : [ String, ... ],
"Key" : String

YAML
Values:
- String
Key: String

Properties
Key
The tag key.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1655

AWS CloudFormation User Guide
AWS Auto Scaling ScalingPlan TargetTrackingConﬁguration

Values
The tag values (0 to 20).
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

AWS Auto Scaling ScalingPlan
TargetTrackingConﬁguration
The TargetTrackingConfiguration property type speciﬁes a target tracking policy for an AWS Auto
Scaling scaling plan.
TargetTrackingConfiguration is a property of the AWS Auto Scaling ScalingPlan
ScalingInstruction (p. 1653) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"ScaleOutCooldown" : Integer,
"TargetValue" : Double,
"PredefinedScalingMetricSpecification" : PredefinedScalingMetricSpecification (p. 1652),
"DisableScaleIn" : Boolean,
"ScaleInCooldown" : Integer,
"EstimatedInstanceWarmup" : Integer,
"CustomizedScalingMetricSpecification" : CustomizedScalingMetricSpecification (p. 1650)

YAML
ScaleOutCooldown: Integer
TargetValue: Double
PredefinedScalingMetricSpecification: PredefinedScalingMetricSpecification (p. 1652)
DisableScaleIn: Boolean
ScaleInCooldown: Integer
EstimatedInstanceWarmup: Integer
CustomizedScalingMetricSpecification: CustomizedScalingMetricSpecification (p. 1650)

Properties
CustomizedScalingMetricSpecification
A customized metric.
Required: No
Type: AWS Auto Scaling ScalingPlan CustomizedScalingMetricSpeciﬁcation (p. 1650)
Update requires: No interruption (p. 118)
API Version 2010-05-15
1656

AWS CloudFormation User Guide
AWS Auto Scaling ScalingPlan TargetTrackingConﬁguration

DisableScaleIn
Indicates whether scale in by the target tracking policy is disabled. If the value is true, scale in is
disabled and the target tracking policy won't remove capacity from the scalable resource. Otherwise,
scale in is enabled and the target tracking policy can remove capacity from the scalable resource.
The default value is false.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
EstimatedInstanceWarmup
The estimated time, in seconds, until a newly launched instance can contribute to the CloudWatch
metrics. This value is used only if the resource is an Auto Scaling group.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
PredefinedScalingMetricSpecification
A predeﬁned metric.
Required: No
Type: AWS Auto Scaling ScalingPlan PredeﬁnedScalingMetricSpeciﬁcation (p. 1652)
Update requires: No interruption (p. 118)
ScaleInCooldown
The amount of time, in seconds, after a scale in activity completes before another scale in activity
can start. This value is not used if the scalable resource is an Auto Scaling group.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
ScaleOutCooldown
The amount of time, in seconds, after a scale out activity completes before another scale out activity
can start. This value is not used if the scalable resource is an Auto Scaling group.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
TargetValue
The target value for the metric. The range is 8.515920e-109 to 1.174271e+108 (Base 10) or 2e-360
to 2e360 (Base 2).
Required: Yes
Type: Double
Update requires: No interruption (p. 118)
API Version 2010-05-15
1657

AWS CloudFormation User Guide
AWS Batch ComputeEnvironment ComputeResources

AWS Batch ComputeEnvironment ComputeResources
The ComputeResources property type speciﬁes details of the compute resources managed by the
compute environment. This parameter is required for managed compute environments. For more
information, see Compute Environments in the AWS Batch User Guide.
ComputeResources is a property of the AWS::Batch::ComputeEnvironment (p. 651) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"SpotIamFleetRole" : String,
"MaxvCpus" : Integer,
"BidPercentage" : Integer,
"SecurityGroupIds" : [ String, ... ],
"Subnets" : [ String, ... ],
"Type" : String,
"MinvCpus" : Integer,
"ImageId" : String,
"InstanceRole" : String,
"InstanceTypes" : [ String, ... ],
"Ec2KeyPair" : String,
"Tags" : JSON object,
"DesiredvCpus" : Integer

YAML
SpotIamFleetRole: String
MaxvCpus: Integer
BidPercentage: Integer
SecurityGroupIds:
- String
Subnets:
- String
Type: String
MinvCpus: Integer
ImageId: String
InstanceRole: String
InstanceTypes:
- String
Ec2KeyPair: String
Tags: JSON object
DesiredvCpus: Integer

Properties
For more information about each property, see ComputeResource in the AWS Batch API Reference.
SpotIamFleetRole
The Amazon Resource Name (ARN) of the Amazon EC2 Spot Fleet IAM role applied to a SPOT
compute environment.
Required: No
API Version 2010-05-15
1658

AWS CloudFormation User Guide
AWS Batch ComputeEnvironment ComputeResources

Type: String
Update requires: Replacement (p. 119)
MaxvCpus
The maximum number of EC2 vCPUs that an environment can reach.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
SecurityGroupIds
The EC2 security group that is associated with instances launched in the compute environment.
Required: Yes
Type: List of String values
Update requires: Replacement (p. 119)
BidPercentage
The minimum percentage that a Spot Instance price must be when compared with the On-Demand
price for that instance type before instances are launched. For example, if your bid percentage is
20%, then the Spot price must be below 20% of the current On-Demand price for that EC2 instance.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
Type
The type of compute environment: EC2 or SPOT.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Subnets
The VPC subnets into which the compute resources are launched.
Required: Yes
Type: List of String values
Update requires: Replacement (p. 119)
MinvCpus
The minimum number of EC2 vCPUs that an environment should maintain.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
API Version 2010-05-15
1659

AWS CloudFormation User Guide
AWS Batch JobDeﬁnition ContainerProperties

ImageId
The Amazon Machine Image (AMI) ID used for instances launched in the compute environment.
Required: No
Type: String
Update requires: Replacement (p. 119)
InstanceRole
The Amazon ECS instance proﬁle applied to Amazon EC2 instances in a compute environment.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
InstanceTypes
The instances types that may launched.
Required: Yes
Type: List of String values
Update requires: Replacement (p. 119)
Ec2KeyPair
The EC2 key pair that is used for instances launched in the compute environment.
Required: No
Type: String
Update requires: Replacement (p. 119)
Tags
Key-value pair tags to be applied to instances that are launched in the compute environment. For
AWS Batch, these take the form of "String1": "String2", where String1 is the tag key and
String2 is the tag value—for example, { "Name": "AWS Batch Instance - C4OnDemand" }.
Required: No
Type: JSON object
Update requires: Replacement (p. 119)
DesiredvCpus
The desired number of EC2 vCPUS in the compute environment.
Required: No
Type: Integer
Update requires: No interruption (p. 118)

AWS Batch JobDeﬁnition ContainerProperties
The ContainerProperties property type speciﬁes various properties speciﬁc to container-based jobs.
API Version 2010-05-15
1660

AWS CloudFormation User Guide
AWS Batch JobDeﬁnition ContainerProperties

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"MountPoints" : [ MountPoints (p. 1664), ... ],
"User" : String,
"Volumes" : [ Volumes (p. 1668), ... ],
"Command" : [ String, ... ],
"Memory" : Integer,
"Privileged" : Boolean,
"Environment" : [ Environment (p. 1664), ... ],
"JobRoleArn" : String,
"ReadonlyRootFilesystem" : Boolean,
"Ulimits" : [ Ulimit (p. 1667), ... ],
"Vcpus" : Integer,
"Image" : String

YAML
MountPoints:
- MountPoints (p. 1664)
User: String
Volumes:
- Volumes (p. 1668)
Command:
- String
Memory: Integer
Privileged: Boolean
Environment:
- Environment (p. 1664)
JobRoleArn: String
ReadonlyRootFilesystem: Boolean
Ulimits:
- Ulimit (p. 1667)
Vcpus: Integer
Image: String

Properties
MountPoints
The mount points for data volumes in your container. This parameter maps to Volumes in the
Create a container section of the Docker Remote API and the --volume option to docker run.
Required: no
Type: List of AWS Batch JobDeﬁnition MountPoints (p. 1664)
Update requires: No Interruption
User
The user name to use inside the container. This parameter maps to User in the Create a container
section of the Docker Remote API and the --user option to docker run.
Required: no
API Version 2010-05-15
1661

AWS CloudFormation User Guide
AWS Batch JobDeﬁnition ContainerProperties

Type: String
Update requires: No Interruption
Volumes
A list of data volumes used in a job.
Required: no
Type: List of AWS Batch JobDeﬁnition Volumes (p. 1668)
Update requires: No Interruption
Command
The command that is passed to the container. This parameter maps to Cmd in the Create a container
section of the Docker Remote API and the COMMAND parameter to docker run.
Required: no
Type: List of String values
Update requires: No Interruption
Memory
The hard limit (in MiB) of memory to present to the container. If your container attempts to exceed
the memory speciﬁed here, the container is killed. This parameter maps to Memory in the Create a
container section of the Docker Remote API and the --memory option to docker run.
Required: yes
Type: Integer
Update requires: No Interruption
Privileged
When this parameter is true, the container is given elevated privileges on the host container instance
(similar to the root user). This parameter maps to Privileged in the Create a container section of
the Docker Remote API and the --privileged option to docker run.
Required: no
Type: Boolean
Update requires: No Interruption
JobRoleArn
The Amazon Resource Name (ARN) of the IAM role that the container can assume for AWS
permissions.
Required: no
Type: String
Update requires: No Interruption
Environment
The environment variables to pass to a container. This parameter maps to Env in the Create a
container section of the Docker Remote API and the --env option to docker run.
API Version 2010-05-15
1662

AWS CloudFormation User Guide
AWS Batch JobDeﬁnition ContainerProperties

Important

We do not recommend using plain text environment variables for sensitive information,
such as credential data.
Required: no
Type: List of AWS Batch JobDeﬁnition Environment (p. 1664)
Update requires: No Interruption
ReadonlyRootFilesystem
When this parameter is true, the container is given read-only access to its root ﬁle system. This
parameter maps to ReadonlyRootfs in the Create a container section of the Docker Remote API
and the --read-only option to docker run.
Required: no
Type: Boolean
Update requires: No Interruption
Ulimits
A list of ulimits to set in the container. This parameter maps to Ulimits in the Create a container
section of the Docker Remote API and the --ulimit option to docker run.
Required: no
Type: List of AWS Batch JobDeﬁnition Ulimit (p. 1667)
Update requires: No Interruption
Vcpus
The number of vCPUs reserved for the container. This parameter maps to CpuShares in the Create
a container section of the Docker Remote API and the --cpu-shares option to docker run. Each
vCPU is equivalent to 1,024 CPU shares.
Required: yes
Type: Integer
Update requires: No Interruption
Image
The image used to start a container. This string is passed directly to the Docker daemon. Images
in the Docker Hub registry are available by default. Other repositories are speciﬁed with
repository-url/image:tag . Up to 255 letters (uppercase and lowercase), numbers, hyphens,
underscores, colons, periods, forward slashes, and number signs are allowed. This parameter maps
to Image in the Create a container section of the Docker Remote API and the IMAGE parameter of
docker run.
• Images in Amazon ECR repositories use the full registry and repository URI (for example,
012345678910.dkr.ecr.region-name.amazonaws.com/repository-name).
• Images in oﬃcial repositories on Docker Hub use a single name (for example, ubuntu or mongo).
• Images in other repositories on Docker Hub are qualiﬁed with an organization name (for example,
amazon/amazon-ecs-agent).
• Images in other online repositories are qualiﬁed further by a domain name (for example,
quay.io/assemblyline/ubuntu).
Required: yes
API Version 2010-05-15
1663

AWS CloudFormation User Guide
AWS Batch JobDeﬁnition Environment

Type: String
Update requires: No Interruption

AWS Batch JobDeﬁnition Environment
The Environment property type speciﬁes environment variables to use in a job deﬁnition.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Value" : String,
"Name" : String

YAML
Value: String
Name: String

Properties
Value
The value of the environment variable.
Required: no
Type: String
Update requires: No Interruption
Name
The name of the environment variable.
Required: no
Type: String
Update requires: No Interruption

AWS Batch JobDeﬁnition MountPoints
The MountPoints property type speciﬁes mount points for data volumes in your container. This
parameter maps to Volumes in the Create a container section of the Docker Remote API and the -volume option to docker run.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1664

AWS CloudFormation User Guide
AWS Batch JobDeﬁnition RetryStrategy

JSON
{

}

"ReadOnly" : Boolean,
"SourceVolume" : String,
"ContainerPath" : String

YAML
ReadOnly: Boolean
SourceVolume: String
ContainerPath: String

Properties
ReadOnly
If this value is true, the container has read-only access to the volume; otherwise, the container can
write to the volume. The default value is false.
Required: no
Type: Boolean
Update requires: No Interruption
SourceVolume
The name of the volume to mount.
Required: no
Type: String
Update requires: No Interruption
ContainerPath
The path on the container at which to mount the host volume.
Required: no
Type: String
Update requires: No Interruption

AWS Batch JobDeﬁnition RetryStrategy
The RetryStrategy property type speciﬁes the retry strategy to use for failed jobs that are submitted
with this job deﬁnition.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1665

AWS CloudFormation User Guide
AWS Batch JobDeﬁnition Timeout

}

"Attempts" : Integer

YAML
Attempts: Integer

Properties
Attempts
The number of times to move a job to the RUNNABLE status. You may specify between 1 and
10 attempts. If attempts is greater than one, the job is retried if it fails until it has moved to
RUNNABLE that many times.
Required: no
Type: Integer
Update requires: No Interruption

AWS Batch JobDeﬁnition Timeout
The Timeout property type speciﬁes a job timeout conﬁguration.
Timeout is a property of the AWS::Batch::JobDeﬁnition (p. 655) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"AttemptDurationSeconds" : Integer

YAML
AttemptDurationSeconds: Integer

Properties
AttemptDurationSeconds
The time duration in seconds (measured from the job attempt's startedAt timestamp) after which
AWS Batch terminates your jobs if they have not ﬁnished.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
API Version 2010-05-15
1666

AWS CloudFormation User Guide
AWS Batch JobDeﬁnition Ulimit

See Also
• JobTimeout in the AWS Batch API Reference

AWS Batch JobDeﬁnition Ulimit
The Ulimit property type speciﬁes the ulimits to use in a job deﬁnition.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"SoftLimit" : Integer,
"HardLimit" : Integer,
"Name" : String

YAML
SoftLimit: Integer
HardLimit: Integer
Name: String

Properties
SoftLimit
The soft limit for the ulimit type.
Required: yes
Type: Integer
Update requires: No Interruption
HardLimit
The hard limit for the ulimit type.
Required: yes
Type: Integer
Update requires: No Interruption
Name
The type of the ulimit.
Required: yes
Type: String
Update requires: No Interruption
API Version 2010-05-15
1667

AWS CloudFormation User Guide
AWS Batch JobDeﬁnition Volumes

AWS Batch JobDeﬁnition Volumes
The Volumes property type speciﬁes data volumes for containers to use in a job deﬁnition.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Host" : VolumesHost (p. 1668),
"Name" : String

YAML
Host:
VolumesHost (p. 1668)
Name: String

Properties
Host
The contents of the Host parameter determine whether your data volume persists on the host
container instance and where it is stored. If the host parameter is empty, then the Docker daemon
assigns a host path for your data volume, but the data is not guaranteed to persist after the
containers associated with it stop running.
Required: no
Type: AWS Batch JobDeﬁnition VolumesHost (p. 1668)
Update requires: No Interruption
Name
The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, hyphens, and
underscores are allowed. This name is referenced in the SourceVolume parameter of container
deﬁnition MountPoints.
Required: no
Type: String
Update requires: No Interruption

AWS Batch JobDeﬁnition VolumesHost
The VolumesHost property type speciﬁes whether your data volume persists on the host container
instance and where it is stored. If the host parameter is empty, then the Docker daemon assigns a host
path for your data volume, but the data is not guaranteed to persist after the containers associated with
it stop running.
API Version 2010-05-15
1668

AWS CloudFormation User Guide
AWS Batch JobQueue ComputeEnvironmentOrder

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"SourcePath" : String

YAML
SourcePath: String

Properties
SourcePath
The path on the host container instance that is presented to the container. If this parameter is
empty, then the Docker daemon has assigned a host path for you. If the VolumesHost parameter
contains a SourcePath ﬁle location, then the data volume persists at the speciﬁed location on the
host container instance until you delete it manually. If the SourcePath value does not exist on the
host container instance, the Docker daemon creates it. If the location does exist, the contents of the
source path folder are exported.
Required: no
Type: String
Update requires: No Interruption

AWS Batch JobQueue ComputeEnvironmentOrder
The ComputeEnvironmentOrder property type speciﬁes the order in which compute environments are
tried for job placement within a queue. Compute environments are tried in ascending order. For example,
if two compute environments are associated with a job queue, the compute environment with a lower
order integer value is tried for job placement ﬁrst.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"ComputeEnvironment" : String,
"Order" : Integer

YAML
ComputeEnvironment: String

API Version 2010-05-15
1669

AWS CloudFormation User Guide
Billing and Cost Management Budget BudgetData
Order: Integer

Properties
ComputeEnvironment
The Amazon Resource Name (ARN) of the compute environment.
Required: yes
Type: String
Update requires: No Interruption
Order
The order of the compute environment.
Required: yes
Type: Integer
Update requires: No Interruption

AWS Billing and Cost Management Budget
BudgetData
The BudgetData property type speciﬁes all of the parameters that AWS CloudFormation uses to
create the budget. These parameters include the time period that the budget covers, the amount that
the budget is for, the name of the budget, what costs, usage, or RI utilization the Billing and Cost
Management budget is for, and whether the budget tracks what you have spent or what you are forecast
to spend.
BudgetData is a property of the AWS::Budgets::Budget (p. 660) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"BudgetLimit" : Spend (p. 1677),
"TimePeriod" : TimePeriod (p. 1679),
"TimeUnit" : String,
"CostFilters" : Json,
"BudgetName" : String,
"CostTypes" : CostTypes (p. 1672),
"BudgetType" : String

YAML
BudgetLimit: Spend (p. 1677)

API Version 2010-05-15
1670

AWS CloudFormation User Guide
Billing and Cost Management Budget BudgetData
TimePeriod: TimePeriod (p. 1679)
TimeUnit: String
CostFilters: Json
BudgetName: String
CostTypes: CostTypes (p. 1672)
BudgetType: String

Properties
BudgetLimit
The total amount of cost, usage, or RI utilization that you want to track with your budget.
The BudgetLimit is required for cost or usage budgets, but optional for RI utilization budgets. RI
utilization budgets default to the only valid value for RI utilization budgets, which is 100.
Required: No
Type: Billing and Cost Management Budget Spend (p. 1677)
Update requires: No interruption (p. 118)
TimePeriod
The period of time covered by a budget. Has a start date and an end date. The start date must come
before the end date. There are no restrictions on the end date.
If you create your budget and don't specify a start date, AWS defaults to the start of your chosen
time period (i.e. DAILY, MONTHLY, QUARTERLY, ANNUALLY). For example, if you create your budget
on January 24th 2018, choose DAILY, and don't set a start date, AWS sets your start date to
01/24/18 00:00 UTC. If you choose MONTHLY, AWS sets your start date to 01/01/18 00:00
UTC. If you don't specify an end date, AWS sets your end date to 06/15/87 00:00 UTC.
After the end date, AWS deletes the budget and all associated notiﬁcations and subscribers.
Required: No
Type: Billing and Cost Management Budget TimePeriod (p. 1679)
Update requires: No interruption (p. 118)
TimeUnit
The length of time until a budget resets the actual and forecasted spend to zero.
Valid values are: DAILY, MONTHLY, QUARTERLY, and ANNUALLY.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
CostFilters
The cost ﬁlters applied to a budget, such as service or region.
Required: No
Type: Json
Update requires: No interruption (p. 118)
API Version 2010-05-15
1671

AWS CloudFormation User Guide
Billing and Cost Management Budget CostTypes

BudgetName
The name of a budget. Unique within accounts. : and \ characters are not allowed in the
BudgetName. If you do not include a BudgetName in the template, Billing and Cost Management
assigns your budget a randomly generated name.
Required: No
Type: String
Update requires: Replacement (p. 119)
CostTypes
The types of costs included in this budget, such as credits, subscriptions, or taxes.
Required: No
Type: Billing and Cost Management Budget CostTypes (p. 1672)
Update requires: No interruption (p. 118)
BudgetType
Whether this budget tracks monetary costs, usage, or RI utilization.
Valid values are USAGE, COST, RI_UTILIZATION, and RI_COVERAGE.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• Budget in the AWS Billing and Cost Management API Reference.

AWS Billing and Cost Management Budget CostTypes
The CostTypes property type speciﬁes what costs, such as tax or subscriptions, are included in a Billing
and Cost Management budget.
CostTypes is a property of the AWS Billing and Cost Management Budget BudgetData (p. 1670)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"IncludeSupport" : Boolean,
"IncludeOtherSubscription" : Boolean,
"IncludeTax" : Boolean,
"IncludeSubscription" : Boolean,
"UseBlended" : Boolean,
"IncludeUpfront" : Boolean,

API Version 2010-05-15
1672

AWS CloudFormation User Guide
Billing and Cost Management Budget CostTypes

}

"IncludeDiscount" : Boolean,
"IncludeCredit" : Boolean,
"IncludeRecurring" : Boolean,
"UseAmortized" : Boolean,
"IncludeRefund" : Boolean

YAML
IncludeSupport: Boolean
IncludeOtherSubscription: Boolean
IncludeTax: Boolean
IncludeSubscription: Boolean
UseBlended: Boolean
IncludeUpfront: Boolean
IncludeDiscount: Boolean
IncludeCredit: Boolean
IncludeRecurring: Boolean
UseAmortized: Boolean
IncludeRefund: Boolean

Properties
IncludeSupport
Speciﬁes whether a budget includes support subscription fees.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
IncludeOtherSubscription
Speciﬁes whether a budget includes non-RI subscription costs.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
IncludeTax
Speciﬁes whether a budget includes taxes.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
IncludeSubscription
Speciﬁes whether a budget includes subscriptions.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
API Version 2010-05-15
1673

AWS CloudFormation User Guide
Billing and Cost Management Budget CostTypes

UseBlended
Speciﬁes whether a budget uses blended rate.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
IncludeUpfront
Speciﬁes whether a budget includes upfront RI costs.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
IncludeDiscount
Speciﬁes whether a budget includes discounts.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
IncludeCredit
Speciﬁes whether a budget includes credits.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
IncludeRecurring
Speciﬁes whether a budget includes recurring fees such as monthly RI fees.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
UseAmortized
Speciﬁes whether a budget uses the amortized rate.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
IncludeRefund
Speciﬁes whether a budget includes refunds.
Required: No
API Version 2010-05-15
1674

AWS CloudFormation User Guide
Billing and Cost Management Budget Notiﬁcation

Type: Boolean
Update requires: No interruption (p. 118)

See Also
• CostTypes in the AWS Billing and Cost Management API Reference.

AWS Billing and Cost Management Budget
Notiﬁcation
The Notification property type speciﬁes who to notify for a Billing and Cost Management budget.
Notification is a property of the AWS Billing and Cost Management Budget
NotiﬁcationWithSubscribers (p. 1676) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"ComparisonOperator" : String,
"NotificationType" : String,
"Threshold" : Double,
"ThresholdType" : String

YAML
ComparisonOperator: String
NotificationType: String
Threshold: Double
ThresholdType: String

Properties
ComparisonOperator
The comparison used for this notiﬁcation. Valid Values are GREATER_THAN, LESS_THAN, and
EQUAL_TO.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
NotificationType
Whether the notiﬁcation is for how much you have spent or for how much you are forecasted
to spend. For ACTUAL thresholds, AWS notiﬁes you when you go over the threshold, and for
API Version 2010-05-15
1675

AWS CloudFormation User Guide
Billing and Cost Management
Budget NotiﬁcationWithSubscribers

FORECASTED thresholds AWS notiﬁes you when you are forecasted to go over the threshold. Valid
values are ACTUAL and FORECASTED.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Threshold
The threshold associated with a notiﬁcation. The minimum valid value is 0.1, and the maximum
valid value is 1000000000.
Required: Yes
Type: Double
Update requires: Replacement (p. 119)
ThresholdType
The type of threshold for a notiﬁcation. Valid values are PERCENTAGE and ABSOLUTE_VALUE.
Required: No
Type: String
Update requires: Replacement (p. 119)

See Also
• Notiﬁcation in the AWS Billing and Cost Management API Reference.

AWS Billing and Cost Management Budget
NotiﬁcationWithSubscribers
The NotificationWithSubscribers property type speciﬁes who to notify when a Billing and Cost
Management budget passes or is predicted to pass its threshold.
NotificationWithSubscribers is a property of the AWS::Budgets::Budget (p. 660) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Subscribers" : [ Subscriber (p. 1678), ... ],
"Notification" : Notification (p. 1675)

YAML

API Version 2010-05-15
1676

AWS CloudFormation User Guide
Billing and Cost Management Budget Spend
Subscribers:
- Subscriber (p. 1678)
Notification: Notification (p. 1675)

Properties
Subscribers
A list of subscribers who are subscribed to this notiﬁcation.
Required: Yes
Type: List of Billing and Cost Management Budget Subscriber (p. 1678)
Update requires: Replacement (p. 119)
Notification
A notiﬁcation associated with a budget. A budget can have up to ﬁve notiﬁcations.
Each notiﬁcation must have at least one subscriber. A notiﬁcation can have one SNS subscriber and
up to ten email subscribers, for a total of 11 subscribers.
For example, if you have a budget for 200 dollars and you want to be notiﬁed when you go over 160
dollars, create a notiﬁcation with the following parameters:
• A thresholdType of PERCENTAGE
• A threshold of 80
• A notificationType of ACTUAL
• A comparisonOperator of GREATER_THAN
Required: Yes
Type: Billing and Cost Management Budget Notiﬁcation (p. 1675)
Update requires: Replacement (p. 119)

See Also
• NotiﬁcationWithSubscribers in the AWS Billing and Cost Management API Reference.

AWS Billing and Cost Management Budget Spend
The Spend property type speciﬁes the amount of cost, usage, or RI utilization measured by a Billing and
Cost Management budget.
Spend is a property of the AWS Billing and Cost Management Budget BudgetData (p. 1670) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1677

AWS CloudFormation User Guide
Billing and Cost Management Budget Subscriber

}

"Amount" : Double,
"Unit" : String

YAML
Amount: Double
Unit: String

Properties
Amount
The cost or usage amount associated with a budget forecast, actual spend, or budget threshold.
Required: Yes
Type: Double
Update requires: No interruption (p. 118)
Unit
The unit of measurement used for the budget forecast, actual spend, or budget threshold, such as
USD or GB.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• Spend in the AWS Billing and Cost Management API Reference.

AWS Billing and Cost Management Budget Subscriber
The Subscriber property type speciﬁes who to notify for a Billing and Cost Management budget
notiﬁcation.
Subscriber is a property of the AWS Billing and Cost Management Budget
NotiﬁcationWithSubscribers (p. 1676) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"SubscriptionType" : String,
"Address" : String

API Version 2010-05-15
1678

AWS CloudFormation User Guide
Billing and Cost Management Budget TimePeriod

YAML
SubscriptionType: String
Address: String

Properties
SubscriptionType
The type of notiﬁcation that AWS sends to a subscriber, such as EMAIL or SNS.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Address
The address that AWS sends budget notiﬁcations to, either an SNS topic or an email.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

See Also
• Subscriber in the AWS Billing and Cost Management API Reference.

AWS Billing and Cost Management Budget
TimePeriod
The TimePeriod property type speciﬁes the period of time covered by a Billing and Cost Management
budget.
TimePeriod is a property of the AWS Billing and Cost Management Budget BudgetData (p. 1670)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Start" : String,
"End" : String

YAML

API Version 2010-05-15
1679

AWS CloudFormation User Guide
AWS Cloud9 EnvironmentEC2 Repository
Start: String
End: String

Properties
Start
The start date for a budget. If you create your budget and don't specify a start date, AWS defaults to
the start of your chosen time period (i.e. DAILY, MONTHLY, QUARTERLY, ANNUALLY). For example,
if you create your budget on January 24th 2018, choose DAILY, and don't set a start date, AWS
sets your start date to 01/24/18 00:00 UTC. If you choose MONTHLY, AWS sets your start date
to 01/01/18 00:00 UTC. The defaults are the same for the AWS Billing and Cost Management
console and the API.
You can change your start date with the UpdateBudget API operation.
Required: No
Type: String
Update requires: No interruption (p. 118)
End
The end date for a budget. If you don't specify an end date, AWS sets your end date to 06/15/2087
00:00 UTC. The defaults are the same for the AWS Billing and Cost Management console and the
API.
After the end date, AWS deletes the budget and all associated notiﬁcations and subscribers.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• TimePeriod in the AWS Billing and Cost Management API Reference.

AWS Cloud9 EnvironmentEC2 Repository
The Repository property type speciﬁes an AWS CodeCommit source code repository to be cloned into
an AWS Cloud9 development environment.
The Repositories property of the AWS::Cloud9::EnvironmentEC2 (p. 666) resource contains a list of
Repository property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"PathComponent" : String,
"RepositoryUrl" : String

API Version 2010-05-15
1680

AWS CloudFormation User Guide
ACM Certiﬁcate DomainValidationOption
}

YAML
PathComponent: String
RepositoryUrl: String

Properties
PathComponent
The path within the development environment's default ﬁlesystem location to clone the AWS
CodeCommit repository into. For example, /repository-name would clone the repository into the
/home/ec2-user/environment/repository-name directory in the environment.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RepositoryUrl
The clone URL of the AWS CodeCommit repository to be cloned. For example, for an AWS
CodeCommit repository this might be https://git-codecommit.us-east-2.amazonaws.com/
v1/repos/repository-name.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

AWS Certiﬁcate Manager Certiﬁcate
DomainValidationOption
DomainValidationOption is a property of the AWS::CertiﬁcateManager::Certiﬁcate (p. 663)
resource that speciﬁes the AWS Certiﬁcate Manager (ACM) Certiﬁcate domain that registrars use to send
validation emails.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"DomainName" : String,
"ValidationDomain" : String

YAML
DomainName: String
ValidationDomain: String

API Version 2010-05-15
1681

AWS CloudFormation User Guide
AWS CloudFormation Stack Parameters

Properties
DomainName
Fully Qualiﬁed Domain Name (FQDN) of the Certiﬁcate that you are requesting.
Required: Yes
Type: String
ValidationDomain
The domain that domain name registrars use to send validation emails. Registrars use this value
as the email address suﬃx when sending emails to verify your identity. This value must be the
same as the domain name or a superdomain of the domain name. For more information, see the
ValidationDomain content for the DomainValidationOption data type in the AWS Certiﬁcate
Manager API Reference.
Required: Yes
Type: String

AWS CloudFormation Stack Parameters
The Parameters type is an embedded property of the AWS::CloudFormation::Stack (p. 694) type.
The Parameters type contains a set of value pairs that represent the parameters that will be passed to
the template used to create an AWS::CloudFormation::Stack resource. Each parameter has a name
corresponding to a parameter deﬁned in the embedded template and a value representing the value that
you want to set for the parameter. For example, the sample template EC2ChooseAMI.template contains
the following Parameters section:

JSON
"Parameters" : {
"InstanceType" : {
"Type" : "String",
"Default" : "m1.small",
"Description" : "EC2 instance type, e.g. m1.small, m1.large, etc."
},
"WebServerPort" : {
"Type" : "String",
"Default" : "80",
"Description" : "TCP/IP port of the web server"
},
"KeyName" : {
"Type" : "String",
"Description" : "Name of an existing EC2 KeyPair to enable SSH access to the web
server"
}
}

YAML
Parameters:
InstanceType:
Type: "String"

API Version 2010-05-15
1682

AWS CloudFormation User Guide
AWS CloudFormation Interface Label
Default: "m1.small"
Description: "EC2 instance type, e.g. m1.small, m1.large, etc."
WebServerPort:
Type: "String"
Default: "80"
Description: "TCP/IP port of the web server"
KeyName:
Type: "String"
Description: "Name of an existing EC2 KeyPair to enable SSH access to the web server"

Nested Stack
You could use the following template to embed a stack (myStackWithParams) using the
EC2ChooseAMI.template and use the Parameters property in the AWS::CloudFormation::Stack resource
to specify an InstanceType and KeyName:

JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myStackWithParams" : {
"Type" : "AWS::CloudFormation::Stack",
"Properties" : {
"TemplateURL" : "https://s3.amazonaws.com/cloudformation-templates-us-east-2/
EC2ChooseAMI.template",
"Parameters" : {
"InstanceType" : "t1.micro",
"KeyName" : "mykey"
}
}
}
}
}

YAML
AWSTemplateFormatVersion: "2010-09-09"
Resources:
myStackWithParams:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: "https://s3.amazonaws.com/cloudformation-templates-us-east-2/
EC2ChooseAMI.template"
Parameters:
InstanceType: "t1.micro"
KeyName: "mykey"

AWS CloudFormation Interface Label
Label is a property of the ParameterGroup (p. 1684) and ParameterLabel (p. 1685) properties that
deﬁnes name for a parameter group or parameter.

Syntax
JSON
{

API Version 2010-05-15
1683

AWS CloudFormation User Guide
AWS CloudFormation Interface ParameterGroup

}

"default" : String

YAML
default: String

Properties
default
The default label that the AWS CloudFormation console uses to name a parameter group or
parameter.
Required: No
Type: String

AWS CloudFormation Interface ParameterGroup
ParameterGroup is a property of the AWS::CloudFormation::Interface (p. 691) resource that deﬁnes a
parameter group and the parameters to include in the group.

Syntax
JSON
{
}

"Label" : Label,
"Parameters" : [ String, ... ]

YAML
Label: Label
Parameters:
- String

Properties
Label
A name for the parameter group.
Required: No
Type: AWS CloudFormation Interface Label (p. 1683)
Parameters
A list of case-sensitive parameter logical IDs to include in the group. Parameters must already
be deﬁned in the Parameters section of the template. A parameter can be included in only one
parameter group.
The console lists the parameters that you don't associate with a parameter group in alphabetical
order in the Other parameters group.
API Version 2010-05-15
1684

AWS CloudFormation User Guide
AWS CloudFormation Interface ParameterLabel

Required: No
Type: List of String values

AWS CloudFormation Interface ParameterLabel
ParameterLabel is a property of the AWS::CloudFormation::Interface (p. 691) resource that speciﬁes
a friendly name or description for a parameter that the AWS CloudFormation console shows instead of
the parameter's logical ID.

Syntax
JSON
{
}

"ParameterLogicalID" : Label

YAML
ParameterLogicalID: Label

Properties
ParameterLogicalID
A label for a parameter. The label deﬁnes a friendly name or description that the AWS
CloudFormation console shows on the Specify Parameters page when a stack is created or updated.
The ParameterLogicalID key must be the case-sensitive logical ID of a valid parameter that has
been declared in the Parameters section of the template.
Required: No
Type: AWS CloudFormation Interface Label (p. 1683)

Amazon CloudFront CloudFrontOriginAccessIdentity
CloudFrontOriginAccessIdentityConﬁg
The CloudFrontOriginAccessIdentityConfig property type conﬁgures the CloudFront origin
access identity to associate with the origin of a CloudFront distribution.
CloudFrontOriginAccessIdentityConfig is a property of the
AWS::CloudFront::CloudFrontOriginAccessIdentity (p. 703) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Comment" : String

API Version 2010-05-15
1685

AWS CloudFormation User Guide
CloudFront Distribution CacheBehavior
}

YAML
Comment: String

Properties
Comment
A comment to associate with this CloudFront origin access identity.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

CloudFront Distribution CacheBehavior
CacheBehavior is a property of the DistributionConﬁg (p. 1695) property that describes the Amazon
CloudFront (CloudFront) cache behavior when the requested URL matches a pattern.

Syntax
JSON
{

}

"AllowedMethods" : [ String, ... ],
"CachedMethods" : [ String, ... ],
"Compress" : Boolean,
"DefaultTTL" : Number,
"FieldLevelEncryptionId" : String,
"ForwardedValues" : ForwardedValues,
"LambdaFunctionAssociations" : [ LambdaFunctionAssociation (p. 1701), ... ]
"MaxTTL" : Number,
"MinTTL" : Number,
"PathPattern" : String,
"SmoothStreaming" : Boolean,
"TargetOriginId" : String,
"TrustedSigners" : [ String, ... ],
"ViewerProtocolPolicy" : String

YAML
AllowedMethods:
- String
CachedMethods:
- String
Compress: Boolean
DefaultTTL: Number
FieldLevelEncryptionId : String,
ForwardedValues:
ForwardedValues
LambdaFunctionAssociations:
- LambdaFunctionAssociation (p. 1701)

API Version 2010-05-15
1686

AWS CloudFormation User Guide
CloudFront Distribution CacheBehavior
MaxTTL: Number
MinTTL: Number
PathPattern: String
SmoothStreaming: Boolean
TargetOriginId: String
TrustedSigners:
- String
ViewerProtocolPolicy: String

Properties
Note

For more information about the constraints and valid values of each property, see the
CacheBehavior data type in the Amazon CloudFront API Reference.
AllowedMethods
HTTP methods that CloudFront processes and forwards to your Amazon S3 bucket or your custom
origin. You can specify ["HEAD", "GET"], ["GET", "HEAD", "OPTIONS"], or ["DELETE",
"GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]. If you don't specify a value, AWS
CloudFormation speciﬁes ["HEAD", "GET"].
Required: No
Type: List of String values
CachedMethods
HTTP methods for which CloudFront caches responses. You can specify ["HEAD", "GET"] or
["GET", "HEAD", "OPTIONS"]. If you don't specify a value, AWS CloudFormation speciﬁes
["HEAD", "GET"].
Required: No
Type: List of String values
Compress
Indicates whether CloudFront automatically compresses certain ﬁles for this cache behavior. For
more information, see Serving Compressed Files in the Amazon CloudFront Developer Guide.
Required: No
Type: Boolean
DefaultTTL
The default time in seconds that objects stay in CloudFront caches before CloudFront forwards
another request to your custom origin to determine whether the object has been updated. This value
applies only when your custom origin does not add HTTP headers, such as Cache-Control maxage, Cache-Control s-maxage, and Expires to objects.
By default, AWS CloudFormation speciﬁes 86400 seconds (one day). If the value of the MinTTL
property is greater than the default value, CloudFront uses the minimum Time to Live (TTL) value.
Required: No
Type: Number
FieldLevelEncryptionId
The value of ID for the ﬁeld-level encryption conﬁguration that you want CloudFront to use for
encrypting speciﬁc ﬁelds of data for a cache behavior in your distribution. The default is an empty
string.
API Version 2010-05-15
1687

AWS CloudFormation User Guide
CloudFront Distribution CacheBehavior

Required: No
Type: String
ForwardedValues
Speciﬁes how CloudFront handles query strings or cookies.
Required: Yes
Type: ForwardedValues (p. 1699) type
LambdaFunctionAssociations
Lambda function associations for the Amazon CloudFront distribution.
Required: No
Type: List of CloudFront Distribution LambdaFunctionAssociation (p. 1701)
Update requires: No interruption (p. 118)
MaxTTL
The maximum time in seconds that objects stay in CloudFront caches before CloudFront forwards
another request to your custom origin to determine whether the object has been updated. This value
applies only when your custom origin does not add HTTP headers, such as Cache-Control maxage, Cache-Control s-maxage, and Expires to objects.
By default, AWS CloudFormation speciﬁes 31536000 seconds (one year). If the value of the MinTTL
or DefaultTTL property is greater than the maximum value, CloudFront uses the default TTL value.
Required: No
Type: Number
MinTTL
The minimum amount of time that you want objects to stay in the cache before CloudFront queries
your origin to see whether the object has been updated.
Required: No
Type: Number
PathPattern
The pattern to which this cache behavior applies. For example, you can specify images/*.jpg.
When CloudFront receives an end-user request, CloudFront compares the requested path with path
patterns in the order in which cache behaviors are listed in the template.
Required: Yes
Type: String
SmoothStreaming
Indicates whether to use the origin that is associated with this cache behavior to distribute media
ﬁles in the Microsoft Smooth Streaming format. If you specify true, you can still use this cache
behavior to distribute other content if the content matches the PathPattern value.
Required: No
Type: Boolean
API Version 2010-05-15
1688

AWS CloudFormation User Guide
CloudFront Distribution Cookies

TargetOriginId
The ID value of the origin to which you want CloudFront to route requests when a request matches
the value of the PathPattern property.
Required: Yes
Type: String
TrustedSigners
A list of AWS accounts that can create signed URLs in order to access private content.
Required: No
Type: List of String values
ViewerProtocolPolicy
The protocol that users can use to access the ﬁles in the origin that you speciﬁed in the
TargetOriginId property when a request matches the value of the PathPattern property.
For more information about the valid values, see the ViewerProtocolPolicy content for the
CacheBehavior data type in the Amazon CloudFront API Reference.
Required: Yes
Type: String

CloudFront Distribution Cookies
Cookies is a property of the CloudFront Distribution ForwardedValues (p. 1699) property that describes
which cookies are forwarded to the Amazon CloudFront origin.

Syntax
JSON
{
}

"Forward" : String,
"WhitelistedNames" : [ String, ... ]

YAML
Forward: String
WhitelistedNames:
- String

Properties
Note

For more information about the constraints and valid values of each property, see the
CookiePreference data type in the Amazon CloudFront API Reference.
Forward
The cookies to forward to the origin of the cache behavior. You can specify none, all, or
whitelist.
API Version 2010-05-15
1689

AWS CloudFormation User Guide
CloudFront Distribution CustomErrorResponse

Required: Yes
Type: String
WhitelistedNames
The names of cookies to forward to the origin for the cache behavior.
Required: Conditional. Required if you speciﬁed whitelist for the Forward property.
Type: List of String values

CloudFront Distribution CustomErrorResponse
CustomErrorResponse is a property of the CloudFront Distribution DistributionConﬁg (p. 1695)
resource that deﬁnes custom error messages for certain HTTP status codes.

Syntax
JSON
{

}

"ErrorCachingMinTTL" : Integer,
"ErrorCode" : Integer,
"ResponseCode" : Integer,
"ResponsePagePath" : String

YAML
ErrorCachingMinTTL: Integer
ErrorCode: Integer
ResponseCode: Integer
ResponsePagePath: String

Properties
Note

For more information about the constraints and valid values of each property, see the
CustomErrorResponse data type in the Amazon CloudFront API Reference.
ErrorCachingMinTTL
The minimum amount of time, in seconds, that Amazon CloudFront caches the HTTP status code
that you speciﬁed in the ErrorCode property. The default value is 300.
Required: No
Type: Integer
ErrorCode
An HTTP status code for which you want to specify a custom error page. You can specify 400, 403,
404, 405, 414, 500, 501, 502, 503, or 504.
Required: Yes
Type: Integer
API Version 2010-05-15
1690

AWS CloudFormation User Guide
CloudFront Distribution CustomOriginConﬁg

ResponseCode
The HTTP status code that CloudFront returns to viewer along with the custom error page. You can
specify 200, 400, 403, 404, 405, 414, 500, 501, 502, 503, or 504.
Required: Conditional. Required if you speciﬁed the ResponsePagePath property.
Type: Integer
ResponsePagePath
The path to the custom error page that CloudFront returns to a viewer when your origin returns
the HTTP status code that you speciﬁed in the ErrorCode property. For example, you can specify
/404-errors/403-forbidden.html.
Required: Conditional. Required if you speciﬁed the ResponseCode property.
Type: String

CloudFront Distribution CustomOriginConﬁg
CustomOriginConfig is a property of the Amazon CloudFront Origin (p. 1703) property that describes
an HTTP server.

Syntax
JSON
{

}

"HTTPPort" : Integer,
"HTTPSPort" : Integer,
"OriginKeepaliveTimeout" : Integer,
"OriginProtocolPolicy" : String,
"OriginReadTimeout" : Integer,
"OriginSSLProtocols" : [ String, ... ]

YAML
HTTPPort: Integer
HTTPSPort: Integer
OriginKeepaliveTimeout: Integer
OriginProtocolPolicy: String
OriginReadTimeout: Integer
OriginSSLProtocols:
- String

Properties
Note

For more information about the constraints and valid values of each property, see the
CustomOriginConﬁg data type in the Amazon CloudFront API Reference.
HTTPPort
The HTTP port the custom origin listens on.
Required: No
API Version 2010-05-15
1691

AWS CloudFormation User Guide
CloudFront Distribution DefaultCacheBehavior

Type: Integer
HTTPSPort
The HTTPS port the custom origin listens on.
Required: No
Type: Integer
OriginKeepaliveTimeout
You can create a custom keep-alive timeout. All timeout units are in seconds. The default keep-alive
timeout is 5 seconds, but you can conﬁgure custom timeout lengths. The minimum timeout length is
1 second; the maximum is 60 seconds.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
OriginProtocolPolicy
The origin protocol policy to apply to your origin.
Required: Yes
Type: String
Valid Values: http-only, match-viewer, https-only
OriginReadTimeout
You can create a custom origin read timeout. All timeout units are in seconds. The default origin read
timeout is 30 seconds, but you can conﬁgure custom timeout lengths. The minimum timeout length
is 4 seconds; the maximum is 60 seconds.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
OriginSSLProtocols
The SSL protocols that CloudFront can use when establishing an HTTPS connection with your origin.
By default, AWS CloudFormation speciﬁes the TLSv1 and SSLv3 protocols.
Required: No
Type: List of String values

CloudFront Distribution DefaultCacheBehavior
DefaultCacheBehavior is a property of the DistributionConﬁg (p. 1695) property that describes the
default cache behavior for an Amazon CloudFront distribution.

Syntax
JSON
{

API Version 2010-05-15
1692

AWS CloudFormation User Guide
CloudFront Distribution DefaultCacheBehavior

}

"AllowedMethods" : [ String, ... ],
"CachedMethods" : [ String, ... ],
"Compress" : Boolean,
"DefaultTTL" : Number,
"FieldLevelEncryptionId" : String,
"ForwardedValues" : ForwardedValues,
"LambdaFunctionAssociations" : [ LambdaFunctionAssociation (p. 1701), ... ]
"MaxTTL" : Number,
"MinTTL" : Number,
"SmoothStreaming" : Boolean,
"TargetOriginId" : String,
"TrustedSigners" : [ String, ... ],
"ViewerProtocolPolicy" : String

YAML
AllowedMethods:
- String
CachedMethods:
- String
Compress: Boolean
DefaultTTL: Number
FieldLevelEncryptionId: String,
ForwardedValues:
ForwardedValues
LambdaFunctionAssociations:
- LambdaFunctionAssociation (p. 1701)
MaxTTL: Number
MinTTL: Number
SmoothStreaming: Boolean
TargetOriginId: String
TrustedSigners:
- String
ViewerProtocolPolicy : String

Properties
Note

For more information about the constraints and valid values of each property, see the
DefaultCacheBehavior data type in the Amazon CloudFront API Reference.
AllowedMethods
HTTP methods that CloudFront processes and forwards to your Amazon S3 bucket or your custom
origin. In AWS CloudFormation templates, you can specify ["HEAD", "GET"], ["GET", "HEAD",
"OPTIONS"], or ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]. If
you don't specify a value, AWS CloudFormation speciﬁes ["HEAD", "GET"].
Required: No
Type: List of String values
CachedMethods
HTTP methods for which CloudFront caches responses. In AWS CloudFormation templates, you can
specify ["HEAD", "GET"] or ["GET", "HEAD", "OPTIONS"]. If you don't specify a value, AWS
CloudFormation speciﬁes ["HEAD", "GET"].
Required: No
Type: List of String values
API Version 2010-05-15
1693

AWS CloudFormation User Guide
CloudFront Distribution DefaultCacheBehavior

Compress
Indicates whether CloudFront automatically compresses certain ﬁles for this cache behavior. For
more information, see Serving Compressed Files in the Amazon CloudFront Developer Guide.
Required: No
Type: Boolean
DefaultTTL
The default time in seconds that objects stay in CloudFront caches before CloudFront forwards
another request to your custom origin to determine whether the object has been updated. This value
applies only when your custom origin does not add HTTP headers, such as Cache-Control maxage, Cache-Control s-maxage, and Expires to objects.
By default, AWS CloudFormation speciﬁes 86400 seconds (one day). If the value of the MinTTL
property is greater than the default value, CloudFront uses the minimum Time To Live (TTL) value.
Required: No
Type: Number
FieldLevelEncryptionId
The value of ID for the ﬁeld-level encryption conﬁguration that you want CloudFront to use for
encrypting speciﬁc ﬁelds of data for the default cache behavior in your distribution. The default is an
empty string.
Required: No
Type: String
ForwardedValues
Speciﬁes how CloudFront handles query strings or cookies.
Required: Yes
Type: ForwardedValues (p. 1699) type
LambdaFunctionAssociations
Lambda function associations for the Amazon CloudFront distribution.
Required: No
Type: List of CloudFront Distribution LambdaFunctionAssociation (p. 1701)
Update requires: No interruption (p. 118)
MaxTTL
The maximum time in seconds that objects stay in CloudFront caches before CloudFront forwards
another request to your custom origin to determine whether the object has been updated. This
value applies only when your custom origin adds HTTP headers, such as Cache-Control max-age,
Cache-Control s-maxage, and Expires to objects.
By default, AWS CloudFormation speciﬁes 31536000 seconds (one year). If the value of the MinTTL
or DefaultTTL property is greater than the maximum value, CloudFront uses the default TTL value.
Required: No
Type: Number
API Version 2010-05-15
1694

AWS CloudFormation User Guide
CloudFront Distribution DistributionConﬁg

MinTTL
The minimum amount of time that you want objects to stay in the cache before CloudFront queries
your origin to see whether the object has been updated.
Required: No
Type: Number
SmoothStreaming
Indicates whether to use the origin that is associated with this cache behavior to distribute media
ﬁles in the Microsoft Smooth Streaming format.
Required: No
Type: Boolean
TargetOriginId
The value of ID for the origin that CloudFront routes requests to when the default cache behavior is
applied to a request.
Required: Yes
Type: String
TrustedSigners
A list of AWS accounts that can create signed URLs in order to access private content.
Required: No
Type: List of String values
ViewerProtocolPolicy
The protocol that users can use to access the ﬁles in the origin that you speciﬁed in the
TargetOriginId property when the default cache behavior is applied to a request. For
more information about the valid values, see the ViewerProtocolPolicy content for the
DefaultCacheBehavior data type in the Amazon CloudFront API Reference.
Required: Yes
Type: String

CloudFront Distribution DistributionConﬁg
DistributionConfig is a property of the AWS::CloudFront::Distribution (p. 700) property that
describes which Amazon CloudFront origin servers to get your ﬁles from when users request the ﬁles
through your website or application.

Syntax
JSON
{

"Aliases (p. 1696)" : [ String, ... ],
"CacheBehaviors (p. 1696)" : [ CacheBehavior, ... ],
"Comment (p. 1696)" : String,
"CustomErrorResponses" : [ CustomErrorResponse, ... ],
"DefaultCacheBehavior (p. 1697)" : DefaultCacheBehavior,

API Version 2010-05-15
1695

AWS CloudFormation User Guide
CloudFront Distribution DistributionConﬁg

}

"DefaultRootObject (p. 1697)" : String,
"Enabled (p. 1697)" : Boolean,
"HttpVersion" : String,
"IPV6Enabled" : Boolean,
"Logging (p. 1698)" : Logging,
"Origins (p. 1698)" : [ Origin, ... ],
"PriceClass" : String,
"Restrictions" : Restriction,
"ViewerCertificate" : ViewerCertificate,
"WebACLId" : String

YAML
Aliases (p. 1696):
- String
CacheBehaviors (p. 1696):
- CacheBehavior
Comment (p. 1696): String
CustomErrorResponses:
- CustomErrorResponse
DefaultCacheBehavior (p. 1697):
DefaultCacheBehavior
DefaultRootObject (p. 1697): String
Enabled (p. 1697): Boolean
HttpVersion: String
IPV6Enabled: Boolean
Logging (p. 1698):
Logging
Origins (p. 1698):
- Origin
PriceClass: String
Restrictions:
Restriction
ViewerCertificate:
ViewerCertificate
WebACLId: String

Properties
Aliases
CNAMEs (alternate domain names), if any, for the distribution.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
CacheBehaviors
A list of CacheBehavior types for the distribution.
Required: No
Type: List of CloudFront Distribution CacheBehavior (p. 1686)
Update requires: No interruption (p. 118)
Comment
Any comments that you want to include about the distribution. Optional.
API Version 2010-05-15
1696

AWS CloudFormation User Guide
CloudFront Distribution DistributionConﬁg

When you create a distribution, you can include a comment of up to 128 characters. You can update
the comment at any time.
Required: No
Type: String
Update requires: No interruption (p. 118)
CustomErrorResponses
Whether CloudFront replaces HTTP status codes in the 4xx and 5xx range with custom error
messages before returning the response to the viewer.
Required: No
Type List of CloudFront Distribution CustomErrorResponse (p. 1690)
Update requires: No interruption (p. 118)
DefaultCacheBehavior
The default cache behavior that is triggered if you do not specify the CacheBehavior property or if
ﬁles don't match any of the values of PathPattern in the CacheBehavior property.
Required: Yes
Type: DefaultCacheBehavior type (p. 1692)
Update requires: No interruption (p. 118)
DefaultRootObject
The object (such as index.html) that you want CloudFront to request from your origin when the
root URL for your distribution (such as http://example.com/) is requested.

Note

Specifying a default root object avoids exposing the contents of your distribution.
Required: No
Type: String
Update requires: No interruption (p. 118)
Enabled
Controls whether the distribution is enabled to accept end user requests for content.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
HttpVersion
The latest HTTP version that viewers can use to communicate with CloudFront. Viewers that
don't support the latest version automatically use an earlier HTTP version. By default, AWS
CloudFormation speciﬁes http1.1.
For valid values, see the HttpVersion content for the DistributionConﬁg data type in the Amazon
CloudFront API Reference.
API Version 2010-05-15
1697

AWS CloudFormation User Guide
CloudFront Distribution DistributionConﬁg

Required: No
Type: String
Update requires: No interruption (p. 118)
IPV6Enabled
If you want CloudFront to respond to IPv6 DNS requests with an IPv6 address for your distribution,
specify true. If you specify false, CloudFront responds to IPv6 DNS requests with the DNS
response code NOERROR and with no IP addresses. This allows viewers to submit a second
request, for an IPv4 address for your distribution. For more information and usage guidance, see
CreateDistribution in the Amazon CloudFront API Reference.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Logging
Controls whether access logs are written for the distribution. To turn on access logs, specify this
property.
Required: No
Type: Logging (p. 1702) type
Update requires: No interruption (p. 118)
Origins
A list of origins for this CloudFront distribution. For each origin, you can specify whether it is an
Amazon S3 or custom origin.
Required: Yes
Type: List of Origins (p. 1703).
Update requires: No interruption (p. 118)
PriceClass
The price class that corresponds with the maximum price that you want to pay for the CloudFront
service. For more information, see Choosing the Price Class in the Amazon CloudFront Developer
Guide.
For more information about the valid values, see the PriceClass content for the
DistributionConﬁg data type in the Amazon CloudFront API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
Restrictions
Speciﬁes restrictions on who or how viewers can access your content.
Required: No
Type: CloudFront Distribution Restrictions (p. 1705)
API Version 2010-05-15
1698

AWS CloudFormation User Guide
CloudFront Distribution ForwardedValues

Update requires: No interruption (p. 118)
ViewerCertificate
The certiﬁcate to use when viewers use HTTPS to request objects.
Required: No
Type: CloudFront Distribution ViewerCertiﬁcate (p. 1707)
Update requires: No interruption (p. 118)
WebACLId
The AWS WAF web ACL (p. 1547) to associate with this distribution. AWS WAF is a web application
ﬁrewall that enables you to monitor the HTTP and HTTPS requests that are forwarded to CloudFront
and to control who can access your content. CloudFront permits or forbids requests based on
conditions that you specify, such as the IP addresses from which requests originate or the values of
query strings.
Required: No
Type: String
Update requires: No interruption (p. 118)

CloudFront Distribution ForwardedValues
ForwardedValues is a property of the DefaultCacheBehavior (p. 1692) and CacheBehavior (p. 1686)
properties that indicates whether Amazon CloudFront forwards query strings or cookies.

Syntax
JSON
{

}

"Cookies" : Cookies,
"Headers" : [ String, ... ],
"QueryString" : Boolean,
"QueryStringCacheKeys" : [ String, ... ]

YAML
Cookies:
Cookies
Headers:
- String
QueryString: Boolean
QueryStringCacheKeys:
- String

Properties
Note

For more information about the constraints and valid values of each property, see the
ForwardedValues data type in the Amazon CloudFront API Reference.
API Version 2010-05-15
1699

AWS CloudFormation User Guide
CloudFront Distribution GeoRestriction

Cookies
Forwards speciﬁed cookies to the origin of the cache behavior. For more information, see
Conﬁguring CloudFront to Cache Based on Cookies in the Amazon CloudFront Developer Guide.
Required: No
Type: CloudFront Distribution Cookies (p. 1689)
Headers
Speciﬁes the headers that you want Amazon CloudFront to forward to the origin for this cache
behavior (whitelisted headers). For the headers that you specify, Amazon CloudFront also caches
separate versions of a speciﬁed object that is based on the header values in viewer requests.
For custom origins, if you specify a single asterisk (["*"]), all headers are forwarded. If you don't
specify a value, only the default headers are forwarded. For Amazon S3 origins, you can forward
only selected headers; specifying * is not supported. For more information, see Conﬁguring
CloudFront to Cache Objects Based on Request Headers in the Amazon CloudFront Developer Guide.
Required: No
Type: List of String values
QueryString
Indicates whether you want CloudFront to forward query strings to the origin that is associated
with this cache behavior. If so, specify true; if not, specify false. For more information about
forwarding query strings, see the QueryString parameter for the ForwardedValues type in the
Amazon CloudFront API Reference.
Required: Yes
Type: Boolean
QueryStringCacheKeys
If you forward query strings to the origin, speciﬁes the query string parameters that CloudFront uses
to determine which content to cache. For more information, see Conﬁguring CloudFront to Cache
Based on Query String Parameters in the Amazon CloudFront Developer Guide.
Required: No
Type: List of String values

CloudFront Distribution GeoRestriction
GeoRestriction is a property of the CloudFront Distribution Restrictions (p. 1705) property that
describes the countries in which Amazon CloudFront allows viewers to access your content.

Syntax
JSON
{
}

"Locations" : [ String, ... ],
"RestrictionType" : String

API Version 2010-05-15
1700

AWS CloudFormation User Guide
CloudFront Distribution LambdaFunctionAssociation

YAML
Locations:
- String
RestrictionType: String

Properties
Note

For more information about the constraints and valid values of each property, see the
GeoRestriction data type in the Amazon CloudFront API Reference.
Locations
The two-letter, uppercase country code for a country that you want to include in your blacklist or
whitelist.
Required: Conditional. Required if you speciﬁed blacklist or whitelist for the
RestrictionType property.
Type: List of String values
RestrictionType
The method to restrict distribution of your content:
blacklist
Prevents viewers in the countries that you speciﬁed from accessing your content.
whitelist
Allows viewers in the countries that you speciﬁed to access your content.
none
No distribution restrictions by country.
Required: Yes
Type: String

Amazon CloudFront Distribution
LambdaFunctionAssociation
The LambdaFunctionAssociation property type speciﬁes a Lambda function association for an
Amazon CloudFront distribution.
LambdaFunctionAssociation is a property of the CloudFront Distribution CacheBehavior (p. 1686)
and CloudFront Distribution DefaultCacheBehavior (p. 1692) property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"EventType" : String,

API Version 2010-05-15
1701

AWS CloudFormation User Guide
CloudFront Distribution Logging

}

"LambdaFunctionARN" : String

YAML
EventType: String
LambdaFunctionARN: String

Properties
EventType
Speciﬁes the event type that triggers a Lambda function invocation. For valid values and deﬁnitions,
see LambdaFunctionAssociation in the Amazon CloudFront API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
LambdaFunctionARN
The ARN of the Lambda function. You must specify the ARN of a function version; you can't specify a
Lambda alias or $LATEST.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• LambdaFunctionAssociation in the Amazon CloudFront API Reference

CloudFront Distribution Logging
Logging is a property of the DistributionConﬁg (p. 1695) property that enables Amazon CloudFront to
deliver access logs for each distribution to an Amazon Simple Storage Service (S3) bucket.

Syntax
JSON
{

}

"Bucket" : String,
"IncludeCookies" : Boolean,
"Prefix" : String

YAML
Bucket: String

API Version 2010-05-15
1702

AWS CloudFormation User Guide
CloudFront Distribution Origin
IncludeCookies: Boolean
Prefix: String

Properties
Note

For more information about the constraints and valid values of each property, see the
LoggingConﬁg data type in the Amazon CloudFront API Reference.
Bucket
The Amazon S3 bucket address where access logs are stored, for example,
mybucket.s3.amazonaws.com.
Required: Yes
Type: String
IncludeCookies
Indicates whether CloudFront includes cookies in access logs.
Required: No
Type: Boolean
Prefix
A preﬁx for the access log ﬁle names for this distribution.
Required: No
Type: String

CloudFront Distribution Origin
Origin is a property of the DistributionConﬁg (p. 1695) property that describes an Amazon CloudFront
distribution origin.

Syntax
JSON
{

}

"CustomOriginConfig" : CustomOriginConfig,
"DomainName" : String,
"Id" : String,
"OriginCustomHeaders" : [ OriginCustomHeader, ... ]
"OriginPath" : String,
"S3OriginConfig" : S3 Origin

YAML
CustomOriginConfig:
CustomOriginConfig
DomainName: String
Id: String

API Version 2010-05-15
1703

AWS CloudFormation User Guide
CloudFront Distribution Origin
OriginCustomHeaders:
- OriginCustomHeader
OriginPath: String
S3OriginConfig:
S3 Origin

Properties
Note

For more information about the constraints and valid values of each property, see the Origin
data type in the Amazon CloudFront API Reference.
CustomOriginConfig
Origin information to specify a custom origin.
Required: Conditional. You cannot use CustomOriginConfig and S3OriginConfig in the same
Origin, but you must specify one or the other.
Type: CustomOriginConﬁg (p. 1691) type
DomainName
The DNS name of the Amazon Simple Storage Service (S3) bucket or the HTTP server from which
you want CloudFront to get objects for this origin.
Required: Yes
Type: String
Id
An identiﬁer for the origin. The value of Id must be unique within the distribution.
Required: Yes
Type: String
OriginCustomHeaders
Custom headers that CloudFront includes when it forwards a request to your origin.
Required: No
Type: List of OriginCustomHeader (p. 1705) type
OriginPath
The path that CloudFront uses to request content from an S3 bucket or custom origin. The
combination of the DomainName and OriginPath properties must resolve to a valid path. The
value must start with a slash mark (/) and cannot end with a slash mark.
Required: No
Type: String
S3OriginConfig
Origin information to specify an S3 origin.
Required: Conditional. You cannot use S3OriginConfig and CustomOriginConfig in the same
Origin, but you must specify one or the other.
Type: S3Origin (p. 1706) type
API Version 2010-05-15
1704

AWS CloudFormation User Guide
CloudFront Distribution OriginCustomHeader

CloudFront Distribution OriginCustomHeader
OriginCustomHeader is a property of the Amazon CloudFront Origin (p. 1703) property that speciﬁes
the custom headers CloudFront includes when it forwards requests to your origin.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"HeaderName" : String,
"HeaderValue" : String

YAML
HeaderName: String
HeaderValue: String

Properties
HeaderName
The name of a header that CloudFront forwards to your origin. For more information, see
Forwarding Custom Headers to Your Origin (Web Distributions Only) in the Amazon CloudFront
Developer Guide.
Required: Yes
Type: String
HeaderValue
The value for the header that you speciﬁed in the HeaderName property.
Required: Yes
Type: String

CloudFront Distribution Restrictions
Restrictions is a property of the CloudFront Distribution DistributionConﬁg (p. 1695) property type
that lets you limit which viewers can access your content.

Syntax
JSON
{
}

"GeoRestriction" : GeoRestriction

API Version 2010-05-15
1705

AWS CloudFormation User Guide
CloudFront Distribution S3Origin

YAML
GeoRestriction: GeoRestriction

Properties
Note

For more information about the constraints and valid values of each property, see the
Restrictions data type in the Amazon CloudFront API Reference.
GeoRestriction
The countries in which viewers are able to access your content.
Required: Yes
Type: CloudFront Distribution GeoRestriction (p. 1700)

CloudFront Distribution S3Origin
S3Origin is a property of the Origin (p. 1703) property that describes the Amazon Simple Storage
Service (S3) origin to associate with an Amazon CloudFront origin.

Syntax
JSON
{
}

"OriginAccessIdentity" : String

YAML
OriginAccessIdentity: String

Properties
Note

For more information about the constraints and valid values of each property, see the S3Origin
data type in the Amazon CloudFront API Reference.
OriginAccessIdentity
The CloudFront origin access identity to associate with the origin. You must specify the full origin ID
—for example:
origin-access-identity/cloudfront/E15MNIMTCFKK4C
This is used to conﬁgure the origin so that end users can access objects in an Amazon S3 bucket
through CloudFront only.
Required: No
Type: String
API Version 2010-05-15
1706

AWS CloudFormation User Guide
CloudFront Distribution ViewerCertiﬁcate

CloudFront Distribution ViewerCertiﬁcate
ViewerCertificate is a property of the CloudFront Distribution DistributionConﬁg (p. 1695) property
that speciﬁes which certiﬁcate to use when viewers use HTTPS to request objects.

Syntax
JSON
{

}

"AcmCertificateArn" : String,
"CloudFrontDefaultCertificate" : Boolean,
"IamCertificateId" : String,
"MinimumProtocolVersion" : String,
"SslSupportMethod" : String

YAML
AcmCertificateArn: String
CloudFrontDefaultCertificate: Boolean
IamCertificateId: String
MinimumProtocolVersion: String
SslSupportMethod: String

Properties
AcmCertificateArn
If you're using an alternate domain name, the Amazon Resource Name (ARN) of an AWS Certiﬁcate
Manager (ACM) certiﬁcate. Use the ACM service to provision and manage your certiﬁcates. For more
information, see the AWS Certiﬁcate Manager User Guide.

Note

Currently, you can specify only certiﬁcates that are in the US East (N. Virginia) region.
Required: Conditional. You must specify one of the following properties: AcmCertificateArn,
CloudFrontDefaultCertificate, or IamCertificateId.
Type: String
Update requires: No interruption (p. 118)
CloudFrontDefaultCertificate
Indicates whether to use the default certiﬁcate for your CloudFront domain name when viewers use
HTTPS to request your content.
Required: Conditional. You must specify one of the following properties: AcmCertificateArn,
CloudFrontDefaultCertificate, or IamCertificateId.
Type: Boolean
Update requires: No interruption (p. 118)
IamCertificateId
If you're using an alternate domain name, the ID of a server certiﬁcate that was purchased from
a certiﬁcate authority. This ID is the ServerCertificateId value, which AWS Identity and
API Version 2010-05-15
1707

AWS CloudFormation User Guide
CloudFront StreamingDistribution Logging

Access Management (IAM) returns when the certiﬁcate is added to the IAM certiﬁcate store, such as
ASCACKCEVSQ6CEXAMPLE1.
Required: Conditional. You must specify one of the following properties: AcmCertificateArn,
CloudFrontDefaultCertificate, or IamCertificateId.
Type: String
Update requires: No interruption (p. 118)
MinimumProtocolVersion
The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.
CloudFront serves your objects only to browsers or devices that support at least the SSL version that
you specify. For valid values, see the MinimumProtocolVersion content for the ViewerCertiﬁcate
data type in the Amazon CloudFront API Reference.
AWS CloudFormation speciﬁes SSLv3 by default. However, if you specify the IamCertificateId
or AcmCertificateArn property and specify SNI only for the SslSupportMethod property, AWS
CloudFormation speciﬁes TLSv1 for the minimum protocol version.

Note

On the CloudFront console, this setting is called Security policy.
Required: No
Type: String
Update requires: No interruption (p. 118)
SslSupportMethod
Speciﬁes how CloudFront serves HTTPS requests. For valid values, see the SslSupportMethod
content for the ViewerCertiﬁcate data type in the Amazon CloudFront API Reference.
Required: Conditional. Required if you speciﬁed the IamCertificateId or AcmCertificateArn
property.
Type: String
Update requires: No interruption (p. 118)

Amazon CloudFront StreamingDistribution Logging
The Logging property type to control whether access logs are written for a Amazon CloudFront
streaming distribution.
Logging is a property of the CloudFront StreamingDistribution StreamingDistributionConﬁg (p. 1710)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Bucket" : String,
"Enabled" : Boolean,

API Version 2010-05-15
1708

AWS CloudFormation User Guide
CloudFront StreamingDistribution S3Origin

}

"Prefix" : String

YAML
Bucket: String
Enabled: Boolean
Prefix: String

Properties
Bucket
The Amazon S3 bucket to store the access logs in, for example,
myawslogbucket.s3.amazonaws.com.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Enabled
Speciﬁes whether you want CloudFront to save access logs to an Amazon S3 bucket. If you don't
want to enable logging when you create a streaming distribution or if you want to disable logging
for an existing streaming distribution, specify false for Enabled, and specify empty Bucket and
Prefix elements. If you specify false for Enabled but you specify values for Bucket and Prefix,
the values are automatically deleted.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
Prefix
An optional string that you want CloudFront to preﬁx to the access log ﬁlenames for this streaming
distribution, for example, myprefix/. If you want to enable logging, but you don't want to specify a
preﬁx, you still must include an empty Prefix property in the Logging property.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• StreamingLoggingConﬁg in the Amazon CloudFront API Reference

Amazon CloudFront StreamingDistribution S3Origin
The S3Origin property type speciﬁes information about the Amazon S3 bucket from which you want
Amazon CloudFront to get your media ﬁles for distribution. For more information, see S3Origin in the
Amazon CloudFront API Reference.
API Version 2010-05-15
1709

AWS CloudFormation User Guide
CloudFront StreamingDistribution
StreamingDistributionConﬁg

S3Origin is a property of the CloudFront StreamingDistribution StreamingDistributionConﬁg (p. 1710)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"DomainName" : String,
"OriginAccessIdentity" : String

YAML
DomainName: String
OriginAccessIdentity: String

Properties
DomainName
The DNS name of the Amazon S3 origin.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
OriginAccessIdentity
The CloudFront origin access identity to associate with the RTMP distribution. Use an origin access
identity to conﬁgure the distribution so that end users can only access objects in an Amazon S3
bucket through CloudFront. For more information, see the OriginAccessIdentity property for
S3Origin in Amazon CloudFront API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• S3Origin in the Amazon CloudFront API Reference

Amazon CloudFront StreamingDistribution
StreamingDistributionConﬁg
The StreamingDistributionConfig property type speciﬁes the conﬁguration of an RMTP streaming
distribution for Amazon CloudFront.
API Version 2010-05-15
1710

AWS CloudFormation User Guide
CloudFront StreamingDistribution
StreamingDistributionConﬁg

StreamingDistributionConfig is a property of the
AWS::CloudFront::StreamingDistribution (p. 705) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Aliases" : [ String, ... ],
"Comment" : String,
"Enabled" : Boolean,
"Logging" : Logging (p. 1708),
"PriceClass" : String,
"S3Origin" : S3Origin (p. 1709),
"TrustedSigners" : TrustedSigners (p. 1713)

YAML
Aliases:
- String
Comment: String
Enabled: Boolean
Logging:
Logging (p. 1708)
PriceClass: String
S3Origin:
S3Origin (p. 1709)
TrustedSigners:
TrustedSigners (p. 1713)

Properties
For more information and valid property values, see CreateStreamingDistribution in the Amazon
CloudFront API Reference.
Aliases
Lists the CNAMEs (alternate domain names), if any, for this streaming distribution.
Required: No
Type: StringList
Update requires: No interruption (p. 118)
Comment
Any comments you want to include about the streaming distribution.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1711

AWS CloudFormation User Guide
CloudFront StreamingDistribution Tag

Enabled
Whether the streaming distribution is enabled to accept user requests for content.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
Logging
Whether access logs are written for the streaming distribution.
Required: No
Type: CloudFront StreamingDistribution Logging (p. 1708)
Update requires: No interruption (p. 118)
PriceClass
The price class for this streaming distribution.
Valid values include PriceClass_100, PriceClass_200, and PriceClass_All.
Required: No
Type: String
Update requires: No interruption (p. 118)
S3Origin
Information about the Amazon S3 bucket from which you want CloudFront to get your media ﬁles
for distribution.
Required: Yes
Type: CloudFront StreamingDistribution S3Origin (p. 1709)
Update requires: No interruption (p. 118)
TrustedSigners
Speciﬁes any AWS accounts that you want to permit to create signed URLs for private content. If
you want the distribution to use signed URLs, include this element; if you want the distribution to
use public URLs, remove this property. For more information, see Serving Private Content through
CloudFront in the Amazon CloudFront Developer Guide.
Required: Yes
Type: CloudFront StreamingDistribution TrustedSigners (p. 1713)
Update requires: No interruption (p. 118)

See Also
• CreateStreamingDistribution

Amazon CloudFront StreamingDistribution Tag
The Tag property type speciﬁes key-value pairs for an Amazon CloudFront streaming distribution.
API Version 2010-05-15
1712

AWS CloudFormation User Guide
CloudFront StreamingDistribution TrustedSigners

Tag is a property of the AWS::CloudFront::StreamingDistribution (p. 705) resource type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Key" : String,
"Value" : String

YAML
Key: String
Value: String

Properties
Key
A string that contains Tag key.
Required: No
Type: String
Update requires: No interruption (p. 118)
Value
A string that contains an optional Tag value.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• Tag in the Amazon CloudFront API Reference

Amazon CloudFront StreamingDistribution
TrustedSigners
The TrustedSigners property type speciﬁes the AWS accounts, if any, that you want to allow to create
signed URLs for private content for an Amazon CloudFront distribution. For more information, see
TrustedSigners in the Amazon CloudFront API Reference.
TrustedSigners is a property of the CloudFront StreamingDistribution
StreamingDistributionConﬁg (p. 1710) property type.
API Version 2010-05-15
1713

AWS CloudFormation User Guide
CloudTrail Trail EventSelector

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"AwsAccountNumbers" : [ String, ... ]
"Enabled" : Boolean

YAML
AwsAccountNumbers:
- String
Enabled: Boolean

Properties
AwsAccountNumbers
The trusted signers for this cache behavior.
Required: No
Type: StringList
Update requires: No interruption (p. 118)
Enabled
Speciﬁes whether you want to require viewers to use signed URLs to access the ﬁles speciﬁed by
PathPattern and TargetOriginId.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)

See Also
• TrustedSigners in the Amazon CloudFront API Reference

AWS CloudTrail Trail EventSelector
The EventSelector property type conﬁgures logging of management events and data events for an
AWS CloudTrail trail. For more information, see PutEventSelectors in the AWS CloudTrail API Reference.
EventSelector is a property of the AWS::CloudTrail::Trail (p. 708) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1714

AWS CloudFormation User Guide
CloudTrail Trail DataResource

JSON
{

}

"DataResources" : [ DataResource (p. 1715), ... ],
"IncludeManagementEvents" : Boolean,
"ReadWriteType" : String

YAML
DataResources:
- DataResource (p. 1715)
IncludeManagementEvents: Boolean
ReadWriteType: String

Properties
DataResources
The resources for data events. CloudTrail supports logging data events for Amazon S3 objects and
AWS Lambda functions. For more information, see Data Events in the AWS CloudTrail User Guide.
Required: No
Type: List of CloudTrail Trail DataResource (p. 1715)
Update requires: No interruption (p. 118)
IncludeManagementEvents
Speciﬁes whether the event selector includes management events for the trail. The default value is
true. For more information, see Management Events in the AWS CloudTrail User Guide.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
ReadWriteType
Speciﬁes whether to log read-only events, write-only events, or all events. The default value is All.
Required: No
Type: String
Valid values: ReadOnly | WriteOnly | All
Update requires: No interruption (p. 118)

AWS CloudTrail Trail DataResource
The DataResource property type speciﬁes Amazon S3 objects for event selectors in a CloudTrail
trail. Data events are object-level API operations that access Amazon S3 objects, such as GetObject,
DeleteObject, and PutObject. You can specify up to 250 Amazon S3 buckets and object preﬁxes for a
trail. For more information, see DataResource in the AWS CloudTrail API Reference.
DataResource is a property of the CloudTrail Trail EventSelector (p. 1714) property type.
API Version 2010-05-15
1715

AWS CloudFormation User Guide
CloudWatch Metric Dimension

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Type" : String,
"Values" : [ String, ... ]

YAML
Type: String
Values:
- String

Properties
Type
The resource type to log data events for. You can specify only the following value:
AWS::S3::Object.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Values
A list of ARN-like strings for the speciﬁed Amazon S3 objects.
To log data events for all objects in all Amazon S3 buckets in your AWS account, specify the preﬁx as
arn:aws:s3:::.
To log data events for all objects in an Amazon S3 bucket, specify the bucket and an empty object
preﬁx such as arn:aws:s3:::bucket-1/. The trail logs data events for all objects in this Amazon
S3 bucket.
To log data events for speciﬁc objects, specify the Amazon S3 bucket and object preﬁx such as
arn:aws:s3:::bucket-1/example-images. The trail logs data events for objects in the bucket
that match the preﬁx.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

CloudWatch Metric Dimension Property Type
The Metric Dimension is an embedded property of the AWS::CloudWatch::Alarm (p. 714) type.
Dimensions are arbitrary name/value pairs that can be associated with a CloudWatch metric. You can
specify a maximum of 10 dimensions for a given metric.
API Version 2010-05-15
1716

AWS CloudFormation User Guide
CloudWatch Metric Dimension

Syntax
JSON
{
}

"Name" : String,
"Value" : String

YAML
Name: String
Value: String

Properties
Name
The name of the dimension, from 1–255 characters in length.
Required: Yes
Type: String
Value
The value representing the dimension measurement, from 1–255 characters in length.
Required: Yes
Type: String

Examples
Two CloudWatch alarms with dimension values supplied by the Ref function
The Ref (p. 2311) and Fn::GetAtt (p. 2285) intrinsic functions are often used to supply values for
CloudWatch metric dimensions. Here is an example using the Ref function.
"CPUAlarmHigh": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "Scale-up if CPU is greater than 90% for 10 minutes",
"MetricName": "CPUUtilization",
"Namespace": "AWS/EC2",
"Statistic": "Average",
"Period": "300",
"EvaluationPeriods": "2",
"Threshold": "90",
"AlarmActions": [ { "Ref": "WebServerScaleUpPolicy" } ],
"Dimensions": [
{
"Name": "AutoScalingGroupName",
"Value": { "Ref": "WebServerGroup" }
}
],
"ComparisonOperator": "GreaterThanThreshold"

API Version 2010-05-15
1717

AWS CloudFormation User Guide
CloudWatch Events Rule EcsParameters
}
},
"CPUAlarmLow": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "Scale-down if CPU is less than 70% for 10 minutes",
"MetricName": "CPUUtilization",
"Namespace": "AWS/EC2",
"Statistic": "Average",
"Period": "300",
"EvaluationPeriods": "2",
"Threshold": "70",
"AlarmActions": [ { "Ref": "WebServerScaleDownPolicy" } ],
"Dimensions": [
{
"Name": "AutoScalingGroupName",
"Value": { "Ref": "WebServerGroup" }
}
],
"ComparisonOperator": "LessThanThreshold"
}
}

See Also
• Dimension in the Amazon CloudWatch API Reference
• Amazon CloudWatch Metrics, Namespaces, and Dimensions Reference in the Amazon CloudWatch
Developer Guide

Amazon CloudWatch Events Rule EcsParameters
The EcsParameters property type speciﬁes information about an Amazon Elastic Container Service
(Amazon ECS) task target.
EcsParameters is a property of the CloudWatch Events Rule Target (p. 1722) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"TaskCount" : Integer,
"TaskDefinitionArn" : String

YAML
TaskCount: Integer
TaskDefinitionArn: String

Properties
For more information, including constraints and valid values, see EcsParameters in the Amazon
CloudWatch Events API Reference.
API Version 2010-05-15
1718

AWS CloudFormation User Guide
CloudWatch Events Rule InputTransformer

TaskCount
The number of tasks to create based on the task deﬁnition. The default is 1.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
TaskDefinitionArn
The Amazon Resource Name (ARN) of the task deﬁnition to use.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon CloudWatch Events Rule InputTransformer
The InputTransformer property type speciﬁes settings that provide custom input to an Amazon
CloudWatch Events rule target based on certain event data.
InputTransformer is a property of the CloudWatch Events Rule Target (p. 1722) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"InputPathsMap" : { String:String, ... },
"InputTemplate" : String

YAML
InputPathsMap:
String: String
InputTemplate: String

Properties
For more information, including constraints, see InputTransformer in the Amazon CloudWatch Events API
Reference.
InputPathsMap
The map of JSON paths to extract from the event, as key-value pairs where each value is a JSON
path. You must use JSON dot notation, not bracket notation. Duplicates aren't allowed.
Required: No
Type: String-to-string map
Update requires: No interruption (p. 118)
API Version 2010-05-15
1719

AWS CloudFormation User Guide
CloudWatch Events Rule KinesisParameters

InputTemplate
The input template where you can use the values of the keys from InputPathsMap to customize
the data that's sent to the target.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon CloudWatch Events Rule KinesisParameters
The KinesisParameters property type speciﬁes settings that control shard assignment for a Kinesis
stream target.
KinesisParameters is a property of the CloudWatch Events Rule Target (p. 1722) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"PartitionKeyPath" : String

YAML
PartitionKeyPath: String

Properties
For more information, including constraints, see KinesisParameters in the Amazon CloudWatch Events API
Reference.
PartitionKeyPath
The JSON path to extract from the event and use as the partition key. The default is to use the
eventId as the partition key. For more information, see Amazon Kinesis Streams Key Concepts in
the Kinesis Streams Developer Guide.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon CloudWatch Events Rule
RunCommandParameters
The RunCommandParameters property type speciﬁes the parameters to use when an Amazon
CloudWatch Events rule invokes the AWS Systems Manager Run Command.
API Version 2010-05-15
1720

AWS CloudFormation User Guide
CloudWatch Events Rule RunCommandTarget

RunCommandParameters is a property of the CloudWatch Events Rule Target (p. 1722) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"RunCommandTargets" : [ RunCommandTarget (p. 1721), ... ]

YAML
RunCommandTargets:
- RunCommandTarget (p. 1721)

Properties
For more information, including constraints and valid values, see RunCommandParameters in the
Amazon CloudWatch Events API Reference.
RunCommandTargets
The criteria (either InstanceIds or a tag) that speciﬁes which EC2 instances the command is sent to.

Note

Currently, you can include only one RunCommandTarget block, which speciﬁes a list of
InstanceIds or a tag.
Required: Yes
Type: List of CloudWatch Events Rule RunCommandTarget (p. 1721)
Update requires: No interruption (p. 118)

Amazon CloudWatch Events Rule
RunCommandTarget
The RunCommandTarget property type speciﬁes information about the Amazon EC2 instances that the
Run Command is sent to. A RunCommandTarget block can include only one key, but the key can specify
multiple values.
The RunCommandTargets property of the CloudWatch Events Rule RunCommandParameters (p. 1720)
property type contains a list of RunCommandTarget property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Key" : String,

API Version 2010-05-15
1721

AWS CloudFormation User Guide
CloudWatch Events Rule Target

}

"Values" : [ String, ... ]

YAML
Key: String
Values:
- String

Properties
For more information, including constraints, see RunCommandTarget in the Amazon CloudWatch Events
API Reference.
Key
The key, either tag: tag-key or InstanceIds.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Values
A list of tag values or EC2 instance IDs.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)

Amazon CloudWatch Events Rule Target
The Target property type speciﬁes a target, such as AWS Lambda (Lambda) functions or Kinesis
streams, that CloudWatch Events invokes when a rule is triggered.
The Targets property of the AWS::Events::Rule (p. 1132) resource contains a list of one or more
Target property types.

Syntax
JSON
{

}

"Arn" : String,
"EcsParameters" : EcsParameters (p. 1718),
"Id" : String,
"Input" : String,
"InputPath" : String,
"InputTransformer" : InputTransformer (p. 1719),
"KinesisParameters" : KinesisParameters (p. 1720),
"RoleArn" : String,
"RunCommandParameters" : RunCommandParameters (p. 1720)

API Version 2010-05-15
1722

AWS CloudFormation User Guide
CloudWatch Events Rule Target

YAML
Arn: String
EcsParameters:
EcsParameters (p. 1718)
Id: String
Input: String
InputPath: String
InputTransformer:
InputTransformer (p. 1719)
KinesisParameters:
KinesisParameters (p. 1720)
RoleArn: String
RunCommandParameters:
RunCommandParameters (p. 1720)

Properties
Note

For more information about each property, including constraints and valid values, see Amazon
CloudWatch Events Rule Target in the Amazon CloudWatch Events API Reference.
Arn
The Amazon Resource Name (ARN) of the target.
Required: Yes
Type: String
EcsParameters
The Amazon ECS task deﬁnition and task count to use, if the event target is an Amazon ECS task.
Required: No
Type: CloudWatch Events Rule EcsParameters (p. 1718)
Id
A unique, user-deﬁned identiﬁer for the target. Acceptable values include alphanumeric characters,
periods (.), hyphens (-), and underscores (_).
Required: Yes
Type: String
Input
A JSON-formatted text string that is passed to the target. This value overrides the matched event.
Required: No. If you don't specify both this property and the InputPath property, CloudWatch
Events passes the entire matched event to the target.
Type: String
InputPath
When you don't want to pass the entire matched event, the JSONPath that describes which part of
the event to pass to the target.
Required: No. If you don't specify both this property and the Input property, CloudWatch Events
passes the entire matched event to the target.
API Version 2010-05-15
1723

AWS CloudFormation User Guide
CloudWatch Events Rule Target

Type: String
InputTransformer
Settings that provide custom input to a target based on certain event data. You can extract one or
more key-value pairs from the event, and then use that data to send customized input to the target.
Required: No
Type: CloudWatch Events Rule InputTransformer (p. 1719)
KinesisParameters
Settings that control shard assignment, when the target is a Kinesis stream. If you don't include this
parameter, eventId is used as the partition key.
Required: No
Type: CloudWatch Events Rule KinesisParameters (p. 1720)
RoleArn
The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to use
for this target when the rule is triggered. If one rule triggers multiple targets, you can use a diﬀerent
IAM role for each target.

Note

CloudWatch Events needs appropriate permissions to make API calls against the resources
you own. For Kinesis streams, CloudWatch Events relies on IAM roles. For Lambda, Amazon
SNS, and Amazon SQS resources, CloudWatch Events relies on resource-based policies. For
more information, see Using Resource-Based Policies for CloudWatch Events in the Amazon
CloudWatch User Guide.
Required: No
Type: String
RunCommandParameters
Parameters used when the rule invokes the AWS Systems Manager Run Command.
Required: No
Type: CloudWatch Events Rule RunCommandParameters (p. 1720)

Examples
The following examples deﬁne targets for an AWS::Events::Rule resource. For more examples, see
PutTargets in the Amazon CloudWatch Events API Reference.

Target with KinesisParameters
The following snippet creates a Kinesis stream target.

JSON
"MyEventsRule": {
"Type": "AWS::Events::Rule",
"Properties": {
"Description": "Events Rule with KinesisParameters",
"EventPattern": {

API Version 2010-05-15
1724

AWS CloudFormation User Guide
CloudWatch Events Rule Target
"source": [
"aws.ec2"
]

}

}

},
"RoleArn": {
"Fn::GetAtt": [
"EventsInvokeKinesisTargetRole",
"Arn"
]
},
"ScheduleExpression": "rate(5 minutes)",
"State": "ENABLED",
"Targets": [
{
"Arn": {
"Fn::GetAtt": [
"MyFirstStream",
"Arn"
]
},
"Id": "Id123",
"RoleArn": {
"Fn::GetAtt": [
"EventsInvokeKinesisTargetRole",
"Arn"
]
},
"KinesisParameters": {
"PartitionKeyPath": "$"
}
}
]

YAML
MyEventsRule:
Type: AWS::Events::Rule
Properties:
Description: Events Rule with KinesisParameters
EventPattern:
source:
- aws.ec2
RoleArn: !GetAtt
- EventsInvokeKinesisTargetRole
- Arn
ScheduleExpression: rate(5 minutes)
State: ENABLED
Targets:
- Arn: !GetAtt
- MyFirstStream
- Arn
Id: Id123
RoleArn: !GetAtt
- EventsInvokeKinesisTargetRole
- Arn
KinesisParameters:
PartitionKeyPath: $

Target with EcsParameters
The following snippet creates an Amazon ECS task target.
API Version 2010-05-15
1725

AWS CloudFormation User Guide
CloudWatch Events Rule Target

JSON
"MyEventsRule": {
"Type": "AWS::Events::Rule",
"Properties": {
"Description": "Events Rule with EcsParameters",
"EventPattern": {
"source": [
"aws.ec2"
],
"detail-type": [
"EC2 Instance State-change Notification"
],
"detail": {
"state": [
"stopping"
]
}
},
"ScheduleExpression": "rate(15 minutes)",
"State": "DISABLED",
"Targets": [
{
"Arn": {
"Fn::GetAtt": [
"MyCluster",
"Arn"
]
},
"RoleArn": {
"Fn::GetAtt": [
"ECSTaskRole",
"Arn"
]
},
"Id": "Id345",
"EcsParameters": {
"TaskCount": 1,
"TaskDefinitionArn": {
"Ref": "MyECSTask"
}
}
}
]
}
}

YAML
MyEventsRule:
Type: AWS::Events::Rule
Properties:
Description: Events Rule with EcsParameters
EventPattern:
source:
- aws.ec2
detail-type:
- EC2 Instance State-change Notification
detail:
state:
- stopping
ScheduleExpression: rate(15 minutes)
State: DISABLED
Targets:

API Version 2010-05-15
1726

AWS CloudFormation User Guide
CloudWatch Logs MetricFilter
MetricTransformation Property
- Arn: !GetAtt
- MyCluster
- Arn
RoleArn: !GetAtt
- ECSTaskRole
- Arn
Id: Id345
EcsParameters:
TaskCount: 1
TaskDefinitionArn: !Ref MyECSTask

CloudWatch Logs MetricFilter MetricTransformation
Property
MetricTransformation is a property of the AWS::Logs::MetricFilter (p. 1273) resource that describes
how to transform log streams into a CloudWatch metric.

Syntax
JSON
{

}

"DefaultValue": Double,
"MetricName": String,
"MetricNamespace": String,
"MetricValue": String

YAML
DefaultValue: Double
MetricName: String
MetricNamespace: String
MetricValue: String

Properties
Note

For more information about constraints and values for each property, see MetricTransformation
in the Amazon CloudWatch Logs API Reference.
DefaultValue
The value to emit when a ﬁlter pattern does not match a log event. This value can be null.
Required: No
Type: Double
MetricName
The name of the CloudWatch metric to which the log information will be published.
Required: Yes
Type: String
API Version 2010-05-15
1727

AWS CloudFormation User Guide
AWS CodeBuild Project Artifacts

MetricNamespace
The destination namespace of the CloudWatch metric. Namespaces are containers for metrics. For
example, you can add related metrics in the same namespace.
Required: Yes
Type: String
MetricValue
The value that is published to the CloudWatch metric. For example, if you're counting the
occurrences of a particular term like Error, specify 1 for the metric value. If you're counting the
number of bytes transferred, reference the value that is in the log event by using $ followed by the
name of the ﬁeld that you speciﬁed in the ﬁlter pattern, such as $size.
Required: Yes
Type: String

Examples
For samples of the MetricTransformation property, see AWS::Logs::MetricFilter (p. 1273) or Amazon
CloudWatch Logs Template Snippets (p. 307).

AWS CodeBuild Project Artifacts
Artifacts is a property of the AWS::CodeBuild::Project (p. 720) resource that speciﬁes output settings
for artifacts generated by an AWS CodeBuild build.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"EncryptionDisabled" : Boolean,
"Location" : String,
"Name" : String,
"NamespaceType" : String,
"OverrideArtifactName" : Boolean,
"Packaging" : String,
"Path" : String,
"Type" : String

YAML
EncryptionDisabled: Boolean
Name: String
Location: String
Name: String
NamespaceType: String
OverrideArtifactName: Boolean

API Version 2010-05-15
1728

AWS CloudFormation User Guide
AWS CodeBuild Project Artifacts
Packaging: String
Path: String
Type: String

Properties
EncryptionDisabled
If set to true, then the build output artifacts are not encrypted. This option is only valid if your
artifacts type is Amazon S3. If this is set with another artifacts type, an invalidInputException will be
thrown.
Required: No
Type: Boolean
Location
The location where AWS CodeBuild saves the build output artifacts. For valid values, see the
artifacts-location ﬁeld in the AWS CodeBuild User Guide.
Required: Conditional. If you specify CODEPIPELINE or NO_ARTIFACTS for the Type property, don't
specify this property. For all of the other types, you must specify this property.
Type: String
Name
The name of the build output folder where AWS CodeBuild saves the build output artifacts. For .zip
packages, the name of the build output .zip ﬁle that contains the build output artifacts.
Required: Conditional. If you specify CODEPIPELINE or NO_ARTIFACTS for the Type property, don't
specify this property. For all of the other types, you must specify this property.
Type: String
NamespaceType
The information AWS CodeBuild adds to the build output path, such as a build ID. For more
information, see the namespaceType ﬁeld in the AWS CodeBuild User Guide.
Required: No
Type: String
OverrideArtifactName
If set to true a name speciﬁed in the buildspec ﬁle overrides the artifact name. The name speciﬁed in
a buildspec ﬁle is calculated at build time and uses the Shell command language. For example, you
can append a date and time to your artifact name so that it is always unique.
Required: No
Type: Boolean
Packaging
Indicates how AWS CodeBuild packages the build output artifacts. For valid values, see the
packaging ﬁeld in the AWS CodeBuild User Guide.
Required: No
Type: String
API Version 2010-05-15
1729

AWS CloudFormation User Guide
AWS CodeBuild Project Environment

Path
The path to the build output folder where AWS CodeBuild saves the build output artifacts.
Required: No
Type: String
Type
The type of build output artifact. For valid values, see the artifacts-type ﬁeld in the AWS
CodeBuild User Guide.
Required: Yes
Type: String

AWS CodeBuild Project Environment
Environment is a property of the AWS::CodeBuild::Project (p. 720) resource that speciﬁes the
environment for an AWS CodeBuild project.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"ComputeType" : String,
"EnvironmentVariables" : [ EnvironmentVariable (p. 1731) ],
"Image" : String,
"PrivilegedMode" : Boolean,
"Type" : String

YAML
ComputeType: String
EnvironmentVariables:
- EnvironmentVariable (p. 1731)
Image: String
PrivilegedMode: Boolean
Type: String

Properties
ComputeType
The type of compute environment, such as BUILD_GENERAL1_SMALL. The compute type determines
the number of CPU cores and memory the build environment uses. For valid values, see the
computeType ﬁeld in the AWS CodeBuild User Guide.
Required: Yes
Type: String
API Version 2010-05-15
1730

AWS CloudFormation User Guide
AWS CodeBuild Project EnvironmentVariable

EnvironmentVariables
The environment variables that your builds can use. For more information, see the
environmentVariables ﬁeld in the AWS CodeBuild User Guide.
Required: No
Type: List of AWS CodeBuild Project EnvironmentVariable (p. 1731)
Image
The Docker image identiﬁer that the build environment uses. For more information, see the image
ﬁeld in the AWS CodeBuild User Guide.
Required: Yes
Type: String
PrivilegedMode
Indicates how the project builds Docker images. Specify true to enable running the Docker daemon
inside a Docker container.
This value must be set to true only if this build project will be used to build Docker images, and
the speciﬁed build environment image is not one provided by AWS CodeBuild with Docker support.
Otherwise, all associated builds that attempt to interact with the Docker daemon will fail. For more
information, see the privilegedMode ﬁeld in the AWS CodeBuild User Guide.
Required: No
Type: Boolean
Type
The type of build environment. For valid values, see the environment-type ﬁeld in the AWS
CodeBuild User Guide.
Required: Yes
Type: String

AWS CodeBuild Project EnvironmentVariable
The EnvironmentVariable property type speciﬁes the name and value of an environment variable for
an AWS CodeBuild project environment. When you use the environment to run a build, these variables
are available for your builds to use.
The EnvironmentVariables property of the AWS CodeBuild Project Environment (p. 1730) property
type contains a list of EnvironmentVariable property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Name" : String,

API Version 2010-05-15
1731

AWS CloudFormation User Guide
AWS CodeBuild Project ProjectCache

}

"Type" : String,
"Value" : String

YAML
Name: String
Type: String
Value: String

Properties
Name
The name of an environment variable.
Required: Yes
Type: String
Type
The type of environment variable. Valid values are:
• PARAMETER_STORE: An environment variable stored in Systems Manager Parameter Store.
• PLAINTEXT: An environment variable in plaintext format.
Required: No
Type: String
Value
The value of the environment variable.
Required: Yes
Type: String

AWS CodeBuild Project ProjectCache
The ProjectCache property type speciﬁes settings that AWS CodeBuild uses to store and reuse build
dependencies.
ProjectCache is the property type for the Cache property of the AWS::CodeBuild::Project (p. 720)
resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Location" : String,
"Type" : String

API Version 2010-05-15
1732

AWS CloudFormation User Guide
AWS CodeBuild Project Source
}

YAML
Location: String
Type: String

Properties
Location
The Amazon S3 bucket name and preﬁx—for example, mybucket/prefix. This value is ignored
when Type is set to NO_CACHE.
Required: No
Type: String
Update requires: No interruption (p. 118)
Type
The type of cache for the build project to use. Valid values are:
• NO_CACHE: The build project doesn't use any cache.
• S3: The build project reads from and writes to Amazon S3.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• ProjectCache in the AWS CodeBuild API Reference

AWS CodeBuild Project Source
Source is a property of the AWS::CodeBuild::Project (p. 720) resource that speciﬁes the source code
settings for an AWS CodeBuild project.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Auth" : SourceAuth (p. 1735),
"BuildSpec" : String,
"GitCloneDepth" : Integer,
"InsecureSsl" : Boolean,
"Location" : String,
"ReportBuildStatus" : Boolean,

API Version 2010-05-15
1733

AWS CloudFormation User Guide
AWS CodeBuild Project Source

}

"Type" : String

YAML
Auth:
SourceAuth (p. 1735)
BuildSpec: String
GitCloneDepth: Integer
InsecureSsl: Boolean
Location: String
ReportBuildStatus: Boolean
Type: String

Properties
Auth
Information about the authorization settings for AWS CodeBuild to access the source code to be
built.

Note

Your code shouldn't get or set this information directly unless the project's source type is
GITHUB.
Required: No
Type: AWS CodeBuild Project SourceAuth (p. 1735)
Update requires: No interruption (p. 118)
BuildSpec
The build speciﬁcation for the project. If this value is not provided, then the source code must
contain a build spec ﬁle named buildspec.yml at the root level. If this value is provided, it can
be either a single string containing the entire build speciﬁcation, or the path to an alternate build
spec ﬁle relative to the value of the built-in environment variable CODEBUILD_SRC_DIR. The
alternate build spec ﬁle can have a name other than buildspec.yml, for example myspec.yml
or build_spec_qa.yml or similar. For more information, see the Build Spec Reference in the
AWS CodeBuild User Guide.
Required: No
Type: String
GitCloneDepth
The depth of history to download. Minimum value is 0. If this value is 0, greater than 25, or not
provided, then the full history is downloaded with each build project. If your source type is Amazon
S3, this value is not supported.
Required: No
Type: Integer
InsecureSsl
This is used with GitHub Enterprise only. Set to true to ignore SSL warnings while connecting to
your GitHub Enterprise project repository. The default value is false. InsecureSsl should be used
for testing purposes only. It should not be used in a production environment.
API Version 2010-05-15
1734

AWS CloudFormation User Guide
AWS CodeBuild Project SourceAuth

Required: No
Type: Boolean
Location
The location of the source code in the speciﬁed repository type. For more information, see the
source-location ﬁeld in the AWS CodeBuild User Guide.
Required: Conditional. If you specify CODEPIPELINE for the Type property, don't specify this
property. For all of the other types, you must specify this property.
Type: String
ReportBuildStatus
This speciﬁes whether to send your source provider the status of a build's start and completion. If
you set this with a source provider other than GitHub, an invalidInputException is thrown.
Required: No
Type: Boolean
Type
The type of repository that contains your source code. For valid values, see the source-type ﬁeld
in the AWS CodeBuild User Guide.
Required: Yes
Type: String

AWS CodeBuild Project SourceAuth
The SourceAuth property type speciﬁes authorization settings for AWS CodeBuild to access the source
code to be built.
SourceAuth is a property of the AWS CodeBuild Project Source (p. 1733) property type.

Note

Your code shouldn't get or set this information directly unless the project's source type is
GITHUB.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Type" : String,
"Resource" : String

YAML
Type: String

API Version 2010-05-15
1735

AWS CloudFormation User Guide
AWS CodeBuild Project ProjectTriggers
Resource: String

Properties
Type
The authorization type to use. The only valid value is OAUTH, which represents the OAuth
authorization type.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Resource
The resource value that applies to the speciﬁed authorization type.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS CodeBuild Project ProjectTriggers
ProjectTriggers is a property of the AWS::CodeBuild::Project (p. 720) resource that speciﬁes the
environment for an AWS CodeBuild project.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Webhook" : Boolean

YAML
Webhook: Boolean

Properties
Webhook
Speciﬁes whether or not to begin automatically rebuilding the source code every time a code change
is pushed to the repository.
Required: No
Type: Boolean
API Version 2010-05-15
1736

AWS CloudFormation User Guide
AWS CodeBuild Project VpcConﬁg

AWS CodeBuild Project VpcConﬁg
The VpcConfig property type speciﬁes settings that enable AWS CodeBuild to access resources in an
Amazon VPC.
VpcConfig is a property of the AWS::CodeBuild::Project (p. 720) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"SecurityGroupIds" : [ String, ... ],
"Subnets" : [ String, ... ],
"VpcId" : String

YAML
SecurityGroupIds:
- String
Subnets:
- String
VpcId: String

Properties
SecurityGroupIds
The IDs of the security groups in the Amazon VPC. The maximum count is 5.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)
Subnets
The IDs of the subnets in the Amazon VPC. The maximum count is 16.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)
VpcId
The ID of the Amazon VPC.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1737

AWS CloudFormation User Guide
AWS CodeCommit Repository Trigger

See Also
• VpcConﬁg in the AWS CodeBuild API Reference

AWS CodeCommit Repository Trigger
Trigger is a property of the AWS::CodeCommit::Repository (p. 729) resource that deﬁnes the actions
to take in response to events that occur in the AWS CodeCommit repository.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Branches" : [ String, ... ],
"CustomData" : String,
"DestinationArn" : String,
"Events" : [ String, ... ],
"Name" : String

YAML
Branches:
- String
CustomData: String
DestinationArn: String
Events:
- String
Name: String

Properties
Branches
The names of the branches in the AWS CodeCommit repository that contain events that you want to
include in the trigger. If you don't specify at least one branch, the trigger applies to all branches.
Required: No
Type: List of String values
CustomData
When an event is triggered, additional information that AWS CodeCommit includes when it sends
information to the target.
Required: No
Type: String
DestinationArn
The Amazon Resource Name (ARN) of the resource that is the target for this trigger. For valid targets,
see Manage Triggers for an AWS CodeCommit Repository in the AWS CodeCommit User Guide.
API Version 2010-05-15
1738

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentConﬁg
MinimumHealthyHosts

Required: No
Type: String
Events
The repository events for which AWS CodeCommit sends information to the target, which you
speciﬁed in the DestinationArn property. If you don't specify events, the trigger runs for all
repository events. For valid values, see the RepositoryTrigger data type in the AWS CodeCommit API
Reference.
Required: No
Type: List of String values
Name
A name for the trigger.
Required: Yes
Type: String

AWS CodeDeploy DeploymentConﬁg
MinimumHealthyHosts
MinimumHealthyHosts is a property of the AWS::CodeDeploy::DeploymentConﬁg (p. 733) resource
that deﬁnes how many instances must remain healthy during an AWS CodeDeploy deployment.

Syntax
JSON
{
}

"Type" : String,
"Value" : Integer

YAML
Type: String
Value: Integer

Properties
Type
The type of count to use, such as an absolute value or a percentage of the total number of instances
in the deployment. For valid values, see MinimumHealthyHosts in the AWS CodeDeploy API
Reference.
Required: Yes
Type: String
Value
The minimum number of healthy instances.
API Version 2010-05-15
1739

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup Alarm

Required: Yes
Type: Integer

AWS CodeDeploy DeploymentGroup Alarm
The Alarm property type speciﬁes a CloudWatch alarm to use for an AWS CodeDeploy deployment
group. The Alarm property of the AWS CodeDeploy DeploymentGroup AlarmConﬁguration (p. 1740)
property contains a list of Alarm property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Name" : String

YAML
Name: String

Properties
Name
The name of the alarm. For more information, see Alarm in the AWS CodeDeploy API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS CodeDeploy DeploymentGroup
AlarmConﬁguration
The AlarmConfiguration property type conﬁgures CloudWatch alarms for an
AWS CodeDeploy deployment group. AlarmConfiguration is a property of the
AWS::CodeDeploy::DeploymentGroup (p. 735) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Alarms" : [ Alarm (p. 1740), ... ],
"Enabled" : Boolean,
"IgnorePollAlarmFailure" : Boolean

API Version 2010-05-15
1740

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup
AutoRollbackConﬁguration
}

YAML
Alarms:
- Alarm (p. 1740)
Enabled: Boolean
IgnorePollAlarmFailure: Boolean

Properties
For more information about each property, including constraints and valid values, see
AlarmConﬁguration in the AWS CodeDeploy API Reference.
Alarms
The list of alarms conﬁgured for the deployment group. Duplicates are not allowed.
Required: No
Type: List of AWS CodeDeploy DeploymentGroup Alarm (p. 1740)
Update requires: No interruption (p. 118)
Enabled
Indicates whether the alarm conﬁguration is enabled.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
IgnorePollAlarmFailure
Indicates whether a deployment should continue if information about the current state of alarms
cannot be retrieved from CloudWatch. The default value is false.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)

AWS CodeDeploy DeploymentGroup
AutoRollbackConﬁguration
The AutoRollbackConfiguration property type conﬁgures automatic rollback for an AWS
CodeDeploy deployment group when a deployment doesn't complete successfully. For more information,
see Automatic Rollbacks in the AWS CodeDeploy User Guide.
AutoRollbackConfiguration is a property of the AWS::CodeDeploy::DeploymentGroup (p. 735)
resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1741

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup Deployment

JSON
{
}

"Enabled" : Boolean,
"Events" : [ String, ... ]

YAML
Enabled: Boolean
Events:
- String

Properties
Enabled
Indicates whether a deﬁned automatic rollback conﬁguration is currently enabled.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Events
The event type or types that trigger a rollback. Valid values are DEPLOYMENT_FAILURE,
DEPLOYMENT_STOP_ON_ALARM, or DEPLOYMENT_STOP_ON_REQUEST.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

AWS CodeDeploy DeploymentGroup Deployment
Deployment is a property of the AWS::CodeDeploy::DeploymentGroup (p. 735) resource that speciﬁes
an AWS CodeDeploy application revision to be deployed to instances in the deployment group. If you
specify an application revision, your target revision will be deployed as soon as the provisioning process
is complete.

Syntax
JSON
{

}

"Description" : String,
"IgnoreApplicationStopFailures" : Boolean,
"Revision" : Revision

YAML
Description: String

API Version 2010-05-15
1742

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup DeploymentStyle
IgnoreApplicationStopFailures: Boolean
Revision:
Revision

Properties
Description
A description about this deployment.
Required: No
Type: String
IgnoreApplicationStopFailures
Whether to continue the deployment if the ApplicationStop deployment lifecycle event fails.
If you want AWS CodeDeploy to continue the deployment lifecycle even if the ApplicationStop
event fails on an instance, specify true. The deployment continues to the BeforeInstall
deployment lifecycle event. If you want AWS CodeDeploy to stop deployment on the instance if the
ApplicationStop event fails, specify false or do not specify a value.
Required: No
Type: Boolean
Revision
The location of the application revision to deploy.
Required: Yes
Type: AWS CodeDeploy DeploymentGroup Deployment Revision (p. 1748)

AWS CodeDeploy DeploymentGroup
DeploymentStyle
The DeploymentStyle property type speciﬁes the type of AWS CodeDeploy deployment that you want
to run and whether to route deployment traﬃc behind a load balancer.
DeploymentStyle is a property of the AWS::CodeDeploy::DeploymentGroup (p. 735) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"DeploymentOption" : String,
"DeploymentType" : String

YAML
DeploymentOption: String

API Version 2010-05-15
1743

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup DeploymentStyle
DeploymentType: String

Properties
DeploymentOption
Indicates whether to route deployment traﬃc behind a load balancer.
Required: No
Type: String
Valid values: WITH_TRAFFIC_CONTROL or WITHOUT_TRAFFIC_CONTROL
Update requires: No interruption (p. 118)
DeploymentType
Indicates whether to run an in-place or blue/green deployment.
AWS CloudFormation supports blue/green deployments on AWS Lambda compute platforms only.
For more information about deploying on a AWS Lambda compute platform, see Deployments on
an AWS Lambda Compute Platform in the AWS CodeDeploy User Guide.
Required: No
Type: String
Valid values: IN_PLACE or BLUE_GREEN
Update requires: No interruption (p. 118)

See Also
• DeploymentStyle in the AWS CodeDeploy API Reference

Example
The following example creates deployment group with a BLUE_GREEN deployment type.

JSON
"CodeDeployDeploymentGroup": {
"Type": "AWS::CodeDeploy::DeploymentGroup",
"Properties": {
"ApplicationName": {
"Ref": "CodeDeployApplication"
},
"DeploymentConfigName": "CodeDeployDefault.LambdaCanary10Percent5Minutes",
"DeploymentStyle": {
"DeploymentType": "BLUE_GREEN",
"DeploymentOption": "WITH_TRAFFIC_CONTROL"
},
"ServiceRoleArn": {
"Fn::GetAtt": [
"CodeDeployServiceRole",
"Arn"
]

API Version 2010-05-15
1744

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup ELBInfo

}

}

}

YAML
CodeDeployDeploymentGroup:
Type: 'AWS::CodeDeploy::DeploymentGroup'
Properties:
ApplicationName: !Ref CodeDeployApplication
DeploymentConfigName: CodeDeployDefault.LambdaCanary10Percent5Minutes
DeploymentStyle:
DeploymentType: BLUE_GREEN
DeploymentOption: WITH_TRAFFIC_CONTROL
ServiceRoleArn: !GetAtt CodeDeployServiceRole.Arn

See Also
• DeploymentStyle in the AWS CodeDeploy API Reference

AWS CodeDeploy DeploymentGroup ELBInfo
The ELBInfo property type speciﬁes information about the Elastic Load Balancing load balancer used
for an AWS CodeDeploy deployment group.
If you specify the ELBInfo property, the DeploymentStyle.DeploymentOption property must be
set to WITH_TRAFFIC_CONTROL for AWS CodeDeploy to route your traﬃc using the speciﬁed load
balancers.
ELBInfo is a property of the AWS CodeDeploy DeploymentGroup LoadBalancerInfo (p. 1746) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Name" : String

YAML
Name: String

Properties
Name
The name of the load balancer that instances are deregistered from so they are not serving traﬃc
during a deployment, and then re-registered with after the deployment completes. No duplicates
allowed.
API Version 2010-05-15
1745

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup LoadBalancerInfo

Note

AWS CloudFormation supports blue/green deployments on AWS Lambda compute
platforms only.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS CodeDeploy DeploymentGroup
LoadBalancerInfo
The LoadBalancerInfo property type speciﬁes information about the load balancer or target
group used for an AWS CodeDeploy deployment group. For more information, see Integrating AWS
CodeDeploy with Elastic Load Balancing in the AWS CodeDeploy User Guide.
For AWS CloudFormation to use the properties speciﬁed in LoadBalancerInfo, the
DeploymentStyle.DeploymentOption property must be set to WITH_TRAFFIC_CONTROL. If
DeploymentStyle.DeploymentOption is not set to WITH_TRAFFIC_CONTROL, AWS CloudFormation
ignores any settings speciﬁed in LoadBalancerInfo.

Note

AWS CloudFormation supports blue/green deployments on AWS Lambda compute platforms
only.
LoadBalancerInfo is a property of the AWS::CodeDeploy::DeploymentGroup (p. 735) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"ElbInfoList" : [ ELBInfo (p. 1745), ... ],
"TargetGroupInfoList" : [ TargetGroupInfo (p. 1747), ... ]

YAML
ElbInfoList:
- ELBInfo (p. 1745)
TargetGroupInfoList:
- TargetGroupInfo (p. 1747)

Properties
ElbInfoList
Information about the Elastic Load Balancing load balancer to use in the deployment.
Conditional: You must specify either ElbInfoList or TargetGroupInfoList, but not both.
Required: No
API Version 2010-05-15
1746

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup TargetGroupInfo

Type: List of AWS CodeDeploy DeploymentGroup ELBInfo (p. 1745)
Update requires: No interruption (p. 118)
TargetGroupInfoList
information about the target groups to use in the deployment. Instances are registered as targets in
a target group, and traﬃc is routed to the target group.
Conditional: You must specify either ElbInfoList or TargetGroupInfoList, but not both.
Required: No
Type: List of AWS CodeDeploy DeploymentGroup TargetGroupInfo (p. 1747)
Update requires: No interruption (p. 118)

AWS CodeDeploy DeploymentGroup TargetGroupInfo
The TargetGroupInfo property type speciﬁes information about a target group in Elastic Load
Balancing to use in a deployment. Instances are registered as targets in a target group, and traﬃc is
routed to the target group. For more information, see TargetGroupInfo in the AWS CodeDeploy API
Reference
If you specify the TargetGroupInfo property, the DeploymentStyle.DeploymentOption property
must be set to WITH_TRAFFIC_CONTROL for AWS CodeDeploy to route your traﬃc using the speciﬁed
target groups.
TargetGroupInfo is a property of the AWS CodeDeploy DeploymentGroup LoadBalancerInfo (p. 1746)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Name" : String

YAML
Name: String

Properties
Name
For blue/green deployments, the name of the target group that instances in the original
environment are deregistered from, and instances in the replacement environment registered with.
For in-place deployments, the name of the target group that instances are deregistered from, so
they are not serving traﬃc during a deployment, and then re-registered with after the deployment
completes. No duplicates allowed.
API Version 2010-05-15
1747

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup Deployment Revision

Note

AWS CloudFormation supports blue/green deployments on AWS Lambda compute
platforms only.
This value can't exceed 32 characters, so you should use the Name property of the target group, or
the TargetGroupName attribute with the Fn::GetAtt intrinsic function, as shown in the following
example. Don't use the group's Amazon Resource Name (ARN) or TargetGroupFullName attribute.
Required: No
Type: String
Update requires: No interruption (p. 118)

Example
The following snippet gets the name of the target group, which AWS CodeDeploy uses to register and
deregister instances from the target group during deployments.

JSON
"LoadBalancerInfo" : {
"TargetGroupInfoList" : [ { "Name": { "Fn::GetAtt": ["MyTargetGroup",
"TargetGroupName"] } } ]
}

YAML
LoadBalancerInfo:
TargetGroupInfoList:
- Name: !GetAtt MyTargetGroup.TargetGroupName

AWS CodeDeploy DeploymentGroup Deployment
Revision
Revision is a property of the AWS::CodeDeploy::DeploymentGroup (p. 735) property that deﬁnes the
location of the AWS CodeDeploy application revision to deploy.

Syntax
JSON
{

}

"GitHubLocation" : GitHubLocation,
"RevisionType" : String,
"S3Location" : S3Location

YAML
GitHubLocation:
GitHubLocation
RevisionType: String

API Version 2010-05-15
1748

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup
Deployment Revision GitHubLocation
S3Location:
S3Location

Properties
GitHubLocation
If your application revision is stored in GitHub, information about the location where it is stored.
Required: No
Type: AWS CodeDeploy DeploymentGroup Deployment Revision GitHubLocation (p. 1749)
RevisionType
The application revision's location, such as in an S3 bucket or GitHub repository. For valid values, see
RevisionLocation in the AWS CodeDeploy API Reference.
Required: No
Type: String
S3Location
If the application revision is stored in an S3 bucket, information about the location.
Required: No
Type: AWS CodeDeploy DeploymentGroup Deployment Revision S3Location (p. 1750)

AWS CodeDeploy DeploymentGroup Deployment
Revision GitHubLocation
GitHubLocation is a property of the AWS CodeDeploy DeploymentGroup Deployment
Revision (p. 1748) property that speciﬁes the location of an application revision that is stored in GitHub.

Syntax
JSON
{
}

"CommitId" : String,
"Repository" : String

YAML
CommitId: String
Repository: String

Properties
CommitId
The SHA1 commit ID of the GitHub commit to use as your application revision.
API Version 2010-05-15
1749

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup
Deployment Revision S3Location

Required: Yes
Type: String
Repository
The GitHub account and repository name that includes the application revision. Specify the value as
account/repository_name.
Required: Yes
Type: String

AWS CodeDeploy DeploymentGroup Deployment
Revision S3Location
S3Location is a property of the AWS CodeDeploy DeploymentGroup Deployment Revision (p. 1748)
property that speciﬁes the location of an application revision that is stored in Amazon Simple Storage
Service (Amazon S3).

Syntax
JSON
{

}

"Bucket" : String,
"BundleType" : String,
"ETag" : String,
"Key" : String,
"Version" : String

YAML
Bucket: String
BundleType: String
ETag: String
Key: String
Version: String

Properties
Bucket
The name of the S3 bucket where the application revision is stored.
Required: Yes
Type: String
BundleType
The ﬁle type of the application revision, such as tar, tgz, or zip. For valid values, see S3Location in
the AWS CodeDeploy API Reference.
Required: Yes
API Version 2010-05-15
1750

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup Ec2TagFilters

Type: String
ETag
The Amazon S3 ETag (a ﬁle checksum) of the application revision. If you don't specify a value, AWS
CodeDeploy skips the ETag validation of your application revision.
Required: No
Type: String
Key
The ﬁle name of the application revision (Amazon S3 object name).
Required: Yes
Type: String
Version
For versioning-enabled buckets, a speciﬁc version of the application revision.
Required: No
Type: String

AWS CodeDeploy DeploymentGroup Ec2TagFilters
Ec2TagFilters is a property of the AWS::CodeDeploy::DeploymentGroup (p. 735) resource that
speciﬁes which EC2 instances to associate with the deployment group.

Syntax
JSON
{

}

"Key" : String,
"Type" : String,
"Value" : String

YAML
Key: String
Type: String
Value: String

Properties
Key
Filter instances with this key.
Required: No
Type: String
API Version 2010-05-15
1751

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup
OnPremisesInstanceTagFilters

Type
The ﬁlter type. For example, you can ﬁlter instances by the key, tag value, or both. For valid values,
see EC2TagFilter in the AWS CodeDeploy API Reference.
Required: Yes
Type: String
Value
Filter instances with this tag value.
Required: No
Type: String

AWS CodeDeploy DeploymentGroup
OnPremisesInstanceTagFilters
OnPremisesInstanceTagFilters is a property of the AWS::CodeDeploy::DeploymentGroup (p. 735)
resource that speciﬁes which on-premises instances to associate with the deployment group. To register
on-premise instances with AWS CodeDeploy, see Conﬁgure Existing On-Premises Instances by Using AWS
CodeDeploy in the AWS CodeDeploy User Guide.

Syntax
JSON
{

}

"Key" : String,
"Type" : String,
"Value" : String

YAML
Key: String
Type: String
Value: String

Properties
Key
Filter on-premises instances with this key.
Required: No
Type: String
Type
The ﬁlter type. For example, you can ﬁlter on-premises instances by the key, tag value, or both. For
valid values, see EC2TagFilter in the AWS CodeDeploy API Reference.
Required: No
API Version 2010-05-15
1752

AWS CloudFormation User Guide
AWS CodeDeploy DeploymentGroup TriggerConﬁg

Type: String
Value
Filter on-premises instances with this tag value.
Required: No
Type: String

AWS CodeDeploy DeploymentGroup TriggerConﬁg
The TriggerConfig property type speciﬁes a notiﬁcation trigger for an AWS CodeDeploy deployment
group. The TriggerConfigurations property of the AWS::CodeDeploy::DeploymentGroup (p. 735)
resource contains a list of TriggerConfig property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"TriggerEvents" : [ String, ... ],
"TriggerName" : String,
"TriggerTargetArn" : String

YAML
TriggerEvents:
- String
TriggerName: String
TriggerTargetArn: String

Properties
For more information about each property, including constraints and valid values, see TriggerConﬁg in
the AWS CodeDeploy API Reference.
TriggerEvents
The event type or types that trigger notiﬁcations.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
TriggerName
The name of the notiﬁcation trigger.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1753

AWS CloudFormation User Guide
AWS CodePipeline CustomActionType ArtifactDetails

TriggerTargetArn
The Amazon Resource Name (ARN) of the Amazon Simple Notiﬁcation Service topic through which
notiﬁcations about deployment or instance events are sent.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS CodePipeline CustomActionType ArtifactDetails
ArtifactDetails is a property of the AWS::CodePipeline::CustomActionType (p. 751) resource
that speciﬁes the details of an artifact for an AWS CodePipeline custom action. For valid values, see
ArtifactDetails in the AWS CodePipeline API Reference.

Syntax
JSON
{
}

"MaximumCount" : Integer,
"MinimumCount" : Integer

Yaml
MaximumCount: Integer
MinimumCount: Integer

Properties
MaximumCount
The maximum number of artifacts allowed for the action type.
Required: Yes
Type: Integer
MinimumCount
The minimum number of artifacts allowed for the action type.
Required: Yes
Type: Integer

AWS CodePipeline CustomActionType
ConﬁgurationProperties
ConfigurationProperties is a property of the AWS::CodePipeline::CustomActionType (p. 751)
resource that deﬁnes a conﬁguration for an AWS CodePipeline custom action.
API Version 2010-05-15
1754

AWS CloudFormation User Guide
AWS CodePipeline CustomActionType
ConﬁgurationProperties

Syntax
JSON
{

}

"Description" : String,
"Key" : Boolean,
"Name" : String,
"Queryable" : Boolean,
"Required" : Boolean,
"Secret" : Boolean,
"Type" : String

YAML
Description: String
Key: Boolean
Name: String
Queryable: Boolean
Required: Boolean
Secret: Boolean
Type: String

Properties
Description
A description of this conﬁguration property that will be displayed to users.
Required: No
Type: String
Key
Indicates whether the conﬁguration property is a key.
Required: Yes
Type: Boolean
Name
A name for this conﬁguration property.
Required: Yes
Type: String
Queryable
Indicates whether the conﬁguration property will be used with the PollForJobs call. A custom
action can have one queryable property. The queryable property must be required (see the
Required property) and must not be secret (see the Secret property). For more information, see
the queryable contents for the ActionConﬁgurationProperty data type in the AWS CodePipeline API
Reference.
Required: No
Type: Boolean
API Version 2010-05-15
1755

AWS CloudFormation User Guide
AWS CodePipeline CustomActionType Settings

Required
Indicates whether the conﬁguration property is a required value.
Required: Yes
Type: Boolean
Secret
Indicates whether the conﬁguration property is secret. Secret conﬁguration properties are hidden
from all AWS CodePipeline calls except for GetJobDetails, GetThirdPartyJobDetails,
PollForJobs, and PollForThirdPartyJobs.
Required: Yes
Type: Boolean
Type
The type of the conﬁguration property, such as String, Number, or Boolean.
Required: No
Type: String

AWS CodePipeline CustomActionType Settings
Settings is a property of the AWS::CodePipeline::CustomActionType (p. 751) resource that provides
URLs that users can access to view information about the AWS CodePipeline custom action.

Syntax
JSON
{

}

"EntityUrlTemplate" : String,
"ExecutionUrlTemplate" : String,
"RevisionUrlTemplate" : String,
"ThirdPartyConfigurationUrl" : String

YAML
EntityUrlTemplate: String
ExecutionUrlTemplate: String
RevisionUrlTemplate: String
ThirdPartyConfigurationUrl: String

Properties
EntityUrlTemplate
The URL that is returned to the AWS CodePipeline console that links to the resources of the external
system, such as the conﬁguration page for an AWS CodeDeploy deployment group.
Required: No
API Version 2010-05-15
1756

AWS CloudFormation User Guide
AWS CodePipeline Pipeline ArtifactStore

Type: String
ExecutionUrlTemplate
The URL that is returned to the AWS CodePipeline console that links to the top-level landing page
for the external system, such as the console page for AWS CodeDeploy.
Required: No
Type: String
RevisionUrlTemplate
The URL that is returned to the AWS CodePipeline console that links to the page where customers
can update or change the conﬁguration of the external action.
Required: No
Type: String
ThirdPartyConfigurationUrl
The URL of a sign-up page where users can sign up for an external service and specify the initial
conﬁgurations for the service's action.
Required: No
Type: String

AWS CodePipeline Pipeline ArtifactStore
ArtifactStore is a property of the AWS::CodePipeline::Pipeline (p. 755) resource that deﬁnes the S3
location where AWS CodePipeline stores pipeline artifacts.

Syntax
JSON
{

}

"EncryptionKey" : EncryptionKey,
"Location" : String,
"Type" : String

YAML
EncryptionKey: EncryptionKey
Location: String
Type: String

Properties
EncryptionKey
The encryption key AWS CodePipeline uses to encrypt the data in the artifact store, such as an AWS
Key Management Service (AWS KMS) key. If you don't specify a key, AWS CodePipeline uses the
default key for Amazon Simple Storage Service (Amazon S3).
Required: No
API Version 2010-05-15
1757

AWS CloudFormation User Guide
AWS CodePipeline Pipeline ArtifactStore EncryptionKey

Type: AWS CodePipeline Pipeline ArtifactStore EncryptionKey (p. 1758)
Location
The location where AWS CodePipeline stores artifacts for a pipeline, such as an S3 bucket.
Required: Yes
Type: String
Type
The type of the artifact store, such as Amazon S3. For valid values, see ArtifactStore in the AWS
CodePipeline API Reference.
Required: Yes
Type: String

AWS CodePipeline Pipeline ArtifactStore
EncryptionKey
EncryptionKey is a property of the AWS CodePipeline Pipeline ArtifactStore (p. 1757) property that
speciﬁes which key AWS CodePipeline uses to encrypt data in the artifact store, such as an AWS Key
Management Service (AWS KMS) key.

Syntax
JSON
{
}

"Id" : String,
"Type" : String

YAML
Id: String
Type: String

Properties
Id
The ID of the key. For an AWS KMS key, specify the key ID or key Amazon Resource Number (ARN).
Required: Yes
Type: String
Type
The type of encryption key, such as KMS. For valid values, see EncryptionKey in the AWS CodePipeline
API Reference.
Required: Yes
Type: String
API Version 2010-05-15
1758

AWS CloudFormation User Guide
AWS CodePipeline Pipeline
DisableInboundStageTransitions

AWS CodePipeline Pipeline
DisableInboundStageTransitions
DisableInboundStageTransitions is a property of the AWS::CodePipeline::Pipeline (p. 755)
resource that speciﬁes which AWS CodePipeline stage to disable transitions to.

Syntax
JSON
{
}

"Reason" : String,
"StageName" : String

YAML
Reason: String
StageName: String

Properties
Reason
An explanation of why the transition between two stages of a pipeline was disabled.
Required: Yes
Type: String
StageName
The name of the stage to which transitions are disabled.
Required: Yes
Type: String

AWS CodePipeline Pipeline Stages
Stages is a property of the AWS::CodePipeline::Pipeline (p. 755) resource that speciﬁes a sequence of
tasks for AWS CodePipeline to complete on an artifact.

Syntax
JSON
{

}

"Actions" : [ Actions, ... ],
"Blockers" : [ Blockers, ... ],
"Name" : String

API Version 2010-05-15
1759

AWS CloudFormation User Guide
AWS CodePipeline Pipeline Stages Actions

YAML
Actions:
- Actions
Blockers:
- Blockers
Name: String

Properties
Actions
The actions to include in this stage.
Required: Yes
Type: List of AWS CodePipeline Pipeline Stages Actions (p. 1760)
Blockers
The gates included in a stage.
Required: No
Type: List of AWS CodePipeline Pipeline Stages Blockers (p. 1764)
Name
A name for this stage.
Required: Yes
Type: String

AWS CodePipeline Pipeline Stages Actions
Actions is a property of the AWS CodePipeline Pipeline Stages (p. 1759) property that speciﬁes an
action for an AWS CodePipeline stage.

Syntax
JSON
{

}

"ActionTypeId" : ActionTypeID,
"Configuration" : { Key : Value },
"InputArtifacts" : [ InputArtifacts, ... ],
"Name" : String,
"OutputArtifacts" : [ OutputArtifacts, ... ],
"RoleArn" : String,
"RunOrder" : Integer

YAML
ActionTypeId:
ActionTypeID
Configuration:

API Version 2010-05-15
1760

AWS CloudFormation User Guide
AWS CodePipeline Pipeline Stages Actions
Key : Value
InputArtifacts:
- InputArtifacts
Name: String
OutputArtifacts:
- OutputArtifacts
RoleArn: String
RunOrder: Integer

Properties
ActionTypeId
Speciﬁes the action type and the provider of the action.
Required: Yes
Type: AWS CodePipeline Pipeline Stages Actions ActionTypeId (p. 1762)
Configuration
The action's conﬁguration. These are key-value pairs that specify input values for an action. For more
information, see Action Structure Requirements in AWS CodePipeline in the AWS CodePipeline User
Guide.
Required: No
Type: JSON object
InputArtifacts
The name or ID of the artifact that the action consumes, such as a test or build artifact.
Required: No
Type: List of AWS CodePipeline Pipeline Stages Actions InputArtifacts (p. 1763)
Name
The action name.
Required: Yes
Type: String
OutputArtifacts
The artifact name or ID that is a result of the action, such as a test or build artifact.
Required: No
Type: List of AWS CodePipeline Pipeline Stages Actions OutputArtifacts (p. 1763)
RoleArn
The Amazon Resource Name (ARN) of a service role that the action uses. The pipeline's role assumes
this role.
Required: No
Type: String
RunOrder
The order in which AWS CodePipeline runs this action.
API Version 2010-05-15
1761

AWS CloudFormation User Guide
AWS CodePipeline Pipeline Stages Actions ActionTypeId

Required: No
Type: Integer

AWS CodePipeline Pipeline Stages Actions
ActionTypeId
ActionTypeId is a property of the AWS CodePipeline Pipeline Stages Actions (p. 1760) property that
speciﬁes the action type and provider for an AWS CodePipeline action.

Syntax
JSON
{

}

"Category" : String,
"Owner" : String,
"Provider" : String,
"Version" : String

YAML
Category: String
Owner: String
Provider: String
Version: String

Properties
Category
A category that deﬁnes which action type the owner (the entity that performs the action) performs.
The category that you select determine the providers that you can specify for the Provider
property. For valid values, see ActionTypeId in the AWS CodePipeline API Reference.
Required: Yes
Type: String
Owner
The entity that performs the action. For valid values, see ActionTypeId in the AWS CodePipeline API
Reference.
Required: Yes
Type: String
Provider
The service provider that the action calls. The providers that you can specify are determined by the
category that you select. For example, a valid provider for the Deploy category is AWS CodeDeploy,
which you would specify as CodeDeploy.
Required: Yes
API Version 2010-05-15
1762

AWS CloudFormation User Guide
AWS CodePipeline Pipeline Stages Actions InputArtifacts

Type: String
Version
A version identiﬁer for this action.
Required: Yes
Type: String

AWS CodePipeline Pipeline Stages Actions
InputArtifacts
InputArtifacts is a property of the AWS CodePipeline Pipeline Stages Actions (p. 1760) property that
speciﬁes an artifact that the AWS CodePipeline action works on, such as a test or build artifact.

Syntax
JSON
{
}

"Name" : String

YAML
Name: String

Properties
Name
The name of the artifact that the AWS CodePipeline action works on, such as My App.The input
artifact of an action must match the output artifact from any preceding action.
Required: Yes
Type: String

AWS CodePipeline Pipeline Stages Actions
OutputArtifacts
OutputArtifacts is a property of the AWS CodePipeline Pipeline Stages Actions (p. 1760) property
that speciﬁes an artifact that is the result of an AWS CodePipeline action, such as a test or build artifact.

Syntax
JSON
{

API Version 2010-05-15
1763

AWS CloudFormation User Guide
AWS CodePipeline Pipeline Stages Blockers

}

"Name" : String

YAML
Name: String

Properties
Name
The name of the artifact that is the result of an AWS CodePipeline action, such as My App. Output
artifact names must be unique within a pipeline.
Required: Yes
Type: String

AWS CodePipeline Pipeline Stages Blockers
Blockers is a property of the AWS CodePipeline Pipeline Stages (p. 1759) property that speciﬁes an
AWS CodePipeline gate declaration.

Syntax
JSON
{
}

"Name" : String,
"Type" : String

YAML
Name: String
Type: String

Properties
Name
The name of the gate declaration.
Required: Yes
Type: String
Type
The type of gate declaration. For valid values, see BlockerDeclaration in the AWS CodePipeline API
Reference.
Required: Yes
API Version 2010-05-15
1764

AWS CloudFormation User Guide
AWS CodePipeline Webhook WebhookAuthConﬁguration

Type: String

AWS CodePipeline Webhook
WebhookAuthConﬁguration
The WebhookAuthConfiguration property type conﬁgures the authentication applied to incoming
webhook trigger requests. For more information, see Webhook Deﬁnition in the AWS CodePipeline API
Reference.
WebhookAuthConfiguration is the property type of the AuthenticationConfiguration property
of the AWS::CodePipeline::Webhook (p. 760) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"AllowedIPRange" : String,
"SecretToken" : String

YAML
AllowedIPRange: String
SecretToken: String

Properties
AllowedIPRange
The property used to conﬁgure acceptance of webhooks within a speciﬁc IP range.
Required: No
Type: String
Update requires: No interruption (p. 118)
SecretToken
The property used to conﬁgure GitHub authentication.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS CodePipeline Webhook WebhookFilterRule
The WebhookFilterRule property type speciﬁes events that will trigger a webhook. For more
information, see Webhook Deﬁnition in the AWS CodePipeline API Reference.
API Version 2010-05-15
1765

AWS CloudFormation User Guide
Amazon Cognito IdentityPool CognitoStreams

The Filters property of the AWS::CodePipeline::Webhook (p. 760) resource contains a list of
WebhookFilterRule property types. The is the list of rules applied to the body/payload sent in the
POST request to a webhook URL.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"JsonPath" : String,
"MatchEquals" : String

YAML
JsonPath: String
MatchEquals: String

Properties
JsonPath
A JsonPath expression that will be applied to the body/payload of the webhook.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
MatchEquals
The value selected by the JsonPath expression must match what is supplied in the MatchEquals ﬁeld,
otherwise the request will be ignored.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon Cognito IdentityPool CognitoStreams
CognitoStreams is a property of the AWS::Cognito::IdentityPool (p. 763) resource that deﬁnes
conﬁguration options for Amazon Cognito streams.

