CFN Ug

AWS CloudFormation
User Guide
API Version 2010-05-15
AWS CloudFormation User Guide
AWS CloudFormation: User Guide

Copyright © 2019 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not
Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or
discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may
or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
What is AWS CloudFormation? ............................................................................................................. 1
Simplify Infrastructure Management ............................................................................................. 1
Quickly Replicate Your Infrastructure ............................................................................................ 1
Easily Control and Track Changes to Your Infrastructure .................................................................. 1
Related Information ................................................................................................................... 2
AWS CloudFormation Concepts .................................................................................................... 2
Templates ......................................................................................................................... 2
Stacks ............................................................................................................................... 4
Change Sets ...................................................................................................................... 5
How Does AWS CloudFormation Work? ......................................................................................... 5
Updating a Stack with Change Sets ...................................................................................... 7
Deleting a Stack ................................................................................................................ 8
Additional Resources .......................................................................................................... 8
Setting Up ........................................................................................................................................ 9
Signing Up for an AWS Account and Pricing .................................................................................. 9
Pricing .............................................................................................................................. 9
Controlling Access with IAM ........................................................................................................ 9
AWS CloudFormation Actions ............................................................................................. 10
AWS CloudFormation Resources ......................................................................................... 11
AWS CloudFormation Conditions ........................................................................................ 12
Acknowledging IAM Resources in AWS CloudFormation Templates .......................................... 16
Manage Credentials for Applications Running on Amazon EC2 Instances .................................. 17
Grant Temporary Access (Federated Access) ......................................................................... 17
AWS CloudFormation Service Role ...................................................................................... 18
Logging API Calls ..................................................................................................................... 18
AWS CloudFormation Information in CloudTrail .................................................................... 19
Understanding AWS CloudFormation Log File Entries ............................................................ 19
Limits ..................................................................................................................................... 22
StackSet Availability ......................................................................................................... 25
StackSets and Macros ....................................................................................................... 25
Endpoints ................................................................................................................................ 26
Setting Up VPC Endpoints for AWS CloudFormation ..................................................................... 26
Before You Begin ............................................................................................................. 26
Creating the VPC EndPoint for AWS CloudFormation ............................................................ 27
Getting Started ................................................................................................................................ 28
Get Started ............................................................................................................................. 28
Step 1: Pick a template ..................................................................................................... 28
Step 2: Make sure you have prepared any required items for the stack ..................................... 33
Step 3: Create the stack .................................................................................................... 34
Step 4: Monitor the progress of stack creation ..................................................................... 34
Step 5: Use your stack resources ........................................................................................ 35
Step 6: Clean Up .............................................................................................................. 36
Learn Template Basics .............................................................................................................. 36
What is an AWS CloudFormation Template? ......................................................................... 36
Resources: Hello Bucket! .................................................................................................... 37
Resource Properties and Using Resources Together ............................................................... 37
Receiving User Input Using Input Parameters ....................................................................... 43
Specifying Conditional Values Using Mappings ..................................................................... 45
Constructed Values and Output Values ............................................................................... 47
Next Steps ....................................................................................................................... 50
Walkthrough: Updating a Stack .................................................................................................. 50
A Simple Application ........................................................................................................ 51
Create the Initial Stack ..................................................................................................... 57
Update the Application ..................................................................................................... 58

iii
Changing Resource Properties ............................................................................................ 60

Adding Resource Properties ............................................................................................... 63
Change the Stack's Resources ............................................................................................ 64
Availability and Impact Considerations ................................................................................ 72
Related Resources ............................................................................................................ 72
Best Practices .................................................................................................................................. 74
Organize Your Stacks By Lifecycle and Ownership ........................................................................ 74
Use Cross-Stack References to Export Shared Resources ................................................................ 75
Use IAM to Control Access ......................................................................................................... 75
Verify Quotas for All Resource Types .......................................................................................... 75
Reuse Templates to Replicate Stacks in Multiple Environments ....................................................... 76
Use Nested Stacks to Reuse Common Template Patterns ............................................................... 76
Do Not Embed Credentials in Your Templates .............................................................................. 76
Using Input Parameters with NoEcho for Credentials ............................................................ 76
Using Dynamic References to Retrieve Credentials ................................................................ 77
Use AWS-Specific Parameter Types ............................................................................................. 77
Use Parameter Constraints ........................................................................................................ 77
Use AWS::CloudFormation::Init to Deploy Software Applications on Amazon EC2 Instances ................. 77
Use the Latest Helper Scripts ..................................................................................................... 77
Validate Templates Before Using Them ....................................................................................... 78
Manage All Stack Resources Through AWS CloudFormation ........................................................... 78
Create Change Sets Before Updating Your Stacks ......................................................................... 78
Use Stack Policies ..................................................................................................................... 78
Use AWS CloudTrail to Log AWS CloudFormation Calls .................................................................. 79
Use Code Reviews and Revision Controls to Manage Your Templates ............................................... 79
Update Your Amazon EC2 Linux Instances Regularly ..................................................................... 79
Continuous Delivery .......................................................................................................................... 80
Walkthrough: Building a Pipeline for Test and Production Stacks .................................................... 80
Prerequisites .................................................................................................................... 80
Walkthrough Overview ...................................................................................................... 81
Step 1: Edit the Artifact and Upload It to an S3 Bucket ......................................................... 81
Step 2: Create the Pipeline Stack ....................................................................................... 82
Step 3: View the WordPress Stack ...................................................................................... 86
Step 4: Clean Up Resources .............................................................................................. 86
See Also .......................................................................................................................... 87
Configuration Properties Reference ............................................................................................. 87
Configuration Properties (Console) ..................................................................................... 87
Configuration Properties (JSON Object) .............................................................................. 89
See Also .......................................................................................................................... 92
AWS CloudFormation Artifacts ................................................................................................... 92
Stack Template File .......................................................................................................... 93
Template Configuration File ............................................................................................... 93
See Also .......................................................................................................................... 94
Using Parameter Override Functions with CodePipeline Pipelines .................................................... 94
Fn::GetArtifactAtt ............................................................................................................. 94
Fn::GetParam ................................................................................................................... 95
See Also .......................................................................................................................... 97
Working with Stacks ......................................................................................................................... 98
Using the Console .................................................................................................................... 98
In This Section ................................................................................................................. 98
Logging In to the Console ................................................................................................. 99
Creating a Stack ............................................................................................................... 99
Creating an EC2 Key Pair ................................................................................................. 106
Estimating the Cost of Your Stack .................................................................................... 106
Viewing Stack Data and Resources .................................................................................... 106
Monitor and Roll Back Stack Operations ............................................................................ 109
Creating Quick-Create Links for Stacks .............................................................................. 111

iv
Deleting a Stack ............................................................................................................. 114

Protecting a Stack From Being Deleted ............................................................................. 114
Viewing Deleted Stacks ................................................................................................... 116
Related Topics ................................................................................................................ 116
Using the AWS CLI .................................................................................................................. 116
Creating a Stack ............................................................................................................. 117
Describing and Listing Your Stacks .................................................................................... 118
Viewing Stack Event History ............................................................................................ 121
Listing Resources ............................................................................................................ 123
Retrieving a Template ..................................................................................................... 123
Validating a Template ..................................................................................................... 124
Uploading Local Artifacts to an S3 Bucket ......................................................................... 125
Quickly Deploying Templates with Transforms ................................................................... 126
Deleting a Stack ............................................................................................................. 126
Stack Updates ........................................................................................................................ 127
Update Behaviors of Stack Resources ................................................................................ 127
Modifying a Stack Template ............................................................................................. 128
Updating Stacks Using Change Sets .................................................................................. 130
Updating Stacks Directly ................................................................................................. 145
Monitoring Progress ........................................................................................................ 147
Canceling a Stack Update ................................................................................................ 148
Prevent Updates to Stack Resources ................................................................................. 149
Continue Rolling Back an Update ..................................................................................... 158
Detecting Unmanaged Configuration Changes to Stacks and Resources ......................................... 161
What Is Drift? ................................................................................................................ 161
Drift Detection Status Codes ............................................................................................ 162
Considerations When Detecting Drift ................................................................................ 163
Detect Drift on an Entire CloudFormation Stack ................................................................. 165
Detect Drift on Individual Stack Resources ......................................................................... 169
Resources that Support Drift Detection ............................................................................. 171
Moving Resources Between Stacks ............................................................................................ 173
Refactor a Stack Using the AWS Management Console ........................................................ 173
Refactor a Stack Using the AWS CLI .................................................................................. 177
Exporting Stack Output Values ................................................................................................. 181
Exporting Stack Output Values vs. Using Nested Stacks ....................................................... 181
Listing Exported Output Values ........................................................................................ 181
Listing Stacks That Import an Exported Output Value ................................................................. 182
Working with Nested Stacks .................................................................................................... 183
Nesting an Existing Stack ................................................................................................ 185
Working with Windows Stacks .................................................................................................. 189
In This Section ............................................................................................................... 189
Windows AMIs and Templates .......................................................................................... 189
Bootstrapping Windows Stacks ......................................................................................... 189
Bringing Existing Resources Into CloudFormation Management ............................................................ 194
Resource Import Overview ....................................................................................................... 194
Resource Import Validation ...................................................................................................... 194
Resource Import Status Codes .................................................................................................. 194
Considerations During an Import Operation ............................................................................... 195
Getting Started with Resource Import ....................................................................................... 195
Creating a Stack From Existing Resources .................................................................................. 195
Create a Stack from Existing Resources Using the AWS CloudFormation Console ..................... 197
Create a Stack from Existing Resources Using the AWS CLI ................................................... 198
Importing Existing Resources Into a Stack .................................................................................. 199
Import an Existing Resource into a Stack Using the AWS CloudFormation Console ................... 200
Import an Existing Resource into a Stack Using the AWS CLI ................................................ 201
Reverting an Import Operation ................................................................................................ 203
Revert an Import Operation Using the AWS Management Console ........................................ 203

v
Revert an Import Operation Using the AWS CLI .................................................................. 205

Resources that Support Import Operations ................................................................................ 206
Working with Templates .................................................................................................................. 209
Template Formats ................................................................................................................... 209
Template Anatomy ................................................................................................................. 210
JSON ............................................................................................................................ 210
YAML ............................................................................................................................ 211
Template Sections .......................................................................................................... 211
Format Version ............................................................................................................... 212
Description .................................................................................................................... 213
Metadata ....................................................................................................................... 213
Parameters .................................................................................................................... 237
Mappings ....................................................................................................................... 256
Conditions ..................................................................................................................... 260
Transform ...................................................................................................................... 264
Resources ...................................................................................................................... 269
Outputs ......................................................................................................................... 271
What Is AWS CloudFormation Designer? .................................................................................... 274
Why Use Designer? ......................................................................................................... 274
Interface Overview ......................................................................................................... 276
How to Get Started ........................................................................................................ 285
Walkthroughs ......................................................................................................................... 285
Walkthrough: Use AWS CloudFormation Designer to Create a Basic Web Server ....................... 285
Walkthrough: Use AWS CloudFormation Designer to Modify a Stack's Template ...................... 303
Peer with a VPC in Another Account ................................................................................. 314
Walkthrough: Refer to Resource Outputs in Another AWS CloudFormation Stack ..................... 321
Create a Scalable, Load-balancing Web Server ................................................................... 323
Deploying Applications .................................................................................................... 333
Creating Wait Conditions ................................................................................................. 351
Template Snippets .................................................................................................................. 355
General ......................................................................................................................... 356
Auto Scaling .................................................................................................................. 363
AWS CloudFormation ...................................................................................................... 368
CloudFront ..................................................................................................................... 372
CloudWatch ................................................................................................................... 379
CloudWatch Logs ............................................................................................................ 383
DynamoDB ..................................................................................................................... 410
Amazon EC2 .................................................................................................................. 414
Amazon ECS .................................................................................................................. 429
Amazon EFS ................................................................................................................... 445
Elastic Beanstalk ............................................................................................................. 462
Elastic Load Balancing ..................................................................................................... 464
IAM ............................................................................................................................... 465
AWS Lambda ................................................................................................................. 478
AWS OpsWorks .............................................................................................................. 482
Amazon Redshift ............................................................................................................ 488
Amazon RDS .................................................................................................................. 494
Route 53 ........................................................................................................................ 500
Amazon S3 .................................................................................................................... 504
Amazon SNS .................................................................................................................. 510
Amazon SQS .................................................................................................................. 510
Custom Resources ................................................................................................................... 511
How Custom Resources Work ........................................................................................... 511
Amazon Simple Notification Service-backed Custom Resources ............................................. 513
AWS Lambda-backed Custom Resources ............................................................................ 518
Custom Resource Reference ............................................................................................. 530
Template Macros .................................................................................................................... 542

vi
How AWS CloudFormation Macros Work ............................................................................ 542

Creating an AWS CloudFormation Macro Definition ............................................................. 543
Using AWS CloudFormation Macros in Your Templates ........................................................ 547
Macro Examples ............................................................................................................. 550
See Also ........................................................................................................................ 550
Macro Example: Creating and Using a Macro ...................................................................... 550
Using Regular Expressions ....................................................................................................... 555
Using CloudFormer (Beta) to Create Templates ........................................................................... 555
Step 1: Create a CloudFormer Stack .................................................................................. 556
Step 2: Launch the CloudFormer Stack .............................................................................. 556
Step 3: Use CloudFormer to Create a Template .................................................................. 557
Step 4: Delete the CloudFormer Stack ............................................................................... 561
Working with AWS CloudFormation StackSets .................................................................................... 562
StackSets Concepts ................................................................................................................. 562
Administrator and target accounts .................................................................................... 563
Stack sets ...................................................................................................................... 563
Stack instances ............................................................................................................... 563
Stack set operations ....................................................................................................... 564
Stack set operation options ............................................................................................. 565
Tags .............................................................................................................................. 566
Stack set and stack instance status codes .......................................................................... 566
Prerequisites: Granting Permissions for Stack Set Operations ....................................................... 567
Set Up Basic Permissions for Stack Sets Operations ............................................................ 567
Set Up Advanced Permissions Options for Stack Set Operations ........................................... 570
Getting Started ...................................................................................................................... 575
Create a New Stack Set ................................................................................................... 575
Update Your Stack Set .................................................................................................... 580
Add Stacks to a Stack Set ............................................................................................... 582
Override Parameters on Stack Instances ............................................................................ 583
Delete Stack Instances .................................................................................................... 585
Delete Stack Sets ........................................................................................................... 587
Target account gates ............................................................................................................... 588
Setup Requirements ........................................................................................................ 589
Sample Lambda Account Gating Functions ........................................................................ 589
Detecting Unmanaged Changes in Stack Sets ............................................................................. 589
How CloudFormation Performs Drift Detection on a Stack Set .............................................. 590
Stopping Drift Detection on a Stack Set ............................................................................ 597
Best Practices ......................................................................................................................... 597
Defining the Template .................................................................................................... 597
Creating or Adding Stacks to the Stack Set ........................................................................ 597
Updating Stacks in a Stack Set ......................................................................................... 598
Sample Templates .................................................................................................................. 598
Troubleshooting ..................................................................................................................... 599
Common reasons for stack operation failure ...................................................................... 599
Retrying failed stack creation or update operations ............................................................. 599
Stack instance deletion fails ............................................................................................. 600
Using the CloudFormation Registry ................................................................................................... 601
Private and Public Resource Providers ....................................................................................... 601
Registering Resource Providers in CloudFormation ...................................................................... 601
Specifying Which Version of a Resource Provider to Use ...................................................... 602
Viewing Registered Resource Providers in CloudFormation ........................................................... 602
Template Reference ........................................................................................................................ 604
Resource and Property Reference ............................................................................................. 604
AccessAnalyzer ............................................................................................................... 607
ASK ............................................................................................................................... 611
AmazonMQ .................................................................................................................... 617
Amplify Console ............................................................................................................. 637

vii
API Gateway .................................................................................................................. 652

API Gateway V2 ............................................................................................................. 749
Application Auto Scaling ................................................................................................. 792
App Mesh ...................................................................................................................... 822
AppStream 2.0 ............................................................................................................... 875
AppSync ........................................................................................................................ 902
Athena .......................................................................................................................... 942
AWS Auto Scaling ........................................................................................................... 945
Amazon EC2 Auto Scaling ............................................................................................... 963
AWS Backup ................................................................................................................. 1025
AWS Batch ................................................................................................................... 1036
AWS Budgets ............................................................................................................... 1063
Certificate Manager ....................................................................................................... 1078
AWS Cloud9 ................................................................................................................. 1082
CloudFormation ............................................................................................................ 1085
CloudFront ................................................................................................................... 1098
AWS Cloud Map ............................................................................................................ 1141
CloudTrail .................................................................................................................... 1161
CloudWatch ................................................................................................................. 1171
CloudWatch Logs .......................................................................................................... 1194
Amazon EventBridge ..................................................................................................... 1206
CodeBuild .................................................................................................................... 1235
CodeCommit ................................................................................................................ 1274
CodeDeploy .................................................................................................................. 1280
CodePipeline ................................................................................................................ 1320
CodeStar ...................................................................................................................... 1351
CodeStarNotifications .................................................................................................... 1356
Amazon Cognito ........................................................................................................... 1359
Config ......................................................................................................................... 1431
AWS Data Pipeline ........................................................................................................ 1477
DAX ............................................................................................................................ 1492
Directory Service .......................................................................................................... 1504
DLM ............................................................................................................................ 1513
DMS ............................................................................................................................ 1523
Amazon DocumentDB ................................................................................................... 1551
DynamoDB ................................................................................................................... 1565
EC2 ............................................................................................................................. 1589
Amazon ECR ................................................................................................................ 1842
ECS ............................................................................................................................. 1847
EFS ............................................................................................................................. 1930
EKS ............................................................................................................................. 1938
ElastiCache ................................................................................................................... 1949
Elasticsearch ................................................................................................................. 1978
Elastic Beanstalk ........................................................................................................... 1995
Elastic Load Balancing ................................................................................................... 2025
ElasticLoadBalancingV2 ................................................................................................. 2039
Amazon EMR ................................................................................................................ 2110
EventSchemas .............................................................................................................. 2193
FSx ............................................................................................................................. 2201
GameLift ..................................................................................................................... 2215
AWS Glue .................................................................................................................... 2259
GuardDuty ................................................................................................................... 2340
IAM ............................................................................................................................. 2354
Inspector ..................................................................................................................... 2389
IoT .............................................................................................................................. 2395
IoT1Click ...................................................................................................................... 2428
IoT Analytics ................................................................................................................ 2437

viii
IoTEvents ..................................................................................................................... 2491

AWS IoT Greengrass ...................................................................................................... 2518
AWS IoT Things Graph .................................................................................................. 2631
Amazon Kinesis ............................................................................................................ 2633
KinesisAnalytics ............................................................................................................ 2640
Amazon Kinesis Data Analytics V2 .................................................................................. 2670
Amazon Kinesis Data Firehose ........................................................................................ 2720
KMS ............................................................................................................................ 2766
LakeFormation .............................................................................................................. 2775
Lambda ....................................................................................................................... 2781
ManagedBlockchain ....................................................................................................... 2818
MediaConvert ............................................................................................................... 2833
MediaLive .................................................................................................................... 2846
MediaStore .................................................................................................................. 2877
MSK ............................................................................................................................ 2881
Amazon Neptune .......................................................................................................... 2921
OpsWorks .................................................................................................................... 2934
OpsWorks-CM ............................................................................................................... 2995
Pinpoint ....................................................................................................................... 3006
PinpointEmail ............................................................................................................... 3075
QLDB .......................................................................................................................... 3093
RAM ............................................................................................................................ 3096
RDS ............................................................................................................................. 3099
Amazon Redshift .......................................................................................................... 3160
RoboMaker ................................................................................................................... 3179
Route 53 ..................................................................................................................... 3201
Route 53 Resolver ......................................................................................................... 3258
Amazon S3 .................................................................................................................. 3269
Amazon SageMaker ....................................................................................................... 3334
Secrets Manager ........................................................................................................... 3373
Service Catalog ............................................................................................................. 3399
SecurityHub ................................................................................................................. 3433
SES ............................................................................................................................. 3434
Amazon SimpleDB ........................................................................................................ 3466
Amazon SNS ................................................................................................................ 3467
Amazon SQS ................................................................................................................ 3476
Step Functions ............................................................................................................. 3485
Systems Manager .......................................................................................................... 3496
AWS SFTP .................................................................................................................... 3550
WAF ............................................................................................................................ 3558
WAFv2 ......................................................................................................................... 3600
WAF Regional ............................................................................................................... 3688
WorkSpaces .................................................................................................................. 3742
Shared Property Types .................................................................................................. 3746
Resource Specification ........................................................................................................... 3749
Specification Format ..................................................................................................... 3751
Resource Attributes ............................................................................................................... 3760
CreationPolicy .............................................................................................................. 3760
DeletionPolicy .............................................................................................................. 3764
DependsOn .................................................................................................................. 3765
Metadata ..................................................................................................................... 3771
UpdatePolicy ................................................................................................................ 3771
UpdateReplacePolicy ..................................................................................................... 3783
Intrinsic Functions ................................................................................................................. 3784
Fn::Base64 ................................................................................................................ 3785
Fn::Cidr .................................................................................................................... 3786
Condition Functions ...................................................................................................... 3788

ix
Fn::FindInMap .......................................................................................................... 3804

Fn::GetAtt ................................................................................................................ 3807
Fn::GetAZs ................................................................................................................ 3809
Fn::ImportValue ....................................................................................................... 3811
Fn::Join .................................................................................................................... 3814
Fn::Select ................................................................................................................ 3815
Fn::Split .................................................................................................................. 3818
Fn::Sub ..................................................................................................................... 3820
Fn::Transform .......................................................................................................... 3823
Ref ............................................................................................................................. 3824
Pseudo Parameters ............................................................................................................... 3826
Example ...................................................................................................................... 3826
AWS::AccountId ............................................................................................................. 3826
AWS::NotificationARNs ................................................................................................... 3826
AWS::NoValue ............................................................................................................... 3827
AWS::Partition .............................................................................................................. 3828
AWS::Region ................................................................................................................. 3828
AWS::StackId ................................................................................................................ 3828
AWS::StackName ........................................................................................................... 3828
AWS::URLSuffix ............................................................................................................. 3828
CloudFormation Helper Scripts ............................................................................................... 3828
Amazon Linux AMI Images ............................................................................................. 3829
Downloading Packages for Other Platforms ..................................................................... 3829
Permissions for helper scripts ......................................................................................... 3830
Using the Latest Version ................................................................................................ 3831
cfn-init ........................................................................................................................ 3831
cfn-signal ..................................................................................................................... 3834
cfn-get-metadata .......................................................................................................... 3839
cfn-hup ....................................................................................................................... 3841
Sample Templates ........................................................................................................................ 3846
Troubleshooting ............................................................................................................................ 3847
Troubleshooting Guide .......................................................................................................... 3847
Troubleshooting Errors .......................................................................................................... 3847
Delete Stack Fails ......................................................................................................... 3848
Dependency Error ......................................................................................................... 3848
Error Parsing Parameter When Passing a List .................................................................... 3849
Insufficient IAM Permissions ........................................................................................... 3849
Invalid Value or Unsupported Resource Property .............................................................. 3849
Limit Exceeded ............................................................................................................. 3849
Nested Stacks are Stuck in UPDATE_COMPLETE_CLEANUP_IN_PROGRESS,
UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS, or
UPDATE_ROLLBACK_IN_PROGRESS ................................................................................. 3849
No Updates to Perform ................................................................................................. 3850
Resource Failed to Stabilize During a Create, Update, or Delete Stack Operation .................... 3850
Security Group Does Not Exist in VPC .............................................................................. 3850
Update Rollback Failed ................................................................................................. 3851
Wait Condition Didn't Receive the Required Number of Signals from an Amazon EC2 Instance .. 3852
Contacting Support ............................................................................................................... 3852
Release History ............................................................................................................................. 3853
Earlier Updates ..................................................................................................................... 3988
Release History for Helper Scripts ........................................................................................... 4056
AWS Glossary ............................................................................................................................... 4059

x
Simplify Infrastructure Management
What is AWS CloudFormation?

AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources
so that you can spend less time managing those resources and more time focusing on your applications
that run in AWS. You create a template that describes all the AWS resources that you want (like Amazon
EC2 instances or Amazon RDS DB instances), and AWS CloudFormation takes care of provisioning and
configuring those resources for you. You don't need to individually create and configure AWS resources
and figure out what's dependent on what; AWS CloudFormation handles all of that. The following
scenarios demonstrate how AWS CloudFormation can help.
Simplify Infrastructure Management

For a scalable web application that also includes a back-end database, you might use an Auto Scaling
group, an Elastic Load Balancing load balancer, and an Amazon Relational Database Service database
instance. Normally, you might use each individual service to provision these resources. And after you
create the resources, you would have to configure them to work together. All these tasks can add
complexity and time before you even get your application up and running.
Instead, you can create or modify an existing AWS CloudFormation template. A template describes all
of your resources and their properties. When you use that template to create an AWS CloudFormation
stack, AWS CloudFormation provisions the Auto Scaling group, load balancer, and database for you.
After the stack has been successfully created, your AWS resources are up and running. You can delete the
stack just as easily, which deletes all the resources in the stack. By using AWS CloudFormation, you easily
manage a collection of resources as a single unit.
Quickly Replicate Your Infrastructure

If your application requires additional availability, you might replicate it in multiple regions so that if
one region becomes unavailable, your users can still use your application in other regions. The challenge
in replicating your application is that it also requires you to replicate your resources. Not only do you
need to record all the resources that your application requires, but you must also provision and configure
those resources in each region.
When you use AWS CloudFormation, you can reuse your template to set up your resources consistently
and repeatedly. Just describe your resources once and then provision the same resources over and over in
multiple regions.
Easily Control and Track Changes to Your

Infrastructure
In some cases, you might have underlying resources that you want to upgrade incrementally. For
example, you might change to a higher performing instance type in your Auto Scaling launch
configuration so that you can reduce the maximum number of instances in your Auto Scaling group. If
problems occur after you complete the update, you might need to roll back your infrastructure to the
original settings. To do this manually, you not only have to remember which resources were changed, you
also have to know what the original settings were.

1
Related Information
When you provision your infrastructure with AWS CloudFormation, the AWS CloudFormation template
describes exactly what resources are provisioned and their settings. Because these templates are text
files, you simply track differences in your templates to track changes to your infrastructure, similar to
the way developers control revisions to source code. For example, you can use a version control system
with your templates so that you know exactly what changes were made, who made them, and when. If
at any point you need to reverse changes to your infrastructure, you can use a previous version of your
template.
Related Information
• For more information about AWS CloudFormation stacks and templates, see AWS CloudFormation
Concepts (p. 2).
• For an overview about how to use AWS CloudFormation, see How Does AWS CloudFormation
Work? (p. 5).
• For pricing information, see AWS CloudFormation Pricing.
AWS CloudFormation Concepts

When you use AWS CloudFormation, you work with templates and stacks. You create templates to
describe your AWS resources and their properties. Whenever you create a stack, AWS CloudFormation
provisions the resources that are described in your template.
Topics
• Templates (p. 2)
• Stacks (p. 4)
• Change Sets (p. 5)
Templates
An AWS CloudFormation template is a JSON or YAML formatted text file. You can save these files with
any extension, such as .json, .yaml, .template, or .txt. AWS CloudFormation uses these templates
as blueprints for building your AWS resources. For example, in a template, you can describe an Amazon
EC2 instance, such as the instance type, the AMI ID, block device mappings, and its Amazon EC2 key pair
name. Whenever you create a stack, you also specify a template that AWS CloudFormation uses to create
whatever you described in the template.
For example, if you created a stack with the following template, AWS CloudFormation provisions an
instance with an ami-0ff8a91507f77f867 AMI ID, t2.micro instance type, testkey key pair name,
and an Amazon EBS volume.
Example JSON
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "A sample template",
"Resources" : {
"MyEC2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : "ami-0ff8a91507f77f867",
"InstanceType" : "t2.micro",

2
Templates
"KeyName" : "testkey",
"BlockDeviceMappings" : [
{
"DeviceName" : "/dev/sdm",
"Ebs" : {
"VolumeType" : "io1",
"Iops" : "200",
"DeleteOnTermination" : "false",
"VolumeSize" : "20"
}
}
]
}
}
}
}
Example YAML
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
MyEC2Instance:
Type: "AWS::EC2::Instance"
Properties:
ImageId: "ami-0ff8a91507f77f867"
InstanceType: t2.micro
KeyName: testkey
BlockDeviceMappings:
-
DeviceName: /dev/sdm
Ebs:
VolumeType: io1
Iops: 200
DeleteOnTermination: false
VolumeSize: 20
You can also specify multiple resources in a single template and configure these resources to work
together. For example, you can modify the previous template to include an Elastic IP (EIP) and associate
it with the Amazon EC2 instance, as shown in the following example:
Example JSON
{
"Description" : "A sample template",
"Resources" : {
"MyEC2Instance" : {
"Properties" : {
{
"Ebs" : {
"Iops" : "200",
"VolumeSize" : "20"
}

3
Stacks
}
]
}
},
"MyEIP" : {
"Type" : "AWS::EC2::EIP",
"Properties" : {
"InstanceId" : {"Ref": "MyEC2Instance"}
}
}
}
}
Example YAML
Resources:
MyEC2Instance:
Properties:
KeyName: testkey
-
Ebs:
VolumeType: io1
Iops: 200
VolumeSize: 20
MyEIP:
Type: AWS::EC2::EIP
Properties:
InstanceId: !Ref MyEC2Instance
The previous templates are centered around a single Amazon EC2 instance; however, AWS
CloudFormation templates have additional capabilities that you can use to build complex sets of
resources and reuse those templates in multiple contexts. For example, you can add input parameters
whose values are specified when you create an AWS CloudFormation stack. In other words, you can
specify a value like the instance type when you create a stack instead of when you create the template,
making the template easier to reuse in different situations.
For more information about template creation and capabilities, see Template Anatomy (p. 210).
For more information about declaring specific resources, see AWS Resource and Property Types
Reference (p. 604).
To start designing your own templates with AWS CloudFormation Designer, go to https://
console.aws.amazon.com/cloudformation/designer.
Stacks
When you use AWS CloudFormation, you manage related resources as a single unit called a stack. You
create, update, and delete a collection of resources by creating, updating, and deleting stacks. All the
resources in a stack are defined by the stack's AWS CloudFormation template. Suppose you created a
template that includes an Auto Scaling group, Elastic Load Balancing load balancer, and an Amazon
Relational Database Service (Amazon RDS) database instance. To create those resources, you create

4
Change Sets
a stack by submitting the template that you created, and AWS CloudFormation provisions all those
resources for you. You can work with stacks by using the AWS CloudFormation console, API, or AWS CLI.
For more information about creating, updating, or deleting stacks, see Working with Stacks (p. 98).
Change Sets
If you need to make changes to the running resources in a stack, you update the stack. Before making
changes to your resources, you can generate a change set, which is a summary of your proposed changes.
Change sets allow you to see how your changes might impact your running resources, especially for
critical resources, before implementing them.
For example, if you change the name of an Amazon RDS database instance, AWS CloudFormation
will create a new database and delete the old one. You will lose the data in the old database unless
you've already backed it up. If you generate a change set, you will see that your change will cause your
database to be replaced, and you will be able to plan accordingly before you update your stack. For more
information, see Updating Stacks Using Change Sets (p. 130).
How Does AWS CloudFormation Work?

When you create a stack, AWS CloudFormation makes underlying service calls to AWS to provision
and configure your resources. Note that AWS CloudFormation can perform only actions that you
have permission to do. For example, to create EC2 instances by using AWS CloudFormation, you need
permissions to create instances. You'll need similar permissions to terminate instances when you delete
stacks with instances. You use AWS Identity and Access Management (IAM) to manage permissions.
The calls that AWS CloudFormation makes are all declared by your template. For example, suppose
you have a template that describes an EC2 instance with a t1.micro instance type. When you use that
template to create a stack, AWS CloudFormation calls the Amazon EC2 create instance API and specifies
the instance type as t1.micro. The following diagram summarizes the AWS CloudFormation workflow
for creating stacks.

5
How Does AWS CloudFormation Work?
1. You can design an AWS CloudFormation template (a JSON or YAML-formatted document) in AWS
CloudFormation Designer or write one in a text editor. You can also choose to use a provided
template. The template describes the resources you want and their settings. For example, suppose you
want to create an EC2 instance. Your template can declare an EC2 instance and describe its properties,
as shown in the following example:
Example JSON Syntax
{
"Description" : "A simple EC2 instance",
"Resources" : {
"MyEC2Instance" : {
"Properties" : {
"InstanceType" : "t1.micro"
}
}
}
}
Example YAML Syntax
AWSTemplateFormatVersion: '2010-09-09'
Description: A simple EC2 instance
Resources:
MyEC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-0ff8a91507f77f867
2. Save the template locally or in an S3 bucket. If you created a template, save it with any file extension
like .json, .yaml, or .txt.
3. Create an AWS CloudFormation stack by specifying the location of your template file , such as a path
on your local computer or an Amazon S3 URL. If the template contains parameters, you can specify
input values when you create the stack. Parameters enable you to pass in values to your template so
that you can customize your resources each time you create a stack.
You can create stacks by using the AWS CloudFormation console (p. 99), API, or AWS CLI.
Note
If you specify a template file stored locally, AWS CloudFormation uploads it to an S3 bucket
in your AWS account. AWS CloudFormation creates a bucket for each region in which
you upload a template file. The buckets are accessible to anyone with Amazon Simple
Storage Service (Amazon S3) permissions in your AWS account. If a bucket created by AWS
CloudFormation is already present, the template is added to that bucket.
You can use your own bucket and manage its permissions by manually uploading templates
to Amazon S3. Then whenever you create or update a stack, specify the Amazon S3 URL of a
template file.
AWS CloudFormation provisions and configures resources by making calls to the AWS services that are
described in your template.
After all the resources have been created, AWS CloudFormation reports that your stack has been created.
You can then start using the resources in your stack. If stack creation fails, AWS CloudFormation rolls
back your changes by deleting the resources that it created.

6
Updating a Stack with Change Sets
Updating a Stack with Change Sets

When you need to update your stack's resources, you can modify the stack's template. You don't need
to create a new stack and delete the old one. To update a stack, create a change set by submitting
a modified version of the original stack template, different input parameter values, or both. AWS
CloudFormation compares the modified template with the original template and generates a change
set. The change set lists the proposed changes. After reviewing the changes, you can execute the change
set to update your stack or you can create a new change set. The following diagram summarizes the
workflow for updating a stack.
Important
Updates can cause interruptions. Depending on the resource and properties that you are
updating, an update might interrupt or even replace an existing resource. For more information,
see AWS CloudFormation Stack Updates (p. 127).
1. You can modify an AWS CloudFormation stack template by using AWS CloudFormation Designer or
a text editor. For example, if you want to change the instance type for an EC2 instance, you would
change the value of the InstanceType property in the original stack's template.
For more information, see Modifying a Stack Template (p. 128).

2. Save the AWS CloudFormation template locally or in an S3 bucket.
3. Create a change set by specifying the stack that you want to update and the location of the modified
template, such as a path on your local computer or an Amazon S3 URL. If the template contains
parameters, you can specify values when you create the change set.
For more information about creating change sets, see Updating Stacks Using Change Sets (p. 130).
Note
If you specify a template that is stored on your local computer, AWS CloudFormation
automatically uploads your template to an S3 bucket in your AWS account.
4. View the change set to check that AWS CloudFormation will perform the changes that you expect. For
example, check whether AWS CloudFormation will replace any critical stack resources. You can create
as many change sets as you need until you have included the changes that you want.
Important
Change sets don't indicate whether your stack update will be successful. For example,
a change set doesn't check if you will surpass an account limit (p. 22), if you're
updating a resource (p. 604) that doesn't support updates, or if you have insufficient
permissions (p. 9) to modify a resource, all of which can cause a stack update to fail.
5. Execute the change set that you want to apply to your stack. AWS CloudFormation updates your stack
by updating only the resources that you modified and signals that your stack has been successfully
updated. If the stack updates fails, AWS CloudFormation rolls back changes to restore the stack to the
last known working state.

7
Deleting a Stack
Deleting a Stack
When you delete a stack, you specify the stack to delete, and AWS CloudFormation deletes the stack and
all the resources in that stack. You can delete stacks by using the AWS CloudFormation console (p. 114),
API, or AWS CLI.
If you want to delete a stack but want to retain some resources in that stack, you can use a deletion
policy (p. 3764) to retain those resources.
After all the resources have been deleted, AWS CloudFormation signals that your stack has been
successfully deleted. If AWS CloudFormation cannot delete a resource, the stack will not be deleted. Any
resources that haven't been deleted will remain until you can successfully delete the stack.
Additional Resources
• For more information about creating AWS CloudFormation templates, see Template
Anatomy (p. 210).
• For more information about creating, updating, or deleting stacks, see Working with Stacks (p. 98).

8
Signing Up for an AWS Account and Pricing
Setting Up
Before you start using AWS CloudFormation, you might need to know what IAM permissions you need,
how to start logging AWS CloudFormation API calls, or what endpoints to use. The following topics
provide this information so that you can start using AWS CloudFormation.
Topics
• Signing Up for an AWS Account and Pricing (p. 9)
• Controlling Access with AWS Identity and Access Management (p. 9)
• Logging AWS CloudFormation API Calls with AWS CloudTrail (p. 18)
• AWS CloudFormation Limits (p. 22)
• AWS CloudFormation Endpoints (p. 26)
• Setting Up VPC Endpoints for AWS CloudFormation (p. 26)
Signing Up for an AWS Account and Pricing

Before you can use AWS CloudFormation or any Amazon Web Services, you must first sign up for an AWS
account.
To sign up for an AWS account
1. Open https://portal.aws.amazon.com/billing/signup.
2. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the
phone keypad.
After signing up for an AWS account, you can use AWS CloudFormation through the AWS Management
Console, AWS CloudFormation API, or AWS CLI.
Pricing
AWS CloudFormation is a free service; however, you are charged for the AWS resources you include in
your stacks at the current rates for each. For more information about AWS pricing, go to the detail page
for each product on http://aws.amazon.com.
Controlling Access with AWS Identity and Access

Management
With AWS Identity and Access Management (IAM), you can create IAM users to control who has access
to which resources in your AWS account. You can use IAM with AWS CloudFormation to control what
users can do with AWS CloudFormation, such as whether they can view stack templates, create stacks, or
delete stacks.
In addition to AWS CloudFormation actions, you can manage what AWS services and resources are
available to each user. That way, you can control which resources users can access when they use
AWS CloudFormation. For example, you can specify which users can create Amazon EC2 instances,
terminate database instances, or update VPCs. Those same permissions are applied anytime they use
AWS CloudFormation to do those actions.