Syntax
JSON
{

"RoleArn" : String,
"StreamingStatus" : String,

API Version 2010-05-15
1766

AWS CloudFormation User Guide
Amazon Cognito IdentityPool PushSync

}

"StreamName" : String

YAML
RoleArn: String
StreamingStatus: String
StreamName: String

Properties
RoleArn
The Amazon Resource Name (ARN) of the role Amazon Cognito can assume to publish to the
stream. This role must grant access to Amazon Cognito (cognito-sync) to invoke PutRecord on your
Amazon Cognito stream.
Type: String
Required: No
StreamingStatus
Status of the Cognito streams. Valid values are: ENABLED or DISABLED.
Type: String
Required: No
StreamName
The name of the Amazon Cognito stream to receive updates. This stream must be in the developer's
account and in the same region as the identity pool.
Type: String
Required: No

Amazon Cognito IdentityPool PushSync
PushSync is a property of the AWS::Cognito::IdentityPool (p. 763) resource that deﬁnes the
conﬁguration options to be applied to an Amazon Cognito identity pool.

Syntax
JSON
{
}

"ApplicationArns" : [ String, ... ],
"RoleArn" : String

YAML
ApplicationArns:
- String

API Version 2010-05-15
1767

AWS CloudFormation User Guide
Amazon Cognito IdentityPoolRoleAttachment RoleMapping
RoleArn: String

Properties
ApplicationArns
List of Amazon SNS platform application ARNs that could be used by clients.
Type: List of String values
Required: No
RoleArn
An IAM role conﬁgured to allow Amazon Cognito to call SNS on behalf of the developer.
Type: String
Required: No

Amazon Cognito IdentityPoolRoleAttachment
RoleMapping
RoleMapping is a property of the AWS::Cognito::IdentityPoolRoleAttachment (p. 766) resource that
deﬁnes the role mapping attributes of an Amazon Cognito identity pool.

Syntax
JSON
{

}

"AmbiguousRoleResolution" : String,
"RulesConfiguration" : RulesConfiguration,
"Type" : String

YAML
AmbiguousRoleResolution: String,
RulesConfiguration: RulesConfiguration,
Type: String

Properties
AmbiguousRoleResolution
Speciﬁes the action to be taken if either no rules match the claim value for the Rules type, or there
is no cognito:preferred_role claim and there are multiple cognito:roles matches for the
Token type. If you specify Token or Rules as the Type, AmbiguousRoleResolution is required.
Valid values are AuthenticatedRole or Deny.
Required: No
Type: String
API Version 2010-05-15
1768

AWS CloudFormation User Guide
Amazon Cognito IdentityPoolRoleAttachment MappingRule

Update requires: No interruption (p. 118)
RulesConfiguration
The rules to be used for mapping users to roles. If you specify Rules as the role mapping type,
RulesConﬁguration is required.
Required: No
Type: Amazon Cognito IdentityPoolRoleAttachment RoleMapping RulesConﬁguration (p. 1771)
Update requires: No interruption (p. 118)
Type
The role mapping type. Token will use cognito:roles and cognito:preferred_role claims
from the Amazon Cognito identity provider token to map groups to roles. Rules will attempt to
match claims from the token to map to a role.
Valid values are Token or Rules.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Cognito IdentityPoolRoleAttachment
MappingRule
MappingRule is a subproperty of the Amazon Cognito IdentityPoolRoleAttachment
RoleMapping (p. 1768) property that deﬁnes how to map a claim to a role arn.

Syntax
JSON
{

}

"Claim" : String,
"MatchType" : String,
"RoleARN" : String,
"Value" : String

YAML
Claim: String,
MatchType: String,
RoleARN: String,
Value: String

Properties
Claim
The claim name that must be present in the token, for example, "isAdmin" or "paid."
API Version 2010-05-15
1769

AWS CloudFormation User Guide
Amazon Cognito IdentityPool CognitoIdentityProvider

Required: Yes
Type: String
Update requires: No interruption (p. 118)
MatchType
The match condition that speciﬁes how closely the claim value in the IdP token must match Value.
Valid values are: Equals, Contains, StartsWith, and NotEqual.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RoleARN
The Amazon Resource Name (ARN) of the role.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Value
A brief string that the claim must match, for example, "paid" or "yes."
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Cognito IdentityPool
CognitoIdentityProvider
CognitoIdentityProvider is a property of the AWS::Cognito::IdentityPool (p. 763) resource that
represents an Amazon Cognito user pool and its client ID.

Syntax
JSON
{

}

"ClientId" : String,
"ProviderName" : String,
"ServerSideTokenCheck" : Boolean

YAML
ClientId: String

API Version 2010-05-15
1770

AWS CloudFormation User Guide
Amazon Cognito IdentityPoolRoleAttachment
RoleMapping RulesConﬁguration
ProviderName: String
ServerSideTokenCheck: Boolean

Properties
ClientId
The client ID for the Amazon Cognito user pool.
Type: String
Required: No
ProviderName
The provider name for an Amazon Cognito user pool. For example, cognito-idp.useast-2.amazonaws.com/us-east-2_123456789.
Type: String
Required: No
ServerSideTokenCheck
TRUE if server-side token validation is enabled for the identity provider’s token.
Once you set ServerSideTokenCheck to TRUE for an identity pool, that identity pool will check
with the integrated user pools to make sure that the user has not been globally signed out or
deleted before the identity pool provides an OIDC token or AWS credentials for the user.
If the user is signed out or deleted, the identity pool will return a 400 Not Authorized error.
Type: Boolean
Required: No

Amazon Cognito IdentityPoolRoleAttachment
RoleMapping RulesConﬁguration
RulesConfiguration is a subproperty of the AWS::Cognito::IdentityPoolRoleAttachment (p. 766)
property that deﬁnes the rules to be used for mapping users to roles.

Syntax
JSON
{
}

"Rules" : [ MappingRule (p. 1769), .. ]

YAML
Rules:
- MappingRule (p. 1769)

API Version 2010-05-15
1771

AWS CloudFormation User Guide
Amazon Cognito UserPool AdminCreateUserConﬁg

Properties
Rules
A list of rules. You can specify up to 25 rules per identity provider.
Required: Yes
Type: List of the section called “Amazon Cognito IdentityPoolRoleAttachment
MappingRule” (p. 1769)

Amazon Cognito UserPool AdminCreateUserConﬁg
AdminCreateUserConfig is a property of the AWS::Cognito::UserPool (p. 768) resource. The
AdminCreateUserConfig property conﬁgures the AdminCreateUser requests for an Amazon
Cognito User Pool.

Syntax
JSON
{

}

"AllowAdminCreateUserOnly" : Boolean,
"InviteMessageTemplate" : MessageTemplateType,
"UnusedAccountValidityDays" : Number

YAML
AllowAdminCreateUserOnly: Boolean
InviteMessageTemplate: MessageTemplateType
UnusedAccountValidityDays: Number

Properties
AllowAdminCreateUserOnly
Set to True if only the administrator is allowed to create user proﬁles. Set to False if users can sign
themselves up via an app.
Type: Boolean
Required: No
InviteMessageTemplate
The message template to be used for the welcome message to new users.
Type: Amazon Cognito UserPool InviteMessageTemplate (p. 1782)
Required: No
UnusedAccountValidityDays
The user account expiration limit, in days, after which the account is no longer usable. To reset the
account after that time limit, you must call AdminCreateUser again, specifying RESEND for the
MessageAction parameter. The default value for this parameter is 7.
API Version 2010-05-15
1772

AWS CloudFormation User Guide
Amazon Cognito UserPool DeviceConﬁguration

Type: Number
Required: No

Amazon Cognito UserPool DeviceConﬁguration
DeviceConfiguration is a property of the AWS::Cognito::UserPool (p. 768) resource that deﬁnes the
device conﬁguration of an Amazon Cognito User Pool.

Syntax
JSON
{
}

"ChallengeRequiredOnNewDevice" : Boolean,
"DeviceOnlyRememberedOnUserPrompt" : Boolean

YAML
ChallengeRequiredOnNewDevice: Boolean
DeviceOnlyRememberedOnUserPrompt: Boolean

Properties
ChallengeRequiredOnNewDevice
Indicates whether a challenge is required on a new device. Only applicable to a new device.
Type: Boolean
Required: No
DeviceOnlyRememberedOnUserPrompt
If true, a device is only remembered on user prompt.
Type: Boolean
Required: No

Amazon Cognito UserPool EmailConﬁguration
EmailConfiguration is a property of the AWS::Cognito::UserPool (p. 768) resource that deﬁnes the
email conﬁguration of an Amazon Cognito User Pool.

Syntax
JSON
{

"ReplyToEmailAddress" : String,

API Version 2010-05-15
1773

AWS CloudFormation User Guide
Amazon Cognito UserPool InviteMessageTemplate

}

"SourceArn" : String

YAML
ReplyToEmailAddress: String
SourceArn: String

Properties
ReplyToEmailAddress
The REPLY-TO email address.
Type: String
Required: No
SourceArn
The Amazon Resource Name (ARN) of the email source.
Type: String
Required: No

Amazon Cognito UserPool InviteMessageTemplate
InviteMessageTemplate is a property of the AWS::Cognito::UserPool (p. 768) resource that deﬁnes
the email invitation message template of an Amazon Cognito User Pool.

Syntax
JSON
{

}

"EmailMessage" : String,
"EmailSubject" : String,
"SMSMessage" : String

YAML
EmailMessage: String
EmailSubject: String
SMSMessage: String

Properties
EmailMessage
The message template for email messages.
Type: String
API Version 2010-05-15
1774

AWS CloudFormation User Guide
Amazon Cognito UserPool LambdaConﬁg

Required: No
EmailSubject
The subject line for email messages.
Type: String
Required: No
SMSMessage
The message template for SMS messages.
Type: String
Required: No

Amazon Cognito UserPool LambdaConﬁg
LambdaConfig is a property of the AWS::Cognito::UserPool (p. 768) resource that deﬁnes the AWS
Lambda conﬁguration of an Amazon Cognito User Pool.

Syntax
JSON
{

}

"CreateAuthChallenge" : String,
"CustomMessage" : String,
"DefineAuthChallenge" : String,
"PostAuthentication" : String,
"PostConfirmation" : String,
"PreAuthentication" : String,
"PreSignUp" : String,
"VerifyAuthChallengeResponse" : String

YAML
CreateAuthChallenge: String
CustomMessage: String
DefineAuthChallenge: String
PostAuthentication: String
PostConfirmation: String
PreAuthentication: String
PreSignUp: String
VerifyAuthChallengeResponse: String

Properties
CreateAuthChallenge
Creates an authentication challenge.
Type: String
Required: No
API Version 2010-05-15
1775

AWS CloudFormation User Guide
Amazon Cognito UserPool NumberAttributeConstraints

CustomMessage
A custom Message AWS Lambda trigger.
Type: String
Required: No
DefineAuthChallenge
Deﬁnes the authentication challenge.
Type: String
Required: No
PostAuthentication
A post-authentication AWS Lambda trigger.
Type: String
Required: No
PostConfirmation
A post-conﬁrmation AWS Lambda trigger.
Type: String
Required: No
PreAuthentication
A pre-authentication AWS Lambda trigger.
Type: String
Required: No
PreSignUp
A pre-registration AWS Lambda trigger.
Type: String
Required: No
VerifyAuthChallengeResponse
Veriﬁes the authentication challenge response.
Type: String
Required: No

Amazon Cognito UserPool
NumberAttributeConstraints
The NumberAttributeConstraints property type deﬁnes the number attribute constraints of an
Amazon Cognito User Pool. NumberAttributeConstraints is a subproperty of the Amazon Cognito
UserPool SchemaAttribute (p. 1779) property type.
API Version 2010-05-15
1776

AWS CloudFormation User Guide
Amazon Cognito UserPool PasswordPolicy

Syntax
JSON
{
}

"MaxValue" : String,
"MinValue" : String

YAML
MaxValue: String
MinValue: String

Properties
MaxValue
The maximum value of an attribute that is of the number data type.
Type: String
Required: No
MinValue
The minimum value of an attribute that is of the number data type.
Type: String
Required: No

Amazon Cognito UserPool PasswordPolicy
PasswordPolicy is a subproperty of the Amazon Cognito UserPool Policies (p. 1778) property that
deﬁnes the password policy of an Amazon Cognito User Pool.

Syntax
JSON
{

}

"MinimumLength" : Integer,
"RequireLowercase" : Boolean,
"RequireNumbers" : Boolean,
"RequireSymbols" : Boolean,
"RequireUppercase" : Boolean

YAML
MinimumLength: Integer
RequireLowercase: Boolean
RequireNumbers: Boolean
RequireSymbols: Boolean

API Version 2010-05-15
1777

AWS CloudFormation User Guide
Amazon Cognito UserPool Policies
RequireUppercase: Boolean

Properties
MinimumLength
The minimum length of the password policy that you have set. Cannot be less than 6.
Type: Integer
Required: No
RequireLowercase
In the password policy that you have set, refers to whether you have required users to use at least
one lowercase letter in their password.
Type: Boolean
Required: No
RequireNumbers
In the password policy that you have set, refers to whether you have required users to use at least
one number in their password.
Type: Boolean
Required: No
RequireSymbols
In the password policy that you have set, refers to whether you have required users to use at least
one symbol in their password.
Type: Boolean
Required: No
RequireUppercase
In the password policy that you have set, refers to whether you have required users to use at least
one uppercase letter in their password.
Type: Boolean
Required: No

Amazon Cognito UserPool Policies
Policies is a property of the AWS::Cognito::UserPool (p. 768) resource that deﬁnes the password
policies of an Amazon Cognito User Pool.

Syntax
JSON
{

"PasswordPolicy" : PasswordPolicy

API Version 2010-05-15
1778

AWS CloudFormation User Guide
Amazon Cognito UserPool SchemaAttribute
}

YAML
PasswordPolicy: PasswordPolicy

Properties
PasswordPolicy
Speciﬁes information about the user pool password policy.
Type: Amazon Cognito UserPool PasswordPolicy (p. 1777)
Required: No

Amazon Cognito UserPool SchemaAttribute
SchemaAttribute is a property of the AWS::Cognito::UserPool (p. 768) resource that deﬁnes the
schema attributes of an Amazon Cognito User Pool.

Syntax
JSON
{

}

"AttributeDataType" : String,
"DeveloperOnlyAttribute" : Boolean,
"Mutable" : Boolean,
"Name" : String,
"NumberAttributeConstraints" : NumberAttributeConstraintsType,
"StringAttributeConstraints" : StringAttributeConstraintsType,
"Required" : Boolean

YAML
AttributeDataType: String
DeveloperOnlyAttribute: Boolean
Mutable: Boolean
Name: String
NumberAttributeConstraints:
NumberAttributeConstraints
StringAttributeConstraints:
StringAttributeConstraints
Required: Boolean

Properties
AttributeDataType
The attribute data type. Can be one of the following: String, Number, DateTime, or Boolean.
Type: String
API Version 2010-05-15
1779

AWS CloudFormation User Guide
Amazon Cognito UserPool SmsConﬁguration

Required: No
DeveloperOnlyAttribute
Speciﬁes whether the attribute type is developer only.
Type: Boolean
Required: No
Mutable
Speciﬁes whether the attribute can be changed after it has been created. True means mutable and
False means immutable.
Type: Boolean
Required: No
Name
A schema attribute of the name type.
Type: String
Required: No
NumberAttributeConstraints
Speciﬁes the constraints for an attribute of the number type.
Type: Amazon Cognito UserPool NumberAttributeConstraints (p. 1776)
Required: No
StringAttributeConstraints
Speciﬁes the constraints for an attribute of the string type.
Type: Amazon Cognito UserPool StringAttributeConstraints (p. 1781)
Required: No
Required
Speciﬁes whether a user pool attribute is required. If the attribute is required and the user does not
provide a value, registration or sign-in fails.
Type: Boolean
Required: No

Amazon Cognito UserPool SmsConﬁguration
SmsConfiguration is a property of the AWS::Cognito::UserPool (p. 768) resource that deﬁnes the
SMS conﬁguration of an Amazon Cognito User Pool.

Syntax
JSON
{

API Version 2010-05-15
1780

AWS CloudFormation User Guide
Amazon Cognito UserPool StringAttributeConstraints

}

"ExternalId" : String,
"SnsCallerArn" : String

YAML
ExternalId: String
SnsCallerArn: String

Properties
ExternalId
The external ID used in IAM role trust relationships.
For more information about using external IDs, see How to Use an External ID When Granting Access
to Your AWS Resources to a Third Party in the AWS Identity and Access Management User Guide.
Type: String
Required: No
SnsCallerArn
The Amazon Resource Name (ARN) of the Amazon Simple Notiﬁcation Service (SNS) caller.
Type: String
Required: Yes

Amazon Cognito UserPool StringAttributeConstraints
The StringAttributeConstraints property type deﬁnes the string attribute constraints of an
Amazon Cognito User Pool. StringAttributeConstraints is a subproperty of the Amazon Cognito
UserPool SchemaAttribute (p. 1779) property type.

Syntax
JSON
{
}

"MaxLength" : String,
"MinLength" : String

YAML
MaxLength: String
MinLength: String

Properties
MaxLength
The maximum value of an attribute that is of the string data type.
API Version 2010-05-15
1781

AWS CloudFormation User Guide
Amazon Cognito UserPoolUser AttributeType

Type: String
Required: No
MinLength
The minimum value of an attribute that is of the string data type.
Type: String
Required: No

Amazon Cognito UserPoolUser AttributeType
AttributeType is a property of the AWS::Cognito::UserPoolUser (p. 776) resource that deﬁnes namevalue pairs for a user in an Amazon Cognito User Pool.

Syntax
JSON
{
}

"Name" : String,
"Value" : String

YAML
Name: String
Value: String

Properties
Name
The name of the attribute.
Type: String
Required: Yes
Value
The value of the attribute.
Type: String
Required: No

Amazon Cognito UserPool InviteMessageTemplate
InviteMessageTemplate is a subproperty of the Amazon Cognito UserPool
AdminCreateUserConﬁg (p. 1772) property that deﬁnes the email and SMS invitation message structure
of an Amazon Cognito User Pool.
API Version 2010-05-15
1782

AWS CloudFormation User Guide
AWS Conﬁg ConﬁgRule Scope

Syntax
JSON
{

}

"EmailMessage" : String,
"EmailSubject" : String,
"SMSMessage" : String

YAML
EmailMessage: String
EmailSubject: String
SMSMessage: String

Properties
EmailMessage
The message template for email messages.
Type: String
Required: No
EmailSubject
The subject line for email messages.
Type: String
Required: No
SMSMessage
The message template for SMS messages.
Type: String
Required: No

AWS Conﬁg ConﬁgRule Scope
Scope is a property of the AWS::Conﬁg::ConﬁgRule (p. 788) resource that speciﬁes which AWS
resources will trigger AWS Conﬁg to run an evaluation when their conﬁgurations change. The scope can
include one or more resource types, a tag key and value, or one resource type and one resource ID. You
cannot specify a tag-key value and a resource ID or type.

Syntax
JSON
{

"ComplianceResourceId" : String,
"ComplianceResourceTypes" : [ String, ... ],
"TagKey" : String,
"TagValue" : String

API Version 2010-05-15
1783

AWS CloudFormation User Guide
AWS Conﬁg ConﬁgRule Source
}

YAML
ComplianceResourceId: String
ComplianceResourceTypes:
- String
TagKey: String
TagValue: String

Properties
ComplianceResourceId
The ID of an AWS resource that you want AWS Conﬁg to evaluate against a rule. If you specify an ID,
you must also specify a resource type for the ComplianceResourceTypes property.
Required: No
Type: String
ComplianceResourceTypes
The types of AWS resources that you want AWS Conﬁg to evaluate against the rule. If you specify
the ComplianceResourceId property, specify only one resource type. For more information, see
Supported Resources, Conﬁguration Items, and Relationships.
Required: Conditional. If you specify a value for the ComplianceResourceId property, you must
also specify this property.
Type: List of String values
TagKey
The tag key that is applied to the AWS resources that you want AWS Conﬁg to evaluate against the
rule.
Required: Conditional. If you specify a tag value, you must specify this property.
Type: String
TagValue
The tag value that is applied to the AWS resources that you want AWS Conﬁg to evaluate against the
rule.
Required: Conditional. If you specify a tag key, you must specify this property.
Type: String

AWS Conﬁg ConﬁgRule Source
Source is a property of the AWS::Conﬁg::ConﬁgRule (p. 788) resource that speciﬁes the rule owner, the
rule identiﬁer, and the events that trigger an AWS Conﬁg evaluation of your AWS resources.

Syntax
JSON
{

API Version 2010-05-15
1784

AWS CloudFormation User Guide
AWS Conﬁg ConﬁgRule SourceDetails

}

"Owner" : String,
"SourceDetails" : [ SourceDetail, ... ],
"SourceIdentifier" : String

YAML
Owner: String
SourceDetails:
- SourceDetail
SourceIdentifier: String

Properties
Owner
Indicates who owns and manages the AWS Conﬁg rule. For valid values, see the Source data type in
the AWS Conﬁg API Reference.
Required: Yes
Type: String
SourceDetails
Provides the source and type of event that triggers AWS Conﬁg to evaluate your AWS resources.
Required: No
Type: List of AWS Conﬁg ConﬁgRule SourceDetails (p. 1785)
SourceIdentifier
For AWS managed rules, the identiﬁer of the rule. For a list of identiﬁers, see AWS Managed Rules in
the AWS Conﬁg Developer Guide.
For customer managed rules, the Amazon Resource Name (ARN) of the rule's Lambda function.
Required: Yes
Type: String

AWS Conﬁg ConﬁgRule SourceDetails
SourceDetails is a property of the AWS Conﬁg ConﬁgRule Source (p. 1784) property that speciﬁes
the source and type of event that triggers AWS Conﬁg to evaluate your AWS resources.

Syntax
JSON
{

}

"EventSource" : String,
"MaximumExecutionFrequency" : String,
"MessageType" : String

API Version 2010-05-15
1785

AWS CloudFormation User Guide
AWS Conﬁg ConﬁgurationAggregator
AccountAggregationSource

YAML
EventSource: String
MaximumExecutionFrequency: String
MessageType: String

Properties
EventSource
The source, such as an AWS service, that generate events, triggering AWS Conﬁg to evaluate your
AWS resources.
Valid Values: aws.config
Required: Yes
Type: String
MaximumExecutionFrequency
The frequency that you want AWS Conﬁg to run evaluations for a custom rule with a periodic trigger.
By default, rules with a periodic trigger are evaluated every 24 hours. If you specify a value for
MaximumExecutionFrequency, then MessageType must use the ScheduledNotification
value.
Valid values: One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours.
Required: No
Type: String
MessageType
The type of Amazon Simple Notiﬁcation Service (Amazon SNS) message that triggers AWS Conﬁg
to run an evaluation. For more information, see the SourceDetail data type in the AWS Conﬁg API
Reference.
Valid Values: ConfigurationItemChangeNotification,
ConfigurationSnapshotDeliveryCompleted, ScheduledNotification,
OversizedConfigurationItemChangeNotification
Required: Yes
Type: String

AWS Conﬁg ConﬁgurationAggregator
AccountAggregationSource
The AccountAggregationSource property type speciﬁes the accounts and regions of AWS Conﬁg
data to aggregate into an AWS Conﬁg conﬁguration aggregator.
The AccountAggregationSources property of the AWS::Conﬁg::ConﬁgurationAggregator (p. 794)
resource contains a list of AccountAggregationSource property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1786

AWS CloudFormation User Guide
AWS Conﬁg ConﬁgurationAggregator
OrganizationAggregationSource

JSON
{

}

"AllAwsRegions" : Boolean,
"AwsRegions" : [ String, ... ],
"AccountIds" : [ String, ... ]

YAML
AllAwsRegions: Boolean
AwsRegions:
- String
AccountIds:
- String

Properties
AllAwsRegions
If true, aggregate existing AWS Conﬁg regions and future regions.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
AwsRegions
The source regions being aggregated.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
AccountIds
The 12 digit account ID of the account being aggregated.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)

AWS Conﬁg ConﬁgurationAggregator
OrganizationAggregationSource
The OrganizationAggregationSource property type speciﬁes the regions of AWS Conﬁg data
to aggregate into an AWS Conﬁg conﬁguration aggregator and the IAM role to use to retrieve AWS
Organizations details.
The OrganizationAggregationSources property of the
AWS::Conﬁg::ConﬁgurationAggregator (p. 794) resource contains a list of
OrganizationAggregationSource property types.
API Version 2010-05-15
1787

AWS CloudFormation User Guide
AWS Conﬁg ConﬁgurationRecorder RecordingGroup

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"AllAwsRegions" : Boolean,
"AwsRegions" : [ String, ... ],
"RoleArn" : String

YAML
AllAwsRegions: Boolean
AwsRegions:
- String
RoleArn:
String

Properties
AllAwsRegions
If true aggreagate existing AWS Conﬁg regions and future regions.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
AwsRegions
The source regions being aggregated.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
RoleArn
The Amazon Resource Name (ARN) of the IAM role used to retreive AWS Organizations details
associated with the aggregator account.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

AWS Conﬁg ConﬁgurationRecorder RecordingGroup
RecordingGroup is property of the AWS::Conﬁg::ConﬁgurationRecorder (p. 797) resource that deﬁnes
which AWS resource types to include in a recording group.
API Version 2010-05-15
1788

AWS CloudFormation User Guide
AWS Conﬁg DeliveryChannel
ConﬁgSnapshotDeliveryProperties

Syntax
JSON
{

}

"AllSupported" : Boolean,
"IncludeGlobalResourceTypes" : Boolean,
"ResourceTypes" : [ String, ... ]

YAML
AllSupported: Boolean
IncludeGlobalResourceTypes: Boolean
ResourceTypes:
- String

Properties
AllSupported
Indicates whether to record all supported resource types. If you specify this property, do not specify
the ResourceTypes property.
Required: No
Type: Boolean
IncludeGlobalResourceTypes
Indicates whether AWS Conﬁg records all supported global resource types. When AWS Conﬁg
supports new global resource types, AWS Conﬁg will automatically start recording them if you
enable this property.

Note

If you set this property to true, you must set the AllSupported property to true.
Required: No
Type: Boolean
ResourceTypes
A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance
or AWS::CloudTrail::Trail. If you specify this property, do not specify the AllSupported
property. For a list of supported resource types, see Supported resource types in the AWS Conﬁg
Developer Guide.
Required: No
Type: List of String values

AWS Conﬁg DeliveryChannel
ConﬁgSnapshotDeliveryProperties
ConfigSnapshotDeliveryProperties is a property of the AWS::Conﬁg::DeliveryChannel (p. 799)
resource that speciﬁes how AWS Conﬁg delivers conﬁguration snapshots to the S3 bucket in your
delivery channel.
API Version 2010-05-15
1789

AWS CloudFormation User Guide
AWS Data Pipeline Pipeline ParameterObjects

Syntax
JSON
{
}

"DeliveryFrequency" : String

YAML
DeliveryFrequency: String

Properties
DeliveryFrequency
The frequency with which AWS Conﬁg delivers conﬁguration snapshots. For valid values, see
ConﬁgSnapshotDeliveryProperties in the AWS Conﬁg API Reference.
Required: No
Type: String

AWS Data Pipeline Pipeline ParameterObjects
ParameterObjects is a property of the AWS::DataPipeline::Pipeline (p. 801) resource that describes
parameters that are used in a pipeline deﬁnition.

Syntax
JSON
{
}

"Attributes" : [ Attribute, ... ],
"Id" : String

YAML
Attributes:
- Attribute
Id: String

Properties
Attributes
Key-value pairs that deﬁne the attributes of the parameter object.
Required: Yes
Type: AWS Data Pipeline Parameter Objects Attributes (p. 1791)
API Version 2010-05-15
1790

AWS CloudFormation User Guide
AWS Data Pipeline Parameter Objects Attributes

Id
The identiﬁer of the parameter object.
Required: Yes
Type: String

AWS Data Pipeline Parameter Objects Attributes
Attribute is a property of the AWS Data Pipeline Pipeline ParameterObjects (p. 1790) property that
deﬁnes the attributes of a parameter object as key-value pairs.

Syntax
JSON
{
}

"Key" : String,
"StringValue" : String

YAML
Key: String
StringValue: String

Properties
Key
Speciﬁes the name of a parameter attribute. To view parameter attributes, see Creating a Pipeline
Using Parameterized Templates in the AWS Data Pipeline Developer Guide.
Required: Yes
Type: String
StringValue
A parameter attribute value.
Required: Conditional if the key that you are using requires it.
Type: String

AWS Data Pipeline Pipeline ParameterValues
ParameterValues is a property of the AWS::DataPipeline::Pipeline (p. 801) resource that sets values
for parameters that are used in a pipeline deﬁnition.

Syntax
JSON
{

API Version 2010-05-15
1791

AWS CloudFormation User Guide
AWS Data Pipeline PipelineObject

}

"Id" : String,
"StringValue" : String

YAML
Id: String
StringValue: String

Properties
Id
The ID of a parameter object.
Required: Yes
Type: String
StringValue
A value to associate with the parameter object.
Required: Yes
Type: String

AWS Data Pipeline PipelineObject
PipelineObjects is a property of the AWS::DataPipeline::Pipeline (p. 801) resource that describes a
data pipeline object.

Syntax
JSON
{

}

"Fields" : [ Field type ],
"Id" : String,
"Name" : String

YAML
Fields:
- Field type
Id: String
Name: String

Properties
Fields
Key-value pairs that deﬁne the properties of the object. Duplicates allowed. You can use the same
key multiple times within a ﬁeld to deﬁne array attributes.
API Version 2010-05-15
1792

AWS CloudFormation User Guide
AWS Data Pipeline PipelineObject

Required: Yes
Type: List of AWS Data Pipeline Pipeline Field (p. 1794)
Id
Identiﬁer of the object.
Required: Yes
Type: String
Name
Name of the object.
Required: Yes
Type: String

Examples
The following snippet shows how to use the same key for ﬁelds in the PipelineObjects property for
an AWS::DataPipeline::Pipeline resource.

JSON
"PipelineObjects": [
{
"Id": "ResourceId_I1mCc",
"Name": "ReleaseLabelCluster",
"Fields": [
{
"Key": "releaseLabel",
"StringValue": "emr-4.1.0"
},
{
"Key": "applications",
"StringValue": "spark"
},
{
"Key": "applications",
"StringValue": "hive"
},
{
"Key": "applications",
"StringValue": "pig"
},
{
"Key": "type",
"StringValue": "EmrCluster"
},
{
"Key": "configuration",
"RefValue": "coresite"
}
]
},
{
"Id": "coresite",
"Name": "coresite",
"Fields": [

API Version 2010-05-15
1793

AWS CloudFormation User Guide
AWS Data Pipeline Pipeline Field
{

"Key": "type",
"StringValue": "EmrConfiguration"

},
{

"Key": "classification",
"StringValue": "core-site"

},
{

"Key": "property",
"RefValue": "io-file-buffer-size"

},
{

]

]

}

"Key": "property",
"RefValue": "fs-s3-block-size"

},
...

YAML
PipelineObjects:
- Id: ResourceId_I1mCc
Name: ReleaseLabelCluster
Fields:
- Key: releaseLabel
StringValue: emr-4.1.0
- Key: applications
StringValue: spark
- Key: applications
StringValue: hive
- Key: applications
StringValue: pig
- Key: type
StringValue: EmrCluster
- Key: configuration
RefValue: coresite
- Id: coresite
Name: coresite
Fields:
- Key: type
StringValue: EmrConfiguration
- Key: classification
StringValue: core-site
- Key: property
RefValue: io-file-buffer-size
- Key: property
RefValue: fs-s3-block-size
...

AWS Data Pipeline Pipeline Field
Key-value pairs that describe the properties of a data pipeline object (p. 1792).

Syntax
JSON
{

API Version 2010-05-15
1794

AWS CloudFormation User Guide
AWS Data Pipeline Pipeline PipelineTags

}

"Key" : String,
"RefValue" : String,
"StringValue" : String

YAML
Key: String
RefValue: String
StringValue: String

Properties
Key
Speciﬁes the name of a ﬁeld for a particular object. To view ﬁelds for a data pipeline object, see
Pipeline Object Reference in the AWS Data Pipeline Developer Guide.
Required: Yes
Type: String
RefValue
A ﬁeld value that you specify as an identiﬁer of another object in the same pipeline deﬁnition.

Note

You can specify the ﬁeld value as either a string value (StringValue) or a reference to
another object (RefValue), but not both.
Required: Conditional if the key that you are using requires it.
Type: String
StringValue
A ﬁeld value that you specify as a string. To view valid values for a particular ﬁeld, see Pipeline
Object Reference in the AWS Data Pipeline Developer Guide.

Note

You can specify the ﬁeld value as either a string value (StringValue) or a reference to
another object (RefValue), but not both.
Required: Conditional if the key that you are using requires it.
Type: String

AWS Data Pipeline Pipeline PipelineTags
PipelineTags is a property of the AWS::DataPipeline::Pipeline (p. 801) resource that deﬁnes arbitrary
key-value pairs for a pipeline.

Syntax
JSON
{

"Key" : String,
"Value" : String

API Version 2010-05-15
1795

AWS CloudFormation User Guide
AWS DMS Endpoint DynamoDBSettings
}

YAML
Key: String
Value: String

Properties
Key
The key name of a tag.
Required: Yes
Type: String
Value
The value to associate with the key name.
Required: Yes
Type: String

AWS DMS Endpoint DynamoDBSettings
Use the DynamoDBSettings property to specify settings for an DynamoDB endpoint for an
AWS::DMS::Endpoint (p. 830) resource.

Syntax
JSON
{
}

"ServiceAccessRoleArn" : String

YAML
ServiceAccessRoleArn: String

Properties
For more information about option settings, see Using an Amazon DynamoDB Database as a Target for
AWS Database Migration Service in the AWS Database Migration Service User Guide
ServiceAccessRoleArn
The Amazon Resource Name (ARN) used by the service access IAM role.
Required: Yes
Type: String
API Version 2010-05-15
1796

AWS CloudFormation User Guide
AWS DMS Endpoint MongoDbSettings

AWS DMS Endpoint MongoDbSettings
Use the MongoDbSettings property to specify settings for a MongoDB endpoint for a
AWS::DMS::Endpoint (p. 830) resource.

Syntax
JSON
{

}

"AuthMechanism" : String,
"AuthSource" : String,
"DatabaseName" : String,
"DocsToInvestigate" : String,
"ExtractDocId" : String,
"KmsKeyId" : String,
"NestingLevel" : String,
"Password" : String,
"Port" : Integer,
"ServerName" : String,
"Username" : String

YAML
AuthMechanism: String
AuthSource: String
DatabaseName: String
DocsToInvestigate: String
ExtractDocId: String
KmsKeyId: String
NestingLevel: String
Password: String
Port: String
ServerName: String
Username: String

Properties
For more information about option settings, see Using a MongoDB Database as a Source for AWS
Database Migration Service in the AWS Database Migration Service User Guide
AuthMechanism
The authentication mechanism you use to access the MongoDB source endpoint.
Valid values: DEFAULT, MONGODB_CR, SCRAM_SHA_1
For MongoDB version 2.x, use MONGODB_CR. For MongoDB version 3.x, use SCRAM_SHA_1. This
attribute is not used when authType=No.
Required: No
Type: String
AuthSource
The authentication type you use to access the MongoDB source endpoint.
API Version 2010-05-15
1797

AWS CloudFormation User Guide
AWS DMS Endpoint MongoDbSettings

Valid values: NO, PASSWORD
When NO is selected, user name and password parameters are not used and can be empty.
Required: No
Type: String
DatabaseName
The database name on the MongoDB source endpoint.
Required: No
Type: String
DocsToInvestigate
Indicates the number of documents to preview to determine the document organization. Use this
attribute when NestingLevel is set to ONE.
Must be a positive value greater than 0. Default value is 1000.
Required: No
Type: String
ExtractDocId
Speciﬁes the document ID. Use this attribute when NestingLevel is set to NONE. Default value is
false.
Required: No
Type: String
KmsKeyId
The ID of the KMS key to be used.
Required: No
Type: String
NestingLevel
Speciﬁes either document or table mode.
Valid values: NONE, ONE
Default value is NONE. Specify NONE to use document mode. Specify ONE to use table mode.
Required: No
Type: String
Password
The password for the user account you use to access the MongoDB source endpoint.
Required: No
Type: String
Port
The port value for the MongoDB source endpoint.
Required: No
API Version 2010-05-15
1798

AWS CloudFormation User Guide
AWS DMS Endpoint S3Settings

Type: Integer
ServerName
The name of the server on the MongoDB source endpoint.
Required: No
Type: String
Username
The user name you use to access the MongoDB source endpoint.
Required: No
Type: String

AWS DMS Endpoint S3Settings
Use the S3Settings property to specify settings for an Amazon S3 endpoint for a
AWS::DMS::Endpoint (p. 830) resource.

Syntax
JSON
{

}

"BucketFolder" : String,
"BucketName" : String,
"CompressionType" : String,
"CsvDelimiter" : String,
"CsvRowDelimiter" : String,
"ExternalTableDefinition" : String,
"ServiceAccessRoleArn" : String

YAML
BucketFolder: String
BucketName: String
CompressionType: String
CsvDelimiter: String
CsvRowDelimiter: String
ExternalTableDefinition: String
ServiceAccessRoleArn: String

Properties
For more information about option settings, see Using Amazon S3 as a Target for AWS Database
Migration Service in the AWS Database Migration Service User Guide
BucketFolder
An optional parameter to set a folder name in the S3 bucket. If provided, tables are created in the
path ///. If this parameter is not speciﬁed, then the
path used is //.
Required: No
API Version 2010-05-15
1799

AWS CloudFormation User Guide
AWS Directory Service MicrosoftAD VpcSettings

Type: String
BucketName
The name of the Amazon S3 bucket.
Required: No
Type: String
CompressionType
An optional parameter to use GZIP to compress the target ﬁles. Set to GZIP to compress the target
ﬁles. Set to NONE (the default) or do not use to leave the ﬁles uncompressed.
Valid Values: NONE | GZIP
Required: No
Type: String
CsvDelimiter
The delimiter used to separate columns in the source ﬁles. The default is a comma.
Required: No
Type: String
CsvRowDelimiter
The delimiter used to separate rows in the source ﬁles. The default is a carriage return (\n).
Required: No
Type: String
ExternalTableDefinition
The deﬁnition of the external table.
Required: No
Type: String
ServiceAccessRoleArn
The Amazon Resource Name (ARN) used by the service access IAM role.
Required: No
Type: String

AWS Directory Service MicrosoftAD VpcSettings
VpcSettings is a property of the AWS::DirectoryService::MicrosoftAD (p. 821) resource that speciﬁes
the VPC settings for a Microsoft directory server.

Syntax
JSON
{

"SubnetIds" : [ String, ... ],

API Version 2010-05-15
1800

AWS CloudFormation User Guide
AWS Directory Service SimpleAD VpcSettings

}

"VpcId" : String

YAML
SubnetIds:
- String
VpcId: String

Properties
SubnetIds
A list of two subnet IDs for the directory servers. Each subnet must be in diﬀerent Availability Zones
(AZs). AWS Directory Service creates a directory server and a DNS server in each subnet.
Required: Yes
Type: List of String values
VpcId
The VPC ID in which to create the Microsoft Active Directory server.
Required: Yes
Type: String

AWS Directory Service SimpleAD VpcSettings
VpcSettings is a property of the AWS::DirectoryService::SimpleAD (p. 825) resource that speciﬁes the
VPC settings for a directory server.

Syntax
JSON
{
}

"SubnetIds" : [ String, ... ],
"VpcId" : String

YAML
SubnetIds:
- String
VpcId: String

Properties
SubnetIds
A list of two subnet IDs for the directory servers. Each subnet must be in diﬀerent Availability Zones
(AZ). AWS Directory Service creates a directory server and a DNS server in each subnet.
Required: Yes
API Version 2010-05-15
1801

AWS CloudFormation User Guide
DAX Cluster SSESpeciﬁcation

Type: List of String values
VpcId
The VPC ID in which to create the Simple AD directory.
Required: Yes
Type: String

DynamoDB Accelerator Cluster SSESpeciﬁcation
The SSESpecification property type speciﬁes whether server-side encryption is enabled or not.
If you do not specify the SSESpecification property type, DAX will create an unencrypted cluster, the
same as if you had speciﬁed the SSESpecification property type with its SSEEnabled property set
to false.
SSESpecification is a property of the AWS::DAX::Cluster (p. 810) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"SSEEnabled" : Boolean

YAML
SSEEnabled: Boolean

Properties
SSEEnabled
Whether server-side encryption is enabled or not.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)

See Also
• SSESpeciﬁcation in the Amazon DynamoDB API Reference

Amazon DynamoDB Table AttributeDeﬁnition
The AttributeDefinition property type represents an attribute for describing the key schema for a
DynamoDB table and indexes.
API Version 2010-05-15
1802

AWS CloudFormation User Guide
DynamoDB Table GlobalSecondaryIndex

Note

AWS CloudFormation uses these attributes to provision the keys for the table. They don't
represent the full schema of the table.
The AttributeDefinition property of the AWS::DynamoDB::Table (p. 848) resource contains a list
of AttributeDefinition property types.

Syntax
JSON
{
}

"AttributeName" : String,
"AttributeType" : String

YAML
AttributeName: String
AttributeType: String

Properties
AttributeName
The name of an attribute. Attribute names can be 1 – 255 characters long and have no character
restrictions.
Required: Yes
Type: String
AttributeType
The data type for the attribute. You can specify S for string data, N for numeric data, or B for binary
data.
Required: Yes
Type: String

Amazon DynamoDB Table GlobalSecondaryIndex
Describes global secondary indexes for the AWS::DynamoDB::Table (p. 848) resource.

Syntax
JSON
{

}

"IndexName" : String,
"KeySchema" : [ KeySchema, ... ],
"Projection" : { Projection },
"ProvisionedThroughput" : { ProvisionedThroughput }

API Version 2010-05-15
1803

AWS CloudFormation User Guide
DynamoDB Table KeySchema

YAML
IndexName: String
KeySchema:
- KeySchema
Projection:
Projection
ProvisionedThroughput:
ProvisionedThroughput

Properties
IndexName
The name of the global secondary index. The index name can be 3 – 255 characters long and must
satisfy the regular expression pattern [a-zA-Z0-9_.-]+.
Required: Yes
Type: String
KeySchema
The complete index key schema for the global secondary index, which consists of one or more pairs
of attribute names and key types.
Required: Yes
Type: List of DynamoDB Table KeySchema (p. 1804)
Projection
Attributes that are copied (projected) from the source table into the index. These attributes are in
addition to the primary key attributes and index key attributes, which are automatically projected.
Required: Yes
Type: DynamoDB Table Projection (p. 1807)
ProvisionedThroughput
The provisioned throughput settings for the index.
Required: Yes
Type: DynamoDB Table ProvisionedThroughput (p. 1808)

Amazon DynamoDB Table KeySchema
Describes a primary key for the AWS::DynamoDB::Table (p. 848) resource or a key schema for an index.
Each element is composed of an AttributeName and KeyType.
For the primary key of an Amazon DynamoDB table that consists of only a hash attribute, specify one
element with a KeyType of HASH. For the primary key of an Amazon DynamoDB table that consists of a
hash and range attributes, specify two elements: one with a KeyType of HASH and one with a KeyType
of RANGE.
For a complete discussion of DynamoDB primary keys, see Primary Key in the Amazon DynamoDB
Developer Guide.
API Version 2010-05-15
1804

AWS CloudFormation User Guide
DynamoDB Table LocalSecondaryIndex

Syntax
JSON
{
}

"AttributeName" : String,
"KeyType" : "HASH or RANGE"

YAML
AttributeName: String
KeyType: HASH or RANGE

Properties
AttributeName
The attribute name that is used as the primary key for this table. Primary key element names can be
1 – 255 characters long and have no character restrictions.
Required: Yes
Type: String
KeyType
Represents the attribute data, consisting of the data type and the attribute value itself. You can
specify HASH or RANGE.
Required: Yes
Type: String

Examples
For an example of a declared key schema, see AWS::DynamoDB::Table (p. 848).

Amazon DynamoDB Table LocalSecondaryIndex
Describes local secondary indexes for the AWS::DynamoDB::Table (p. 848) resource. Each index is
scoped to a given hash key value. Tables with one or more local secondary indexes are subject to an item
collection size limit, where the amount of data within a given item collection cannot exceed 10 GB.

Syntax
JSON
{

}

"IndexName" : String,
"KeySchema" : [ KeySchema, ...],
"Projection" : { Projection }

API Version 2010-05-15
1805

AWS CloudFormation User Guide
DynamoDB Table PointInTimeRecoverySpeciﬁcation

YAML
IndexName: String
KeySchema:
KeySchema
Projection:
Projection

Properties
IndexName
The name of the local secondary index. The index name can be 3 – 255 characters long and have no
character restrictions.
Required: Yes
Type: String
KeySchema
The complete index key schema for the local secondary index, which consists of one or more pairs of
attribute names and key types. For local secondary indexes, the hash key must be the same as that
of the source table.
Required: Yes
Type: List of DynamoDB Table KeySchema (p. 1804)
Projection
Attributes that are copied (projected) from the source table into the index. These attributes are
additions to the primary key attributes and index key attributes, which are automatically projected.
Required: Yes
Type: DynamoDB Table Projection (p. 1807)

Examples
For an example of a declared local secondary index, see AWS::DynamoDB::Table (p. 848).

DynamoDB Table PointInTimeRecoverySpeciﬁcation
The PointInTimeRecoverySpecification property type enables point in time recovery in a
DynamoDB table.
PointInTimeRecoverySpecification is a property of the AWS::DynamoDB::Table (p. 848)
resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"PointInTimeRecoveryEnabled" : Boolean

API Version 2010-05-15
1806

AWS CloudFormation User Guide
DynamoDB Table Projection
}

YAML
PointInTimeRecoveryEnabled: Boolean

Properties
PointInTimeRecoveryEnabled
Indicates whether point in time recovery is enabled (true) or disabled (false) on the table.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)

See Also
• PointInTimeRecoverySpeciﬁcation in the Amazon DynamoDB API Reference

Amazon DynamoDB Table Projection
Attributes that are copied (projected) from the source table into the index. These attributes are additions
to the primary key attributes and index key attributes, which are automatically projected.
Projection is a property of the DynamoDB Table GlobalSecondaryIndex (p. 1803) and DynamoDB Table
LocalSecondaryIndex (p. 1805) property types.

Syntax
JSON
{
}

"NonKeyAttributes" : [ String, ... ],
"ProjectionType" : String

YAML
NonKeyAttributes:
- String
ProjectionType: String

Properties
For more information about each property, including constraints, see Projection in the Amazon
DynamoDB API Reference.
NonKeyAttributes
The non-key attribute names that are projected into the index.
API Version 2010-05-15
1807

AWS CloudFormation User Guide
DynamoDB Table ProvisionedThroughput

For local secondary indexes, the total count of NonKeyAttributes summed across all of the
local secondary indexes must not exceed 20. If you project the same attribute into two diﬀerent
indexes, this counts as two distinct attributes in determining the total. This limit does not apply for
secondary indexes with a ProjectionType of KEYS_ONLY or ALL.
Required: No
Type: List of String values
ProjectionType
The set of attributes that are projected into the index:
KEYS_ONLY
Only the index and primary keys are projected into the index.
INCLUDE
Only the speciﬁed table attributes are projected into the index. The list of projected attributes
are in NonKeyAttributes.
ALL
All of the table attributes are projected into the index.
Required: Yes
Type: String

Amazon DynamoDB Table ProvisionedThroughput
Describes a set of provisioned throughput values for an AWS::DynamoDB::Table (p. 848) resource.
DynamoDB uses these capacity units to allocate suﬃcient resources to provide the requested
throughput.
For a complete discussion of DynamoDB provisioned throughput values, see Specifying Read and Write
Requirements in the DynamoDB Developer Guide.

Syntax
JSON
{
}

"ReadCapacityUnits (p. 1808)" : Number,
"WriteCapacityUnits (p. 1809)" : Number

YAML
ReadCapacityUnits (p. 1808): Number
WriteCapacityUnits (p. 1809): Number

Parameters
ReadCapacityUnits
Sets the desired minimum number of consistent reads of items (up to 1KB in size) per second for the
speciﬁed table before Amazon DynamoDB balances the load.
API Version 2010-05-15
1808

AWS CloudFormation User Guide
DynamoDB SSESpeciﬁcation

Required: Yes
Type: Number
WriteCapacityUnits
Sets the desired minimum number of consistent writes of items (up to 1KB in size) per second for the
speciﬁed table before Amazon DynamoDB balances the load.
Required: Yes
Type: Number

Note

For detailed information about the limits of provisioned throughput values in DynamoDB, see
Limits in Amazon DynamoDB in the DynamoDB Developer Guide.

DynamoDB SSESpeciﬁcation
The SSESpecification property is part of the AWS::DynamoDB::Table (p. 848) resource that speciﬁes
the settings to enable server-side encryption.
If you do not specify the SSESpecification property type, Amazon DynamoDB will create
an unencrypted table, the same as if you had speciﬁed the SSESpecification property type
with its SSEEnabled property set to false. As a best practice, for consistency only specify the
SSESpecification property type (with its SSEEnabled property set to true) if you want DynamoDB
to create an encrypted table.

Syntax
JSON
{
}

"SSEEnabled" : Boolean

YAML
SSEEnabled: Boolean

Properties
SSEEnabled
Whether server-side encryption is enabled or not.
Required: Yes
Type: Boolean
Update requires: Replacement (p. 119)

Amazon DynamoDB Table StreamSpeciﬁcation
StreamSpecification is a property of the AWS::DynamoDB::Table (p. 848) resource that deﬁnes the
settings of a DynamoDB table's stream.
API Version 2010-05-15
1809

AWS CloudFormation User Guide
DynamoDB Table TimeToLiveSpeciﬁcation

Syntax
JSON
{
}

"StreamViewType" : String

YAML
StreamViewType: String

Parameters
StreamViewType
Determines the information that the stream captures when an item in the table is modiﬁed. For valid
values, see StreamSpeciﬁcation in the Amazon DynamoDB API Reference.
Required: Yes
Type: String

Amazon DynamoDB Table TimeToLiveSpeciﬁcation
The TimeToLiveSpecification property speciﬁes the Time to Live (TTL) settings for an
AWS::DynamoDB::Table (p. 848) resource. It is expressed as an attribute on the items in the table. For
more information, see UpdateTimeToLive in the Amazon DynamoDB API Reference.

Syntax
JSON
{
}

"AttributeName" : String,
"Enabled" : Boolean

YAML
AttributeName: String
Enabled: Boolean

Properties
AttributeName
The name of the TTL attribute that stores the expiration time for items in the table. The name can
be 1–255 characters long, and has no character restrictions.
Required: Yes
API Version 2010-05-15
1810

AWS CloudFormation User Guide
Amazon EC2 Block Device Mapping Property

Type: String
Update requires: No interruption (p. 118)
Enabled
Indicates whether to enable (by specifying true) or disable (by specifying false) TTL on the table.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)

Amazon EC2 Block Device Mapping Property
The Amazon EC2 block device mapping property is an embedded property of the
AWS::EC2::Instance (p. 879) resource. For block device mappings for an Auto Scaling launch
conﬁguration, see Amazon EC2 Auto Scaling Block Device Mapping (p. 1633).

Syntax
JSON
{

}

"DeviceName (p. 1811)" : String,
"Ebs (p. 1811)" : EC2 EBS Block Device,
"NoDevice (p. 1811)" : Boolean,
"VirtualName (p. 1812)" : String

YAML
DeviceName (p. 1811): String
Ebs (p. 1811): EC2 EBS Block Device
NoDevice (p. 1811): Boolean
VirtualName (p. 1812): String

Properties
DeviceName
The name of the device within Amazon EC2. For more information, see Device Naming on Linux
Instances in the Amazon EC2 User Guide for Linux Instances.
Required: Yes
Type: String
Ebs
Required: Conditional You can specify either VirtualName or Ebs, but not both.
Type: Amazon Elastic Block Store Block Device Property (p. 1813).
NoDevice
This property can be used to unmap a deﬁned device.
API Version 2010-05-15
1811

AWS CloudFormation User Guide
Amazon EC2 Block Device Mapping Property

Required: No
Type: Boolean
VirtualName
The name of the virtual device. The name must be in the form ephemeralX where X is a number
starting from zero (0); for example, ephemeral0.
Required: Conditional You can specify either VirtualName or Ebs, but not both.
Type: String

Examples
Block Device Mapping with two EBS Volumes
This example sets the EBS-backed root device (/dev/sda1) size to 50 GiB, and another EBS-backed device
mapped to /dev/sdm that is 100 GiB in size.

"BlockDeviceMappings" : [
{
"DeviceName" : "/dev/sda1",
"Ebs" : { "VolumeSize" : "50" }
},
{
"DeviceName" : "/dev/sdm",
"Ebs" : { "VolumeSize" : "100" }
}
]

Block Device Mapping with an Ephemeral Drive
This example maps an ephemeral drive to device /dev/sdc.

"BlockDeviceMappings" : [
{
"DeviceName" : "/dev/sdc",
"VirtualName" : "ephemeral0"
}
]

Unmapping an AMI-deﬁned Device
To unmap a device deﬁned in the AMI, set the NoDevice property to an empty map, as shown here:

{
}

"DeviceName":"/dev/sde",
"NoDevice": {}

See Also
• Amazon EC2 Instance Store in the Amazon Elastic Compute Cloud User Guide
API Version 2010-05-15
1812

AWS CloudFormation User Guide
Amazon Elastic Block Store Block Device Property

Amazon Elastic Block Store Block Device Property
The Amazon Elastic Block Store block device type is an embedded property of the Amazon EC2 Block
Device Mapping Property (p. 1811) property.

Syntax
JSON
{

}

"DeleteOnTermination (p. 1813)" : Boolean,
"Encrypted" : Boolean,
"Iops (p. 1813)" : Number,
"SnapshotId (p. 1814)" : String,
"VolumeSize (p. 1814)" : String,
"VolumeType (p. 1814)" : String

YAML
DeleteOnTermination (p. 1813): Boolean
Encrypted: Boolean
Iops (p. 1813): Number
SnapshotId (p. 1814): String
VolumeSize (p. 1814): String
VolumeType (p. 1814): String

Properties
DeleteOnTermination
Determines whether to delete the volume on instance termination. The default value is true.
Required: No
Type: Boolean
Encrypted
Indicates whether the volume is encrypted. Encrypted Amazon EBS volumes can only be attached
to instance types that support Amazon EBS encryption. Volumes that are created from encrypted
snapshots are automatically encrypted. You cannot create an encrypted volume from an
unencrypted snapshot or vice versa. If your AMI uses encrypted volumes, you can only launch the
AMI on supported instance types. For more information, see Amazon EBS encryption in the Amazon
EC2 User Guide for Linux Instances.
Required: No
Type: Boolean
Iops
The number of I/O operations per second (IOPS) that the volume supports. This can be an integer
from 100 – 20000.
Required: Conditional Required when the volume type (p. 1814) is io1; not used with other volume
types.
Type: Number
API Version 2010-05-15
1813

AWS CloudFormation User Guide
Amazon EC2 Instance CreditSpeciﬁcation

SnapshotId
The snapshot ID of the volume to use to create a block device.
Required: Conditional If you specify both SnapshotId and VolumeSize, VolumeSize must be
equal or greater than the size of the snapshot.
Type: String
VolumeSize
The volume size, in gibibytes (GiB). For valid values, see the Size parameter for the CreateVolume
action in the Amazon EC2 API Reference.
Required: Conditional If you specify both SnapshotId and VolumeSize, VolumeSize must be
equal or greater than the size of the snapshot.
Type: String
Update requires: Some interruptions (p. 119)
VolumeType
The volume type. If you set the type to io1, you must also set the Iops property. For valid values,
see the VolumeType parameter for the CreateVolume action in the Amazon EC2 API Reference.
Required: No
Type: String

Example
{

}

"DeviceName":"/dev/sdc",
"Ebs":{
"SnapshotId":"snap-xxxxxx",
"VolumeSize":"50",
"VolumeType":"io1",
"Iops":"1000",
"DeleteOnTermination":"false"
}

See Also
• CreateVolume in the Amazon Elastic Compute Cloud API Reference

Amazon EC2 Instance CreditSpeciﬁcation
The CreditSpecification property type speciﬁes the credit option for CPU usage of a T2 instance.
CreditSpecification is a property of the AWS::EC2::Instance (p. 879) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1814

AWS CloudFormation User Guide
Amazon EC2 Instance ElasticGpuSpeciﬁcation

JSON
{
}

"CPUCredits" : String

YAML
CPUCredits: String

Properties
CPUCredits
The credit option for CPU usage of a T2 instance. Valid values are standard and unlimited. By
default, standard is speciﬁed.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon EC2 Instance ElasticGpuSpeciﬁcation
The ElasticGpuSpecification property is part of the AWS::EC2::Instance (p. 879) resource that
speciﬁes the type of Elastic GPU. An Elastic GPU is a GPU resource that you can attach to your Amazon
EC2 instance to accelerate the graphics performance of your applications. For more information, see
Amazon EC2 Elastic GPUs in the Amazon EC2 User Guide for Windows Instances.

Syntax
JSON
{
}

"Type" : String

YAML
Type: String

Properties
Type
The type of Elastic GPU.
Required: Yes
Type: String
API Version 2010-05-15
1815

AWS CloudFormation User Guide
Amazon EC2 Instance LaunchTemplateSpeciﬁcation

Update requires: No interruption (p. 118)

Amazon EC2 Instance LaunchTemplateSpeciﬁcation
The LaunchTemplateSpecification property type speciﬁes the launch template to use. You must
specify either the launch template ID or launch template name.
LaunchTemplateSpecification is a property of the AWS::EC2::Instance (p. 879) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"LaunchTemplateId" : String,
"LaunchTemplateName" : String,
"Version" : String

YAML
LaunchTemplateId: String
LaunchTemplateName: String
Version: String

Properties
LaunchTemplateId
The ID of the launch template. You must specify either a template ID or a template name.
Minimum length of 1. Maximum length of 255. IDs must ﬁt the following pattern:
[\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
LaunchTemplateName
The name of the launch template. You must specify either a template name or a template ID.
Minimum length of 3. Maximum length of 128. Names must ﬁt the following pattern:
[a-zA-Z0-9\(\)\.-/_]+
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1816

AWS CloudFormation User Guide
Amazon EC2 Instance SsmAssociations
AssociationParameters

Version
The version number. AWS CloudFormation does not support specifying $Latest, or $Default for
the template version number.
Minimum length of 1. Maximum length of 255. Versions must ﬁt the following pattern:
[\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• LaunchTemplateSpeciﬁcation in the Amazon EC2 API Reference

Amazon EC2 Instance SsmAssociations
AssociationParameters
AssociationParameters is a property of the Amazon EC2 Instance SsmAssociations (p. 1818)
property that speciﬁes input parameter values for an SSM document in AWS Systems Manager.

Syntax
JSON
{
}

"Key" : String,
"Value" : [ String, ... ]

YAML
Key: String
Value:
- String

Properties
Key
The name of an input parameter that is in the associated SSM document.
Required: Yes
Type: String
Value
The value of an input parameter.
Required: Yes
API Version 2010-05-15
1817

AWS CloudFormation User Guide
Amazon EC2 Instance SsmAssociations

Type: List of String values

Amazon EC2 Instance SsmAssociations
SsmAssociations is a property of the AWS::EC2::Instance (p. 879) resource that speciﬁes the SSM
document and parameter values in AWS Systems Manager to associate with an instance.

Syntax
JSON
{
}

"AssociationParameters" : [ Parameters, ... ],
"DocumentName" : String

YAML
AssociationParameters:
- Parameters
DocumentName: String

Properties
AssociationParameters
The input parameter values to use with the associated SSM document.
Required: No
Type: List of Amazon EC2 Instance SsmAssociations AssociationParameters (p. 1817)
DocumentName
The name of an SSM document to associate with the instance.
Required: Yes
Type: String

Amazon EC2 LaunchTemplate BlockDeviceMapping
The BlockDeviceMapping property type describes a block device mapping for an Amazon EC2 launch
template.
BlockDeviceMapping is a property of the Amazon EC2 LaunchTemplate
LaunchTemplateData (p. 1826) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1818

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate BlockDeviceMapping

}

"Ebs" : Ebs (p. 1820),
"NoDevice" : String,
"VirtualName" : String,
"DeviceName" : String

YAML
Ebs: Ebs (p. 1820)
NoDevice: String
VirtualName: String
DeviceName: String

Properties
DeviceName
The device name (for example, /dev/sdh or xvdh).
Required: No
Type: String
Update requires: No interruption (p. 118)
Ebs
Parameters used to automatically set up EBS volumes when the instance is launched.
Required: No
Type: xxx
Update requires: No interruption (p. 118)
NoDevice
Suppresses the speciﬁed device included in the block device mapping of the AMI.
Required: No
Type: String
Update requires: No interruption (p. 118)
VirtualName
The virtual device name (ephemeralN). Instance store volumes are numbered starting from 0. An
instance type with 2 available instance store volumes can specify mappings for ephemeral0 and
ephemeral1. The number of available instance store volumes depends on the instance type. After
you connect to the instance, you must mount the volume.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• LaunchTemplateBlockDeviceMappingRequest in the Amazon EC2 API Reference
API Version 2010-05-15
1819

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate CreditSpeciﬁcation

Amazon EC2 LaunchTemplate CreditSpeciﬁcation
The CreditSpecification property type speciﬁes the credit option for CPU usage of a T2 instance for
an Amazon EC2 launch template.
CreditSpecification is a property of the Amazon EC2 LaunchTemplate
LaunchTemplateData (p. 1826) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"CpuCredits" : String

YAML
CpuCredits: String

Properties
CpuCredits
The credit option for CPU usage of a T2 instance. Valid values include standard and unlimited.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• CreditSpeciﬁcationRequest in the Amazon EC2 API Reference

Amazon EC2 LaunchTemplate Ebs
The Ebs property type speciﬁes parameters for a block device for an EBS volume in a Amazon EC2
launch template.
Ebs is a property of the Amazon EC2 LaunchTemplate BlockDeviceMapping (p. 1818) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1820

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate Ebs

}

"SnapshotId" : String,
"VolumeType" : String,
"KmsKeyId" : String,
"Encrypted" : Boolean,
"Iops" : Integer,
"VolumeSize" : Integer,
"DeleteOnTermination" : Boolean

YAML
SnapshotId: String
VolumeType: String
KmsKeyId: String
Encrypted: Boolean
Iops: Integer
VolumeSize: Integer
DeleteOnTermination: Boolean

Properties
DeleteOnTermination
Indicates whether the EBS volume is deleted on instance termination.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Encrypted
Indicates whether the EBS volume is encrypted. Encrypted volumes can only be attached to
instances that support Amazon EBS encryption. If you are creating a volume from a snapshot, you
can't specify an encryption value.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Iops
The number of I/O operations per second (IOPS) that the volume supports. For io1, this represents
the number of IOPS that are provisioned for the volume. For gp2, this represents the baseline
performance of the volume and the rate at which the volume accumulates I/O credits for bursting.
For more information about General Purpose SSD baseline performance, I/O credits, and bursting,
see Amazon EBS Volume Types in the Amazon EC2 User Guide for Linux Instances.
Condition: This parameter is required for requests to create io1 volumes; it is not used in requests to
create gp2, st1, sc1, or standard volumes.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
API Version 2010-05-15
1821

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate ElasticGpuSpeciﬁcation

KmsKeyId
The ARN of the AWS Key Management Service (AWS KMS) CMK used for encryption.
Required: No
Type: String
Update requires: No interruption (p. 118)
SnapshotId
The ID of the snapshot.
Required: No
Type: String
Update requires: No interruption (p. 118)
VolumeSize
The size of the volume, in GiB.
Default: If you're creating the volume from a snapshot and don't specify a volume size, the default is
the snapshot size.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
VolumeType
The volume type.
Valid values include: standard, io1, gp2, sc1, and st1.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• LaunchTemplateEbsBlockDeviceRequest in the Amazon EC2 API Reference

Amazon EC2 LaunchTemplate ElasticGpuSpeciﬁcation
The ElasticGpuSpecification property type speciﬁes a speciﬁcation for an Elastic GPU for an
Amazon EC2 launch template.
ElasticGpuSpecification is a property of the Amazon EC2 LaunchTemplate
LaunchTemplateData (p. 1826) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1822

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate IamInstanceProﬁle

JSON
{
}

"Type" : String

YAML
Type: String

Properties
Type
The type of Elastic GPU.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• ElasticGpuSpeciﬁcation in the Amazon EC2 API Reference

Amazon EC2 LaunchTemplate IamInstanceProﬁle
The IamInstanceProfile property type speciﬁes an IAM instance proﬁle for an Amazon EC2 launch
template.
IamInstanceProfile is a property of the Amazon EC2 LaunchTemplate
LaunchTemplateData (p. 1826) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Arn" : String,
"Name" : String

YAML
Arn: String
Name: String

API Version 2010-05-15
1823

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate InstanceMarketOptions

Properties
Arn
The Amazon Resource Name (ARN) of the instance proﬁle.
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the instance proﬁle.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• LaunchTemplateIamInstanceProﬁleSpeciﬁcationRequest in the Amazon EC2 API Reference

Amazon EC2 LaunchTemplate InstanceMarketOptions
The InstanceMarketOptions property type speciﬁes market (purchasing) option for instances in an
Amazon EC2 launch template.
InstanceMarketOptions is a property of the Amazon EC2 LaunchTemplate
LaunchTemplateData (p. 1826) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"SpotOptions" : SpotOptions (p. 1836),
"MarketType" : String

YAML
SpotOptions: SpotOptions (p. 1836)
MarketType: String

Properties
MarketType
The market type.
API Version 2010-05-15
1824

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate Ipv6Add

Valid values include: spot
Required: No
Type: String
Update requires: No interruption (p. 118)
SpotOptions
The options for Spot Instances.
Required: No
Type: Amazon EC2 LaunchTemplate SpotOptions (p. 1836)
Update requires: No interruption (p. 118)

See Also
• LaunchTemplateInstanceMarketOptionsRequest in the Amazon EC2 API Reference

Amazon EC2 LaunchTemplate Ipv6Add
The Ipv6Add property type describes an IPv6 address in an Amazon EC2 launch template.
Ipv6Add is a property of the Amazon EC2 LaunchTemplate NetworkInterface (p. 1831) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Ipv6Address" : String

YAML
Ipv6Address: String

Properties
Ipv6Address
The IPv6 address.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1825

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate LaunchTemplateData

See Also
• InstanceIpv6AddressRequest in the Amazon EC2 API Reference

Amazon EC2 LaunchTemplate LaunchTemplateData
The LaunchTemplateData property type speciﬁes the information to include the launch template for
an Amazon EC2 instance.
LaunchTemplateData is a property of the AWS::EC2::LaunchTemplate (p. 891) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"SecurityGroups" : [ String, ... ],
"TagSpecifications" : [ TagSpecification (p. 1837), ... ],
"UserData" : String,
"InstanceInitiatedShutdownBehavior" : String,
"BlockDeviceMappings" : [ BlockDeviceMapping (p. 1818), ... ],
"IamInstanceProfile" : IamInstanceProfile (p. 1823),
"KernelId" : String,
"SecurityGroupIds" : [ String, ... ],
"EbsOptimized" : Boolean,
"KeyName" : String,
"DisableApiTermination" : Boolean,
"ElasticGpuSpecifications" : [ ElasticGpuSpecification (p. 1822), ... ],
"Placement" : Placement (p. 1834),
"InstanceMarketOptions" : InstanceMarketOptions (p. 1824),
"NetworkInterfaces" : [ NetworkInterface (p. 1831), ... ],
"ImageId" : String,
"InstanceType" : String,
"RamDiskId" : String,
"Monitoring" : Monitoring (p. 1830),
"CreditSpecification" : CreditSpecification (p. 1820)

YAML
SecurityGroups:
- String
TagSpecifications:
- TagSpecification (p. 1837)
UserData: String
InstanceInitiatedShutdownBehavior: String
BlockDeviceMappings:
- BlockDeviceMapping (p. 1818)
IamInstanceProfile: IamInstanceProfile (p. 1823)
KernelId: String
SecurityGroupIds:
- String
EbsOptimized: Boolean
KeyName: String
DisableApiTermination: Boolean
ElasticGpuSpecifications:

API Version 2010-05-15
1826

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate LaunchTemplateData
- ElasticGpuSpecification (p. 1822)
Placement: Placement (p. 1834)
InstanceMarketOptions: InstanceMarketOptions (p. 1824)
NetworkInterfaces:
- NetworkInterface (p. 1831)
ImageId: String
InstanceType: String
RamDiskId: String
Monitoring: Monitoring (p. 1830)
CreditSpecification: CreditSpecification (p. 1820)

Properties
BlockDeviceMappings
The block device mapping.
Required: No
Type: List of Amazon EC2 LaunchTemplate BlockDeviceMapping (p. 1818)
Update requires: No interruption (p. 118)
CreditSpecification
The credit option for CPU usage of the instance. Valid for T2 instances only.
Required: No
Type: Amazon EC2 LaunchTemplate CreditSpeciﬁcation (p. 1820)
Update requires: No interruption (p. 118)
DisableApiTermination
If set to true, you can't terminate the instance using the Amazon EC2 console, CLI, or API.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
EbsOptimized
Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides
dedicated throughput to Amazon EBS and an optimized conﬁguration stack to provide optimal
Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional
usage charges apply when using an EBS-optimized instance.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
ElasticGpuSpecifications
An elastic GPU to associate with the instance.
Required: No
Type: List of Amazon EC2 LaunchTemplate ElasticGpuSpeciﬁcation (p. 1822)
Update requires: No interruption (p. 118)
API Version 2010-05-15
1827

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate LaunchTemplateData

IamInstanceProfile
The IAM instance proﬁle.
Required: No
Type: Amazon EC2 LaunchTemplate IamInstanceProﬁle (p. 1823)
Update requires: No interruption (p. 118)
ImageId
The ID of the AMI. For more information, see DescribeImages in the Amazon EC2 API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
InstanceInitiatedShutdownBehavior
Indicates whether an instance stops or terminates when you initiate shutdown from the instance
(using the operating system command for system shutdown).
Valid values include stop and terminate. The default is stop.
Required: No
Type: String
Update requires: No interruption (p. 118)
InstanceMarketOptions
The market (purchasing) option for the instances.
Required: No
Type: Amazon EC2 LaunchTemplate InstanceMarketOptions (p. 1824)
Update requires: No interruption (p. 118)
InstanceType
The instance type. For a list of valid values, see RequestLaunchTemplateData in the Amazon EC2 API
Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
KernelId
The ID of the kernel.

Important

We recommend that you use PV-GRUB instead of kernels and RAM disks. For more
information, see User Provided Kernels in the Amazon EC2 User Guide for Linux Instances.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1828

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate LaunchTemplateData

KeyName
The name of the key pair. For information on creating a key pair, see CreateKeyPair or ImportKeyPair
in the Amazon EC2 API Reference.

Important

If you do not specify a key pair, you can't connect to the instance unless you choose an AMI
that is conﬁgured to allow users another way to log in.
Required: No
Type: String
Update requires: No interruption (p. 118)
Monitoring
The monitoring for the instance.
Required: No
Type: Amazon EC2 LaunchTemplate Monitoring (p. 1830)
Update requires: No interruption (p. 118)
NetworkInterfaces
One or more network interfaces.
Required: No
Type: List of Amazon EC2 LaunchTemplate NetworkInterface (p. 1831)
Update requires: No interruption (p. 118)
Placement
The placement for the instance.
Required: No
Type: Amazon EC2 LaunchTemplate Placement (p. 1834)
Update requires: No interruption (p. 118)
RamDiskId
The ID of the RAM disk.

Important

We recommend that you use PV-GRUB instead of kernels and RAM disks. For more
information, see User Provided Kernels in the Amazon EC2 User Guide for Linux Instances.
Required: No
Type: String
Update requires: No interruption (p. 118)
SecurityGroups
[EC2-Classic, default VPC] One or more security group names. For a nondefault VPC, you must use
security group IDs instead. You cannot specify both a security group ID and security name in the
same request.
Required: No
API Version 2010-05-15
1829

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate Monitoring

Type: List of String values
Update requires: No interruption (p. 118)
SecurityGroupIds
One or more security group IDs. You cannot specify both a security group ID and security name
in the same request. For information on creating a security group, see CreateSecurityGroup in the
Amazon EC2 API Reference.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
TagSpecifications
The tags to apply to the resources during launch. You can tag instances and volumes. The speciﬁed
tags are applied to all instances or volumes that are created during launch.
Required: No
Type: List of Amazon EC2 LaunchTemplate TagSpeciﬁcation (p. 1837)
Update requires: No interruption (p. 118)
UserData
The Base64-encoded user data to make available to the instance. For more information, see Running
Commands on Your Linux Instance at Launch in the Amazon EC2 User Guide for Linux Instances and
Adding User Data in the Amazon EC2 User Guide for Windows Instances.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• RequestLaunchTemplateData in the Amazon EC2 API Reference

Amazon EC2 LaunchTemplate Monitoring
The Monitoring property type describes the monitoring for the instance of an Amazon EC2 launch
template.
Monitoring is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData (p. 1826) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Enabled" : Boolean

API Version 2010-05-15
1830

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate NetworkInterface
}

YAML
Enabled: Boolean

Properties
Enabled
Specify true to enable detailed monitoring. Otherwise, basic monitoring is enabled.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)

See Also
• LaunchTemplatesMonitoringRequest in the Amazon EC2 API Reference

Amazon EC2 LaunchTemplate NetworkInterface
The NetworkInterface property type speciﬁes parameters for a network interface in an Amazon EC2
launch template.
NetworkInterface is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData (p. 1826)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Description" : String,
"PrivateIpAddress" : String,
"PrivateIpAddresses" : [ PrivateIpAdd (p. 1835), ... ],
"SecondaryPrivateIpAddressCount" : Integer,
"Ipv6AddressCount" : Integer,
"Groups" : [ String, ... ],
"DeviceIndex" : Integer,
"SubnetId" : String,
"Ipv6Addresses" : [ Ipv6Add (p. 1825), ... ],
"AssociatePublicIpAddress" : Boolean,
"NetworkInterfaceId" : String,
"DeleteOnTermination" : Boolean

YAML

API Version 2010-05-15
1831

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate NetworkInterface
Description: String
PrivateIpAddress: String
PrivateIpAddresses:
- PrivateIpAdd (p. 1835)
SecondaryPrivateIpAddressCount: Integer
Ipv6AddressCount: Integer
Groups:
- String
DeviceIndex: Integer
SubnetId: String
Ipv6Addresses:
- Ipv6Add (p. 1825)
AssociatePublicIpAddress: Boolean
NetworkInterfaceId: String
DeleteOnTermination: Boolean

Properties
AssociatePublicIpAddress
Associates a public IPv4 address with eth0 for a new network interface.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
DeleteOnTermination
Indicates whether the network interface is deleted when the instance is terminated.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Description
A description for the network interface.
Required: No
Type: String
Update requires: No interruption (p. 118)
DeviceIndex
The device index for the network interface attachment.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Groups
The IDs of one or more security groups.
Required: No
Type: List of String values
API Version 2010-05-15
1832

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate NetworkInterface

Update requires: No interruption (p. 118)
Ipv6AddressCount
The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects
the IPv6 addresses from the subnet range. You can't use this option if specifying speciﬁc IPv6
addresses.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Ipv6Addresses
One or more speciﬁc IPv6 addresses from the IPv6 CIDR block range of your subnet. You can't use
this option if you're specifying a number of IPv6 addresses.
Required: No
Type: List of Amazon EC2 LaunchTemplate Ipv6Add (p. 1825)
Update requires: No interruption (p. 118)
NetworkInterfaceId
The ID of the network interface.
Required: No
Type: String
Update requires: No interruption (p. 118)
PrivateIpAddress
The primary private IPv4 address of the network interface.
Required: No
Type: String
Update requires: No interruption (p. 118)
PrivateIpAddresses
One or more private IPv4 addresses.
Required: No
Type: List of Amazon EC2 LaunchTemplate PrivateIpAdd (p. 1835)
Update requires: No interruption (p. 118)
SecondaryPrivateIpAddressCount
The number of secondary private IPv4 addresses to assign to a network interface.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
SubnetId
The ID of the subnet for the network interface.
API Version 2010-05-15
1833

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate Placement

Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• LaunchTemplateInstanceNetworkInterfaceSpeciﬁcationRequest in the Amazon EC2 API Reference

Amazon EC2 LaunchTemplate Placement
The Placement property type speciﬁes the placement for the instance in an Amazon EC2 launch
template.
Placement is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData (p. 1826) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"GroupName" : String,
"Tenancy" : String,
"AvailabilityZone" : String,
"Affinity" : String,
"HostId" : String

YAML
GroupName: String
Tenancy: String
AvailabilityZone: String
Affinity: String
HostId: String

Properties
Affinity
The aﬃnity setting for an instance on a Dedicated Host.
Required: No
Type: String
Update requires: No interruption (p. 118)
AvailabilityZone
The Availability Zone for the instance.
API Version 2010-05-15
1834

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate PrivateIpAdd

Required: No
Type: String
Update requires: No interruption (p. 118)
GroupName
The name of the placement group for the instance.
Required: No
Type: String
Update requires: No interruption (p. 118)
HostId
The ID of the Dedicated Host for the instance.
Required: No
Type: String
Update requires: No interruption (p. 118)
Tenancy
The tenancy of the instance (if the instance is running in a VPC). An instance with a tenancy of
dedicated runs on single-tenant hardware.
Valid values include default, dedicated, and host.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• LaunchTemplatePlacementRequest in the Amazon EC2 API Reference

Amazon EC2 LaunchTemplate PrivateIpAdd
The PrivateIpAdd property type describes a private IPv4 address for a network interface in an Amazon
EC2 launch template.
PrivateIpAdd is a property of the Amazon EC2 LaunchTemplate NetworkInterface (p. 1831) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"PrivateIpAddress" : String,

API Version 2010-05-15
1835

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate SpotOptions

}

"Primary" : Boolean

YAML
PrivateIpAddress: String
Primary: Boolean

Properties
Primary
Indicates whether the private IPv4 address is the primary private IPv4 address. Only one IPv4
address can be designated as primary.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
PrivateIpAddress
The private IPv4 address.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• PrivateIpAddressSpeciﬁcation in the Amazon EC2 API Reference

Amazon EC2 LaunchTemplate SpotOptions
The SpotOptions property type speciﬁes the options for Spot Instances in an Amazon EC2 launch
template.
SpotOptions is a property of the Amazon EC2 LaunchTemplate InstanceMarketOptions (p. 1824)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"SpotInstanceType" : String,
"InstanceInterruptionBehavior" : String,
"MaxPrice" : String

API Version 2010-05-15
1836

AWS CloudFormation User Guide
Amazon EC2 LaunchTemplate TagSpeciﬁcation

YAML
SpotInstanceType: String
InstanceInterruptionBehavior: String
MaxPrice: String

Properties
InstanceInterruptionBehavior
The behavior when a Spot Instance is interrupted. The default is terminate.
Valid values include: hibernate, stop, and terminate.
Required: No
Type: String
Update requires: No interruption (p. 118)
MaxPrice
The maximum hourly price you're willing to pay for the Spot Instances.
Required: No
Type: String
Update requires: No interruption (p. 118)
SpotInstanceType
The Spot Instance request type.
Valid values include: one-time and persistent.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• LaunchTemplateSpotMarketOptionsRequest in the Amazon EC2 API Reference

Amazon EC2 LaunchTemplate TagSpeciﬁcation
The TagSpecification property type speciﬁes the tags speciﬁcation for an Amazon EC2 launch
template.
TagSpecification is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData (p. 1826)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1837

AWS CloudFormation User Guide
EC2 MountPoint

JSON
{
}

"ResourceType" : String,
"Tags" : [ Tag (p. 2106), ... ]

YAML
ResourceType: String
Tags:
- Tag (p. 2106)

Properties
ResourceType
The type of resource to tag. Currently, the resource types that support tagging on creation are
instance and volume.
For a list of valid values, see LaunchTemplateTagSpeciﬁcationRequest in the Amazon EC2 API
Reference
Required: No
Type: String
Update requires: No interruption (p. 118)
Tags
The tags to apply to the resource.
Required: No
Type: List of AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

See Also
• LaunchTemplateTagSpeciﬁcationRequest in the Amazon EC2 API Reference

EC2 MountPoint Property Type
The EC2 MountPoint property is an embedded property of the AWS::EC2::Instance (p. 879) type.

Syntax
JSON
{
}

"Device (p. 1839)" : String,
"VolumeId (p. 1839)" : String

API Version 2010-05-15
1838

AWS CloudFormation User Guide
EC2 MountPoint

YAML
Device (p. 1839): String,
VolumeId (p. 1839): String

Properties
Device
How the device is exposed to the instance (such as /dev/sdh, or xvdh).
Required: Yes
Type: String
VolumeId
The ID of the Amazon EBS volume. The volume and instance must be within the same Availability
Zone and the instance must be running.
Required: Yes
Type: String

Example
This mount point (speciﬁed in the Volumes property in the EC2 instance) refers to a named EBS volume,
"NewVolume".

"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"AvailabilityZone" : {
"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "TestAz" ]
},
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
"KeyName" : { "Ref" : "KeyName" },
"ImageId" : {
"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]
},
"Volumes" : [
{ "VolumeId" : { "Ref" : "NewVolume" }, "Device" : "/dev/sdk" }
]
}
},
"NewVolume" : {
"Type" : "AWS::EC2::Volume",
"Properties" : {
"Size" : "100",
"AvailabilityZone" : {
"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "TestAz" ]
}
}
}

See Also
• AWS::EC2::Instance (p. 879)
• AWS::EC2::Volume (p. 944)
API Version 2010-05-15
1839

AWS CloudFormation User Guide
EC2 Network Interface

EC2 NetworkInterface Embedded Property Type
The EC2 Network Interface type is an embedded property of the AWS::EC2::Instance (p. 879) type.
It speciﬁes a network interface that is to be attached.

Syntax
JSON
{

}

"AssociatePublicIpAddress (p. 1840)" : Boolean,
"DeleteOnTermination (p. 1840)" : Boolean,
"Description (p. 1841)" : String,
"DeviceIndex (p. 1841)" : String,
"GroupSet (p. 1841)" : [ String, ... ],
"NetworkInterfaceId (p. 1841)" : String,
"Ipv6AddressCount" : Integer,
"Ipv6Addresses" : [ IPv6 Address Type, ... ],
"PrivateIpAddress (p. 1841)" : String,
"PrivateIpAddresses (p. 1842)" : [ PrivateIpAddressSpecification, ... ],
"SecondaryPrivateIpAddressCount (p. 1842)" : Integer,
"SubnetId (p. 1842)" : String

YAML
AssociatePublicIpAddress (p. 1840): Boolean
DeleteOnTermination (p. 1840): Boolean
Description (p. 1841): String
DeviceIndex (p. 1841): String
GroupSet (p. 1841):
- String
NetworkInterfaceId (p. 1841): String
Ipv6AddressCount: Integer
Ipv6Addresses:
- IPv6 Address Type
PrivateIpAddress (p. 1841): String
PrivateIpAddresses (p. 1842):
- PrivateIpAddressSpecification
SecondaryPrivateIpAddressCount (p. 1842): Integer
SubnetId (p. 1842): String

Properties
AssociatePublicIpAddress
Indicates whether the network interface receives a public IP address. You can associate a public
IP address with a network interface only if it has a device index of eth0 and if it is a new network
interface (not an existing one). In other words, if you specify true, don't specify a network interface
ID. For more information, see Amazon EC2 Instance IP Addressing.
Required: No
Type: Boolean.
DeleteOnTermination
Whether to delete the network interface when the instance terminates.
Required: No
API Version 2010-05-15
1840

AWS CloudFormation User Guide
EC2 Network Interface

Type: Boolean.
Description
The description of this network interface.
Required: No
Type: String
DeviceIndex
The network interface's position in the attachment order.
Required: Yes
Type: String
GroupSet
A list of security group IDs associated with this network interface.
Required: No
Type: List of strings.
NetworkInterfaceId
An existing network interface ID.
Required: Conditional. If you don't specify the SubnetId property, you must specify this property.
Type: String
Ipv6AddressCount
The number of IPv6 addresses to associate with the network interface. Amazon EC2 automatically
selects the IPv6 addresses from the subnet range. To specify speciﬁc IPv6 addresses, use the
Ipv6Addresses property and don't specify this property.
For restrictions on which instance types support IPv6 addresses, see the RunInstances action in the
Amazon EC2 API Reference.
Required: No
Type: Integer
Ipv6Addresses
One or more speciﬁc IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with
the network interface. To specify a number of IPv6 addresses, use the Ipv6AddressCount property
and don't specify this property.
For information about restrictions on which instance types support IPv6 addresses, see the
RunInstances action in the Amazon EC2 API Reference.
Required: No
Type: List of EC2 NetworkInterface Ipv6Addresses (p. 1844)
PrivateIpAddress
Assigns a single private IP address to the network interface, which is used as the primary private IP
address. If you want to specify multiple private IP address, use the PrivateIpAddresses property.
Required: No
Type: String
API Version 2010-05-15
1841

AWS CloudFormation User Guide
EC2 NetworkAclEntry Icmp

PrivateIpAddresses
Assigns a list of private IP addresses to the network interface. You can specify a
primary private IP address by setting the value of the Primary property to true in the
PrivateIpAddressSpecification property. If you want Amazon EC2 to automatically assign
private IP addresses, use the SecondaryPrivateIpCount property and do not specify this
property.
For information about the maximum number of private IP addresses, see Private IP Addresses Per
ENI Per Instance Type in the Amazon EC2 User Guide for Linux Instances.
Required: No
Type: list of PrivateIpAddressSpeciﬁcation (p. 1844)
SecondaryPrivateIpAddressCount
The number of secondary private IP addresses that Amazon EC2 auto assigns to the network
interface. Amazon EC2 uses the value of the PrivateIpAddress property as the primary private
IP address. If you don't specify that property, Amazon EC2 auto assigns both the primary and
secondary private IP addresses.
If you want to specify your own list of private IP addresses, use the PrivateIpAddresses property
and do not specify this property.
For information about the maximum number of private IP addresses, see Private IP Addresses Per
ENI Per Instance Type in the Amazon EC2 User Guide for Linux Instances.
Required: No
Type: Integer.
SubnetId
The ID of the subnet to associate with the network interface.
Required: Conditional. If you don't specify the NetworkInterfaceId property, you must specify
this property.
Type: String

EC2 NetworkAclEntry Icmp
The Icmp property is an embedded property of the AWS::EC2::NetworkAclEntry (p. 897) type.

Syntax
JSON
{
}

"Code" : Integer,
"Type" : Integer

YAML
Code: Integer
Type: Integer

API Version 2010-05-15
1842

AWS CloudFormation User Guide
EC2 NetworkAclEntry PortRange

Properties
Code
The Internet Control Message Protocol (ICMP) code. You can use -1 to specify all ICMP codes for the
given ICMP type.
Required: Conditional. Required if you specify 1 (ICMP) for the CreateNetworkAclEntry protocol
parameter.
Type: Integer
Type
The Internet Control Message Protocol (ICMP) type. You can use -1 to specify all ICMP types.
Required: Conditional. Required if you specify 1 (ICMP) for the CreateNetworkAclEntry protocol
parameter.
Type: Integer

EC2 NetworkAclEntry PortRange
The PortRange property is an embedded property of the AWS::EC2::NetworkAclEntry (p. 897) type.

Syntax
JSON
{
}

"From" : Integer,
"To" : Integer

YAML
From: Integer
To: Integer

Properties
From
The ﬁrst port in the range.
Required: Conditional. Required if you specify 6 (TCP) or 17 (UDP) for the protocol parameter.
Type: Integer
To
The last port in the range.
Required: Conditional. Required if you specify 6 (TCP) or 17 (UDP) for the protocol parameter.
Type: Integer
API Version 2010-05-15
1843

AWS CloudFormation User Guide
EC2 NetworkInterface Ipv6Addresses

EC2 NetworkInterface Ipv6Addresses
Ipv6Addresses is a property of the AWS::EC2::NetworkInterface (p. 901) resource that speciﬁes an
IPv6 address to associate with the network interface.

Syntax
JSON
{
}

"Ipv6Address" : String

YAML
Ipv6Address: String

Properties
Ipv6Address
The IPv6 address to associate with the network interface.
Required: Yes
Type: String

EC2 Network Interface Private IP Speciﬁcation
The PrivateIpAddressSpecification type is an embedded property of the
AWS::EC2::NetworkInterface (p. 901) type.

Syntax
JSON
{
}

"PrivateIpAddress" : String,
"Primary" : Boolean

YAML
PrivateIpAddress: String
Primary: Boolean

Properties
PrivateIpAddress
The private IP address of the network interface.
API Version 2010-05-15
1844

AWS CloudFormation User Guide
EC2 Security Group Rule

Required: Yes
Type: String
Primary
Sets the private IP address as the primary private address. You can set only one primary private
IP address. If you don't specify a primary private IP address, Amazon EC2 automatically assigns a
primary private IP address.
Required: Yes
Type: Boolean

EC2 Security Group Rule Property Type
The EC2 Security Group Rule is an embedded property of the AWS::EC2::SecurityGroup (p. 917) type.

Syntax SecurityGroupIngress
JSON
{

}

"CidrIp (p. 1846)" : String,
"CidrIpv6 (p. 1846)" : String,
"Description (p. 1846)" : String,
"FromPort (p. 1846)" : Integer,
"IpProtocol (p. 1847)" : String,
"SourceSecurityGroupId (p. 1847)" : String,
"SourceSecurityGroupName (p. 1847)" : String,
"SourceSecurityGroupOwnerId (p. 1847)" : String,
"ToPort (p. 1847)" : Integer

YAML
CidrIp (p. 1846): String
CidrIpv6 (p. 1846): String
Description (p. 1846): String
FromPort (p. 1846): Integer
IpProtocol (p. 1847): String
SourceSecurityGroupId (p. 1847): String
SourceSecurityGroupName (p. 1847): String
SourceSecurityGroupOwnerId (p. 1847): String
ToPort (p. 1847): Integer

Syntax SecurityGroupEgress
JSON
{

"CidrIp (p. 1846)" : String,
"CidrIpv6 (p. 1846)" : String,
"Description (p. 1846)" : String,
"DestinationPrefixListId (p. 1846)" : String,
"DestinationSecurityGroupId (p. 1846)" : String,
"FromPort (p. 1846)" : Integer,
"IpProtocol (p. 1847)" : String,

API Version 2010-05-15
1845

AWS CloudFormation User Guide
EC2 Security Group Rule

}

"ToPort (p. 1847)" : Integer

YAML
CidrIp (p. 1846): String
CidrIpv6 (p. 1846): String
Description (p. 1846): String
DestinationPrefixListId (p. 1846): String
DestinationSecurityGroupId (p. 1846): String
FromPort (p. 1846): Integer
IpProtocol (p. 1847): String
ToPort (p. 1847): Integer

Properties
CidrIp
Speciﬁes an IPv4 CIDR range.
Required: Conditional. You must specify only one of the following properties: CidrIp, CidrIpv6,
DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.
Type: String
CidrIpv6
Speciﬁes an IPv6 CIDR range.
Required: Conditional. You must specify only one of the following properties: CidrIp, CidrIpv6,
DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.
Type: String
Description
Description of the security group rule.
Type: String
DestinationPrefixListId (SecurityGroupEgress only)
The AWS service preﬁx of an Amazon VPC endpoint. For more information, see VPC Endpoints in the
Amazon VPC User Guide.
Required: Conditional. You must specify only one of the following properties: CidrIp, CidrIpv6,
DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.
Type: String
DestinationSecurityGroupId (SecurityGroupEgress only)
Speciﬁes the GroupId of the destination Amazon VPC security group.
Required: Conditional. You must specify only one of the following properties: CidrIp, CidrIpv6,
DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.
Type: String
FromPort
The start of port range for the TCP and UDP protocols, or an ICMP type number. An ICMP type
number of -1 indicates a wildcard (i.e., any ICMP type number).
API Version 2010-05-15
1846

AWS CloudFormation User Guide
EC2 Security Group Rule

Required: No
Type: Integer
IpProtocol
An IP protocol name or number. For valid values, go to the IpProtocol parameter in
AuthorizeSecurityGroupIngress
Required: Yes
Type: String
SourceSecurityGroupId (SecurityGroupIngress only)
For VPC security groups only. Speciﬁes the ID of the Amazon EC2 Security Group to allow access. You
can use the Ref intrinsic function to refer to the logical ID of a security group deﬁned in the same
template.
Required: Conditional. You must specify only one of the following properties: CidrIp, CidrIpv6,
DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.
Type: String
SourceSecurityGroupName (SecurityGroupIngress only)
For non-VPC security groups only. Speciﬁes the name of the Amazon EC2 Security Group to use for
access. You can use the Ref intrinsic function to refer to the logical name of a security group that is
deﬁned in the same template.
Required: Conditional. If you specify CidrIp, do not specify SourceSecurityGroupName.
Type: String
SourceSecurityGroupOwnerId (SecurityGroupIngress only)
Speciﬁes the AWS Account ID of the owner of the Amazon EC2 Security Group that is speciﬁed in the
SourceSecurityGroupName property.
Required: Conditional. If you specify SourceSecurityGroupName and that security group
is owned by a diﬀerent account than the account creating the stack, you must specify the
SourceSecurityGroupOwnerId; otherwise, this property is optional.
Type: String
ToPort
The end of port range for the TCP and UDP protocols, or an ICMP code. An ICMP code of -1 indicates
a wildcard (i.e., any ICMP code).
Required: No
Type: Integer

Examples
Security Group with CidrIp
JSON
"InstanceSecurityGroup" : {

API Version 2010-05-15
1847

AWS CloudFormation User Guide
EC2 Security Group Rule

}

"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable SSH access via port 22",
"SecurityGroupIngress" : [ {
"IpProtocol" : "tcp",
"FromPort" : 22,
"ToPort" : 22,
"CidrIp" : "0.0.0.0/0"
} ]
}

YAML
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: "Enable SSH access via port 22"
SecurityGroupIngress:
IpProtocol: "tcp"
FromPort: 22
ToPort: 22
CidrIp: "0.0.0.0/0"

Security Group with Security Group Id
JSON
"InstanceSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable HTTP access on the configured port",
"VpcId" : { "Ref" : "VpcId" },
"SecurityGroupIngress" : [ {
"IpProtocol" : "tcp",
"FromPort" : { "Ref" : "WebServerPort" },
"ToPort" : { "Ref" : "WebServerPort" },
"SourceSecurityGroupId" : { "Ref" : "LoadBalancerSecurityGroup" }
} ]
}
}

YAML
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: "Enable HTTP access on the configured port"
VpcId:
Ref: "VpcId"
SecurityGroupIngress:
IpProtocol: "tcp"
FromPort:
Ref: "WebServerPort"
ToPort:
Ref: "WebServerPort"
SourceSecurityGroupId:
Ref: "LoadBalancerSecurityGroup"

API Version 2010-05-15
1848

AWS CloudFormation User Guide
EC2 Security Group Rule

Security Group with Multiple Ingress Rules
This snippet grants SSH access with CidrIp, and HTTP access with SourceSecurityGroupName.
Fn::GetAtt is used to derive the values for SourceSecurityGroupName and
SourceSecurityGroupOwnerId from the elastic load balancer.

JSON
"ElasticLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : "" },
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : { "Ref" : "WebServerPort" },
"Protocol" : "HTTP"
} ],
"HealthCheck" : {
"Target" : { "Fn::Join" : [ "", ["HTTP:", { "Ref" : "WebServerPort" }, "/"]]},
"HealthyThreshold" : "3",
"UnhealthyThreshold" : "5",
"Interval" : "30",
"Timeout" : "5"
}
}
},
"InstanceSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Allow SSH access from all IP addresses and HTTP from the load
balancer only",
"SecurityGroupIngress" : [ {
"IpProtocol" : "tcp",
"FromPort" : 22,
"ToPort" : 22,
"CidrIp" : "0.0.0.0/0"
}, {
"IpProtocol" : "tcp",
"FromPort" : { "Ref" : "WebServerPort" },
"ToPort" : { "Ref" : "WebServerPort" },
"SourceSecurityGroupOwnerId" : {"Fn::GetAtt" : ["ElasticLoadBalancer",
"SourceSecurityGroup.OwnerAlias"]},
"SourceSecurityGroupName" : {"Fn::GetAtt" : ["ElasticLoadBalancer",
"SourceSecurityGroup.GroupName"]}
} ]
}
}

YAML
ElasticLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
Fn::GetAZs: ""
Listeners:
LoadBalancerPort: "80"
InstancePort:
Ref: "WebServerPort"
Protocol: "HTTP"
HealthCheck:

API Version 2010-05-15
1849

AWS CloudFormation User Guide
Amazon EC2 SpotFleet SpotFleetRequestConﬁgData
Target:
Fn::Join:
- ""
- "HTTP:"
Ref: "WebServerPort"
- "/"
HealthyThreshold: "3"
UnhealthyThreshold: "5"
Interval: "30"
Timeout: "5"
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: "Allow SSH access from all IP addresses and HTTP from the load
balancer only"
SecurityGroupIngress:
IpProtocol: "tcp"
FromPort: 22
ToPort: 22
CidrIp: "0.0.0.0/0"
IpProtocol: "tcp"
FromPort:
Ref: "WebServerPort"
ToPort:
Ref: "WebServerPort"
SourceSecurityGroupOwnerId:
Fn::GetAtt:
- "ElasticLoadBalancer"
- "SourceSecurityGroup.OwnerAlias"
SourceSecurityGroupName:
Fn::GetAtt:
- "ElasticLoadBalancer"
- "SourceSecurityGroup.GroupName"

See Also
• Amazon EC2 Security Groups in the Amazon EC2 User Guide

Amazon EC2 SpotFleet SpotFleetRequestConﬁgData
SpotFleetRequestConfigData is a property of the AWS::EC2::SpotFleet (p. 932) resource that
deﬁnes the conﬁguration of a Spot ﬂeet request.

Syntax
JSON
{

"AllocationStrategy" : String,
"ExcessCapacityTerminationPolicy" : String,
"IamFleetRole" : String,
"LaunchSpecifications" : [ LaunchSpecifications (p. 1853), ... ],
"LaunchTemplateConfigs" : [ LaunchTemplateConfigs (p. 1860), ... ],
"ReplaceUnhealthyInstances" : Boolean,
"SpotPrice" : String,
"TargetCapacity" : Integer,

API Version 2010-05-15
1850

AWS CloudFormation User Guide
Amazon EC2 SpotFleet SpotFleetRequestConﬁgData

}

"TerminateInstancesWithExpiration" : Boolean,
"Type" : String,
"ValidFrom" : String,
"ValidUntil" : String

YAML
AllocationStrategy: String
ExcessCapacityTerminationPolicy: String
IamFleetRole: String
LaunchSpecifications:
- LaunchSpecifications (p. 1853)
LaunchTemplateConfigs:
- LaunchTemplateConfigs (p. 1860)
ReplaceUnhealthyInstances: Boolean
SpotPrice: String
TargetCapacity: Integer
TerminateInstancesWithExpiration: Boolean
Type: String
ValidFrom: String
ValidUntil: String

Properties
AllocationStrategy
Indicates how to allocate the target capacity across the Spot pools that you speciﬁed in the Spot
ﬂeet request. For valid values, see SpotFleetRequestConﬁgData in the Amazon EC2 API Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)
ExcessCapacityTerminationPolicy
Indicates whether running Spot instances are terminated if you decrease the target capacity
of the Spot ﬂeet request below the current size of the Spot ﬂeet. For valid values, see
SpotFleetRequestConﬁgData in the Amazon EC2 API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
IamFleetRole
The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that
grants the Spot ﬂeet the ability to bid on, launch, and terminate instances on your behalf. For more
information, see Spot Fleet Prerequisites in the Amazon EC2 User Guide for Linux Instances.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
LaunchSpecifications
The launch speciﬁcations for the Spot ﬂeet request.
API Version 2010-05-15
1851

AWS CloudFormation User Guide
Amazon EC2 SpotFleet SpotFleetRequestConﬁgData

Required: Yes
Type: List of Amazon Elastic Compute Cloud SpotFleet LaunchSpeciﬁcations (p. 1853)
Update requires: Replacement (p. 119)
LaunchTemplateConfigs
Describes a launch template and overrides.
Required: No
Type: List of Amazon EC2 SpotFleet LaunchTemplateConﬁg (p. 1860)
Update requires: Replacement (p. 119)
ReplaceUnhealthyInstances
Indicates whether the Spot ﬂeet should replace unhealthy instances.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
SpotPrice
The bid price per unit hour. For more information, see How Spot Fleet Works in the Amazon EC2 User
Guide for Linux Instances.
Required: No
Type: String
Update requires: Replacement (p. 119)
TargetCapacity
The number of units to request for the spot ﬂeet. You can choose to set the target capacity as
the number of instances or as a performance characteristic that is important to your application
workload, such as vCPUs, memory, or I/O. For more information, see How Spot Fleet Works in the
Amazon EC2 User Guide for Linux Instances.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)
TerminateInstancesWithExpiration
Indicates whether running Spot instances are terminated when the Spot ﬂeet request expires.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
Type
The type of request, which indicates whether the ﬂeet will only request the target capacity or also
attempt to maintain it. For more information, see SpotFleetRequestConﬁgData in the Amazon EC2
API Reference.
Required: No
API Version 2010-05-15
1852

AWS CloudFormation User Guide
Amazon EC2 SpotFleet LaunchSpeciﬁcations

Type: String
Update requires: Replacement (p. 119)
ValidFrom
The start date and time of the request, in UTC format (YYYY-MM-DDTHH:MM:SSZ). By default, Amazon
Elastic Compute Cloud (Amazon EC2 ) starts fulﬁlling the request immediately.
Required: No
Type: String
Update requires: Replacement (p. 119)
ValidUntil
The end date and time of the request, in UTC format (YYYY-MM-DDTHH:MM:SSZ). After the end date
and time, Amazon EC2 doesn't request new Spot instances or enable them to fulﬁll the request.
Required: No
Type: String
Update requires: Replacement (p. 119)

Amazon Elastic Compute Cloud SpotFleet
LaunchSpeciﬁcations
LaunchSpecifications is a property of the Amazon EC2 SpotFleet
SpotFleetRequestConﬁgData (p. 1850) property that deﬁnes the launch speciﬁcations for the Spot ﬂeet
request.

Syntax
JSON
{

}

"BlockDeviceMappings" : [ BlockDeviceMapping, ... ],
"EbsOptimized" : Boolean,
"IamInstanceProfile" : IamInstanceProfile,
"ImageId" : String,
"InstanceType" : String,
"KernelId" : String,
"KeyName" : String,
"Monitoring" : Boolean,
"NetworkInterfaces" : [ NetworkInterface, ... ],
"Placement" : Placement,
"RamdiskId" : String,
"SecurityGroups" : [ SecurityGroup, ... ],
"SpotPrice" : String,
"SubnetId" : String,
"TagSpecifications" : SpotFleetTagSpecification,
"UserData" : String,
"WeightedCapacity" : Number

YAML
BlockDeviceMappings:

API Version 2010-05-15
1853

AWS CloudFormation User Guide
Amazon EC2 SpotFleet LaunchSpeciﬁcations
- BlockDeviceMapping
EbsOptimized: Boolean
IamInstanceProfile:
IamInstanceProfile
ImageId: String
InstanceType: String
KernelId: String
KeyName: String
Monitoring: Boolean
NetworkInterfaces:
- NetworkInterface
Placement:
Placement
RamdiskId: String
SecurityGroups:
- SecurityGroup
SpotPrice: String
SubnetId: String
TagSpecifications:
- SpotFleetTagSpecification
UserData: String
WeightedCapacity: Number

Properties
BlockDeviceMappings
Deﬁnes the block devices that are mapped to the Spot instances.
Required: No
Type: List of Amazon Elastic Compute Cloud SpotFleet BlockDeviceMappings (p. 1856)
EbsOptimized
Indicates whether the instances are optimized for Amazon Elastic Block Store (Amazon EBS) I/O. This
optimization provides dedicated throughput to Amazon EBS and an optimized conﬁguration stack
to provide optimal EBS I/O performance. This optimization isn't available with all instance types.
Additional usage charges apply when you use an Amazon EBS-optimized instance.
Required: No
Type: Boolean
IamInstanceProfile
Deﬁnes the AWS Identity and Access Management (IAM) instance proﬁle to associate with the
instances.
Required: No
Type: Amazon Elastic Compute Cloud SpotFleet IamInstanceProﬁle (p. 1860)
ImageId
The unique ID of the Amazon Machine Image (AMI) to launch on the instances.
Required: Yes
Type: String
InstanceType
Speciﬁes the instance type of the EC2 instances.
API Version 2010-05-15
1854

AWS CloudFormation User Guide
Amazon EC2 SpotFleet LaunchSpeciﬁcations

Required: Yes
Type: String
KernelId
The ID of the kernel that is associated with the Amazon Elastic Compute Cloud (Amazon EC2) AMI.
Required: No
Type: String
KeyName
An Amazon EC2 key pair to associate with the instances.
Required: No
Type: String
Monitoring
Enable or disable monitoring for the instances.
Required: No
Type: Amazon EC2 SpotFleet Monitoring (p. 1862)
NetworkInterfaces
The network interfaces to associate with the instances.
Required: No
Type: List of Amazon Elastic Compute Cloud SpotFleet NetworkInterfaces (p. 1863)
Placement
Deﬁnes a placement group, which is a logical grouping of instances within a single Availability Zone
(AZ).
Required: No
Type: Amazon Elastic Compute Cloud SpotFleet Placement (p. 1866)
RamdiskId
The ID of the RAM disk to select. Some kernels require additional drivers at launch. Check the
kernel requirements for information about whether you need to specify a RAM disk. To ﬁnd kernel
requirements, refer to the AWS Resource Center and search for the kernel ID.
Required: No
Type: String
SecurityGroups
One or more security group IDs to associate with the instances.
Required: No
Type: List of Amazon Elastic Compute Cloud SpotFleet SecurityGroups (p. 1866)
SpotPrice
The bid price per unit hour for the speciﬁed instance type. If you don't specify a value, Amazon EC2
uses the Spot bid price for the ﬂeet. For more information, see How Spot Fleet Works in the Amazon
EC2 User Guide for Linux Instances.
API Version 2010-05-15
1855

AWS CloudFormation User Guide
Amazon EC2 SpotFleet BlockDeviceMappings

Required: No
Type: String
SubnetId
The ID of the subnet in which to launch the instances.
Required: No
Type: String
TagSpecifications
The tags to apply during creation.
Required: No
Type: List of Amazon EC2 SpotFleet SpotFleetTagSpeciﬁcation (p. 1867)
UserData
Base64-encoded MIME user data that instances use when starting up.
Required: No
Type: String
WeightedCapacity
The number of units provided by the speciﬁed instance type. These units are the same units that you
chose to set the target capacity in terms of instances or a performance characteristic, such as vCPUs,
memory, or I/O. For more information, see How Spot Fleet Works in the Amazon EC2 User Guide for
Linux Instances.
If the target capacity divided by this value is not a whole number, Amazon EC2 rounds the number
of instances to the next whole number.
Required: No
Type: Number

Amazon Elastic Compute Cloud SpotFleet
BlockDeviceMappings
BlockDeviceMappings is a property of the Amazon Elastic Compute Cloud SpotFleet
LaunchSpeciﬁcations (p. 1853) property that deﬁnes the block devices that are mapped to an instance.

Syntax
JSON
{

}

"DeviceName" : String,
"Ebs" : EBSBlockDevice,
"NoDevice" : Boolean,
"VirtualName" : String

API Version 2010-05-15
1856

AWS CloudFormation User Guide
Amazon EC2 SpotFleet Ebs

YAML
DeviceName: String
Ebs:
EBSBlockDevice
NoDevice: Boolean
VirtualName: String

Properties
DeviceName
The name of the device within the EC2 instance, such as /dev/dsh or xvdh.
Required: Yes
Type: String
Ebs
The Amazon Elastic Block Store (Amazon EBS) volume information.
Required: Conditional You can specify either the VirtualName or Ebs, but not both.
Type: Amazon Elastic Compute Cloud SpotFleet Ebs (p. 1857)
NoDevice
Suppresses the speciﬁed device that is included in the block device mapping of the Amazon Machine
Image (AMI).
Required: No
Type: Boolean
VirtualName
The name of the virtual device. The name must be in the form ephemeralX where X is a number
equal to or greater than zero (0), for example, ephemeral0.
Required: Conditional You can specify either the VirtualName or Ebs, but not both.
Type: String

Amazon Elastic Compute Cloud SpotFleet Ebs
Ebs is a property of the Amazon Elastic Compute Cloud SpotFleet BlockDeviceMappings (p. 1856)
property that deﬁnes a block device for an Amazon Elastic Block Store (Amazon EBS) volume.

Syntax
JSON
{

"DeleteOnTermination" : Boolean,
"Encrypted" : Boolean,
"Iops" : Integer,
"SnapshotId" : String,
"VolumeSize" : Integer,
"VolumeType" : String

API Version 2010-05-15
1857

AWS CloudFormation User Guide
Amazon EC2 SpotFleet Ebs
}

YAML
DeleteOnTermination: Boolean
Encrypted: Boolean
Iops: Integer
SnapshotId: String
VolumeSize: Integer
VolumeType: String

Properties
DeleteOnTermination
Indicates whether to delete the volume when the instance is terminated.
Required: No
Type: Boolean
Encrypted
Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes can be attached
only to instances that support Amazon EBS encryption.
Required: No
Type: Boolean
Iops
The number of I/O operations per second (IOPS) that the volume supports. For more information,
see Iops for the EbsBlockDevice action in the Amazon EC2 API Reference.
Required: No
Type: Integer
SnapshotId
The snapshot ID of the volume that you want to use. If you specify both the SnapshotId and
VolumeSize properties, VolumeSize must be equal to or greater than the size of the snapshot.
Required: No
Type: String
VolumeSize
The volume size, in Gibibytes (GiB). If you specify both the SnapshotId and VolumeSize
properties, VolumeSize must be equal to or greater than the size of the snapshot. For more
information about specifying the volume size, see VolumeSize for the EbsBlockDevice action in
the Amazon EC2 API Reference.
Required: No
Type: Integer
VolumeType
The volume type. For more information about specifying the volume type, see VolumeType for the
EbsBlockDevice action in the Amazon EC2 API Reference.
API Version 2010-05-15
1858

AWS CloudFormation User Guide
Amazon EC2 SpotFleet FleetLaunchTemplateSpeciﬁcation

Required: No
Type: String

Amazon Elastic Compute Cloud SpotFleet
FleetLaunchTemplateSpeciﬁcation
FleetLaunchTemplateSpecification is a property of the Amazon EC2 SpotFleet
SpotFleetRequestConﬁgData (p. 1850) property that describes a launch template.

Syntax
JSON
{

}

"LaunchTemplateId" : String,
"LaunchTemplateName" : String,
"Version" : String

YAML
LaunchTemplateId: String
LaunchTemplateName: String
Version: String

Properties
LaunchTemplateId
The ID of the launch template. You must specify either a template ID or a template name.
Required: No
Type: String
Update requires: No interruption (p. 118)
LaunchTemplateName
The name of the launch template. You must specify either a template name or a template ID.
Minimum length of 3. Maximum length of 128. Names must match the following pattern: [a-zAZ0-9\(\)\.-/_]+
Required: No
Type: String
Update requires: No interruption (p. 118)
Version
The version number. By default, the default version of the launch template is used.
Required: No
Type: String
API Version 2010-05-15
1859

AWS CloudFormation User Guide
Amazon EC2 SpotFleet IamInstanceProﬁle

Update requires: No interruption (p. 118)

Amazon Elastic Compute Cloud SpotFleet
IamInstanceProﬁle
IamInstanceProfile is a property of the Amazon Elastic Compute Cloud SpotFleet
LaunchSpeciﬁcations (p. 1853) property that speciﬁes the IAM instance proﬁle to associate with the
instances.

Syntax
JSON
{
}

"Arn" : String

YAML
Arn: String

Properties
Arn
The Amazon Resource Name (ARN) of the instance proﬁle to associate with the instances. The
instance proﬁle contains the IAM role that is associated with the instances.
Required: No
Type: String

Amazon Elastic Compute Cloud SpotFleet
LaunchTemplateConﬁg
LaunchTemplateConfig is a property of the Amazon EC2 SpotFleet
SpotFleetRequestConﬁgData (p. 1850) property that describes a launch template and overrides.

Syntax
JSON
{
}

"LaunchTemplateSpecification" : LaunchTemplateSpecification (p. 1859),
"Overrides" : [ LaunchTemplateOverrides (p. 1861), ... ]

YAML
LaunchTemplateSpecification: LaunchTemplateSpecification

API Version 2010-05-15
1860

AWS CloudFormation User Guide
Amazon EC2 SpotFleet LaunchTemplateOverrides
Overrides:
- LaunchTemplateOverrides (p. 1861)

Properties
LaunchTemplateSpecification
The launch template.
Required: No
Type: Amazon EC2 SpotFleet FleetLaunchTemplateSpeciﬁcation (p. 1859)
Update requires: No interruption (p. 118)
Overrides
Any parameters that you specify override the same parameters in the launch template.
Required: No
Type: List of Amazon EC2 SpotFleet LaunchTemplateOverrides (p. 1861)
Update requires: No interruption (p. 118)

Amazon Elastic Compute Cloud SpotFleet
LaunchTemplateOverrides
LaunchTemplateOverrides is a property of the Amazon EC2 SpotFleet
SpotFleetRequestConﬁgData (p. 1850) property that describes overrides for a launch template.

Syntax
JSON
{

}

"AvailabilityZone" : String,
"InstanceType" : String,
"SpotPrice" : String,
"SubnetId" : String,
"WeightedCapacity" : Boolean

YAML
AvailabilityZone: String
InstanceType: String
SpotPrice: String
SubnetId: String
WeightedCapacity: Boolean

Properties
AvailabilityZone
The Availability Zone in which to launch the instances.
API Version 2010-05-15
1861

AWS CloudFormation User Guide
Amazon EC2 SpotFleet Monitoring

Required: No
Type: String
Update requires: No interruption (p. 118)
InstanceType
The instance type.
For a complete list of valid values, see InstanceType in LaunchTemplateOverrides in the Amazon
EC2 API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
SpotPrice
The maximum price per unit hour that you are willing to pay for a Spot Instance.
Required: No
Type: String
Update requires: No interruption (p. 118)
SubnetId
The ID of the subnet in which to launch the instances.
Required: No
Type: String
Update requires: No interruption (p. 118)
WeightedCapacity
The number of units provided by the speciﬁed instance type.
Required: No
Type: Double
Update requires: No interruption (p. 118)

Amazon EC2 SpotFleet Monitoring
Monitoring is a property of the Amazon Elastic Compute Cloud SpotFleet
LaunchSpeciﬁcations (p. 1853) property that enables instance monitoring.

Syntax
JSON
{
}

"Enabled" : Boolean

API Version 2010-05-15
1862

AWS CloudFormation User Guide
Amazon EC2 SpotFleet NetworkInterfaces

YAML
Enabled: Boolean

Properties
Enabled
Indicates whether monitoring is enabled for the instances.
Required: No
Type: Boolean

Amazon Elastic Compute Cloud SpotFleet
NetworkInterfaces
NetworkInterfaces is a property of the Amazon Elastic Compute Cloud SpotFleet
LaunchSpeciﬁcations (p. 1853) property that deﬁnes the network interface of the instances in a Spot
ﬂeet.

Syntax
JSON
{

}

"AssociatePublicIpAddress" : Boolean,
"DeleteOnTermination" : Boolean,
"Description" : String,
"DeviceIndex" : Integer,
"Groups" : [ String, ... ],
"Ipv6AddressCount" : Integer,
"Ipv6Addresses" : [ IPv6 Address Type, ... ],
"NetworkInterfaceId" : String,
"PrivateIpAddresses" : [ PrivateIpAddresses, ... ],
"SecondaryPrivateIpAddressCount" : Integer,
"SubnetId" : String

YAML
AssociatePublicIpAddress: Boolean
DeleteOnTermination: Boolean
Description: String
DeviceIndex: Integer
Groups:
- String
Ipv6AddressCount: Integer
Ipv6Addresses:
- IPv6 Address Type
NetworkInterfaceId: String
PrivateIpAddresses:
- PrivateIpAddresses
SecondaryPrivateIpAddressCount: Integer
SubnetId: String

API Version 2010-05-15
1863

AWS CloudFormation User Guide
Amazon EC2 SpotFleet NetworkInterfaces

Properties
AssociatePublicIpAddress
Indicates whether to assign a public IP address to an instance that you launch in a VPC. You can
assign the public IP address can only to a network interface for eth0, and only to a new network
interface, not an existing one.
Required: No
Type: Boolean
DeleteOnTermination
Indicates whether to delete the network interface when the instance terminates.
Required: No
Type: Boolean
Description
The description of this network interface.
Required: No
Type: String
DeviceIndex
The network interface's position in the attachment order.
Required: No
Type: Integer
Groups
A list of security group IDs to associate with this network interface.
Required: No
Type: List of String values
Ipv6AddressCount
The number of IPv6 addresses to associate with the network interface. Amazon Elastic Compute
Cloud automatically selects the IPv6 addresses from the subnet range. To specify speciﬁc IPv6
addresses, use the Ipv6Addresses property and don't specify this property.
Required: No
Type: Integer
Ipv6Addresses
One or more speciﬁc IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with
the network interface. To specify a number of IPv6 addresses, use the Ipv6AddressCount property
and don't specify this property.
Required: No
Type: List of EC2 NetworkInterface Ipv6Addresses (p. 1844)
NetworkInterfaceId
A network interface ID.
API Version 2010-05-15
1864

AWS CloudFormation User Guide
Amazon EC2 SpotFleet PrivateIpAddresses

Required: No
Type: String
PrivateIpAddresses
One or more private IP addresses to assign to the network interface.
Required: No
Type: List of Amazon Elastic Compute Cloud SpotFleet NetworkInterfaces
PrivateIpAddresses (p. 1865)
SecondaryPrivateIpAddressCount
The number of secondary private IP addresses that Amazon EC2 automatically assigns to the
network interface.
Required: No
Type: Integer
SubnetId
The ID of the subnet to associate with the network interface.
Required: Conditional. If you don't specify the NetworkInterfaceId property, you must specify
this property.
Type: String

Amazon Elastic Compute Cloud SpotFleet
NetworkInterfaces PrivateIpAddresses
PrivateIpAddresses is a property of the Amazon Elastic Compute Cloud SpotFleet
NetworkInterfaces (p. 1863) property that speciﬁes the private IP address that you want to assign to the
network interface.

Syntax
JSON
{
}

"Primary" : Boolean,
"PrivateIpAddress" : String

YAML
Primary: Boolean
PrivateIpAddress: String

Properties
Primary
Indicates whether the private IP address is the primary private IP address. You can designate only
one IP address as primary.
API Version 2010-05-15
1865

AWS CloudFormation User Guide
Amazon EC2 SpotFleet Placement

Required: No
Type: Boolean
PrivateIpAddress
The private IP address.
Required: Yes
Type: String

Amazon Elastic Compute Cloud SpotFleet Placement
Placement is a property of the Amazon Elastic Compute Cloud SpotFleet
LaunchSpeciﬁcations (p. 1853) property that deﬁnes the placement group for the Spot instances.

Syntax
JSON
{
}

"AvailabilityZone" : String,
"GroupName" : String

YAML
AvailabilityZone: String
GroupName: String

Properties
AvailabilityZone
The Availability Zone (AZ) of the placement group.
Required: No
Type: String
GroupName
The name of the placement group (for cluster instances).
Required: No
Type: String

Amazon Elastic Compute Cloud SpotFleet
SecurityGroups
SecurityGroups is a property of the Amazon Elastic Compute Cloud SpotFleet
LaunchSpeciﬁcations (p. 1853) property that speciﬁes a security group to associate with the instances.
API Version 2010-05-15
1866

AWS CloudFormation User Guide
Amazon EC2 SpotFleet SpotFleetTagSpeciﬁcation

Syntax
JSON
{
}

"GroupId" : String

YAML
GroupId: String

Properties
GroupId
The ID of a security group.
Required: Yes
Type: String

Amazon Elastic Compute Cloud SpotFleet
SpotFleetTagSpeciﬁcation
SpotFleetTagSpecification is a property of the Amazon Elastic Compute Cloud SpotFleet
LaunchSpeciﬁcations (p. 1853) property that speciﬁes the tags for a Spot ﬂeet resource.

Syntax
JSON
{
}

"ResourceType" : String,
"Tags" : [ Resource Tag, ... ]

YAML
ResourceType: String
Tags:
- Resource Tag

Properties
ResourceType
The type of resource.
For valid resource types, see SpotFleetTagSpeciﬁcation operation in the Amazon EC2 API Reference
Required: No
API Version 2010-05-15
1867

AWS CloudFormation User Guide
EC2 VPNConnection VpnTunnelOptionsSpeciﬁcation

Type: String
Update requires: No interruption (p. 118)
Tags
Speciﬁes an arbitrary set of tags (key–value pairs) to associate with this spot ﬂeet. Use tags to
manage your resources.
Required: No
Type: AWS CloudFormation Resource Tags (p. 2106)
Update requires: No interruption (p. 118)

Amazon EC2 VPNConnection
VpnTunnelOptionsSpeciﬁcation
The VpnTunnelOptionsSpecification property type conﬁgures tunnel options for an EC2 VPN
connection.
VpnTunnelOptionsSpecification is a property of the AWS::EC2::VPNConnection (p. 977) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"PreSharedKey" : String,
"TunnelInsideCidr" : String

YAML
PreSharedKey: String
TunnelInsideCidr: String

Properties
PreSharedKey
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and
customer gateway.
Constraints: Allowed characters are alphanumeric characters and ._. Must be between 8 and 64
characters in length and cannot start with zero (0).
Required: No
Type: String
Update requires: Replacement (p. 119)
TunnelInsideCidr
The range of inside IP addresses for the tunnel. Any speciﬁed CIDR blocks must be unique across all
VPN connections that use the same virtual private gateway.
API Version 2010-05-15
1868

AWS CloudFormation User Guide
Amazon ECS Service AwsVpcConﬁguration

Constraints: A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are
reserved and cannot be used:
• 169.254.0.0/30
• 169.254.1.0/30
• 169.254.2.0/30
• 169.254.3.0/30
• 169.254.4.0/30
• 169.254.5.0/30
• 169.254.169.252/30
Required: No
Type: String
Update requires: Replacement (p. 119)

See Also
• VpnTunnelOptionsSpeciﬁcation in the Amazon EC2 API Reference

Amazon Elastic Container Service Service
AwsVpcConﬁguration
AwsVpcConfiguration is a property of the AWS::ECS::Service (p. 991) resource that speciﬁes the
subnets and security groups for an Amazon Elastic Container Service (Amazon ECS) task or service.

Syntax
JSON
{

}

"AssignPublicIp" : String,
"SecurityGroups" : [ String, ... ],
"Subnets" : [ String, ... ]

YAML
AssignPublicIp: String
SecurityGroups:
- String
Subnets:
- String

Properties
AssignPublicIp
Valid values include ENABLED and DISABLED.
Required: No
API Version 2010-05-15
1869

AWS CloudFormation User Guide
Amazon ECR Repository LifecyclePolicy

Type: String
Update requires: No interruption (p. 118)
SecurityGroups
The security groups associated with the task or service. If you do not specify a security group, the
default security group for the VPC is used.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
Subnets
The subnets associated with the Amazon ECS task or service.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)

Amazon Elastic Container Registry Repository
LifecyclePolicy
The LifecyclePolicy property type speciﬁes a lifecycle policy for an Amazon Elastic Container
Registry (Amazon ECR) repository.
LifecyclePolicy is a property of the AWS::ECR::Repository (p. 985) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"LifecyclePolicyText" : String,
"RegistryId" : String

YAML
LifecyclePolicyText: String
RegistryId: String

Properties
LifecyclePolicyText
The JSON repository policy text to apply to the repository. The length must be between 100 and
10,240 characters.
Required: No
Type: String
API Version 2010-05-15
1870

AWS CloudFormation User Guide
Amazon ECS Service DeploymentConﬁguration

Update requires: No interruption (p. 118)
RegistryId
The AWS account ID that's associated with the registry that contains the repository. If you don't
specify a registry, the default registry is used.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• Creating a Lifecycle Policy in the Amazon Elastic Container Registry User Guide
• PutLifecyclePolicy in the Amazon Elastic Container Registry API Reference

Amazon Elastic Container Service Service
DeploymentConﬁguration
DeploymentConfiguration is a property of the AWS::ECS::Service (p. 991) resource that conﬁgures
how many tasks run when you update a running Amazon Elastic Container Service (Amazon ECS) service.

Syntax
JSON
{
}

"MaximumPercent" : Integer,
"MinimumHealthyPercent" : Integer

YAML
MaximumPercent: Integer
MinimumHealthyPercent: Integer

Properties
MaximumPercent
The maximum number of tasks, speciﬁed as a percentage of the Amazon ECS service's
DesiredCount value, that can run in a service during a deployment. To calculate the maximum
number of tasks, Amazon ECS uses this formula: the value of DesiredCount * (the value of the
MaximumPercent/100), rounded down to the nearest integer value.
Required: No
Type: Integer
MinimumHealthyPercent
The minimum number of tasks, speciﬁed as a percentage of the Amazon ECS service's
DesiredCount value, that must continue to run and remain healthy during a deployment. To
API Version 2010-05-15
1871

AWS CloudFormation User Guide
Amazon ECS Service NetworkConﬁguration

calculate the minimum number of tasks, Amazon ECS uses this formula: the value of DesiredCount
* (the value of the MinimumHealthyPercent/100), rounded up to the nearest integer value.
Required: No
Type: Integer

Amazon Elastic Container Service Service
NetworkConﬁguration
NetworkConfiguration is a property of the AWS::ECS::Service (p. 991) resource that speciﬁes the
network conﬁguration for an Amazon Elastic Container Service (Amazon ECS) task or service.

Syntax
JSON
{
}

"AwsvpcConfiguration" : AwsVpcConfiguration (p. 1869)

YAML
AwsvpcConfiguration: AwsVpcConfiguration (p. 1869)

Properties
AwsvpcConfiguration
The VPC subnets and security groups associated with a task.
Required: No
Type: Amazon Elastic Container Service Service AwsVpcConﬁguration (p. 1869)
Update requires: No interruption (p. 118)

Amazon Elastic Container Service Service
PlacementConstraint
PlacementConstraint is a property of the AWS::ECS::Service (p. 991) resource that speciﬁes the
placement constraints for the tasks in the service to associate with an Amazon Elastic Container Service
(Amazon ECS) service.

Syntax
JSON
{

"Type" : String,
"Expression" : String

API Version 2010-05-15
1872

AWS CloudFormation User Guide
Amazon ECS Service PlacementStrategies
}

YAML
Type: String
Expression: String

Properties
Type
The type of constraint: distinctInstance or memberOf.
To ensure that each task in a particular group is running on a diﬀerent container instance, use
distinctInstance. To restrict the selection to a group of valid candidates, use memberOf.
distinctInstance is not supported in task deﬁnitions.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Expression
A cluster query language expression to apply to the constraint. If the constraint type is
distinctInstance, you can't specify an expression. For more information, see Cluster Query
Language in the Amazon Elastic Container Service Developer Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)

Amazon Elastic Container Service Service
PlacementStrategies
The PlacementStrategies property describes how tasks for the Amazon Elastic Container Service
(Amazon ECS) service are placed in an AWS::ECS::Service resource.

Syntax
JSON
{
}

"Type" : String,
"Field" : String,

YAML
Type: String
Field: String

API Version 2010-05-15
1873

AWS CloudFormation User Guide
Amazon ECS Service LoadBalancers

Properties
Type
The type of placement strategy. Can be one of the following values: random, spread, or binpack.
The random placement strategy randomly places tasks on available candidates. The spread
placement strategy spreads placement across available candidates evenly based on the ﬁeld
parameter. The binpack strategy places tasks on available candidates that have the least available
amount of the resource that is speciﬁed with the ﬁeld parameter. For example, if you binpack
on memory, a task is placed on the instance with the least amount of remaining memory (but still
enough to run the task).
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Field
The ﬁeld to apply the placement strategy against. For the spread placement strategy, valid values
are instanceId (or host, which has the same eﬀect), or any platform or custom attribute that is
applied to a container instance, such as attribute:ecs.availability-zone.
For the binpack placement strategy, valid values are cpu and memory.
For the random placement strategy, this ﬁeld is not used.
Required: No
Type: String
Update requires: Replacement (p. 119)

Amazon Elastic Container Service Service
LoadBalancers
LoadBalancers is a property of the AWS::ECS::Service (p. 991) resource that speciﬁes the load
balancer to associate with an Amazon Elastic Container Service (Amazon ECS) service.

Syntax
JSON
{

}

"ContainerName" : String,
"ContainerPort" : Integer,
"LoadBalancerName" : String,
"TargetGroupArn" : String

YAML
ContainerName: String
ContainerPort: Integer
LoadBalancerName: String

API Version 2010-05-15
1874

AWS CloudFormation User Guide
Amazon ECS Service ServiceRegistry
TargetGroupArn: String

Properties
ContainerName
The name of a container to use with the load balancer.
Required: Yes
Type: String
ContainerPort
The port number on the container to direct load balancer traﬃc to. Your container instances must
allow ingress traﬃc on this port.
Required: Yes
Type: Integer
LoadBalancerName
The name of a Classic Load Balancer to associate with the Amazon ECS service.
Required: No
Type: String
TargetGroupArn
An Application load balancer target group Amazon Resource Name (ARN) to associate with the
Amazon ECS service.
Required: No
Type: String

Amazon Elastic Container Service Service
ServiceRegistry
The ServiceRegistry property type speciﬁes details of the service registry.
ServiceRegistry is a property of the AWS::ECS::Service (p. 991) resource.

Syntax
JSON
{
}

"Port" : Integer,
"RegistryArn" : String

YAML
Port: Integer
RegistryArn: String

API Version 2010-05-15
1875

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition HealthCheck

Properties
Port
The port value used if your service discovery service speciﬁed an SRV record.
Required: No
Type: Integer
RegistryArn
The Amazon Resource Name (ARN) of the service registry. The currently supported service registry is
Amazon Route 53 auto naming.
Required: No
Type: String

See Also
• ServiceRegistry in the Amazon Elastic Container Service API Reference

Amazon Elastic Container Service TaskDeﬁnition
HealthCheck
The HealthCheck property type speciﬁes a container health check. Health check parameters that are
speciﬁed in a container deﬁnition override any Docker health checks that exist in the container image
(such as those speciﬁed in a parent image or from the image's Dockerﬁle).
HealthCheck is a property of the Amazon Elastic Container Service TaskDeﬁnition
ContainerDeﬁnition (p. 1878) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Command" : [ String, ... ] ,
"Interval" : Integer,
"Retries" : Integer,
"StartPeriod" : Integer,
"Timeout" : Integer

YAML
Command
- String
Interval: Integer
Retries: Integer
StartPeriod: Integer

API Version 2010-05-15
1876

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition HealthCheck
Timeout: Integer

Properties
Command
A string array representing the command that the container runs to determine if it is healthy. The
string array must start with CMD to execute the command arguments directly, or CMD-SHELL to run
the command with the container's default shell. For example:
[ "CMD-SHELL", "curl -f http://localhost/ || exit 1" ]
An exit code of 0 indicates success, and non-zero exit code indicates failure.
Required: Yes
Type: List of String values
Update requires: Replacement (p. 119)
Interval
The time period in seconds between each health check execution. You may specify between 5 and
300 seconds. The default value is 30 seconds.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
Retries
The number of times to retry a failed health check before the container is considered unhealthy. You
may specify between 1 and 10 retries. The default value is 3 retries.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
StartPeriod
The optional grace period within which to provide containers time to bootstrap before failed health
checks count towards the maximum number of retries. You may specify between 0 and 300 seconds.
The startPeriod is disabled by default.

Note

If a health check succeeds within the startPeriod, then the container is considered healthy
and any subsequent failures count toward the maximum number of retries.
Required: No
Type: String
Update requires: Replacement (p. 119)
Timeout
The time period in seconds to wait for a health check to succeed before it is considered a failure. You
may specify between 2 and 60 seconds. The default value is 5 seconds.
Required: No
API Version 2010-05-15
1877

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition ContainerDeﬁnition

Type: Integer
Update requires: Replacement (p. 119)

See Also
• HealthCheck in the Amazon Elastic Container Service API Reference

Amazon Elastic Container Service TaskDeﬁnition
ContainerDeﬁnition
The ContainerDefinition property type describes the conﬁguration of an Amazon Elastic Container
Service (Amazon ECS) container. The container deﬁnitions are passed to the Docker daemon.
The ContainerDefinitions property of the AWS::ECS::TaskDeﬁnition (p. 1002) resource contains a
list of ContainerDefinition property types.

Syntax
JSON
{

}

"Command" : [ String, ... ],
"Cpu" : Integer,
"DisableNetworking" : Boolean,
"DnsSearchDomains" : [ String, ... ],
"DnsServers" : [ String, ... ],
"DockerLabels" : { String:String, ... },
"DockerSecurityOptions" : [ String, ... ],
"EntryPoint" : [ String, ... ],
"Environment" : [ KeyValuePair (p. 1886), ... ],
"Essential" : Boolean,
"ExtraHosts" : [ HostEntry (p. 1884), ... ],
"HealthCheck" : HealthCheck (p. 1876),
"Hostname" : String,
"Image" : String,
"Links" : [ String, ... ],
"LinuxParameters" : LinuxParameters (p. 1887),
"LogConfiguration" : LogConfiguration (p. 1888),
"Memory" : Integer,
"MemoryReservation" : Integer,
"MountPoints" : [ MountPoint (p. 1889), ... ],
"Name" : String,
"PortMappings" : [ PortMapping (p. 1890), ... ],
"Privileged" : Boolean,
"ReadonlyRootFilesystem" : Boolean,
"Ulimits" : [ Ulimit (p. 1891), ... ],
"User" : String,
"VolumesFrom" : [ VolumeFrom (p. 1891), ... ],
"WorkingDirectory" : String

YAML
Command:
- String
Cpu: Integer

API Version 2010-05-15
1878

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition ContainerDeﬁnition
DisableNetworking: Boolean
DnsSearchDomains:
- String
DnsServers:
- String
DockerLabels:
String: String
DockerSecurityOptions:
- String
EntryPoint:
- String
Environment:
- KeyValuePair (p. 1886)
Essential: Boolean
ExtraHosts:
- HostEntry (p. 1884)
HealthCheck:
HealthCheck (p. 1876)
Hostname: String
Image: String
Links:
- String
LinuxParameters:
LinuxParameters (p. 1887)
LogConfiguration:
LogConfiguration (p. 1888)
Memory: Integer
MemoryReservation: Integer
MountPoints:
- MountPoint (p. 1889)
Name: String
PortMappings:
- PortMapping (p. 1890)
Privileged: Boolean
ReadonlyRootFilesystem: Boolean
Ulimits:
- Ulimit (p. 1891)
User: String
VolumesFrom:
- VolumeFrom (p. 1891)
WorkingDirectory: String

Properties
For more information about each property, see Task Deﬁnition Parameters in the Amazon Elastic
Container Service Developer Guide.
Command
The CMD value to pass to the container. For more information about the Docker CMD parameter, see
https://docs.docker.com/engine/reference/builder/#cmd.
Required: No
Type: List of String values
Cpu
The minimum number of CPU units to reserve for the container. Containers share unallocated CPU
units with other containers on the instance by using the same ratio as their allocated CPU units. For
more information, see the cpu content for the ContainerDeﬁnition data type in the Amazon Elastic
Container Service API Reference.
Required: No
API Version 2010-05-15
1879

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition ContainerDeﬁnition

Type: Integer
DisableNetworking
Indicates whether networking is disabled within the container.
Required: No
Type: Boolean
DnsSearchDomains
A list of DNS search domains that are provided to the container. The domain names that the DNS
logic looks up when a process attempts to access a bare unqualiﬁed hostname.
Required: No
Type: List of String values
DnsServers
A list of DNS servers that Amazon ECS provides to the container.
Required: No
Type: List of String values
DockerLabels
A key-value map of labels for the container.
Required: No
Type: Key-value pairs, with the name of the label as the key and the label value as the value.
DockerSecurityOptions
A list of custom labels for SELinux and AppArmor multi-level security systems. For more information,
see the dockerSecurityOptions content for the ContainerDeﬁnition data type in the Amazon
Elastic Container Service API Reference.
Required: No
Type: List of String values
EntryPoint
The ENTRYPOINT value to pass to the container. For more information about the Docker
ENTRYPOINT parameter, see https://docs.docker.com/engine/reference/builder/#entrypoint.
Required: No
Type: List of String values
Environment
The environment variables to pass to the container.
Required: No
Type: List of Amazon ECS TaskDeﬁnition KeyValuePair (p. 1886) property types
Essential
Indicates whether the task stops if this container fails. If you specify true and the container fails,
all other containers in the task stop. If you specify false and the container fails, none of the other
containers in the task is aﬀected. This value is true by default.
You must have at least one essential container in a task.
API Version 2010-05-15
1880

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition ContainerDeﬁnition

Required: No
Type: Boolean
ExtraHosts
A list of hostnames and IP address mappings to append to the /etc/hosts ﬁle on the container.
Required: No
Type: List of Amazon ECS TaskDeﬁnition HostEntry (p. 1884) property types
HealthCheck
A container health check. Health check parameters that are speciﬁed in a container deﬁnition
override any Docker health checks that exist in the container image (such as those speciﬁed in a
parent image or from the image's Dockerﬁle).
Required: No
Type: AWS Batch JobDeﬁnition Timeout (p. 1876)
Hostname
The name that Docker uses for the container hostname.
Required: No
Type: String
Image
The image to use for a container. The image is passed directly to the Docker daemon. You can use
images in the Docker Hub registry or specify other repositories (repository-url/image:tag).
Required: Yes
Type: String
Links
The name of another container to connect to. With links, containers can communicate with each
other without using port mappings.
Required: No
Type: List of String values
LinuxParameters
The Linux-speciﬁc options that are applied to the container.
Required: No
Type: Amazon ECS TaskDeﬁnition LinuxParameters (p. 1887)
LogConfiguration
Conﬁgures a custom log driver for the container. For more information, see the logConfiguration
content for the ContainerDeﬁnition data type in the Amazon Elastic Container Service API Reference.
Required: No
Type: Amazon ECS TaskDeﬁnition LogConﬁguration (p. 1888)
Memory
The number of MiB of memory to reserve for the container. If your container attempts to exceed the
allocated memory, the container is terminated.
API Version 2010-05-15
1881

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition ContainerDeﬁnition

Required: Conditional. You must specify one or both of the Memory or MemoryReservation
properties. If you specify both, the value for the Memory property must be greater than the value of
the MemoryReservation property.
Type: Integer
MemoryReservation
The number of MiB of memory to reserve for the container. When system memory is under
contention, Docker attempts to keep the container memory within the limit. If the container requires
more memory, it can consume up to the value speciﬁed by the Memory property or all of the
available memory on the container instance—whichever comes ﬁrst. This is called a soft limit.
Required: Conditional. You must specify one or both of the Memory or MemoryReservation
properties. If you specify both, the value for the Memory property must be greater than the value of
the MemoryReservation property.
Type: Integer
MountPoints
The mount points for data volumes in the container.
Required: No
Type: List of Amazon ECS TaskDeﬁnition MountPoint (p. 1889) property types
Name
A name for the container.
Required: Yes
Type: String
PortMappings
A mapping of the container port to a host port. Port mappings enable containers to access ports on
the host container instance to send or receive traﬃc.
Required: No
Type: List of Amazon ECS TaskDeﬁnition ContainerDeﬁnitions PortMapping (p. 1890) property types
Privileged
Indicates whether the container is given full access to the host container instance.
Required: No
Type: Boolean
ReadonlyRootFilesystem
Indicates whether the container's root ﬁle system is mounted as read only.
Required: No
Type: Boolean
Ulimits
A list of ulimits to set in the container. The ulimits set constraints on how many resources a container
can consume so that it doesn't deplete all available resources on the host.
Required: No
API Version 2010-05-15
1882

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition Device

Type: List of Amazon ECS TaskDeﬁnition Ulimit (p. 1891) property types
User
The user name to use inside the container.
Required: No
Type: String
VolumesFrom
The data volumes to mount from another container.
Required: No
Type: List of Amazon ECS TaskDeﬁnition VolumeFrom (p. 1891) property types
WorkingDirectory
The working directory in the container to run commands in.
Required: No
Type: String

See Also
• Task Deﬁnition Parameters in the Amazon Elastic Container Service Developer Guide

Amazon Elastic Container Service TaskDeﬁnition
Device
The Device property type speciﬁes a device on a host container instance.
The Devices property of the Amazon ECS TaskDeﬁnition LinuxParameters (p. 1887) contains a list of
Device property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"ContainerPath" : String,
"HostPath" : String,
"Permissions" : [ String, ... ]

YAML
ContainerPath: String
HostPath: String
Permissions:
- String

API Version 2010-05-15
1883

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition HostEntry

Properties
ContainerPath
The path inside the container to expose the host device to.
Required: No
Type: String
Update requires: Replacement (p. 119)
HostPath
The path for the device on the host container instance.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Permissions
The explicit permissions to provide to the container for the device. By default, the container is able
to read, write, and mknod the device.
Required: No
Type: List of String values
Valid values: read, write, and mknod
Update requires: Replacement (p. 119)

Amazon Elastic Container Service TaskDeﬁnition
HostEntry
HostEntry is a property of the Amazon Elastic Container Service TaskDeﬁnition
ContainerDeﬁnition (p. 1878) property that speciﬁes the hostnames and IP address entries to add to the
Amazon Elastic Container Service (Amazon ECS) container's /etc/hosts ﬁle.

Syntax
JSON
{
}

"Hostname" : String,
"IpAddress" : String

YAML
Hostname: String
IpAddress: String

API Version 2010-05-15
1884

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition KernelCapabilities

Properties
Hostname
The hostname to use in the /etc/hosts ﬁle.
Required: Yes
Type: String
IpAddress
The IP address to use in the /etc/hosts ﬁle.
Required: Yes
Type: String

Amazon Elastic Container Service TaskDeﬁnition
KernelCapabilities
The KernelCapabilities property type speciﬁes the Linux capabilities to add or drop from the
default Docker conﬁguration in an Amazon Elastic Container Service (Amazon ECS) container. For more
information, see KernelCapabilities in the Amazon Elastic Container Service API Reference.
KernelCapabilities is a property of the Amazon ECS TaskDeﬁnition LinuxParameters (p. 1887)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Add" : [ String, ... ],
"Drop" : [ String, ... ]

YAML
Add:
- String
Drop:
- String

Properties
Add
The Linux capabilities to add to the default Docker conﬁguration. This maps to CapAdd in the
Create a container section of the Docker Remote API and the --cap-add option to docker run. For
valid values, see KernelCapabilities in the Amazon Elastic Container Service API Reference.
Required: No
API Version 2010-05-15
1885

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition KeyValuePair

Type: List of String values
Update requires: Replacement (p. 119)
Drop
The Linux capabilities to remove from the default Docker conﬁguration. This maps to CapDrop in
the Create a container section of the Docker Remote API and the --cap-drop option to docker run.
For valid values, see KernelCapabilities in the Amazon Elastic Container Service API Reference.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)

Amazon Elastic Container Service TaskDeﬁnition
KeyValuePair
Environment is a property of the Amazon Elastic Container Service TaskDeﬁnition
ContainerDeﬁnition (p. 1878) property that speciﬁes environment variables for a container.

Syntax
JSON
{
}

"Name" : String,
"Value" : String

YAML
Name: String
Value: String

Properties
For more information about each property, see Task Deﬁnition Parameters in the Amazon Elastic
Container Service Developer Guide.
Name
The name of the environment variable.
Required: Yes
Type: String
Value
The value of the environment variable.
Required: Yes
Type: String
API Version 2010-05-15
1886

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition LinuxParameters

Amazon Elastic Container Service TaskDeﬁnition
LinuxParameters
The LinuxParameters property type speciﬁes Linux-speciﬁc options to apply to an Amazon Elastic
Container Service (Amazon ECS) container.
LinuxParameters is a property of the Amazon Elastic Container Service TaskDeﬁnition
ContainerDeﬁnition (p. 1878) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Capabilities" : KernelCapabilities (p. 1885),
"Devices" : [ Device (p. 1883), ... ],
"InitProcessEnabled" : Boolean

YAML
Capabilities:
KernelCapabilities (p. 1885)
Devices:
- Device (p. 1883)
InitProcessEnabled: Boolean

Properties
Capabilities
The Linux capabilities for the container that are added to or dropped from the default conﬁguration
provided by Docker.
Required: No
Type: Amazon ECS TaskDeﬁnition KernelCapabilities (p. 1885)
Update requires: Replacement (p. 119)
Devices
Any host devices to expose to the container. This maps to Devices in the Create a container section
of the Docker Remote API and the --device option to docker run.
Required: No
Type: List of Amazon ECS TaskDeﬁnition Device (p. 1883) property types
Update requires: Replacement (p. 119)
InitProcessEnabled
Indicates whether to run an init process inside the container that forwards signals and reaps
processes. This maps to the --init option to docker run.
API Version 2010-05-15
1887

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition LogConﬁguration

This property requires at least version 1.25 of the Docker Remote API on your container instance.
To check the API version on your container instance, log in to your container instance and run the
following command: sudo docker version | grep "Server API version"
Required: No
Type: Boolean
Update requires: Replacement (p. 119)

See Also
• LinuxParameters in the Amazon Elastic Container Service API Reference

Amazon Elastic Container Service TaskDeﬁnition
LogConﬁguration
LogConfiguration is a property of the Amazon Elastic Container Service TaskDeﬁnition
ContainerDeﬁnition (p. 1878) property that conﬁgures a custom log driver for an Amazon Elastic
Container Service (Amazon ECS) container.

Syntax
JSON
{
}

"LogDriver" : String,
"Options" : { String:String, ... }

YAML
LogDriver: String
Options:
String: String

Properties
LogDriver
The log driver to use for the container. This parameter requires that your container instance uses
Docker Remote API Version 1.18 or greater. For more information, see the logDriver content for
the LogConﬁguration data type in the Amazon Elastic Container Service API Reference.
Required: Yes
Type: String
Options
The conﬁguration options to send to the log driver. This parameter requires that your container
instance uses Docker Remote API Version 1.18 or greater.
API Version 2010-05-15
1888

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition MountPoint

Required: No
Type: Key-value pairs, with the option name as the key and the option value as the value.

Amazon Elastic Container Service TaskDeﬁnition
MountPoint
MountPoints is a property of the Amazon Elastic Container Service TaskDeﬁnition
ContainerDeﬁnition (p. 1878) property that speciﬁes the mount points for data volumes in a container.

Syntax
JSON
{

}

"ContainerPath" : String,
"SourceVolume" : String,
"ReadOnly" : Boolean

YAML
ContainerPath: String
SourceVolume: String
ReadOnly: Boolean

Properties
For more information about each property, see Task Deﬁnition Parameters in the Amazon Elastic
Container Service Developer Guide.
ContainerPath
The path on the container that indicates where you want to mount the volume.
Required: Yes
Type: String
SourceVolume
The name of the volume to mount.
Required: Yes
Type: String
ReadOnly
Indicates whether the container can write to the volume. If you specify true, the container has readonly access to the volume. If you specify false, the container can write to the volume. By default,
the value is false.
Required: No
Type: Boolean
API Version 2010-05-15
1889

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition
ContainerDeﬁnitions PortMapping

Amazon Elastic Container Service TaskDeﬁnition
PortMapping
PortMappings is a property of the Amazon Elastic Container Service TaskDeﬁnition
ContainerDeﬁnition (p. 1878) property that maps a container port to a host port.

Syntax
JSON
{

}

"ContainerPort" : Integer,
"HostPort" : Integer,
"Protocol" : String

YAML
ContainerPort: Integer
HostPort: Integer
Protocol: String

Properties
For more information about each property, see Task Deﬁnition Parameters in the Amazon Elastic
Container Service Developer Guide.
ContainerPort
The port number on the container bound to the host port.
Required: Yes
Type: Integer
HostPort
The host port number on the container instance that you want to reserve for your container. You
can specify a non-reserved host port for your container port mapping, omit the host port, or set the
host port to 0. If you specify a container port but no host port, your container host port is assigned
automatically .
Don't specify a host port in the 49153 to 65535 port range; these ports are reserved for automatic
assignment. Other reserved ports include 22 for SSH, 2375 and 2376 for Docker, and 51678 for the
Amazon Elastic Container Service container agent. Don't specify a host port that is being used for a
task—that port is reserved while the task is running.
Required: No
Type: Integer
Protocol
The protocol used for the port mapping. For valid values, see the protocol parameter in the
Amazon Elastic Container Service Developer Guide. By default, AWS CloudFormation speciﬁes tcp.
Required: No
Type: String
API Version 2010-05-15
1890

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition Ulimit

Amazon Elastic Container Service TaskDeﬁnition
Ulimit
Ulimit is a property of the Amazon Elastic Container Service TaskDeﬁnition
ContainerDeﬁnition (p. 1878) property that speciﬁes resource limits for an Amazon Elastic Container
Service (Amazon ECS) container.

Syntax
JSON
{

}

"HardLimit" : Integer,
"Name" : String,
"SoftLimit" : Integer

YAML
HardLimit: Integer
Name: String
SoftLimit: Integer

Properties
HardLimit
The hard limit for the ulimit type.
Required: Yes
Type: Integer
Name
The type of ulimit. For valid values, see the name content for the Ulimit data type in the Amazon
Elastic Container Service API Reference.
Required: No
Type: String
SoftLimit
The soft limit for the ulimit type.
Required: Yes
Type: Integer

Amazon Elastic Container Service TaskDeﬁnition
VolumeFrom
VolumesFrom is a property of the Amazon Elastic Container Service TaskDeﬁnition
ContainerDeﬁnition (p. 1878) property that mounts data volumes from other containers.
API Version 2010-05-15
1891

AWS CloudFormation User Guide
Amazon ECS Service PlacementConstraint

Syntax
JSON
{
}

"SourceContainer" : String,
"ReadOnly" : Boolean

YAML
SourceContainer: String
ReadOnly: Boolean

Properties
For more information about each property, see Task Deﬁnition Parameters in the Amazon Elastic
Container Service Developer Guide.
SourceContainer
The name of the container that has the volumes to mount.
Required: Yes
Type: String
ReadOnly
Indicates whether the container can write to the volume. If you specify true, the container has readonly access to the volume. If you specify false, the container can write to the volume. By default,
the value is false.
Required: No
Type: Boolean

Amazon Elastic Container Service Service
PlacementConstraint
PlacementConstraint is a property of the AWS::ECS::Service (p. 991) resource that speciﬁes the
placement constraints for the tasks in the service to associate with an Amazon Elastic Container Service
(Amazon ECS) service.

Syntax
JSON
{
}

"Type" : String,
"Expression" : String

API Version 2010-05-15
1892

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition Volumes

YAML
Type: String
Expression: String

Properties
Type
The type of constraint: distinctInstance or memberOf.
To ensure that each task in a particular group is running on a diﬀerent container instance,
use distinctInstance. To restrict selection to a group of valid candidates, use memberOf.
distinctInstance is not supported in task deﬁnitions.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
Expression
A cluster query language expression to apply to the constraint. If the constraint type is
distinctInstance, you can't specify an expression. For more information, see Cluster Query
Language in the Amazon Elastic Container Service Developer Guide.
Required: No
Type: String
Update requires: Replacement (p. 119)

Amazon Elastic Container Service TaskDeﬁnition
Volumes
Volumes is a property of the AWS::ECS::TaskDeﬁnition (p. 1002) resource that speciﬁes a list of data
volumes, which your containers can then access.

Syntax
JSON
{
}

"Name" : String,
"Host" : Host

YAML
Name: String
Host:
Host

API Version 2010-05-15
1893

AWS CloudFormation User Guide
Amazon ECS TaskDeﬁnition Volumes Host

Properties
For more information about each property, see Task Deﬁnition Parameters in the Amazon Elastic
Container Service Developer Guide.
Name
The name of the volume. To specify mount points in your container deﬁnitions, use the value of this
property.
Required: Yes
Type: String
Host
Determines whether your data volume persists on the host container instance and at the location
where it is stored.
Required: No
Type: Amazon Elastic Container Service TaskDeﬁnition Volumes Host (p. 1894)

Amazon Elastic Container Service TaskDeﬁnition
Volumes Host
Host is a property of the Amazon Elastic Container Service TaskDeﬁnition Volumes (p. 1893) property
that speciﬁes the data volume path on the host container instance.

Syntax
JSON
{
}

"SourcePath" : String

YAML
SourcePath: String

Properties
For more information about each property, see Task Deﬁnition Parameters in the Amazon Elastic
Container Service Developer Guide.
SourcePath
The data volume path on the host container instance.
If you don't specify this parameter, the Docker daemon assigns a path for you, but the data volume
might not persist after the associated container stops running. If you do specify a path, the data
volume persists at that location on the host container instance until you manually delete it.
Required: No
API Version 2010-05-15
1894

AWS CloudFormation User Guide
Amazon Elastic File System FileSystem FileSystemTags

Type: String

Amazon Elastic File System FileSystem
FileSystemTags
FileSystemTags is a property of the AWS::EFS::FileSystem (p. 1009) resource that associates key-value
pairs with a ﬁle system. You can use any of the following Unicode characters for keys and values: letters,
digits, whitespace, _, ., /, =, +, and -.

Syntax
JSON
{
}

"Key" : String,
"Value" : String

YAML
Key: String
Value: String

Properties
Key
The key name of the tag. You can specify a value that is from 1 to 128 Unicode characters in length,
but you cannot use the preﬁx aws:.
Required: No
Type: String
Value
The value of the tag key. You can specify a value that is from 0 to 128 Unicode characters in length.
Required: No
Type: String

EKS Cluster ResourcesVpcConﬁg
The ResourcesVpcConfig property type speciﬁes the VPC subnets and security groups used by the
Amazon EKS cluster control plane. Amazon EKS VPC resources have speciﬁc requirements to work
properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security
Group Considerations in the Amazon EKS User Guide.
ResourcesVpcConfig is a property of the AWS::EKS::Cluster (p. 1015) resource type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1895

AWS CloudFormation User Guide
Elastic Beanstalk Application
ApplicationResourceLifecycleConﬁg

JSON
{
}

"SecurityGroupIds" : [ String, ... ] ,
"SubnetIds" : [ String, ... ]

YAML
SecurityGroupIds
- String
SubnetIds
- String

Properties
SecurityGroupIds
Specify one or more security groups for the cross-account elastic network interfaces that Amazon
EKS creates to use to allow communication between your worker nodes and the Kubernetes control
plane.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SubnetIds
Specify at least 2 subnets for your Amazon EKS worker nodes. Amazon EKS creates cross-account
elastic network interfaces in these subnets to allow communication between your worker nodes and
the Kubernetes control plane.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)

See Also
• Clusters in the Amazon EKS User Guide.
• CreateCluster in the Amazon EKS API Reference.

AWS Elastic Beanstalk Application
ApplicationResourceLifecycleConﬁg
The ApplicationResourceLifecycleConfig property type speciﬁes lifecycle settings for resources
that belong to the application, and the service role that AWS Elastic Beanstalk assumes in order to apply
lifecycle settings.
ApplicationResourceLifecycleConfig is a property of the
AWS::ElasticBeanstalk::Application (p. 1043) resource.
API Version 2010-05-15
1896

AWS CloudFormation User Guide
Elastic Beanstalk Application
ApplicationVersionLifecycleConﬁg

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"ServiceRole" : String,
"VersionLifecycleConfig" : ApplicationVersionLifecycleConfig (p. 1897)

YAML
ServiceRole: String
VersionLifecycleConfig:
ApplicationVersionLifecycleConfig

Properties
ServiceRole
The ARN of an IAM service role that Elastic Beanstalk has permission to assume.
Required: No
Type: String
Update requires: No interruption (p. 118)
VersionLifecycleConfig
Deﬁnes lifecycle settings for application versions.
Required: No
Type: Elastic Beanstalk Application ApplicationVersionLifecycleConﬁg (p. 1897)
Update requires: No interruption (p. 118)

AWS Elastic Beanstalk Application
ApplicationVersionLifecycleConﬁg
The ApplicationVersionLifecycleConfig property type speciﬁes the application version lifecycle
settings for an AWS Elastic Beanstalk application. It deﬁnes the rules that Elastic Beanstalk applies to an
application's versions in order to avoid hitting the per-region limit for application versions.
When Elastic Beanstalk deletes an application version from its database, you can no longer deploy that
version to an environment. The source bundle remains in S3 unless you conﬁgure the rule to delete it.
ApplicationVersionLifecycleConfig is a property of the Elastic Beanstalk Application
ApplicationResourceLifecycleConﬁg (p. 1896) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1897

AWS CloudFormation User Guide
Elastic Beanstalk Application MaxAgeRule

JSON
{
}

"MaxAgeRule" : MaxAgeRule (p. 1898),
"MaxCountRule" : MaxCountRule (p. 1899)

YAML
MaxAgeRule: MaxAgeRule
MaxCountRule: MaxCountRule

Properties
MaxAgeRule
Speciﬁes a max age rule to restrict the length of time that application versions are retained for an
application.
Required: No
Type: Elastic Beanstalk Application MaxAgeRule (p. 1898)
Update requires: No interruption (p. 118)
MaxCountRule
Speciﬁes a max count rule to restrict the number of application versions that are retained for an
application.
Required: No
Type: Elastic Beanstalk Application MaxCountRule (p. 1899)
Update requires: No interruption (p. 118)

AWS Elastic Beanstalk Application MaxAgeRule
The MaxAgeRule property type speciﬁes a lifecycle rule that deletes application versions after the
speciﬁed number of days for an AWS Elastic Beanstalk application.
MaxAgeRule is a property of the Elastic Beanstalk Application
ApplicationVersionLifecycleConﬁg (p. 1897) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"DeleteSourceFromS3" : Boolean,
"Enabled" : Boolean,
"MaxAgeInDays" : Integer

API Version 2010-05-15
1898

AWS CloudFormation User Guide
Elastic Beanstalk Application MaxCountRule

YAML
DeleteSourceFromS3: Boolean
Enabled: Boolean
MaxAgeInDays: Integer

Properties
DeleteSourceFromS3
Set to true to delete a version's source bundle from Amazon S3 when Elastic Beanstalk deletes the
application version.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Enabled
Specify true to apply the rule, or false to disable it.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
MaxAgeInDays
Specify the number of days to retain an application versions.
Required: No
Type: Integer
Update requires: No interruption (p. 118)

AWS Elastic Beanstalk Application MaxCountRule
The MaxCountRule property type speciﬁes a lifecycle rule that deletes the oldest application version
when the maximum count is exceeded for an AWS Elastic Beanstalk application.
MaxCountRule is a property of the Elastic Beanstalk Application
ApplicationVersionLifecycleConﬁg (p. 1897) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"DeleteSourceFromS3" : Boolean,
"Enabled" : Boolean,
"MaxCount" : Integer

API Version 2010-05-15
1899

AWS CloudFormation User Guide
Elastic Beanstalk ConﬁgurationTemplate
ConﬁgurationOptionSetting

YAML
DeleteSourceFromS3: Boolean
Enabled: Boolean
MaxCount: Integer

Properties
DeleteSourceFromS3
Set to true to delete a version's source bundle from Amazon S3 when Elastic Beanstalk deletes the
application version.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Enabled
Specify true to apply the rule, or false to disable it.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
MaxCount
Specify the maximum number of application versions to retain.
Required: No
Type: Integer
Update requires: No interruption (p. 118)

AWS Elastic Beanstalk ConﬁgurationTemplate
ConﬁgurationOptionSetting
The ConfigurationOptionSetting property type speciﬁes an option for an AWS Elastic Beanstalk
conﬁguration template.
The OptionSettings property of the AWS::ElasticBeanstalk::ConﬁgurationTemplate (p. 1047) resource
contains a list of ConfigurationOptionSetting property types.

Syntax
JSON
{

"Namespace" : String,
"OptionName" : String,
"ResourceName" : String,
"Value" : String

API Version 2010-05-15
1900

AWS CloudFormation User Guide
Elastic Beanstalk ConﬁgurationTemplate
SourceConﬁguration
}

YAML
Namespace: String
OptionName: String
ResourceName: String
Value: String

Properties
Namespace
A unique namespace that identiﬁes the option's associated AWS resource. For a list of namespaces
that you can use, see Conﬁguration Options in the AWS Elastic Beanstalk Developer Guide.
Required: Yes
Type: String
OptionName
The name of the conﬁguration option. For a list of options that you can use, see Conﬁguration
Options in the AWS Elastic Beanstalk Developer Guide.
Required: Yes
Type: String
ResourceName
A unique resource name for the option setting. Use this property for a time–based scaling
conﬁguration option.
Required: No
Type: String
Value
The current value for the conﬁguration option.
Required: No
Type: String

See Also
• ConﬁgurationOptionSetting in the AWS Elastic Beanstalk Developer Guide
• Conﬁguration Options in the AWS Elastic Beanstalk Developer Guide

AWS Elastic Beanstalk ConﬁgurationTemplate
SourceConﬁguration
Use settings from another Elastic Beanstalk conﬁguration template for the
AWS::ElasticBeanstalk::ConﬁgurationTemplate (p. 1047) resource type.
API Version 2010-05-15
1901

AWS CloudFormation User Guide
Elastic Beanstalk Environment Tier

Syntax
JSON
{
}

"ApplicationName" : String,
"TemplateName" : String

YAML
ApplicationName: String
TemplateName: String

Properties
ApplicationName
The name of the Elastic Beanstalk application that contains the conﬁguration template that you
want to use.
Required: Yes
Type: String
TemplateName
The name of the conﬁguration template.
Required: Yes
Type: String

Elastic Beanstalk Environment Tier Property Type
Describes the environment tier for an AWS::ElasticBeanstalk::Environment (p. 1050) resource. For more
information, see Environment Tiers in the AWS Elastic Beanstalk Developer Guide.

Syntax
JSON
{

}

"Name" : String,
"Type" : String,
"Version" : String

YAML
Name: String
Type: String

API Version 2010-05-15
1902

AWS CloudFormation User Guide
Elastic Beanstalk Environment OptionSetting
Version: String

Members
Name
The name of the environment tier. You can specify WebServer or Worker.
Required: No
Type: String
Update requires: Replacement (p. 119)
Type
The type of this environment tier. You can specify Standard for the WebServer tier or SQS/HTTP
for the Worker tier.
Required: No
Type: String
Update requires: Replacement (p. 119)
Version
The version of this environment tier. If you don't specify this member, the latest compatible worker
tier version is used.

Note

This member is deprecated. Any speciﬁc version that you specify may become outdated. We
recommend leaving this unspeciﬁed.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Elastic Beanstalk Environment OptionSetting
The OptionSetting property type speciﬁes an option for an AWS Elastic Beanstalk environment.
The OptionSettings property of the AWS::ElasticBeanstalk::Environment (p. 1050) resource contains a
list of OptionSetting property types.

Syntax
JSON
{

}

"Namespace (p. 1904)" : String,
"OptionName (p. 1904)" : String,
"ResourceName" : String,
"Value (p. 1904)" : String

API Version 2010-05-15
1903

AWS CloudFormation User Guide
Elastic Beanstalk SourceBundle Property Type

YAML
Namespace (p. 1904): String
OptionName (p. 1904): String
ResourceName: String
Value (p. 1904): String

Properties
Namespace
A unique namespace that identiﬁes the option's associated AWS resource. For a list of namespaces
that you can use, see Conﬁguration Options in the AWS Elastic Beanstalk Developer Guide.
Required: Yes
Type: String
OptionName
The name of the conﬁguration option. For a list of options that you can use, see Conﬁguration
Options in the AWS Elastic Beanstalk Developer Guide.
Required: Yes
Type: String
ResourceName
A unique resource name for the option setting. Use this property for a time–based scaling
conﬁguration option.
Required: No
Type: String
Value
The current value for the conﬁguration option.
Required: No
Type: String

See Also
• ConﬁgurationOptionSetting in the AWS Elastic Beanstalk Developer Guide
• Option Values in the AWS Elastic Beanstalk Developer Guide

Elastic Beanstalk SourceBundle Property Type
The SourceBundle property is an embedded property of the
AWS::ElasticBeanstalk::ApplicationVersion (p. 1045) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1904

AWS CloudFormation User Guide
ElastiCache ReplicationGroup NodeGroupConﬁguration

JSON
{
}

"S3Bucket (p. 1905)" : String,
"S3Key (p. 1905)" : String

YAML
S3Bucket (p. 1905): String
S3Key (p. 1905): String

Members
S3Bucket
The Amazon S3 bucket where the data is located.
Required: Yes
Type: String
S3Key
The Amazon S3 key where the data is located.
Required: Yes
Type: String

Amazon ElastiCache ReplicationGroup
NodeGroupConﬁguration
NodeGroupConfiguration is a property of the AWS::ElastiCache::ReplicationGroup (p. 1028) resource
that conﬁgures an Amazon ElastiCache (ElastiCache) Redis cluster node group.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"PrimaryAvailabilityZone" : String,
"ReplicaAvailabilityZones" : [ String, ... ],
"ReplicaCount" : Integer,
"Slots" : String

YAML
PrimaryAvailabilityZone: String
ReplicaAvailabilityZones:

API Version 2010-05-15
1905

AWS CloudFormation User Guide
Elastic Load Balancing AccessLoggingPolicy
- String
ReplicaCount: Integer
Slots: String

Properties
PrimaryAvailabilityZone
The Availability Zone where ElastiCache launches the node group's primary node.
Required: No
Type: String
ReplicaAvailabilityZones
A list of Availability Zones where ElastiCache launches the read replicas. The number of Availability
Zones must match the value of the ReplicaCount property or, if you don't specify the
ReplicaCount property, the replication group's ReplicasPerNodeGroup property.
Required: No
Type: List of String values
ReplicaCount
The number of read replica nodes in the node group.
Required: No
Type: Integer
Slots
A string of comma-separated values where the ﬁrst set of values are the slot numbers (zero based),
and the second set of values are the keyspaces for each slot. The following example speciﬁes three
slots (numbered 0, 1, and 2): 0,1,2,0-4999,5000-9999,10000-16,383.
If you don't specify a value, ElastiCache allocates keys equally among each slot.
Required: No
Type: String

Elastic Load Balancing AccessLoggingPolicy
The AccessLoggingPolicy property describes where and how access logs are stored for the
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063) resource.

Syntax
JSON
{

"EmitInterval" : Integer,
"Enabled" : Boolean,
"S3BucketName" : String,
"S3BucketPrefix" : String

API Version 2010-05-15
1906

AWS CloudFormation User Guide
AppCookieStickinessPolicy
}

YAML
EmitInterval: Integer
Enabled: Boolean
S3BucketName: String
S3BucketPrefix: String

Properties
EmitInterval
The interval for publishing access logs in minutes. You can specify an interval of either 5 minutes or
60 minutes.
Required: No
Type: Integer
Enabled
Whether logging is enabled for the load balancer.
Required: Yes
Type: Boolean
S3BucketName
The name of an Amazon S3 bucket where access log ﬁles are stored.
Required: Yes
Type: String
S3BucketPrefix
A preﬁx for the all log object keys, such as my-load-balancer-logs/prod. If you store log ﬁles
from multiple sources in a single bucket, you can use a preﬁx to distinguish each log ﬁle and its
source.
Required: No
Type: String

ElasticLoadBalancing AppCookieStickinessPolicy Type
The AppCookieStickinessPolicy type is an embedded property of the
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063) type.

Syntax
JSON
{

"CookieName (p. 1908)" : String,

API Version 2010-05-15
1907

AWS CloudFormation User Guide
Elastic Load Balancing ConnectionDrainingPolicy

}

"PolicyName (p. 1908)" : String

YAML
CookieName (p. 1908): String
PolicyName (p. 1908): String

Properties
CookieName
Name of the application cookie used for stickiness.
Required: Yes
Type: String
PolicyName
The name of the policy being created. The name must be unique within the set of policies for this
Load Balancer.

Note

To associate this policy with a listener, include the policy name in the listener's
PolicyNames (p. 1912) property.
Required: Yes
Type: String

See Also
• Sample template snippets in the Examples section of
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063).
• CreateAppCookieStickinessPolicyin the Elastic Load Balancing API Reference version 2012-06-01

Elastic Load Balancing ConnectionDrainingPolicy
The ConnectionDrainingPolicy property describes how deregistered or unhealthy instances handle
in-ﬂight requests for the AWS::ElasticLoadBalancing::LoadBalancer (p. 1063) resource. Connection
draining ensures that the load balancer completes serving all in-ﬂight requests made to a registered
instance when the instance is deregistered or becomes unhealthy. Without connection draining, the load
balancer closes connections to deregistered or unhealthy instances, and any in-ﬂight requests are not
completed.
For more information about connection draining and default values, see Enable or Disable Connection
Draining for Your Load Balancer in the Elastic Load Balancing User Guide.

Syntax
JSON
{

API Version 2010-05-15
1908

AWS CloudFormation User Guide
Elastic Load Balancing ConnectionSettings

}

"Enabled" : Boolean,
"Timeout" : Integer

YAML
Enabled: Boolean
Timeout: Integer

Properties
Enabled
Whether or not connection draining is enabled for the load balancer.
Required: Yes
Type: Boolean
Timeout
The time in seconds after the load balancer closes all connections to a deregistered or unhealthy
instance.
Required: No
Type: Integer

Elastic Load Balancing ConnectionSettings
ConnectionSettings is a property of the AWS::ElasticLoadBalancing::LoadBalancer (p. 1063) resource
that describes how long the front-end and back-end connections of your load balancer can remain idle.
For more information, see Conﬁgure Idle Connection Timeout in the Elastic Load Balancing User Guide.

Syntax
JSON
{
}

"IdleTimeout" : Integer

YAML
IdleTimeout: Integer

Properties
IdleTimeout
The time (in seconds) that a connection to the load balancer can remain idle, which means no data is
sent over the connection. After the speciﬁed time, the load balancer closes the connection.
Required: Yes
API Version 2010-05-15
1909

AWS CloudFormation User Guide
ElasticLoadBalancing LoadBalancer HealthCheck

Type: Integer

ElasticLoadBalancing LoadBalancer HealthCheck
The HealthCheck property conﬁgures health checks for the availability of your EC2 instances. For more
information, see Conﬁgure Health Checks for Your Classic Load Balancer in the User Guide for Classic
Load Balancers.
HealthCheck is a property of the AWS::ElasticLoadBalancing::LoadBalancer (p. 1063) resource.

Syntax
JSON
{

}

"HealthyThreshold (p. 1910)" : String,
"Interval (p. 1910)" : String,
"Target (p. 1910)" : String,
"Timeout (p. 1911)" : String,
"UnhealthyThreshold (p. 1911)" : String

YAML
HealthyThreshold (p. 1910): String
Interval (p. 1910): String
Target (p. 1910): String
Timeout (p. 1911): String
UnhealthyThreshold (p. 1911): String

Properties
HealthyThreshold
Speciﬁes the number of consecutive health probe successes required before moving the instance to
the Healthy state.
Required: Yes
Type: String
Interval
Speciﬁes the approximate interval, in seconds, between health checks of an individual instance. Valid
values are 5 to 300. The default is 30.
Required: Yes
Type: String
Target
Speciﬁes the instance's protocol and port to check. The protocol can be TCP, HTTP, HTTPS, or SSL.
The range of valid ports is 1 through 65535.
Required: Yes
Type: String
API Version 2010-05-15
1910

AWS CloudFormation User Guide
LBCookieStickinessPolicy

Note

For TCP and SSL, you specify a port pair. For example, you can specify TCP:5000 or
SSL:5000. The health check attempts to open a TCP or SSL connection to the instance on
the port that you specify. If the health check fails to connect within the conﬁgured timeout
period, the instance is considered unhealthy.
For HTTP or HTTPS, you specify a port and a path to ping (HTTP or
HTTPS:port/PathToPing). For example, you can specify HTTP:80/weather/us/wa/
seattle. In this case, an HTTP GET request is issued to the instance on the given port and
path. If the health check receives any response other than 200 OK within the conﬁgured
timeout period, the instance is considered unhealthy. The total length of the HTTP or
HTTPS ping target cannot be more than 1024 16-bit Unicode characters.
Timeout
Speciﬁes the amount of time, in seconds, during which no response means a failed health probe.
This value must be less than the value for Interval.
Required: Yes
Type: String
UnhealthyThreshold
Speciﬁes the number of consecutive health probe failures required before moving the instance to
the Unhealthy state.
Required: Yes
Type: String

ElasticLoadBalancing LBCookieStickinessPolicy Type
The LBCookieStickinessPolicy type is an embedded property of the
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063) type.

Syntax
JSON
{
}

"CookieExpirationPeriod (p. 1911)" : String,
"PolicyName (p. 1912)" : String

YAML
CookieExpirationPeriod (p. 1911): String
PolicyName (p. 1912): String

Properties
CookieExpirationPeriod
The time period, in seconds, after which the cookie should be considered stale. If this parameter isn't
speciﬁed, the sticky session will last for the duration of the browser session.
Required: No
API Version 2010-05-15
1911

AWS CloudFormation User Guide
ElasticLoadBalancing Listener

Type: String
PolicyName
The name of the policy being created. The name must be unique within the set of policies for this
load balancer.

Note

To associate this policy with a listener, include the policy name in the listener's
PolicyNames (p. 1912) property.

See Also
• Sample template snippets in the Examples section of
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063).
• CreateLBCookieStickinessPolicy in the Elastic Load Balancing API Reference version 2012-06-01

ElasticLoadBalancing Listener Property Type
The Listener property is an embedded property of the
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063) type.

Syntax
JSON
{

}

"InstancePort (p. 1912)" : String,
"InstanceProtocol (p. 1913)" : String,
"LoadBalancerPort (p. 1913)" : String,
"PolicyNames (p. 1913)" : [ String, ... ],
"Protocol (p. 1913)" : String,
"SSLCertificateId (p. 1913)" : String

YAML
InstancePort (p. 1912): String
InstanceProtocol (p. 1913): String
LoadBalancerPort (p. 1913): String
PolicyNames (p. 1913):
- String
Protocol (p. 1913): String
SSLCertificateId (p. 1913): String

Properties
InstancePort
Speciﬁes the TCP port on which the instance server listens. You can't modify this property during the
life of the load balancer.
Required: Yes
Type: String
API Version 2010-05-15
1912

AWS CloudFormation User Guide
ElasticLoadBalancing Listener

InstanceProtocol
Speciﬁes the protocol to use for routing traﬃc to back-end instances: HTTP, HTTPS, TCP, or SSL. You
can't modify this property during the life of the load balancer.
Required: No
Type: String

Note
• If the front-end protocol is HTTP or HTTPS, InstanceProtocol must be on the
same protocol layer (HTTP or HTTPS). Likewise, if the front-end protocol is TCP or SSL,
InstanceProtocol must be TCP or SSL. By default, Elastic Load Balancing sets the
instance protocol to HTTP or TCP.
• If there is another Listener with the same InstancePort whose InstanceProtocol
is secure, (using HTTPS or SSL), the InstanceProtocol of the Listener must be
secure (using HTTPS or SSL). If there is another Listener with the same InstancePort
whose InstanceProtocol is HTTP or TCP, the InstanceProtocol of the Listener
must be either HTTP or TCP.
LoadBalancerPort
Speciﬁes the external load balancer port number. You can't modify this property during the life of
the load balancer.
Required: Yes
Type: String
PolicyNames
A list of ElasticLoadBalancing policy (p. 1914) names to associate with the Listener.
Specify only policies that are compatible with a Listener. For more information, see
DescribeLoadBalancerPolicyTypes in the Elastic Load Balancing API Reference version
2012-06-01.

Note

By default, Elastic Load Balancing associates the latest predeﬁned policy with your load
balancer. When a new predeﬁned policy is added, we recommend that you update your
load balancer to use the new predeﬁned policy. Alternatively, you can select a diﬀerent
predeﬁned security policy or create a custom policy. To create a security policy, use the
Policies property of the AWS::ElasticLoadBalancing::LoadBalancer (p. 1063) resource.
Required: No
Type: List of String values
Protocol
Speciﬁes the load balancer transport protocol to use for routing: HTTP, HTTPS, TCP or SSL. You can't
modify this property during the life of the load balancer.
Required: Yes
Type: String
SSLCertificateId
The ARN of the SSL certiﬁcate to use. For more information about SSL certiﬁcates, see Managing
Server Certiﬁcates in the AWS Identity and Access Management User Guide.
Required: No
Type: String
API Version 2010-05-15
1913

AWS CloudFormation User Guide
ElasticLoadBalancing Policy

ElasticLoadBalancing Policy Type
The ElasticLoadBalancing policy type is an embedded property of the
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063) resource. You associate policies with a
listener (p. 1912) by referencing a policy's name in the listener's PolicyNames property.

Syntax
JSON
{

}

"Attributes (p. 1914)" : [ { "Name" : String, "Value" : String }, ... ],
"InstancePorts (p. 1914)" : [ String, ... ],
"LoadBalancerPorts (p. 1914)" : [ String, ... ],
"PolicyName (p. 1915)" : String,
"PolicyType (p. 1915)" : String

YAML
Attributes (p. 1914):
"Name" : String
"Value" : String
InstancePorts (p. 1914):
- String
LoadBalancerPorts (p. 1914):
- String
PolicyName (p. 1915): String
PolicyType (p. 1915): String

Properties
Attributes
A list of arbitrary attributes for this policy. If you don't need to specify any policy attributes, specify
an empty list ([]).
Required: Yes
Type: List of JSON name-value pairs.
InstancePorts
A list of instance ports for the policy. These are the ports associated with the back-end server.
Required: No
Type: List of String values
LoadBalancerPorts
A list of external load balancer ports for the policy.
Required: Only for some policies. For more information, see the Elastic Load Balancing Developer
Guide.
Type: List of String values
API Version 2010-05-15
1914

AWS CloudFormation User Guide
ElasticLoadBalancing Policy

PolicyName
A name for this policy that is unique to the load balancer.
Required: Yes
Type: String
PolicyType
The name of the policy type for this policy. This must be one of the types reported by the Elastic
Load Balancing DescribeLoadBalancerPolicyTypes action.
Required: Yes
Type: String

Examples
This example shows a snippet of the policies section of an elastic load balancer listener.

"Policies" : [
{
"PolicyName" : "MySSLNegotiationPolicy",
"PolicyType" : "SSLNegotiationPolicyType",
"Attributes" : [
{ "Name" : "Protocol-TLSv1", "Value" : "true" },
{ "Name" : "Protocol-SSLv3", "Value" : "false" },
{ "Name" : "DHE-RSA-AES256-SHA", "Value" : "true" } ]
}, {
"PolicyName" : "MyAppCookieStickinessPolicy",
"PolicyType" : "AppCookieStickinessPolicyType",
"Attributes" : [
{ "Name" : "CookieName", "Value" : "MyCookie"} ]
}, {
"PolicyName" : "MyPublicKeyPolicy",
"PolicyType" : "PublicKeyPolicyType",
"Attributes" : [ {
"Name" : "PublicKey",
"Value" : { "Fn::Join" : [
"\n", [
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh/51Aohx5VrpmlfGHZCzciMBa",
"fkHve+MQYYJcxmNUKMdsWnz9WtVfKxxWUU7Cfor4lorYmENGCG8FWqCoLDMFs7pN",
"yGEtpsrlKhzZWtgY1d7eGrUrBil03bI90E2KW0j4qAwGYAC8xixOkNClicojeEz4",
"f4rr3sUf+ZBSsuMEuwIDAQAB" ]
] }
} ]
}, {
"PolicyName" : "MyBackendServerAuthenticationPolicy",
"PolicyType" : "BackendServerAuthenticationPolicyType",
"Attributes" : [
{ "Name" : "PublicKeyPolicyName", "Value" : "MyPublicKeyPolicy" } ],
"InstancePorts" : [ "8443" ]
}
]

This example shows a snippet of the policies section of an elastic load balancer using proxy protocol.
"Policies" : [{
"PolicyName" : "EnableProxyProtocol",
"PolicyType" : "ProxyProtocolPolicyType",

API Version 2010-05-15
1915

AWS CloudFormation User Guide
Elastic Load Balancing Listener Certiﬁcate

}]

"Attributes" : [{
"Name" : "ProxyProtocol",
"Value" : "true"
}],
"InstancePorts" : [{"Ref" : "WebServerPort"}]

In the following snippet, the load balancer uses a predeﬁned security policy. These predeﬁned policies
are provided by Elastic Load Balancing. For more information, see SSL Security Policies in the Elastic Load
Balancing User Guide.
"Policies" : [{
"PolicyName"
"PolicyType"
"Attributes"
"Name" :
"Value" :
}]
}]

: "ELBSecurityPolicyName",
: "SSLNegotiationPolicyType",
: [{
"Reference-Security-Policy",
"ELBSecurityPolicy-2014-10"

See Also
• AWS::ElasticLoadBalancing::LoadBalancer (p. 1063)
• ElasticLoadBalancing AppCookieStickinessPolicy Type (p. 1907)
• ElasticLoadBalancing LBCookieStickinessPolicy Type (p. 1911)

Elastic Load Balancing Listener Certiﬁcate
The Certificate property type speciﬁes the default SSL server certiﬁcate that Elastic Load Balancing
will deploy on an listener. For more information, see Create an HTTPS Listener for Your Application Load
Balancer in the Application Load Balancers Guide.
The Certificates property of the AWS::ElasticLoadBalancingV2::Listener (p. 1074) resource contains a
list of one Certificate property type.

Syntax
JSON
{
}

"CertificateArn" : String

YAML
CertificateArn: String

Properties
CertificateArn
The Amazon Resource Name (ARN) of the certiﬁcate to associate with the listener.
Required: No
API Version 2010-05-15
1916

AWS CloudFormation User Guide
Elastic Load Balancing ListenerCertiﬁcate Certiﬁcate

Type: String

Elastic Load Balancing ListenerCertiﬁcate Certiﬁcate
The Certificate property type speciﬁes a certiﬁcate for an Elastic Load Balancing listener certiﬁcate.
Certificate is a property of the AWS::ElasticLoadBalancingV2::ListenerCertiﬁcate (p. 1077) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"CertificateArn" : String

YAML
CertificateArn: String

Properties
CertificateArn
The Amazon Resource Name (ARN) of the certiﬁcate.
Required: No
Type: String
Update requires: No interruption (p. 118)

Elastic Load Balancing Listener Action
The Action property type speciﬁes the default actions that the Elastic Load Balancing listener takes
when handling incoming requests.
The DefaultActions property of the AWS::ElasticLoadBalancingV2::Listener (p. 1074) resource
contains a list of Action property types.

Syntax
JSON
{
}

"TargetGroupArn" : String,
"Type" : String

YAML
TargetGroupArn: String

API Version 2010-05-15
1917

AWS CloudFormation User Guide
Elastic Load Balancing ListenerRule Actions
Type: String

Properties
TargetGroupArn
The Amazon Resource Name (ARN) of the target group to which Elastic Load Balancing routes the
traﬃc.
Required: Yes
Type: String
Type
The type of action. For valid values, see the Type contents for the Action data type in the Elastic
Load Balancing API Reference version 2015-12-01.
Required: Yes
Type: String

Elastic Load Balancing ListenerRule Actions
Actions is a property of the AWS::ElasticLoadBalancingV2::ListenerRule (p. 1080) resource that
speciﬁes the actions an Elastic Load Balancing listener takes when an incoming request meets a listener
rule's condition.

Syntax
JSON
{
}

"TargetGroupArn" : String,
"Type" : String

YAML
TargetGroupArn: String
Type: String

Properties
TargetGroupArn
The Amazon Resource Name (ARN) of the target group to which Elastic Load Balancing routes the
traﬃc.
Required: Yes
Type: String
Type
The type of action. For valid values, see the Type contents for the Action data type in the Elastic
Load Balancing API Reference version 2015-12-01.
API Version 2010-05-15
1918

AWS CloudFormation User Guide
Elastic Load Balancing ListenerRule Conditions

Required: Yes
Type: String

Elastic Load Balancing ListenerRule Conditions
Conditions is a property of the AWS::ElasticLoadBalancingV2::ListenerRule (p. 1080) resource that
speciﬁes the conditions when an Elastic Load Balancing listener rule takes eﬀect.

Syntax
JSON
{
}

"Field" : String,
"Values" : [ String, ... ]

YAML
Field: String
Values:
- String

Properties
Field
The name of the condition that you want to deﬁne, such as path-pattern (which forwards
requests based on the URL of the request).
For valid values, see the Field contents for the RuleCondition data type in the Elastic Load
Balancing API Reference version 2015-12-01.
Required: No
Type: String
Values
The value for the ﬁeld that you speciﬁed in the Field property.
Required: No
Type: List of String values

Elastic Load Balancing LoadBalancer
LoadBalancerAttributes
LoadBalancerAttributes is a property of the AWS::ElasticLoadBalancingV2::LoadBalancer (p. 1082)
resource that conﬁgures settings for an Elastic Load Balancing Application load balancer. For more
information, see Load Balancer Attributes in the Application Load Balancers Guide.
API Version 2010-05-15
1919

AWS CloudFormation User Guide
Elastic Load Balancing LoadBalancer SubnetMapping

Syntax
JSON
{
}

"Key" : String,
"Value" : String

YAML
Key: String
Value: String

Properties
Key
The name of an attribute that you want to conﬁgure. For the list of attributes that you can
conﬁgure, see the Key contents for the LoadBalancerAttribute data type in the Elastic Load
Balancing API Reference version 2015-12-01.
Required: No
Type: String
Value
A value for the attribute.
Required: No
Type: String

Elastic Load Balancing LoadBalancer SubnetMapping
The SubnetMapping property type speciﬁes the ID of a subnet to attach to an Elastic Load Balancing
Application or Network Load Balancer.
SubnetMappings is a property of the AWS::ElasticLoadBalancingV2::LoadBalancer (p. 1082) resource.

Syntax
JSON
{
}

"SubnetId" : String,
"AllocationId" : String

YAML
SubnetId: String

API Version 2010-05-15
1920

AWS CloudFormation User Guide
Elastic Load Balancing TargetGroup Matcher
AllocationId: String

Properties
SubnetId
The ID of the subnet.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
AllocationId
[Network Load Balancer] The ID that represents the allocation of the Elastic IP address.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Elastic Load Balancing TargetGroup Matcher
Matcher is a property of the AWS::ElasticLoadBalancingV2::TargetGroup (p. 1088) resource that
speciﬁes the HTTP codes that healthy targets must use when responding to an Elastic Load Balancing
health check.

Syntax
JSON
{
}

"HttpCode" : String

YAML
HttpCode: String

Properties
HttpCode
The HTTP codes that a healthy target must use when responding to a health check, such as 200,202
or 200-399.
For valid and default values, see the HttpCode contents for the Matcher data type in the Elastic
Load Balancing API Reference version 2015-12-01.
Required: No
Type: String
API Version 2010-05-15
1921

AWS CloudFormation User Guide
Elastic Load Balancing TargetGroup TargetDescription

Elastic Load Balancing TargetGroup
TargetDescription
TargetDescription is a property of the AWS::ElasticLoadBalancingV2::TargetGroup (p. 1088) resource
that speciﬁes a target to add to an Elastic Load Balancing target group.

Syntax
JSON
{

}

"AvailabilityZone" : String,
"Id" : String,
"Port" : Integer

YAML
AvailabilityZone: String
Id: String
Port: Integer

Properties
AvailabilityZone
The Availability Zone where the IP address is to be registered. For more information, see
TargetDescription in the Elastic Load Balancing API Reference version 2015-12-01.
Required: No
Type: String
Id
The ID of the target, such as an EC2 instance ID. If the target type of the target group is instance,
specify an instance ID. If the target type is ip, specify an IP address.
Required: Yes
Type: String
Port
The port number on which the target is listening for traﬃc.
Required: No
Type: Integer

Elastic Load Balancing TargetGroup
TargetGroupAttributes
TargetGroupAttributes is a property of the AWS::ElasticLoadBalancingV2::TargetGroup (p. 1088)
resource that conﬁgures settings for an Elastic Load Balancing target group. For more information, see
Target Group Attributes in the Application Load Balancers Guide.
API Version 2010-05-15
1922

AWS CloudFormation User Guide
Amazon ES Domain EBSOptions

Syntax
JSON
{
}

"Key" : String,
"Value" : String

YAML
Key: String
Value: String

Properties
Key
The name of the attribute that you want to conﬁgure. For the list of attributes that you can
conﬁgure, see the Key contents for the TargetGroupAttribute data type in the Elastic Load Balancing
API Reference version 2015-12-01.
Required: No
Type: String
Value
A value for the attribute.
Required: No
Type: String

Amazon Elasticsearch Service Domain EBSOptions
EBSOptions is a property of the AWS::Elasticsearch::Domain (p. 1096) resource that conﬁgures the
Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes in the Amazon
Elasticsearch Service (Amazon ES) domain.

Syntax
JSON
{

}

"EBSEnabled" : Boolean,
"Iops" : Integer,
"VolumeSize" : Integer,
"VolumeType" : String

YAML
EBSEnabled: Boolean

API Version 2010-05-15
1923

AWS CloudFormation User Guide
Amazon ES Domain ElasticsearchClusterConﬁg
Iops: Integer
VolumeSize: Integer
VolumeType: String

Properties
EBSEnabled
Speciﬁes whether Amazon EBS volumes are attached to data nodes in the Amazon ES domain.
Required: No
Type: Boolean
Iops
The number of I/O operations per second (IOPS) that the volume supports. This property applies
only to the Provisioned IOPS (SSD) EBS volume type.
Required: No
Type: Integer
VolumeSize
The size of the EBS volume for each data node. The minimum and maximum size of an EBS
volume depends on the EBS volume type and the instance type to which it is attached. For more
information, see Conﬁguring EBS-based Storage in the Amazon Elasticsearch Service Developer Guide.
Required: No
Type: Integer
VolumeType
The EBS volume type to use with the Amazon ES domain, such as standard, gp2, or io1. For more
information about each type, see Amazon EBS Volume Types in the Amazon EC2 User Guide for Linux
Instances.
Required: No
Type: String

Amazon Elasticsearch Service Domain
ElasticsearchClusterConﬁg
ElasticsearchClusterConfig is a property of the AWS::Elasticsearch::Domain (p. 1096) resource
that conﬁgures the cluster of an Amazon Elasticsearch Service (Amazon ES) domain.

Syntax
JSON
{

"DedicatedMasterCount" : Integer,
"DedicatedMasterEnabled" : Boolean,
"DedicatedMasterType" : String,
"InstanceCount" : Integer,

API Version 2010-05-15
1924

AWS CloudFormation User Guide
Amazon ES Domain ElasticsearchClusterConﬁg

}

"InstanceType" : String,
"ZoneAwarenessEnabled" : Boolean

YAML
DedicatedMasterCount: Integer
DedicatedMasterEnabled: Boolean
DedicatedMasterType: String
InstanceCount: Integer
InstanceType: String
ZoneAwarenessEnabled: Boolean

Properties
DedicatedMasterCount
The number of instances to use for the master node.
If you specify this property, you must specify true for the DedicatedMasterEnabled property
Required: No
Type: Integer
DedicatedMasterEnabled
Indicates whether to use a dedicated master node for the Amazon ES domain. A dedicated master
node is a cluster node that performs cluster management tasks, but doesn't hold data or respond
to data upload requests. Dedicated master nodes oﬄoad cluster management tasks to increase the
stability of your search clusters.
Required: No
Type: Boolean
DedicatedMasterType
The hardware conﬁguration of the computer that hosts the dedicated master node, such as
m3.medium.elasticsearch. For valid values, see Conﬁguring Amazon ES Domains in the Amazon
Elasticsearch Service Developer Guide.
If you specify this property, you must specify true for the DedicatedMasterEnabled property
Required: No
Type: String
InstanceCount
The number of data nodes (instances) to use in the Amazon ES domain.
Required: No
Type: Integer
InstanceType
The instance type for your data nodes, such as m3.medium.elasticsearch. For valid values, see
Conﬁguring Amazon ES Domains in the Amazon Elasticsearch Service Developer Guide.
Required: No
API Version 2010-05-15
1925

AWS CloudFormation User Guide
Amazon ES Domain EncryptionAtRestOptions

Type: String
ZoneAwarenessEnabled
Indicates whether to enable zone awareness for the Amazon ES domain. When you enable zone
awareness, Amazon ES allocates the nodes and replica index shards that belong to a cluster across
two Availability Zones (AZs) in the same region to prevent data loss and minimize downtime in the
event of node or data center failure. Don't enable zone awareness if your cluster has no replica index
shards or is a single-node cluster. For more information, see Enabling Zone Awareness in the Amazon
Elasticsearch Service Developer Guide.
Required: No
Type: Boolean

Amazon Elasticsearch Service Domain
EncryptionAtRestOptions
The EncryptionAtRestOptions property type speciﬁes whether the domain should encrypt data at
rest, and if so, the AWS Key Management Service (KMS) key to use. Can only be used to create a new
domain, not update an existing one.
EncryptionAtRestOptions is a property of the AWS::Elasticsearch::Domain (p. 1096) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Enabled" : Boolean,
"KmsKeyId" : String

YAML
Enabled: Boolean
KmsKeyId: String

Properties
Enabled
Specify true to enable encryption at rest.
Required: No
Type: Boolean
Update requires: Replacement (p. 118)
KmsKeyId
The KMS key ID. Takes the form 1a2a3a4-1a2a-3a4a-5a6a-1a2a3a4a5a6a.
API Version 2010-05-15
1926

AWS CloudFormation User Guide
Amazon ES Domain SnapshotOptions

Required: No
Type: String
Update requires: Replacement (p. 118)

See Also
• CreateElasticsearchDomain in the Amazon Elasticsearch Service Developer Guide

Amazon Elasticsearch Service Domain
SnapshotOptions
SnapshotOptions is a property of the AWS::Elasticsearch::Domain (p. 1096) resource that conﬁgures
the automated snapshot of Amazon Elasticsearch Service (Amazon ES) domain indices.

Syntax
JSON
{
}

"AutomatedSnapshotStartHour" : Integer

YAML
AutomatedSnapshotStartHour: Integer

Properties
AutomatedSnapshotStartHour
The hour in UTC during which the service takes an automated daily snapshot of the indices in
the Amazon ES domain. For example, if you specify 0, Amazon ES takes an automated snapshot
everyday between midnight and 1 am. You can specify a value between 0 and 23.
Required: No
Type: Integer

Amazon Elasticsearch Service Domain VPCOptions
The VPCOptions property type speciﬁes a virtual private cloud (VPC) conﬁguration for an Amazon
Elasticsearch Service (Amazon ES) domain.
VPCOptions is a property of the AWS::Elasticsearch::Domain (p. 1096) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1927

AWS CloudFormation User Guide
Amazon EMR Cluster Application

JSON
{
}

"SecurityGroupIds" : [ String, ... ],
"SubnetIds" : [ String, ... ]

YAML
SecurityGroupIds:
- String
SubnetIds:
- String

Properties
SecurityGroupIds
The list of security group IDs that are associated with the VPC endpoints for the domain. If you don't
provide a security group ID, Amazon ES uses the default security group for the VPC. To learn more,
see Security Groups for your VPC in the Amazon VPC User Guide.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SubnetIds
A list of subnet IDs that are associated with the VPC endpoints for the domain. If your domain has
zone awareness enabled, you need to provide two subnet IDs, one per zone. Otherwise, you only
need to provide one. To learn more, see VPCs and Subnets in the Amazon VPC User Guide.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

See Also
• VPC Support for Amazon Elasticsearch Service Domains in the Amazon Elasticsearch Service Developer
Guide

Amazon EMR Cluster Application
Application is a property of the AWS::EMR::Cluster (p. 1104) resource that adds an Amazon EMR
(Amazon EMR) application bundle or third-party software to an Amazon EMR cluster.

Syntax
JSON
{

"AdditionalInfo" : { String:String, ... },

API Version 2010-05-15
1928

AWS CloudFormation User Guide
Amazon EMR Cluster AutoScalingPolicy

}

"Args" : [ String, ... ],
"Name" : String,
"Version" : String

YAML
AdditionalInfo:
String: String
Args:
- String
Name: String
Version: String

Properties
AdditionalInfo
Metadata about third-party applications that third-party vendors use for testing purposes.
Required: No
Type: String-to-string map
Args
Arguments that Amazon EMR passes to the application.
Required: No
Type: List of String values
Name
The name of the application to add to your cluster, such as Hadoop or Hive. For valid values, see the
Applications parameter in the Amazon EMR API Reference.
Required: No
Type: String
Version
The version of the application.
Required: No
Type: String

Amazon EMR Cluster AutoScalingPolicy
AutoScalingPolicy is a subproperty of the Amazon EMR Cluster InstanceGroupConﬁg (p. 1936)
property type that speciﬁes the constraints and rules for an Auto Scaling group policy. For more
information, see PutAutoScalingPolicy in the Amazon EMR API Reference.

Syntax
JSON
{

API Version 2010-05-15
1929

AWS CloudFormation User Guide
Amazon EMR Cluster BootstrapActionConﬁg

}

"Constraints" : ScalingConstraints,
"Rules" : ScalingRule

YAML
Constraints:
- ScalingConstraints
Rules:
- ScalingRule

Properties
Constraints
The upper and lower Amazon EC2 instance limits for an automatic scaling policy. Automatic scaling
activity will not cause an instance group to grow above or below these limits.
Required: Yes
Type: Amazon EMR Cluster ScalingConstraints (p. 1945)
Rules
The scale-in and scale-out rules that comprise the automatic scaling policy.
Required: Yes
Type: Amazon EMR Cluster ScalingRule (p. 1946)

Amazon EMR Cluster BootstrapActionConﬁg
BootstrapActionConfig is a property of the AWS::EMR::Cluster (p. 1104) resource that speciﬁes
bootstrap actions that Amazon EMR (Amazon EMR) runs before it installs applications on the cluster
nodes.

Syntax
JSON
{
}

"Name" : String,
"ScriptBootstrapAction" : ScriptBootstrapAction

YAML
Name: String
ScriptBootstrapAction: ScriptBootstrapAction

Properties
Name
The name of the bootstrap action to add to your cluster.
API Version 2010-05-15
1930

AWS CloudFormation User Guide
Amazon EMR Cluster CloudWatchAlarmDeﬁnition

Required: Yes
Type: String
ScriptBootstrapAction
The script that the bootstrap action runs.
Required: Yes
Type: Amazon EMR Cluster ScriptBootstrapActionConﬁg (p. 1947)

Amazon EMR Cluster CloudWatchAlarmDeﬁnition
CloudWatchAlarmDefinition is a subproperty of the Amazon EMR Cluster ScalingTrigger (p. 1947)
property, which determines when to trigger an automatic scaling activity. Scaling activity begins when
you satisfy the deﬁned alarm conditions.

Syntax
JSON
{

}

"ComparisonOperator" : String,
"Dimensions" : [ MetricDimension, ... ],
"EvaluationPeriods" : Integer,
"MetricName" : String,
"Namespace" : String,
"Period" : Integer,
"Statistic" : String,
"Threshold" : Double,
"Unit" : String

YAML
ComparisonOperator: String
Dimensions:
- MetricDimension
EvaluationPeriods: Integer
MetricName: String
Namespace: String
Period: Integer
Statistic: String
Threshold: Double
Unit: String

Properties
ComparisonOperator
Determines how the metric speciﬁed by MetricName is compared to the value speciﬁed by
Threshold.
Valid values: GREATER_THAN_OR_EQUAL, GREATER_THAN, LESS_THAN, or LESS_THAN_OR_EQUAL.
Required: Yes
API Version 2010-05-15
1931

AWS CloudFormation User Guide
Amazon EMR Cluster CloudWatchAlarmDeﬁnition

Type: String
Dimensions
A list of CloudWatch metric dimensions.
Required: No
Type: List of Amazon EMR Cluster MetricDimension (p. 1943)
EvaluationPeriods
The number of periods, expressed in seconds using Period, during which the alarm condition must
exist before the alarm triggers automatic scaling activity. The default value is 1.
Required: No
Type: Integer
MetricName
The name of the CloudWatch metric that is watched to determine an alarm condition.
Required: Yes
Type: String
Namespace
The namespace for the CloudWatch metric. The default is AWS/ElasticMapReduce.
Required: No
Type: String
Period
The period, in seconds, over which the statistic is applied. EMR CloudWatch metrics are emitted
every ﬁve minutes (300 seconds), so if an EMR CloudWatch metric is speciﬁed, specify 300.
Required: Yes
Type: Integer
Statistic
The statistic to apply to the metric associated with the alarm. The default is AVERAGE.
Valid values: SAMPLE_COUNT, AVERAGE, SUM, MINIMUM, or MAXIMUM.
Required: No
Type: String
Threshold
The value against which the speciﬁed statistic is compared.
Required: Yes
Type: Double
Unit
The unit of measure associated with the CloudWatch metric being watched. The value speciﬁed for
Unit must correspond to the units speciﬁed in the CloudWatch metric.
API Version 2010-05-15
1932

AWS CloudFormation User Guide
Amazon EMR Cluster Conﬁgurations

For more information, see CloudWatchAlarmDeﬁnition in the Amazon Elastic MapReduce
Documentation API Reference.
Required: No
Type: String

Amazon EMR Cluster Conﬁgurations
Configurations is a property of the AWS::EMR::Cluster (p. 1104) resource that speciﬁes the software
conﬁguration of an Amazon EMR (Amazon EMR) cluster. For example conﬁgurations, see Conﬁguring
Applications in the Amazon EMR Release Guide.

Syntax
JSON
{

}

"Classification" : String,
"ConfigurationProperties" : { String:String, ... },
"Configurations" : [ Configuration, ... ]

YAML
Classification: String
ConfigurationProperties:
String: String
Configurations:
- Configuration

Properties
Classification
The name of an application-speciﬁc conﬁguration ﬁle. For more information see, Conﬁguring
Applications in the Amazon EMR Release Guide.
Required: No
Type: String
ConfigurationProperties
The settings that you want to change in the application-speciﬁc conﬁguration ﬁle. For more
information see, Conﬁguring Applications in the Amazon EMR Release Guide.
Required: No
Type: String-to-string map
Configurations
A list of conﬁgurations to apply to this conﬁguration. You can nest conﬁgurations so that a single
conﬁguration can have its own conﬁgurations. In other words, you can conﬁgure a conﬁguration. For
more information see, Conﬁguring Applications in the Amazon EMR Release Guide.
API Version 2010-05-15
1933

AWS CloudFormation User Guide
Amazon EMR Cluster InstanceFleetConﬁg

Required: No
Type: List of Amazon EMR Cluster Conﬁgurations (p. 1933)

Amazon EMR Cluster InstanceFleetConﬁg
The InstanceFleetConfig property type speciﬁes a Spot instance ﬂeet conﬁguration for the
cluster. For more information, see Conﬁgure Instance Fleets in the Amazon EMR Management
Guide. InstanceFleetConfig is the property type for the CoreInstanceFleet and
MasterInstanceFleet subproperties of the Amazon EMR Cluster JobFlowInstancesConﬁg (p. 1939)
property type.

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.

Syntax
JSON
{

}

"InstanceTypeConfigs" : [ InstanceTypeConfig (p. 1938) ],
"LaunchSpecifications" : InstanceFleetProvisioningSpecifications (p. 1935),
"Name" : String,
"TargetOnDemandCapacity" : Integer,
"TargetSpotCapacity" : Integer

YAML
InstanceTypeConfigs:
- InstanceTypeConfig (p. 1938)
LaunchSpecifications:
InstanceFleetProvisioningSpecifications (p. 1935)
Name: String
TargetOnDemandCapacity: Integer
TargetSpotCapacity: Integer

Properties
InstanceTypeConfigs
The instance type conﬁgurations that deﬁne the EC2 instances in the instance ﬂeet. Duplicates not
allowed.
Required: No
Type: List of Amazon EMR Cluster InstanceTypeConﬁg (p. 1938)
Update requires: Replacement (p. 119)
LaunchSpecifications
The launch speciﬁcation for the instance ﬂeet.
Required: No
API Version 2010-05-15
1934

AWS CloudFormation User Guide
Amazon EMR Cluster
InstanceFleetProvisioningSpeciﬁcations

Type: Amazon EMR Cluster InstanceFleetProvisioningSpeciﬁcations (p. 1935)
Update requires: Replacement (p. 119)
Name
The friendly name of the instance ﬂeet. For constraints, see InstanceFleetConﬁg in the Amazon EMR
API Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)
TargetOnDemandCapacity
The target capacity of On-Demand units for the instance ﬂeet, which determines how many OnDemand instances to provision. For more information, see InstanceFleetConﬁg in the Amazon EMR
API Reference.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
TargetSpotCapacity
The target capacity of Spot units for the instance ﬂeet, which determines how many Spot instances
to provision. For more information, see InstanceFleetConﬁg in the Amazon EMR API Reference.
Required: No
Type: Integer
Update requires: No interruption (p. 118)

Amazon EMR Cluster
InstanceFleetProvisioningSpeciﬁcations
The InstanceFleetProvisioningSpecifications property speciﬁes the launch speciﬁcation
for Spot instances in the ﬂeet, which determines the deﬁned duration and provisioning timeout
behavior. InstanceFleetProvisioningSpecifications is the property type for the
LaunchSpecifications property of the Amazon EMR Cluster InstanceFleetConﬁg (p. 1934) property
type.

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"SpotSpecification" : SpotProvisioningSpecification (p. 1949)

API Version 2010-05-15
1935

AWS CloudFormation User Guide
Amazon EMR Cluster InstanceGroupConﬁg
}

YAML
SpotSpecification:
SpotProvisioningSpecification (p. 1949)

Properties
SpotSpecification
The launch speciﬁcation for Spot instances in the ﬂeet, which determines the deﬁned duration and
provisioning timeout behavior.
Required: Yes
Type: Amazon EMR Cluster SpotProvisioningSpeciﬁcation (p. 1949)
Update requires: No interruption (p. 118)

Amazon EMR Cluster InstanceGroupConﬁg
InstanceGroupConfig is a property of the CoreInstanceGroup and MasterInstanceGroup
properties of the job ﬂow instances conﬁguration (p. 1939). The InstanceGroupConfig property
speciﬁes the settings for instances (nodes) in the core and master instance groups of an Amazon EMR
cluster.

Syntax
JSON
{

}

"AutoScalingPolicy" : AutoScalingPolicy,
"BidPrice" : String,
"Configurations" : [ Configuration, ... ],
"EbsConfiguration" : EBSConfiguration,
"InstanceCount" : Integer,
"InstanceType" : String,
"Market" : String,
"Name" : String

YAML
AutoScalingPolicy:
AutoScalingPolicy
BidPrice: String
Configurations:
- Configuration
EbsConfiguration:
EBSConfiguration
InstanceCount: Integer
InstanceType: String
Market: String
Name: String

API Version 2010-05-15
1936

AWS CloudFormation User Guide
Amazon EMR Cluster InstanceGroupConﬁg

Properties
AutoScalingPolicy
An automatic scaling policy for a core instance group or task instance group in an Amazon EMR
cluster. An automatic scaling policy deﬁnes how an instance group dynamically adds and terminates
EC2 instances in response to the value of a CloudWatch metric.
Required: No
Update requires: No interruption (p. 118)
Type: Amazon EMR Cluster AutoScalingPolicy (p. 1929)
BidPrice
When launching instances as Spot Instances, the bid price in USD for each EC2 instance in the
instance group.
Required: No
Type: String
Update requires: Replacement (p. 119)
Configurations
A list of conﬁgurations to apply to this instance group. For more information see, Conﬁguring
Applications in the Amazon EMR Release Guide.
Required: No
Type: List of Amazon EMR Cluster Conﬁgurations (p. 1933)
Update requires: Replacement (p. 119)
EbsConfiguration
Conﬁgures Amazon Elastic Block Store (Amazon EBS) storage volumes to attach to your instances.
Required: No
Type: Amazon EMR EbsConﬁguration (p. 1952)
Update requires: Replacement (p. 119)
InstanceCount
The number of instances to launch in the instance group.
Required: Yes
Type: Integer
InstanceType
The EC2 instance type for all instances in the instance group. For more information, see Instance
Conﬁgurations in the Amazon EMR Management Guide.
Required: Yes
Type: String
Market
The type of marketplace from which your instances are provisioned into this group, either
ON_DEMAND or SPOT. For more information, see Amazon EC2 Purchasing Options.
API Version 2010-05-15
1937

AWS CloudFormation User Guide
Amazon EMR Cluster InstanceTypeConﬁg

Required: No
Type: String
Name
A name for the instance group.
Required: No
Type: String

Amazon EMR Cluster InstanceTypeConﬁg
Use the InstanceTypeConfig property to conﬁgure an instance types in an instance ﬂeet. This
propery determines which EC2 instances that Amazon EMR attempts to provision to fulﬁll OnDemand and Spot target capacities. You can conﬁgure a maximum of ﬁve instance types in a ﬂeet. The
InstanceTypeConfigs property of the Amazon EMR Cluster InstanceFleetConﬁg (p. 1934) resource
contains a list of InstanceTypeConfig property types.

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"BidPrice" : String,
"BidPriceAsPercentageOfOnDemandPrice" : Double,
"Configurations" : [ Configuration (p. 1933), ...],
"EbsConfiguration" : EbsConfiguration (p. 1952),
"InstanceType" : String,
"WeightedCapacity" : Integer

YAML
BidPrice: String
BidPriceAsPercentageOfOnDemandPrice: Double
Configurations:
- Configuration (p. 1933)
EbsConfiguration:
EbsConfiguration (p. 1952)
InstanceType: String
WeightedCapacity: Integer

Properties
BidPrice
The bid price for each EC2 Spot Instance type, as deﬁned by InstanceType. BidPrice is expressed
in USD. For more information, see InstanceTypeConﬁg in the Amazon EMR API Reference.
Required: No
API Version 2010-05-15
1938

AWS CloudFormation User Guide
Amazon EMR Cluster JobFlowInstancesConﬁg

Type: String
Update requires: Replacement (p. 119)
BidPriceAsPercentageOfOnDemandPrice
The bid price, as a percentage of the On-Demand price, for each EC2 Spot instance as deﬁned by
InstanceType. BidPriceAsPercentageOfOnDemandPriceis expressed as a number. For more
information, see InstanceTypeConﬁg in the Amazon EMR API Reference.
Required: No
Type: Double
Update requires: Replacement (p. 119)
Configurations
A conﬁguration classiﬁcation that applies when provisioning cluster instances. This can include
conﬁgurations for applications and software that run on the cluster. Duplicates are not allowed.
Required: No
Type: List of Amazon EMR Cluster Conﬁgurations (p. 1933)
Update requires: Replacement (p. 119)
EbsConfiguration
The conﬁguration of Amazon Elastic Block Store (Amazon EBS) that is attached to each instance as
deﬁned by InstanceType.
Required: No
Type: Amazon EMR EbsConﬁguration (p. 1952)
Update requires: Replacement (p. 119)
InstanceType
An EC2 instance type, such as m3.xlarge. For constraints, see InstanceTypeConﬁg in the Amazon
EMR API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
WeightedCapacity
The number of units that a provisioned instance of this type provides toward fulﬁlling the target
capacities deﬁned in InstanceFleetConfig. For more information, see InstanceTypeConﬁg in the
Amazon EMR API Reference.
Required: No
Type: Integer
Update requires: Replacement (p. 119)

Amazon EMR Cluster JobFlowInstancesConﬁg
Use theJobFlowInstancesConfig, which is a property of the AWS::EMR::Cluster (p. 1104) resource, to
conﬁgure the EC2 instances (nodes) that will run jobs in an Amazon EMR cluster.
API Version 2010-05-15
1939

AWS CloudFormation User Guide
Amazon EMR Cluster JobFlowInstancesConﬁg

Note

When creating your cluster using EmrManagedMasterSecurityGroup and
EmrManagedSlaveSecurityGroup, to avoid a delete_failed exception, use security groups
created outside of the AWS CloudFormation stack or retain them on deletion.

Syntax
JSON
{

}

"AdditionalMasterSecurityGroups" : [ String, ... ],
"AdditionalSlaveSecurityGroups" : [ String, ... ],
"CoreInstanceFleet" : InstanceFleetConfig,
"CoreInstanceGroup" : InstanceGroupConfig,
"Ec2KeyName" : String,
"Ec2SubnetId" : String,
"EmrManagedMasterSecurityGroup" : String,
"EmrManagedSlaveSecurityGroup" : String,
"HadoopVersion" : String,
"MasterInstanceFleet" : InstanceFleetConfig,
"MasterInstanceGroup" : InstanceGroupConfig,
"Placement" : Placement,
"ServiceAccessSecurityGroup" : String,
"TerminationProtected" : Boolean

YAML
AdditionalMasterSecurityGroups:
- String
AdditionalSlaveSecurityGroups:
- String
CoreInstanceFleet:
InstanceFleetConfig,
CoreInstanceGroup:
InstanceGroupConfig
Ec2KeyName: String
Ec2SubnetId: String
EmrManagedMasterSecurityGroup: String
EmrManagedSlaveSecurityGroup: String
HadoopVersion: String
MasterInstanceFleet:
InstanceFleetConfig
MasterInstanceGroup:
InstanceGroupConfig
Placement:
Placement
ServiceAccessSecurityGroup: String
TerminationProtected: Boolean

Properties
AdditionalMasterSecurityGroups
A list of additional EC2 security group IDs to assign to the master instance (master node) in your
Amazon EMR cluster. Use this property to supplement the rules speciﬁed by the Amazon EMR
managed master security group.
Required: No
API Version 2010-05-15
1940

AWS CloudFormation User Guide
Amazon EMR Cluster JobFlowInstancesConﬁg

Type: List of String values
Update requires: Replacement (p. 119)
AdditionalSlaveSecurityGroups
A list of additional EC2 security group IDs to assign to the slave instances (slave nodes) in your
Amazon EMR cluster. Use this property to supplement the rules speciﬁed by the Amazon EMR
managed slave security group.
Required: No
Type: List of String values
Update requires: Replacement (p. 119)
CoreInstanceFleet
The instance ﬂeet settings for the core instances in your Amazon EMR cluster. Use this property with
the MasterInstanceFleet property.

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.
Required: No
Type: Amazon EMR Cluster InstanceFleetConﬁg (p. 1934)
Update requires: Replacement (p. 119)
CoreInstanceGroup
The settings for the core instances in your Amazon EMR cluster. Use this property with the
MasterInstanceGroup property.
Required: No
Type: Amazon EMR Cluster InstanceGroupConﬁg (p. 1936)
Update requires: Replacement (p. 119)
Ec2KeyName
The name of an Amazon Elastic Compute Cloud (Amazon EC2) key pair, which you can use to access
the instances in your Amazon EMR cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)
Ec2SubnetId
The ID of the subnet where you want to launch your instances.
Required: No
Type: String
Update requires: Replacement (p. 119)
EmrManagedMasterSecurityGroup
The ID of an EC2 security group (managed by Amazon EMR) that is assigned to the master instance
(master node) in your Amazon EMR cluster.
API Version 2010-05-15
1941

AWS CloudFormation User Guide
Amazon EMR Cluster JobFlowInstancesConﬁg

Required: No
Type: String
Update requires: Replacement (p. 119)
EmrManagedSlaveSecurityGroup
The ID of an EC2 security group (managed by Amazon EMR) that is assigned to the slave instances
(slave nodes) in your Amazon EMR cluster.
Required: No
Type: String
Update requires: Replacement (p. 119)
HadoopVersion
The Hadoop version for the job ﬂow. For valid values, see the HadoopVersion parameter in the
Amazon EMR API Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)
MasterInstanceFleet
The instance ﬂeet settings for the master instance (master node).

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.
You must use either MasterInstanceFleet or MasterInstanceGroup in your conﬁguration. If
you use MasterInstanceFleet, then you may also specify the CoreInstanceFleet property.
Required: No
Type: Amazon EMR Cluster InstanceFleetConﬁg (p. 1934)
Update requires: Replacement (p. 119)
MasterInstanceGroup
The settings for the master instance (master node).
You must use either MasterInstanceGroup or MasterInstanceFleet in your conﬁguration. If
you use MasterInstanceGroup, then you may also specify the CoreInstanceGroup property.
Required: No
Type: Amazon EMR Cluster InstanceGroupConﬁg (p. 1936)
Update requires: Replacement (p. 119)
Placement
The Availability Zone (AZ) in which the job ﬂow runs.
Required: No
Type: Amazon EMR Cluster PlacementType (p. 1944)
API Version 2010-05-15
1942

AWS CloudFormation User Guide
Amazon EMR Cluster MetricDimension

Update requires: Replacement (p. 119)
ServiceAccessSecurityGroup
The ID of the EC2 security group (managed by Amazon EMR) that services use to access clusters in
private subnets.
Required: No
Type: String
Update requires: Replacement (p. 119)
TerminationProtected
Indicates whether to prevent the EC2 instances from being terminated by an API call or user
intervention. If you want to delete a stack with protected instances, update this value to false
before you delete the stack. By default, AWS CloudFormation sets this property to false.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)

Amazon EMR Cluster MetricDimension
The MetricDimension property type represents a CloudWatch dimension that you
specify using a key–value pair. The Dimensions subproperty of the Amazon EMR Cluster
CloudWatchAlarmDeﬁnition (p. 1931) property contains a list of one or more MetricDimension
property types.

Syntax
JSON
{
}

"Key" : String,
"Value" : String

YAML
Key: String
Value: String

Properties
By default, Amazon EMR uses one dimension whose key (known as a Name in CloudWatch) is JobFlowID
and whose value is a variable representing the cluster ID, which is ${emr.clusterId}. This enables the
rule to bootstrap when the cluster ID becomes available.
Key
The dimension name.
Required: Yes
API Version 2010-05-15
1943

AWS CloudFormation User Guide
Amazon EMR Cluster PlacementType

Type: String
Value
The dimension value.
Required: Yes
Type: String

Amazon EMR Cluster PlacementType
The PlacementType property type speciﬁes the Availability Zone (AZ) in which the job ﬂow runs.
PlacementType is the property type for the Placement subproperty of the Amazon EMR Cluster
JobFlowInstancesConﬁg (p. 1939) property type.

Syntax
JSON
{
}

"AvailabilityZone" : String

YAML
AvailabilityZone: String

Properties
AvailabilityZone
The Amazon Elastic Compute Cloud (Amazon EC2) AZ for the job ﬂow. For more information, see
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html in
the Amazon EC2 User Guide for Linux Instances.
Required: Yes
Type: String

Amazon EMR Cluster ScalingAction
The ScalingAction property type speciﬁes the scaling actions for an Auto Scaling group policy.
ScalingAction is the property type for the Action subproperty of the Amazon EMR Cluster
ScalingRule (p. 1946) property type.

Syntax
JSON
{
}

"Market" : String,
"SimpleScalingPolicyConfiguration" : SimpleScalingPolicyConfiguration

API Version 2010-05-15
1944

AWS CloudFormation User Guide
Amazon EMR Cluster ScalingConstraints

YAML
Market: String
SimpleScalingPolicyConfiguration: SimpleScalingPolicyConfiguration

Properties
Market
Not available for instance groups. Instance groups use the market type speciﬁed for the group.
Valid values: ON_DEMAND or SPOT
Required: No
Type: String
Update requires: No interruption (p. 118)
SimpleScalingPolicyConfiguration
The type of adjustment the automatic scaling activity makes when triggered, and the periodicity of
the adjustment.
Required: Yes
Type: Amazon EMR Cluster SimpleScalingPolicyConﬁguration (p. 1948)
Update requires: No interruption (p. 118)

Amazon EMR Cluster ScalingConstraints
The ScalingConstraints property type speciﬁes the upper and lower Amazon EC2 instance limits
for an automatic scaling policy. ScalingConstraints is the property type for the Constraints
subproperty of the Amazon EMR Cluster AutoScalingPolicy (p. 1929) property type.

Syntax
JSON
{
}

"MaxCapacity" : Integer,
"MinCapacity" : Integer

YAML
MaxCapacity: Integer
MinCapacity: Integer

Properties
MaxCapacity
The upper boundary of EC2 instances in an instance group beyond which scaling activities are not
allowed to grow. Scale-out activities will not add instances beyond this boundary.
API Version 2010-05-15
1945

AWS CloudFormation User Guide
Amazon EMR Cluster ScalingRule

Required: Yes
Type: Integer
MinCapacity
The lower boundary of EC2 instances in an instance group below which scaling activities are not
allowed to shrink. Scale-in activities will not terminate instances below this boundary.
Required: Yes
Type: Integer

Amazon EMR Cluster ScalingRule
The ScalingRule property type represents a scale-in or scale-out rule that deﬁnes scaling activity,
including the CloudWatch metric alarm that triggers activity, how Amazon EC2 instances are added
or removed, and the periodicity of adjustments. The Rules subproperty of the Amazon EMR Cluster
JobFlowInstancesConﬁg (p. 1939) property contains a list of one or more ScalingRule property types.

Syntax
JSON
{

}

"Action" : ScalingAction,
"Description" : String,
"Name" : String,
"Trigger" : ScalingTrigger

YAML
Action: ScalingAction
Description: String
Name: String
Trigger: ScalingTrigger

Properties
Action
The conditions that trigger an automatic scaling activity.
Required: Yes
Type: Amazon EMR Cluster ScalingAction (p. 1944)
Description
A friendly, more verbose description of the automatic scaling rule.
Required: No
Type: String
API Version 2010-05-15
1946

AWS CloudFormation User Guide
Amazon EMR Cluster ScalingTrigger

Name
The name used to identify an automatic scaling rule. Rule names must be unique within a scaling
policy.
Required: Yes
Type: String
Trigger
The CloudWatch alarm deﬁnition that determines when automatic scaling activity is triggered.
Required: Yes
Type: Amazon EMR Cluster ScalingTrigger (p. 1947)

Amazon EMR Cluster ScalingTrigger
The ScalingTrigger property type speciﬁes the conditions that trigger an automatic scaling activity.
ScalingTrigger is the property type for the Trigger subproperty of the Amazon EMR Cluster
ScalingRule (p. 1946) property type.

Syntax
JSON
{
}

"CloudWatchAlarmDefinition" : CloudWatchAlarmDefinition

YAML
CloudWatchAlarmDefinition: CloudWatchAlarmDefinition

Properties
CloudWatchAlarmDefinition
The deﬁnition of a CloudWatch metric alarm. When the deﬁned alarm conditions are met along with
other trigger parameters, scaling activity begins.
Required: Yes
Type: Amazon EMR Cluster CloudWatchAlarmDeﬁnition (p. 1931)
Update requires: No interruption (p. 118)

Amazon EMR Cluster ScriptBootstrapActionConﬁg
ScriptBootstrapActionConfig is a property of the Amazon EMR Cluster
BootstrapActionConﬁg (p. 1930) property that speciﬁes the arguments and location of the bootstrap
script that Amazon EMR (Amazon EMR) runs before it installs applications on the cluster nodes.
API Version 2010-05-15
1947

AWS CloudFormation User Guide
Amazon EMR Cluster SimpleScalingPolicyConﬁguration

Syntax
JSON
{

"Args" : [ String, ... ],
"Path" : String

}

YAML
Args:
- String
Path: String

Properties
Args
A list of command line arguments to pass to the bootstrap action script.
Required: No
Type: List of String values
Path
The location of the script that Amazon EMR runs during a bootstrap action. Specify a location in an
S3 bucket or your local ﬁle system.
Required: Yes
Type: String

Amazon EMR Cluster
SimpleScalingPolicyConﬁguration
SimpleScalingPolicyConfiguration is a subproperty of the Amazon EMR Cluster
ScalingAction (p. 1944) property. It speciﬁes an automatic scaling conﬁguration that describes how the
policy adds or removes instances, the cooldown period, and the number of Amazon EC2 instances that
will be added each time the CloudWatch metric alarm condition is satisﬁed.

Syntax
JSON
{

}

"AdjustmentType" : String,
"CoolDown" : Integer,
"ScalingAdjustment" : String

YAML

API Version 2010-05-15
1948

AWS CloudFormation User Guide
Amazon EMR Cluster SpotProvisioningSpeciﬁcation
AdjustmentType: String
CoolDown: Integer
ScalingAdjustment: String

Properties
Note

For more information about the constraints and valid values of each property, see the
SimpleScalingPolicyConﬁguration data type in the Amazon EMR API Reference.
AdjustmentType
The way in which Amazon EC2 instances are added (if ScalingAdjustment is a positive number)
or terminated (if ScalingAdjustment is a negative number) each time the scaling activity is
triggered. CHANGE_IN_CAPACITY is the default.
Required: No
Type: String
CoolDown
The amount of time, in seconds, after a scaling activity completes before any further trigger-related
scaling activities can start. The default value is 0.
Required: No
Type: Integer
ScalingAdjustment
The amount by which to scale in or scale out, based on the speciﬁed AdjustmentType. A positive
value adds to the instance group's Amazon EC2 instance count while a negative number removes
instances. If AdjustmentType is set to EXACT_CAPACITY, the number should only be a positive
integer. If AdjustmentType is set to PERCENT_CHANGE_IN_CAPACITY, the value should express
the percentage as a decimal.
Required: Yes
Type: Integer

Amazon EMR Cluster SpotProvisioningSpeciﬁcation
The SpotProvisioningSpecification property speciﬁes the duration and timeout behavior
for Spot instances in the instance ﬂeet for Amazon EMR. SpotProvisioningSpecification
is the property type for the SpotSpecification subproperty of the Amazon EMR Cluster
InstanceFleetProvisioningSpeciﬁcations (p. 1935) property type.

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1949

AWS CloudFormation User Guide
Amazon EMR Cluster KerberosAttributes

}

"BlockDurationMinutes" : Integer,
"TimeoutAction" : String,
"TimeoutDurationMinutes" : Integer

YAML
BlockDurationMinutes: Integer
TimeoutAction: String
TimeoutDurationMinutes: Integer

Properties
BlockDurationMinutes
The deﬁned duration for Spot instances (also known as Spot blocks) in minutes. For more
information, see SpotProvisioningSpeciﬁcation in the Amazon EMR API Reference.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
TimeoutAction
The action to take when TargetSpotCapacity has not been fulﬁlled when the
TimeoutDurationMinutes has expired. For more information, see SpotProvisioningSpeciﬁcation in
the Amazon EMR API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
TimeoutDurationMinutes
The spot provisioning timeout period in minutes. For more information, see
SpotProvisioningSpeciﬁcation in the Amazon EMR API Reference.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)

Amazon EMR Cluster KerberosAttributes
The KerberosAttributes property type speciﬁes attributes for Kerberos conﬁguration when Kerberos
authentication is enabled using a security conﬁguration.
KerberosAttributes is a property of the AWS::EMR::Cluster (p. 1104) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1950

AWS CloudFormation User Guide
Amazon EMR Cluster KerberosAttributes

JSON
{

}

"ADDomainJoinPassword" : String,
"ADDomainJoinUser" : String,
"CrossRealmTrustPrincipalPassword" : String,
"KdcAdminPassword" : String,
"Realm" : String

YAML
ADDomainJoinPassword: String
ADDomainJoinUser: String
CrossRealmTrustPrincipalPassword: String
KdcAdminPassword: String
Realm: String

Properties
ADDomainJoinPassword
The Active Directory password for ADDomainJoinUser.
Length Constraints: Minimum length of 0. Maximum length of 256.
Pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
ADDomainJoinUser
Required only when establishing a cross-realm trust with an Active Directory domain. A user with
suﬃcient privileges to join resources to the domain.
Length Constraints: Minimum length of 0. Maximum length of 256.
Pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
CrossRealmTrustPrincipalPassword
Required only when establishing a cross-realm trust with a KDC in a diﬀerent realm. The cross-realm
principal password, which must be identical across realms.
Length Constraints: Minimum length of 0. Maximum length of 256.
Pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
Type: String
API Version 2010-05-15
1951

AWS CloudFormation User Guide
Amazon EMR EbsConﬁguration

Update requires: No interruption (p. 118)
KdcAdminPassword
The password used within the cluster for the kadmin service on the cluster-dedicated KDC, which
maintains Kerberos principals, password policies, and keytabs for the cluster.
Length Constraints: Minimum length of 0. Maximum length of 256.
Pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Realm
The name of the Kerberos realm to which all nodes in a cluster belong. For example,
EC2.INTERNAL.
Length Constraints: Minimum length of 0. Maximum length of 256.
Pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• KerberosAttributes in the Amazon EMR API Reference
• Use Kerberos Authentication in the Amazon EMR Management Guide

Amazon EMR EbsConﬁguration
EbsConfiguration is a property of the Amazon EMR Cluster InstanceGroupConﬁg (p. 1936) property
and the AWS::EMR::InstanceGroupConﬁg (p. 1124) resource that deﬁnes Amazon Elastic Block Store
(Amazon EBS) storage volumes to attach to your Amazon EMR (Amazon EMR) instances.

Syntax
JSON
{
}

"EbsBlockDeviceConfigs" : [ EbsBlockDeviceConfig, ... ],
"EbsOptimized" : Boolean

YAML
EbsBlockDeviceConfigs:
- EbsBlockDeviceConfig
EbsOptimized: Boolean

API Version 2010-05-15
1952

AWS CloudFormation User Guide
Amazon EMR EbsConﬁguration EbsBlockDeviceConﬁgs

Properties
EbsBlockDeviceConfigs
Conﬁgures the block storage devices that are associated with your EMR instances.
Required: No
Type: List of Amazon EMR EbsConﬁguration EbsBlockDeviceConﬁgs (p. 1953)
EbsOptimized
Indicates whether the instances are optimized for Amazon EBS I/O. This optimization provides
dedicated throughput to Amazon EBS and an optimized conﬁguration stack to provide optimal
EBS I/O performance. For more information about fees and supported instance types, see EBSOptimized Instances in the Amazon EC2 User Guide for Linux Instances.
Required: No
Type: Boolean
Default value: false

Amazon EMR EbsConﬁguration
EbsBlockDeviceConﬁgs
EbsBlockDeviceConfigs is a property of the Amazon EMR EbsConﬁguration (p. 1952) property
that deﬁnes the settings for the Amazon Elastic Block Store (Amazon EBS) volumes that Amazon EMR
(Amazon EMR) associates with your instances.

Syntax
JSON
{
}

"VolumeSpecification" : VolumeSpecification,
"VolumesPerInstance" : Integer

YAML
VolumeSpecification:
VolumeSpecification
VolumesPerInstance: Integer

Properties
VolumeSpecification
The settings for the Amazon EBS volumes.
Required: Yes
Type: Amazon EMR EbsConﬁguration EbsBlockDeviceConﬁg VolumeSpeciﬁcation (p. 1954)
API Version 2010-05-15
1953

AWS CloudFormation User Guide
Amazon EMR EbsConﬁguration
EbsBlockDeviceConﬁg VolumeSpeciﬁcation

VolumesPerInstance
The number of Amazon EBS volumes that you want to create for each instance in the EMR cluster or
instance group. The number cannot be 0.
Required: No
Type: Integer

Amazon EMR EbsConﬁguration EbsBlockDeviceConﬁg
VolumeSpeciﬁcation
VolumeSpecification is a property of the Amazon EMR EbsConﬁguration (p. 1952) property that
conﬁgures the Amazon Elastic Block Store (Amazon EBS) volumes that Amazon EMR (Amazon EMR)
associates with your instances.

Syntax
JSON
{

}

"Iops" : Integer,
"SizeInGB" : Integer,
"VolumeType" : String

YAML
Iops: Integer
SizeInGB: Integer
VolumeType: String

Properties
Iops
The number of I/O operations per second (IOPS) that the volume supports. For more information,
see Iops for the EbsBlockDevice action in the Amazon EC2 API Reference.
Required: No
Type: Integer
SizeInGB
The volume size, in Gibibytes (GiB). For more information about specifying the volume size, see
VolumeSize for the EbsBlockDevice action in the Amazon EC2 API Reference.
Required: Yes
Type: Integer
VolumeType
The volume type, such as standard or io1. For more information about specifying the volume
type, see VolumeType for the EbsBlockDevice action in the Amazon EC2 API Reference.
Required: Yes
API Version 2010-05-15
1954

AWS CloudFormation User Guide
Amazon EMR InstanceFleetConﬁg Conﬁguration

Type: String

Amazon EMR InstanceFleetConﬁg Conﬁguration
Use the Configuration property to conﬁgure ﬂeet instances for Amazon EMR and applications
and software bundled with Amazon EMR. For more information, see Conﬁguring Applications in the
Amazon EMR Release Guide. Configuration is a subproperty of the Amazon EMR InstanceFleetConﬁg
InstanceTypeConﬁg (p. 1958) property.

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
"Classification" : String,
"ConfigurationProperties" : { String:String, ... },
"Configurations" : [ Configuration (p. 1955), ... ]

YAML
Classification: String
ConfigurationProperties:
String: String
Configurations:
- Configuration (p. 1955)

Properties
Classification
The application-speciﬁc conﬁguration ﬁle.
Required: No
Type: String
Update requires: Replacement (p. 119)
ConfigurationProperties
Within a conﬁguration classiﬁcation, a set of properties that represent the settings that you want to
change in the conﬁguration ﬁle. Duplicates not allowed.
Required: No
Type: String to String map
Update requires: Replacement (p. 119)
Configurations
The list of additional conﬁgurations to apply within a conﬁguration object. Duplicates not allowed.
Required: No
API Version 2010-05-15
1955

AWS CloudFormation User Guide
Amazon EMR InstanceFleetConﬁg EbsBlockDeviceConﬁg

Type: List of Amazon EMR InstanceFleetConﬁg Conﬁguration (p. 1955)
Update requires: Replacement (p. 119)

Amazon EMR InstanceFleetConﬁg
EbsBlockDeviceConﬁg
Use the EbsBlockDeviceConfig property to specify the settings for the Amazon EBS volumes
that Amazon EMR associates with your instances. The EbsBlockDeviceConfigs subproperty
of the Amazon EMR InstanceFleetConﬁg EbsConﬁguration (p. 1957) property contains a list of
EbsBlockDeviceConfig property types.

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"VolumeSpecification" : VolumeSpecification (p. 1961),
"VolumesPerInstance" : Integer

YAML
VolumeSpecification:
VolumeSpecification (p. 1961)
VolumesPerInstance: Integer

Properties
VolumeSpecification
Amazon EBS volume speciﬁcations, such as volume type, IOPS, and size (GiB), for the EBS volume
attached to an EC2 instance in the ﬂeet.
Required: Yes
Type: Amazon EMR InstanceFleetConﬁg VolumeSpeciﬁcation (p. 1961)
Update requires: Replacement (p. 119)
VolumesPerInstance
The number of Amazon EBS volumes with a speciﬁc volume conﬁguration that are associated with
every instance in the ﬂeet.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
API Version 2010-05-15
1956

AWS CloudFormation User Guide
Amazon EMR InstanceFleetConﬁg EbsConﬁguration

Amazon EMR InstanceFleetConﬁg EbsConﬁguration
Use the EbsConfiguration property to specify the Amazon EBS conﬁguration of an Amazon
EMR ﬂeet instance. EbsConfiguration is a subproperty of the Amazon EMR InstanceFleetConﬁg
InstanceTypeConﬁg (p. 1958) property.

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"EbsBlockDeviceConfigs" : [ EbsBlockDeviceConfig (p. 1956), ...],
"EbsOptimized" : Boolean

YAML
EbsBlockDeviceConfigs:
- EbsBlockDeviceConfig (p. 1956)
EbsOptimized: Boolean

Properties
EbsBlockDeviceConfigs
A list of Amazon EBS volume speciﬁcations that are attached to an instance. Duplicates not allowed.
Required: No
Type: List of Amazon EMR InstanceFleetConﬁg EbsBlockDeviceConﬁg (p. 1956)
Update requires: Replacement (p. 119)
EbsOptimized
Indicates whether an Amazon EBS volume is EBS-optimized.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)

Amazon EMR InstanceFleetConﬁg
InstanceFleetProvisioningSpeciﬁcations
Use the InstanceFleetProvisioningSpecifications property type to create or modify the launch
speciﬁcation for Spot Instances in the ﬂeet. This determines the deﬁned duration and provisioning
timeout behavior. InstanceFleetProvisioningSpecifications is the property type for the
LaunchSpecifications property of the AWS::EMR::InstanceFleetConﬁg (p. 1122) resource.
API Version 2010-05-15
1957

AWS CloudFormation User Guide
Amazon EMR InstanceFleetConﬁg InstanceTypeConﬁg

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"SpotSpecification" : SpotProvisioningSpecification (p. 1960)

YAML
SpotSpecification:
SpotProvisioningSpecification (p. 1960)

Properties
SpotSpecification
The launch speciﬁcation for Spot Instances in the ﬂeet. This determines the deﬁned duration and
provisioning timeout behavior.
Required: Yes
Type: Amazon EMR InstanceFleetConﬁg SpotProvisioningSpeciﬁcation (p. 1960)
Update requires: No interruption (p. 118)

Amazon EMR InstanceFleetConﬁg
InstanceTypeConﬁg
Use the InstanceTypeConfig property to conﬁgure each instance type in an instance ﬂeet. This
conﬁguration determines which EC2 instances that Amazon EMR attempts to provision to fulﬁll OnDemand and Spot target capacities. You can conﬁgure a maximum of ﬁve instance types in a ﬂeet.
For a list of InstanceTypeConfig property types, see the InstanceTypeConfigs property of the
AWS::EMR::InstanceFleetConﬁg (p. 1122) resource.

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"BidPrice" : String,

API Version 2010-05-15
1958

AWS CloudFormation User Guide
Amazon EMR InstanceFleetConﬁg InstanceTypeConﬁg

}

"BidPriceAsPercentageOfOnDemandPrice" : Double,
"Configurations" : [ Configuration (p. 1955), ... ],
"EbsConfiguration" : EbsConfiguration (p. 1957),
"InstanceType" : String,
"WeightedCapacity" : Integer

YAML
BidPrice: String
BidPriceAsPercentageOfOnDemandPrice: Double
Configurations:
- Configuration (p. 1955)
EbsConfiguration:
EbsConfiguration (p. 1957)
InstanceType: String
WeightedCapacity: Integer

Properties
For more information about each property, including constraints and valid values, see see
InstanceTypeConﬁg in the Amazon EMR API Reference.
BidPrice
The bid price for each EC2 Spot Instance type as deﬁned by InstanceType. BidPrice is expressed
in USD. For more information, see InstanceTypeConﬁg in the Amazon EMR API Reference.
Required: No
Type: String
Update requires: Replacement (p. 119)
BidPriceAsPercentageOfOnDemandPrice
The bid price, as a percentage of the On-Demand price, for each EC2 Spot Instance as deﬁned by
InstanceType. BidPriceAsPercentageOfOnDemandPrice is expressed as a number. For more
information, see InstanceTypeConﬁg in the Amazon EMR API Reference.
Required: No
Type: Double
Update requires: Replacement (p. 119)
Configurations
A conﬁguration classiﬁcation that applies when provisioning cluster instances. You can use this
property to conﬁgure applications and software that run on the cluster. Duplicates are not allowed.
Required: No
Type: List of Amazon EMR InstanceFleetConﬁg Conﬁguration (p. 1955)
Update requires: Replacement (p. 119)
EbsConfiguration
The conﬁguration of Amazon Elastic Block Store (Amazon EBS) that is attached to each instance as
deﬁned by InstanceType.
API Version 2010-05-15
1959

AWS CloudFormation User Guide
Amazon EMR InstanceFleetConﬁg
SpotProvisioningSpeciﬁcation

Required: No
Type: Amazon EMR InstanceFleetConﬁg EbsConﬁguration (p. 1957)
Update requires: Replacement (p. 119)
InstanceType
An EC2 instance type, such as m3.xlarge. For constraints, see InstanceTypeConﬁg in the Amazon
EMR API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
WeightedCapacity
The number of units that a provisioned instance of this type provides toward fulﬁlling the target
capacities deﬁned in InstanceFleetConfig. For more information, see InstanceTypeConﬁg in the
Amazon EMR API Reference.
Required: No
Type: Integer
Update requires: Replacement (p. 119)

Amazon EMR InstanceFleetConﬁg
SpotProvisioningSpeciﬁcation
Use the SpotProvisioningSpecification property to specify the duration and timeout behavior
for Spot Instances in the instance ﬂeet for Amazon EMR. SpotProvisioningSpecification is the
property type for the SpotSpecification subproperty of the Amazon EMR InstanceFleetConﬁg
InstanceFleetProvisioningSpeciﬁcations (p. 1957) property type.

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"BlockDurationMinutes" : Integer,
"TimeoutAction" : String,
"TimeoutDurationMinutes" : Integer

YAML
BlockDurationMinutes: Integer
TimeoutAction: String
TimeoutDurationMinutes: Integer

API Version 2010-05-15
1960

AWS CloudFormation User Guide
Amazon EMR InstanceFleetConﬁg VolumeSpeciﬁcation

Properties
BlockDurationMinutes
The deﬁned duration for Spot Instances (also known as Spot blocks) in minutes. For more
information, see SpotProvisioningSpeciﬁcation in the Amazon EMR API Reference.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
TimeoutAction
The action to take when the capacity for the target Spot Instance, as speciﬁed
in TargetSpotCapacity, has not been fulﬁlled before the time speciﬁed in
TimeoutDurationMinutes has expired. For more information, see SpotProvisioningSpeciﬁcation
in the Amazon EMR API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
TimeoutDurationMinutes
The timeout period for spot provisioning, in minutes. For more information, see
SpotProvisioningSpeciﬁcation in the Amazon EMR API Reference.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)

Amazon EMR InstanceFleetConﬁg
VolumeSpeciﬁcation
Use the VolumeSpecification property to specify settings—such as volume type, IOPS, and size (GiB)
—for the Amazon EBS volume attached to an EC2 instance in the ﬂeet. VolumeSpecification is a
subproperty of the Amazon EMR InstanceFleetConﬁg EbsBlockDeviceConﬁg (p. 1956) property.

Note

The instance ﬂeet conﬁguration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Iops" : Integer,
"SizeInGB" : Integer,
"VolumeType" : String

API Version 2010-05-15
1961

AWS CloudFormation User Guide
Amazon EMR InstanceGroupConﬁg AutoScalingPolicy

YAML
Iops: Integer
SizeInGB: Integer
VolumeType: String

Properties
Iops
The number of I/O operations per second (IOPS) that the volume supports.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
SizeInGB
The volume size, in gibibytes (GiB). For valid values, see VolumeSpeciﬁcation in the Amazon EMR API
Reference.
Required: Yes
Type: Integer
Update requires: Replacement (p. 119)
VolumeType
The volume type. For valid values, see VolumeSpeciﬁcation in the Amazon EMR API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Amazon EMR InstanceGroupConﬁg AutoScalingPolicy
AutoScalingPolicy is a property of the AWS::EMR::InstanceGroupConﬁg (p. 1124) resource
that speciﬁes the constraints and rules for an Auto Scaling group policy. For more information, see
PutAutoScalingPolicy in the Amazon EMR API Reference.

Syntax
JSON
{
}

"Constraints" : ScalingConstraints,
"Rules" : [ ScalingRule ]

YAML
Constraints:
ScalingConstraints

API Version 2010-05-15
1962

AWS CloudFormation User Guide
Amazon EMR InstanceGroupConﬁg AutoScalingPolicy
Rules:
- ScalingRule

Properties
Constraints
The upper and lower Amazon EC2 instance limits for an automatic scaling policy. Automatic scaling
activity doesn't cause an instance group to grow above or below these limits.
Required: Yes
Type: Amazon EMR InstanceGroupConﬁg ScalingConstraints (p. 1969)
Update requires: No interruption (p. 118)
Rules
The scale-in and scale-out rules that compose the automatic scaling policy.
Required: Yes
Type: List of Amazon EMR InstanceGroupConﬁg ScalingRule (p. 1970)
Update requires: No interruption (p. 118)

Example
The following example deﬁnes an AutoScalingPolicy for an InstanceGroupConfig resource.

JSON
"MyInstanceGroupConfig": {
"Type": "AWS::EMR::InstanceGroupConfig",
"Properties": {
"InstanceCount": 1,
"InstanceType": {
"Ref": "InstanceType"
},
"InstanceRole": "TASK",
"Market": "ON_DEMAND",
"Name": "cfnTask",
"JobFlowId": {
"Ref": "MyCluster"
},
"AutoScalingPolicy": {
"Constraints": {
"MinCapacity": {
"Ref": "MinCapacity"
},
"MaxCapacity": {
"Ref": "MaxCapacity"
}
},
"Rules": [
{
"Name": "Scale-out",
"Description": "Scale-out policy",
"Action": {
"SimpleScalingPolicyConfiguration": {
"AdjustmentType": "CHANGE_IN_CAPACITY",
"ScalingAdjustment": 1,

API Version 2010-05-15
1963

AWS CloudFormation User Guide
Amazon EMR InstanceGroupConﬁg AutoScalingPolicy

}

"CoolDown": 300

},
"Trigger": {
"CloudWatchAlarmDefinition": {
"Dimensions": [
{
"Key": "JobFlowId",
"Value": "${emr.clusterId}"
}
],
"EvaluationPeriods": 1,
"Namespace": "AWS/ElasticMapReduce",
"Period": 300,
"ComparisonOperator": "LESS_THAN",
"Statistic": "AVERAGE",
"Threshold": 15,
"Unit": "PERCENT",
"MetricName": "YARNMemoryAvailablePercentage"
}
}

},
{

}

}

}

]

}

"Name": "Scale-in",
"Description": "Scale-in policy",
"Action": {
"SimpleScalingPolicyConfiguration": {
"AdjustmentType": "CHANGE_IN_CAPACITY",
"ScalingAdjustment": -1,
"CoolDown": 300
}
},
"Trigger": {
"CloudWatchAlarmDefinition": {
"Dimensions": [
{
"Key": "JobFlowId",
"Value": "${emr.clusterId}"
}
],
"EvaluationPeriods": 1,
"Namespace": "AWS/ElasticMapReduce",
"Period": 300,
"ComparisonOperator": "GREATER_THAN",
"Statistic": "AVERAGE",
"Threshold": 75,
"Unit": "PERCENT",
"MetricName": "YARNMemoryAvailablePercentage"
}
}

YAML
MyInstanceGroupConfig:
Type: 'AWS::EMR::InstanceGroupConfig'
Properties:
InstanceCount: 1
InstanceType: !Ref InstanceType
InstanceRole: TASK

API Version 2010-05-15
1964

AWS CloudFormation User Guide
Amazon EMR InstanceGroupConﬁg
CloudWatchAlarmDeﬁnition
Market: ON_DEMAND
Name: cfnTask
JobFlowId: !Ref MyCluster
AutoScalingPolicy:
Constraints:
MinCapacity: !Ref MinCapacity
MaxCapacity: !Ref MaxCapacity
Rules:
- Name: Scale-out
Description: Scale-out policy
Action:
SimpleScalingPolicyConfiguration:
AdjustmentType: CHANGE_IN_CAPACITY
ScalingAdjustment: 1
CoolDown: 300
Trigger:
CloudWatchAlarmDefinition:
Dimensions:
- Key: JobFlowId
Value: '${emr.clusterId}'
EvaluationPeriods: 1
Namespace: AWS/ElasticMapReduce
Period: 300
ComparisonOperator: LESS_THAN
Statistic: AVERAGE
Threshold: 15
Unit: PERCENT
MetricName: YARNMemoryAvailablePercentage
- Name: Scale-in
Description: Scale-in policy
Action:
SimpleScalingPolicyConfiguration:
AdjustmentType: CHANGE_IN_CAPACITY
ScalingAdjustment: -1
CoolDown: 300
Trigger:
CloudWatchAlarmDefinition:
Dimensions:
- Key: JobFlowId
Value: '${emr.clusterId}'
EvaluationPeriods: 1
Namespace: AWS/ElasticMapReduce
Period: 300
ComparisonOperator: GREATER_THAN
Statistic: AVERAGE
Threshold: 75
Unit: PERCENT
MetricName: YARNMemoryAvailablePercentage

Amazon EMR InstanceGroupConﬁg
CloudWatchAlarmDeﬁnition
The CloudWatchAlarmDefinition property speciﬁes the conditions that trigger an automatic scaling
activity. CloudWatchAlarmDefinition is a subproperty of the Amazon EMR InstanceGroupConﬁg
ScalingTrigger (p. 1971) property type.

Syntax
JSON
{

API Version 2010-05-15
1965

AWS CloudFormation User Guide
Amazon EMR InstanceGroupConﬁg
CloudWatchAlarmDeﬁnition

}

"ComparisonOperator" : String,
"Dimensions" : [ MetricDimension, ... ],
"EvaluationPeriods" : Integer,
"MetricName" : String,
"Namespace" : String,
"Period" : Integer,
"Statistic" : String,
"Threshold" : Double,
"Unit" : String

YAML
ComparisonOperator: String
Dimensions:
- MetricDimension
EvaluationPeriods: Integer
MetricName: String
Namespace: String
Period: Integer
Statistic: String
Threshold: Double
Unit: String

Properties
ComparisonOperator
Determines how the metric speciﬁed by MetricName is compared to the value speciﬁed by
Threshold.
Valid values: GREATER_THAN_OR_EQUAL, GREATER_THAN, LESS_THAN, or LESS_THAN_OR_EQUAL.
Required: Yes
Type: String
Dimensions
A list of CloudWatch metric dimensions.
Required: No
Type: List of Amazon EMR InstanceGroupConﬁg MetricDimension (p. 1967)
EvaluationPeriods
The number of periods, expressed in seconds using the Period property, during which the alarm
condition must exist before the alarm triggers automatic scaling activity. The default value is 1.
Required: No
Type: Integer
MetricName
The name of the CloudWatch metric that is watched to determine an alarm condition.
Required: Yes
Type: String
API Version 2010-05-15
1966

AWS CloudFormation User Guide
Amazon EMR InstanceGroupConﬁg MetricDimension

Namespace
The namespace for the CloudWatch metric. The default is AWS/ElasticMapReduce.
Required: No
Type: String
Period
The period, in seconds, over which the statistic for applying the metric associated with the alarm is
applied. You specify the statistic in the Statistic property. CloudWatch metrics for Amazon EMR
are emitted every ﬁve minutes (300 seconds). If you specify a CloudWatch metric for Amazon EMR,
specify 300.
Required: Yes
Type: Integer
Statistic
The statistic to apply to the metric associated with the alarm. The default is AVERAGE.
Valid values: SAMPLE_COUNT, AVERAGE, SUM, MINIMUM, and MAXIMUM.
Required: No
Type: String
Threshold
The value against which the speciﬁed statistic is compared.
Required: Yes
Type: Double
Unit
The unit of measure associated with the CloudWatch metric being watched. Specify the unit
speciﬁed in the CloudWatch metric.
For more information, see CloudWatchAlarmDeﬁnition in the Amazon EMR API Reference.
Required: No
Type: String

Amazon EMR InstanceGroupConﬁg MetricDimension
The MetricDimension property type represents a CloudWatch dimension that you specify
using a key–value pair. The Dimensions subproperty of the Amazon EMR InstanceGroupConﬁg
CloudWatchAlarmDeﬁnition (p. 1965) property contains a list of one or more MetricDimension
property types.

Syntax
JSON
{

"Key" : String,
"Value" : String

API Version 2010-05-15
1967

AWS CloudFormation User Guide
Amazon EMR InstanceGroupConﬁg ScalingAction
}

YAML
Key: String
Value: String

Properties
By default, Amazon EMR uses one dimension whose key (known as a Name in CloudWatch) is JobFlowID
and whose value is a variable representing the cluster ID, which is ${emr.clusterId}. This enables the
rule to bootstrap when the cluster ID becomes available.
Key
The dimension name.
Required: Yes
Type: String
Value
The dimension value.
Required: Yes
Type: String

Amazon EMR InstanceGroupConﬁg ScalingAction
The ScalingAction property type speciﬁes the scaling actions for an Auto Scaling group
policy. ScalingAction is the property type for the Action subproperty of the Amazon EMR
InstanceGroupConﬁg ScalingRule (p. 1970) property type.

Syntax
JSON
{
}

"Market" : String,
"SimpleScalingPolicyConfiguration" : SimpleScalingPolicyConfiguration

YAML
Market: String
SimpleScalingPolicyConfiguration: SimpleScalingPolicyConfiguration

Properties
Market
Not available for instance groups. Instance groups use the market type speciﬁed for the group.
API Version 2010-05-15
1968

AWS CloudFormation User Guide
Amazon EMR InstanceGroupConﬁg ScalingConstraints

Valid values: ON_DEMAND or SPOT.
Required: No
Type: String
SimpleScalingPolicyConfiguration
The type of adjustment that the automatic scaling activity makes when triggered, and the
periodicity of the adjustment.
Required: Yes
Type: Amazon EMR InstanceGroupConﬁg SimpleScalingPolicyConﬁguration (p. 1971)

Amazon EMR InstanceGroupConﬁg
ScalingConstraints
The ScalingConstraints property type speciﬁes the upper and lower EC2 instance limits for an
automatic scaling policy. ScalingConstraints is the property type for the Constraints subproperty
of the Amazon EMR InstanceGroupConﬁg AutoScalingPolicy (p. 1962) property type.

Syntax
JSON
{
}

"MaxCapacity" : Integer,
"MinCapacity" : Integer

YAML
MaxCapacity: Integer
MinCapacity: Integer

Properties
MaxCapacity
For autoscaling, the maximum number of EC2 instances in an instance group. Scale-out activities
add instances only up to this boundary.
Required: Yes
Type: Integer
MinCapacity
For autoscaling, the minimum number of EC2 instances in an instance group. Scale-in activities do
not terminate instances below this boundary.
Required: Yes
Type: Integer
API Version 2010-05-15
1969

AWS CloudFormation User Guide
Amazon EMR InstanceGroupConﬁg ScalingRule

Amazon EMR InstanceGroupConﬁg ScalingRule
The ScalingRule property type represents a scale-in or scale-out rule that deﬁnes scaling activity,
including the CloudWatch metric alarm that triggers activity, how EC2 instances are added or removed,
and the periodicity of adjustments. The Rules subproperty of the Amazon EMR InstanceGroupConﬁg
AutoScalingPolicy (p. 1962) property contains a list of one or more ScalingRule property types.

Syntax
JSON
{

}

"Action" : ScalingAction,
"Description" : String,
"Name" : String,
"Trigger" : ScalingTrigger

YAML
Action: ScalingAction
Description: String
Name: String
Trigger: ScalingTrigger

Properties
Action
The conditions that trigger an automatic scaling activity.
Required: Yes
Type: Amazon EMR InstanceGroupConﬁg ScalingAction (p. 1968)
Description
A friendly, more verbose description of the automatic scaling rule.
Required: No
Type: String
Name
The identiﬁer of the automatic scaling rule. Rule names must be unique within a scaling policy.
Required: Yes
Type: String
Trigger
The CloudWatch alarm deﬁnition that determines when automatic scaling activity is triggered.
Required: Yes
API Version 2010-05-15
1970

AWS CloudFormation User Guide
Amazon EMR InstanceGroupConﬁg ScalingTrigger

Type: Amazon EMR InstanceGroupConﬁg ScalingTrigger (p. 1971)

Amazon EMR InstanceGroupConﬁg ScalingTrigger
The ScalingTrigger property type speciﬁes the conditions that trigger an automatic scaling
activity. ScalingTrigger is the property type for the Trigger subproperty of the Amazon EMR
InstanceGroupConﬁg ScalingRule (p. 1970) property type.

Syntax
JSON
{
}

"CloudWatchAlarmDefinition" : CloudWatchAlarmDefinition

YAML
CloudWatchAlarmDefinition: CloudWatchAlarmDefinition

Properties
CloudWatchAlarmDefinition
The deﬁnition of a CloudWatch metric alarm. When the deﬁned alarm conditions are met along with
other trigger parameters, scaling activity begins.
Required: Yes
Type: Amazon EMR InstanceGroupConﬁg CloudWatchAlarmDeﬁnition (p. 1965)

Amazon EMR InstanceGroupConﬁg
SimpleScalingPolicyConﬁguration
SimpleScalingPolicyConfiguration speciﬁes an automatic scaling conﬁguration
that describes how the policy adds or removes instances, the cooldown period, and the
number of EC2 instances that are added when the CloudWatch metric alarm condition is met.
SimpleScalingPolicyConfiguration is a subproperty of the Amazon EMR InstanceGroupConﬁg
ScalingAction (p. 1968) property type.

Syntax
JSON
{

}

"AdjustmentType" : String,
"CoolDown" : Integer,
"ScalingAdjustment" : String

API Version 2010-05-15
1971

AWS CloudFormation User Guide
Amazon EMR Step HadoopJarStepConﬁg

YAML
AdjustmentType: String
CoolDown: Integer
ScalingAdjustment: String

Properties
Note

For more information about each property, including constraints and valid values, see
SimpleScalingPolicyConﬁguration in the Amazon EMR API Reference.
AdjustmentType
The way in which EC2 instances are added (if ScalingAdjustment is a positive number) or
terminated (if ScalingAdjustment is a negative number) when the scaling activity is triggered.
CHANGE_IN_CAPACITY is the default value.
Required: No
Type: String
CoolDown
The amount of time, in seconds, after a scaling activity completes before any further trigger-related
scaling activities can start. The default value is 0.
Required: No
Type: Integer
ScalingAdjustment
The amount by which to scale the instance group, based on the speciﬁed AdjustmentType.
A positive value adds to the instance group's EC2 instance count. A negative number removes
instances. If AdjustmentType is set to EXACT_CAPACITY, specify only a positive integer. If
AdjustmentType is set to PERCENT_CHANGE_IN_CAPACITY, express the value of the percentage
as a decimal. For example, -0.20 indicates a decrease in 20% increments of cluster capacity.
Required: Yes
Type: Integer

Amazon EMR Step HadoopJarStepConﬁg
HadoopJarStepConfig is a property of the AWS::EMR::Step (p. 1130) resource that speciﬁes a JAR ﬁle
and runtime settings that Amazon EMR (Amazon EMR) executes.

Syntax
JSON
{

"Args" : [ String, ... ],
"Jar" : String,
"MainClass" : String,
"StepProperties" : [ KeyValue, ... ]

API Version 2010-05-15
1972

AWS CloudFormation User Guide
Amazon EMR Step KeyValue
}

YAML
Args:
- String
Jar: String
MainClass: String
StepProperties:
- KeyValue

Properties
Args
A list of command line arguments passed to the JAR ﬁle's main function when the function is
executed.
Required: No
Type: List of String values
Jar
A path to the JAR ﬁle that Amazon EMR runs for the job ﬂow step.
Required: Yes
Type: String
MainClass
The name of the main class in the speciﬁed JAR ﬁle. If you don't specify a value, you must specify a
main class in the JAR ﬁle's manifest ﬁle.
Required: No
Type: String
StepProperties
A list of Java properties that are set when the job ﬂow step runs. You can use these properties to
pass key-value pairs to your main function in the JAR ﬁle.
Required: No
Type: List of Amazon EMR Step KeyValue (p. 1973)

Amazon EMR Step KeyValue
KeyValue is a property of the Amazon EMR Step HadoopJarStepConﬁg (p. 1972) property that speciﬁes
key-value pairs, which are passed to a JAR ﬁle that Amazon EMR (Amazon EMR) executes.

Syntax
JSON
{

"Key" : String,
"Value" : String

API Version 2010-05-15
1973

AWS CloudFormation User Guide
GameLift Alias RoutingStrategy
}

YAML
Key: String
Value: String

Properties
Key
The unique identiﬁer of a key-value pair.
Required: No
Type: String
Value
The value part of the identiﬁed key.
Required: No
Type: String

Amazon GameLift Alias RoutingStrategy
RoutingStrategy is a property of the AWS::GameLift::Alias (p. 1138) resource that conﬁgures
the routing strategy for an Amazon GameLift (GameLift) alias. For more information, see the
RoutingStrategy data type in the Amazon GameLift API Reference.

Syntax
JSON
{

}

"FleetId" : String,
"Message" : String,
"Type" : String

YAML
FleetId: String
Message: String
Type: String

Properties
FleetId
A unique identiﬁer of a GameLift ﬂeet to associate with the alias.
Required: Conditional. If you specify SIMPLE for the Type property, you must specify this property.
Type: String
API Version 2010-05-15
1974

AWS CloudFormation User Guide
GameLift Build StorageLocation

Message
A text message that GameLift displays for the Terminal routing type.
Required: Conditional. If you specify TERMINAL for the Type property, you must specify this
property.
Type: String
Type
The type of routing strategy. For the SIMPLE type, traﬃc is routed to an active GameLift ﬂeet.
For the Terminal type, GameLift returns an exception with the message that you speciﬁed in the
Message property.
Required: Yes
Type: String

Amazon GameLift Build StorageLocation
StorageLocation is a property of the AWS::GameLift::Build (p. 1140) resource that speciﬁes the
location of an Amazon GameLift (GameLift) build package ﬁles, such as the game server binaries. For
more information, see Uploading a Build to Amazon GameLift in the Amazon GameLift Developer Guide.

Syntax
JSON
{

}

"Bucket" : String,
"Key" : String,
"RoleArn" : String

YAML
Bucket: String
Key: String
RoleArn: String

Properties
Bucket
The S3 bucket where the GameLift build package ﬁles are stored.
Required: Yes
Type: String
Key
The preﬁx (folder name) where the GameLift build package ﬁles are located.
Required: Yes
API Version 2010-05-15
1975

AWS CloudFormation User Guide
GameLift Fleet EC2InboundPermission

Type: String
RoleArn
An AWS Identity and Access Management (IAM) role Amazon Resource Name (ARN) that GameLift
can assume to retrieve the build package ﬁles from Amazon Simple Storage Service (Amazon S3).
Required: Yes
Type: String

Amazon GameLift Fleet EC2InboundPermission
EC2InboundPermission is a property of the AWS::GameLift::Fleet (p. 1142) resource that speciﬁes the
traﬃc that is permitted to access your game servers in an Amazon GameLift (GameLift) ﬂeet.