9
AWS CloudFormation Actions
For more information about all the services that you can control access to, see AWS Services that
Support IAM in IAM User Guide.
Topics
• AWS CloudFormation Actions (p. 10)
• AWS CloudFormation Resources (p. 11)
• AWS CloudFormation Conditions (p. 12)
• Acknowledging IAM Resources in AWS CloudFormation Templates (p. 16)
• Manage Credentials for Applications Running on Amazon EC2 Instances (p. 17)
• Grant Temporary Access (Federated Access) (p. 17)
• AWS CloudFormation Service Role (p. 18)
AWS CloudFormation Actions

When you create a group or an IAM user in your AWS account, you can associate an IAM policy with that
group or user, which specifies the permissions that you want to grant. For example, imagine you have
a group of entry-level developers. You can create a Junior application developers group that
includes all entry-level developers. Then, you associate a policy with that group that allows users to only
view AWS CloudFormation stacks. In this scenario, you might have a policy such as the following sample:
Example A sample policy that grants view stack permissions
{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":[
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources"
],
"Resource":"*"
}]
}
The policy grants permissions to all DescribeStack API actions listed in the Action element.
Note
If you don't specify a stack name or ID in your statement, you must also grant the permission to
use all resources for the action using the * wildcard for the Resource element.
In addition to AWS CloudFormation actions, IAM users who create or delete stacks require additional
permissions that depends on the stack templates. For example, if you have a template that describes
an Amazon SQS Queue, the user must have the corresponding permissions for Amazon SQS actions to
successfully create the stack, as shown in the following sample policy:
Example A sample policy that grants create and view stack actions and all Amazon SQS
actions
{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":[
"sqs:*",
"cloudformation:CreateStack",

10
AWS CloudFormation Resources
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResources",
"cloudformation:GetTemplate",
"cloudformation:ValidateTemplate"
],
"Resource":"*"
}]
}
For a list of all AWS CloudFormation actions that you can allow or deny, see the AWS CloudFormation API
Reference.
AWS CloudFormation Console-Specific Actions

IAM users who use the AWS CloudFormation console require additional permissions that are not required
for using the AWS Command Line Interface or AWS CloudFormation APIs. Compared to the CLI and API,
the console provides additional features that require additional permissions, such as template uploads to
Amazon S3 buckets and drop-down lists for AWS-specific parameter types (p. 241).
For all the following actions, grant permissions to all resources; don't limit actions to specific stacks or
buckets.
The following required action is used only by the AWS CloudFormation console and is not documented in
the API reference. The action allows users to upload templates to Amazon S3 buckets.
cloudformation:CreateUploadBucket
When users upload templates, they require the following Amazon S3 permissions:
s3:PutObject
s3:ListBucket
s3:GetObject
s3:CreateBucket
For templates with AWS-specific parameter types (p. 241), users need permissions
to make the corresponding describe API calls. For example, if a template includes the
AWS::EC2::KeyPair::KeyName parameter type, users need permission to call the EC2
DescribeKeyPairs action (this is how the console gets values for the parameter drop-down list). The
following examples are actions that users need for other parameter types:
ec2:DescribeSecurityGroups (for the AWS::EC2::SecurityGroup::Id parameter type)

ec2:DescribeSubnets (for the Subnet::Id parameter type)
ec2:DescribeVpcs (for the AWS::EC2::VPC::Id parameter type)
AWS CloudFormation Resources

AWS CloudFormation supports resource-level permissions, so you can specify actions for a specific stack,
as shown in the following policy:
Example A sample policy that denies the delete and update stack actions for the
MyProductionStack
{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Deny",

11
AWS CloudFormation Conditions
"Action":[
"cloudformation:DeleteStack",
"cloudformation:UpdateStack"
],
"Resource":"arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/
*"
}]
}
The policy above uses a wild card at the end of the stack name so that delete stack and update stack are
denied on the full stack ID (such as arn:aws:cloudformation:us-east-1:123456789012:stack/
MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c) and on the stack name (such as
MyProductionStack).
To allow AWS::Serverless transforms to create a change set, the policy should include the
arn:aws:cloudformation:<region>:aws:transform/Serverless-2016-10-31 resource-level
permission, as shown in the following policy:
Example A sample policy that allows the create change set action for the transform
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"cloudformation:CreateChangeSet"
],
"Resource": "arn:aws:cloudformation:us-west-2:aws:transform/Serverless-2016-10-31"
}]
}

In an IAM policy, you can optionally specify conditions that control when a policy is in effect. For
example, you can define a policy that allows IAM users to create a stack only when they specify a certain
template URL. You can define AWS CloudFormation-specific conditions and AWS-wide conditions, such
as DateLessThan, which specifies when a policy stops taking effect. For more information and a list of
AWS-wide conditions, see Condition in IAM Policy Elements Reference in IAM User Guide.
Note
Do not use the aws:SourceIp AWS-wide condition. AWS CloudFormation provisions resources
by using its own IP address, not the IP address of the originating request. For example, when
you create a stack, AWS CloudFormation makes requests from its IP address to launch an EC2
instance or to create an S3 bucket, not from the IP address from the CreateStack call or the
aws cloudformation create-stack command.
The following list describes the AWS CloudFormation-specific conditions. These conditions are applied
only when users create or update stacks:
cloudformation:ChangeSetName
An AWS CloudFormation change set name that you want to associate with a policy. Use this
condition to control which change sets IAM users can execute or delete.
cloudformation:ImportResourceTypes
The template resource types that you want to associate with a policy, such as
AWS::EC2::Instance. Use this condition to control which resource types IAM users can work with
when they import resources into a stack. This condition is checked against the resource types that
users declare in the ResourcesToImport parameter, which is currently supported only for CLI and

12
API requests. When using this parameter, you must specify all the resource types you want users to
control during import operations. For more information about the ResourcesToImport parameter,
see the CreateChangeSet action in the AWS CloudFormation API Reference.
The following list describes how to define resource types in your condition. For a list of possible
ResourcesToImport, see Resources that Support Import Operations.
AWS::*
Specify all supported AWS resources.

AWS::service_name::*
Specify all supported resources for a specific AWS service.

AWS::service_name::resource_type
Specify a specific AWS resource type, such as AWS::EC2::Instance (all EC2 instances).
Custom::*
Specify all custom resources.

Custom::resource_type
Specify a specific custom resource type.

cloudformation:ResourceTypes
The template resource types, such as AWS::EC2::Instance, that you want to associate with
a policy. Use this condition to control which resource types IAM users can work with when they
create or update a stack. This condition is checked against the resource types that users declare
in the ResourceTypes parameter, which is currently supported only for CLI and API requests.
When using this parameter, users must specify all the resource types that are in their template. For
more information about the ResourceTypes parameter, see the CreateStack action in the AWS
CloudFormation API Reference.
The following list describes how to define resource types. For a list of resource types, see AWS
Resource and Property Types Reference (p. 604).
AWS::*
Specify all AWS resources.

AWS::service_name::*
Specify all resources for a specific AWS service.

AWS::service_name::resource_type
Specify a specific AWS resource type, such as AWS::EC2::Instance (all EC2 instances).
Custom::*
Specify all custom resources.

Custom::resource_type
Specify a specific custom resource type, which is defined in the template.

cloudformation:RoleARN
The Amazon Resource Name (ARN) of an IAM service role that you want to associate with a policy.
Use this condition to control which service role IAM users can use when they work with stacks or
change sets.
cloudformation:StackPolicyUrl
An Amazon S3 stack policy URL that you want to associate with a policy. Use this condition to
control which stack policies IAM users can associate with a stack during a create or update stack
action. For more information about stack policies, see Prevent Updates to Stack Resources (p. 149).

13
Note
To ensure that IAM users can only create or update stacks with the stack policies that you
uploaded, set the S3 bucket to read only for those users.
cloudformation:TemplateUrl
An Amazon S3 template URL that you want to associate with a policy. Use this condition to control
which templates IAM users can use when they create or update stacks.
Note
To ensure that IAM users can only create or update stacks with the templates that you
uploaded, set the S3 bucket to read only for those users.
Examples
The following example policy allows users to use only the https://s3.amazonaws.com/
testbucket/test.template template URL to create or update a stack.
Example Template URL Condition
{
"Version":"2012-10-17",
"Statement":[
{
"Effect" : "Allow",
"Action" : [ "cloudformation:CreateStack", "cloudformation:UpdateStack" ],
"Resource" : "*",
"Condition" : {
"ForAllValues:StringEquals" : {
"cloudformation:TemplateUrl" : [ "https://s3.amazonaws.com/testbucket/
test.template" ]
}
}
}
]
}
The following example policy allows users to complete all AWS CloudFormation operations except import
operations.
Example Import Resource Types Condition
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllStackOperations",
"Effect": "Allow",
"Action": "cloudformation:*",
"Resource": "*"
},
{
"Sid": "DenyImport",
"Effect": "Deny",
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"cloudformation:ImportResourceTypes": [
"*"
]
}

14
}
}
]
}
The following example policy allows all stack operations, as well as import operations only on specified
resources (in this example, AWS::S3::Bucket.
Example Import Resource Types Condition
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowImport",
"Effect": "Allow",
"Resource": "*"
"Condition": {
"ForAllValues:StringEqualsIgnoreCase": {
"cloudformation:ImportResourceTypes": [
"AWS::S3::Bucket"
]
}
}
}
]
}
The following example policy allows users to create stacks but denies requests if the stack's template
include any resource from the IAM service. The policy also requires users to specify the ResourceTypes
parameter, which is available only for CLI and API requests. This policy uses explicit deny statements so
that if any other policy grants additional permissions, this policy always remain in effect (an explicit deny
statement always overrides an explicit allow statement).
Example Resource Type Condition
{
"Version":"2012-10-17",
"Statement":[
{
"Effect" : "Allow",
"Action" : [ "cloudformation:CreateStack" ],
"Resource" : "*"
},
{
"Effect" : "Deny",
"Resource" : "*",
"Condition" : {
"ForAnyValue:StringLikeIfExists" : {
"cloudformation:ResourceTypes" : [ "AWS::IAM::*" ]
}
}
},
{
"Effect": "Deny",
"Resource": "*",
"Condition": {
"Null": {
"cloudformation:ResourceTypes": "true"
}

15
Acknowledging IAM Resources in
AWS CloudFormation Templates
}
}
]
}
The following example policy is similar to the preceding example. The policy allows users to create a
stack unless the stack's template includes any resource from the IAM service. It also requires users to
specify the ResourceTypes parameter, which is available only for CLI and API requests. This policy is
simpler, but it doesn't use explicit deny statements. Other policies, granting additional permissions, could
override this policy.
Example Resource Type Condition
{
"Version":"2012-10-17",
"Statement":[
{
"Effect" : "Allow",
"Resource" : "*",
"Condition" : {
"ForAllValues:StringNotLikeIfExists" : {
"cloudformation:ResourceTypes" : [ "AWS::IAM::*" ]
},
"Null":{
"cloudformation:ResourceTypes": "false"
}
}
}
]
}
Acknowledging IAM Resources in AWS

CloudFormation Templates
Before you can create a stack, AWS CloudFormation validates your template. During validation, AWS
CloudFormation checks your template for IAM resources that it might create. IAM resources, such as
an IAM user with full access, can access and modify any resource in your AWS account. Therefore, we
recommend that you review the permissions associated with each IAM resource before proceeding so
that you don't unintentionally create resources with escalated permissions. To ensure that you've done
so, you must acknowledge that the template contains those resources, giving AWS CloudFormation the
specified capabilities before it creates the stack.
You can acknowledge the capabilities of AWS CloudFormation templates by using the AWS
CloudFormation console, AWS Command Line Interface (CLI), or API:
• In the AWS CloudFormation console, on the Review page of the Create Stack or Update Stack wizards,
choose I acknowledge that this template may create IAM resources.
• In the CLI, when you use the aws cloudformation create-stack and aws cloudformation
update-stack commands, specify the CAPABILITY_IAM or CAPABILITY_NAMED_IAM value
for the --capabilities parameter. If your template includes IAM resources, you can specify
either capability. If your template includes custom names for IAM resources, you must specify
CAPABILITY_NAMED_IAM.
• In the API, when you use the CreateStack and UpdateStack
actions, specify Capabilities.member.1=CAPABILITY_IAM or
Capabilities.member.1=CAPABILITY_NAMED_IAM. If your template includes IAM resources, you
can specify either capability. If your template includes custom names for IAM resources, you must
specify CAPABILITY_NAMED_IAM.

16
Manage Credentials for Applications
Running on Amazon EC2 Instances
Important
If your template contains custom named IAM resources, don't create multiple stacks reusing
the same template. IAM resources must be globally unique within your account. If you use the
same template to create multiple stacks in different regions, your stacks might share the same
IAM resources, instead of each having a unique one. Shared resources among stacks can have
unintended consequences from which you can't recover. For example, if you delete or update
shared IAM resources in one stack, you will unintentionally modify the resources of other stacks.
Manage Credentials for Applications Running on

Amazon EC2 Instances
If you have an application that runs on an Amazon EC2 instance and needs to make requests to AWS
resources such as Amazon S3 buckets or an DynamoDB table, the application requires AWS security
credentials. However, distributing and embedding long-term security credentials in every instance that
you launch is a challenge and a potential security risk. Instead of using long-term credentials, like IAM
user credentials, we recommend that you create an IAM role that is associated with an Amazon EC2
instance when the instance is launched. An application can then get temporary security credentials from
the Amazon EC2 instance. You don't have to embed long-term credentials on the instance. Also, to make
managing credentials easier, you can specify just a single role for multiple Amazon EC2 instances; you
don't have to create unique credentials for each instance.
For a template snippet that shows how to launch an instance with a role, see IAM Role Template
Examples (p. 474).
Note
Applications on instances that use temporary security credentials can call any AWS
CloudFormation actions. However, because AWS CloudFormation interacts with many other AWS
services, you must verify that all the services that you want to use support temporary security
credentials. For more information, see AWS Services that Support AWS STS.
Grant Temporary Access (Federated Access)

In some cases, you might want to grant users with no AWS credentials temporary access to your AWS
account. Instead of creating and deleting long-term credentials whenever you want to grant temporary
access, use AWS Security Token Service (AWS STS). For example, you can use IAM roles. From one IAM
role, you can programmatically create and then distribute many temporary security credentials (which
include an access key, secret access key, and security token). These credentials have a limited life, so they
cannot be used to access your AWS account after they expire. You can also create multiple IAM roles
in order to grant individual users different levels of permissions. IAM roles are useful for scenarios like
federated identities and single sign-on.
A federated identity is a distinct identity that you can use across multiple systems. For enterprise users
with an established on-premises identity system (such as LDAP or Active Directory), you can handle
all authentication with your on-premises identity system. After a user has been authenticated, you
provide temporary security credentials from the appropriate IAM user or role. For example, you can
create an administrators role and a developers role, where administrators have full access to
the AWS account and developers have permissions to work only with AWS CloudFormation stacks.
After an administrator is authenticated, the administrator is authorized to obtain temporary security
credentials from the administrators role. However, for developers, they can obtain temporary
security credentials from only the developers role.
You can also grant federated users access to the AWS Management Console. After users authenticate
with your on-premises identity system, you can programmatically construct a temporary URL that gives
direct access to the AWS Management Console. When users use the temporary URL, they won't need to
sign in to AWS because they have already been authenticated (single sign-on). Also, because the URL is
constructed from the users' temporary security credentials, the permissions that are available with those
credentials determine what permissions users have in the AWS Management Console.

17
AWS CloudFormation Service Role
You can use several different AWS STS APIs to generate temporary security credentials. For more
information about which API to use, see Ways to Get Temporary Security Credentials in Using Temporary
Security Credentials.
Important
You cannot work with IAM when you use temporary security credentials that were generated
from the GetFederationToken API. Instead, if you need to work with IAM, use temporary
security credentials from a role.
AWS CloudFormation interacts with many other AWS services. When you use temporary security
credentials with AWS CloudFormation, verify that all the services that you want to use support
temporary security credentials. For more information, see AWS Services that Support AWS STS.
For more information, see the following related resources in Using Temporary Security Credentials:
• Scenarios for Granting Temporary Access

• Giving Federated Users Direct Access to the AWS Management Console
AWS CloudFormation Service Role

A service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation
to make calls to resources in a stack on your behalf. You can specify an IAM role that allows AWS
CloudFormation to create, update, or delete your stack resources. By default, AWS CloudFormation uses
a temporary session that it generates from your user credentials for stack operations. If you specify a
service role, AWS CloudFormation uses the role's credentials.
Use a service role to explicitly specify the actions that AWS CloudFormation can perform which
might not always be the same actions that you or other users can do. For example, you might have
administrative privileges, but you can limit AWS CloudFormation access to only Amazon EC2 actions.
You create the service role and its permission policy with the IAM service. For more information about
creating a service role, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User
Guide. Specify AWS CloudFormation (cloudformation.amazonaws.com) as the service that can
assume the role.
To associate a service role with a stack, specify the role when you create the stack. For details, see
Setting AWS CloudFormation Stack Options (p. 103). You can also change the service role when you
update (p. 127) or delete the stack. Before you specify a service role, ensure that you have permission
to pass it (iam:PassRole). The iam:PassRole permission specifies which roles you can use.
Important
When you specify a service role, AWS CloudFormation always uses that role for all operations
that are performed on that stack. Other users that have permissions to perform operations on
this stack will be able to use this role, even if they don't have permission to pass it. If the role
includes permissions that the user shouldn't have, you can unintentionally escalate a user's
permissions. Ensure that the role grants least privilege.
Logging AWS CloudFormation API Calls with AWS

CloudTrail
AWS CloudFormation is integrated with AWS CloudTrail, a service that provides a record of actions
taken by a user, role, or an AWS service in AWS CloudFormation. CloudTrail captures all API calls for
AWS CloudFormation as events, including calls from the AWS CloudFormation console and from code
calls to the AWS CloudFormation APIs. If you create a trail, you can enable continuous delivery of
CloudTrail events to an Amazon S3 bucket, including events for AWS CloudFormation. If you don't

18
AWS CloudFormation Information in CloudTrail
configure a trail, you can still view the most recent events in the CloudTrail console in Event history.
Using the information collected by CloudTrail, you can determine the request that was made to AWS
CloudFormation, the IP address from which the request was made, who made the request, when it was
made, and additional details.
To learn more about CloudTrail, see the AWS CloudTrail User Guide.
Topics
• AWS CloudFormation Information in CloudTrail (p. 19)
• Understanding AWS CloudFormation Log File Entries (p. 19)
AWS CloudFormation Information in CloudTrail

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in AWS
CloudFormation, that activity is recorded in a CloudTrail event along with other AWS service events
in Event history. You can view, search, and download recent events in your AWS account. For more
information, see Viewing Events with CloudTrail Event History.
For an ongoing record of events in your AWS account, including events for AWS CloudFormation, create
a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create
a trail in the console, the trail applies to all regions. The trail logs events from all regions in the AWS
partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can
configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs.
For more information, see:
• Overview for Creating a Trail

• CloudTrail Supported Services and Integrations
• Configuring Amazon SNS Notifications for CloudTrail
• Receiving CloudTrail Log Files from Multiple Regions and Receiving CloudTrail Log Files from Multiple
Accounts
All AWS CloudFormation actions are logged by CloudTrail and are documented in the AWS
CloudFormation API Reference. For example, calls to the CreateStack, DeleteStack, and ListStacks
sections generate entries in the CloudTrail log files.
Every event or log entry contains information about who generated the request. The identity
information helps you determine the following:
• Whether the request was made with root or IAM user credentials.
• Whether the request was made with temporary security credentials for a role or federated user.
• Whether the request was made by another AWS service.
For more information, see the CloudTrail userIdentity Element.
Understanding AWS CloudFormation Log File Entries

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you
specify. CloudTrail log files contain one or more log entries. An event represents a single request from
any source and includes information about the requested action, the date and time of the action, request
parameters, and so on. CloudTrail log files are not an ordered stack trace of the public API calls, so they
do not appear in any specific order.
The following example shows a CloudTrail log entry that demonstrates the CreateStack action. The
action was made by an IAM user named Alice.

19
Note
Only the input parameter key names are logged; no parameter values are logged.
{
"eventVersion": "1.01",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAABCDEFGHIJKLNMOPQ",
"arn": "arn:aws:iam::012345678910:user/Alice",
"accountId": "012345678910",
"accessKeyId": "AKIDEXAMPLE",
"userName": "Alice"
},
"eventTime": "2014-03-24T21:02:43Z",
"eventSource": "cloudformation.amazonaws.com",
"eventName": "CreateStack",
"awsRegion": "us-east-1",
"sourceIPAddress": "127.0.0.1",
"userAgent": "aws-cli/1.2.11 Python/2.7.4 Linux/2.6.18-164.el5",
"requestParameters": {
"templateURL": "https://s3.amazonaws.com/Alice-dev/create_stack",
"tags": [
{
"key": "test",
"value": "tag"
}
],
"stackName": "my-test-stack",
"disableRollback": true,
"parameters": [
{
"parameterKey": "password"
},
{
"parameterKey": "securitygroup"
}
]
},
"responseElements": {
"stackId": "arn:aws:cloudformation:us-east-1:012345678910:stack/my-test-stack/a38e6a60-
b397-11e3-b0fc-08002755629e"
},
"requestID": "9f960720-b397-11e3-bb75-a5b75389b02d",
"eventID": "9bf6cfb8-83e1-4589-9a70-b971e727099b"
}
The following example shows that Alice called the UpdateStack action on the my-test-stack stack:
{
"userIdentity": {
"type": "IAMUser",
"accountId": "012345678910",
"userName": "Alice"
},
"eventTime": "2014-03-24T21:04:29Z",
"eventName": "UpdateStack",

20
"templateURL": "https://s3.amazonaws.com/Alice-dev/create_stack",
"parameters": [
{
"parameterKey": "password"
},
{
"parameterKey": "securitygroup"
}
],
"stackName": "my-test-stack"
},
"responseElements": {
"stackId": "arn:aws:cloudformation:us-east-1:012345678910:stack/my-test-stack/a38e6a60-
b397-11e3-b0fc-08002755629e"
},
"requestID": "def0bf5a-b397-11e3-bb75-a5b75389b02d",
"eventID": "637707ce-e4a3-4af1-8edc-16e37e851b17"
}
The following example shows that Alice called the ListStacks action.
{
"userIdentity": {
"type": "IAMUser",
"accountId": "012345678910",
"userName": "Alice"
},
"eventTime": "2014-03-24T21:03:16Z",
"eventName": "ListStacks",
"requestParameters": null,
"responseElements": null,
"requestID": "b7d351d7-b397-11e3-bb75-a5b75389b02d",
"eventID": "918206d0-7281-4629-b778-b91eb0d83ce5"
}
The following example shows that Alice called the DescribeStacks action on the my-test-stack
stack.
{
"userIdentity": {
"type": "IAMUser",
"accountId": "012345678910",
"userName": "Alice"
},
"eventTime": "2014-03-24T21:06:15Z",
"eventName": "DescribeStacks",

21
Limits
},
"requestID": "224f2586-b398-11e3-bb75-a5b75389b02d",
"eventID": "9e5b2fc9-1ba8-409b-9c13-587c2ea940e2"
}
The following example shows that Alice called the DeleteStack action on the my-test-stack stack.
{
"userIdentity": {
"type": "IAMUser",
"accountId": "012345678910",
"userName": "Alice"
},
"eventTime": "2014-03-24T21:07:15Z",
"eventName": "DeleteStack",
},
"requestID": "42dae739-b398-11e3-bb75-a5b75389b02d",
"eventID": "4965eb38-5705-4942-bb7f-20ebe79aa9aa"
}
AWS CloudFormation Limits

Your AWS account has AWS CloudFormation limits that you might need to know when authoring
templates and creating stacks. By understanding these limits, you can avoid limitation errors that would
require you to redesign your templates or stacks.
AWS CloudFormation limits
Limit Description Value Tuning Strategy
cfn-signal Maximum amount of 4,096 bytes To pass a larger

wait condition data that cfn-signal can amount, send the
data (p. 3834) pass. data to an Amazon S3
bucket, and then use
cfn-signal to pass the
Amazon S3 URL to that
bucket.
Custom resource Maximum amount of 4,096 bytes

response data that a custom
resource provider can
pass.
Mappings (p. 210) Maximum number of 100 mappings To specify more

mappings that you mappings, separate

22
Limits

can declare in your your template into
AWS CloudFormation multiple templates
template. by using, for example,
nested stacks.
Mapping Maximum number of 64 attributes To specify more

attributes (p. 210) mapping attributes mapping attributes,
for each mapping that separate the attributes
you can declare in your into multiple mappings.
AWS CloudFormation
template.
Mapping name and Maximum size of each 255 characters

mapping attribute mapping name.
name (p. 210)
Outputs (p. 210) Maximum number 60 outputs

of outputs that you
can declare in your
AWS CloudFormation
template.
Output name (p. 210) Maximum size of an 255 characters

output name.
Parameters (p. 210) Maximum number of 60 parameters To specify more

parameters that you parameters, you can
can declare in your use mappings or lists in
AWS CloudFormation order to assign multiple
template. values to a single
parameter.
Parameter Maximum size of a 255 characters

name (p. 210) parameter name.
Parameter Maximum size of a 4,096 bytes To use a larger

value (p. 210) parameter value. parameter value, create
multiple parameters
and then use Fn::Join
to append the multiple
values into a single
value.
Resources (p. 210) Maximum number of 200 resources To specify more

resources that you resources, separate your
can declare in your template into multiple
AWS CloudFormation templates by using, for
template. example, nested stacks.
Resources in Maximum number Use the

concurrent stack of resources you can DescribeAccountLimits
operations (p. 210) have involved in stack API to determine the
operations (create, current limit for an
update, or delete account in a specific
operations) in your region.
region at a given time.

23
Limits
Resource Maximum size of a 255 characters

name (p. 210) resource name.
Stacks (p. 98) Maximum number of 200 stacks To create more stacks,
AWS CloudFormation delete stacks that you
stacks that you can don't need or request
create. an increase in the
maximum number of
stacks in your AWS
account. For more
information, see AWS
Service Limits in the
AWS General Reference.
StackSets (p. 562) Maximum number of 100 stack sets To create more stack
AWS CloudFormation sets, delete stack sets
stack sets you that you don't need or
can create in your request an increase in
administrator account. the maximum number
of stack sets in your
AWS account. For more
Stack Maximum number of 2000 stack instances To create more stack

instances (p. 562) stack instances you can per stack set instances, delete stack
create per stack set. instances that you
don't need or request
an increase in the
maximum number of
stack instances in your
AWS account. For more
StackSets instance Maximum number 3500 operations This limit applies per
operations (p. 562) of stack instance region, and is regardless
operations you can of the number of
run in each region at stack sets involved. It
the same time, per includes stack instances
administrator account. affected by StackSet
creation and update
operations, as well as
creating, updating, or
deleting stack instances
directly.

24
StackSet Availability
Template body size in a Maximum size of 51,200 bytes To use a larger

request (p. 210) a template body template body,
that you can pass separate your template
in a CreateStack, into multiple templates
UpdateStack, or by using, for example,
ValidateTemplate nested stacks. Or
request. upload the template to
an Amazon S3 bucket.
Template body size Maximum size of a 460,800 bytes To use a larger

in an Amazon S3 template body that template body,
object (p. 210) you can pass in an separate your template
Amazon S3 object into multiple templates
for a CreateStack, by using, for example,
UpdateStack, nested stacks.
ValidateTemplate
request with an
Amazon S3 template
URL.
Template Maximum size of a 1,024 bytes

description (p. 210) template description.
StackSet Availability
StackSets is supported in the following regions:
• US East (N. Virginia)

• US East (Ohio)
• US West (N. California)
• US West (Oregon)
• Canada (Central)
• Asia Pacific (Mumbai)
• Asia Pacific (Seoul)
• Asia Pacific (Singapore)
• Asia Pacific (Sydney)
• Asia Pacific (Tokyo)
• EU (Frankfurt)
• EU (Ireland)
• EU (London)
• EU (Paris)
• South America (São Paulo)
StackSets and Macros

StackSets does not currently support templates that use macros, including transforms, which are macros
hosted by AWS CloudFormation. For more information about macros, see Template Macros (p. 542).

25
Endpoints
AWS CloudFormation Endpoints

To reduce data latency in your applications, most Amazon Web Services products allow you to select a
regional endpoint to make your requests. An endpoint is a URL that is the entry point for a web service.
When you work with stacks by using the command line interface or API actions, you can specify a
regional endpoint. For more information about the regions and endpoints for AWS CloudFormation, see
Regions and Endpoints in the Amazon Web Services General Reference.
Setting Up VPC Endpoints for AWS

CloudFormation
You can improve the security posture of your VPC by configuring AWS CloudFormation to use an
interface VPC endpoint. Interface endpoints are powered by PrivateLink, a technology that enables
you to privately access AWS CloudFormation APIs by using private IP addresses. PrivateLink restricts all
network traffic between your VPC and AWS CloudFormation to the Amazon network. Also, you don't
need an Internet gateway, a NAT device, or a virtual private gateway.
You are not required to configure PrivateLink, but it's recommended. For more information about
PrivateLink and VPC endpoints, see Accessing AWS Services Through PrivateLink.
Before You Begin

Before you configure VPC endpoints for AWS CloudFormation, be aware of the following considerations.
• When using the VPC endpoint feature, grant access to AWS CloudFormation-specific S3 buckets for
resources in a VPC that must respond to a custom resource request or a wait condition.
If you use AWS CloudFormation to create resources in a VPC with a VPC endpoint, you might need to
modify your IAM endpoint policy so that it permits access to certain S3 buckets.
AWS CloudFormation has S3 buckets in each region to monitor responses to a custom

resource (p. 511) request or a wait condition (p. 351). If a template includes custom resources or
wait conditions in a VPC, the VPC endpoint policy must allow users to send responses to the following
buckets:
• For custom resources, permit traffic to the cloudformation-custom-resource-
response-region bucket.
• For wait conditions, permit traffic to the cloudformation-waitcondition-region bucket.
If the endpoint policy blocks traffic to these buckets, AWS CloudFormation won't receive responses
and the stack operation fails. For example, if you have a resource in a VPC in the us-west-2
region that must respond to a wait condition, the resource must be able to send a response to the
cloudformation-waitcondition-us-west-2 bucket.
For a list of regions that AWS CloudFormation supports, see the Regions and Endpoints page in the
Amazon Web Services General Reference.
• VPC endpoints currently do not support cross-region requests—ensure that you create your endpoint
in the same region in which you plan to issue your API calls to AWS CloudFormation.
• VPC endpoints only support Amazon-provided DNS through Route 53. If you want to use your own
DNS, you can use conditional DNS forwarding. For more information, see DHCP Options Sets in the
Amazon VPC User Guide.
• The security group attached to the VPC endpoint must allow incoming connections on port 443 from
the private subnet of the VPC.

26
Creating the VPC EndPoint for AWS CloudFormation
Creating the VPC EndPoint for AWS CloudFormation

To create the VPC endpoint for the AWS CloudFormation service, use the Creating an Interface Endpoint
procedure in the Amazon VPC User Guide to create the following endpoint:
com.amazonaws.region.cloudformation
region represents the region identifier for an AWS region supported by AWS CloudFormation, such as
us-east-2 for the US East (Ohio) Region.

27
Get Started
Getting Started with AWS

CloudFormation
Because you can use AWS CloudFormation to launch many different types of resources, the getting
started walkthrough will touch on just a few simple concepts to help you get an idea of how to use AWS
CloudFormation.
In this section, you will use the AWS Management Console to create a stack from an example template
from the AWS CloudFormation Sample Template Library and learn the basics of creating a template.
In the following walkthrough, we'll use a sample template to launch, update, and delete a stack. After
you learn the fundamentals, you can learn more about creating more complex templates and stacks.
AWS CloudFormation makes deploying a set of Amazon Web Services (AWS) resources as simple as
submitting a template. A template is a simple text file that describes a stack, a collection of AWS
resources you want to deploy together as a group. You use the template to define all the AWS resources
you want in your stack. This can include Amazon Elastic Compute Cloud instances, Amazon Relational
Database Service DB Instances, and other resources. For a list of resource types, see AWS Resource and
Property Types Reference (p. 604).
The following video walks you through the stack creation example presented in the Get
Started (p. 28) section: Getting Started with AWS CloudFormation
Topics
• Get Started (p. 28)
• Learn Template Basics (p. 36)
• Walkthrough: Updating a Stack (p. 50)
Get Started
With the right template, you can deploy at once all the AWS resources you need for an application.
In this section, you'll examine a template that declares the resources for a WordPress blog, creates a
WordPress blog as a stack, monitors the stack creation process, examines the resources on the stack, and
then deletes the stack. You use the AWS Management Console to complete these tasks.
Step 1: Pick a template

First, you'll need a template that specifies the resources that you want in your stack. For this step, you
use a sample template that is already prepared. The sample template creates a basic WordPress blog
that uses a single Amazon EC2 instance with a local MySQL database for storage. The template also
creates an Amazon EC2 security group to control firewall settings for the Amazon EC2 instance.
Important
AWS CloudFormation is free, but the AWS resources that AWS CloudFormation creates are
live (and not running in a sandbox). You will incur the standard usage fees for these resources

28
until you terminate them in the last task in this tutorial. The total charges will be minimal. For
information about how you might minimize any charges, go to http://aws.amazon.com/free/.
To view the template
• You can view the JSON or YAML WordPress sample template. You don't need to download it because
you will use the template URL later in this guide. For more information about the template formats,
see AWS CloudFormation Template Formats (p. 209).
A template is a JSON or YAML text file that contains the configuration information about the AWS
resources you want to create in the stack. For this walkthrough, the sample template includes six top-
level sections: AWSTemplateFormatVersion, Description, Parameters, Mappings, Resources,
and Outputs; however, only the Resources section is required.
The Resources section contains the definitions of the AWS resources you want to create with the
template. Each resource is listed separately and specifies the properties that are necessary for creating
that particular resource. The following resource declaration is the configuration for the EC2 instance,
which in this example has the logical name WebServer:
Example JSON
"Resources" : {
...
"WebServer": {
"Properties": {
"ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" },
{ "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" :
"InstanceType" }, "Arch" ] } ] },
"InstanceType" : { "Ref" : "InstanceType" },
"SecurityGroups" : [ {"Ref" : "WebServerSecurityGroup"} ],
"KeyName" : { "Ref" : "KeyName" },
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"yum update -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource WebServer ",
" --configsets wordpress_install ",
" --region ", { "Ref" : "AWS::Region" }, "\n",
"/opt/aws/bin/cfn-signal -e $? ",
" --resource WebServer ",
" --region ", { "Ref" : "AWS::Region" }, "\n"
]]}}
},
...
},
...
"WebServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80 locked down to the load balancer
+ SSH access",
"SecurityGroupIngress" : [
{"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : { "Ref" :
"SSHLocation"}}
]
}

29
},
...
},
Example YAML
Resources:
...
WebServer:
Properties:
ImageId: !FindInMap [AWSRegionArch2AMI, !Ref 'AWS::Region', !FindInMap
[AWSInstanceType2Arch, !Ref InstanceType, Arch]]
InstanceType:
Ref: InstanceType
KeyName:
Ref: KeyName
SecurityGroups:
- Ref: WebServerSecurityGroup
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum update -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource WebServer --
configsets wordpress_install --region ${AWS::Region}
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource WebServer --
region ${AWS::Region}
...
...
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: "Enable HTTP access via port 80 locked down to the load balancer +
SSH access"
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: '80'
IpProtocol: tcp
ToPort: '80'
- CidrIp: !Ref SSHLocation
FromPort: '22'
IpProtocol: tcp
ToPort: '22'
...
If you have created EC2 instances before, you can recognize properties, such as ImageId,
InstanceType, and KeyName, that determine the configuration of the instance. Resource declarations
are an efficient way to specify all these configuration settings at once. When you put resource
declarations in a template, you can create and configure all the declared resources easily by using the
template to create a stack. To launch the same configuration of resources, all you have to do is create a
new stack that uses the same template.
The resource declaration begins with a string that specifies the logical name for the resource. As you'll
see, the logical name can be used to refer to resources within the template.
You use the Parameters section to declare values that can be passed to the template when you create
the stack. A parameter is an effective way to specify sensitive information, such as user names and
passwords, that you don't want to store in the template itself. It is also a way to specify information that
might be unique to the specific application or configuration you are deploying, for example, a domain
name or instance type. When you create the WordPress stack later in this section, you'll see the set of

30
parameters declared in the template appear on the Specify Details page of the Create Stack wizard,
where you can specify the parameters before you create the stack.
The following parameters are used in the template to specify values that are used in properties of the
EC2 instance:
Example JSON
"Parameters" : {
...
"KeyName": {
"Description" : "Name of an existing EC2 KeyPair to enable SSH access to the
instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription" : "must be the name of an existing EC2 KeyPair."
},
"InstanceType" : {
"Description" : "WebServer EC2 instance type",
"Type" : "String",
"Default" : "t2.small",
"AllowedValues" : [ "t1.micro", "t2.nano", "t2.micro", "t2.small", "t2.medium",
"t2.large", "m1.small", "m1.medium", "m1.large", "m1.xlarge", "m2.xlarge", "m2.2xlarge",
"m2.4xlarge", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge", "m4.large", "m4.xlarge",
"m4.2xlarge", "m4.4xlarge", "m4.10xlarge", "c1.medium", "c1.xlarge", "c3.large",
"c3.xlarge", "c3.2xlarge", "c3.4xlarge", "c3.8xlarge", "c4.large", "c4.xlarge",
"c4.2xlarge", "c4.4xlarge", "c4.8xlarge", "g2.2xlarge", "g2.8xlarge", "r3.large",
"r3.xlarge", "r3.2xlarge", "r3.4xlarge", "r3.8xlarge", "i2.xlarge", "i2.2xlarge",
"i2.4xlarge", "i2.8xlarge", "d2.xlarge", "d2.2xlarge", "d2.4xlarge", "d2.8xlarge",
"hi1.4xlarge", "hs1.8xlarge", "cr1.8xlarge", "cc2.8xlarge", "cg1.4xlarge"],
"ConstraintDescription" : "must be a valid EC2 instance type."
},
...
Example YAML
Parameters:
...
KeyName:
ConstraintDescription: must be the name of an existing EC2 KeyPair.
Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
Type: AWS::EC2::KeyPair::KeyName
InstanceType:
AllowedValues:
- t1.micro
- t2.nano
- t2.micro
- t2.small
- t2.medium
- t2.large
- m1.small
- m1.medium
- m1.large
- m1.xlarge
- m2.xlarge
- m2.2xlarge
- m2.4xlarge
- m3.medium
- m3.large
- m3.xlarge
- m3.2xlarge
- m4.large

31
- m4.xlarge
- m4.2xlarge
- m4.4xlarge
- m4.10xlarge
- c1.medium
- c1.xlarge
- c3.large
- c3.xlarge
- c3.2xlarge
- c3.4xlarge
- c3.8xlarge
- c4.large
- c4.xlarge
- c4.2xlarge
- c4.4xlarge
- c4.8xlarge
- g2.2xlarge
- g2.8xlarge
- r3.large
- r3.xlarge
- r3.2xlarge
- r3.4xlarge
- r3.8xlarge
- i2.xlarge
- i2.2xlarge
- i2.4xlarge
- i2.8xlarge
- d2.xlarge
- d2.2xlarge
- d2.4xlarge
- d2.8xlarge
- hi1.4xlarge
- hs1.8xlarge
- cr1.8xlarge
- cc2.8xlarge
- cg1.4xlarge
ConstraintDescription: must be a valid EC2 instance type.
Default: t2.small
Description: WebServer EC2 instance type
Type: String
...
In the WebServer resource declaration, you see the KeyName property specified with the KeyName
parameter:
Example JSON
"WebServer" : {
"Type": "AWS::EC2::Instance",
"Properties": {
...
}
},
Example YAML
WebServer:
Properties:
KeyName:
Ref: KeyName

32
Step 2: Make sure you have prepared
any required items for the stack
...
The braces contain a call to the Ref (p. 3824) function with KeyName as its input. The Ref function
returns the value of the object it refers to. In this case, the Ref function sets the KeyName property to the
value that was specified for KeyName when the stack was created.
The Ref function can also set a resource's property to the value of another resource. For example, the
resource declaration WebServer contains the following property declaration:
Example JSON
"WebServer" : {
"Properties": {
...
...
}
},
Example YAML
WebServer:
Properties:
SecurityGroups:
...
The SecurityGroups property takes a list of EC2 security groups. The Ref function has an input of
WebServerSecurityGroup, which is the logical name of a security group in the template, and adds the
name of WebServerSecurityGroup to the SecurityGroups property.
In the template, you'll also find a Mappings section. You use mappings to declare conditional values that
are evaluated in a similar manner as a lookup table statement. The template uses mappings to select
the correct Amazon machine image (AMI) for the region and the architecture type for the instance type.
Outputs define custom values that are returned by the aws cloudformation describe-stacks
command and in the AWS CloudFormation console Outputs tab after the stack is created. You can use
output values to return information from the resources in the stack, such as the URL for a website that
was created in the template. We cover mappings, outputs, and other things about templates in more
detail in Learn Template Basics (p. 36).
That's enough about templates for now. Let's start creating a stack.
Step 2: Make sure you have prepared any required

items for the stack
Before you create a stack from a template, you must ensure that all dependent resources that the
template requires are available. A template can use or refer to both existing AWS resources and resources
declared in the template itself. AWS CloudFormation takes care of checking references to resources in the
template and also checks references to existing resources to ensure that they exist in the region where
you are creating the stack. If your template refers to a dependent resource that does not exist, stack
creation fails.
The example WordPress template contains an input parameter, KeyName, that specifies the key pair used
for the Amazon EC2 instance that is declared in the template. The template depends on the user who
creates a stack from the template to supply a valid Amazon EC2 key pair for the KeyName parameter. If

33
Step 3: Create the stack
you supply a valid key pair name, the stack creates successfully. If you don't supply a valid key pair name,
the stack is rolled back.
Make sure you have a valid Amazon EC2 key pair and record the key pair name before you create the
stack.
To see your key pairs, open the Amazon EC2 console, then click Key Pairs in the navigation pane.
Note
If you don't have an Amazon EC2 key pair, you must create the key pair in the same region
where you are creating the stack. For information about creating a key pair, see Getting an SSH
Key Pair in the Amazon EC2 User Guide for Linux Instances.
Now that you have a valid key pair, let's use the WordPress template to create a stack.
Step 3: Create the stack

You will create your stack based on the WordPress-1.0.0 file discussed earlier. The template contains
several AWS resources, such as an EC2 instance.
To create the WordPress stack
1. Sign in to the AWS Management Console and open the AWS CloudFormation console at https://
console.aws.amazon.com/cloudformation.
2. If this is a new AWS CloudFormation account, click Create New Stack. Otherwise, click Create Stack.
3. In the Template section, select Specify an Amazon S3 Template URL to type or paste the URL for
the sample WordPress template, and then click Next:
https://s3-us-west-2.amazonaws.com/cloudformation-templates-us-west-2/
WordPress_Single_Instance.template
Note
AWS CloudFormation templates that are stored in an S3 bucket must be accessible to the
user who is creating the stack, and must be located in the same region as the stack that is
being created. Therefore, if the S3 bucket is located in the us-east-2 Region, the stack
must also be created in us-east-2.
4. In the Specify Details section, enter a stack name in the Name field. For this example, use
MyWPTestStack. The stack name cannot contain spaces.
5. In the KeyName field, enter the name of a valid Amazon EC2 key pair in the same region you are
creating the stack.
Note
On the Specify Parameters page, you'll recognize the parameters from the Parameters
section of the template.
6. Click Next.
7. In this scenario, we won't add any tags. Click Next. Tags, which are key-value pairs, can help you
identify your stacks. For more information, see Adding Tags to Your AWS CloudFormation Stack.
8. Review the information for the stack. When you're satisfied with the settings, click Create.
Your stack might take several minutes to create—but you probably don't want to just sit around waiting.
If you're like us, you'll want to know how the stack creation is going.
Step 4: Monitor the progress of stack creation

After you complete the Create Stack wizard, AWS CloudFormation begins creating the resources that are
specified in the template. Your new stack, MyWPTestStack, appears in the list at the top portion of the

34
Step 5: Use your stack resources
CloudFormation console. Its status should be CREATE_IN_PROGRESS. You can see detailed status for a
stack by viewing its events.
To view the events for the stack
1. On the AWS CloudFormation console, select the stack MyWPTestStack in the list.
2. In the stack details pane, click the Events tab.
The console automatically refreshes the event list with the most recent events every 60 seconds.
The Events tab displays each major step in the creation of the stack sorted by the time of each event,
with latest events on top.
The first event (at the bottom of the event list) is the start of the stack creation process:
2013-04-24 18:54 UTC-7 CREATE_IN_PROGRESS AWS::CloudFormation::Stack

MyWPTestStack User initiated
Next are events that mark the beginning and completion of the creation of each resource. For example,
creation of the EC2 instance results in the following entries:
2013-04-24 18:59 UTC-7 CREATE_COMPLETE AWS::EC2::Instance...
2013-04-24 18:54 UTC-7 CREATE_IN_PROGRESS AWS::EC2::Instance...
The CREATE_IN_PROGRESS event is logged when AWS CloudFormation reports that it has begun to
create the resource. The CREATE_COMPLETE event is logged when the resource is successfully created.
When AWS CloudFormation has successfully created the stack, you will see the following event at the top
of the Events tab:
2013-04-24 19:17 UTC-7 CREATE_COMPLETE AWS::CloudFormation::Stack MyWPTestStack
If AWS CloudFormation cannot create a resource, it reports a CREATE_FAILED event and, by default,
rolls back the stack and deletes any resources that have been created. The Status Reason column
displays the issue that caused the failure.
Step 5: Use your stack resources

When the stack MyWPTestStack has a status of CREATE_COMPLETE, AWS CloudFormation has finished
creating the stack, and you can start using its resources.
The sample WordPress stack creates a WordPress website. You can continue with the WordPress setup by
running the WordPress installation script.
To complete the WordPress installation
1. On the Outputs tab, in the WebsiteURL row, click the link in the Value column.
The WebsiteURL output value is the URL of the installation script for the WordPress website that
you created with the stack.
2. On the web page for the WordPress installation, follow the on-screen instructions to complete
the WordPress installation. For more information about installing WordPress, see http://
codex.wordpress.org/Installing_WordPress.
After you complete the installation and log in, you are directed to the dashboard where you can set
additional options for your WordPress blog. Then, you can start writing posts for your blog that you
successfully created by using a AWS CloudFormation template.