Syntax
JSON
{

}

"FromPort" : Integer,
"IpRange" : String,
"Protocol" : String,
"ToPort" : Integer

YAML
FromPort: Integer
IpRange: String
Protocol: String
ToPort: Integer

Properties
FromPort
The starting value for a range of allowed port numbers. This value must be lower than the ToPort
value.
Required: Yes
Type: Integer
IpRange
The range of allowed IP addresses in CIDR notation.
Required: Yes
Type: String
Protocol
The network communication protocol that is used by the ﬂeet. For valid values, see the IpPermission
data type in the Amazon GameLift API Reference.
API Version 2010-05-15
1976

AWS CloudFormation User Guide
AWS Glue Classiﬁer GrokClassiﬁer

Required: Yes
Type: String
ToPort
The ending value for a range of allowed port numbers. This value must be higher than the
FromPort value.
Required: Yes
Type: Integer

AWS Glue Classiﬁer GrokClassiﬁer
The GrokClassifier property type speciﬁes an AWS Glue classiﬁer that uses grok.
GrokClassifier is a property of the AWS::Glue::Classiﬁer (p. 1146) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"CustomPatterns" : String,
"GrokPattern" : String,
"Classification" : String,
"Name" : String

YAML
CustomPatterns: String
GrokPattern: String
Classification: String
Name: String

Properties
For more information, see GrokClassiﬁer Structure in the AWS Glue Developer Guide.
CustomPatterns
Custom grok patterns that are used by this classiﬁer. It must match the URI address multi-line string
pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
GrokPattern
The grok pattern that's used by this classiﬁer. It must match the Logstash grok string pattern:
[\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\t]*
API Version 2010-05-15
1977

AWS CloudFormation User Guide
AWS Glue Connection ConnectionInput

Required: Yes
Type: String
Update requires: No interruption (p. 118)
Classification
The data form that the classiﬁer matches—such as Twitter, JSON, or Omniture logs.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Name
The name of the classiﬁer. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: Replacement (p. 119)

AWS Glue Connection ConnectionInput
The ConnectionInput property type speciﬁes the AWS Glue connection to create.
ConnectionInput is a property of the AWS::Glue::Connection (p. 1147) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Description" : String,
"ConnectionType" : String,
"MatchCriteria" : [ String, ... ],
"PhysicalConnectionRequirements" : PhysicalConnectionRequirements (p. 1980),
"ConnectionProperties" : JSON object,
"Name" : String

YAML
Description: String
ConnectionType: String
MatchCriteria:
- String
PhysicalConnectionRequirements:
PhysicalConnectionRequirements (p. 1980)
ConnectionProperties: JSON object
Name: String

API Version 2010-05-15
1978

AWS CloudFormation User Guide
AWS Glue Connection ConnectionInput

Properties
For more information, see ConnectionInput Structure in the AWS Glue Developer Guide.
Description
The description of the connection.
Required: No
Type: String
Update requires: No interruption (p. 118)
ConnectionType
The type of the connection. Valid values are JDBC or SFTP.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
MatchCriteria
A list of UTF-8 strings that specify the criteria that you can use in selecting this connection.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)
PhysicalConnectionRequirements
A map of physical connection requirements that are needed to make the connection, such as VPC
and SecurityGroup.
Required: Yes
Type: AWS Glue Connection PhysicalConnectionRequirements (p. 1980)
Update requires: No interruption (p. 118)
ConnectionProperties
UTF-8 string–to–UTF-8 string key-value pairs that specify the parameters for this connection.
Required: Yes
Type: JSON object
Update requires: No interruption (p. 118)
Name
The name of the connection.
Required: No
Type: String
Update requires: Replacement (p. 119)
API Version 2010-05-15
1979

AWS CloudFormation User Guide
AWS Glue Connection PhysicalConnectionRequirements

AWS Glue Connection
PhysicalConnectionRequirements
The PhysicalConnectionRequirements property type speciﬁes the physical connection
requirements that are needed to make an AWS Glue connection, such as VPC and SecurityGroup.
PhysicalConnectionRequirements is a property of the AWS Glue Connection
ConnectionInput (p. 1978) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"AvailabilityZone" : String,
"SecurityGroupIdList" : [ String, ... ],
"SubnetId" : String

YAML
AvailabilityZone: String
SecurityGroupIdList:
- String
SubnetId: String

Properties
For more information, see PhysicalConnectionRequirements Structure in the AWS Glue Developer Guide.
AvailabilityZone
The connection's Availability Zone. It must match the single-line string pattern: [\u0020-\uD7FF
\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: Yes
Type: String
Update requires: No interruption (p. 118)
SecurityGroupIdList
A list of UTF-8 strings that specify the security group IDs that are used by the connection.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)
SubnetId
The subnet ID that's used by the connection. It must match the single-line string pattern: [\u0020\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: Yes
API Version 2010-05-15
1980

AWS CloudFormation User Guide
AWS Glue Crawler JdbcTarget

Type: String
Update requires: No interruption (p. 118)

AWS Glue Crawler JdbcTarget
The JdbcTarget property type speciﬁes a JDBC target for an AWS Glue crawl.
The JdbcTargets property of the AWS Glue Crawler Targets (p. 1984) property type contains a list of
JdbcTarget property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"ConnectionName" : String,
"Path" : String,
"Exclusions" : [ String, ... ]

YAML
ConnectionName: String
Path: String
Exclusions:
- String

Properties
For more information, see JdbcTarget Structure in the AWS Glue Developer Guide.
ConnectionName
The name of the connection to use for the JDBC target.
Required: No
Type: String
Update requires: No interruption (p. 118)
Path
The path of the JDBC target.
Required: No
Type: String
Update requires: No interruption (p. 118)
Exclusions
A list of UTF-8 strings that specify the items to exclude from the crawl.
Required: No
API Version 2010-05-15
1981

AWS CloudFormation User Guide
AWS Glue Crawler S3Target

Type: List of String values
Update requires: No interruption (p. 118)

AWS Glue Crawler S3Target
The S3Target property type speciﬁes an Amazon S3 target for an AWS Glue crawl.
The S3Targets property of the AWS Glue Crawler Targets (p. 1984) property type contains a list of
S3Target property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Path" : String,
"Exclusions" : [ String, ... ]

YAML
Path: String
Exclusions:
- String

Properties
For more information, see S3Target Structure in the AWS Glue Developer Guide.
Path
The path to the Amazon S3 target.
Required: No
Type: String
Update requires: No interruption (p. 118)
Exclusions
A list of UTF-8 strings that specify the Amazon S3 objects to exclude from the crawl.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

AWS Glue Crawler Schedule
The Schedule property type schedules an event for an AWS Glue crawler using a cron statement.
API Version 2010-05-15
1982

AWS CloudFormation User Guide
AWS Glue Crawler SchemaChangePolicy

Schedule is a property of the AWS::Glue::Crawler (p. 1149) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"ScheduleExpression" : String

YAML
ScheduleExpression: String

Properties
For more information, see Schedule Structure in the AWS Glue Developer Guide.
ScheduleExpression
A cron expression that you can use as an Amazon CloudWatch Events event to schedule something.
For example, to run something every day at 12:15 UTC, you would specify: cron(15 12 * * ? *).
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Glue Crawler SchemaChangePolicy
The SchemaChangePolicy property type speciﬁes update and delete behaviors for an AWS Glue
crawler.
SchemaChangePolicy is a property of the AWS::Glue::Crawler (p. 1149) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"UpdateBehavior" : String,
"DeleteBehavior" : String

YAML
UpdateBehavior: String
DeleteBehavior: String

API Version 2010-05-15
1983

AWS CloudFormation User Guide
AWS Glue Crawler Targets

Properties
For more information, see SchemaChangePolicy Structure in the AWS Glue Developer Guide.
UpdateBehavior
The update behavior. Valid values are LOG or UPDATE_IN_DATABASE.
Required: No
Type: String
Update requires: No interruption (p. 118)
DeleteBehavior
The deletion behavior. Valid values are LOG, DELETE_FROM_DATABASE, or
DEPRECATE_IN_DATABASE.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Glue Crawler Targets
The Targets property type speciﬁes AWS Glue crawler targets.
Targets is a property of the AWS::Glue::Crawler (p. 1149) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"S3Targets" : [ S3Target (p. 1982), ... ],
"JdbcTargets" : [ JdbcTarget (p. 1981), ... ]

YAML
S3Targets:
- S3Target (p. 1982)
JdbcTargets:
- JdbcTarget (p. 1981)

Properties
For more information, see CrawlerTargets Structure in the AWS Glue Developer Guide.
S3Targets
The Amazon S3 crawler targets.
API Version 2010-05-15
1984

AWS CloudFormation User Guide
AWS Glue Database DatabaseInput

Required: No
Type: List of AWS Glue Crawler S3Target (p. 1982)
Update requires: No interruption (p. 118)
JdbcTargets
The JDBC crawler targets.
Required: No
Type: List of AWS Glue Crawler JdbcTarget (p. 1981)
Update requires: No interruption (p. 118)

AWS Glue Database DatabaseInput
The DatabaseInput property type speciﬁes the metadata that is used to create or update an AWS Glue
database.
DatabaseInput is a property of the AWS::Glue::Database (p. 1154) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"LocationUri" : String,
"Description" : String,
"Parameters" : JSON object,
"Name" : String

YAML
LocationUri: String
Description: String
Parameters: JSON object
Name: String

Properties
For more information, see DatabaseInput Structure in the AWS Glue Developer Guide.
LocationUri
The location of the database (for example, an HDFS path). It must match the URI address multi-line
string pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
1985

AWS CloudFormation User Guide
AWS Glue Job ConnectionsList

Description
The description of the database. It must match the URI address multi-line string pattern: [\u0020\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
Parameters
UTF-8 string–to–UTF-8 string key-value pairs that specify the properties that are associated with the
database.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
Name
The name of the database. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: Replacement (p. 119)

AWS Glue Job ConnectionsList
The ConnectionsList property type speciﬁes the connections that are used by an AWS Glue job.
ConnectionsList is the property type for the Connections property of the AWS::Glue::Job (p. 1157)
resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Connections" : [ String, ... ]

YAML
Connections:
- String

Properties
For more information, see ConnectionsList Structure in the AWS Glue Developer Guide.
API Version 2010-05-15
1986

AWS CloudFormation User Guide
AWS Glue Job ExecutionProperty

Connections
A list of UTF-8 strings that speciﬁes the connections that are used by the job.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

AWS Glue Job ExecutionProperty
The ExecutionProperty property type speciﬁes the maximum number of concurrent runs allowed for
an AWS Glue job.
ExecutionProperty is a property of the AWS::Glue::Job (p. 1157) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"MaxConcurrentRuns" : Integer

YAML
MaxConcurrentRuns: Integer

Properties
For more information, see ExecutionProperty Structure in the AWS Glue Developer Guide.
MaxConcurrentRuns
The maximum number of concurrent runs that are allowed for the job.
Required: No
Type: Integer
Update requires: No interruption (p. 118)

AWS Glue Job JobCommand
The JobCommand property type speciﬁes code that executes an AWS Glue job.
JobCommand is the property type for the Command property of the AWS::Glue::Job (p. 1157) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
1987

AWS CloudFormation User Guide
AWS Glue Partition Column

JSON
{
}

"ScriptLocation" : String,
"Name" : String

YAML
ScriptLocation: String
Name: String

Properties
For more information, see JobCommand Structure in the AWS Glue Developer Guide.
ScriptLocation
The location of a script that executes a job.
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the job command.
Required: No
Type: String
Valid values: glueetl
Update requires: No interruption (p. 118)

AWS Glue Partition Column
The Column property type speciﬁes a column for an AWS Glue partition.
The Columns property of the AWS Glue Partition StorageDescriptor (p. 1993) property type contains a
list of Column property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Comment" : String,
"Type" : String,
"Name" : String

API Version 2010-05-15
1988

AWS CloudFormation User Guide
AWS Glue Partition Order

YAML
Comment: String
Type: String
Name: String

Properties
Comment
A free-form text comment. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
Type
The data type of the column data. It must match the single-line string pattern: [\u0020-\uD7FF
\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the column. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: Yes
Type: String
Update requires: No interruption (p. 118)

AWS Glue Partition Order
The Order property type speciﬁes the sort order of a column in an AWS Glue partition.
The SortColumns property of the AWS Glue Partition StorageDescriptor (p. 1993) property type
contains a list of Order property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Column" : String,
"SortOrder" : Integer

API Version 2010-05-15
1989

AWS CloudFormation User Guide
AWS Glue Partition PartitionInput
}

YAML
Column: String
SortOrder: Integer

Properties
Column
The name of the column. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: Yes
Type: String
Update requires: No interruption (p. 118)
SortOrder
Indicates whether the column is sorted in ascending order (1) or descending order (0).
Required: No
Type: Integer
Update requires: No interruption (p. 118)

AWS Glue Partition PartitionInput
The PartitionInput property type speciﬁes the metadata that's used to create or update an AWS Glue
partition.
PartitionInput is a property of the AWS::Glue::Partition (p. 1162) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Parameters" : JSON object,
"StorageDescriptor" : StorageDescriptor (p. 1993),
"Values" : [ String, ... ]

YAML
Parameters:
JSON object
StorageDescriptor:
StorageDescriptor (p. 1993)
Values:

API Version 2010-05-15
1990

AWS CloudFormation User Guide
AWS Glue Partition SerdeInfo
- String

Properties
Parameters
UTF-8 string–to–UTF-8 string key-value pairs that specify the parameters for the partition.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
StorageDescriptor
Information about the physical storage of the partition.
Required: No
Type: AWS Glue Partition StorageDescriptor (p. 1993)
Update requires: No interruption (p. 118)
Values
A list of UTF-8 strings that specify the values of the partition.
Required: Yes
Type: List of String values
Update requires: Replacement (p. 119)

See Also
• PartitionInput in the AWS Glue Developer Guide

AWS Glue Partition SerdeInfo
The SerdeInfo property type speciﬁes information about a serialization/deserialization program
(SerDe), which serves as an extractor and loader for an AWS Glue partition.
SerdeInfo is a property of the AWS Glue Partition StorageDescriptor (p. 1993) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Parameters" : JSON object,
"SerializationLibrary" : String,
"Name" : String

API Version 2010-05-15
1991

AWS CloudFormation User Guide
AWS Glue Partition SkewedInfo

YAML
Parameters:
JSON object
SerializationLibrary: String
Name: String

Properties
Parameters
UTF-8 string–to–UTF-8 string key-value pairs that specify the initialization parameters for the SerDe.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
SerializationLibrary
The serialization library. This is usually the class that implements the SerDe, such as
org.apache.hadoop.hive.serde2.columnar.ColumnarSerDe. It must match the single-line
string pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the SerDe. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Glue Partition SkewedInfo
The SkewedInfo property type speciﬁes skewed values (values that occur with very high frequency) in
an AWS Glue partition.
SkewedInfo is a property of the AWS Glue Partition StorageDescriptor (p. 1993) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"SkewedColumnNames" : [ String, ... ],
"SkewedColumnValues" : [ String, ... ],
"SkewedColumnValueLocationMaps" : JSON object

API Version 2010-05-15
1992

AWS CloudFormation User Guide
AWS Glue Partition StorageDescriptor
}

YAML
SkewedColumnNames:
- String
SkewedColumnValues:
- String
SkewedColumnValueLocationMaps:
JSON object

Properties
SkewedColumnNames
A list of UTF-8 strings that specify the names of columns that contain skewed values.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SkewedColumnValues
A list of UTF-8 strings that specify values that appear so frequently that they're considered to be
skewed.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SkewedColumnValueLocationMaps
UTF-8 string–to–UTF-8 string key-value pairs that map skewed values to the columns that contain
them.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)

AWS Glue Partition StorageDescriptor
The StorageDescriptor property type describes the physical storage of AWS Glue partition data.
StorageDescriptor is a property of the AWS Glue Partition PartitionInput (p. 1990) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1993

AWS CloudFormation User Guide
AWS Glue Partition StorageDescriptor

}

"StoredAsSubDirectories" : Boolean,
"Parameters" : JSON object,
"BucketColumns" : [ String, ... ],
"SkewedInfo" : SkewedInfo (p. 1992),
"InputFormat" : String,
"NumberOfBuckets" : Integer,
"OutputFormat" : String,
"Columns" : [ Column (p. 1988), ... ],
"SerdeInfo" : SerdeInfo (p. 1991),
"SortColumns" : [ Order (p. 1989), ... ],
"Compressed" : Boolean,
"Location" : String

YAML
StoredAsSubDirectories: Boolean
Parameters:
JSON object
BucketColumns:
- String
SkewedInfo:
SkewedInfo (p. 1992)
InputFormat: String
NumberOfBuckets: Integer
OutputFormat: String
Columns:
- Column (p. 1988)
SerdeInfo:
SerdeInfo (p. 1991)
SortColumns:
- Order (p. 1989)
Compressed: Boolean
Location: String

Properties
StoredAsSubDirectories
Indicates whether the partition data is stored in subdirectories.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Parameters
UTF-8 string–to–UTF-8 string key-value pairs that specify user-supplied properties.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
BucketColumns
A list of UTF-8 strings that specify reducer grouping columns, clustering columns, and bucketing
columns in the partition.
Required: No
API Version 2010-05-15
1994

AWS CloudFormation User Guide
AWS Glue Partition StorageDescriptor

Type: List of String values
Update requires: No interruption (p. 118)
SkewedInfo
Information about values that appear very frequently in a column (skewed values).
Required: No
Type: AWS Glue Partition SkewedInfo (p. 1992)
Update requires: No interruption (p. 118)
InputFormat
The input format: SequenceFileInputFormat (binary), TextInputFormat, or a custom format.
It must match the single-line string pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
NumberOfBuckets
The number of buckets.
Required: Conditional. You must specify this property if the partition contains any dimension
columns.
Type: Integer
Update requires: No interruption (p. 118)
OutputFormat
The output format: SequenceFileOutputFormat (binary), IgnoreKeyTextOutputFormat, or
a custom format. It must match the single-line string pattern: [\u0020-\uD7FF\uE000-\uFFFD
\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
Columns
The columns in the partition.
Required: No
Type: List of AWS Glue Partition Column (p. 1988)
Update requires: No interruption (p. 118)
SerdeInfo
Information about a serialization/deserialization program (SerDe), which serves as an extractor and
loader.
Required: No
Type: AWS Glue Partition SerdeInfo (p. 1991)
API Version 2010-05-15
1995

AWS CloudFormation User Guide
AWS Glue Table Column

Update requires: No interruption (p. 118)
SortColumns
The sort order of each bucket in the partition.
Required: No
Type: List of AWS Glue Partition Order (p. 1989)
Update requires: No interruption (p. 118)
Compressed
Indicates whether the data in the partition is compressed.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Location
The physical location of the partition. By default, this takes the form of the warehouse location,
followed by the database location in the warehouse, followed by the partition name. It must match
the URI address multi-line string pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00\uDBFF\uDFFF\r\n\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Glue Table Column
The Column property type speciﬁes a column for an AWS Glue table.
The PartitionKeys property of the AWS Glue Table TableInput (p. 2003) property type and the
Columns property of the AWS Glue Table StorageDescriptor (p. 2000) property type contain a list of
Column property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Comment" : String,
"Type" : String,
"Name" : String

YAML
Comment: String
Type: String
Name: String

API Version 2010-05-15
1996

AWS CloudFormation User Guide
AWS Glue Table Order

Properties
For more information, see Column Structure in the AWS Glue Developer Guide.
Comment
A free-form text comment. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
Type
The data type of the column data. It must match the single-line string pattern: [\u0020-\uD7FF
\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the column. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• Column Structure in the AWS Glue Developer Guide

AWS Glue Table Order
The Order property type speciﬁes the sort order of a column in an AWS Glue table.
The SortColumns property of the AWS Glue Table StorageDescriptor (p. 2000) property type contains a
list of Order property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Column" : String,
"SortOrder" : Integer

API Version 2010-05-15
1997

AWS CloudFormation User Guide
AWS Glue Table SerdeInfo

YAML
Column: String
SortOrder: Integer

Properties
For more information, see Order Structure in the AWS Glue Developer Guide.
Column
The name of the column. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: Yes
Type: String
Update requires: No interruption (p. 118)
SortOrder
Indicates whether the column is sorted in ascending order (1) or descending order (0).
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)

See Also
• Order Structure in the AWS Glue Developer Guide

AWS Glue Table SerdeInfo
The SerdeInfo property type speciﬁes information about a serialization/deserialization program
(SerDe), which serves as an extractor and loader for an AWS Glue table.
SerdeInfo is a property of the AWS Glue Table StorageDescriptor (p. 2000) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Parameters" : JSON object,
"SerializationLibrary" : String,
"Name" : String

YAML
Parameters: JSON object

API Version 2010-05-15
1998

AWS CloudFormation User Guide
AWS Glue Table SkewedInfo
SerializationLibrary: String
Name: String

Properties
For more information, see SerDeInfo Structure in the AWS Glue Developer Guide.
Parameters
UTF-8 string–to–UTF-8 string key-value pairs that specify the initialization parameters for the SerDe.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
SerializationLibrary
The serialization library. This is usually the class that implements the SerDe, such as
org.apache.hadoop.hive.serde2.columnar.ColumnarSerDe. It must match the single-line
string pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the SerDe. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• SerDeInfo Structure in the AWS Glue Developer Guide

AWS Glue Table SkewedInfo
The SkewedInfo property type speciﬁes skewed values (values that occur with very high frequency) in
an AWS Glue table.
SkewedInfo is a property of the AWS Glue Table StorageDescriptor (p. 2000) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
1999

AWS CloudFormation User Guide
AWS Glue Table StorageDescriptor

}

"SkewedColumnNames" : [ String, ... ],
"SkewedColumnValues" : [ String, ... ],
"SkewedColumnValueLocationMaps" : JSON object

YAML
SkewedColumnNames:
- String
SkewedColumnValues:
- String
SkewedColumnValueLocationMaps: JSON object

Properties
For more information, see SkewedInfo Structure in the AWS Glue Developer Guide.
SkewedColumnNames
A list of UTF-8 strings that specify the names of columns that contain skewed values.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SkewedColumnValues
A list of UTF-8 strings that specify values that appear so frequently that they're considered to be
skewed.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SkewedColumnValueLocationMaps
UTF-8 string–to–UTF-8 string key-value pairs that map skewed values to the columns that contain
them.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)

See Also
• SkewedInfo Structure in the AWS Glue Developer Guide

AWS Glue Table StorageDescriptor
The StorageDescriptor property type describes the physical storage of AWS Glue table data.
StorageDescriptor is a property of the AWS Glue Table TableInput (p. 2003) property type.
API Version 2010-05-15
2000

AWS CloudFormation User Guide
AWS Glue Table StorageDescriptor

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"StoredAsSubDirectories" : Boolean,
"Parameters" : JSON object,
"BucketColumns" : [ String, ... ],
"SkewedInfo" : SkewedInfo (p. 1999),
"InputFormat" : String,
"NumberOfBuckets" : Integer,
"OutputFormat" : String,
"Columns" : [ Column (p. 1996), ... ],
"SerdeInfo" : SerdeInfo (p. 1998),
"SortColumns" : [ Order (p. 1997), ... ],
"Compressed" : Boolean,
"Location" : String

YAML
StoredAsSubDirectories: Boolean
Parameters: JSON object
BucketColumns:
- String
SkewedInfo:
SkewedInfo (p. 1999)
InputFormat: String
NumberOfBuckets: Integer
OutputFormat: String
Columns:
- Column (p. 1996)
SerdeInfo:
SerdeInfo (p. 1998)
SortColumns:
- Order (p. 1997)
Compressed: Boolean
Location: String

Properties
For more information, see StorageDescriptor Structure in the AWS Glue Developer Guide.
StoredAsSubDirectories
Indicates whether the table data is stored in subdirectories.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Parameters
UTF-8 string–to–UTF-8 string key-value pairs that specify user-supplied properties.
Required: No
API Version 2010-05-15
2001

AWS CloudFormation User Guide
AWS Glue Table StorageDescriptor

Type: JSON object
Update requires: No interruption (p. 118)
BucketColumns
A list of UTF-8 strings that specify reducer grouping columns, clustering columns, and bucketing
columns in the table.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
SkewedInfo
Information about values that appear very frequently in a column (skewed values).
Required: No
Type: AWS Glue Table SkewedInfo (p. 1999)
Update requires: No interruption (p. 118)
InputFormat
The input format: SequenceFileInputFormat (binary), TextInputFormat, or a custom format.
It must match the single-line string pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
NumberOfBuckets
The number of buckets.
Required: Conditional. You must specify this property if the table contains any dimension columns.
Type: Integer
Update requires: No interruption (p. 118)
OutputFormat
The output format: SequenceFileOutputFormat (binary), IgnoreKeyTextOutputFormat, or
a custom format. It must match the single-line string pattern: [\u0020-\uD7FF\uE000-\uFFFD
\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
Columns
The columns in the table.
Required: No
Type: List of AWS Glue Table Column (p. 1996)
API Version 2010-05-15
2002

AWS CloudFormation User Guide
AWS Glue Table TableInput

Update requires: No interruption (p. 118)
SerdeInfo
Information about a serialization/deserialization program (SerDe), which serves as an extractor and
loader.
Required: No
Type: AWS Glue Table SerdeInfo (p. 1998)
Update requires: No interruption (p. 118)
SortColumns
The sort order of each bucket in the table.
Required: No
Type: List of AWS Glue Table Order (p. 1997)
Update requires: No interruption (p. 118)
Compressed
Indicates whether the data in the table is compressed.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Location
The physical location of the table. By default, this takes the form of the warehouse location,
followed by the database location in the warehouse, followed by the table name. It must match the
URI address multi-line string pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF
\uDFFF\r\n\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• StorageDescriptor Structure in the AWS Glue Developer Guide

AWS Glue Table TableInput
The TableInput property type speciﬁes the metadata that's used to create or update an AWS Glue
table.
TableInput is a property of the AWS::Glue::Table (p. 1164) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
2003

AWS CloudFormation User Guide
AWS Glue Table TableInput

JSON
{

}

"Owner" : String,
"ViewOriginalText" : String,
"Description" : String,
"TableType" : String,
"Parameters" : JSON object,
"ViewExpandedText" : String,
"StorageDescriptor" : StorageDescriptor (p. 2000),
"PartitionKeys" : [ Column (p. 1996), ... ],
"Retention" : Integer,
"Name" : String

YAML
Owner: String
ViewOriginalText: String
Description: String
TableType: String
Parameters: JSON object
ViewExpandedText: String
StorageDescriptor:
StorageDescriptor (p. 2000)
PartitionKeys:
- Column (p. 1996)
Retention: Integer
Name: String

Properties
For more information, see TableInput Structure in the AWS Glue Developer Guide.
Owner
The owner of the table. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
ViewOriginalText
The original text of the view, if the table is a view. Otherwise, it's null.
Required: No
Type: String
Update requires: No interruption (p. 118)
Description
The description of the table. It must match the URI address multi-line string pattern: [\u0020\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: No
API Version 2010-05-15
2004

AWS CloudFormation User Guide
AWS Glue Table TableInput

Type: String
Update requires: No interruption (p. 118)
TableType
The type of the table, such as EXTERNAL_TABLE or VIRTUAL_VIEW.
Required: No
Type: String
Update requires: No interruption (p. 118)
Parameters
UTF-8 string–to–UTF-8 string key-value pairs that specify the properties that are associated with the
table.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
ViewExpandedText
The expanded text of the view, if the table is a view. Otherwise it's null.
Required: No
Type: String
Update requires: No interruption (p. 118)
StorageDescriptor
Information about the physical storage of the table.
Required: No
Type: AWS Glue Table StorageDescriptor (p. 2000)
Update requires: No interruption (p. 118)
PartitionKeys
The columns in the table.
Required: No
Type: List of AWS Glue Table Column (p. 1996)
Update requires: No interruption (p. 118)
Retention
The retention time for the table.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Name
The name of the table. It must match the single-line string pattern: [\u0020-\uD7FF\uE000\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
API Version 2010-05-15
2005

AWS CloudFormation User Guide
AWS Glue Trigger Action

Required: Yes
Type: String
Update requires: Replacement (p. 119)

AWS Glue Trigger Action
The Action property type speciﬁes the actions that an AWS Glue job trigger initiates when it ﬁres.
Action is a property of the AWS::Glue::Trigger (p. 1165) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"JobName" : String,
"Arguments" : JSON object

YAML
JobName: String
Arguments: JSON object

Properties
JobName
The name of the associated job. It must match the single-line string pattern: [\u0020-\uD7FF
\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
Arguments
UTF-8 string–to–UTF-8 string key-value pairs that specify the arguments for the action.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)

See Also
• Action Structure in the AWS Glue Developer Guide
API Version 2010-05-15
2006

AWS CloudFormation User Guide
AWS Glue Trigger Condition

AWS Glue Trigger Condition
The Condition property type speciﬁes a condition for an AWS Glue job trigger predicate.
The Conditions property of the AWS Glue Trigger Predicate (p. 2008) property type contains a list of
Condition property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"LogicalOperator" : String,
"JobName" : String,
"State" : String

YAML
LogicalOperator: String
JobName: String
State: String

Properties
LogicalOperator
The logical operator for the condition.
Valid values: EQUALS
Required: No
Type: String
Update requires: No interruption (p. 118)
JobName
The name of the associated job. It must match the single-line string pattern: [\u0020-\uD7FF
\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
Required: No
Type: String
Update requires: No interruption (p. 118)
State
The state of the condition.
Valid values: SUCCEEDED
Required: No
API Version 2010-05-15
2007

AWS CloudFormation User Guide
AWS Glue Trigger Predicate

Type: String
Update requires: No interruption (p. 118)

See Also
• Condition Structure in the AWS Glue Developer Guide

AWS Glue Trigger Predicate
The Predicate property type speciﬁes the predicate of an AWS Glue job trigger, which determines
when it ﬁres.
Predicate is a property of the AWS::Glue::Trigger (p. 1165) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Logical" : String,
"Conditions" : [ Condition (p. 2007), ... ]

YAML
Logical: String
Conditions:
- Condition (p. 2007)

Properties
Logical
The logical operator for the predicate.
Valid values: AND
Required: No
Type: String
Update requires: No interruption (p. 118)
Conditions
The conditions that determine when the trigger ﬁres.
Required: No
Type: List of AWS Glue Trigger Condition (p. 2007)
Update requires: No interruption (p. 118)
API Version 2010-05-15
2008

AWS CloudFormation User Guide
GuardDuty Filter FindingCriteria

See Also
• Predicate Structure in the AWS Glue Developer Guide

GuardDuty Filter FindingCriteria
The FindingCriteria property type speciﬁes the attributes to be used in the ﬁlter and the conditions
to be applied to the selected attributes for ﬁltering through your GuardDuty ﬁndings.
FindingCriteria is a property of the AWS::GuardDuty::Filter (p. 1172) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Criterion" : Json,
"ItemType" : Condition (p. 2009)

YAML
Criterion: Json
ItemType: Condition (p. 2009)

Properties
Criterion
Speciﬁes the ﬁnding attributes (for example, region, type, severity, etc.) that you want to include in
the ﬁnding criteria for a ﬁlter.
Required: No
Type: Json
Update requires: No interruption (p. 118)
ItemType
Speciﬁes the condition to be applied to a single ﬁeld when ﬁltering through ﬁndings.
Required: No
Type: GuardDuty Filter Condition (p. 2009)
Update requires: No interruption (p. 118)

GuardDuty Filter Condition
The Condition property type speciﬁes the condition to be applied to a single ﬁeld when ﬁltering
through GuardDuty ﬁndings.
API Version 2010-05-15
2009

AWS CloudFormation User Guide
GuardDuty Filter Condition

Condition is a property of the GuardDuty Filter FindingCriteria (p. 2009) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Lt" : Integer,
"Gte" : Integer,
"Neq" : [ String, ... ],
"Eq" : [ String, ... ],
"Lte" : Integer

YAML
Lt: Integer
Gte: Integer
Neq:
- String
Eq:
- String
Lte: Integer

Properties
Lt
Represents the "less than" condition to be applied to a single ﬁeld when ﬁltering through ﬁndings.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Gte
Represents the "greater than equal" condition to be applied to a single ﬁeld when ﬁltering through
ﬁndings.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Neq
Represents the "not equal to" condition to be applied to a single ﬁeld when ﬁltering through
ﬁndings.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
API Version 2010-05-15
2010

AWS CloudFormation User Guide
IAM Policies

Eq
Represents the "equal to" condition to be applied to a single ﬁeld when ﬁltering through ﬁndings.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
Lte
Represents the "less than equal" condition to be applied to a single ﬁeld when ﬁltering through
ﬁndings.
Required: No
Type: Integer
Update requires: No interruption (p. 118)

IAM Policies
Policies is a property of the AWS::IAM::Role (p. 1197), AWS::IAM::Group (p. 1186), and
AWS::IAM::User (p. 1205) resources. The Policies property describes what actions are allowed on
what resources. For more information about IAM policies, see Overview of Policies and AWS IAM Policy
Reference in the IAM User Guide.

Syntax
JSON
{
}

"PolicyDocument" : JSON,
"PolicyName" : String

YAML
PolicyDocument: JSON
PolicyName: String

Properties
PolicyDocument
A policy document that describes what actions are allowed on which resources.
Required: Yes
Type: JSON object
Update requires: No interruption (p. 118)
PolicyName
The name of the policy.
Required: Yes
API Version 2010-05-15
2011

AWS CloudFormation User Guide
IAM User LoginProﬁle

Type: String
Update requires: No interruption (p. 118)

IAM User LoginProﬁle
LoginProfile is a property of the AWS::IAM::User (p. 1205) resource that creates a login proﬁle for
users so that they can access the AWS Management Console.

Syntax
JSON
{
}

"Password" : String,
"PasswordResetRequired" : Boolean

YAML
Password: String
PasswordResetRequired: Boolean

Properties
Password
The password for the user.
Required: Yes
Type: String
PasswordResetRequired
Speciﬁes whether the user is required to set a new password the next time the user logs in to the
AWS Management Console.
Required: No
Type: Boolean

AWS IoT TopicRule Action
Action is a property of the TopicRulePayload property that describes an action associated with an
AWS IoT rule. For more information, see Rules for AWS IoT.

Syntax
JSON
{

"CloudwatchAlarm": CloudwatchAlarm Action,
"CloudwatchMetric": CloudwatchMetric Action,
"DynamoDB": DynamoDB Action,

API Version 2010-05-15
2012

AWS CloudFormation User Guide
AWS IoT TopicRule Action

}

"DynamoDBv2": DynamoDBv2 Action,
"Elasticsearch": Elasticsearch Action,
"Firehose": Firehose Action,
"Kinesis": Kinesis Action,
"Lambda": Lambda Action,
"Republish": Republish Action,
"S3": S3 Action,
"Sns": Sns Action,
"Sqs": Sqs Action

YAML
CloudwatchAlarm:
CloudwatchAlarm Action
CloudwatchMetric:
CloudwatchMetric Action
DynamoDB:
DynamoDB Action
DynamoDBv2:
DynamoDBv2 Action
Elasticsearch:
Elasticsearch Action
Firehose:
Firehose Action
Kinesis:
Kinesis Action
Lambda:
Lambda Action
Republish:
Republish Action
S3:
S3 Action
Sns:
Sns Action
Sqs:
Sqs Action

Properties
CloudwatchAlarm
Changes the state of a CloudWatch alarm.
Required: No
Type: AWS IoT TopicRule CloudwatchAlarmAction (p. 2015)
CloudwatchMetric
Captures a CloudWatch metric.
Required: No
Type: AWS IoT TopicRule CloudwatchMetricAction (p. 2016)
DynamoDB
Writes data to a DynamoDB table.
Required: No
Type: AWS IoT TopicRule DynamoDBAction (p. 2017)
API Version 2010-05-15
2013

AWS CloudFormation User Guide
AWS IoT TopicRule Action

DynamoDBv2
Writes data to a DynamoDB table.
Required: No
Type: AWS IoT TopicRule DynamoDBv2Action (p. 2019)
Elasticsearch
Writes data to an Elasticsearch domain.
Required: No
Type: AWS IoT TopicRule ElasticsearchAction (p. 2020)
Firehose
Writes data to a Kinesis Data Firehose stream.
Required: No
Type: AWS IoT TopicRule FirehoseAction (p. 2021)
Kinesis
Writes data to an Kinesis stream.
Required: No
Type: AWS IoT TopicRule KinesisAction (p. 2022)
Lambda
Invokes a Lambda function.
Required: No
Type: AWS IoT TopicRule LambdaAction (p. 2022)
Republish
Publishes data to an MQ Telemetry Transport (MQTT) topic diﬀerent from the one currently
speciﬁed.
Required: No
Type: AWS IoT TopicRule RepublishAction (p. 2024)
S3
Writes data to an S3 bucket.
Required: No
Type: AWS IoT TopicRule S3Action (p. 2024)
Sns
Publishes data to an SNS topic.
Required: No
Type: AWS IoT TopicRule SnsAction (p. 2025)
Sqs
Publishes data to an SQS queue.
API Version 2010-05-15
2014

AWS CloudFormation User Guide
AWS IoT TopicRule CloudwatchAlarmAction

Required: No
Type: AWS IoT TopicRule SqsAction (p. 2026)

AWS IoT TopicRule CloudwatchAlarmAction
CloudwatchAlarm is a property of the Actions property that describes an action that updates a
CloudWatch alarm.

Syntax
JSON
{

}

"AlarmName": String,
"RoleArn": String,
"StateReason": String,
"StateValue": String

YAML
AlarmName: String
RoleArn: String
StateReason: String
StateValue: String

Properties
AlarmName
The CloudWatch alarm name.
Required: Yes
Type: String
RoleArn
The IAM role that allows access to the CloudWatch alarm.
Required: Yes
Type: String
StateReason
The reason for the change of the alarm state.
Required: Yes
Type: String
StateValue
The value of the alarm state.
Required: Yes
Type: String
API Version 2010-05-15
2015

AWS CloudFormation User Guide
AWS IoT TopicRule CloudwatchMetricAction

AWS IoT TopicRule CloudwatchMetricAction
CloudwatchMetric is a property of the Actions property that describes an action that captures a
CloudWatch metric.

Syntax
JSON
{

}

"MetricName": String,
"MetricNamespace": String,
"MetricTimestamp": String,
"MetricUnit": String,
"MetricValue": String,
"RoleArn": String

YAML
MetricName: String
MetricNamespace: String
MetricTimestamp: String
MetricUnit: String
MetricValue: String
RoleArn: String

Properties
MetricName
The name of the CloudWatch metric.
Required: Yes
Type: String
MetricNamespace
The name of the CloudWatch metric namespace.
Required: Yes
Type: String
MetricTimestamp
An optional Unix timestamp.
Required: No
Type: String
MetricUnit
The metric unit supported by Amazon CloudWatch.
Required: Yes
Type: String
API Version 2010-05-15
2016

AWS CloudFormation User Guide
AWS IoT TopicRule DynamoDBAction

MetricValue
The value to publish to the metric. For example, if you count the occurrences of a particular term
such as Error, the value will be 1 for each occurrence.
Required: Yes
Type: String
RoleArn
The ARN of the IAM role that grants access to the CloudWatch metric.
Required: Yes
Type: String

AWS IoT TopicRule DynamoDBAction
DynamoDB is a property of the Actions property that describes an AWS IoT action that writes data to a
DynamoDB table.
The HashKeyField, RangeKeyField, and TableName values must match the values you used when
you initially created the table.
The HashKeyValue and RangeKeyValue ﬁelds use the ${sql-expression} substitution template
syntax. You can specify any valid expression in a WHERE or SELECT clause. This expression can include
JSON properties, comparisons, calculations, and functions, for example:
• The "HashKeyValue" : "${topic(3)} ﬁeld uses the third level of the topic.
• The "RangeKeyValue" : "${timestamp()} ﬁeld uses the timestamp.

Syntax
JSON
{

}

"HashKeyField": String,
"HashKeyType": String,
"HashKeyValue": String,
"PayloadField": String,
"RangeKeyField": String,
"RangeKeyType": String,
"RangeKeyValue": String,
"RoleArn": String,
"TableName": String

YAML
HashKeyField: String
HashKeyType: String
HashKeyValue: String
PayloadField: String
RangeKeyField: String
RangeKeyType: String
RangeKeyValue: String
RoleArn: String

API Version 2010-05-15
2017

AWS CloudFormation User Guide
AWS IoT TopicRule DynamoDBAction
TableName: String

Properties
For more information and valid values, see DynamoDB Action in the AWS IoT Developer Guide.
HashKeyField
The name of the hash key.
Required: Yes
Type: String
HashKeyType
The data type of the hash key (also called the partition key). Valid values are: "STRING" or
"NUMBER".
Required: No
Type: String
HashKeyValue
The value of the hash key.
Required: Yes
Type: String
PayloadField
The name of the column in the DynamoDB table that contains the result of the query. You can
customize this name.
Required: No
Type: String
RangeKeyField
The name of the range key.
Required: No
Type: String
RangeKeyType
The data type of the range key (also called the sort key). Valid values are: "STRING" or "NUMBER".
Required: No
Type: String
RangeKeyValue
The value of the range key.
Required: No
Type: String
RoleArn
The ARN of the IAM role that grants access to the DynamoDB table.
API Version 2010-05-15
2018

AWS CloudFormation User Guide
AWS IoT TopicRule DynamoDBv2Action

Required: Yes
Type: String
TableName
The name of the DynamoDB table.
Required: Yes
Type: String

AWS IoT TopicRule DynamoDBv2Action
The DynamoDBv2Action property type is a property of the Actions property that describes an AWS
IoT action that writes data to a DynamoDB table.
DynamoDBv2Action is a property of the AWS IoT TopicRule Action (p. 2012) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"PutItem" : PutItemInput (p. 2023),
"RoleArn" : String

YAML
PutItem:
PutItemInput (p. 2023)
RoleArn: String

Properties
For more information, see DynamoDBv2 Action in the AWS IoT Developer Guide..
PutItem
Speciﬁes the database table to which to write the item for an AWS IoT topic rule.
Required: No
Type: AWS IoT TopicRule PutItemInput (p. 2023)
Update requires: No interruption (p. 118)
RoleArn
The IAM role that allows access to the DynamoDB table. At a minimum, the role must allow the
dynamoDB:PutItem IAM action.
Required: No
Type: String
API Version 2010-05-15
2019

AWS CloudFormation User Guide
AWS IoT TopicRule ElasticsearchAction

Update requires: No interruption (p. 118)

AWS IoT TopicRule ElasticsearchAction
Elasticsearch is a property of the Actions property that describes an action that writes data to an
Elasticsearch domain.

Syntax
JSON
{

}

"Endpoint": String,
"Id": String,
"Index": String,
"RoleArn": String,
"Type": String

YAML
Endpoint: String
Id": String
Index": String
RoleArn": String
Type": String

Properties
Endpoint
The endpoint of your Elasticsearch domain.
Required: Yes
Type: String
Id
A unique identiﬁer for the stored data.
Required: Yes
Type: String
Index
The Elasticsearch index where the data is stored.
Required: Yes
Type: String
RoleArn
The ARN of the IAM role that grants access to Elasticsearch.
Required: Yes
API Version 2010-05-15
2020

AWS CloudFormation User Guide
AWS IoT TopicRule FirehoseAction

Type: String
Type
The type of stored data.
Required: Yes
Type: String

AWS IoT TopicRule FirehoseAction
Firehose is a property of the Actions property that describes an action that writes data to a Kinesis
Data Firehose stream.

Syntax
JSON
{

}

"DeliveryStreamName": String,
"RoleArn": String,
"Separator": String

YAML
DeliveryStreamName: String
RoleArn: String
Separator: String

Properties
DeliveryStreamName
The delivery stream name.
Required: Yes
Type: String
RoleArn
The Amazon Resource Name (ARN) of the IAM role that grants access to the Kinesis Data Firehose
stream.
Required: Yes
Type: String
Separator
A character separator that's used to separate records written to the Kinesis Data Firehose stream. For
valid values, see Firehose Action in the AWS IoT Developer Guide.
Required: No
Type: String
API Version 2010-05-15
2021

AWS CloudFormation User Guide
AWS IoT TopicRule KinesisAction

AWS IoT TopicRule KinesisAction
Kinesis is a property of the Actions property that describes an action that writes data to an Kinesis
stream.

Syntax
JSON
{

}

"PartitionKey": String,
"RoleArn": String,
"StreamName": String

YAML
PartitionKey: String
RoleArn: String
StreamName: String

Properties
PartitionKey
The partition key (the grouping of data by shard within an Kinesis stream).
Required: No
Type: String
RoleArn
The ARN of the IAM role that grants access to an Kinesis stream.
Required: Yes
Type: String
StreamName
The name of the Kinesis stream.
Required: Yes
Type: String

AWS IoT TopicRule LambdaAction
Lambda is a property of the Actions property that describes an action that invokes a Lambda function.

Syntax
JSON
{

API Version 2010-05-15
2022

AWS CloudFormation User Guide
AWS IoT TopicRule PutItemInput

}

"FunctionArn": String

YAML
FunctionArn: String

Properties
FunctionArn
The ARN of the Lambda function.
Required: Yes
Type: String

AWS IoT TopicRule PutItemInput
The PutItemInput property type speciﬁes the database table for an AWS IoT topic rule.
PutItemInput is a property of the AWS IoT TopicRule DynamoDBv2Action (p. 2019) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"TableName" : String

YAML
TableName: String

Properties
TableName
The name of the DynamoDB table.

Note

The MQTT message payload must contain a root-level key that matches the table's primary
partition key and a root-level key that matches the table's primary sort key, if one is
deﬁned. For more information, see DynamoDBv2 Action in the AWS IoT Developer Guide..
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
2023

AWS CloudFormation User Guide
AWS IoT TopicRule RepublishAction

AWS IoT TopicRule RepublishAction
Republish is a property of the Actions property that describes an action that publishes data to an MQ
Telemetry Transport (MQTT) topic diﬀerent from the one currently speciﬁed.

Syntax
JSON
{
}

"RoleArn": String,
"Topic": String

YAML
RoleArn: String
Topic: String

Properties
RoleArn
The ARN of the IAM role that grants publishing access.
Required: Yes
Type: String
Topic
The name of the MQTT topic topic diﬀerent from the one currently speciﬁed.
Required: Yes
Type: String

AWS IoT TopicRule S3Action
S3 is a property of the Actions property that describes an action that writes data to an S3 bucket.

Syntax
JSON
{

}

"BucketName": String,
"Key": String,
"RoleArn": String

YAML
BucketName: String

API Version 2010-05-15
2024

AWS CloudFormation User Guide
AWS IoT TopicRule SnsAction
Key: String
RoleArn: String

Properties
BucketName
The name of the S3 bucket.
Required: Yes
Type: String
Key
The object key (the name of an object in the S3 bucket).
Required: Yes
Type: String
RoleArn
The ARN of the IAM role that grants access to Amazon S3.
Required: Yes
Type: String

AWS IoT TopicRule SnsAction
Sns is a property of the Actions property that describes an action that publishes data to an SNS topic.

Syntax
JSON
{

}

"MessageFormat": String,
"RoleArn": String,
"TargetArn": String

YAML
MessageFormat: String
RoleArn: String
TargetArn: String

Properties
MessageFormat
The format of the published message. Amazon SNS uses this setting to determine whether it should
parse the payload and extract the platform-speciﬁc bits from the payload.
API Version 2010-05-15
2025

AWS CloudFormation User Guide
AWS IoT TopicRule SqsAction

For more information, see Appendix: Message and JSON Formats in the Amazon Simple Notiﬁcation
Service Developer Guide.
Required: No
Type: String
RoleArn
The ARN of the IAM role that grants access to Amazon SNS.
Required: Yes
Type: String
TargetArn
The ARN of the Amazon SNS topic.
Required: Yes
Type: String

AWS IoT TopicRule SqsAction
Sqs is a property of the Actions property that describes an action that publishes data to an SQS queue.

Syntax
JSON
{

}

"QueueUrl": String,
"RoleArn": String,
"UseBase64": Boolean

YAML
QueueUrl: String
RoleArn: String
UseBase64: Boolean

Properties
QueueUrl
The URL of the Amazon Simple Queue Service (Amazon SQS) queue.
Required: Yes
Type: String
RoleArn
The ARN of the IAM role that grants access to Amazon SQS.
API Version 2010-05-15
2026

AWS CloudFormation User Guide
AWS IoT Thing AttributePayload

Required: Yes
Type: String
UseBase64
Speciﬁes whether Base64 encoding should be used.
Required: No
Type: Boolean

AWS IoT Thing AttributePayload
The AttributePayload property speciﬁes up to three attributes for an AWS IoT as key–value pairs.
AttributePayload is a property of the AWS::IoT::Thing (p. 1221) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Attributes" : { String:String, ... }

YAML
Attributes:
String: String

Properties
Attributes
A string that contains up to three key–value pairs. Maximum length of 800. Duplicates not allowed.
Required: No
Type: String to string map
Update requires: No interruption (p. 118)

Example
The following example declares an attribute payload with three attributes.

JSON
"AttributePayload": {
"Attributes": {
"myAttributeA": {
"Ref": "MyAttributeValueA"
},

API Version 2010-05-15
2027

AWS CloudFormation User Guide
AWS IoT TopicRule TopicRulePayload

}

}

"myAttributeB": {
"Ref": "MyAttributeValueB"
},
"myAttributeC": {
"Ref": "MyAttributeValueC"
}

YAML
AttributePayload:
Attributes:
myAttributeA:
Ref: "MyAttributeValueA"
myAttributeB:
Ref: "MyAttributeValueB"
myAttributeC:
Ref: "MyAttributeValueC"

AWS IoT TopicRule TopicRulePayload
TopicRulePayload is a property of the AWS::IoT::TopicRule resource that describes the payload
of an AWS IoT rule.

Syntax
JSON
{

}

"Actions": [ Action, ... ],
"AwsIotSqlVersion": String,
"Description": String,
"RuleDisabled": Boolean,
"Sql": String

YAML
Actions:
- Action
AwsIotSqlVersion: String
Description: String
RuleDisabled: Boolean
Sql: String

Properties
Actions
The actions associated with the rule.
Required: Yes
Type: Array of Action (p. 2012) objects
Update requires: No interruption (p. 118)
API Version 2010-05-15
2028

AWS CloudFormation User Guide
Kinesis StreamEncryption

AwsIotSqlVersion
The version of the SQL rules engine to use when evaluating the rule.
Required: No
Type: String
Update requires: No interruption (p. 118)
Description
The description of the rule.
Required: No
Type: String
Update requires: No interruption (p. 118)
RuleDisabled
Speciﬁes whether the rule is disabled.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
Sql
The SQL statement that queries the topic. For more information, see Rules for AWS IoT in the AWS
IoT Developer Guide.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Kinesis StreamEncryption
The StreamEncryption property is part of the AWS::Kinesis::Stream (p. 1228) resource that enables or
updates server-side encryption using an AWS KMS key for a speciﬁed stream. For more information, see
StartStreamEncryption in the Amazon Kinesis Data Streams API Reference.

Syntax
JSON
{
}

"EncryptionType" : String,
"KeyId" : String

YAML
EncryptionType: String

API Version 2010-05-15
2029

AWS CloudFormation User Guide
Kinesis Data Analytics Application CSVMappingParameters
KeyId: String

Properties
EncryptionType
The encryption type to use. The only valid value is KMS.
Required: Yes
Type: String
KeyId
The GUID for the customer-managed KMS key to use for encryption. This value can be a globally
unique identiﬁer, a fully speciﬁed ARN to either an alias or a key, or an alias name preﬁxed by
"alias/". You can also use a master key owned by Kinesis Streams by specifying the alias aws/
kinesis.
• Key ARN example: arn:aws: kms:useast-1:123456789012:key/12345678-1234-1234-1234-123456789012
• Alias ARN example: arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
• Globally unique key ID example: 12345678-1234-1234-1234-123456789012
• Alias name example: alias/MyAliasName
• Master key owned by Kinesis Streams: alias/aws/kinesis
Required: Yes
Type: String

Amazon Kinesis Data Analytics Application
CSVMappingParameters
The CSVMappingParameters property type speciﬁes additional mapping information when the record
format uses delimiters, such as CSV.
CSVMappingParameters is a property of the Kinesis Data Analytics Application
MappingParameters (p. 2038) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"RecordColumnDelimiter" : String,
"RecordRowDelimiter" : String

YAML
RecordColumnDelimiter: String
RecordRowDelimiter: String

API Version 2010-05-15
2030

AWS CloudFormation User Guide
Kinesis Data Analytics Application Input

Properties
RecordColumnDelimiter
The column delimiter. For example, in a CSV format, a comma (",") is the typical column delimiter.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RecordRowDelimiter
The row delimiter. For example, in a CSV format, "\n" is the typical row delimiter.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics Application Input
When you conﬁgure the application input, you specify the streaming source, the in-application stream
name that is created, and the mapping between the two.
Input is a property of the AWS::KinesisAnalytics::Application (p. 1231) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"NamePrefix" : String,
"InputParallelism" : InputParallelism (p. 2033),
"InputSchema" : InputSchema (p. 2035),
"KinesisFirehoseInput" : KinesisFirehoseInput (p. 2037),
"KinesisStreamsInput" : KinesisStreamsInput (p. 2037),
"InputProcessingConfiguration : InputProcessingConfiguration (p. 2034)

YAML
NamePrefix: String
InputParallelism:
InputParallelism (p. 2033)
InputSchema:
InputSchema (p. 2035)
KinesisFirehoseInput:
KinesisFirehoseInput (p. 2037)
KinesisStreamsInput:
KinesisStreamsInput (p. 2037)
InputProcessingConfiguration:
InputProcessingConfiguration (p. 2034)

API Version 2010-05-15
2031

AWS CloudFormation User Guide
Kinesis Data Analytics Application Input

Properties
NamePrefix
The name preﬁx to use when creating the in-application streams.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
InputParallelism
Describes the number of in-application streams to create.
Required: No
Type: Kinesis Data Analytics Application InputParallelism (p. 2033)
Update requires: No interruption (p. 118)
InputSchema
Describes the format of the data in the streaming source, and how each data element maps to
corresponding columns in the in-application stream that is being created.
Required: Yes
Type: Kinesis Data Analytics Application InputSchema (p. 2035)
Update requires: No interruption (p. 118)
KinesisFirehoseInput
If the streaming source is an Amazon Kinesis Data Firehose delivery stream, identiﬁes the delivery
stream's Amazon Resource Name (ARN) and an IAM role that enables Kinesis Data Analytics to access
the stream on your behalf.
Required: No
Type: Kinesis Data Analytics Application KinesisFirehoseInput (p. 2037)
Update requires: No interruption (p. 118)
KinesisStreamsInput
If the streaming source is an Amazon Kinesis stream, identiﬁes the stream's ARN and an IAM role
that enables Kinesis Data Analytics to access the stream on your behalf.
Required: No
Type: Kinesis Data Analytics Application KinesisStreamsInput (p. 2037)
Update requires: No interruption (p. 118)
InputProcessingConfiguration
The input processing conﬁguration for the input. An input processor transforms records as they
are received from the stream, before the application's SQL code executes. Currently, the only input
processing conﬁguration available is InputLambdaProcessor.
Required: No
Type: Kinesis Data Analytics Application InputProcessingConﬁguration (p. 2034)
Update requires: No interruption (p. 118)
API Version 2010-05-15
2032

AWS CloudFormation User Guide
Kinesis Data Analytics Application InputLambdaProcessor

Amazon Kinesis Data Analytics Application
InputLambdaProcessor
The InputLambdaProcessor property type speciﬁes the Amazon Resource Name (ARN) of a Lambda
function for preprocessing records in a stream before the SQL code for an Amazon Kinesis Data Analytics
application executes.
InputLambdaProcessor is a property of the Kinesis Data Analytics Application Input (p. 2031)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"ResourceARN" : String,
"RoleARN" : String

YAML
ResourceARN: String
RoleARN: String

Properties
ResourceARN
The ARN of the AWS Lambda function that operates on records in the stream.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RoleARN
The ARN of the IAM role that is used to access the AWS Lambda function.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics Application
InputParallelism
The InputParallelism property type speciﬁes the number of in-application streams to create for a
given streaming source in an Amazon Kinesis Data Analytics application.
API Version 2010-05-15
2033

AWS CloudFormation User Guide
Kinesis Data Analytics Application
InputProcessingConﬁguration

InputParallelism is a property of the Kinesis Data Analytics Application Input (p. 2031) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Count" : Integer

YAML
Count: Integer

Properties
Count
The number of in-application streams to create.
Required: No
Type: Integer
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics Application
InputProcessingConﬁguration
The InputProcessingConfiguration property type speciﬁes a processing conﬁguration for a Kinesis
Data Analytics Application Input (p. 2031) for an Amazon Kinesis Data Analytics application.
InputProcessingConfiguration is a property of the Kinesis Data Analytics Application
Input (p. 2031) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"InputLambdaProcessor" : InputLambdaProcessor (p. 2033)

YAML
InputLambdaProcessor: InputLambdaProcessor (p. 2033)

API Version 2010-05-15
2034

AWS CloudFormation User Guide
Kinesis Data Analytics Application InputSchema

Properties
InputLambdaProcessor
The InputLambdaProcessor that is used to preprocess the records in the stream before they are
processed by your application code.
Required: No
Type: Kinesis Data Analytics Application InputLambdaProcessor (p. 2033)
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics Application
InputSchema
The InputSchema property type describes the format of the data in the streaming source, and how each
data element maps to corresponding columns that are created in the in-application stream in an Amazon
Kinesis Data Analytics application.
InputSchema is a property of the Kinesis Data Analytics Application Input (p. 2031) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"RecordColumns" : [ RecordColumn (p. 2039), ... ],
"RecordEncoding" : String,
"RecordFormat" : RecordFormat (p. 2040)

YAML
RecordColumns:
- RecordColumn (p. 2039)
RecordEncoding: String
RecordFormat:
RecordFormat (p. 2040)

Properties
RecordColumns
A list of RecordColumn objects.
Required: Yes
Type: List of Kinesis Data Analytics Application RecordColumn (p. 2039)
API Version 2010-05-15
2035

AWS CloudFormation User Guide
Kinesis Data Analytics Application
JSONMappingParameters

Update requires: No interruption (p. 118)
RecordEncoding
Speciﬁes the encoding of the records in the streaming source; for example, UTF-8.
Required: No
Type: String
Update requires: No interruption (p. 118)
RecordFormat
Speciﬁes the format of the records on the streaming source.
Required: Yes
Type: Kinesis Data Analytics Application RecordFormat (p. 2040)
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics Application
JSONMappingParameters
The JSONMappingParameters property type speciﬁes additional mapping information when JSON is
the record format on the streaming source.
JSONMappingParameters is a property of the Kinesis Data Analytics Application
MappingParameters (p. 2038) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"RecordRowPath" : String

YAML
RecordRowPath: String

Properties
RecordRowPath
The path to the top-level parent that contains the records (e.g., "$".)
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
2036

AWS CloudFormation User Guide
Kinesis Data Analytics Application KinesisFirehoseInput

Amazon Kinesis Data Analytics Application
KinesisFirehoseInput
The KinesisFirehoseInput property type identiﬁes an Amazon Kinesis Data Firehose delivery stream
as the streaming source for an Amazon Kinesis Data Analytics application.
KinesisFirehoseInput is a property of the Kinesis Data Analytics Application Input (p. 2031)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"ResourceARN" : String,
"RoleARN" : String

YAML
ResourceARN: String
RoleARN: String

Properties
ResourceARN
The Amazon Resource Name (ARN) of the input Kinesis Data Firehose delivery stream.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RoleARN
The ARN of the IAM role that Kinesis Data Analytics can assume to access the stream on your behalf.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics Application
KinesisStreamsInput
The KinesisStreamsInput property type speciﬁes an Amazon Kinesis stream as the streaming source
for an Amazon Kinesis Data Analytics application.
API Version 2010-05-15
2037

AWS CloudFormation User Guide
Kinesis Data Analytics Application MappingParameters

KinesisStreamsInput is a property of the Kinesis Data Analytics Application Input (p. 2031) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"ResourceARN" : String,
"RoleARN" : String

YAML
ResourceARN: String
RoleARN: String

Properties
ResourceARN
The Amazon Resource Name (ARN) of the input Amazon Kinesis stream to read.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RoleARN
The ARN of the IAM role that Kinesis Data Analytics can assume to access the stream on your behalf.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics Application
MappingParameters
When conﬁguring application input at the time of creating or updating an application, provides
additional mapping information speciﬁc to the record format (such as JSON, CSV, or record ﬁelds
delimited by some delimiter) on the streaming source.
MappingParameters is a property of the Kinesis Data Analytics Application RecordFormat (p. 2040)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
2038

AWS CloudFormation User Guide
Kinesis Data Analytics Application RecordColumn

JSON
{
}

"CSVMappingParameters" : CSVMappingParameters (p. 2030),
"JSONMappingParameters" : JSONMappingParameters (p. 2036)

YAML
CSVMappingParameters:
CSVMappingParameters (p. 2030)
JSONMappingParameters:
JSONMappingParameters (p. 2036)

Properties
CSVMappingParameters
Provides additional mapping information when the record format uses delimiters (for example, CSV).
Required: No
Type: Kinesis Data Analytics Application CSVMappingParameters (p. 2030)
Update requires: No interruption (p. 118)
JSONMappingParameters
Provides additional mapping information when JSON is the record format on the streaming source.
Required: No
Type: Kinesis Data Analytics Application JSONMappingParameters (p. 2036)
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics Application
RecordColumn
The RecordColumn property type speciﬁes the mapping of each data element in the streaming
source to the corresponding column in the in-application stream in an Amazon Kinesis Data Analytics
application.
RecordColumn is a property of the Kinesis Data Analytics Application InputSchema (p. 2035) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
2039

AWS CloudFormation User Guide
Kinesis Data Analytics Application RecordFormat

}

"Mapping" : String,
"Name" : String,
"SqlType" : String

YAML
Mapping: String
Name: String
SqlType: String

Properties
Mapping
Reference to the data element in the streaming input of the reference data source.
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the column created in the in-application input stream or reference table.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
SqlType
The type of column created in the in-application input stream or reference table.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics Application
RecordFormat
The RecordFormat property type describes the record format and relevant mapping information that
should be applied to schematize the records on the stream.
RecordFormat is a property of the AWS::KinesisAnalytics::Application (p. 1231) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
2040

AWS CloudFormation User Guide
Kinesis Data Analytics
ApplicationOutput DestinationSchema

JSON
{
}

"MappingParameters" : MappingParameters (p. 2038),
"RecordFormatType" : String

YAML
MappingParameters:
MappingParameters (p. 2038)
RecordFormatType: String

Properties
MappingParameters
When conﬁguring application input at the time of creating or updating an application, provides
additional mapping information speciﬁc to the record format (such as JSON, CSV, or record ﬁelds
delimited by some delimiter) on the streaming source.
Required: No
Type: Kinesis Data Analytics Application MappingParameters (p. 2038)
Update requires: No interruption (p. 118)
RecordFormatType
The type of record format (e.g CSV or JSON.)
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics ApplicationOutput
DestinationSchema
The DestinationSchema property describes the data format when records are written to the
destination.
DestinationSchema is a property of the Kinesis Data Analytics ApplicationOutput Output (p. 2045)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
2041

AWS CloudFormation User Guide
Kinesis Data Analytics ApplicationOutput
KinesisFirehoseOutput
}

"RecordFormatType" : String

YAML
RecordFormatType: String

Properties
RecordFormatType
Speciﬁes the format of the records on the output stream.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics ApplicationOutput
KinesisFirehoseOutput
The KinesisFirehoseOutput property type speciﬁes an Amazon Kinesis Data Firehose delivery stream
as the destination when you are conﬁguring application output.
KinesisFirehoseOutput is a property of the Kinesis Data Analytics ApplicationOutput
Output (p. 2045) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"ResourceARN" : String,
"RoleARN" : String

YAML
ResourceARN: String
RoleARN: String

Properties
ResourceARN
The Amazon Resource Name (ARN) of the destination Amazon Kinesis Data Firehose delivery stream
to write to.
API Version 2010-05-15
2042

AWS CloudFormation User Guide
Kinesis Data Analytics ApplicationOutput
KinesisStreamsOutput

Required: Yes
Type: String
Update requires: No interruption (p. 118)
RoleARN
The ARN of the IAM role that Amazon Kinesis Data Analytics can assume to write to the destination
stream on your behalf.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics ApplicationOutput
KinesisStreamsOutput
The KinesisStreamsOutput property type speciﬁes an Amazon Kinesis stream as the destination
when you are conﬁguring application output.
KinesisStreamsOutput is a property of the Kinesis Data Analytics ApplicationOutput
Output (p. 2045) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"ResourceARN" : String,
"RoleARN" : String

YAML
ResourceARN: String
RoleARN: String

Properties
ResourceARN
The Amazon Resource Name (ARN) of the destination Amazon Kinesis stream to write to.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
2043

AWS CloudFormation User Guide
Kinesis Data Analytics ApplicationOutput LambdaOutput

RoleARN
The ARN of the IAM role that Amazon Kinesis Data Analytics can assume to write to the destination
stream on your behalf.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics ApplicationOutput
LambdaOutput
The LambdaOutput property type speciﬁes a Lambda function as the destination when you are
conﬁguring application output.
LambdaOutput is a property of the Kinesis Data Analytics ApplicationOutput Output (p. 2045) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"ResourceARN" : String,
"RoleARN" : String

YAML
ResourceARN: String
RoleARN: String

Properties
ResourceARN
The Amazon Resource Name (ARN) of the destination Amazon Lambda function to write to.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RoleARN
The ARN of the IAM role that Amazon Kinesis Data Analytics can assume to write to the destination
function on your behalf.
Required: Yes
API Version 2010-05-15
2044

AWS CloudFormation User Guide
Kinesis Data Analytics ApplicationOutput Output

Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics ApplicationOutput
Output
The Output property type speciﬁes an array of output conﬁguration objects for an Amazon Kinesis Data
Analytics application.
Output is a property of the AWS::KinesisAnalytics::ApplicationOutput (p. 1234) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"DestinationSchema" : DestinationSchema (p. 2041),
"KinesisFirehoseOutput" : KinesisFirehoseOutput (p. 2042),
"KinesisStreamsOutput" : KinesisStreamsOutput (p. 2043),
"LambdaOutput" : LambdaOutput (p. 2044),
"Name" : String

YAML
DestinationSchema:
DestinationSchema (p. 2041)
KinesisFirehoseOutput:
KinesisFirehoseOutput (p. 2042)
KinesisStreamsOutput:
KinesisStreamsOutput (p. 2043)
LambdaOutput:
LambdaOutput (p. 2044)
Name: String

Properties
DestinationSchema
The data format when records are written to the destination.
Required: Yes
Type: Kinesis Data Analytics ApplicationOutput DestinationSchema (p. 2041)
Update requires: No interruption (p. 118)
KinesisFirehoseOutput
Identiﬁes an Amazon Kinesis Data Firehose delivery stream as the destination.
Required: Conditional.
API Version 2010-05-15
2045

AWS CloudFormation User Guide
Kinesis Data Analytics ApplicationReferenceDataSource
CSVMappingParameters

Type: Kinesis Data Analytics ApplicationOutput KinesisFirehoseOutput (p. 2042)
Update requires: No interruption (p. 118)
KinesisStreamsOutput
Identiﬁes an Amazon Kinesis stream as the destination.
Required: Conditional.
Type: Kinesis Data Analytics ApplicationOutput KinesisStreamsOutput (p. 2043)
Update requires: No interruption (p. 118)
LambdaOutput
Identiﬁes a Lambda function as the destination.
Required: Conditional.
Type: Kinesis Data Analytics ApplicationOutput LambdaOutput (p. 2044)
Update requires: No interruption (p. 118)
Name
The name of the in-application stream.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Amazon Kinesis Data Analytics
ApplicationReferenceDataSource
CSVMappingParameters
In AWS CloudFormation, use the CSVMappingParameters property to specify additional mapping
information when the record format uses delimiters, such as CSV.
CSVMappingParameters is a property of the Kinesis Data Analytics ApplicationReferenceDataSource
MappingParameters (p. 2048) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"RecordColumnDelimiter" : String,
"RecordRowDelimiter" : String

YAML

API Version 2010-05-15
2046

AWS CloudFormation User Guide
Kinesis Data Analytics ApplicationReferenceDataSource
JSONMappingParameters
RecordColumnDelimiter: String
RecordRowDelimiter: String

Properties
RecordColumnDelimiter
The column delimiter. For example, in a CSV format, a comma (",") is the typical column delimiter.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
RecordRowDelimiter
The row delimiter. For example, in a CSV format, "\n" is the typical row delimiter.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics
ApplicationReferenceDataSource
JSONMappingParameters
Provides additional mapping information when JSON is the record format on the streaming source.
JSONMappingParameters is a property of the Kinesis Data Analytics ApplicationReferenceDataSource
MappingParameters (p. 2048) parameter.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"RecordRowPath" : String

YAML
RecordRowPath: String

Properties
RecordRowPath
Path to the top-level parent that contains the records (e.g., "$".)
API Version 2010-05-15
2047

AWS CloudFormation User Guide
Kinesis Data Analytics
ApplicationReferenceDataSource MappingParameters

Required: Yes
Type: String;
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics
ApplicationReferenceDataSource MappingParameters
When conﬁguring application input at the time of creating or updating an application, provides
additional mapping information speciﬁc to the record format (such as JSON, CSV, or record ﬁelds
delimited by some delimiter) on the streaming source.
MappingParameters is a property of the Kinesis Data Analytics ApplicationReferenceDataSource
RecordFormat (p. 2050) parameter.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"CSVMappingParameters" : CSVMappingParameters (p. 2046),
"JSONMappingParameters" : JSONMappingParameters (p. 2047)

YAML
CSVMappingParameters:
CSVMappingParameters (p. 2046)
JSONMappingParameters:
JSONMappingParameters (p. 2047)

Properties
CSVMappingParameters
Provides additional mapping information when the record format uses delimiters (for example, CSV).
Required: No
Type: Kinesis Data Analytics ApplicationReferenceDataSource CSVMappingParameters (p. 2046)
Update requires: No interruption (p. 118)
JSONMappingParameters
Provides additional mapping information when JSON is the record format on the streaming source.
Required: No
Type: Kinesis Data Analytics ApplicationReferenceDataSource JSONMappingParameters (p. 2047)
API Version 2010-05-15
2048

AWS CloudFormation User Guide
Kinesis Data Analytics
ApplicationReferenceDataSource RecordColumn

Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics
ApplicationReferenceDataSource RecordColumn
The RecordColumn property type speciﬁes the mapping of each data element in the streaming source
to the corresponding column in the in-application stream.
RecordColumn is a property of the Kinesis Data Analytics ApplicationReferenceDataSource
ReferenceSchema (p. 2052) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Mapping" : String,
"Name" : String,
"SqlType" : String

YAML
Mapping: String
Name: String
SqlType: String

Properties
Mapping
The reference to the data element in the streaming input of the reference data source.
Required: No
Type: String;
Update requires: No interruption (p. 118)
Name
The name of the column created in the in-application input stream or reference table.
Required: Yes
Type: String;
Update requires: No interruption (p. 118)
SqlType
The SQL data type of the column created in the in-application input stream or reference table.
API Version 2010-05-15
2049

AWS CloudFormation User Guide
Kinesis Data Analytics
ApplicationReferenceDataSource RecordFormat

Required: Yes
Type: String;
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics
ApplicationReferenceDataSource RecordFormat
The RecordFormat property type speciﬁes the record format and relevant mapping information that
should be applied to schematize the records on the stream.
RecordFormat is a property of the Kinesis Data Analytics ApplicationReferenceDataSource
ReferenceSchema (p. 2052) parameter.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"MappingParameters" : MappingParameters (p. 2048),
"RecordFormatType" : String

YAML
MappingParameters:
MappingParameters (p. 2048)
RecordFormatType: String

Properties
MappingParameters
When conﬁguring application input at the time of creating or updating an application, provides
additional mapping information speciﬁc to the record format (such as JSON, CSV, or record ﬁelds
delimited by some delimiter) on the streaming source.
Required: No
Type: Kinesis Data Analytics ApplicationReferenceDataSource MappingParameters (p. 2048)
Update requires: No interruption (p. 118)
RecordFormatType
The type of record format (CSV or JSON).
Required: Yes
Type: String;
Update requires: No interruption (p. 118)
API Version 2010-05-15
2050

AWS CloudFormation User Guide
Kinesis Data Analytics
ApplicationReferenceDataSource ReferenceDataSource

Amazon Kinesis Data Analytics
ApplicationReferenceDataSource
ReferenceDataSource
The ReferenceDataSource property type speciﬁes the reference data source by providing the source
information (Amazon S3 bucket name and object key name), the resulting in-application table name
that is created, and the necessary schema to map the data elements in the Amazon S3 object to the inapplication table.
ReferenceDataSource is a property of the
AWS::KinesisAnalytics::ApplicationReferenceDataSource (p. 1235) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"TableName" : String,
"S3ReferenceDataSource" : S3ReferenceDataSource (p. 2053),
"ReferenceSchema" : ReferenceSchema (p. 2052)

YAML
TableName: String
S3ReferenceDataSource:
S3ReferenceDataSource (p. 2053)
ReferenceSchema:
ReferenceSchema (p. 2052)

Properties
TableName
The name of the in-application table to create.
Required: No
Type: String;
Update requires: No interruption (p. 118)
S3ReferenceDataSource
Identiﬁes the Amazon S3 bucket and object that contains the reference data. Also identiﬁes the IAM
role that Amazon Kinesis Data Analytics can assume to read this object on your behalf.
Required: No
Type: Kinesis Data Analytics ApplicationReferenceDataSource S3ReferenceDataSource (p. 2053)
Update requires: No interruption (p. 118)
API Version 2010-05-15
2051

AWS CloudFormation User Guide
Kinesis Data Analytics
ApplicationReferenceDataSource ReferenceSchema

ReferenceSchema
Describes the format of the data in the streaming source, and how each data element maps to
corresponding columns that are created in the in-application stream.
Required: Yes
Type: Kinesis Data Analytics ApplicationReferenceDataSource ReferenceSchema (p. 2052)
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics
ApplicationReferenceDataSource ReferenceSchema
The ReferenceSchema property type speciﬁes the format of the data in the streaming source, and how
each data element maps to corresponding columns created in the in-application stream.
ReferenceSchema is a property of the Kinesis Data Analytics ApplicationReferenceDataSource
ReferenceDataSource (p. 2051) property.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"RecordColumns" : [ RecordColumn (p. 2049), ... ],
"RecordEncoding" : String,
"RecordFormat" : RecordFormat (p. 2050)

YAML
RecordColumns:
- RecordColumn (p. 2049)
RecordEncoding: String
RecordFormat:
RecordFormat (p. 2050)

Properties
RecordColumns
A list of Amazon Kinesis Data Analytics ApplicationReferenceDataSource RecordColumn (p. 2049)
objects.
Required: Yes
Type: List of Kinesis Data Analytics ApplicationReferenceDataSource RecordColumn (p. 2049)
Update requires: No interruption (p. 118)
RecordEncoding
Speciﬁes the encoding of the records in the streaming source; For example, UTF-8.
API Version 2010-05-15
2052

AWS CloudFormation User Guide
Kinesis Data Analytics ApplicationReferenceDataSource
S3ReferenceDataSource

Required: No
Type: String;
Update requires: No interruption (p. 118)
RecordFormat
Speciﬁes the format of the records on the streaming source.
Required: Yes
Type: Kinesis Data Analytics ApplicationReferenceDataSource RecordFormat (p. 2050)
Update requires: No interruption (p. 118)

Amazon Kinesis Data Analytics
ApplicationReferenceDataSource
S3ReferenceDataSource
The S3ReferenceDataSource property type speciﬁes the Amazon S3 bucket and object that contains
the reference data for Amazon Kinesis Data Analytics.
S3ReferenceDataSource is a property of the Kinesis Data Analytics ApplicationReferenceDataSource
ReferenceDataSource (p. 2051) parameter.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"BucketARN" : String,
"FileKey" : String,
"ReferenceRoleARN" : String

YAML
BucketARN: String
FileKey: String
ReferenceRoleARN: String

Properties
BucketARN
The Amazon Resource Name (ARN) of the Amazon S3 bucket.
Required: Yes
Type: String;
API Version 2010-05-15
2053

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream BuﬀeringHints

Update requires: No interruption (p. 118)
FileKey
The object key name containing reference data.
Required: Yes
Type: String;
Update requires: No interruption (p. 118)
ReferenceRoleARN
The ARN of the IAM role that the service can assume to read data on your behalf.
Required: Yes
Type: String;
Update requires: No interruption (p. 118)

Amazon Kinesis Data Firehose DeliveryStream
BuﬀeringHints
The BufferingHints property type speciﬁes how Amazon Kinesis Data Firehose (Kinesis Data Firehose)
buﬀers incoming data before delivering it to the destination. The ﬁrst buﬀer condition that is satisﬁed
triggers Kinesis Data Firehose to deliver the data.
BufferingHints is a property of the Amazon Kinesis Data Firehose DeliveryStream
ExtendedS3DestinationConﬁguration (p. 2061) and Amazon Kinesis Data Firehose DeliveryStream
S3DestinationConﬁguration (p. 2070) property types.

Syntax
JSON
{
}

"IntervalInSeconds" : Integer,
"SizeInMBs" : Integer

YAML
IntervalInSeconds: Integer
SizeInMBs: Integer

Properties
IntervalInSeconds
The length of time, in seconds, that Kinesis Data Firehose buﬀers incoming data before delivering
it to the destination. For valid values, see the IntervalInSeconds content for the BuﬀeringHints
data type in the Amazon Kinesis Data Firehose API Reference.
Required: Yes
API Version 2010-05-15
2054

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
CloudWatchLoggingOptions

Type: Integer
SizeInMBs
The size of the buﬀer, in MBs, that Kinesis Data Firehose uses for incoming data before delivering it
to the destination. For valid values, see the SizeInMBs content for the BuﬀeringHints data type in
the Amazon Kinesis Data Firehose API Reference.
Required: Yes
Type: Integer

Amazon Kinesis Data Firehose DeliveryStream
CloudWatchLoggingOptions
The CloudWatchLoggingOptions property type speciﬁes Amazon CloudWatch Logs (CloudWatch
Logs) logging options that Amazon Kinesis Data Firehose (Kinesis Data Firehose) uses for the delivery
stream.
CloudWatchLoggingOptions is a property of the Amazon Kinesis Data Firehose DeliveryStream
ElasticsearchDestinationConﬁguration (p. 2058), Amazon Kinesis Data Firehose DeliveryStream
ExtendedS3DestinationConﬁguration (p. 2061), Amazon Kinesis Data Firehose DeliveryStream
RedshiftDestinationConﬁguration (p. 2068), Amazon Kinesis Data Firehose DeliveryStream
SplunkDestinationConﬁguration (p. 2072), and Amazon Kinesis Data Firehose DeliveryStream
S3DestinationConﬁguration (p. 2070) property types.

Syntax
JSON
{

}

"Enabled" : Boolean,
"LogGroupName" : String,
"LogStreamName" : String

YAML
Enabled: Boolean
LogGroupName: String
LogStreamName: String

Properties
Enabled
Indicates whether CloudWatch Logs logging is enabled.
Required: No
Type: Boolean
LogGroupName
The name of the CloudWatch Logs log group that contains the log stream that Kinesis Data Firehose
will use.
API Version 2010-05-15
2055

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream CopyCommand

Required: Conditional. If you enable logging, you must specify this property.
Type: String
LogStreamName
The name of the CloudWatch Logs log stream that Kinesis Data Firehose uses to send logs about
data delivery.
Required: Conditional. If you enable logging, you must specify this property.
Type: String

Amazon Kinesis Data Firehose DeliveryStream
CopyCommand
The CopyCommand property type conﬁgures the Amazon Redshift COPY command that Amazon Kinesis
Data Firehose (Kinesis Data Firehose) uses to load data into an Amazon Redshift cluster from an Amazon
S3 bucket.
CopyCommand is a property of the Amazon Kinesis Data Firehose DeliveryStream
RedshiftDestinationConﬁguration (p. 2068) property type.

Syntax
JSON
{

}

"CopyOptions" : String,
"DataTableColumns" : String,
"DataTableName" : String

YAML
CopyOptions: String
DataTableColumns: String
DataTableName: String

Properties
CopyOptions
Parameters to use with the Amazon Redshift COPY command. For examples, see the CopyOptions
content for the CopyCommand data type in the Amazon Kinesis Data Firehose API Reference.
Required: No
Type: String
DataTableColumns
A comma-separated list of the column names in the table that Kinesis Data Firehose copies data to.
Required: No
API Version 2010-05-15
2056

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
ElasticsearchBuﬀeringHints

Type: String
DataTableName
The name of the table where Kinesis Data Firehose adds the copied data.
Required: Yes
Type: String

Amazon Kinesis Data Firehose DeliveryStream
ElasticsearchBuﬀeringHints
The ElasticsearchBufferingHints property type speciﬁes how Amazon Kinesis Data Firehose
(Kinesis Data Firehose) buﬀers incoming data while delivering it to the destination. The ﬁrst buﬀer
condition that is satisﬁed triggers Kinesis Data Firehose to deliver the data.
ElasticsearchBufferingHints is the property type for the BufferingHints property of the
Amazon Kinesis Data Firehose DeliveryStream ElasticsearchDestinationConﬁguration (p. 2058) property
type.

Syntax
JSON
{
}

"IntervalInSeconds" : Integer,
"SizeInMBs" : Integer

YAML
IntervalInSeconds: Integer
SizeInMBs: Integer

Properties
IntervalInSeconds
The length of time, in seconds, that Kinesis Data Firehose buﬀers incoming data before delivering
it to the destination. For valid values, see the IntervalInSeconds content for the BuﬀeringHints
data type in the Amazon Kinesis Data Firehose API Reference.
Required: Yes
Type: Integer
SizeInMBs
The size of the buﬀer, in MBs, that Kinesis Data Firehose uses for incoming data before delivering it
to the destination. For valid values, see the SizeInMBs content for the BuﬀeringHints data type in
the Amazon Kinesis Data Firehose API Reference.
Required: Yes
Type: Integer
API Version 2010-05-15
2057

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
ElasticsearchDestinationConﬁguration

Amazon Kinesis Data Firehose DeliveryStream
ElasticsearchDestinationConﬁguration
The ElasticsearchDestinationConfiguration property type speciﬁes an Amazon Elasticsearch
Service (Amazon ES) domain that Amazon Kinesis Data Firehose (Kinesis Data Firehose) delivers data to.
ElasticsearchDestinationConfiguration is a property of the
AWS::KinesisFirehose::DeliveryStream (p. 1237) resource.

Syntax
JSON
{

}

"BufferingHints" : BufferingHints (p. 2057),
"CloudWatchLoggingOptions" : CloudWatchLoggingOptions (p. 2055),
"DomainARN" : String,
"IndexName" : String,
"IndexRotationPeriod" : String,
"ProcessingConfiguration" : ProcessingConfiguration (p. 2065),
"RetryOptions" : RetryOptions (p. 2060),
"RoleARN" : String,
"S3BackupMode" : String,
"S3Configuration" : S3Configuration (p. 2070),
"TypeName" : String

YAML
BufferingHints:
BufferingHints (p. 2057)
CloudWatchLoggingOptions:
CloudWatchLoggingOptions (p. 2055)
DomainARN: String
IndexName: String
IndexRotationPeriod: String
ProcessingConfiguration:
ProcessingConfiguration (p. 2065)
RetryOptions:
RetryOptions (p. 2060)
RoleARN: String
S3BackupMode: String
S3Configuration:
S3Configuration (p. 2070)
TypeName: String

Properties
BufferingHints
Conﬁgures how Kinesis Data Firehose buﬀers incoming data while delivering it to the Amazon ES
domain.
Required: Yes
Type: Kinesis Data Firehose DeliveryStream ElasticsearchBuﬀeringHints (p. 2057)
API Version 2010-05-15
2058

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
ElasticsearchDestinationConﬁguration

CloudWatchLoggingOptions
The Amazon CloudWatch Logs logging options for the delivery stream.
Required: No
Type: Kinesis Data Firehose DeliveryStream CloudWatchLoggingOptions (p. 2055)
DomainARN
The Amazon Resource Name (ARN) of the Amazon ES domain that Kinesis Data Firehose delivers
data to.
Required: Yes
Type: String
IndexName
The name of the Elasticsearch index to which Kinesis Data Firehose adds data for indexing.
Required: Yes
Type: String
IndexRotationPeriod
The frequency of Elasticsearch index rotation. If you enable index rotation, Kinesis Data Firehose
appends a portion of the UTC arrival timestamp to the speciﬁed index name, and rotates the
appended timestamp accordingly. For more information, see Index Rotation for the Amazon ES
Destination in the Amazon Kinesis Data Firehose Developer Guide.
Required: Yes
Type: String
ProcessingConfiguration
The data processing conﬁguration for the Kinesis Data Firehose delivery stream.
Required: No
Type: Kinesis Data Firehose DeliveryStream ProcessingConﬁguration (p. 2065)
RetryOptions
The retry behavior when Kinesis Data Firehose is unable to deliver data to Amazon ES.
Required: Yes
Type: Kinesis Data Firehose DeliveryStream ElasticsearchRetryOptions (p. 2060)
RoleARN
The ARN of the AWS Identity and Access Management (IAM) role that grants Kinesis Data Firehose
access to your Amazon S3 bucket, AWS KMS (if you enable data encryption), and Amazon
CloudWatch Logs (if you enable logging).
For more information, see Grant Kinesis Data Firehose Access to an Amazon Elasticsearch Service
Destination in the Amazon Kinesis Data Firehose Developer Guide.
Required: Yes
Type: String
S3BackupMode
The condition under which Kinesis Data Firehose delivers data to Amazon Simple Storage Service
(Amazon S3). You can send Amazon S3 all documents (all data) or only the documents that Kinesis
API Version 2010-05-15
2059

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
ElasticsearchRetryOptions

Data Firehose could not deliver to the Amazon ES destination. For more information and valid
values, see the S3BackupMode content for the ElasticsearchDestinationConﬁguration data type in
the Amazon Kinesis Data Firehose API Reference.
Required: Yes
Type: String
S3Configuration
The S3 bucket where Kinesis Data Firehose backs up incoming data.
Required: Yes
Type: Kinesis Data Firehose DeliveryStream S3DestinationConﬁguration (p. 2070)
TypeName
The Elasticsearch type name that Amazon ES adds to documents when indexing data.
Required: Yes
Type: String

Amazon Kinesis Data Firehose DeliveryStream
ElasticsearchRetryOptions
The ElasticsearchRetryOptions property type conﬁgures the retry behavior for when Amazon
Kinesis Data Firehose (Kinesis Data Firehose) can't deliver data to Amazon Elasticsearch Service (Amazon
ES).
RetryOptions is a property of the Amazon Kinesis Data Firehose DeliveryStream
ElasticsearchDestinationConﬁguration (p. 2058) property type.

Syntax
JSON
{
}

"DurationInSeconds" : Integer

YAML
DurationInSeconds: Integer

Properties
DurationInSeconds
After an initial failure to deliver to Amazon ES, the total amount of time during which Kinesis Data
Firehose re-attempts delivery (including the ﬁrst attempt). If Kinesis Data Firehose can't deliver the
data within the speciﬁed time, it writes the data to the backup S3 bucket. For valid values, see the
DurationInSeconds content for the ElasticsearchRetryOptions data type in the Amazon Kinesis
Data Firehose API Reference.
Required: Yes
API Version 2010-05-15
2060

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
EncryptionConﬁguration

Type: Integer

Amazon Kinesis Data Firehose DeliveryStream
EncryptionConﬁguration
The EncryptionConfiguration property type speciﬁes the encryption settings that Amazon Kinesis
Data Firehose (Kinesis Data Firehose) uses when delivering data to Amazon Simple Storage Service
(Amazon S3).
EncryptionConfiguration is a property of the Amazon Kinesis Data Firehose DeliveryStream
S3DestinationConﬁguration (p. 2070) property type.

Syntax
JSON
{
}

"KMSEncryptionConfig" : KMSEncryptionConfig (p. 2065),
"NoEncryptionConfig" : String

YAML
KMSEncryptionConfig:
KMSEncryptionConfig (p. 2065)
NoEncryptionConfig: String

Properties
KMSEncryptionConfig
The AWS Key Management Service (AWS KMS) encryption key that Amazon S3 uses to encrypt your
data.
Required: No
Type: Amazon Kinesis Data Firehose DeliveryStream KMSEncryptionConﬁg (p. 2065)
NoEncryptionConfig
Disables encryption. For valid values, see the NoEncryptionConfig content for the
EncryptionConﬁguration data type in the Amazon Kinesis Data Firehose API Reference.
Required: No
Type: String

Amazon Kinesis Data Firehose DeliveryStream
ExtendedS3DestinationConﬁguration
The ExtendedS3DestinationConfiguration property type conﬁgures an Amazon S3 destination
for an Amazon Kinesis Data Firehose delivery stream. ExtendedS3DestinationConfiguration is a
property of the AWS::KinesisFirehose::DeliveryStream (p. 1237) resource.
API Version 2010-05-15
2061

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
ExtendedS3DestinationConﬁguration

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"BucketARN" : String,
"BufferingHints" : BufferingHints (p. 2054),
"CloudWatchLoggingOptions" : CloudWatchLoggingOptions (p. 2055),
"CompressionFormat" : String,
"EncryptionConfiguration" : EncryptionConfiguration (p. 2061),
"Prefix" : String,
"ProcessingConfiguration" : ProcessingConfiguration (p. 2065),
"RoleARN" : String,
"S3BackupConfiguration" : S3DestinationConfiguration (p. 2070),
"S3BackupMode" : String

YAML
BucketARN: String
BufferingHints:
BufferingHints (p. 2054)
CloudWatchLoggingOptions:
CloudWatchLoggingOptions (p. 2055)
CompressionFormat: String
EncryptionConfiguration:
EncryptionConfiguration (p. 2061)
Prefix: String
ProcessingConfiguration:
ProcessingConfiguration (p. 2065)
RoleARN: String
S3BackupConfiguration:
S3DestinationConfiguration (p. 2070)
S3BackupMode: String

Properties
BucketARN
The Amazon Resource Name (ARN) of the Amazon S3 bucket. For constraints, see
ExtendedS3DestinationConﬁguration in the Amazon Kinesis Data Firehose API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
BufferingHints
The buﬀering option.
Required: Yes
Type: Kinesis Data Firehose DeliveryStream BuﬀeringHints (p. 2054)
Update requires: No interruption (p. 118)
API Version 2010-05-15
2062

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
ExtendedS3DestinationConﬁguration

CloudWatchLoggingOptions
The CloudWatch logging options for the Kinesis Data Firehose delivery stream.
Required: No
Type: Kinesis Data Firehose DeliveryStream CloudWatchLoggingOptions (p. 2055)
Update requires: No interruption (p. 118)
CompressionFormat
The compression format for the Kinesis Data Firehose delivery stream. The default value is
UNCOMPRESSED. For valid values, see ExtendedS3DestinationConﬁguration in the Amazon Kinesis
Data Firehose API Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
EncryptionConfiguration
The encryption conﬁguration for the Kinesis Data Firehose delivery stream. The default value is
NoEncryption.
Required: No
Type: Kinesis Data Firehose DeliveryStream EncryptionConﬁguration (p. 2061)
Update requires: No interruption (p. 118)
Prefix
The YYYY/MM/DD/HH time format preﬁx is automatically used for delivered Amazon S3 ﬁles. For
more information, see ExtendedS3DestinationConﬁguration in the Amazon Kinesis Data Firehose API
Reference.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ProcessingConfiguration
The data processing conﬁguration for the Kinesis Data Firehose delivery stream.
Required: No
Type: Kinesis Data Firehose DeliveryStream ProcessingConﬁguration (p. 2065)
Update requires: No interruption (p. 118)
RoleARN
The ARN of the AWS credentials. For constraints, see ExtendedS3DestinationConﬁguration in the
Amazon Kinesis Data Firehose API Reference.
Required: Yes
Type: String
API Version 2010-05-15
2063

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
KinesisStreamSourceConﬁguration

Update requires: No interruption (p. 118)
S3BackupConfiguration
The conﬁguration for backup in Amazon S3.
Required: No
Type: Kinesis Data Firehose DeliveryStream S3DestinationConﬁguration (p. 2070)
Update requires: No interruption (p. 118)
S3BackupMode
The Amazon S3 backup mode. For valid values, see ExtendedS3DestinationConﬁguration in the
Amazon Kinesis Data Firehose API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Firehose DeliveryStream
KinesisStreamSourceConﬁguration
The KinesisStreamSourceConfiguration property type speciﬁes the stream and role Amazon
Resource Names (ARNs) for a Kinesis stream used as the source for a delivery stream.
KinesisStreamSourceConfiguration is a property of the
AWS::KinesisFirehose::DeliveryStream (p. 1237) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"KinesisStreamARN" : String
"RoleARN" : String

YAML
KinesisStreamARN: String
RoleARN: String

Properties
KinesisStreamARN
The Amazon Resource Name (ARN) of the source Kinesis stream.
Required: Yes
API Version 2010-05-15
2064

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream KMSEncryptionConﬁg

Type: String
Update requires: No interruption (p. 118)
RoleARN
The Amazon Resource Name (ARN) of the role that provides access to the source Kinesis stream.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Firehose DeliveryStream
KMSEncryptionConﬁg
The KMSEncryptionConfig property type speciﬁes the AWS Key Management Service (AWS KMS)
encryption key that Amazon Simple Storage Service (Amazon S3) uses to encrypt data delivered by the
Amazon Kinesis Data Firehose (Kinesis Data Firehose) stream.
KMSEncryptionConfig is a property of the Amazon Kinesis Data Firehose DeliveryStream
KMSEncryptionConﬁg (p. 2065) property type.

Syntax
JSON
{
}

"AWSKMSKeyARN" : String

YAML
AWSKMSKeyARN: String

Properties
AWSKMSKeyARN
The Amazon Resource Name (ARN) of the AWS KMS encryption key that Amazon S3 uses to encrypt
data delivered by the Kinesis Data Firehose stream. The key must belong to the same region as the
destination S3 bucket.
Required: Yes
Type: String

Amazon Kinesis Data Firehose DeliveryStream
ProcessingConﬁguration
The ProcessingConfiguration property conﬁgures data processing for an Amazon Kinesis Data
Firehose delivery stream.
API Version 2010-05-15
2065

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream Processor

ProcessingConfiguration is a property of the Kinesis Data Firehose DeliveryStream
ElasticsearchDestinationConﬁguration (p. 2058), Kinesis Data Firehose DeliveryStream
ExtendedS3DestinationConﬁguration (p. 2061), Kinesis Data Firehose DeliveryStream
RedshiftDestinationConﬁguration (p. 2068), and Kinesis Data Firehose DeliveryStream
SplunkDestinationConﬁguration (p. 2072) property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Enabled" : Boolean,
"Processors" : [ Processor (p. 2066), ... ]

YAML
Enabled: Boolean
Processors:
- Processor (p. 2066)

Properties
Enabled
Indicates whether data processing is enabled (true) or disabled (false).
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Processors
The data processors.
Required: Yes
Type: List of Kinesis Data Firehose DeliveryStream Processor (p. 2066)
Update requires: No interruption (p. 118)

Amazon Kinesis Data Firehose DeliveryStream
Processor
The Processor property speciﬁes a data processor for an Amazon Kinesis Data Firehose
delivery stream. Processor is a property of the Amazon Kinesis Data Firehose DeliveryStream
ProcessingConﬁguration (p. 2065) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
2066

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream ProcessorParameter

JSON
{
}

"Parameters" : [ ProcessorParameter (p. 2067), ... ],
"Type" : String

YAML
Parameters:
- ProcessorParameter (p. 2067)
Type: String

Properties
Parameters
The processor parameters.
Required: Yes
Type: List of Amazon Kinesis Data Firehose DeliveryStream ProcessorParameter (p. 2067)
Update requires: No interruption (p. 118)
Type
The type of processor. Valid values: Lambda.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Firehose DeliveryStream
ProcessorParameter
The ProcessorParameter property speciﬁes a processor parameter in a data processor for an Amazon
Kinesis Data Firehose delivery stream.
ProcessorParameter is a property of the Amazon Kinesis Data Firehose DeliveryStream
Processor (p. 2066) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"ParameterName" : String,
"ParameterValue" : String

API Version 2010-05-15
2067

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
RedshiftDestinationConﬁguration
}

YAML
ParameterName: String
ParameterValue: String

Properties
For more information about each property, including constraints and valid values, see
ProcessorParameter in the Amazon Kinesis Data Firehose API Reference.
ParameterName
The name of the parameter.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ParameterValue
The parameter value.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Kinesis Data Firehose DeliveryStream
RedshiftDestinationConﬁguration
The RedshiftDestinationConfiguration property type speciﬁes an Amazon Redshift cluster to
which Amazon Kinesis Data Firehose (Kinesis Data Firehose) delivers data.
RedshiftDestinationConfiguration is a property of the
AWS::KinesisFirehose::DeliveryStream (p. 1237) resource.

Syntax
JSON
{

}

"CloudWatchLoggingOptions" : CloudWatchLoggingOptions (p. 2055),
"ClusterJDBCURL" : String,
"CopyCommand" : CopyCommand (p. 2056),
"Password" : String,
"ProcessingConfiguration" : ProcessingConfiguration (p. 2065),
"RoleARN" : String,
"S3Configuration" : S3Configuration (p. 2070),
"Username" : String

API Version 2010-05-15
2068

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
RedshiftDestinationConﬁguration

YAML
CloudWatchLoggingOptions:
CloudWatchLoggingOptions (p. 2055)
ClusterJDBCURL: String
CopyCommand:
CopyCommand (p. 2056)
Password: String
ProcessingConfiguration:
ProcessingConfiguration (p. 2065)
RoleARN: String
S3Configuration:
S3Configuration (p. 2070)
Username: String

Properties
CloudWatchLoggingOptions
The Amazon CloudWatch Logs logging options for the delivery stream.
Required: No
Type: Kinesis Data Firehose DeliveryStream CloudWatchLoggingOptions (p. 2055)
ClusterJDBCURL
The connection string that Kinesis Data Firehose uses to connect to the Amazon Redshift cluster.
Required: Yes
Type: String
CopyCommand
Conﬁgures the Amazon Redshift COPY command that Kinesis Data Firehose uses to load data into
the cluster from the Amazon S3 bucket.
Required: Yes
Type: Kinesis Data Firehose DeliveryStream CopyCommand (p. 2056)
Password
The password for the Amazon Redshift user that you speciﬁed in the Username property.
Required: Yes
Type: String
ProcessingConfiguration
The data processing conﬁguration for the Kinesis Data Firehose delivery stream.
Required: No
Type: Kinesis Data Firehose DeliveryStream ProcessingConﬁguration (p. 2065)
RoleARN
The ARN of the AWS Identity and Access Management (IAM) role that grants Kinesis Data Firehose
access to your Amazon S3 bucket and AWS KMS (if you enable data encryption).
For more information, see Grant Kinesis Data Firehose Access to an Amazon Redshift Destination in
the Amazon Kinesis Data Firehose Developer Guide.
API Version 2010-05-15
2069

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
S3DestinationConﬁguration

Required: Yes
Type: String
S3Configuration
The S3 bucket where Kinesis Data Firehose ﬁrst delivers data. After the data is in the bucket, Kinesis
Data Firehose uses the COPY command to load the data into the Amazon Redshift cluster. For the
Amazon S3 bucket's compression format, don't specify SNAPPY or ZIP because the Amazon Redshift
COPY command doesn't support them.
Required: Yes
Type: Kinesis Data Firehose DeliveryStream S3DestinationConﬁguration (p. 2070)
Username
The Amazon Redshift user that has permission to access the Amazon Redshift cluster. This user must
have INSERT privileges for copying data from the Amazon S3 bucket to the cluster.
Required: Yes
Type: String

Amazon Kinesis Data Firehose DeliveryStream
S3DestinationConﬁguration
The S3DestinationConfiguration property type speciﬁes an Amazon Simple Storage Service
(Amazon S3) destination to which Amazon Kinesis Data Firehose (Kinesis Data Firehose) delivers data.
S3DestinationConfiguration is a property of the AWS::KinesisFirehose::DeliveryStream (p. 1237)
resource and the Amazon Kinesis Data Firehose DeliveryStream
ElasticsearchDestinationConﬁguration (p. 2058), Amazon Kinesis Data Firehose DeliveryStream
RedshiftDestinationConﬁguration (p. 2068), and Amazon Kinesis Data Firehose DeliveryStream
SplunkDestinationConﬁguration (p. 2072) property types.

Syntax
JSON
{

}

"BucketARN" : String,
"BufferingHints" : BufferingHints (p. 2054),
"CloudWatchLoggingOptions" : CloudWatchLoggingOptions (p. 2055),
"CompressionFormat" : String,
"EncryptionConfiguration" : EncryptionConfiguration (p. 2061),
"Prefix" : String,
"RoleARN" : String

YAML
BucketARN: String
BufferingHints:
BufferingHints (p. 2054)
CloudWatchLoggingOptions:
CloudWatchLoggingOptions (p. 2055)
CompressionFormat: String

API Version 2010-05-15
2070

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
S3DestinationConﬁguration
EncryptionConfiguration:
EncryptionConfiguration (p. 2061)
Prefix: String
RoleARN: String

Properties
BucketARN
The Amazon Resource Name (ARN) of the Amazon S3 bucket to send data to.
Required: Yes
Type: String
BufferingHints
Conﬁgures how Kinesis Data Firehose buﬀers incoming data while delivering it to the Amazon S3
bucket.
Required: Yes
Type: Kinesis Data Firehose DeliveryStream BuﬀeringHints (p. 2054)
CloudWatchLoggingOptions
The Amazon CloudWatch Logs logging options for the delivery stream.
Required: No
Type: Amazon Kinesis Data Firehose DeliveryStream CloudWatchLoggingOptions (p. 2055)
CompressionFormat
The type of compression that Kinesis Data Firehose uses to compress the data that it delivers
to the Amazon S3 bucket. For valid values, see the CompressionFormat content for the
S3DestinationConﬁguration data type in the Amazon Kinesis Data Firehose API Reference.
Required: Yes
Type: String
EncryptionConfiguration
Conﬁgures Amazon Simple Storage Service (Amazon S3) server-side encryption. Kinesis Data
Firehose uses AWS Key Management Service (AWS KMS) to encrypt the data that it delivers to your
Amazon S3 bucket.
Required: No
Type: Amazon Kinesis Data Firehose DeliveryStream EncryptionConﬁguration (p. 2061)
Prefix
A preﬁx that Kinesis Data Firehose adds to the ﬁles that it delivers to the Amazon S3 bucket. The
preﬁx helps you identify the ﬁles that Kinesis Data Firehose delivered.
Required: No
Type: String
RoleARN
The ARN of an AWS Identity and Access Management (IAM) role that grants Kinesis Data Firehose
access to your Amazon S3 bucket and AWS KMS (if you enable data encryption).
API Version 2010-05-15
2071

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
SplunkDestinationConﬁguration

For more information, see Grant Kinesis Data Firehose Access to an Amazon S3 Destination in the
Amazon Kinesis Data Firehose Developer Guide.
Required: Yes
Type: String

Amazon Kinesis Data Firehose DeliveryStream
SplunkDestinationConﬁguration
The SplunkDestinationConfiguration property type speciﬁes the conﬁguration of a destination in
Splunk for a Kinesis Data Firehose delivery stream.
SplunkDestinationConfiguration is a property of the
AWS::KinesisFirehose::DeliveryStream (p. 1237) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"CloudWatchLoggingOptions" : CloudWatchLoggingOptions (p. 2055),
"HECAcknowledgmentTimeoutInSeconds" : Integer,
"HECEndpoint" : String,
"HECEndpointType" : String,
"HECToken" : String,
"ProcessingConfiguration" : ProcessingConfiguration (p. 2065),
"RetryOptions" : RetryOptions (p. 2074),
"S3BackupMode" : String,
"S3Configuration" : S3Configuration (p. 2070)

YAML
CloudWatchLoggingOptions:
CloudWatchLoggingOptions (p. 2055)
HECAcknowledgmentTimeoutInSeconds: Integer
HECEndpoint: String
HECEndpointType: String
HECToken: String
ProcessingConfiguration:
ProcessingConfiguration (p. 2065)
RetryOptions:
RetryOptions (p. 2074)
S3BackupMode: String
S3Configuration:
S3Configuration (p. 2070)

Properties
CloudWatchLoggingOptions
The CloudWatch logging options for your delivery stream.
Required: No
API Version 2010-05-15
2072

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream
SplunkDestinationConﬁguration

Type: Kinesis Data Firehose DeliveryStream CloudWatchLoggingOptions (p. 2055)
Update requires: No interruption (p. 118)
HECAcknowledgmentTimeoutInSeconds
The amount of time that Kinesis Data Firehose waits to receive an acknowledgment from Splunk
after it sends it data. At the end of the timeout period, Kinesis Data Firehose either tries to send the
data again or considers it an error, based on your retry settings.
Valid Range: Minimum value of 180. Maximum value of 600.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
HECEndpoint
The HTTP Event Collector (HEC) endpoint to which Kinesis Data Firehose sends your data.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
HECEndpointType
This type can be either Raw or Event.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
HECToken
A GUID that you obtain from your Splunk cluster when you create a new HEC endpoint.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
ProcessingConfiguration
The data processing conﬁguration.
Required: No
Type: Kinesis Data Firehose DeliveryStream ProcessingConﬁguration (p. 2065)
Update requires: No interruption (p. 118)
RetryOptions
The retry behavior in case Kinesis Data Firehose is unable to deliver data to Splunk, or if it doesn't
receive an acknowledgment of receipt from Splunk.
Required: No
API Version 2010-05-15
2073

AWS CloudFormation User Guide
Kinesis Data Firehose DeliveryStream SplunkRetryOptions

Type: Kinesis Data Firehose DeliveryStream SplunkRetryOptions (p. 2074)
Update requires: No interruption (p. 118)
S3BackupMode
Deﬁnes how documents should be delivered to Amazon S3. When set to FailedEventsOnly,
Kinesis Data Firehose writes any data that could not be indexed to the conﬁgured Amazon S3
destination. When set to AllEvents, Kinesis Data Firehose delivers all incoming records to Amazon
S3, and also writes failed documents to Amazon S3. Default value is FailedEventsOnly.
Valid values include FailedEventsOnly and AllEvents.
Required: No
Type: String
Update requires: No interruption (p. 118)
S3Configuration
The conﬁguration for the backup Amazon S3 location.
Required: Yes
Type: Kinesis Data Firehose DeliveryStream S3DestinationConﬁguration (p. 2070)
Update requires: No interruption (p. 118)

See Also
• SplunkDestinationConﬁguration in the Amazon Kinesis Data Firehose API Reference

Amazon Kinesis Data Firehose DeliveryStream
SplunkRetryOptions
The SplunkRetryOptions property type speciﬁes retry behavior in case Kinesis Data Firehose is unable
to deliver documents to Splunk or if it doesn't receive an acknowledgment from Splunk.
SplunkRetryOptions is a property of the Amazon Kinesis Data Firehose DeliveryStream
SplunkDestinationConﬁguration (p. 2072) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"DurationInSeconds" : Integer

YAML
DurationInSeconds: Integer

API Version 2010-05-15
2074

AWS CloudFormation User Guide
AWS Lambda Alias AliasRoutingConﬁguration

Properties
DurationInSeconds
The total amount of time that Kinesis Data Firehose spends on retries. This duration starts after the
initial attempt to send data to Splunk fails and doesn't include the periods during which Kinesis Data
Firehose waits for acknowledgment from Splunk after each attempt.
Valid Range: Minimum value of 0. Maximum value of 7200.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)

See Also
• SplunkRetryOptions in the Amazon Kinesis Data Firehose API Reference

AWS Lambda Alias AliasRoutingConﬁguration
The AliasRoutingConfiguration property type speciﬁes two diﬀerent versions of an AWS
Lambda function, allowing you to dictate what percentage of traﬃc will invoke each version. For
more information, see Routing Traﬃc to Diﬀerent Function Versions Using Aliases in the AWS Lambda
Developer Guide.
AliasRoutingConfiguration is a property of the AWS::Lambda::Alias (p. 1254) resource type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"AdditionalVersionWeights" : [ VersionWeight (p. 2076), ... ]

YAML
AdditionalVersionWeights:
- VersionWeight (p. 2076)

Properties
AdditionalVersionWeights
The percentage of traﬃc that will invoke the updated function version.
Required: Yes
Type: List of AWS Lambda Alias VersionWeight (p. 2076)
API Version 2010-05-15
2075

AWS CloudFormation User Guide
AWS Lambda Alias VersionWeight

Update requires: No interruption (p. 118)

See Also
• Routing Traﬃc to Diﬀerent Function Versions Using Aliases in the AWS Lambda Developer Guide
• CreateAlias in the AWS Lambda Developer Guide
• AliasRoutingConﬁguration in the AWS Lambda Developer Guide

AWS Lambda Alias VersionWeight
The VersionWeight property type speciﬁes the percentages of traﬃc that will invoke each function
versions for an AWS Lambda alias. For more information, see Routing Traﬃc to Diﬀerent Function
Versions Using Aliases in the AWS Lambda Developer Guide.
VersionWeight is a property of the AWS::Lambda::Alias (p. 1254) resource type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"FunctionVersion" : String,
"FunctionWeight" : Double

YAML
FunctionVersion: String
FunctionWeight: Double

Properties
FunctionVersion
Function version to which the alias points.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
FunctionWeight
The percentage of traﬃc that will invoke the function version.
Required: Yes
Type: Double
Update requires: No interruption (p. 118)
API Version 2010-05-15
2076

AWS CloudFormation User Guide
AWS Lambda Function DeadLetterConﬁg

See Also
• Routing Traﬃc to Diﬀerent Function Versions Using Aliases in the AWS Lambda Developer Guide
• AliasRoutingConﬁguration in the AWS Lambda Developer Guide

AWS Lambda Function DeadLetterConﬁg
DeadLetterConfig is a property of the AWS::Lambda::Function (p. 1257) resource that speciﬁes a
Dead Letter Queue (DLQ) that AWS Lambda (Lambda) sends events to when it can't process them. For
example, you can send unprocessed events to an Amazon Simple Notiﬁcation Service (Amazon SNS)
topic, where you can take further action.

Syntax
JSON
{
}

"TargetArn" : String

YAML
TargetArn: String

Properties
TargetArn
The Amazon Resource Name (ARN) of a resource where Lambda delivers unprocessed events, such
as an Amazon SNS topic or Amazon Simple Queue Service (Amazon SQS) queue. For the Lambda
function execution role, you must explicitly provide the relevant permissions so that access to your
DLQ resource is part of the execution role for your Lambda function.
Required: No
Type: String

AWS Lambda Function Environment
Environment is a property of the AWS::Lambda::Function (p. 1257) resource that speciﬁes key-value
pairs that the AWS Lambda (Lambda) function can access so that you can apply conﬁguration changes,
such as test and production environment conﬁgurations, without changing the function code.

Syntax
JSON
{
}

"Variables" : { String:String, ... }

API Version 2010-05-15
2077

AWS CloudFormation User Guide
AWS Lambda Function Code

YAML
Variables:
String: String

Properties
Variables
A map of key-value pairs that the Lambda function can access.
Required: No
Type: Mapping of key-value pairs

AWS Lambda Function Code
Code is a property of the AWS::Lambda::Function (p. 1257) resource that enables you to specify the
source code of an AWS Lambda function. Your source code can be located in either the template or a ﬁle
in an Amazon Simple Storage Service (Amazon S3) bucket. For nodejs4.3, nodejs6.10, python2.7,
and python3.6 runtime environments only, you can provide source code as inline text in your template.

Note

To update a Lambda function whose source code is in an Amazon S3 bucket, you must trigger
an update by updating the S3Bucket, S3Key, or S3ObjectVersion property. Updating the
source code alone doesn't update the function.

Syntax
JSON
{

}

"S3Bucket" : String,
"S3Key" : String,
"S3ObjectVersion" : String,
"ZipFile" : String

YAML
S3Bucket: String
S3Key: String
S3ObjectVersion: String
ZipFile: String

Properties
S3Bucket
The name of the Amazon S3 bucket where the .zip ﬁle that contains your deployment package is
stored. This bucket must reside in the same AWS Region that you're creating the Lambda function in.
You can specify a bucket from another AWS account as long as the Lambda function and the bucket
are in the same region.
API Version 2010-05-15
2078

AWS CloudFormation User Guide
AWS Lambda Function Code

Note

The cfn-response module isn't available for source code that's stored in Amazon S3
buckets. To send responses, write your own functions.
Required: Conditional Specify both the S3Bucket and S3Key properties, or specify the ZipFile
property.
Type: String
S3Key
The location and name of the .zip ﬁle that contains your source code. If you specify this property,
you must also specify the S3Bucket property.
Required: Conditional You must specify both the S3Bucket and S3Key properties, or specify the
ZipFile property.
Type: String
S3ObjectVersion
If you have S3 versioning enabled, the version ID of the.zip ﬁle that contains your source code. You
can specify this property only if you specify the S3Bucket and S3Key properties.
Required: No
Type: String
ZipFile
For nodejs4.3, nodejs6.10, python2.7, and python3.6 runtime environments, the source code
of your Lambda function. You can't use this property with other runtime environments.
You can specify up to 4096 characters. You must precede certain special characters in your source
code (such as quotation marks ("), newlines (\n), and tabs (\t)) with a backslash (\). For a list of
special characters, see http://json.org/.
If you specify a function that interacts with an AWS CloudFormation custom resource, you don't have
to write your own functions to send responses to the custom resource that invoked the function.
AWS CloudFormation provides a response module that simpliﬁes sending responses. For more
information, see cfn-response Module (p. 2079).
Required: Conditional You must specify both the S3Bucket and S3Key properties, or specify the
ZipFile property.
Type: String

cfn-response Module
When you use the ZipFile property to specify your function's source code and that function
interacts with an AWS CloudFormation custom resource, you can load the cfn-response module
to send responses to those resources. The module contains a send method, which sends a response
object (p. 448) to a custom resource by way of an Amazon S3 presigned URL (the ResponseURL).
After executing the send method, the Lambda function terminates, so anything you write after that
method is ignored.

Note

The cfn-response module is available only when you use the ZipFile property to write your
source code. It isn't available for source code that's stored in Amazon S3 buckets. For code in
buckets, you must write your own functions to send responses.
API Version 2010-05-15
2079

AWS CloudFormation User Guide
AWS Lambda Function Code

Loading the cfn-response Module
For the nodejs4.3 or nodejs6.10 runtime environment, use the require() function to load the
cfn-response module. For example, the following code example creates a cfn-response object with
the name response:
var response = require('cfn-response');

For python2.7 or python3.6 environments, use the import statement to load the cfnresponse
module, as shown in the following example:

Note

Use this exact import statement. If you use other variants of the import statement, AWS
CloudFormation doesn't include the response module.
import cfnresponse

send Method Parameters
You can use the following parameters with the send method.
event
The ﬁelds in a custom resource request (p. 450).
context
An object, speciﬁc to Lambda functions, that you can use to specify when the function and any
callbacks have completed execution, or to access information from within the Lambda execution
environment. For more information, see Programming Model (Node.js) in the AWS Lambda Developer
Guide.
responseStatus
Whether the function successfully completed. Use the cfnresponse module constants to specify
the status: SUCCESS for successful executions and FAILED for failed executions.
responseData
The Data ﬁeld of a custom resource response object (p. 448). The data is a list of name-value pairs.
noEcho
Optional. Indicates whether to mask the output of the custom resource when it's retrieved by using
the Fn::GetAtt function. If set to true, all returned values are masked with asterisks (*****). By
default, this value is false.
physicalResourceId
Optional. The unique identiﬁer of the custom resource that invoked the function. By default, the
module uses the name of the Amazon CloudWatch Logs log stream that's associated with the
Lambda function.

Examples
Node.js
In the following Node.js example, the inline Lambda function takes an input value and multiplies it by 5.
Inline functions are especially useful for smaller functions because they allow you to specify the source
code directly in the template, instead of creating a package and uploading it to an Amazon S3 bucket.
API Version 2010-05-15
2080

AWS CloudFormation User Guide
AWS Lambda Function Code

The function uses the cfn-response send method to send the result back to the custom resource that
invoked it.

JSON
"ZipFile": { "Fn::Join": ["", [
"var response = require('cfn-response');",
"exports.handler = function(event, context) {",
" var input = parseInt(event.ResourceProperties.Input);",
" var responseData = {Value: input * 5};",
" response.send(event, context, response.SUCCESS, responseData);",
"};"
]]}

YAML
ZipFile: >
var response = require('cfn-response');
exports.handler = function(event, context) {
var input = parseInt(event.ResourceProperties.Input);
var responseData = {Value: input * 5};
response.send(event, context, response.SUCCESS, responseData);
};

Python
As in the preceding example, in the following Python example (the example works in both version 2.7
and 3.6), the inline Lambda function takes an integer value and multiplies it by 5.

JSON
"ZipFile" : { "Fn::Join" : ["\n", [
"import json",
"import cfnresponse",
"def handler(event, context):",
"
responseValue = int(event['ResourceProperties']['Input']) * 5",
"
responseData = {}",
"
responseData['Data'] = responseValue",
"
cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData,
\"CustomResourcePhysicalID\")"
]]}

YAML
ZipFile: |
import json
import cfnresponse
def handler(event, context):
responseValue = int(event['ResourceProperties']['Input']) * 5
responseData = {}
responseData['Data'] = responseValue
cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData,
"CustomResourcePhysicalID")

Module Source Code
The following is the response module source code for the nodejs4.3 or nodejs6.10 runtime
environment. Review it to understand what the module does and for help with implementing your own
response functions.
API Version 2010-05-15
2081

AWS CloudFormation User Guide
AWS Lambda Function Code

/* Copyright 2015 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
This file is licensed to you under the AWS Customer Agreement (the "License").
You may not use this file except in compliance with the License.
A copy of the License is located at http://aws.amazon.com/agreement/ .
This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, express or implied.
See the License for the specific language governing permissions and limitations under
the License. */
exports.SUCCESS = "SUCCESS";
exports.FAILED = "FAILED";
exports.send = function(event, context, responseStatus, responseData, physicalResourceId,
noEcho) {
var responseBody = JSON.stringify({
Status: responseStatus,
Reason: "See the details in CloudWatch Log Stream: " + context.logStreamName,
PhysicalResourceId: physicalResourceId || context.logStreamName,
StackId: event.StackId,
RequestId: event.RequestId,
LogicalResourceId: event.LogicalResourceId,
NoEcho: noEcho || false,
Data: responseData
});
console.log("Response body:\n", responseBody);
var https = require("https");
var url = require("url");
var parsedUrl = url.parse(event.ResponseURL);
var options = {
hostname: parsedUrl.hostname,
port: 443,
path: parsedUrl.path,
method: "PUT",
headers: {
"content-type": "",
"content-length": responseBody.length
}
};
var request = https.request(options, function(response) {
console.log("Status code: " + response.statusCode);
console.log("Status message: " + response.statusMessage);
context.done();
});
request.on("error", function(error) {
console.log("send(..) failed executing https.request(..): " + error);
context.done();
});

}

request.write(responseBody);
request.end();

The following is the response module source code for the python3.6 environment:
#
#
#
#

Copyright 2016 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
This file is licensed to you under the AWS Customer Agreement (the "License").
You may not use this file except in compliance with the License.
A copy of the License is located at http://aws.amazon.com/agreement/ .

API Version 2010-05-15
2082

AWS CloudFormation User Guide
AWS Lambda Function Code
#

This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, express or implied.
# See the License for the specific language governing permissions and limitations under
the License.
from botocore.vendored import requests
import json
SUCCESS = "SUCCESS"
FAILED = "FAILED"
def send(event, context, responseStatus, responseData, physicalResourceId=None,
noEcho=False):
responseUrl = event['ResponseURL']
print(responseUrl)
responseBody = {}
responseBody['Status'] = responseStatus
responseBody['Reason'] = 'See the details in CloudWatch Log Stream: ' +
context.log_stream_name
responseBody['PhysicalResourceId'] = physicalResourceId or context.log_stream_name
responseBody['StackId'] = event['StackId']
responseBody['RequestId'] = event['RequestId']
responseBody['LogicalResourceId'] = event['LogicalResourceId']
responseBody['NoEcho'] = noEcho
responseBody['Data'] = responseData
json_responseBody = json.dumps(responseBody)
print("Response body:\n" + json_responseBody)
headers = {
'content-type' : '',
'content-length' : str(len(json_responseBody))
}
try:

response = requests.put(responseUrl,
data=json_responseBody,
headers=headers)
print("Status code: " + response.reason)
except Exception as e:
print("send(..) failed executing requests.put(..): " + str(e))

The following is the response module source code for the python2.7 environment:
#
#
#
#
#

Copyright 2016 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
This file is licensed to you under the AWS Customer Agreement (the "License").
You may not use this file except in compliance with the License.
A copy of the License is located at http://aws.amazon.com/agreement/ .
This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, express or implied.
# See the License for the specific language governing permissions and limitations under
the License.
from botocore.vendored import requests
import json
SUCCESS = "SUCCESS"
FAILED = "FAILED"
def send(event, context, responseStatus, responseData, physicalResourceId=None,
noEcho=False):
responseUrl = event['ResponseURL']

API Version 2010-05-15
2083

AWS CloudFormation User Guide
AWS Lambda Function TracingConﬁg

print responseUrl
responseBody = {}
responseBody['Status'] = responseStatus
responseBody['Reason'] = 'See the details in CloudWatch Log Stream: ' +
context.log_stream_name
responseBody['PhysicalResourceId'] = physicalResourceId or context.log_stream_name
responseBody['StackId'] = event['StackId']
responseBody['RequestId'] = event['RequestId']
responseBody['LogicalResourceId'] = event['LogicalResourceId']
responseBody['NoEcho'] = noEcho
responseBody['Data'] = responseData
json_responseBody = json.dumps(responseBody)
print "Response body:\n" + json_responseBody
headers = {
'content-type' : '',
'content-length' : str(len(json_responseBody))
}
try:

response = requests.put(responseUrl,
data=json_responseBody,
headers=headers)
print "Status code: " + response.reason
except Exception as e:
print "send(..) failed executing requests.put(..): " + str(e)

AWS Lambda Function TracingConﬁg
TracingConfig is a property of the AWS::Lambda::Function (p. 1257) resource that conﬁgures
tracing settings for your AWS Lambda (Lambda) function. For more information about tracing Lambda
functions, see Tracing Lambda-Based Applications with AWS X-Ray in the AWS Lambda Developer Guide.

Syntax
JSON
{
}

"Mode" : String

YAML
Mode:
String

Properties
Mode
Speciﬁes how Lambda traces a request. The default mode is PassThrough. For more information,
see TracingConfig in the AWS Lambda Developer Guide.
Required: No
API Version 2010-05-15
2084

AWS CloudFormation User Guide
AWS Lambda Function VpcConﬁg

Type: String
Update requires: No interruption (p. 118)

AWS Lambda Function VpcConﬁg
VpcConfig is a property of the AWS::Lambda::Function (p. 1257) resource that enables your AWS
Lambda (Lambda) function to access resources in a VPC. For more information, see Conﬁguring a
Lambda Function to Access Resources in an Amazon VPC in the AWS Lambda Developer Guide.

Syntax
JSON
{
}

"SecurityGroupIds" : [ String, ... ],
"SubnetIds" : [ String, ... ]

YAML
SecurityGroupIds:
- String
SubnetIds:
- String

Properties
SecurityGroupIds
A list of one or more security groups IDs in the VPC that includes the resources to which your
Lambda function requires access.
Required: Yes
Type: List of String values
SubnetIds
A list of one or more subnet IDs in the VPC that includes the resources to which your Lambda
function requires access.
Required: Yes
Type: List of String values

Name Type
For some resources, you can specify a custom name. By default, AWS CloudFormation generates a
unique physical ID to name a resource. For example, AWS CloudFormation might name an Amazon S3
bucket with the following physical ID stack123123123123-s3bucket-abcdefghijk1. With custom
names, you can specify a name that's easier to read and identify, such as production-app-logs or
business-metrics.
API Version 2010-05-15
2085

AWS CloudFormation User Guide
Name Type

Resource names must be unique across all of your active stacks. If you reuse templates to create multiple
stacks, you must change or remove custom names from your template. If you don't specify a name, AWS
CloudFormation generates a unique physical ID to name the resource. Names must begin with a letter;
contain only ASCII letters, digits, and hyphens; and not end with a hyphen or contain two consecutive
hyphens.
Also, do not manage stack resources outside of AWS CloudFormation. For example, if you rename a
resource that's part of a stack without using AWS CloudFormation, you might get an error any time you
try to update or delete that stack.

Important

You can't perform an update that causes a custom-named resource to be replaced. If you must
replace the resource, specify a new name.

Example
If you want to use a custom name, specify a name property for that resource in your AWS
CloudFormation template. Each resource that supports custom names has its own property that you
specify. For example, to name an DynamoDB table, you use the TableName property, as shown in the
following sample:

JSON
"myDynamoDBTable" : {
"Type" : "AWS::DynamoDB::Table",
"Properties" : {
"KeySchema" : {
"HashKeyElement": {
"AttributeName" : "AttributeName1",
"AttributeType" : "S"
},
"RangeKeyElement" : {
"AttributeName" : "AttributeName2",
"AttributeType" : "N"
}
},
"ProvisionedThroughput" : {
"ReadCapacityUnits" : "5",
"WriteCapacityUnits" : "10"
},
"TableName" : "SampleTable"
}
}

YAML
myDynamoDBTable:
Type: AWS::DynamoDB::Table
Properties:
KeySchema:
HashKeyElement:
AttributeName: "AttributeName1"
AttributeType: "S"
RangeKeyElement:
AttributeName: "AttributeName2"
AttributeType: "N"
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "10"
TableName: "SampleTable"

API Version 2010-05-15
2086

AWS CloudFormation User Guide
AWS OpsWorks App DataSource

Supported Resources
The following resource types support custom names:
• AWS::ApiGateway::ApiKey (p. 518)
• AWS::ApiGateway::Model (p. 556)
• AWS::CloudWatch::Alarm (p. 714)
• AWS::DynamoDB::Table (p. 848)
• AWS::ElasticBeanstalk::Application (p. 1043)
• AWS::ElasticBeanstalk::Environment (p. 1050)
• AWS::CodeDeploy::Application (p. 731)
• AWS::CodeDeploy::DeploymentConﬁg (p. 733)
• AWS::CodeDeploy::DeploymentGroup (p. 735)
• AWS::Conﬁg::ConﬁgRule (p. 788)
• AWS::Conﬁg::DeliveryChannel (p. 799)
• AWS::Conﬁg::ConﬁgurationRecorder (p. 797)
• AWS::ElasticLoadBalancing::LoadBalancer (p. 1063)
• AWS::ElasticLoadBalancingV2::LoadBalancer (p. 1082)
• AWS::ElasticLoadBalancingV2::TargetGroup (p. 1088)
• AWS::EC2::SecurityGroup (p. 917)
• AWS::ElastiCache::CacheCluster (p. 1018)
• AWS::ECR::Repository (p. 985)
• AWS::ECS::Cluster (p. 989)
• AWS::Elasticsearch::Domain (p. 1096)
• AWS::Events::Rule (p. 1132)
• AWS::IAM::Group (p. 1186)
• AWS::IAM::ManagedPolicy (p. 1190)
• AWS::IAM::Role (p. 1197)
• AWS::IAM::User (p. 1205)
• AWS::Lambda::Function (p. 1257)
• AWS::RDS::DBInstance (p. 1341)
• AWS::S3::Bucket (p. 1403)
• AWS::SNS::Topic (p. 1492)
• AWS::SQS::Queue (p. 1495)

AWS OpsWorks App DataSource
DataSource is a property of the AWS::OpsWorks::App (p. 1293) resource that speciﬁes a database to
associate with an AWS OpsWorks app.

Syntax
JSON
{

"Arn" : String,
"DatabaseName" : String,

API Version 2010-05-15
2087

AWS CloudFormation User Guide
AWS OpsWorks App Environment

}

"Type" : String

YAML
Arn: String
DatabaseName: String
Type: String

Properties
Arn
The ARN of the data source.
Required: No
Type: String
DatabaseName
The name of the database.
Required: No
Type: String
Type
The type of the data source, such as AutoSelectOpsworksMysqlInstance,
OpsworksMysqlInstance, or RdsDbInstance. For valid values, see the DataSource type in the
AWS OpsWorks Stacks API Reference.
Required: No
Type: String

AWS OpsWorks App Environment
Environment is a property of the AWS::OpsWorks::App (p. 1293) resource that speciﬁes the
environment variable to associate with the AWS OpsWorks app.

Syntax
JSON
{

}

"Key" : String,
"Secure" : Boolean,
"Value" : String

YAML
Key: String
Secure: Boolean

API Version 2010-05-15
2088

AWS CloudFormation User Guide
AWS OpsWorks AutoScalingThresholds Type
Value: String

Properties
Key
The name of the environment variable, which can consist of up to 64 characters. You can use upper
and lowercase letters, numbers, and underscores (_), but the name must start with a letter or
underscore.
Required: Yes
Type: String
Secure
Indicates whether the value of the environment variable is concealed, such as with a DescribeApps
response. To conceal an environment variable's value, set the value to true.
Required: No
Type: Boolean
Value
The value of the environment variable, which can be empty. You can specify a value of up to 256
characters.
Required: Yes
Type: String

AWS OpsWorks AutoScalingThresholds Type
Describes the scaling thresholds for the AWS OpsWorks LoadBasedAutoScaling Type (p. 2092) property.
For more information, see AutoScalingThresholds in the AWS OpsWorks Stacks API Reference.

Syntax
JSON
{

}

"CpuThreshold" : Number,
"IgnoreMetricsTime" : Integer,
"InstanceCount" : Integer,
"LoadThreshold" : Number,
"MemoryThreshold" : Number,
"ThresholdsWaitTime" : Integer

YAML
CpuThreshold: Number
IgnoreMetricsTime: Integer
InstanceCount: Integer
LoadThreshold: Number
MemoryThreshold: Number
ThresholdsWaitTime: Integer

API Version 2010-05-15
2089

AWS CloudFormation User Guide
AWS OpsWorks ChefConﬁguration Type

Properties
CpuThreshold
The percentage of CPU utilization that triggers the starting or stopping of instances (scaling).
Required: No
Type: Number
IgnoreMetricsTime
The amount of time (in minutes) after a scaling event occurs that AWS OpsWorks should ignore
metrics and not start any additional scaling events.
Required: No
Type: Integer
InstanceCount
The number of instances to add or remove when the load exceeds a threshold.
Required: No
Type: Integer
LoadThreshold
The degree of system load that triggers the starting or stopping of instances (scaling). For more
information about how load is computed, see Load (computing).
Required: No
Type: Number
MemoryThreshold
The percentage of memory consumption that triggers the starting or stopping of instances (scaling).
Required: No
Type: Number
ThresholdsWaitTime
The amount of time, in minutes, that the load must exceed a threshold before instances are added or
removed.
Required: No
Type: Integer

AWS OpsWorks ChefConﬁguration Type
Describes the Chef conﬁguration for the AWS::OpsWorks::Stack (p. 1316) resource type. For more
information, see ChefConﬁguration in the AWS OpsWorks Stacks API Reference.

Syntax
JSON
{

API Version 2010-05-15
2090

AWS CloudFormation User Guide
AWS OpsWorks Layer LifeCycleConﬁguration

}

"BerkshelfVersion" : String,
"ManageBerkshelf" : Boolean

YAML
BerkshelfVersion: String
ManageBerkshelf: Boolean

Properties
BerkshelfVersion
The Berkshelf version.
Required: No
Type: String
ManageBerkshelf
Whether to enable Berkshelf.
Required: No
Type: Boolean

AWS OpsWorks Layer LifeCycleConﬁguration
LifeCycleConfiguration is property of the AWS::OpsWorks::Layer (p. 1305) resource that speciﬁes
the lifecycle event conﬁguration for the layer.

Syntax
JSON
{
}

"ShutdownEventConfiguration" : ShutdownEventConfiguration

YAML
ShutdownEventConfiguration:
ShutdownEventConfiguration

Properties
ShutdownEventConfiguration
Speciﬁes the shutdown event conﬁguration for a layer.
Required: No
Type: AWS OpsWorks Layer LifeCycleConﬁguration ShutdownEventConﬁguration (p. 2092)
API Version 2010-05-15
2091

AWS CloudFormation User Guide
AWS OpsWorks Layer LifeCycleConﬁguration
ShutdownEventConﬁguration

AWS OpsWorks Layer LifeCycleConﬁguration
ShutdownEventConﬁguration
ShutdownEventConfiguration is a property of the AWS OpsWorks Layer
LifeCycleConﬁguration (p. 2091) property that speciﬁes the shutdown event conﬁguration for a lifecycle
event.

Syntax
JSON
{
}

"DelayUntilElbConnectionsDrained" : Boolean,
"ExecutionTimeout" : Integer

YAML
DelayUntilElbConnectionsDrained: Boolean
ExecutionTimeout: Integer

Properties
DelayUntilElbConnectionsDrained
Indicates whether to wait for connections to drain from the Elastic Load Balancing load balancers.
Required: No
Type: Boolean
ExecutionTimeout
The time, in seconds, that AWS OpsWorks waits after a shutdown event has been triggered before
shutting down an instance.
Required: No
Type: Integer

AWS OpsWorks LoadBasedAutoScaling Type
Describes the load-based automatic scaling conﬁguration for an AWS::OpsWorks::Layer (p. 1305)
resource type. For more information, see SetLoadBasedAutoScaling in the AWS OpsWorks Stacks API
Reference.

Syntax
JSON
{

API Version 2010-05-15
2092

AWS CloudFormation User Guide
AWS OpsWorks Instance BlockDeviceMapping

}

"DownScaling" : { AutoScalingThresholds },
"Enable" : Boolean,
"UpScaling" : { AutoScalingThresholds }

YAML
DownScaling:
AutoScalingThresholds
Enable: Boolean
UpScaling:
AutoScalingThresholds

Properties
DownScaling
The threshold below which the instances are scaled down (stopped). If the load falls below this
threshold for a speciﬁed amount of time, AWS OpsWorks stops a speciﬁed number of instances.
Required: No
Type: AWS OpsWorks AutoScalingThresholds Type (p. 2089)
Enable
Whether to enable automatic load-based scaling for the layer.
Required: No
Type: Boolean
UpScaling
The threshold above which the instances are scaled up (added). If the load exceeds this thresholds
for a speciﬁed amount of time, AWS OpsWorks starts a speciﬁed number of instances.
Required: No
Type: AWS OpsWorks AutoScalingThresholds Type (p. 2089)

AWS OpsWorks Instance BlockDeviceMapping
BlockDeviceMappings is a property of the AWS::OpsWorks::Instance (p. 1298) resource that deﬁnes
the block devices that are mapped to an AWS OpsWorks instance.

Syntax
JSON
{

}

"DeviceName" : String,
"Ebs" : EbsBlockDevice (p. 2094),
"NoDevice" : String,
"VirtualName" : String

API Version 2010-05-15
2093

AWS CloudFormation User Guide
AWS OpsWorks Instance
BlockDeviceMapping EbsBlockDevice

YAML
DeviceName: String
Ebs:
EbsBlockDevice (p. 2094)
NoDevice: String
VirtualName: String

Properties
DeviceName
The name of the device that is exposed to the instance, such as /dev/dsh or xvdh. For the root
device, you can use the explicit device name or you can set this parameter to ROOT_DEVICE. If you
set the parameter to ROOT_DEVICE, AWS OpsWorks provides the correct device name.
Required: No
Type: String
Ebs
Conﬁguration information about the Amazon Elastic Block Store (Amazon EBS) volume.
Required: Conditional You can specify either the VirtualName or Ebs, but not both.
Type: AWS OpsWorks Instance BlockDeviceMapping EbsBlockDevice (p. 2094)
NoDevice
Suppresses the device that is speciﬁed in the block device mapping of the AWS OpsWorks instance
Amazon Machine Image (AMI).
Required: No
Type: String
VirtualName
The name of the virtual device. The name must be in the form ephemeralX, where X is a number
equal to or greater than zero (0), for example, ephemeral0.
Required: Conditional You can specify either the VirtualName or Ebs, but not both.
Type: String

AWS OpsWorks Instance BlockDeviceMapping
EbsBlockDevice
EbsBlockDevice is a property of the AWS OpsWorks Instance BlockDeviceMapping (p. 2093) property
that deﬁnes a block device for an Amazon Elastic Block Store (Amazon EBS) volume.

Syntax
JSON
{

API Version 2010-05-15
2094

AWS CloudFormation User Guide
AWS OpsWorks Instance
BlockDeviceMapping EbsBlockDevice

}

"DeleteOnTermination" : Boolean,
"Iops" : Integer,
"SnapshotId" : String,
"VolumeSize" : Integer,
"VolumeType" : String

YAML
DeleteOnTermination: Boolean
Iops: Integer
SnapshotId: String
VolumeSize: Integer
VolumeType: String

Properties
DeleteOnTermination
Indicates whether to delete the volume when the instance is terminated.
Required: No
Type: Boolean
Iops
The number of I/O operations per second (IOPS) that the volume supports. For more information,
see Iops for the EbsBlockDevice action in the Amazon EC2 API Reference.
Required: No
Type: Integer
SnapshotId
The snapshot ID of the volume that you want to use. If you specify both the SnapshotId and
VolumeSize properties, VolumeSize must be equal to or greater than the size of the snapshot.
Required: No
Type: String
VolumeSize
The volume size, in Gibibytes (GiB). If you specify both the SnapshotId and VolumeSize
properties, VolumeSize must be equal to or greater than the size of the snapshot. For more
information about specifying volume size, see VolumeSize for the EbsBlockDevice action in the
Amazon EC2 API Reference.
Required: No
Type: Integer
VolumeType
The volume type. For more information about specifying the volume type, see VolumeType for the
EbsBlockDevice action in the Amazon EC2 API Reference.
Required: No
Type: String
API Version 2010-05-15
2095

AWS CloudFormation User Guide
AWS OpsWorks Recipes Type

AWS OpsWorks Recipes Type
Describes custom event recipes for the AWS::OpsWorks::Layer (p. 1305) resource type that AWS
OpsWorks runs after the standard event recipes. For more information, see AWS OpsWorks Lifecycle
Events in the AWS OpsWorks User Guide.

Syntax
JSON
{

}

"Configure" : [ String, ... ],
"Deploy" : [ String, ... ],
"Setup" : [ String, ... ],
"Shutdown" : [ String, ... ],
"Undeploy" : [ String, ... ]

YAML
Configure:
- String
Deploy:
- String
Setup:
- String
Shutdown:
- String
Undeploy:
- String

Properties
Configure
Custom recipe names to be run following a Conﬁgure event. The event occurs on all of the stack's
instances when an instance enters or leaves the online state.
Required: No
Type: List of String values
Deploy
Custom recipe names to be run following a Deploy event. The event occurs when you run a deploy
command, typically to deploy an application to a set of application server instances.
Required: No
Type: List of String values
Setup
Custom recipe names to be run following a Setup event. This event occurs on a new instance after it
successfully boots.
Required: No
Type: List of String values
API Version 2010-05-15
2096

AWS CloudFormation User Guide
AWS OpsWorks Source Type

Shutdown
Custom recipe names to be run following a Shutdown event. This event occurs after you direct
AWS OpsWorks to shut an instance down before the associated Amazon EC2 instance is actually
terminated.
Required: No
Type: List of String values
Undeploy
Custom recipe names to be run following a Undeploy event. This event occurs when you delete an
app or run an undeploy command to remove an app from a set of application server instances.
Required: No
Type: List of String values

AWS OpsWorks Source Type
Describes the information required to retrieve a cookbook or app from a repository for the
AWS::OpsWorks::Stack (p. 1316) or AWS::OpsWorks::App (p. 1293) resource types.
For more information and valid values, see Source in the AWS OpsWorks Stacks API Reference.

Syntax
JSON
{

}

"Password" : String,
"Revision" : String,
"SshKey" : String,
"Type" : String,
"Url" : String,
"Username" : String

YAML
Password: String
Revision: String
SshKey: String
Type: String
Url: String
Username: String

Properties
Password
This parameter depends on the repository type. For Amazon S3 bundles, set Password to the
appropriate IAM secret access key. For HTTP bundles, Git repositories, and Subversion repositories,
set Password to the appropriate password.
Required: No
API Version 2010-05-15
2097

AWS CloudFormation User Guide
AWS OpsWorks Source Type

Type: String
Revision
The application's version. With AWS OpsWorks, you can deploy new versions of an application.
One of the simplest approaches is to have branches or revisions in your repository that represent
diﬀerent versions that can potentially be deployed.
Required: No
Type: String
SshKey
The repository's SSH key. For more information, see Using Git Repository SSH Keys in the AWS
OpsWorks User Guide.
To pass in an SSH key as a parameter, see the following example:
"Parameters" : {
"GitSSHKey" : {
"Description" : "Change SSH key newlines to commas.",
"Type" : "CommaDelimitedList",
"NoEcho" : "true"
},
...
"CustomCookbooksSource": {
"Revision" : { "Ref": "GitRevision"},
"SshKey" : { "Fn::Join" : [ "\n", { "Ref": "GitSSHKey"} ] },
"Type": "git",
"Url": { "Ref": "GitURL"}
}
...

Required: No
Type: String
Type
The repository type.
Required: No
Type: String
Url
The source URL.
Required: No
Type: String
Username
This parameter depends on the repository type. For Amazon S3 bundles, set Username to the
appropriate IAM access key ID. For HTTP bundles, Git repositories, and Subversion repositories, set
Username to the appropriate user name.
Required: No
Type: String
API Version 2010-05-15
2098

AWS CloudFormation User Guide
AWS OpsWorks SslConﬁguration Type

AWS OpsWorks SslConﬁguration Type
Describes an SSL conﬁguration for the AWS::OpsWorks::App (p. 1293) resource type.