35
Step 6: Clean Up
Step 6: Clean Up
You have completed the AWS CloudFormation getting started tasks. To make sure you are not charged
for any unwanted services, you can clean up by deleting the stack and its resources.
To delete the stack and its resources
1. From the AWS CloudFormation console, select the MyWPTestStack stack.

2. Click Delete Stack.
3. In the confirmation message that appears, click Yes, Delete.
The status for MyWPTestStack changes to DELETE_IN_PROGRESS. In the same way you monitored the
creation of the stack, you can monitor its deletion by using the Event tab. When AWS CloudFormation
completes the deletion of the stack, it removes the stack from the list.
Congratulations! You successfully picked a template, created a stack, viewed and used its resources, and
deleted the stack and its resources. Not only that, you were able to set up a WordPress blog using a AWS
CloudFormation template. You can find other templates in the AWS CloudFormation Sample Template
Library.
Now it's time to learn more about templates so that you can easily modify existing templates or create
your own: Learn Template Basics (p. 36).
Learn Template Basics

Topics
• What is an AWS CloudFormation Template? (p. 36)
• Resources: Hello Bucket! (p. 37)
• Resource Properties and Using Resources Together (p. 37)
• Receiving User Input Using Input Parameters (p. 43)
• Specifying Conditional Values Using Mappings (p. 45)
• Constructed Values and Output Values (p. 47)
• Next Steps (p. 50)
In Get Started (p. 28), you learned how to use a template to create a stack. You saw resources declared
in a template and how they map to resources in the stack. We also touched on input parameters and how
they enable you to pass in specific values when you create a stack from a template. In this section, we'll
go deeper into resources and parameters. We'll also cover the other components of templates so that
you'll know how to use these components together to create templates that produce the AWS resources
you want.
What is an AWS CloudFormation Template?

A template is a declaration of the AWS resources that make up a stack. The template is stored as a text
file whose format complies with the JavaScript Object Notation (JSON) or YAML standard. Because
they are just text files, you can create and edit them in any text editor and manage them in your source
control system with the rest of your source code. For more information about the template formats, see
AWS CloudFormation Template Formats (p. 209).
In the template, you declare the AWS resources you want to create and configure. You declare an object
as a name-value pair or a pairing of a name with a set of child objects enclosed. The syntax depends on

36
Resources: Hello Bucket!
the format you use. For more information, see the Template Anatomy (p. 210). The only required top-
level object is the Resources object, which must declare at least one resource. Let's start with the most
basic template containing only a Resources object, which contains a single resource declaration.
Resources: Hello Bucket!

The Resources object contains a list of resource objects. A resource declaration contains the resource's
attributes, which are themselves declared as child objects. A resource must have a Type attribute, which
defines the kind of AWS resource you want to create. The Type attribute has a special format:
AWS::ProductIdentifier::ResourceType
For example, the resource type for an Amazon S3 bucket is AWS::S3::Bucket. For a full list of resource
types, see Template Reference (p. 604).
Let's take a look at a very basic template. The following template declares a single resource of type
AWS::S3::Bucket: with the name HelloBucket.
Example JSON
{
"Resources" : {
"HelloBucket" : {
"Type" : "AWS::S3::Bucket"
}
}
}
Example YAML
Resources:
HelloBucket:
Type: AWS::S3::Bucket
If you use this template to create a stack, AWS CloudFormation will create an Amazon S3 bucket.
Creating a bucket is simple, because AWS CloudFormation can create a bucket with default settings.
For other resources, such as an Auto Scaling group or EC2 instance, AWS CloudFormation requires more
information. Resource declarations use a Properties attribute to specify the information used to
create a resource.
Depending on the resource type, some properties are required, such as the ImageId property for an
AWS::EC2::Instance resource, and others are optional. Some properties have default values, such as
the AccessControl property of the AWS::S3::Bucket resource, so specifying a value for those properties
is optional. Other properties are not required but may add functionality that you want, such as the
WebsiteConfiguration property of the AWS::S3::Bucket resource. Specifying a value for such properties is
entirely optional and based on your needs. In the example above, because the AWS::S3::Bucket resource
has only optional properties and we didn't need any of the optional features, we could accept the
defaults and omit the Properties attribute.
To view the properties for each resource type, see the topics in AWS Resource and Property Types
Reference (p. 604).
Resource Properties and Using Resources Together

Usually, a property for a resource is simply a string value. For example, the following template specifies a
canned ACL (PublicRead) for the AccessControl property of the bucket.

37
Example JSON
{
"Resources" : {
"HelloBucket" : {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"AccessControl" : "PublicRead"
}
}
}
}
Example YAML
Resources:
HelloBucket:
Properties:
AccessControl: PublicRead
Some resources can have multiple properties, and some properties can have one or more subproperties.
For example, the AWS::S3::Bucket resource has two properties, AccessControl and WebsiteConfiguration.
The WebsiteConfiguration property has two subproperties, IndexDocument and ErrorDocument. The
following template shows our original bucket resource with the additional properties.
Example JSON
{
"Resources" : {
"HelloBucket" : {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"AccessControl" : "PublicRead",
"WebsiteConfiguration" : {
"IndexDocument" : "index.html",
"ErrorDocument" : "error.html"
}
}
}
}
}
Example YAML
Resources:
HelloBucket:
Properties:
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
One of the greatest benefits of templates and AWS CloudFormation is the ability to create a set of
resources that work together to create an application or solution. The name used for a resource within
the template is a logical name. When AWS CloudFormation creates the resource, it generates a physical
name that is based on the combination of the logical name, the stack name, and a unique ID.

38
You're probably wondering how you set properties on one resource based on the name or property of
another resource. For example, you can create a CloudFront distribution backed by an S3 bucket or
an EC2 instance that uses EC2 security groups, and all of these resources can be created in the same
template. AWS CloudFormation has a number of intrinsic functions that you can use to refer to other
resources and their properties. You can use the Ref function (p. 3824) to refer to an identifying property
of a resource. Frequently, this is the physical name of the resource; however, sometimes it can be an
identifier, such as the IP address for an AWS::EC2::EIP resource or an Amazon Resource Name (ARN) for
an Amazon SNS topic. For a list of values returned by the Ref function, see Ref function (p. 3824). The
following template contains an AWS::EC2::Instance resource. The resource's SecurityGroups property calls
the Ref function to refer to the AWS::EC2::SecurityGroup resource InstanceSecurityGroup.
Example JSON
{
"Resources": {
"Ec2Instance": {
"Properties": {
"SecurityGroups": [
{
"Ref": "InstanceSecurityGroup"
}
],
"KeyName": "mykey",
"ImageId": ""
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
}
}
}
Example YAML
Resources:
Ec2Instance:
Type: 'AWS::EC2::Instance'
Properties:
SecurityGroups:
- !Ref InstanceSecurityGroup
KeyName: mykey
ImageId: ''
InstanceSecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: Enable SSH access via port 22
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'

39
CidrIp: 0.0.0.0/0
The SecurityGroups property is a list of security groups, and in the previous example we have only one
item in the list. The following template has an additional item in the SecurityGroups property list.
Example JSON
{
"Resources": {
"Ec2Instance": {
"Properties": {
"SecurityGroups": [
{
},
"MyExistingSecurityGroup"
],
"KeyName": "mykey",
"ImageId": "ami-7a11e213"
}
},
"Properties": {
{
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
}
}
}
Example YAML
Resources:
Ec2Instance:
Properties:
SecurityGroups:
- MyExistingSecurityGroup
KeyName: mykey
ImageId: ami-7a11e213
Properties:
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 0.0.0.0/0
MyExistingSecurityGroup is a string that refers to an existing EC2 security group instead of a security
group declared in a template. You use literal strings to refer to existing AWS resources.

40
In the example above, the KeyName property of the AWS::EC2::Instance is the literal string mykey. This
means that a key pair with the name mykey must exist in the region where the stack is being created;
otherwise, stack creation will fail because the key pair does not exist. The key pair you use can vary with
the region where you are creating the stack, or you may want to share the template with someone else
so that they can use it with their AWS account. If so, you can use an input parameter so that the key pair
name can be specified when the stack is created. The Ref function can refer to input parameters that
are specified at stack creation time. The following template adds a Parameters object containing the
KeyName parameter, which is used to specify the KeyName property for the AWS::EC2::Instance resource.
The parameter type is AWS::EC2::KeyPair::KeyName, which ensures a user specifies a valid key pair
name in his or her account and in the region where the stack is being created.
Example JSON
{
"Parameters": {
"KeyName": {
"Description": "The EC2 Key Pair to allow SSH access to the instance",
"Type": "AWS::EC2::KeyPair::KeyName"
}
},
"Resources": {
"Ec2Instance": {
"Properties": {
"SecurityGroups": [
{
},
"MyExistingSecurityGroup"
],
"KeyName": {
"Ref": "KeyName"
},
"ImageId": "ami-7a11e213"
}
},
"Properties": {
{
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
}
}
}
Example YAML
Parameters:
KeyName:
Description: The EC2 Key Pair to allow SSH access to the instance
Type: 'AWS::EC2::KeyPair::KeyName'
Resources:
Ec2Instance:

41
Properties:
SecurityGroups:
- MyExistingSecurityGroup
KeyName: !Ref KeyName
ImageId: ami-7a11e213
Properties:
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 0.0.0.0/0
The Ref function is handy if the parameter or the value returned for a resource is exactly what you want;
however, you may need other attributes of a resource. For example, if you want to create a CloudFront
distribution with an S3 origin, you need to specify the bucket location by using a DNS-style address.
A number of resources have additional attributes whose values you can use in your template. To get
these attributes, you use the Fn::GetAtt (p. 3807) function. The following template creates a CloudFront
distribution resource that specifies the DNS name of an S3 bucket resource using Fn::GetAtt function to
get the bucket's DomainName attribute.
Example JSON
{
"Resources": {
"myBucket": {
"Type": "AWS::S3::Bucket"
},
"myDistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"Origins": [
{
"DomainName": {
"Fn::GetAtt": [
"myBucket",
"DomainName"
]
},
"Id": "myS3Origin",
"S3OriginConfig": {}
}
],
"Enabled": "true",
"DefaultCacheBehavior": {
"TargetOriginId": "myS3Origin",
"ForwardedValues": {
"QueryString": "false"
},
"ViewerProtocolPolicy": "allow-all"
}
}
}
}
}
}

42
Receiving User Input Using Input Parameters
Example YAML
Resources:
myBucket:
Type: 'AWS::S3::Bucket'
myDistribution:
Type: 'AWS::CloudFront::Distribution'
Properties:
DistributionConfig:
Origins:
- DomainName: !GetAtt
- myBucket
- DomainName
Id: myS3Origin
S3OriginConfig: {}
Enabled: 'true'
DefaultCacheBehavior:
TargetOriginId: myS3Origin
ForwardedValues:
QueryString: 'false'
ViewerProtocolPolicy: allow-all
The Fn::GetAtt function takes two parameters, the logical name of the resource and the name of the
attribute to be retrieved. For a full list of available attributes for resources, see Fn::GetAtt (p. 3807).
You'll notice that the Fn::GetAtt function lists its two parameters in an array. For functions that take
multiple parameters, you use an array to specify their parameters.

So far, you've learned about resources and a little bit about how to use them together within a template.
You've learned how to refer to input parameters, but we haven't gone deeply into how to define the
input parameters themselves. Let's take a look at parameter declarations and how you can restrict and
validate user input.
You declare parameters in a template's Parameters object. A parameter contains a list of attributes that
define its value and constraints against its value. The only required attribute is Type, which can be String,
Number, or an AWS-specific type. You can also add a Description attribute that tells a user more about
what kind of value they should specify. The parameter's name and description appear in the Specify
Parameters page when a user uses the template in the Create Stack wizard.
The following template fragment is a Parameters object that declares the parameters used in the Specify
Parameters page above.
Example JSON
"Parameters": {
"KeyName": {
"Description" : "Name of an existing EC2 KeyPair to enable SSH access into the
WordPress web server",
},
"WordPressUser": {
"Default": "admin",
"NoEcho": "true",
"Description" : "The WordPress database admin account user name",
"Type": "String",
"MinLength": "1",
"MaxLength": "16",
"AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*"
},
"WebServerPort": {

43
"Default": "8888",
"Description" : "TCP/IP port for the WordPress web server",
"Type": "Number",
"MinValue": "1",
"MaxValue": "65535"
}
}
Example YAML
Parameters:
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access into the WordPress
web server
WordPressUser:
Default: admin
NoEcho: true
Description: The WordPress database admin account user name
Type: String
MinLength: 1
MaxLength: 16
AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
WebServerPort:
Default: 8888
Description: TCP/IP port for the WordPress web server
Type: Number
MinValue: 1
MaxValue: 65535
For parameters with default values, AWS CloudFormation uses the default values unless users specify
another value. If you omit the default attribute, users are required to specify a value for that parameter;
however, requiring the user to input a value does not ensure that the value is valid. To validate the value
of a parameter, you can declare constraints or specify an AWS-specific parameter type.
You'll notice that the KeyName parameter has no Default attribute and the other parameters do. For
example, the WordPress parameter has the attribute Default: admin, but the KeyName parameter
has none. Users must specify a key name value at stack creation. If they don’t, AWS CloudFormation fails
to create the stack and throws an exception: Parameters: [KeyName] must have values.
For AWS-specific parameter types, AWS CloudFormation validates input values against existing values
in the user's AWS account and in the region where he or she is creating the stack before creating
any stack resources. In the sample template, the KeyName parameter is an AWS-specific parameter
type of AWS::EC2::KeyPair::KeyName. AWS CloudFormation checks that users specify a valid
EC2 key pair name before creating the stack. Another example of an AWS-specific parameter type is
AWS::EC2::VPC::Id, which requires users to specify a valid VPC ID. In addition to upfront validation,
the AWS console shows a drop-down list of valid values for AWS-specific parameter types, such as valid
EC2 key pair names or VPC IDs, when users use the Create Stack wizard.
For the String type, you can use the following attributes to declare constraints: MinLength,
MaxLength, Default, AllowedValues, and AllowedPattern. In the example above, the
WordPressUser parameter has three constraints: the parameter value must be 1 to 16 character long
(MinLength, MaxLength) and must begin with a letter followed by any combination of letters and
numbers (AllowedPattern).
For the Number type, you can declare the following constraints: MinValue, MaxValue, Default,
and AllowedValues. A number can be an integer or a float value. In the example above, the
WebServerPort parameter must be a number between 1 and 65535 inclusive (MinValue, MaxValue).
Earlier in this section, we mentioned that parameters are a good way to specify sensitive or
implementation-specific data, such as passwords or user names, that you need to use but do not want

44
Specifying Conditional Values Using Mappings
to embed in the template itself. If you set the NoEcho attribute to true, CloudFormation returns the
parameter value masked as asterisks (*****) for any calls that describe the stack or stack events. In
the example above, the WordPressUser parameter value is not visible to anyone viewing the stack's
settings, and its value is returned as asterisks.
Important
Rather than embedding sensitive information directly in your AWS CloudFormation templates,
we strongly suggest you do one of the following:
• Use input parameters to pass in information whenever you create or update a stack, using the
NoEcho property to obfuscate the parameter value.
• Use dynamic parameters in the stack template to reference sensitive information that is
stored and managed outside of CloudFormation, such as in the Systems Manager Parameter
Store or Secrets Manager.
For more information, see the Do Not Embed Credentials in Your Templates best practice.

Parameters are a great way to enable users to specify unique or sensitive values for use in the properties
of stack resources; however, there may be settings that are region dependent or are somewhat complex
for users to figure out because of other conditions or dependencies. In these cases, you would want to
put some logic in the template itself so that users can specify simpler values (or none at all) to get the
results that they want. In an earlier example, we hardcoded the AMI ID for the ImageId property of our
EC2 instance. This works fine in the US-East region, where it represents the AMI that we want. However,
if the user tries to build the stack in a different region he or she will get the wrong AMI or no AMI at all.
(AMI IDs are unique to a region, so the same AMI ID in a different region may not represent any AMI or a
completely different one.)
To avoid this problem, you need a way to specify the right AMI ID based on a conditional input (in this
example, the region where the stack is created). There are two template features that can help, the
Mappings object and the AWS::Region pseudo parameter.
The AWS::Region pseudo parameter is a value that AWS CloudFormation resolves as the region where
the stack is created. Pseudo parameters are resolved by AWS CloudFormation when you create the
stack. Mappings enable you to use an input value as a condition that determines another value. Similar
to a switch statement, a mapping associates one set of values with another. Using the AWS::Region
parameter together with a mapping, you can ensure that an AMI ID appropriate to the region is specified.
The following template contains a Mappings object with a mapping named RegionMap that is used to
map an AMI ID to the appropriate region.
Example JSON
{
"Parameters": {
"KeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the
instance",
"Type": "String"
}
},
"Mappings": {
"RegionMap": {
"us-east-1": {
"AMI": "ami-76f0061f"
},
"us-west-1": {
"AMI": "ami-655a0a20"

45
},
"eu-west-1": {
"AMI": "ami-7fd4e10b"
},
"ap-southeast-1": {
"AMI": "ami-72621c20"
},
"ap-northeast-1": {
"AMI": "ami-8e08a38f"
}
}
},
"Resources": {
"Ec2Instance": {
"Properties": {
"KeyName": {
"Ref": "KeyName"
},
"ImageId": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"AMI"
]
},
"UserData": {
"Fn::Base64": "80"
}
}
}
}
}
Example YAML
Parameters:
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
Type: String
Mappings:
RegionMap:
us-east-1:
AMI: ami-76f0061f
us-west-1:
AMI: ami-655a0a20
eu-west-1:
AMI: ami-7fd4e10b
ap-southeast-1:
AMI: ami-72621c20
ap-northeast-1:
AMI: ami-8e08a38f
Resources:
Ec2Instance:
Properties:
ImageId: !FindInMap
- RegionMap
- !Ref 'AWS::Region'
- AMI
UserData: !Base64 '80'

46
Constructed Values and Output Values
In the RegionMap, each region is mapped to a name-value pair. The name-value pair is a label, and the
value to map. In the RegionMap, AMI is the label and the AMI ID is the value. To use a map to return a
value, you use the Fn::FindInMap (p. 3804) function, passing the name of the map, the value used to
find the mapped value, and the label of the mapped value you want to return. In the example above, the
ImageId property of the resource Ec2Instance uses the Fn::FindInMap function to determine its value by
specifying RegionMap as the map to use, AWS::Region as the input value to map from, and AMI as the
label to identify the value to map to. For example, if this template were used to create a stack in the us-
west-1 region, ImageId would be set to ami-655a0a20.
Tip
The AWS::Region pseudo parameter enables you to get the region where the stack is created.
Some resources, such as AWS::EC2::Instance, AWS::AutoScaling::AutoScalingGroup, and
AWS::ElasticLoadBalancing::LoadBalancer, have a property that specifies availability zones. You
can use the Fn::GetAZs function (p. 3809) to get the list of all availability zones in a region.

Parameters and mappings are an excellent way to pass or determine specific values at stack creation
time, but there can be situations where a value from a parameter or other resource attribute is only part
of the value you need. For example, in the following fragment from the WordPress template, the Fn::Join
function constructs the Target subproperty of the HealthCheck property for the ElasticLoadBalancer
resource by concatenating the WebServerPort parameter with other literal strings to form the value
needed.
Example JSON
{
"Resources": {
"ElasticLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AvailabilityZones": {
"Fn::GetAZs": ""
},
"Instances": [
{
"Ref": "Ec2Instance1"
},
{
"Ref": "Ec2Instance2"
}
],
"Listeners": [
{
"LoadBalancerPort": "80",
"InstancePort": {
"Ref": "WebServerPort"
},
"Protocol": "HTTP"
}
],
"HealthCheck": {
"Target": {
"Fn::Join": [
"",
[
"HTTP:",
{
"Ref": "WebServerPort"
},
"/"
]

47
]
},
"HealthyThreshold": "3",
"UnhealthyThreshold": "5",
"Interval": "30",
"Timeout": "5"
}
}
}
}
}
Example YAML
Resources:
ElasticLoadBalancer:
Type: 'AWS::ElasticLoadBalancing::LoadBalancer'
Properties:
AvailabilityZones: !GetAZs ''
Instances:
- !Ref Ec2Instance1
- !Ref Ec2Instance2
Listeners:
- LoadBalancerPort: '80'
InstancePort: !Ref WebServerPort
Protocol: HTTP
HealthCheck:
Target: !Join
- ''
- - 'HTTP:'
- !Ref WebServerPort
- /
HealthyThreshold: '3'
UnhealthyThreshold: '5'
Interval: '30'
Timeout: '5'
The Fn::Join function takes two parameters, a delimiter that separates the values you want to
concatenate and an array of values in the order that you want them to appear. In the example above, the
Fn::Join function specifies an empty string as the delimiter and HTTP:, the value of the WebServerPort
parameter, and a / character as the values to concatenate. If WebServerPort had a value of 8888, the
Target property would be set to the following value:
HTTP:8888/
The Fn::Join function is also useful for declaring output values for the stack. The Outputs object in
the template contains declarations for the values that you want to have available after the stack is
created. An output is a convenient way to capture important information about your resources or input
parameters. For example, in the WordPress template, we declare the following Outputs object.
Example JSON
"Outputs": {
"InstallURL": {
"Value": {
"Fn::Join": [
"",
[
"http://",
{

48
"Fn::GetAtt": [
"ElasticLoadBalancer",
"DNSName"
]
},
"/wp-admin/install.php"
]
]
},
"Description": "Installation URL of the WordPress website"
},
"WebsiteURL": {
"Value": {
"Fn::Join": [
"",
[
"http://",
{
"Fn::GetAtt": [
"ElasticLoadBalancer",
"DNSName"
]
}
]
]
}
}
}
Example YAML
Outputs:
InstallURL:
Value: !Join
- ''
- - 'http://'
- !GetAtt
- ElasticLoadBalancer
- DNSName
- /wp-admin/install.php
Description: Installation URL of the WordPress website
WebsiteURL:
Value: !Join
- ''
- - 'http://'
- !GetAtt
- ElasticLoadBalancer
- DNSName
Each output value has a name, a Value attribute that contains declaration of the value returned as
the output value, and optionally a description of the value. In the previous example, InstallURL is the
string returned by a Fn::Join function call that concatenates http://, the DNS name of the resource
ElasticLoadBalancer, and /wp-admin/install.php. The output value would be similar to the following:
http://mywptests-elasticl-1gb51l6sl8y5v-206169572.us-east-2.elb.amazonaws.com/wp-admin/
install.php
In the Get Started tutorial, we used this link to conveniently go to the installation page for the
WordPress blog that we created. AWS CloudFormation generates the output values after it finishes
creating the stack. You can view output values in the Outputs tab of the AWS CloudFormation console or
by using the aws cloudformation describe-stacks command.

49
Next Steps
Next Steps
We just walked through the basic parts of a template and how to use them. You learned the following
about templates:
• Declaring resources and their properties

• Referencing other resources with the Ref function and resource attributes using the Fn::GetAtt
function
• Using parameters to enable users to specify values at stack creation time and using constraints to
validate parameter input
• Using mappings to determine conditional values
• Using the Fn::Join function to construct values based on parameters, resource attributes, and other
strings
• Using output values to capture information about the stack's resources.
We didn't cover two top level objects in a template: AWSTemplateFormatVersion and Description.
AWSTemplateFormatVersion is simply the version of the template format—if you don't specify it,
AWS CloudFormation will use the latest version. The Description is any valid JSON or YAML string. This
description appears in the Specify Parameters page of the Create Stack wizard. For more information,
see Format Version (p. 212) and Description (p. 213).
Of course, there are more advanced template and stack features. Here is a list of a few important ones
that you'll want to learn more about:
Optional attributes that can be used with any resource:
• DependsOn attribute (p. 3765) enables you to specify that one resource must be created after
another.
• DeletionPolicy attribute (p. 3764) enables you to specify how AWS CloudFormation should handle the
deletion of a resource.
• Metadata (p. 3771) attribute enables you to specify structured data with a resource.
AWS::CloudFormation::Stack enables you to nest another stack as a resource within your template.
Walkthrough: Updating a Stack

With AWS CloudFormation, you can update the properties for resources in your existing stacks. These
changes can range from simple configuration changes, such as updating the alarm threshold on a
CloudWatch alarm, to more complex changes, such as updating the Amazon Machine Image (AMI)
running on an Amazon EC2 instance. Many of the AWS resources in a template can be updated, and we
continue to add support for more.
This section walks through a simple progression of updates of a running stack. It shows how the use
of templates makes it possible to use a version control system for the configuration of your AWS
infrastructure, just as you use version control for the software you are running. We will walk through the
following steps:
1. Create the Initial Stack (p. 57)—create a stack using a base Amazon Linux AMI, installing the
Apache Web Server and a simple PHP application using the AWS CloudFormation helper scripts.
2. Update the Application (p. 58)—update one of the files in the application and deploy the software
using AWS CloudFormation.
3. Update the Instance Type (p. 60)—change the instance type of the underlying Amazon EC2
instance.

50
A Simple Application
4. Update the AMI on an Amazon EC2 instance (p. 62)—change the Amazon Machine Image (AMI) for
the Amazon EC2 instance in your stack.
5. Add a Key Pair to an Instance (p. 64)—add an Amazon EC2 key pair to the instance, and then
update the security group to allow SSH access to the instance.
6. Change the Stack's Resources (p. 64)—add and remove resources from the stack, converting it to an
auto-scaled, load-balanced application by updating the template.
We'll begin by creating a stack that we can use throughout the rest of this section. We have provided a
simple template that launches a single instance PHP web application hosted on the Apache Web Server
and running on an Amazon Linux AMI.
The Apache Web Server, PHP, and the simple PHP application are all installed by the AWS
CloudFormation helper scripts that are installed by default on the Amazon Linux AMI. The following
template snippet shows the metadata that describes the packages and files to install, in this case the
Apache Web Server and the PHP infrastructure from the Yum repository for the Amazon Linux AMI. The
snippet also shows the Services section, which ensures that the Apache Web Server is running. In the
Properties section of the Amazon EC2 instance definition, the UserData property contains the CloudInit
script that calls cfn-init to install the packages and files.
"WebServerInstance": {
"Metadata" : {
"AWS::CloudFormation::Init" : {
"config" : {
"packages" : {
"yum" : {
"httpd" : [],
"php" : []
}
},
"files" : {
"/var/www/html/index.php" : {
"content" : { "Fn::Join" : ["", [
"<?php\n",
"echo '<h1>AWS CloudFormation sample PHP application</h1>';\n",
"echo '<p>", { "Ref" : "WelcomeMessage" }, "</p>';\n",
"?>\n"
]]},
"mode" : "000644",
"owner" : "apache",
"group" : "apache"
},
},
"services" : {
"sysvinit" : {
"httpd" : { "enabled" : "true", "ensureRunning" : "true" }
}
}
}
}
},

51
"Properties": {
:
"#!/bin/bash\n",
"yum install -y aws-cfn-bootstrap\n",
"# Install the files and packages from the metadata\n",

" --resource WebServerInstance ",
:
]]}}
}
},
The application itself is a very simple two-line "Hello, World" example that is entirely defined within
the template. For a real-world application, the files may be stored on Amazon S3, GitHub, or another
repository and referenced from the template. AWS CloudFormation can download packages (such as
RPMs or RubyGems), as well as reference individual files and expand .zip and .tar files to create the
application artifacts on the Amazon EC2 instance.
The template enables and configures the cfn-hup daemon to listen for changes to the configuration
defined in the metadata for the Amazon EC2 instance. By using the cfn-hup daemon, you can update
application software, such as the version of Apache or PHP, or you can update the PHP application file
itself from AWS CloudFormation. The following snippet from the same Amazon EC2 resource in the
template shows the pieces necessary to configure cfn-hup to call cfn-init to update the software if any
changes to the metadata are detected:
"Metadata" : {
"config" : {
"files" : {
"/etc/cfn/cfn-hup.conf" : {
"content" : { "Fn::Join" : ["", [
"[main]\n",
"stack=", { "Ref" : "AWS::StackName" }, "\n",
"region=", { "Ref" : "AWS::Region" }, "\n"
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf" : {
"content": { "Fn::Join" : ["", [
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.WebServerInstance.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -s ", { "Ref" : "AWS::StackId" }, " -r
WebServerInstance ",

52
"runas=root\n"
]]}
}
},
:
},
"Properties": {
"# Start up the cfn-hup daemon to listen for changes to the Web Server metadata\n",
"/opt/aws/bin/cfn-hup || error_exit 'Failed to start cfn-hup'\n",
:
]]}}
}
},
To complete the stack, the template creates an Amazon EC2 security group.
{
"Description" : "AWS CloudFormation Sample Template: Sample template that can be used to
test EC2 updates. **WARNING** This template creates an Amazon Ec2 Instance. You will be
billed for the AWS resources used if you create a stack from this template.",
"Parameters" : {
"InstanceType" : {
"Type" : "String",
"AllowedValues" : [
"t1.micro",
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c1.medium",
"c1.xlarge",
"c3.large",
"c3.xlarge",

53
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"g2.2xlarge",
"g2.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
"cg1.4xlarge"
],
}
},
"Mappings" : {
"AWSInstanceType2Arch" : {
"t1.micro" : { "Arch" : "HVM64" },
"t2.nano" : { "Arch" : "HVM64" },
"t2.micro" : { "Arch" : "HVM64" },
"t2.small" : { "Arch" : "HVM64" },
"t2.medium" : { "Arch" : "HVM64" },
"t2.large" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "HVM64" },
"m1.medium" : { "Arch" : "HVM64" },
"m1.large" : { "Arch" : "HVM64" },
"m1.xlarge" : { "Arch" : "HVM64" },
"m2.2xlarge" : { "Arch" : "HVM64" },
"m2.4xlarge" : { "Arch" : "HVM64" },
"m3.large" : { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"m4.large" : { "Arch" : "HVM64" },
"m4.2xlarge" : { "Arch" : "HVM64" },
"m4.4xlarge" : { "Arch" : "HVM64" },
"m4.10xlarge" : { "Arch" : "HVM64" },
"c1.medium" : { "Arch" : "HVM64" },
"c1.xlarge" : { "Arch" : "HVM64" },
"c3.large" : { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },
"c3.8xlarge" : { "Arch" : "HVM64" },
"c4.large" : { "Arch" : "HVM64" },

54
"c4.2xlarge" : { "Arch" : "HVM64" },

"c4.4xlarge" : { "Arch" : "HVM64" },
"c4.8xlarge" : { "Arch" : "HVM64" },
"g2.2xlarge" : { "Arch" : "HVMG2" },
"r3.large" : { "Arch" : "HVM64" },
"r3.xlarge" : { "Arch" : "HVM64" },
"r3.2xlarge" : { "Arch" : "HVM64" },
"r3.4xlarge" : { "Arch" : "HVM64" },
"r3.8xlarge" : { "Arch" : "HVM64" },
"i2.xlarge" : { "Arch" : "HVM64" },
"i2.2xlarge" : { "Arch" : "HVM64" },
"i2.4xlarge" : { "Arch" : "HVM64" },
"i2.8xlarge" : { "Arch" : "HVM64" },
"d2.xlarge" : { "Arch" : "HVM64" },
"d2.2xlarge" : { "Arch" : "HVM64" },
"d2.4xlarge" : { "Arch" : "HVM64" },
"d2.8xlarge" : { "Arch" : "HVM64" },
"hi1.4xlarge" : { "Arch" : "HVM64" },
"hs1.8xlarge" : { "Arch" : "HVM64" },
"cr1.8xlarge" : { "Arch" : "HVM64" },
"cc2.8xlarge" : { "Arch" : "HVM64" }
},
"AWSRegionArch2AMI" : {
"us-east-1" : {"HVM64" : "ami-0ff8a91507f77f867", "HVMG2" :
"ami-0a584ac55a7631c0c"},
"us-west-2" : {"HVM64" : "ami-a0cfeed8", "HVMG2" : "ami-0e09505bc235aa82d"},
"us-west-1" : {"HVM64" : "ami-0bdb828fd58c52235", "HVMG2" :
"ami-066ee5fd4a9ef77f1"},
"eu-west-1" : {"HVM64" : "ami-047bb4163c506cd98", "HVMG2" :
"ami-0a7c483d527806435"},
"eu-west-2" : {"HVM64" : "ami-f976839e", "HVMG2" : "NOT_SUPPORTED"},
"eu-west-3" : {"HVM64" : "ami-0ebc281c20e89ba4b", "HVMG2" : "NOT_SUPPORTED"},
"eu-central-1" : {"HVM64" : "ami-0233214e13e500f77", "HVMG2" :
"ami-06223d46a6d0661c7"},
"ap-northeast-1" : {"HVM64" : "ami-06cd52961ce9f0d85", "HVMG2" :
"ami-053cdd503598e4a9d"},
"ap-northeast-2" : {"HVM64" : "ami-0a10b2721688ce9d2", "HVMG2" : "NOT_SUPPORTED"},
"ap-northeast-3" : {"HVM64" : "ami-0d98120a9fb693f07", "HVMG2" : "NOT_SUPPORTED"},
"ap-southeast-1" : {"HVM64" : "ami-08569b978cc4dfa10", "HVMG2" :
"ami-0be9df32ae9f92309"},
"ap-southeast-2" : {"HVM64" : "ami-09b42976632b27e9b", "HVMG2" :
"ami-0a9ce9fecc3d1daf8"},
"ap-south-1" : {"HVM64" : "ami-0912f71e06545ad88", "HVMG2" :
"ami-097b15e89dbdcfcf4"},
"us-east-2" : {"HVM64" : "ami-0b59bfac6be064b78", "HVMG2" : "NOT_SUPPORTED"},
"ca-central-1" : {"HVM64" : "ami-0b18956f", "HVMG2" : "NOT_SUPPORTED"},
"sa-east-1" : {"HVM64" : "ami-07b14488da8ea02a0", "HVMG2" : "NOT_SUPPORTED"},
"cn-north-1" : {"HVM64" : "ami-0a4eaf6c4454eda75", "HVMG2" : "NOT_SUPPORTED"},
"cn-northwest-1" : {"HVM64" : "ami-6b6a7d09", "HVMG2" : "NOT_SUPPORTED"}
}
},
"Resources" : {
"Metadata" : {
"Comment" : "Install a simple PHP application",
"config" : {
"packages" : {
"yum" : {
"httpd" : [],
"php" : []

55
}
},
"files" : {
"content" : { "Fn::Join" : ["", [
"<?php\n",
"?>\n"
]]},
"mode" : "000644",
"owner" : "apache",
"group" : "apache"
},
"content" : { "Fn::Join" : ["", [
"[main]\n",
"stack=", { "Ref" : "AWS::StackId" }, "\n",
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
},
WebServerInstance ",
" --region ", { "Ref" :
"AWS::Region" }, "\n",
"runas=root\n"
]]}
}
},
"services" : {
"sysvinit" : {
"httpd" : { "enabled" : "true", "ensureRunning" : "true" },
"cfn-hup" : { "enabled" : "true", "ensureRunning" : "true",
"files" : ["/etc/cfn/cfn-hup.conf", "/etc/cfn/hooks.d/cfn-auto-
reloader.conf"]}
}
}
}
}
},
"Properties": {


56
Create the Initial Stack

"# Start up the cfn-hup daemon to listen for changes to the Web Server
metadata\n",
"# Signal the status from cfn-init\n",

]]}}
},
"CreationPolicy" : {
"ResourceSignal" : {
"Timeout" : "PT5M"
}
}
},
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80",
{"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" :
"0.0.0.0/0"}
]
}
}
},
"Outputs" : {
"WebsiteURL" : {
"Description" : "Application URL",
"Value" : { "Fn::Join" : ["", ["http://", { "Fn::GetAtt" : [ "WebServerInstance",
"PublicDnsName" ]}]] }
}
}
}
This example uses a single Amazon EC2 instance, but you can use the same mechanisms on more
complex solutions that make use of Elastic Load Balancers and Auto Scaling groups to manage a
collection of application servers. There are, however, some special considerations for Auto Scaling
groups. For more information, see Updating Auto Scaling Groups (p. 60).
Create the Initial Stack

For the purposes of this example, we’ll use the AWS Management Console to create an initial stack from
the sample template.
Warning
Completing this procedure will deploy live AWS services. You will be charged the standard usage
rates as long as these services are running.
To create the stack from the AWS Management Console
1. Copy the previous template and save it locally on your system as a text file. Note the location
because you'll need to use the file in a subsequent step.
2. Log in to the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation .

57
Update the Application
3. Click Create New Stack.

4. In the Create New Stack wizard, on the Select Template screen, type UpdateTutorial in the
Name field. On the same page, select Upload a template to Amazon S3 and browse to the file that
you downloaded in the first step, and then click Next.
5. On the Specify Parameters screen, in the Instance Type box, type t1.micro. Then click Next.
6. On the Options screen, click Next.
7. On the Review screen, verify that all the settings are as you want them, and then click Create.
After the status of your stack is CREATE_COMPLETE, the output tab will display the URL of your website.
If you click the value of the WebsiteURL output, you will see your new PHP application working.

Now that we have deployed the stack, let's update the application. We'll make a simple change to the
text that is printed out by the application. To do so, we’ll add an echo command to the index.php file as
shown in this template snippet:
"Metadata" : {
"config" : {
:
"files" : {
"content" : { "Fn::Join" : ["", [
"<?php\n",
"echo 'Updated version via UpdateStack';\n ",
"?>\n"
]]},
"mode" : "000644",
"owner" : "apache",
"group" : "apache"
},
}
},
Use a text editor to manually edit the template file that you saved locally.
Now, we'll update the stack.
To update the stack from the AWS Management Console
1. Log in to the AWS CloudFormation console, at: https://console.aws.amazon.com/cloudformation.

2. On the AWS CloudFormation dashboard, click the stack you created previously, and then click
Update Stack.
3. In the Update Stack wizard, on the Select Template screen, select Upload a template to Amazon
S3, select the modified template, and then click Next.
5. Click Next because the stack doesn't have a stack policy. All resources can be updated without an
overriding policy.

58
6. On the Review screen, verify that all the settings are as you want them, and then click Update.
If you update the stack from the AWS Management Console, you will notice that the parameters that
were used to create the initial stack are prepopulated on the Parameters page of the Update Stack
wizard. If you use the aws cloudformation update-stack command, be sure to type in the same
values for the parameters that you used originally to create the stack.
When your stack is in the UPDATE_COMPLETE state, you can click the WebsiteURL output value again
to verify that the changes to your application have taken effect. By default, the cfn-hup daemon runs
every 15 minutes, so it may take up to 15 minutes for the application to change once the stack has been
updated.
To see the set of resources that were updated, go to the AWS CloudFormation console. On the Events
tab, look at the stack events. In this particular case, the metadata for the Amazon EC2 instance
WebServerInstance was updated, which caused AWS CloudFormation to also reevaluate the other
resources (WebServerSecurityGroup) to ensure that there were no other changes. None of the other
stack resources were modified. AWS CloudFormation will update only those resources in the stack that
are affected by any changes to the stack. Such changes can be direct, such as property or metadata
changes, or they can be due to dependencies or data flows through Ref, GetAtt, or other intrinsic
template functions.
This simple update illustrates the process; however, you can make much more complex changes to the
files and packages that are deployed to your Amazon EC2 instances. For example, you might decide that
you need to add MySQL to the instance, along with PHP support for MySQL. To do so, simply add the
additional packages and files along with any additional services to the configuration and then update the
stack to deploy the changes. In the following template snippet, the changes are highlighted in red:
"Metadata" : {
"config" : {
"packages" : {
"yum" : {
"httpd" : [],
"php" : [],
"php-mysql" : [],
"mysql-server" : [],
"mysql-libs" : [],
"mysql" : []
}
},
"services" : {
"sysvinit" : {
reloader.conf"]},
"mysqld" : { "enabled" : "true", "ensureRunning" : "true" }
}
}
}
}
},
"Properties": {
:

59
Changing Resource Properties
}
}
You can update the CloudFormation metadata to update to new versions of the packages used by the
application. In the previous examples, the version property for each package is empty, indicating that
cfn-init should install the latest version of the package.
"packages" : {
"yum" : {
"httpd" : [],
"php" : []
}
You can optionally specify a version string for a package. If you change the version string in subsequent
update stack calls, the new version of the package will be deployed. Here's an example of using version
numbers for RubyGems packages. Any package that supports versioning can have specific versions.
"packages" : {
"rubygems" : {
"mysql" : [],
"rubygems-update" : ["1.6.2"],
"rake" : ["0.8.7"],
"rails" : ["2.3.11"]
}
}
Updating Auto Scaling Groups

If you are using Auto Scaling groups in your template, as opposed to Amazon EC2 instance resources,
updating the application will work in exactly the same way; however, AWS CloudFormation does not
provide any synchronization or serialization across the Amazon EC2 instances in an Auto Scaling group.
The cfn-hup daemon on each host will run independently and update the application on its own
schedule. When you use cfn-hup to update the on-instance configuration, each instance will run the cfn-
hup hooks on its own schedule; there is no coordination between the instances in the stack. You should
consider the following:
• If the cfn-hup changes run on all Amazon EC2 instances in the Auto Scaling group at the same time,
your service might be unavailable during the update.
• If the cfn-hup changes run at different times, old and new versions of the software may be running at
the same.
To avoid these issues, consider forcing a rolling update on your instances in the Auto Scaling group. For
more information, see UpdatePolicy Attribute (p. 3771).

With AWS CloudFormation, you can change the properties of an existing resource in the stack. The
following sections describe various updates that solve specific problems; however, any property of any
resource that supports updating in the stack can be modified as necessary.
Update the Instance Type

The stack we have built so far uses a t1.micro Amazon EC2 instance. Let's suppose that your newly
created website is getting more traffic than a t1.micro instance can handle, and now you want to move
to an m1.small Amazon EC2 instance type. If the architecture of the instance type changes, the instance

60
will be created with a different AMI. If you check out the mappings in the template, you will see that
both the t1.micro and m1.small are the same architectures and use the same Amazon Linux AMIs.
"Mappings" : {
"t1.micro" : { "Arch" : "HVM64" },
"t2.nano" : { "Arch" : "HVM64" },
"t2.micro" : { "Arch" : "HVM64" },
"t2.small" : { "Arch" : "HVM64" },
"t2.large" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "HVM64" },
"m1.large" : { "Arch" : "HVM64" },
"m2.2xlarge" : { "Arch" : "HVM64" },
"m2.4xlarge" : { "Arch" : "HVM64" },
"m3.large" : { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"m4.large" : { "Arch" : "HVM64" },
"m4.2xlarge" : { "Arch" : "HVM64" },
"m4.4xlarge" : { "Arch" : "HVM64" },
"m4.10xlarge" : { "Arch" : "HVM64" },
"c3.large" : { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },
"c3.8xlarge" : { "Arch" : "HVM64" },
"c4.large" : { "Arch" : "HVM64" },
"c4.2xlarge" : { "Arch" : "HVM64" },
"c4.4xlarge" : { "Arch" : "HVM64" },
"c4.8xlarge" : { "Arch" : "HVM64" },
"r3.large" : { "Arch" : "HVM64" },
"r3.2xlarge" : { "Arch" : "HVM64" },
"r3.4xlarge" : { "Arch" : "HVM64" },
"r3.8xlarge" : { "Arch" : "HVM64" },
"i2.2xlarge" : { "Arch" : "HVM64" },
"i2.4xlarge" : { "Arch" : "HVM64" },
"i2.8xlarge" : { "Arch" : "HVM64" },
"d2.2xlarge" : { "Arch" : "HVM64" },
"d2.4xlarge" : { "Arch" : "HVM64" },
"d2.8xlarge" : { "Arch" : "HVM64" },
},
"ami-0a584ac55a7631c0c"},

61

"ami-0a7c483d527806435"},
"ami-06223d46a6d0661c7"},
"ami-053cdd503598e4a9d"},
}
Let's use the template that we modified in the previous section to change the instance type. Because
InstanceType was an input parameter to the template, we don't need to modify the template; we can
simply change the value of the parameter in the Stack Update wizard, on the Specify Parameters page.
To update the stack from the AWS Management Console
1. Log in to the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

2. On the AWS CloudFormation dashboard, click the stack you created previously, and then click
Update Stack.
3. In the Update Stack wizard, on the Select Template screen, select Use current template, and then
click Next.
The Specify Details page appears with the parameters that were used to create the initial stack are
pre-populated in the Specify Parameters section.
4. Change the value of the InstanceType text box from t1.micro to m1.small. Then, click Next.
6. Click Next because the stack doesn't have a stack policy. All resources can be updated without an
overriding policy.
7. On the Review screen, verify that all the settings are as you want them, and then click Update.
You can dynamically change the instance type of an EBS-backed Amazon EC2 instance by starting and
stopping the instance. AWS CloudFormation tries to optimize the change by updating the instance type
and restarting the instance, so the instance ID does not change. When the instance is restarted, however,
the public IP address of the instance does change. To ensure that the Elastic IP address is bound correctly
after the change, AWS CloudFormation will also update the Elastic IP address. You can see the changes in
the AWS CloudFormation console on the Events tab.
To check the instance type from the AWS Management Console, open the Amazon EC2 console, and
locate your instance there.
Update the AMI on an Amazon EC2 instance

Now let's look at how we might change the Amazon Machine Image (AMI) running on the instance.
We will trigger the AMI change by updating the stack to use a new Amazon EC2 instance type, such as
t2.medium, which is an HVM64 instance type.

62
Adding Resource Properties
As in the previous section, we’ll use our existing template to change the instance type used by our
example stack. In the Stack Update wizard, on the Specify Parameters page, change the value of the
Instance Type.
In this case, we cannot simply start and stop the instance to modify the AMI; AWS CloudFormation
considers this a change to an immutable property of the resource. In order to make a change to an
immutable property, AWS CloudFormation must launch a replacement resource, in this case a new
Amazon EC2 instance running the new AMI.
After the new instance is running, AWS CloudFormation updates the other resources in the stack to point
to the new resource. When all new resources are created, the old resource is deleted, a process known
as UPDATE_CLEANUP. This time, you will notice that the instance ID and application URL of the instance
in the stack has changed as a result of the update. The events in the Event table contain a description
"Requested update has a change to an immutable property and hence creating a new physical resource"
to indicate that a resource was replaced.
If you have application code written into the AMI that you want to update, you can use the same stack
update mechanism to update the AMI to load your new application.
To update the AMI for an instance on your stack
1. Create your new AMIs containing your application or operating system changes. For more
information, go to Creating Your Own AMIs in the Amazon EC2 User Guide for Linux Instances.
2. Update your template to incorporate the new AMI IDs.
3. Update the stack, either from the AWS Management Console as explained in Update the
Application (p. 58) or by using the AWS command aws cloudformation update-stack.
When you update the stack, AWS CloudFormation detects that the AMI ID has changed, and then it
triggers a stack update in the same way as we triggered the one above.
Update the Amazon EC2 Launch Configuration for an Auto

Scaling Group
If you are using Auto Scaling groups rather than Amazon EC2 instances, the process of updating the
running instances is a little different. With Auto Scaling resources, the configuration of the Amazon
EC2 instances, such as the instance type or the AMI ID is encapsulated in the Auto Scaling launch
configuration. You can make changes to the launch configuration in the same way as we made
changes to the Amazon EC2 instance resources in the previous sections. However, changing the launch
configuration does not impact any of the running Amazon EC2 instances in the Auto Scaling group. An
updated launch configuration applies only to new instances that are created after the update.
If you want to propagate the change to your launch configuration across all the instances in your
Auto Scaling group, you can use an update attribute. For more information, see UpdatePolicy
Attribute (p. 3771).
Adding Resource Properties

So far, we've looked at changing existing properties of a resource in a template. You can also add
properties that were not originally specified in the template. To illustrate that, we’ll add an Amazon EC2
key pair to an existing EC2 instance and then open up port 22 in the Amazon EC2 Security Group so that
you can use Secure Shell (SSH) to access the instance.

63
Change the Stack's Resources
Add a Key Pair to an Instance

To add SSH access to an existing Amazon EC2 instance
1. Add two additional parameters to the template to pass in the name of an existing Amazon EC2 key
pair and SSH location.
"Parameters" : {
"KeyName" : {
"Description" : "Name of an existing Amazon EC2 key pair for SSH access",
},
"SSHLocation" : {
"Description" : " The IP address range that can be used to SSH to the EC2
instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
}
:
},
2. Add the KeyName property to the Amazon EC2 instance.
:
"Properties": {
:
:
}
},
3. Add port 22 and the SSH location to the ingress rules for the Amazon EC2 security group.
"Properties" : {
"GroupDescription" : "Enable HTTP and SSH",
{ "Ref" : "SSHLocation"}},
"0.0.0.0/0"}
]
}
},
4. Update the stack, either from the AWS Management Console as explained in Update the
Application (p. 58) or by using the AWS command aws cloudformation update-stack.

Since application needs can change over time, AWS CloudFormation allows you to change the set of
resources that make up the stack. To demonstrate, we’ll take the single instance application from Adding

64
Resource Properties (p. 63) and convert it to an auto-scaled, load-balanced application by updating
the stack.
This will create a simple, single instance PHP application using an Elastic IP address. We'll now turn the
application into a highly available, auto-scaled, load balanced application by changing its resources
during an update.
1. Add an Elastic Load Balancer resource.
"ElasticLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"CrossZone" : "true",
"AvailabilityZones" : { "Fn::GetAZs" : "" },
"LBCookieStickinessPolicy" : [ {
"PolicyName" : "CookieBasedPolicy",
"CookieExpirationPeriod" : "30"
} ],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP",
"PolicyNames" : [ "CookieBasedPolicy" ]
} ],
"HealthCheck" : {
"Target" : "HTTP:80/",
"HealthyThreshold" : "2",
"UnhealthyThreshold" : "5",
"Interval" : "10",
"Timeout" : "5"
}
}
}
2. Convert the EC2 instance in the template into an Auto Scaling Launch Configuration. The properties
are identical, so we only need to change the type name from:
to:
"LaunchConfig": {
"Type" : "AWS::AutoScaling::LaunchConfiguration",
For clarity in the template, we changed the name of the resource from WebServerInstance to
LaunchConfig, so you’ll need to update the resource name referenced by cfn-init and cfn-hup (just
search for WebServerInstance and replace it with LaunchConfig, except for cfn-signal). For cfn-
signal, you'll need to signal the Auto Scaling group (WebServerGroup) not the instance, as shown in
the following snippet:

" --resource WebServerGroup ",
3. Add an Auto Scaling Group resource.

65
"WebServerGroup" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"LaunchConfigurationName" : { "Ref" : "LaunchConfig" },
"MinSize" : "1",
"DesiredCapacity" : "1",
"MaxSize" : "5",
"LoadBalancerNames" : [ { "Ref" : "ElasticLoadBalancer" } ]
},
"Timeout" : "PT15M"
}
},
"UpdatePolicy": {
"AutoScalingRollingUpdate": {
"MinInstancesInService": "1",
"MaxBatchSize": "1",
"PauseTime" : "PT15M",
"WaitOnResourceSignals": "true"
}
}
}
4. Update the Security Group definition to lock down the traffic to the instances from the load
balancer.
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80 locked down to the ELB and
SSH access",
{"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80",
"SourceSecurityGroupOwnerId" : {"Fn::GetAtt" : ["ElasticLoadBalancer",
"SourceSecurityGroup.OwnerAlias"]},
"SourceSecurityGroupName" : {"Fn::GetAtt" : ["ElasticLoadBalancer",
"SourceSecurityGroup.GroupName"]}},
{ "Ref" : "SSHLocation"}}
]
}
}
5. Update the Outputs to return the DNS Name of the Elastic Load Balancer as the location of the
application from:
"WebsiteURL" : {
"Value" : { "Fn::Join" : ["", ["http://",
{ "Fn::GetAtt" : [ "WebServerInstance", "PublicDnsName" ]}]]},
"Description" : "Application URL"
}
to:
"WebsiteURL" : {
"Value" : { "Fn::Join" : ["", ["http://",
{ "Fn::GetAtt" : [ "ElasticLoadBalancer", "DNSName" ]}]]},

66
"Description" : "Application URL"

}
For reference, the following sample shows the complete template. If you use this template to update the
stack, you will convert your simple, single instance application into a highly available, multi-AZ, auto-
scaled and load balanced application. Only the resources that need to be updated will be altered, so had
there been any data stores for this application, the data would have remained intact. Now, you can use
AWS CloudFormation to grow or enhance your stacks as your requirements change.
{
"Description" : "AWS CloudFormation Sample Template: Sample template that can be used to
test EC2 updates. **WARNING** This template creates an Amazon Ec2 Instance. You will be
billed for the AWS resources used if you create a stack from this template.",
"Parameters" : {
"KeyName": {
instance",
},
"SSHLocation" : {
"Description" : " The IP address range that can be used to SSH to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
},
"InstanceType" : {
"Type" : "String",
"AllowedValues" : [
"t1.micro",
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c1.medium",

67
"c1.xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"g2.2xlarge",
"g2.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
"cg1.4xlarge"
],
}
},
"Mappings" : {
"t1.micro" : { "Arch" : "HVM64" },
"t2.nano" : { "Arch" : "HVM64" },
"t2.micro" : { "Arch" : "HVM64" },
"t2.small" : { "Arch" : "HVM64" },
"t2.large" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "HVM64" },
"m1.large" : { "Arch" : "HVM64" },
"m2.2xlarge" : { "Arch" : "HVM64" },
"m2.4xlarge" : { "Arch" : "HVM64" },
"m3.large" : { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"m4.large" : { "Arch" : "HVM64" },
"m4.2xlarge" : { "Arch" : "HVM64" },
"m4.4xlarge" : { "Arch" : "HVM64" },
"m4.10xlarge" : { "Arch" : "HVM64" },
"c3.large" : { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },

68
"c3.8xlarge" : { "Arch" : "HVM64" },

"c4.large" : { "Arch" : "HVM64" },
"c4.2xlarge" : { "Arch" : "HVM64" },
"c4.4xlarge" : { "Arch" : "HVM64" },
"c4.8xlarge" : { "Arch" : "HVM64" },
"r3.large" : { "Arch" : "HVM64" },
"r3.2xlarge" : { "Arch" : "HVM64" },
"r3.4xlarge" : { "Arch" : "HVM64" },
"r3.8xlarge" : { "Arch" : "HVM64" },
"i2.2xlarge" : { "Arch" : "HVM64" },
"i2.4xlarge" : { "Arch" : "HVM64" },
"i2.8xlarge" : { "Arch" : "HVM64" },
"d2.2xlarge" : { "Arch" : "HVM64" },
"d2.4xlarge" : { "Arch" : "HVM64" },
"d2.8xlarge" : { "Arch" : "HVM64" },
},
"ami-0a584ac55a7631c0c"},
"ami-0a7c483d527806435"},
"ami-06223d46a6d0661c7"},
"ami-053cdd503598e4a9d"},
}
},
"Resources" : {
"Properties" : {
"LBCookieStickinessPolicy" : [ {
"PolicyName" : "CookieBasedPolicy",
"CookieExpirationPeriod" : "30"

69
} ],
"Listeners" : [ {
"Protocol" : "HTTP",
"PolicyNames" : [ "CookieBasedPolicy" ]
} ],
"HealthCheck" : {
"Interval" : "10",
"Timeout" : "5"
}
}
},
"Properties" : {
"MinSize" : "1",
"MaxSize" : "5",
},
"Timeout" : "PT15M"
}
},
"UpdatePolicy": {
}
}
},
"LaunchConfig": {
"Metadata" : {
"config" : {
"packages" : {
"yum" : {
"httpd" : [],
"php" : []
}
},
"files" : {
"content" : { "Fn::Join" : ["", [
"<?php\n",
"echo 'Updated version via UpdateStack';\n ",
"?>\n"
]]},
"mode" : "000644",
"owner" : "apache",

70
"group" : "apache"
},
"content" : { "Fn::Join" : ["", [
"[main]\n",
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
},
"path=Resources.LaunchConfig.Metadata.AWS::CloudFormation::Init\n",
LaunchConfig ",
" --region ", { "Ref" :
"AWS::Region" }, "\n",
"runas=root\n"
]]}
}
},
"services" : {
"sysvinit" : {
reloader.conf"]}
}
}
}
}
},
"Properties": {

" --resource LaunchConfig ",
"# Start up the cfn-hup daemon to listen for changes to the Web Server
metadata\n",


71
Availability and Impact Considerations

]]}}
}
},
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80 locked down to the ELB and SSH
access",
{"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80",
"SourceSecurityGroup.OwnerAlias"]},"SourceSecurityGroupName" : {"Fn::GetAtt" :
["ElasticLoadBalancer", "SourceSecurityGroup.GroupName"]}},
"SSHLocation"}}
]
}
}
},
"Outputs" : {
"WebsiteURL" : {
"Description" : "Application URL",
"Value" : { "Fn::Join" : ["", ["http://", { "Fn::GetAtt" : [ "ElasticLoadBalancer",
"DNSName" ]}]] }
}
}
}
Availability and Impact Considerations

Different properties have different impacts on the resources in the stack. You can use AWS
CloudFormation to update any property; however, before you make any changes, you should consider
these questions:
1. How does the update affect the resource itself? For example, updating an alarm threshold will render
the alarm inactive during the update. As we have seen, changing the instance type requires that the
instance be stopped and restarted. AWS CloudFormation uses the Update or Modify actions for the
underlying resources to make changes to resources. To understand the impact of updates, you should
check the documentation for the specific resources.
2. Is the change mutable or immutable? Some changes to resource properties, such as changing
the AMI on an Amazon EC2 instance, are not supported by the underlying services. In the case of
mutable changes, AWS CloudFormation will use the Update or Modify type APIs for the underlying
resources. For immutable property changes, AWS CloudFormation will create new resources with
the updated properties and then link them to the stack before deleting the old resources. Although
AWS CloudFormation tries to reduce the down time of the stack resources, replacing a resource is a
multistep process, and it will take time. During stack reconfiguration, your application will not be fully
operational. For example, it may not be able to serve requests or access a database.
Related Resources
For more information about using AWS CloudFormation to start applications and on integrating with
other configuration and deployment services such as Puppet and Opscode Chef, see the following
whitepapers:
• Bootstrapping Applications via AWS CloudFormation

72
Related Resources
• Integrating AWS CloudFormation with Opscode Chef

• Integrating AWS CloudFormation with Puppet
The template used throughout this section is a "Hello, World" PHP application. The template library
also has an Amazon ElastiCache sample template that shows how to integrate a PHP application with
ElasticCache using cfn-hup and cfn-init to respond to changes in the Amazon ElastiCache Cache Cluster
configuration, all of which can be performed by Update Stack.

73
Organize Your Stacks By Lifecycle and Ownership
AWS CloudFormation Best Practices

Best practices are recommendations that can help you use AWS CloudFormation more effectively and
securely throughout its entire workflow. Learn how to plan and organize your stacks, create templates
that describe your resources and the software applications that run on them, and manage your stacks
and their resources. The following best practices are based on real-world experience from current AWS
CloudFormation customers.
Planning and organizing

• Organize Your Stacks By Lifecycle and Ownership (p. 74)
• Use Cross-Stack References to Export Shared Resources (p. 75)
• Use IAM to Control Access (p. 75)
• Reuse Templates to Replicate Stacks in Multiple Environments (p. 76)
• Verify Quotas for All Resource Types (p. 75)
• Use Nested Stacks to Reuse Common Template Patterns (p. 76)
Creating templates
• Do Not Embed Credentials in Your Templates (p. 76)
• Use AWS-Specific Parameter Types (p. 77)
• Use Parameter Constraints (p. 77)
• Use AWS::CloudFormation::Init to Deploy Software Applications on Amazon EC2
Instances (p. 77)
• Use the Latest Helper Scripts (p. 77)
• Validate Templates Before Using Them (p. 78)
Managing stacks
• Manage All Stack Resources Through AWS CloudFormation (p. 78)
• Create Change Sets Before Updating Your Stacks (p. 78)
• Use Stack Policies (p. 78)
• Use AWS CloudTrail to Log AWS CloudFormation Calls (p. 79)
• Use Code Reviews and Revision Controls to Manage Your Templates (p. 79)
• Update Your Amazon EC2 Linux Instances Regularly (p. 79)
Organize Your Stacks By Lifecycle and Ownership

Use the lifecycle and ownership of your AWS resources to help you decide what resources should go
in each stack. Initially, you might put all your resources in one stack, but as your stack grows in scale
and broadens in scope, managing a single stack can be cumbersome and time consuming. By grouping
resources with common lifecycles and ownership, owners can make changes to their set of resources by
using their own process and schedule without affecting other resources.
For example, imagine a team of developers and engineers who own a website that is hosted on
autoscaling instances behind a load balancer. Because the website has its own lifecycle and is maintained
by the website team, you can create a stack for the website and its resources. Now imagine that the
website also uses back-end databases, where the databases are in a separate stack that are owned and
maintained by database administrators. Whenever the website team or database team needs to update
their resources, they can do so without affecting each other's stack. If all resources were in a single stack,
coordinating and communicating updates can be difficult.

74
Use Cross-Stack References to Export Shared Resources
For additional guidance about organizing your stacks, you can use two common frameworks: a multi-
layered architecture and service-oriented architecture (SOA).
A layered architecture organizes stacks into multiple horizontal layers that build on top of one another,
where each layer has a dependency on the layer directly below it. You can have one or more stacks in
each layer, but within each layer, your stacks should have AWS resources with similar lifecycles and
ownership.
With a service-oriented architecture, you can organize big business problems into manageable parts.
Each of these parts is a service that has a clearly defined purpose and represents a self-contained unit of
functionality. You can map these services to a stack, where each stack has its own lifecycle and owners.
All of these services (stacks) can be wired together so that they can interact with one another.
Use Cross-Stack References to Export Shared

Resources
When you organize your AWS resources based on lifecycle and ownership, you might want to build a
stack that uses resources that are in another stack. You can hard-code values or use input parameters
to pass resource names and IDs. However, these methods can make templates difficult to reuse or can
increase the overhead to get a stack running. Instead, use cross-stack references to export resources from
a stack so that other stacks can use them. Stacks can use the exported resources by calling them using
the Fn::ImportValue function.
For example, you might have a network stack that includes a VPC, a security group, and a subnet. You
want all public web applications to use these resources. By exporting the resources, you allow all stacks
with public web applications to use them. For more information, see Walkthrough: Refer to Resource
Outputs in Another AWS CloudFormation Stack (p. 321).
Use IAM to Control Access

IAM is an AWS service that you can use to manage users and their permissions in AWS. You can use
IAM with AWS CloudFormation to specify what AWS CloudFormation actions users can perform, such
as viewing stack templates, creating stacks, or deleting stacks. Furthermore, anyone managing AWS
CloudFormation stacks will require permissions to resources within those stacks. For example, if users
want to use AWS CloudFormation to launch, update, or terminate Amazon EC2 instances, they must have
permission to call the relevant Amazon EC2 actions.
In most cases, users require full access to manage all of the resources in a template. AWS
CloudFormation makes calls to create, modify, and delete those resources on their behalf. To
separate permissions between a user and the AWS CloudFormation service, use a service role. AWS
CloudFormation uses the service role's policy to make calls instead of the user's policy. For more
information, see AWS CloudFormation Service Role (p. 18).
Verify Quotas for All Resource Types

Before launching a stack, ensure that you can create all the resources that you want without hitting
your AWS account limits. If you hit a limit, AWS CloudFormation won't create your stack successfully
until you increase your quota or delete extra resources. Each service can have various limits that you
should be aware of before launching a stack. For example, by default, you can only launch 200 AWS
CloudFormation stacks per region in your AWS account. For more information about limits and how to
increase the default limits, see AWS Service Limits in the AWS General Reference.

75
Reuse Templates to Replicate
Stacks in Multiple Environments
Reuse Templates to Replicate Stacks in Multiple

Environments
After you have your stacks and resources set up, you can reuse your templates to replicate your
infrastructure in multiple environments. For example, you can create environments for development,
testing, and production so that you can test changes before implementing them into production. To
make templates reusable, use the parameters, mappings, and conditions sections so that you can
customize your stacks when you create them. For example, for your development environments,
you can specify a lower-cost instance type compared to your production environment, but all other
configurations and settings remain the same. For more information about parameters, mappings, and
conditions, see Template Anatomy (p. 210).
Use Nested Stacks to Reuse Common Template

Patterns
As your infrastructure grows, common patterns can emerge in which you declare the same components
in each of your templates. You can separate out these common components and create dedicated
templates for them. That way, you can mix and match different templates but use nested stacks to create
a single, unified stack. Nested stacks are stacks that create other stacks. To create nested stacks, use the
AWS::CloudFormation::Stack resource in your template to reference other templates.
For example, assume that you have a load balancer configuration that you use for most of your stacks.
Instead of copying and pasting the same configurations into your templates, you can create a dedicated
template for the load balancer. Then, you just use the AWS::CloudFormation::Stack resource to reference
that template from within other templates. If the load balancer template is updated, any stack that
is referencing it will use the updated load balancer (only after you update the stack). In addition to
simplifying updates, this approach lets you use experts to create and maintain components that you
might not be necessarily familiar with. All you need to do is reference their templates.
Do Not Embed Credentials in Your Templates

Rather than embedding sensitive information in your AWS CloudFormation templates, we strongly
suggest you do one of the following:
• Use input parameters to pass in information whenever you create or update a stack, using the NoEcho
property to obfuscate the parameter value.
• Use dynamic parameters in the stack template to reference sensitive information that is stored and
managed outside of CloudFormation, such as in the Systems Manager Parameter Store or Secrets
Manager.
Using Input Parameters with NoEcho for Credentials

Define input parameters in your stack template, so that users can pass in sensitive information whenever
they create or update a stack. If you set the NoEcho attribute to true, CloudFormation returns the
parameter value masked as asterisks (*****) for any calls that describe the stack or stack events.
For example, suppose your stack creates a new database instance. When the database is created,
AWS CloudFormation needs to pass a database administrator password. You can pass in a password
by using an input parameter instead of embedding it in your template. For more information, see
Parameters (p. 237).

76
Using Dynamic References to Retrieve Credentials
Using Dynamic References to Retrieve Credentials

Dynamic references provide a compact, powerful way for you to reference external values that are stored
and managed in other services, such as the Systems Manager Parameter Store or Secrets Manager.
When you use a dynamic reference, CloudFormation retrieves the value of the specified reference when
necessary during stack and change set operations, and passes the value to the appropriate resource.
However, CloudFormation never stores the actual parameter value. For more information, see Using
Dynamic References to Specify Template Values.
For more information on defining template parameters, see Parameters (p. 237).
Use AWS-Specific Parameter Types

If your template requires inputs for existing AWS-specific values, such as existing Amazon Virtual Private
Cloud IDs or an Amazon EC2 key pair name, use AWS-specific parameter types. For example, you can
specify a parameter as type AWS::EC2::KeyPair::KeyName, which takes an existing key pair name
that is in your AWS account and in the region where you are creating the stack. AWS CloudFormation
can quickly validate values for AWS-specific parameter types before creating your stack. Also, if you use
the AWS CloudFormation console, AWS CloudFormation shows a drop-down list of valid values, so you
don't have to look up or memorize the correct VPC IDs or key pair names. For more information, see
Parameters (p. 237).
Use Parameter Constraints

With constraints, you can describe allowed input values so that AWS CloudFormation catches any invalid
values before creating a stack. You can set constraints such as a minimum length, maximum length, and
allowed patterns. For example, you can set constraints on a database user name value so that it must be
a minimum length of eight character and contain only alpha-numeric characters. For more information,
see Parameters (p. 237).
Use AWS::CloudFormation::Init to Deploy Software

Applications on Amazon EC2 Instances
When you launch stacks, you can install and configure software applications on Amazon EC2 instances
by using the cfn-init helper script and the AWS::CloudFormation::Init resource. By using
AWS::CloudFormation::Init, you can describe the configurations that you want rather than
scripting procedural steps. You can also update configurations without recreating instances. And if
anything goes wrong with your configuration, AWS CloudFormation generates logs that you can use to
investigate issues.
In your template, specify installation and configuration states in the AWS::CloudFormation::Init

resource. For a walkthrough that shows how to use cfn-init and AWS::CloudFormation::Init, see
Deploying Applications on Amazon EC2 with AWS CloudFormation (p. 333).
Use the Latest Helper Scripts

The helper scripts (p. 3828) are updated periodically. Be sure you include the following command in the
UserData property of your template before you call the helper scripts to ensure that your launched
instances get the latest helper scripts:

77
Validate Templates Before Using Them
yum install -y aws-cfn-bootstrap
For more information about getting the latest helper scripts, see the CloudFormation Helper Scripts
Reference (p. 3828).
Validate Templates Before Using Them

Before you use a template to create or update a stack, you can use AWS CloudFormation to validate
it. Validating a template can help you catch syntax and some semantic errors, such as circular
dependencies, before AWS CloudFormation creates any resources. If you use the AWS CloudFormation
console, the console automatically validates the template after you specify input parameters. For the
AWS CLI or AWS CloudFormation API, use the aws cloudformation validate-template command or
ValidateTemplate action.
During validation, AWS CloudFormation first checks if the template is valid JSON. If it isn't, AWS
CloudFormation checks if the template is valid YAML. If both checks fail, AWS CloudFormation returns a
template validation error.
Manage All Stack Resources Through AWS

CloudFormation
After you launch a stack, use the AWS CloudFormation console, API, or AWS CLI to update resources
in your stack. Do not make changes to stack resources outside of AWS CloudFormation. Doing so can
create a mismatch between your stack's template and the current state of your stack resources, which
can cause errors if you update or delete the stack. For more information, see Walkthrough: Updating a
Stack (p. 50).
Create Change Sets Before Updating Your Stacks

Change sets allow you to see how proposed changes to a stack might impact your running resources
before you implement them. AWS CloudFormation doesn't make any changes to your stack until you
execute the change set, allowing you to decide whether to proceed with your proposed changes or create
another change set.
Use change sets to check how your changes might impact your running resources, especially for
critical resources. For example, if you change the name of an Amazon RDS database instance, AWS
CloudFormation will create a new database and delete the old one; you will lose the data in the old
database unless you've already backed it up. If you generate a change set, you will see that your change
will replace your database. This can help you plan before you update your stack. For more information,
see Updating Stacks Using Change Sets (p. 130).
Use Stack Policies

Stack policies help protect critical stack resources from unintentional updates that could cause resources
to be interrupted or even replaced. A stack policy is a JSON document that describes what update
actions can be performed on designated resources. Specify a stack policy whenever you create a stack
that has critical resources.

78
Use AWS CloudTrail to Log AWS CloudFormation Calls
During a stack update, you must explicitly specify the protected resources that you want to update;
otherwise, no changes are made to protected resources. For more information, see Prevent Updates to
Stack Resources (p. 149).
Use AWS CloudTrail to Log AWS CloudFormation

Calls
AWS CloudTrail tracks anyone making AWS CloudFormation API calls in your AWS account. API calls
are logged whenever anyone uses the AWS CloudFormation API, the AWS CloudFormation console,
a back-end console, or AWS CloudFormation AWS CLI commands. Enable logging and specify an
Amazon S3 bucket to store the logs. That way, if you ever need to, you can audit who made what AWS
CloudFormation call in your account. For more information, see Logging AWS CloudFormation API Calls
with AWS CloudTrail (p. 18).
Use Code Reviews and Revision Controls to

Manage Your Templates
Your stack templates describe the configuration of your AWS resources, such as their property values. To
review changes and to keep an accurate history of your resources, use code reviews and revision controls.
These methods can help you track changes between different versions of your templates, which can help
you track changes to your stack resources. Also, by maintaining a history, you can always revert your
stack to a certain version of your template.
Update Your Amazon EC2 Linux Instances

Regularly
On all your Amazon EC2 Linux instances and Amazon EC2 Linux instances created with AWS
CloudFormation, regularly run the yum update command to update the RPM package. This ensures that
you get the latest fixes and security updates.

79
Walkthrough: Building a Pipeline
for Test and Production Stacks
Continuous Delivery with

CodePipeline
Continuous delivery is a release practice in which code changes are automatically built, tested, and
prepared for release to production. With AWS CloudFormation and CodePipeline, you can use continuous
delivery to automatically build and test changes to your AWS CloudFormation templates before
promoting them to production stacks. This release process lets you rapidly and reliably make changes to
your AWS infrastructure.
For example, you can create a workflow that automatically builds a test stack when you submit an
updated template to a code repository. After AWS CloudFormation builds the test stack, you can test
it and then decide whether to push the changes to a production stack. For more information about the
benefits of continuous delivery, see What is Continuous Delivery?.
Use CodePipeline to build a continuous delivery workflow by building a pipeline for AWS
CloudFormation stacks. CodePipeline has built-in integration with AWS CloudFormation, so you can
specify AWS CloudFormation-specific actions, such as creating, updating, or deleting a stack, within a
pipeline. For more information about CodePipeline, see the AWS CodePipeline User Guide.
Topics
• Walkthrough: Building a Pipeline for Test and Production Stacks (p. 80)
• AWS CloudFormation Configuration Properties Reference (p. 87)
• AWS CloudFormation Artifacts (p. 92)
• Using Parameter Override Functions with CodePipeline Pipelines (p. 94)
Walkthrough: Building a Pipeline for Test and

Production Stacks
Imagine a release process where you submit an AWS CloudFormation template, which AWS
CloudFormation then uses to automatically build a test stack. After you review the test stack, you can
preview how your changes will modify your production stack, and then choose whether to implement
them. To accomplish this workflow, you could use AWS CloudFormation to build your test stack, delete
the test stack, create a change set, and then execute the change set. However, with each action, you need
to manually interact with AWS CloudFormation. In this walkthrough, we'll build a CodePipeline pipeline
that automates many of these actions, helping you achieve a continuous delivery workflow with your
AWS CloudFormation stacks.
Prerequisites
This walkthrough assumes that you have used CodePipeline and AWS CloudFormation, and know
how pipelines and AWS CloudFormation templates and stacks work. For more information about
CodePipeline, see the AWS CodePipeline User Guide. You also need to have an Amazon S3 bucket in the
same AWS region in which you will create your pipeline.
Important
The sample Word Press template creates an EC2 instance that requires a connection to the
Internet. Check that you have a default VPC and subnet that allow traffic to the Internet.

80
Walkthrough Overview
This walkthrough builds a pipeline for a sample WordPress site in a stack. The pipeline is separated into
three stages. Each stage must contain at least one action, which is a task the pipeline performs on your
artifacts (your input). A stage organizes actions in a pipeline. CodePipeline must complete all actions in
a stage before the stage processes new artifacts, for example, if you submitted new input to rerun the
pipeline.
By the end of this walkthrough, you'll have a pipeline that performs the following workflow:
1. The first stage of the pipeline retrieves a source artifact (an AWS CloudFormation template and its
configuration files) from a repository.
You'll prepare an artifact that includes a sample WordPress template and upload it to an S3 bucket.
2. In the second stage, the pipeline creates a test stack and then waits for your approval.
After you review the test stack, you can choose to continue with the original pipeline or create and
submit another artifact to make changes. If you approve, this stage deletes the test stack, and then
the pipeline continues to the next stage.
3. In the third stage, the pipeline creates a change set against a production stack, and then waits for your
approval.
In your initial run, you won't have a production stack. The change set shows you all of the resources
that AWS CloudFormation will create. If you approve, this stage executes the change set and builds
your production stack.
Note
AWS CloudFormation is a free service. However, you are charged for the AWS resources, such
as the EC2 instance, that you include in your stack at the current rate for each. For more
information about AWS pricing, see the detail page for each product at http://aws.amazon.com.
Step 1: Edit the Artifact and Upload It to an S3

Bucket
Before you build your pipeline, you must set up your source repository and files. CodePipeline copies
these source files into your pipeline's artifact store, and then uses them to perform actions in your
pipeline, such as creating an AWS CloudFormation stack.
When you use Amazon Simple Storage Service (Amazon S3) as the source repository, CodePipeline
requires you to zip your source files before uploading them to an S3 bucket. The zipped file is a
CodePipeline artifact that can contain an AWS CloudFormation template, a template configuration
file, or both. We provide an artifact that contains a sample WordPress template and two template
configuration files. The two configuration files specify parameter values for the WordPress template.
CodePipeline uses them when it creates the WordPress stacks. One file contains parameter values for a
test stack, and the other for a production stack. You'll need to edit the configuration files, for example,
to specify an existing EC2 key-pair name that you own. For more information about artifacts, see AWS
CloudFormation Artifacts (p. 92).
After you build your artifact, you'll upload it to an S3 bucket.
To edit and upload the artifact
1. Download and open the sample artifact: https://s3.amazonaws.com/cloudformation-examples/

user-guide/continuous-deployment/wordpress-single-instance.zip.
The artifact contains three files:

81
Step 2: Create the Pipeline Stack
• The sample WordPress template: wordpress-single-instance.yaml

• The template configuration file for the test stack.: test-stack-configuration.json
• The template configuration file for the production stack: prod-stack-configuration.json
2. Extract all of the files, and then use any text editor to modify the template configuration files.
Open the configuration files to see that they contain key-value pairs that map to the WordPress
template's parameters. The configuration files specify the parameter values that your pipeline uses
when it creates the test and production stacks.
Edit the test-stack-configuration.json file to specify parameter values for the test stack and
the prod-stack-configuration.json file for the production stack.
• Change the values of the DBPassword and DBRootPassword keys to passwords that you can use
to log in to your WordPress database. As defined in the WordPress template, the parameter values
must contain only alphanumeric characters.
• Change the value of the KeyName key to an existing EC2 key-pair name in the region in which you
will create your pipeline.
3. Add the modified configuration files to the original artifact (.zip) file, replacing duplicate files.
You now have a customized artifact that you can upload to an S3 bucket.
4. Upload the artifact to an S3 bucket that you own.
Note the file's location. You'll specify the location of this file when you build your pipeline.
Notes about the artifact and S3 bucket:
• Use a bucket that is in the same AWS region in which you will create your pipeline.
• CodePipeline requires that the bucket is versioning enabled.
• You can also use services that don't require you to zip your files before uploading them, like
GitHub or CodeCommit, for your source repository.
• Artifacts can contain sensitive information such as passwords. Limit access so that only permitted
users can view the file. When you do, ensure that CodePipeline can still access the file.
You now have an artifact that CodePipeline can pull in to your pipeline. In the next step, you'll specify
the artifact's location and build the WordPress pipeline.

To create the WordPress pipeline, you'll use a sample AWS CloudFormation template. In addition to
building the pipeline, the template sets up AWS Identity and Access Management (IAM) service roles
for CodePipeline and AWS CloudFormation, an S3 bucket for the CodePipeline artifact store, and an
Amazon Simple Notification Service (Amazon SNS) topic to which the pipeline sends notifications, such
as notifications about reviews. The sample template makes it easy to provision and configure these
resources in a single AWS CloudFormation stack.
For more details about the configuration of the pipeline, see What the Pipeline Does (p. 83).
Important
The sample WordPress template creates an EC2 instance that requires a connection to the
Internet. Check that your default VPC and subnet allow traffic to the Internet.
To create the pipeline stack
1. Download the sample template at https://s3.amazonaws.com/cloudformation-examples/user-

guide/continuous-deployment/basic-pipeline.yml. Save it on your computer.