Syntax
JSON
{

}

"Certificate" : String,
"Chain" : String,
"PrivateKey" : String

YAML
Certificate: String
Chain: String
PrivateKey: String

Properties
Certificate
The contents of the certiﬁcate's domain.crt ﬁle.
Required: Yes
Type: String
Chain
An intermediate certiﬁcate authority key or client authentication.
Required: No
Type: String
PrivateKey
The private key; the contents of the certiﬁcate's domain.kex ﬁle.
Required: Yes
Type: String

AWS OpsWorks Stack ElasticIp
ElasticIps is a property of the AWS::OpsWorks::Stack (p. 1316) resource that registers an Elastic IP
address with an AWS OpsWorks stack.

Syntax
JSON
{

API Version 2010-05-15
2099

AWS CloudFormation User Guide
AWS OpsWorks Stack RdsDbInstance

}

"Ip" : String,
"Name" : String

YAML
Ip: String
Name: String

Properties
Ip
The Elastic IP address.
Required: Yes
Type: String
Name
A name for the Elastic IP address.
Required: No
Type: String

AWS OpsWorks Stack RdsDbInstance
RdsDbInstance is a property of the AWS::OpsWorks::Stack (p. 1316) resource that registers an Amazon
Relational Database Service (Amazon RDS) DB instance with an AWS OpsWorks stack.

Syntax
JSON
{

}

"DbPassword" : String,
"DbUser" : String,
"RdsDbInstanceArn" : String

YAML
DbPassword: String
DbUser: String
RdsDbInstanceArn: String

Properties
DbPassword
The password of the registered database.
API Version 2010-05-15
2100

AWS CloudFormation User Guide
AWS OpsWorks StackConﬁgurationManager Type

Required: Yes
Type: String
DbUser
The master user name of the registered database.
Required: Yes
Type: String
RdsDbInstanceArn
The Amazon Resource Name (ARN) of the Amazon RDS DB instance to register with the AWS
OpsWorks stack.
Required: Yes
Type: String

AWS OpsWorks StackConﬁgurationManager Type
Describes the stack conﬁguration manager for the AWS::OpsWorks::Stack (p. 1316) resource type. For
more information, see StackConﬁgurationManager in the AWS OpsWorks Stacks API Reference.

Syntax
JSON
{
}

"Name" : String,
"Version" : String

YAML
Name: String
Version: String

Properties
Name
The name of the conﬁguration manager.
Required: No
Type: String
Version
The Chef version.
Required: No
Type: String
API Version 2010-05-15
2101

AWS CloudFormation User Guide
AWS OpsWorks TimeBasedAutoScaling Type

AWS OpsWorks TimeBasedAutoScaling Type
Describes the automatic time-based scaling conﬁguration for an AWS::OpsWorks::Instance (p. 1298)
resource type. For more information, see SetTimeBasedAutoScaling in the AWS OpsWorks Stacks API
Reference.

Syntax
JSON
{

}

"Friday" : { Integer : String, ... },
"Monday" : { Integer : String, ... },
"Saturday" : { Integer : String, ... },
"Sunday" : { Integer : String, ... },
"Thursday" : { Integer : String, ... },
"Tuesday" : { Integer : String, ... },
"Wednesday" : { Integer : String, ... }

YAML
Friday:
Integer:
Monday:
Integer:
Saturday:
Integer:
Sunday:
Integer:
Thursday:
Integer:
Tuesday:
Integer:
Wednesday:
Integer:

String
String
String
String
String
String
String

Properties
For each day of the week, the schedule consists of a set of key–value pairs, where the key is the time
period (a UTC hour) of 0 – 23 and the value indicates whether the instance should be online (on) or
oﬄine (off) for the speciﬁed period.
Friday
The schedule for Friday.
Required: No
Type: String to string map
Monday
The schedule for Monday.
Required: No
Type: String to string map
API Version 2010-05-15
2102

AWS CloudFormation User Guide
AWS OpsWorks VolumeConﬁguration Type

Saturday
The schedule for Saturday.
Required: No
Type: String to string map
Sunday
The schedule for Sunday.
Required: No
Type: String to string map
Thursday
The schedule for Thursday.
Required: No
Type: String to string map
Tuesday
The schedule for Tuesday.
Required: No
Type: String to string map
Wednesday
The schedule for Wednesday.
Required: No
Type: String to string map

AWS OpsWorks VolumeConﬁguration Type
Describes the Amazon EBS volumes for the AWS::OpsWorks::Layer (p. 1305) resource type.

Syntax
JSON
{

}

"Iops" : Integer,
"MountPoint" : String,
"NumberOfDisks" : Integer,
"RaidLevel" : Integer,
"Size" : Integer,
"VolumeType" : String

YAML
Iops: Integer

API Version 2010-05-15
2103

AWS CloudFormation User Guide
Amazon Redshift Parameter Type
MountPoint: String
NumberOfDisks: Integer
RaidLevel: Integer
Size: Integer
VolumeType: String

Properties
Iops
The number of I/O operations per second (IOPS) to provision for the volume.
Required: Conditional. If you specify io1 for the volume type, you must specify this property.
Type: Integer
MountPoint
The volume mount point, such as /dev/sdh.
Required: Yes
Type: String
NumberOfDisks
The number of disks in the volume.
Required: Yes
Type: Integer
RaidLevel
The volume RAID level.
Required: No
Type: Integer
Size
The volume size.
Required: Yes
Type: Integer
VolumeType
The type of volume, such as magnetic or SSD. For valid values, see VolumeConﬁguration in the AWS
OpsWorks Stacks API Reference.
Required: No
Type: String

Amazon Redshift Parameter Type
Describes parameters for the AWS::Redshift::ClusterParameterGroup (p. 1381) resource type.
API Version 2010-05-15
2104

AWS CloudFormation User Guide
Amazon Redshift Cluster LoggingProperties

Syntax
JSON
{
}

"ParameterName" : String,
"ParameterValue" : String

YAML
ParameterName: String
ParameterValue: String

Properties
ParameterName
The name of the parameter.
Required: Yes
Type: String
ParameterValue
The value of the parameter.
Required: Yes
Type: String

Amazon Redshift LoggingProperties
Use the LoggingProperties property of the AWS::Redshift::Cluster (p. 1373) resource to conﬁgure
audit log ﬁles, containing information such as queries and connection attempts, for the cluster.

Syntax
JSON
{
}

"BucketName" : String,
"S3KeyPrefix" : String

YAML
BucketName: String
S3KeyPrefix: String

Properties
For more information and property constraints, see EnableLogging in the Amazon Redshift API Reference.
API Version 2010-05-15
2105

AWS CloudFormation User Guide
AWS CloudFormation Resource Tags

BucketName
The name of an existing S3 bucket where the log ﬁles are to be stored.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
S3KeyPrefix
The preﬁx applied to the log ﬁle names.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS CloudFormation Resource Tags Type
You can use the AWS CloudFormation Resource Tags property to apply tags to resources, which can help
you identify and categorize those resources. You can tag only resources for which AWS CloudFormation
supports tagging. For information about which resources you can tag with AWS CloudFormation, see the
individual resources in AWS Resource Types Reference (p. 499).

Note

Tagging implementations might vary by resource. For example,
AWS::AutoScaling::AutoScalingGroup provides an additional, required PropagateAtLaunch
property as part of its tagging scheme.
In addition to any tags you deﬁne, AWS CloudFormation automatically creates the following stack-level
tags with the preﬁx aws::
• aws:cloudformation:logical-id
• aws:cloudformation:stack-id
• aws:cloudformation:stack-name
All stack-level tags, including automatically created tags, are propagated to resources that AWS
CloudFormation supports. Currently, tags are not propagated to Amazon EBS volumes that are created
from block device mappings.

Syntax
JSON
{
}

"Key (p. 2107)" : String,
"Value (p. 2107)" : String

YAML
Key (p. 2107): String

API Version 2010-05-15
2106

AWS CloudFormation User Guide
AWS CloudFormation Resource Tags
Value (p. 2107): String

Properties
Key
The key name of the tag. You can specify a value that is 1 to 127 Unicode characters in length
and cannot be preﬁxed with aws:. You can use any of the following characters: the set of Unicode
letters, digits, whitespace, _, ., /, =, +, and -.
Required: Yes
Type: String
Value
The value for the tag. You can specify a value that is 1 to 255 Unicode characters in length and
cannot be preﬁxed with aws:. You can use any of the following characters: the set of Unicode
letters, digits, whitespace, _, ., /, =, +, and -.
Required: Yes
Type: String

Example
This example shows a Tags property. You specify this property within the Properties section of a
resource that supports it. When the resource is created, it is tagged with the tags you declare.

JSON
"Tags" : [
{
"Key" :
"Value"
},
{
"Key" :
"Value"
}
]

"keyname1",
: "value1"
"keyname2",
: "value2"

YAML
Tags:
Key: "keyname1"
Value: "value1"
Key: "keyname2"
Value: "value2"

See Also
• Setting Stack Options (p. 95)
• Viewing Stack Data and Resources (p. 99)
API Version 2010-05-15
2107

AWS CloudFormation User Guide
Amazon RDS OptionGroup OptionConﬁguration

Amazon Relational Database Service OptionGroup
OptionConﬁguration
Use the OptionConfigurations property to conﬁgure an option and its settings for an
AWS::RDS::OptionGroup (p. 1370) resource.

Syntax
JSON
{

}

"DBSecurityGroupMemberships" : [ String, ... ],
"OptionName" : String,
"OptionSettings" : [ OptionSetting, ... ],
"OptionVersion" : String,
"Port" : Integer,
"VpcSecurityGroupMemberships" : [ String, ... ]

YAML
DBSecurityGroupMemberships:
- String
OptionName: String
OptionSettings:
- OptionSetting
OptionVersion: String
Port: Integer
VpcSecurityGroupMemberships:
- String

Properties
DBSecurityGroupMemberships
A list of database security group names for this option. If the option requires access to a port,
the security groups must allow access to that port. If you specify this property, don't specify the
VPCSecurityGroupMemberships property.
Required: No
Type: List of String values
OptionName
The name of the option. For more information about options, see Working with Option Groups in
the Amazon Relational Database Service User Guide.
Required: Yes
Type: String
OptionSettings
The settings for this option.
Required: No
API Version 2010-05-15
2108

AWS CloudFormation User Guide
Amazon RDS OptionGroup OptionConﬁguration

Type: List of Amazon RDS OptionGroup OptionSetting (p. 2110)
OptionVersion
The version for the option.
Required: No
Type: String
Port
The port number that this option uses.
Required: No
Type: Integer
VpcSecurityGroupMemberships
A list of VPC security group IDs for this option. If the option requires access to a port, the
security groups must allow access to that port. If you specify this property, don't specify the
DBSecurityGroupMemberships property.
Required: No
Type: List of String values

Examples
The following example template uses OptionName and OptionVersion parameters when creating an
AWS::RDS::OptionGroup resource.

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description":"APEX has a dependency on XMLDB, so, there must be at least one XMLDB when
there is a APEX",
"Parameters" : {
"OptionName" : {
"Type" : "String"
},
"OptionVersion" : {
"Type" : "String"
}
},
"Resources": {
"myOptionGroup": {
"Type": "AWS::RDS::OptionGroup",
"Properties": {
"EngineName": "oracle-ee",
"MajorEngineVersion": "11.2",
"OptionGroupDescription": "testing creating optionGroup with APEX version",
"OptionConfigurations":[
{
"OptionName": "XMLDB"
},
{
"OptionName": {"Ref" : "OptionName"},
"OptionVersion" : {"Ref" : "OptionVersion"}

API Version 2010-05-15
2109

AWS CloudFormation User Guide
Amazon RDS OptionGroup OptionSetting

}

}

}

}

]

}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: >APEX has a dependency on XMLDB, so, there must be at least one XMLDB when
there is a APEX
Parameters:
OptionName:
Type: String
OptionVersion:
Type: String
Resources:
myOptionGroup:
Type: AWS::RDS::OptionGroup
Properties:
EngineName: oracle-ee
MajorEngineVersion: '11.2'
OptionGroupDescription: testing creating optionGroup with APEX version
OptionConfigurations:
- OptionName: XMLDB
- OptionName: !Ref OptionName
OptionVersion: !Ref OptionVersion

See Also
• OptionConﬁguration data type in the Amazon RDS API Reference
• Working with Option Groups in the Amazon RDS User Guide

Amazon Relational Database Service OptionGroup
OptionSetting
Use the OptionSettings property to specify settings for an option in the
OptionConfigurations (p. 2108) property.

Syntax
JSON
{
}

"Name" : String,
"Value" : String

YAML
Name: String
Value: String

API Version 2010-05-15
2110

AWS CloudFormation User Guide
RDS Security Group Rule

Properties
Name
The name of the option setting that you want to specify.
Required: No
Type: String
Value
The value of the option setting.
Required: No
Type: String

See Also
• Working with Option Groups in the Amazon RDS User Guide

Amazon RDS Security Group Rule
The Amazon RDS security group rule is an embedded property of the
AWS::RDS::DBSecurityGroup (p. 1360) type.

Syntax
JSON
{

}

"CIDRIP (p. 2111)": String,
"EC2SecurityGroupId (p. 2112)": String,
"EC2SecurityGroupName (p. 2112)": String,
"EC2SecurityGroupOwnerId (p. 2112)": String

YAML
CIDRIP (p. 2111): String
EC2SecurityGroupId (p. 2112): String
EC2SecurityGroupName (p. 2112): String
EC2SecurityGroupOwnerId (p. 2112): String

Properties
CIDRIP
The IP range to authorize.
For an overview of CIDR ranges, go to the Wikipedia Tutorial.
Type: String
API Version 2010-05-15
2111

AWS CloudFormation User Guide
Route 53 AliasTarget Property

Required: No
Update requires: Replacement (p. 119)
EC2SecurityGroupId
Id of the VPC or EC2 Security Group to authorize.
For VPC DB Security Groups, use EC2SecurityGroupId. For EC2 Security Groups, use
EC2SecurityGroupOwnerId and either EC2SecurityGroupName or EC2SecurityGroupId.
Type: String
Required: No
Update requires: Replacement (p. 119)
EC2SecurityGroupName
Name of the EC2 Security Group to authorize.
For VPC DB Security Groups, use EC2SecurityGroupId. For EC2 Security Groups, use
EC2SecurityGroupOwnerId and either EC2SecurityGroupName or EC2SecurityGroupId.
Type: String
Required: No
Update requires: Replacement (p. 119)
EC2SecurityGroupOwnerId
AWS Account Number of the owner of the EC2 Security Group speciﬁed in the
EC2SecurityGroupName parameter. The AWS Access Key ID is not an acceptable value.
For VPC DB Security Groups, use EC2SecurityGroupId. For EC2 Security Groups, use
EC2SecurityGroupOwnerId and either EC2SecurityGroupName or EC2SecurityGroupId.
Type: String
Required: No
Update requires: Replacement (p. 119)

Route 53 AliasTarget Property
AliasTarget is a property of the AWS::Route53::RecordSet (p. 1395) resource.
For more information about alias resource record sets, see Creating Alias Resource Record Sets in the
Amazon Route 53 Developer Guide.

Syntax
JSON
{

"DNSName" : String,
"EvaluateTargetHealth" : Boolean,
"HostedZoneId" : String

API Version 2010-05-15
2112

AWS CloudFormation User Guide
Route 53 Record Set GeoLocation Property
}

YAML
DNSName: String
EvaluateTargetHealth: Boolean
HostedZoneId: String

Properties
DNSName
The DNS name of the load balancer, the domain name of the CloudFront distribution, the website
endpoint of the Amazon S3 bucket, or another record set in the same hosted zone that is the target
of the alias.
Type: String
Required: Yes
EvaluateTargetHealth
Whether Route 53 checks the health of the resource record sets in the alias target when responding
to DNS queries. For more information about using this property, see EvaluateTargetHealth in the
Amazon Route 53 API Reference.
Type: Boolean
Required: No
HostedZoneId
The hosted zone ID. For load balancers, use the canonical hosted zone ID of the load balancer.
For Amazon S3, use the hosted zone ID for your bucket's website endpoint. For CloudFront, use
Z2FDTNDATAQYW2. For a list of hosted zone IDs of other services, see the relevant service in the AWS
Regions and Endpoints.
Type: String
Required: Yes

Route 53 Record Set GeoLocation Property
The GeoLocation property is part of the AWS::Route53::RecordSet (p. 1395) resource that describes
how Route 53 responds to DNS queries based on the geographic location of the query. This property is
not compatible with the Region property.

Syntax
JSON
{

}

"ContinentCode" : String,
"CountryCode" : String,
"SubdivisionCode" : String

API Version 2010-05-15
2113

AWS CloudFormation User Guide
Route 53 HealthCheck HealthCheckConﬁg

YAML
ContinentCode: String
CountryCode: String
SubdivisionCode: String

Properties
ContinentCode
All DNS queries from the continent that you speciﬁed are routed to this resource record set. If you
specify this property, omit the CountryCode and SubdivisionCode properties.
For valid values, see GeoLocation in the Amazon Route 53 API Reference.
Type: String
Required: Conditional. You must specify this or the CountryCode property.
CountryCode
All DNS queries from the country that you speciﬁed are routed to this resource record set. If you
specify this property, omit the ContinentCode property. To specify the default location, use * for
this property.
For valid values, see GeoLocation in the Amazon Route 53 API Reference.
Type: String
Required: Conditional. You must specify this or the ContinentCode property.
SubdivisionCode
If you speciﬁed US for the country code, you can specify a state in the United States. All DNS queries
from the state that you speciﬁed are routed to this resource record set. If you specify this property,
you must specify US for the CountryCode and omit the ContinentCode property.
For valid values, see GeoLocation in the Amazon Route 53 API Reference.
Type: String
Required: No

Route 53 HealthCheck HealthCheckConﬁg
The HealthCheckConfig property is part of the AWS::Route53::HealthCheck (p. 1390) resource
that describes a health check that Amazon Route 53 uses before responding to a DNS query. For more
information, see HealthCheckConﬁg in the Amazon Route 53 API Reference

Syntax
JSON
{

"AlarmIdentifier" : AlarmIdentifier,
"ChildHealthChecks" : [ String, ... ],
"EnableSNI" : Boolean,
"FailureThreshold" : Integer,

API Version 2010-05-15
2114

AWS CloudFormation User Guide
Route 53 HealthCheck HealthCheckConﬁg

}

"FullyQualifiedDomainName" : String,
"HealthThreshold" : Integer,
"InsufficientDataHealthStatus" : String,
"Inverted" : Boolean,
"IPAddress" : String,
"MeasureLatency" : Boolean,
"Port" : Integer,
"Regions" : [ String, ... ],
"RequestInterval" : Integer,
"ResourcePath" : String,
"SearchString" : String,
"Type" : String

YAML
AlarmIdentifier: AlarmIdentifier
ChildHealthChecks:
- String
EnableSNI: Boolean
FailureThreshold: Integer
FullyQualifiedDomainName: String
HealthThreshold: Integer
InsufficientDataHealthStatus: String
Inverted: Boolean
IPAddress: String
MeasureLatency: Boolean
Port: Integer
Regions:
- String
RequestInterval: Integer
ResourcePath: String
SearchString: String
Type: String

Properties
AlarmIdentifier
Identiﬁes the CloudWatch alarm that you want Route 53 health checkers to use to determine
whether this health check is healthy.
Type: Amazon Route 53 HealthCheck AlarmIdentiﬁer (p. 2118)
Required: No
ChildHealthChecks
(CALCULATED Health Checks Only) A complex type that contains one ChildHealthCheck element
for each health check that you want to associate with a CALCULATED health check.
Required: No
Type: List of String values
EnableSNI
Speciﬁes whether you want Route 53 to send the value of FullyQualifiedDomainName
to the endpoint in the client_hello message during TLS negotiation. This allows the
endpoint to respond to HTTPS health check requests with the applicable SSL/TLS certiﬁcate.
For more information, see http://docs.aws.amazon.com/Route53/latest/APIReference/
API_HealthCheckConﬁg.html.
API Version 2010-05-15
2115

AWS CloudFormation User Guide
Route 53 HealthCheck HealthCheckConﬁg

Required: No
Type: Boolean
FailureThreshold
The number of consecutive health checks that an endpoint must pass or fail for Route 53 to change
the current status of the endpoint from unhealthy to healthy or healthy to unhealthy. For more
information, see How Amazon Route 53 Determines Whether an Endpoint Is Healthy in the Amazon
Route 53 Developer Guide.
Required: No
Type: Integer
FullyQualifiedDomainName
If you speciﬁed the IPAddress property, the value that you want Route 53 to pass in the host
header in all health checks except for TCP health checks. If you don't specify an IP address, the
domain that Route 53 sends a DNS request to. Route 53 uses the IP address that the DNS returns to
check the health of the endpoint.
Required: Conditional
Type: String
HealthThreshold
The number of child health checks that are associated with a CALCULATED health that Route 53
must consider healthy for the CALCULATED health check to be considered healthy.
Required: No
Type: Integer
InsufficientDataHealthStatus
When Amazon CloudWatch has insuﬃcient data about the metric to determine the alarm state,
the status that you want Route 53 to assign to the health check (Healthy, Unhealthy, or
LastKnownStatus).
Required: No
Type: String
Inverted
Speciﬁes whether you want Route 53 to invert the status of a health check, for example, to consider
a health check unhealthy when it otherwise would be considered healthy.
Required: No
Type: Boolean
IPAddress
The IPv4 IP address of the endpoint on which you want Route 53 to perform health checks. If you
don't specify an IP address, Route 53 sends a DNS request to resolve the domain name that you
specify in the FullyQualifiedDomainName property.
Required: No
Type: String
API Version 2010-05-15
2116

AWS CloudFormation User Guide
Route 53 HealthCheck HealthCheckConﬁg

MeasureLatency
Speciﬁes whether you want Route 53 to measure the latency between health checkers in multiple
AWS regions and your endpoint and display CloudWatch latency graphs on the Health Checks page
in the Route 53 console.
Required: No
Type: Boolean
Update requires: Replacement (p. 119)
Port
The port on the endpoint on which you want Route 53 to perform health checks.
Required: Conditional. Required when you specify TCP for the Type property.
Type: Integer
Regions
The regions from which you want Amazon Route 53 health checkers to check the speciﬁed endpoint.
Duplicates are not allowed. For valid values and more information, see HealthCheckConﬁg in the
Amazon Route 53 API Reference.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
RequestInterval
The number of seconds between the time that Route 53 gets a response from your endpoint and
the time that it sends the next health check request. Each Route 53 health checker makes requests
at this interval. For valid values, see the RequestInterval element in the Amazon Route 53 API
Reference.
Required: No
Type: Integer
Update requires: Replacement (p. 119)
ResourcePath
The path that you want Route 53 to request when performing health checks. The path can be any
value for which your endpoint returns an HTTP status code of 2xx or 3xx when the endpoint is
healthy, such as /docs/route53-health-check.html.
Required: No
Type: String
SearchString
If the value of the Type property is HTTP_STR_MATCH or HTTPS_STR_MATCH, the string that you
want Route 53 to search for in the response body from the speciﬁed resource. If the string appears in
the response body, Route 53 considers the resource healthy.
Required: No
Type: String
API Version 2010-05-15
2117

AWS CloudFormation User Guide
Route 53 HealthCheck AlarmIdentiﬁer

Type
The type of health check that you want to create. This indicates how Route 53 determines whether
an endpoint is healthy. You can specify HTTP, HTTPS, HTTP_STR_MATCH, HTTPS_STR_MATCH, TCP,
CLOUDWATCH_METRIC, or CALCULATED. For information about the diﬀerent types, see the Type
element in the Amazon Route 53 API Reference.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Amazon Route 53 HealthCheck AlarmIdentiﬁer
The AlarmIdentifier subproperty describes the name and Region that are associated with an
Route 53 HealthCheck HealthCheckConﬁg (p. 2114) property.

Syntax
JSON
{
}

"Name" : String,
"Region" : String

YAML
Name: String
Region: String

Properties
Name
The name of the Amazon CloudWatch alarm that you want Route 53 health checkers to use to
determine whether this health check is healthy.
Required: Yes
Type: String
Region
A complex type that identiﬁes the CloudWatch alarm that you want Route 53 health checkers to use
to determine whether this health check is healthy. For example, us-west-2.
Required: Yes
Type: String

Amazon Route 53 HealthCheck HealthCheckTags
The HealthCheckTags property describes key-value pairs that are associated with an
AWS::Route53::HealthCheck (p. 1390) resource.
API Version 2010-05-15
2118

AWS CloudFormation User Guide
Route 53 HostedZoneConﬁg Property

Syntax
JSON
{
}

"Key" : String,
"Value" : String

YAML
Key: String
Value: String

Properties
Key
The key name of the tag.
Required: Yes
Type: String
Value
The value for the tag.
Required: Yes
Type: String

Route 53 HostedZoneConﬁg Property
The HostedZoneConfig property is part of the AWS::Route53::HostedZone (p. 1392) resource that can
contain a comment about the hosted zone.

Syntax
JSON
{
}

"Comment" : String

YAML
Comment: String

Properties
Comment
Any comments that you want to include about the hosted zone.
API Version 2010-05-15
2119

AWS CloudFormation User Guide
Amazon Route 53 HostedZoneTags

Type: String
Required: No

Amazon Route 53 HostedZoneTags
The HostedZoneTags property describes key-value pairs that are associated with an
AWS::Route53::HostedZone (p. 1392) resource.

Syntax
JSON
{
}

"Key" : String,
"Value" : String

YAML
Key: String
Value: String

Properties
Key
The key name of the tag.
Required: Yes
Type: String
Value
The value for the tag.
Required: Yes
Type: String

Route 53 QueryLoggingConﬁg
The QueryLoggingConfig property is part of the AWS::Route53::HostedZone (p. 1392) resource that
speciﬁes a conﬁguration for DNS query logging. After you create a query logging conﬁguration, Amazon
Route 53 begins to publish log data to an Amazon CloudWatch Logs log group. For more information,
see CreateQueryLoggingConﬁg in the Amazon Route 53 API Reference.

Syntax
JSON
{

API Version 2010-05-15
2120

AWS CloudFormation User Guide
Route 53 HostedZoneVPCs

}

"CloudWatchLogsLogGroupArn" : String

YAML
CloudWatchLogsLogGroupArn: String

Properties
CloudWatchLogsLogGroupArn
The Amazon Resource Name (ARN) for the log group that you want Amazon Route 53 to send query
logs to. This is the format of the ARN:
arn:aws:logs:region:account-id:log-group:log_group_name
Required: Yes
Type: String

Route 53 HostedZoneVPCs
The HostedZoneVPCs property is part of the AWS::Route53::HostedZone (p. 1392) resource that
speciﬁes the VPCs to associate with the hosted zone.

Syntax
JSON
{
}

"VPCId" : String,
"VPCRegion" : String

YAML
VPCId: String
VPCRegion: String

Properties
VPCId
The ID of the Amazon VPC that you want to associate with the hosted zone.
Required: Yes
Type: String
VPCRegion
The region in which the Amazon VPC was created as speciﬁed in the VPCId property.
Required: Yes
API Version 2010-05-15
2121

AWS CloudFormation User Guide
Amazon S3 Bucket AbortIncompleteMultipartUpload

Type: String

Amazon S3 Bucket AbortIncompleteMultipartUpload
The AbortIncompleteMultipartUpload property type creates a lifecycle rule that aborts incomplete
multipart uploads to an Amazon S3 bucket. When Amazon S3 aborts a multipart upload, it deletes all
parts associated with the multipart upload. For more information, see Aborting Incomplete Multipart
Uploads Using a Bucket Lifecycle Policy in the Amazon Simple Storage Service Developer Guide.
AbortIncompleteMultipartUpload is a property of the Amazon S3 Bucket Rule (p. 2144) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"DaysAfterInitiation" : Integer

YAML
DaysAfterInitiation: Integer

Properties
DaysAfterInitiation
The number of days after the upload is initiated before aborting the upload.
Required: Yes
Type: Integer
Update requires: No interruption (p. 118)

Amazon S3 Bucket AccelerateConﬁguration
The AccelerateConfiguration property type conﬁgures the transfer acceleration state for an
Amazon S3 bucket. For more information, see Amazon S3 Transfer Acceleration in the Amazon Simple
Storage Service Developer Guide.
AccelerateConfiguration is a property of the AWS::S3::Bucket (p. 1403) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
2122

AWS CloudFormation User Guide
Amazon S3 Bucket AccelerateConﬁguration
"AccelerationStatus" : String

}

YAML
AccelerationStatus: String

Properties
AccelerationStatus
Sets the transfer acceleration state of the bucket.
Required: Yes
Type: String
Valid values: Enabled, Suspended
Update requires: No interruption (p. 118)

Example
The following example sets the transfer acceleration state of a bucket based on the AccelerateStatus
parameter.

JSON
{

"AWSTemplateFormatVersion":"2010-09-09",
"Parameters" : {
"AccelerateStatus" : {
"Type" : "String"
}
},
"Resources":{
"MyBucket":{
"Type":"AWS::S3::Bucket",
"Properties" : {
"AccelerateConfiguration" : {
"AccelerationStatus" : {"Ref" : "AccelerateStatus"}
}
}
}
}

}

YAML
AWSTemplateFormatVersion: 2010-09-09
Parameters:
AccelerateStatus:
Type: String
Resources:
MyBucket:
Type: AWS::S3::Bucket
Properties:
AccelerateConfiguration:

API Version 2010-05-15
2123

AWS CloudFormation User Guide
Amazon S3 Bucket AccessControlTranslation
AccelerationStatus: !Ref AccelerateStatus

Amazon S3 Bucket AccessControlTranslation
The AccessControlTranslation property type speciﬁes replica ownership of the AWS account that
owns the destination bucket.
AccessControlTranslation is a property of the AWS::S3::Bucket (p. 1403) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Owner" : String

YAML
Owner: String

Properties
Owner
Speciﬁes the replica ownership.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon S3 Bucket AnalyticsConﬁguration
The AnalyticsConfiguration property type speciﬁes the conﬁguration and any analyses for the
analytics ﬁlter of an Amazon S3 bucket.
For more information, see GET Bucket analytics in the Amazon Simple Storage Service API Reference
AnalyticsConfigurations is a property of the AWS::S3::Bucket (p. 1403) resource type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Id" : String,
"Prefix" : String,
"StorageClassAnalysis" : StorageClassAnalysis (p. 2150),

API Version 2010-05-15
2124

AWS CloudFormation User Guide
Amazon S3 Bucket BucketEncryption

}

"TagFilters" : [ TagFilter (p. 2151), ... ]

YAML
Id: String
Prefix: String
StorageClassAnalysis: StorageClassAnalysis
TagFilters:
- TagFilter (p. 2151)

Properties
Id
The ID that identiﬁes the analytics conﬁguration.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Prefix
The preﬁx that an object must have to be included in the analytics results.
Required: No
Type: String
Update requires: No interruption (p. 118)
StorageClassAnalysis
Contains data related to access patterns to be collected and made available to analyze the tradeoﬀs
between diﬀerent storage classes.
Required: Yes
Type: Amazon S3 Bucket StorageClassAnalysis (p. 2150)
Update requires: No interruption (p. 118)
TagFilters
The tags to use when evaluating an analytics ﬁlter.
The analytics only includes objects that meet the ﬁlter's criteria. If no ﬁlter is speciiﬁed, all of the
contents of the bucket are included in the analysis.
Required: No
Type: List of Amazon S3 Bucket TagFilter (p. 2151)
Update requires: No interruption (p. 118)

Amazon S3 Bucket BucketEncryption
The BucketEncryption property is part of the AWS::S3::Bucket (p. 1403) resource that speciﬁes
default encryption for a bucket using server-side encryption with Amazon S3-managed keys SSE-S3 or
API Version 2010-05-15
2125

AWS CloudFormation User Guide
Amazon S3 Bucket CorsConﬁguration

AWS KMS-managed Keys (SSE-KMS) bucket. For information about the Amazon S3 default encryption
feature, see Amazon S3 Default Bucket Encryption in the Amazon Simple Storage Service Developer Guide.

Syntax
JSON
{
}

"ServerSideEncryptionConfiguration" : [ ServerSideEncryptionRule (p. 2148), ... ]

YAML
ServerSideEncryptionConfiguration:
- ServerSideEncryptionRule (p. 2148)

Properties
ServerSideEncryptionConfiguration
Speciﬁes the server-side encryption by default conﬁguration.
Required: Yes
Type: List of Amazon S3 Bucket ServerSideEncryptionRule (p. 2148)
Update requires: No interruption (p. 118)

Amazon S3 Bucket CorsConﬁguration
Describes the cross-origin access conﬁguration for objects in an AWS::S3::Bucket (p. 1403) resource.

Syntax
JSON
{
}

"CorsRules" : [ CorsRules, ... ]

YAML
CorsRules:
- CorsRules

Properties
CorsRules
A set of origins and methods that you allow.
Required: Yes
Type: Amazon S3 Bucket CorsRule (p. 2127)
API Version 2010-05-15
2126

AWS CloudFormation User Guide
Amazon S3 Bucket CorsRule

Amazon S3 Bucket CorsRule
Describes cross-origin access rules for the Amazon S3 Bucket CorsConﬁguration (p. 2126) property.

Syntax
JSON
{

}

"AllowedHeaders" :
"AllowedMethods" :
"AllowedOrigins" :
"ExposedHeaders" :
"Id" : String,
"MaxAge" : Integer

[
[
[
[

String,
String,
String,
String,

...
...
...
...

],
],
],
],

YAML
AllowedHeaders:
- String
AllowedMethods:
- String
AllowedOrigins:
- String
ExposedHeaders:
- String
Id: String
MaxAge: Integer

Properties
AllowedHeaders
Headers that are speciﬁed in the Access-Control-Request-Headers header. These headers are
allowed in a preﬂight OPTIONS request. In response to any preﬂight OPTIONS request, Amazon S3
returns any requested headers that are allowed.
Required: No
Type: List of String values
AllowedMethods
An HTTP method that you allow the origin to execute. The valid values are GET, PUT, HEAD, POST,
and DELETE.
Required: Yes
Type: List of String values
AllowedOrigins
An origin that you allow to send cross-domain requests.
Required: Yes
Type: List of String values
API Version 2010-05-15
2127

AWS CloudFormation User Guide
Amazon S3 Bucket DataExport

ExposedHeaders
One or more headers in the response that are accessible to client applications (for example, from a
JavaScript XMLHttpRequest object).
Required: No
Type: List of String values
Id
A unique identiﬁer for this rule. The value cannot be more than 255 characters.
Required: No
Type: String
MaxAge
The time in seconds that your browser is to cache the preﬂight response for the speciﬁed resource.
Required: No
Type: Integer

Amazon S3 Bucket DataExport
The DataExport property type speciﬁes how data related to the storage class analysis should be
exported for an Amazon S3 bucket.
DataExport is a property of the Amazon S3 Bucket StorageClassAnalysis (p. 2150) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Destination" : Destination (p. 2129),
"OutputSchemaVersion" : String

YAML
Destination: Destination
OutputSchemaVersion: String

Properties
Destination
Information about where to publish the analytics results.
Required: Yes
Type: Amazon S3 Bucket Destination (p. 2129)
Update requires: No interruption (p. 118)
API Version 2010-05-15
2128

AWS CloudFormation User Guide
Amazon S3 Bucket Destination

OutputSchemaVersion
The version of the output schema to use when exporting data. Must be V_1.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon S3 Bucket Destination
The Destination property type speciﬁes information about where to publish analysis or conﬁguration
results for an Amazon S3 bucket.
Destination is a property of the Amazon S3 Bucket DataExport (p. 2128) and Amazon S3 Bucket
InventoryConﬁguration (p. 2131) property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"BucketAccountId" : String,
"BucketArn" : String,
"Format" : String,
"Prefix" : String

YAML
BucketAccountId: String
BucketArn: String
Format: String
Prefix: String

Properties
BucketAccountId
The ID of the account that owns the destination bucket where the analytics is published.
Although optional, we recommend that the value be set to prevent problems if the destination
bucket ownership changes.
Required: No
Type: String
Update requires: No interruption (p. 118)
BucketArn
The Amazon Resource Name (ARN) of the bucket where analytics results are published. This
destination bucket must be in the same region as the bucket used for the analytics or inventory
conﬁguration.
API Version 2010-05-15
2129

AWS CloudFormation User Guide
Amazon S3 EncryptionConﬁguration

Required: Yes
Type: String
Update requires: No interruption (p. 118)
Format
Speciﬁes the output format of the analytics or inventory results. Currently, Amazon S3 supports the
comma-separated value (CSV) format.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Prefix
The preﬁx that is prepended to all analytics results.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon S3 Bucket EncryptionConﬁguration
The EncryptionConfiguration property type speciﬁes encryption-related information for an
Amazon S3 bucket that is a destination for replicated objects.
EncryptionConfiguration is a property of the Amazon S3 Bucket ReplicationDestination (p. 2141)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"ReplicaKmsKeyID" : String

YAML
ReplicaKmsKeyID: String

Properties
ReplicaKmsKeyID
Speciﬁes the AWS KMS Key ID (Key ARN or Alias ARN) for the destination bucket. Amazon S3 uses
this key to encrypt replicas.
Required: Yes
Type: String
API Version 2010-05-15
2130

AWS CloudFormation User Guide
Amazon S3 Bucket FilterRule

Update requires: No interruption (p. 118)

Amazon S3 Bucket FilterRule
Rules is a property of the Amazon S3 Bucket S3KeyFilter (p. 2147) property that describes the Amazon
Simple Storage Service (Amazon S3) object key name to ﬁlter on and whether to ﬁlter on the suﬃx or
preﬁx of the key name.

Syntax
JSON
{
}

"Name" : String,
"Value" : String

YAML
Name: String
Value: String

Properties
Name
Whether the ﬁlter matches the preﬁx or suﬃx of object key names. For valid values, see the Name
request element of the PUT Bucket notiﬁcation action in the Amazon Simple Storage Service API
Reference.
Required: Yes
Type: String
Value
The value that the ﬁlter searches for in object key names.
Required: Yes
Type: String

Amazon S3 Bucket InventoryConﬁguration
The InventoryConfiguration property type speciﬁes the inventory conﬁguration for an Amazon S3
bucket.
For more information, see GET Bucket inventory in the Amazon Simple Storage Service API Reference
InventoryConfiguration is a property of the AWS::S3::Bucket (p. 1403) resource type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
2131

AWS CloudFormation User Guide
Amazon S3 Bucket InventoryConﬁguration

JSON
{

}

"Destination" : Destination (p. 2129),
"Enabled" : Boolean,
"Id" : String,
"IncludedObjectVersions" : String,
"OptionalFields" : [ String, ... ]
"Prefix" : String,
"ScheduleFrequency" : String

YAML
Destination: Destination
Enabled: Boolean
Id: String
IncludedObjectVersions: String
OptionalFields:
- String
Prefix: String
ScheduleFrequency: String

Properties
Destination
Information about where to publish the inventory results.
Required: Yes
Type: Amazon S3 Bucket Destination (p. 2129)
Update requires: No interruption (p. 118)
Enabled
Speciﬁes whether the inventory is enabled or disabled. If set to True, an inventory list is generated.
If set to False, no inventory list is generated.
Required: Yes
Type: Boolean
Update requires: No interruption (p. 118)
Id
The ID that identiﬁes the inventory conﬁguration.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
IncludedObjectVersions
Object versions to include in the inventory list. If set to All, the list includes all the object versions,
which adds the version related ﬁelds VersionId, IsLatest, and DeleteMarker to the list. If set
to Current, the list does not contain these version related ﬁelds.
API Version 2010-05-15
2132

AWS CloudFormation User Guide
Amazon S3 Bucket LambdaConﬁguration

Required: Yes
Type: String
Update requires: No interruption (p. 118)
OptionalFields
The optional ﬁelds that are included in the inventory results.
Required: No
Type: StringList
Update requires: No interruption (p. 118)
Prefix
The preﬁx that is prepended to all inventory results.
Required: No
Type: String
Update requires: No interruption (p. 118)
ScheduleFrequency
The frequency of inventory results generation.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Simple Storage Service Bucket
LambdaConﬁguration
LambdaConfigurations is a property of the Amazon S3 Bucket NotiﬁcationConﬁguration (p. 2138)
property that describes the AWS Lambda (Lambda) functions to invoke and the events for which to
invoke them.

Syntax
JSON
{

}

"Event" : String,
"Filter" : Filter,
"Function" : String

YAML
Event: String
Filter:

API Version 2010-05-15
2133

AWS CloudFormation User Guide
Amazon S3 Bucket LambdaConﬁguration
Filter
Function: String

Properties
Event
The S3 bucket event for which to invoke the Lambda function. For more information, see Supported
Event Types in the Amazon Simple Storage Service Developer Guide.
Required: Yes
Type: String
Filter
The ﬁltering rules that determine which objects invoke the Lambda function. For example, you can
create a ﬁlter so that only image ﬁles with a .jpg extension invoke the function when they are
added to the S3 bucket.
Required: No
Type: Amazon S3 Bucket NotiﬁcationFilter (p. 2139)
Function
The Amazon Resource Name (ARN) of the Lambda function that Amazon S3 invokes when the
speciﬁed event type occurs.
Required: Yes
Type: String

Example
The following example creates a NotificationConfiguration for Lambda using an S3 bucket named
EncryptionServiceBucket.

Note

The BucketName is unique and the Value contains a ﬁle extension without a period (.).

JSON
"EncryptionServiceBucket" : {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"BucketName" : { "Fn::Sub" : "${User}-encryption-service" },
"NotificationConfiguration" : {
"LambdaConfigurations" : [{
"Function" : { "Ref" : "LambdaDeploymentArn" },
"Event" : "s3:ObjectCreated:*",
"Filter" : {
"S3Key" : {
"Rules" : [{
"Name" : "suffix",
"Value" : "zip"
}]
}
}
}]

API Version 2010-05-15
2134

AWS CloudFormation User Guide
Amazon S3 Bucket LifecycleConﬁguration

}

}

}

YAML
EncryptionServiceBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub ${User}-encryption-service
NotificationConfiguration:
LambdaConfigurations:
Function: !Ref LambdaDeploymentArn
Event: "s3:ObjectCreated:*"
Filter:
S3Key:
Rules:
Name: suffix
Value: zip

Amazon S3 Bucket LifecycleConﬁguration
Describes the lifecycle conﬁguration for objects in an AWS::S3::Bucket (p. 1403) resource.

Syntax
JSON
{
}

"Rules" : [ Lifecycle Rule, ... ]

YAML
Rules:
- Lifecycle Rule

Properties
Rules
A lifecycle rule for individual objects in an S3 bucket.
Required: Yes
Type: Amazon S3 Bucket Rule (p. 2144)

Amazon S3 Bucket LoggingConﬁguration
Describes where logs are stored and the preﬁx that Amazon S3 assigns to all log object keys for an
AWS::S3::Bucket (p. 1403) resource. These logs track requests to an Amazon S3 bucket. For more
information, see PUT Bucket logging in the Amazon Simple Storage Service API Reference.
API Version 2010-05-15
2135

AWS CloudFormation User Guide
Amazon S3 Bucket MetricsConﬁguration

Syntax
JSON
{
}

"DestinationBucketName" : String,
"LogFilePrefix" : String

YAML
DestinationBucketName: String
LogFilePrefix: String

Properties
DestinationBucketName
The name of an Amazon S3 bucket where Amazon S3 store server access log ﬁles. You can
store log ﬁles in any bucket that you own. By default, logs are stored in the bucket where the
LoggingConfiguration property is deﬁned.
Required: No
Type: String
LogFilePrefix
A preﬁx for the all log object keys. If you store log ﬁles from multiple Amazon S3 buckets in a single
bucket, you can use a preﬁx to distinguish which log ﬁles came from which bucket.
Required: No
Type: String

Amazon S3 Bucket MetricsConﬁguration
The MetricsConfiguration property type speciﬁes a metrics conﬁguration for the CloudWatch
request metrics (speciﬁed by the metrics conﬁguration ID) from an Amazon S3 bucket. If you're
updating an existing metrics conﬁguration, note that this is a full replacement of the existing metrics
conﬁguration. If you don't include the elements you want to keep, they are erased. For more information,
see PUT Bucket metrics in the Amazon Simple Storage Service (Amazon S3) API Reference.
MetricsConfiguration is a property of the AWS::S3::Bucket (p. 1403) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Id" : String,
"Prefix" : String,
"TagFilters" : [ TagFilter (p. 2151), ... ]

API Version 2010-05-15
2136

AWS CloudFormation User Guide
Amazon S3 Bucket NoncurrentVersionTransition
}

YAML
Id: String
Prefix: String
TagFilters:
- TagFilter (p. 2151)

Properties
For more information and valid values, see PUT Bucket metrics in the Amazon Simple Storage Service
(Amazon S3) API Reference.
Id
The ID used to identify the metrics conﬁguration.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Prefix
The preﬁx that an object must have to be included in the metrics results.
Required: No
Type: String
Update requires: No interruption (p. 118)
TagFilters
Speciﬁes a list of tag ﬁlters to use as a metrics conﬁguration ﬁlter. The metrics conﬁguration
includes only objects that meet the ﬁlter's criteria.
Required: No
Type: List of Amazon S3 Bucket TagFilter (p. 2151)
Update requires: No interruption (p. 118)

Amazon S3 Bucket NoncurrentVersionTransition
NoncurrentVersionTransition is a property of the Amazon S3 Bucket Rule (p. 2144) property that
describes when noncurrent objects transition to a speciﬁed storage class.

Syntax
JSON
{
}

"StorageClass" : String,
"TransitionInDays" : Integer

API Version 2010-05-15
2137

AWS CloudFormation User Guide
Amazon S3 Bucket NotiﬁcationConﬁguration

YAML
StorageClass: String
TransitionInDays: Integer

Properties
StorageClass
The storage class to which you want the object to transition, such as GLACIER. For valid values,
see the StorageClass request element of the PUT Bucket lifecycle action in the Amazon Simple
Storage Service API Reference.
Required: Yes
Type: String
TransitionInDays
The number of days between the time that a new version of the object is uploaded to the bucket
and when old versions of the object are transitioned to the speciﬁed storage class.
Required: Yes
Type: Integer

Amazon S3 Bucket NotiﬁcationConﬁguration
Describes the notiﬁcation conﬁguration for an AWS::S3::Bucket (p. 1403) resource.

Note

If you create the target resource and related permissions in the same template, you might have
a circular dependency.
For example, you might use the AWS::Lambda::Permission resource to grant the S3 bucket to
invoke a Lambda function. However, AWS CloudFormation can't create the S3 bucket until the
bucket has permission to invoke the function (AWS CloudFormation checks if the S3 bucket
can invoke the function). If you're using Refs to pass the bucket name, this leads to a circular
dependency.
To avoid this dependency, you can create all resources without specifying the notiﬁcation
conﬁguration. Then, update the stack with a notiﬁcation conﬁguration.

Syntax
JSON
{

}

"LambdaConfigurations" : [ Lambda Configuration, ... ],
"QueueConfigurations" : [ Queue Configuration, ... ],
"TopicConfigurations" : [ Topic Configuration, ... ]

YAML
LambdaConfigurations:
- Lambda Configuration
QueueConfigurations:

API Version 2010-05-15
2138

AWS CloudFormation User Guide
Amazon S3 Bucket NotiﬁcationFilter
- Queue Configuration
TopicConfigurations:
- Topic Configuration

Properties
LambdaConfigurations
The AWS Lambda functions to invoke and the events for which to invoke the functions.
Required: No
Type: Amazon S3 Bucket LambdaConﬁguration (p. 2133)
QueueConfigurations
The Amazon Simple Queue Service queues to publish messages to and the events for which to
publish messages.
Required: No
Type: Amazon S3 Bucket QueueConﬁguration (p. 2140)
TopicConfigurations
The topic to which notiﬁcations are sent and the events for which notiﬁcation are generated.
Required: No
Type: Amazon S3 Bucket TopicConﬁguration (p. 2152)

Amazon S3 Bucket NotiﬁcationFilter
Filter is a property of the LambdaConfigurations (p. 2133),
QueueConfigurations (p. 2140), and TopicConfigurations (p. 2152) properties that describes
the ﬁltering rules that determine the Amazon Simple Storage Service (Amazon S3) objects for which to
send notiﬁcations.

Syntax
JSON
{
}

"S3Key" : S3 Key

YAML
S3Key:
S3 Key

Properties
S3Key
Amazon S3 ﬁltering rules that describe for which object key names to send notiﬁcations.
API Version 2010-05-15
2139

AWS CloudFormation User Guide
Amazon S3 Bucket QueueConﬁguration

Required: Yes
Type: Amazon S3 Bucket S3KeyFilter (p. 2147)

Amazon Simple Storage Service Bucket
QueueConﬁguration
QueueConfigurations is a property of the Amazon S3 Bucket NotiﬁcationConﬁguration (p. 2138)
property that describes the S3 bucket events about which you want to send messages to Amazon SQS
and the queues to which you want to send them.

Syntax
JSON
{

}

"Event" : String,
"Filter" : Filter,
"Queue" : String

YAML
Event: String
Filter:
Filter
Queue: String

Properties
Event
The S3 bucket event about which you want to publish messages to Amazon Simple Queue Service
( Amazon SQS). For more information, see Supported Event Types in the Amazon Simple Storage
Service Developer Guide.
Required: Yes
Type: String
Filter
The ﬁltering rules that determine for which objects to send notiﬁcations. For example, you can
create a ﬁlter so that Amazon Simple Storage Service (Amazon S3) sends notiﬁcations only when
image ﬁles with a .jpg extension are added to the bucket.
Required: No
Type: Amazon S3 Bucket NotiﬁcationFilter (p. 2139)
Queue
The Amazon Resource Name (ARN) of the Amazon SQS queue that Amazon S3 publishes messages
to when the speciﬁed event type occurs.
Required: Yes
API Version 2010-05-15
2140

AWS CloudFormation User Guide
Amazon S3 Bucket ReplicationConﬁguration

Type: String

Amazon S3 Bucket ReplicationConﬁguration
ReplicationConfiguration is a property of the AWS::S3::Bucket (p. 1403) resource that speciﬁes
replication rules and the AWS Identity and Access Management (IAM) role Amazon Simple Storage
Service (Amazon S3) uses to replicate objects.

Syntax
JSON
{
}

"Role" : String,
"Rules" : [ Rule, ... ]

YAML
Role: String
Rules:
- Rule

Properties
Role
The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that
Amazon S3 assumes when replicating objects. For more information, see How to Set Up CrossRegion Replication in the Amazon Simple Storage Service Developer Guide.
Required: Yes
Type: String
Rules
A replication rule that speciﬁes which objects to replicate and where they are stored.
Required: Yes
Type: List of Amazon S3 Bucket ReplicationRule (p. 2143)

Amazon S3 Bucket ReplicationDestination
Destination is a property of the Amazon S3 Bucket ReplicationRule (p. 2143) property that speciﬁes
which Amazon Simple Storage Service (Amazon S3) bucket to store replicated objects and their storage
class.

Syntax
JSON
{

API Version 2010-05-15
2141

AWS CloudFormation User Guide
Amazon S3 Bucket ReplicationDestination

}

"AccessControlTranslation" : AccessControlTranslation (p. 2124),
"Account" : String,
"Bucket" : String,
"EncryptionConfiguration" : EncryptionConfiguration (p. 2130),
"StorageClass" : String

YAML
AccessControlTranslation: AccessControlTranslation (p. 2124)
Account: String
Bucket: String
EncryptionConfiguration: EncryptionConfiguration (p. 2130)
StorageClass: String

Properties
AccessControlTranslation
Specify this only in a cross-account scenario (where source and destination bucket owners are not
the same), and you want to change replica ownership to the AWS account that owns the destination
bucket. If this is not speciﬁed in the replication conﬁguration, the replicas are owned by same AWS
account that owns the source object.
Required: No
Type: Amazon S3 Bucket AccessControlTranslation (p. 2124)
Account
Destination bucket owner account ID. In a cross-account scenario, if you direct Amazon S3 to
change replica ownership to the AWS account that owns the destination bucket by specifying the
AccessControlTranslation property, this is the account ID of the destination bucket owner. For
more information, see Cross-Region Replication Additional Conﬁguration: Change Replica Owner in
the Amazon Simple Storage Service Developer Guide.
Conditional: If you specify the AccessControlTranslation property, the Account property is
required.
Required: No
Type: String
Bucket
The Amazon resource name (ARN) of an S3 bucket where Amazon S3 stores replicated objects. This
destination bucket must be in a diﬀerent region than your source bucket.
If you have multiple rules in your replication conﬁguration, specify the same destination bucket for
all of the rules.
Required: Yes
Type: String
EncryptionConfiguration
Speciﬁes encryption-related information.
Required: No
Type: Amazon S3 Bucket EncryptionConﬁguration (p. 2130)
API Version 2010-05-15
2142

AWS CloudFormation User Guide
Amazon S3 Bucket ReplicationRule

StorageClass
The storage class to use when replicating objects, such as standard or reduced redundancy. By
default, Amazon S3 uses the storage class of the source object to create object replica. For valid
values, see the StorageClass element of the PUT Bucket replication action in the Amazon Simple
Storage Service API Reference.
Required: No
Type: String

Amazon S3 Bucket ReplicationRule
The ReplicationRule property type speciﬁes which Amazon Simple Storage Service (Amazon
S3) objects to replicate and where to store them. The Rules subproperty of the Amazon S3 Bucket
ReplicationConﬁguration (p. 2141) property contains a list of ReplicationRule property types.

Syntax
JSON
{

}

"Destination" : ReplicationDestination (p. 2141),
"Id" : String,
"Prefix" : String,
"SourceSelectionCriteria" : SourceSelectionCriteria (p. 2150),
"Status" : String

YAML
Destination:
ReplicationDestination (p. 2141)
Id: String
Prefix: String
SourceSelectionCriteria: SourceSelectionCriteria (p. 2150);
Status: String

Properties
Destination
Deﬁnes the destination where Amazon S3 stores replicated objects.
Required: Yes
Type: Amazon S3 Bucket ReplicationDestination (p. 2141)
Id
A unique identiﬁer for the rule. If you don't specify a value, AWS CloudFormation generates a
random ID.
Required: No
Type: String
API Version 2010-05-15
2143

AWS CloudFormation User Guide
Amazon S3 Bucket Rule

Prefix
An object preﬁx. This rule applies to all Amazon S3 objects with this preﬁx. To specify all objects in
an S3 bucket, specify an empty string.
Required: Yes
Type: String
SourceSelectionCriteria
Speciﬁes additional ﬁlters in identifying source objects that you want to replicate.
Currently, Amazon S3 supports only the ﬁlter that you can specify for objects created with serverside encryption using an AWS KMS-managed key. That is, you can choose to enable or disable
replication of these objects.
Required: No
Type: Amazon S3 Bucket SourceSelectionCriteria (p. 2150)
Status
Whether the rule is enabled. For valid values, see the Status element of the PUT Bucket replication
action in the Amazon Simple Storage Service API Reference.
Required: Yes
Type: String

Amazon S3 Bucket Rule
The Rule property type describes lifecycle rules. The Rules subproperty of the Amazon S3 Bucket
LifecycleConﬁguration (p. 2135) property contains a list of Rule property types. For more information,
see PUT Bucket lifecycle in the Amazon Simple Storage Service (Amazon S3) API Reference.

Syntax
JSON
{

}

"AbortIncompleteMultipartUpload" : AbortIncompleteMultipartUpload,
"ExpirationDate" : String,
"ExpirationInDays" : Integer,
"Id" : String,
"NoncurrentVersionExpirationInDays" : Integer,
"NoncurrentVersionTransition (deprecated)" : NoncurrentVersionTransition,
"NoncurrentVersionTransitions" : [ NoncurrentVersionTransition, ... ],
"Prefix" : String,
"Status" : String,
"TagFilters" : [ TagFilter (p. 2151), ... ],
"Transition (deprecated)" : Transition,
"Transitions" : [ Transition, ... ]

YAML
AbortIncompleteMultipartUpload:
AbortIncompleteMultipartUpload
ExpirationDate: String

API Version 2010-05-15
2144

AWS CloudFormation User Guide
Amazon S3 Bucket Rule
ExpirationInDays: Integer
Id: String
NoncurrentVersionExpirationInDays: Integer
NoncurrentVersionTransition (deprecated):
NoncurrentVersionTransition
NoncurrentVersionTransitions:
- NoncurrentVersionTransition
Prefix: String
Status: String
TagFilters:
- TagFilter (p. 2151)
Transition (deprecated):
Transition
Transitions:
- Transition

Properties
AbortIncompleteMultipartUpload
Speciﬁes a lifecycle rule that aborts incomplete multipart uploads to an Amazon S3 bucket.
Required: Conditional. You must specify at least one of the following properties:
AbortIncompleteMultipartUpload, ExpirationDate, ExpirationInDays,
NoncurrentVersionExpirationInDays, NoncurrentVersionTransition,
NoncurrentVersionTransitions, Transition, or Transitions.
Type: Amazon S3 Bucket AbortIncompleteMultipartUpload (p. 2122)
ExpirationDate
Indicates when objects are deleted from Amazon S3 and Amazon Glacier. The date value must be in
ISO 8601 format. The time is always midnight UTC. If you specify an expiration and transition time,
you must use the same time unit for both properties (either in days or by date). The expiration time
must also be later than the transition time.
Required: Conditional. You must specify at least one of the following properties:
AbortIncompleteMultipartUpload, ExpirationDate, ExpirationInDays,
NoncurrentVersionExpirationInDays, NoncurrentVersionTransition,
NoncurrentVersionTransitions, Transition, or Transitions.
Type: String
ExpirationInDays
Indicates the number of days after creation when objects are deleted from Amazon S3 and Amazon
Glacier. If you specify an expiration and transition time, you must use the same time unit for both
properties (either in days or by date). The expiration time must also be later than the transition time.
Required: Conditional. You must specify at least one of the following properties:
AbortIncompleteMultipartUpload, ExpirationDate, ExpirationInDays,
NoncurrentVersionExpirationInDays, NoncurrentVersionTransition,
NoncurrentVersionTransitions, Transition, or Transitions.
Type: Integer
Id
A unique identiﬁer for this rule. The value cannot be more than 255 characters.
Required: No
Type: String
API Version 2010-05-15
2145

AWS CloudFormation User Guide
Amazon S3 Bucket Rule

NoncurrentVersionExpirationInDays
For buckets with versioning enabled (or suspended), speciﬁes the time, in days, between when a
new version of the object is uploaded to the bucket and when old versions of the object expire.
When object versions expire, Amazon S3 permanently deletes them. If you specify a transition and
expiration time, the expiration time must be later than the transition time.
Required: Conditional. You must specify at least one of the following properties:
AbortIncompleteMultipartUpload, ExpirationDate, ExpirationInDays,
NoncurrentVersionExpirationInDays, NoncurrentVersionTransition,
NoncurrentVersionTransitions, Transition, or Transitions.
Type: Integer
NoncurrentVersionTransition (deprecated)
For buckets with versioning enabled (or suspended), speciﬁes when non-current objects transition
to a speciﬁed storage class. If you specify a transition and expiration time, the expiration
time must be later than the transition time. If you specify this property, don't specify the
NoncurrentVersionTransitions property.
Required: Conditional. You must specify at least one of the following properties:
AbortIncompleteMultipartUpload, ExpirationDate, ExpirationInDays,
NoncurrentVersionExpirationInDays, NoncurrentVersionTransition,
NoncurrentVersionTransitions, Transition, or Transitions.
Type: Amazon S3 Bucket NoncurrentVersionTransition (p. 2137)
NoncurrentVersionTransitions
For buckets with versioning enabled (or suspended), one or more transition rules that specify when
non-current objects transition to a speciﬁed storage class. If you specify a transition and expiration
time, the expiration time must be later than the transition time. If you specify this property, don't
specify the NoncurrentVersionTransition property.
Required: Conditional. You must specify at least one of the following properties:
AbortIncompleteMultipartUpload, ExpirationDate, ExpirationInDays,
NoncurrentVersionExpirationInDays, NoncurrentVersionTransition,
NoncurrentVersionTransitions, Transition, or Transitions.
Type: List of Amazon S3 Bucket NoncurrentVersionTransition (p. 2137)
Prefix
Object key preﬁx that identiﬁes one or more objects to which this rule applies.
Required: No
Type: String
Status
Specify either Enabled or Disabled. If you specify Enabled, Amazon S3 executes this rule as
scheduled. If you specify Disabled, Amazon S3 ignores this rule.
Required: Yes
Type: String
TagFilters
Tags to use to identify a subset of objects to which the lifecycle rule applies.
Required: No
API Version 2010-05-15
2146

AWS CloudFormation User Guide
Amazon S3 Bucket S3KeyFilter

Type: List of Amazon S3 Bucket TagFilter (p. 2151)
Update requires: No interruption (p. 118)
Transition (deprecated)
Speciﬁes when an object transitions to a speciﬁed storage class. If you specify an expiration and
transition time, you must use the same time unit for both properties (either in days or by date). The
expiration time must also be later than the transition time. If you specify this property, don't specify
the Transitions property.
Required: Conditional. You must specify at least one of the following properties:
AbortIncompleteMultipartUpload, ExpirationDate, ExpirationInDays,
NoncurrentVersionExpirationInDays, NoncurrentVersionTransition,
NoncurrentVersionTransitions, Transition, or Transitions.
Type: Amazon S3 Bucket Transition (p. 2153)
Transitions
One or more transition rules that specify when an object transitions to a speciﬁed storage class. If
you specify an expiration and transition time, you must use the same time unit for both properties
(either in days or by date). The expiration time must also be later than the transition time. If you
specify this property, don't specify the Transition property.
Required: Conditional. You must specify at least one of the following properties:
AbortIncompleteMultipartUpload, ExpirationDate, ExpirationInDays,
NoncurrentVersionExpirationInDays, NoncurrentVersionTransition,
NoncurrentVersionTransitions, Transition, or Transitions.
Type: List of Amazon S3 Bucket Transition (p. 2153)

Amazon S3 Bucket S3KeyFilter
S3Key is a property of the Amazon S3 Bucket NotiﬁcationFilter (p. 2139) property that speciﬁes the key
names of Amazon Simple Storage Service (Amazon S3) objects for which to send notiﬁcations.

Syntax
JSON
{
}

"Rules" : [ Rule, ... ]

YAML
Rules:
- Rule

Properties
Rules
The object key name to ﬁlter on and whether to ﬁlter on the suﬃx or preﬁx of the key name.
Required: Yes
API Version 2010-05-15
2147

AWS CloudFormation User Guide
Amazon S3 Bucket ServerSideEncryptionRule

Type: List of Amazon S3 Bucket FilterRule (p. 2131)

Amazon S3 Bucket ServerSideEncryptionRule
The ServerSideEncryptionRule property is part of the AWS::S3::Bucket (p. 1403) resource that
speciﬁes the server-side encryption by default conﬁguration. For more information, see PUT Bucket
encryption in the Amazon Simple Storage Service API Reference.

Syntax
JSON
{
}

"ServerSideEncryptionByDefault" : ServerSideEncryptionByDefault (p. 2148)

YAML
ServerSideEncryptionByDefault:
ServerSideEncryptionByDefault (p. 2148)

Properties
ServerSideEncryptionByDefault
Sets server-side encryption by default.
Required: No
Type: ServerSideEncryptionByDefault (p. 2148)
Update requires: No interruption (p. 118)

Amazon S3 Bucket ServerSideEncryptionByDefault
The ServerSideEncryptionByDefault property is part of the AWS::S3::Bucket (p. 1403) resource
that speciﬁes the server-side encryption by default. For more information, see PUT Bucket encryption in
the Amazon Simple Storage Service API Reference.

Syntax
JSON
{
}

"KMSMasterKeyID" : String,
"SSEAlgorithm" : String

YAML
KMSMasterKeyID: String
SSEAlgorithm: String

API Version 2010-05-15
2148

AWS CloudFormation User Guide
Amazon S3 Bucket SseKmsEncryptedObjects

Properties
KMSMasterKeyID
The AWS KMS master key ID used for the SSE-KMS encryption.
Constraint: Can only be used when you set the value of SSEAlgorithm as aws:kms. The default
aws/s3 AWS KMS master key is used if this property is absent while SSEAlgorithm is aws:kms.
Required: No
Type: String
Update requires: No interruption (p. 118)
SSEAlgorithm
The server-side encryption algorithm to use. Valid values include AES256 and aws:kms.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon S3 Bucket SseKmsEncryptedObjects
The SseKmsEncryptedObjects property type speciﬁes the status of whether Amazon S3 replicates
objects created with server-side encryption using an AWS KMS-managed key.
SseKmsEncryptedObjects is a property of the AWS::S3::Bucket (p. 1403) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Status" : String

YAML
Status: String

Properties
Status
Speciﬁes whether Amazon S3 replicates objects created with server-side encryption using an AWS
KMS-managed key. Valid values include Enabled and Disabled.
Required: Yes
API Version 2010-05-15
2149

AWS CloudFormation User Guide
Amazon S3 Bucket SourceSelectionCriteria

Type: String
Update requires: No interruption (p. 118)

Amazon S3 Bucket SourceSelectionCriteria
The SourceSelectionCriteria property type speciﬁes additional ﬁlters in identifying source objects
that you want to replicate.
Currently, Amazon S3 supports only the ﬁlter that you can specify for objects created with server-side
encryption using an AWS KMS-managed key. That is, you can choose to enable or disable replication of
these objects.
SourceSelectionCriteria is a property of the AWS::S3::Bucket (p. 1403) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"SseKmsEncryptedObjects" : SseKmsEncryptedObjects (p. 2149)

YAML
SseKmsEncryptedObjects: SseKmsEncryptedObjects (p. 2149)

Properties
SseKmsEncryptedObjects
Contains the status of whether Amazon S3 replicates objects created with server-side encryption
using an AWS KMS-managed key.
Required: Yes
Type: Amazon S3 Bucket SseKmsEncryptedObjects (p. 2149)
Update requires: No interruption (p. 118)

Amazon S3 Bucket StorageClassAnalysis
The StorageClassAnalysis property type speciﬁes data related to access patterns to be collected
and made available to analyze the tradeoﬀs between diﬀerent storage classes for an Amazon S3 bucket.
StorageClassAnalysis is a property of the Amazon S3 Bucket AnalyticsConﬁguration (p. 2124)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
2150

AWS CloudFormation User Guide
Amazon S3 Bucket TagFilter

JSON
{
}

"DataExport" : DataExport (p. 2128)

YAML
DataExport: DataExport

Properties
DataExport
Describes how data related to the storage class analysis should be exported.
Required: No
Type: Amazon S3 Bucket DataExport (p. 2128)
Update requires: No interruption (p. 118)

Amazon S3 Bucket TagFilter
The TagFilter property type speciﬁes tags to use to identify a subset of objects for an Amazon S3
bucket.
The TagFilters property of the AWS::S3::Bucket (p. 1403) property type contains a list of TagFilter
property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Key" : String,
"Value" : String

YAML
Key: String
Value: String

Properties
Key
The tag key.
Required: Yes
API Version 2010-05-15
2151

AWS CloudFormation User Guide
Amazon S3 Bucket TopicConﬁguration

Type: String
Update requires: No interruption (p. 118)
Value
The tag value.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

Amazon Simple Storage Service Bucket
TopicConﬁguration
Describes the topic and events for the Amazon S3 Bucket NotiﬁcationConﬁguration (p. 2138) property.

Syntax
JSON
{

}

"Event" : String,
"Filter" : Filter,
"Topic" : String

YAML
Event: String
Filter:
Filter
Topic: String

Properties
Event
The Amazon Simple Storage Service (Amazon S3) bucket event about which to send notiﬁcations.
For more information, see Supported Event Types in the Amazon Simple Storage Service Developer
Guide.
Required: Yes
Type: String
Filter
The ﬁltering rules that determine for which objects to send notiﬁcations. For example, you can
create a ﬁlter so that Amazon Simple Storage Service (Amazon S3) sends notiﬁcations only when
image ﬁles with a .jpg extension are added to the bucket.
Required: No
Type: Amazon S3 Bucket NotiﬁcationFilter (p. 2139)
API Version 2010-05-15
2152

AWS CloudFormation User Guide
Amazon S3 Bucket Transition

Topic
The Amazon SNS topic Amazon Resource Name (ARN) to which Amazon S3 reports the speciﬁed
events.
Required: Yes
Type: String

Amazon S3 Bucket Transition
Describes when an object transitions to a speciﬁed storage class for the Amazon S3 Bucket
Rule (p. 2144) property.

Syntax
JSON
{

}

"StorageClass" : String,
"TransitionDate" : String,
"TransitionInDays" : Integer

YAML
StorageClass: String
TransitionDate: String
TransitionInDays: Integer

Properties
StorageClass
The storage class to which you want the object to transition, such as GLACIER. For valid values,
see the StorageClass request element of the PUT Bucket lifecycle action in the Amazon Simple
Storage Service API Reference.
Required: Yes
Type: String
TransitionDate
Indicates when objects are transitioned to the speciﬁed storage class. The date value must be in ISO
8601 format. The time is always midnight UTC.
Required: Conditional
Type: String
TransitionInDays
Indicates the number of days after creation when objects are transitioned to the speciﬁed storage
class.
Required: Conditional
API Version 2010-05-15
2153

AWS CloudFormation User Guide
Amazon S3 Bucket VersioningConﬁguration

Type: Integer

Amazon S3 Bucket VersioningConﬁguration
Describes the versioning state of an AWS::S3::Bucket (p. 1403) resource. For more information, see PUT
Bucket versioning in the Amazon Simple Storage Service API Reference.

Syntax
JSON
{
}

"Status" : String

YAML
Status: String

Properties
Status
The versioning state of an Amazon S3 bucket. If you enable versioning, you must suspend versioning
to disable it.
Valid values include Enabled and Suspended. The default is Suspended.
Required: Yes
Type: String

Amazon S3 Website Conﬁguration Property
WebsiteConfiguration is an embedded property of the AWS::S3::Bucket (p. 1403) resource.

Syntax
JSON
{

}

"ErrorDocument" : String,
"IndexDocument" : String,
"RedirectAllRequestsTo" : Redirect all requests rule,
"RoutingRules" : [ Routing rule, ... ]

YAML
ErrorDocument: String
IndexDocument: String

API Version 2010-05-15
2154

AWS CloudFormation User Guide
Amazon S3 Website Conﬁguration Property
RedirectAllRequestsTo:
Redirect all requests rule
RoutingRules:
- Routing rule

Properties
ErrorDocument
The name of the error document for the website.
Required: No
Type: String
IndexDocument
The name of the index document for the website.
Required: Yes
Type: String
RedirectAllRequestsTo
The redirect behavior for every request to this bucket's website endpoint.

Important

If you specify this property, you cannot specify any other property.
Required: No
Type: Amazon S3 Website Conﬁguration Redirect All Requests To Property (p. 2156)
RoutingRules
Rules that deﬁne when a redirect is applied and the redirect behavior.
Required: No
Type: List of Amazon S3 Website Conﬁguration Routing Rules Property (p. 2156)

Example
"S3Bucket" : {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"AccessControl" : "PublicRead",
"WebsiteConfiguration" : {
"IndexDocument" : "index.html",
"ErrorDocument" : "error.html"
}
}
}

See Also
• Custom Error Document Support in the Amazon Simple Storage Service Developer Guide
• Index Document Support in the Amazon Simple Storage Service Developer Guide
API Version 2010-05-15
2155

AWS CloudFormation User Guide
Amazon S3 Website Conﬁguration
Redirect All Requests To Property

Amazon S3 Website Conﬁguration Redirect All
Requests To Property
The RedirectAllRequestsTo code is an embedded property of the Amazon S3 Website Conﬁguration
Property (p. 2154) property that describes the redirect behavior of all requests to a website endpoint of
an Amazon S3 bucket.

Syntax
JSON
{
}

"HostName" : String,
"Protocol" : String

YAML
HostName: String
Protocol: String

Properties
HostName
Name of the host where requests are redirected.
Required: Yes
Type: String
Protocol
Protocol to use (http or https) when redirecting requests. The default is the protocol that is used
in the original request.
Required: No
Type: String

Amazon S3 Website Conﬁguration Routing Rules
Property
The RoutingRules property is an embedded property of the Amazon S3 Website Conﬁguration
Property (p. 2154) property. This property describes the redirect behavior and when a redirect is applied.

Syntax
JSON
{

API Version 2010-05-15
2156

AWS CloudFormation User Guide
Amazon S3 Website Conﬁguration
Routing Rules Redirect Rule Property

}

"RedirectRule" : Redirect rule,
"RoutingRuleCondition" : Routing rule condition

YAML
RedirectRule:
Redirect rule
RoutingRuleCondition:
Routing rule condition

Properties
RedirectRule
Redirect requests to another host, to another page, or with another protocol.
Required: Yes
Type: Amazon S3 Website Conﬁguration Routing Rules Redirect Rule Property (p. 2157)
RoutingRuleCondition
Rules that deﬁne when a redirect is applied.
Required: No
Type: Amazon S3 Website Conﬁguration Routing Rules Routing Rule Condition Property (p. 2158)

Amazon S3 Website Conﬁguration Routing Rules
Redirect Rule Property
The RedirectRule property is an embedded property of the Amazon S3 Website Conﬁguration Routing
Rules Property (p. 2156) that describes how requests are redirected. In the event of an error, you can
specify a diﬀerent error code to return.

Syntax
JSON
{

}

"HostName" : String,
"HttpRedirectCode" : String,
"Protocol" : String,
"ReplaceKeyPrefixWith" : String,
"ReplaceKeyWith" : String

YAML
HostName: String
HttpRedirectCode: String
Protocol: String
ReplaceKeyPrefixWith: String

API Version 2010-05-15
2157

AWS CloudFormation User Guide
Amazon S3 Website Conﬁguration Routing
Rules Routing Rule Condition Property
ReplaceKeyWith: String

Properties
HostName
Name of the host where requests are redirected.
Required: No
Type: String
HttpRedirectCode
The HTTP redirect code to use on the response.
Required: No
Type: String
Protocol
The protocol to use in the redirect request.
Required: No
Type: String
ReplaceKeyPrefixWith
The object key preﬁx to use in the redirect request. For example, to redirect requests for all
pages with the preﬁx docs/ (objects in the docs/ folder) to the documents/ preﬁx, you
can set the KeyPrefixEquals property in routing condition property to docs/, and set the
ReplaceKeyPreﬁxWith property to documents/.

Important

If you specify this property, you cannot specify the ReplaceKeyWith property.
Required: No
Type: String
ReplaceKeyWith
The speciﬁc object key to use in the redirect request. For example, redirect request to error.html.

Important

If you specify this property, you cannot specify the ReplaceKeyPrefixWith property.
Required: No
Type: String

Amazon S3 Website Conﬁguration Routing Rules
Routing Rule Condition Property
The RoutingRuleCondition property is an embedded property of the Amazon S3 Website
Conﬁguration Routing Rules Property (p. 2156) that describes a condition that must be met for a
redirect to apply.
API Version 2010-05-15
2158

AWS CloudFormation User Guide
Amazon SageMaker Endpoint Tag

Syntax
JSON
{
}

"HttpErrorCodeReturnedEquals" : String,
"KeyPrefixEquals" : String

YAML
HttpErrorCodeReturnedEquals: String
KeyPrefixEquals: String

Properties
HttpErrorCodeReturnedEquals
Applies this redirect if the error code equals this value in the event of an error.
Required: Conditional. You must specify at least one condition property.
Type: String
KeyPrefixEquals
The object key name preﬁx when the redirect is applied. For example, to redirect requests for
ExamplePage.html, set the key preﬁx to ExamplePage.html. To redirect request for all pages
with the preﬁx docs/, set the key preﬁx to docs/, which identiﬁes all objects in the docs/ folder.
Required: Conditional. You must at least one condition property.
Type: String

Amazon SageMaker Endpoint Tag
The Tag property type speciﬁes tags for the endpoint resource. Use tags to manage endpoint resources.
Tag is a property of the AWS::SageMaker::Endpoint (p. 1421) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Key" : String,
"Value" : String

YAML
Key: String

API Version 2010-05-15
2159

AWS CloudFormation User Guide
Amazon SageMaker EndpointConﬁg ProductionVariant
Value" : String

Properties
Key
The key name of the tag. You can specify a value that is 1 to 127 Unicode characters in length
and cannot be preﬁxed with aws:. You can use any of the following characters: the set of Unicode
letters, digits, whitespace, _, ., /, =, +, and -.
Required: No
Type: String
Update requires: No interruption (p. 118)
Value
The value for the tag. You can specify a value that is 1 to 255 Unicode characters in length and
cannot be preﬁxed with aws:. You can use any of the following characters: the set of Unicode
letters, digits, whitespace, _, ., /, =, +, and -.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon SageMaker EndpointConﬁg
ProductionVariant
The ProductionVariant property type speciﬁes a model that you want to host and the resources to
deploy for hosting it. If you are deploying multiple models, tell Amazon SageMaker how to distribute
traﬃc among the models by specifying variant weights.
ProductionVariant is a property of the AWS::SageMaker::EndpointConﬁg (p. 1425) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"ModelName" : String,
"VariantName" : String,
"InitialInstanceCount" : Integer,
"InstanceType" : String,
"InitialVariantWeight" : Double,

YAML
ModelName: String
VariantName: String
InitialInstanceCount: Integer

API Version 2010-05-15
2160

AWS CloudFormation User Guide
Amazon SageMaker EndpointConﬁg Tag
InstanceType: String
InitialVariantWeight: Double

Properties
ModelName
The name of the model that you want to host.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
VariantName
The name of the production variant.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
InitialInstanceCount
The number of instances to launch initially for this production variant.
Required: Yes
Type: Integer
Update requires: Replacement (p. 119)
InstanceType
The ML compute instance type to use for this production variant.
Required: Yes
Type: String
Update requires: Replacement (p. 119)
InitialVariantWeight
Determines initial traﬃc distribution among all of the models that you specify in the endpoint
conﬁguration. The traﬃc to a production variant is determined by the ratio of the VariantWeight
to the sum of all VariantWeight values across all production variants for an endpoint. If
unspeciﬁed, it defaults to 1.0.
Required: Yes
Type: Double
Update requires: Replacement (p. 119)

Amazon SageMaker EndpointConﬁg Tag
The Tag property type speciﬁes tags for the endpoint conﬁguration resource. Use tags to manage
endpoint resources.
Tag is a property of the AWS::SageMaker::EndpointConﬁg (p. 1425) resource.
API Version 2010-05-15
2161

AWS CloudFormation User Guide
Amazon SageMaker NotebookInstance Tag

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Key" : String,
"Value" : String

YAML
Key: String
Value" : String

Properties
Key
The key name of the tag. You can specify a value that is 1 to 127 Unicode characters in length
and cannot be preﬁxed with aws:. You can use any of the following characters: the set of Unicode
letters, digits, whitespace, _, ., /, =, +, and -.
Required: No
Type: String
Update requires: No interruption (p. 118)
Value
The value for the tag. You can specify a value that is 1 to 255 Unicode characters in length and
cannot be preﬁxed with aws:. You can use any of the following characters: the set of Unicode
letters, digits, whitespace, _, ., /, =, +, and -.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon SageMaker NotebookInstance Tag
The Tag property type speciﬁes tags for the notebook instance resource. Use tags to manage endpoint
resources.
Tag is a property of the AWS::SageMaker::NotebookInstance (p. 1435) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
2162

AWS CloudFormation User Guide
Amazon SageMaker NotebookInstanceLifecycleConﬁg
NotebookInstanceLifecycleHook

}

"Key" : String,
"Value" : String

YAML
Key: String
Value" : String

Properties
Key
The key name of the tag. You can specify a value that is 1 to 127 Unicode characters in length
and cannot be preﬁxed with aws:. You can use any of the following characters: the set of Unicode
letters, digits, whitespace, _, ., /, =, +, and -.
Required: No
Type: String
Update requires: No interruption (p. 118)
Value
The value for the tag. You can specify a value that is 1 to 255 Unicode characters in length and
cannot be preﬁxed with aws:. You can use any of the following characters: the set of Unicode
letters, digits, whitespace, _, ., /, =, +, and -.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon SageMaker
NotebookInstanceLifecycleConﬁg
NotebookInstanceLifecycleHook
The NotebookInstanceLifecycleHook property type speciﬁes the notebook instance lifecycle
conﬁguration script.
NotebookInstanceLifecycleHook is a property of the
AWS::SageMaker::NotebookInstanceLifecycleConﬁg (p. 1440) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Content" : String

API Version 2010-05-15
2163

AWS CloudFormation User Guide
Amazon SageMaker Model ContainerDeﬁnition
}

YAML
Content: String

Properties
Content
A base64-encoded string that contains a shell script for a notebook instance lifecycle conﬁguration.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon SageMaker Model ContainerDeﬁnition
The ContainerDefinition property type speciﬁes the deﬁnition of the container for a model.
ContainerDefinition is a property of the AWS::SageMaker::Model (p. 1430) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"ContainerHostname" : String,
"Environment" : String,
"ModelDataUrl" : JSON,
"Image" : String

YAML
ContainerHostname: String
Environment: String
ModelDataUrl: JSON
Image: String

Properties
ContainerHostname
The DNS host name for the container after Amazon SageMaker deploys it.
Required: No
API Version 2010-05-15
2164

AWS CloudFormation User Guide
Amazon SageMaker Model Tag

Type: String
Update requires: Replacement (p. 119)
Environment
The environment variables to set in the Docker container. Each key and value in the Environment
string to string map can have length of up to 1024. We support up to 16 entries in the map.
Required: No
Type: JSON
Update requires: Replacement (p. 119)
ModelDataUrl
The S3 path where the model artifacts, which result from model training, are stored. This path must
point to a single gzip compressed tar archive (.tar.gz suﬃx)
Required: No
Type: String
Update requires: Replacement (p. 119)
Image
The Amazon EC2 Container Registry (Amazon ECR) path where inference code is stored. If you are
using your own custom algorithm instead of an algorithm provided by Amazon SageMaker, the
inference code must meet Amazon SageMaker requirements. For more information, see Using Your
Own Algorithms with Amazon SageMaker
Required: Yes
Type: String
Update requires: Replacement (p. 119)

Amazon SageMaker Model Tag
The Tag property type speciﬁes tags for the model resource. Use tags to manage endpoint resources.
Tag is a property of the AWS::SageMaker::Model (p. 1430) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Key" : String,
"Value" : String

YAML

API Version 2010-05-15
2165

AWS CloudFormation User Guide
Amazon SageMaker Model VpcConﬁg
Key: String
Value: String

Properties
Key
The key name of the tag. You can specify a value that is 1 to 127 Unicode characters in length
and cannot be preﬁxed with aws:. You can use any of the following characters: the set of Unicode
letters, digits, whitespace, _, ., /, =, +, and -.
Required: No
Type: String
Update requires: No interruption (p. 118)
Value
The value for the tag. You can specify a value that is 1 to 255 Unicode characters in length and
cannot be preﬁxed with aws:. You can use any of the following characters: the set of Unicode
letters, digits, whitespace, _, ., /, =, +, and -.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon SageMaker Model VpcConﬁg
The VpcConfig property type speciﬁes a VPC that your hosted models have access to. Control access to
and from your training and model containers by conﬁguring the VPC. For more information, see Protect
Models by Using an Amazon Virtual Private Cloud.
VpcConfig is a property of the AWS::SageMaker::Model (p. 1430) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Subnets" : [String, ... ],
"SecurityGroupIds: [String, ... ]

YAML
Subnets:
- String
SecurityGroupIds:
- String

API Version 2010-05-15
2166

AWS CloudFormation User Guide
AWS Service Catalog CloudFormationProduct
ProvisioningArtifactProperties

Properties
Subnets
The ID of the subnets in the VPC to which you want to connect your training job or model.
Required: Yes
Type: List of String values
Update requires: Replacement (p. 119)
SecurityGroupIds
The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is
speciﬁed in the Subnets ﬁeld.
Required: Yes
Type: List of String values
Update requires: Replacement (p. 119)

AWS Service Catalog CloudFormationProduct
ProvisioningArtifactProperties
The ProvisioningArtifactProperties property type speciﬁes information about a provisioning
artifact (also known as a version) for a product.
ProvisioningArtifactProperties is a property of the
AWS::ServiceCatalog::CloudFormationProduct (p. 1445) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Description" : String,
"Info" : Json,
"Name" : String

YAML
Description: String
Info: Json
Name: String

Properties
Description
The description of the provisioning artifact.
API Version 2010-05-15
2167

AWS CloudFormation User Guide
AWS Service Catalog CloudFormationProvisionedProduct
ProvisioningParameter

Required: No
Type: String
Update requires: No interruption (p. 118)
Info
The URL of the CloudFormation template in Amazon S3. Specify the URL in JSON format as follows:
"LoadTemplateFromURL": "https://s3.amazonaws.com/cf-templates-ozkq9d3hgiq2us-east-1/..."
Required: Yes
Type: Json
Update requires: No interruption (p. 118)
Name
The name of the provisioning artifact.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Service Catalog
CloudFormationProvisionedProduct
ProvisioningParameter
The ProvisioningParameter property type speciﬁes a parameter for an AWS Service Catalog
provisioned product.
ProvisioningParameter is a property of the
AWS::ServiceCatalog::CloudFormationProvisionedProduct (p. 1448) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Value" : String,
"Key" : String

YAML
Value: String
Key: String

API Version 2010-05-15
2168

AWS CloudFormation User Guide
Amazon Route 53 ServiceDiscovery DnsConﬁg

Properties
Key
The parameter key.
Required: No
Type: String
Update requires: No interruption (p. 118)
Value
The parameter value.
Required: No
Type: String
Update requires: No interruption (p. 118)

Amazon Route 53 ServiceDiscovery DnsConﬁg
The DnsConfig property type speciﬁes settings for the records that you want Amazon Route 53 to
create when you register an instance
DnsConfig is a property of the AWS::ServiceDiscovery::Service (p. 1471) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"DnsRecords" : [ DnsRecord (p. 2170), ... ],
"NamespaceId" : String

YAML
DnsRecords:
- DnsRecord (p. 2170)
NamespaceId: String

Properties
DnsRecords
Contains one DnsRecord element for each DNS record that you want Route 53 to create when you
register an instance.
Required: Yes
Type: List of Amazon Route 53 ServiceDiscovery DnsRecord (p. 2170)
API Version 2010-05-15
2169

AWS CloudFormation User Guide
Amazon Route 53 ServiceDiscovery DnsRecord

Update requires: No interruption (p. 118)
NamespaceId
The ID of the namespace that you want to use for DNS conﬁguration.
Required: Yes
Type: String
Update requires: Replacement (p. 119)

See Also
• Using Autonaming for Service Discovery in the Amazon Route 53 API Reference
• CreateService in the Amazon Route 53 API Reference

Amazon Route 53 ServiceDiscovery DnsRecord
The DnsRecord property type speciﬁes settings for one DNS record that you want Amazon Route 53 to
create when you register an instance.
The DnsRecords property of the Amazon Route 53 ServiceDiscovery DnsConﬁg (p. 2169) property type
contains a list of DnsRecord property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Type" : String,
"TTL" : String

YAML
Type: String
TTL: String

Properties
Type
The DNS type of the record that you want Route 53 to create. Supported record types include A,
AAAA, and SRV.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
2170

AWS CloudFormation User Guide
Amazon Route 53 ServiceDiscovery HealthCheckConﬁg

TTL
The amount of time, in seconds, that you want DNS resolvers to cache the settings for this record.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• Using Autonaming for Service Discovery in the Amazon Route 53 API Reference
• CreateService in the Amazon Route 53 API Reference

Amazon Route 53 ServiceDiscovery
HealthCheckConﬁg
The HealthCheckConfig property type speciﬁes settings for an optional Amazon Route 53 health
check. If you specify settings for a health check, Route 53 associates the health check with all the
resource record sets that you specify in DnsConfig.
HealthCheckConfig is a property of the AWS::ServiceDiscovery::Service (p. 1471) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Type" : String,
"ResourcePath" : String,
"FailureThreshold" : Double

YAML
Type: String
ResourcePath: String
FailureThreshold: Double

Properties
Type
The type of health check that you want to create, which indicates how Route 53 determines whether
an endpoint is healthy. Valid types include HTTP, HTTPS, and TCP.
Required: Yes
Type: String
API Version 2010-05-15
2171

AWS CloudFormation User Guide
Route 53 ServiceDiscovery Service
HealthCheckCustomConﬁg

Update requires: No interruption (p. 118)
ResourcePath
The path that you want Route 53 to request when performing health checks. The path can be any
value for which your endpoint will return an HTTP status code of 2xx or 3xx when the endpoint is
healthy, such as the ﬁle /docs/route53-health-check.html. Route 53 automatically adds the
DNS name for the service and a leading forward slash (/) character.
Required: No
Type: String
Update requires: No interruption (p. 118)
FailureThreshold
The number of consecutive health checks that an endpoint must pass or fail for Route 53 to change
the current status of the endpoint from unhealthy to healthy or vice versa. For more information, see
How Route 53 Determines Whether an Endpoint Is Healthy in the Amazon Route 53 Developer Guide
Required: No
Type: Double
Update requires: No interruption (p. 118)

See Also
• Using Autonaming for Service Discovery in the Amazon Route 53 API Reference
• CreateService in the Amazon Route 53 API Reference

Route 53 ServiceDiscovery Service
HealthCheckCustomConﬁg
The HealthCheckCustomConfig property type speciﬁes information about an optional custom health
check.
HealthCheckCustomConfig is a property of the AWS::ServiceDiscovery::Service (p. 1471) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"FailureThreshold" : Double

YAML
FailureThreshold: Double

API Version 2010-05-15
2172

AWS CloudFormation User Guide
Amazon SES ConﬁgurationSetEventDestination
CloudWatchDestination

Properties
FailureThreshold
The number of 30-second intervals that you want service discovery to wait after receiving an
UpdateInstanceCustomHealthStatus request before it changes the health status of a service
instance. For example, suppose you specify a value of 2 for FailureTheshold , and then your
application sends an UpdateInstanceCustomHealthStatus request. Service discovery waits for
approximately 60 seconds (2 x 30) before changing the status of the service instance based on that
request.
Sending a second or subsequent UpdateInstanceCustomHealthStatus request with the same
value before FailureThreshold x 30 seconds has passed doesn't accelerate the change. Service
discovery still waits FailureThreshold x 30 seconds after the ﬁrst request to make the change.
Minimum value of 1. Maximum value of 10.
Required: No
Type: Double
Update requires: No interruption (p. 118)

See Also
• HealthCheckCustomConﬁg in the Amazon Route 53 API Reference

Amazon Simple Email Service
ConﬁgurationSetEventDestination
CloudWatchDestination
The CloudWatchDestination property type speciﬁes information associated with an CloudWatch
event destination to which email sending events are published in Amazon SES.
CloudWatchDestination is a property of the Amazon SES ConﬁgurationSetEventDestination
EventDestination (p. 2175) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"DimensionConfigurations" : [ DimensionConfiguration (p. 2174), ... ]

YAML
DimensionConfigurations:
- DimensionConfiguration (p. 2174)

API Version 2010-05-15
2173

AWS CloudFormation User Guide
Amazon SES ConﬁgurationSetEventDestination
DimensionConﬁguration

Properties
DimensionConfigurations
A list of dimensions upon which to categorize your emails when you publish email sending events to
CloudWatch.
Required: No
Type: List of Amazon SES ConﬁgurationSetEventDestination DimensionConﬁguration (p. 2174)
Update requires: No interruption (p. 118)

See Also
• Using Amazon SES Conﬁguration Sets in the Amazon Simple Email Service Developer Guide
• CloudWatchDestination in the Amazon Simple Email Service API Reference

Amazon Simple Email Service
ConﬁgurationSetEventDestination
DimensionConﬁguration
The DimensionConfiguration property type speciﬁes the dimension conﬁguration to use when you
publish email sending events to Amazon CloudWatch using Amazon SES.
DimensionConfiguration is a property of the Amazon SES ConﬁgurationSetEventDestination
CloudWatchDestination (p. 2173) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"DimensionValueSource" : String,
"DefaultDimensionValue" : String,
"DimensionName" : String

YAML
DimensionValueSource: String
DefaultDimensionValue: String
DimensionName: String

Properties
DefaultDimensionValue
The default value of the dimension that is published to Amazon CloudWatch if you do not provide
the value of the dimension when you send an email. The default value can:
API Version 2010-05-15
2174

AWS CloudFormation User Guide
Amazon SES ConﬁgurationSetEventDestination
EventDestination

• Contain ASCII letters (a-z, A-Z), numbers (0-9), underscores (_), or dashes (-).
• Contain up to 256 characters.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
DimensionName
The name of an Amazon CloudWatch dimension associated with an email sending metric. The name
can:
• Contain ASCII letters (a-z, A-Z), numbers (0-9), underscores (_), or dashes (-).
• Contain up to 256 characters.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
DimensionValueSource
The place where Amazon SES ﬁnds the value of a dimension to publish to CloudWatch. If you want
Amazon SES to use the message tags that you specify using an X-SES-MESSAGE-TAGS header or a
parameter to the SendEmail/SendRawEmailAPI, choose messageTag. If you want Amazon SES to
use your own email headers, choose emailHeader.
Valid values include: emailHeader, linkTag, and messageTag.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• Using Amazon SES Conﬁguration Sets in the Amazon Simple Email Service Developer Guide
• CloudWatchDimensionConﬁguration in the Amazon Simple Email Service API Reference

Amazon Simple Email Service
ConﬁgurationSetEventDestination EventDestination
For an Amazon SES conﬁguration set event destination, the EventDestination property type speciﬁes
information about the event destination that the speciﬁed email sending events will be published to.

Note

When you create or update an event destination, you must provide one, and only one,
destination. The destination can be Amazon CloudWatch or Amazon Kinesis Data Firehose.
Event destinations are associated with conﬁguration sets, which enable you to publish email sending
events to Amazon CloudWatch or Amazon Kinesis Data Firehose. For information, see Using Amazon SES
Conﬁguration Sets in the Amazon Simple Email Service Developer Guide.
EventDestination is a property of the AWS::SES::ConﬁgurationSetEventDestination (p. 1475)
resource.
API Version 2010-05-15
2175

AWS CloudFormation User Guide
Amazon SES ConﬁgurationSetEventDestination
EventDestination

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"CloudWatchDestination" : CloudWatchDestination (p. 2173),
"Enabled" : Boolean,
"MatchingEventTypes" : [ String, ... ],
"Name" : String,
"KinesisFirehoseDestination" : KinesisFirehoseDestination (p. 2177)

YAML
CloudWatchDestination: CloudWatchDestination (p. 2173)
Enabled: Boolean
MatchingEventTypes:
- String
Name: String
KinesisFirehoseDestination: KinesisFirehoseDestination (p. 2177)

Properties
CloudWatchDestination
The names, default values, and sources of the dimensions associated with an CloudWatch event
destination.
Required: No
Type: Amazon SES ConﬁgurationSetEventDestination CloudWatchDestination (p. 2173)
Update requires: No interruption (p. 118)
Enabled
Sets whether Amazon SES publishes events to this destination when you send an email with the
associated conﬁguration set. Set to true to enable publishing to this destination; set to false to
prevent publishing to this destination. The default value is false.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
KinesisFirehoseDestination
Contains the delivery stream ARN and the IAM role ARN associated with an Kinesis Data Firehose
event destination.
Required: No
Type: Amazon SES ConﬁgurationSetEventDestination KinesisFirehoseDestination (p. 2177)
Update requires: No interruption (p. 118)
API Version 2010-05-15
2176

AWS CloudFormation User Guide
Amazon SES ConﬁgurationSetEventDestination
KinesisFirehoseDestination

MatchingEventTypes
The type of email sending events to publish to the event destination.
For a list of valid values, see EventDestination in the Amazon Simple Email Service API Reference.
Required: Yes
Type: List of String values
Update requires: No interruption (p. 118)
Name
The name of the event destination. The name can:
• Contain ASCII letters (a-z, A-Z), numbers (0-9), underscores (_), or dashes (-).
• Contain up to 64 characters.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• Using Amazon SES Conﬁguration Sets in the Amazon Simple Email Service Developer Guide
• EventDestination in the Amazon Simple Email Service API Reference

Amazon Simple Email Service
ConﬁgurationSetEventDestination
KinesisFirehoseDestination
The KinesisFirehoseDestination property type speciﬁes the delivery stream ARN and the IAM role
ARN associated with an Kinesis Data Firehose event destination for an Amazon SES conﬁguration set.
KinesisFirehoseDestination is a property of the Amazon SES ConﬁgurationSetEventDestination
EventDestination (p. 2175) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"IAMRoleARN" : String,
"DeliveryStreamARN" : String

YAML

API Version 2010-05-15
2177

AWS CloudFormation User Guide
Amazon SES ReceiptFilter Filter
IAMRoleARN: String
DeliveryStreamARN: String

Properties
IAMRoleARN
The ARN of the IAM role under which Amazon SES publishes email sending events to the Amazon
Kinesis Data Firehose stream.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
DeliveryStreamARN
The ARN of the Amazon Kinesis Data Firehose stream that email sending events should be published
to.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• Using Amazon SES Conﬁguration Sets in the Amazon Simple Email Service Developer Guide
• KinesisFirehoseDestination in the Amazon Simple Email Service API Reference

Amazon Simple Email Service ReceiptFilter Filter
The Filter property type speciﬁes specify whether to accept or reject mail originating from an IP
address or range of IP addresses for Amazon SES.
Filter is a property of the AWS::SES::ReceiptFilter (p. 1479) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"IpFilter" : IpFilter (p. 2179),
"Name" : String

YAML
IpFilter: IpFilter (p. 2179)

API Version 2010-05-15
2178

AWS CloudFormation User Guide
Amazon SES ReceiptFilter IpFilter
Name: String

Properties
IpFilter
The IP addresses to block or allow, and whether to block or allow incoming mail from them.
Required: Yes
Type: Amazon SES ReceiptFilter IpFilter (p. 2179)
Update requires: No interruption (p. 118)
Name
The name of the IP address ﬁlter. The name must:
• Contain only ASCII letters (a-z, A-Z), numbers (0-9), underscores (_), or dashes (-).
• Start and end with a letter or number.
• Contain less than 64 characters.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• Creating IP Address Filters for Amazon SES Email Receiving in the Amazon Simple Email Service
Developer Guide
• ReceiptFilter in the Amazon Simple Email Service API Reference

Amazon Simple Email Service ReceiptFilter IpFilter
The IpFilter property type speciﬁes whether to accept or reject mail originating from an IP address or
range of IP addresses for Amazon SES.
IpFilter is a property of the Amazon Simple Email Service ReceiptFilter Filter (p. 2178) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Policy" : String,
"Cidr" : String

YAML

API Version 2010-05-15
2179

AWS CloudFormation User Guide
Amazon SES ReceiptRule Action
Policy: String
Cidr: String

Properties
Policy
Indicates whether to block or allow incoming mail from the speciﬁed IP addresses.
Valid values include Allow and Block
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Cidr
A single IP address or a range of IP addresses that you want to block or allow, speciﬁed in Classless
Inter-Domain Routing (CIDR) notation. An example of a single email address is 10.0.0.1. An example
of a range of IP addresses is 10.0.0.1/24. For more information about CIDR notation, see RFC 2317.
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• Using Amazon SES Conﬁguration Sets in the Amazon Simple Email Service Developer Guide
• ReceiptIpFilter in the Amazon Simple Email Service API Reference

Amazon Simple Email Service ReceiptRule Action
The Action property type speciﬁes an action for Amazon SES to take when it receives an email on
behalf of one or more email addresses or domains that you own.
Action is a property of the Amazon Simple Email Service ReceiptRule Rule (p. 2186) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"BounceAction" : BounceAction (p. 2183),
"S3Action" : S3Action (p. 2188),
"StopAction" : StopAction (p. 2192),
"SNSAction" : SNSAction (p. 2190),
"WorkmailAction" : WorkmailAction (p. 2193),
"AddHeaderAction" : AddHeaderAction (p. 2182),
"LambdaAction" : LambdaAction (p. 2185)

API Version 2010-05-15
2180

AWS CloudFormation User Guide
Amazon SES ReceiptRule Action

YAML
BounceAction: BounceAction (p. 2183)
S3Action: S3Action (p. 2188)
StopAction: StopAction (p. 2192)
SNSAction: SNSAction (p. 2190)
WorkmailAction: WorkmailAction (p. 2193)
AddHeaderAction: AddHeaderAction (p. 2182)
LambdaAction: LambdaAction (p. 2185)

Properties
AddHeaderAction
Adds a header to the received email.
Required: No
Type: Amazon SES ReceiptRule AddHeaderAction (p. 2182)
Update requires: No interruption (p. 118)
BounceAction
Rejects the received email by returning a bounce response to the sender and, optionally, publishes a
notiﬁcation to Amazon SNS.
Required: No
Type: Amazon SES ReceiptRule BounceAction (p. 2183)
Update requires: No interruption (p. 118)
LambdaAction
Calls an AWS Lambda function, and optionally, publishes a notiﬁcation to Amazon SNS.
Required: No
Type: Amazon SES ReceiptRule LambdaAction (p. 2185)
Update requires: No interruption (p. 118)
S3Action
Saves the received message to an Amazon S3 bucket and, optionally, publishes a notiﬁcation to
Amazon SNS.
Required: No
Type: Amazon SES ReceiptRule S3Action (p. 2188)
Update requires: No interruption (p. 118)
SNSAction
Publishes the email content within a notiﬁcation to Amazon SNS.
Required: No
Type: Amazon SES ReceiptRule SNSAction (p. 2190)
API Version 2010-05-15
2181

AWS CloudFormation User Guide
Amazon SES ReceiptRule AddHeaderAction

Update requires: No interruption (p. 118)
StopAction
Terminates the evaluation of the receipt rule set and optionally publishes a notiﬁcation to Amazon
SNS.
Required: No
Type: Amazon SES ReceiptRule StopAction (p. 2192)
Update requires: No interruption (p. 118)
WorkmailAction
Calls Amazon WorkMail and, optionally, publishes a notiﬁcation to Amazon SNS.
Required: No
Type: Amazon SES ReceiptRule WorkmailAction (p. 2193)
Update requires: No interruption (p. 118)

See Also
• Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple Email Service Developer
Guide
• CreateReceiptRule in the Amazon Simple Email Service API Reference
• ReceiptAction in the Amazon Simple Email Service API Reference

Amazon Simple Email Service ReceiptRule
AddHeaderAction
The AddHeaderAction property type add a header to email it recieves on behalf of one or more email
addresses or domains that you own.
AddHeaderAction is a property of the Amazon Simple Email Service ReceiptRule Action (p. 2180)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"HeaderValue" : String,
"HeaderName" : String

YAML
HeaderValue: String

API Version 2010-05-15
2182

AWS CloudFormation User Guide
Amazon SES ReceiptRule BounceAction
HeaderName: String

Properties
HeaderName
The name of the header to add. Must be between 1 and 50 characters, inclusive, and consist of
alphanumeric (a-z, A-Z, 0-9) characters and dashes only.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
HeaderValue
Must be less than 2048 characters, and must not contain newline characters ("\r" or "\n").
Required: Yes
Type: String
Update requires: No interruption (p. 118)

See Also
• Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple Email Service Developer
Guide
• CreateReceiptRule in the Amazon Simple Email Service API Reference
• AddHeaderAction in the Amazon Simple Email Service API Reference

Amazon Simple Email Service ReceiptRule
BounceAction
The BounceAction property type includes an action in an Amazon SES receipt rule that rejects the
received email by returning a bounce response to the sender and, optionally, publishes a notiﬁcation to
Amazon SNS.
BounceAction is a property of the Amazon Simple Email Service ReceiptRule Action (p. 2180) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"Sender" : String,
"SmtpReplyCode" : String,
"Message" : String,
"TopicArn" : String,
"StatusCode" : String

API Version 2010-05-15
2183

AWS CloudFormation User Guide
Amazon SES ReceiptRule BounceAction

YAML
Sender: String
SmtpReplyCode: String
Message: String
TopicArn: String
StatusCode: String

Properties
Message
Human-readable text to include in the bounce message.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Sender
The email address of the sender of the bounced email. This is the address from which the bounce
message will be sent.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
SmtpReplyCode
The SMTP reply code, as deﬁned by RFC 5321.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
TopicArn
The Amazon Resource Name (ARN) of the Amazon SNS topic to notify when the
bounce action is taken. An example of an Amazon SNS topic ARN is arn:aws:sns:uswest-2:123456789012:MyTopic. For more information about Amazon SNS topics, see Create a
Topic in the Amazon Simple Notiﬁcation Service Developer Guide.
Required: No
Type: String
Update requires: No interruption (p. 118)
StatusCode
The SMTP enhanced status code, as deﬁned by RFC 3463.
Required: No
Type: String
API Version 2010-05-15
2184

AWS CloudFormation User Guide
Amazon SES ReceiptRule LambdaAction

Update requires: No interruption (p. 118)

See Also
• Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple Email Service Developer
Guide
• CreateReceiptRule in the Amazon Simple Email Service API Reference
• BounceAction in the Amazon Simple Email Service API Reference

Amazon Simple Email Service ReceiptRule
LambdaAction
The LambdaAction property type includes an action in an Amazon SES receipt rule that calls an AWS
Lambda function and, optionally, publishes a notiﬁcation to Amazon SNS.
To enable Amazon SES to call your AWS Lambda function or to publish to an Amazon SNS topic of
another account, Amazon SES must have permission to access those resources. For information about
giving permissions, see Giving Permissions to Amazon SES for Email Receiving in the Amazon Simple
Email Service Developer Guide. For information about using AWS Lambda actions in receipt rules, see
Lambda Action in the Amazon Simple Email Service Developer Guide.
LambdaAction is a property of the Amazon Simple Email Service ReceiptRule Action (p. 2180) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"FunctionArn" : String,
"TopicArn" : String,
"InvocationType" : String

YAML
FunctionArn: String
TopicArn: String
InvocationType: String

Properties
FunctionArn
The Amazon Resource Name (ARN) of the AWS Lambda function. An example of an AWS Lambda
function ARN is arn:aws:lambda:us-west-2:account-id:function:MyFunction.
Required: Yes
Type: String
API Version 2010-05-15
2185

AWS CloudFormation User Guide
Amazon SES ReceiptRule Rule

Update requires: No interruption (p. 118)
InvocationType
The invocation type of the AWS Lambda function. An invocation type of RequestResponse means
that the execution of the function will immediately result in a response, and a value of Event means
that the function will be invoked asynchronously. The default value is Event. For information about
AWS Lambda invocation types, see Creating Receipt Rules for Amazon SES Email Receiving in the
AWS Lambda Developer Guide.
Valid values include Event and RequestResponse.

Important

There is a 30-second timeout on RequestResponse invocations. You should use Event
invocation in most cases. Use RequestResponse only when you want to make a mail ﬂow
decision, such as whether to stop the receipt rule or the receipt rule set.
Required: No
Type: String
Update requires: No interruption (p. 118)
TopicArn
The Amazon Resource Name (ARN) of the Amazon SNS topic to notify when the
Lambda action is taken. An example of an Amazon SNS topic ARN is arn:aws:sns:uswest-2:123456789012:MyTopic.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple Email Service Developer
Guide
• Giving Permissions to Amazon SES for Email Receiving in the Amazon Simple Email Service Developer
Guide
• Lambda Action in the Amazon Simple Email Service Developer Guide
• LambdaAction in the Amazon Simple Email Service API Reference

Amazon Simple Email Service ReceiptRule Rule
The Rule property type speciﬁes which actions Amazon SES should take when it receives mail on behalf
of one or more email addresses or domains that you own.
Each receipt rule deﬁnes a set of email addresses or domains that it applies to. If the email addresses or
domains match at least one recipient address of the message, Amazon SES executes all of the receipt
rule's actions on the message.
For more information, see Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple
Email Service Developer Guide.
Rule is a property of the AWS::SES::ReceiptRule (p. 1480) resource.
API Version 2010-05-15
2186

AWS CloudFormation User Guide
Amazon SES ReceiptRule Rule

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"ScanEnabled" : Boolean,
"Recipients" : [ String, ... ],
"Actions" : [ Action (p. 2180), ... ],
"Enabled" : Boolean,
"Name" : String,
"TlsPolicy" : String

YAML
ScanEnabled: Boolean
Recipients:
- String
Actions:
- Action (p. 2180)
Enabled: Boolean
Name: String
TlsPolicy: String

Properties
Actions
An ordered list of actions to perform on messages that match at least one of the recipient email
addresses or domains speciﬁed in the receipt rule.
Required: No
Type: List of Amazon SES ReceiptRule Action (p. 2180)
Update requires: No interruption (p. 118)
Enabled
If true, the receipt rule is active. The default value is false.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
Name
The name of the receipt rule. The name must:
• Contain only ASCII letters (a-z, A-Z), numbers (0-9), underscores (_), or dashes (-).
• Start and end with a letter or number.
• Contain less than 64 characters.
Required: No
Type: String
API Version 2010-05-15
2187

AWS CloudFormation User Guide
Amazon SES ReceiptRule S3Action

Update requires: Replacement (p. 119)
Recipients
The recipient domains and email addresses that the receipt rule applies to. If this ﬁeld is not
speciﬁed, this rule will match all recipients under all veriﬁed domains.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)
ScanEnabled
If true, then messages that this receipt rule applies to are scanned for spam and viruses. The
default value is false.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)
TlsPolicy
Speciﬁes whether Amazon SES should require that incoming email is delivered over a connection
encrypted with Transport Layer Security (TLS). If this parameter is set to Require, Amazon SES will
bounce emails that are not received over TLS. The default is Optional.
Valid values include Optional and Require.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple Email Service Developer
Guide
• CreateReceiptRule in the Amazon Simple Email Service API Reference
• ReceiptRule in the Amazon Simple Email Service API Reference

Amazon Simple Email Service ReceiptRule S3Action
The S3Action property type includes an action in an Amazon SES receipt rule that saves the received
message to an Amazon S3 bucket and, optionally, publishes a notiﬁcation to Amazon SNS.
To enable Amazon SES to write emails to your Amazon S3 bucket, use an AWS KMS key to encrypt your
emails, or publish to an Amazon SNS topic of another account, Amazon SES must have permission to
access those resources. For information about giving permissions, see Giving Permissions to Amazon SES
for Email Receiving in the Amazon Simple Email Service Developer Guide.

Note

When you save your emails to an Amazon S3 bucket, the maximum email size (including
headers) is 30 MB. Emails larger than that will bounce.
For information, see S3 Action in the Amazon Simple Email Service Developer Guide.
API Version 2010-05-15
2188

AWS CloudFormation User Guide
Amazon SES ReceiptRule S3Action

S3Action is a property of the Amazon Simple Email Service ReceiptRule Action (p. 2180) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"BucketName" : String,
"KmsKeyArn" : String,
"TopicArn" : String,
"ObjectKeyPrefix" : String

YAML
BucketName: String
KmsKeyArn: String
TopicArn: String
ObjectKeyPrefix: String

Properties
BucketName
The name of the Amazon S3 bucket that incoming email will be saved to.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
KmsKeyArn
The customer master key that Amazon SES should use to encrypt your emails before saving them
to the Amazon S3 bucket. You can use the default master key or a custom master key you created in
AWS KMS as follows:
• To use the default master key, provide an ARN in the form of arn:aws:kms:REGION:ACCOUNTID-WITHOUT-HYPHENS:alias/aws/ses. For example, if your AWS account ID is 123456789012
and you want to use the default master key in the US West (Oregon) region, the ARN of the
default master key would be arn:aws:kms:us-west-2:123456789012:alias/aws/ses. If
you use the default master key, you don't need to perform any extra steps to give Amazon SES
permission to use the key.
• To use a custom master key you created in AWS KMS, provide the ARN of the master key and
ensure that you add a statement to your key's policy to give Amazon SES permission to use it.
For more information about giving permissions, see Giving Permissions to Amazon SES for Email
Receiving in the Amazon Simple Email Service Developer Guide.
For more information about key policies, see AWS Key Management Service Concepts in the AWS
Key Management Service Developer Guide. If you do not specify a master key, Amazon SES will not
encrypt your emails.

Important

Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the
mail is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 serverAPI Version 2010-05-15
2189

AWS CloudFormation User Guide
Amazon SES ReceiptRule SNSAction

side encryption. This means that you must use the Amazon S3 encryption client to decrypt
the email after retrieving it from Amazon S3, as the service has no access to use your AWS
KMS keys for decryption. This encryption client is currently available with the AWS SDK for
Java and AWS SDK for Ruby only. For more information about client-side encryption using
AWS KMS master keys, see Protecting Data Using Client-Side Encryption in the Amazon
Simple Storage Service Developer Guide.
Required: No
Type: String
Update requires: No interruption (p. 118)
ObjectKeyPrefix
The key preﬁx of the Amazon S3 bucket. The key preﬁx is similar to a directory name that enables
you to store similar data under the same directory in a bucket.
Required: No
Type: String
Update requires: No interruption (p. 118)
TopicArn
The ARN of the Amazon SNS topic to notify when the message is saved to the Amazon S3 bucket. An
example of an Amazon SNS topic ARN is arn:aws:sns:us-west-2:123456789012:MyTopic.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple Email Service Developer
Guide
• Giving Permissions to Amazon SES for Email Receiving in the Amazon Simple Email Service Developer
Guide
• S3 Action in the Amazon Simple Email Service Developer Guide
• S3Action in the Amazon Simple Email Service API Reference

Amazon Simple Email Service ReceiptRule SNSAction
The SNSAction property type includes an action in an Amazon SES receipt rule that publishes a
notiﬁcation to Amazon SNS.
If you own the Amazon SNS topic, you don't need to do anything to give Amazon SES permission to
publish emails to it. However, if you don't own the Amazon SNS topic, you need to attach a policy to the
topic to give Amazon SES permissions to access it. For information about giving permissions, see Giving
Permissions to Amazon SES for Email Receiving in the Amazon Simple Email Service Developer Guide.

Important

You can only publish emails that are 150 KB or less (including the header) to Amazon SNS.
Larger emails will bounce. If you anticipate emails larger than 150 KB, use the S3 action instead.
API Version 2010-05-15
2190

AWS CloudFormation User Guide
Amazon SES ReceiptRule SNSAction

For more information, see SNS Action in the Amazon Simple Email Service Developer Guide.
SNSAction is a property of the Amazon Simple Email Service ReceiptRule Action (p. 2180) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"TopicArn" : String,
"Encoding" : String

YAML
TopicArn: String
Encoding: String

Properties
Encoding
The encoding to use for the email within the Amazon SNS notiﬁcation. UTF-8 is easier to use, but
may not preserve all special characters when a message was encoded with a diﬀerent encoding
format. Base64 preserves all special characters. The default value is UTF-8.
Valid values include Base64 and UTF-8.
Required: No
Type: String
Update requires: No interruption (p. 118)
TopicArn
The Amazon Resource Name (ARN) of the Amazon SNS topic to notify. An example of an Amazon
SNS topic ARN is arn:aws:sns:us-west-2:123456789012:MyTopic.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple Email Service Developer
Guide
• Giving Permissions to Amazon SES for Email Receiving in the Amazon Simple Email Service Developer
Guide
• SNS Action in the Amazon Simple Email Service Developer Guide
API Version 2010-05-15
2191

AWS CloudFormation User Guide
Amazon SES ReceiptRule StopAction

• SNSAction in the Amazon Simple Email Service API Reference

Amazon Simple Email Service ReceiptRule StopAction
The StopAction property type includes an action in an Amazon SES receipt rule that terminates the
evaluation of the receipt rule set and, optionally, publishes a notiﬁcation to Amazon SNS.
StopAction is a property of the Amazon Simple Email Service ReceiptRule Action (p. 2180) property
type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Scope" : String,
"TopicArn" : String

YAML
Scope: String
TopicArn: String

Properties
Scope
The name of the RuleSet that is being stopped.
Valid values include: RuleSet.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
TopicArn
The Amazon Resource Name (ARN) of the Amazon SNS topic to notify when the stop action is taken.
An example of an Amazon SNS topic ARN is arn:aws:sns:us-west-2:123456789012:MyTopic.
Required: No
Type: String
Update requires: No interruption (p. 118)

See Also
• Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple Email Service Developer
Guide
API Version 2010-05-15
2192

AWS CloudFormation User Guide
Amazon SES ReceiptRule WorkmailAction

• StopAction in the Amazon Simple Email Service API Reference

Amazon Simple Email Service ReceiptRule
WorkmailAction
The WorkmailAction property type includes an action in an Amazon SES receipt rule that calls Amazon
WorkMail and, optionally, publishes a notiﬁcation to Amazon SNS.
You will typically not use this action directly because Amazon WorkMail adds the rule automatically
during its setup procedure.
For information using a receipt rule to call Amazon WorkMail, see WorkMail Action in the Amazon Simple
Email Service Developer Guide.
WorkmailAction is a property of the Amazon Simple Email Service ReceiptRule Action (p. 2180)
property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"TopicArn" : String,
"OrganizationArn" : String

YAML
TopicArn: String
OrganizationArn: String

Properties
OrganizationArn
The ARN of the Amazon WorkMail organization. An example of an Amazon WorkMail
organization ARN is arn:aws:workmail:us-west-2:123456789012:organization/
m-68755160c4cb4e29a2b2f8fb58f359d7. For information about Amazon WorkMail
organizations, see Working with Organizations in the Amazon WorkMail Administrator Guide.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
TopicArn
The Amazon Resource Name (ARN) of the Amazon SNS topic to notify when the WorkMail
action is called. An example of an Amazon SNS topic ARN is arn:aws:sns:uswest-2:123456789012:MyTopic.
Required: No
API Version 2010-05-15
2193

AWS CloudFormation User Guide
Amazon SES Template Template

Type: String
Update requires: No interruption (p. 118)

See Also
• Creating Receipt Rules for Amazon SES Email Receiving in the Amazon Simple Email Service Developer
Guide
• WorkMail Action in the Amazon Simple Email Service Developer Guide
• WorkmailAction in the Amazon Simple Email Service API Reference

Amazon Simple Email Service Template Template
The Template property type speciﬁes specify the content of the email (composed of a subject line, an
HTML part, and a text-only part) for Amazon SES.
Template is a property of the AWS::SES::Template (p. 1486) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"HtmlPart" : String,
"TextPart" : String,
"TemplateName" : String,
"SubjectPart" : String

YAML
HtmlPart: String
TextPart: String
TemplateName: String
SubjectPart: String

Properties
HtmlPart
The HTML body of the email.
Required: No
Type: String
Update requires: No interruption (p. 118)
SubjectPart
The subject line of the email.
Required: No
API Version 2010-05-15
2194

AWS CloudFormation User Guide
Systems Manager Association
InstanceAssociationOutputLocation

Type: String
Update requires: No interruption (p. 118)
TextPart
The email body that will be visible to recipients whose email clients do not display HTML.
Required: No
Type: String
Update requires: No interruption (p. 118)
TemplateName
The name of the template. You will refer to this name when you send email using the
SendTemplatedEmail or SendBulkTemplatedEmail operations.
Required: No
Type: String
Update requires: Replacement (p. 119)

See Also
• Template in the Amazon Simple Email Service API Reference
• SendTemplatedEmail in the Amazon Simple Email Service API Reference
• SendBulkTemplatedEmail in the Amazon Simple Email Service API Reference

AWS Systems Manager Association
InstanceAssociationOutputLocation
InstanceAssociationOutputLocation is a property of the AWS::SSM::Association (p. 1504)
resource that speciﬁes an Amazon S3 bucket where you want to store the results of this association
request.

Syntax
JSON
{
}

"S3Location" : S3OutputLocation (p. 2196)

YAML
S3Location: S3OutputLocation (p. 2196)

Properties
S3Location
An Amazon S3 bucket where you want to store the results of this request.
API Version 2010-05-15
2195

AWS CloudFormation User Guide
Systems Manager Association S3OutputLocation

Required: No
Type: Systems Manager Association S3OutputLocation (p. 2196)
Update requires: No interruption (p. 118)

AWS Systems Manager Association S3OutputLocation
S3OutputLocation is a property of the Systems Manager Association
InstanceAssociationOutputLocation (p. 2195) property that speciﬁes an Amazon S3 bucket where you
want to store the results of this request.

Syntax
JSON
{
}

"OutputS3BucketName" : String,
"OutputS3KeyPrefix" : String

YAML
OutputS3BucketName: String
OutputS3KeyPrefix: String

Properties
OutputS3BucketName
The name of the Amazon S3 bucket.
Minimum length of 3. Maximum length of 63.
Required: No
Type: String
Update requires: No interruption (p. 118)
OutputS3KeyPrefix
The Amazon S3 bucket subfolder.
Maximum length of 500.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Systems Manager Association Targets
Targets is a property of the AWS::SSM::Association (p. 1504) resource that speciﬁes the targets for an
SSM document in Systems Manager.
API Version 2010-05-15
2196

AWS CloudFormation User Guide
Systems Manager MaintenanceWindowTarget Targets

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Key" : String,
"Values" : [ String, ... ]

YAML
Key: String
Values:
- String

Properties
Key
The name of the criteria that EC2 instances must meet. For valid keys, see the Target data type in the
AWS Systems Manager API Reference.
Required: Yes
Type: String
Values
The value of the criteria. Systems Manager runs targeted commands on EC2 instances that match
the criteria. For more information, see the Target data type in the AWS Systems Manager API
Reference.
Required: Yes
Type: List of String values

AWS Systems Manager MaintenanceWindowTarget
Targets
The Targets property type speciﬁes adding a target to a Maintenance Window target in AWS Systems
Manager.
Targets is a property of the AWS::SSM::MaintenanceWindowTarget (p. 1513) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"Key" : String,

API Version 2010-05-15
2197

AWS CloudFormation User Guide
Systems Manager MaintenanceWindowTask LoggingInfo

}

"Values" : [ String, ... ]

YAML
Key: String
Values:
- String

Properties
Key
User-deﬁned criteria for sending commands that target instances that meet the criteria. Key can
be tag:Amazon EC2 tag or InstanceIds. For more information about how to send commands
that target instances using Key,Value parameters, see Sending Commands to a Fleet in the AWS
Systems Manager User Guide.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Values
User-deﬁned criteria that maps to Key. For example, if you specify tag:ServerRole, you can
specify value:WebServer to execute a command on instances that include the Amazon EC2 tags
of ServerRole,WebServer. For more information about how to send commands that target
instances using Key,Value parameters, see Sending Commands to a Fleet in the AWS Systems
Manager User Guide.
Required: No
Type: List of strings
Update requires: No interruption (p. 118)

AWS Systems Manager MaintenanceWindowTask
LoggingInfo
The LoggingInfo property type speciﬁes information about the Amazon S3 bucket to write instancelevel logs to.
LoggingInfo is a property of the AWS::SSM::MaintenanceWindowTask (p. 1515) resource.

Note

LoggingInfo has been deprecated. To specify an S3 bucket to contain logs,
instead use the OutputS3BucketName and OutputS3KeyPrefix options in the
TaskInvocationParameters structure. For information about how Systems Manager handles
these options for the supported Maintenance Window task types, see AWS Systems Manager
MaintenanceWindowTask TaskInvocationParameters (p. 2206).

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
2198

AWS CloudFormation User Guide
Systems Manager MaintenanceWindowTask
MaintenanceWindowAutomationParameters

JSON
{

}

"S3Bucket" : String,
"Region" : String,
"S3Prefix" : String

YAML
S3Bucket: String
Region: String
S3Prefix: String

Properties
S3Bucket
The name of the Amazon S3 bucket where execution logs are stored.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Region
The region where the Amazon S3 bucket is located.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
S3Prefix
The Amazon S3 bucket subfolder.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Systems Manager MaintenanceWindowTask
MaintenanceWindowAutomationParameters
The MaintenanceWindowAutomationParameters property type speciﬁes the parameters for an
AUTOMATION task type for a Maintenance Window task in AWS Systems Manager .
MaintenanceWindowAutomationParameters is a property of the Systems Manager
MaintenanceWindowTask TaskInvocationParameters (p. 2206) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
API Version 2010-05-15
2199

AWS CloudFormation User Guide
Systems Manager MaintenanceWindowTask
MaintenanceWindowLambdaParameters

JSON
{
}

"Parameters" : JSON object,
"DocumentVersion" : String

YAML
Parameters:
JSON object
DocumentVersion: String

Properties
Parameters
The parameters for the AUTOMATION task.
Required: No
Type: JSON object
Update requires: No interruption (p. 118)
DocumentVersion
The version of an Automation document to use during task execution.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Systems Manager MaintenanceWindowTask
MaintenanceWindowLambdaParameters
The MaintenanceWindowLambdaParameters property type speciﬁes the parameters for a LAMBDA
task type for a Maintenance Window task in AWS Systems Manager.
MaintenanceWindowLambdaParameters is a property of the Systems Manager
MaintenanceWindowTask TaskInvocationParameters (p. 2206) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"ClientContext" : String,
"Qualifier" : String,
"Payload" : String

API Version 2010-05-15
2200

AWS CloudFormation User Guide
Systems Manager MaintenanceWindowTask
MaintenanceWindowRunCommandParameters

YAML
ClientContext: String
Qualifier: String
Payload: String

Properties
ClientContext
Client-speciﬁc information to pass to the Lambda function that you're invoking. You can then use
the context variable to process the client information in your Lambda function.
Required: No
Type: String
Update requires: No interruption (p. 118)
Qualifier
A Lambda function version or alias name. If you specify a function version, the action uses the
qualiﬁed function Amazon Resource Name (ARN) to invoke a speciﬁc Lambda function. If you specify
an alias name, the action uses the alias ARN to invoke the Lambda function version that the alias
points to.
Required: No
Type: String
Update requires: No interruption (p. 118)
Payload
JSON to provide to your Lambda function as input.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Systems Manager MaintenanceWindowTask
MaintenanceWindowRunCommandParameters
The MaintenanceWindowRunCommandParameters property type speciﬁes the parameters for a
RUN_COMMAND task type for a Maintenance Window task in AWS Systems Manager.
MaintenanceWindowRunCommandParameters is a property of the Systems Manager
MaintenanceWindowTask TaskInvocationParameters (p. 2206) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
2201

AWS CloudFormation User Guide
Systems Manager MaintenanceWindowTask
MaintenanceWindowRunCommandParameters

}

"TimeoutSeconds" : Integer,
"Comment" : String,
"OutputS3KeyPrefix" : String,
"Parameters" : JSON object,
"DocumentHashType" : String,
"ServiceRoleArn" : String,
"NotificationConfig" : NotificationConfig (p. 2204),
"OutputS3BucketName" : String,
"DocumentHash" : String

YAML
TimeoutSeconds: Integer
Comment: String
OutputS3KeyPrefix: String
Parameters:
JSON object
DocumentHashType: String
ServiceRoleArn: String
NotificationConfig:
NotificationConfig (p. 2204)
OutputS3BucketName: String
DocumentHash: String

Properties
TimeoutSeconds
If this time is reached and the command hasn't already started executing, it doesn't execute.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
Comment
Information about the command or commands to execute.
Required: No
Type: String
Update requires: No interruption (p. 118)
OutputS3KeyPrefix
The Amazon S3 bucket subfolder.
Required: No
Type: String
Update requires: No interruption (p. 118)
Parameters
The parameters for the RUN_COMMAND task execution.
Required: No
API Version 2010-05-15
2202

AWS CloudFormation User Guide
Systems Manager MaintenanceWindowTask
MaintenanceWindowStepFunctionsParameters

Type: JSON object
Update requires: No interruption (p. 118)
DocumentHashType
The SHA-256 or SHA-1 hash type. SHA-1 hashes are deprecated.
Required: No
Type: String
Update requires: No interruption (p. 118)
ServiceRoleArn
The IAM service role that's used during task execution.
Required: No
Type: String
Update requires: No interruption (p. 118)
NotificationConfig
Conﬁgurations for sending notiﬁcations about command status changes on a per-instance basis.
Required: No
Type: Systems Manager MaintenanceWindowTask NotiﬁcationConﬁg (p. 2204)
Update requires: No interruption (p. 118)
OutputS3BucketName
The name of the Amazon S3 bucket.
Required: No
Type: String
Update requires: No interruption (p. 118)
DocumentHash
The SHA-256 or SHA-1 hash created by the system when the document was created. SHA-1 hashes
are deprecated.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Systems Manager MaintenanceWindowTask
MaintenanceWindowStepFunctionsParameters
The MaintenanceWindowStepFunctionsParameters property type speciﬁes the parameters for
execution of the STEP_FUNCTION for a Maintenance Window task in AWS Systems Manager.
MaintenanceWindowStepFunctionsParameters is a property of the Systems Manager
MaintenanceWindowTask TaskInvocationParameters (p. 2206) property type.
API Version 2010-05-15
2203

AWS CloudFormation User Guide
Systems Manager MaintenanceWindowTask
NotiﬁcationConﬁg

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Input" : String,
"Name" : String

YAML
Input: String
Name: String

Properties
Input
The inputs for the STEP_FUNCTION task.
Required: No
Type: String
Update requires: No interruption (p. 118)
Name
The name of the STEP_FUNCTION task.
Required: No
Type: String
Update requires: No interruption (p. 118)

AWS Systems Manager MaintenanceWindowTask
NotiﬁcationConﬁg
The NotificationConfig property type speciﬁes conﬁgurations for sending notiﬁcations for a
Maintenance Window task in AWS Systems Manager.
NotificationConfig is a property of the Systems Manager MaintenanceWindowTask
MaintenanceWindowRunCommandParameters (p. 2201) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

API Version 2010-05-15
2204

AWS CloudFormation User Guide
Systems Manager MaintenanceWindowTask Target

}

"NotificationArn" : String,
"NotificationType" : String,
"NotificationEvents" : [ String, ... ]

YAML
NotificationArn: String
NotificationType: String
NotificationEvents:
- String

Properties
NotificationArn
An Amazon Resource Name (ARN) for an Amazon SNS topic. Run Command pushes notiﬁcations
about command status changes to this topic.
Required: No
Type: String
Update requires: No interruption (p. 118)
NotificationType
The notiﬁcation type.
• Command: Receive notiﬁcation when the status of a command changes.
• Invocation: For commands sent to multiple instances, receive notiﬁcation on a per-instance
basis when the status of a command changes.
Required: No
Type: String
Update requires: No interruption (p. 118)
NotificationEvents
The diﬀerent events that you can receive notiﬁcations for. These events include the following: All
(events), InProgress, Success, TimedOut, Cancelled, Failed. To learn more about these
events, see Understanding Command Statuses in the AWS Systems Manager User Guide.
Required: No
Type: List of strings
Update requires: No interruption (p. 118)

AWS Systems Manager MaintenanceWindowTask
Target
The Target property type speciﬁes targets (either instances or tags). You specify instances by using
Key=instanceids,Values=instanceid1,instanceid2. You specify tags by using Key=tag
name,Values=tag value for a Maintenance Window task in AWS Systems Manager.
API Version 2010-05-15
2205

AWS CloudFormation User Guide
Systems Manager MaintenanceWindowTask
TaskInvocationParameters

Target is a property of the AWS::SSM::MaintenanceWindowTask (p. 1515) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Key" : String,
"Values" : [ String, ... ]

YAML
Key: String
Values:
- String

Properties
Key
User-deﬁned criteria for sending commands that target instances that meet the criteria. Key can be
tag:Amazon EC2 tagor InstanceIds. For more information about how to send commands that
target instances by using Key,Value parameters, see Sending Commands to a Fleet in the AWS
Systems Manager User Guide.
Required: Yes
Type: String
Update requires: No interruption (p. 118)
Values
User-deﬁned criteria that maps to Key. For example, if you specify tag:ServerRole, you can
specify value:WebServer to execute a command on instances that include Amazon EC2 tags
of ServerRole,WebServer. For more information about how to send commands that target
instances using Key,Value parameters, see Sending Commands to a Fleet in the AWS Systems
Manager User Guide.
Required: No
Type: List of String values
Update requires: No interruption (p. 118)

AWS Systems Manager MaintenanceWindowTask
TaskInvocationParameters
The TaskInvocationParameters property type speciﬁes the task execution parameters for a
Maintenance Window task in AWS Systems Manager.
TaskInvocationParameters is a property of the AWS::SSM::MaintenanceWindowTask (p. 1515)
resource.
API Version 2010-05-15
2206

AWS CloudFormation User Guide
Systems Manager MaintenanceWindowTask
TaskInvocationParameters

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

"MaintenanceWindowRunCommandParameters" : MaintenanceWindowRunCommandParameters (p. 2201),
"MaintenanceWindowAutomationParameters" : MaintenanceWindowAutomationParameters (p. 2199),
"MaintenanceWindowStepFunctionsParameters" : MaintenanceWindowStepFunctionsParameters (p. 2203),
"MaintenanceWindowLambdaParameters" : MaintenanceWindowLambdaParameters (p. 2200)

}

YAML
MaintenanceWindowRunCommandParameters:
MaintenanceWindowRunCommandParameters (p. 2201)
MaintenanceWindowAutomationParameters:
MaintenanceWindowAutomationParameters (p. 2199)
MaintenanceWindowStepFunctionsParameters:
MaintenanceWindowStepFunctionsParameters (p. 2203)
MaintenanceWindowLambdaParameters:
MaintenanceWindowLambdaParameters (p. 2200)

Properties
MaintenanceWindowRunCommandParameters
The parameters for a RUN_COMMAND task type.
Required: No
Type: Systems Manager MaintenanceWindowTask
MaintenanceWindowRunCommandParameters (p. 2201)
Update requires: No interruption (p. 118)
MaintenanceWindowAutomationParameters
The parameters for an AUTOMATION task type.
Required: No
Type: Systems Manager MaintenanceWindowTask
MaintenanceWindowAutomationParameters (p. 2199)
Update requires: No interruption (p. 118)
MaintenanceWindowStepFunctionsParameters
The parameters for a STEP_FUNCTION task type.
Required: No
Type: Systems Manager MaintenanceWindowTask
MaintenanceWindowStepFunctionsParameters (p. 2203)
API Version 2010-05-15
2207

AWS CloudFormation User Guide
Systems Manager PatchBaseline PatchFilterGroup

Update requires: No interruption (p. 118)
MaintenanceWindowLambdaParameters
The parameters for a LAMBDA task type.
Required: No
Type: Systems Manager MaintenanceWindowTask MaintenanceWindowLambdaParameters (p. 2200)
Update requires: No interruption (p. 118)

AWS Systems Manager PatchBaseline
PatchFilterGroup
The PatchFilterGroup property type speciﬁes a set of patch ﬁlters for an AWS Systems Manager
patch baseline, typically used for approval rules for a Systems Manager patch baseline.
PatchFilterGroup is the property type for the GlobalFilters property of the
AWS::SSM::PatchBaseline (p. 1522) resource and the PatchFilterGroup property of the Systems
Manager PatchBaseline Rule (p. 2208) property type.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"PatchFilters" : [ PatchFilter (p. 2210), ... ]

YAML
PatchFilters:
- PatchFilter (p. 2210)

Properties
PatchFilters
The set of patch ﬁlters that make up the group.
Required: No
Type: List of Systems Manager PatchBaseline PatchFilter (p. 2210)
Update requires: No interruption (p. 118)

AWS Systems Manager PatchBaseline Rule
The Rule property type speciﬁes an approval rule for a Systems Manager patch baseline.
API Version 2010-05-15
2208

AWS CloudFormation User Guide
Systems Manager PatchBaseline Rule

The PatchRules property of the Systems Manager PatchBaseline RuleGroup (p. 2211) property type
contains a list of Rule property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{

}

"PatchFilterGroup" : PatchFilterGroup (p. 2208),
"ApproveAfterDays" : Integer,
"ComplianceLevel" : String,
"EnableNonSecurity" : Boolean

YAML
PatchFilterGroup:
PatchFilterGroup (p. 2208)
ApproveAfterDays: Integer
ComplianceLevel: String
EnableNonSecurity: Boolean

Properties
PatchFilterGroup
The patch ﬁlter group that deﬁnes the criteria for the rule.
Required: No
Type: Systems Manager PatchBaseline PatchFilterGroup (p. 2208)
Update requires: No interruption (p. 118)
ApproveAfterDays
The number of days after the release date of each patch matched by the rule that the patch is
marked as approved in the patch baseline. For example, a value of 7 means that patches are
approved seven days after they are released.
Required: No
Type: Integer
Update requires: No interruption (p. 118)
ComplianceLevel
A compliance severity level for all approved patches in a patch baseline. Valid compliance severity
levels include the following: Unspecified, Critical, High, Medium, Low, and Informational.
Required: No
Type: String
Update requires: No interruption (p. 118)
API Version 2010-05-15
2209

AWS CloudFormation User Guide
Systems Manager PatchBaseline PatchFilter

EnableNonSecurity
For instances identiﬁed by the approval rule ﬁlters, enables a patch baseline to apply non-security
updates available in the speciﬁed repository. The default value is false. Applies to Linux instances
only.
Required: No
Type: Boolean
Update requires: No interruption (p. 118)

See Also
• PatchRule in the AWS Systems Manager API Reference.