82
2. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/.

3. Choose an AWS region that supports CodePipeline and AWS CloudFormation.
For more information, see AWS Regions and Endpoints in the AWS General Reference.
4. Choose Create stack.
5. Under Specify template, choose Upload a template file, and then choose the template that you
just downloaded, basic-pipeline.yml.
6. Choose Next.
7. For Stack name, type sample-WordPress-pipeline.
8. In the Parameters section, specify the following parameter values, and then choose Next.
When setting stack parameters, if you kept the same names for the WordPress template and its
configuration files, you can use the default values. If not, specify the filenames that you used.
PipelineName
The name of your pipeline, such as WordPress-test-pipeline.

S3Bucket
The name of the S3 bucket where you saved your artifact (.zip file).
SourceS3Key
The filename of your artifact. If you saved the artifact in a folder, include it as part of the
filename, such as folder/subfolder/wordpress-single-instance.zip.
Email
The email address to which CodePipeline sends pipeline notification, such as

myemail@example.com.
9. For this walkthrough, you don't need to add tags or specify advanced settings, so choose Next.
10. Ensure that the stack name and template URL are correct, and then choose Create stack.
11. To acknowledge that you're aware that AWS CloudFormation might create IAM resources, choose the
checkbox.
It might take several minutes for AWS CloudFormation to create your stack. To monitor progress, view
the stack events. For more information, see Viewing AWS CloudFormation Stack Data and Resources on
the AWS Management Console (p. 106).
After your stack has been created, CodePipeline starts your new pipeline. To view its status, see the
CodePipeline console. From the list of pipelines, choose WordPress-test-pipeline.
What the Pipeline Does

This section explains the pipeline's three stages, using snippets from the sample WordPress pipeline
template.
Stage 1: Source
The first stage of the pipeline is a source stage in which you specify the location of your source code.
Every time you push a revision to this location, CodePipeline reruns your pipeline.
The source code is located in an S3 bucket and is identified by its filename. You specified these
values as input parameter values when you created the pipeline stack. To allow using the source
artifact in subsequent stages, the snippet specifies the OutputArtifacts property, with the name
TemplateSource. To use this artifact in later stages, you specify TemplateSource as an input artifact.
- Name: S3Source

83
Actions:
- Name: TemplateSource
ActionTypeId:
Category: Source
Owner: AWS
Provider: S3
Version: '1'
Configuration:
S3Bucket: !Ref 'S3Bucket'
S3ObjectKey: !Ref 'SourceS3Key'
OutputArtifacts:
Stage 2: TestStage
In the TestStage stage, the pipeline creates the test stack, waits for approval, and then deletes the test
stack.
For the CreateStack action, the pipeline uses the test configuration file and WordPress template to
create the test stack. Both files are contained in the TemplateSource input artifact, which is brought in
from the source stage. The snippet uses the REPLACE_ON_FAILURE action mode. If stack creation fails,
the pipeline replaces it so that you don't need to clean up or troubleshoot the stack before you can rerun
the pipeline. The action mode is useful for quickly iterating on test stacks. For the RoleArn property, the
value is an AWS CloudFormation service role that is declared elsewhere in the template.
The ApproveTestStack action pauses the pipeline and sends a notification to the email address
that you specified when you created the pipeline stack. While the pipeline is paused, you can check
the WordPress test stack and its resources. Use CodePipeline to approve or reject this action. The
CustomData property includes a description of the action you're approving, which the pipeline adds to
the notification email.
After you approve this action, CodePipeline moves to the DeleteTestStack action and deletes the test
WordPress stack and its resources.
- Name: TestStage
Actions:
- Name: CreateStack
ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: '1'
InputArtifacts:
Configuration:
ActionMode: REPLACE_ON_FAILURE
RoleArn: !GetAtt [CFNRole, Arn]
StackName: !Ref TestStackName
TemplateConfiguration: !Sub "TemplateSource::${TestStackConfig}"
TemplatePath: !Sub "TemplateSource::${TemplateFileName}"
RunOrder: '1'
- Name: ApproveTestStack
ActionTypeId:
Category: Approval
Owner: AWS
Provider: Manual
Version: '1'
Configuration:
NotificationArn: !Ref CodePipelineSNSTopic
CustomData: !Sub 'Do you want to create a change set against the production stack
and delete the ${TestStackName} stack?'
RunOrder: '2'

84
- Name: DeleteTestStack
ActionTypeId:
Category: Deploy
Owner: AWS
Version: '1'
Configuration:
ActionMode: DELETE_ONLY
StackName: !Ref TestStackName
RunOrder: '3'
Stage 3: ProdStage
The ProdStage stage of the pipeline creates a change set against the existing production stack, waits
for approval, and then executes the change set.
A change set provides a preview of all modifications AWS CloudFormation will make to your production
stack before implementing them. On your first pipeline run, you won't have a running production stack.
The change set shows the actions that AWS CloudFormation performed when creating the test stack.
To create the change set, the CreateChangeSet action uses the WordPress sample template and the
production template configuration from the TemplateSource input artifact.
Similar to the previous stage, the ApproveChangeSet action pauses the pipeline and sends an email
notification. While the pipeline is paused, you can view the change set to check all of the proposed
modifications to the production WordPress stack. Use CodePipeline to approve or reject this action to
continue or stop the pipeline, respectively.
After you approve this action, the ExecuteChangeSet action executes the changes set, so that
AWS CloudFormation performs all of the actions described in the change set. For the initial run, AWS
CloudFormation creates the WordPress production stack. On subsequent runs, AWS CloudFormation
updates the stack.
- Name: ProdStage
Actions:
- Name: CreateChangeSet
ActionTypeId:
Category: Deploy
Owner: AWS
Version: '1'
InputArtifacts:
Configuration:
ActionMode: CHANGE_SET_REPLACE
StackName: !Ref ProdStackName
ChangeSetName: !Ref ChangeSetName
TemplateConfiguration: !Sub "TemplateSource::${ProdStackConfig}"
TemplatePath: !Sub "TemplateSource::${TemplateFileName}"
RunOrder: '1'
- Name: ApproveChangeSet
ActionTypeId:
Category: Approval
Owner: AWS
Provider: Manual
Version: '1'
Configuration:
NotificationArn: !Ref CodePipelineSNSTopic
CustomData: !Sub 'A new change set was created for the ${ProdStackName} stack. Do
you want to implement the changes?'
RunOrder: '2'

85
Step 3: View the WordPress Stack
- Name: ExecuteChangeSet
ActionTypeId:
Category: Deploy
Owner: AWS
Version: '1'
Configuration:
ActionMode: CHANGE_SET_EXECUTE
ChangeSetName: !Ref ChangeSetName
StackName: !Ref ProdStackName
RunOrder: '3'
Step 3: View the WordPress Stack

As CodePipeline runs through the pipeline, it uses AWS CloudFormation to create test and production
stacks. To see the status of these stacks and their output, use the AWS CloudFormation console.
To view a stack

2. Depending on whether your pipeline is in the test or production stage, choose the Test-
MyWordPressSite or the Prod-MyWordPressSite stack.
3. To check the status of your stack, view the stack events (p. 106).
If the stack is in a failed state, view the status reason to find the stack error. Fix the error, and then rerun
the pipeline. If the stack is in the CREATE_COMPLETE state, view its outputs to get the URL of your
WordPress site.
You've successfully used CodePipeline to build a continuous delivery workflow for a sample WordPress
site. If you submit changes to the S3 bucket, CodePipeline automatically detects a new version, and then
reruns your pipeline. This workflow makes it easier to submit and test changes before making changes to
your production site.
Step 4: Clean Up Resources

To make sure that you are not charged for unwanted services, delete your resources.
Important
Delete the test and production WordPress stacks before deleting the pipeline stack. The pipeline
stack contains a service role that's required to delete the WordPress stacks. If you deleted the
pipeline stack first, you can associate another service role Amazon Resource Name (ARN) with
the WordPress stacks, and then delete them.
To delete objects in the artifact store
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

2. Choose the S3 bucket that CodePipeline used as your pipeline's artifact store.
The bucket's name follows the format: stackname-artifactstorebucket-id. If you followed

this walkthrough, the bucket's name might look similar to the following example: sample-
WordPress-pipeline-artifactstorebucket-12345abcd12345.
3. Delete all of the objects in the artifact store S3 bucket.
When you delete the pipeline stack in the next step, this bucket must be empty. Otherwise, AWS
CloudFormation won't be able to delete the bucket.

86
See Also
To delete stacks
1. From the AWS CloudFormation console, choose the stack that you want to delete.
If the WordPress stacks that were created by the pipeline are still running, choose them first. By
default, the stack names are Test-MyWordPressSite and Prod-MyWordPressSite.
If you already deleted the WordPress stacks, choose the sample-WordPress-pipeline stack.
2. Choose Actions, and then choose Delete Stack.
3. In the confirmation message, choose Yes, Delete.
AWS CloudFormation deletes the stack all of the stack's resources, such as the EC2 instance, notification
topic, service role, and the pipeline.
Now that you understand how to build a basic AWS CloudFormation workflow with CodePipeline, you
can use the sample template and artifacts as a starting point for building your own.
See Also
The following related resources can help you as you work with these parameters.
• For more information about the AWS CloudFormation action parameters in CodePipeline, see the AWS
CloudFormation action configuration reference in the AWS CodePipeline User Guide.
• For example template values by action provider, such as for the Owner field or the configuration
fields, see the Action Structure Reference in the AWS CodePipeline User Guide.
• To download example pipeline stack templates in YAML or JSON format, see the tutorials under Create
a Pipeline with AWS CloudFormation in the AWS CodePipeline User Guide.
• For an example template configuration file, see AWS CloudFormation Artifacts.
AWS CloudFormation Configuration Properties

Reference
When you build a CodePipeline pipeline, you add a Deploy action to the pipeline with AWS
CloudFormation as a provider. You then must specify which AWS CloudFormation action the pipeline
invokes and the action's settings. This topic describes the AWS CloudFormation configuration properties.
To specify properties, you can use the CodePipeline console, or you can create a JSON object to use for
the AWS CLI, CodePipeline API, or AWS CloudFormation templates.
Topics
• Configuration Properties (Console) (p. 87)
• Configuration Properties (JSON Object) (p. 89)
• See Also (p. 92)
Configuration Properties (Console)

The CodePipeline console shows the configuration properties and indicates the properties that are
required based on the action mode that you choose.
Note
When you create a pipeline, you can specify the Create or update a stack or Create or replace a
change set action modes only. Properties in the Advanced section are available only when you
edit a pipeline.

87
Configuration Properties (Console)
Action mode
The AWS CloudFormation action that CodePipeline invokes when processing the associated stage.
Choose one of the following action modes:
• Create or replace a change set creates the change set if it doesn't exist based on the stack name
and template that you submit. If the change set exists, AWS CloudFormation deletes it, and then
creates a new one.
• Create or update a stack creates the stack if the specified stack doesn't exist. If the stack exists,
AWS CloudFormation updates the stack. Use this action to update existing stacks. CodePipeline
won't replace the stack.
• Delete a stack deletes a stack. If you specify a stack that doesn't exist, the action is completed
successfully without deleting a stack.
• Execute a change set executes a change set.
• Replace a failed stack creates the stack if the specified stack doesn't exist. If the stack exists and
is in a failed state (reported as ROLLBACK_COMPLETE, ROLLBACK_FAILED, CREATE_FAILED,
DELETE_FAILED, or UPDATE_ROLLBACK_FAILED), AWS CloudFormation deletes the stack and
then creates a new one. If the stack isn't in a failed state, AWS CloudFormation updates it. Use this
action to replace failed stacks without recovering or troubleshooting them. You would typically
choose this mode for testing.
Stack name
The name that is associated with an existing stack or a stack you want to create. The name must be
unique in the AWS Region in which you are creating the stack.
Note
A stack name can contain only alphanumeric characters (case sensitive) and hyphens. It
must start with an alphabetic character and cannot be longer than 128 characters.
Change set name
The name of an existing change set or a new change set that you want to create for the specified
stack.
Template
The location of an AWS CloudFormation template file, which follows the format
ArtifactName::TemplateFileName.
Template configuration
The location of a template configuration file, which follows the format

ArtifactName::TemplateConfigurationFileName. The template configuration file can
contain template parameter values and a stack policy. If you include sensitive information,
such as passwords, restrict access to this file. For more information, see AWS CloudFormation
Artifacts (p. 92).
Capabilities
For stacks that contain certain resources, explicit acknowledgement that AWS CloudFormation might
create or update those resources. For example, you must specify CAPABILITY_IAM if your stack
template contains AWS Identity and Access Management (IAM) resources. For more information, see
CreateStack Request Parameters.
If you have IAM resources in your stack template, you must specify this property.
You can specify more than one capability.

Role name
The name of the IAM service role that AWS CloudFormation assumes when it operates on resources
in the specified stack.

88
Configuration Properties (JSON Object)
Output file name
In the Advanced section, you can specify an output file name, such as CreateStackOutput.json,
that CodePipeline adds to the output artifact after it performs the specified action. The output
artifact contains a JSON file with the contents of the Outputs section of the AWS CloudFormation
template.
If you don't specify a name, CodePipeline doesn't generate an output artifact.

Parameter overrides
Parameters are defined in your template and allow you to input custom values when you create
or update a stack. You can specify a JSON object that overrides template parameter values in the
template configuration file. All parameter names must be present in the stack template. For more
information, see Defining a Parameter in a Template.
Note
There is a maximum size limit of 1 kilobyte for the JSON object that can be stored in the
ParameterOverrides property.
We recommend that you use the template configuration file to specify most of your parameter
values. Use parameter overrides to specify dynamic parameter values only. Dynamic parameters are
unknown until you run the pipeline.
The following example defines a value for the ParameterName parameter by using a parameter
override function. The function retrieves a value from a CodePipeline input artifact. For more
information about parameter override functions, see Using Parameter Override Functions with
CodePipeline Pipelines (p. 94).
{
"ParameterName" : { "Fn::GetParam" : ["ArtifactName", "config-file-name.json",
"ParamName"]}
}

When you specify CloudFormation as a provider for a stage action, define the following properties
in the Configuration property. Use the JSON object for the AWS CLI, CodePipeline API, or AWS
CloudFormation templates. For examples, see Walkthrough: Building a Pipeline for Test and Production
Stacks (p. 80) and AWS CloudFormation Configuration Properties Reference (p. 87).
ActionMode
The AWS CloudFormation action that CodePipeline invokes when it processes the associated stage.
Specify only one of the following action modes:
• CHANGE_SET_EXECUTE executes a change set.
• CHANGE_SET_REPLACE creates the change set, if it doesn't exist, based on the stack name and
template that you submit. If the change set exists, AWS CloudFormation deletes it, and then
creates a new one.
• CREATE_UPDATE creates the stack if the specified stack doesn't exist. If the stack exists, AWS
CloudFormation updates the stack. Use this action to update existing stacks. CodePipeline won't
replace the stack.
• DELETE_ONLY deletes a stack. If you specify a stack that doesn't exist, the action is completed
successfully without deleting a stack.
• REPLACE_ON_FAILURE creates a stack, if the specified stack doesn't exist. If the stack exists and
is in a failed state (reported as ROLLBACK_COMPLETE, ROLLBACK_FAILED, CREATE_FAILED,
DELETE_FAILED, or UPDATE_ROLLBACK_FAILED), AWS CloudFormation deletes the stack and
then creates a new stack. If the stack isn't in a failed state, AWS CloudFormation updates it. Use

89
this action to automatically replace failed stacks without recovering or troubleshooting them. You
would typically choose this mode for testing.
This property is required.

Capabilities
For stacks that contain certain resources, explicit acknowledgement that AWS CloudFormation might
create or update those resources. For example, you must specify CAPABILITY_IAM if your stack
template contains AWS Identity and Access Management (IAM) resources. For more information, see
CreateStack Request Parameters.
This property is conditional. If you have IAM resources in your stack template, you must specify this
property.
You can specify multiple capabilities. The following example adds the CAPABILITY_IAM and
CAPABILITY_AUTO_EXPAND properties to the template:
YAML
configuration:
Capabilities: CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND
ChangeSetName: pipeline-changeset
RoleArn: CloudFormation_Role_ARN
StackName: my-pipeline-stack
TemplateConfiguration: 'my-pipeline-stack::template-configuration.json'
TemplatePath: 'my-pipeline-stack::template-export.yml'
JSON
"configuration": {
"ActionMode": "CHANGE_SET_REPLACE",
"Capabilities": "CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND",
"ChangeSetName": "pipeline-changeset",
"RoleArn": "CloudFormation_Role_ARN",
"StackName": "my-pipeline-stack",
"TemplateConfiguration": "my-pipeline-stack::template-configuration.json",
"TemplatePath": "my-pipeline-stack::template-export.yml"
}
ChangeSetName
The name of an existing change set or a new change set that you want to create for the specified
stack.
This property is required for the following action modes: CHANGE_SET_REPLACE and
CHANGE_SET_EXECUTE. For all other action modes, this property is ignored.
OutputFileName
A name for the output file, such as CreateStackOutput.json. CodePipeline adds the file to the
output artifact after it performs the specified action. The output artifact contains a JSON file with
the contents of the Outputs section of the AWS CloudFormation template.
This property is optional. If you don't specify a name, CodePipeline doesn't generate an output
artifact.
ParameterOverrides
Parameters are defined in your template and allow you to input custom values when you create
or update a stack. You can specify a JSON object that overrides template parameter values in the
template configuration file. All parameter names must be present in the stack template. For more
information, see Defining a Parameter in a Template.

90
The following example adds the InstanceType and KeyName parameter overrides to the template:
YAML
configuration:
Capabilities: CAPABILITY_NAMED_IAM
ChangeSetName: pipeline-changeset
ParameterOverrides: '{"InstanceType": "t2.small","KeyName": "my-keypair"}'
RoleArn: CloudFormation_Role_ARN
StackName: my-pipeline-stack
TemplateConfiguration: 'my-pipeline-stack::template-configuration.json'
TemplatePath: 'my-pipeline-stack::template-export.yml'
JSON
"configuration": {
"ActionMode": "CHANGE_SET_REPLACE",
"Capabilities": "CAPABILITY_NAMED_IAM",
"ChangeSetName": "pipeline-changeset",
"ParameterOverrides": "{\"InstanceType\": \"t2.small\",\"KeyName\": \"my-
keypair\"}",
"RoleArn": "CloudFormation_Role_ARN",
"StackName": "my-pipeline-stack",
"TemplateConfiguration": "my-pipeline-stack::template-configuration.json",
"TemplatePath": "my-pipeline-stack::template-export.yml"
}
Note
The maximum size for the JSON object that can be stored in the ParameterOverrides
property is 1 kilobyte.
We recommend that you use the template configuration file to specify most of your parameter
values. Use parameter overrides to specify dynamic parameter values only. Dynamic parameter
values are unknown until you run the pipeline.
The following example defines a value for the ParameterName parameter by using a parameter
override function. The function retrieves a value from a CodePipeline input artifact. For more
information about parameter override functions, see Using Parameter Override Functions with
CodePipeline Pipelines (p. 94).
{
"ParameterName" : { "Fn::GetParam" : ["ArtifactName", "config-file-name.json",
"ParamName"]}
}
This property is optional.

RoleArn
The Amazon Resource Name (ARN) of the IAM service role that AWS CloudFormation assumes when
it operates on resources in a stack.
This property is required for the following action modes: CREATE_UPDATE, REPLACE_ON_FAILURE,
DELETE_ONLY, and CHANGE_SET_REPLACE. RoleArn is not applied when executing a change set. If
you do not use CodePipeline to create the change set, make sure that the change set or stack has an
associated role.
StackName
The name of an existing stack or a stack that you want to create.

91
See Also
This property is required for all action modes.

TemplateConfiguration
TemplateConfiguration is the template configuration file. You include the file in an input
artifact to this action. The template configuration filename follows this format:
Artifactname::TemplateConfigurationFileName
Artifactname is the input artifact name as it appears in CodePipeline. For example, a source stage
with the artifact name of SourceArtifact and a test-configuration.json file name creates a
TemplateConfiguration name as shown in this example:
"TemplateConfiguration": "SourceArtifact::test-configuration.json"
The template configuration file can contain template parameter values and a stack policy. If you
include sensitive information, such as passwords, restrict access to this file. For an example template
configuration file, see AWS CloudFormation Artifacts (p. 92).
This property is optional.

TemplatePath
TemplatePath represents the AWS CloudFormation template file. You include the file in an input
artifact to this action. The file name follows this format:
Artifactname::TemplateFileName
Artifactname is the input artifact name as it appears in CodePipeline. For example, a source
stage with the artifact name of SourceArtifact and a template.yaml file name creates a
TemplatePath name, as shown in this example:
"TemplatePath": "SourceArtifact::template.yaml"
This property is required for the following action modes: CREATE_UPDATE, REPLACE_ON_FAILURE,
and CHANGE_SET_REPLACE. For all other action modes, this property is ignored.
See Also
AWS CloudFormation Artifacts

CodePipeline performs tasks on artifacts as CodePipeline runs a pipeline. For AWS CloudFormation,
artifacts can include a stack template file, a template configuration file, or both. CodePipeline uses these
artifacts to work with AWS CloudFormation stacks and change sets.

92
Stack Template File
If you use Amazon Simple Storage Service (Amazon S3) as a source repository, you must zip the template
and template configuration files into a single file before you upload them to an S3 bucket. For other
repositories, such as GitHub and AWS CodeCommit, upload artifacts without zipping them. For more
information, see Create a Pipeline in CodePipeline in the AWS CodePipeline User Guide.
You can add as many files as you need to your repository. For example, you might want to include two
different configurations for the same template: one for a test configuration and another for a production
configuration.
This topic describes each artifact type.
Topics
• Stack Template File (p. 93)
• Template Configuration File (p. 93)
Stack Template File

A stack template file defines the resources that AWS CloudFormation provisions and configures.
These files are the same template files that you use when you create or update stacks using AWS
CloudFormation. You can use YAML or JSON-formatted templates. For more information about
templates, see Template Anatomy (p. 210).
Template Configuration File

A template configuration file is a JSON-formatted text file that can specify template parameter values,
a stack policy (p. 149), and tags. Use these configuration files to specify parameter values or a stack
policy for a stack. All of the parameter values that you specify must be declared in the associated
template.
If you include sensitive information—such as passwords—in this file, restrict access to it. For example, if
you upload your artifact to an S3 bucket, use S3 bucket policies or user policies to restrict access.
To create a configuration file, use the following format :
{
"Parameters" : {
"NameOfTemplateParameter" : "ValueOfParameter",
...
},
"Tags" : {
"TagKey" : "TagValue",
...
},
"StackPolicy" : {
"Statement" : [
StackPolicyStatement
]
}
}
The following example specifies TestEC2Key for the KeyName parameter, adds a Department tag
whose value is Marketing, and adds a stack policy that allows all update actions except for an update
that deletes a resource.
{
"Parameters" : {

93
See Also
"KeyName" : "TestEC2Key"
},
"Tags" : {
"Department" : "Marketing"
},
"StackPolicy" : {
"Statement" : [
{
"Effect" : "Allow",
"NotAction" : "Update:Delete",
"Principal": "*",
"Resource" : "*"
}
]
}
}
See Also
Using Parameter Override Functions with

CodePipeline Pipelines
In a CodePipeline stage, you can specify parameter overrides (p. 87) for AWS CloudFormation actions.
Parameter overrides let you specify template parameter values that override values in a template
configuration file. AWS CloudFormation provides functions to help you to specify dynamic values (values
that are unknown until the pipeline runs).
Topics
• Fn::GetArtifactAtt (p. 94)
• Fn::GetParam (p. 95)
Fn::GetArtifactAtt
The Fn::GetArtifactAtt function retrieves the value of an attribute from an input artifact, such as
the S3 bucket name where the artifact is stored. Use this function to specify attributes of an artifact,
such as its filename or S3 bucket name.
When you run a pipeline, CodePipeline copies and writes files to the pipeline's artifact store (an S3
bucket). CodePipeline generates the filenames in the artifact store. These filenames are unknown before
you run the pipeline.
For example, in your pipeline, you might have a source stage where CodePipeline copies your AWS
Lambda function source code to the artifact store. In the next stage, you have an AWS CloudFormation

94
Fn::GetParam
template that creates the Lambda function, but AWS CloudFormation requires the filename to create the
function. You must use the Fn::GetArtifactAtt function to pass the exact S3 bucket and file names.
Syntax
Use the following syntax to retrieve an attribute value of an artifact.
{ "Fn::GetArtifactAtt" : [ "artifactName", "attributeName" ] }
artifactName
The name of the input artifact. You must declare this artifact as input for the associated action.
attributeName
The name of the artifact attribute whose value you want to retrieve. For details about each artifact
attribute, see the following Attributes section.
Example
The following parameter overrides specify the BucketName and ObjectKey parameters by retrieving
the S3 bucket name and filename of the LambdaFunctionSource artifact. This example assumes that
CodePipeline copied Lambda function source code and saved it as an artifact, for example, as part of a
source stage.
{
"BucketName" : { "Fn::GetArtifactAtt" : ["LambdaFunctionSource", "BucketName"]},
"ObjectKey" : { "Fn::GetArtifactAtt" : ["LambdaFunctionSource", "ObjectKey"]}
}
Attributes
You can retrieve the following attributes for an artifact.
BucketName
The name of the S3 bucket where the artifact is stored.

ObjectKey
The name of the .zip file that contains the artifact that is generated by CodePipeline, such as
1ABCyZZ.zip.
URL
The Amazon Simple Storage Service (Amazon S3) URL of the artifact, such as https://
s3-us-west-2.amazonaws.com/artifactstorebucket-yivczw8jma0c/test/
TemplateSo/1ABCyZZ.zip.
Fn::GetParam
The Fn::GetParam function returns a value from a key-value pair in a JSON-formatted file. The JSON
file must be included in an artifact.
Use this function to retrieve output values from an AWS CloudFormation stack and use them as input
for another action. For example, if you specify an output filename for an AWS CloudFormation action,

95
Fn::GetParam
CodePipeline saves the output in a JSON file and then adds it to the output artifact's .zip file. Use the
Fn::GetParam function to retrieve the output value, and use it as input for another action.
Syntax
Use the following syntax to retrieve a value from a key-value pair.
{ "Fn::GetParam" : [ "artifactName", "JSONFileName", "keyName" ] }
artifactName
The name of the artifact, which must be included as an input artifact for the associated action.
JSONFileName
The name of a JSON file that is contained in the artifact.

keyName
The name of the key whose value you want to retrieve.
Examples
The following examples demonstrate how to use the Fn::GetParam function in a parameter override.
Syntax
The following parameter override specifies the WebSiteURL parameter by retrieving the value of the
URL key from the stack-output.json file that is in the WebStackOutput artifact.
{
"WebSiteURL" : { "Fn::GetParam" : ["WebStackOutput", "stack-output.json", "URL"]}
}
AWS CloudFormation Template Snippets

The following AWS CloudFormation template snippets, from a CodePipeline pipeline, demonstrate how
to pass stack outputs. These snippets show two stages of pipeline definition. The first stage creates a
stack and saves its outputs in the TestOutput.json file in the StackAOutput artifact. These values
are specified by the OutputFileName and OutputArtifacts properties.
The name of the source input artifact for the stages is TemplateSource. The file name for
the stack template is teststackA.yaml, and the file name for the configuration file is test-
configuration.json. In both stages, these values are specified for the TemplateConfiguration
and TemplatePath properties as shown:
TemplateConfiguration: TemplateSource::test-configuration.json
TemplatePath: TemplateSource::teststackA.yaml
Example Create Stack A Stage
- Name: CreateTestStackA
Actions:
- Name: CloudFormationCreate
ActionTypeId:
Category: Deploy
Owner: AWS

96
See Also
Version: '1'
Configuration:
ActionMode: CREATE_UPDATE
Capabilities: CAPABILITY_IAM
OutputFileName: TestOutput.json
StackName: StackA
TemplatePath: TemplateSource::teststackA.yaml
InputArtifacts:
OutputArtifacts:
- Name: StackAOutput
RunOrder: '1'
In a subsequent stage, stack B uses the outputs from stack A. In the ParameterOverrides property,
the example uses the Fn::GetParam function to specify the StackBInputParam parameter. The
resulting value is the value associated with the StackAOutputName key.
Example Create Stack B Stage
- Name: CreateTestStackB
Actions:
- Name: CloudFormationCreate
ActionTypeId:
Category: Deploy
Owner: AWS
Version: '1'
Configuration:
ActionMode: CREATE_UPDATE
Capabilities: CAPABILITY_IAM
StackName: StackB
TemplatePath: TemplateSource::teststackB.yaml
ParameterOverrides: |
{
"StackBInputParam" : { "Fn::GetParam" : ["StackAOutput", "TestOutput.json",
"StackAOutputName"]}
}
InputArtifacts:
- Name: StackAOutput
RunOrder: '1'
See Also

97
Using the Console
Working with Stacks

A stack is a collection of AWS resources that you can manage as a single unit. In other words, you can
create, update, or delete a collection of resources by creating, updating, or deleting stacks. All the
resources in a stack are defined by the stack's AWS CloudFormation template. A stack, for instance,
can include all the resources required to run a web application, such as a web server, a database, and
networking rules. If you no longer require that web application, you can simply delete the stack, and all
of its related resources are deleted.
AWS CloudFormation ensures all stack resources are created or deleted as appropriate. Because
AWS CloudFormation treats the stack resources as a single unit, they must all be created or deleted
successfully for the stack to be created or deleted. If a resource cannot be created, AWS CloudFormation
rolls the stack back and automatically deletes any resources that were created. If a resource cannot be
deleted, any remaining resources are retained until the stack can be successfully deleted.
You can work with stacks by using the AWS CloudFormation console, API, or AWS CLI.
Note
You are charged for the stack resources for the time they were operating (even if you deleted
the stack right away).
Topics
• Using the AWS CloudFormation Console (p. 98)
• Using the AWS Command Line Interface (p. 116)
• AWS CloudFormation Stack Updates (p. 127)
• Detecting Unmanaged Configuration Changes to Stacks and Resources (p. 161)
• Moving Resources Between Stacks (p. 173)
• Exporting Stack Output Values (p. 181)
• Listing Stacks That Import an Exported Output Value (p. 182)
• Working with Nested Stacks (p. 183)
• Working with Microsoft Windows Stacks on AWS CloudFormation (p. 189)
Using the AWS CloudFormation Console

The AWS CloudFormation console allows you to create, monitor, update and delete stacks directly from
your web browser. This section contains guidance on using the AWS CloudFormation console to perform
common actions.
In This Section
• Logging In to the AWS CloudFormation Console (p. 99)
• Creating a Stack on the AWS CloudFormation Console (p. 99)
• Creating an EC2 Key Pair (p. 106)
• Estimating the Cost of Your CloudFormation Stack (p. 106)
• Viewing AWS CloudFormation Stack Data and Resources on the AWS Management Console (p. 106)
• Monitor and Roll Back Stack Operations (p. 109)
• Creating Quick-Create Links for Stacks (p. 111)
• Deleting a Stack on the AWS CloudFormation Console (p. 114)
• Protecting a Stack From Being Deleted (p. 114)
• Viewing Deleted Stacks on the AWS CloudFormation Console (p. 116)

98
Logging In to the Console
Logging In to the AWS CloudFormation Console

The AWS CloudFormation console allows you to create, monitor, update, and delete your AWS
CloudFormation stacks with a web-based interface. It is part of the AWS Management Console.
You can access the AWS CloudFormation console in a number of ways:
• Open the AWS CloudFormation console directly with the URL https://console.aws.amazon.com/
cloudformation/. If you are not logged in to the AWS Management Console yet, you need to log in
before using the AWS CloudFormation console.
• If you are logged into and using the AWS Management Console, you can access the AWS
CloudFormation console from the home page by:
• Selecting CloudFormation from under Management Tools.
• Searching for CloudFormation using the search bar.
• Selecting CloudFormation from Recently visited services, if you've used CloudFormation recently.
If you don't have any AWS CloudFormation stacks running, you are presented with the option to Create a
stack. Otherwise, you see a list of your currently-running stacks.
See Also
• Creating a Stack on the AWS CloudFormation Console (p. 99)
Creating a Stack on the AWS CloudFormation

Console
Before you create a stack, you must have a template that describes what resources AWS CloudFormation
will include in your stack. For more information, see Working with AWS CloudFormation
Templates (p. 209).
Note
To preview the configuration of a new stack, you can use a change set (p. 105).
Creating a stack on the AWS CloudFormation console is an easy, wizard-driven process that consists of
the following steps:
1. Starting the Create Stack wizard (p. 99)

2. Selecting a stack template (p. 100)
3. Specifying stack parameters (p. 102)
4. Setting AWS CloudFormation Stack Options (p. 103)
5. Reviewing your stack (p. 104)
After creating a stack, you can monitor the stack's progress, view the stack's resources and outputs,
update the stack, and delete it. Information about these actions are provided in their associated topics.
Starting the Create Stack Wizard

To create a stack on the AWS CloudFormation console
1. Log in to the AWS Management Console and select CloudFormation in the Services menu.

99
Creating a Stack
2. Create a new stack by using one of the following options:
• Click Create Stack. This is the only option if you have a currently running stack.
• Click Create Stack on the Stacks page. This option is visible only if you have no running stacks.
Next, you choose a stack template (p. 100).
Selecting a Stack Template

After starting the Create Stack wizard (p. 99), you specify the template that you want AWS
CloudFormation to use to create your stack.
AWS CloudFormation templates are JSON- or YAML-formatted files that specify the AWS resources that
make up your stack. For more information about AWS CloudFormation templates, see Working with AWS
CloudFormation Templates (p. 209).
To choose a stack template:
1. On the Specify template page, choose a stack template by using one of the following options:
Template is ready
Specify a completed template you have ready for creating a stack.
In the Specify template section, select the appropriate option based on the template's location:
• Amazon S3 URL
Specify a URL to a template in an S3 bucket.
Enter the URL in the Amazon S3 URL field.

Important
If your template includes nested stacks (for example, stacks described in other
template documents located in subdirectories), ensure that your S3 bucket contains
the necessary files and directories.
100
Creating a Stack
If you have a template in a versioning-enabled bucket, you can specify a specific version of the
template, such as https://s3.amazonaws.com/templates/myTemplate.template?
versionId=123ab1cdeKdOW5IH4GAcYbEngcpTJTDW. For more information, see Managing
Objects in a Versioning-Enabled Bucket in the Amazon Simple Storage Service Console User
Guide.
The URL must point to a template with a maximum size of 460,800 bytes that is stored in
an S3 bucket that you have read permissions to and that is located in the same region as the
stack. The URL can be a maximum of 1024 characters long.
• Upload a template file
Select a CloudFormation template on your local computer.
Choose Choose File to select the template file that you want to upload. The template can
be a maximum size of 460,800 bytes. Once you have chosen your template, CloudFormation
uploads the file and displays the S3 URL.
If you use the CLI or API to create a stack, you can upload a template with a maximum size of
51,200 bytes.
Note
If you upload a local template file, AWS CloudFormation uploads it to an Amazon
Simple Storage Service (Amazon S3) bucket in your AWS account. If you don't already
have an S3 bucket that was created by AWS CloudFormation, it creates a unique
bucket for each Region in which you upload a template file. If you already have an
S3 bucket that was created by AWS CloudFormation in your AWS account, AWS
CloudFormation adds the template to that bucket.
Considerations to keep in mind about S3 buckets created by AWS CloudFormation
• The buckets are accessible to anyone with Amazon S3 permissions in your AWS
account.
• AWS CloudFormation creates the buckets with server-side encryption enabled by
default, thereby encrypting all objects stored in the bucket.
You can directly manage encryption options for buckets that AWS CloudFormation
has created; for example, using the Amazon S3 console at https://
console.aws.amazon.com/s3/ , or the AWS CLI. For more information, see Amazon
S3 Default Encryption for S3 Buckets in the Amazon Simple Storage Service
Developer Guide.
• You can use your own bucket and manage its permissions by manually uploading
templates to Amazon S3. When you create or update a stack, specify the Amazon
S3 URL of a template file.
Use a sample template
• Select a sample template from a collection of templates provided by CloudFormation to get
you started. For descriptions of the templates, see Sample Templates (p. 3846).
To create a stack from existing AWS resources by using the CloudFormer tool, select
CloudFormer, located in the Tools section, from the list. For more information, see Using
CloudFormer (Beta) to Create Templates (p. 555).
To view more templates samples and snippets, organized by AWS service, click View more
sample templates.
Create template in Designer
Create or modify a template using AWS CloudFormation Designer, a drag-and-drop interface

for graphically diagramming your templates. For more information, see What Is AWS
CloudFormation Designer? (p. 274).
101
Creating a Stack
2. To accept your settings, choose Next, and proceed with specifying the stack name and
parameters (p. 102).
Before creating resources, AWS CloudFormation validates your template to catch syntactic and some
semantic errors, such as circular dependencies. During validation, AWS CloudFormation first checks
if the template is valid JSON. If it isn't, AWS CloudFormation checks if the template is valid YAML. If
both checks fail, AWS CloudFormation returns a template validation error.
Specifying Stack Name and Parameters

After selecting a stack template, specify the stack name and values for the parameters that were defined
in the template.
With parameters, you can customize your stack at creation time. Your parameter values can be used in
the stack template to modify how resources are configured. That way you don't have to hard code values
in multiple templates to specify different settings. For more information about parameters in an AWS
CloudFormation template, see Parameters (p. 237).
To specify the stack name and parameter values
1. On the Specify stack details page, type a stack name in the Stack name box.
The stack name is an identifier that helps you find a particular stack from a list of stacks. A stack
name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an
alphabetic character and can't be longer than 128 characters.
2. In the Parameters section, specify parameters that are defined in the stack template.
You can use or change any parameters with default values.

3. When you are satisfied with the parameter values, click Next to proceed with setting options for
your stack (p. 103).
AWS-specific Parameter Types

When you create stacks that contain AWS-specific parameter types, the AWS CloudFormation
console provides drop-down lists of valid values for those parameters. Depending on the parameter
type, you can search for values by ID, name, or the value of the Name tag. For example, with the
AWS::EC2::VPC::Id parameter type, you can search for a specific VPC ID, such as vpc-b47658d1. If
the VPC was tagged with a name, such as Name:TestVPC, you can also search for TestVPC. Currently,
you can search only for tag values with the Name key.
Note
The console doesn't provide a drop-down list or enable you to search for values with the
AWS::EC2::Image::Id parameter type; AWS CloudFormation only verifies if the input values
are valid Amazon Elastic Compute Cloud image IDs.
Group and Sort Parameters

The console alphabetically lists input parameters by their logical ID. When you create a template, you
can use the AWS::CloudFormation::Interface metadata key to override the default ordering. For
more information and an example of the AWS::CloudFormation::Interface metadata key, see
AWS::CloudFormation::Interface (p. 233).

102
Creating a Stack
Setting AWS CloudFormation Stack Options

After specifying parameters (p. 237) that are defined in the template, you can set additional options for
your stack.
You can set the following stack options:
Tags
Tags are arbitrary key-value pairs that can be used to identify your stack for purposes such as cost
allocation. For more information about what tags are and how they can be used, see Tagging Your
Resources in the Amazon EC2 User Guide.
A Key consists of any alphanumeric characters or spaces. Tag keys can be up to 127 characters long.
A Value consists of any alphanumeric characters or spaces. Tag values can be up to 255 characters
long.
Permissions
An existing AWS Identity and Access Management (IAM) service role that AWS CloudFormation can
assume.
Instead of using your account credentials, AWS CloudFormation uses the role's credentials to create
your stack. For more information, see AWS CloudFormation Service Role (p. 18).
You can also set the following advanced options for stack creation:
Stack policy
Defines the resources that you want to protect from unintentional updates during a stack update. By
default, all resources can be updated during a stack update.
You can enter the stack policy directly as JSON, or upload a JSON file containing the stack policy. For
more information, see Prevent Updates to Stack Resources (p. 149).
Rollback configuration
Enables you to have AWS CloudFormation monitor the state of your stack during stack creation
and updating, and to roll back that operation if the stack breaches the threshold of any of the
alarms you've specified. Specify the Cloudwatch alarms that AWS CloudFormation should monitor.
If any of the alarms goes to ALARM state during the stack operation or the monitoring period, AWS
CloudFormation rolls back the entire stack operation. For more information, see Monitor and Roll
Back Stack Operations (p. 109).
Notification Options
You can specify a new or existing Amazon Simple Notification Service topic where notifications
about stack events are sent.
If you create an Amazon SNS topic, you must specify a name and an email address where stack event
notifications are to be sent.
Stack creation options
The following options are included for stack creation, but are not available as part of stack updates.
Rollback on failure
Specifies whether the stack should be rolled back if stack creation fails. Typically, you want to
accept the default value of Enabled. Select Disabled if you want the stack's state retained even
if creation fails, such as when you are debugging a stack template.

103
Creating a Stack
Timeout
Specifies the amount of time, in minutes, that CloudFormation should allot before timing out
stack creation operations. If CloudFormation cannot create the entire stack in the time allotted,
it fails the stack creation due to timeout and rolls back the stack.
By default, there is no timeout for stack creation. However, individual resources may have their
own timeouts based on the nature of the service they implement. For example, if an individual
resource in your stack times out, stack creation also times out even if the timeout you specified
for stack creation has not yet been reached.
Termination protection
Prevents a stack from being accidently deleted. If a user attempts to delete a stack with
termination protection enabled, the deletion fails and the stack--including its status--remains
unchanged. For more information, see Protecting a Stack From Being Deleted (p. 114).
Termination protection is Disabled by default.
To set stack options
1. On the Configure stack options page of the Create stack wizard, you can specify tags and
permissions. Use the Advanced options section to set additional configuration options for your
stack.
2. When you have entered all of your stack options, click Next Step to proceed with reviewing your
stack (p. 104).
Reviewing Your Stack and Estimating Stack Cost on the AWS

CloudFormation Console
The final step before your stack is launched is to review the values entered while creating the stack. You
can also estimate the cost of your stack.
1. On the Review page, review the details of your stack.
If you need to change any of the values prior to launching the stack, click Edit on the appropriate
section to go back to the page that has the setting that you want to change.
2. (Optional) To estimate the cost of your stack, select the Estimate cost link in the Template section.
The AWS Simple Monthly Calculator displays values from your stack template and launch settings.
3. After you review the stack creation settings and the estimated cost of your stack, click Create stack
to launch your stack.
Note
As this point, you can also choose to create a new change set rather than a new stack. To
do so, click Create change set instead of Create stack. For more information, see Creating
Stacks Using Change Sets (p. 105)
CloudFormation displays the Events pane of the Stack details page for your new stack. From here,
you can view your stack's events, data, or resources (p. 106). AWS CloudFormation automatically
refreshes the stack events every minute. Additionally, CloudFormation displays the New events
available badge when new stack events occur; click the refresh icon to load these events into the
list. By viewing stack creation events, you can understand the sequence of events that lead to your
stack's creation (or failure, if you are debugging your stack).
While your stack is being created, it is listed on the Stacks page with a status of
CREATE_IN_PROGRESS.

104
Creating a Stack
After your stack has been successfully created, its status changes to CREATE_COMPLETE. You can
then click the Outputs tab to view your stack's outputs if you have defined any in the template.
Creating Stacks Using Change Sets

To preview how a AWS CloudFormation stack will be configured before creating the stack, create a
change set. This functionality allows you to examine various configurations and make corrections
and changes to your stack before executing the change set. For more information on change sets, see
Updating Stacks Using Change Sets (p. 130).
Creating a Change Set for a New Stack

To create a change set for a new stack, select your stack template and specify the configuration of your
stack as you would if you were creating a new stack, then choose to create a new change set rather than
a new stack.
To create a change set using the CloudFormation console
1. Start the Create stack wizard (p. 99)

2. Select a stack template (p. 100)
3. Specify parameters for your stack (p. 102)
4. Set stack options (p. 103)
5. On the Review page, review the details of your stack.
If you need to change any of the settings before you create the change set, click Edit on the
appropriate section to go back to the page that has the setting that you want to change.
6. Click Create change set.
7. Enter a name for the change set, and a description if desired. Click Create change set.
When you create a change set for a new stack, CloudFormation does the following:
• Launches a new stack with a status of REVIEW_IN_PROGRESS.

• Creates a change set for the new stack that reflects the stack configuration you specified in the
steps above.
CloudFormation displays the Change sets page for the proposed stack. While AWS CloudFormation
creates the change set, its status is CREATE_IN_PROGRESS, and its execution status is
UNAVAILABLE. When AWS CloudFormation completes succesfully creating the change set, it sets
the change set status to CREATE_COMPLETE, and its execution status is AVAILABLE. The stack
status is updated to REVIEW_IN_PROGRESS. At this point, you can execute the change set to
complete creating the new stack.
In the Changes pane, AWS CloudFormation displays the proposed configuration of your stack.
If AWS CloudFormation fails to create the change set, it sets the changes set status to
CREATE_FAILED. Fix the error displayed in the Status reason field, and then create a new change
set. At this stage, you can try various configurations and make corrections and changes to your stack
before executing the next change set.
8. To complete creating a new stack based on the change set, choose Execute, and then choose
Execute again.

105
Creating an EC2 Key Pair
Creating an EC2 Key Pair

The use of some AWS CloudFormation resources and templates will require you to specify an Amazon
EC2 key pair for authentication, such as when you are configuring SSH access to your instances.
Amazon EC2 key pairs can be created with the AWS Management Console. For more information, see
Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.
Estimating the Cost of Your CloudFormation Stack

There is no additional charge for AWS CloudFormation. You pay for AWS resources (e.g. Amazon EC2
instances, Elastic Load Balancing load balancers and so on) created using AWS CloudFormation as if you
created them by hand.
To estimate the cost of your stack
1. On the Review page of the Create stack wizard, in the Template section, click the Estimate cost
link.
This link opens the AWS Simple Monthly Calculator in a new browser tab.
Note
Because you launched the calculator from the AWS CloudFormation console, it is pre-
populated with your template configuration and parameter values. There are many
additional configurable values that can provide you with a better estimate if you have an
idea of how much data transfer you expect to your Amazon EC2 instance.
2. Click the Estimate of your Monthly Bill tab for a monthly estimate of running your stack, along with
a categorized display of what factors contributed to the estimate.
Viewing AWS CloudFormation Stack Data and

Resources on the AWS Management Console
Viewing Stack Information
After you've created an AWS CloudFormation stack, you can use the AWS Management Console to view
its data and resources. You can view the following stack information:

106
Viewing Stack Data and Resources
Stack info
Displays general information about the stack and its configuration, including:
Overview
Displays stack name, stack ID, and root stack, along with status information such as stack status,
drift status, and termination protection.
Tags
Displays any tags that are associated with the stack.

Stack policy
Describes the stack resources that are protected against stack updates. For you to be able to
update these resources, they must be explicitly allowed during a stack update.
Rollback configuration
Displays any Cloudwatch alarms that you have specified that CloudFormation should monitor
during the stack operation or the specified monitoring period. If any of the alarms goes to
ALARM state during the stack operation or the monitoring period, AWS CloudFormation rolls
back the entire stack operation.
Notification options
Displays the Amazon Simple Notification Service topic where notifications about stack events
are sent, if specified.
Events
Displays the operations that are tracked when you create, update, or delete the stack.
All events that are triggered by a given stack operation are assigned the same client request token,
which you can use to track operations. Stack operations that are initiated from the console use the
token format Console-StackOperation-ID, which helps you to easily identify the stack operation.
For example, if you create a stack using the console, each resulting stack event would be assigned
the same token in the following format: Console-CreateStack-7f59c3cf-00d2-40c7-b2ff-
e75db0987002.
Resources
Displays the resources that are part of the stack.

Outputs
Displays outputs that were declared in the stack's template.

Parameters
Displays the stack's parameters and their values.
For stacks that contain SSM parameters, the Resolved Value column displays the values that are
used in the stack definition for the SSM parameters. For more information, see SSM Parameter
Types (p. 243).
Template
Displays the stack's template.
For stacks that contain macros, choose View original template to view the user-submitted template,
or View processed template to view the template after AWS CloudFormation processes the
referenced macros. AWS CloudFormation uses the processed template to create or update your
stack.

107
Viewing Stack Data and Resources
To view information about your AWS CloudFormation stack
1. On the Stacks page of the AWS CloudFormation console, select the stack name. CloudFormation
displays the stack details for the selected stack.
2. Select a stack details pane to view the related information about your stack.
For example, click Events to view the stack events CloudFormation has generated during the
lifecycle of your stack.
Stack Status Codes

The following table describes stack status codes:
Stack Status Description
CREATE_COMPLETE Successful creation of one or more stacks.
CREATE_IN_PROGRESS Ongoing creation of one or more stacks.
CREATE_FAILED Unsuccessful creation of one or more stacks. View the stack

events to see any associated error messages. Possible reasons
for a failed creation include insufficient permissions to work with
all resources in the stack, parameter values rejected by an AWS
service, or a timeout during resource creation.
DELETE_COMPLETE Successful deletion of one or more stacks. Deleted stacks are

retained and viewable for 90 days.
DELETE_FAILED Unsuccessful deletion of one or more stacks. Because the delete

failed, you might have some resources that are still running;
however, you cannot work with or update the stack. Delete the
stack again or view the stack events to see any associated error
messages.
DELETE_IN_PROGRESS Ongoing removal of one or more stacks.
REVIEW_IN_PROGRESS Ongoing creation of one or more stacks with an expected

StackId but without any templates or resources.
Important
A stack with this status code counts against the
maximum possible number of stacks (p. 22).
ROLLBACK_COMPLETE Successful removal of one or more stacks after a failed stack

creation or after an explicitly canceled stack creation. Any
resources that were created during the create stack action are
deleted.
This status exists only after a failed stack creation. It signifies

that all operations from the partially created stack have been
appropriately cleaned up. When in this state, only a delete
operation can be performed.
ROLLBACK_FAILED Unsuccessful removal of one or more stacks after a failed stack

creation or after an explicitly canceled stack creation. Delete
the stack or view the stack events to see any associated error
messages.

108
Monitor and Roll Back Stack Operations
ROLLBACK_IN_PROGRESS Ongoing removal of one or more stacks after a failed stack

creation or after an explicitly cancelled stack creation.
UPDATE_COMPLETE Successful update of one or more stacks.
Ongoing removal of old resources for one or more stacks after a

UPDATE_COMPLETE_CLEANUP_IN_PROGRESS
successful stack update. For stack updates that require resources
to be replaced, AWS CloudFormation creates the new resources
first and then deletes the old resources to help reduce any
interruptions with your stack. In this state, the stack has been
updated and is usable, but AWS CloudFormation is still deleting
the old resources.
UPDATE_IN_PROGRESS Ongoing update of one or more stacks.
UPDATE_ROLLBACK_COMPLETE Successful return of one or more stacks to a previous working

state after a failed stack update.
Ongoing removal of new resources for one or more stacks after a

UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS
failed stack update. In this state, the stack has been rolled back to
its previous working state and is usable, but AWS CloudFormation
is still deleting any new resources it created during the stack
update.
UPDATE_ROLLBACK_FAILED Unsuccessful return of one or more stacks to a previous working

state after a failed stack update. When in this state, you can
delete the stack or continue rollback (p. 158). You might need
to fix errors before your stack can return to a working state. Or,
you can contact customer support to restore the stack to a usable
state.
UPDATE_ROLLBACK_IN_PROGRESS Ongoing return of one or more stacks to the previous working

state after failed stack update.
IMPORT_IN_PROGRESS The import operation is currently in progress.
IMPORT_COMPLETE The import operation successfully completed for all resources in

the stack that support resource import.
IMPORT_ROLLBACK_IN_PROGRESS Import will roll back to the previous template configuration.
IMPORT_ROLLBACK_FAILED The import rollback operation failed for at least one resource
in the stack. Results will be available for the resources
CloudFormation successfully imported.
IMPORT_ROLLBACK_COMPLETE Import successfully rolled back to the previous template

configuration.

Rollback triggers enable you to have AWS CloudFormation monitor the state of your application during
stack creation and updating, and to roll back that operation if the application breaches the threshold
of any of the alarms you've specified. For each rollback trigger you create, you specify the Cloudwatch
alarm that AWS CloudFormation should monitor. AWS CloudFormation monitors the specified alarms
during the stack create or update operation, and for the specified amount of time after all resources

109
have been deployed. If any of the alarms goes to ALARM state during the stack operation or the
monitoring period, AWS CloudFormation rolls back the entire stack operation.
You can set a monitoring time from the default of 0 up to 180 minutes. During this time, AWS
CloudFormation monitors all the rollback triggers after the stack creation or update operation deploys
all necessary resources. If any of the alarms goes to ALARM state during the stack operation or this
monitoring period, AWS CloudFormation rolls back the entire stack operation. Then, for update
operations, if the monitoring period expires without any alarms going to ALARM state, CloudFormation
proceeds to dispose of old resources as usual. If you set a monitoring time but do not specify any
rollback triggers, AWS CloudFormation still waits the specified period of time before cleaning up
old resources for update operations. You can use this monitoring period to perform any manual
stack validation desired, and manually cancel the stack creation or update as necessary. If you set a
monitoring time of 0 minutes, AWS CloudFormation still monitors the rollback triggers during stack
creation and update operations and rolls back the operation if an alarm goes to ALARM state. Then, for
update operations with no breaching alarms, it begins disposing of old resources immediately once the
operation completes.
By default, CloudFormation only rolls back stack operations if an alarm goes to ALARM state, not
INSUFFICIENT_DATA state. To have AWS CloudFormation roll back the stack operation if an alarm goes
to INSUFFICIENT_DATA state as well, edit the CloudWatch alarm to treat missing data as breaching. For
more information, see Configuring How CloudWatch Alarms Treats Missing Data in Amazon CloudWatch
User Guide.
AWS CloudFormation does not monitor rollback triggers when it rolls back a stack during an update
operation.
You can add a maximum of five rollback triggers. To add a rollback trigger, you specify the ARN (Amazon
Resource Name) of the CloudWatch alarm. Currently, only AWS::CloudWatch::Alarm types can be used
as rollback triggers.
If a given Cloudwatch alarm is missing, the entire stack operation fails and is rolled back.
Be aware that access to Amazon CloudWatch requires credentials. Those credentials must have
permissions to access AWS resources, such as retrieving CloudWatch metric data about your cloud
resources. For more information, see Authentication and Access Control for Amazon CloudWatch in
Amazon CloudWatch User Guide.
To add rollback triggers during stack creation or updating
1. During creating or updating a stack, on the Configure stack options page, under Advanced options,
go to Rollback configuration.
2. Specify a monitoring time between 0 and 180 minutes. The default is 0.
3. Enter the ARN of the Cloudwatch alarm you want to use as a rollback trigger, and click Add
CloudWatch alarm ARN.
You can add a maximum of five rollback triggers.
To add rollback triggers to a change set
1. During creating or updating a change set, on the Configure stack options page, under Advanced
options, go to Rollback configuration.
2. Specify a monitoring time between 0 and 180 minutes. The default is 0.
3. Enter the ARN of the Cloudwatch alarm you want to use as a rollback trigger, and click Add
CloudWatch alarm ARN.
You can add a maximum of five rollback triggers.

110
Creating Quick-Create Links for Stacks
To view rollback triggers for a stack
• On the Stacks page, select the stack you wish to view from the list on the left. On the Stack info
tab, under Advanced options, expand the Rollback configuration section.

Use quick-create links to get stacks up and running quickly from the AWS CloudFormation console.
You can specify the template URL, stack name, and template parameters in URL query parameters to
prepopulate a single Create Stack Wizard page. This simplifies the process of creating stacks by reducing
the number of wizard pages and the amount of user input that's required. It also optimizes template
reuse because you can create multiple URLs that specify different values for the same template.
Supported Parameters
AWS CloudFormation supports the following URL query parameters:
templateURL
Required. Specifies the URL of the stack template. URL encoding is supported, but it isn't required.
stackName
Optional. Specifies the stack name.A stack name can contain only alphanumeric characters (case-
sensitive) and hyphens. It must start with an alphabetic character and can't be longer than 128
characters.
Any parameter in the stack template that isn't a NoEcho parameter type
Optional. Use the format param_parameterName to specify template parameters in the URL query
string. The URL parameter must include the param_ prefix, and the parameter name segment must
exactly match the parameter name in the template. For example: param_DBName.
AWS CloudFormation ignores parameters that don't exist in the template, and any parameters
defined with their NoEcho property set to true types (typically, user names and passwords). URL
parameters override default values that are specified in the template. You can include as many
parameters as needed.
Important
Rather than embedding sensitive information directly in your AWS CloudFormation
templates, we strongly suggest you do one of the following:
• Use input parameters to pass in information whenever you create or update a stack, using
the NoEcho property to obfuscate the parameter value.
• Use dynamic parameters in the stack template to reference sensitive information that
is stored and managed outside of CloudFormation, such as in the Systems Manager
Parameter Store or Secrets Manager.
All query parameter names are case sensitive. Users can overwrite these values in the console before
creating the stack.
Example
The following example is based on the WordPress basic single instance sample template. The query
string includes the required templateURL parameter and the stackName, DBName, InstanceType,
and KeyName parameters.

111
The following URL has line breaks added for clarity.
https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/
stacks/create/review
?templateURL=https://s3-eu-central-1.amazonaws.com/cloudformation-templates-eu-
central-1/WordPress_Single_Instance.template
&stackName=MyWPBlog
&param_DBName=mywpblog
&param_InstanceType=t2.medium
&param_KeyName=MyKeyPair
The following URL includes the same parameters as the previous example, but the line breaks are
removed. This is the actual URL format.
https://eu-central-1.console.aws.amazon.com/cloudformation/home?
region=eu-central-1#/stacks/create/review?templateURL=https://s3-
eu-central-1.amazonaws.com/cloudformation-templates-eu-central-1/
WordPress_Single_Instance.template&stackName=MyWPBlog&param_DBName=mywpblog&param_InstanceType=t2.mediu
The example URL opens the Create Stack Wizard in the console, with the supplied values automatically
used for the parameters.

112

113
Deleting a Stack
Deleting a Stack on the AWS CloudFormation

Console
To delete a stack
1. On the Stacks page in the CloudFormation console, select the stack that you want to delete. The
stack must be currently running.
2. In the stack details pane, choose Delete.
3. Select Delete stack when prompted.
Note
After stack deletion has begun, you cannot abort it. The stack proceeds to the
DELETE_IN_PROGRESS state.
After the stack deletion is complete, the stack will be in the DELETE_COMPLETE state. Stacks in
the DELETE_COMPLETE state are not displayed in the AWS CloudFormation console by default. To
display deleted stacks, you must change the stack view filter as described in Viewing Deleted Stacks
on the AWS CloudFormation Console (p. 116).
If the delete failed, the stack will be in the DELETE_FAILED state. For solutions, see the Delete Stack
Fails (p. 3848) troubleshooting topic.
For information on protecting stacks from being accidentally deleted see Protecting a Stack From Being
Deleted (p. 114).
Protecting a Stack From Being Deleted

You can prevent a stack from being accidentally deleted by enabling termination protection on the
stack. If a user attempts to delete a stack with termination protection enabled, the deletion fails and the
stack--including its status--remains unchanged. You can enable termination protection on a stack when
you create it. Termination protection on stacks is disabled by default. You can set termination protection
on a stack with any status except DELETE_IN_PROGRESS or DELETE_COMPLETE.
Enabling or disabling termination protection on a stack sets it for any nested stacks belonging to that
stack as well. You cannot enable or disable termination protection directly on a nested stack. If a user
attempts to directly delete a nested stack belonging with a stack that has termination protection
enabled, the operation fails and the nested stack remains unchanged.
However, if a user performs a stack update that would delete the nested stack, AWS CloudFormation
deletes the nested stack accordingly.
Termination protection is different than disabling rollback. Termination protection applies only to
attempts to delete stacks, while disabling rollback applies to auto rollback when stack creation fails.
To enable termination protection when creating a stack
• On the Specify stack options page of the Create stack wizard, under Advanced options, expand the
Termination Protection section and select Enable.
For more information, see Setting AWS CloudFormation Stack Options (p. 103) in Creating a Stack
on the AWS CloudFormation Console (p. 99).
To enable or disable termination protection on an existing stack
console.aws.amazon.com/cloudformation/.

114
Protecting a Stack From Being Deleted
2. Select the stack that you want.

Note
If NESTED is displayed next to the stack name, the stack is a nested stack. You can only
change termination protection on the root stack to which the nested stack belongs.
3. In the stack details pane, select Stack actions and then Edit termination protection.
CloudFormation displays the Edit termination protection dialog box.

4. Choose Enable or Disable, and then select Save.
To enable or disable termination protection on a nested stack
If NESTED is displayed next to the stack name, the stack is a nested stack. You can only change
termination protection on the root stack to which the nested stack belongs. To change termination
protection on the root stack:
console.aws.amazon.com/cloudformation/.
2. Select the nested stack that you want.
3. In the Stack info pane, in the Overview section, select the stack name listed as Root stack.
AWS CloudFormation displays the stack details for the root stack.
4. Choose Stack actions and then choose Edit Termination Protection.
CloudFormation displays the Edit termination protection dialog box.

5. Choose Enable or Disable, and then select Save.
To enable or disable termination protection using the command line
• Use the update-termination-protection command.
Controlling Who Can Change Termination Protection on Stacks

To enable or disable termination protection on stacks, a user requires permission to the
cloudformation:UpdateTerminationProtection action. For example, the policy below allows
users to enable or disable termination protection on stacks.
For more information on specifying permissions in AWS CloudFormation, see Controlling Access with
AWS Identity and Access Management (p. 9).
Example A sample policy that grants permissions to change stack termination protection
{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":[
"cloudformation:UpdateTerminationProtection"
],
"Resource":"*"
}]
}

115
Viewing Deleted Stacks
Viewing Deleted Stacks on the AWS CloudFormation

Console
By default, the AWS CloudFormation console does not display stacks with a status of
DELETE_COMPLETE. To display information about deleted stacks, you must change the stack view.
To view deleted stacks
• On the Stacks page of the CloudFormation console, select Deleted from the filter list.
AWS CloudFormation lists all of your deleted stacks (stacks with a status of DELETE_COMPLETE).
See Also
• Deleting a Stack on the AWS CloudFormation Console (p. 114)
• Viewing AWS CloudFormation Stack Data and Resources on the AWS Management Console (p. 106)
Related Topics
• Using the AWS CLI (p. 116)
Using the AWS Command Line Interface

With the AWS Command Line Interface (CLI), you can create, monitor, update and delete stacks from
your system's terminal. You can also use the AWS CLI to automate actions through scripts. For more
information about the AWS CLI, see the AWS Command Line Interface User Guide.
If you use Windows PowerShell, AWS also offers the AWS Tools for Windows PowerShell.
Note
The prior AWS CloudFormation CLI tools are still available, but not recommended. If you need
information about the prior AWS CloudFormation CLI tools, see the AWS CloudFormation CLI
Reference in the documentation archive.
Topics
• Creating a Stack (p. 117)

116
Creating a Stack
• Describing and Listing Your Stacks (p. 118)

• Viewing Stack Event History (p. 121)
• Listing Resources (p. 123)
• Retrieving a Template (p. 123)
• Validating a Template (p. 124)
• Uploading Local Artifacts to an S3 Bucket (p. 125)
• Quickly Deploying Templates with Transforms (p. 126)
• Deleting a Stack (p. 126)
Creating a Stack
To create a stack you run the aws cloudformation create-stack command. You must provide the
stack name, the location of a valid template, and any input parameters.
Parameters are separated with a space and the key names are case sensitive. If you mistype a parameter
key name when you run aws cloudformation create-stack, AWS CloudFormation doesn't create
the stack and reports that the template doesn't contain that parameter.
Note
If you specify a local template file, AWS CloudFormation uploads it to an Amazon S3 bucket
in your AWS account. AWS CloudFormation creates a unique bucket for each region in which
you upload a template file. The buckets are accessible to anyone with Amazon S3 permissions
in your AWS account. If an AWS CloudFormation-created bucket already exists, the template is
added to that bucket.
You can use your own bucket and manage its permissions by manually uploading templates
to Amazon S3. Then whenever you create or update a stack, specify the Amazon S3 URL of a
template file.
By default, aws cloudformation describe-stacks returns parameter values. To prevent sensitive

parameter values such as passwords from being returned, include a NoEcho property set to TRUE in your
AWS CloudFormation template.
Important
The following example creates the myteststack stack:
PROMPT> aws cloudformation create-stack --stack-name myteststack --template-body file:///

home/testuser/mytemplate.json --parameters ParameterKey=Parm1,ParameterValue=test1
ParameterKey=Parm2,ParameterValue=test2
{
"StackId" : "arn:aws:cloudformation:us-west-2:123456789012:stack/
myteststack/330b0120-1771-11e4-af37-50ba1b98bea6"
}

117
Describing and Listing Your Stacks

You can use two AWS CLI commands to get information about your AWS CloudFormation stacks: aws
cloudformation list-stacks and aws cloudformation describe-stacks.
Note
See the section called “AWS CloudFormation Resources” (p. 11) for a discussion of how IAM
policies may limit what a user can do with these two AWS CLI commands.
aws cloudformation list-stacks

The aws cloudformation list-stacks command enables you to get a list of any of the stacks
you have created (even those which have been deleted up to 90 days). You can use an option to filter
results by stack status, such as CREATE_COMPLETE and DELETE_COMPLETE. The aws cloudformation
list-stacks command returns summary information about any of your running or deleted stacks,
including the name, stack identifier, template, and status.
Note
The aws cloudformation list-stacks command returns information on deleted stacks for 90 days
after they have been deleted.
The following example shows a summary of all stacks that have a status of CREATE_COMPLETE:
PROMPT> aws cloudformation list-stacks --stack-status-filter CREATE_COMPLETE

[
{
"StackId": "arn:aws:cloudformation:us-east-2:123456789012:stack/myteststack/
644df8e0-0dff-11e3-8e2f-5088487c4896",
"TemplateDescription": "AWS CloudFormation Sample Template S3_Bucket: Sample
template showing how to create a publicly accessible S3 bucket. **WARNING** This template
creates an
S3 bucket. You will be billed for the AWS resources used if you create a stack from this
template.",
"StackStatusReason": null,
"CreationTime": "2013-08-26T03:27:10.190Z",
"StackName": "myteststack",
"StackStatus": "CREATE_COMPLETE"
}
]
aws cloudformation describe-stacks

The aws cloudformation describe-stacks command provides information on your running
stacks. You can use an option to filter results on a stack name. This command returns information about
the stack, including the name, stack identifier, and status.
The following example shows summary information for the myteststack stack:
PROMPT> aws cloudformation describe-stacks --stack-name myteststack

{
"Stacks": [
{
"StackId": "arn:aws:cloudformation:us-east-2:123456789012:stack/myteststack/
a69442d0-0b8f-11e3-8b8a-500150b352e0",
"Description": "AWS CloudFormation Sample Template S3_Bucket: Sample template
showing how to create a publicly accessible S3 bucket. **WARNING** This template creates
an S3 bucket.
You will be billed for the AWS resources used if you create a stack from this template.",
"Tags": [],

118
"Outputs": [
{
"Description": "Name of S3 bucket to hold website content",
"OutputKey": "BucketName",
"OutputValue": "myteststack-s3bucket-jssofi1zie2w"
}
],
"CreationTime": "2013-08-23T01:02:15.422Z",
"Capabilities": [],
"StackStatus": "CREATE_COMPLETE",
"DisableRollback": false
}
]
}
If you don't use the --stack-name option to limit the output to one stack, information on all your
running stacks is returned.
Stack Status Codes

You can specify one or more stack status codes to list only stacks with the specified status codes. The
following table describes each stack status code:
CREATE_COMPLETE Successful creation of one or more stacks.
CREATE_IN_PROGRESS Ongoing creation of one or more stacks.
CREATE_FAILED Unsuccessful creation of one or more stacks. View the stack

events to see any associated error messages. Possible reasons
for a failed creation include insufficient permissions to work with
all resources in the stack, parameter values rejected by an AWS
service, or a timeout during resource creation.
DELETE_COMPLETE Successful deletion of one or more stacks. Deleted stacks are

retained and viewable for 90 days.
DELETE_FAILED Unsuccessful deletion of one or more stacks. Because the delete

failed, you might have some resources that are still running;
however, you cannot work with or update the stack. Delete the
stack again or view the stack events to see any associated error
messages.
DELETE_IN_PROGRESS Ongoing removal of one or more stacks.
REVIEW_IN_PROGRESS Ongoing creation of one or more stacks with an expected

StackId but without any templates or resources.
Important
A stack with this status code counts against the
maximum possible number of stacks (p. 22).
ROLLBACK_COMPLETE Successful removal of one or more stacks after a failed stack

creation or after an explicitly canceled stack creation. Any
resources that were created during the create stack action are
deleted.

119

This status exists only after a failed stack creation. It signifies
that all operations from the partially created stack have been
appropriately cleaned up. When in this state, only a delete
operation can be performed.
ROLLBACK_FAILED Unsuccessful removal of one or more stacks after a failed stack

creation or after an explicitly canceled stack creation. Delete
the stack or view the stack events to see any associated error
messages.
ROLLBACK_IN_PROGRESS Ongoing removal of one or more stacks after a failed stack

creation or after an explicitly cancelled stack creation.
UPDATE_COMPLETE Successful update of one or more stacks.
Ongoing removal of old resources for one or more stacks after a

UPDATE_COMPLETE_CLEANUP_IN_PROGRESS
successful stack update. For stack updates that require resources
to be replaced, AWS CloudFormation creates the new resources
first and then deletes the old resources to help reduce any
interruptions with your stack. In this state, the stack has been
updated and is usable, but AWS CloudFormation is still deleting
the old resources.
UPDATE_IN_PROGRESS Ongoing update of one or more stacks.
UPDATE_ROLLBACK_COMPLETE Successful return of one or more stacks to a previous working

state after a failed stack update.
Ongoing removal of new resources for one or more stacks after a

UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS
failed stack update. In this state, the stack has been rolled back to
its previous working state and is usable, but AWS CloudFormation
is still deleting any new resources it created during the stack
update.
UPDATE_ROLLBACK_FAILED Unsuccessful return of one or more stacks to a previous working

state after a failed stack update. When in this state, you can
delete the stack or continue rollback (p. 158). You might need
to fix errors before your stack can return to a working state. Or,
you can contact customer support to restore the stack to a usable
state.
UPDATE_ROLLBACK_IN_PROGRESS Ongoing return of one or more stacks to the previous working

state after failed stack update.


configuration.

120
Viewing Stack Event History

You can track the status of the resources AWS CloudFormation is creating and deleting with the aws
cloudformation describe-stack-events command. The amount of time to create or delete a
stack depends on the complexity of your stack.
In the following example, a sample stack is created from a template file by using the aws
cloudformation create-stack command. After the stack is created, the events that were reported
during stack creation are shown by using the aws cloudformation describe-stack-events command.
The following example creates a stack with the name myteststack using the sampletemplate.json
template file:
PROMPT> aws cloudformation create-stack --stack-name myteststack --template-body file:///

home/local/test/sampletemplate.json
[
{
"StackId": "arn:aws:cloudformation:us-east-2:123456789012:stack/
myteststack/466df9e0-0dff-08e3-8e2f-5088487c4896",
an S3 bucket.
"Tags": [],
"Outputs": [
{
"OutputKey": "BucketName",
"OutputValue": "myteststack-s3bucket-jssofi1zie2w"
}
],
"CreationTime": "2013-08-23T01:02:15.422Z",
"Capabilities": [],
"StackStatus": "CREATE_COMPLETE",
"DisableRollback": false
}
]
The following example describes the myteststack stack events:
PROMPT> aws cloudformation describe-stack-events --stack-name myteststack

{
"StackEvents": [
{
"EventId": "af67ef60-0b8f-11e3-8b8a-500150b352e0",
"ResourceStatus": "CREATE_COMPLETE",
"ResourceType": "AWS::CloudFormation::Stack",
"Timestamp": "2013-08-23T01:02:30.070Z",
"PhysicalResourceId": "arn:aws:cloudformation:us-east-2:123456789012:stack/
myteststack/a69442d0-0b8f-11e3-8b8a-500150b352e0",
"LogicalResourceId": "myteststack"
},
{
"EventId": "S3Bucket-CREATE_COMPLETE-1377219748025",

121
"ResourceType": "AWS::S3::Bucket",
"Timestamp": "2013-08-23T01:02:28.025Z",
"ResourceProperties": "{\"AccessControl\":\"PublicRead\"}",
"PhysicalResourceId": "myteststack-s3bucket-jssofi1zie2w",
"LogicalResourceId": "S3Bucket"
},
{
"EventId": "S3Bucket-CREATE_IN_PROGRESS-1377219746688",
"ResourceStatus": "CREATE_IN_PROGRESS",
"Timestamp": "2013-08-23T01:02:26.688Z",
"ResourceStatusReason": "Resource creation Initiated",
"PhysicalResourceId": "myteststack-s3bucket-jssofi1zie2w",
},
{
"EventId": "S3Bucket-CREATE_IN_PROGRESS-1377219743862",
"Timestamp": "2013-08-23T01:02:23.862Z",
"PhysicalResourceId": null,
},
{
"EventId": "a69469e0-0b8f-11e3-8b8a-500150b352e0",
"ResourceType": "AWS::CloudFormation::Stack",
"Timestamp": "2013-08-23T01:02:15.422Z",
"ResourceStatusReason": "User Initiated",
"PhysicalResourceId": "arn:aws:cloudformation:us-east-2:123456789012:stack/
myteststack/a69442d0-0b8f-11e3-8b8a-500150b352e0",
"LogicalResourceId": "myteststack"
}
]
}
Note
You can run the aws cloudformation describe-stack-events command while the stack is being
created to view events as they are reported.
The most recent events are reported first. The following table describe the fields returned by the aws
cloudformation describe-stack-events command:
Field Description
EventId Event identifier
StackName Name of the stack that the event corresponds to
StackId Identifier of the stack that the event corresponds to

122
Listing Resources
Field Description
LogicalResourceId Logical identifier of the resource
PhysicalResourceId Physical identifier of the resource
ResourceProperties Properties of the resource
ResourceType Type of the resource
Timestamp Time when the event occurred
ResourceStatus The status of the resource, which can be one of the following
status codes: CREATE_COMPLETE | CREATE_FAILED |
CREATE_IN_PROGRESS | DELETE_COMPLETE | DELETE_FAILED |
DELETE_IN_PROGRESS | DELETE_SKIPPED | UPDATE_COMPLETE |
UPDATE_FAILED | UPDATE_IN_PROGRESS.
The DELETE_SKIPPED status applies to resources with a deletion

policy attribute of retain.
ResourceStatusReason More information on the status
Listing Resources
Immediately after you run the aws cloudformation create-stack command, you can list its
resources using the aws cloudformation list-stack-resources command. This command lists a
summary of each resource in the stack that you specify with the --stack-name parameter. The report
includes a summary of the stack, including the creation or deletion status.
The following example shows the resources for the myteststack stack:
PROMPT> aws cloudformation list-stack-resources --stack-name myteststack

{
"StackResourceSummaries": [
{
"ResourceStatusReason": null,
"LastUpdatedTimestamp": "2013-08-23T01:02:28.025Z",
"PhysicalResourceId": "myteststack-s3bucket-sample",
}
]
}
AWS CloudFormation reports resource details on any running or deleted stack. If you specify the name of
a stack whose status is CREATE_IN_PROCESS, AWS CloudFormation reports only those resources whose
status is CREATE_COMPLETE.
Note
The aws cloudformation describe-stack-resources command returns information on deleted
stacks for 90 days after they have been deleted.
Retrieving a Template
AWS CloudFormation stores the template you use to create your stack as part of the stack. You can
retrieve the template from AWS CloudFormation using the aws cloudformation get-template
command.

123
Validating a Template
Note
The aws cloudformation get-template command returns the deleted stacks templates for
up to 90 days after the stack has been deleted.
The following example shows the template for the myteststack stack:
PROMPT> aws cloudformation get-template --stack-name myteststack

{
"TemplateBody": {
"AWSTemplateFormatVersion": "2010-09-09",
"Outputs": {
"BucketName": {
"Value": {
"Ref": "S3Bucket"
}
}
},
an S3 bucket.
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicRead"
}
}
}
}
}
The output contains the entire template body, enclosed in quotation marks.
Validating a Template
To check your template file for syntax errors, you can use the aws cloudformation validate-
template command.
Note
The aws cloudformation validate-template command is designed to check only the
syntax of your template. It does not ensure that the property values that you have specified for
a resource are valid for that resource. Nor does it determine the number of resources that will
exist when the stack is created.
To check the operational validity, you need to attempt to create the stack. There is no sandbox or test
area for AWS CloudFormation stacks, so you are charged for the resources you create during testing.
During validation, AWS CloudFormation first checks if the template is valid JSON. If it isn't, AWS
CloudFormation checks if the template is valid YAML. If both checks fail, AWS CloudFormation returns a
template validation error. You can validate templates locally by using the --template-body parameter,
or remotely with the --template-url parameter. The following example validates a template in a
remote location:
PROMPT> aws cloudformation validate-template --template-url https://s3.amazonaws.com/

cloudformation-templates-us-east-1/S3_Bucket.template
{
"Description": "AWS CloudFormation Sample Template S3_Bucket: Sample template showing
how to create a publicly accessible S3 bucket. **WARNING** This template creates an S3
bucket.

124
Uploading Local Artifacts to an S3 Bucket
"Parameters": [],
"Capabilities": []
}
The expected result is no error message, with information about all parameters listed.
The following example shows an error with a local template file:
PROMPT> aws cloudformation validate-template --template-body file:///home/local/test/

sampletemplate.json
{
"ResponseMetadata": {
"RequestId": "4ae33ec0-1988-11e3-818b-e15a6df955cd"
},
"Errors": [
{
"Message": "Template format error: JSON not well-formed. (line 11, column 8)",
"Code": "ValidationError",
"Type": "Sender"
}
],
"Capabilities": [],
"Parameters": []
}
A client error (ValidationError) occurred: Template format error: JSON not well-formed.
(line 11, column 8)
Uploading Local Artifacts to an S3 Bucket

For some resource properties that require an Amazon S3 location (a bucket name and filename), you can
specify local references instead. For example, you might specify the S3 location of your AWS Lambda
function's source code or an Amazon API Gateway REST API's OpenAPI (formerly Swagger) file. Instead
of manually uploading the files to an S3 bucket and then adding the location to your template, you can
specify local references, called local artifacts, in your template and then use the package command to
quickly upload them. A local artifact is a path to a file or folder that the package command uploads to
Amazon S3. For example, an artifact can be a local path to your AWS Lambda function's source code or
an Amazon API Gateway REST API's OpenAPI file.
If you specify a file, the command directly uploads it to the S3 bucket. After uploading the artifacts, the
command returns a copy of your template, replacing references to local artifacts with the S3 location
where the command uploaded the artifacts. Then, you can use the returned template to create or update
a stack.
If you specify a folder, the command creates a .zip file for the folder, and then uploads the .zip file. If you
don’t specify a path, the command creates a .zip file for the working directory, and uploads it. You can
specify an absolute or relative path, where the relative path is relative to your template’s location.
You can use local artifacts only for resource properties that the package command supports. For
more information about this command and a list of the supported resource properties, see the aws
cloudformation package command in the AWS CLI Command Reference.
The following template specifies the local artifact for a Lambda function's source code. The source code
is stored in the user's /home/user/code/lambdafunction folder.
Original Template
Transform: 'AWS::Serverless-2016-10-31'

125
Quickly Deploying Templates with Transforms
Resources:
MyFunction:
Type: 'AWS::Serverless::Function'
Properties:
Handler: index.handler
Runtime: nodejs8.10
CodeUri: /home/user/code/lambdafunction
The following command creates a .zip file containing the function's source code folder, and then uploads
the .zip file to the root folder of the my-bucket bucket.
Package Command
aws cloudformation package --template /path_to_template/template.json --s3-bucket mybucket

--output json > packaged-template.json
The command saves the template that it generates to the path specified by the --output option. The
command replaces the artifact with the S3 location, as shown in the following example:
Resulting Template
Transform: 'AWS::Serverless-2016-10-31'
Resources:
MyFunction:
Type: 'AWS::Serverless::Function'
Properties:
Runtime: nodejs8.10
CodeUri: s3://mybucket/lambdafunction.zip
Quickly Deploying Templates with Transforms

AWS CloudFormation requires you to use a change set to create a template that includes transforms.
Instead of independently creating and then executing a change set, use the aws cloudformation
deploy command. When you run this command, it creates a change set, executes the change set, and
then terminates. This command reduces the numbers of required steps when you create or update a
stack that includes transforms.
The following command creates a new stack by using the my-template.json template.
aws cloudformation deploy --template /path_to_template/my-template.json --stack-name my-

new-stack --parameter-overrides Key1=Value1 Key2=Value2
For more information, see the aws cloudformation deploy command in the AWS CLI Command
Reference
Deleting a Stack
To delete a stack, you run the aws cloudformation delete-stack command. You must specify the
name of the stack that you want to delete. When you delete a stack, you delete the stack and all of its
resources.
The following example deletes the myteststack stack:
PROMPT> aws cloudformation delete-stack --stack-name myteststack

126
Stack Updates
Note
You cannot delete a stack that has termination protection enabled. For more information, see
Protecting a Stack From Being Deleted (p. 114)
AWS CloudFormation Stack Updates

When you need to make changes to a stack's settings or change its resources, you update the stack
instead of deleting it and creating a new stack. For example, if you have a stack with an EC2 instance, you
can update the stack to change the instance's AMI ID.
When you update a stack, you submit changes, such as new input parameter values or an updated
template. AWS CloudFormation compares the changes you submit with the current state of your stack
and updates only the changed resources. For a summary of the update workflow, see How Does AWS
CloudFormation Work? (p. 5).
Note
When updating a stack, AWS CloudFormation might interrupt resources or replace updated
resources, depending on which properties you update. For more information about resource
update behaviors, see Update Behaviors of Stack Resources (p. 127).
Update Methods
AWS CloudFormation provides two methods for updating stacks: direct update or creating and
executing change sets. When you directly update a stack, you submit changes and AWS CloudFormation
immediately deploys them. Use direct updates when you want to quickly deploy your updates.
With change sets, you can preview the changes AWS CloudFormation will make to your stack, and then
decide whether to apply those changes. Change sets are JSON-formatted documents that summarize
the changes AWS CloudFormation will make to a stack. Use change sets when you want to ensure that
AWS CloudFormation doesn't make unintentional changes or when you want to consider several options.
For example, you can use a change set to verify that AWS CloudFormation won't replace your stack's
database instances during an update.
Topics
• Update Behaviors of Stack Resources (p. 127)
• Modifying a Stack Template (p. 128)
• Updating Stacks Using Change Sets (p. 130)
• Updating Stacks Directly (p. 145)
• Monitoring the Progress of a Stack Update (p. 147)
• Canceling a Stack Update (p. 148)
• Prevent Updates to Stack Resources (p. 149)
• Continue Rolling Back an Update (p. 158)
Update Behaviors of Stack Resources

When you submit an update, AWS CloudFormation updates resources based on differences between
what you submit and the stack's current template. Resources that have not changed run without
disruption during the update process. For updated resources, AWS CloudFormation uses one of the
following update behaviors:
Update with No Interruption
AWS CloudFormation updates the resource without disrupting operation of that resource and
without changing the resource's physical ID. For example, if you update any property on an
AWS::CloudTrail::Trail resource, AWS CloudFormation updates the trail without disruption.