AWS Systems Manager PatchBaseline PatchFilter
The PatchFilter property type deﬁnes a patch ﬁlter for an AWS Systems Manager patch baseline.
The PatchFilters property of the Systems Manager PatchBaseline PatchFilterGroup (p. 2208)
property type contains a list of PatchFilter property types.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"Key" : String,
"Values" : [ String, ... ]

YAML
Key: String
Values:
- String

Properties
Key
The key for the ﬁlter. For information about valid keys, see PatchFilter in the AWS Systems Manager
API Reference.
Required: No
Type: String
Update requires: No interruption (p. 118)
Values
The values for the ﬁlter key.
API Version 2010-05-15
2210

AWS CloudFormation User Guide
Systems Manager PatchBaseline RuleGroup

Required: No
Type: List of String values
Update requires: No interruption (p. 118)

AWS Systems Manager PatchBaseline RuleGroup
The RuleGroup property type speciﬁes a set of rules that deﬁne the approval rules for a AWS Systems
Manager patch baseline.
RuleGroup is the property type for the ApprovalRules property of the
AWS::SSM::PatchBaseline (p. 1522) resource.

Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON
{
}

"PatchRules" : [ Rule (p. 2208), ... ]

YAML
PatchRules:
- Rule (p. 2208)

Properties
PatchRules
The rules that make up the rule group.
Required: No
Type: List of Systems Manager PatchBaseline Rule (p. 2208)
Update requires: No interruption (p. 118)

Amazon SNS Subscription Property Type
Subscription is an embedded property of the AWS::SNS::Topic (p. 1492) resource that describes
the subscription endpoints for an Amazon Simple Notiﬁcation Service (Amazon SNS) topic.

Syntax
JSON
{

"Endpoint" : String,
"Protocol" : String

API Version 2010-05-15
2211

AWS CloudFormation User Guide
Amazon SQS RedrivePolicy
}

YAML
Endpoint: String
Protocol: String

Properties
Endpoint
The subscription's endpoint (format depends on the protocol). For more information, see the
Subscribe Endpoint parameter in the Amazon Simple Notiﬁcation Service API Reference.
Required: Yes
Type: String
Protocol
The subscription's protocol. For more information, see the Subscribe Protocol parameter in the
Amazon Simple Notiﬁcation Service API Reference.
Required: Yes
Type: String

Amazon SQS RedrivePolicy
The RedrivePolicy type is a property of the AWS::SQS::Queue (p. 1495) resource. A redrive
policy deﬁnes the parameters for the dead letter queue functionality of the source queue. For more
information about the redrive policy and dead letter queues, see Using Amazon SQS Dead Letter Queues
in the Amazon Simple Queue Service Developer Guide.

Syntax
JSON
{
}

"deadLetterTargetArn" : String,
"maxReceiveCount" : Integer

YAML
deadLetterTargetArn: String
maxReceiveCount: Integer

Properties
deadLetterTargetArn
The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages
after the value of maxReceiveCount is exceeded.
API Version 2010-05-15
2212

AWS CloudFormation User Guide
AWS WAF ByteMatchSet ByteMatchTuples

Required: Yes
Type: String
maxReceiveCount
The number of times a message is delivered to the source queue before being moved to the deadletter queue.
Required: Yes
Type: Integer

AWS WAF ByteMatchSet ByteMatchTuples
ByteMatchTuples is a property of the AWS::WAF::ByteMatchSet (p. 1532) resource that speciﬁes
settings for an AWS WAF ByteMatchSet resource, such as the bytes (typically a string that corresponds
with ASCII characters) that you want AWS WAF to search for in web requests.

Syntax
JSON
{

}

"FieldToMatch" : Field to match,
"PositionalConstraint" : String,
"TargetString" : String,
"TargetStringBase64" : String,
"TextTransformation" : String

YAML
FieldToMatch:
Field to match
PositionalConstraint: String
TargetString: String
TargetStringBase64: String
TextTransformation: String

Properties
FieldToMatch
The part of a web request that you want AWS WAF to search, such as a speciﬁc header or a query
string.
Required: Yes
Type: AWS WAF ByteMatchSet ByteMatchTuples FieldToMatch (p. 2214)
PositionalConstraint
How AWS WAF ﬁnds matches within the web request part in which you are searching. For valid
values, see the PositionalConstraint content for the ByteMatchTuple data type in the AWS WAF
API Reference.
API Version 2010-05-15
2213

AWS CloudFormation User Guide
AWS WAF ByteMatchSet ByteMatchTuples FieldToMatch

Required: Yes
Type: String
TargetString
The value that AWS WAF searches for. AWS CloudFormation base64 encodes this value before
sending it to AWS WAF.
AWS WAF searches for this value in a speciﬁc part of web requests, which you deﬁne in the
FieldToMatch property.
Valid values depend on the Type value in the FieldToMatch property. For example, for a METHOD
type, you must specify HTTP methods such as DELETE, GET, HEAD, OPTIONS, PATCH, POST,
and PUT. For more information, see the TargetString content for the ByteMatchTuple data type in
the AWS WAF API Reference.
Required: Conditional. You must specify this property or the TargetStringBase64 property.
Type: String
TargetStringBase64
The base64-encoded value that AWS WAF searches for. AWS CloudFormation sends this value to
AWS WAF without encoding it.
AWS WAF searches for this value in a speciﬁc part of web requests, which you deﬁne in the
FieldToMatch property.
Valid values depend on the Type value in the FieldToMatch property. For example, for a METHOD
type, you must specify HTTP methods such as DELETE, GET, HEAD, OPTIONS, PATCH, POST,
and PUT. For more information, see the TargetString content for the ByteMatchTuple data type in
the AWS WAF API Reference.
Required: Conditional. You must specify this property or the TargetString property.
Type: String
TextTransformation
Speciﬁes how AWS WAF processes the target string value. Text transformations eliminate some
of the unusual formatting that attackers use in web requests in an eﬀort to bypass AWS WAF. If
you specify a transformation, AWS WAF transforms the target string value before inspecting a web
request for a match.
For example, AWS WAF can replace whitespace characters (such as \t and \n) with a single space.
For valid values, see the TextTransformation content for the ByteMatchTuple data type in the
AWS WAF API Reference.
Required: Yes
Type: String

AWS WAF ByteMatchSet ByteMatchTuples
FieldToMatch
FieldToMatch is a property of the AWS WAF ByteMatchSet ByteMatchTuples (p. 2213) property that
speciﬁes the part of a web request that you want AWS WAF to search, such as a speciﬁc header or a
query string.
API Version 2010-05-15
2214

AWS CloudFormation User Guide
AWS WAF IPSet IPSetDescriptors

Syntax
JSON
{
}

"Data" : String,
"Type" : String

YAML
Data: String
Type: String

Properties
Data
If you specify HEADER for the Type property, the name of the header that AWS WAF searches for,
such as User-Agent or Referer. If you specify any other value for the Type property, do not
specify this property.
Required: Conditional
Type: String
Type
The part of the web request in which AWS WAF searches for the target string. For valid values, see
FieldToMatch in the AWS WAF API Reference.
Required: Yes
Type: String

AWS WAF IPSet IPSetDescriptors
IPSetDescriptors is a property of the AWS::WAF::IPSet (p. 1535) resource that speciﬁes the IP
address type and IP address range (in CIDR notation) from which web requests originate.

Syntax
JSON
{
}

"Type" : String,
"Value" : String

YAML
Type: String
Value: String

API Version 2010-05-15
2215

AWS CloudFormation User Guide
AWS WAF Rule Predicates

Properties
Type
The IP address type, such as IPV4. For valid values, see the Type contents of the IPSetDescriptor
data type in the AWS WAF API Reference.
Required: Yes
Type: String
Value
An IP address (in CIDR notation) that AWS WAF permits, blocks, or counts. For example, to specify a
single IP address such as 192.0.2.44, specify 192.0.2.44/32. To specify a range of IP addresses
such as 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
Required: Yes
Type: String

AWS WAF Rule Predicates
Predicates is a property of the AWS::WAF::Rule (p. 1539) resource that speciﬁes the ByteMatchSet,
IPSet, SizeConstraintSet, SqlInjectionMatchSet, or XssMatchSet objects to include in an
AWS WAF rule. If you add more than one predicate to a rule, an incoming request must match all of the
speciﬁcations in the predicates to be allowed or blocked.

Syntax
JSON
{

}

"DataId" : String,
"Negated" : Boolean,
"Type" : String

YAML
DataId: String
Negated: Boolean
Type: String

Properties
DataId
The unique identiﬁer of a predicate, such as the ID of a ByteMatchSet or IPSet.
Required: Yes
Type: String
Negated
Whether to use the settings or the negated settings that you speciﬁed in the ByteMatchSet,
IPSet, SizeConstraintSet, SqlInjectionMatchSet, or XssMatchSet objects.
API Version 2010-05-15
2216

AWS CloudFormation User Guide
AWS WAF SizeConstraintSet SizeConstraint

Specify false if you want AWS WAF to allow, block, or count requests based on the settings
in the speciﬁed ByteMatchSet, IPSet, SizeConstraintSet, SqlInjectionMatchSet, or
XssMatchSet objects. For example, if an IPSet object includes the IP address 192.0.2.44, AWS
WAF allows, blocks, or counts requests originating from that IP address.
Specify true if you want AWS WAF to allow, block, or count requests based on the negated settings
in the ByteMatchSet, IPSet, SizeConstraintSet, SqlInjectionMatchSet, or XssMatchSet
objects. For example, if an IPSet object includes the IP address 192.0.2.44, AWS WAF allows,
blocks, or counts requests originating from all IP addresses except 192.0.2.44.
Required: Yes
Type: Boolean
Type
The type of predicate in a rule, such as an IPSet (IPMatch). For valid values, see the Type contents
of the Predicate data type in the AWS WAF API Reference.
Required: Yes
Type: String

AWS WAF SizeConstraintSet SizeConstraint
SizeConstraint is a property of the AWS::WAF::SizeConstraintSet (p. 1541) resource that speciﬁes a
size constraint and which part of a web request that you want AWS WAF to constrain.

Syntax
JSON
{

}

"ComparisonOperator" : String,
"FieldToMatch" : Field to match,
"Size" : String,
"TextTransformation" : String

YAML
ComparisonOperator: String
FieldToMatch:
Field to match
Size: String
TextTransformation: String

Properties
ComparisonOperator
The type of comparison that you want AWS WAF to perform. AWS WAF uses this value in
combination with the Size and FieldToMatch property values to check if the size constraint is
a match. For more information and valid values, see the ComparisonOperator content for the
SizeConstraint data type in the AWS WAF API Reference.
Required: Yes
API Version 2010-05-15
2217

AWS CloudFormation User Guide
AWS WAF SizeConstraintSet SizeConstraint FieldToMatch

Type: String
FieldToMatch
The part of a web request that you want AWS WAF to search, such as a speciﬁc header or a query
string.
Required: Yes
Type: AWS WAF SizeConstraintSet SizeConstraint FieldToMatch (p. 2218)
Size
The size in bytes that you want AWS WAF to compare against the size of the speciﬁed
FieldToMatch. AWS WAF uses Size in combination with the ComparisonOperator and
FieldToMatch property values to check if the size constraint of a web request is a match. For more
information and valid values, see the Size content for the SizeConstraint data type in the AWS WAF
API Reference.
Required: Yes
Type: Integer
TextTransformation
Speciﬁes how AWS WAF processes the FieldToMatch property before inspecting a request for a
match. Text transformations eliminate some of the unusual formatting that attackers use in web
requests in an eﬀort to bypass AWS WAF. If you specify a transformation, AWS WAF transforms the
FieldToMatch before inspecting a web request for a match.
For example, AWS WAF can replace white space characters (such as \t and \n) with a single space.
For valid values, see the TextTransformation content for the SizeConstraint data type in the AWS
WAF API Reference.
Required: Yes
Type: String

AWS WAF SizeConstraintSet SizeConstraint
FieldToMatch
FieldToMatch is a property of the AWS WAF SizeConstraintSet SizeConstraint (p. 2217) property
that speciﬁes the part of a web request that you want AWS WAF to check for a size constraint, such as a
speciﬁc header or a query string.

Syntax
JSON
{
}

"Data" : String,
"Type" : String

YAML
Data: String
Type: String

API Version 2010-05-15
2218

AWS CloudFormation User Guide
AWS WAF SqlInjectionMatchSet SqlInjectionMatchTuples

Properties
Data
If you specify HEADER for the Type property, the name of the header that AWS WAF searches for,
such as User-Agent or Referer. If you specify any other value for the Type property, do not
specify this property.
Required: Conditional
Type: String
Type
The part of the web request in which AWS WAF searches for the target string. For valid values, see
FieldToMatch in the AWS WAF API Reference.
Required: Yes
Type: String

AWS WAF SqlInjectionMatchSet
SqlInjectionMatchTuples
SqlInjectionMatchTuples is a property of the AWS::WAF::SqlInjectionMatchSet (p. 1544) resource
that speciﬁes the parts of web requests that AWS WAF inspects for SQL code.

Syntax
JSON
{
}

"FieldToMatch" : Field to match,
"TextTransformation" : String

YAML
FieldToMatch:
Field to match
TextTransformation: String

Properties
FieldToMatch
The part of a web request that you want AWS WAF to search, such as a speciﬁc header or a query
string.
Required: Yes
Type: AWS WAF ByteMatchSet ByteMatchTuples FieldToMatch (p. 2214)
TextTransformation
Text transformations eliminate some of the unusual formatting that attackers use in web requests in
an eﬀort to bypass AWS WAF. If you specify a transformation, AWS WAF transforms the target string
API Version 2010-05-15
2219

AWS CloudFormation User Guide
AWS WAF SqlInjectionMatchSet
SqlInjectionMatchTuples FieldToMatch

value before inspecting a web request for a match. For valid values, see the TextTransformation
content for the SqlInjectionMatchTuple data type in the AWS WAF API Reference.
Required: Yes
Type: String

AWS WAF SqlInjectionMatchSet
SqlInjectionMatchTuples FieldToMatch
FieldToMatch is a property of the AWS WAF ByteMatchSet ByteMatchTuples (p. 2213) property that
speciﬁes the part of a web request that you want AWS WAF to search, such as a speciﬁc header or a
query string.

Syntax
JSON
{
}

"Data" : String,
"Type" : String

YAML
Data: String
Type: String

Properties
Data
If you specify HEADER for the Type property, the name of the header that AWS WAF searches for,
such as User-Agent or Referer. If you specify any other value for the Type property, do not
specify this property.
Required: Conditional
Type: String
Type
The part of the web request in which AWS WAF searches for the target string. For valid values, see
FieldToMatch in the AWS WAF API Reference.
Required: Yes
Type: String

AWS WAF XssMatchSet XssMatchTuple
XssMatchTuple is a property of the AWS::WAF::XssMatchSet (p. 1551) resource that speciﬁes the part
of a web request that you want AWS WAF to inspect for cross-site scripting attacks.
API Version 2010-05-15
2220

AWS CloudFormation User Guide
AWS WAF XssMatchSet XssMatchTuple FieldToMatch

Syntax
JSON
{
}

"FieldToMatch" : Field to match,
"TextTransformation" : String

YAML
FieldToMatch:
Field to match
TextTransformation: String

Properties
FieldToMatch
The part of a web request that you want AWS WAF to search, such as a speciﬁc header or a query
string.
Required: Yes
Type: AWS WAF XssMatchSet XssMatchTuple FieldToMatch (p. 2221)
TextTransformation
Speciﬁes how AWS WAF processes the FieldToMatch property before inspecting a request for a
match. Text transformations eliminate some of the unusual formatting that attackers use in web
requests in an eﬀort to bypass AWS WAF. If you specify a transformation, AWS WAF transforms the
FieldToMatch parameter before inspecting a web request for a match.
For example, AWS WAF can replace white space characters (such as \t and \n) with a single space.
For valid values, see the TextTransformation content for the XssMatchTuple data type in the
AWS WAF API Reference.
Required: Yes
Type: String

AWS WAF XssMatchSet XssMatchTuple FieldToMatch
FieldToMatch is a property of the AWS WAF XssMatchSet XssMatchTuple (p. 2220) property that
speciﬁes the part of a web request that you want AWS WAF to search, such as a speciﬁc header or a
query string.

Syntax
JSON
{

"Data" : String,
"Type" : String

API Version 2010-05-15
2221

AWS CloudFormation User Guide
AWS WAF WebACL Action
}

YAML
Data: String
Type: String

Properties
Data
If you specify HEADER for the Type property, the name of the header that AWS WAF searches for,
such as User-Agent or Referer. If you specify any other value for the Type property, do not
specify this property.
Required: Conditional
Type: String
Type
The part of the web request in which AWS WAF searches for the target string. For valid values, see
FieldToMatch in the AWS WAF API Reference.
Required: Yes
Type: String

AWS WAF WebACL Action
Action is a property of the AWS::WAF::WebACL (p. 1547) resource and the AWS WAF WebACL
ActivatedRule (p. 2223) property that speciﬁes the action AWS WAF takes when a web request matches
or doesn't match all rule conditions.

Syntax
JSON
{
}

"Type" : String

YAML
Type: String

Properties
Type
For actions that are associated with a rule, the action that AWS WAF takes when a web request
matches all conditions in a rule.
API Version 2010-05-15
2222

AWS CloudFormation User Guide
AWS WAF WebACL ActivatedRule

For the default action of a web access control list (ACL), the action that AWS WAF takes when a web
request doesn't match all conditions in any rule.
For valid value, see the Type contents of the WafAction data type in the AWS WAF API Reference.
Required: Yes
Type: String

AWS WAF WebACL ActivatedRule
ActivatedRule is a property of the AWS::WAF::WebACL (p. 1547) resource that speciﬁes a rule to
associate with an AWS WAF web access control list (ACL), and the rule's settings.

Syntax
JSON
{

}

"Action" : AWS WAF WebACL Action
"Priority" : Integer,
"RuleId" : String

YAML
Action: AWS WAF WebACL Action
Priority: Integer
RuleId: String

Properties
Action
The action that Amazon CloudFront (CloudFront) or AWS WAF takes when a web request matches all
conditions in the rule, such as allow, block, or count the request.
Required: No
Type: AWS WAF WebACL Action (p. 2222)
Priority
The order in which AWS WAF evaluates the rules in a web ACL. AWS WAF evaluates rules with
a lower value before rules with a higher value. The value must be a unique integer. If you have
multiple rules in a web ACL, the priority numbers do not need to be consecutive.
Required: Yes
Type: Integer
RuleId
The ID of an AWS WAF rule (p. 1539) to associate with a web ACL.
Required: Yes
Type: String
API Version 2010-05-15
2223

AWS CloudFormation User Guide
AWS WAF Regional ByteMatchSet ByteMatchTuples

AWS WAF Regional ByteMatchSet ByteMatchTuples
ByteMatchTuples is a property of the AWS::WAFRegional::ByteMatchSet (p. 1555) resource that
speciﬁes settings for an AWS WAF Regional ByteMatchSet resource, such as the bytes (typically a string
that corresponds with ASCII characters) that you want AWS WAF to search for in web requests.

Syntax
JSON
{

}

"FieldToMatch" : Field to match,
"PositionalConstraint" : String,
"TargetString" : String,
"TargetStringBase64" : String,
"TextTransformation" : String

YAML
FieldToMatch:
Field to match
PositionalConstraint: String
TargetString: String
TargetStringBase64: String
TextTransformation: String

Properties
FieldToMatch
The part of a web request that you want AWS WAF to search, such as a speciﬁc header or a query
string.
Required: Yes
Type: AWS WAF Regional ByteMatchSet ByteMatchTuples FieldToMatch (p. 2225)
PositionalConstraint
How AWS WAF ﬁnds matches within the part of the web request in which you are searching. For
valid values, see the PositionalConstraint content for the ByteMatchTuple data type in the
AWS WAF Regional API Reference.
Required: Yes
Type: String
TargetString
The value that AWS WAF searches for. AWS CloudFormation encodes in base64 this value before
sending it to AWS WAF.
AWS WAF searches for this value in a speciﬁc part of web requests, which you deﬁne in the
FieldToMatch property.
Valid values depend on the Type value in the FieldToMatch property. For example, for a METHOD
type, you must specify HTTP methods, such as DELETE, GET, HEAD, OPTIONS, PATCH, POST,
API Version 2010-05-15
2224

AWS CloudFormation User Guide
AWS WAF Regional ByteMatchSet
ByteMatchTuples FieldToMatch

and PUT. For more information, see the TargetString content for the ByteMatchTuple data type in
the AWS WAF Regional API Reference.
Required: Conditional. You must specify this property or the TargetStringBase64 property.
Type: String
TargetStringBase64
The base64-encoded value that AWS WAF searches for. AWS CloudFormation sends this value to
AWS WAF without encoding it.
AWS WAF searches for this value in a speciﬁc part of web requests, which you deﬁne in the
FieldToMatch property.
Valid values depend on the Type value in the FieldToMatch property. For example, for a METHOD
type, you must specify HTTP methods, such as DELETE, GET, HEAD, OPTIONS, PATCH, POST,
and PUT. For more information, see the TargetString content for the ByteMatchTuple data type in
the AWS WAF Regional API Reference.
Required: Conditional. You must specify this property or the TargetString property.
Type: String
TextTransformation
Speciﬁes how AWS WAF processes the target string value. Text transformations eliminate some
of the unusual formatting that attackers use in web requests in an eﬀort to bypass AWS WAF. If
you specify a transformation, AWS WAF transforms the target string value before inspecting a web
request for a match.
For example, AWS WAF can replace whitespace characters (such as \t and \n) with a single space.
For valid values, see the TextTransformation content for the ByteMatchTuple data type in the
AWS WAF Regional API Reference.
Required: Yes
Type: String

AWS WAF Regional ByteMatchSet ByteMatchTuples
FieldToMatch
FieldToMatch is a property of the AWS WAF Regional ByteMatchSet ByteMatchTuples (p. 2224)
property that speciﬁes the part of a web request that you want AWS WAF to search, such as a speciﬁc
header or a query string.

Syntax
JSON
{
}

"Data" : String,
"Type" : String

YAML
Data: String

API Version 2010-05-15
2225

AWS CloudFormation User Guide
AWS WAF Regional IPSet IPSetDescriptors
Type: String

Properties
Data
If you specify HEADER for the Type property, the name of the header that AWS WAF searches for,
such as User-Agent or Referer. If you specify any other value for the Type property, do not
specify this property.
Required: Conditional
Type: String
Type
The part of the web request in which AWS WAF searches for the target string. For valid values, see
FieldToMatch in the AWS WAF Regional API Reference.
Required: Yes
Type: String

AWS WAF Regional IPSet IPSetDescriptors
IPSetDescriptors is a property of the AWS::WAFRegional::IPSet (p. 1558) resource that speciﬁes the
IP address type and IP address range (in CIDR notation) from which web requests originate.

Syntax
JSON
{
}

"Type" : String,
"Value" : String

YAML
Type: String
Value: String

Properties
Type
The IP address type, such as IPV4. For valid values, see the Type contents of the IPSetDescriptor
data type in the AWS WAF Regional API Reference.
Required: Yes
Type: String
Value
An IP address (in CIDR notation) that AWS WAF permits, blocks, or counts. For example, to specify a
single IP address such as 192.0.2.44, specify 192.0.2.44/32. To specify a range of IP addresses
such as 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
API Version 2010-05-15
2226

AWS CloudFormation User Guide
AWS WAF Regional Rule Predicates

Required: Yes
Type: String

AWS WAF Regional Rule Predicates
Predicates is a property of the AWS::WAFRegional::Rule (p. 1561) resource that speciﬁes the
ByteMatchSet, IPSet, SizeConstraintSet, SqlInjectionMatchSet, or XssMatchSet objects to
include in an AWS WAF Regional rule. If you add more than one predicate to a rule, an incoming request
must match all of the speciﬁcations in the predicates to be allowed or blocked.

Syntax
JSON
{

}

"DataId" : String,
"Negated" : Boolean,
"Type" : String

YAML
DataId: String
Negated: Boolean
Type: String

Properties
DataId
The unique identiﬁer of a predicate, such as the ID of a ByteMatchSet or IPSet.
Required: Yes
Type: String
Negated
Whether to use the settings or the negated settings that you speciﬁed in the ByteMatchSet,
IPSet, SizeConstraintSet, SqlInjectionMatchSet, or XssMatchSet objects.
If you want AWS WAF to allow, block, or count requests based on the settings in the speciﬁed
ByteMatchSet, IPSet, SizeConstraintSet, SqlInjectionMatchSet, or XssMatchSet
objects, specify false. For example, if an IPSet object includes the IP address 192.0.2.44, AWS
WAF allows, blocks, or counts requests originating from that IP address.
If you want AWS WAF to allow, block, or count requests based on the negated settings in the
ByteMatchSet, IPSet, SizeConstraintSet, SqlInjectionMatchSet, or XssMatchSet
objects, specify true. For example, if an IPSet object includes the IP address 192.0.2.44, AWS
WAF allows, blocks, or counts requests originating from all IP addresses except 192.0.2.44.
Required: Yes
Type: Boolean
API Version 2010-05-15
2227

AWS CloudFormation User Guide
AWS WAF Regional SizeConstraintSet SizeConstraint

Type
The type of predicate in a rule, such as an IPSet (IPMatch). For valid values, see the Type contents
of the Predicate data type in the AWS WAF Regional API Reference.
Required: Yes
Type: String

AWS WAF Regional SizeConstraintSet SizeConstraint
SizeConstraint is a property of the AWS::WAFRegional::SizeConstraintSet (p. 1563) resource that
speciﬁes a size constraint and which part of a web request that you want AWS WAF to constrain.

Syntax
JSON
{

}

"ComparisonOperator" : String,
"FieldToMatch" : Field to match,
"Size" : String,
"TextTransformation" : String

YAML
ComparisonOperator: String
FieldToMatch:
Field to match
Size: String
TextTransformation: String

Properties
ComparisonOperator
The type of comparison that you want AWS WAF to perform. AWS WAF uses this value in
combination with the Size and FieldToMatch property values to check if the size constraint is
a match. For more information and valid values, see the ComparisonOperator content for the
SizeConstraint data type in the AWS WAF Regional API Reference.
Required: Yes
Type: String
FieldToMatch
The part of a web request that you want AWS WAF to search, such as a speciﬁc header or a query
string.
Required: Yes
Type: AWS WAF Regional SizeConstraintSet SizeConstraint FieldToMatch (p. 2229)
Size
The size in bytes that you want AWS WAF to compare against the size of the speciﬁed
FieldToMatch. AWS WAF uses Size in combination with the ComparisonOperator and
API Version 2010-05-15
2228

AWS CloudFormation User Guide
AWS WAF Regional SizeConstraintSet
SizeConstraint FieldToMatch

FieldToMatch property values to check if the size constraint of a web request is a match. For more
information and valid values, see the Size content for the SizeConstraint data type in the AWS WAF
Regional API Reference.
Required: Yes
Type: Integer
TextTransformation
Speciﬁes how AWS WAF processes the FieldToMatch property before inspecting a request for a
match. Text transformations eliminate some of the unusual formatting that attackers use in web
requests in an eﬀort to bypass AWS WAF. If you specify a transformation, AWS WAF transforms the
FieldToMatch before inspecting a web request for a match.
For example, AWS WAF can replace white space characters (such as \t and \n) with a single space.
For valid values, see the TextTransformation content for the SizeConstraint data type in the AWS
WAF Regional API Reference.
Required: Yes
Type: String

AWS WAF Regional SizeConstraintSet SizeConstraint
FieldToMatch
FieldToMatch is a property of the AWS WAF Regional SizeConstraintSet SizeConstraint (p. 2228)
property that speciﬁes the part of a web request that you want AWS WAF to check for a size constraint,
such as a speciﬁc header or a query string.

Syntax
JSON
{
}

"Data" : String,
"Type" : String

YAML
Data: String
Type: String

Properties
Data
If you specify HEADER for the Type property, the name of the header that AWS WAF searches for,
such as User-Agent or Referer. If you specify any other value for the Type property, do not
specify this property.
Required: Conditional
Type: String
API Version 2010-05-15
2229

AWS CloudFormation User Guide
AWS WAF Regional SqlInjectionMatchSet
SqlInjectionMatchTuples

Type
The part of the web request in which AWS WAF searches for the target string. For valid values, see
FieldToMatch in the AWS WAF Regional API Reference.
Required: Yes
Type: String

AWS WAF Regional SqlInjectionMatchSet
SqlInjectionMatchTuples
SqlInjectionMatchTuples is a property of the AWS::WAFRegional::SqlInjectionMatchSet (p. 1567)
resource that speciﬁes the parts of web requests that AWS WAF inspects for SQL code.

Syntax
JSON
{
}

"FieldToMatch" : Field to match,
"TextTransformation" : String

YAML
FieldToMatch:
Field to match
TextTransformation: String

Properties
FieldToMatch
The part of a web request that you want AWS WAF to search, such as a speciﬁc header or a query
string.
Required: Yes
Type: AWS WAF Regional ByteMatchSet ByteMatchTuples FieldToMatch (p. 2225)
TextTransformation
Speciﬁes how AWS WAF processes the FieldToMatch property before inspecting a request for a
match.

Note

Text transformations eliminate some of the unusual formatting that attackers use in
web requests in an eﬀort to bypass AWS WAF. If you specify a transformation, AWS WAF
transforms the target string value before inspecting a web request for a match. For valid
values, see the TextTransformation content for the SqlInjectionMatchTuple data type in
the AWS WAF Regional API Reference.
Required: Yes
Type: String
API Version 2010-05-15
2230

AWS CloudFormation User Guide
AWS WAF Regional SqlInjectionMatchSet
SqlInjectionMatchTuples FieldToMatch

AWS WAF Regional SqlInjectionMatchSet
SqlInjectionMatchTuples FieldToMatch
FieldToMatch is a property of the AWS WAF Regional ByteMatchSet ByteMatchTuples (p. 2224)
property that speciﬁes the part of a web request that you want AWS WAF to search, such as a speciﬁc
header or a query string.

Syntax
JSON
{
}

"Data" : String,
"Type" : String

YAML
Data: String
Type: String

Properties
Data
If you specify HEADER for the Type property, the name of the header that AWS WAF searches for,
such as User-Agent or Referer. If you specify any other value for the Type property, do not
specify this property.
Required: Conditional
Type: String
Type
The part of the web request in which AWS WAF searches for the target string. For valid values, see
FieldToMatch in the AWS WAF Regional API Reference.
Required: Yes
Type: String

AWS WAF Regional XssMatchSet XssMatchTuple
XssMatchTuple is a property of the AWS::WAFRegional::XssMatchSet (p. 1575) resource that speciﬁes
the part of a web request that you want AWS WAF to inspect for cross-site scripting attacks.

Syntax
JSON
{

"FieldToMatch" : Field to match,
"TextTransformation" : String

API Version 2010-05-15
2231

AWS CloudFormation User Guide
AWS WAF Regional XssMatchSet
XssMatchTuple FieldToMatch
}

YAML
FieldToMatch:
Field to match
TextTransformation: String

Properties
FieldToMatch
The part of a web request that you want AWS WAF to search, such as a speciﬁc header or a query
string.
Required: Yes
Type: AWS WAF Regional XssMatchSet XssMatchTuple FieldToMatch (p. 2232)
TextTransformation
Speciﬁes how AWS WAF processes the FieldToMatch property before inspecting a request for a
match. Text transformations eliminate some of the unusual formatting that attackers use in web
requests in an eﬀort to bypass AWS WAF. If you specify a transformation, AWS WAF transforms
theFieldToMatch parameter before inspecting a web request for a match.
For example, AWS WAF can replace white space characters (such as \t and \n) with a single space.
For valid values, see the TextTransformation content for the XssMatchTuple data type in the
AWS WAF Regional API Reference.
Required: Yes
Type: String

AWS WAF Regional XssMatchSet XssMatchTuple
FieldToMatch
FieldToMatch is a property of the AWS WAF Regional XssMatchSet XssMatchTuple (p. 2231) property
that speciﬁes the part of a web request that you want AWS WAF to search, such as a speciﬁc header or a
query string.

Syntax
JSON
{
}

"Data" : String,
"Type" : String

YAML
Data: String
Type: String

API Version 2010-05-15
2232

AWS CloudFormation User Guide
AWS WAF Regional WebACL Action

Properties
Data
If you specify HEADER for the Type property, the name of the header that AWS WAF searches for,
such as User-Agent or Referer. If you specify any other value for the Type property, do not
specify this property.
Required: Conditional
Type: String
Type
The part of the web request in which AWS WAF searches for the target string. For valid values, see
FieldToMatch in the AWS WAF Regional API Reference.
Required: Yes
Type: String

AWS WAF Regional WebACL Action
Action is a property of the AWS::WAFRegional::WebACL (p. 1570) resource and the AWS WAF Regional
WebACL Rules (p. 2234) property that speciﬁes the action AWS WAF takes when a web request matches
or doesn't match all rule conditions.

Syntax
JSON
{
}

"Type" : String

YAML
Type: String

Properties
Type
For actions that are associated with a rule, the action that AWS WAF takes when a web request
matches all conditions in a rule.
For the default action of a web access control list (ACL), the action that AWS WAF takes when a web
request doesn't match all conditions in any rule.
For valid value, see the Type contents of the WafAction data type in the AWS WAF Regional API
Reference.
Required: Yes
Type: String
API Version 2010-05-15
2233

AWS CloudFormation User Guide
AWS WAF Regional WebACL Rules

AWS WAF Regional WebACL Rules
Rules is a property of the AWS::WAFRegional::WebACL (p. 1570) resource that speciﬁes the rule to
associate with an AWS WAF Regional web access control list (ACL) and the rule's settings.

Syntax
JSON
{

}

"Action" : String,
"Priority" : Integer,
"RuleId" : String

YAML
Action: String
Priority: Integer
RuleId: String

Properties
Action
The action that Amazon CloudFront (CloudFront) or AWS WAF takes when a web request matches all
conditions in the rule, such as allow, block, or count the request.
Required: Yes
Type: AWS WAF Regional WebACL Action (p. 2233)
Priority
The order in which AWS WAF evaluates the rules in a web ACL. AWS WAF evaluates rules with
a lower value before rules with a higher value. The value must be a unique integer. If you have
multiple rules in a web ACL, the priority numbers do not need to be consecutive.
Required: Yes
Type: Integer
RuleId
The ID of an AWS WAF Regional rule (p. 1561) to associate with a web ACL.
Required: Yes
Type: String

AWS CloudFormation Resource Speciﬁcation
The AWS CloudFormation resource speciﬁcation is a JSON-formatted text ﬁle that deﬁnes the resources
and properties that AWS CloudFormation supports. The document is a machine-readable, strongly
typed speciﬁcation that you can use to build tools for creating AWS CloudFormation templates. For
API Version 2010-05-15
2234

AWS CloudFormation User Guide
Resource Speciﬁcation

example, you can use the speciﬁcation to build auto completion and validation functionality for AWS
CloudFormation templates in your IDE (integrated development environment).
The resource speciﬁcation is organized as both a single ﬁle and as a series of ﬁles, where each ﬁle
contains the deﬁnition of one resource type. The single and separated ﬁles contain identical information.
Depending on the tool and your implementation, use the ﬁle or ﬁles that work for you.
To download the resource speciﬁcation, see the following table.
Resource availability may vary by region. To check the availability of a resource in a given region, refer to
the resource speciﬁcation for that region.

Resource Speciﬁcation
Region

Single File

All Files

Asia Paciﬁc (Mumbai)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

Asia Paciﬁc (Osaka-Local)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

Asia Paciﬁc (Seoul)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

Asia Paciﬁc (Singapore)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

Asia Paciﬁc (Sydney)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

Asia Paciﬁc (Tokyo)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

Canada (Central)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

EU (Frankfurt)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

EU (Ireland)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

EU (London)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

EU (Paris)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

South America (São Paulo)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

US East (N. Virginia)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

US East (Ohio)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

US West (N. California)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

US West (Oregon)

CloudFormationResourceSpeciﬁcation.json
CloudFormationResourceSpeciﬁcation.zip

The following example shows the speciﬁcation for an AWS Key Management Service key resource
(AWS::KMS::Key). It shows the properties for the AWS::KMS::Key resource, which properties are
required, the type of allowed value for each property, and their update behavior. For details about the
speciﬁcation, see Speciﬁcation Format (p. 2236).
"AWS::KMS::Key": {
"Attributes": {
"Arn": {
"PrimitiveType": "String"
}
},
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/awsresource-kms-key.html",

API Version 2010-05-15
2235

AWS CloudFormation User Guide
Speciﬁcation Format
"Properties": {
"Description": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-kms-key.html#cfn-kms-key-description",
"PrimitiveType": "String",
"Required": false,
"UpdateType": "Mutable"
},
"EnableKeyRotation": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-kms-key.html#cfn-kms-key-enablekeyrotation",
"PrimitiveType": "Boolean",
"Required": false,
"UpdateType": "Mutable"
},
"Enabled": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-kms-key.html#cfn-kms-key-enabled",
"PrimitiveType": "Boolean",
"Required": false,
"UpdateType": "Mutable"
},
"KeyPolicy": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-kms-key.html#cfn-kms-key-keypolicy",
"PrimitiveType": "Json",
"Required": true,
"UpdateType": "Mutable"
},
"KeyUsage": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-kms-key.html#cfn-kms-key-keyusage",
"PrimitiveType": "String",
"Required": false,
"UpdateType": "Immutable"
}
}
}

Speciﬁcation Format
AWS CloudFormation creates a speciﬁcation for each resource type (p. 499), such as
AWS::S3::Bucket or AWS::EC2::Instance. The following sections describe the format and each
ﬁeld within the speciﬁcation.
Topics
• Speciﬁcation Sections (p. 2236)
• Property Speciﬁcation (p. 2237)
• Resource Speciﬁcation (p. 2238)
• Example Resource Speciﬁcation (p. 2239)

Speciﬁcation Sections
The formal deﬁnition for each resource type is organized into three main sections: PropertyTypes,
ResourceSpecificationVersion, and ResourceTypes, as shown in the following example:
{

"PropertyTypes": {
Property specifications (p. 2237)

API Version 2010-05-15
2236

AWS CloudFormation User Guide
Speciﬁcation Format

}

},
"ResourceSpecificationVersion": "Specification version number",
"ResourceTypes": {
Resource specification (p. 2238)
}

PropertyTypes
For resources that have properties within a property (also known as subproperties), a list of
subproperty speciﬁcations, such as which properties are required, the type of allowed value for each
property, and their update behavior. For more information, see Property Speciﬁcation (p. 2237).
If a resource doesn't have subproperties, this section is omitted.
ResourceSpecificationVersion
The version of the resource speciﬁcation. The version format is
majorVersion.minorVersion.patch, where each release increments the version number. All
resources have the same version number regardless of whether the resource was updated.
AWS CloudFormation increments the patch number when the service makes a backwardscompatible bug ﬁx, such as ﬁxing a broken documentation link. When AWS CloudFormation adds
resources or properties that are backwards compatible, it increments the minor version number. For
example, later versions of a speciﬁcation might add additional resource properties to support new
features of an AWS service.
Backwards incompatible changes increment the major version number. A backwards incompatible
change can result from a change in the resource speciﬁcation, such as a name change to a ﬁeld, or a
change to a resource, such as the making an optional resource property required.
ResourceTypes
The list of resources and information about each resource's properties, such as its property names,
which properties are required, and their update behavior. For more information, see Resource
Speciﬁcation (p. 2238).

Note

If you view a ﬁle that contains the deﬁnition of one resource type, this property name is
ResourceType (singular).

Property Speciﬁcation
The speciﬁcation for each property includes the following ﬁelds. For subproperties, the property name
uses the resourceType.subpropertyName format.
"Property name": {
"Documentation": "Link to the relevant documentation"
"DuplicatesAllowed": "true or false",
"ItemType": "Type of list or map (non-primitive)",
"PrimitiveItemType": "Type of list or map (primitive)",
"PrimitiveType": "Type of value (primitive)",
"Required": "true or false",
"Type": "Type of value (non-primitive)",
"UpdateType": "Mutable, Immutable, or Conditional",
}

Documentation
A link to the AWS CloudFormation User Guide that provides information about the property.
API Version 2010-05-15
2237

AWS CloudFormation User Guide
Speciﬁcation Format

DuplicatesAllowed
If the value of the Type ﬁeld is List, indicates whether AWS CloudFormation allows duplicate
values. If the value is true, AWS CloudFormation ignores duplicate values. If the value is false,
AWS CloudFormation returns an error if you submit duplicate values.
ItemType
If the value of the Type ﬁeld is List or Map, indicates the type of list or map if they contain nonprimitive types. Otherwise, this ﬁeld is omitted. For lists or maps that contain primitive types, the
PrimitiveItemType property indicates the valid value type.
A subproperty name is a valid item type. For example, if the type value is List and the item type
value is PortMapping, you can specify a list of port mapping properties.
PrimitiveItemType
If the value of the Type ﬁeld is List or Map, indicates the type of list or map if they contain
primitive types. Otherwise, this ﬁeld is omitted. For lists or maps that contain non-primitive types,
the ItemType property indicates the valid value type.
The valid primitive types for lists and maps are String, Long, Integer, Double, Boolean, or
Timestamp.
For example, if the type value is List and the item type value is String, you can specify a list of
strings for the property. If the type value is Map and the item type value is Boolean, you can specify
a string to Boolean mapping for the property.
PrimitiveType
For primitive values, the valid primitive type for the property. A primitive type is a basic data type for
resource property values. The valid primitive types are String, Long, Integer, Double, Boolean,
Timestamp or Json. If valid values are a non-primitive type, this ﬁeld is omitted and the Type ﬁeld
indicates the valid value type.
Required
Indicates whether the property is required.
Type
For non-primitive types, valid values for the property. The valid types are a subproperty name,
List or Map. If valid values are a primitive type, this ﬁeld is omitted and the PrimitiveType ﬁeld
indicates the valid value type.
A list is a comma-separated list of values. A map is a set of key-value pairs, where the keys
are always strings. The value type for lists and maps are indicated by the ItemType or
PrimitiveItemType ﬁeld.
UpdateType
During a stack update, the update behavior when you add, remove, or modify the property.
AWS CloudFormation replaces the resource when you change Immutable properties. AWS
CloudFormation doesn't replace the resource when you change mutable properties. Conditional
updates can be mutable or immutable, depending on, for example, which other properties you
updated. For more information, see the relevant resource type (p. 499) documentation.

Resource Speciﬁcation
The speciﬁcation for each resource type includes the following ﬁelds.
"Resource type name": {

API Version 2010-05-15
2238

AWS CloudFormation User Guide
Speciﬁcation Format

}

"Attributes": {
"AttributeName": {
"ItemType": "Return list or map type (non-primitive)",
"PrimitiveItemType": "Return list or map type (primitive)",
"PrimitiveType": "Return value type (primitive)",
"Type": "Return value type (non-primitive)",
}
},
"Documentation": "Link to the relevant documentation",
"Properties": {
Property specifications (p. 2237)
}

Attributes
A list of resource attributes that you can use in an Fn::GetAtt (p. 2285) function. For each
attribute, this section provides the attribute name and the type of value that AWS CloudFormation
returns.
ItemType
If the value of the Type ﬁeld is List, indicates the type of list that the Fn::GetAtt function
returns for the attribute if the list contains non-primitive types. The valid type is a name of a
property.
PrimitiveItemType
If the value of the Type ﬁeld is List, indicates the type of list that the Fn::GetAtt function
returns for the attribute if the list contains primitive types. For lists that contain non-primitive
types, the ItemType property indicates the valid value type. The valid primitive types for lists
are String, Long, Integer, Double, Boolean, or Timestamp.
For example, if the type value is List and the primitive item type value is String, the
Fn::GetAtt function returns a list of strings.
PrimitiveType
For primitive return values, the type of primitive value that the Fn::GetAtt function returns
for the attribute. A primitive type is a basic data type for resource property values. The valid
primitive types are String, Long, Integer, Double, Boolean, Timestamp or Json.
Type
For non-primitive return values, the type of value that the Fn::GetAtt function returns for the
attribute. The valid types are a property name or List.
A list is a comma-separated list of values. The value type for lists are indicated by the ItemType
or PrimitiveItemType ﬁeld.
Documentation
A link to the AWS CloudFormation User Guide for information about the resource.
Properties
A list of property speciﬁcations for the resource. For details, see Property Speciﬁcation (p. 2237).

Example Resource Speciﬁcation
The following examples highlight and explain parts of the AWS::Elasticsearch::Domain (p. 1096)
resource speciﬁcation.
API Version 2010-05-15
2239

AWS CloudFormation User Guide
Speciﬁcation Format

The AWS::Elasticsearch::Domain resource type contains subproperties, so the speciﬁcation
includes a PropertyTypes section. This section is followed by the ResourceSpecificationVersion
section, which shows the speciﬁcation version as 1.0.0. After the speciﬁcation version is the
ResourceType section that speciﬁes the resource type, provides a documentation link, and details the
resource's properties.
{

"PropertyTypes": {
...

},
"ResourceSpecificationVersion": "1.0.0",
"ResourceType": {
"AWS::Elasticsearch::Domain": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/awsresource-elasticsearch-domain.html",
"Properties": {
...

}

}

}

}

}

Focusing on the ResourceType section, the following example shows two properties of the
AWS::Elasticsearch::Domain resource type. The AdvancedOptions property is not required
and accepts a string to string map. A map is a collection of key-value pairs, where the keys are always
strings. The value type is indicated by the ItemType ﬁeld, which is String. Therefore, the type is a
string to string map. The update behavior for this property is mutable. If update this property, AWS
CloudFormation keeps the resource instead of creating a new one and then deleting the old one (an
immutable update).
The SnapshotOptions property is not required and accepts a subproperty named SnapshotOptions.
Details of the SnapshotOptions subproperty is provided in the PropertyTypes section.
{

"PropertyTypes": {
...

},
"ResourceSpecificationVersion": "1.0.0",
"ResourceType": {
"AWS::Elasticsearch::Domain": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/awsresource-elasticsearch-domain.html",
"Properties": {
...
"AdvancedOptions": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-advancedoptions",
"DuplicatesAllowed": false,
"PrimitiveItemType": "String",
"Required": false,
"Type": "Map",
"UpdateType": "Mutable"
},
...
"SnapshotOptions": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-snapshotoptions",

API Version 2010-05-15
2240

AWS CloudFormation User Guide
Speciﬁcation Format
"Required": false,
"Type": "SnapshotOptions",
"UpdateType": "Mutable"

},
...

}

}

}

}

In the PropertyTypes, the speciﬁcation lists all of the subproperties of a
resource (including nested subproperties). The following example details the
AWS::Elasticsearch::Domain.SnapshotOptions subproperty. It contains one property named
AutomatedSnapshotStartHour, which is not required and accepts integer value types.
"PropertyTypes": {
...
"AWS::Elasticsearch::Domain.SnapshotOptions": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/awsproperties-elasticsearch-domain-snapshotoptions.html",
"Properties": {
"AutomatedSnapshotStartHour": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-elasticsearch-domain-snapshotoptions.html#cfn-elasticsearch-domainsnapshotoptions-automatedsnapshotstarthour",
"PrimitiveType": "Integer",
"Required": false,
"UpdateType": "Mutable"
}
}
},
...
}

For your reference, the following example provides the entire AWS::Elasticsearch::Domain resource
speciﬁcation.
{

"PropertyTypes": {
"AWS::Elasticsearch::Domain.EBSOptions": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/awsproperties-elasticsearch-domain-ebsoptions.html",
"Properties": {
"EBSEnabled": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-elasticsearch-domain-ebsoptions.html#cfn-elasticsearch-domain-ebsoptionsebsenabled",
"PrimitiveType": "Boolean",
"Required": false,
"UpdateType": "Mutable"
},
"Iops": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-elasticsearch-domain-ebsoptions.html#cfn-elasticsearch-domain-ebsoptionsiops",
"PrimitiveType": "Integer",
"Required": false,
"UpdateType": "Mutable"
},
"VolumeSize": {

API Version 2010-05-15
2241

AWS CloudFormation User Guide
Speciﬁcation Format
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-elasticsearch-domain-ebsoptions.html#cfn-elasticsearch-domain-ebsoptionsvolumesize",
"PrimitiveType": "Integer",
"Required": false,
"UpdateType": "Mutable"
},
"VolumeType": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-elasticsearch-domain-ebsoptions.html#cfn-elasticsearch-domain-ebsoptionsvolumetype",
"PrimitiveType": "String",
"Required": false,
"UpdateType": "Mutable"
}
}
},
"AWS::Elasticsearch::Domain.ElasticsearchClusterConfig": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/awsproperties-elasticsearch-domain-elasticsearchclusterconfig.html",
"Properties": {
"DedicatedMasterCount": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-elasticsearch-domain-elasticsearchclusterconfig.html#cfn-elasticsearchdomain-elasticseachclusterconfig-dedicatedmastercount",
"PrimitiveType": "Integer",
"Required": false,
"UpdateType": "Mutable"
},
"DedicatedMasterEnabled": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-elasticsearch-domain-elasticsearchclusterconfig.html#cfn-elasticsearchdomain-elasticseachclusterconfig-dedicatedmasterenabled",
"PrimitiveType": "Boolean",
"Required": false,
"UpdateType": "Mutable"
},
"DedicatedMasterType": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-elasticsearch-domain-elasticsearchclusterconfig.html#cfn-elasticsearchdomain-elasticseachclusterconfig-dedicatedmastertype",
"PrimitiveType": "String",
"Required": false,
"UpdateType": "Mutable"
},
"InstanceCount": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-elasticsearch-domain-elasticsearchclusterconfig.html#cfn-elasticsearchdomain-elasticseachclusterconfig-instancecount",
"PrimitiveType": "Integer",
"Required": false,
"UpdateType": "Mutable"
},
"InstanceType": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-elasticsearch-domain-elasticsearchclusterconfig.html#cfn-elasticsearchdomain-elasticseachclusterconfig-instnacetype",
"PrimitiveType": "String",
"Required": false,
"UpdateType": "Mutable"
},
"ZoneAwarenessEnabled": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-elasticsearch-domain-elasticsearchclusterconfig.html#cfn-elasticsearchdomain-elasticseachclusterconfig-zoneawarenessenabled",
"PrimitiveType": "Boolean",

API Version 2010-05-15
2242

AWS CloudFormation User Guide
Speciﬁcation Format

}

}

"Required": false,
"UpdateType": "Mutable"

},
"AWS::Elasticsearch::Domain.SnapshotOptions": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/awsproperties-elasticsearch-domain-snapshotoptions.html",
"Properties": {
"AutomatedSnapshotStartHour": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-elasticsearch-domain-snapshotoptions.html#cfn-elasticsearch-domainsnapshotoptions-automatedsnapshotstarthour",
"PrimitiveType": "Integer",
"Required": false,
"UpdateType": "Mutable"
}
}
},
"Tag": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/awsproperties-resource-tags.html",
"Properties": {
"Key": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-resource-tags.html#cfn-resource-tags-key",
"PrimitiveType": "String",
"Required": true,
"UpdateType": "Immutable"
},
"Value": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-properties-resource-tags.html#cfn-resource-tags-value",
"PrimitiveType": "String",
"Required": true,
"UpdateType": "Immutable"
}
}
}
},
"ResourceType": {
"AWS::Elasticsearch::Domain": {
"Attributes": {
"DomainArn": {
"PrimitiveType": "String"
},
"DomainEndpoint": {
"PrimitiveType": "String"
}
},
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/awsresource-elasticsearch-domain.html",
"Properties": {
"AccessPolicies": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-accesspolicies",
"PrimitiveType": "Json",
"Required": false,
"UpdateType": "Mutable"
},
"AdvancedOptions": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-advancedoptions",
"DuplicatesAllowed": false,
"PrimitiveItemType": "String",
"Required": false,

API Version 2010-05-15
2243

AWS CloudFormation User Guide
Resource Attributes
"Type": "Map",
"UpdateType": "Mutable"

},
"DomainName": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-domainname",
"PrimitiveType": "String",
"Required": false,
"UpdateType": "Immutable"
},
"EBSOptions": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-ebsoptions",
"Required": false,
"Type": "EBSOptions",
"UpdateType": "Mutable"
},
"ElasticsearchClusterConfig": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/
UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domainelasticsearchclusterconfig",
"Required": false,
"Type": "ElasticsearchClusterConfig",
"UpdateType": "Mutable"
},
"ElasticsearchVersion": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-elasticsearchversion",
"PrimitiveType": "String",
"Required": false,
"UpdateType": "Immutable"
},
"SnapshotOptions": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-snapshotoptions",
"Required": false,
"Type": "SnapshotOptions",
"UpdateType": "Mutable"
},
"Tags": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-tags",
"DuplicatesAllowed": true,
"ItemType": "Tag",
"Required": false,
"Type": "List",
"UpdateType": "Mutable"
}
}
}
},
"ResourceSpecificationVersion": "1.4.1"
}

Resource Attribute Reference
This section details the attributes that you can add to a resource to control additional behaviors and
relationships.
Topics
• CreationPolicy Attribute (p. 2245)
API Version 2010-05-15
2244

AWS CloudFormation User Guide
CreationPolicy

• DeletionPolicy Attribute (p. 2248)
• DependsOn Attribute (p. 2250)
• Metadata Attribute (p. 2254)
• UpdatePolicy Attribute (p. 2255)

CreationPolicy Attribute
Associate the CreationPolicy attribute with a resource to prevent its status from reaching create
complete until AWS CloudFormation receives a speciﬁed number of success signals or the timeout period
is exceeded. To signal a resource, you can use the cfn-signal (p. 2331) helper script or SignalResource
API. AWS CloudFormation publishes valid signals to the stack events so that you track the number of
signals sent.
The creation policy is invoked only when AWS CloudFormation creates the associated
resource. Currently, the only AWS CloudFormation resources that support creation policies
are AWS::AutoScaling::AutoScalingGroup (p. 620), AWS::EC2::Instance (p. 879), and
AWS::CloudFormation::WaitCondition (p. 696).
Use the CreationPolicy attribute when you want to wait on resource conﬁguration actions before
stack creation proceeds. For example, if you install and conﬁgure software applications on an EC2
instance, you might want those applications to be running before proceeding. In such cases, you can add
a CreationPolicy attribute to the instance, and then send a success signal to the instance after the
applications are installed and conﬁgured. For a detailed example, see Deploying Applications on Amazon
EC2 with AWS CloudFormation (p. 260).

Syntax
JSON
"CreationPolicy" : {
"AutoScalingCreationPolicy" : {
"MinSuccessfulInstancesPercent" : Integer
},
"ResourceSignal" : {
"Count" : Integer,
"Timeout" : String
}
}

YAML
CreationPolicy:
AutoScalingCreationPolicy:
MinSuccessfulInstancesPercent: Integer
ResourceSignal:
Count: Integer
Timeout: String

CreationPolicy Properties
AutoScalingCreationPolicy
For an Auto Scaling group replacement update (p. 2256), speciﬁes how many instances must signal
success for the update to succeed.
API Version 2010-05-15
2245

AWS CloudFormation User Guide
CreationPolicy

MinSuccessfulInstancesPercent
Speciﬁes the percentage of instances in an Auto Scaling replacement update that must signal
success for the update to succeed. You can specify a value from 0 to 100. AWS CloudFormation
rounds to the nearest tenth of a percent. For example, if you update ﬁve instances with a
minimum successful percentage of 50, three instances must signal success. If an instance doesn't
send a signal within the time speciﬁed by the Timeout property, AWS CloudFormation assumes
that the instance wasn't created.
Default: 100
Type: Integer
Required: No
ResourceSignal
When AWS CloudFormation creates the associated resource, conﬁgures the number of required
success signals and the length of time that AWS CloudFormation waits for those signals.
Count
The number of success signals AWS CloudFormation must receive before it sets the resource
status as CREATE_COMPLETE. If the resource receives a failure signal or doesn't receive the
speciﬁed number of signals before the timeout period expires, the resource creation fails and
AWS CloudFormation rolls the stack back.
Default: 1
Type: Integer
Required: No
Timeout
The length of time that AWS CloudFormation waits for the number of signals that was speciﬁed
in the Count property. The timeout period starts after AWS CloudFormation starts creating the
resource, and the timeout expires no sooner than the time you specify but can occur shortly
thereafter. The maximum time that you can specify is 12 hours.
The value must be in ISO8601 duration format, in the form: "PT#H#M#S", where each # is the
number of hours, minutes, and seconds, respectively. For best results, specify a period of time
that gives your instances plenty of time to get up and running. A shorter timeout can cause a
rollback.
Default: PT5M (5 minutes)
Type: String
Required: No

Examples
Auto Scaling Group
The following example shows how to add a creation policy to an Auto Scaling group. The creation policy
requires three success signals and times out after 15 minutes.
To have instances wait for an Elastic Load Balancing health check before they signal success,
add a health-check veriﬁcation by using the cfn-init helper script. For an example, see the
verify_instance_health command in the Auto Scaling rolling updates sample template.
API Version 2010-05-15
2246

AWS CloudFormation User Guide
CreationPolicy

JSON
"AutoScalingGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Properties": {
"AvailabilityZones": { "Fn::GetAZs": "" },
"LaunchConfigurationName": { "Ref": "LaunchConfig" },
"DesiredCapacity": "3",
"MinSize": "1",
"MaxSize": "4"
},
"CreationPolicy": {
"ResourceSignal": {
"Count": "3",
"Timeout": "PT15M"
}
},
"UpdatePolicy" : {
"AutoScalingScheduledAction" : {
"IgnoreUnmodifiedGroupSizeProperties" : "true"
},
"AutoScalingRollingUpdate" : {
"MinInstancesInService" : "1",
"MaxBatchSize" : "2",
"PauseTime" : "PT1M",
"WaitOnResourceSignals" : "true"
}
}
},
"LaunchConfig": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Properties": {
"ImageId": "ami-16d18a7e",
"InstanceType": "t2.micro",
"UserData": {
"Fn::Base64": {
"Fn::Join" : [ "", [
"#!/bin/bash -xe\n",
"yum install -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-signal -e 0 --stack ", { "Ref": "AWS::StackName" },
" --resource AutoScalingGroup ",
" --region ", { "Ref" : "AWS::Region" }, "\n"
] ]
}
}
}
}

YAML
AutoScalingGroup:
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
AvailabilityZones:
Fn::GetAZs: ''
LaunchConfigurationName:
Ref: LaunchConfig
DesiredCapacity: '3'
MinSize: '1'
MaxSize: '4'
CreationPolicy:
ResourceSignal:
Count: '3'
Timeout: PT15M

API Version 2010-05-15
2247

AWS CloudFormation User Guide
DeletionPolicy
UpdatePolicy:
AutoScalingScheduledAction:
IgnoreUnmodifiedGroupSizeProperties: 'true'
AutoScalingRollingUpdate:
MinInstancesInService: '1'
MaxBatchSize: '2'
PauseTime: PT1M
WaitOnResourceSignals: 'true'
LaunchConfig:
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
ImageId: ami-16d18a7e
InstanceType: t2.micro
UserData:
"Fn::Base64":
!Sub |
#!/bin/bash -xe
yum update -y aws-cfn-bootstrap
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource
AutoScalingGroup --region ${AWS::Region}

WaitCondition
The following example shows how to add a creation policy to a wait condition.

JSON
"WaitCondition" : {
"Type" : "AWS::CloudFormation::WaitCondition",
"CreationPolicy" : {
"ResourceSignal" : {
"Timeout" : "PT15M",
"Count" : "5"
}
}
}

YAML
WaitCondition:
Type: AWS::CloudFormation::WaitCondition
CreationPolicy:
ResourceSignal:
Timeout: PT15M
Count: 5

DeletionPolicy Attribute
With the DeletionPolicy attribute you can preserve or (in some cases) backup a resource when its stack is
deleted. You specify a DeletionPolicy attribute for each resource that you want to control. If a resource
has no DeletionPolicy attribute, AWS CloudFormation deletes the resource by default.
Note that this capability also applies to stack update operations that lead to resources being deleted
from stacks. For example, if you remove the resource from the stack template, and then update the stack
with the template. This capability does not apply to resources whose physical instance is replaced during
stack update operations. For example, if you edit a resource's properties such that AWS CloudFormation
replaces that resource during a stack update.

Note

Exception: The default policy is Snapshot for AWS::RDS::DBCluster resources and for
AWS::RDS::DBInstance resources that don't specify the DBClusterIdentifier property.
API Version 2010-05-15
2248

AWS CloudFormation User Guide
DeletionPolicy

To keep a resource when its stack is deleted, specify Retain for that resource. You can use retain for any
resource. For example, you can retain a nested stack, Amazon S3 bucket, or EC2 instance so that you can
continue to use or modify those resources after you delete their stacks.

Note

If you want to modify resources outside of AWS CloudFormation, use a retain policy and
then delete the stack. Otherwise, your resources might get out of sync with your AWS
CloudFormation template and cause stack errors.
For resources that support snapshots, such as AWS::EC2::Volume, specify Snapshot to have AWS
CloudFormation create a snapshot before deleting the resource.
The following snippet contains an Amazon S3 bucket resource with a Retain deletion policy. When this
stack is deleted, AWS CloudFormation leaves the bucket without deleting it.

JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myS3Bucket" : {
"Type" : "AWS::S3::Bucket",
"DeletionPolicy" : "Retain"
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myS3Bucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain

DeletionPolicy Options
Delete
AWS CloudFormation deletes the resource and all its content if applicable during stack deletion. You
can add this deletion policy to any resource type. By default, if you don't specify a DeletionPolicy,
AWS CloudFormation deletes your resources. However, be aware of the following considerations:
• For AWS::RDS::DBCluster resources, the default policy is Snapshot.
• For AWS::RDS::DBInstance resources that don't specify the DBClusterIdentifier property,
the default policy is Snapshot.
• For Amazon S3 buckets, you must delete all objects in the bucket for deletion to succeed.
Retain
AWS CloudFormation keeps the resource without deleting the resource or its contents when
its stack is deleted. You can add this deletion policy to any resource type. Note that when AWS
CloudFormation completes the stack deletion, the stack will be in Delete_Complete state;
however, resources that are retained continue to exist and continue to incur applicable charges until
you delete those resources.
For update operations, the following considerations apply:
• If a resource is deleted, the DeletionPolicy retains the physical resource but ensures that it's
deleted from AWS CloudFormation's scope.
API Version 2010-05-15
2249

AWS CloudFormation User Guide
DependsOn

• If a resource is updated such that a new physical resource is created to replace the old resource,
then the old resource is completely deleted, including from AWS CloudFormation's scope.
Snapshot
For resources that support snapshots (AWS::EC2::Volume, AWS::ElastiCache::CacheCluster,
AWS::ElastiCache::ReplicationGroup, AWS::RDS::DBInstance, AWS::RDS::DBCluster,
and AWS::Redshift::Cluster), AWS CloudFormation creates a snapshot for the resource before
deleting it. Note that when AWS CloudFormation completes the stack deletion, the stack will be in
the Delete_Complete state; however, the snapshots that are created with this policy continue to
exist and continue to incur applicable charges until you delete those snapshots.

DependsOn Attribute
With the DependsOn attribute you can specify that the creation of a speciﬁc resource follows another.
When you add a DependsOn attribute to a resource, that resource is created only after the creation of
the resource speciﬁed in the DependsOn attribute.

Important

Dependent stacks also have implicit dependencies. For example, if the properties of resource A
use a !Ref to resource B, the following rule apply:
• Resource B is created before resource A.
• Resource A is deleted before resource B.
You can use the DependsOn attribute with any resource. Here are some typical uses:
• Determine when a wait condition goes into eﬀect. For more information, see Creating Wait Conditions
in a Template (p. 276).
• Declare dependencies for resources that must be created or deleted in a speciﬁc order. For example,
you must explicitly declare dependencies on gateway attachments for some resources in a VPC. For
more information, see When a DependsOn attribute is required (p. 2252).
• Override default parallelism when creating, updating, or deleting resources. AWS CloudFormation
creates, updates, and deletes resources in parallel to the extent possible. It automatically determines
which resources in a template can be parallelized and which have dependencies that require other
operations to ﬁnish ﬁrst. You can use DependsOn to explicitly specify dependencies, which overrides
the default parallelism and directs CloudFormation to operate on those resources in a speciﬁed order.

Note

During a stack update, resources that depend on updated resources are updated automatically.
AWS CloudFormation makes no changes to the automatically-updated resources, but, if a stack
policy is associated with these resources, your account must have the permissions to update
them.

Syntax
The DependsOn attribute can take a single string or list of strings.
"DependsOn" : [ String, ... ]

Example
The following template contains an AWS::EC2::Instance (p. 879) resource with a DependsOn attribute
that speciﬁes myDB, an AWS::RDS::DBInstance (p. 1341). When AWS CloudFormation creates this stack, it
ﬁrst creates myDB, then creates Ec2Instance.
API Version 2010-05-15
2250

AWS CloudFormation User Guide
DependsOn

JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Mappings" : {
"RegionMap" : {
"us-east-1" : { "AMI" : "ami-76f0061f" },
"us-west-1" : { "AMI" : "ami-655a0a20" },
"eu-west-1" : { "AMI" : "ami-7fd4e10b" },
"ap-northeast-1" : { "AMI" : "ami-8e08a38f" },
"ap-southeast-1" : { "AMI" : "ami-72621c20" }
}
},
"Resources" : {
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : {
"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]
}
},
"DependsOn" : "myDB"
},
"myDB" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"AllocatedStorage" : "5",
"DBInstanceClass" : "db.m1.small",
"Engine" : "MySQL",
"EngineVersion" : "5.5",
"MasterUsername" : "MyName",
"MasterUserPassword" : "MyPassword"
}
}
}

YAML
AWSTemplateFormatVersion: '2010-09-09'
Mappings:
RegionMap:
us-east-1:
AMI: ami-76f0061f
us-west-1:
AMI: ami-655a0a20
eu-west-1:
AMI: ami-7fd4e10b
ap-northeast-1:
AMI: ami-8e08a38f
ap-southeast-1:
AMI: ami-72621c20
Resources:
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId:
Fn::FindInMap:
- RegionMap
- Ref: AWS::Region
- AMI
DependsOn: myDB

API Version 2010-05-15
2251

AWS CloudFormation User Guide
DependsOn
myDB:
Type: AWS::RDS::DBInstance
Properties:
AllocatedStorage: '5'
DBInstanceClass: db.m1.small
Engine: MySQL
EngineVersion: '5.5'
MasterUsername: MyName
MasterUserPassword: MyPassword

When a DependsOn attribute is required
VPC-gateway attachment
Some resources in a VPC require a gateway (either an Internet or VPN gateway). If your AWS
CloudFormation template deﬁnes a VPC, a gateway, and a gateway attachment, any resources
that require the gateway are dependent on the gateway attachment. For example, an Amazon EC2
instance with a public IP address is dependent on the VPC-gateway attachment if the VPC and
InternetGateway resources are also declared in the same template.
Currently, the following resources depend on a VPC-gateway attachment when they have an associated
public IP address and are in a VPC:
• Auto Scaling groups
• Amazon EC2 instances
• Elastic Load Balancing load balancers
• Elastic IP addresses
• Amazon RDS database instances
• Amazon VPC routes that include the Internet gateway
A VPN gateway route propagation depends on a VPC-gateway attachment when you have a VPN
gateway.
The following snippet shows a sample gateway attachment and an Amazon EC2 instance that depends
on a gateway attachment:

JSON
"GatewayToInternet" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "InternetGateway" }
}
},
"EC2Host" : {
"Type" : "AWS::EC2::Instance",
"DependsOn" : "GatewayToInternet",
"Properties" : {
"InstanceType" : { "Ref" : "EC2InstanceType" },
"KeyName" : { "Ref" : "KeyName" },
"ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" },
{ "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" : "EC2InstanceType" },
"Arch" ] } ] },
"NetworkInterfaces" : [{
"GroupSet"
: [{ "Ref" : "EC2SecurityGroup" }],
"AssociatePublicIpAddress" : "true",

API Version 2010-05-15
2252

AWS CloudFormation User Guide
DependsOn
"DeviceIndex"
"DeleteOnTermination"
"SubnetId"

}

}

}]

: "0",
: "true",
: { "Ref" : "PublicSubnet" }

YAML
GatewayToInternet:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: InternetGateway
EC2Host:
Type: AWS::EC2::Instance
DependsOn: GatewayToInternet
Properties:
InstanceType:
Ref: EC2InstanceType
KeyName:
Ref: KeyName
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- AWSInstanceType2Arch
- Ref: EC2InstanceType
- Arch
NetworkInterfaces:
- GroupSet:
- Ref: EC2SecurityGroup
AssociatePublicIpAddress: 'true'
DeviceIndex: '0'
DeleteOnTermination: 'true'
SubnetId:
Ref: PublicSubnet

Amazon ECS Service and Auto Scaling Group
When you use Auto Scaling or Amazon Elastic Compute Cloud (Amazon EC2) to create container
instances for an Amazon ECS cluster, the Amazon ECS service resource must have a dependency on the
Auto Scaling group or Amazon EC2 instances, as shown in the following snippet. That way the container
instances are available and associated with the Amazon ECS cluster before AWS CloudFormation creates
the Amazon ECS service.

JSON
"service": {
"Type": "AWS::ECS::Service",
"DependsOn": ["ECSAutoScalingGroup"],
"Properties" : {
"Cluster": {"Ref": "ECSCluster"},
"DesiredCount": "1",
"LoadBalancers": [
{
"ContainerName": "simple-app",
"ContainerPort": "80",

API Version 2010-05-15
2253

AWS CloudFormation User Guide
Metadata

}

}

}

"LoadBalancerName" : { "Ref" : "EcsElasticLoadBalancer" }

],
"Role" : {"Ref":"ECSServiceRole"},
"TaskDefinition" : {"Ref":"taskdefinition"}

YAML
service:
Type: AWS::ECS::Service
DependsOn:
- ECSAutoScalingGroup
Properties:
Cluster:
Ref: ECSCluster
DesiredCount: 1
LoadBalancers:
- ContainerName: simple-app
ContainerPort: 80
LoadBalancerName:
Ref: EcsElasticLoadBalancer
Role:
Ref: ECSServiceRole
TaskDefinition:
Ref: taskdefinition

IAM Role Policy
Resources that make additional calls to AWS require a service role, which permits a service to make calls
to AWS on your behalf. For example, the AWS::CodeDeploy::DeploymentGroup resource requires a
service role so that AWS CodeDeploy has permissions to deploy applications to your instances. When you
have a single template that deﬁnes a service role, the role's policy (by using the AWS::IAM::Policy or
AWS::IAM::ManagedPolicy resource), and a resource that uses the role, add a dependency so that the
resource depends on the role's policy. This dependency ensures that the policy is available throughout
the resource's lifecycle.
For example, imagine that you have a template with a deployment group resource, a service role, and
the role's policy. When you create a stack, AWS CloudFormation won't create the deployment group until
it creates the role's policy. Without the dependency, AWS CloudFormation can create the deployment
group resource before it creates the role's policy. If that happens, the deployment group will fail to
create because of insuﬃcient permissions.
If the role has an embedded policy, don't specify a dependency. AWS CloudFormation creates the role
and its policy at the same time.

Metadata Attribute
The Metadata attribute enables you to associate structured data with a resource. By adding a Metadata
attribute to a resource, you can add data in JSON or YAML to the resource declaration. In addition,
you can use intrinsic functions (such as GetAtt (p. 2285) and Ref (p. 2311)), parameters, and pseudo
parameters within the Metadata attribute to add those interpreted values.

Note

AWS CloudFormation does not validate the syntax within the Metadata attribute.
You can retrieve this data using the AWS command aws cloudformation describe-stackresource or the DescribeStackResource action.
API Version 2010-05-15
2254

AWS CloudFormation User Guide
UpdatePolicy

Example
The following template contains an Amazon S3 bucket resource with a Metadata attribute.

JSON
{

}

"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"MyS3Bucket" : {
"Type" : "AWS::S3::Bucket",
"Metadata" : { "Object1" : "Location1",
}
}

"Object2" : "Location2" }

YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
MyS3Bucket:
Type: AWS::S3::Bucket
Metadata:
Object1: Location1
Object2: Location2

UpdatePolicy Attribute
Use the UpdatePolicy attribute to specify how AWS CloudFormation handles updates to the
AWS::AutoScaling::AutoScalingGroup or AWS::Lambda::Alias resource.
For AWS::AutoScaling::AutoScalingGroup resources, AWS CloudFormation invokes one of three
update policies depending on the type of change you make or whether a scheduled action is associated
with the Auto Scaling group.
• The AutoScalingReplacingUpdate and AutoScalingRollingUpdate policies apply only when
you do one or more of the following:
• Change the Auto Scaling group's AWS::AutoScaling::LaunchConfiguration.
• Change the Auto Scaling group's VPCZoneIdentifier property
• Change the Auto Scaling group's LaunchTemplate property
• Update an Auto Scaling group that contains instances that don't match the current
LaunchConfiguration.
If both the AutoScalingReplacingUpdate and AutoScalingRollingUpdate policies are
speciﬁed, setting the WillReplace property to true gives AutoScalingReplacingUpdate
precedence.
• The AutoScalingScheduledAction policy applies when you update a stack that includes an Auto
Scaling group with an associated scheduled action.
For AWS::Lambda::Alias resources, AWS CloudFormation performs an AWS CodeDeploy deployment
when the version changes on the alias. For more information, see CodeDeployLambdaAliasUpdate
Policy (p. 2260).
API Version 2010-05-15
2255

AWS CloudFormation User Guide
UpdatePolicy

AutoScalingReplacingUpdate Policy
To specify how AWS CloudFormation handles replacement updates for an Auto Scaling group,
use the AutoScalingReplacingUpdate policy. This policy enables you to specify whether AWS
CloudFormation replaces an Auto Scaling group with a new one or replaces only the instances in the
Auto Scaling group.

Important

Before attempting an update, ensure that you have suﬃcient Amazon EC2 capacity for both
your old and new Auto Scaling groups.

Syntax
JSON
"UpdatePolicy" : {
"AutoScalingReplacingUpdate (p. 2256)" : {
"WillReplace" : Boolean
}
}

YAML
UpdatePolicy:
AutoScalingReplacingUpdate (p. 2256):
WillReplace: Boolean

Properties
WillReplace
Speciﬁes whether an Auto Scaling group and the instances it contains are replaced during an update.
During replacement, AWS CloudFormation retains the old group until it ﬁnishes creating the new
one. If the update fails, AWS CloudFormation can roll back to the old Auto Scaling group and delete
the new Auto Scaling group.
While AWS CloudFormation creates the new group, it doesn't detach or attach any instances. After
successfully creating the new Auto Scaling group, AWS CloudFormation deletes the old Auto Scaling
group during the cleanup process.
When you set the WillReplace parameter, remember to specify a matching CreationPolicy. If
the minimum number of instances (speciﬁed by the MinSuccessfulInstancesPercent property)
don't signal success within the Timeout period (speciﬁed in the CreationPolicy policy), the
replacement update fails and AWS CloudFormation rolls back to the old Auto Scaling group.
Type: Boolean
Required: No

AutoScalingRollingUpdate Policy
To specify how AWS CloudFormation handles rolling updates for an Auto Scaling group, use
the AutoScalingRollingUpdate policy. Rolling updates enable you to specify whether AWS
CloudFormation updates instances that are in an Auto Scaling group in batches or all at once.

Important

During a rolling update, some Auto Scaling processes might make changes to the Auto Scaling
group before AWS CloudFormation completes the rolling update. These changes might cause
API Version 2010-05-15
2256

AWS CloudFormation User Guide
UpdatePolicy

the rolling update to fail. To prevent Auto Scaling from running processes during a rolling
update, use the SuspendProcesses property. For more information, see What are some
recommended best practices for performing Auto Scaling group rolling updates?

Syntax
JSON
"UpdatePolicy" : {
"AutoScalingRollingUpdate (p. 2256)" : {
"MaxBatchSize" : Integer,
"MinInstancesInService" : Integer,
"MinSuccessfulInstancesPercent" : Integer
"PauseTime" : String,
"SuspendProcesses" : [ List of processes ],
"WaitOnResourceSignals" : Boolean
}
}

YAML
UpdatePolicy:
AutoScalingRollingUpdate (p. 2256):
MaxBatchSize: Integer
MinInstancesInService: Integer
MinSuccessfulInstancesPercent: Integer
PauseTime: String
SuspendProcesses:
- List of processes
WaitOnResourceSignals: Boolean

Properties
MaxBatchSize
Speciﬁes the maximum number of instances that AWS CloudFormation updates.
Default: 1
Type: Integer
Required: No
MinInstancesInService
Speciﬁes the minimum number of instances that must be in service within the Auto Scaling group
while AWS CloudFormation updates old instances.
Default: 0
Type: Integer
Required: No
MinSuccessfulInstancesPercent
Speciﬁes the percentage of instances in an Auto Scaling rolling update that must signal success for
an update to succeed. You can specify a value from 0 to 100. AWS CloudFormation rounds to the
nearest tenth of a percent. For example, if you update ﬁve instances with a minimum successful
percentage of 50, three instances must signal success.
API Version 2010-05-15
2257

AWS CloudFormation User Guide
UpdatePolicy

If an instance doesn't send a signal within the time speciﬁed in the PauseTime property, AWS
CloudFormation assumes that the instance wasn't updated.
If you specify this property, you must also enable the WaitOnResourceSignals and PauseTime
properties.
Default: 100
Type: Integer
Required: No
PauseTime
The amount of time that AWS CloudFormation pauses after making a change to a batch of instances
to give those instances time to start software applications. For example, you might need to specify
PauseTime when scaling up the number of instances in an Auto Scaling group.
If you enable the WaitOnResourceSignals property, PauseTime is the amount of time that AWS
CloudFormation should wait for the Auto Scaling group to receive the required number of valid
signals from added or replaced instances. If the PauseTime is exceeded before the Auto Scaling
group receives the required number of signals, the update fails. For best results, specify a time
period that gives your applications suﬃcient time to get started. If the update needs to be rolled
back, a short PauseTime can cause the rollback to fail.
Specify PauseTime in the ISO8601 duration format (in the format PT#H#M#S, where each # is the
number of hours, minutes, and seconds, respectively). The maximum PauseTime is one hour (PT1H).
Default: PT0S (zero seconds). If the WaitOnResourceSignals property is set to true, the default
is PT5M.
Type: String
Required: No
SuspendProcesses
Speciﬁes the Auto Scaling processes to suspend during a stack update. Suspending processes
prevents Auto Scaling from interfering with a stack update. For example, you can suspend alarming
so that Amazon EC2 Auto Scaling doesn't execute scaling policies associated with an alarm. For valid
values, see the ScalingProcesses.member.N parameter for the SuspendProcesses action in the
Amazon EC2 Auto Scaling API Reference.
Default: Not speciﬁed
Type: List of Auto Scaling processes
Required: No
WaitOnResourceSignals
Speciﬁes whether the Auto Scaling group waits on signals from new instances during an update.
Use this property to ensure that instances have completed installing and conﬁguring applications
before the Auto Scaling group update proceeds. AWS CloudFormation suspends the update of an
Auto Scaling group after new EC2 instances are launched into the group. AWS CloudFormation
must receive a signal from each new instance within the speciﬁed PauseTime before continuing the
update. To signal the Auto Scaling group, use the cfn-signal helper script or SignalResource API.
To have instances wait for an Elastic Load Balancing health check before they signal success,
add a health-check veriﬁcation by using the cfn-init helper script. For an example, see the
verify_instance_health command in the Auto Scaling rolling updates sample template.
API Version 2010-05-15
2258

AWS CloudFormation User Guide
UpdatePolicy

Default: false
Type: Boolean
Required: Conditional. If you specify the MinSuccessfulInstancesPercent property, you must
also enable the WaitOnResourceSignals and PauseTime properties.

AutoScalingScheduledAction Policy
To specify how AWS CloudFormation handles updates for the MinSize, MaxSize, and
DesiredCapacity properties when the AWS::AutoScaling::AutoScalingGroup resource has an
associated scheduled action, use the AutoScalingScheduledAction policy.
With scheduled actions, the group size properties of an Auto Scaling group can change at any time.
When you update a stack with an Auto Scaling group and scheduled action, AWS CloudFormation always
sets the group size property values of your Auto Scaling group to the values that are deﬁned in the
AWS::AutoScaling::AutoScalingGroup resource of your template, even if a scheduled action is in
eﬀect.
If you do not want AWS CloudFormation to change any of the group size property values when you have
a scheduled action in eﬀect, use the AutoScalingScheduledAction update policy to prevent AWS
CloudFormation from changing the MinSize, MaxSize, or DesiredCapacity properties unless you
have modiﬁed these values in your template.

Syntax
JSON
"UpdatePolicy" : {
"AutoScalingScheduledAction (p. 2259)" : {
"IgnoreUnmodifiedGroupSizeProperties" : Boolean
}
}

YAML
UpdatePolicy:
AutoScalingScheduledAction (p. 2259):
IgnoreUnmodifiedGroupSizeProperties: Boolean

Properties
IgnoreUnmodifiedGroupSizeProperties
Speciﬁes whether AWS CloudFormation ignores diﬀerences in group size properties
between your current Auto Scaling group and the Auto Scaling group described in the
AWS::AutoScaling::AutoScalingGroup resource of your template during a stack update. If
you modify any of the group size property values in your template, AWS CloudFormation uses the
modiﬁed values and updates your Auto Scaling group.
Default: false
Type: Boolean
Required: No
API Version 2010-05-15
2259

AWS CloudFormation User Guide
UpdatePolicy

CodeDeployLambdaAliasUpdate Policy
To perform an AWS CodeDeploy deployment when the version changes on an AWS::Lambda::Alias
resource, use the CodeDeployLambdaAliasUpdate update policy.

Syntax
JSON
"UpdatePolicy" : {
"CodeDeployLambdaAliasUpdate (p. 2260)" : {
"AfterAllowTrafficHook" : String,
"ApplicationName" : String,
"BeforeAllowTrafficHook" : String,
"DeploymentGroupName" : String
}
}

YAML
UpdatePolicy:
CodeDeployLambdaAliasUpdate (p. 2260):
AfterAllowTrafficHook: String
ApplicationName: String
BeforeAllowTrafficHook: String
DeploymentGroupName: String

Properties
AfterAllowTrafficHook
The name of the Lambda function to run after traﬃc routing completes.
Required: No
Type: String
ApplicationName
The name of the AWS CodeDeploy application.
Required: Yes
Type: String
BeforeAllowTrafficHook
The name of the Lambda function to run before traﬃc routing starts.
Required: No
Type: String
DeploymentGroupName
The name of the AWS CodeDeploy deployment group. This is where the traﬃc-shifting policy is set.
Required: Yes
Type: String
API Version 2010-05-15
2260

AWS CloudFormation User Guide
UpdatePolicy

For an example that speciﬁes the UpdatePolicy attribute for an AWS::Lambda::Alias resource, see
Lambda Alias Update Policy (p. 2263).

Examples
The following examples show how to add an update policy to an Auto Scaling group and how to
maintain availability when updating metadata.

Add an UpdatePolicy to an Auto Scaling Group
The following example shows how to add an update policy. During an update, the Auto Scaling group
updates instances in batches of two and keeps a minimum of one instance in service. Because the
WaitOnResourceSignals ﬂag is set, the Auto Scaling group waits for new instances that are added
to the group. The new instances must signal the Auto Scaling group before it updates the next batch of
instances.

JSON
"ASG" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"AvailabilityZones" : [
"us-east-1a",
"us-east-1b"
],
"DesiredCapacity" : "1",
"LaunchConfigurationName" : {
"Ref" : "LaunchConfig"
},
"MaxSize" : "4",
"MinSize" : "1"
},
"UpdatePolicy" : {
"AutoScalingScheduledAction" : {
"IgnoreUnmodifiedGroupSizeProperties" : "true"
},
"AutoScalingRollingUpdate" : {
"MinInstancesInService" : "1",
"MaxBatchSize" : "2",
"WaitOnResourceSignals" : "true",
"PauseTime" : "PT10M"
}
}
},
"ScheduledAction" : {
"Type" : "AWS::AutoScaling::ScheduledAction",
"Properties" : {
"AutoScalingGroupName" : {
"Ref" : "ASG"
},
"DesiredCapacity" : "2",
"StartTime" : "2017-06-02T20 : 00 : 00Z"
}
}

YAML
ASG:
Type: 'AWS::AutoScaling::AutoScalingGroup'
Properties:
AvailabilityZones:
- us-east-1a

API Version 2010-05-15
2261

AWS CloudFormation User Guide
UpdatePolicy
- us-east-1b
DesiredCapacity: '1'
LaunchConfigurationName:
Ref: LaunchConfig
MaxSize: '4'
MinSize: '1'
UpdatePolicy:
AutoScalingScheduledAction:
IgnoreUnmodifiedGroupSizeProperties: 'true'
AutoScalingRollingUpdate:
MinInstancesInService: '1'
MaxBatchSize: '2'
WaitOnResourceSignals: 'true'
PauseTime: PT10M
ScheduledAction:
Type: 'AWS::AutoScaling::ScheduledAction'
Properties:
AutoScalingGroupName:
Ref: ASG
DesiredCapacity: '2'
StartTime: '2017-06-02T20 : 00 : 00Z'

AutoScalingReplacingUpdate Policy
The following example declares a policy that forces an associated Auto Scaling group to be
replaced during an update. For the update to succeed, a percentage of instances (speciﬁed by the
MinSuccessfulPercentParameter parameter) must signal success within the Timeout period.

JSON
"UpdatePolicy" : {
"AutoScalingReplacingUpdate" : {
"WillReplace" : "true"
}
},
"CreationPolicy" : {
"ResourceSignal" : {
"Count" : { "Ref" : "ResourceSignalsOnCreate"},
"Timeout" : "PT10M"
},
"AutoScalingCreationPolicy" : {
"MinSuccessfulInstancesPercent" : { "Ref" : "MinSuccessfulPercentParameter" }
}
}

YAML
UpdatePolicy:
AutoScalingReplacingUpdate:
WillReplace: 'true'
CreationPolicy:
ResourceSignal:
Count: !Ref 'ResourceSignalsOnCreate'
Timeout: PT10M
AutoScalingCreationPolicy:
MinSuccessfulInstancesPercent: !Ref 'MinSuccessfulPercentParameter'

Maintain Availability When Updating the Metadata for the cfn-init Helper Script
When you install software applications on your instances, you might use the
AWS::CloudFormation::Init metadata key and the cfn-init helper script to bootstrap the
API Version 2010-05-15
2262

AWS CloudFormation User Guide
UpdatePolicy

instances in your Auto Scaling group. AWS CloudFormation installs the packages, runs the commands,
and performs other bootstrapping actions described in the metadata.
When you update only the metadata (for example, when updating a package to another version), you
can use the cfn-hup helper daemon to detect and apply the updates. However, the cfn-hup daemon
runs independently on each instance. If the daemon happens to runs at the same time on all instances,
your application or service might be unavailable during the update. To guarantee availability, you can
force a rolling update so that AWS CloudFormation updates your instances one batch at a time.

Important

Forcing a rolling update requires AWS CloudFormation to create a new instance and then delete
the old one. Any information stored on the old instance is lost.
To force a rolling update, change the logical ID of the launch conﬁguration resource, and then update
the stack and any references pointing to the original logic ID (such as the associated Auto Scaling group).
AWS CloudFormation triggers a rolling update on the Auto Scaling group, replacing all instances.

Original Template
"LaunchConfig": {
"Type" : "AWS::AutoScaling::LaunchConfiguration",
"Metadata" : {
"Comment" : "Install a simple PHP application",
"AWS::CloudFormation::Init" : {
...
}
}
}

Updated Logical ID
"LaunchConfigUpdateRubygemsPkg": {
"Type" : "AWS::AutoScaling::LaunchConfiguration",
"Metadata" : {
"Comment" : "Install a simple PHP application",
"AWS::CloudFormation::Init" : {
...
}
}
}

Lambda Alias Update Policy
The following example speciﬁes the UpdatePolicy attribute for an AWS::Lambda::Alias resource.
All the details for the deployment are deﬁned by the application and deployment group that are passed
into the policy.

JSON
"Alias": {
"Type": "AWS::Lambda::Alias",
"Properties": {
"FunctionName": {
"Ref": "LambdaFunction"
},
"FunctionVersion": {
"Fn::GetAtt": [
"FunctionVersionTwo",
"Version"
]

API Version 2010-05-15
2263

AWS CloudFormation User Guide
Intrinsic Functions
},
"Name": "MyAlias"

}

},
"UpdatePolicy": {
"CodeDeployLambdaAliasUpdate": {
"ApplicationName": {
"Ref": "CodeDeployApplication"
},
"DeploymentGroupName": {
"Ref": "CodeDeployDeploymentGroup"
},
"BeforeAllowTrafficHook": {
"Ref": "PreHookLambdaFunction"
},
"AfterAllowTrafficHook": {
"Ref": "PreHookLambdaFunction"
}
}
}

YAML
Alias:
Type: 'AWS::Lambda::Alias'
Properties:
FunctionName: !Ref LambdaFunction
FunctionVersion: !GetAtt FunctionVersionTwo.Version
Name: MyAlias
UpdatePolicy:
CodeDeployLambdaAliasUpdate:
ApplicationName: !Ref CodeDeployApplication
DeploymentGroupName: !Ref CodeDeployDeploymentGroup
BeforeAllowTrafficHook: !Ref PreHookLambdaFunction
AfterAllowTrafficHook: !Ref PreHookLambdaFunction

Intrinsic Function Reference
AWS CloudFormation provides several built-in functions that help you manage your stacks. Use intrinsic
functions in your templates to assign values to properties that are not available until runtime.

Note

You can use intrinsic functions only in speciﬁc parts of a template. Currently, you can use
intrinsic functions in resource properties, outputs, metadata attributes, and update policy
attributes. You can also use intrinsic functions to conditionally create stack resources.
Topics
• Fn::Base64 (p. 2265)
• Fn::Cidr (p. 2266)
• Condition Functions (p. 2268)
• Fn::FindInMap (p. 2283)
• Fn::GetAtt (p. 2285)
• Fn::GetAZs (p. 2298)
• Fn::ImportValue (p. 2300)
• Fn::Join (p. 2302)
• Fn::Select (p. 2304)
API Version 2010-05-15
2264

AWS CloudFormation User Guide
Fn::Base64

• Fn::Split (p. 2306)
• Fn::Sub (p. 2308)
• Ref (p. 2311)

Fn::Base64
The intrinsic function Fn::Base64 returns the Base64 representation of the input string. This function is
typically used to pass encoded data to Amazon EC2 instances by way of the UserData property.

Declaration
JSON
{ "Fn::Base64" : valueToEncode }

YAML
Syntax for the full function name:
Fn::Base64: valueToEncode

Syntax for the short form:
!Base64 valueToEncode

Note

If you use the short form and immediately include another function in the valueToEncode
parameter, use the full function name for at least one of the functions. For example, the
following syntax is invalid:
!Base64 !Sub string
!Base64 !Ref logical_ID

Instead, use the full function name for at least one of the functions, as shown in the following
examples:
!Base64
"Fn::Sub": string
Fn::Base64:
!Sub string

Parameters
valueToEncode
The string value you want to convert to Base64.

Return Value:
The original string, in Base64 representation.
API Version 2010-05-15
2265

AWS CloudFormation User Guide
Fn::Cidr

Example
JSON
{ "Fn::Base64" : "AWS CloudFormation" }

YAML
Fn::Base64: AWS CloudFormation

Supported Functions
You can use any function that returns a string inside the Fn::Base64 function.

See Also
• Intrinsic Function Reference (p. 2264)

Fn::Cidr
The intrinsic function Fn::Cidr returns an array of CIDR address blocks. The number of CIDR blocks
returned is dependent on the count parameter.

Declaration
JSON
{ "Fn::Cidr" : [ipBlock, count, cidrBits]}

YAML
Syntax for the full function name:
Fn::Cidr:
- ipBlock
- count
- cidrBits

Syntax for the short form:
!Cidr [ ipBlock, count, cidrBits ]

Parameters
ipBlock
The user-speciﬁed CIDR address block to be split into smaller CIDR blocks.
count
The number of CIDRs to generate. Valid range is between 1 and 256.
API Version 2010-05-15
2266

AWS CloudFormation User Guide
Fn::Cidr

cidrBits
The number of subnet bits for the CIDR. For example, specifying a value "8" for this parameter will
create a CIDR with a mask of "/24".

Note

Subnet bits is the inverse of subnet mask. To calculate the required host bits for a given
subnet bits, subtract the subnet bits from 32 for IPv4 or 128 for IPv6.

Return Value
An array of CIDR address blocks.

Example
Basic Usage
This example create 6 CIDRs with a subnet mask "/27" inside from a CIDR with a mask of "/24".

JSON
{ "Fn::Cidr" : [ "192.168.0.0/24", "6", "5"] }

YAML
!Cidr [ "192.168.0.0/24", 6, 5 ]

Creating an IPv6 enabled VPC
This example template creates an IPv6 enabled subnet.

JSON
{

"Resources" : {
"ExampleVpc" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : "10.0.0.0/16"
}
},
"IPv6CidrBlock" : {
"Type" : "AWS::EC2::VPCCidrBlock",
"Properties" : {
"AmazonProvidedIpv6CidrBlock" : true,
"VpcId" : { "Ref" : "ExampleVpc" }
}
},
"ExampleSubnet" : {
"Type" : "AWS::EC2::Subnet",
"DependsOn" : "IPv6CidrBlock",
"Properties" : {
"AssignIpv6AddressOnCreation" : true,
"CidrBlock" : { "Fn::Select" : [ 0, { "Fn::Cidr" : [{ "Fn::GetAtt" :
[ "ExampleVpc", "CidrBlock" ]}, 1, 8 ]}]},
"Ipv6CidrBlock" : { "Fn::Select" : [ 0, { "Fn::Cidr" : [{ "Fn::Select" : [ 0,
{ "Fn::GetAtt" : [ "ExampleVpc", "Ipv6CidrBlocks" ]}]}, 1, 64 ]}]},
"VpcId" : { "Ref" : "ExampleVpc" }

API Version 2010-05-15
2267

AWS CloudFormation User Guide
Condition Functions

}

}

}

}

YAML
Resources:
ExampleVpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: "10.0.0.0/16"
IPv6CidrBlock:
Type: AWS::EC2::VPCCidrBlock
Properties:
AmazonProvidedIpv6CidrBlock: true
VpcId: !Ref ExampleVpc
ExampleSubnet:
Type: AWS::EC2::Subnet
DependsOn: IPv6CidrBlock
Properties:
AssignIpv6AddressOnCreation: true
CidrBlock: !Select [ 0, !Cidr [ !GetAtt ExampleVpc.CidrBlock, 1, 8 ]]
Ipv6CidrBlock: !Select [ 0, !Cidr [ !Select [ 0, !GetAtt
ExampleVpc.Ipv6CidrBlocks], 1, 64 ]]
VpcId: !Ref ExampleVpc

Supported Functions
You can use the following functions in a Fn::Cidr function:
• Fn::Select (p. 2304)
• Ref (p. 2311)

Condition Functions
You can use intrinsic functions, such as Fn::If, Fn::Equals, and Fn::Not, to conditionally create
stack resources. These conditions are evaluated based on input parameters that you declare when you
create or update a stack. After you deﬁne all your conditions, you can associate them with resources or
resource properties in the Resources and Outputs sections of a template.
You deﬁne all conditions in the Conditions section of a template except for Fn::If conditions. You can
use the Fn::If condition in the metadata attribute, update policy attribute, and property values in the
Resources section and Outputs sections of a template.
You might use conditions when you want to reuse a template that can create resources in diﬀerent
contexts, such as a test environment versus a production environment. In your template, you can add an
EnvironmentType input parameter, which accepts either prod or test as inputs. For the production
environment, you might include Amazon EC2 instances with certain capabilities; however, for the test
environment, you want to use less capabilities to save costs. With conditions, you can deﬁne which
resources are created and how they're conﬁgured for each environment type.
For more information about the Conditions section, see Conditions (p. 187).

Note

You can only reference other conditions and values from the Parameters and Mappings sections
of a template. For example, you can reference a value from an input parameter, but you cannot
reference the logical ID of a resource in a condition.
API Version 2010-05-15
2268

AWS CloudFormation User Guide
Condition Functions

Topics
• Fn::And (p. 2270)
• Fn::Equals (p. 2271)
• Fn::If (p. 2272)
• Fn::Not (p. 2275)
• Fn::Or (p. 2276)
• Supported Functions (p. 2276)
• Sample Templates (p. 2277)
Associating a Condition
To conditionally create resources, resource properties, or outputs, you must associate a condition
with them. Add the Condition: key and the logical ID of the condition as an attribute to associate a
condition, as shown in the following snippet. AWS CloudFormation creates the NewVolume resource only
when the CreateProdResources condition evaluates to true.

Example JSON
"NewVolume" : {
"Type" : "AWS::EC2::Volume",
"Condition" : "CreateProdResources",
"Properties" : {
"Size" : "100",
"AvailabilityZone" : { "Fn::GetAtt" : [ "EC2Instance", "AvailabilityZone" ]}
}

Example YAML
NewVolume:
Type: "AWS::EC2::Volume"
Condition: CreateProdResources
Properties:
Size: 100
AvailabilityZone: !GetAtt EC2Instance.AvailabilityZone

For the Fn::If function, you only need to specify the condition name. The following snippet shows how
to use Fn::If to conditionally specify a resource property. If the CreateLargeSize condition is true,
AWS CloudFormation sets the volume size to 100. If the condition is false, AWS CloudFormation sets the
volume size to 10.

Example JSON
"NewVolume" : {
"Type" : "AWS::EC2::Volume",
"Properties" : {
"Size" : {
"Fn::If" : [
"CreateLargeSize",
"100",
"10"
]},
"AvailabilityZone" : { "Fn::GetAtt" : [ "Ec2Instance", "AvailabilityZone" ]}
},
"DeletionPolicy" : "Snapshot"
}

API Version 2010-05-15
2269

AWS CloudFormation User Guide
Condition Functions

Example YAML
NewVolume:
Type: "AWS::EC2::Volume"
Properties:
Size:
!If [CreateLargeSize, 100, 10]
AvailabilityZone: !GetAtt: Ec2Instance.AvailabilityZone
DeletionPolicy: Snapshot

You can also use conditions inside other conditions. The following snippet is from the Conditions
section of a template. The MyAndCondition condition includes the SomeOtherCondition condition:

Example JSON
"MyAndCondition": {
"Fn::And": [
{"Fn::Equals": ["sg-mysggroup", {"Ref": "ASecurityGroup"}]},
{"Condition": "SomeOtherCondition"}
]
}

Example YAML
MyAndCondition: !And
- !Equals ["sg-mysggroup", !Ref "ASecurityGroup"]
- !Condition SomeOtherCondition

Fn::And
Returns true if all the speciﬁed conditions evaluate to true, or returns false if any one of the
conditions evaluates to false. Fn::And acts as an AND operator. The minimum number of conditions
that you can include is 2, and the maximum is 10.

Declaration
JSON
"Fn::And": [{condition}, {...}]

YAML
Syntax for the full function name:
Fn::And: [condition]

Syntax for the short form:
!And [condition]

Parameters
condition
A condition that evaluates to true or false.
API Version 2010-05-15
2270

AWS CloudFormation User Guide
Condition Functions

Example
The following MyAndCondition evaluates to true if the referenced security group name is equal to sgmysggroup and if SomeOtherCondition evaluates to true:

JSON
"MyAndCondition": {
"Fn::And": [
{"Fn::Equals": ["sg-mysggroup", {"Ref": "ASecurityGroup"}]},
{"Condition": "SomeOtherCondition"}
]
}

YAML
MyAndCondition: !And
- !Equals ["sg-mysggroup", !Ref ASecurityGroup]
- !Condition SomeOtherCondition

Fn::Equals
Compares if two values are equal. Returns true if the two values are equal or false if they aren't.

Declaration
JSON
"Fn::Equals" : ["value_1", "value_2"]

YAML
Syntax for the full function name:
Fn::Equals: [value_1, value_2]

Syntax for the short form:
!Equals [value_1, value_2]

Parameters
value
A value of any type that you want to compare.

Example
The following UseProdCondition condition evaluates to true if the value for the EnvironmentType
parameter is equal to prod:

JSON
"UseProdCondition" : {

API Version 2010-05-15
2271

AWS CloudFormation User Guide
Condition Functions

}

"Fn::Equals": [
{"Ref": "EnvironmentType"},
"prod"
]

YAML
UseProdCondition:
!Equals [!Ref EnvironmentType, prod]

Fn::If
Returns one value if the speciﬁed condition evaluates to true and another value if the speciﬁed
condition evaluates to false. Currently, AWS CloudFormation supports the Fn::If intrinsic function
in the metadata attribute, update policy attribute, and property values in the Resources section and
Outputs sections of a template. You can use the AWS::NoValue pseudo parameter as a return value to
remove the corresponding property.

Declaration
JSON
"Fn::If": [condition_name, value_if_true, value_if_false]

YAML
Syntax for the full function name:
Fn::If: [condition_name, value_if_true, value_if_false]

Syntax for the short form:
!If [condition_name, value_if_true, value_if_false]

Parameters
condition_name
A reference to a condition in the Conditions section. Use the condition's name to reference it.
value_if_true
A value to be returned if the speciﬁed condition evaluates to true.
value_if_false
A value to be returned if the speciﬁed condition evaluates to false.

Examples
To view additional samples, see Sample Templates (p. 2277).

Example 1
The following snippet uses an Fn::If function in the SecurityGroups property for an Amazon EC2
resource. If the CreateNewSecurityGroup condition evaluates to true, AWS CloudFormation uses the
API Version 2010-05-15
2272

AWS CloudFormation User Guide
Condition Functions

referenced value of NewSecurityGroup to specify the SecurityGroups property; otherwise, AWS
CloudFormation uses the referenced value of ExistingSecurityGroup.

JSON
"SecurityGroups" : [{
"Fn::If" : [
"CreateNewSecurityGroup",
{"Ref" : "NewSecurityGroup"},
{"Ref" : "ExistingSecurityGroup"}
]
}]

YAML
SecurityGroups:
- !If [CreateNewSecurityGroup, !Ref NewSecurityGroup, !Ref ExistingSecurityGroup]

Example 2
In the Output section of a template, you can use the Fn::If function to conditionally output
information. In the following snippet, if the CreateNewSecurityGroup condition evaluates to true,
AWS CloudFormation outputs the security group ID of the NewSecurityGroup resource. If the condition
is false, AWS CloudFormation outputs the security group ID of the ExistingSecurityGroup resource.

JSON
"Outputs" : {
"SecurityGroupId" : {
"Description" : "Group ID of the security group used.",
"Value" : {
"Fn::If" : [
"CreateNewSecurityGroup",
{"Ref" : "NewSecurityGroup"},
{"Ref" : "ExistingSecurityGroup"}
]
}
}
}

YAML
Outputs:
SecurityGroupId:
Description: Group ID of the security group used.
Value: !If [CreateNewSecurityGroup, !Ref NewSecurityGroup, !Ref ExistingSecurityGroup]

Example 3
The following snippet uses the AWS::NoValue pseudo parameter in an Fn::If function. The condition
uses a snapshot for an Amazon RDS DB instance only if a snapshot ID is provided. If the UseDBSnapshot
condition evaluates to true, AWS CloudFormation uses the DBSnapshotName parameter value for the
DBSnapshotIdentifier property. If the condition evaluates to false, AWS CloudFormation removes
the DBSnapshotIdentifier property.

JSON
"MyDB" : {

API Version 2010-05-15
2273

AWS CloudFormation User Guide
Condition Functions

}

"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"AllocatedStorage" : "5",
"DBInstanceClass" : "db.m1.small",
"Engine" : "MySQL",
"EngineVersion" : "5.5",
"MasterUsername" : { "Ref" : "DBUser" },
"MasterUserPassword" : { "Ref" : "DBPassword" },
"DBParameterGroupName" : { "Ref" : "MyRDSParamGroup" },
"DBSnapshotIdentifier" : {
"Fn::If" : [
"UseDBSnapshot",
{"Ref" : "DBSnapshotName"},
{"Ref" : "AWS::NoValue"}
]
}
}

YAML
MyDB:
Type: "AWS::RDS::DBInstance"
Properties:
AllocatedStorage: 5
DBInstanceClass: db.m1.small
Engine: MySQL
EngineVersion: 5.5
MasterUsername: !Ref DBUser
MasterUserPassword: !Ref DBPassword
DBParameterGroupName: !Ref MyRDSParamGroup
DBSnapshotIdentifier:
!If [UseDBSnapshot, !Ref DBSnapshotName, !Ref "AWS::NoValue"]

Example 4
The following snippet provides an auto scaling update policy only if the RollingUpdates
condition evaluates to true. If the condition evaluates to false, AWS CloudFormation removes the
AutoScalingRollingUpdate update policy.

JSON
"UpdatePolicy": {
"AutoScalingRollingUpdate": {
"Fn::If": [
"RollingUpdates",
{
"MaxBatchSize": "2",
"MinInstancesInService": "2",
"PauseTime": "PT0M30S"
},
{
"Ref" : "AWS::NoValue"
}
]
}
}

YAML
UpdatePolicy:

API Version 2010-05-15
2274

AWS CloudFormation User Guide
Condition Functions
AutoScalingRollingUpdate:
!If
- RollingUpdates
MaxBatchSize: 2
MinInstancesInService: 2
PauseTime: PT0M30S
- !Ref "AWS::NoValue"

Fn::Not
Returns true for a condition that evaluates to false or returns false for a condition that evaluates to
true. Fn::Not acts as a NOT operator.

Declaration
JSON
"Fn::Not": [{condition}]

YAML
Syntax for the full function name:
Fn::Not: [condition]

Syntax for the short form:
!Not [condition]

Parameters
condition
A condition such as Fn::Equals that evaluates to true or false.

Example
The following EnvCondition condition evaluates to true if the value for the EnvironmentType
parameter is not equal to prod:

JSON
"MyNotCondition" : {
"Fn::Not" : [{
"Fn::Equals" : [
{"Ref" : "EnvironmentType"},
"prod"
]
}]
}

YAML
MyNotCondition:

API Version 2010-05-15
2275

AWS CloudFormation User Guide
Condition Functions
!Not [!Equals [!Ref EnvironmentType, prod]]

Fn::Or
Returns true if any one of the speciﬁed conditions evaluate to true, or returns false if all of the
conditions evaluates to false. Fn::Or acts as an OR operator. The minimum number of conditions that
you can include is 2, and the maximum is 10.

Declaration
JSON
"Fn::Or": [{condition}, {...}]

YAML
Syntax for the full function name:
Fn::Or: [condition, ...]

Syntax for the short form:
!Or [condition, ...]

Parameters
condition
A condition that evaluates to true or false.

Example
The following MyOrCondition evaluates to true if the referenced security group name is equal to sgmysggroup or if SomeOtherCondition evaluates to true:

JSON
"MyOrCondition" : {
"Fn::Or" : [
{"Fn::Equals" : ["sg-mysggroup", {"Ref" : "ASecurityGroup"}]},
{"Condition" : "SomeOtherCondition"}
]
}

YAML
MyOrCondition:
!Or [!Equals [sg-mysggroup, !Ref ASecurityGroup], Condition: SomeOtherCondition]

Supported Functions
You can use the following functions in the Fn::If condition:
• Fn::Base64
API Version 2010-05-15
2276

AWS CloudFormation User Guide
Condition Functions

• Fn::FindInMap
• Fn::GetAtt
• Fn::GetAZs
• Fn::If
• Fn::Join
• Fn::Select
• Fn::Sub
• Ref
You can use the following functions in all other condition functions, such as Fn::Equals and Fn::Or:
• Fn::FindInMap
• Ref
• Other condition functions

Sample Templates
Conditionally create resources for a production, development, or test stack
In some cases, you might want to create stacks that are similar but with minor tweaks. For example, you
might have a template that you use for production applications. You want to create the same production
stack so that you can use it for development or testing. However, for development and testing, you
might not require all the extra capacity that's included in a production-level stack. Instead, you can use
an environment type input parameter in order to conditionally create stack resources that are speciﬁc to
production, development, or testing, as shown in the following sample:

Example JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Mappings" : {
"RegionMap" : {
"us-east-1"
"us-west-1"
"us-west-2"
"eu-west-1"
"sa-east-1"
"ap-southeast-1"
"ap-southeast-2"
"ap-northeast-1"
}
},

:
:
:
:
:
:
:
:

{
{
{
{
{
{
{
{

"AMI"
"AMI"
"AMI"
"AMI"
"AMI"
"AMI"
"AMI"
"AMI"

:
:
:
:
:
:
:
:

"ami-aecd60c7"},
"ami-734c6936"},
"ami-48da5578"},
"ami-6d555119"},
"ami-fe36e8e3"},
"ami-3c0b4a6e"},
"ami-bd990e87"},
"ami-2819aa29"}

"Parameters" : {
"EnvType" : {
"Description" : "Environment type.",
"Default" : "test",
"Type" : "String",
"AllowedValues" : ["prod", "dev", "test"],
"ConstraintDescription" : "must specify prod, dev, or test."
}
},
"Conditions" : {
"CreateProdResources" : {"Fn::Equals" : [{"Ref" : "EnvType"}, "prod"]},
"CreateDevResources" : {"Fn::Equals" : [{"Ref" : "EnvType"}, "dev"]}

API Version 2010-05-15
2277

AWS CloudFormation User Guide
Condition Functions
},
"Resources" : {
"EC2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]},
"InstanceType" : { "Fn::If" : [
"CreateProdResources",
"c1.xlarge",
{"Fn::If" : [
"CreateDevResources",
"m1.large",
"m1.small"
]}
]}
}
},
"MountPoint" : {
"Type" : "AWS::EC2::VolumeAttachment",
"Condition" : "CreateProdResources",
"Properties" : {
"InstanceId" : { "Ref" : "EC2Instance" },
"VolumeId" : { "Ref" : "NewVolume" },
"Device" : "/dev/sdh"
}
},

}

}

"NewVolume" : {
"Type" : "AWS::EC2::Volume",
"Condition" : "CreateProdResources",
"Properties" : {
"Size" : "100",
"AvailabilityZone" : { "Fn::GetAtt" : [ "EC2Instance", "AvailabilityZone" ]}
}
}

Example YAML
AWSTemplateFormatVersion: "2010-09-09"
Mappings:
RegionMap:
us-east-1:
AMI: "ami-aecd60c7"
us-west-1:
AMI: "ami-734c6936"
us-west-2:
AMI: "ami-48da5578"
eu-west-1:
AMI: "ami-6d555119"
sa-east-1:
AMI: "ami-fe36e8e3"
ap-southeast-1:
AMI: "ami-3c0b4a6e"
ap-southeast-2:
AMI: "ami-bd990e87"
ap-northeast-1:
AMI: "ami-2819aa29"
Parameters:

API Version 2010-05-15
2278

AWS CloudFormation User Guide
Condition Functions
EnvType:
Description: Environment type.
Default: test
Type: String
AllowedValues: [prod, dev, test]
ConstraintDescription: must specify prod, dev, or test.
Conditions:
CreateProdResources: !Equals [!Ref EnvType, prod]
CreateDevResources: !Equals [!Ref EnvType, "dev"]
Resources:
EC2Instance:
Type: "AWS::EC2::Instance"
Properties:
ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
InstanceType: !If [CreateProdResources, c1.xlarge, !If [CreateDevResources, m1.large,
m1.small]]
MountPoint:
Type: "AWS::EC2::VolumeAttachment"
Condition: CreateProdResources
Properties:
InstanceId: !Ref EC2Instance
VolumeId: !Ref NewVolume
Device: /dev/sdh
NewVolume:
Type: "AWS::EC2::Volume"
Condition: CreateProdResources
Properties:
Size: 100
AvailabilityZone: !GetAtt EC2Instance.AvailabilityZone

You can specify prod, dev, or test for the EnvType parameter. For each environment type, the
template speciﬁes a diﬀerent instance type. The instance types can range from a large, computeoptimized instance type to a small general purpose instance type. In order to conditionally specify
the instance type, the template deﬁnes two conditions in the Conditions section of the template:
CreateProdResources, which evaluates to true if the EnvType parameter value is equal to prod and
CreateDevResources, which evaluates to true if the parameter value is equal to dev.
In the InstanceType property, the template nests two Fn::If intrinsic functions to determine which
instance type to use. If the CreateProdResources condition is true, the instance type is c1.xlarge. If
the condition is false, the CreateDevResources condition is evaluated. If the CreateDevResources
condition is true, the instance type is m1.large or else the instance type is m1.small.
In addition to the instance type, the production environment creates and attaches an Amazon
EC2 volume to the instance. The MountPoint and NewVolume resources are associated with the
CreateProdResources condition so that the resources are created only if the condition evaluates to
true.

Conditionally assign a resource property
In this example, you can create an Amazon RDS DB instance from a snapshot. If you specify the
DBSnapshotName parameter, AWS CloudFormation uses the parameter value as the snapshot name
when creating the DB instance. If you keep the default value (empty string), AWS CloudFormation
removes the DBSnapshotIdentifier property and creates a DB instance from scratch.

Example JSON
{

"AWSTemplateFormatVersion" : "2010-09-09",
"Parameters": {

API Version 2010-05-15
2279

AWS CloudFormation User Guide
Condition Functions
"DBUser": {
"NoEcho": "true",
"Description" : "The database admin account username",
"Type": "String",
"MinLength": "1",
"MaxLength": "16",
"AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription" : "must begin with a letter and contain only alphanumeric
characters."
},
"DBPassword": {
"NoEcho": "true",
"Description" : "The database admin account password",
"Type": "String",
"MinLength": "1",
"MaxLength": "41",
"AllowedPattern" : "[a-zA-Z0-9]*",
"ConstraintDescription" : "must contain only alphanumeric characters."
},
"DBSnapshotName": {
"Description": "The name of a DB snapshot (optional)",
"Default": "",
"Type": "String"
}
},
"Conditions": {
"UseDBSnapshot": {"Fn::Not": [{"Fn::Equals" : [{"Ref" : "DBSnapshotName"}, ""]}]}
},
"Resources" : {
"MyDB" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"AllocatedStorage" : "5",
"DBInstanceClass" : "db.m1.small",
"Engine" : "MySQL",
"EngineVersion" : "5.5",
"MasterUsername" : { "Ref" : "DBUser" },
"MasterUserPassword" : { "Ref" : "DBPassword" },
"DBParameterGroupName" : { "Ref" : "MyRDSParamGroup" },
"DBSnapshotIdentifier" : {
"Fn::If" : [
"UseDBSnapshot",
{"Ref" : "DBSnapshotName"},
{"Ref" : "AWS::NoValue"}
]
}
}
},

}

}

"MyRDSParamGroup" : {
"Type": "AWS::RDS::DBParameterGroup",
"Properties" : {
"Family" : "MySQL5.5",
"Description" : "CloudFormation Sample Database Parameter Group",
"Parameters" : {
"autocommit" : "1" ,
"general_log" : "1",
"old_passwords" : "0"
}
}
}

API Version 2010-05-15
2280

AWS CloudFormation User Guide
Condition Functions

Example YAML
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
DBUser:
NoEcho: true
Description: The database admin account username
Type: String
MinLength: 1
MaxLength: 16
AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
ConstraintDescription: must begin with a letter and contain only alphanumeric
characters.
DBPassword:
NoEcho: true
Description: The database admin account password
Type: String
MinLength: 1
MaxLength: 41
AllowedPattern: "[a-zA-Z0-9]*"
ConstraintDescription: must contain only alphanumeric characters.
DBSnapshotName:
Description: The name of a DB snapshot (optional)
Default: ""
Type: String
Conditions:
UseDBSnapshot: !Not [!Equals [!Ref DBSnapshotName, ""]]
Resources:
MyDB:
Type: "AWS::RDS::DBInstance"
Properties:
AllocatedStorage: 5
DBInstanceClass: db.m1.small
Engine: MySQL
EngineVersion: 5.5
MasterUsername: !Ref DBUser
MasterUserPassword: !Ref DBPassword
DBParameterGroupName: !Ref MyRDSParamGroup
DBSnapshotIdentifier: !If [UseDBSnapshot, !Ref DBSnapshotName, !Ref "AWS::NoValue"]
MyRDSParamGroup:
Type: "AWS::RDS::DBParameterGroup"
Properties:
Family: MySQL5.5
Description: CloudFormation Sample Database Parameter Group
Parameters:
autocommit: 1
general_log: 1
old_passwords: 0

The UseDBSnapshot condition evaluates to true only if the DBSnapshotName is not an empty string.
If the UseDBSnapshot condition evaluates to true, AWS CloudFormation uses the DBSnapshotName
parameter value for the DBSnapshotIdentifier property. If the condition evaluates to false,
AWS CloudFormation removes the DBSnapshotIdentifier property. The AWS::NoValue pseudo
parameter removes the corresponding resource property when it is used as a return value.

Conditionally use an existing resource
In this example, you can use an Amazon EC2 security group that has already been created or you can
create a new security group, which is speciﬁed in the template. For the ExistingSecurityGroup
parameter, you can specify the default security group name or NONE. If you specify default, AWS
CloudFormation uses a security group that has already been created and is named default. If you
specify NONE, AWS CloudFormation creates the security group that's deﬁned in the template.
API Version 2010-05-15
2281

AWS CloudFormation User Guide
Condition Functions

Example JSON
{

"Parameters" : {
"ExistingSecurityGroup" : {
"Description" : "An existing security group ID (optional).",
"Default" : "NONE",
"Type" : "String",
"AllowedValues" : ["default", "NONE"]
}
},
"Conditions" : {
"CreateNewSecurityGroup" : {"Fn::Equals" : [{"Ref" : "ExistingSecurityGroup"},
"NONE"] }
},
"Resources" : {
"MyInstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : "ami-1b814f72",
"SecurityGroups" : [{
"Fn::If" : [
"CreateNewSecurityGroup",
{"Ref" : "NewSecurityGroup"},
{"Ref" : "ExistingSecurityGroup"}
]
}]
}
},
"NewSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Condition" : "CreateNewSecurityGroup",
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80",
"SecurityGroupIngress" : [ {
"IpProtocol" : "tcp",
"FromPort" : "80",
"ToPort" : "80",
"CidrIp" : "0.0.0.0/0"
} ]
}
}

},

}

"Outputs" : {
"SecurityGroupId" : {
"Description" : "Group ID of the security group used.",
"Value" : {
"Fn::If" : [
"CreateNewSecurityGroup",
{"Ref" : "NewSecurityGroup"},
{"Ref" : "ExistingSecurityGroup"}
]
}
}
}

Example YAML

API Version 2010-05-15
2282

AWS CloudFormation User Guide
Fn::FindInMap
Parameters:
ExistingSecurityGroup:
Description: An existing security group ID (optional).
Default: NONE
Type: String
AllowedValues:
- default
- NONE
Conditions:
CreateNewSecurityGroup: !Equals [!Ref ExistingSecurityGroup, NONE]
Resources:
MyInstance:
Type: "AWS::EC2::Instance"
Properties:
ImageId: "ami-1b814f72"
SecurityGroups: !If [CreateNewSecurityGroup, !Ref NewSecurityGroup, !Ref
ExistingSecurityGroup]
NewSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Condition: CreateNewSecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80
SecurityGroupIngress:
IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
Outputs:
SecurityGroupId:
Description: Group ID of the security group used.
Value: !If [CreateNewSecurityGroup, !Ref NewSecurityGroup, !Ref ExistingSecurityGroup]

To determine whether to create the NewSecurityGroup resource, the resource is associated with the
CreateNewSecurityGroup condition. The resource is created only when the condition is true (when
the ExistingSecurityGroup parameter is equal to NONE).
In the SecurityGroups property, the template uses the Fn::If intrinsic function to determine which
security group to use. If the CreateNewSecurityGroup condition evaluates to true, the security group
property references the NewSecurityGroup resource. If the CreateNewSecurityGroup condition
evaluates to false, the security group property references the ExistingSecurityGroup parameter (the
default security group).
Lastly, the template conditionally outputs the security group ID. If the CreateNewSecurityGroup
condition evaluates to true, AWS CloudFormation outputs the security group ID of the
NewSecurityGroup resource. If the condition is false, AWS CloudFormation outputs the security group
ID of the ExistingSecurityGroup resource.

Fn::FindInMap
The intrinsic function Fn::FindInMap returns the value corresponding to keys in a two-level map that
is declared in the Mappings section.

Declaration
JSON
{ "Fn::FindInMap" : [ "MapName", "TopLevelKey", "SecondLevelKey"] }

API Version 2010-05-15
2283

AWS CloudFormation User Guide
Fn::FindInMap

YAML
Syntax for the full function name:
Fn::FindInMap: [ MapName, TopLevelKey, SecondLevelKey ]

Syntax for the short form:
!FindInMap [ MapName, TopLevelKey, SecondLevelKey ]

Note

You can't nest two instances of two functions in short form.

Parameters
MapName
The logical name of a mapping declared in the Mappings section that contains the keys and values.
TopLevelKey
The top-level key name. Its value is a list of key-value pairs.
SecondLevelKey
The second-level key name, which is set to one of the keys from the list assigned to TopLevelKey.

Return Value:
The value that is assigned to SecondLevelKey.

Example
The following example shows how to use Fn::FindInMap for a template with a Mappings section that
contains a single map, RegionMap, that associates AMIs with AWS regions.
• The map has 5 top-level keys that correspond to various AWS regions.
• Each top-level key is assigned a list with two second level keys, "32" and "64", that correspond to the
AMI's architecture.
• Each of the second-level keys is assigned an appropriate AMI name.
The example template contains an AWS::EC2::Instance resource whose ImageId property is set by
the FindInMap function.
MapName is set to the map of interest, "RegionMap" in this example. TopLevelKey is set to the region
where the stack is created, which is determined by using the "AWS::Region" pseudo parameter.
SecondLevelKey is set to the desired architecture, "32" for this example.
FindInMap returns the AMI assigned to FindInMap. For a 32-bit instance in us-east-1, FindInMap
would return "ami-6411e20d".

JSON
{

API Version 2010-05-15
2284

AWS CloudFormation User Guide
Fn::GetAtt
...
"Mappings" : {
"RegionMap" : {
"us-east-1" : { "32"
"us-west-1" : { "32"
"eu-west-1" : { "32"
"ap-southeast-1" : {
"ap-northeast-1" : {
}
},

: "ami-6411e20d", "64"
: "ami-c9c7978c", "64"
: "ami-37c2f643", "64"
"32" : "ami-66f28c34",
"32" : "ami-9c03a89d",

: "ami-7a11e213" },
: "ami-cfc7978a" },
: "ami-31c2f645" },
"64" : "ami-60f28c32" },
"64" : "ami-a003a8a1" }

"Resources" : {
"myEC2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" },
"32"]},
"InstanceType" : "m1.small"
}
}
}

}

YAML
Mappings:
RegionMap:
us-east-1:
32: "ami-6411e20d"
64: "ami-7a11e213"
us-west-1:
32: "ami-c9c7978c"
64: "ami-cfc7978a"
eu-west-1:
32: "ami-37c2f643"
64: "ami-31c2f645"
ap-southeast-1:
32: "ami-66f28c34"
64: "ami-60f28c32"
ap-northeast-1:
32: "ami-9c03a89d"
64: "ami-a003a8a1"
Resources:
myEC2Instance:
Type: "AWS::EC2::Instance"
Properties:
ImageId: !FindInMap [ RegionMap, !Ref "AWS::Region", 32 ]
InstanceType: m1.small

Supported Functions
You can use the following functions in a Fn::FindInMap function:
• Fn::FindInMap
• Ref

Fn::GetAtt
The Fn::GetAtt intrinsic function returns the value of an attribute from a resource in the template.
API Version 2010-05-15
2285

AWS CloudFormation User Guide
Fn::GetAtt

Declaration
JSON
{ "Fn::GetAtt" : [ "logicalNameOfResource", "attributeName" ] }

YAML
Syntax for the full function name:
Fn::GetAtt: [ logicalNameOfResource, attributeName ]

Syntax for the short form:
!GetAtt logicalNameOfResource.attributeName

Parameters
logicalNameOfResource
The logical name (also called logical ID) of the resource that contains the attribute that you want.
attributeName
The name of the resource-speciﬁc attribute whose value you want. See the resource's reference page
for details about the attributes available for that resource type.

Return Value
The attribute value.

Examples
Return a String
This example snippet returns a string containing the DNS name of the load balancer with the logical
name myELB.

JSON
"Fn::GetAtt" : [ "myELB" , "DNSName" ]

YAML
!GetAtt myELB.DNSName

Return Multiple Strings
The following example template returns the SourceSecurityGroup.OwnerAlias and
SourceSecurityGroup.GroupName of the load balancer with the logical name myELB.
API Version 2010-05-15
2286

AWS CloudFormation User Guide
Fn::GetAtt

JSON
{

}

"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myELB": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AvailabilityZones": [
"eu-west-1a"
],
"Listeners": [
{
"LoadBalancerPort": "80",
"InstancePort": "80",
"Protocol": "HTTP"
}
]
}
},
"myELBIngressGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "ELB ingress group",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"SourceSecurityGroupOwnerId": {
"Fn::GetAtt": [
"myELB",
"SourceSecurityGroup",
"OwnerAlias"
]
},
"SourceSecurityGroupName": {
"Fn::GetAtt": [
"myELB",
"SourceSecurityGroup",
"GroupName"
]
}
}
]
}
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
myELB:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- eu-west-1a
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
myELBIngressGroup:

API Version 2010-05-15
2287

AWS CloudFormation User Guide
Fn::GetAtt
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: ELB ingress group
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
SourceSecurityGroupOwnerId: !GetAtt myELB.SourceSecurityGroup.OwnerAlias
SourceSecurityGroupName: !GetAtt myELB.SourceSecurityGroup.GroupName

Supported Functions
For the Fn::GetAtt logical resource name, you cannot use functions. You must specify a string that is a
resource's logical ID.
For the Fn::GetAtt attribute name, you can use the Ref function.

Attributes
You can retrieve the following attributes using Fn::GetAtt.
Resource TypeName

Attribute

Description

AWS::AmazonMQ::Broker
Arn
(p. 506)

The Amazon Resource Name (ARN) of the Amazon MQ
broker.
Example: arn:aws:mq:useast-2:123456789012:broker:MyBroker:b-1234a5b6-78cd-901e

AWS::AmazonMQ::Broker
ConfigurationId
(p. 506)
The unique ID that Amazon MQ generates for the
conﬁguration.
Example:
c-1234a5b6-78cd-901e-2fgh-3i45j6k178l9
AWS::AmazonMQ::Broker
ConfigurationRevision
(p. 506)
The revision number of the Amazon MQ conﬁguration.
Example: 1
AWS::AmazonMQ::Conﬁguration
Arn
(p. 513)

The Amazon Resource Name (ARN) of the Amazon MQ
conﬁguration.
Example: arn:aws:mq:useast-2:123456789012:configuration:MyConfigurationDevelop

AWS::AmazonMQ::Conﬁguration
Revision
(p. 513)

The revision number of the Amazon MQ conﬁguration.
Example: 1

AWS::ApiGateway::DomainName
DistributionDomainName
(p. 538)
The Amazon CloudFront distribution domain name that is
mapped to the custom domain name.
Example: d111111abcdef8.cloudfront.net
AWS::ApiGateway::RestApi
RootResourceId
(p. 563)
The root resource ID for a RestApi resource.
Example: a0bc123d4e
AWS::Cloud9::EnvironmentEC2
Arn
(p. 666)

The Amazon Resource Name (ARN) of the AWS Cloud9
development environment.

Example: arn:aws:cloud9:useast-2:123456789012:environment:2bc3642873c342e485f7e0c5
AWS::Cloud9::EnvironmentEC2
Name (p. 666)

The name of the AWS Cloud9 development environment.

API Version 2010-05-15
2288

AWS CloudFormation User Guide
Fn::GetAtt

Resource TypeName

Attribute

Description
Example: my-demo-environment

AWS::CloudFormation::WaitCondition
Data
(p. 696)
A JSON-format string containing the UniqueId and Data
values from the wait condition signal(s) for the speciﬁed
wait condition. For more information about wait condition
signals, see Wait Condition Signal JSON Format (p. 279).
Example of a wait condition with two signals:
{"Signal1":"Step 1 complete.","Signal2":"Step 2
complete."}

AWS::CloudFormation::Stack
Outputs.NestedStackOutputName
(p. 694)
The output value from the nested stack that you speciﬁed,
where NestedStackOutputName is the name of the
output value.
AWS::CloudFront::Distribution
DomainName
(p. 700)

Example: d2fadu0nynjpfn.cloudfront.net

AWS::CloudTrail::Trail (p.Arn
708)

Example: arn:aws:cloudtrail:useast-2:123456789012:trail/myCloudTrail

AWS::CloudTrail::Trail (p.SnsTopicArn
708)

The Amazon Resource Name (ARN) of the Amazon SNS
topic that is associated with the CloudTrail trail.
Example: arn:aws:sns:useast-2:123456789012:mySNSTopic

AWS::CloudWatch::Alarm
Arn
(p. 714)

Example: arn:aws:cloudwatch:useast-2:123456789012:alarm:myCloudWatchAlarmCPUAlarm-UXMMZK36R55Z

AWS::CodeBuild::ProjectArn
(p. 720)

Example: arn:aws:codebuild:uswest-2:123456789012:project/myProjectName

AWS::CodeCommit::Repository
Arn
(p. 729)

Example: arn:aws:codecommit:useast-2:123456789012:MyDemoRepo

AWS::CodeCommit::Repository
CloneUrlHttp
(p. 729)

Example: https://codecommit.useast-2.amazonaws.com/v1/repos/MyDemoRepo

AWS::CodeCommit::Repository
CloneUrlSsh
(p. 729)

Example: ssh://git-codecommit.useast-2.amazonaws.com/v1/repos//v1/repos/
MyDemoRepo

AWS::CodeCommit::Repository
Name (p. 729)

Example: MyDemoRepo

AWS::CodePipeline::Pipeline
Version
(p. 755)

The pipeline version. Example: 1

AWS::CodePipeline::Webhook
Url (p. 760)

Example: https://eu-central-1.webhooks.aws/
trigger123456

AWS::Conﬁg::ConﬁgRuleArn
(p. 788)

Example: arn:aws:config:useast-2:123456789012:config-rule/config-rulea1bzhi

AWS::Conﬁg::ConﬁgRuleConfigRuleId
(p. 788)

Example: config-rule-a1bzhi

AWS::Conﬁg::ConﬁgRuleCompliance.Type
(p. 788)
Example: COMPLIANT

API Version 2010-05-15
2289

AWS CloudFormation User Guide
Fn::GetAtt

Resource TypeName

Attribute

Description

AWS::DAX::Cluster (p. 810)
Arn

Example: arn:aws:dax:useast-1:111122223333:cache/MyDAXCluster

AWS::DAX::Cluster (p. 810)
ClusterDiscoveryEndpoint
Example:
mydaxcluster.0h3d6x.clustercfg.dax.use1.cache.amazonaws.
AWS::DirectoryService::MicrosoftAD
Alias
(p. 821) The alias for a directory.
and
AWS::DirectoryService::SimpleAD (p. 825) Examples: d-12373a053a or alias4mydirectory-12345abcgmzsk (if you have the
CreateAlias property set to true)
AWS::DirectoryService::MicrosoftAD
DnsIpAddresses
(p. 821) The IP addresses of the DNS servers for the directory.
and
AWS::DirectoryService::SimpleAD (p. 825) Example: [ "192.0.2.1", "192.0.2.2" ]
AWS::DynamoDB::Table Arn
(p. 848)

Example: arn:aws:dynamodb:useast-2:123456789012:table/myDynamoDBTable

AWS::DynamoDB::Table StreamArn
(p. 848)

The Amazon Resource Name (ARN) of the DynamoDB
table stream. To use this attribute, you must specify the
DynamoDB table StreamSpecification property.
Example: arn:aws:dynamodb:useast-2:123456789012:table/testddbstackmyDynamoDBTable-012A1SL7SMP5Q/
stream/2015-11-30T20:10:00.000

AWS::EC2::EIP (p. 868) AllocationId

The ID that AWS assigns to represent the allocation of the
address for use with Amazon VPC. It is returned only for
VPC Elastic IP addresses.
Example: eipalloc-5723d13e

AWS::EC2::Instance (p. 879)
AvailabilityZoneThe Availability Zone where the instance that you speciﬁed
is launched.
Example: us-east-1b
AWS::EC2::Instance (p. 879)
PrivateDnsName The private DNS name of the instance that you speciﬁed.
Example: ip-10-24-34-0.ec2.internal
AWS::EC2::Instance (p. 879)
PublicDnsName

The public DNS name of the instance that you speciﬁed.
Example:
ec2-107-20-50-45.compute-1.amazonaws.com

AWS::EC2::Instance (p. 879)
PrivateIp

The private IP address of the instance that you speciﬁed.
Example: 10.24.34.0

AWS::EC2::Instance (p. 879)
PublicIp

The public IP address of the instance that you speciﬁed.
Example: 192.0.2.0

API Version 2010-05-15
2290

AWS CloudFormation User Guide
Fn::GetAtt

Resource TypeName

Attribute

Description

AWS::EC2::NetworkInterface
PrimaryPrivateIpAddress
(p. 901)
The primary private IP address of the network interface
that you speciﬁed.
Example: 10.0.0.192
AWS::EC2::NetworkInterface
SecondaryPrivateIpAddresses
(p. 901)
The secondary private IP addresses of the network
interface that you speciﬁed.
Example: ["10.0.0.161", "10.0.0.162",
"10.0.0.163"]
AWS::EC2::SecurityGroup
GroupId
(p. 917)

The group ID of the speciﬁed security group.
Example: sg-94b3a1f6

AWS::EC2::Subnet (p. 935)
AvailabilityZoneThe Availability Zone of the subnet.
Example: us-east-1a
AWS::EC2::Subnet (p. 935)
Ipv6CidrBlocks A list of IPv6 CIDR blocks that are associated with the
subnet.
Example: [ 2001:db8:1234:1a00::/64 ]
AWS::EC2::Subnet (p. 935)
NetworkAclAssociationId
The ID of the network ACL that is associated with the
subnet's VPC.
Example: acl-5fb85d36
AWS::EC2::Subnet (p. 935)
VpcId

The ID of the subnet's VPC.
Example: vpc-11ad4878

AWS::EC2::SubnetNetworkAclAssociation
AssociationId (p. The
940)NetworkAcl associationId that is attached to a
subnet.
AWS::EC2::VPC (p. 950) CidrBlock

The set of IP addresses for the VPC.
Example: 10.0.0.0/16

AWS::EC2::VPC (p. 950) CidrBlockAssociations
A list of IPv4 CIDR block association IDs for the VPC.
Example: [ vpc-cidr-assoc-0280ab6b ]
AWS::EC2::VPC (p. 950) DefaultNetworkAcl
The default network ACL ID that is associated with the
VPC, which AWS creates when you create a VPC.
Example: acl-814dafe3
AWS::EC2::VPC (p. 950) DefaultSecurityGroup
The default security group ID that is associated with the
VPC, which AWS creates when you create a VPC.
Example: sg-b178e0d3
AWS::EC2::VPC (p. 950) Ipv6CidrBlocks A list of IPv6 CIDR blocks that are associated with the VPC.
Example: [ 2001:db8:1234:1a00::/56 ]

API Version 2010-05-15
2291

AWS CloudFormation User Guide
Fn::GetAtt

Resource TypeName

Attribute

Description

AWS::ECR::Repository (p.Arn
985)

Example: arn:aws:ecr:useast-2:123456789012:repository/testrepository

AWS::ECS::Cluster (p. 989)
Arn

Example: arn:aws:ecs:useast-2:123456789012:cluster/MyECSCluster

AWS::ECS::Service (p. 991)
Name

The name of an Amazon Elastic Container Service service.
Example: sample-webapp

AWS::EKS::Cluster (p. 1015)
Arn

The ARN of the cluster.
Example: arn:aws:eks:useast-2:123456789012:cluster/MyECSCluster

AWS::EKS::Cluster (p. 1015)
CertificateAuthorityData
The certificate-authority-data for your cluster.
AWS::EKS::Cluster (p. 1015)
Endpoint

The endpoint for your Kubernetes API server.
Example: https://
EXAMPLEFBBB3BA591B746AFC5AB30262.yl4.uswest-2.eks.amazonaws.com

AWS::ElastiCache::CacheCluster
ConfigurationEndpoint.Address
(p. 1018)
The DNS address of the conﬁguration endpoint for the
Memcached cache cluster.
Example:
test.abc12a.cfg.use1.cache.amazonaws.com:11111
AWS::ElastiCache::CacheCluster
ConfigurationEndpoint.Port
(p. 1018)
The port number of the conﬁguration endpoint for the
Memcached cache cluster.
AWS::ElastiCache::CacheCluster
RedisEndpoint.Address
(p. 1018)
The DNS address of the conﬁguration endpoint for the
Redis cache cluster.
Example:
test.abc12a.cfg.use1.cache.amazonaws.com:11111
AWS::ElastiCache::CacheCluster
RedisEndpoint.Port
(p. 1018)
The port number of the conﬁguration endpoint for the
Redis cache cluster.
AWS::ElastiCache::ReplicationGroup
ConfigurationEndPoint.Address
(p. 1028)The DNS hostname of the cache node.
AWS::ElastiCache::ReplicationGroup
ConfigurationEndPoint.Port
(p. 1028)The port number that the cache engine is listening on.
AWS::ElastiCache::ReplicationGroup
PrimaryEndPoint.Address
(p. 1028)The DNS address of the primary read-write cache node.
AWS::ElastiCache::ReplicationGroup
PrimaryEndPoint.Port
(p. 1028)The port number that the primary read-write cache engine
is listening on.
AWS::ElastiCache::ReplicationGroup
ReadEndPoint.Addresses
(p. 1028)A string with a list of endpoints for the read-only replicas.
The order of the addresses maps to the order of the ports
from the ReadEndPoint.Ports attribute.