127
Modifying a Stack Template
Updates with Some Interruption
AWS CloudFormation updates the resource with some interruption and retains the physical ID. For
example, if you update certain properties on an AWS::EC2::Instance resource, the instance might
have some interruption while AWS CloudFormation and Amazon EC2 reconfigure the instance.
Replacement
AWS CloudFormation recreates the resource during an update, which also generates a new physical
ID. AWS CloudFormation creates the replacement resource first, changes references from other
dependent resources to point to the replacement resource, and then deletes the old resource.
For example, if you update the Engine property of an AWS::RDS::DBInstance resource type, AWS
CloudFormation creates a new resource and replaces the current DB instance resource with the new
one.
The method AWS CloudFormation uses depends on which property you update for a given resource type.
The update behavior for each property is described in the AWS Resource Types Reference (p. 604).
Depending on the update behavior, you can decide when to modify resources to reduce the impact of
these changes on your application. In particular, you can plan when resources must be replaced during an
update. For example, if you update the Port property of an AWS::RDS::DBInstance resource type, AWS
CloudFormation replaces the DB instance by creating a new DB instance with the updated port setting
and deletes the old DB instance. Before the update, you might plan to do the following to prepare for
the database replacement:
• Take a snapshot of the current databases.

• Prepare a strategy for how applications that use that DB instance will handle an interruption while the
DB instance is being replaced.
• Ensure that the applications that use that DB instance take into account the updated port setting and
any other updates you have made.
• Use the DB snapshot to restore the databases on the new DB instance.
This example is not exhaustive; it's meant to give you an idea of the things to plan for when a resource is
replaced during an update.
Note
If the template includes one or more nested stacks, AWS CloudFormation also initiates an
update for every nested stack. This is necessary to determine whether the nested stacks have
been modified. AWS CloudFormation updates only those resources in the nested stacks that
have changes specified in corresponding templates.

If you want to modify resources and properties that are declared in a stack template, you must modify
the stack's template. To ensure that you update only the resources that you intend to update, use the
template for the existing stack as a starting point and make your updates to that template. If you are
managing your template in a source control system, use a copy of that template as a starting point.
Otherwise, you can get a copy of a stack template from AWS CloudFormation.
If you want to modify just the parameters or settings of a stack (like a stack's Amazon SNS topic), you
can reuse the existing stack template. You don't need to get a copy of the stack template or make
modifications to the stack template.
Note
If your template includes an unsupported change, AWS CloudFormation returns a message
saying that the change is not permitted. This message might occur asynchronously, however,
because resources are created and updated by AWS CloudFormation in a non-deterministic
order by default.

128
Topics
• Update a Stack's Template (Console) (p. 129)
• Get and Update a Template for a Stack (CLI) (p. 130)
Update a Stack's Template (Console)

1. On the Stacks page of the AWS CloudFormation console, click the name of the stack that you want
to update.
2. In the stack details pane for the selected stack, select the Template pane, and then click View in
Designer.
AWS CloudFormation opens a copy of the stack's template in AWS CloudFormation Designer.
3. Modify the template.
You can use the AWS CloudFormation Designer drag-and-drop interface or the integrated JSON
and YAML editor to modify the template. For more information about using AWS CloudFormation
Designer, see What Is AWS CloudFormation Designer? (p. 274).
Modify only the resources that you want to update. Use the same values as the current stack
configuration for resources and properties that you aren't updating. You can modify the template by
completing any of the following actions:
• Add new resources, or remove existing resources.
For most resources, changing the logical name of a resource is equivalent to deleting that resource
and replacing it with a new one. Any other resources that depend on the renamed resource also
need to be updated and might cause them to be replaced. Other resources require you to update a
property (not just the logical name) in order to trigger an update.
• Add, modify, or delete properties of existing resources.
Consult the AWS Resource Types Reference (p. 604) for information about the effects of
updating particular resource properties. For each property, the effects of an update will be one of
the following:
• Update requires: No interruption (p. 127)
• Update requires: Some interruptions (p. 128)
• Update requires: Replacement (p. 128)
• Add, modify, or delete attributes for resources (Metadata, DependsOn, CreationPolicy,
UpdatePolicy, and DeletionPolicy).
Important
You cannot update the CreationPolicy, DeletionPolicy. or UpdatePolicy
attribute by itself. You can update them only when you include changes that add, modify,
or delete resources. For example, you can add or modify a metadata attribute of a
resource.
• Add, modify, or delete parameter declarations. However, you cannot add, modify, or delete a
parameter that is used by a resource that does not support updates.
• Add, modify, or delete mapping declarations.
Important
If the values in a mapping are not being used by your stack, you can't update the
mapping by itself. You need to include changes that add, modify, or delete resources.
For example, you can add or modify a metadata attribute of a resource. If you update
a mapping value that your stack is using, you don't need to make any other changes to
trigger an update.
• Add, modify, or delete condition declarations.
129
Updating Stacks Using Change Sets
Important
You cannot update conditions by themselves. You can update conditions only when
you include changes that add, modify, or delete resources. For example, you can add or
modify a metadata attribute of a resource.
• Add, modify, or delete output value declarations.
Some resources or properties may have constraints on property values or changes to those values.
For example, changes to the AllocatedStorage property of an AWS::RDS::DBInstance resource
must be greater than the current setting. If the value specified for the update does not meet those
constraints, the update for that resource fails. For the specific constraints on AllocatedStorage
changes, see ModifyDBInstance.
Updates to a resource can affect the properties of other resources. If you used the Ref function
(p. 3824) or the Fn::GetAtt function (p. 3807) to specify an attribute from an updated resource
as part of a property value in another resource in the template, AWS CloudFormation also updates
the resource that contains the reference to the property that has changed. For example, if you
updated the MasterUsername property of an AWS::RDS::DBInstance resource and you had
an AWS::AutoScaling::LaunchConfiguration resource that had a UserData property that
contained a reference to the DB instance name using the Ref function, AWS CloudFormation would
recreate the DB instance with a new name and also update the LaunchConfiguration resource.
4. To check for syntax errors in your template, from the AWS CloudFormation Designer toolbar, choose
Validate template ( ).
View and fix any errors in the Messages pane, and then validate the template again. If you don't see
any errors, your template is syntactically valid.
5.
From the AWS CloudFormation Designer toolbar, choose the File menu ( ) and then Save to save
the template in an S3 bucket or locally.
Get and Update a Template for a Stack (CLI)

1. To get the template for the stack you want to update, use the command aws cloudformation
get-template.
2. Copy the template, paste it into a text file, modify it, and save it. Copy only the template. The
command encloses the template in quotation marks, but do not copy the quotation marks
surrounding the template. The template itself starts with an open brace and ends with the final
close brace. Specify changes to the stack's resources in this file.

When you need to update a stack, understanding how your changes will affect running resources before
you implement them can help you update stacks with confidence. Change sets allow you to preview how
proposed changes to a stack might impact your running resources, for example, whether your changes
will delete or replace any critical resources, AWS CloudFormation makes the changes to your stack
only when you decide to execute the change set, allowing you to decide whether to proceed with your
proposed changes or explore other changes by creating another change set. You can create and manage
change sets using the AWS CloudFormation console, AWS CLI, or AWS CloudFormation API.
Topics
• Creating a Change Set (p. 131)
• Viewing a Change Set (p. 133)
• Executing a Change Set (p. 136)

130
• Deleting a Change Set (p. 137)

• Example Change Sets (p. 138)
Important
Change sets don't indicate whether AWS CloudFormation will successfully update a stack.
For example, a change set doesn't check if you will surpass an account limit (p. 22), if you're
updating a resource (p. 604) that doesn't support updates, or if you have insufficient
permissions (p. 9) to modify a resource, all of which can cause a stack update to fail. If an update
fails, AWS CloudFormation attempts to roll back your resources to their original state.
Change Set Overview
The following diagram summarizes how you use change sets to update a stack:
1. Create a change set by submitting changes for the stack that you want to update. You can submit a
modified stack template or modified input parameter values. AWS CloudFormation compares your
stack with the changes that you submitted to generate the change set; it doesn't make changes to
your stack at this point.
2. View the change set to see which stack settings and resources will change. For example, you can see
which resources AWS CloudFormation will add, modify, or delete.
3. Optional: If you want to consider other changes before you decide which changes to make, create
additional change sets. Creating multiple change sets helps you understand and evaluate how
different changes will affect your resources. You can create as many change sets as you need.
4. Execute the change set that contains the changes that you want to apply to your stack. AWS
CloudFormation updates your stack with those changes.
Note
After you execute a change, AWS CloudFormation removes all change sets that are associated
with the stack because they aren't applicable to the updated stack.
You can also delete change sets to prevent executing a change set that shouldn't be applied.
Creating a Change Set

To create a change set for a running stack, submit the changes that you want to make by providing a
modified template, new input parameter values, or both. AWS CloudFormation generates a change set
by comparing your stack with the changes you submitted.
You can either modify a template before creating the change set (p. 128) or during change set creation.
To create a change set (console)
1. In the AWS CloudFormation console, in Stacks, choose the running stack for which you want to
create a change set.
2. In the stack details pane, choose Stack actions, and then choose Create change set for current
stack.

131
3. On the Create change set for stack-name page, do one of the following to modify input
parameter values, specify the location of an updated template, or modify the template:
Task Action
To modify input Choose Use current template, and then click Next to proceed to enter
parameter values or modify input parameter values.
To specify the location of If you've modified the template, choose Replace current template,
an updated template and then do one of the following:
• For a template stored in an Amazon S3 bucket, choose Amazon S3

URL. Enter or paste the URL for the template, and then choose Next.
If you have a template in a versioning-enabled bucket, you can

specify a specific version of the template, such as https://
s3.amazonaws.com/templates/myTemplate.template?
versionId=123ab1cdeKdOW5IH4GAcYbEngcpTJTDW. For more
information, see Managing Objects in a Versioning-Enabled Bucket
in the Amazon Simple Storage Service Console User Guide.
• For a template stored locally on your computer, choose Upload a
template file. Choose Choose File to navigate to the file and select
it, and then choose Next.
To modify the template If you haven't modified the template, choose Edit template in
designer, and then choose View in designer. You're redirected to the
AWS CloudFormation Designer. Once you've modified the template,
choose to return to the Create change set for stack-name page,
and then choose Next.
4. If your template contains parameters, on the Specify stack details page, enter or modify applicable
input parameter values, and then choose Next.
If you're reusing the stack's template, AWS CloudFormation populates each parameter with the
current value in the stack, with the exception of parameters declared with the NoEcho attribute. To
use existing values for those parameters, select Use existing value.
For more information about using NoEcho to mask sensitive information, as well as using dynamic
parameters to manage secrets, see the Do Not Embed Credentials in Your Templates best practice.
5. On the Configure stack options page, update the stack's tags, IAM service role, stack policy, rollback
configuration, or Amazon SNS notification topic (if applicable), and then choose Next.
6. On the Review stack-name page, review the changes for this change set.
If the template includes AWS Identity and Access Management (IAM) resources, select I
acknowledge that AWS CloudFormation might create IAM resources. IAM resources can modify
permissions in your AWS account; review these resources to ensure that you're permitting only the
actions that you intend. For more information, see Controlling Access with AWS Identity and Access
Management (p. 9).
7. Choose Create change set. Specify a name for the change set and optionally specify a description of
the change set to identify its purpose. Then, choose Create change set.
You're redirected to the Changes tab of the change set's details page. While AWS CloudFormation
generates the change set, the status of the change set is CREATE_IN_PROGRESS. After it has
created the change set, AWS CloudFormation sets the status to CREATE_COMPLETE. In the Changes
section, AWS CloudFormation lists all of the changes that it will make to your stack. For more
information, see Viewing a Change Set (p. 133).

132
If AWS CloudFormation fails to create the change set (reports FAILED status), fix the error displayed
in the Status field, and then recreate the change set.
To create a change set (AWS CLI)
• Run the aws cloudformation create-change-set command.
You submit your changes as command options. You can specify new parameter values, a
modified template, or both. For example, the following command creates a change set named
SampleChangeSet for the SampleStack stack. The change set uses the current stack's template,
but with a different value for the Purpose parameter:
aws cloudformation create-change-set --stack-name arn:aws:cloudformation:us-

east-1:123456789012:stack/SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000
--change-set-name SampleChangeSet --use-previous-template --
parameters ParameterKey="InstanceType",UsePreviousValue=true
ParameterKey="KeyPairName",UsePreviousValue=true
ParameterKey="Purpose",ParameterValue="production"
Viewing a Change Set

After you create a change set, you can view the proposed changes before executing them. You can use
the AWS CloudFormation console, AWS CLI, or AWS CloudFormation API to view change sets. The AWS
CloudFormation console provides a summary of the changes and a detailed list of changes in JSON
format. The AWS CLI and AWS CloudFormation API return a detailed list of changes in JSON format.
To view a change (console)
1. In the AWS CloudFormation console, in Stacks, choose the name of the stack that contains the
change set that you want to view.
2. In the navigation pane, choose Change Sets to view a list of the stack's change sets.

133
3. Choose the name of the change set that you want view.
The AWS CloudFormation console directs you to the change set's details page, where you can see
the time the change set was created, its status, the input used to generate the change set, and a
summary of the changes.
In the Changes section, each row represents a resource that AWS CloudFormation will add, delete,
or modify. AWS CloudFormation creates a resource when you add a resource to the stack's template.
AWS CloudFormation deletes a resource when you delete a resource from the stack's template.
AWS CloudFormation modifies a resource when you change the properties of a resource in the
stack's template. Note that a modification can cause the resource to be interrupted or replaced
(recreated). For more information about resource update behaviors, see Update Behaviors of Stack
Resources (p. 127).
To focus on specific changes, use the filter view. For example, filter for a specific resource type, such
as AWS::EC2::Instance. To filter for a specific resource, specify its logical or physical ID, such as
myWebServer or i-123abcd4.
If you want to consider other changes before you decide which changes to make, create additional
change sets.
To view a change set (AWS CLI)
1. To get the ID of the change set, run the aws cloudformation list-change-sets command.
Specify the stack ID of the stack that has the change set that you want to view, as shown in the
following example:
aws cloudformation list-change-sets --stack-name arn:aws:cloudformation:us-

east-1:123456789012:stack/SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000
AWS CloudFormation returns a list of change sets, similar to the following:

134
{
"Summaries": [
{
SampleStack/1a2345b6-0000-00a0-a123-00abc0abc000",
"Status": "CREATE_COMPLETE",
"ChangeSetName": "SampleChangeSet",
"CreationTime": "2016-03-16T20:44:05.889Z",
"StackName": "SampleStack",
"ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789012:changeSet/
SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000"
},
{
"ChangeSetName": "SampleChangeSet-conditional",
"CreationTime": "2016-03-16T21:15:56.398Z",
SampleChangeSet-conditional/1a2345b6-0000-00a0-a123-00abc0abc000"
},
{
"ChangeSetName": "SampleChangeSet-replacement",
"CreationTime": "2016-03-16T21:03:37.706Z",
SampleChangeSet-replacement/1a2345b6-0000-00a0-a123-00abc0abc000"
}
]
}
2. Run the aws cloudformation describe-change-set command, specifying the ID of the change set that
you want to view. For example:
aws cloudformation describe-change-set --change-set-name arn:aws:cloudformation:us-

east-1:123456789012:changeSet/SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000
AWS CloudFormation returns information about the specified change set:
{
"ChangeSetName": "SampleChangeSet-direct",
"Parameters": [
{
"ParameterValue": "testing",
"ParameterKey": "Purpose"
},
{
"ParameterValue": "ellioty-useast1",
"ParameterKey": "KeyPairName"
},
{
"ParameterValue": "t2.micro",
"ParameterKey": "InstanceType"
}
],

135
"Changes": [
{
"ResourceChange": {
"ResourceType": "AWS::EC2::Instance",
"PhysicalResourceId": "i-1abc23d4",
"Details": [
{
"ChangeSource": "DirectModification",
"Evaluation": "Static",
"Target": {
"Attribute": "Tags",
"RequiresRecreation": "Never"
}
}
],
"Action": "Modify",
"Scope": [
"Tags"
],
"LogicalResourceId": "MyEC2Instance",
"Replacement": "False"
},
"Type": "Resource"
}
],
"CreationTime": "2016-03-17T23:35:25.813Z",
"Capabilities": [],
"NotificationARNs": [],
SampleChangeSet-direct/9edde307-960d-4e6e-ad66-b09ea2f20255"
}
The Changes key lists changes to resources. If you were to execute this change set, AWS
CloudFormation would update the tags of the i-1abc23d4 EC2 instance. For a description of each
field, see the Change data type in the AWS CloudFormation API Reference.
For additional examples of change sets, see Example Change Sets (p. 138).
Executing a Change Set

To make the changes described in a change set to your stack, execute the change set.
Important
After you execute a change set, AWS CloudFormation deletes any additional change sets that
are associated with the stack because they are no longer valid for the updated stack. If an
update fails, you need to create a new change set.
Stack Policies and Executing a Change Set
If you execute a change set on a stack that has a stack policy associated with it, AWS CloudFormation
enforces the policy when it updates the stack. You can't specify a temporary stack policy that overrides
the existing policy when you execute a change set. To update a protected resource, you must update the
stack policy or use the direct update (p. 145) method.
To execute a change set (console)
1. In the AWS CloudFormation console, in Stacks, choose the name the stack that you want to update.
3. Choose the name of the change set that you want execute.

136
4. On the change set's details page, choose Execute.
AWS CloudFormation immediately starts updating the stack. The AWS CloudFormation console
directs you to the Events (p. 106) tab, where you can monitor the progress of the stack update.
To execute a change set (AWS CLI)
• Run the aws cloudformation execute-change-set command.
Specify the change set ID of the change set that you want to execute, as shown in the following
example:
aws cloudformation execute-change-set --change-set-name arn:aws:cloudformation:us-

The command in the example executes a change set with the ID arn:aws:cloudformation:us-
east-1:123456789012:changeSet/SampleChangeSet/1a2345b6-0000-00a0-
a123-00abc0abc000.
After you run the command, AWS CloudFormation starts updating the stack. To view the stack's
progress, use the aws cloudformation describe-stacks (p. 118) command.
Deleting a Change Set

Deleting a change set removes it from the list of change sets for the stack. Deleting a change set
prevents you or another user from accidentally executing a change set that shouldn't be applied. Unless
you delete them, AWS CloudFormation retains all change sets until you update the stack.
To delete a change set (console)
1. In the AWS CloudFormation console, in Stacks, select the name of the stack that contains the
change set that you want to delete.
3. Select the name of the change set that you want delete.
4. On the change set's details page, choose Delete.
AWS CloudFormation immediately starts to delete the change set from the stack's list of change
sets, and you're redirected to the Stacks page.
To delete a change set (AWS CLI)
• Run the aws cloudformation delete-change-set command, specifying the ID of the change set that
you want to delete, as shown in the following example:

137
aws cloudformation delete-change-set --change-set-name arn:aws:cloudformation:us-

Example Change Sets

This section provides examples of the change sets that AWS CloudFormation would create for common
stack changes. They show how to edit a template directly; modify a single input parameter; plan for
resource recreation (replacements), which prevents you from losing data that wasn't backed up or
interrupting applications that are running in your stack; and add and remove resources. To illustrate
how change sets work, we'll walk through the changes that were submitted and discuss the resulting
change set. Because each example builds on and assumes that you understand the previous example, we
recommend that you read them in order. For a description of each field in a change set, see the Change
data type in the AWS CloudFormation API Reference.
You can use the console (p. 133), AWS CLI, or AWS CloudFormation API to view change set details.
We generated each of the following change sets from a stack with the following sample template:
{
"Description" : "A sample EC2 instance template for testing change sets.",
"Parameters" : {
"Purpose" : {
"Type" : "String",
"Default" : "testing",
"AllowedValues" : ["testing", "production"],
"Description" : "The purpose of this instance."
},
"KeyPairName" : {
instance"
},
"InstanceType" : {
"Type" : "String",
"Default" : "t2.micro",
"AllowedValues" : ["t2.micro", "t2.small", "t2.medium"],
"Description" : "The EC2 instance type."
}
},
"Resources" : {
"MyEC2Instance" : {
"Properties" : {
"KeyName" : { "Ref" : "KeyPairName" },
"ImageId" : "ami-8fcee4e5",
"Tags" : [
{
"Key" : "Purpose",
"Value" : { "Ref" : "Purpose" }
}
]
}
}
}
}

138
Directly Editing a Template

When you directly modify resources in the stack's template to generate a change set, AWS
CloudFormation classifies the change as a direct modification, as opposed to changes triggered by
an updated parameter value. The following change set, which added a new tag to the i-1abc23d4
instance, is an example of a direct modification. All other input values, such as the parameter values and
capabilities, are unchanged, so we'll focus on the Changes structure.
{
"ChangeSetName": "SampleChangeSet-direct",
"Parameters": [
{
},
{
"ParameterValue": "MyKeyName",
},
{
}
],
"Changes": [
{
"ResourceChange": {
"Details": [
{
"Target": {
}
}
],
"Action": "Modify",
"Scope": [
"Tags"
],
},
"Type": "Resource"
}
],
"CreationTime": "2016-03-17T23:35:25.813Z",
"Capabilities": [],
SampleChangeSet-direct/1a2345b6-0000-00a0-a123-00abc0abc000"
}
In the Changes structure, there's only one ResourceChange structure. This structure describes
information such as the type of resource AWS CloudFormation will change, the action AWS
CloudFormation will take, the ID of the resource, the scope of the change, and whether the change

139
requires a replacement (where AWS CloudFormation creates a new resource and then deletes the old
one). In the example, the change set indicates that AWS CloudFormation will modify the Tags attribute
of the i-1abc23d4 EC2 instance, and doesn't require the instance to be replaced.
In the Details structure, AWS CloudFormation labels this change as a direct modification that will
never require the instance to be recreated (replaced). You can confidently execute this change, knowing
that AWS CloudFormation won't replace the instance.
AWS CloudFormation shows this change as a Static evaluation. A static evaluation means that AWS
CloudFormation can determine the tag's value before executing the change set. In some cases, AWS
CloudFormation can determine a value only after you execute a change set. AWS CloudFormation
labels those changes as Dynamic evaluations. For example, if you reference an updated resource that
is conditionally replaced, AWS CloudFormation can't determine whether the reference to the updated
resource will change.
Modifying an Input Parameter Value

When you modify an input parameter value, AWS CloudFormation generates two changes for each
resource that uses the updated parameter value. In this example, we want to highlight what those
changes look like and which information you should focus on. The following example was generated by
changing the value of the Purpose input parameter only.
The Purpose parameter specifies a tag key value for the EC2 instance. In the example, the parameter
value was changed from testing to production. The new value is shown in the Parameters
structure.
{
"ChangeSetName": "SampleChangeSet",
"Parameters": [
{
"ParameterValue": "production",
},
{
},
{
}
],
"Changes": [
{
"ResourceChange": {
"Details": [
{
"Evaluation": "Dynamic",
"Target": {
}
},
{
"CausingEntity": "Purpose",
"ChangeSource": "ParameterReference",

140
"Target": {
}
}
],
"Action": "Modify",
"Scope": [
"Tags"
],
},
"Type": "Resource"
}
],
"CreationTime": "2016-03-16T23:59:18.447Z",
"Capabilities": [],
SampleChangeSet/1a2345b6-0000-00a0-a123-00abc0abc000"
}
The Changes structure functions similar to way it does in the Directly Editing a Template (p. 139)
example. There's only one ResourceChange structure; it describes a change to the Tags attribute of the
i-1abc23d4 EC2 instance.
However, in the Details structure, the change set shows two changes for the Tags attribute, even
though only a single parameter value was changed. Resources that reference a changed parameter value
(using the Ref intrinsic function) always result in two changes: one with a Dynamic evaluation and
another with a Static evaluation. You can see these types of changes by viewing the following fields:
• For the Static evaluation change, view the ChangeSource field. In this example, the ChangeSource
field equals ParameterReference, meaning that this change is a result of an updated parameter
reference value. The change set must contain a similar Dynamic evaluation change.
• You can find the matching Dynamic evaluation change by comparing the Target structure for both
changes, which will contain the same information. In this example, the Target structures for both
changes contain the same values for the Attribute and RequireRecreation fields.
For these types of changes, focus on the static evaluation, which gives you the most detailed information
about the change. In this example, the static evaluation shows that the change is the result of a change
in a parameter reference value (ParameterReference). The exact parameter that was changed is
indicated by the CauseEntity field (the Purpose parameter).
Determining the Value of the Replacement Field

The Replacement field in a ResourceChange structure indicates whether AWS CloudFormation will
recreate the resource. Planning for resource recreation (replacements) prevents you from losing data that
wasn't backed up or interrupting applications that are running in your stack.
The value in the Replacement field depends on whether a change requires a replacement,
indicated by the RequiresRecreation field in a change's Target structure. For example, if the
RequiresRecreation field is Never, the Replacement field is False. However, if there are multiple
changes on a single resource and each change has a different value for the RequiresRecreation field,
AWS CloudFormation updates the resource using the most intrusive behavior. In other words, if only
one of the many changes requires a replacement, AWS CloudFormation must replace the resource and,
therefore, sets the Replacement field to True.

141
The following change set was generated by changing the values for every parameter (Purpose,
InstanceType, and KeyPairName), which are all used by the EC2 instance. With these changes, AWS
CloudFormation will be required to replace the instance because the Replacement field is equal to
True.
{
"ChangeSetName": "SampleChangeSet-multiple",
"Parameters": [
{
"ParameterValue": "production",
},
{
"ParameterValue": "MyNewKeyName",
},
{
"ParameterValue": "t2.small",
}
],
"Changes": [
{
"ResourceChange": {
"PhysicalResourceId": "i-7bef86f8",
"Details": [
{
"Target": {
"Attribute": "Properties",
"Name": "KeyName",
"RequiresRecreation": "Always"
}
},
{
"Target": {
"Name": "InstanceType",
"RequiresRecreation": "Conditionally"
}
},
{
"Target": {
}
},
{
"CausingEntity": "KeyPairName",
"Target": {
"Name": "KeyName",
"RequiresRecreation": "Always"
}

142
},
{
"CausingEntity": "InstanceType",
"Target": {
"Name": "InstanceType",
"RequiresRecreation": "Conditionally"
}
},
{
"CausingEntity": "Purpose",
"Target": {
}
}
],
"Action": "Modify",
"Scope": [
"Tags",
"Properties"
],
"Replacement": "True"
},
"Type": "Resource"
}
],
"CreationTime": "2016-03-17T00:39:35.974Z",
"Capabilities": [],
SampleChangeSet-multiple/1a2345b6-0000-00a0-a123-00abc0abc000"
}
Identify the change that requires the resource to be replaced by viewing each change (the static
evaluations in the Details structure). In this example, each change has a different value for the
RequireRecreation field, but the change to the KeyName property has the most intrusive update
behavior, always requiring a recreation. AWS CloudFormation will replace the instance because the key
name was changed.
If the key name were unchanged, the change to the InstanceType property would have the most
intrusive update behavior (Conditionally), so the Replacement field would be Conditionally. To
find the conditions in which AWS CloudFormation replaces the instance, view the update behavior for the
InstanceType property.
Adding and Removing Resources

The following example was generated by submitting a modified template that removes the EC2 instance
and adds an Auto Scaling group and launch configuration.
{
"ChangeSetName": "SampleChangeSet-addremove",
"Parameters": [

143
{
},
{
},
{
}
],
"Changes": [
{
"ResourceChange": {
"Action": "Add",
"ResourceType": "AWS::AutoScaling::AutoScalingGroup",
"Scope": [],
"Details": [],
"LogicalResourceId": "AutoScalingGroup"
},
"Type": "Resource"
},
{
"ResourceChange": {
"Action": "Add",
"ResourceType": "AWS::AutoScaling::LaunchConfiguration",
"Scope": [],
"Details": [],
"LogicalResourceId": "LaunchConfig"
},
"Type": "Resource"
},
{
"ResourceChange": {
"Details": [],
"Action": "Remove",
"Scope": [],
"LogicalResourceId": "MyEC2Instance"
},
"Type": "Resource"
}
],
"CreationTime": "2016-03-18T01:44:08.444Z",
"Capabilities": [],
SampleChangeSet-addremove/1a2345b6-0000-00a0-a123-00abc0abc000"
}
In the Changes structure, there are three ResourceChange structures, one for each resource. For each
resource, the Action field indicates whether AWS CloudFormation adds or removes the resource. The
Scope and Details fields are empty because they apply only to modified resources.
For new resources, AWS CloudFormation can't determine the value of some fields until you execute the
change set. For example, AWS CloudFormation doesn't provide the physical IDs of the Auto Scaling group
and launch configuration because they don't exist yet. AWS CloudFormation creates the new resources
when you execute the change set.

144
Updating Stacks Directly

When you want to quickly deploy updates to your stack, perform a direct update. With a direct update,
you submit a template or input parameters that specify updates to the resources in the stack, and AWS
CloudFormation immediately deploys them. If you want to use a template to make your updates, you can
modify the current template and store it locally or in an S3 bucket.
For resource properties that don't support updates, you must keep the current values. To preview the
changes that AWS CloudFormation will make to your stack before you update it, use change sets. For
more information, see Updating Stacks Using Change Sets (p. 130).
Note
When updating a stack, AWS CloudFormation might interrupt resources or replace updated
resources, depending on which properties you update. For more information about resource
update behaviors, see Update Behaviors of Stack Resources (p. 127).
To update a AWS CloudFormation stack (console)
1. In the AWS CloudFormation console, from the list of stacks, select the running stack that you want
to update.
2. In the stack details pane, choose Update.
3. If you haven't modified the stack template, select Use current template, and then click Next.
If you have modified the template, select Replace current template and specify the location of the
updated template in the Specify template section:
• For a template stored locally on your computer, select Upload a template file. Choose Choose file
to navigate to the file and select it, and then click Next.
Note
If you upload a local template file, AWS CloudFormation uploads it to an Amazon Simple
Storage Service (Amazon S3) bucket in your AWS account. If you don't already have an
S3 bucket that was created by AWS CloudFormation, it creates a unique bucket for each
Region in which you upload a template file. If you already have an S3 bucket that was
created by AWS CloudFormation in your AWS account, AWS CloudFormation adds the
template to that bucket.
Considerations to keep in mind about S3 buckets created by AWS CloudFormation
• The buckets are accessible to anyone with Amazon S3 permissions in your AWS account.
• AWS CloudFormation creates the buckets with server-side encryption enabled by
default, thereby encrypting all objects stored in the bucket.
You can directly manage encryption options for buckets that AWS CloudFormation
has created; for example, using the Amazon S3 console at https://
console.aws.amazon.com/s3/ , or the AWS CLI. For more information, see Amazon
S3 Default Encryption for S3 Buckets in the Amazon Simple Storage Service Developer
Guide.
• You can use your own bucket and manage its permissions by manually uploading
templates to Amazon S3. When you create or update a stack, specify the Amazon S3
URL of a template file.
• For a template stored in an Amazon S3 bucket, choose Amazon S3 URL. Enter or paste the URL
for the template, and then click Next.
Objects in a Versioning-Enabled Bucket in the Amazon Simple Storage Service Console User Guide.
145
4. If your template contains parameters, on the Specify stack details page you can enter or modify the
parameter values, and then click Next.
AWS CloudFormation populates each parameter with the value that is currently set in the stack with
the exception of parameters declared with the NoEcho attribute; however, you can still use current
values by checking Use existing value.
5. On the Configure stack options page, you can update the tags and permissions applied to the
stack, as well as modfiy advanced options such as stack policy, rollback configuration, or update the
Amazon SNS notification topic.
For more information about these options, see Setting AWS CloudFormation Stack
Options (p. 103).
Click Next.
6. Review the stack information and the changes that you submitted.
Check that you submitted the correct information, such as the correct parameter values or template
URL. If your template contains IAM resources, select I acknowledge that this template may create
IAM resources to specify that you want to use IAM resources in the template. For more information
about using IAM resources in templates, see Controlling Access with AWS Identity and Access
Management (p. 9).
In the Change set preview section, check that AWS CloudFormation will make all the changes that
you expect. For example, you can check that AWS CloudFormation adds, removes, and modifies the
resources that you intended to add, remove, or modify. AWS CloudFormation generates this preview
by creating a change set for the stack. For more information, see Updating Stacks Using Change
Sets (p. 130).
7. When you are satisifed with your changes, click Update stack.
Note
At this point, you also have the option to view the change set to review your proposed
updates more thoroughly. To do so, click View change set instead of Update stack.
CloudFormation displays the change set generated based on your updates. When you are
ready to perform the stack update, click Execute.
CloudFormation displays the stack details page for your stack, with the Events pane selected. Your
stack now has a status of UPDATE_IN_PROGRESS. After CloudFormation has successfully finished
updating the stack, it sets the stack status to UPDATE_COMPLETE.
If the stack update fails, CloudFormation; automatically rolls back changes, and sets the stack status
to UPDATE_ROLLBACK_COMPLETE.
Note
You can cancel an update while it's in the UPDATE_IN_PROGRESS state. For more
information, see Canceling a Stack Update (p. 148).
146
Monitoring Progress
To update a AWS CloudFormation stack (AWS CLI)
• Use the aws cloudformation update-stack command to directly update a stack. You specify
the stack, and parameter values and capabilities that you want to update, and, if you want use an
updated template, the name of the template.
The following example updates the template and input parameters for the mystack stack:
PROMPT> aws cloudformation update-stack --stack-name mystack --template-url https://

s3.amazonaws.com/sample/updated.template
--parameters ParameterKey=VPCID,ParameterValue=SampleVPCID
ParameterKey=SubnetIDs,ParameterValue=SampleSubnetID1\\,SampleSubnetID2
The following example updates just the SubnetIDs parameter values for the mystack stack:
PROMPT> aws cloudformation update-stack --stack-name mystack --use-previous-template

--parameters ParameterKey=VPCID,UsePreviousValue=true
ParameterKey=SubnetIDs,ParameterValue=SampleSubnetID1\\,UpdatedSampleSubnetID2
The following example adds two stack notification topics to the mystack stack:

--notification-arns "arn:aws:sns:us-east-1:12345678912:mytopic" "arn:aws:sns:us-
east-1:12345678912:mytopic2"
The following example removes all stack notification topics from the mystack stack:

--notification-arns []
Monitoring the Progress of a Stack Update

You can monitor the progress of a stack update by viewing the stack's events. The console's Events tab
displays each major step in the creation and update of the stack sorted by the time of each event with
latest events on top. The start of the stack update process is marked with an UPDATE_IN_PROGRESS
event for the stack:
2011-09-30 09:35 PDT AWS::CloudFormation::Stack MyStack UPDATE_IN_PROGRESS
Next are events that mark the beginning and completion of the update of each resource that was
changed in the update template. For example, updating an AWS::RDS::DBInstance resource named MyDB
would result in the following entries:
2011-09-30 09:35 PDT AWS::RDS::DBInstance MyDB UPDATE_COMPLETE

2011-09-30 09:35 PDT AWS::RDS::DBInstance MyDB UPDATE_IN_PROGRESS
The UPDATE_IN_PROGRESS event is logged when AWS CloudFormation reports that it has begun to
update the resource. The UPDATE_COMPLETE event is logged when the resource is successfully created.
When AWS CloudFormation has successfully updated the stack, you will see the following event:

147
Canceling a Stack Update
2011-09-30 09:35 PDT AWS::CloudFormation::Stack MyStack UPDATE_COMPLETE
If an update of a resource fails, AWS CloudFormation reports an UPDATE_FAILED event that includes
a reason for the failure. For example, if your update template specified a property change that is not
supported by the resource such as reducing the size of AllocatedStorage for an AWS::RDS::DBInstance
resource, you would see events like these:
2011-09-30 09:36 PDT AWS::RDS::DBInstance MyDB UPDATE_FAILED Size cannot be less than
current size; requested: 5; current: 10
If a resource update fails, AWS CloudFormation rolls back any resources that it has updated during the
upgrade to their configurations before the update. Here is an example of the events you would see
during an update rollback:
2011-09-30 09:38 PDT AWS::CloudFormation::Stack MyStack UPDATE_ROLLBACK_COMPLETE

2011-09-30 09:38 PDT AWS::RDS::DBInstance MyDB UPDATE_COMPLETE
2011-09-30 09:37 PDT AWS::CloudFormation::Stack MyStack UPDATE_ROLLBACK_IN_PROGRESS The
following resource(s) failed to update: [MyDB]
Topics
• To view stack events by using the console (p. 148)
• To view stack events by using the command line (p. 148)
To view stack events by using the console

1. In the AWS CloudFormation console, select the stack that you updated and then click the Events tab
to view the stacks events.
2. To update the event list with the most recent events, click the refresh button in the AWS
CloudFormation console.
To view stack events by using the command line

• Use the command aws cloudformation describe-stack-events to view the events for a
stack.
Canceling a Stack Update

After a stack update has begun, you can cancel the stack update if the stack is still in the
UPDATE_IN_PROGRESS state. After an update has finished, you cannot cancel it. You can, however,
update a stack again with any previous settings.
If you cancel a stack update, the stack is rolled back to the stack configuration that existed prior to
initiating the stack update.
Topics
• To cancel a stack update by using the console (p. 149)
• To cancel a stack update by using the command line (p. 149)

148
Prevent Updates to Stack Resources
To cancel a stack update by using the console

1. From the list of stacks in the AWS CloudFormation console, select the stack that is currently being
updated. Its status must be UPDATE_IN_PROGRESS.
2. Choose Stack actions and then Cancel update stack.
3. To continue canceling the update, click Cancel update. Otherwise, click Cancel to resume the
update.
The stack proceeds to the UPDATE_ROLLBACK_IN_PROGRESS state. After the update cancellation is
complete, the stack is set to UPDATE_ROLLBACK_COMPLETE.
To cancel a stack update by using the command line

• Use the command aws cloudformation cancel-update-stack to cancel an update.