Example:
"[abc12xmy3d1w3hv6-001.rep12a.0001.use1.cache.amazonaws.
abc12xmy3d1w3hv6-002.rep12a.0001.use1.cache.amazonaws.co
abc12xmy3d1w3hv6-003.rep12a.0001.use1.cache.amazonaws.co
API Version 2010-05-15
2292

AWS CloudFormation User Guide
Fn::GetAtt

Resource TypeName

Attribute

Description

AWS::ElastiCache::ReplicationGroup
ReadEndPoint.Ports
(p. 1028)A string with a list of ports for the read-only replicas. The
order of the ports maps to the order of the addresses from
the ReadEndPoint.Addresses attribute.
Example: "[6379, 6379, 6379]"
AWS::ElastiCache::ReplicationGroup
ReadEndPoint.Addresses.List
(p. 1028)A list of endpoints for the read-only replicas.

Example:
["abc12xmy3d1w3hv6-001.rep12a.0001.use1.cache.amazonaws.
"abc12xmy3d1w3hv6-002.rep12a.0001.use1.cache.amazonaws.c
"abc12xmy3d1w3hv6-003.rep12a.0001.use1.cache.amazonaws.c
AWS::ElastiCache::ReplicationGroup
ReadEndPoint.Ports.List
(p. 1028)A list of ports for the read-only replicas.
Example: ["6379","6379","6379"]
AWS::ElasticBeanstalk::Environment
EndpointURL
(p. 1050)
The URL to the load balancer for this environment.
Example: awseb-mystmyen-132MQC4KRLAMD-1371280482.useast-2.elb.amazonaws.com
AWS::ElasticLoadBalancing::LoadBalancer
CanonicalHostedZoneName
(p.The
1063)
name of the Route 53-hosted zone that is associated
with the load balancer.
Example: mystackmyelb-15HMABG9ZCN57-1013119603.useast-2.elb.amazonaws.com
AWS::ElasticLoadBalancing::LoadBalancer
CanonicalHostedZoneNameID
(p.The
1063)
ID of the Route 53 hosted zone name that is
associated with the l oad balancer.
Example: Z3DZXE0Q79N41H
AWS::ElasticLoadBalancing::LoadBalancer
DNSName
(p.The
1063)
DNS name for the load balancer.
Example: mystackmyelb-15HMABG9ZCN57-1013119603.useast-2.elb.amazonaws.com
AWS::ElasticLoadBalancing::LoadBalancer
SourceSecurityGroup.GroupName
(p.The
1063)
security group that you can use as part of your
inbound rules for your load balancer's back-end Amazon
EC2 application instances.
Example: amazon-elb
AWS::ElasticLoadBalancing::LoadBalancer
SourceSecurityGroup.OwnerAlias
(p.The
1063)
owner of the source security group.
Example: amazon-elb-sg
AWS::ElasticLoadBalancingV2::LoadBalancer
DNSName
The
(p. 1082)
DNS name for the application load balancer.
Example: my-load-balancer-424835706.uswest-2.elb.amazonaws.com

API Version 2010-05-15
2293

AWS CloudFormation User Guide
Fn::GetAtt

Resource TypeName

Attribute

Description

AWS::ElasticLoadBalancingV2::LoadBalancer
CanonicalHostedZoneID
The
(p. 1082)
ID of the Amazon Route 53-hosted zone name that is
associated with the load balancer.
Example: Z2P70J7EXAMPLE
AWS::ElasticLoadBalancingV2::LoadBalancer
LoadBalancerFullName
The
(p. 1082)
full name of the application load balancer.
Example: app/my-load-balancer/50dc6c495c0c9188
AWS::ElasticLoadBalancingV2::LoadBalancer
LoadBalancerNameThe
(p. 1082)
name of the application load balancer.
Example: my-load-balancer
AWS::ElasticLoadBalancingV2::LoadBalancer
SecurityGroups The
(p. 1082)
IDs of the security groups for the application load
balancer.
Example: sg-123456a
AWS::ElasticLoadBalancingV2::TargetGroup
LoadBalancerArns(p.
The1088)
Amazon Resource Names (ARNs) of the load balancers
that route traﬃc to this target group.
Example: [ "arn:aws:elasticloadbalancing:uswest-2:123456789012:loadbalancer/app/myload-balancer/50dc6c495c0c9188" ]
AWS::ElasticLoadBalancingV2::TargetGroup
TargetGroupFullName
(p.
The1088)
full name of the target group.
Example: targetgroup/my-target-group/
cbf133c568e0d028
AWS::ElasticLoadBalancingV2::TargetGroup
TargetGroupName (p.
The1088)
name of the target group.
Example: my-target-group
AWS::Elasticsearch::Domain
DomainArn
(p. 1096)

The Amazon Resource Name (ARN) of the domain.
Example: arn:aws:es:uswest-2:123456789012:domain/mystackelasti-1ab2cdefghij

AWS::Elasticsearch::Domain
DomainEndpoint
(p. 1096)
The domain-speciﬁc endpoint that is used to submit
index, search, and data upload requests to an Amazon
Elasticsearch Service domain.
Example: search-mystack-elasti-1ab2cdefghijab1c2deckoyb3hofw7wpqa3cm.uswest-2.es.amazonaws.com
AWS::EMR::Cluster (p. 1104)
MasterPublicDNS The public DNS name of the master node (instance).
Example: ec2-12-123-123-123.uswest-2.compute.amazonaws.com
AWS::Events::Rule (p. 1132)
Arn

Example: arn:aws:events:useast-2:123456789012:rule/example

API Version 2010-05-15
2294

AWS CloudFormation User Guide
Fn::GetAtt

Resource TypeName

Attribute

Description

AWS::IAM::AccessKey (p.SecretAccessKey
1184)
The secret access key for the speciﬁed Access Key.
Example: wJalrXUtnFEMI/K7MDENG/
bPxRfiCYzEXAMPLEKEY
AWS::IAM::Group (p. 1186)
Arn

Example: arn:aws:iam::123456789012:group/
mystack-mygroup-1DZETITOWEKVO

AWS::IAM::InstanceProﬁle
Arn
(p. 1188)

Example: arn:aws:iam::1234567890:instanceprofile/MyProfile-ASDNSDLKJ

AWS::IAM::Role (p. 1197)Arn

Example: arn:aws:iam::1234567890:role/MyRoleAJJHDSKSDF

AWS::IAM::User (p. 1205)
Arn

Example: arn:aws:iam::123456789012:user/
mystack-myuser-1CCXAFG2H2U4D

AWS::IoT::Certiﬁcate (p. Arn
1215)

Example: arn:aws:iot:apsoutheast-2:123456789012:cert/
a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs23456

AWS::IoT::Policy (p. 1218)
Arn

Example: arn:aws:iot:useast-2:123456789012:policy/MyIoTPolicy

AWS::IoT::TopicRule (p. 1225)
Arn

Example: arn:aws:iot:useast-2:123456789012:rule/MyIoTRule

AWS::Kinesis::Stream (p.Arn
1228)

Example: arn:aws:kinesis:useast-2:123456789012:stream/stream-name

AWS::KinesisFirehose::DeliveryStream
Arn
(p. 1237)
Example: arn:aws:firehose:useast-2:123456789012:deliverystream/deliverystream-name
AWS::KMS::Key (p. 1247)Arn

Example: arn:aws:kms:uswest-2:123456789012:key/12a34567-8c90-1defgaf84-0bf06c1747f3

AWS::Lambda::FunctionArn
(p. 1257)

Example: arn:aws:lambda:uswest-2:123456789012:MyStack-AMILookUpNT5EUXTNTXXD

AWS::Lambda::Version (p.
Version
1265)

The version of a Lambda function.
Example: 1

AWS::Logs::Destination (p.
Arn1267)

Example: arn:aws:logs:useast-2:123456789012:destination:MyDestination

AWS::Logs::LogGroup (p.Arn
1270)

Example: arn:aws:logs:useast-2:123456789012:log-group:/mystacktestgroup-12ABC1AB12A1:*

AWS::OpsWorks::Instance
AvailabilityZone
(p. 1298)
The Availability Zone of an AWS OpsWorks instance.
Example: us-east-2a.
AWS::OpsWorks::Instance
PrivateDnsName
(p. 1298)
The private DNS name of an AWS OpsWorks instance.

API Version 2010-05-15
2295

AWS CloudFormation User Guide
Fn::GetAtt

Resource TypeName

Attribute

Description

AWS::OpsWorks::Instance
PrivateIp
(p. 1298)

The private IP address of an AWS OpsWorks instance.

AWS::OpsWorks::Instance
PublicDnsName
(p. 1298)

The public DNS name of an AWS OpsWorks instance.

AWS::OpsWorks::Instance
PublicIp
(p. 1298)

The public IP address of an AWS OpsWorks instance.

Note

To use this attribute, the AWS OpsWorks instance
must be in an AWS OpsWorks layer that autoassigns public IP addresses.
Example: 192.0.2.0
AWS::OpsWorks::UserProﬁle
SshUserName
(p. 1327)

The SSH user name of an AWS OpsWorks instance.

AWS::Redshift::Cluster (p.
Endpoint.Address
1373)
The connection endpoint for the cluster.
Example: examplecluster.cg034hpkmmjt.useast-2.redshift.amazonaws.com
AWS::Redshift::Cluster (p.
Endpoint.Port
1373)

The connection port for the cluster.
Example: 5439

AWS::RDS::DBCluster (p.Endpoint.Address
1331)
The connection endpoint for the DB cluster.
Example: mystackmydbcluster-1apw1j4phylrk.cg034hpkmmjt.useast-2.rds.amazonaws.com
AWS::RDS::DBCluster (p.Endpoint.Port
1331)

The port number on which the DB cluster accepts
connections.
Example: 3306

AWS::RDS::DBCluster (p.ReadEndpoint.Address
1331)
The reader endpoint for the DB cluster.
Example: mystack-mydbclusterro-1apw1j4phylrk.cg034hpkmmjt.useast-2.rds.amazonaws.com
AWS::RDS::DBInstance (p.
Endpoint.Address
1341)
The connection endpoint for the database.
Example: mystackmydb-1apw1j4phylrk.cg034hpkmmjt.useast-2.rds.amazonaws.com
AWS::RDS::DBInstance (p.
Endpoint.Port
1341)

The port number on which the database accepts
connections.
Example: 3306

AWS::Route53::HostedZone
NameServers
(p. 1392)

The set of name servers for the speciﬁc hosted zone.
Example: ns1.example.com
This attribute is not supported for private hosted zones.

AWS::S3::Bucket (p. 1403)
Arn

Example: arn:aws:s3:::mybucket

API Version 2010-05-15
2296

AWS CloudFormation User Guide
Fn::GetAtt

Resource TypeName

Attribute

Description

AWS::S3::Bucket (p. 1403)
DomainName

The DNS name of the speciﬁed bucket.
Example: mystack-mybucketkdwwxmddtr2g.s3.amazonaws.com

AWS::S3::Bucket (p. 1403)
DualStackDomainName
The IPv6 DNS name of the speciﬁed bucket.
Example: mystack-mybucketkdwwxmddtr2g.s3.dualstack.useast-2.amazonaws.com/
AWS::S3::Bucket (p. 1403)
WebsiteURL

The Amazon S3 website endpoint for the speciﬁed bucket.
Example: http://mystack-mybucketkdwwxmddtr2g.s3-website-useast-2.amazonaws.com/

AWS::Serverless::Function
Arn
(p. 192)

The ARN of an AWS::Serverless::Function resource.

AWS::ServiceDiscovery::PrivateDnsNamespace
Id
Example:
(p. 1468)
ns-t2kl4fs6xexample
AWS::ServiceDiscovery::PrivateDnsNamespace
Arn
Example:
(p. 1468)
arn:aws:servicediscovery:uswest-2:1234567890:namespace/nst2kl4fs6xexample
AWS::ServiceDiscovery::PublicDnsNamespace
Id
Example:
(p. 1470)ns-d6wz3hq6kexample
AWS::ServiceDiscovery::PublicDnsNamespace
Arn
Example:
(p. 1470)arn:aws:servicediscovery:uswest-2:1234567890:namespace/nsd6wz3hq6kexample
AWS::ServiceDiscovery::Service
Id
(p. 1471)

Example: srv-7dfj3r6cyexample

AWS::ServiceDiscovery::Service
Arn
(p. 1471)

Example: arn:aws:servicediscovery:uswest-2:1234567890:service/
srv-7dfj3r6cyexample

AWS::ServiceDiscovery::Service
Name (p. 1471)

Example: example

AWS::SNS::Topic (p. 1492)
TopicName

The name of an Amazon SNS topic.
Example: my-sns-topic

AWS::StepFunctions::Activity
Name (p. 1527)

The name of the AWS Step Functions activity.

AWS::StepFunctions::StateMachine
Name
(p. 1529)The name of the Step Functions state machine.
AWS::SQS::Queue (p. 1495)
Arn

Example: arn:aws:sqs:useast-2:123456789012:mystackmyqueue-15PG5C2FC1CW8

AWS::SQS::Queue (p. 1495)
QueueName

The name of an Amazon SQS queue.
Example: mystack-myqueue-1VF9BKQH5BJVI

API Version 2010-05-15
2297

AWS CloudFormation User Guide
Fn::GetAZs

Fn::GetAZs
The intrinsic function Fn::GetAZs returns an array that lists Availability Zones for a speciﬁed region.
Because customers have access to diﬀerent Availability Zones, the intrinsic function Fn::GetAZs
enables template authors to write templates that adapt to the calling user's access. That way you don't
have to hard-code a full list of Availability Zones for a speciﬁed region.

Important

For the EC2-Classic platform, the Fn::GetAZs function returns all Availability Zones for a
region. For the EC2-VPC platform, the Fn::GetAZs function returns only Availability Zones that
have a default subnet unless none of the Availability Zones has a default subnet; in that case, all
Availability Zones are returned.
Similarly to the response from the describe-availability-zones AWS CLI command, the
order of the results from the Fn::GetAZs function is not guaranteed and can change when new
Availability Zones are added.
IAM permissions
The permissions that you need in order to use the Fn::GetAZs function depend on the platform in
which you're launching Amazon EC2 instances. For both platforms, you need permissions to the Amazon
EC2 DescribeAvailabilityZones and DescribeAccountAttributes actions. For EC2-VPC, you
also need permissions to the Amazon EC2 DescribeSubnets action.

Declaration
JSON
{ "Fn::GetAZs" : "region" }

YAML
Syntax for the full function name:
Fn::GetAZs: region

Syntax for the short form:
!GetAZs region

Parameters
region
The name of the region for which you want to get the Availability Zones.
You can use the AWS::Region pseudo parameter to specify the region in which the stack is created.
Specifying an empty string is equivalent to specifying AWS::Region.

Return Value
The list of Availability Zones for the region.
API Version 2010-05-15
2298

AWS CloudFormation User Guide
Fn::GetAZs

Examples
Evaluate a Region
For these examples, AWS CloudFormation evaluates Fn::GetAZs to the following array—assuming that
the user has created the stack in the us-east-1 region:
[ "us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d" ]

JSON
{ "Fn::GetAZs" : "" }
{ "Fn::GetAZs" : { "Ref" : "AWS::Region" } }
{ "Fn::GetAZs" : "us-east-1" }

YAML
Fn::GetAZs: ""
Fn::GetAZs:
Ref: "AWS::Region"
Fn::GetAZs: us-east-1

Specify a Subnet's Availability Zone
The following example uses Fn::GetAZs to specify a subnet's Availability Zone:

JSON
"mySubnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"CidrBlock" : "10.0.0.0/24",
"AvailabilityZone" : {
"Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ]
}
}
}

YAML
mySubnet:
Type: "AWS::EC2::Subnet"
Properties:
VpcId:
!Ref VPC
CidrBlock: 10.0.0.0/24
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""

Nested Functions with Short Form YAML
The following examples show valid patterns for using nested intrinsic functions using short form YAML.
You can't nest short form functions consecutively, so a pattern like !GetAZs !Ref is invalid.
API Version 2010-05-15
2299

AWS CloudFormation User Guide
Fn::ImportValue

YAML
AvailabilityZone: !Select
- 0
- !GetAZs
Ref: 'AWS::Region'

YAML
AvailabilityZone: !Select
- 0
- Fn::GetAZs: !Ref 'AWS::Region'

Supported Functions
You can use the Ref function in the Fn::GetAZs function.

Fn::ImportValue
The intrinsic function Fn::ImportValue returns the value of an output exported (p. 199) by another
stack. You typically use this function to create cross-stack references (p. 248). In the following example
template snippets, Stack A exports VPC security group values and Stack B imports them.

Note

The following restrictions apply to cross-stack references:
• For each AWS account, Export names must be unique within a region.
• You can't create cross-stack references across regions. You can use the intrinsic function
Fn::ImportValue to import only values that have been exported within the same region.
• For outputs, the value of the Name property of an Export can't use Ref or GetAtt functions
that depend on a resource.
Similarly, the ImportValue function can't include Ref or GetAtt functions that depend on a
resource.
• You can't delete a stack if another stack references one of its outputs.
• You can't modify or remove an output value that is referenced by another stack.
Stack A Export
"Outputs" : {
"PublicSubnet" : {
"Description" : "The subnet ID to use for public web servers",
"Value" : { "Ref" : "PublicSubnet" },
"Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-SubnetID" }}
},
"WebServerSecurityGroup" : {
"Description" : "The security group ID to use for public web servers",
"Value" : { "Fn::GetAtt" : ["WebServerSecurityGroup", "GroupId"] },
"Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-SecurityGroupID" }}
}
}

Stack B Import
"Resources" : {
"WebServerInstance" : {

API Version 2010-05-15
2300

AWS CloudFormation User Guide
Fn::ImportValue
"Type" : "AWS::EC2::Instance",
"Properties" : {
"InstanceType" : "t2.micro",
"ImageId" : "ami-a1b23456",
"NetworkInterfaces" : [{
"GroupSet" : [{"Fn::ImportValue" : {"Fn::Sub" : "${NetworkStackNameParameter}SecurityGroupID"}}],
"AssociatePublicIpAddress" : "true",
"DeviceIndex" : "0",
"DeleteOnTermination" : "true",
"SubnetId" : {"Fn::ImportValue" : {"Fn::Sub" : "${NetworkStackNameParameter}SubnetID"}}
}]
}
}
}

Declaration
JSON
{ "Fn::ImportValue" : sharedValueToImport }

YAML
You can use the full function name:
Fn::ImportValue: sharedValueToImport

Alternatively, you can use the short form:
!ImportValue sharedValueToImport

Important

You can't use the short form of !ImportValue when it contains a !Sub. The following example
is valid for AWS CloudFormation, but not valid for YAML:
!ImportValue
!Sub "${NetworkStack}-SubnetID"

Instead, you must use the full function name, for example:
Fn::ImportValue:
!Sub "${NetworkStack}-SubnetID"

Parameters
sharedValueToImport
The stack output value that you want to import.

Return Value
The stack output value.
API Version 2010-05-15
2301

AWS CloudFormation User Guide
Fn::Join

Example
JSON
{ "Fn::ImportValue" : {"Fn::Sub": "${NetworkStackNameParameter}-SubnetID" } }

YAML
Fn::ImportValue:
!Sub "${NetworkStackName}-SecurityGroupID"

Supported Functions
You can use the following functions in the Fn::ImportValue function. The value of these functions
can't depend on a resource.
• Fn::Base64
• Fn::FindInMap
• Fn::If
• Fn::Join
• Fn::Select
• Fn::Split
• Fn::Sub
• Ref

Fn::Join
The intrinsic function Fn::Join appends a set of values into a single value, separated by the speciﬁed
delimiter. If a delimiter is the empty string, the set of values are concatenated with no delimiter.

Declaration
JSON
{ "Fn::Join" : [ "delimiter", [ comma-delimited list of values ] ] }

YAML
Syntax for the full function name:
Fn::Join: [ delimiter, [ comma-delimited list of values ] ]

Syntax for the short form:
!Join [ delimiter, [ comma-delimited list of values ] ]

API Version 2010-05-15
2302

AWS CloudFormation User Guide
Fn::Join

Parameters
delimiter
The value you want to occur between fragments. The delimiter will occur between fragments only. It
will not terminate the ﬁnal value.
ListOfValues
The list of values you want combined.

Return Value
The combined string.

Examples
Join a Simple String Array
The following example returns: "a:b:c".

JSON
"Fn::Join" : [ ":", [ "a", "b", "c" ] ]

YAML
!Join [ ":", [ a, b, c ] ]

Join Using the Ref Function with Parameters
The following example uses Fn::Join to construct a string value. It uses the Ref function with the
Partition parameter and the AWS::AccountId pseudo parameter.

JSON
{

"Fn::Join": [
"", [
"arn:",
{
"Ref": "Partition"
},
":s3:::elasticbeanstalk-*-",
{
"Ref": "AWS::AccountId"
}
]
]

}}

YAML
!Join
- ''

API Version 2010-05-15
2303

AWS CloudFormation User Guide
Fn::Select
- -

'arn:'
!Ref Partition
':s3:::elasticbeanstalk-*-'
!Ref 'AWS::AccountId'

Note

Also see the Fn::Sub (p. 2308) function for similar functionality.

Supported Functions
For the Fn::Join delimiter, you cannot use any functions. You must specify a string value.
For the Fn::Join list of values, you can use the following functions:
• Fn::Base64
• Fn::FindInMap
• Fn::GetAtt
• Fn::GetAZs
• Fn::If
• Fn::ImportValue
• Fn::Join
• Fn::Split
• Fn::Select
• Fn::Sub
• Ref

Fn::Select
The intrinsic function Fn::Select returns a single object from a list of objects by index.

Important

Fn::Select does not check for null values or if the index is out of bounds of the array. Both
conditions will result in a stack error, so you should be certain that the index you choose is valid,
and that the list contains non-null values.

Declaration
JSON
{ "Fn::Select" : [ index, listOfObjects ] }

YAML
Syntax for the full function name:
Fn::Select: [ index, listOfObjects ]

Syntax for the short form:
!Select [ index, listOfObjects ]

API Version 2010-05-15
2304

AWS CloudFormation User Guide
Fn::Select

Parameters
index
The index of the object to retrieve. This must be a value from zero to N-1, where N represents the
number of elements in the array.
listOfObjects
The list of objects to select from. This list must not be null, nor can it have null entries.

Return Value
The selected object.

Examples
Basic Example
The following example returns: "grapes".

JSON
{ "Fn::Select" : [ "1", [ "apples", "grapes", "oranges", "mangoes" ] ] }

YAML
!Select [ "1", [ "apples", "grapes", "oranges", "mangoes" ] ]

Comma-delimited List Parameter Type
You can use Fn::Select to select an object from a CommaDelimitedList parameter. You might use
a CommaDelimitedList parameter to combine the values of related parameters, which reduces the
total number of parameters in your template. For example, the following parameter speciﬁes a commadelimited list of three CIDR blocks:

JSON
"Parameters" : {
"DbSubnetIpBlocks": {
"Description": "Comma-delimited list of three CIDR blocks",
"Type": "CommaDelimitedList",
"Default": "10.0.48.0/24, 10.0.112.0/24, 10.0.176.0/24"
}
}

YAML
Parameters:
DbSubnetIpBlocks:
Description: "Comma-delimited list of three CIDR blocks"
Type: CommaDelimitedList
Default: "10.0.48.0/24, 10.0.112.0/24, 10.0.176.0/24"

To specify one of the three CIDR blocks, use Fn::Select in the Resources section of the same template,
as shown in the following sample snippet:
API Version 2010-05-15
2305

AWS CloudFormation User Guide
Fn::Split

JSON
"Subnet0": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": { "Ref": "VPC" },
"CidrBlock": { "Fn::Select" : [ "0", {"Ref": "DbSubnetIpBlocks"} ] }
}
}

YAML
Subnet0:
Type: "AWS::EC2::Subnet"
Properties:
VpcId: !Ref VPC
CidrBlock: !Select [ 0, !Ref DbSubnetIpBlocks ]

Nested Functions with Short Form YAML
The following examples show valid patterns for using nested intrinsic functions with the !Select short
form. You can't nest short form functions consecutively, so a pattern like !GetAZs !Ref is invalid.

YAML
AvailabilityZone: !Select
- 0
- !GetAZs
Ref: 'AWS::Region'

YAML
AvailabilityZone: !Select
- 0
- Fn::GetAZs: !Ref 'AWS::Region'

Supported Functions
For the Fn::Select index value, you can use the Ref and Fn::FindInMap functions.
For the Fn::Select list of objects, you can use the following functions:
• Fn::FindInMap
• Fn::GetAtt
•
•
•
•

Fn::GetAZs
Fn::If
Fn::Split
Ref

Fn::Split
To split a string into a list of string values so that you can select an element from the resulting string list,
use the Fn::Split intrinsic function. Specify the location of splits with a delimiter, such as , (a comma).
After you split a string, use the Fn::Select (p. 2304) function to pick a speciﬁc element.
API Version 2010-05-15
2306

AWS CloudFormation User Guide
Fn::Split

For example, if a comma-delimited string of subnet IDs is imported to your stack template, you can split
the string at each comma. From the list of subnet IDs, use the Fn::Select intrinsic function to specify a
subnet ID for a resource.

Declaration
JSON
{ "Fn::Split" : [ "delimiter", "source string" ] }

YAML
Syntax for the full function name:
Fn::Split: [ delimiter, source string ]

Syntax for the short form:
!Split [ delimiter, source string ]

Parameters
You must specify both parameters.
delimiter
A string value that determines where the source string is divided.
source string
The string value that you want to split.

Return Value
A list of string values.

Examples
The following examples demonstrate the behavior of the Fn::Split function.

Simple List
The following example splits a string at each vertical bar (|). The function returns ["a", "b", "c"].

JSON
{ "Fn::Split" : [ "|" , "a|b|c" ] }

YAML
!Split [ "|" , "a|b|c" ]

API Version 2010-05-15
2307

AWS CloudFormation User Guide
Fn::Sub

List with Empty String Values
If you split a string with consecutive delimiters, the resulting list will include an empty string. The
following example shows how a string with two consecutive delimiters and an appended delimiter is
split. The function returns ["a", "", "c", ""].

JSON
{ "Fn::Split" : [ "|" , "a||c|" ] }

YAML
!Split [ "|" , "a||c|" ]

Split an Imported Output Value
The following example splits an imported output value, and then selects the third element from the
resulting list of subnet IDs, as speciﬁed by the Fn::Select function.

JSON
{ "Fn::Select" : [ "2", { "Fn::Split": [",", {"Fn::ImportValue": "AccountSubnetIDs"}]}] }

YAML
!Select [2, !Split [",", !ImportValue AccountSubnetIDs]]

Supported Functions
For the Fn::Split delimiter, you cannot use any functions. You must specify a string value.
For the Fn::Split list of values, you can use the following functions:
• Fn::Base64
• Fn::FindInMap
• Fn::GetAtt
• Fn::GetAZs
• Fn::If
• Fn::ImportValue
• Fn::Join
• Fn::Select
• Fn::Sub
• Ref

Fn::Sub
The intrinsic function Fn::Sub substitutes variables in an input string with values that you specify. In
your templates, you can use this function to construct commands or outputs that include values that
aren't available until you create or update a stack.
API Version 2010-05-15
2308

AWS CloudFormation User Guide
Fn::Sub

Declaration
The following sections show the function's syntax.

JSON
{ "Fn::Sub" : [ String, { Var1Name: Var1Value, Var2Name: Var2Value } ] }

If you're substituting only template parameters, resource logical IDs, or resource attributes in the String
parameter, don't specify a variable map.
{ "Fn::Sub" : String }

YAML
Syntax for the full function name:
Fn::Sub:
- String
- { Var1Name: Var1Value, Var2Name: Var2Value }

Syntax for the short form:
!Sub
- String
- { Var1Name: Var1Value, Var2Name: Var2Value }

If you're substituting only template parameters, resource logical IDs, or resource attributes in the String
parameter, don't specify a variable map.
Syntax for the full function name:
Fn::Sub: String

Syntax for the short form:
!Sub String

Parameters
String
A string with variables that AWS CloudFormation substitutes with their associated values at runtime.
Write variables as ${MyVarName}. Variables can be template parameter names, resource logical IDs,
resource attributes, or a variable in a key-value map. If you specify only template parameter names,
resource logical IDs, and resource attributes, don't specify a key-value map.
If you specify template parameter names or resource logical IDs, such as
${InstanceTypeParameter}, AWS CloudFormation returns the same values as if you used the
Ref intrinsic function. If you specify resource attributes, such as ${MyInstance.PublicIp}, AWS
CloudFormation returns the same values as if you used the Fn::GetAtt intrinsic function.
To write a dollar sign and curly braces (${}) literally, add an exclamation point (!) after the open
curly brace, such as ${!Literal}. AWS CloudFormation resolves this text as ${Literal}.
API Version 2010-05-15
2309

AWS CloudFormation User Guide
Fn::Sub

VarName
The name of a variable that you included in the String parameter.
VarValue
The value that AWS CloudFormation substitutes for the associated variable name at runtime.

Return Value
AWS CloudFormation returns the original string, substituting the values for all of the variables.

Examples
The following examples demonstrate how to use the Fn::Sub function.

Fn::Sub with a Mapping
The following example uses a mapping to substitute the ${Domain} variable with the resulting value
from the Ref function.

JSON
{ "Fn::Sub": [ "www.${Domain}", { "Domain": {"Ref" : "RootDomainName" }} ]}

YAML
Name: !Sub
- www.${Domain}
- { Domain: !Ref RootDomainName }

Fn::Sub without a Mapping
The following example uses Fn::Sub with the AWS::Region and AWS::AccountId pseudo parameters
and the vpc resource logical ID to create an Amazon Resource Name (ARN) for a VPC.

JSON
{ "Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}" }

YAML
!Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}'

UserData Commands
The following example uses Fn::Sub to substitute the AWS::StackName and AWS::Region pseudo
parameters for the actual stack name and region at runtime.

JSON
For readability, the JSON example uses the Fn::Join function to separate each command, instead of
specifying the entire user data script in a single string value.
API Version 2010-05-15
2310

AWS CloudFormation User Guide
Ref

"UserData": { "Fn::Base64": { "Fn::Join": ["\n", [
"#!/bin/bash -xe",
"yum update -y aws-cfn-bootstrap",
{ "Fn::Sub": "/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfig
--configsets wordpress_install --region ${AWS::Region}" },
{ "Fn::Sub": "/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource
WebServerGroup --region ${AWS::Region}" }]]
}}

YAML
The YAML example uses a literal block to specify the user data script.
UserData:
Fn::Base64:
!Sub |
#!/bin/bash -xe
yum update -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfig -configsets wordpress_install --region ${AWS::Region}
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerGroup -region ${AWS::Region}

Supported Functions
For the String parameter, you cannot use any functions. You must specify a string value.
For the VarName and VarValue parameters, you can use the following functions:
• Fn::Base64
• Fn::FindInMap
• Fn::GetAtt
• Fn::GetAZs
• Fn::If
• Fn::ImportValue
• Fn::Join
• Fn::Select
• Ref

Ref
The intrinsic function Ref returns the value of the speciﬁed parameter or resource.
• When you specify a parameter's logical name, it returns the value of the parameter.
• When you specify a resource's logical name, it returns a value that you can typically use to refer to that
resource, such as a physical ID (p. 196).
When you are declaring a resource in a template and you need to specify another template resource
by name, you can use the Ref to refer to that other resource. In general, Ref returns the name of the
resource. For example, a reference to an AWS::AutoScaling::AutoScalingGroup (p. 620) returns the
name of that Auto Scaling group resource.
For some resources, an identiﬁer is returned that has another signiﬁcant meaning in the context
of the resource. An AWS::EC2::EIP (p. 868) resource, for instance, returns the IP address, and an
AWS::EC2::Instance (p. 879) returns the instance ID.
API Version 2010-05-15
2311

AWS CloudFormation User Guide
Ref

At the bottom of this topic, there is a table that lists the values returned for many common resource
types. More information about Ref return values for a particular resource or property can be found in
the documentation for that resource or property.

Tip

You can also use Ref to add values to Output messages.

Declaration
JSON
{ "Ref" : "logicalName" }

YAML
Syntax for the full function name:
Ref: logicalName

Syntax for the short form:
!Ref logicalName

Parameters
logicalName
The logical name of the resource or parameter you want to dereference.

Return Value
The physical ID of the resource or the value of the parameter.

Example
The following resource declaration for an Elastic IP address needs the instance ID of an EC2 instance and
uses the Ref function to specify the instance ID of the MyEC2Instance resource:

JSON
"MyEIP" : {
"Type" : "AWS::EC2::EIP",
"Properties" : {
"InstanceId" : { "Ref" : "MyEC2Instance" }
}
}

YAML
MyEIP:
Type: "AWS::EC2::EIP"
Properties:
InstanceId: !Ref MyEC2Instance

API Version 2010-05-15
2312

AWS CloudFormation User Guide
Ref

Supported Functions
You cannot use any functions in the Ref function. You must specify a string that is a resource logical ID.

Resource Return Examples
This section lists sample values returned by Ref for particular AWS CloudFormation resources. For more
information about Ref return values for a particular resource or property, refer to the documentation for
that resource or property.
Resource Type

Reference Value

Example Return Value

AWS::AmazonMQ::Broker
Amazon
(p. 506)MQ broker ID

b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9

AWS::AmazonMQ::Conﬁguration
Amazon MQ
(p. 513)
conﬁguration ID

c-1234a5b6-78cd-901e-2fgh-3i45j6k178l9

AWS::ApiGateway::Account
API (p.
Gateway
516) account resource ID

mystaaccou-01234b567890example

AWS::ApiGateway::ApiKey
API(p.key
518)

m2m1k7sybf

AWS::ApiGateway::Authorizer
Authorizer
(p. 522)
resource ID

abcde1

AWS::ApiGateway::ClientCertiﬁcate
Client certiﬁcate
(p. 527)
name

abc123

AWS::ApiGateway::Deployment
Deployment
(p. 528)
resource ID

abc123

AWS::ApiGateway::DomainName
Domain name
(p. 538)

example.mydomain.com

AWS::ApiGateway::Method
Method
(p. 548)
resource ID

mystametho-01234b567890example

AWS::ApiGateway::ModelModel
(p. 556)
name

myModel

AWS::ApiGateway::Resource
API Gateway
(p. 561) resource ID

abc123

AWS::ApiGateway::RestApi
Rest
(p.API
563)
resource ID

a1bcdef2gh

AWS::ApiGateway::StageStage
(p. 570)
name

MyTestStage

AWS::ApplicationAutoScaling::ScalableTarget
Scalable Target ID
(p. 581)

service/ecsStackMyECSClusterAB12CDE3F4GH/ecsStackMyECSService-AB12CDE3F4GH|
ecs:service:DesiredCount|
ecs

AWS::ApplicationAutoScaling::ScalingPolicy
Application Auto Scaling
(p. 594)
policy Amazon
Resource Name (ARN)

arn:aws:autoscaling:useast-1:123456789012:scalingPolicy:12ab3
ecs/service/ecsStackMyECSCluster-AB12CDE3F4GH/
ecsStack-MyECSServiceAB12CDE3F4GH:policyName/
MyStepPolicy

AWS::Athena::NamedQuery
Named
(p. 618)
query name

abc123

AWS::AutoScaling::AutoScalingGroup
Name
(p. 620)

mystack-myasgroupNT5EUXTNTXXD

API Version 2010-05-15
2313

AWS CloudFormation User Guide
Ref

Resource Type

Reference Value

Example Return Value

AWS::AutoScaling::LaunchConﬁguration
Name
(p. 628)

mystackmylaunchconfig-1DDYF1E3B3I

AWS::AutoScaling::LifecycleHook
Name
(p. 637)

mylifecyclehookname

AWS::AutoScaling::ScalingPolicy
Scaling policy
(p. 640)
Amazon Resource Name
(ARN)

arn:aws:autoscaling:useast-1:123456789012:scalingPolicy:ab12c
a1b2-a1b2-a1b2ab12c4d56789:autoScalingGroupName/
myStack-AutoScalingGroupAB12C4D5E6:policyName/
myStack-myScalingPolicyAB12C4D5E6

AWS::AutoScaling::ScheduledAction
Name
(p. 646)

mystack-myscheduledactionNT5EUXTNTXXD

AWS::Batch::ComputeEnvironment
AWS Batch (p.
Compute
651) Environment
Amazon Resource Name (ARN)

arn:aws:batch:useast-1:555555555555:computeenvironment/M4OnDemand

AWS::Batch::JobDeﬁnition
AWS
(p. Batch
655) Job Deﬁnition Amazon
Resource Name (ARN)

arn:aws:batch:useast-1:111122223333:jobdefinition/test-gpu:2

AWS::Batch::JobQueue (p.
AWS
658)
Batch Job Queue Amazon Resource arn:aws:batch:usName (ARN)
east-1:111122223333:jobqueue/HighPriority
AWS::CertiﬁcateManager::Certiﬁcate
Certiﬁcate Amazon
(p. 663)Resource Name
(ARN)

arn:aws:acm:useast-1:123456789012:certificate/12ab3c4

AWS::Cloud9::EnvironmentEC2
Development
(p. 666)environment ID

2bc3642873c342e485f7e0c56example

AWS::CloudFormation::Stack
Stack(p.
ID694)

arn:aws:cloudformation:useast-2:803981987763:stack/
mystack-mynestedstacksggfrhxhum7w/f449b250b969-11e0-a185-5081d0136786

AWS::CloudFormation::WaitCondition
Name
(p. 696)

arn:aws:cloudformation:useast-2:803981987763:stack/
mystack/c325e210bdf2-11e0-9638-50690880c386/
mywaithandle

AWS::CloudFormation::WaitConditionHandle
Wait Condition Signal(p.
URL
699)

https://cloudformationwaitcondition-useast-2.s3.amazonaws.com/
arn%3Aaws
%3Acloudformation%3Auseast-2%3A803981987763%3Astack
%2Fwaittest%2F054a33d0bdee-11e0-8816-5081c490a786%2FmyWaitHan
Expires=1312475488&AWSAccessKeyId=AKIAI
%3D

API Version 2010-05-15
2314

AWS CloudFormation User Guide
Ref

Resource Type

Reference Value

Example Return Value

AWS::CloudFront::Distribution
Distribution
(p. 700)
ID

E27LVI50CSW06W

AWS::CloudTrail::Trail (p.Trail
708)name

awscloudtrail-example

AWS::CloudWatch::AlarmName
(p. 714)

mystackmyalarm-3AOHFRGOXR5T

AWS::CodeBuild::ProjectProject
(p. 720)name

myProjectName

AWS::CodeCommit::Repository
Repository
(p. 729)
ID

12a345b6bbb7-4bb6-90b0-8c9577a2d2b9

AWS::CodeDeploy::Application
Application
(p. 731)
name

myapplication-a123d0d1

AWS::CodeDeploy::DeploymentConﬁg
Deployment conﬁguration
(p. 733)
name

mydeploymentconfig-a123d0d1

AWS::CodeDeploy::DeploymentGroup
Deployment group
(p. 735)
name

mydeploymentgroup-a123d0d1

AWS::CodePipeline::CustomActionType
Custom action name
(p. 751)

mysta-MyCus-A1BCDEFGHIJ2

AWS::CodePipeline::Pipeline
Pipeline
(p. 755)
name

mysta-MyPipelineA1BCDEFGHIJ2

AWS::CodePipeline::Webhook
Webhook
(p. 760)
name

MyFirstPipelineSourceAction1-Webhookutb9LrOl24Kk

AWS::Conﬁg::ConﬁgRuleConﬁguration
(p. 788)
rule name

mystackMyConfigRule-12ABCFPXHV4OV

AWS::Conﬁg::ConﬁgurationRecorder
Conﬁguration
(p.recorder
797) name

default

AWS::Conﬁg::DeliveryChannel
Delivery
(p.channel
799) name

default

AWS::DataPipeline::Pipeline
Pipeline
(p. 801)
ID

df-sample322HVPGK130TOD

AWS::DAX::Cluster (p. 810)
Name

MyDAXCluster

AWS::DirectoryService::MicrosoftAD
Microsoft directory
(p. 821)ID

d-12345ab592

AWS::DirectoryService::SimpleAD
Directory (p.
ID 825)

d-12345ab592

AWS::DynamoDB::Table Table
(p. 848)
Name

MyDDBTable

AWS::EC2::EIP (p. 868) Elastic IP Address

192.0.2.0

AWS::EC2::EIPAssociationName
(p. 870)

mystackmyeipa-1NU3IL8LJ313N

AWS::EC2::FlowLog (p. 875)
Flow log ID

fl-1a23b456

AWS::EC2::Host (p. 877) Host ID

h-0ab123c45d67ef89

AWS::EC2::Instance (p. 879)
Instance ID

i-1234567890abcdef0

AWS::EC2::NatGateway (p.
NAT
893)
gateway ID

nat-0a12bc456789de0fg

AWS::EC2::NetworkInterfacePermission
Network interface
(p. permission
908)
ID

eni-perm-055663b682ea24b48

API Version 2010-05-15
2315

AWS CloudFormation User Guide
Ref

Resource Type

Reference Value

Example Return Value

AWS::EC2::PlacementGroup
Placement
(p. 910)group name

mystack-myplacementgroupCU6107MRVLR7

AWS::EC2::RouteTable (p.
Route
915) table ID

rtb-12a34567

AWS::EC2::SecurityGroupName
(p. 917)
or security group ID (for VPC
security groups that are not in a default
VPC)

mystack-mysecuritygroupQQB406M8FISX or sg-94b3a1f6

AWS::EC2::SecurityGroupIngress
Name (p. 925)

mysecuritygroupingress

AWS::EC2::SpotFleet (p. Name
932)

sfr-73fbd2ceaa30-494c-8788-1cee4EXAMPLE

AWS::EC2::Subnet (p. 935)
Subnet ID

subnet-e19f0178

AWS::EC2::Volume (p. 944)
Volume ID

vol-3cdd3f56

AWS::EC2::VolumeAttachment
Name (p. 948)

mystack-myvola-ERXHJITXMRLT

AWS::EC2::VPC (p. 950) VPC ID

vpc-18ac277d

AWS::EC2::VPCPeeringConnection
VPC peering
(p.connection
967)
ID

pcx-75de3e1d

AWS::EC2::VPCEndpoint Endpoint
(p. 958) ID

vpce-a123d0d1

AWS::ECR::Repository (p.Repository
985)
name

test-repository

AWS::ECS::Cluster (p. 989)
Name

MyStack-MyECSClusterNT5EUXTNTXXD

AWS::ECS::Service (p. 991)
Service ARN

arn:aws:ecs:uswest-2:123456789012:service/
sample-webapp

AWS::ECS::TaskDeﬁnitionTask
(p. 1002)
deﬁnition ARN

arn:aws:ecs:uswest-2:123456789012:taskdefinition/
TaskDefinitionFamily:1

AWS::EFS::FileSystem (p.File
1009)
system ID

fs-47a2c22e

AWS::EFS::MountTarget Mount
(p. 1013)
target ID

fsmt-55a4413c

AWS::EKS::Cluster (p. 1015)
Name

EKSCluster-NT5EUXTNTXXD

AWS::ElastiCache::ReplicationGroup
Name
(p. 1028)

abc12xmy3d1w3hv6

AWS::ElastiCache::SubnetGroup
Name (p. 1041)

myCachesubnetgroup

AWS::ElasticLoadBalancingV2::Listener
Listener's Amazon
(p. 1074)
Resource Name (ARN)

arn:aws:elasticloadbalancing:uswest-2:123456789012:listener/
app/my-loadbalancer/50dc6c495c0c9188/
f2f7dc8efc522ab2

API Version 2010-05-15
2316

AWS CloudFormation User Guide
Ref

Resource Type

Reference Value

Example Return Value

AWS::ElasticLoadBalancingV2::ListenerRule
Listener rule's Amazon
(p. 1080)
Resource Name
(ARN)

arn:aws:elasticloadbalancing:uswest-2:123456789012:listenerrule/app/my-loadbalancer/50dc6c495c0c9188/
f2f7dc8efc522ab2/9683b2d02a6cabee

AWS::ElasticLoadBalancingV2::LoadBalancer
Application load balancer's
(p. 1082)
Amazon
Resource Name (ARN)

arn:aws:elasticloadbalancing:uswest-2:123456789012:loadbalancer/
app/my-internal-loadbalancer/50dc6c495c0c9188

AWS::ElasticLoadBalancingV2::TargetGroup
Target group's Amazon
(p. 1088)
Resource Name
(ARN)

arn:aws:elasticloadbalancing:uswest-2:123456789012:targetgroup/
my-targets/73e2d6bc24d8a067

AWS::Elasticsearch::Domain
Domain
(p. 1096)
name

mystack-elasticseaabc1d2efg3h4

AWS::EMR::Cluster (p. 1104)
Cluster ID

j-1ABCD123AB1A

AWS::EMR::InstanceGroupConﬁg
Instance group
(p. 1124)
ID

ig-ABC12DEF3456

AWS::EMR::SecurityConﬁguration
Name
(p. 1127)

mySecurityConfiguration

AWS::EMR::Step (p. 1130)
Step ID

s-1A2BC3D4EFG56

AWS::ElasticBeanstalk::Application
Name
(p. 1043)

mystack-myapplicationFM6BIXY7U8PK

AWS::ElasticBeanstalk::ApplicationVersion
Name
(p. 1045)

mystackmyapplicationversioniy8ptveuxjly

AWS::ElasticBeanstalk::ConﬁgurationTemplate
Name
(p. 1047)

mystackmyconfigurationtemplate-108RPH64J195

AWS::ElasticBeanstalk::Environment
Name
(p. 1050)

mystack-myenv-LKGNQSFHO1DB

AWS::ElasticLoadBalancing::LoadBalancer
Name
(p. 1063)

mystack-myelb-1WQN7BJGDB5YQ

AWS::Events::Rule (p. 1132)
Event rule ID

mystack-ScheduledRuleABCDEFGHIJK

AWS::GameLift::Alias (p.Alias
1138)
ID

myaliasa01234b56-7890-1de2-f345g67h8i901j2k

AWS::GameLift::Build (p.Build
1140)
ID

mybuilda01234b56-7890-1de2-f345g67h8i901j2k

AWS::GameLift::Fleet (p.Fleet
1142)
ID

myfleeta01234b56-7890-1de2-f345g67h8i901j2k

AWS::Glue::Classiﬁer (p. Name
1146)

abc123

AWS::Glue::Connection (p.
ConnectionInput
1147)
name

abc123

API Version 2010-05-15
2317

AWS CloudFormation User Guide
Ref

Resource Type

Reference Value

Example Return Value

AWS::Glue::Crawler (p. 1149)
Name

abc123

AWS::Glue::Database (p. DatabaseInput
1154)
name

abc123

AWS::Glue::Job (p. 1157)Name

abc123

AWS::Glue::Table (p. 1164)
TableInput name

abc123

AWS::Glue::Trigger (p. 1165)
Name

abc123

AWS::GuardDuty::Detector
Detector
(p. 1171)
ID

12abc34d567e8fa901bc2d34e56789f0

AWS::GuardDuty::IPSet (p.
IPSet
1180)
ID

0cb0141ab9fbde177613ab9436212e90

AWS::GuardDuty::MasterMaster
(p. 1175)
ID

012345678901

AWS::GuardDuty::Member
Member
(p. 1177)
ID

012345678901

AWS::GuardDuty::ThreatIntelSet
ThreatIntel
(p. Set
1182)
ID

12a34567890bc1de2345f67ab8901234

AWS::IAM::AccessKey (p. AccessKeyId
1184)

AKIAIOSFODNN7EXAMPLE

AWS::IAM::Group (p. 1186)
Group name

mystackmygroup-1DZETITOWEKVO

AWS::IAM::ManagedPolicy
Policy
(p. 1190)
ARN

arn:aws:iam::123456789012:policy/
teststackCreateTestDBPolicy-16M23YE3CS700

AWS::IAM::Role (p. 1197)Name

MyRole

AWS::IAM::User (p. 1205)User name

mystackmyuser-1CCXAFG2H2U4D

AWS::IoT::Certiﬁcate (p. Certiﬁcate
1215)
ID

a1234567b89c012d3e4fg567hij8k9l01mno1p2

AWS::IoT::Policy (p. 1218)
Policy name

MyPolicyName

AWS::IoT::Thing (p. 1221)
Thing name

MyStack-MyThingAB1CDEFGHIJK

AWS::IoT::TopicRule (p. 1225)
Topic rule name

MyStackMyTopicRule12ABC3D456EFG

AWS::Kinesis::Stream (p.Name
1228)

mystackmystream-1NAOH4L1RIQ7I

AWS::KinesisFirehose::DeliveryStream
Delivery stream
(p.name
1237)

mystackdeliverystream-1ABCD2EF3GHIJ

AWS::KMS::Alias (p. 1245)
Alias name

alias/myAlias

AWS::KMS::Key (p. 1247)Key ID

123ab456-a4c2-44cb-95fdb781f32fbb37

AWS::Lambda::Alias (p. 1254)
Amazon Resource Name of the AWS
Lambda alias

arn:aws:lambda:uswest-2:123456789012:function:helloworld

AWS::Lambda::EventSourceMapping
Name
(p. 1251)

MyStacklambdaeventsourcemappingCU6107MRVLR7

API Version 2010-05-15
2318

AWS CloudFormation User Guide
Ref

Resource Type

Reference Value

Example Return Value

AWS::Lambda::Function Name
(p. 1257)

MyStack-AMILookUpNT5EUXTNTXXD

AWS::Lambda::Version (p.
Amazon
1265) Resource Name of the AWS
Lambda version

arn:aws:lambda:uswest-2:123456789012:function:helloworld

AWS::Logs::Destination (p.
Destination
1267)
name

TestDestination

AWS::Logs::LogGroup (p.Name
1270)

mystackmyLogGroup-1341JS4M96031

AWS::Logs::LogStream (p.
Log
1272)
stream name

MyAppLogStream

AWS::OpsWorks::App (p.AWS
1293)
OpsWorks Application ID

4fee5b96-0d10-4af1bcc5-25f92e3c6acf

AWS::OpsWorks::Instance
AWS
(p. 1298)
OpsWorks Instance ID

aa2e9ae2-2b4b-491caeb6-8bf3ce9400fe

AWS::OpsWorks::Layer (p.
AWS
1305)
OpsWorks Layer ID

730b238b-f7c4-461db7c0-3feb7ef1152a

AWS::OpsWorks::Stack (p.
AWS
1316)
OpsWorks Stack ID

5c9f04e8-370e-4bd3-ae09a4bbcc2998bb

AWS::OpsWorks::UserProﬁle
IAM user
(p. 1327)
Amazon Resource Name

arn:aws:iam::123456789012:user/
opsworksuser

AWS::OpsWorks::VolumeAWS
(p. 1329)
OpsWorks Volume ID

1ab23cd4-92ff-4501-b37cexample

AWS::RDS::DBCluster (p.Cluster
1331) name

test-rdsclusterpdedtss0mfqr

AWS::RDS::DBClusterParameterGroup
Parameter group
(p. 1338)
name

testdbparamgroup-4l8qqx46vjby

AWS::RDS::DBInstance (p.
Name
1341)

mystack-mydb-ea5ugmfvuaxg

AWS::RDS::DBSecurityGroup
Name
(p. 1360)

mystackmydbsecuritygroup-1k5u5dxjb0nxs

AWS::RDS::DBSubnetGroup
DB subnet
(p. 1365)
group name

mystackmydbsubnetgroup-1k5u5dxjb0nxs

AWS::RDS::OptionGroupName
(p. 1370)

mystackmyoptiongroup-1qmfawfea4vmz

AWS::Redshift::Cluster (p.
Name
1373)

mystack-myredshiftclusterranmiv3f0mad

AWS::Redshift::ClusterParameterGroup
Name
(p. 1381)

mysta-mypar-1AJYM1FL3WQBW

AWS::Redshift::ClusterSecurityGroup
Name
(p. 1384)

mystackmyredshiftclustersecuritygroupbjy2afmhy3ee

API Version 2010-05-15
2319

AWS CloudFormation User Guide
Ref

Resource Type

Reference Value

Example Return Value

AWS::Redshift::ClusterSubnetGroup
Name
(p. 1388)

mystackmyredshiftclustersubnetgroupaq6rsdq8rp71

AWS::Route53::HealthCheck
Amazon
(p. 1390)
Route 53 health check ID

e0a123b4-4dba-4650-935eexample

AWS::Route53::HostedZone
Hosted
(p. 1392)
zone ID

Z23ABC4XYZL05B

AWS::S3::Bucket (p. 1403)
Name

mystackmys3bucket-1hbsmonr9mytq

AWS::SES::ReciptRule (p.Name
1480)

my-receipt-rule

AWS::SDB::Domain (p. 1444)
Name

mystack-mysdbdomainIVNAOZTDFVXL

AWS::SNS::Topic (p. 1492)
Topic ARN

arn:aws:sns:useast-2:123456789012:mystackmytopic-NZJ5JSMVGFIE

AWS::SQS::Queue (p. 1495)
Queue URL

https://sqs.useast-2.amazonaws.com/803981987763/
aa4-MyQueue-Z5NOSZO2PZE9

AWS::SSM::Document (p.SSM
1507)
document name

ssm-myinstanceconfigABCNPH3XCAO6

AWS::SSM::MaintenanceWindow
Maintenance
(p. 1511)
window ID

mw-abcde1234567890yz

AWS::SSM::MaintenanceWindowTarget
Maintenance window
(p. 1513)
target ID

12a345b6bbb7-4bb6-90b0-8c9577a2d2b9

AWS::SSM::MaintenanceWindowTask
Maintenance (p.
window
1515)task ID

12a345b6bbb7-4bb6-90b0-8c9577a2d2b9

AWS::SSM::PatchBaseline
Patch
(p. 1522)
baseline ID

pb-abcde1234567890yz
The ID of the default patch baseline
provided by AWS is an ARN—
for example arn:aws:ssm:uswest-2:123456789012:patchbaseline/
abcde1234567890yz.

AWS::StepFunctions::Activity
Amazon
(p. 1527)
Resource Name (ARN) of the
AWS Step Functions activity

arn:aws:states:useast-1:111122223333:activity:myActivity

AWS::StepFunctions::StateMachine
ARN of the (p.
created
1529)Step Functions state
machine

arn:aws:states:useast-1:111122223333:stateMachine:MyStat
ABCDEFGHIJ1K

AWS::WAF::ByteMatchSet
Byte
(p. 1532)
match ID

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WAF::IPSet (p. 1535)
IP set ID

aabc123a-fb4f-4fc6becb-2b00831cadcf

API Version 2010-05-15
2320

AWS CloudFormation User Guide
Ref

Resource Type

Reference Value

Example Return Value

AWS::WAF::Rule (p. 1539)
Rule ID

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WAF::SizeConstraintSet
Size constraint
(p. 1541) set ID

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WAF::SqlInjectionMatchSet
SQL match
(p.set
1544)
ID

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WAF::WebACL (p. 1547)
Web ACL ID

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WAF::XssMatchSetXSS
(p. 1551)
match set ID

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WAFRegional::ByteMatchSet
Byte match(p.
ID1555)

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WAFRegional::IPSet
IP(p.
set1558)
ID

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WAFRegional::RuleRule
(p. 1561)
ID

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WAFRegional::SizeConstraintSet
Size constraint(p.
set1563)
ID

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WAFRegional::SqlInjectionMatchSet
SQL match set ID (p. 1567)

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WAFRegional::WebACL
Web (p.
ACL1570)
ID

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WAFRegional::XssMatchSet
XSS match
(p.set
1575)
ID

aabc123a-fb4f-4fc6becb-2b00831cadcf

AWS::WorkSpaces::Workspace
Workspace
(p. 1579)
ID

ws-cdd1gggh7

Pseudo
Parameter (p. 2322)

AWS::AccountId

123456789012

Pseudo
Parameter (p. 2322)

AWS::NotiﬁcationARNs

[arn:aws:sns:useast-1:123456789012:MyTopic]

Pseudo
Parameter (p. 2322)

AWS::NoValue

Does not return a value.

Pseudo
Parameter (p. 2322)

AWS::Partition

aws

Pseudo
Parameter (p. 2322)

AWS::Region

us-east-2

Pseudo
Parameter (p. 2322)

AWS::StackId

arn:aws:cloudformation:useast-1:123456789012:stack/
MyStack/1c2fa620-982a-11e3aff7-50e2416294e0

API Version 2010-05-15
2321

AWS CloudFormation User Guide
Pseudo Parameters

Resource Type

Reference Value

Example Return Value

Pseudo
Parameter (p. 2322)

AWS::StackName

MyStack

Pseudo Parameters Reference
Pseudo parameters are parameters that are predeﬁned by AWS CloudFormation. You do not declare
them in your template. Use them the same way as you would a parameter, as the argument for the Ref
function.

Example
The following snippet assigns the value of the AWS::Region pseudo parameter to an output value:

JSON
"Outputs" : {
"MyStacksRegion" : { "Value" : { "Ref" : "AWS::Region" } }
}

YAML
Outputs:
MyStacksRegion:
Value: !Ref "AWS::Region"

AWS::AccountId
Returns the AWS account ID of the account in which the stack is being created, such as 123456789012.

AWS::NotiﬁcationARNs
Returns the list of notiﬁcation Amazon Resource Names (ARNs) for the current stack.
To get a single ARN from the list, use Fn::Select (p. 2304).

JSON
"myASGrpOne" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Version" : "2009-05-15",
"Properties" : {
"AvailabilityZones" : [ "us-east-1a" ],
"LaunchConfigurationName" : { "Ref" : "MyLaunchConfiguration" },
"MinSize" : "0",
"MaxSize" : "0",
"NotificationConfigurations" : [{
"TopicARN" : { "Fn::Select" : [ "0", { "Ref" : "AWS::NotificationARNs" } ] },
"NotificationTypes" : [ "autoscaling:EC2_INSTANCE_LAUNCH",
"autoscaling:EC2_INSTANCE_LAUNCH_ERROR" ]
}]
}

API Version 2010-05-15
2322

AWS CloudFormation User Guide
AWS::NoValue
}

YAML
myASGrpOne:
Type: AWS::AutoScaling::AutoScalingGroup
Version: '2009-05-15'
Properties:
AvailabilityZones:
- "us-east-1a"
LaunchConfigurationName:
Ref: MyLaunchConfiguration
MinSize: '0'
MaxSize: '0'
NotificationConfigurations:
- TopicARN:
Fn::Select:
- '0'
- Ref: AWS::NotificationARNs
NotificationTypes:
- autoscaling:EC2_INSTANCE_LAUNCH
- autoscaling:EC2_INSTANCE_LAUNCH_ERROR

AWS::NoValue
Removes the corresponding resource property when speciﬁed as a return value in the Fn::If intrinsic
function.
For example, you can use the AWS::NoValue parameter when you want to use a snapshot for
an Amazon RDS DB instance only if a snapshot ID is provided. If the UseDBSnapshot condition
evaluates to true, AWS CloudFormation uses the DBSnapshotName parameter value for the
DBSnapshotIdentifier property. If the condition evaluates to false, AWS CloudFormation removes
the DBSnapshotIdentifier property.

JSON
"MyDB" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"AllocatedStorage" : "5",
"DBInstanceClass" : "db.m1.small",
"Engine" : "MySQL",
"EngineVersion" : "5.5",
"MasterUsername" : { "Ref" : "DBUser" },
"MasterUserPassword" : { "Ref" : "DBPassword" },
"DBParameterGroupName" : { "Ref" : "MyRDSParamGroup" },
"DBSnapshotIdentifier" : {
"Fn::If" : [
"UseDBSnapshot",
{"Ref" : "DBSnapshotName"},
{"Ref" : "AWS::NoValue"}
]
}
}
}

YAML
MyDB:

API Version 2010-05-15
2323

AWS CloudFormation User Guide
AWS::Partition
Type: AWS::RDS::DBInstance
Properties:
AllocatedStorage: '5'
DBInstanceClass: db.m1.small
Engine: MySQL
EngineVersion: '5.5'
MasterUsername:
Ref: DBUser
MasterUserPassword:
Ref: DBPassword
DBParameterGroupName:
Ref: MyRDSParamGroup
DBSnapshotIdentifier:
Fn::If:
- UseDBSnapshot
- Ref: DBSnapshotName
- Ref: AWS::NoValue

AWS::Partition
Returns the partition that the resource is in. For standard AWS regions, the partition is aws. For resources
in other partitions, the partition is aws-partitionname. For example, the partition for resources in the
China (Beijing) region is aws-cn.

AWS::Region
Returns a string representing the AWS Region in which the encompassing resource is being created, such
as us-west-2.

AWS::StackId
Returns the ID of the stack as speciﬁed with the aws cloudformation create-stack command,
such as arn:aws:cloudformation:us-west-2:123456789012:stack/teststack/51af3dc0da77-11e4-872e-1234567db123.

AWS::StackName
Returns the name of the stack as speciﬁed with the aws cloudformation create-stack command,
such as teststack.

AWS::URLSuﬃx
Returns the suﬃx for a domain. The suﬃx is typically amazonaws.com, but might diﬀer by region. For
example, the suﬃx for the China (Beijing) region is amazonaws.com.cn.

CloudFormation Helper Scripts Reference
AWS CloudFormation provides the following Python helper scripts that you can use to install software
and start services on an Amazon EC2 instance that you create as part of your stack:
• cfn-init (p. 2328): Use to retrieve and interpret resource metadata, install packages, create ﬁles, and
start services.
• cfn-signal (p. 2331): Use to signal with a CreationPolicy or WaitCondition, so you can synchronize
other resources in the stack when the prerequisite resource or application is ready.
• cfn-get-metadata (p. 2335): Use to retrieve metadata for a resource or path to a speciﬁc key.
API Version 2010-05-15
2324

AWS CloudFormation User Guide
Amazon Linux AMI Images

• cfn-hup (p. 2337): Use to check for updates to metadata and execute custom hooks when changes are
detected.
You call the scripts directly from your template. The scripts work in conjunction with resource metadata
that's deﬁned in the same template. The scripts run on the Amazon EC2 instance during the stack
creation process.

Note

The scripts are not executed by default. You must include calls in your template to execute
speciﬁc helper scripts.

Amazon Linux AMI Images
The AWS CloudFormation helper scripts are preinstalled on Amazon Linux AMI images.
• On the latest Amazon Linux AMI version, the scripts are installed in /opt/aws/bin.
• On previous Amazon Linux AMI versions, the aws-cfn-bootstrap package that contains the scripts is
located in the Yum repository.

Downloading Packages for Other Platforms
For Linux/Unix distributions other than Amazon Linux AMI images and for Microsoft Windows (2008 or
later), you can download the aws-cfn-bootstrap package.
File Format

Download
URL

RPM

https://
s3.amazonaws.com/
cloudformationexamples/
aws-cfnbootstraplatest.amzn1.noarch.rpm
Source ﬁles:
https://
s3.amazonaws.com/
cloudformationexamples/
aws-cfnbootstraplatest.src.rpm

TAR.GZ

https://
s3.amazonaws.com/
cloudformationexamples/
aws-cfnbootstraplatest.tar.gz
Uses the
Python
easy-install
tools. To
API Version 2010-05-15
2325

AWS CloudFormation User Guide
Permissions for helper scripts

File Format

Download
URL
complete
the
installation
for Ubuntu,
you must
create a
symlink:
ln -s /
root/
aws-cfnbootstraplatest/
init/
ubuntu/
cfnhup /etc/
init.d/
cfn-hup

ZIP

https://
s3.amazonaws.com/
cloudformationexamples/
aws-cfnbootstraplatest.zip

MSI

32-bit
Windows:
https://
s3.amazonaws.com/
cloudformationexamples/
aws-cfnbootstraplatest.msi
64-bit
Windows:
https://
s3.amazonaws.com/
cloudformationexamples/
aws-cfnbootstrapwin64latest.msi

Permissions for helper scripts
By default, helper scripts do not require credentials, so you do not need to use the --access-key,
--secret-key, --role, or --credential-file options. However, if no credentials are speciﬁed,
API Version 2010-05-15
2326

AWS CloudFormation User Guide
Using the Latest Version

AWS CloudFormation checks for stack membership and limits the scope of the call to the stack that the
instance belongs to.
If you choose to specify an option, we recommend that you specify only one of the following:
• --role
• --credential-file
• --access-key together with --secret-key
If you do specify an option, keep in mind which permissions the various helper scripts require:
• cfn-signal requires cloudformation:SignalResource
• All other helper scripts require cloudformation:DescribeStackResource
For more information on using AWS CloudFormation-speciﬁc actions and condition context keys in IAM
policies, see Controlling Access with AWS Identity and Access Management (p. 9).

Using the Latest Version
The helper scripts are updated periodically. If you use the helper scripts, ensure that your launched
instances are using the latest version of the scripts:
• Include the following command in the UserData property of your template before you call the scripts.
This command ensures that you get the latest version:
yum install -y aws-cfn-bootstrap
• If you don't include the yum install command and you use the cfn-init, cfn-signal, or cfnget-metadata scripts, then you'll need to manually update the scripts in each Amazon EC2 Linux
instance using this command:
sudo yum install -y aws-cfn-bootstrap
• If you don't include the yum install command and you use the cfn-hup script, then you'll need to
manually update the script in each Amazon EC2 Linux instance using these commands:
sudo yum install -y aws-cfn-bootstrap
sudo /sbin/service cfn-hup restart
• If you use the source code for the scripts to work with another version of Linux or a diﬀerent platform,
and you have created your own certiﬁcate trust store, you'll also need to keep the trust store updated.
For the version history of the aws-cfn-bootstrap package, see Release History for AWS CloudFormation
Helper Scripts (p. 2449).
Topics
• cfn-init (p. 2328)
• cfn-signal (p. 2331)
• cfn-get-metadata (p. 2335)
• cfn-hup (p. 2337)

API Version 2010-05-15
2327

AWS CloudFormation User Guide
cfn-init

cfn-init
Description
The cfn-init helper script reads template metadata from the AWS::CloudFormation::Init key and acts
accordingly to:
• Fetch and parse metadata from AWS CloudFormation
• Install packages
• Write ﬁles to disk
• Enable/disable and start/stop services

Note

If you use cfn-init to update an existing ﬁle, it creates a backup copy of the original ﬁle in the
same directory with a .bak extension. For example, if you update /path/to/file_name, the
action produces two ﬁles: /path/to/file_name.bak contains the original ﬁle's contents and
/path/to/file_name contains the updated contents.
For information about the template metadata, see AWS::CloudFormation::Init (p. 677).

Note

cfn-init does not require credentials, so you do not need to use the --access-key, --secretkey, --role, or --credential-file options. However, if no credentials are speciﬁed, AWS
CloudFormation checks for stack membership and limits the scope of the call to the stack that
the instance belongs to.

Syntax
cfn-init --stack|-s stack.name.or.id \
--resource|-r logical.resource.id \
--region region
--access-key access.key \
--secret-key secret.key \
--role rolename\
--credential-file|-f credential.file \
--configsets|-c config.sets \
--url|-u service.url \
--http-proxy HTTP.proxy \
--https-proxy HTTPS.proxy \
--verbose|-v

Options
Name

Description

Required

-s, --stack

Name of the Stack.

Yes

Type: String
Default: None
Example: -s { "Ref" : "AWS::StackName" },
-r, --resource

The logical resource ID of the resource that contains
the metadata.
API Version 2010-05-15
2328

Yes

AWS CloudFormation User Guide
cfn-init

Name

Description

Required

Type: String
Example: -r WebServerHost
--region

The AWS CloudFormation regional endpoint to use.

No

Type: String
Default: us-east-1
Example: --region ", { "Ref" :
"AWS::Region" },
--access-key

AWS access key for an account with permission to call
DescribeStackResource on AWS CloudFormation. The
credential ﬁle parameter supersedes this parameter.

No

Type: String
--secret-key

AWS secret access key that corresponds to the
speciﬁed AWS access key.

No

Type: String
--role

The name of an IAM role that is associated with the
instance.

No

Type: String
Condition: The credential ﬁle parameter supersedes
this parameter.
-f, --credentialfile

A ﬁle that contains both a secret access key and an
access key. The credential ﬁle parameter supersedes
the --role, --access-key, and --secret-key parameters.

No

Type: String
-c, --configsets

A comma-separated list of conﬁgsets to run (in order). No
Type: String
Default: default

-u, --url

The AWS CloudFormation endpoint to use.

No

Type: String
--http-proxy

An HTTP proxy (non-SSL). Use the following format:
http://user:password@host:port

No

Type: String
--https-proxy

An HTTPS proxy. Use the following format:
https://user:password@host:port
Type: String

API Version 2010-05-15
2329

No

AWS CloudFormation User Guide
cfn-init

Name

Description

Required

-v

Verbose output. This is useful for debugging cases
where cfn-init is failing to initialize.

No

Note

To debug initialization events, you should
turn DisableRollback on. You can do this
by using the AWS CloudFormation console,
selecting Show Advanced Options, and then
setting "Rollback on failure" to "No". You can
then SSH into the console and read the logs
at /var/log/cfn-init.log.

Example
Amazon Linux Example
The following snippet shows the UserData property of an EC2 instance, which runs the
InstallAndRun conﬁgset that is associated with the WebServerInstance resource.
For a complete example template, see Deploying Applications on Amazon EC2 with AWS
CloudFormation (p. 260).

JSON
"UserData" : { "Fn::Base64" :
{ "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"# Install the files and packages from the metadata\n",
"/opt/aws/bin/cfn-init -v ",
"
--stack ", { "Ref" : "AWS::StackName" },
"
--resource WebServerInstance ",
"
--configsets InstallAndRun ",
"
--region ", { "Ref" : "AWS::Region" }, "\n"
]]}
}

YAML
UserData: !Base64
'Fn::Join':
- ''
- - |
#!/bin/bash -xe
- |
# Install the files and packages from the metadata
- '/opt/aws/bin/cfn-init -v '
- '
--stack '
- !Ref 'AWS::StackName'
- '
--resource WebServerInstance '
- '
--configsets InstallAndRun '
- '
--region '
- !Ref 'AWS::Region'
- |+

API Version 2010-05-15
2330

AWS CloudFormation User Guide
cfn-signal

cfn-signal
Description
The cfn-signal helper script signals AWS CloudFormation to indicate whether Amazon EC2 instances have
been successfully created or updated. If you install and conﬁgure software applications on instances, you
can signal AWS CloudFormation when those software applications are ready.
You use the cfn-signal script in conjunction with a CreationPolicy (p. 2245) or an Auto Scaling group
with a WaitOnResourceSignals (p. 2255) update policy. When AWS CloudFormation creates or
updates resources with those policies, it suspends work on the stack until the resource receives the
requisite number of signals or until the timeout period is exceeded. For each valid signal that AWS
CloudFormation receives, AWS CloudFormation publishes the signals to the stack events so that
you track each signal. For a walkthrough that uses a creation policy and cfn-signal, see Deploying
Applications on Amazon EC2 with AWS CloudFormation (p. 260).

Note

cfn-signal does not require credentials, so you do not need to use the --access-key, -secret-key, --role, or --credential-file options. However, if no credentials are
speciﬁed, AWS CloudFormation checks for stack membership and limits the scope of the call to
the stack that the instance belongs to.

Syntax for Resource Signaling (Recommended)
If you want to signal AWS CloudFormation resources, use the following syntax.
cfn-signal --success|-s signal.to.send \
--access-key access.key \
--credential-file|-f credential.file \
--exit-code|-e exit.code \
--http-proxy HTTP.proxy \
--https-proxy HTTPS.proxy \
--id|-i unique.id \
--region AWS.region \
--resource resource.logical.ID \
--role IAM.role.name \
--secret-key secret.key \
--stack stack.name.or.stack.ID \
--url AWS CloudFormation.endpoint

Syntax for Use with Wait Condition Handle
If you want to signal a wait condition handle, use the following syntax.
cfn-signal --success|-s signal.to.send \
--reason|-r resource.status.reason \
--data|-d data \
--id|-i unique.id \
--exit-code|-e exit.code \
waitconditionhandle.url

Options
The options that you can use depend on whether you're signaling a creation policy or a wait condition
handle. Some options that apply to a creation policy might not apply to a wait condition handle.
API Version 2010-05-15
2331

AWS CloudFormation User Guide
cfn-signal

Name

Description

Required

--access-key (resource
signaling only)

AWS access key for an account with permission to
call the AWS CloudFormation SignalResource
API. The credential ﬁle parameter supersedes this
parameter.

No

Type: String
-d, --data (wait
condition handle only)

Data to send back with the waitConditionHandle.
Defaults to blank.

No

Type: String
Default: blank
-e, --exit-code

The error code from a process that can be used to
determine success or failure. If speciﬁed, the -success option is ignored.

No

Type: String
Examples: -e $? (for Linux), -e %ERRORLEVEL% (for
Windows cmd.exe), and -e $lastexitcode (for
Windows PowerShell).
-f, --credentialfile (resource signaling
only)

A ﬁle that contains both a secret access key and an
access key. The credential ﬁle parameter supersedes
the --role, --access-key, and --secret-key parameters.

No

Type: String
--http-proxy

An HTTP proxy (non-SSL). Use the following format:
http://user:password@host:port

No

Type: String
--https-proxy

An HTTPS proxy. Use the following format:
https://user:password@host:port

No

Type: String
-i, --id

The unique ID to send.

No

Type: String
Default: The ID of the Amazon EC2 instance. If the
ID cannot be resolved, the machine's Fully Qualiﬁed
Domain Name (FQDN) is returned.
-r, --reason (wait
condition handle only)

A status reason for the resource event (currently only
used on failure) - defaults to 'Conﬁguration failed' if
success is false.

No

Type: String
--region (resource
signaling only)

The AWS CloudFormation regional endpoint to use.
Type: String

API Version 2010-05-15
2332

No

AWS CloudFormation User Guide
cfn-signal

Name

Description

Required

Default: us-east-1
--resource (resource
signaling only)

The logical ID (p. 196) of the resource that contains
the creations policy you want to signal.

Yes

Type: String
--role (resource
signaling only)

The name of an IAM role that is associated with the
instance.

No

Type: String
Condition: The credential ﬁle parameter supersedes
this parameter.
-s, --success

if true, signal SUCCESS, else FAILURE.

No

Type: Boolean
Default: true
--secret-key (resource
signaling only)

AWS secret access key that corresponds to the
speciﬁed AWS access key.

No

Type: String
--stack (resource
signaling only)

The stack name or stack ID that contains the resource
you want to signal.

Yes

Type: String
-u, --url (resource
signaling only)

The AWS CloudFormation endpoint to use.

No

Type: String

waitconditionhandle.url
A presigned URL that you can use to signal success or
(wait condition handle
failure to an associated WaitCondition
only)
Type: String

Yes

Example
Amazon Linux Example
A common usage pattern is to use cfn-init and cfn-signal together. The cfn-signal call uses the
return status of the call to cfn-init (using the $? shell construct). If the application fails to install, the
instance will fail to create and the stack will rollback. For Windows stacks, see Bootstrapping AWS
CloudFormation Windows Stacks (p. 157).

JSON
{

"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Simple EC2 instance",
"Resources": {
"MyInstance": {
"Type": "AWS::EC2::Instance",
"Metadata": {

API Version 2010-05-15
2333

AWS CloudFormation User Guide
cfn-signal
"AWS::CloudFormation::Init": {
"config": {
"files": {
"/tmp/test.txt": {
"content": "Hello world!",
"mode": "000755",
"owner": "root",
"group": "root"
}
}
}
}

}

}

}

},
"Properties": {
"ImageId": "ami-a4c7edb2",
"InstanceType": "t2.micro",
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/bash -x\n",
"# Install the files and packages from the metadata\n",
"/opt/aws/bin/cfn-init -v ",
"
--stack ",
{
"Ref": "AWS::StackName"
},
"
--resource MyInstance ",
"
--region ",
{
"Ref": "AWS::Region"
},
"\n",
"# Signal the status from cfn-init\n",
"/opt/aws/bin/cfn-signal -e $? ",
"
--stack ",
{
"Ref": "AWS::StackName"
},
"
--resource MyInstance ",
"
--region ",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
}
},
"CreationPolicy": {
"ResourceSignal": {
"Timeout": "PT5M"
}
}

YAML
AWSTemplateFormatVersion: 2010-09-09
Description: Simple EC2 instance

API Version 2010-05-15
2334

AWS CloudFormation User Guide
cfn-get-metadata
Resources:
MyInstance:
Type: AWS::EC2::Instance
Metadata:
'AWS::CloudFormation::Init':
config:
files:
/tmp/test.txt:
content: Hello world!
mode: '000755'
owner: root
group: root
Properties:
ImageId: ami-a4c7edb2
InstanceType: t2.micro
UserData: !Base64
'Fn::Join':
- ''
- - |
#!/bin/bash -x
- |
# Install the files and packages from the metadata
- '/opt/aws/bin/cfn-init -v '
- '
--stack '
- !Ref 'AWS::StackName'
- '
--resource MyInstance '
- '
--region '
- !Ref 'AWS::Region'
- |+
- |
# Signal the status from cfn-init
- '/opt/aws/bin/cfn-signal -e $? '
- '
--stack '
- !Ref 'AWS::StackName'
- '
--resource MyInstance '
- '
--region '
- !Ref 'AWS::Region'
- |+
CreationPolicy:
ResourceSignal:
Timeout: PT5M

Examples
Several AWS CloudFormation sample templates use cfn-signal, including the following templates.
• LAMP: Single EC2 Instance with local MySQL database
• WordPress: Single EC2 Instance with local MySQL database

cfn-get-metadata
Description
You can use the cfn-get-metadata helper script to fetch a metadata block from AWS CloudFormation
and print it to standard out. You can also print a sub-tree of the metadata block if you specify a key.
However, only top-level keys are supported.

API Version 2010-05-15
2335

AWS CloudFormation User Guide
cfn-get-metadata

Note

cfn-get-metadata does not require credentials, so you do not need to use the --access-key,
--secret-key, --role, or --credential-file options. However, if no credentials are
speciﬁed, AWS CloudFormation checks for stack membership and limits the scope of the call to
the stack that the instance belongs to.

Syntax
cfn-get-metadata --access-key access.key \
--secret-key secret.key \
--credential-file|f credential.file \
--key|k key \
--stack|-s stack.name.or.id \
--resource|-r logical.resource.id \
--role IAM.role.name \
--url|-u service.url \
--region region

Options
Name

Description

Required

-k, --key

For a key-value pair, returns the name of the key for
the value that you speciﬁed.

No

Type: String
Example: For { "SampleKey1" : "Key1",
"SampleKey2" : "Key2" }, cfn-get-metadata
-k Key2 returns SampleKey2.
-s, --stack

Name of the Stack.

Yes

Type: String
Default: None
Example: -s { "Ref" : "AWS::StackName" },
-r, --resource

The logical resource ID of the resource that contains
the metadata.

Yes

Type: String
Example: -r WebServerHost
--role (resource
signaling only)

The name of an IAM role that is associated with the
instance.

No

Type: String
Condition: The credential ﬁle parameter supersedes
this parameter.
--region

The region to derive the AWS CloudFormation URL
from.
Type: String
API Version 2010-05-15
2336

No

AWS CloudFormation User Guide
cfn-hup

Name

Description

Required

Default: None
Example: --region ", { "Ref" :
"AWS::Region" },
--access-key

AWS Access Key for an account with permission to call Conditional
DescribeStackResource on AWS CloudFormation.
Type: String
Condition: The credential ﬁle parameter supersedes
this parameter.

--secret-key

AWS Secret Key that corresponds to the speciﬁed
AWS Access Key.

Conditional

Type: String
Condition: The credential ﬁle parameter supersedes
this parameter.
-f, --credentialfile

A ﬁle that contains both a secret key and an access
key.

Conditional

Type: String
Condition: The credential ﬁle parameter supersedes
the --access-key and --secret-key parameters.

cfn-hup
Description
The cfn-hup helper is a daemon that detects changes in resource metadata and runs user-speciﬁed
actions when a change is detected. This allows you to make conﬁguration updates on your running
Amazon EC2 instances through the UpdateStack API action.

Syntax
cfn-hup --config|-c config.dir \
--no-daemon \
--verbose|-v

Options
Name

Description

Required

--config|-c
config.dir

Speciﬁes the path that the cfn-hup script looks for
the cfn-hup.conf and the hooks.d directories. On
Windows, the default path is system_drive\cfn.
On Linux, the default path is /etc/cfn.

No

--no-daemon

Specify this option to run the cfn-hup script once and
exit.

No

API Version 2010-05-15
2337

AWS CloudFormation User Guide
cfn-hup

Name

Description

Required

-v, --verbose

Specify this option to use verbose mode.

No

cfn-hup.conf Conﬁguration File
The cfn-hup.conf ﬁle stores the name of the stack and the AWS credentials that the cfn-hup daemon
targets.
The cfn-hup.conf ﬁle uses the following format:
[main]
stack=

Name

Description

Required

stack

A stack name or ID.

Yes

Type: String
credential-file

An owner-only credential ﬁle, in the same format
used for the command line tools.

No

Type: String
Condition: The role parameter supersedes this
parameter.
role

The name of an IAM role that is associated with the
instance.

No

Type: String
region

The name of the AWS region containing the stack.

No

Example: us-east-2
umask

The umask used by the cfn-hup daemon.

No

This value can be speciﬁed with or without a leading
0. In both cases, it is interpreted as an octal number
(very similar to the Linux umask command). This
parameter has no eﬀect on Windows.
Type: Octal integer between 0 and 0777
Default: 022, version 1.4-22 and higher. The
default value of 022 masks group and world write
permissions, so ﬁles created by the cfn-hup daemon
are not group or world writable by default. The
default value for versions 1.4-21 and earlier is 0,
which masks nothing.
interval

The interval used to check for changes to the
resource metadata in minutes
Type: Number
API Version 2010-05-15
2338

No

AWS CloudFormation User Guide
cfn-hup

Name

Description

Required

Default: 15
verbose

Speciﬁes whether to use verbose logging.

No

Type: Boolean
Default: false

hooks.conf Conﬁguration File
The user actions that the cfn-hup daemon calls periodically are deﬁned in the hooks.conf conﬁguration
ﬁle. The hooks.conf ﬁle uses the following format:
[hookname]
triggers=post.add or post.update or post.remove
path=Resources. (.Metadata or .PhysicalResourceId)
(.)
action=
runas=

When the action is run, it is run in a copy of the current environment (that cfn-hup is in), with
CFN_OLD_METADATA set to the previous value of path, and CFN_NEW_METADATA set to the current
value.
The hooks conﬁguration ﬁle is loaded at cfn-hup daemon startup only, so new hooks will require the
daemon to be restarted. A cache of previous metadata values is stored at /var/lib/cfn-hup/data/
metadata_db—you can delete this cache to force cfn-hup to run all post.add actions again.
Name

Description

Required

hookname

A unique name for this hook

Yes

Type: String
triggers

A comma-delimited list of conditions to detect.

Yes

Valid values: post.add, post.update, or
post.remove
Example: post.add, post.update
path

The path to the metadata object. Supports an
arbitrarily deep path within the Metadata block.

Yes

Path format options
• Resources.—monitor the
last updated time of the resource, triggering on any
change to the resource.
• Resources..PhysicalResourceId
—monitor the physical ID of the resource,
triggering only when the associated resource
identity changes (such as a new EC2 instance).
• Resources..Metadata(.optional
path)—monitor the metadata of a resource for
API Version 2010-05-15
2339

AWS CloudFormation User Guide
cfn-hup

Name

Description

Required

changes (a metadata subpath may be speciﬁed to
an arbitrarily deep level to monitor speciﬁc values).
action

An arbitrary shell command that is run as given.

Yes

runas

A user to run the commands as. Cfn-hup uses the su
command to switch to the user.

Yes

hooks.d Directory
To support composition of several applications deploying change notiﬁcation hooks, cfn-hup supports a
directory named hooks.d that is located in the hooks conﬁguration directory. You can place one or more
additional hooks conﬁguration ﬁles in the hooks.d directory. The additional hooks ﬁles must use the
same layout as the hooks.conf ﬁle.
The cfn-hup daemon parses and loads each ﬁle in this directory. If any hooks in the hooks.d directory
have the same name as a hook in hooks.conf, the hooks will be merged (meaning hooks.d will overwrite
hooks.conf for any values that both ﬁles specify).

Example
In the following template snippet, AWS CloudFormation triggers the cfn-auto-reloader.conf
hooks ﬁle when you change the AWS::CloudFormation::Init resource that is associated with the
LaunchConfig resource.

JSON
...

...

"LaunchConfig": {
"Type" : "AWS::AutoScaling::LaunchConfiguration",
"Metadata" : {
"QBVersion": {"Ref": "paramQBVersion"},
"AWS::CloudFormation::Init" : {

...

"/etc/cfn/hooks.d/cfn-auto-reloader.conf": {
"content": { "Fn::Join": [ "", [
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.LaunchConfig.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -v ",
"
--stack ", { "Ref" : "AWS::StackName" },
"
--resource LaunchConfig ",
"
--configsets wordpress_install ",
"
--region ", { "Ref" : "AWS::Region" }, "\n",
"runas=root\n"
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
}

YAML
...
LaunchConfig:

API Version 2010-05-15
2340

AWS CloudFormation User Guide
cfn-hup

...

Type: "AWS::AutoScaling::LaunchConfiguration"
Metadata:
QBVersion: !Ref paramQBVersion
AWS::CloudFormation::Init:

/etc/cfn/hooks.d/cfn-auto-reloader.conf:
content: !Sub |
[cfn-auto-reloader-hook]
triggers=post.update
path=Resources.LaunchConfig.Metadata.AWS::CloudFormation::Init
action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource
LaunchConfig --configsets wordpress_install --region ${AWS::Region}
runas=root
mode: "000400"
owner: "root"
group: "root"
...

Additional Example
For a sample template, see Deploying Applications on Amazon EC2 with AWS CloudFormation (p. 260).

API Version 2010-05-15
2341

AWS CloudFormation User Guide

Sample Templates
AWS CloudFormation sample templates demonstrate how you can create templates for various uses. For
example, one sample template describes a load-balancing, auto scaling WordPress blog in an Amazon
VPC. We recommend that you use these sample templates as a starting point for creating your own
templates and not to launch production-level environments.
To view the sample templates, go to http://docs.aws.amazon.com/AWSCloudFormation/latest/
UserGuide/cfn-sample-templates.html

Note

The AWS Quick Starts use AWS CloudFormation templates to automate software deployments,
such as a Chef Server or MongoDB, on AWS. You can use these templates to learn how to deploy
your own solution on AWS. For more information, see AWS Quick Start Reference Deployments.

API Version 2010-05-15
2342

AWS CloudFormation User Guide
Troubleshooting Guide

Troubleshooting AWS
CloudFormation
When you use AWS CloudFormation, you might encounter issues when you create, update, or delete AWS
CloudFormation stacks. The following sections can help you troubleshoot some common issues that you
might encounter.
For general questions about AWS CloudFormation, see the AWS CloudFormation FAQs. You can also
search for answers and post questions in the AWS CloudFormation forums.
Topics
• Troubleshooting Guide (p. 2343)
• Troubleshooting Errors (p. 2343)
• Contacting Support (p. 2348)

Troubleshooting Guide
If AWS CloudFormation fails to create, update, or delete your stack, you can view error messages
or logs to help you learn more about the issue. The following tasks describe general methods for
troubleshooting a AWS CloudFormation issue. For information about speciﬁc errors and solutions, see
the Troubleshooting Errors (p. 2343) section.
• Use the AWS CloudFormation console to view the status of your stack. In the console, you can view
a list of stack events while your stack is being created, updated, or deleted. From this list, ﬁnd the
failure event and then view the status reason for that event. The status reason might contain an
error message from AWS CloudFormation or from a particular service that can help you troubleshoot
your problem. For more information about viewing stack events, see Viewing Stack Data and
Resources (p. 99).
• For Amazon EC2 issues, view the cloud-init and cfn logs. These logs are published on the Amazon EC2
instance in the /var/log/ directory. These logs capture processes and command outputs while AWS
CloudFormation is setting up your instance. For Windows, view the EC2Conﬁgure service and cfn logs
in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.
You can also conﬁgure your AWS CloudFormation template so that the logs are published to Amazon
CloudWatch, which displays logs in the AWS Management Console so you don't have to connect to
your Amazon EC2 instance. For more information, see View CloudFormation Logs in the Console in the
Application Management Blog.

Troubleshooting Errors
When you come across the following errors with your AWS CloudFormation stack, you can use the
following solutions to help you ﬁnd the source of the problems and ﬁx them.
Topics
• Delete Stack Fails (p. 2344)
• Dependency Error (p. 2344)
API Version 2010-05-15
2343

AWS CloudFormation User Guide
Delete Stack Fails

• Error Parsing Parameter When Passing a List (p. 2345)
• Insuﬃcient IAM Permissions (p. 2345)
• Invalid Value or Unsupported Resource Property (p. 2345)
• Limit Exceeded (p. 2345)
• Nested Stacks are Stuck in UPDATE_COMPLETE_CLEANUP_IN_PROGRESS,
UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS, or
UPDATE_ROLLBACK_IN_PROGRESS (p. 2345)
• No Updates to Perform (p. 2346)
• Resource Failed to Stabilize During a Create, Update, or Delete Stack Operation (p. 2346)
• Security Group Does Not Exist in VPC (p. 2346)
• Update Rollback Failed (p. 2347)
• Wait Condition Didn't Receive the Required Number of Signals from an Amazon EC2
Instance (p. 2348)

Delete Stack Fails
To resolve this situation, try the following:
• Some resources must be empty before they can be deleted. For example, you must delete all objects in
an Amazon S3 bucket or remove all instances in an Amazon EC2 security group before you can delete
the bucket or security group.
• Ensure that you have the necessary IAM permissions to delete the resources in the stack. In addition
to AWS CloudFormation permissions, you must be allowed to use the underlying services, such as
Amazon S3 or Amazon EC2.
• When stacks are in the DELETE_FAILED state because AWS CloudFormation couldn't delete a
resource, rerun the deletion with the RetainResources parameter and specify the resource that AWS
CloudFormation can't delete. AWS CloudFormation deletes the stack without deleting the retained
resource. Retaining resources is useful when you can't delete a resource, such as an S3 bucket that
contains objects that you want to keep, but you still want to delete the stack.
After you delete the stack, you can manually delete retained resources by using their associated AWS
service.
• You cannot delete stacks that have termination protection enabled. If you attempt to delete a stack
with termination protection enabled, the deletion fails and the stack--including its status--remains
unchanged. Disable termination protection on the stack, then perform the delete operation again.
This includes nested stacks (p. 155) whose root stacks have termination protection enabled. Disable
termination protection on the root stack, then perform the delete operation again. It is strongly
recommended that you do not delete nested stacks directly, but only delete them as part of deleting
the root stack and all its resources.
For more information, see Protecting a Stack From Being Deleted (p. 106).
• For all other issues, if you have AWS Premium Support, you can create a Technical Support case. See
Contacting Support (p. 2348).

Dependency Error
To resolve a dependency error, add a DependsOn attribute to resources that depend on other resources
in your template. In some cases, you must explicitly declare dependencies so that AWS CloudFormation
can create or delete resources in the correct order. For example, if you create an Elastic IP and a VPC with
an Internet gateway in the same stack, the Elastic IP must depend on the Internet gateway attachment.
For additional information, see DependsOn Attribute (p. 2250).
API Version 2010-05-15
2344

AWS CloudFormation User Guide
Error Parsing Parameter When Passing a List

Error Parsing Parameter When Passing a List
When you use the AWS Command Line Interface or AWS CloudFormation to pass in a list, add the escape
character (\) before each comma. The following sample shows how you specify an input parameter when
using the CLI.
ParameterKey=CIDR,ParameterValue='10.10.0.0/16\,10.10.0.0/24\,10.10.1.0/24'

Insuﬃcient IAM Permissions
When you work with an AWS CloudFormation stack, you not only need permissions to use AWS
CloudFormation, you must also have permission to use the underlying services that are described in your
template. For example, if you're creating an Amazon S3 bucket or starting an Amazon EC2 instance, you
need permissions to Amazon S3 or Amazon EC2. Review your IAM policy and verify that you have the
necessary permissions before you work with AWS CloudFormation stacks. For more information see,
Controlling Access with AWS Identity and Access Management (p. 9).

Invalid Value or Unsupported Resource Property
When you create or update an AWS CloudFormation stack, your stack can fail due to invalid input
parameters, unsupported resource property names, or unsupported resource property values. For input
parameters, verify that the resource exists. For example, when you specify an Amazon EC2 key pair or
VPC ID, the resource must exist in your account and in the region in which you are creating or updating
your stack. You can use AWS-speciﬁc parameter types (p. 169) to ensure that you use valid values.
For resource property names and values, update your template to use valid names and values. For a list
of all the resources and their property names, see AWS Resource Types Reference (p. 499).

Limit Exceeded
Verify that you didn't reach a resource limit. For example, the default number Amazon EC2 instances that
you can launch is 20. If try to create more Amazon EC2 instances than your account limit, the instance
creation fails and you receive the error Status=start_failed. To view the default AWS limits by
service, see AWS Service Limits in the AWS General Reference.
For AWS CloudFormation limits and tweaking strategies, see AWS CloudFormation Limits (p. 21).
Also, during an update, if a resource is replaced, AWS CloudFormation creates new resource before it
deletes the old one. This replacement might put your account over the resource limit, which would cause
your update to fail. You can delete excess resources or request a limit increase.

Nested Stacks are Stuck in
UPDATE_COMPLETE_CLEANUP_IN_PROGRESS,
UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS,
or UPDATE_ROLLBACK_IN_PROGRESS
A nested stack failed to roll back. Because of potential resource dependencies between nested stacks,
AWS CloudFormation doesn't start cleaning up nested stack resources until all nested stacks have been
updated or have rolled back. When a nested stack fails to roll back, AWS CloudFormation cancels all
operations, regardless of the state that the other nested stacks are in. A nested stack that completed
updating or rolling back but did not receive a signal from AWS CloudFormation to start cleaning up
API Version 2010-05-15
2345

AWS CloudFormation User Guide
No Updates to Perform

because another nested failed to roll back is in an UPDATE_COMPLETE_CLEANUP_IN_PROGRESS or
UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS state. A nested stack that failed to update but
did not receive a signal to start rolling back is in an UPDATE_ROLLBACK_IN_PROGRESS state.
A nested stack might fail to roll back because of changes that were made outside of AWS
CloudFormation, when the stack template doesn't accurately reﬂect the state of the stack. A nested
stack might also fail if an Auto Scaling group in a nested stack had an insuﬃcient resource signal timeout
period when the group was created or updated.
To ﬁx the stack, contact AWS customer support (p. 2348).

No Updates to Perform
To update an AWS CloudFormation stack, you must submit template or parameter value changes
to AWS CloudFormation. However, AWS CloudFormation won't recognize some template changes
as an update, such as changes to a deletion policy, update policy, condition declaration, or output
declaration. If you need to make such changes without making any other change, you can add or modify
a metadata (p. 2254) attribute for any of your resources.
For more information about modifying templates during an update, see Modifying a Stack
Template (p. 119).

Resource Failed to Stabilize During a Create, Update,
or Delete Stack Operation
A resource did not respond because the operation exceeded the AWS CloudFormation timeout period or
an AWS service was interrupted. For service interruptions, check that the relevant AWS service is running,
and then retry the stack operation.
If the AWS services have been running successfully, check if your stack contains one of the following
resources:
• AWS::AutoScaling::AutoScalingGroup for create, update, and delete operations
• AWS::CertificateManager::Certificate for create operations
• AWS::CloudFormation::Stack for create, update, and delete operations
• AWS::ElasticSearch::Domain for update operations
• AWS::RDS::DBCluster for create and update operations
• AWS::RDS::DBInstance for create, update, and delete operations
• AWS::Redshift::Cluster for update operations
Operations for these resources might take longer than the default timeout period. The timeout period
depends on the resource and credentials that you use. To extend the timeout period, specify a service
role (p. 17) when you perform the stack operation. If you're already using a service role, or if your stack
contains a resource that isn't listed, contact AWS customer support (p. 2348).
If your stack is in the UPDATE_ROLLBACK_FAILED state, see Update Rollback Failed (p. 2347).

Security Group Does Not Exist in VPC
Verify that the security group exists in the VPC that you speciﬁed. If the security group exists,
ensure that you specify the security group ID and not the security group name. For example,
the AWS::EC2::SecurityGroupIngress resource has a SourceSecurityGroupName
and SourceSecurityGroupId properties. For VPC security groups, you must use the
SourceSecurityGroupId property and specify the security group ID.
API Version 2010-05-15
2346

AWS CloudFormation User Guide
Update Rollback Failed

Update Rollback Failed
A dependent resource cannot return to its original state, causing the rollback to fail
(UPDATE_ROLLBACK_FAILED state). For example, you might have a stack that is rolling back to an old
database instance that was deleted outside of AWS CloudFormation. Because AWS CloudFormation
doesn't know the database was deleted, it assumes that the database instance still exists and attempts
to roll back to it, causing the update rollback to fail.
Depending on the cause of the failure, you can manually ﬁx the error and continue the rollback. By
continuing the rollback, you can return your stack to a working state (the UPDATE_ROLLBACK_COMPLETE
state), and then try to update the stack again. The following list describes solutions to common errors
that cause update rollback failures:
• Failed to receive the required number of signals
Use the signal-resource command to manually send the required number of successful signals
to the resource that is waiting for them, and then continue rolling back the update. For example,
during an update rollback, instances in an Auto Scaling group might fail to signal success within
the speciﬁed timeout duration. Manually send success signals to the Auto Scaling group. When
you continue the update rollback, AWS CloudFormation sees your signals and proceeds with the
rollback.
• Changes to a resource were made outside of AWS CloudFormation
Manually sync resources so that they match the original stack's template, and then
continue rolling back the update. For example, if you manually deleted a resource that AWS
CloudFormation is attempting to roll back to, you must manually create that resource with the
same name and properties it had in the original stack.
• Insuﬃcient permissions
Check that you have suﬃcient IAM permissions to modify resources, and then continue the update
rollback. For example, your IAM policy might allow you to create an S3 bucket, but not modify the
bucket. Add the modify actions to your policy.
• Invalid security token
AWS CloudFormation requires a new set of credentials. No change is required. Continue rolling
back the update, which refreshes the credentials.
• Limitation error
Delete resources that you don't need or request a limit increase, and then continue rolling back
the update. For example, if your account limit for the number of EC2 instances is 20 and the
update rollback exceeds that limit, it will fail.
• Resource did not stabilize
A resource did not respond because the operation might have exceeded the AWS CloudFormation
timeout period or an AWS service might have been interrupted. No change is required. After the
resource operation is complete or the AWS service is back in operation, continue rolling back the
update.
To continue rolling back an update, you can use the AWS CloudFormation console or AWS command line
interface (CLI). For more information, see Continue Rolling Back an Update (p. 150).
If none of these solutions work, you can skip the resources that AWS CloudFormation can't successfully
roll back. For more information, see the ResourcesToSkip parameter for the ContinueUpdateRollback
action in the AWS CloudFormation API Reference. AWS CloudFormation sets the status of the speciﬁed
resources to UPDATE_COMPLETE and continues to roll back the stack. After the rollback is complete, the
state of the skipped resources will be inconsistent with the state of the resources in the stack template.
API Version 2010-05-15
2347

AWS CloudFormation User Guide
Wait Condition Didn't Receive the Required
Number of Signals from an Amazon EC2 Instance

Before you perform another stack update, you must modify the resources or update the stack to be
consistent with each other. If you don't, subsequent stack updates might fail and make your stack
unrecoverable.

Wait Condition Didn't Receive the Required Number
of Signals from an Amazon EC2 Instance
To resolve this situation, try the following:
• Ensure that the AMI you're using has the AWS CloudFormation helper scripts installed. If the AMI
doesn't include the helper scripts, you can also download them to your instance. For more information,
see CloudFormation Helper Scripts Reference (p. 2324).
• Verify that the cfn-signal command was successfully run on the instance. You can view logs, such as
/var/log/cloud-init.log or /var/log/cfn-init.log, to help you debug the instance launch.
You can retrieve the logs by logging in to your instance, but you must disable rollback on failure (p. 95)
or else AWS CloudFormation deletes the instance after your stack fails to create. You can also publish
the logs to Amazon CloudWatch. For Windows, you can view cfn logs in C:\cfn\log and EC2Conﬁg
service logs in %ProgramFiles%\Amazon\EC2ConfigService.
• Verify that the instance has a connection to the Internet. If the instance is in a VPC, the instance should
be able to connect to the Internet through a NAT device if it's is in a private subnet or through an
Internet gateway if it's in a public subnet. To test the instance's Internet connection, try to access
a public web page, such as http://aws.amazon.com. For example, you can run the following
command on the instance. It should return an HTTP 200 status code.
curl -I https://aws.amazon.com

For information about conﬁguring a NAT device, see NAT in the Amazon VPC User Guide.

Contacting Support
If you have AWS Premium Support, you can create a technical support case at https://
console.aws.amazon.com/support/home#/. Before you contact support, gather the following
information:
• The ID of the stack. You can ﬁnd the stack ID in the Overview tab of the AWS CloudFormation console.
For more information, see Viewing Stack Data and Resources (p. 99).

Important

Do not make changes to the stack outside of AWS CloudFormation. Making changes to your
stack outside of AWS CloudFormation might put your stack in an unrecoverable state.
• Any stack error messages. For information about viewing stack error messages, see the
Troubleshooting Guide (p. 2343) section.
• For Amazon EC2 issues, gather the cloud-init and cfn logs. These logs are published on the Amazon
EC2 instance in the /var/log/ directory. These logs capture processes and command outputs
while your instance is setting up. For Windows, gather the EC2Conﬁgure service and cfn logs in
%ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.
You can also search for answers and post questions in the AWS CloudFormation forums.

API Version 2010-05-15
2348

AWS CloudFormation User Guide

Release History
The following table describes important changes in each release of the AWS CloudFormation User Guide
after May 2018. For notiﬁcation about updates to this documentation, you can subscribe to an RSS feed.
update-history-change

update-history-description

update-history-date

Dynamic references for stack
templates

You can now use dynamic
references to specify values that
are stored and managed in other
services, such as the Systems
Manager Parameter Store, in
your stack templates.

August 16, 2018

For more information, see Using
Dynamic References to Specify
Template Values.
Updated resources

The following resources
August 15, 2018
were updated:
AWS::ApiGateway::DomainName,
AWS::CertiﬁcateManager::Certiﬁcate,
AWS::EC2::VPCPeeringConnection,
AWS::EFS::FileSystem,
AWS::EMR::Cluster,
AWS::RDS::DBClusterParameterGroup,
AWS::SNS::Subscription, and
AWS::SQS::Queue.
AWS::ApiGateway::DomainName
Use the following attributes
with the Fn::GetAtt
intrinsic function:
• The
DistributionHostedZoneId
attribute returns the
region-agnostic Amazon
Route 53 Hosted Zone ID
of the edge-optimized
endpoint.
• The
RegionalDomainName
attribute returns the
domain name associated
with the regional
endpoint for this custom
domain name.
• The
RegionalHostedZoneId
attribute returns the
region-speciﬁc Amazon
Route 53 Hosted Zone ID
of the regional endpoint.
API Version 2010-05-15
2349

AWS CloudFormation User Guide

AWS::CertiﬁcateManager::Certiﬁcate
Use the
ValidationMethod
property to specify the
method you want to use
if you are requesting a
public certiﬁcate to validate
that you own or control a
domain.
AWS::EC2::VPCPeeringConnection
Use the PeerRegion
property to specify the
region code for the accepter
VPC, if the accepter VPC is
located in a region other
than the region in which you
make the request.
AWS::EFS::FileSystem
• Use the
ProvisionedThroughputInMibps
property to specify the
throughput, measured in
MiB/s, that you want to
provision for a ﬁle system
that you're creating.
• Use the
ThroughputMode
property to specify the
throughput mode for the
ﬁle system to be created.
AWS::EMR::Cluster
Use the
KerberosAttributes
property to specify
attributes for Kerberos
conﬁguration when
Kerberos authentication is
enabled using a security
conﬁguration.
AWS::RDS::DBClusterParameterGroup
The Tags property now
requires no interruption to
update.
AWS::SNS::Subscription
• Use the
DeliveryPolicy
property to specify the
JSON serialization of the
subscription's delivery
policy.

API Version 2010-05-15
2350

AWS CloudFormation User Guide

• Use the FilterPolicy
property to specify
the ﬁlter policy JSON
that is assigned to the
subscription.
• Use the
RawMessageDelivery
property to specify if
raw message delivery
is enabled for the
subscription.
• Use the Region property
to specify the region in
which the topic resides.
AWS::SQS::Queue
Use the Tags property
to specify the tags that
you want to attach to this
queue.
Updated resource

Added the SSESpeciﬁcation
property to AWS::DAX::Cluster.

August 9, 2018

AWS::DAX::Cluster
Use the
SSESpecification
property to specify the
settings to enable serverside encryption.
New resource

Added the
August 9, 2018
AWS::EC2::VPCEndpointServicePermissions
resource.
AWS::EC2::VPCEndpointServicePermissions
Grant or revoke permissions
for service consumers to
connect the VPC endpoint
service.

API Version 2010-05-15
2351

AWS CloudFormation User Guide

Updated resource

Added the OverrideArtifactName August 7, 2018
property to
AWS::CodeBuild::Project.
AWS::CodeBuild::Project
In the Artifacts
property type, set the
OverrideArtifactName
property to true to override
the artifact name with
a name speciﬁed in the
buildspec ﬁle. The name
speciﬁed in a buildspec ﬁle
is calculated at build time
and uses the Shell command
language. For example, you
can append a date and time
to your artifact name so
that it is always unique.

Updated resource

Added the EncryptionDisabled
property to
AWS::CodeBuild::Project.

July 26, 2018

AWS::CodeBuild::Project
In the Artifacts
property type, set the
EncryptionDisabled
property to true to disable
encryption for build output
artifacts. This option is
only valid if your artifact
type is Amazon S3. If
this is set to true with
another artifact type, an
invalidInputException will
be thrown.
Updated resource

Added the Timeout property to
AWS::Batch::JobDeﬁnition.
AWS::Batch::JobDeﬁnition
Use the Timeout property
type to specify a job timeout
conﬁguration.

API Version 2010-05-15
2352

July 19, 2018

AWS CloudFormation User Guide

New resource

The following
resource was added:
AWS::IAM::ServiceLinkedRole.

July 19, 2018

AWS::IAM::ServiceLinkedRole
Use the
AWS::IAM::ServiceLinkedRole
resource to create a servicelinked role in IAM. A servicelinked role is a unique
type of IAM role that is
linked directly to an AWS
service. Service-linked
roles are predeﬁned by the
service and include all the
permissions that the service
requires to call other AWS
services on your behalf.
Updated resources

Added the
FieldLevelEncryptionId property
to AWS::CloudFront::Distribution
property types.

July 18, 2018

AWS::CloudFront::Distribution
In the Distribution
CacheBehavior
and Distribution
DefaultCacheBehavior
property types, use the
FieldLevelEncryptionId
property to specify the
ID for the ﬁeld-level
encryption conﬁguration
that you want CloudFront to
use for encrypting speciﬁc
ﬁelds of data for a cache
behavior or for the default
cache behavior.
Updated resource

Added the HttpConﬁg property
to AWS::AppSync::DataSource.
AWS::AppSync::DataSource
Use the HttpConfig
property type to specify
HttpConﬁg for an AWS
AppSync data source.

API Version 2010-05-15
2353

July 12, 2018

AWS CloudFormation User Guide

Updated resource

Added the ReportBuildStatus
property to
AWS::CodeBuild::Project.

July 10, 2018

AWS::CodeBuild::Project
In the Source
property type, use the
ReportBuildStatus
property to specify whether
to send your source provider
the status of a build's start
and completion.
New resource

The following
resource was added:
AWS::CodePipeline::Webhook.

July 5, 2018

AWS::CodePipeline::Webhook
Use the
AWS::CodePipeline::Webhook
resource to create a
webhook that connects
your pipeline to an external
event, such as a GitHub
source repository change,
which triggers your pipeline
to start every time the
external event occurs.

API Version 2010-05-15
2354

AWS CloudFormation User Guide

Updated resource

Added the following properties
to AWS::EC2::VPCEndpoint:
PrivateDnsEnabled,
SecurityGroupIds, SubnetIds,
and VpcEndpointType.

June 21, 2018

AWS::EC2::VPCEndpoint
Use the
PrivateDnsEnabled
property to indicate
whether to associate a
private hosted zone with the
speciﬁed VPC.
Use the
SecurityGroupIds
property to specify the ID
of one or more security
groups to associate with the
endpoint network interface.
Use the SubnetIds
property to specify the ID
of one or more subnets in
which to create an endpoint
network interface.
Use the VpcEndpointType
property to specify the type
of endpoint.
New resources

The following
June 21, 2018
resources were added:
AWS::EC2::VPCEndpointConnectionNotiﬁcation
and
AWS::EC2::VPCEndpointService.
AWS::EC2::VPCEndpointConnectionNotiﬁcation
Use the
AWS::EC2::VPCEndpointConnectionNotification
resource to create a
connection notiﬁcation for
the speciﬁed VPC endpoint
or VPC endpoint service.
AWS::EC2::VPCEndpointService
Use the
AWS::EC2::VPCEndpointService
resource to create a
VPC endpoint service
conﬁguration to which
service consumers (AWS
accounts, IAM users, and
IAM roles) can connect.

API Version 2010-05-15
2355

AWS CloudFormation User Guide

Updated resource

Added the following property to
AWS::ServiceDiscovery::Service:
HealthCheckCustomConﬁg.

June 14, 2018

AWS::ServiceDiscovery::Service
Use the
HealthCheckCustomConfig
property to specify
information about an
optional custom health
check.
New resources

The following new
June 14, 2018
resources were released:
AWS::AmazonMQ::Broker and
AWS::AmazonMQ::Conﬁguration.
AWS::AmazonMQ::Broker
Use the
AWS::AmazonMQ::Broker
resource to create a broker,
add conﬁguration changes
or modify users for the
speciﬁed broker, return
information about the
speciﬁed broker, or delete
the speciﬁed broker.
AWS::AmazonMQ::Conﬁguration
Use the
AWS::AmazonMQ::Configuration
resource to create a
conﬁguration, update the
speciﬁed conﬁguration, or
return information about
the speciﬁed conﬁguration.

New resource

The following resource
was released: :
AWS::SSM::ResourceDataSync.

June 11, 2018

AWS::SSM::ResourceDataSync
Use the
AWS::SSM::ResourceDataSync
resource to create or delete
a Resource Data Sync for
Systems Manager Inventory.
You can use Resource Data
Sync to send Inventory
data collected from all of
your Systems Manager
managed instances to a
single Amazon S3 bucket.

API Version 2010-05-15
2356

AWS CloudFormation User Guide

New resource

The following resource was
released: AWS::EKS::Cluster.

June 5, 2018

AWS::EKS::Cluster
Use the
AWS::EKS::Cluster
resource to create Amazon
EKS clusters.
Updated resource

For the AWS::GuardDuty::Master
resource, the InvitationId
property is now optional.
AWS::GuardDuty::Master
The InvitationId
property is now optional.

API Version 2010-05-15
2357

May 31, 2018

AWS CloudFormation User Guide

New resources

The following new
May 31, 2018
resources were released:
AWS::SageMaker::Endpoint,
AWS::SageMaker::EndpointConﬁg,
AWS::SageMaker::Model,
AWS::SageMaker::NotebookInstance,
and
AWS::SageMaker::NotebookInstanceLifecycleConﬁg.
AWS::SageMaker::Endpoint
Use the
AWS::SageMaker::Endpoint
resource to create a
SageMaker endpoint to host
trained models.
AWS::SageMaker::EndpointConﬁg
Use the
AWS::SageMaker::EndpointConfig
resource to create a
conﬁguration for an
endpoint.
AWS::SageMaker::Model
Use the
AWS::SageMaker::Model
resource to create a model
to host at an Amazon
SageMaker endpoint.
AWS::SageMaker::NotebookInstance
Use the
AWS::SageMaker::NotebookInstance
resource to create an
Amazon SageMaker
notebook instance.
AWS::SageMaker::NotebookInstanceLifecycleConﬁg
Use the
AWS::SageMaker::NotebookInstanceLifecycleConfig
resource to specify shell
scripts that run when you
create or start a notebook
instance.

Stack sets now support
customized execution roles

Use customized execution roles
in target accounts to control
the stack resources that users or
groups can include in their stack
sets.
For more information, see
Granting Permissions for Stack
Set Operations.

API Version 2010-05-15
2358

May 30, 2018

AWS CloudFormation User Guide

Selective updates of stack
instances

Use the optional Accounts and
Regions parameters to specify
the accounts and regions in
which to update stack instances
during a stack set update
operation.

May 30, 2018

For more information, see
UpdateStackSet in the AWS
CloudFormation API Reference.
New resources

The following new
May 30, 2018
resources were released:
AWS::Neptune::DBCluster,
AWS::Neptune::DBClusterParameterGroup,
AWS::Neptune::DBInstance,
AWS::Neptune::DBParameterGroup,
and
AWS::Neptune::DBSubnetGroup.
AWS::Neptune::DBCluster
Use the
AWS::Neptune::DBCluster
resource to create an
Amazon Neptune DB cluster.
AWS::Neptune::DBClusterParameterGroup
Use the
AWS::Neptune::DBClusterParameterGroup
resource to create a DB
cluster parameter group.
AWS::Neptune::DBInstance
Use the
AWS::Neptune::DBInstance
resource to create an
Amazon Neptune database
instance.
AWS::Neptune::DBParameterGroup
Use the
AWS::Neptune::DBParameterGroup
resource to create a custom
parameter group for
Amazon Neptune.
AWS::Neptune::DBSubnetGroup
Use the
AWS::Neptune::DBSubnetGroup
resource to create an
Amazon Neptune database
subnet group that contains
subnets.

API Version 2010-05-15
2359

AWS CloudFormation User Guide

Updated resources

The following resources
May 24, 2018
were updated:
AWS::ApiGateway::RestApi,
AWS::AutoScaling::AutoScalingGroup,
AWS::AutoScaling::LaunchConﬁguration,
AWS::DirectoryService::MicrosoftAD,
AWS::DynamoDB::Table,
AWS::EC2::Instance,
AWS::ECS::Service,
AWS::ECS::TaskDeﬁnition,
AWS::Elasticsearch::Domain,
AWS::IAM::Role,
AWS::KinesisFirehose::DeliveryStream,
AWS::Lambda::EventSourceMapping,
AWS::Logs::MetricFilter, and
AWS::SSM::Association.
AWS::ApiGateway::RestApi
Use the Policy property
to specify a policy
document that contains the
permissions for the speciﬁed
RestAPI.
AWS::AutoScaling::AutoScalingGroup
Use the
ServiceLinkedRoleARN
property to specify the
Amazon Resource Name
(ARN) of the service-linked
role that the Auto Scaling
group uses to call other AWS
services on your behalf.
AWS::AutoScaling::LaunchConﬁguration
Use the
LaunchConfigurationName
property to specify the
name of the launch
conﬁguration.
AWS::DirectoryService::MicrosoftAD
Use the Edition property
to specify the AWS
Microsoft AD edition to use.
AWS::DynamoDB::Table
Use the
PointInTimeRecoverySpecification
property to specify the
settings used to enable
point in time recovery.

API Version 2010-05-15
2360

AWS CloudFormation User Guide

AWS::EC2::Instance
Use the LaunchTemplate
property to specify the
launch template to use for
an Amazon EC2 instance.
AWS::ECS::Service
Use the ServiceRegistry
property type to specify
the details of the service
registry.
AWS::ECS::TaskDeﬁnition
Use the HealthCheck
property type to specify a
container health check.
AWS::Elasticsearch::Domain
Use the
EncryptionAtRestOptions
property type to specify
whether the domain
should encrypt data at
rest, and if so, the AWS Key
Management Service (KMS)
key to use.
AWS::IAM::Role
Use the RoleId attribute
to have Fn::GetAtt return
the stable and unique string
identifying the role.
Use the
MaxSessionDuration
property to specify the
maximum session duration
(in seconds) for the speciﬁed
role.
AWS::KinesisFirehose::DeliveryStream
Use the
SplunkDestinationConfiguration
property to specify
the conﬁguration of a
destination in Splunk for
a Kinesis Data Firehose
delivery stream.
AWS::Lambda::EventSourceMapping
The StartingPosition
property is no longer
required.

API Version 2010-05-15
2361

AWS CloudFormation User Guide

AWS::Logs::MetricFilter
In the CloudWatch
Logs MetricFilter
MetricTransformation
Property property type,
use the DefaultValue
property to specify the
value to emit when a ﬁlter
pattern does not match a
log event.
AWS::SSM::Association
Use the OutputLocation
property to specify an
Amazon S3 bucket where
you want to store the results
of an association request.

API Version 2010-05-15
2362

AWS CloudFormation User Guide

New resources

The following new
May 24, 2018
resources were released:
AWS::ServiceCatalog::AcceptedPortfolioShare,
AWS::ServiceCatalog::CloudFormationProduct,
AWS::ServiceCatalog::LaunchNotiﬁcationConstraint,
AWS::ServiceCatalog::LaunchRoleConstraint,
AWS::ServiceCatalog::LaunchTemplateConstraint,
AWS::ServiceCatalog::Portfolio,
AWS::ServiceCatalog::PortfolioPrincipalAssociation,
AWS::ServiceCatalog::PortfolioProductAssociation,
AWS::ServiceCatalog::PortfolioShare,
AWS::ServiceCatalog::TagOption,
and
AWS::ServiceCatalog::TagOptionAssociation.
AWS::ServiceCatalog::AcceptedPortfolioShare
Use the
AWS::ServiceCatalog::AcceptedPortfolioShare
resource to accept an oﬀer
to share the speciﬁed
portfolio for AWS Service
Catalog.
AWS::ServiceCatalog::CloudFormationProduct
Use the
AWS::ServiceCatalog::CloudFormationProduct
resource to create a product
for AWS Service Catalog.
AWS::ServiceCatalog::LaunchNotiﬁcationConstraint
Use the
AWS::ServiceCatalog::LaunchNotificationConstraint
resource to create a
notiﬁcation constraint for
AWS Service Catalog.
AWS::ServiceCatalog::LaunchRoleConstraint
Use the
AWS::ServiceCatalog::LaunchRoleConstraint
resource to create a launch
constraint for AWS Service
Catalog.
AWS::ServiceCatalog::LaunchTemplateConstraint
Use the
AWS::ServiceCatalog::LaunchTemplateConstraint
resource to create a
template constraint for AWS
Service Catalog.
AWS::ServiceCatalog::Portfolio
Use the
AWS::ServiceCatalog::Portfolio
resource to create a

API Version 2010-05-15
2363

AWS CloudFormation User Guide

portfolio for AWS Service
Catalog.
AWS::ServiceCatalog::PortfolioPrincipalAssociation
Use the
AWS::ServiceCatalog::PortfolioPrincipalAssociation
resource to associate a
principal with a portfolio for
AWS Service Catalog.
AWS::ServiceCatalog::PortfolioProductAssociation
Use the
AWS::ServiceCatalog::PortfolioProductAssociation
resource to associate a
product with a portfolio for
AWS Service Catalog.
AWS::ServiceCatalog::PortfolioShare
Use the
AWS::ServiceCatalog::PortfolioShare
resource to share a portfolio
for AWS Service Catalog.
AWS::ServiceCatalog::TagOption
Use the
AWS::ServiceCatalog::TagOption
resource to create a
TagOption.
AWS::ServiceCatalog::TagOptionAssociation
Use the
AWS::ServiceCatalog::TagOptionAssociation
resource to associate a
TagOption with a resource
for AWS Service Catalog.
AWS CloudFormation now
creates S3 buckets with
encryption enabled

For Amazon S3 buckets that
AWS CloudFormation creates to
store uploaded stack templates,
server-side encryption is now
enabled by default, thereby
encrypting all objects stored in
those buckets.

May 24, 2018

For more information, see
Selecting a Stack Template.
New resource

The following resource was
released: AWS::Budgets::Budget.
AWS::Budgets::Budget
Use the
AWS::Budgets::Budget
resource to create a budget.

API Version 2010-05-15
2364

May 22, 2018

AWS CloudFormation User Guide

FIPS endpoints added

AWS CloudFormation now oﬀers
new endpoints which use FIPS
140-2 validated cryptographic
modules in the following public
US regions: US-East-1, USEast-2, US-West-1, and USWest-2.

May 17, 2018

See Regions and Endpoints in
the Amazon Web Services General
Reference for the new FIPScompliant endpoint URLs.
New resource

The following
May 9, 2018
resource was released:
AWS::AutoScalingPlans::ScalingPlan.
AWS::AutoScalingPlans::ScalingPlan
Use the
AWS::AutoScalingPlans::ScalingPlan
resource to create a
scaling plan for the
scalable resources for your
application.

New resource

The following resource was
released: AWS::GuardDuty::Filter.
AWS::GuardDuty::Filter
Use the
AWS::GuardDuty::Filter
resource to create a ﬁlter for
your GuardDuty ﬁndings.

API Version 2010-05-15
2365

May 8, 2018

AWS CloudFormation User Guide
Earlier Updates

Updated resources

The following resources
were updated:
AWS::AppSync::GraphQLApi and
AWS::GuardDuty::Member.

May 1, 2018

AWS::AppSync::GraphQLApi
Use the
OpenIDConnectConfig
property to specify the
authorization conﬁguration
for using an OpenId Connect
compliant service with your
GraphQL endpoint.
AWS::GuardDuty::Member
Use the
DisableEmailNotification
property to specify whether
an email notiﬁcation is to
be sent to the accounts
that you want to invite to
GuardDuty as members.
When set to 'True', email
notiﬁcation is not sent to
the invitees.
New resource

The following
May 1, 2018
resource was released:
AWS::ServiceCatalog::CloudFormationProvisionedProduct.
AWS::ServiceCatalog::CloudFormationProvisionedProduct
Use the
AWS::ServiceCatalog::CloudFormationProvisionedProduct
resource to provision the
speciﬁed product for AWS
Service Catalog.

Earlier Updates
The following table describes important changes in each release of the AWS CloudFormation User Guide
before May 2018.
Change

Release Date

Description

API
Version

Stack set
naming
convention

April 10,
2018

AWS CloudFormation stacks created using stack sets now
follow a new naming convention, in which the stack name
contains the stack set name.

2010-05-15

New resources

April 10,
2018

AWS::AppSync::ApiKey (p. 601)

2010-05-15

Use the AWS::AppSync::ApiKey resource to create
a unique key that you can distribute to clients who are
executing GraphQL operations with AWS AppSync.
API Version 2010-05-15
2366

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

AWS::AppSync::DataSource (p. 604)
Use the AWS::AppSync::DataSource resource to
create data sources for resolvers in AWS AppSync.
AWS::AppSync::GraphQLApi (p. 608)
Use the AWS::AppSync::GraphQLApi resource to
create a new AWS AppSync GraphQL API.
AWS::AppSync::GraphQLSchema (p. 611)
Use the AWS::AppSync::GraphQLSchema resource to
create the data model for your AWS AppSync GraphQL
API.
AWS::AppSync::Resolver (p. 613)
Use the AWS::AppSync::Resolver resource to deﬁne
the logical GraphQL resolver that you will attach to
ﬁelds in a schema.
Updated
resource

April 10,
2018

AWS::Conﬁg::ConﬁgurationAggregator (p. 794)

New resources

April 4, 2018

AWS::Conﬁg::AggregationAuthorization (p. 780)

2010-05-15

Use the OrganizationAggregationSource property
type to specify the regions of AWS Conﬁg data to
aggregate into an AWS Conﬁg conﬁguration aggregator
and the IAM role to use to retrieve AWS Organizations
details.
2010-05-15

Use the
AWS::Config::AggregationAuthorization
resource to grant permission to an aggregator account
to collect your AWS Conﬁg data.
AWS::Conﬁg::ConﬁgurationAggregator (p. 794)
Use the AWS::Config::ConfigurationAggregator
resource to create a conﬁguration aggregator for AWS
Conﬁg.
Stack sets
now support
customized
administrator
roles

March 29,
2018

Use customized administrator roles to control which
users or groups can manage speciﬁc stack sets within
the same administrator account. For more information,
see Prerequisites: Granting Permissions for Stack Set
Operations (p. 470).

2010-05-15

New resource

March 29,
2018

AWS::EC2::LaunchTemplate (p. 891)

2010-05-15

Use the AWS::EC2::LaunchTemplate resource to
create a launch template for an Amazon EC2 instance.

API Version 2010-05-15
2367

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

March 29,
2018

AWS::AutoScaling::AutoScalingGroup (p. 620)

2010-05-15

Use the LaunchTemplate property to specify the
launch template to use to launch instances.
AWS::EC2::SpotFleet (p. 932)
In the Amazon EC2 SpotFleet
SpotFleetRequestConﬁgData (p. 1850) property
type, use the LaunchTemplateConfigs property to
describe a launch template and overrides.

New Fn::Cidr
intrinsic
function

March 6,
2018

Returns the speciﬁed Cidr address block. For more
information, see Fn::Cidr (p. 2266).

API Version 2010-05-15
2368

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

March 6,
2018

AWS::ApiGateway::VpcLink (p. 578)

2010-05-15

Use the AWS::ApiGateway::VpcLink resource
to specify an API Gateway VPC link for a
AWS::ApiGateway::RestApi to access resources in
an Amazon Virtual Private Cloud (VPC).
AWS::GuardDuty::Master (p. 1175)
Use the AWS::GuardDuty::Master resource to create
a GuardDuty master account.
AWS::GuardDuty::Member (p. 1177)
Use the AWS::GuardDuty::Member resource to create
a GuardDuty member account.
AWS::SES::ConﬁgurationSet (p. 1473)
Use the AWS::SES::ConfigurationSet resource
to to create groups of rules that you can apply to the
emails you send.
AWS::SES::ConﬁgurationSetEventDestination (p. 1475)
Use the
AWS::SES::ConfigurationSetEventDestination
resource to specify a conﬁguration set event
destination.
AWS::SES::ReceiptFilter (p. 1479)
Use the AWS::SES::ReceiptFilter resource to
specify whether to accept or reject mail originating
from an IP address or range of IP addresses.
AWS::SES::ReceiptRule (p. 1480)
Use the AWS::SES::ReceiptRule resource to specify
which actions Amazon SES should take when it receives
mail on behalf of one or more email addresses or
domains that you own.
AWS::SES::ReceiptRuleSet (p. 1484)
Use the AWS::SES::ReceiptRuleSet resource to
specify an empty rule set for Amazon SES.
AWS::SES::Template (p. 1486)
Use the AWS::SES::Template resource to to specify
the content of the email, composed of a subject line, an
HTML part, and a text-only part.

API Version 2010-05-15
2369

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

March 6,
2018

AWS::AutoScaling::AutoScalingGroup (p. 620)

2010-05-15

Use the AutoScalingGroup property to specify the
name of the Auto Scaling group.
AWS::ApiGateway::RestApi (p. 563)
Use the ApiKeySourceType property to specify the
source of the API key for metering requests according
to a usage plan.
Use the MinimumCompressionSize property to
specify a nullable integer that is used to enable
compression or disable compression on an API.
AWS::ApplicationAutoScaling::ScalingPolicy (p. 594)
In the Application Auto Scaling ScalingPolicy
TargetTrackingScalingPolicyConﬁguration (p. 1622)
property type, use the DisableScaleIn property to
specify whether scale in by the target tracking policy is
disabled.
AWS::EC2::SpotFleet (p. 932)
In the Amazon EC2 SpotFleet
LaunchSpeciﬁcations (p. 1853) property type, use the
TagSpecifications property to specify the tags to
apply during SpotFleet creation.
AWS::Elasticsearch::Domain (p. 1096)
Use the Arn attribute to have Fn::GetAtt return the
Amazon Resource Name (ARN) of the domain.
The DomainArn attribute of Fn::GetAtt has been
deprecated.
AWS::RDS::DBCluster (p. 1331)
Use the DBClusterIdentifier property to specify
the DB cluster identiﬁer.
AWS::RDS::DBCluster (p. 1331)
Use the DBClusterIdentifier property to specify
the DB cluster identiﬁer.
AWS::Redshift::Cluster (p. 1373)
Use the ClusterIdentifier property to specify the
unique identiﬁer of the cluster.
AWS::Route53::HealthCheck (p. 1390)
In the Route 53 HealthCheck
HealthCheckConﬁg (p. 2114) property type, use the
Regions property to specify the regions from which
you want Route 53 health checkers to check the
speciﬁed endpoint.

API Version 2010-05-15
2370

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

AWS::SSM::Document (p. 1507)
Use the Tags property to specify the AWS
CloudFormation resource tags to apply to the
document.
Updated
resource

February 19,
2018

AWS::CodeBuild::Project (p. 720)

Updated
resource

February 8,
2018

AWS::DynamoDB::Table (p. 848)

Updated
resource

February 5,
2018

AWS::CodeBuild::Project (p. 720)

2010-05-15

Use the Triggers property to conﬁgure a webhook
for the project to begin to automatically rebuild the
source code every time a code change is pushed to the
repository. This is available only for GitHub projects
in AWS CloudFormation. It is not available for GitHub
Enterprise projects.
2010-05-15

Use the SSESpecification property to specify the
settings to enable server-side encryption.

In the AWS CodeBuild Project Source (p. 1733)
property type:
• Use the GitCloneDepth property to specify the
depth of history to download.
• Use the InsecureSsl property to specify whether
to ignore SSL warnings while connecting to your
GitHub Enterprise project repository.

API Version 2010-05-15
2371

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

January 23,
2018

AWS::AutoScaling::LifecycleHook (p. 637)

2010-05-15

Use the LifecycleHookName property to specify the
name of the lifecycle hook.
AWS::DynamoDB::Table (p. 848)
The AttributeDefinitions property now requires
replacement when updated.
AWS::EC2::Instance (p. 879)
Use the CreditSpecification property to specify
the credit option for CPU usage of a T2 instance.
Use the ElasticGpuSpecifications property to
specify Elastic GPUs, GPU resources that you can attach
to your instance to accelerate the graphics performance
of your applications.
AWS::EC2::VPC (p. 950)
The InstanceTenancy property now requires no
interruption when updated from "dedicated" to
"default".
AWS::ECS::Service (p. 991)
Use the HealthCheckGracePeriodSeconds property
to specify the period of time, in seconds, that the
Amazon ECS service scheduler ignores unhealthy Elastic
Load Balancing target health checks after a task has
ﬁrst started.
AWS::IoT::TopicRule (p. 1225)
In the DynamoDBAction (p. 2017) property type, the
RangeKeyField and RangeKeyValue properties are
no longer required.
AWS::KinesisAnalytics::ApplicationOutput (p. 1234)
In the ApplicationOutput (p. 1234) property
type, use the LambdaOutput property to identify a
Lambda function as the destination when conﬁguring
application output.
AWS::Kinesis::Stream (p. 1228)
Use the StreamEncryption property to enable or
update server-side encryption using an AWS KMS key
for a speciﬁed stream.
AWS::Lambda::Function (p. 1257)
Use the ReservedConcurrentExecutions property
to specify the maximum of concurrent executions you
want reserved for the function.

API Version 2010-05-15
2372

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

AWS::RDS::DBSubnetGroup (p. 1365)
Use the DBSubnetGroupName property to specify the
name for the DB Subnet Group.
AWS::S3::Bucket (p. 1403)
Use the BucketEncryption property to specify
default encryption for a bucket using server-side
encryption with Amazon S3-managed keys SSE-S3 or
AWS KMS-managed Keys (SSE-KMS) bucket.
In the ReplicationRule (p. 2143) property type, use
the SourceSelectionCriteria property to specify
additional ﬁlters in identifying source objects that you
want to replicate.
In the ReplicationDestination (p. 2141) property
type:
• Use the AccessControlTranslation property to
specify replica ownership of the AWS account that
owns the destination bucket.
• Use the Account property to specify destination
bucket owner account ID.
• Use the EncryptionConfiguration property to
specify encryption-related information for a bucket
that is a destination for replicated objects.
AWS::SSM::Association (p. 1504)
Use the AssociationName property to specify the
name of the association between an SSM document
and EC2 instances that contain a conﬁguration agent to
process the document.
Rollback
January 15,
triggers added
2018
to the AWS
CloudFormation
console.

Rollback triggers enable you to have AWS CloudFormation
2010-05-15
monitor the state of your application during stack creation
and updating, and to roll back that operation if the
application breaches the threshold of any of the alarms
you've speciﬁed. For more information, see Monitor and Roll
Back Stack Operations.

Updated
resource

AWS::SSM::Parameter (p. 1518)

January 12,
2018

Use the AllowedPattern property to specify a regular
expression used to validate the parameter value.

API Version 2010-05-15
2373

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

December 5,
2017

AWS::Inspector::AssessmentTarget (p. 1209)

2010-05-15

Use the AWS::Inspector::AsssmentTarget
resource to create an Amazon Inspector assessment
target.
AWS::Inspector::AssessmentTemplate (p. 1211)
Use the AWS::Inspector::AssessmentTemplate
resource to create an Amazon Inspector assessment
template.
AWS::Inspector::ResourceGroup (p. 1214)
Use the AWS::Inspector::ResourceGroup resource
to create an Amazon Inspector resource group, which
deﬁnes tags that identify AWS resources that make up
an Amazon Inspector assessment target.
AWS::ServiceDiscovery::Instance (p. 1466)
Use the AWS::ServiceDiscovery::Instance
resource to specify information about an instance that
Amazon Route 53 creates.
AWS::ServiceDiscovery::PrivateDnsNamespace (p. 1468)
Use the
AWS::ServiceDiscovery::PrivateDnsNamespace
resource to specify information about a private
namespace for Amazon Route 53.
AWS::ServiceDiscovery::PublicDnsNamespace (p. 1470)
Use the
AWS::ServiceDiscovery::PublicDnsNamespace
resource to specify information about a public
namespace for Amazon Route 53.
AWS::ServiceDiscovery::Service (p. 1471)
Use the AWS::ServiceDiscovery::Service
resource to deﬁne a template for up to ﬁve records
and an optional health check that you want Amazon
Route 53 to create when you register an instance.

Updated
resource

December 5,
2017

AWS::KinesisAnalytics::Application (p. 1231)
In the Input (p. 2031) property type, use the
InputProcessingConfiguration property to
transform records as they are received from the stream.

API Version 2010-05-15
2374

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resource

December 1,
2017

AWS::CodeBuild::Project (p. 720)

2010-05-15

Use the BadgeEnabled property to generate a publicly
accessible URL for a project's build badge.
Use the Cache property to conﬁgure cache settings for
build dependencies.
Use the VpcConfig property to enable AWS CodeBuild
to access resources in an Amazon VPC.
In the EnvironmentVariable (p. 1731) property
type, use the Type property to specify the type of
environment variable.

New resource

Updated
resources

November
30, 2017

AWS::Cloud9::EnvironmentEC2 (p. 666)

November
29, 2017

AWS::ECS::TaskDeﬁnition (p. 1002)

2010-05-15

Use the AWS::Cloud9::EnvironmentEC2 resource
to create an Amazon EC2 development environment in
AWS Cloud9.

Use the Cpu property to specify the number of cpu
units needed for the task.
Use the ExecutionRoleArn property to specify the
ARN of the execution role.
Use the Memory property to specify the amount (in
MiB) of memory needed for the task.
Use the RequiresCompatibilities property to
specify the launch type the task requires.
AWS::ECS::Service (p. 991)
Use the LaunchType property to specify the launch
type on which to run your service.
Use the NetworkConfiguration property to specify
the network conﬁguration for the service.
Use the PlatformVersion property to specify the
platform version on which to run your service.

API Version 2010-05-15
2375

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

November
28, 2017

AWS::GuardDuty::Detector (p. 1171)

2010-05-15

Use the AWS::GuardDuty::Detector resource to
create a single Amazon GuardDuty detector.
AWS::GuardDuty::IPSet (p. 1180)
Use the AWS::GuardDuty::IPSet resource to create
an Amazon GuardDuty IP set.
AWS::GuardDuty::ThreatIntelSet (p. 1182)
Use the AWS::GuardDuty::ThreatIntelSet
resource to create a ThreatIntelSet.

Updated
resources

November
28, 2017

AWS::CodeDeploy::Application (p. 731)

2010-05-15

Use the ComputePlatform property to specify an AWS
Lambda compute platform for AWS CodeDeploy to
deploy an application to.
AWS::CodeDeploy::DeploymentGroup (p. 735)
In the DeploymentStyle (p. 1743) property type, use
the DeploymentType property to specify a blue/green
deployment on a Lambda compute platform.
AWS::EC2::SpotFleet (p. 932)
In the SpotFleetRequestConfigData (p. 1850)
property type, the SpotPrice property is now
optional.
AWS::Lambda::Alias (p. 1254)
Use the RoutingConfig property to specify two
diﬀerent versions of an AWS Lambda function, allowing
you to dictate what percentage of traﬃc will invoke
each version.

New
November
Use the CodeDeployLambdaAliasUpdate update policy
CodeDeployLambdaAliasUpdate
28, 2017
to perform an AWS CodeDeploy deployment when the
update policy
version changes on an AWS::Lambda::Alias resource. For
more information, see UpdatePolicy (p. 2255).

2010-05-15

New SSM
parameter
types

Use SSM parameter types to use existing parameters
from Systems Manager Parameter Store. Note:
AWS CloudFormation doesn't currently support the
SecureString type. For more information, see SSM
Parameter Types (p. 172).

2010-05-15

The ResolvedValue ﬁeld returns the value that's used
in the stack deﬁnition for an SSM parameter. For more
information, see the Parameter data type in the AWS
CloudFormation API Reference.

2010-05-15

November
21, 2017

New
November
ResolvedValue 21, 2017
ﬁeld for
Parameter
data type

API Version 2010-05-15
2376

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

November
20, 2017

AWS::ApiGateway::ApiKey (p. 518)

2010-05-15

Use the CustomerId property to specify an AWS
Marketplace customer identiﬁer.
Use the GenerateDistinctId property to specify
whether the key identiﬁer is distinct from the created
API key value.
AWS::ApiGateway::Authorizer (p. 522)
Use the AuthType property to specify a customerdeﬁned ﬁeld that's used in Swagger imports and
exports without functional impact.
AWS::ApiGateway::DomainName (p. 538)
Use the EndpointConfiguration property to specify
the endpoint types of an API Gateway domain name.
Use the RegionalCertificateArn property to
reference a certiﬁcate for use by the regional endpoint
for a domain name.
AWS::ApiGateway::Method (p. 548)
In the Integration (p. 1604) and
IntegrationResponse (p. 1607) property types, use
the ContentHandling property to specify how to
handle request payload content type conversions.
AWS::ApiGateway::RestApi (p. 563)
Use the EndpointConfiguration property to specify
the endpoint types of an API Gateway REST API.
AWS::ApplicationAutoScaling::ScalableTarget (p. 581)
Use the ScheduledActions property to specify
scheduled actions for an Application Auto Scaling
scalable target.
AWS::ECR::Repository (p. 985)
Use the LifecyclePolicy property to specify a
lifecycle policy for an Amazon ECR repository.
AWS::ECS::TaskDeﬁnition (p. 1002)
In the ContainerDefinition (p. 1878) property type,
use the LinuxParameters property to specify Linuxspeciﬁc options for an Amazon ECS container.
AWS::ElastiCache::ReplicationGroup (p. 1028)
Use the AtRestEncryptionEnabled property to
enable encryption at rest.
Use the AuthToken property to specify a password
that's used to access a password-protected server.

API Version 2010-05-15
2377

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Use the TransitEncryptionEnabled property to
enable in-transit encryption.
AWS::ElasticLoadBalancingV2::TargetGroup (p. 1088)
Use the TargetGroupName attribute with the
Fn::GetAtt function to get the name of an Elastic
Load Balancing target group.
AWS::Elasticsearch::Domain (p. 1096)
Use the VPCOptions property to specify a VPC
conﬁguration for the Amazon ES domain.
AWS::EMR::Cluster (p. 1104)
Use the EbsRootVolumeSize property to specify the
size of the EBS root volume for an Amazon EMR cluster.
AWS::RDS::DBInstance (p. 1341)
Use the SourceRegion and KmsKeyId properties to
create an encrypted read replica from a cross-region
source DB instance.
AWS::Route53::HostedZone (p. 1392)
Use the QueryLoggingConfig property to specify a
conﬁguration for DNS query logging.
New NoEcho
November
ﬁeld for custom 20, 2017
resource
Response
objects

You can now use the optional NoEcho ﬁeld to mask the
output of a custom resource. For more information, see
Custom Resource Response Objects (p. 448).

2010-05-15

Stack instance
overrides
added for stack
sets.

November
17, 2017

AWS CloudFormation StackSets allows you to override
parameter values in stack instances by account and region.
You can override parameter values when you create the
stack instances, or when updating existing stack instances.
For more information, see Override Parameters on Stack
Instances (p. 489).

2010-05-15

Updated
resource

November
15, 2017

AWS::StepFunctions::StateMachine (p. 1529)

2010-05-15

StackSets
now supports
a maximum
of 500 stack
instances per
stack set.

November 6,
2017

You can now create up to a maximum of 500 stack instances 2010-05-15
per stack set. For more information on AWS CloudFormation
limits, see AWS CloudFormation Limits (p. 21).

The corresponding noEcho parameter is supported by the
send method. For more information, see cfn-response
Module.

You can use AWS::StepFunctions::StateMachine
to specify a StateMachineName when creating a state
machine, and both DefinitionString and RoleArn
can be updated without replacing the state machine.

API Version 2010-05-15
2378

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

November 2,
2017

AWS::CloudFront::CloudFrontOriginAccessIdentity (p. 703)

2010-05-15

Use the
AWS::CloudFront::CloudFrontOriginAccessIdentity
resource to specify the Amazon CloudFront origin
access identity to associate with the origin of a
CloudFront distribution.
AWS::CloudFront::StreamingDistribution (p. 705)
Use the
AWS::CloudFront::StreamingDistribution
resource to specify an Adobe Real-Time Messaging
Protocol (RTMP) streaming distribution for CloudFront.

API Version 2010-05-15
2379

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

November 2,
2017

AWS::ApiGateway::Deployment (p. 528)

2010-05-15

The StageName property has been deprecated on the
StageDescription (p. 1598) property type.
AWS::ApiGateway::Method (p. 548)
Use the OperationName property to assign a friendly
name to an API Gateway method.
Use the RequestValidatorId property to associate a
request validator with a method.
AWS::AutoScaling::AutoScalingGroup (p. 620)
Use the LifecycleHookSpecificationList
property to specify actions to perform when Auto
Scaling launches or terminates instances.
AWS::CloudFront::Distribution (p. 700)
Use the Tags property to specify an arbitrary set of
tags (key–value pairs) to associate with a CloudFront
distribution.
In the CacheBehavior (p. 1686) and
DefaultCacheBehavior (p. 1692) property types,
use the LambdaFunctionAssociations property to
specify Lambda function associations for a CloudFront
distribution.
In the CustomOriginConfig (p. 1691) property
type, use the OriginKeepaliveTimeout property
to specify a custom keep-alive timeout, and use the
OriginReadTimeout property to specify a custom
origin read timeout.
In the DistributionConfig (p. 1695) property type,
use the IPV6Enabled property to specify whether
CloudFront responds to IPv6 DNS requests with an IPv6
address for your distribution.
AWS::CodeDeploy::DeploymentGroup (p. 735)
In the LoadBalancerInfo (p. 1746) property type,
use the TargetGroupInfoList property to specify
information about a target group in Elastic Load
Balancing to use in a deployment.
AWS::EC2::SecurityGroup (p. 917),
AWS::EC2::SecurityGroupEgress (p. 921), and
AWS::EC2::SecurityGroupIngress (p. 925)
Use the Description property to specify the
description of a security group rule.
AWS::EC2::Subnet (p. 935)
The Ipv6CidrBlock property now supports No
interruption updates.
API Version 2010-05-15
2380

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description
AWS::EC2::VPNGateway (p. 982)
Use the AmazonSideAsn property to specify a private
Autonomous System Number (ASN) for the Amazon
side of a BGP session.
AWS::EC2::VPNConnection (p. 977)
Use the VpnTunnelOptionsSpecifications
property to conﬁgure tunnel options for a VPN
connection.
AWS::ElasticBeanstalk::ConﬁgurationTemplate (p. 1047) and
AWS::ElasticBeanstalk::Environment (p. 1050)
In the ConfigurationOptionSetting (p. 1900)
and OptionSetting (p. 1903) property types, use the
ResourceName property to specify a resource name for
a time-based scaling conﬁguration option.
AWS::EMR::Cluster (p. 1104)
Use the CustomAmiId property to specify a custom
Amazon Linux AMI for a cluster.
AWS::KinesisFirehose::DeliveryStream (p. 1237)
Use the Arn attribute with the Fn::GetAtt function to
get the Amazon Resource Name (ARN) of the delivery
stream.
AWS::KMS::Key (p. 1247)
Use the Tags property to specify an arbitrary set of
tags (key–value pairs) to associate with a custom master
key (CMS).
AWS::OpsWorks::Layer (p. 1305) and
AWS::OpsWorks::Stack (p. 1316)
Use the Tags property to specify an arbitrary set
of tags (key–value pairs) to associate with an AWS
OpsWorks layer or stack.
AWS::RDS::OptionGroup (p. 1370)
In the OptionConfiguration (p. 2108) property type,
use the OptionVersion property to specify a version
for the option.
AWS::S3::Bucket (p. 1403)
Use the AnalyticsConfigurations property to
conﬁgure an analysis ﬁlter for an Amazon S3 bucket.

API Version 2010-05-15
2381

API
Version

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

October 24,
2017

AWS::Glue::Classiﬁer (p. 1146)

2010-05-15

Use the AWS::Glue::Classifier resource to create
an AWS Glue classiﬁer.
AWS::Glue::Connection (p. 1147)
Use the AWS::Glue::Connection resource to specify
an AWS Glue connection to a data source.
AWS::Glue::Crawler (p. 1149)
Use the AWS::Glue::Crawler resource to specify an
AWS Glue crawler.
AWS::Glue::Database (p. 1154)
Use the AWS::Glue::Database resource to create an
AWS Glue database.
AWS::Glue::DevEndpoint (p. 1155)
Use the AWS::Glue::DevEndpoint resource
to specify a development endpoint for remotely
debugging ETL scripts.
AWS::Glue::Job (p. 1157)
Use the AWS::Glue::Job resource to specify an AWS
Glue job in the data catalog.
AWS::Glue::Partition (p. 1162)
Use the AWS::Glue::Partition resource to create
an AWS Glue partition, which represents a slice of table
data.
AWS::Glue::Table (p. 1164)
Use the AWS::Glue::Table resource to create an AWS
Glue table.
AWS::Glue::Trigger (p. 1165)
Use the AWS::Glue::Trigger resource to specify
triggers that run AWS Glue jobs.

API Version 2010-05-15
2382

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

October 11,
2017

AWS::SSM::MaintenanceWindow (p. 1511)

2010-05-15

Use the AWS::SSM::MaintenanceWindow resource to
create an AWS Systems Manager Maintenance Window.
AWS::SSM::MaintenanceWindowTarget (p. 1513)
Use the AWS::SSM::MaintenanceWindowTarget
resource to register a target with a Maintenance
Window.
AWS::SSM::MaintenanceWindowTask (p. 1515)
Use the AWS::SSM::MaintenanceWindowTask
resource to deﬁne a Maintenance Window task.
AWS::SSM::PatchBaseline (p. 1522)
Use the AWS::SSM::PatchBaseline resource to
deﬁne a Systems Manager patch baseline.

New resource

New resource

October 10,
2017

AWS::ElasticLoadBalancingV2::ListenerCertiﬁcate (p. 1077)

September
27, 2017

AWS::Athena::NamedQuery (p. 618)

2010-05-15

Use the
AWS::ElasticLoadBalancingV2::ListenerCertificate
resource to specify certiﬁcates for an Elastic Load
Balancing listener.

Use the AWS::Athena::NamedQuery resource to
create an Amazon Athena query.

API Version 2010-05-15
2383

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

September
27, 2017

AWS::EC2::NatGateway (p. 893)

2010-05-15

Use the Tags property to specify resource tags for a
NAT gateway.
AWS::ElasticBeanstalk::Application (p. 1043)
Use the ResourceLifecycleConfig property to
deﬁne lifecycle settings for resources that belong to the
application, and the service role that Elastic Beanstalk
assumes in order to apply lifecycle settings.
AWS::ElasticBeanstalk::ConﬁgurationTemplate (p. 1047) and
AWS::ElasticBeanstalk::Environment (p. 1050)
Use the PlatformArn property to specify a custom
platform for Elastic Beanstalk.
AWS::ElasticLoadBalancingV2::TargetGroup (p. 1088)
In the TargetDescription (p. 1922) property type,
use the AvailabilityZone property to specify
the Availability Zone where the IP address is to be
registered.
AWS::Events::Rule (p. 1132)
In the Target (p. 1722) property type, use the following
properties for input transformation of events and
setting Amazon ECS task and Kinesis stream targets.
• EcsParameters
• InputTransformer
• KinesisParameters
• RunCommandParameters
AWS::KinesisFirehose::DeliveryStream (p. 1237)
Use the DeliveryStreamType property
to specify the stream type and the
KinesisStreamSourceConfiguration property to
specify the stream and role ARNs for a Kinesis stream
used as the source for a delivery stream.
AWS::RDS::DBInstance (p. 1341)
For the Engine property, if you have speciﬁed
oracle-se or oracle-se1, you can update to
oracle-se2 without the database instance being
replaced.
AWS::S3::Bucket (p. 1403)
Use the AccelerateConfiguration property to
conﬁgure the transfer acceleration state for an Amazon
S3 bucket.

API Version 2010-05-15
2384

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Termination
protection
added for
stacks.

September
26, 2017

Enabling termination protection on a stack prevents it from
being accidently deleted. A user cannot delete a stack with
termination protection enabled. For more information, see
Protecting a Stack From Being Deleted (p. 106).

2010-05-15

Changed
default umask
value from
version 1.4-22
onwards

September
14, 2017

The default umask parameter value for the cfn-hup.conf
conﬁguration ﬁle is now 022. For more information, see cfnhup (p. 2337).

Updated
resources

September 7,
2017

AWS::ElasticLoadBalancingV2::LoadBalancer (p. 1082)

2010-05-15

Use the SubnetMappings property to specify the IDs
of the subnets to attach to the load balancer.
Use the Type property to specify the type of load
balancer to create.
AWS::ElasticLoadBalancingV2::TargetGroup (p. 1088)
Use the TargetType property to specify the
registration type of the targets in this target group.

Rollback
August 31,
triggers added
2017
to the AWS
CloudFormation
API

Rollback triggers enable you to have AWS CloudFormation
monitor the state of your application during stack
creation and updating, and to roll back that operation
if the application breaches the threshold of any of the
alarms you've speciﬁed. For more information, see
RollbackConﬁguration in the AWS CloudFormation API
Reference.

New umask
parameter for
cfn-hup.conf
ﬁle

August 31,
2017

Use the umask parameter in the cfn-hup.conf conﬁguration
ﬁle to control ﬁle permissions used by the cfn-hup
daemon (version 1.4-21). For more information, see cfnhup (p. 2337).

Updated
resources for
VPC Sizing
support

August 29,
2017

AWS::EC2::VPCCidrBlock (p. 953)
Use the CidrBlock property to associate an IPv4 CIDR
block with a VPC.
AWS::EC2::VPC (p. 950)
Use the CidrBlockAssociations attribute with the
Fn::GetAtt function to get a list of IPv4 CIDR block
association IDs associated with the VPC.

API Version 2010-05-15
2385

2010-05-15

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

August 23,
2017

AWS::S3::Bucket (p. 1403)

2010-05-15

In the Rule (p. 2144) property type, use the
TagFilters property to specify tags to use in
identifying a subset of objects for an Amazon S3
bucket.
Use the MetricsConfiguration property to specify
a metrics conﬁguration for the CloudWatch request
metrics from an Amazon S3 bucket.
AWS::IoT::TopicRule (p. 1225)
In the Action (p. 2012) property type, use the
DynamoDBv2Action property to describe an AWS IoT
action that writes data to a DynamoDB table.
In the Action (p. 2012) property type, the
DynamoDBAction property now supports the
HashKeyType and RangeKeyType properties.
AWS::Lambda::Permission (p. 1263)
Use the EventSourceToken property to specify a
unique token that must be supplied by the principal
invoking the function.

New pseudo
parameters

August 23,
2017

Use the AWS::Partition pseudo parameter to return the
partition that a resource is in.

2010-05-15

Use the AWS::URLSuffix pseudo parameter to return the
suﬃx for a domain.
For more information, see Pseudo Parameters
Reference (p. 2322).
New resources
for DAX
support

August 22,
2017

AWS::DAX::Cluster (p. 810)
Use the AWS::DAX::Cluster resource to create a DAX
cluster for use with Amazon DynamoDB.
AWS::DAX::ParameterGroup (p. 816)
Use the AWS::DAX::ParameterGroup resource
to create a parameter group for use with Amazon
DynamoDB.
AWS::DAX::SubnetGroup (p. 818)
Use the AWS::DAX::SubnetGroup resource to
create a subnet group for use with DAX (DynamoDB
Accelerator).

API Version 2010-05-15
2386

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

August 18,
2017

AWS::ApiGateway::DocumentationPart (p. 531) and
AWS::ApiGateway::DocumentationVersion (p. 534)

2010-05-15

Use the AWS::ApiGateway::DocumentationPart
and AWS::ApiGateway::DocumentationVersion
resources to create documentation for your API
Gateway API.
AWS::ApiGateway::GatewayResponse (p. 545)
Use the AWS::ApiGateway::GatewayResponse
resource to create a custom response for your API
Gateway API.
AWS::ApiGateway::RequestValidator (p. 558)
Use the AWS::ApiGateway::RequestValidator
resource to set up validation rules for incoming
requests to your API Gateway API.
AWS::EC2::NetworkInterfacePermission (p. 908)
Use the AWS::EC2::NetworkInterfacePermission
resource to grant an AWS account permission to a
network interface.

API Version 2010-05-15
2387

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

August 18,
2017

AWS::ApiGateway::Stage (p. 570)

2010-05-15

Use the DocumentationVersion property to specify a
versioned snapshot of the API documentation.
AWS::AutoScaling::ScalingPolicy (p. 640)
Use the TargetTrackingConfiguration property
to specify an Auto Scaling target tracking scaling policy
conﬁguration.
AWS::CloudTrail::Trail (p. 708)
Use the EventSelectors property for Amazon S3
Data Events support.
AWS::CodeDeploy::DeploymentGroup (p. 735)
Use the LoadBalancerInfo and DeploymentStyle
properties to specify an Elastic Load Balancing load
balancer for an in-place deployment.
Use the AutoRollbackConfiguration property to
conﬁgure automatic rollback for the deployment.
AWS::EC2::SpotFleet (p. 932)
In the SpotFleetRequestConfigData (p. 1850)
property type, use the ReplaceUnhealthyInstances
property to indicate whether the Spot ﬂeet should
replace unhealthy instances and the Type property to
specify the type of request.
AWS::EC2::Subnet (p. 935)
Use the AssignIpv6AddressOnCreation and
Ipv6CidrBlock properties to create a subnet with an
IPv6 CIDR block.
AWS::KinesisFirehose::DeliveryStream (p. 1237)
Use the ExtendedS3DestinationConfiguration
property to conﬁgure a destination in Amazon S3.
Use the ProcessingConfiguration subproperty
within each destination conﬁguration to invoke Lambda
functions that transform incoming source data and
deliver the transformed data to destinations.
AWS::RDS::DBCluster (p. 1331) and
AWS::RDS::DBInstance (p. 1341)
The default DeletionPolicy is now Snapshot
for AWS::RDS::DBCluster resources and for
AWS::RDS::DBInstance resources that don't specify
the DBClusterIdentifier property. For more
information about how AWS CloudFormation deletes
resources, see DeletionPolicy Attribute (p. 2248).

API Version 2010-05-15
2388

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

AWS::S3::Bucket (p. 1403)
In the Rule (p. 2144) property type, use the
AbortIncompleteMultipartUpload property to
specify a lifecycle rule that aborts incomplete multipart
uploads to an Amazon S3 bucket.
AWS::SQS::Queue (p. 1495)
Use the KmsMasterKeyId and
KmsDataKeyReusePeriodSeconds properties to
conﬁgure server-side encryption for Amazon SQS.
Added the Arn attribute to the Fn::GetAtt intrinsic
function for the following resources:
• AWS::CloudTrail::Trail (p. 708). Also added SnsTopicArn.
• AWS::CloudWatch::Alarm (p. 714)
• AWS::DynamoDB::Table (p. 848)
• AWS::ECS::Cluster (p. 989)
• AWS::IoT::Policy (p. 1218)
• AWS::IoT::TopicRule (p. 1225)
• AWS::Logs::Destination (p. 1267)
Support
for stack
tags in AWS
CodePipeline
artifacts

August 18,
2017

You can now specify tags for stacks in template
conﬁguration ﬁles for use as artifacts for AWS CodePipeline
pipelines. Speciﬁed tags are applied to stacks created using
the template conﬁguration ﬁle. For more information, see
AWS CloudFormation Artifacts (p. 85).

2010-05-15

Create
encrypted ﬁle
systems

August 14,
2017

AWS::EFS::FileSystem (p. 1009)

2010-05-15

Use the Encrypted property to encrypt an Amazon
EFS ﬁle system during creation.
Use the KmsKeyId property to optionally specify a
custom customer master key to use to protect the
encrypted ﬁle system.

New resources
for AWS Batch
support

August 8,
2017

AWS::Batch::ComputeEnvironment (p. 651)
Use the AWS::Batch::ComputeEnvironment
resource to deﬁne your AWS Batch compute
environment.
AWS::Batch::JobDeﬁnition (p. 655)
Use the AWS::Batch::JobDefinition resource to
specify the parameters for an AWS Batch job deﬁnition.
AWS::Batch::JobQueue (p. 658)
Use the AWS::Batch::JobQueue resource to deﬁne
your AWS Batch job queue.

API Version 2010-05-15
2389

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources
for Amazon
Kinesis Data
Analytics
support

July 28, 2017

AWS::KinesisAnalytics::Application (p. 1231)

2010-05-15

Use the AWS::KinesisAnalytics::Application
resource to create an Amazon Kinesis Data Analytics
application.
AWS::KinesisAnalytics::ApplicationOutput (p. 1234)
Use the
AWS::KinesisAnalytics::ApplicationOutput
resource to add an external destination to your Amazon
Kinesis Data Analytics application.
AWS::KinesisAnalytics::ApplicationReferenceDataSource (p. 1235)
Use the
AWS::KinesisAnalytics::ApplicationReferenceDataSource
resource to add a reference data source to an existing
Amazon Kinesis Data Analytics application.

Use StackSets
to centrally
manage stacks
across accounts
and regions

July 25, 2017

StackSets enables you to create, update, or delete stacks
across multiple accounts and regions in a single operation.
Using an administrator account, you deﬁne and manage
an AWS CloudFormation template, and use the template
as the basis for provisioning stacks into selected target
accounts across speciﬁed regions. For more information
about StackSets, see Working with AWS CloudFormation
StackSets (p. 465).

2010-05-15

View stack
events by client
request token

July 14, 2017

In the console, stack operations display the client request
token on the Events tab. All events triggered by a given
stack operation are assigned the same client request
token, which you can use to track operations. For more
information, see Viewing Stack Data and Resources (p. 99)
and StackEvent in the AWS CloudFormation API Reference.

2010-05-15

Use stack
quick-create
links

July 14, 2017

Use quick-create links to get stacks up and running quickly.
You can specify the template URL, stack name, and
template parameters to prepopulate a single Create Stack
Wizard page. For more information, see Creating QuickCreate Links for Stacks (p. 103).

API Version 2010-05-15
2390

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources
for AWS
Database
Migration
Service support

July 12, 2017

AWS::DMS::Certiﬁcate (p. 828)

2010-05-15

Use the AWS::DMS::Certificate resource to create
an SSL certiﬁcate that encrypts connections between
AWS DMS endpoints and the replication instance.
AWS::DMS::Endpoint (p. 830)
Use the AWS::DMS::Endpoint resource to create an
AWS DMS endpoint.
AWS::DMS::EventSubscription (p. 835)
Use the AWS::DMS::EventSubscription resource
to get notiﬁcations for AWS DMS events through the
Amazon Simple Notiﬁcation Service.
AWS::DMS::ReplicationInstance (p. 838)
Use the AWS::DMS::ReplicationInstance resource
to create an AWS DMS replication instance.
AWS::DMS::ReplicationSubnetGroup (p. 842)
Use the AWS::DMS::ReplicationSubnetGroup
resource to create an AWS DMS replication subnet
group.
AWS::DMS::ReplicationTask (p. 845)
Use the AWS::DMS::ReplicationTask resource to
create an AWS DMS replication task.

New resources

July 5, 2017

AWS::CloudWatch::Dashboard (p. 719)
Use the AWS::CloudWatch::Dashboard resource
to specify a custom CloudWatch dashboard for your
CloudWatch console.
AWS::ApiGateway::DomainName (p. 538)
Use the AWS::ApiGateway::DomainName resource
to specify a custom, friendly URL for your API that's
deployed to Amazon API Gateway.
AWS::EC2::EgressOnlyInternetGateway (p. 867)
Use the AWS::EC2::EgressOnlyInternetGateway
resource to create an egress-only internet gateway for
your VPC.
AWS::EMR::InstanceFleetConﬁg (p. 1122)
Use the InstanceFleetConfig resource to conﬁgure
a Spot Instance ﬂeet for an Amazon EMR cluster.

API Version 2010-05-15
2391

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

July 5, 2017

AWS::ApiGateway::RestApi (p. 563)

2010-05-15

Use the BinaryMediaTypes property to specify
supported binary media types.
AWS::ApplicationAutoScaling::ScalingPolicy (p. 594)
Use the
TargetTrackingScalingPolicyConfiguration
property to specify a a target tracking scaling policy
conﬁguration.
AWS::CloudTrail::Trail (p. 708)
Use the TrailName property to specify a custom name
for an AWS CloudTrail resource.
Use the Tags property to specify resource tags.
AWS::CodeDeploy::DeploymentGroup (p. 735)
Use the AlarmConfiguration property to conﬁgure
alarms for the deployment group.
Use the TriggerConfigurations property to
conﬁgure notiﬁcation triggers for the deployment
group.
AWS::EMR::Cluster (p. 1104)
Use the CoreInstanceFleet property and the
MasterInstanceFleet property in the Amazon EMR
Cluster JobFlowInstancesConﬁg (p. 1939) property type
to conﬁgure the Spot Instance ﬂeet for an Amazon EMR
cluster.
AWS::DynamoDB::Table (p. 848)
Use the TimeToLiveSpecification property to
specify the Time to Live (TTL) settings for an Amazon
DynamoDB table.
Use the Tags property to specify resource tags for a
DynamoDB table.
AWS::EC2::Instance (p. 879)
The IamInstanceProfile property now supports No
interruption updates.
AWS::EC2::Route (p. 911)
Use the EgressOnlyInternetGatewayId property
to specify an egress-only Internet gateway for an EC2
route.
AWS::Kinesis::Stream (p. 1228)
Use the RetentionPeriodHours property to specify
the number of hours that data records stored in shards
remain accessible.

API Version 2010-05-15
2392

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

AWS::RDS::DBCluster (p. 1331)
Use the ReplicationSourceIdentifier property
to create a DB cluster as a Read Replica of another DB
cluster or an Amazon RDS MySQL DB instance.
AWS::Redshift::Cluster (p. 1373)
Use the LoggingProperties property to create audit
log ﬁles and store them in Amazon S3.
New resources

June 6, 2017

AWS::EMR::SecurityConﬁguration (p. 1127)
Use the AWS::EMR::SecurityConfiguration
resource to create a security conﬁguration, which
is stored in the service and can be speciﬁed when a
cluster is created.

API Version 2010-05-15
2393

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

June 6, 2017

AWS::AutoScaling::LifecycleHook (p. 637)

2010-05-15

The NotificationTargetARN and RoleARN
properties are now optional.
AWS::CloudWatch::Alarm (p. 714)
You can now use the
EvaluateLowSampleCountPercentile,
ExtendedStatistic, and TreatMissingData
properties when creating AWS::CloudWatch::Alarm
resources.
AWS::EC2::SpotFleet (p. 932)
AWS CloudFormation supports mutable changes to
Spot ﬂeet properties.
The following properties of the
SpotFleetRequestConfigData property support
Replacement updates:
• AllocationStrategy
• IamFleetRole
• LaunchSpecifications
• SpotPrice
• TerminateInstancesWithExpiration
• ValidFrom
• ValidUntil
The following properties of the
SpotFleetRequestConfigData property support No
interruption updates:
• ExcessCapacityTerminationPolicy
• TargetCapacity
AWS::EMR::InstanceGroupConﬁg (p. 1124)
AWS CloudFormation now supports Auto Scaling for
Amazon EMR task instance groups.
AWS::Events::Rule (p. 1132)
The RoleArn property is deprecated on the Rule
resource.
Use the RoleArn property on the Target property
type to specify the IAM role to use for a target.
AWS::Kinesis::Stream (p. 1228)
The ShardCount property now supports No
interruption updates.
AWS::Lambda::Function (p. 1257)
Use the TracingConfig property to conﬁgure tracing
settings for Lambda functions.

API Version 2010-05-15
2394

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description
AWS::Redshift::Cluster (p. 1373),
AWS::Redshift::ClusterParameterGroup (p. 1381),
AWS::Redshift::ClusterSecurityGroup (p. 1384), and
AWS::Redshift::ClusterSubnetGroup (p. 1388)
Use the Tags property to specify resource tags.
AWS::RDS::DBCluster (p. 1331)
Added the ReadEndpoint.Address attribute to the
Fn::GetAtt intrinsic function.
AWS::S3::Bucket (p. 1403)
Added the Arn attribute to the Fn::GetAtt intrinsic
function.

API Version 2010-05-15
2395

API
Version

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

New resources

May 11, 2017 The following new resources support using AWS WAF with
Elastic Load Balancing (ELB) Application load balancers.
AWS::WAFRegional::ByteMatchSet (p. 1555)
Use the AWS::WAFRegional::ByteMatchSet
resource to identify a part of a web request that you
want to inspect.
AWS::WAFRegional::IPSet (p. 1558)
Use the AWS::WAFRegional::IPSet resource to
specify which web requests to permit or block based on
the IP addresses from which the requests originate.
AWS::WAFRegional::Rule (p. 1561)
Use the AWS::WAFRegional::Rule resource to
specify a combination of IPSet, ByteMatchSet, and
SqlInjectionMatchSet objects that identify the web
requests to allow, block, or count.
AWS::WAFRegional::SizeConstraintSet (p. 1563)
Use the AWS::WAFRegional::SizeConstraintSet
resource to specify a size constraint used to check the
size of a web request and which parts of the request to
check.
AWS::WAFRegional::SqlInjectionMatchSet (p. 1567)
Use the
AWS::WAFRegional::SqlInjectionMatchSet
resource to allow, block, or count requests that contain
malicious SQL code in a speciﬁc part of web requests.
AWS::WAFRegional::WebACL (p. 1570)
Use the AWS::WAFRegional::WebACL resource to
identify the web requests that you want to allow, block,
or count.
AWS::WAFRegional::WebACLAssociation (p. 1574)
Use the AWS::WAFRegional::WebACLAssociation
resource to associate a web access control group (ACL)
with a resource.
AWS::WAFRegional::XssMatchSet (p. 1575)
Use the AWS::WAFRegional::XssMatchSet resource
to specify the parts of web requests that you want AWS
WAF to inspect for cross-site scripting attacks and the
name of the header to inspect.

API Version 2010-05-15
2396

API
Version
2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

April 28,
2017

AWS::Cognito::IdentityPool (p. 763)

2010-05-15

Use the AWS::Cognito::IdentityPool resource to
create an Amazon Cognito identity pool.
AWS::Cognito::IdentityPoolRoleAttachment (p. 766)
Use the
AWS::Cognito::IdentityPoolRoleAttachment
resource to manage the role conﬁguration for an
Amazon Cognito identity pool.
AWS::Cognito::UserPool (p. 768)
Use the AWS::Cognito::UserPool resource to create
an Amazon Cognito user pool.
AWS::Cognito::UserPoolClient (p. 772)
Use the AWS::Cognito::UserPoolClient resource
to create a user pool client.
AWS::Cognito::UserPoolGroup (p. 774)
Use the AWS::Cognito::UserPoolGroup resource to
create a user group in an Amazon Cognito user pool.
AWS::Cognito::UserPoolUser (p. 776)
Use the AWS::Cognito::UserPoolUser resource to
create an Amazon Cognito user pool user.
AWS::Cognito::UserPoolUserToGroupAttachment (p. 779)
Use the
AWS::Cognito::UserPoolUserToGroupAttachment
resource to attach a user to an Amazon Cognito user
pool group.

API Version 2010-05-15
2397

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

April 28,
2017

AWS Conﬁg ConﬁgRule SourceDetails (p. 1785)

2010-05-15

Use the MaximumExecutionFrequency subproperty
of the AWS::Config::ConfigRule resource to run
evaluations for a custom rule using a periodic trigger.
AWS::EC2::Volume (p. 944)
We now support Elastic Volumes for Amazon Elastic
Block Store (Amazon EBS) in CloudFormation. We
now support No interruption updates on three
properties: VolumeType, Size, and Iops.
AWS::EC2::SecurityGroup (p. 917)
Use the GroupName property to specify a name for
your Amazon EC2 security group.
AWS::ECS::Service (p. 991)
There are three new properties for
AWS::ECS::Service: PlacementConstraints,
PlacementStrategies, and ServiceName.
AWS::ECS::TaskDeﬁnition (p. 1002)
Use the PlacementConstraints property to deﬁne
placement constraints for tasks in the service.
AWS::ElastiCache::ReplicationGroup (p. 1028)
Added the ConfigurationEndPoint.Address
attribute and the ConfigurationEndPoint.Port
attribute to the Fn::GetAtt intrinsic function.
AWS::ElasticLoadBalancingV2::LoadBalancer (p. 1082)
Use the IpAddressType property to specify the type
of IP addresses that are used by the load balancer's
subnets.
AWS::EMR::Cluster (p. 1104)
AWS CloudFormation now supports Auto Scaling for
Amazon EMR clusters.
AWS::IAM::ManagedPolicy (p. 1190)
Use the ManagedPolicyName property to specify a
custom name for your IAM managed policy.
AWS::Lambda::Function (p. 1257)
Use the Tags property to add tags to your Lambda
function.
AWS::OpsWorks::Instance (p. 1298)
Added the following attributes to the Fn::GetAtt
intrinsic function: AvailabilityZone,
PrivateDnsName, PrivateIp, and PublicDnsName.

API Version 2010-05-15
2398

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

AWS::OpsWorks::UserProﬁle (p. 1327)
Use the SshUsername property to specify a user's SSH
name.
Added the SshUsername attribute to the Fn::GetAtt
intrinsic function.
AWS::Redshift::Cluster (p. 1373)
Use the IamRoles property to provide a list of one or
more AWS Identity and Access Management roles that
the Amazon Redshift cluster can use to access other
AWS services.
Edit templates
April 6, 2017
in YAML
and JSON
using AWS
CloudFormation
Designer

When you create AWS CloudFormation templates using
Designer, you can now edit your template in both YAML
and JSON in the integrated editor. You can also convert
JSON templates to YAML and vice-versa, depending
on your preferred template authoring language. For
more information, see What Is AWS CloudFormation
Designer? (p. 202).

2010-05-15

New resource

AWS::SSM::Parameter (p. 1518)

2010-05-15

April 6, 2017

Use the AWS::SSM::Parameter resource to create an
SSM parameter in Parameter Store.
AWS::Include March 28,
transform
2017

Use the AWS::Include transform to reference reusable
snippets stored in an Amazon S3 bucket. For more
information, see AWS::Include Transform (p. 194).

2010-05-15

Peer your
Amazon VPC
with another
account

March 28,
2017

You can now use AWS CloudFormation to peer your
Amazon VPC with a VPC in another AWS account. For more
information, see Walkthrough: Peer with an Amazon VPC in
Another AWS Account (p. 241).

2010-05-15

New resource

March 28,
2017

AWS::ApiGateway::UsagePlanKey (p. 577)

2010-05-15

Use the AWS::ApiGateway::UsagePlanKey resource
to associate a usage plan key and determine which
users the usage plan is applied to.

API Version 2010-05-15
2399

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

March 28,
2017

AWS::EC2::VPCPeeringConnection (p. 967)

2010-05-15

Use the PeerOwnerId property and the PeerRoleArn
property to peer with a VPC in another AWS account.
For more information, see Walkthrough: Peer with an
Amazon VPC in Another AWS Account (p. 241).
AWS::IAM::InstanceProﬁle (p. 1188)
Use the InstanceProfileName property to conﬁgure
an instance proﬁle.
AWS::Lambda::Function (p. 1257)
Use the DeadLetterConfig property to conﬁgure
how AWS Lambda handles events that it can't process.
Node.js v0.10 is no longer supported for the Runtime
property.
AWS::Route53::HealthCheck (p. 1390)
There are seven new resource subproperty
types for the Route 53 HealthCheck
HealthCheckConﬁg (p. 2114) HealthCheckConfig
property: AlarmIdentifier, ChildHealthChecks,
EnableSNI, HealthThreshold,
InsufficientDataHealthStatus, Inverted, and
MeasureLatency.
AWS::SQS::Queue (p. 1495)
Use the ContentBasedDeduplication and
FifoQueue properties to create First-In-First-Out
(FIFO) Amazon Simple Queue Service queues.
AWS::S3::Bucket (p. 1403)
You can now specify IPv6 domain names for your
Amazon S3 buckets.

New resources

February 10,
2017

AWS::StepFunctions::Activity (p. 1527)

2010-05-15

Use the AWS::StepFunctions::Activity resource
to create an AWS Step Functions activity.
AWS::StepFunctions::StateMachine (p. 1529)
Use the AWS::StepFunctions::StateMachine
resource to create a Step Functions state machine.

New intrinsic
function

January 17,
2017

Use the Fn::Split function to split a string into
a list of string values. For more information, see
Fn::Split (p. 2306).

2010-05-15

Console
support for
listing imports

January 17,
2017

Use the AWS CloudFormation console to see all of the
stacks that are importing an exported output value. For
more information, see Listing Stacks That Import an
Exported Output Value (p. 154).

2010-05-15

API Version 2010-05-15
2400

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

January 17,
2017

AWS::AutoScaling::AutoScalingGroup (p. 620)

2010-05-15

The LoadBalancerNames property can be updated
without replacing the Auto Scaling group.
AWS::ECS::TaskDeﬁnition (p. 1002)
Added the NetworkMode and MemoryReservation
properties.
AWS::RDS::DBCluster (p. 1331)
AWS CloudFormation supports updates to the Tags
property.
AWS::RDS::DBInstance (p. 1341)
Added the Timezone property.
AWS IoT TopicRule FirehoseAction (p. 2021)
Added the Separator property.
AWS::OpsWorks::Instance (p. 1298)
Added the PublicIp attribute for the Fn::GetAtt
intrinsic function.

New resources

December
01, 2016

AWS::CodeBuild::Project (p. 720)
Use the AWS::CodeBuild::Project resource to
create an AWS CodeBuild project that deﬁnes how AWS
CodeBuild builds your source code.
AWS::SSM::Association (p. 1504)
Use the AWS::SSM::Association resource to
associate an Amazon EC2 Systems Manager document
with EC2 instances.
AWS::EC2::SubnetCidrBlock (p. 938)
Use the AWS::EC2::SubnetCidrBlock resource to
associate a single IPv6 CIDR block with an Amazon VPC
subnet.
AWS::EC2::VPCCidrBlock (p. 953)
Use the AWS::EC2::VPCCidrBlock resource to
associate a single Amazon-provided IPv6 CIDR block
with an Amazon VPC VPC.

API Version 2010-05-15
2401

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources for
IPv6 support

December
01, 2016

AWS::EC2::Instance (p. 879)

2010-05-15

Added the Ipv6AddressCount and Ipv6Addresses
properties.
AWS::EC2::NetworkAclEntry (p. 897)
Added the Ipv6CidrBlock property.
AWS::EC2::NetworkInterface (p. 901)
Added the Ipv6AddressCount and Ipv6Addresses
properties.
AWS::EC2::Route (p. 911)
Added the DestinationIpv6CidrBlock property.
AWS::EC2::SecurityGroupEgress (p. 921)
Added the CidrIpv6 property.
AWS::EC2::SecurityGroupIngress (p. 925)
Added the CidrIpv6 property.
AWS::EC2::SpotFleet (p. 932)
Added the Ipv6AddressCount and Ipv6Addresses
properties for the launch speciﬁcation network
interfaces.
AWS::EC2::Subnet (p. 935)
Added the Ipv6CidrBlocks attribute for the
Fn::GetAtt function.
AWS::EC2::VPC (p. 950)
Added the Ipv6CidrBlocks attribute for the
Fn::GetAtt function.
AWS::SSM::Document (p. 1507)
Added the DocumentType property.

Resource
speciﬁcation

November
22, 2016

Use the AWS CloudFormation resource speciﬁcation to
builds tools that help you create AWS CloudFormation
templates. The speciﬁcation is a machine-readable,
JSON-formatted text ﬁle. For more information, see AWS
CloudFormation Resource Speciﬁcation (p. 2234).

2010-05-15

New resources

November
22, 2016

AWS::OpsWorks::UserProﬁle (p. 1327)

2010-05-15

Use the AWS::OpsWorks::UserProfile resource to
conﬁgure SSH access for users who require access to
instances in an AWS OpsWorks stack.
AWS::OpsWorks::Volume (p. 1329)
Use the AWS::OpsWorks::Volume resource to register
an Amazon Elastic Block Store volume with an AWS
OpsWorks stack.

API Version 2010-05-15
2402

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

November
22, 2016

AWS::OpsWorks::App (p. 1293)

2010-05-15

Added the DataSources property.
AWS::OpsWorks::Instance (p. 1298)
Added the BlockDeviceMappings, AgentVersion,
ElasticIps, Hostname, Tenancy, and Volumes
properties.
AWS::OpsWorks::Layer (p. 1305)
Added the CustomJson and VolumeConfigurations
properties.
AWS::OpsWorks::Stack (p. 1316)
Added the ElasticIps, EcsClusterArn,
RdsDbInstances, CloneAppIds,
ClonePermissions, and SourceStackId properties.
AWS::RDS::DBInstance (p. 1341)
Added the CopyTagsToSnapshot property.

List imports

November
22, 2016

List imports of an exported output value to track which
AWS CloudFormation stacks are importing the value.
For more information, see Listing Stacks That Import an
Exported Output Value (p. 154).

2010-05-15

Transforms

November
17, 2016

Specify the AWS Serverless Application Model (AWS SAM)
that AWS CloudFormation uses to process AWS SAM syntax
for serverless applications. For more information, see
Transform (p. 191).

2010-05-15

New resource

November
17, 2016

AWS::SNS::Subscription (p. 1488)

2010-05-15

November
17, 2016

AWS::Lambda::Function (p. 1257)

Updated
resource

Use the AWS::SNS::Subscription resource
to subscribe an endpoint to an Amazon Simple
Notiﬁcation Service topic.

Use the Environment property to specify key-value
pairs (environment variables) that your AWS Lambda
function can access.
Use the KmsKeyArn property to specify an AWS Key
Management Service key that AWS Lambda uses to
encrypt and decrypt environment variables.

API Version 2010-05-15
2403

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New CLI
commands

November
17, 2016

Uploading Local Artifacts to an S3 Bucket (p. 116)

2010-05-15

Use the aws cloudformation package command
to upload local artifacts that are referenced in an AWS
CloudFormation template to an S3 bucket.
Quickly Deploying Templates with Transforms (p. 117)
Use the aws cloudformation deploy command to
combine the create and execute change set actions into
a single command. This command is useful for quickly
creating or updating stacks that contain transforms.

Updated
resource

November
03, 2016

AWS::CloudFront::Distribution (p. 700)

2010-05-15

For the CloudFront Distribution
DistributionConﬁg (p. 1695) property, use the
HttpVersion property to specify the latest HTTP
version that viewers can use to communicate with
Amazon CloudFront.
For the CloudFront Distribution
ForwardedValues (p. 1699) property, use the
QueryStringCacheKeys property to specify the
query string parameters that CloudFront uses to
determine which content to cache.

List stack
exports

November
03, 2016

Use the AWS CloudFormation console, API, or AWS
CLI to see a list of all the exported output values for a
region. For more information, see Exporting Stack Output
Values (p. 153).

2010-05-15

Continuous
delivery with
stacks

November
03, 2016

Use AWS CodePipeline to build continuous delivery
workﬂows with AWS CloudFormation stacks. For
more information, see Continuous Delivery with AWS
CodePipeline (p. 74).

2010-05-15

Skip resources
during rollback

November
03, 2016

If you have a stack in the UPDATE_ROLLBACK_FAILED
state, use the ResourcesToSkip parameter for the
ContinueUpdateRollback action to skip resources that
AWS CloudFormation can't rollback. For more information,
see the Troubleshooting section in Update Rollback
Failed (p. 2347).

2010-05-15

Change sets
enhancement

November
03, 2016

You can create a new stack using a change set (p. 97).

2010-05-15

API Version 2010-05-15
2404

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resource

October 12,
2016

AWS::ElastiCache::CacheCluster (p. 1018)

2010-05-15

Update the CacheNodeType property without
replacing the cluster.
AWS::ElastiCache::ReplicationGroup (p. 1028)
You can create a Redis (cluster mode enabled)
replication group that can contain multiple node groups
(shards), each with a primary cluster and read replicas.
AWS::ElastiCache::SubnetGroup (p. 1041)
Use the CacheSubnetGroupName property to specify a
name for an Amazon ElastiCache subnet group.

New resources

October 06,
2016

AWS::ApiGateway::UsagePlan (p. 574)

2010-05-15

Use the AWS::ApiGateway::UsagePlan resource to
specify a usage plan for deployed Amazon API Gateway
APIs.
AWS::CodeCommit::Repository (p. 729)
Use the AWS::CodeCommit::Repository resource to
create an AWS CodeCommit repository that is hosted
by Amazon Web Services.

Updated
resources

October 06,
2016

AWS::ApiGateway::Authorizer (p. 522)

2010-05-15

Use the ProviderARNs property to use Amazon
Cognito user pools as Amazon API Gateway API
authorizers.
AWS::ApiGateway::Deployment (p. 528)
The StageName property is no longer required.
AWS::ElasticLoadBalancingV2::TargetGroup (p. 1088)
For the GetAtt function, use the LoadBalancerArns
attribute to retrieve the Amazon Resource Names
(ARNs) of the load balancers that route traﬃc to the
target group.
AWS::RDS::DBInstance (p. 1341)
Use the Domain and DomainIAMRoleName properties
to use Windows Authentication when users connect to
the RDS DB instance.
AWS::EC2::SecurityGroupEgress (p. 921)
Use the DestinationPrefixListId property to
specify the AWS service preﬁx of an Amazon VPC
endpoint.

Cross-stack
reference
enhancement

October 06,
2016

Use intrinsic functions to customize the Name value
of an export (p. 199) or to refer to a value in the
ImportValue (p. 2300) function.

API Version 2010-05-15
2405

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Description

API
Version

AWS
September
CloudFormation 26, 2016
service role

Use an AWS Identity and Access Management (IAM) service
role for AWS CloudFormation stack operations. AWS
CloudFormation uses the role's credentials to make calls to
stack resources on your behalf. For more information, see
AWS CloudFormation Service Role (p. 17).

2010-05-15

New feature

September
19, 2016

You can use the Export output ﬁeld and the
Fn::ImportValue intrinsic function to have
one stack refer to resource outputs in another
stack. For more information, see Outputs (p. 199),
Fn::ImportValue (p. 2300), and Walkthrough: Refer
to Resource Outputs in Another AWS CloudFormation
Stack (p. 248).

2010-05-15

YAML support

September
19, 2016

You can use the YAML format to author AWS
CloudFormation templates. YAML also allows you to, for
example, add comments to your templates or use the short
form for intrinsic functions. For more information, see AWS
CloudFormation Template Formats (p. 162).

2010-05-15

New intrinsic
function

September
19, 2016

Use the Fn::Sub function to substitute variables in
an input string with values that you specify. For more
information, see Fn::Sub (p. 2308).

2010-05-15

New resources

September
19, 2016

AWS::KMS::Alias (p. 1245)

September
19, 2016

AWS::EC2::SpotFleet (p. 932)

Updated
resources

Release Date

Use the AWS::KMS::Alias resource to create an alias
for an AWS Key Management Service customer master
key.

For the LaunchSpecifications property, use the
SpotPrice property to specify a bid price for a speciﬁc
instance type.
AWS::ECS::Cluster (p. 989)
Use the ClusterName property to specify a name for
an Amazon Elastic Container Service cluster.
AWS::ECS::TaskDeﬁnition (p. 1002)
Use the TaskRoleArn property to specify an AWS
Identity and Access Management role that Amazon
Elastic Container Service containers use to make AWS
calls on your behalf.
Use the Family property to register a task deﬁnition to
a speciﬁc family.
AWS::Elasticsearch::Domain (p. 1096)
Use the ElasticsearchVersion property to specify
which version of Elasticsearch to use.

API Version 2010-05-15
2406

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

August 11,
2016

Use the following Elastic Load Balancing Application load
balancer resources to distribute incoming application traﬃc
to multiple targets, such as EC2 instances, in multiple
Availability Zones:

2010-05-15

• AWS::ElasticLoadBalancingV2::Listener (p. 1074)
• AWS::ElasticLoadBalancingV2::ListenerRule (p. 1080)
• AWS::ElasticLoadBalancingV2::LoadBalancer (p. 1082)
• AWS::ElasticLoadBalancingV2::TargetGroup (p. 1088)
Updated
resource

August 11,
2016

AWS::AutoScaling::AutoScalingGroup (p. 620)

2010-05-15

Use the TargetGroupARNs property to associate the
Auto Scaling group with one or more Application load
balancer target groups.
AWS::ECS::Service (p. 991)
For the load LoadBalancers property, use the
TargetGroupArn property to associate an Amazon
Elastic Container Service service with an Application
load balancer target group.

New resources

August 09,
2016

AWS CloudFormation added the following resources:

2010-05-15

AWS::ApplicationAutoScaling::ScalableTarget (p. 581) and
AWS::ApplicationAutoScaling::ScalingPolicy (p. 594)
Use an Application Auto Scaling scaling policy to deﬁne
when and how a target resource scales.
AWS::CertiﬁcateManager::Certiﬁcate (p. 663)
Provision an AWS Certiﬁcate Manager certiﬁcate that
you can use with other AWS services to enable secure
connections.

Updated
resources

August 09,
2016

AWS CloudFormation updated the following resources:
AWS::CloudFront::Distribution (p. 700)
For the distribution conﬁguration
ViewerCertificate property, you can specify an
AWS Certiﬁcate Manager certiﬁcate. For the distribution
conﬁguration Origin property, you can specify custom
headers and the SSL protocols for custom origins.
AWS::EFS::FileSystem (p. 1009)
You can specify the performance mode for an Amazon
Elastic File System ﬁle system.

API Version 2010-05-15
2407

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

July 20, 2016

AWS IoT

2010-05-15

Use AWS IoT to declare an AWS IoT policy, an X.509
certiﬁcate, an association between a policy and a
principal (an X.509 certiﬁcate or other credential), an
AWS IoT thing, an association between a principal and a
thing, or an AWS IoT rule.
• AWS::IoT::Certiﬁcate (p. 1215)
• AWS::IoT::Policy (p. 1218)
• AWS::IoT::PolicyPrincipalAttachment (p. 1220)
• AWS::IoT::Thing (p. 1221)
• AWS::IoT::ThingPrincipalAttachment (p. 1224)
• AWS::IoT::TopicRule (p. 1225)
Updated
resources

July 20, 2016

AWS CloudFormation updated the following resources:

2010-05-15

AWS::IAM::Group (p. 1186), AWS::IAM::Role (p. 1197),
AWS::IAM::User (p. 1205)
Use the name properties to specify a custom name for
AWS Identity and Access Management (IAM) resources.
AWS::ApiGateway::Method (p. 548)
For the Integration property, you can use the
PassthroughBehavior property to specify when
Amazon API Gateway passes requests to the targeted
back end.
AWS::ApiGateway::Model (p. 556) and
AWS::ApiGateway::RestApi (p. 563)
You can specify JSON objects for the Schema and Body
properties.

Auto Scaling
group
UpdatePolicy

June 9, 2016

For the UpdatePolicy attribute, use the
AutoScalingReplacingUpdate property to specify
whether an Auto Scaling group and the instances it contains
are replaced when you update the Auto Scaling group.
During a replacement, AWS CloudFormation retains the old
Auto Scaling group until it creates the new one successfully
so that AWS CloudFormation can roll back to the old Auto
Scaling group if the update fails. For more information, see
UpdatePolicy (p. 2255).

API Version 2010-05-15
2408

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resource

June 9, 2016

AWS CloudFormation added the following resources:

2010-05-15

AWS::EC2::FlowLog (p. 875)
Creates an Amazon Elastic Compute Cloud ﬂow log that
captures IP traﬃc for a speciﬁed network interface,
subnet, or VPC.
AWS::KinesisFirehose::DeliveryStream (p. 1237)
Creates a delivery stream that delivers real-time
streaming data to a destination, such as Amazon
Simple Storage Service, Amazon Redshift, or Amazon
Elasticsearch Service.
Updated
resources

June 9, 2016

AWS CloudFormation updated the following resources:

2010-05-15

AWS::Kinesis::Stream (p. 1228)
Use the Name property to specify a name for an
Amazon Kinesis stream.
AWS::Lambda::Function (p. 1257)
For the Code property, you can use the ZipFile
property and cfn response module for nodejs4.3
runtime environments.
AWS::SNS::Topic (p. 1492)
AWS CloudFormation enabled updates for the Amazon
Simple Notiﬁcation Service topic resource.

New resource

April 25,
2016

Use the AWS::EC2::Host (p. 877) resource to allocate a fully
dedicated physical server for launching EC2 instances.

API Version 2010-05-15
2409

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

April 25,
2016

AWS::EC2::Instance (p. 879)

2010-05-15

Use the Affinity and HostId properties to launch
instances onto an Amazon Elastic Compute Cloud
dedicated host.
AWS::ECS::Service (p. 991)
Use the DeploymentConfiguration property
to conﬁgure how many tasks can run during a
deployment.
AWS::ECS::TaskDeﬁnition (p. 1002)
AWS CloudFormation added support for additional
Amazon Elastic Container Service container deﬁnition
properties.
AWS::GameLift::Fleet (p. 1142)
Use the MaxSize and MinSize properties to specify
the maximum and minimum number of EC2 instances
allowed in your Amazon GameLift ﬂeet.
AWS::Lambda::Function (p. 1257)
Use the FunctionName property to specify a name for
your AWS Lambda function. You can also use Python
2.7 to specify an inline function.

API Version 2010-05-15
2410

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

April 18,
2016

Amazon API Gateway

2010-05-15

Use the Amazon API Gateway resources to publish,
maintain, and monitor APIs at any scale. You can create
APIs that clients can call to access your back-end
services, such as applications running EC2 instances or
code running on AWS Lambda.
• AWS::ApiGateway::Account (p. 516)
• AWS::ApiGateway::ApiKey (p. 518)
• AWS::ApiGateway::Authorizer (p. 522)
• AWS::ApiGateway::BasePathMapping (p. 525)
• AWS::ApiGateway::ClientCertiﬁcate (p. 527)
• AWS::ApiGateway::Deployment (p. 528)
• AWS::ApiGateway::Method (p. 548)
• AWS::ApiGateway::Model (p. 556)
• AWS::ApiGateway::Resource (p. 561)
• AWS::ApiGateway::RestApi (p. 563)
• AWS::ApiGateway::Stage (p. 570)
AWS::Events::Rule (p. 1132)
Create an Amazon CloudWatch Events rule that
monitors changes to AWS resources in your account
(events). If an incoming event matches the conditions
that you described in the rule, Amazon CloudWatch
Events sends messages to and activates your speciﬁed
targets, such as AWS Lambda functions or Amazon
Simple Notiﬁcation Service topics.
AWS::WAF::SizeConstraintSet (p. 1541) and
AWS::WAF::XssMatchSet (p. 1551)
Use the two AWS WAF rules to check the size of a web
request or to prevent cross-site scripting attacks.

New resources

March 31,
2016

Use the AWS::Lambda::Alias (p. 1254) resource to
create aliases for your AWS Lambda functions and the
AWS::Lambda::Version (p. 1265) resource to create versions
of your functions.

API Version 2010-05-15
2411

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

March 31,
2016

AWS CloudFormation updated the following resources:

2010-05-15

AWS::EMR::Cluster (p. 1104) and
AWS::EMR::InstanceGroupConﬁg (p. 1124)
Use the EbsConfiguration property to conﬁgure
Amazon Elastic Block Store storage volumes for your
Amazon EMR clusters or instance groups.
AWS::Lambda::Function (p. 1257)
Use the VpcConfig property to enable AWS Lambda
functions to access resources in a VPC.
AWS::S3::Bucket (p. 1403)
For the Amazon Simple Storage Service life cycle rules,
you can specify multiple transition rules that specify
when objects transition to a speciﬁed storage class.

Change sets

March 29,
2016

Before updating stacks, use change sets to see how
your changes might aﬀect your running resources. For
more information, see Updating Stacks Using Change
Sets (p. 122).

2010-05-15

New resources

March 15,
2016

Use the AWS::GameLift::Alias (p. 1138),
AWS::GameLift::Build (p. 1140), and
AWS::GameLift::Fleet (p. 1142) resources to deploy
multiplayer game servers in AWS.

2010-05-15

New resources

February 26,
2016

AWS CloudFormation added the following resources:

2010-05-15

AWS::ECR::Repository (p. 985)
Create Amazon Elastic Container Registry repositories
where users can push and pull Docker images.
AWS::EC2::NatGateway (p. 893)
Use the network address translator (NAT) gateway to
enable EC2 instances in a private subnet to connect to
the Internet.
AWS::Elasticsearch::Domain (p. 1096)
Create Amazon Elasticsearch Service (Amazon ES)
domains that contain the Amazon ES engine instances,
which process Amazon ES requests.
AWS::EMR::Cluster (p. 1104),
AWS::EMR::InstanceGroupConﬁg (p. 1124),
AWS::EMR::Step (p. 1130)
Use the Amazon EMR resources to help you analyze and
process vast amounts of data. You can create clusters
and then run jobs on them.

API Version 2010-05-15
2412

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Updated
resources

February 26,
2016

AWS CloudFormation updated the following resources:

2010-05-15

AWS::CloudTrail::Trail (p. 708)
Use the IsMultiRegionTrail property to specify
whether to create an AWS CloudTrail trail in the region
in which you create a stack or in all regions.
AWS::Conﬁg::ConﬁgurationRecorder (p. 797)
For the recording group, use the
IncludeGlobalResourceTypes property to record
all global resource types.
AWS::RDS::DBCluster (p. 1331)
Use the KmsKeyId and StorageEncrypted properties
to encrypt database instances in the cluster.

Retain
resources

February 26,
2016

For stacks in the DELETE_FAILED state, use the
RetainResources parameter to retain resources that AWS
CloudFormation can't delete. For more information, see
Delete Stack Fails (p. 2344).

2010-05-15

Update stack
tags

February 26,
2016

You can add, modify, or remove stack tags when you update
a stack. For more information, see AWS CloudFormation
Stacks Updates (p. 118).

2010-05-15

Continue
rolling back
failed update
rollbacks

January 25,
2016

For a stack in the UPDATE_ROLLBACK_FAILED state, you
can continue rolling back the update to get your stack
in a working state. That way, you can return the stack to
its original settings and try to update it again. For more
information, see Continue Rolling Back an Update (p. 150).

2010-05-15

New sample
templates
available for
the Asia Paciﬁc
(Seoul) region.

January 7,
2016

The following collection of AWS CloudFormation sample
templates are for the ap-northeast-2 region:

2010-05-15

• Sample Solutions
• Application Frameworks
• Services
For more information, see Sample Templates (p. 2342).

API Version 2010-05-15
2413

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

December
28, 2015

AWS CloudFormation added the following resources:

2010-05-15

AWS::DirectoryService::MicrosoftAD (p. 821)
Use the Microsoft Active Directory resource to create a
Microsoft Active Directory directory in AWS.
AWS::Logs::Destination (p. 1267) and
AWS::Logs::LogStream (p. 1272)
Use the Amazon CloudWatch Logs resources to create
a destination for real-time processing of log data or to
create log streams, respectively.
AWS::WAF::ByteMatchSet (p. 1532),
AWS::WAF::IPSet (p. 1535), AWS::WAF::Rule (p. 1539),
AWS::WAF::SqlInjectionMatchSet (p. 1544), and
AWS::WAF::WebACL (p. 1547)
Use the AWS WAF resources to control and monitor web
requests to your content.

Resource
updates

December
28, 2015

AWS CloudFormation updated the following resources:

2010-05-15

AWS::CloudFront::Distribution (p. 700)
For the distribution conﬁguration, use the WebACLId
property to associate an AWS WAF web access control
list (ACL) with an Amazon CloudFront distribution. For
the cache behavior and default cache behavior, you
can specify a default and maximum Time to Live (TTL)
value.
AWS::DynamoDB::Table (p. 848)
You can create, update, or delete a global secondary
index without replacing your Amazon DynamoDB table.
AWS::S3::Bucket (p. 1403)
Use the ReplicationConfiguration property to
specify which objects to replicate and where they are
stored.
Use the properties in the
NotificationConfiguration property to specify
ﬁlters so that Amazon Simple Storage Service sends
notiﬁcations for objects that you specify.

Parameter
grouping and
sorting

December 3,
2015

Use the AWS::CloudFormation::Interface (p. 691)
metadata key to group and sort parameters in the AWS
CloudFormation console when users create or update a
stack with your template.

2010-05-15

Update policy
attribute

December 3,
2015

For an Auto Scaling update policy attribute (p. 2255), use
the MinSuccessfulInstancesPercent property to
specify the percentage of instances that must signal success
for a successful update.

2010-05-15

API Version 2010-05-15
2414

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

December 3,
2015

AWS CloudFormation added the following resources:

2010-05-15

AWS::CodePipeline::Pipeline (p. 755) and
AWS::CodePipeline::CustomActionType (p. 751)
Use the AWS CodePipeline resources to create a
pipeline that describes how software changes go
through a release process.
AWS::Conﬁg::ConﬁgurationRecorder (p. 797),
AWS::Conﬁg::DeliveryChannel (p. 799), and
AWS::Conﬁg::ConﬁgRule (p. 788)
Use the AWS Conﬁg resources to monitor conﬁguration
changes to speciﬁc AWS resources.
AWS::KMS::Key (p. 1247)
Use the AWS Key Management Service (AWS KMS)
resource to create customer master keys in AWS KMS
that users can use to encrypt small amounts of data.
AWS::SSM::Document (p. 1507)
Use the Amazon EC2 Systems Manager to create a
document that speciﬁes on-instance conﬁgurations.

API Version 2010-05-15
2415

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Resources
update

December 3,
2015

AWS CloudFormation updated the following resources:

2010-05-15

AWS::AutoScaling::LaunchConﬁguration (p. 628)
Specify whether EBS volumes are encrypted.
AWS::AutoScaling::ScalingPolicy (p. 640)
You can use two diﬀerent policy types (simple and step
scaling) to specify how an Auto Scaling group scales
when an Amazon CloudWatch (CloudWatch) alarm is
breached.
AWS::CloudTrail::Trail (p. 708)
Use the CloudWatch properties to send logs to a
CloudWatch log group. You can add tags to a trail
and specify an AWS KMS key that you want to use to
encrypt logs.
AWS::CodeDeploy::Application (p. 731),
AWS::CodeDeploy::DeploymentConﬁg (p. 733), and
AWS::CodeDeploy::DeploymentGroup (p. 735)
Use the ApplicationName,
DeploymentConfigName, and
DeploymentGroupName properties to specify custom
names for AWS CodeDeploy resources.
AWS::DynamoDB::Table (p. 848)
Use the StreamSpecification property to specify
settings for capturing changes to items stored in an
Amazon DynamoDB (DynamoDB) table.
AWS::EC2::Instance (p. 879)
Use the SsmAssociations property to associate
an Amazon EC2 Systems Manager document with an
instance.
AWS::EC2::SpotFleet (p. 932)
Use the AllocationStrategy property to specify
how to allocate target capacity across Spot pools. Use
the ExcessCapacityTerminationPolicy property
to specify how instances are terminated if the target
capacity is below the size of the Spot ﬂeet.
AWS::Redshift::Cluster (p. 1373)
Use the KmsKeyId property to specify an AWS KMS key
to encrypt data in an Amazon Redshift cluster.
AWS::WorkSpaces::Workspace (p. 1579)
Use the encryption properties to encrypt data stored on
volumes.

API Version 2010-05-15
2416

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Resource
update

November 4,
2015

For the AWS::EC2::Volume (p. 944) resource, use the
AutoEnableIO property to automatically resume I/O
operations if a volume's data becomes inconsistent.

2010-05-15

New resources

October 1,
2015

AWS CloudFormation added the following resources:

2010-05-15

AWS::CodeDeploy::Application (p. 731),
AWS::CodeDeploy::DeploymentGroup (p. 735), and
AWS::CodeDeploy::DeploymentConﬁg (p. 733)
Use the AWS CodeDeploy resources to create and apply
deployments to EC2 or on-premises instances.
AWS::DirectoryService::SimpleAD (p. 825)
Use the Simple Active Directory resource to create an
AWS Directory Service Simple AD, which is a Microsoft
Active Directory-compatible directory.
AWS::EC2::PlacementGroup (p. 910)
Use a placement group to create a cluster of instances
in a low-latency network.
AWS::EC2::SpotFleet (p. 932)
Use a Spot ﬂeet to launch a collection of Spot instances
that run interruptible tasks.
AWS::Lambda::EventSourceMapping (p. 1251)
Use the event source mapping resource to specify
a stream as an event source for an AWS Lambda
(Lambda) function.
AWS::Lambda::Permission (p. 1263)
Use a Lambda permission to add a statement to a
Lambda function's policy.
AWS::Logs::SubscriptionFilter (p. 1275)
Use the subscription ﬁlter to deﬁne which log events
are delivered to your Kinesis stream.
AWS::RDS::DBCluster (p. 1331) and
AWS::RDS::DBClusterParameterGroup (p. 1338)
Use the cluster and cluster parameter group resources
to create an Amazon Aurora DB cluster.
AWS::WorkSpaces::Workspace (p. 1579)
Use Amazon WorkSpaces to create cloud-based desktop
experiences.

API Version 2010-05-15
2417

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Resource
updates

October 1,
2015

AWS CloudFormation updated the following resources:

2010-05-15

AWS::ElastiCache::ReplicationGroup (p. 1028)
Use the Fn::GetAtt intrinsic function to get a list of
read-only replica addresses and ports.
AWS::OpsWorks::Stack (p. 1316)
Use the AgentVersion property to specify a particular
AWS OpsWorks agent.
AWS::OpsWorks::App (p. 1293)
Use the Environment property to specify environment
variables for an AWS OpsWorks app.
AWS::S3::Bucket (p. 1403)
For the NotiﬁcationConﬁguration (p. 2138) property,
you can conﬁgure notiﬁcation settings for Lambda
functions and Amazon Simple Queue Service (Amazon
SQS) queues.

IAM condition
keys

October 1,
2015

For AWS Identity and Access Management (IAM) policies,
use AWS CloudFormation-speciﬁc condition keys to specify
when an IAM policy takes eﬀect. For more information,
see Controlling Access with AWS Identity and Access
Management (p. 9).

2010-05-15

AWS
October 1,
CloudFormation 2015
Designer

Use AWS CloudFormation Designer (p. 202) to create and
modify templates using a drag-and-drop interface.

2010-05-15

New resource

Use the AWS::EC2::VPCEndpoint (p. 958) resource to
establish a private connection between your VPC and
another AWS service.

2010-05-15

August 24,
2015

API Version 2010-05-15
2418

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Resource
updates

August 24,
2015

AWS CloudFormation updated the following resources:

2010-05-15

AWS::ElasticBeanstalk::Environment (p. 1050)
Use the Tags property to specify tags (key-value
pairs) for an AWS Elastic Beanstalk (Elastic Beanstalk)
environment.
AWS::Lambda::Function (p. 1257)
For the Code (p. 2078) property, use the ZipFile
property to write the source code of your Lambda
function directly in a template. Currently, you can
use the ZipFile property only for nodejs runtime
environments. You can still point to a ﬁle in an S3
bucket for all runtime environments, such as java8 and
nodejs.
AWS::OpsWorks::Instance (p. 1298)
Use the EbsOptimized property to indicate whether
an instance is optimized for Amazon Elastic Block Store
(Amazon EBS) I/O.
AWS::RDS::DBInstance (p. 1341)
For the SourceDBInstanceIdentifier property,
you can specify a database instance in another region
to create a cross-region read replica.

Amazon S3
template URL

August 24,
2015

For versioning-enabled buckets, you can specify a version
ID in an Amazon S3 template URL when you create or
update a stack, such as https://s3.amazonaws.com/
templates/myTemplate.template?
versionId=123ab1cdeKdOW5IH4GAcYbEngcpTJTDW.

New resource

August 3,
2015

Use the AWS::EFS::FileSystem (p. 1009) resource to create
2010-05-15
an Amazon Elastic File System (Amazon EFS) ﬁle system and
the AWS::EFS::MountTarget (p. 1013) resource to create a
mount point for a ﬁle system.

Permission
requirement
change

June 11,
2015

When you create or update an
AWS::RDS::DBInstance (p. 1341) resource, you
must now also have permission to call the
ec2:DescribeAccountAttributes action.

API Version 2010-05-15
2419

2010-05-15

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

June 11,
2015

AWS CloudFormation added the following resources:

2010-05-15

AWS::DataPipeline::Pipeline (p. 801)
Use data pipelines to automate the movement and
transformation of data.
Amazon Elastic Container Service resources
Use the AWS::ECS::Service (p. 991),
AWS::ECS::Cluster (p. 989), and
AWS::ECS::TaskDeﬁnition (p. 1002) resources to create
Docker containers on a cluster of EC2 instances.
AWS::ElastiCache::ReplicationGroup (p. 1028)
Use replication groups to create a collection of nodes
with one primary read-write cluster and a maximum of
ﬁve secondary read-only clusters.
AWS::IAM::ManagedPolicy (p. 1190)
Use managed policies to create policies in your AWS
account that you can use to apply permissions to IAM
users, groups, and roles.
AWS::Lambda::Function (p. 1257)
Use Lambda functions to run code in response to
events.
AWS::RDS::OptionGroup (p. 1370)
Use option groups to help you create and manage
Amazon Relational Database Service (Amazon RDS)
databases.

API Version 2010-05-15
2420

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Resource
updates

June 11,
2015

AWS CloudFormation updated the following resources:

2010-05-15

AWS::EC2::Subnet (p. 935)
Use the MapPublicIpOnLaunch property to
automatically assign public IP addresses to instances in
a subnet.
AWS::ElastiCache::CacheCluster (p. 1018)
Use the SnapshotName property to restore snapshot
data into a new Redis cache cluster.
AWS::IAM::User (p. 1205)
For the LoginProfile property, use the
PasswordResetRequired property so that users are
required to set a new password when they log in to the
AWS Management Console.
AWS::OpsWorks::Layer (p. 1305)
Use the LifecycleEventConfiguration property to
conﬁgure lifecycle events for an AWS OpsWorks layer.
AWS::S3::Bucket (p. 1403)
For the LifecycleConfiguration property, use
the NoncurrentVersionExpirationInDays and
NoncurrentVersionTransition properties to
specify lifecycle rules for non-current object versions.

New parameter
types

May 19, 2015 Whenever you use the AWS CloudFormation console to
create or update a stack, you can search for AWS-speciﬁc
parameter type values by ID, name, or Name tag value.
AWS CloudFormation also added support for the following
AWS-speciﬁc parameter types. For more information, see
Parameters (p. 167).
• AWS::EC2::AvailabilityZone::Name
• List
• AWS::EC2::Instance::Id
• List
• AWS::EC2::Image::Id
• List
• AWS::EC2::SecurityGroup::GroupName
• List
• AWS::EC2::Volume::Id
• List
• AWS::Route53::HostedZone::Id
• List

API Version 2010-05-15
2421

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New resources

April 16,
2015

AWS CloudFormation added the following resources:

2010-05-15

AWS::AutoScaling::LifecycleHook (p. 637)
Use Auto Scaling lifecycle hooks to control the state of
an instance after it is launched or terminated.
AWS::RDS::EventSubscription (p. 1367)
Use event subscriptions to get notiﬁcations about
Amazon RDS events.

API Version 2010-05-15
2422

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Resource
updates

April 16,
2015

AWS CloudFormation updated the following resources:

2010-05-15

AWS::AutoScaling::AutoScalingGroup (p. 620)
Use the NotificationConfigurations property to
specify multiple notiﬁcations.
AWS::AutoScaling::LaunchConﬁguration (p. 628)
Use the PlacementTenancy property to specify the
tenancy of instances.
Use the ClassicLinkVPCId and
ClassicLinkVPCSecurityGroups properties to link
EC2-Classic instances to a ClassicLink-enabled VPC.
AWS::AutoScaling::ScalingPolicy (p. 640)
Use the MinAdjustmentStep property to specify
the minimum number of instances that are added or
removed during a scaling event.
AWS::CloudFront::Distribution (p. 700)
For viewer certiﬁcates, use the
MinimumProtocolVersion property to specify a
minimum protocol version. For cache behaviors, use the
CachedMethods property to specify which methods
Amazon CloudFront (CloudFront) caches responses for.
For origins, use the OriginPath to specify a path that
CloudFront uses to request content.
AWS::ElastiCache::CacheCluster (p. 1018)
For Memcached cache clusters, use the AZMode and
PreferredAvailabilityZones properties to specify
nodes in multiple Availability Zones (AZs).
AWS::EC2::Volume (p. 944)
Use the KmsKeyId property to specify a master key for
encrypted volumes.
AWS::OpsWorks::Instance (p. 1298)
Use the TimeBasedAutoScaling property to
automatically scale instances based on a schedule that
you specify.
AWS::OpsWorks::Layer (p. 1305)
Use the LoadBasedAutoScaling property to specify
load-based scaling policies. For volume conﬁgurations,
use the VolumeType and Iops properties to specify
a volume type and the number of I/O operations per
second, respectively.
AWS::RDS::DBInstance (p. 1341)
Use the CharacterSetName property to specify a
character set for supported database engines.

API Version 2010-05-15
2423

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Use the StorageEncrypted property to indicate
whether database instances will be encrypted and
the KmsKeyId to specify a master key for encrypted
database instances.
AWS::Route53::HealthCheck (p. 1390)
Use the HealthCheckTags property to associate tags
with health checks.
AWS::Route53::HostedZone (p. 1392)
Use the VPCs property to create private hosted zones.
Use the HostedZoneTags property to associate tags
with hosted zones.
New template
section

April 16,
2015

Add the Metadata (p. 166) section to your templates to
2010-05-15
include arbitrary JSON objects that describe your templates,
such as the design or implementation details.

Resource
update

April 8, 2015

For the AWS::CloudFormation::CustomResource (p. 674)
resource, you can specify Lambda function Amazon
Resource Names (ARNs) in the ServiceToken property.

2010-05-15

Amazon RDS
update

December
24, 2014

AWS CloudFormation added two new properties for RDS
DB instances. You can associate an option group with a DB
instance and specify the DB instance storage type. For more
information, see AWS::RDS::DBInstance (p. 1341).

2010-05-15

Elastic Load
Balancing
update

December
24, 2014

You can use the ConnectionSettings
property to specify how long connections
can remain idle. For more information, see
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063).

2010-05-15

Route 53
update

November 6,
2014

You can now provision and manage Route 53 hosted
zones (p. 1392), health checks (p. 1390), failover record
sets (p. 1395), and geolocation record sets (p. 2113).

2010-05-15

Auto Scaling
rolling update
enhancement

November 6,
2014

During an update, you can use the
WaitOnResourceSignals ﬂag to instruct AWS
CloudFormation to wait for instances to signal success.
That way, AWS CloudFormation won't update the next
batch of instances until the current batch is ready. For more
information, see UpdatePolicy (p. 2255).

2010-05-15

New VPC
Fn:GetAtt
attributes

November 6,
2014

Given a VPC ID, you can retrieve the default security group
and network ACL for that VPC. For more information, see
Fn::GetAtt (p. 2285).

2010-05-15

New AWSspeciﬁc
parameter
types

November 6,
2014

You can specify AWS-speciﬁc parameter types in your AWS
CloudFormation templates. In the AWS CloudFormation
console, these parameter types provide a drop-down list of
valid values. With the API or CLI, AWS CloudFormation can
quickly validate values for these parameter types before
creating or updating a stack. For more information, see
Parameters (p. 167).

2010-05-15

API Version 2010-05-15
2424

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

CreationPolicy
attribute

November 6,
2014

With the CreationPolicy attribute, you can instruct AWS
CloudFormation to wait until applications are ready on
EC2 instances before proceeding with stack creation.
You can use a creation policy instead of a wait condition
and wait condition handle. For more information, see
CreationPolicy (p. 2245).

2010-05-15

Amazon
CloudFront
forwarded
values

September
29, 2014

For cache behaviors, you can forward headers to the origin.
See CloudFront Distribution ForwardedValues (p. 1699).

2010-05-15

AWS OpsWorks
update

September
29, 2014

For Chef 11.10, you can use the ChefConfiguration
property to enable Berkshelf. You can also use the
AWS OpsWorks built-in security groups with your
AWS OpsWorks stacks. For more information, see
AWS::OpsWorks::Stack (p. 1316).

2010-05-15

Elastic Load
Balancing
tagging
support

September
29, 2014

AWS CloudFormation tags Elastic Load Balancing
load balancers with stack-level tags. You can
also add your own tags to a load balancer. See
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063).

2010-05-15

Amazon Simple
Notiﬁcation
Service topic
policy update

September
29, 2014

You can now update Amazon SNS topic policies. For more
information, see AWS::SNS::TopicPolicy (p. 1494).

2010-05-15

RDS DB
instance
update

September 5,
2014

You can specify whether a DB instance is Internet-facing
by using the PubliclyAccessible property in the
AWS::RDS::DBInstance (p. 1341) resource.

2010-05-15

UpdatePolicy
attribute
update

September
05, 2014

You can specify an update policy for an Auto Scaling
group that has an associated scheduled action. For more
information, see UpdatePolicy (p. 2255).

2010-05-15

Amazon
CloudWatch
support

July 10, 2014

You can use AWS CloudFormation to provision and
manage Amazon CloudWatch Logs (CloudWatch
Logs) log groups and metric ﬁlters. For more
information, see AWS::Logs::LogGroup (p. 1270) or
AWS::Logs::MetricFilter (p. 1273).

2010-05-15

API Version 2010-05-15
2425

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Amazon
CloudFront
distribution
conﬁguration
update

June 17,
2014

You can specify additional CloudFront distribution
conﬁguration properties:

2010-05-15

• Custom error responses deﬁne custom error messages for
4xx and 5xx HTTP status codes.
• Price class deﬁnes the maximum price that you want to
pay for the CloudFront service.
• Restrictions deﬁne who can view your content.
• Viewer certiﬁcate speciﬁes the certiﬁcate to use when
viewers use HTTPS.
• For cache behaviors, you can specify allowed HTTP
methods and indicate whether to forward cookies.
For more information, see
AWS::CloudFront::Distribution (p. 700).

EC2 instance
update

June 17,
2014

You can specify whether an instance stops or terminates
when you invoke the instance's operating system
shutdown command. For more information, see
AWS::EC2::Instance (p. 879).

2010-05-15

EBS volume
update

June 17,
2014

You can use encrypted EBS volumes with supported
instance types. For more information, see
AWS::EC2::Volume (p. 944).

2010-05-15

New Amazon
VPC peering
connection

June 17,
2014

You can use AWS CloudFormation to create an
Amazon Virtual Private Cloud (Amazon VPC) peering
connection, which establishes a network connection
between two VPCs. For more information, see
AWS::EC2::VPCPeeringConnection (p. 967).

2010-05-15

Amazon EC2
Auto Scaling
group update

June 17,
2014

You can specify an existing cluster placement group
in which to launch instances for an Amazon EC2
Auto Scaling group. For more information, see
AWS::AutoScaling::AutoScalingGroup (p. 620).

2010-05-15

AWS CloudTrail
support

June 17,
2014

AWS CloudFormation supports AWS CloudTrail, which can
capture API calls made from your AWS account and publish
the logs at a location you designate. For more information,
see AWS::CloudTrail::Trail (p. 708).

2010-05-15

Update stack
enhancements

May 12, 2014 AWS CloudFormation supports additional features for
updating stacks:
• You can update AWS CloudFormation stack parameters
without resubmitting the stack's template.
• You can add or remove Amazon SNS notiﬁcation topics
for an AWS CloudFormation stack.
For more information, see AWS CloudFormation Stacks
Updates (p. 118).

API Version 2010-05-15
2426

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Amazon Kinesis
support

May 6, 2014

You can use AWS CloudFormation to create Amazon
Kinesis streams that capture and transport data
records from data sources. For more information, see
AWS::Kinesis::Stream (p. 1228).

2010-05-15

New S3 bucket
properties

May 5, 2014

AWS CloudFormation supports additional S3 bucket
properties:

2010-05-15

• Cross-origin resource sharing (CORS) deﬁnes cross-origin
resource sharing of objects in a bucket.
• Lifecycle deﬁnes how Amazon S3 manages objects during
their lifetime.
• Access logging policy captures information about
requests made to your bucket.
• Notiﬁcations deﬁne which events to report and which
Amazon SNS topic to send messages to.
• Versioning enables multiple variants of all objects in a
bucket.
• Redirect and routing rules govern redirect behavior for
requests made to a bucket's website endpoint.
For more information, see AWS::S3::Bucket (p. 1403).
Amazon EC2
Auto Scaling
support

May 5, 2014

AWS CloudFormation supports metrics collection for
an Auto Scaling group. For more information, see
AWS::AutoScaling::AutoScalingGroup (p. 620).

2010-05-15

Fn::If update

May 5, 2014

You can use the Fn::If intrinsic function in the output
section of a template. For more information, see Condition
Functions (p. 2268).

2010-05-15

API logging
with AWS
CloudTrail

April 2, 2014

You can use AWS CloudTrail (CloudTrail) to log AWS
CloudFormation requests. With CloudTrail you can get a
history of AWS CloudFormation API calls for your account.
For more information, see Logging AWS CloudFormation
API Calls with AWS CloudTrail (p. 17).

2010-05-15

Elastic Load
Balancing
update

March 20,
2014

You can specify an access logging policy to capture
information about requests made to your load balancer. You
can also specify a connection draining policy that describes
how to handle in-ﬂight requests when instances are
deregistered or become unhealthy. For more information,
see AWS::ElasticLoadBalancing::LoadBalancer (p. 1063).

2010-05-15

AWS OpsWorks
support

March 3,
2014

You can use AWS CloudFormation to provision and
manage AWS OpsWorks stacks. For more information,
see AWS::OpsWorks::Stack (p. 1316) or AWS OpsWorks
Template Snippets (p. 404).

2010-05-15

Amazon S3
template size
limit increase

February 18,
2014

You can specify template sizes up to 460,800 bytes in
Amazon S3.

2010-05-15

API Version 2010-05-15
2427

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Amazon
Redshift
support

February 10,
2014

You can use AWS CloudFormation to provision and
manage Amazon Redshift clusters. For more information,
see Amazon Redshift Template Snippets (p. 410) or
AWS::Redshift::Cluster (p. 1373).

2010-05-15

S3 buckets and
bucket policies
update

February 10,
2014

You can update some properties of the S3
bucket and bucket policy resources. For more
information, see AWS::S3::Bucket (p. 1403) or
AWS::S3::BucketPolicy (p. 1419).

2010-05-15

Elastic
February 10,
Beanstalk
2014
environments
and application
versions update

You can update Elastic Beanstalk
environment conﬁgurations and application
versions. For more information, see
AWS::ElasticBeanstalk::Environment (p. 1050),
AWS::ElasticBeanstalk::ConﬁgurationTemplate (p. 1047), or
AWS::ElasticBeanstalk::ApplicationVersion (p. 1045).

2010-05-15

Amazon SQS
update

January 29,
2014

You can specify a dead letter queue for an
Amazon SQS queue. For more information, see
AWS::SQS::Queue (p. 1495).

2010-05-15

Auto Scaling
scheduled
actions

January 27,
2014

You can scale the number of EC2 instances in an
Auto Scaling group based on a schedule. By using a
schedule, you can scale applications in response to
predictable load changes. For more information, see
AWS::AutoScaling::ScheduledAction (p. 646).

2010-05-15

DynamoDB
secondary
indexes

January 27,
2014

You can create local and global secondary indexes for
DynamoDB databases. By using secondary indexes,
you can eﬃciently access data with attributes other
than the primary key. For more information, see
AWS::DynamoDB::Table (p. 848).

2010-05-15

Auto Scaling
update

January 2,
2014

You can specify an instance ID for an Auto Scaling group
or launch conﬁguration. You can also specify additional
Auto Scaling block device properties. For more information,
see AWS::AutoScaling::AutoScalingGroup (p. 620) or
AWS::AutoScaling::LaunchConﬁguration (p. 628).

2010-05-15

Amazon SQS
update

January 2,
2014

You can update SQS queues and specify
additional properties. For more information, see
AWS::SQS::Queue (p. 1495).

2010-05-15

Limit increases

January 2,
2014

You can specify up to 60 parameters and 60 outputs in your
AWS CloudFormation templates.

2010-05-15

New console

December
19, 2013

The new AWS CloudFormation console adds features like
auto-refreshing stack events and alphabetical ordering of
stack parameters.

2010-05-15

Cross-zone
load balancing

December
19, 2013

With cross-zone load balancing, you can
route traﬃc to back-end instances across all
Avalibility Zones (AZs). For more information, see
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063).

2010-05-15

API Version 2010-05-15
2428

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

AWS Elastic
Beanstalk
environment
tiers

December
19, 2013

You can specify whether AWS Elastic Beanstalk
provisions resources to support a web server or to handle
background processing tasks. For more information, see
AWS::ElasticBeanstalk::Environment (p. 1050).

2010-05-15

Resource
names

December
19, 2013

You can assign names (physical IDs) to the following
resources:

2010-05-15

• ElastiCache clusters
• Elastic Load Balancing load balancers
• RDS DB instances
For more information, see Name Type (p. 2085).
VPN support

November
22, 2013

You can enable a virtual private gateway
(VGW) to propagate routes to the routing
tables of a VPC. For more information, see
AWS::EC2::VPNGatewayRoutePropagation (p. 984).

2010-05-15

Conditionally
create
resources
and assign
properties

November 8,
2013

Using input parameters, you can control the creation
and settings of designated stack resources by deﬁning
conditions in your AWS CloudFormation templates. For
example, you can use conditions to create stack resources
for a production environment. Using the same template,
you can create similar stack resources with lower capacity
for a test environment. For more information, see Condition
Functions (p. 2268).

2010-05-15

Prevent
accidental
updates to
stack resources

November 8,
2013

You can prevent stack updates that might result in
unintentional changes to stack resources. For example, if
you have a stack with a database layer that should rarely be
updated, you can set a stack policy that prevents most users
from updating that database layer. For more information,
see Prevent Updates to Stack Resources (p. 141).

2010-05-15

Instead of using AWS CloudFormation-generated physical
IDs, you can assign names to certain resources. The
following AWS CloudFormation resources support naming

2010-05-15

Name resources November 8,
2013

• CloudWatch alarms
• DynamoDB tables
• Elastic Beanstalk applications and environments
• S3 buckets
• SNS topics
• Amazon SQS queues
For more information, see Name Type (p. 2085).

API Version 2010-05-15
2429

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Assign custom
resource types

November 8,
2013

In your templates, you can specify your own resource
type for AWS CloudFormation custom resources
(AWS::CloudFormation::CustomResource). By using
your own custom resource type name, you can quickly
identify the type of custom resources that you have
in your stack. For example, you can specify "Type":
"Custom::MyCustomResource". For more information,
see AWS::CloudFormation::CustomResource (p. 674).

2010-05-15

Add pseudo
parameter

November 8,
2013

You can now refer to the AWS AccountID inside
AWS CloudFormation templates by referring to the
AWS::AccountID pseudo parameter. For more
information, see Pseudo Parameters Reference (p. 2322).

2010-05-15

Specify stacks
in IAM policies

November 8,
2013

You can allow or deny IAM users, groups, or roles to operate
on speciﬁc AWS CloudFormation stacks. For example, you
can deny the delete stack action on a speciﬁc stack ID. For
more information, see Controlling Access with AWS Identity
and Access Management (p. 9).

2010-05-15

Federation
support

October 14,
2013

AWS CloudFormation supports temporary security
credentials from IAM roles, which enable scenarios such
as federation and single sign-on to the AWS Management
Console. You can also make calls to AWS CloudFormation
from EC2 instances without embedding long-term security
credentials by using IAM roles. For more information about
AWS CloudFormation and IAM, see Controlling Access with
AWS Identity and Access Management (p. 9).

2010-05-15

Amazon RDS
read replica
support

September
24, 2013

You can now create Amazon RDS read replicas from
a source DB instance. For more information, see the
SourceDBInstanceIdentifier property in the
AWS::RDS::DBInstance (p. 1341) resource.

2010-05-15

Associate
public IP
address with
instances in an
Auto Scaling
group

September
19, 2013

You can now associate public IP addresses with instances
in an Auto Scaling group. For more information, see
AWS::AutoScaling::LaunchConﬁguration (p. 628).

2010-05-15

Additional VPC
support

September
17, 2013

AWS CloudFormation adds several enhancements to
support VPC and VPN functionality

2010-05-15

• You can associate a public IP address and multiple private
IP addresses to Amazon EC2 network interfaces. For more
information, see AWS::EC2::NetworkInterface (p. 901).
You can also associate a primary private IP address to an
elastic IP address (EIP).
• You can enable DNS support and specify DNS host names.
For more information, see AWS::EC2::VPC (p. 950).
• You can specify a static route between a virtual private
gateway to your VPN gateway. For more information, see
AWS::EC2::VPNConnectionRoute (p. 980).

API Version 2010-05-15
2430

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

Redis and
VPC security
groups support
for Amazon
ElastiCache

September 3,
2013

You can now specify Redis as the cache engine for an
Amazon ElastiCache (ElastiCache) cluster. You can also now
assign VPC security groups to ElastiCache clusters. For more
information, see AWS::ElastiCache::CacheCluster (p. 1018).

2010-05-15

Parallel stack
creation,
update and
deletion, and
nested stack
updates

August 12,
2013

AWS CloudFormation now creates, updates, and
deletes resources in parallel, improving the operations'
performance. If you update a top-level template, AWS
CloudFormation automatically updates nested stacks
that have changed. For more information, see AWS
CloudFormation Stacks Updates (p. 118).

2010-05-15

VPC security
February 28,
groups can now 2013
be set in RDS
DB instances

You can now assign VPC security groups to an RDS DB
instance with AWS CloudFormation. For more information,
see the VPCSecurityGroups (p. 1353) property in
AWS::RDS::DBInstance (p. 1341).

2010-05-15

Rolling
deployments
for Amazon
EC2 Auto
Scaling groups

AWS CloudFormation now supports update policies on
Amazon EC2 Auto Scaling groups, which describe how
instances in the Amazon EC2 Auto Scaling group are
replaced or modiﬁed when the Amazon EC2 Auto Scaling
group adds or removes instances. You can modify these
settings at stack creation or during a stack update.

2010-05-15

February 20,
2013

For more information and an example, see
UpdatePolicy (p. 2255).
Cancel and
rollback action
for stack
updates

February 20,
2013

AWS CloudFormation supports the ability to cancel a stack
update. The stack must be in the UPDATE_IN_PROGRESS
state when the update request is made. More information is
available in the following topics:

2010-05-15

• Canceling a Stack Update (p. 140)
• aws cloudformation cancel-update-stack
• CancelUpdateStack in the AWS CloudFormation API
Reference
EBS-optimized
instances for
Amazon EC2
Auto Scaling
groups

February 20,
2013

You can now provision EBS-optimized instances in Amazon
EC2 Auto Scaling groups for dedicated throughput to
Amazon Elastic Block Store (Amazon EBS) in autoscaled
instances. The implementation is similar to that of the
previously released support for optimized Amazon EBS EC2
instances.
For more information, see the new EbsOptimized property
in AWS::AutoScaling::LaunchConﬁguration (p. 628).

API Version 2010-05-15
2431

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New
documentation

December
21, 2012

AWS::EC2::Instance (p. 879) now provides a
BlockDeviceMappings property to allow you to set block
device mappings for your EC2 instance.

2010-05-15

With this change, two new types have been added:
• Amazon EC2 Block Device Mapping Property (p. 1811)
• Amazon Elastic Block Store Block Device
Property (p. 1813)
New
documentation

December
21, 2012

New sections have been added to describe the procedures
for creating and viewing stacks using the recently
redesigned AWS Management Console. You can ﬁnd them
here:

2010-05-15

• Creating a Stack (p. 92)
• Viewing Stack Data and Resources (p. 99)
New
documentation

November
15, 2012

Information about custom resources is provided in the
following topics:

2010-05-15

• Custom Resources (p. 432)
• AWS::CloudFormation::CustomResource (p. 674)
• Custom Resource Reference (p. 446)
Updated
documentation

November
15, 2012

AWS CloudFormation now supports specifying provisioned
I/O operations per second (IOPS) for RDS DB instances.
You can set this value from 1000–10,000 in 1000 IOPS
increments by using the new Iops (p. 1348) property in
AWS::RDS::DBInstance (p. 1341).
For more information about specifying IOPS for RDS DB
instances, see Provisioned IOPS in the Amazon Relational
Database Service User Guide.

API Version 2010-05-15
2432

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New and
updated
documentation

August 27,
2012

Topics have been reorganized to more clearly provide
speciﬁc information about using the AWS Management
Console and using the AWS CloudFormation command-line
interface (CLI).

2010-05-15

Information about tagging AWS CloudFormation stacks has
been added, including new guides and updated reference
topics:
• New topic in Using the Console: Setting Stack
Options (p. 95).
• New information about tags in the AWS CloudFormation
API reference: CreateStack, Stack, and Tag.
New information about working with Windows
stacks (p. 157):
• Microsoft Windows Amazon Machine Images (AMIs) and
AWS CloudFormation Templates (p. 157)
• Bootstrapping AWS CloudFormation Windows
Stacks (p. 157)
New topic: Using Regular Expressions in AWS
CloudFormation Templates (p. 458).

API Version 2010-05-15
2433

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New feature

April 25,
2012

AWS CloudFormation now provides full support for Virtual
Private Cloud (VPC) security with Amazon EC2 You can now
create and populate an entire VPC with every type of VPC
resource (subnets, gateways, network ACLs, route tables,
and so forth) using a single AWS CloudFormation template.

2010-05-15

Templates that demonstrate new VPC features can be
downloaded:
• Single instance in a single subnet
• Multiple subnets with Elastic Load Balancing (ELB) and an
Auto Scaling group
Documentation for the following resource types has been
updated:
• AWS::EC2::SecurityGroup (p. 917)
• AWS::EC2::SecurityGroupIngress (p. 925)
• AWS::EC2::SecurityGroupEgress (p. 921)
• AWS::EC2::Instance (p. 879)
• AWS::AutoScaling::AutoScalingGroup (p. 620)
• AWS::EC2::EIP (p. 868)
• AWS::EC2::EIPAssociation (p. 870)
• AWS::ElasticLoadBalancing::LoadBalancer (p. 1063)
New resource types have been added to the documentation:
• AWS::EC2::VPC (p. 950)
• AWS::EC2::InternetGateway (p. 890)
• AWS::EC2::DHCPOptions (p. 863)
• AWS::EC2::DHCPOptions (p. 915)
• AWS::EC2::RouteTable (p. 911)
• AWS::EC2::NetworkAcl (p. 895)
• AWS::EC2::NetworkAclEntry (p. 897)
• AWS::EC2::Subnet (p. 935)
• AWS::EC2::VPNGateway (p. 982)
• AWS::EC2::CustomerGateway (p. 861)
New feature

April 13,
2012

AWS CloudFormation now allows you to add or
remove elements from a stack when updating it. AWS
CloudFormation Stacks Updates (p. 118) has been updated,
and a new section has been added to the walkthrough:
Change the Stack's Resources (p. 60), which describes how
to add and remove resources when updating the stack.

API Version 2010-05-15
2434

2010-05-15

AWS CloudFormation User Guide
Earlier Updates

Change

Release Date

Description

API
Version

New feature

February 2,
2012

AWS CloudFormation now provides support for resources
in an existing Amazon Virtual Private Cloud (Amazon VPC).
With this release, you can:

2010-05-15

• Launch an EC2 Dedicated instance into an
existing Amazon VPC. For more information, see
AWS::EC2::Instance (p. 879).
• Set the SourceDestCheck attribute of an EC2 instance
that resides in an existing Amazon VPC. For more
information, see AWS::EC2::Instance (p. 879).
• Create Elastic IP addresses in an existing Amazon VPC. For
more information, see AWS::EC2::EIP (p. 868).
• Use AWS CloudFormation to create Amazon VPC security
groups and ingress/egress rules in an existing VPC. For
more information, see AWS::EC2::SecurityGroup (p. 917).
• Associate an Auto Scaling group with an existing Amazon
VPC by setting the VPCZoneIdentifier property
of your AWS::AutoScaling::AutoScalingGroup
resource. For more information, see
AWS::AutoScaling::AutoScalingGroup (p. 620).
• Attach an Elastic Load Balancing load balancer to
a Amazon VPC subnet and create security groups
for the load balancer. For more information, see
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063).
• Create an RDS DB instance in an existing Amazon VPC. For
more information, see AWS::RDS::DBInstance (p. 1341).
New feature

February 2,
2012

You can now update properties for the following resources
in an existing stack:

2010-05-15

• AWS::EC2::SecurityGroupIngress (p. 925)
• AWS::EC2::SecurityGroupEgress (p. 921)
• AWS::EC2::EIPAssociation (p. 870)
• AWS::RDS::DBSubnetGroup (p. 1365)
• AWS::RDS::DBSecurityGroup (p. 1360)
• AWS::RDS::DBSecurityGroupIngress (p. 1363)
• AWS::Route53::RecordSetGroup (p. 1401)
For a complete list of updatable resources and details
about what to consider when updating a stack, see AWS
CloudFormation Stacks Updates (p. 118).
Restructured
guide

February 2,
2012

Reorganized existing sections into new sections: Working
with AWS CloudFormation Templates (p. 162) and
Managing Stacks. Moved Template Reference (p. 499) to
the top level of the Table of Contents. Moved Estimating
the Cost of Your AWS CloudFormation Stack (p. 99) to the
Getting Started section.

API Version 2010-05-15
2435

2010-05-15

AWS CloudFormation User Guide
Supported AWS Services

Change

Release Date

Description

API
Version

New content

February 2,
2012

Added three new sections:

2010-05-15

• Walkthrough: Updating a Stack (p. 47) is a tutorial that
walks through the process of updating a LAMP stack.
• Deploying Applications on Amazon EC2 with AWS
CloudFormation (p. 260) describes how to use AWS
CloudFormation helper scripts to deploy applications
using metadata stored in your template.
• CloudFormation Helper Scripts Reference (p. 2324)
provides reference material for the AWS CloudFormation
helper scripts (cfn-init, cfn-get-metadata, cfn-signal, and
cfn-hup).

New feature

May 26, 2011 AWS CloudFormation now provides the aws cloudformation
list-stacks command, which enables you to list stacks
ﬁltered by stack status. Deleted stacks can be listed for
up to 90 days after they have been deleted. For more
information, see Describing and Listing Your Stacks (p. 109).

2010-05-15

New features

May 26, 2011 The aws cloudformation describe-stack-resources and aws
cloudformation get-template commands now enable you
to get information from stacks that have been deleted
for 90 days after they have been deleted. For more
information, see Listing Resources (p. 114) and Retrieving a
Template (p. 114).

2010-05-15

New link

March 1,
2011

AWS CloudFormation endpoint information is now located
in the AWS General Reference. For more information, go to
Regions and Endpoints in Amazon Web Services General
Reference.

2010-05-15

Initial release

February 25,
2011

This is the initial public release of AWS CloudFormation.

2010-05-15

Supported AWS Services
AWS CloudFormation supports the following AWS services and features through the listed resources.
Topics
• Analytics (p. 2437)
• Application Services (p. 2438)
•
•
•
•

Compute (p. 2438)
Customer Engagement (p. 2440)
Database (p. 2440)
Developer Tools (p. 2442)

•
•
•
•
•

Enterprise Applications (p. 2442)
Game Development (p. 2442)
Internet of Things (p. 2443)
Machine Learning (p. 2443)
Management Tools (p. 2443)
API Version 2010-05-15
2436

AWS CloudFormation User Guide
Analytics

• Mobile Services (p. 2445)
• Networking (p. 2445)
• Security and Identity (p. 2447)
• Storage and Content Delivery (p. 2448)
• Additional Software and Services (p. 2449)

Analytics
Amazon Athena (Added in September 2017)
AWS::Athena::NamedQuery (p. 618)
Amazon EMR (Amazon EMR) (Updated in November 2017)
AWS::EMR::Cluster (p. 1104)
AWS::EMR::InstanceFleetConﬁg (p. 1122)
AWS::EMR::InstanceGroupConﬁg (p. 1124)
AWS::EMR::SecurityConﬁguration (p. 1127)
AWS::EMR::Step (p. 1130)
AWS Data Pipeline (Added in June 2015)
AWS::DataPipeline::Pipeline (p. 801)
Amazon Elasticsearch Service (Amazon ES) (Updated in September 2016)
AWS::Elasticsearch::Domain (p. 1096)
AWS Glue (Added in October 2017)
AWS::Glue::Classiﬁer (p. 1146)
AWS::Glue::Connection (p. 1147)
AWS::Glue::Crawler (p. 1149)
AWS::Glue::Database (p. 1154)
AWS::Glue::DevEndpoint (p. 1155)
AWS::Glue::Job (p. 1157)
AWS::Glue::Trigger (p. 1165)
AWS::Glue::Partition (p. 1162)
AWS::Glue::Table (p. 1164)
Amazon Kinesis (Updated in November 2017)
AWS::Kinesis::Stream (p. 1228)
AWS::KinesisFirehose::DeliveryStream (p. 1237)
AWS::KinesisAnalytics::Application (p. 1231)
AWS::KinesisAnalytics::ApplicationOutput (p. 1234)
AWS::KinesisAnalytics::ApplicationReferenceDataSource (p. 1235)
API Version 2010-05-15
2437

AWS CloudFormation User Guide
Application Services

Application Services
Amazon MQ (Added in June 2018)
AWS::AmazonMQ::Broker (p. 506)
AWS::AmazonMQ::Conﬁguration (p. 513)
Amazon API Gateway (API Gateway) (Updated in February 2018)
AWS::ApiGateway::Account (p. 516)
AWS::ApiGateway::ApiKey (p. 518)
AWS::ApiGateway::Authorizer (p. 522)
AWS::ApiGateway::BasePathMapping (p. 525)
AWS::ApiGateway::ClientCertiﬁcate (p. 527)
AWS::ApiGateway::Deployment (p. 528)
AWS::ApiGateway::DocumentationPart (p. 531)
AWS::ApiGateway::DocumentationVersion (p. 534)
AWS::ApiGateway::DomainName (p. 538)
AWS::ApiGateway::GatewayResponse (p. 545)
AWS::ApiGateway::Method (p. 548)
AWS::ApiGateway::Model (p. 556)
AWS::ApiGateway::RequestValidator (p. 558)
AWS::ApiGateway::Resource (p. 561)
AWS::ApiGateway::RestApi (p. 563)
AWS::ApiGateway::Stage (p. 570)
AWS::ApiGateway::UsagePlan (p. 574)
AWS::ApiGateway::UsagePlanKey (p. 577)
AWS::ApiGateway::VpcLink (p. 578)
Amazon Simple Queue Service (Amazon SQS) (Updated in August 2017)
AWS::SQS::Queue (p. 1495)
AWS::SQS::QueuePolicy (p. 1503)
AWS Step Functions (Step Functions) (Updated in February 2017)
AWS::StepFunctions::Activity (p. 1527)
AWS::StepFunctions::StateMachine (p. 1529)

Compute
Application Auto Scaling (Added in July 2017)
AWS::ApplicationAutoScaling::ScalableTarget (p. 581)
API Version 2010-05-15
2438

AWS CloudFormation User Guide
Compute

AWS::ApplicationAutoScaling::ScalingPolicy (p. 594)
Amazon EC2 Auto Scaling (Updated in November 2017)
AWS::AutoScaling::AutoScalingGroup (p. 620)
AWS::AutoScaling::LaunchConﬁguration (p. 628)
AWS::AutoScaling::LifecycleHook (p. 637)
AWS::AutoScaling::ScalingPolicy (p. 640)
AWS::AutoScaling::ScheduledAction (p. 646)
Amazon Elastic Compute Cloud (Amazon EC2) (Updated in August 2018)
AWS::EC2::Host (p. 877)
AWS::EC2::Instance (p. 879)
AWS::EC2::LaunchTemplate (p. 891)
AWS::EC2::PlacementGroup (p. 910)
AWS::EC2::SpotFleet (p. 932)
AWS::EC2::VPCPeeringConnection (p. 967)
AWS::EC2::VPCEndpointServicePermissions (p. 964)
Amazon Elastic Container Registry (Amazon ECR) (Added in February 2016)
AWS::ECR::Repository (p. 985)
Amazon Elastic Container Service (Amazon ECS) (Updated in April 2017)
AWS::ECS::Cluster (p. 989)
AWS::ECS::Service (p. 991)
AWS::ECS::TaskDeﬁnition (p. 1002)
Amazon Elastic Container Service for Kubernetes (Added in June 2018)
AWS::EKS::Cluster (p. 1015)
Amazon EC2 Systems Manager (SSM) (Updated in June 2018)
AWS::SSM::Association (p. 1504)
AWS::SSM::Document (p. 1507)
AWS::SSM::MaintenanceWindow (p. 1511)
AWS::SSM::MaintenanceWindowTarget (p. 1513)
AWS::SSM::MaintenanceWindowTask (p. 1515)
AWS::SSM::Parameter (p. 1518)
AWS::SSM::PatchBaseline (p. 1522)
AWS::SSM::ResourceDataSync (p. 1524)
AWS Batch (Added in August 2017)
AWS::Batch::ComputeEnvironment (p. 651)
AWS::Batch::JobDeﬁnition (p. 655)
API Version 2010-05-15
2439

AWS CloudFormation User Guide
Customer Engagement

AWS::Batch::JobQueue (p. 658)
AWS Elastic Beanstalk (Elastic Beanstalk) (Updated in November 2017)
AWS::ElasticBeanstalk::Application (p. 1043)
AWS::ElasticBeanstalk::ApplicationVersion (p. 1045)
AWS::ElasticBeanstalk::ConﬁgurationTemplate (p. 1047)
AWS::ElasticBeanstalk::Environment (p. 1050)
Elastic Load Balancing (Updated in November 2017)
AWS::ElasticLoadBalancing::LoadBalancer (p. 1063)
AWS::ElasticLoadBalancingV2::Listener (p. 1074)
AWS::ElasticLoadBalancingV2::ListenerCertiﬁcate (p. 1077)
AWS::ElasticLoadBalancingV2::ListenerRule (p. 1080)
AWS::ElasticLoadBalancingV2::LoadBalancer (p. 1082)
AWS::ElasticLoadBalancingV2::TargetGroup (p. 1088)
AWS Lambda (Lambda) (Updated in April 2017)
AWS::Lambda::Alias (p. 1254)
AWS::Lambda::EventSourceMapping (p. 1251)
AWS::Lambda::Function (p. 1257)
AWS::Lambda::Permission (p. 1263)
AWS::Lambda::Version (p. 1265)

Customer Engagement
Amazon Simple Email Service (Amazon SES) (Added in March 2018)
AWS::SES::ConﬁgurationSet (p. 1473)
AWS::SES::ConﬁgurationSetEventDestination (p. 1475)
AWS::SES::ReceiptFilter (p. 1479)
AWS::SES::ReceiptRule (p. 1480)
AWS::SES::ReceiptRuleSet (p. 1484)
AWS::SES::Template (p. 1486)

Database
Amazon DynamoDB (DynamoDB) (Updated in August 2017)
AWS::DynamoDB::Table (p. 848)
Amazon DynamoDB Accelerator (DAX) (Added in August 2017)
AWS::DAX::Cluster (p. 810)
API Version 2010-05-15
2440

AWS CloudFormation User Guide
Database

AWS::DAX::ParameterGroup (p. 816)
AWS::DAX::SubnetGroup (p. 818)
Amazon ElastiCache (ElastiCache) (Updated in August 2017)
AWS::ElastiCache::CacheCluster (p. 1018)
AWS::ElastiCache::ParameterGroup (p. 1026)
AWS::ElastiCache::ReplicationGroup (p. 1028)
AWS::ElastiCache::SecurityGroup (p. 1039)
AWS::ElastiCache::SecurityGroupIngress (p. 1040)
AWS::ElastiCache::SubnetGroup (p. 1041)
Amazon Neptune (Neptune) (Added in May 2018)
AWS::Neptune::DBCluster (p. 1278)
AWS::Neptune::DBClusterParameterGroup (p. 1282)
AWS::Neptune::DBInstance (p. 1284)
AWS::Neptune::DBParameterGroup (p. 1288)
AWS::Neptune::DBSubnetGroup (p. 1290)
Amazon Relational Database Service (Amazon RDS) (Updated in October 2017)
AWS::RDS::DBCluster (p. 1331)
AWS::RDS::DBClusterParameterGroup (p. 1338)
AWS::RDS::DBInstance (p. 1341)
AWS::RDS::DBParameterGroup (p. 1357)
AWS::RDS::DBSecurityGroup (p. 1360)
AWS::RDS::DBSecurityGroupIngress (p. 1363)
AWS::RDS::DBSubnetGroup (p. 1365)
AWS::RDS::EventSubscription (p. 1367)
AWS::RDS::OptionGroup (p. 1370)
Amazon Redshift (Updated in July 2017)
AWS::Redshift::Cluster (p. 1373)
AWS::Redshift::ClusterParameterGroup (p. 1381)
AWS::Redshift::ClusterSecurityGroup (p. 1384)
AWS::Redshift::ClusterSecurityGroupIngress (p. 1386)
AWS::Redshift::ClusterSubnetGroup (p. 1388)
Amazon SimpleDB (Added in February 2011)
AWS::SDB::Domain (p. 1444)
API Version 2010-05-15
2441

AWS CloudFormation User Guide
Developer Tools

AWS Database Migration Service (Added in July 2017)
AWS::DMS::Certiﬁcate (p. 828)
AWS::DMS::Endpoint (p. 830)
AWS::DMS::EventSubscription (p. 835)
AWS::DMS::ReplicationInstance (p. 838)
AWS::DMS::ReplicationSubnetGroup (p. 842)
AWS::DMS::ReplicationTask (p. 845)

Developer Tools
AWS Cloud9 (Added in November 2017)
AWS::Cloud9::EnvironmentEC2 (p. 666)
AWS CodeBuild (Added in December 2016)
AWS::CodeBuild::Project (p. 720)
AWS CodeCommit (Added in October 2016)
AWS::CodeCommit::Repository (p. 729)
AWS CodeDeploy (Updated in November 2017)
AWS::CodeDeploy::Application (p. 731)
AWS::CodeDeploy::DeploymentConﬁg (p. 733)
AWS::CodeDeploy::DeploymentGroup (p. 735)
AWS CodePipeline (Updated in May 2018)
AWS::CodePipeline::CustomActionType (p. 751)
AWS::CodePipeline::Pipeline (p. 755)
AWS::CodePipeline::Webhook (p. 760)

Enterprise Applications
Amazon WorkSpaces (Updated in December 2015)
AWS::WorkSpaces::Workspace (p. 1579)

Game Development
Amazon GameLift (GameLift) (Updated in April 2016)
AWS::GameLift::Alias (p. 1138)
AWS::GameLift::Build (p. 1140)
AWS::GameLift::Fleet (p. 1142)
API Version 2010-05-15
2442

AWS CloudFormation User Guide
Internet of Things

Internet of Things
AWS IoT (Updated in August 2017)
AWS::IoT::Certiﬁcate (p. 1215)
AWS::IoT::Policy (p. 1218)
AWS::IoT::PolicyPrincipalAttachment (p. 1220)
AWS::IoT::Thing (p. 1221)
AWS::IoT::ThingPrincipalAttachment (p. 1224)
AWS::IoT::TopicRule (p. 1225)

Machine Learning
Amazon SageMaker (Added in May 2018)
AWS::SageMaker::Endpoint (p. 1421)
AWS::SageMaker::EndpointConﬁg (p. 1425)
AWS::SageMaker::Model (p. 1430)
AWS::SageMaker::NotebookInstance (p. 1435)
AWS::SageMaker::NotebookInstanceLifecycleConﬁg (p. 1440)

Management Tools
AWS Auto Scaling (Added in May 2018)
AWS::AutoScalingPlans::ScalingPlan (p. 650)
AWS CloudFormation (AWS CloudFormation) (Updated in April 2015)
AWS::CloudFormation::Authentication (p. 668)
AWS::CloudFormation::CustomResource (p. 674)
AWS::CloudFormation::Init (p. 677)
AWS::CloudFormation::Stack (p. 694)
AWS::CloudFormation::WaitCondition (p. 696)
AWS::CloudFormation::WaitConditionHandle (p. 699)
AWS CloudTrail (CloudTrail) (Updated in August 2017)
AWS::CloudTrail::Trail (p. 708)
Amazon CloudWatch (CloudWatch) (Updated in September 2017)
AWS::CloudWatch::Alarm (p. 714)
AWS::CloudWatch::Dashboard (p. 719)
AWS::Events::Rule (p. 1132)
API Version 2010-05-15
2443

AWS CloudFormation User Guide
Management Tools

AWS::Logs::Destination (p. 1267)
AWS::Logs::LogGroup (p. 1270)
AWS::Logs::LogStream (p. 1272)
AWS::Logs::MetricFilter (p. 1273)
AWS::Logs::SubscriptionFilter (p. 1275)
AWS Conﬁg (Updated in April 2018)
AWS::Conﬁg::AggregationAuthorization (p. 780)
AWS::Conﬁg::ConﬁgRule (p. 788)
AWS::Conﬁg::ConﬁgurationAggregator (p. 794)
AWS::Conﬁg::ConﬁgurationRecorder (p. 797)
AWS::Conﬁg::DeliveryChannel (p. 799)
AWS OpsWorks (Updated in November 2017)
AWS::OpsWorks::App (p. 1293)
AWS::OpsWorks::ElasticLoadBalancerAttachment (p. 1297)
AWS::OpsWorks::Instance (p. 1298)
AWS::OpsWorks::Layer (p. 1305)
AWS::OpsWorks::Stack (p. 1316)
AWS::OpsWorks::UserProﬁle (p. 1327)
AWS::OpsWorks::Volume (p. 1329)
AWS Service Catalog (Updated in May 2018)
AWS::ServiceCatalog::AcceptedPortfolioShare (p. 1444)
AWS::ServiceCatalog::CloudFormationProduct (p. 1445)
AWS::ServiceCatalog::CloudFormationProvisionedProduct (p. 1448)
AWS::ServiceCatalog::LaunchNotiﬁcationConstraint (p. 1453)
AWS::ServiceCatalog::LaunchRoleConstraint (p. 1455)
AWS::ServiceCatalog::LaunchTemplateConstraint (p. 1456)
AWS::ServiceCatalog::Portfolio (p. 1458)
AWS::ServiceCatalog::PortfolioPrincipalAssociation (p. 1460)
AWS::ServiceCatalog::PortfolioProductAssociation (p. 1461)
AWS::ServiceCatalog::PortfolioShare (p. 1463)
AWS::ServiceCatalog::TagOption (p. 1464)
AWS::ServiceCatalog::TagOptionAssociation (p. 1465)
AWS Systems Manager (Updated in May 2018)
AWS::SSM::Association (p. 1504)
API Version 2010-05-15
2444

AWS CloudFormation User Guide
Mobile Services

AWS::SSM::Document (p. 1507)
AWS::SSM::MaintenanceWindow (p. 1511)
AWS::SSM::MaintenanceWindowTarget (p. 1513)
AWS::SSM::MaintenanceWindowTask (p. 1515)
AWS::SSM::Parameter (p. 1518)
AWS::SSM::PatchBaseline (p. 1522)
AWS::SSM::ResourceDataSync (p. 1524)

Mobile Services
AWS AppSync (Added in April 2018)
AWS::AppSync::ApiKey (p. 601)
AWS::AppSync::DataSource (p. 604)
AWS::AppSync::GraphQLApi (p. 608)
AWS::AppSync::GraphQLSchema (p. 611)
AWS::AppSync::Resolver (p. 613)
Amazon Cognito (Added in April 2017)
AWS::Cognito::IdentityPool (p. 763)
AWS::Cognito::IdentityPoolRoleAttachment (p. 766)
AWS::Cognito::UserPool (p. 768)
AWS::Cognito::UserPoolClient (p. 772)
AWS::Cognito::UserPoolGroup (p. 774)
AWS::Cognito::UserPoolUser (p. 776)
AWS::Cognito::UserPoolUserToGroupAttachment (p. 779)
Amazon Simple Notiﬁcation Service (Amazon SNS) (Updated in November 2016)
AWS::SNS::Subscription (p. 1488)
AWS::SNS::Topic (p. 1492)
AWS::SNS::TopicPolicy (p. 1494)

Networking
Amazon Route 53 (Updated in March 2017)
AWS::Route53::HealthCheck (p. 1390)
AWS::Route53::HostedZone (p. 1392)
AWS::Route53::RecordSet (p. 1395)
API Version 2010-05-15
2445

AWS CloudFormation User Guide
Networking

AWS::Route53::RecordSetGroup (p. 1401)
Service Discovery (Added in December 2017)
AWS::ServiceDiscovery::Instance (p. 1466)
AWS::ServiceDiscovery::PrivateDnsNamespace (p. 1468)
AWS::ServiceDiscovery::PublicDnsNamespace (p. 1470)
AWS::ServiceDiscovery::Service (p. 1471)
Amazon Virtual Private Cloud (Amazon VPC) (Updated in November 2017)
AWS::EC2::CustomerGateway (p. 861)
AWS::EC2::DHCPOptions (p. 863)
AWS::EC2::EgressOnlyInternetGateway (p. 867)
AWS::EC2::EIP (p. 868)
AWS::EC2::EIPAssociation (p. 870)
AWS::EC2::FlowLog (p. 875)
AWS::EC2::InternetGateway (p. 890)
AWS::EC2::NatGateway (p. 893)
AWS::EC2::NetworkAcl (p. 895)
AWS::EC2::NetworkAclEntry (p. 897)
AWS::EC2::NetworkInterface (p. 901)
AWS::EC2::NetworkInterfaceAttachment (p. 906)
AWS::EC2::NetworkInterfacePermission (p. 908)
AWS::EC2::Route (p. 911)
AWS::EC2::RouteTable (p. 915)
AWS::EC2::SecurityGroup (p. 917)
AWS::EC2::SecurityGroupEgress (p. 921)
AWS::EC2::SecurityGroupIngress (p. 925)
AWS::EC2::Subnet (p. 935)
AWS::EC2::SubnetCidrBlock (p. 938)
AWS::EC2::SubnetNetworkAclAssociation (p. 940)
AWS::EC2::SubnetRouteTableAssociation (p. 942)
AWS::EC2::VPC (p. 950)
AWS::EC2::VPCCidrBlock (p. 953)
AWS::EC2::VPCDHCPOptionsAssociation (p. 956)
AWS::EC2::VPCEndpoint (p. 958)
API Version 2010-05-15
2446

AWS CloudFormation User Guide
Security and Identity

AWS::EC2::VPCGatewayAttachment (p. 965)
AWS::EC2::VPCPeeringConnection (p. 967)
AWS::EC2::VPNConnection (p. 977)
AWS::EC2::VPNConnectionRoute (p. 980)
AWS::EC2::VPNGateway (p. 982)
AWS::EC2::VPNGatewayRoutePropagation (p. 984)

Security and Identity
AWS Certiﬁcate Manager (ACM) (Added in August 2016)
AWS::CertiﬁcateManager::Certiﬁcate (p. 663)
AWS Directory Service (Updated in December 2015)
AWS::DirectoryService::MicrosoftAD (p. 821)
AWS::DirectoryService::SimpleAD (p. 825)
Amazon Inspector (Added in December 2017)
AWS::Inspector::AssessmentTarget (p. 1209)
AWS::Inspector::AssessmentTemplate (p. 1211)
AWS::Inspector::ResourceGroup (p. 1214)
Amazon GuardDuty (Updated in May 2018)
AWS::GuardDuty::Detector (p. 1171)
AWS::GuardDuty::Filter (p. 1172)
AWS::GuardDuty::IPSet (p. 1180)
AWS::GuardDuty::Master (p. 1175)
AWS::GuardDuty::Member (p. 1177)
AWS::GuardDuty::ThreatIntelSet (p. 1182)
AWS Identity and Access Management (IAM) (Updated in April 2017)
AWS::IAM::AccessKey (p. 1184)
AWS::IAM::Group (p. 1186)
AWS::IAM::InstanceProﬁle (p. 1188)
AWS::IAM::ManagedPolicy (p. 1190)
AWS::IAM::Policy (p. 1194)
AWS::IAM::Role (p. 1197)
AWS::IAM::User (p. 1205)
AWS::IAM::UserToGroupAddition (p. 1208)
API Version 2010-05-15
2447

AWS CloudFormation User Guide
Storage and Content Delivery

AWS Key Management Service (AWS KMS) (Updated in October 2017)
AWS::KMS::Alias (p. 1245)
AWS::KMS::Key (p. 1247)
AWS WAF (Updated in May 2017)
AWS::WAF::ByteMatchSet (p. 1532)
AWS::WAF::IPSet (p. 1535)
AWS::WAF::Rule (p. 1539)
AWS::WAF::SizeConstraintSet (p. 1541)
AWS::WAF::SqlInjectionMatchSet (p. 1544)
AWS::WAF::WebACL (p. 1547)
AWS::WAF::XssMatchSet (p. 1551)
AWS::WAFRegional::ByteMatchSet (p. 1555)
AWS::WAFRegional::IPSet (p. 1558)
AWS::WAFRegional::Rule (p. 1561)
AWS::WAFRegional::SizeConstraintSet (p. 1563)
AWS::WAFRegional::SqlInjectionMatchSet (p. 1567)
AWS::WAFRegional::WebACL (p. 1570)
AWS::WAFRegional::WebACLAssociation (p. 1574)
AWS::WAFRegional::XssMatchSet (p. 1575)

Storage and Content Delivery
Amazon CloudFront (CloudFront) (Updated in November 2017)
AWS::CloudFront::CloudFrontOriginAccessIdentity (p. 703)
AWS::CloudFront::Distribution (p. 700)
AWS::CloudFront::StreamingDistribution (p. 705)
Amazon Elastic Block Store (Amazon EBS) (Updated in April 2017)
AWS::EC2::Volume (p. 944)
AWS::EC2::VolumeAttachment (p. 948)
Amazon Elastic File System (Amazon EFS) (Updated in August 2017)
AWS::EFS::FileSystem (p. 1009)
AWS::EFS::MountTarget (p. 1013)
Amazon Simple Storage Service (Amazon S3) (Updated in November 2017)
AWS::S3::Bucket (p. 1403)
AWS::S3::BucketPolicy (p. 1419)
API Version 2010-05-15
2448

AWS CloudFormation User Guide
Additional Software and Services

Additional Software and Services
AWS Billing and Cost Management (Billing and Cost Management) (Added in May 2018)
AWS::Budgets::Budget (p. 660)

Release History for AWS CloudFormation Helper
Scripts
The following table describes the changes to the aws-cfn-bootstrap package, which contains the AWS
CloudFormation helper scripts.

Note

The AWS CloudFormation helper scripts are preinstalled on Amazon Linux AMI images. The
download packages listed in the table apply to other Linux/Unix distributions and Microsoft
Windows (2008 or later). To learn how to use the helper scripts, see CloudFormation Helper
Scripts Reference (p. 2324).
You can also download the latest version of the helper scripts at the following links. These links redirect
to the most recent version of the helper scripts listed in the table below.
• RPM
• RPM (Source ﬁles)
• TAR.GZ
• ZIP
• MSI (32-bit Windows)
• MSI (64-bit Windows)

Version

Release
Date

1.4-30
3/21/2018
(Latest;
recommended)

Change Description

Download Packages

• Added additional retries on speciﬁc network
errors.
• Improved cfn-hup logging.

• RPM
• RPM (Source ﬁles)
• TAR.GZ
• ZIP
• MSI (32-bit Windows)
• MSI (64-bit Windows)

1.4-29

2/12/2018

Extending support for newer AWS regions.

• RPM
• RPM (Source ﬁles)
• TAR.GZ
• ZIP
• MSI (32-bit Windows)
• MSI (64-bit Windows)

1.4-27

1/24/2018

Extending support for newer AWS regions.

• RPM
• RPM (Source ﬁles)
• TAR.GZ
• ZIP

API Version 2010-05-15
2449

AWS CloudFormation User Guide
Release History for Helper Scripts

Version

Release
Date

Change Description

Download Packages
• MSI (32-bit Windows)
• MSI (64-bit Windows)

1.4-24,
1.4-26

10/12/2017 Fixed an incompatibility for customers using an
older version of Python.

• RPM
• RPM (Source ﬁles)
• TAR.GZ
• ZIP
• MSI (32-bit Windows)
• MSI (64-bit Windows)

1.4-23

10/3/2017

• Fixed datetime serialization issue.
• Fixed issue logging non-ASCII characters.

• RPM
• RPM (Source ﬁles)
• TAR.GZ
• ZIP
• MSI (32-bit Windows)
• MSI (64-bit Windows)

1.4-22

9/14/2017

Changed umask default value from 0 to 0022.

• RPM
• RPM (Source ﬁles)
• TAR.GZ
• ZIP
• MSI (32-bit Windows)
• MSI (64-bit Windows)

1.4-21

8/31/2017

Added the umask parameter for the cfn-hup
daemon, with a default value of 0.

• RPM
• RPM (Source ﬁles)
• TAR.GZ
• ZIP
• MSI (32-bit Windows)
• MSI (64-bit Windows)

1.4-20

1.4-19

8/2/2017

7/20/2017

• Set 0700 permissions to the /var/lib/
cfn-hup/data directory.
• Set 0700 permissions to the /var/lib/
cfn-init directory.
• Ensure that we remove all permissions for
group and world whenever we update the
metadata_db.json and resume_db.json
ﬁles.

• RPM
• RPM (Source ﬁles)
• TAR.GZ

• Changed the data format stored into
metadata_db and resume_db ﬁles from
shelf to JSON.
• Set 0600 permissions to the /var/lib/
cfn-init directory.

• RPM
• RPM (Source ﬁles)
• TAR.GZ

• ZIP
• MSI (32-bit Windows)
• MSI (64-bit Windows)

• ZIP
• MSI (32-bit Windows)
• MSI (64-bit Windows)

API Version 2010-05-15
2450

AWS CloudFormation User Guide

AWS Glossary
For the latest AWS terminology, see the AWS Glossary in the AWS General Reference.

API Version 2010-05-15
2451

Source Exif Data:

File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
Linearized                      : No
Page Count                      : 2474
Profile CMM Type                : Little CMS
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Apple Computer Inc.
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : Hewlett-Packard
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Perceptual
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : Little CMS
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Producer                        : Apache FOP Version 2.1
PDF Version                     : 1.4
Creator                         : Amazon Web Services
Format                          : application/pdf
Title                           : AWS CloudFormation - User Guide
Language                        : en
Date                            : 2018:08:17 07:30:58Z
Creator Tool                    : ZonBook XSL Stylesheets with Apache FOP
Metadata Date                   : 2018:08:17 07:30:58Z
Create Date                     : 2018:08:17 07:30:58Z
Page Mode                       : UseOutlines
Author                          : Amazon Web Services
Keywords                        : CloudFormation, AWSCloudFormation, resource provisioning, resource configuration, infrastructure management, CloudFormer, CloudFormation Designer, CloudFormation stack, CloudFormation stackset, CloudFormation template, change set

EXIF Metadata provided by EXIF.tools

AWS CloudFormation User Guide Cloud Formation Gettng Started

Congratulations !! Your IIS server is configured.

Amazon ECS Sample App

Congratulations!

Amazon ECS Sample App

Congratulations!

Navigation menu

Versions of this User Manual:

Views

Navigation