When you create a stack, all update actions are allowed on all resources. By default, anyone with stack
update permissions can update all of the resources in the stack. During an update, some resources might
require an interruption or be completely replaced, resulting in new physical IDs or completely new
storage. You can prevent stack resources (p. 604) from being unintentionally updated or deleted during
a stack update by using a stack policy. A stack policy is a JSON document that defines the update actions
that can be performed on designated resources.
After you set a stack policy, all of the resources in the stack are protected by default. To allow updates
on specific resources, you specify an explicit Allow statement for those resources in your stack policy.
You can define only one stack policy per stack, but, you can protect multiple resources within a single
policy. A stack policy applies to all AWS CloudFormation users who attempt to update the stack. You
can't associate different stack policies with different users.
A stack policy applies only during stack updates. It doesn't provide access controls like an AWS Identity
and Access Management (IAM) policy. Use a stack policy only as a fail-safe mechanism to prevent
accidental updates to specific stack resources. To control access to AWS resources or actions, use IAM.
Topics
• Example Stack Policy (p. 149)
• Defining a Stack Policy (p. 150)
• Setting a Stack Policy (p. 153)
• Updating Protected Resources (p. 153)
• Modifying a Stack Policy (p. 155)
• More Example Stack Policies (p. 156)
Example Stack Policy

The following example stack policy prevents updates to the ProductionDatabase resource:
{
"Statement" : [
{
"Effect" : "Allow",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "*"

149
},
{
"Effect" : "Deny",
"Principal": "*",
"Resource" : "LogicalResourceId/ProductionDatabase"
}
]
}
When you set a stack policy, all resources are protected by default. To allow updates on all resources, we
add an Allow statement that allows all actions on all resources. Although the Allow statement specifies
all resources, the explicit Deny statement overrides it for the resource with the ProductionDatabase
logical ID. This Deny statement prevents all update actions, such as replacement or deletion, on the
ProductionDatabase resource.
The Principal element is required, but supports only the wild card (*), which means that the
statement applies to all principals.
Note
During a stack update, AWS CloudFormation automatically updates resources that depend on
other updated resources. For example, AWS CloudFormation updates a resource that references
an updated resource. AWS CloudFormation makes no physical changes, such as the resource's ID,
to automatically updated resources, but if a stack policy is associated with those resources, you
must have permission to update them.
Defining a Stack Policy

When you create a stack, no stack policy is set, so all update actions are allowed on all resources. To
protect stack resources from update actions, define a stack policy and then set it on your stack. A
stack policy is a JSON document that defines the AWS CloudFormation stack update actions that AWS
CloudFormation users can perform and the resources that the actions apply to. You set the stack policy
when you create a stack, by specifying a text file that contains your stack policy or typing it out. When
you set a stack policy on your stack, any update not explicitly allowed is denied by default.
You define a stack policy with five elements: Effect, Action, Principal, Resource, and Condition.
The following pseudo code shows stack policy syntax.
{
"Statement" : [
{
"Effect" : "Deny_or_Allow",
"Action" : "update_actions",
"Principal" : "*",
"Resource" : "LogicalResourceId/resource_logical_ID",
"Condition" : {
"StringEquals_or_StringLike" : {
"ResourceType" : [resource_type, ...]
}
}
}
]
}
Effect
Determines whether the actions that you specify are denied or allowed on the resource(s) that you
specify. You can specify only Deny or Allow, such as:
"Effect" : "Deny"

150
Important
If a stack policy includes overlapping statements (both allowing and denying updates on
a resource), a Deny statement always overrides an Allow statement. To ensure that a
resource is protected, use a Deny statement for that resource.
Action
Specifies the update actions that are denied or allowed:

Update:Modify
Specifies update actions during which resources might experience no interruptions or some
interruptions while changes are being applied. All resources maintain their physical IDs.
Update:Replace
Specifies update actions during which resources are recreated. AWS CloudFormation creates a
new resource with the specified updates and then deletes the old resource. Because the resource
is recreated, the physical ID of the new resource might be different.
Update:Delete
Specifies update actions during which resources are removed. Updates that completely remove
resources from a stack template require this action.
Update:*
Specifies all update actions. The asterisk is a wild card that represents all update actions.
The following example shows how to specify just the replace and delete actions:
"Action" : ["Update:Replace", "Update:Delete"]
To allow all update actions except for one, use NotAction. For example, to allow all update actions
except for Update:Delete, use NotAction, as shown in this example:
{
"Statement" : [
{
"Effect" : "Allow",
"NotAction" : "Update:Delete",
"Principal": "*",
"Resource" : "*"
}
]
}
For more information about stack updates, see AWS CloudFormation Stack Updates (p. 127).
Principal
The Principal element specifies the entity that the policy applies to. This element is required but
supports only the wild card (*), which means that the policy applies to all principals.
Resource
Specifies the logical IDs of the resources that the policy applies to. To specify types of
resources (p. 604), use the Condition element.
To specify a single resource, use its logical ID. For example:
"Resource" : ["LogicalResourceId/myEC2instance"]
You can use a wild card with logical IDs. For example, if you use a common logical ID prefix for all
related resources, you can specify all of them with a wild card:

151
"Resource" : ["LogicalResourceId/CriticalResource*"]
You can also use a Not element with resources. For example, to allow updates to all resources except
for one, use a NotResource element to protect that resource:
{
"Statement" : [
{
"Effect" : "Allow",
"Principal": "*",
"NotResource" : "LogicalResourceId/ProductionDatabase"
}
]
}
When you set a stack policy, any update not explicitly allowed is denied. By allowing updates
to all resources except for the ProductionDatabase resource, you deny updates to the
ProductionDatabase resource.
Conditions
Specifies the resource type (p. 604) that the policy applies to. To specify the logical IDs of specific
resources, use the Resource element.
You can specify a resource type, such as all EC2 and RDS DB instances, as shown in the following
example:
{
"Statement" : [
{
"Effect" : "Deny",
"Principal" : "*",
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"ResourceType" : ["AWS::EC2::Instance", "AWS::RDS::DBInstance"]
}
}
},
{
"Effect" : "Allow",
"Principal" : "*",
"Resource" : "*"
}
]
}
The Allow statement grants update permissions to all resources and the Deny statement denies
updates to EC2 and RDS DB instances. The Deny statement always overrides allow actions.
You can use a wild card with resource types. For example, you can deny update permissions to all
Amazon EC2 resources—such as instances, security groups, and subnets—by using a wild card, as
shown in the following example:
"Condition" : {
"StringLike" : {
"ResourceType" : ["AWS::EC2::*"]

152
}
}
You must use the StringLike condition when you use wild cards.
Setting a Stack Policy

You can use the console or AWS CLI to apply a stack policy when you create a stack. You can also use the
AWS CLI to apply a stack policy to an existing stack. After you apply a stack policy, you can't remove it
from the stack, but you can use the AWS CLI to modify it.
Stack policies apply to all AWS CloudFormation users who attempt to update the stack. You can't
associate different stack policies with different users.
For information about writing stack policies, see Defining a Stack Policy (p. 150).
To set a stack policy when you create a stack (console)
1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

2. On the CloudFormation Stacks page, choose Create stack.
3. In the Create Stack wizard, on the Configure stack options page, expand the Advanced section and
then choose Stack policy.
4. Specify the stack policy:
• To write a policy directly in the console, choose Enter stack policy and then type the stack policy
directly in the text field.
• To use a policy defined in a separate file, choose Upload a file, then Choose file to select the file
containing the stack policy.
To set a stack policy when you create a stack (CLI)
• Use the aws cloudformation create-stack command with the --stack-policy-body

option to type in a modified policy or the --stack-policy-url option to specify a file containing
the policy.
To set a stack policy on an existing stack (CLI only)
• Use the aws cloudformation set-stack-policy command with the --stack-policy-body

the policy.
Note
To add a policy to an existing stack, you must have permission to the AWS CloudFormation
SetStackPolicy action.
Updating Protected Resources

To update protected resources, create a temporary policy that overrides the stack policy and allows
updates on those resources. Specify the override policy when you update the stack. The override policy
doesn't permanently change the stack policy.
To update protected resources, you must have permission to use the AWS CloudFormation
SetStackPolicy action. For information about setting AWS CloudFormation permissions, see
Controlling Access with AWS Identity and Access Management (p. 9).

153
Note
During a stack update, AWS CloudFormation automatically updates resources that depend on
other updated resources. For example, AWS CloudFormation updates a resource that references
an updated resource. AWS CloudFormation makes no physical changes, such as the resources' ID,
to automatically updated resources, but if a stack policy is associated with those resources, you
must have permission to update them.
To update a protected resource (console)

2. Select the stack that you want to update, choose Stack actions, and then choose Update stack.
3. If you haven't modified the stack template, select Use current template, and then click Next. If
you have modified the template, select Replace current template and specify the location of the
updated template in the Specify template section:
• For a template stored locally on your computer, select Upload a template file. Choose Choose
File to navigate to the file and select it, and then click Next.
• For a template stored in an Amazon S3 bucket, select Amazon S3 URL. Enter or paste the URL for
the template, and then click Next.
Objects in a Versioning-Enabled Bucket in the Amazon Simple Storage Service Console User Guide.
4. If your template contains parameters, on the Specify stack details page, enter or modify the
parameter values, and then choose Next.
AWS CloudFormation populates each parameter with the value that is currently set in the stack
except for parameters declared with the NoEcho attribute. You can use current values for those
parameters by choosing Use existing value.
5. Specify an override stack policy.
a. On the Configure stack options page, in the Advanced options section, select Stack policy.
b. Select Upload a file.
c. Click Choose file and navigate to the file that contains the overriding stack policy or type a
policy.
d. Choose Next.
The override policy must specify an Allow statement for the protected resources that you want to
update. For example, to update all protected resources, specify a temporary override policy that
allows all updates:
{
"Statement" : [
{
"Effect" : "Allow",
"Principal": "*",
"Resource" : "*"
}
]
}

154
Note
AWS CloudFormation applies the override policy only during this update. The override
policy doesn't permanently change the stack policy. To modify a stack policy, see Modifying
a Stack Policy (p. 155).
6. Review the stack information and the changes that you submitted.
Check that you submitted the correct information, such as the correct parameter values or template
URL. If your template contains IAM resources, choose I acknowledge that this template may create
IAM resources to specify that you want to use IAM resources in the template. For more information
about using IAM resources in templates, see Controlling Access with AWS Identity and Access
Management (p. 9).
In the Preview your changes section, check that AWS CloudFormation will make all the changes
that you expect. For example, check that AWS CloudFormation adds, removes, and modifies the
resources that you intended to add, remove, or modify. AWS CloudFormation generates this preview
by creating a change set for the stack. For more information, see Updating Stacks Using Change
Sets (p. 130).
7. When you are satisfied with your changes, click Update.
Note
At this point, you also have the option to view the change set to review your proposed
updates more thoroughly. To do so, click View change set instead of Update.
CloudFormation displays the change set generated based on your updates. When you are
ready to perform the stack update, click Execute.
CloudFormation displays the Stack details page for your stack. Your stack now has a status of
UPDATE_IN_PROGRESS. After CloudFormation has successfully finished updating the stack, it sets
the stack status to UPDATE_COMPLETE.
If the stack update fails, CloudFormation; automatically rolls back changes, and sets the stack status
to UPDATE_ROLLBACK_COMPLETE.
To update a protected resource (CLI)
• Use the aws cloudformation update-stack command with the --stack-policy-during-

update-body option to type in a modified policy or the --stack-policy-during-update-url
option to specify a file containing the policy.
Note
AWS CloudFormation applies the override policy only during this update. The override
policy doesn't permanently change the stack policy. To modify a stack policy, see Modifying
a Stack Policy (p. 155).
Modifying a Stack Policy

To protect additional resources or to remove protection from resources, modify the stack policy. For
example, when you add a database that you want to protect to your stack, add a Deny statement
for that database to the stack policy. To modify the policy, you must have permission to use the
SetStackPolicy action.
Use the AWS CLI to modify stack policies.

155
To modify a stack policy (CLI)
• Use the aws cloudformation set-stack-policy command with the --stack-policy-body

the policy.
You can't delete a stack policy. To remove all protection from all resources, you modify the policy to
explicitly allow all actions on all resources. The following policy allows all updates on all resources:
{
"Statement" : [
{
"Effect" : "Allow",
"Principal": "*",
"Resource" : "*"
}
]
}
More Example Stack Policies

The following example policies show how to prevent updates to all stack resources and to specific
resources, and prevent specific types of updates.
Prevent Updates to All Stack Resources

To prevent updates to all stack resources, the following policy specifies a Deny statement for all update
actions on all resources.
{
"Statement" : [
{
"Effect" : "Deny",
"Principal": "*",
"Resource" : "*"
}
]
}
Prevent Updates to a Single Resource

The following policy denies all update actions on the database with the MyDatabase logical ID. It allows
all update actions on all other stack resources with an Allow statement. The Allow statement doesn't
apply to the MyDatabase resource because the Deny statement always overrides allow actions.
{
"Statement" : [
{
"Effect" : "Deny",
"Principal": "*",
"Resource" : "LogicalResourceId/MyDatabase"
},
{
"Effect" : "Allow",

156
"Principal": "*",
"Resource" : "*"
}
]
}
You can achieve the same result as the previous example by using a default denial. When you set a stack
policy, AWS CloudFormation denies any update that is not explicitly allowed. The following policy allows
updates to all resources except for the ProductionDatabase resource, which is denied by default.
{
"Statement" : [
{
"Effect" : "Allow",
"Principal": "*",
"NotResource" : "LogicalResourceId/ProductionDatabase"
}
]
}
Important
There is risk in using a default denial. If you have an Allow statement elsewhere in the policy
(such as an Allow statement that uses a wildcard), you might unknowingly grant update
permission to resources that you don't intend to. Because an explicit denial overrides any allow
actions, you can ensure that a resource is protected by using a Deny statement.
Prevent Updates to All Instances of a Resource Type

The following policy denies all update actions on the RDS DB instance resource type. It allows all update
actions on all other stack resources with an Allow statement. The Allow statement doesn't apply to the
RDS DB instance resources because a Deny statement always overrides allow actions.
{
"Statement" : [
{
"Effect" : "Deny",
"Principal": "*",
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"ResourceType" : ["AWS::RDS::DBInstance"]
}
}
},
{
"Effect" : "Allow",
"Principal": "*",
"Resource" : "*"
}
]
}
Prevent Replacement Updates for an Instance

The following policy denies updates that would cause a replacement of the instance with the
MyInstance logical ID. It allows all update actions on all other stack resources with an Allow

157
Continue Rolling Back an Update
statement. The Allow statement doesn't apply to the MyInstance resource because the Deny
statement always overrides allow actions.
{
"Statement" : [
{
"Effect" : "Deny",
"Action" : "Update:Replace",
"Principal": "*",
"Resource" : "LogicalResourceId/MyInstance"
},
{
"Effect" : "Allow",
"Principal": "*",
"Resource" : "*"
}
]
}
Prevent Updates to Nested Stacks

The following policy denies all update actions on the AWS CloudFormation stack resource type (nested
stacks). It allows all update actions on all other stack resources with an Allow statement. The Allow
statement doesn't apply to the AWS CloudFormationstack resources because the Deny statement always
overrides allow actions.
{
"Statement" : [
{
"Effect" : "Deny",
"Principal": "*",
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"ResourceType" : ["AWS::CloudFormation::Stack"]
}
}
},
{
"Effect" : "Allow",
"Principal": "*",
"Resource" : "*"
}
]
}

A stack goes into the UPDATE_ROLLBACK_FAILED state when AWS CloudFormation cannot roll back
all changes during an update. For example, you might have a stack that begins to roll back to an old
database instance that was deleted outside of AWS CloudFormation. Because AWS CloudFormation
doesn't know that the database was deleted, it assumes that the database instance still exists and
attempts to roll back to it, causing the update rollback to fail.
When a stack is in the UPDATE_ROLLBACK_FAILED state, you can continue to roll it back
to a working state (UPDATE_ROLLBACK_COMPLETE). You can't update a stack that is in the

158
UPDATE_ROLLBACK_FAILED state. However, if you can continue to roll it back, you can return the stack
to its original settings and then try to update it again.
In most cases, you must fix the error that causes the update rollback to fail before you can continue to
roll back your stack. In other cases, you can continue to roll back the update without any changes, for
example when a stack operation times out.
Note
If you use nested stacks, rolling back the parent stack will attempt to roll back all the child
stacks as well.
To continue rolling back an update (console)

2. Select the stack that you want to update, choose Stack actions, and then choose Continue update
rollback.
If none of the solutions in the troubleshooting guide worked, you can use the advanced option to
skip the resources that AWS CloudFormation can't successfully roll back. You must look up (p. 106)
and type the logical IDs of the resources that you want to skip. Specify only resources that went into
the UPDATE_FAILED state during the UpdateRollback and not during the forward update.
Warning
AWS CloudFormation sets the status of the specified resources to UPDATE_COMPLETE and
continues to roll back the stack. After the rollback is complete, the state of the skipped
resources will be inconsistent with the state of the resources in the stack template. Before
performing another stack update, you must update the stack or resources to be consistent
with each other. If you don't, subsequent stack updates might fail, and the stack will
become unrecoverable.
Specify the minimum number of resources required to successfully roll back your stack. For example,
a failed resource update might cause dependent resources to fail. In this case, it might not be
necessary to skip the dependent resources.
To skip resources that are part of nested stacks, use the following format:
NestedStackName.ResourceLogicalID. If you want to specify the logical ID of a stack
resource (Type: AWS::CloudFormation::Stack) in the ResourcesToSkip list, then its
corresponding embedded stack must be in one of the following states: DELETE_IN_PROGRESS,
DELETE_COMPLETE, or DELETE_FAILED.
To continue rolling back an update (AWS CLI)
• Use the aws cloudformation continue-update-rollback command with the stack-name

option to specify the ID of the stack that you want to continue to roll back.
Using ResourcesToSkip to recover a nested stacks hierarchy

The following diagram shows a nested stacks hierarchy that is in the UPDATE_ROLLBACK_FAILED state.
In this example, the WebInfra root stack has two nested stacks: WebInfra-Compute and WebInfra-
Storage, which in turn have one or more nested stacks.

159
Note
The stack names in this example are truncated for simplicity. Child stack names are typically
generated by AWS CloudFormation and contain unique random strings, so actual names might
not be user-friendly.
To successfully get the root stack into an operable state using continue-update-rollback, you
must use the resources-to-skip parameter to skip resources that failed to rollback. In this example,
resources-to-skip would include the following items:
1. myCustom
2. WebInfra-Compute-Asg.myAsg
3. WebInfra-Compute-LB.myLoadBalancer
4. WebInfra-Storage.DB
The following example is the full CLI command:
PROMPT> aws cloudformation continue-update-rollback --stack-name WebInfra --resources-

to-skip myCustom WebInfra-Compute-Asg.myAsg WebInfra-Compute-LB.myLoadBalancer WebInfra-
Storage.DB
Note that we specified resources from nested stacks by using the

NestedStackName.ResourceLogicalID format, but for the resources of the root stack, such as
myCustom, we specified only the logical ID.
Finding the stack name of a nested stack

160
Detecting Unmanaged Configuration
Changes to Stacks and Resources
You can find a child stack's name in its stack ID or Amazon Resource Name (ARN). In the following
example, the stack name is WebInfra-Storage-Z2VKC706XKXT:
arn:aws:cloudformation:us-east-1:123456789012:stack/WebInfra-Storage-
Z2VKC706XKXT/ea9e7f90-54f7-11e6-a032-028f3d2330bd
Finding the logical ID of a nested stack
You can find a child stack's logical ID in the template definition of its parent. In the diagram, the
LogicalId of the WebInfra-Storage-DB child stack is DB in its parent WebInfra-Storage.
In the AWS CloudFormation console, you can also find the logical ID in the Logical ID column for the
stack resource on the Resources tab or the Events tab.
Detecting Unmanaged Configuration Changes to

Stacks and Resources
Even as you manage your resources through CloudFormation, users can change those resources outside
of CloudFormation. Users can edit resources directly by using the underlying service that created the
resource. For example, you can use the Amazon EC2 console to update a server instance that was
created as part of an CloudFormation stack. Some changes may be accidental, and some may be made
intentionally to respond to time-sensitive operational events. Regardless, changes made outside of
CloudFormation can complicate stack update or deletion operations. You can use drift detection to
identify stack resources to which configuration changes have been made outside of CloudFormation
management. You can then take corrective action so that your stack resources are again in sync with
their definitions in the stack template, such as updating the drifted resources directly so that they agree
with their template definition. Resolving drift helps to ensure configuration consistency and successful
stack operations.
Topics
• What Is Drift? (p. 161)
• Drift Detection Status Codes (p. 162)
• Considerations When Detecting Drift (p. 163)
• Detect Drift on an Entire CloudFormation Stack (p. 165)
• Detect Drift on Individual Stack Resources (p. 169)
• Resources that Support Drift Detection (p. 171)
What Is Drift?
Drift detection enables you to detect whether a stack's actual configuration differs, or has drifted, from
its expected configuration. Use AWS CloudFormation to detect drift on an entire stack, or on individual
resources within the stack. A resource is considered to have drifted if any of its actual property values
differ from the expected property values. This includes if the property or resource has been deleted. A
stack is considered to have drifted if one or more of its resources have drifted.
In order to determine whether a resource has drifted, CloudFormation determines the expected resource
property values, as defined in the stack template and any values specified as template parameters.
CloudFormation then compares those expected values with the actual values of those resource
properties as they currently exist in the stack. A resource is considered to have drifted if one or more of
its properties have been deleted, or had their value changed.

161
Drift Detection Status Codes
AWS CloudFormation generates detailed information on each resource in the stack that has drifted.
CloudFormation detects drift on those resources that support drift detection. Resources that do not
support drift detection are assigned a drift status of NOT_CHECKED. For a list of resources that support
drift detection, see Resources that Support Drift Detection.
You can perform drift detection on stacks with the following statuses: CREATE_COMPLETE,
UPDATE_COMPLETE, UPDATE_ROLLBACK_COMPLETE, and UPDATE_ROLLBACK_FAILED.
When detecting drift on a stack, CloudFormation does not detect drift on any nested stacks that belong
to that stack. Instead, you can initiate a drift detection operation directly on the nested stack.
Note
CloudFormation only determines drift for property values that are explicitly set, either through
the stack template or by specifying template parameters. This does not include default values
for resource properties. To have CloudFormation track a resource property for purposes of
determining drift, explicitly set the property value, even if you are setting it to the default value.
Drift Detection Status Codes

The tables in this section describe the various status types used with drift detection:
• Drift detection operation status describes the current state of the drift operation.
• Drift status
For stack sets, this describes the drift status of the stack set as a whole, based on the drift status of the
stack instances that belong to it.
For stack instances, this describes the drift status of the stack instance, based on the drift status of its
associated stack.
For stacks, this describes the drift status of the stack as a whole, based on the drift status of its
resources.
• Resource drift status describes the drift status of an individual resource.
The following table lists the status codes CloudFormation assigns to stack drift detection operations.
Drift Detection Operation Status Description
DETECTION_COMPLETE The stack drift detection operation has successfully completed for
all resources in the stack that support drift detection.
DETECTION_FAILED The stack drift detection operation has failed for at least one
resource in the stack. Results will be available for resources on
which CloudFormation successfully completed drift detection.
DETECTION_IN_PROGRESS The stack drift detection operation is currently in progress.
The following table lists the drift status codes CloudFormation assigns to stacks.
Drift Status Description
DRIFTED For stacks: The stack differs, or has drifted, from its expected
template configuration. A stack is considered to have drifted if
one or more of its resources have drifted.

162
Considerations When Detecting Drift
Drift Status Description

For stack instances: A stack instance is considered to have drifted
if the stack associated with it has drifted.
For stack sets: A stack set is considered to have drifted if one or

more stack instances has drifted.
NOT_CHECKED AWS CloudFormation has not checked if the stack, stack set, or
stack instance differs from its expected template configuration.
IN_SYNC The current configuration of each supported resource matches

its expected template configuration. A stack, stack set, or stack
instance with no resources that support drift detection will also
have a status of IN_SYNC.
The following table lists the drift status codes CloudFormation assigns to stack resources.
Resource Drift Status Description
DELETED The resource differs from its expected template configuration

because the resource has been deleted.
MODIFIED The resource differs from its expected template configuration.
NOT_CHECKED CloudFormation has not checked if the resource differs from its
expected template configuration.
IN_SYNC The resource’s current configuration matches its expected

template configuration.
The following table lists the difference-type status codes CloudFormation assigns to resource properties
that differ from their expected template configuration.
Property Difference Types Description
ADD A value has been added to a resource property that is an array or

list data type.
REMOVE The property has been removed from the current resource
configuration.
NOT_EQUAL The current property value differs from its expected value as
defined in the stack template.

In order to successfully perform drift detection on a stack, a user must have the following permissions:
• Read permission for each resource that supports drift detection included in the stack. For example,
if the stack includes an AWS::EC2::Instance resource, you must have ec2:DescribeInstances
permission to perform drift detection on the stack.
• cloudformation:DetectStackDrift
• cloudformation:DetectStackResourceDrift

163
For more information on setting permissions in CloudFormation, see Controlling Access with AWS
Identity and Access Management (p. 9).
In certain edge cases, CloudFormation may not be able to always return accurate drift results. You should
be aware of these edge cases in order to properly interpret your drift detection results.
• In certain cases, objects contained in property arrays will be reported as drift, when in actuality they
are default values supplied to the property from the underlying service responsible for the resource.
• Certain resources have attachment relationships with related resources, such that a resource
may actually attach or remove property values for another resource, defined in the same
or another template. For example, the AWS::EC2::SecurityGroupIngress and
AWS::EC2::SecurityGroupEgress resources may be used to attach and remove values from
AWS::EC2::SecurityGroup resources. In these cases, CloudFormation analyses the stack template
for attachments before performing the drift comparison. However, CloudFormation cannot perform
this analysis across stacks, and so may not return accurate drift results where resources that are
attached reside in different stacks.
Resources that support drift detection and allow or require attachments from other resources include:
Resource Type Attachment Resource Type
AWS::SNS::Topic AWS::SNS::Subscription
AWS::IAM::User AWS::IAM::UserToGroupAddition
AWS::IAM::Group AWS::IAM::Policy
AWS::IAM::Role AWS::IAM::ManagedPolicy
AWS::IAM::User
AWS::ElasticLoadBalancingV2::Listener AWS::ElasticLoadBalancingV2::ListenerCertificate
AWS::EC2::SecurityGroup AWS::EC2::SecurityGroupEgress
AWS::EC2::SecurityGroupIngress
• CloudFormation does not perform drift detection on the KMSKeyId property of any resources. Because
AWS KMS keys can be referenced by multiple aliases, CloudFormation cannot guarantee consistently
accurate drift results for this property.
• There are certain resource properties that you can specify in your stack template that, by their very
nature, CloudFormation will not be able to compare to the properties in the resulting stack resources.
These properties therefore cannot be included in drift detection results. Such properties fall into two
broad categories:
• Property values that CloudFormation cannot map back to their initial resource property value in the
stack template.
For example, CloudFormation cannot map the source code of a Lambda function back to the Code
property type of the Function resource, and therefore CloudFormation cannot include it in drift
detection results.
• Property values that the service that is responsible for the resource does not return.
There are certain property values that, by design, are never returned by the service to which
the resource belongs. These tend to contain confidential information, such as passwords or
other sensitive data that should not be exposed. For example, the IAM service will never return
the value of the Password property of the IAM User LoginProfile property type, and therefore
CloudFormation cannot include it in drift detection results.
• Objects in an array: they may be actually service defaults, not drift added manually out-of-band.

164
Detect Drift on an Entire CloudFormation Stack
• Drift detection is available in the US East (N. Virginia), US East (Ohio), US West (N. California), US West
(Oregon), Canada (Central), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia
Pacific (Sydney), Asia Pacific (Tokyo), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe
(Paris), and South America (São Paulo) regions.
• If you encounter any false positive, send us your comments using the feedback link in the
CloudFormation console, or reach out to us via the AWS forums at https://forums.aws.amazon.com.

Performing a drift detection operation on a stack determines whether the stack has drifted from its
expected template configuration, and returns detailed information about the drift status of each
resource in the stack that supports drift detection.
To detect drift on an entire stack using the AWS Management Console

2. From the list of stacks, select the stack on which you want to perform drift detection. In the stack
details pane, choose Stack actions, and then choose Detect drift.
CloudFormation displays an information bar stating that drift detection has been initiated for the
selected stack.
3. Wait until CloudFormation completes the drift detection operation. When the drift detection
operation completes, CloudFormation updates Drift status and Last drift check time for your stack.
These fields are listed in the Overview section of the Stack info pane of the stack details page.
The drift detection operation may take several minutes, depending on the number of resources
included in the stack. You can only run a single drift detection operation on a given stack at the
same time. CloudFormation continues the drift detection operation even after you dismiss the
information bar.
4. Review the drift detection results for the stack and its resources. With your stack selected, from the
Stack actions menu select View drift results.
CloudFormation lists the overall drift status of the stack, as well as the last time drift detection was
initiated on the stack or any of its individual resources. A stack is considered to have drifted if one or
more of its resources have drifted.

165
In the Resource drift status section, CloudFormation lists each stack resource, its drift status, and
the last time drift detection was initiated on the resource. The logical ID and physical ID of each
resource is displayed to help you identify them. In addition, for resources with a status of MODIFIED,
CloudFormation displays resource drift details.
You can sort the resources based on their drift status using the Drift status column.
• To view the details on a modified resource.
• With the modified resource selected, select View drift details.
CloudFormation displays the drift detail page for that resource. This page lists the
resource's expected and current property values, and any differences between the two.
To highlight a difference, in the Differences section select the property name.
• Added properties are highlighted in green in the Current column of the Details section.
• Deleted properties are highlighted in red in the Expected column of the Details section.
• Properties whose value have been changed are highlighted in yellow in the both
Expected and Current columns.

166
To detect drift on an entire stack using the AWS CLI
To detect drift on an entire stack using the AWS CLI, use the following aws cloudformation
commands:
• detect-stack-drift to initiate a drift detection operation on a stack.

• describe-stack-drift-detection-status to monitor the status of the stack drift detection
operation.
• describe-stack-resource-drifts to review the details of the stack drift detection operation.
1. Use the detect-stack-drift to detect drift on an entire stack. Specify the stack name or ARN.
You can also specify the logical IDs of any specific resources that you want to use as filters for this
drift detection operation.
PROMPT> aws cloudformation detect-stack-drift --stack-name my-stack-with-resource-drift

{
"StackDriftDetectionId": "624af370-311a-11e8-b6b7-500cexample"
}

167
2. Because stack drift detection operations can be long-running, use describe-stack-drift-

detection-status to monitor the status of drift operation. This command takes the stack drift
detection ID returned by the detect-stack-drift command.
In the example below, we've taken the stack drift detection ID returned by the detect-stack-
drift example above and passed it as a parameter to describe-stack-drift-detection-
status. The parameter returns operation details that show that the drift detection operation has
completed, a single stack resource has drifted, and that the entire stack is considered to have drifted
as a result.
PROMPT> aws cloudformation describe-stack-drift-detection-status --stack-drift-

detection-id 624af370-311a-11e8-b6b7-500cexample
{
"StackId": "arn:aws:cloudformation:us-east-1:099908667365:stack/my-stack-with-
resource-drift/489e5570-df85-11e7-a7d9-50example",
"StackDriftDetectionId": "624af370-311a-11e8-b6b7-500cexample",
"StackDriftStatus": "DRIFTED",
"Timestamp": "2018-03-26T17:23:22.279Z",
"DetectionStatus": "DETECTION_COMPLETE",
"DriftedStackResourceCount": 1
}
3. When the stack drift detection operation is complete, use the describe-stack-resource-
drifts command to review the results, including actual and expected property values for resources
that have drifted.
The example below uses the stack-resource-drift-status-filters parameter to request

stack drift information for those resources that have been modified or deleted. The request
returns information on the one resource that has been modified, including details about two of its
properties whose values have been changed. No resources have been deleted.
PROMPT> aws cloudformation describe-stack-resource-drifts --stack-name my-stack-with-

resource-drift --stack-resource-drift-status-filters MODIFIED DELETED
{
"StackResourceDrifts": [
{
"StackId": "arn:aws:cloudformation:us-east-1:099908667365:stack/my-stack-
with-resource-drift/489e5570-df85-11e7-a7d9-50example",
"ActualProperties": "{\"ReceiveMessageWaitTimeSeconds\":0,
\"DelaySeconds\":120,\"RedrivePolicy\":{\"deadLetterTargetArn\":\"arn:aws:sqs:us-
east-1:099908667365:my-stack-with-resource-drift-DLQ-1BCY7HHD5QIM3\",
\"maxReceiveCount\":12},\"MessageRetentionPeriod\":345600,\"MaximumMessageSize
\":262144,\"VisibilityTimeout\":60,\"QueueName\":\"my-stack-with-resource-drift-
Queue-494PBHCO76H4\"}",
"ResourceType": "AWS::SQS::Queue",
"Timestamp": "2018-03-26T17:23:34.489Z",
"PhysicalResourceId": "https://sqs.us-east-1.amazonaws.com/099908667365/my-
stack-with-resource-drift-Queue-494PBHCO76H4",
"StackResourceDriftStatus": "MODIFIED",
"ExpectedProperties": "{\"ReceiveMessageWaitTimeSeconds\":0,
"PropertyDifferences": [
{
"PropertyPath": "/DelaySeconds",
"ActualValue": "120",
"ExpectedValue": "20",
"DifferenceType": "NOT_EQUAL"
},

168
Detect Drift on Individual Stack Resources
{
"PropertyPath": "/RedrivePolicy/maxReceiveCount",
}
],
"LogicalResourceId": "Queue"
}
]
}

You can detect drift on specific resources within a stack, rather than the entire stack. This is especially
useful when you only need to determine if specific resources now match their expected template
configurations again.
When performing drift detection on a resource, CloudFormation also updates the overall stack drift
status and the Last drift check time, if applicable. For example, suppose a stack has a drift status of
IN_SYNC. You have CloudFormation perform drift detection on one or more resources contained in that
stack, and CloudFormation detects that one or more of those resources has drifted. CloudFormation
updates the stack drift status to DRIFTED. Conversely, suppose you have a stack with a drift status of
DRIFTED because of a single drifted resource. If you set that resource back to its expected property
values, and then detect drift on the resource again, CloudFormation will update both resource drift
status and stack drift status to IN_SYNC without requiring you to detect drift on the entire stack again.
To detect drift on an individual resource using the AWS Management Console

2. From the list of stacks, select the stack that contains the resource. CloudFormation displays the stack
details for that stack.
3. In the left navigation pane, under Stacks, choose Drifts.
4. Under Resource drift status, choose the resource and then select Detect drift for resource.
CloudFormation performs drift detection on the selected resource. If successful, CloudFormation

updates the resource's drift status, and the overall stack drift status, if necessary. CloudFormation
also updates time stamp for when drift detection was last performed on the resource, and the stack
as a whole. If the resource has been modified, CloudFormation displays detailed drift information
about the expected and current property values of the resource.
5. Review the drift detection results for the resource.

169
CloudFormation displays the drift details for that resource, including the resource's
expected and current property values, and any differences between the two.
To detect drift on an individual resource using the AWS CLI
• To detect drift on an individual resource using the AWS CLI, use the aws cloudformation
detect-stack-resource-drift command. Specify the logical ID of the resource, as well as the
stack in which it is contained.
The following example runs a drift detection operation on a specific stack resources, my-drifted-
resource. The response returns information that confirms the resource has been modified, including
details about two of its properties whose values have been changed.

170
Resources that Support Drift Detection
PROMPT> aws cloudformation detect-stack-resource-drift --stack-name my-stack-with-

resource-drift --logical-resource-id my-drifted-resource
{
"StackResourceDrift": {
"StackId": "arn:aws:cloudformation:us-east-1:099908667365:stack/my-stack-with-
resource-drift/489e5570-df85-11e7-a7d9-50example",
"ActualProperties": "{\"ReceiveMessageWaitTimeSeconds\":0,\"DelaySeconds\":120,
\"RedrivePolicy\":{\"deadLetterTargetArn\":\"arn:aws:sqs:us-east-1:099908667365:my-
stack-with-resource-drift-DLQ-1BCY7HHD5QIM3\",\"maxReceiveCount\":12},
\"MessageRetentionPeriod\":345600,\"MaximumMessageSize\":262144,\"VisibilityTimeout
\":60,\"QueueName\":\"my-stack-with-resource-drift-Queue-494PBHCO76H4\"}",
"Timestamp": "2018-03-26T18:54:28.462Z",
"PhysicalResourceId": "https://sqs.us-east-1.amazonaws.com/099908667365/my-
stack-with-resource-drift-Queue-494PBHCO76H4",
"ExpectedProperties": "{\"ReceiveMessageWaitTimeSeconds\":0,
{
},
{
}
],
"LogicalResourceId": "my-drifted-resource"
}
}

The following resource types support drift detection.
Service Resource
API Gateway AWS::ApiGateway::Authorizer
AWS::ApiGateway::Deployment
AWS::ApiGateway::Method
AWS::ApiGateway::Model
AWS::ApiGateway::Resource
AWS::ApiGateway::RestApi
AWS::ApiGateway::RequestValidator

171
Service Resource
AWS::ApiGateway::Stage
Auto Scaling AWS::AutoScaling::AutoScalingGroup
AWS::AutoScaling::LaunchConfiguration
AWS::AutoScaling::LifecycleHook
AWS::AutoScaling::ScalingPolicy
AWS::AutoScaling::ScheduledAction
CloudTrail AWS::CloudTrail::Trail
CloudWatch AWS::CloudWatch::Alarm
AWS::Events::Rule
AWS::Logs::LogGroup
AWS::Logs::MetricFilter
AWS::Logs::SubscriptionFilter
DynamoDB AWS::DynamoDB::Table
Amazon EC2 AWS::EC2::EIP
AWS::EC2::Instance
AWS::EC2::InternetGateway
AWS::EC2::NatGateway
AWS::EC2::NetworkAcl
AWS::EC2::NetworkInterface
AWS::EC2::RouteTable
AWS::EC2::SecurityGroup
AWS::EC2::Subnet
AWS::EC2::Volume
AWS::EC2::VPC
Amazon ECS AWS::ECS::Cluster
AWS::ECS::Service
AWS::ECS::TaskDefinition

172
Moving Resources Between Stacks
Service Resource
Elastic Load Balancing AWS::ElasticLoadBalancing::LoadBalancer
AWS::ElasticLoadBalancingV2::Listener
AWS::ElasticLoadBalancingV2::ListenerRule
AWS::ElasticLoadBalancingV2::LoadBalancer
IAM AWS::IAM::Group
AWS::IAM::InstanceProfile
AWS::IAM::ManagedPolicy
AWS::IAM::Role
AWS::IAM::User
AWS IoT AWS::IoT::Thing
Lambda AWS::Lambda::Alias
AWS::Lambda::Function
AWS::Lambda::Version
Amazon RDS AWS::RDS::DBCluster
AWS::RDS::DBInstance
Route 53 AWS::Route53::HostedZone
Amazon S3 AWS::S3::Bucket
Amazon SNS AWS::SNS::Topic
Amazon SQS AWS::SQS::Queue
Moving Resources Between Stacks

Using the resource import feature, you can move resources between, or refactor, stacks. You need
to first add a Retain deletion policy to the resource you want to move to ensure that the resource is
preserved when you delete it from the source stack and import it to the target stack.
Refactor a Stack Using the AWS Management

Console
1. In the source template, specify a Retain DeletionPolicy for the resource you want to move.
In the following example source template, GamesTable is the target of this refactor.
Example JSON
{

173
Refactor a Stack Using the AWS Management Console
"Description": "Import test",

"Resources": {
"ServiceTable":{
"Type":"AWS::DynamoDB::Table",
"Properties":{
"TableName":"Service",
"AttributeDefinitions":[
{
"AttributeName":"key",
"AttributeType":"S"
}
],
"KeySchema":[
{
"KeyType":"HASH"
}
],
"ProvisionedThroughput":{
"ReadCapacityUnits":5,
"WriteCapacityUnits":1
}
}
},
"GamesTable": {
"Type": "AWS::DynamoDB::Table",
"DeletionPolicy": "Retain",
"Properties": {
"TableName": "Games",
"AttributeDefinitions": [
{
"AttributeName": "key",
"AttributeType": "S"
}
],
"KeySchema": [
{
"KeyType": "HASH"
}
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 1
}
}
}
}
}
2. Open the AWS CloudFormation console to perform a stack update to apply the deletion policy.
a. On the Stacks page, with the stack selected, choose Update, and then choose Update stack
(standard).
b. Under Prepare template, choose Replace current template.
c. Under Specify template, provide the updated source template with the DeletionPolicy
attribute on GamesTable, and then choose Next.
• Choose Amazon S3 URL, and then specify the URL to the updated source template in the text
box.
• Choose Upload a template file, and then browse for the updated source template file.
d. On the Specify stack details page, no changes are required. Choose Next.
e. On the Configure stack options page, no changes are required. Choose Next.

174
f. On the Review stack_name page, review your changes. If your template contains IAM
resources, select I acknowledge that this template may create IAM resources to specify that
you want to use IAM resources in the template. For more information about using IAM resources
in templates, see Controlling Access with AWS Identity and Access Management (p. 9). Then,
either update your source stack by creating a change set or update your source stack directly.
3. Remove the resource, related parameters, and outputs from the source template, and then add them
to the target template.
The source template now looks like the following.
Example JSON
{
"Resources": {
"ServiceTable":{
"Properties":{
{
"AttributeType":"S"
}
],
"KeySchema":[
{
"KeyType":"HASH"
}
],
}
}
}
}
}
The following example target template currently has the PlayersTable resource, and now also
contains GamesTable.
Example JSON
{
"Resources": {
"PlayersTable": {
"Properties": {
"TableName": "Players",
{
}
],
"KeySchema": [

175
{
"KeyType": "HASH"
}
],
}
}
},
"GamesTable": {
"Properties": {
{
}
],
"KeySchema": [
{
"KeyType": "HASH"
}
],
}
}
}
}
}
4. Repeat steps 2-3 to update the source stack again, this time to delete the target resource from the
stack.
5. Perform an import operation to add GamesTable to the target stack.
a. On the Stacks page, with the parent stack selected, choose Update, and then choose Import
resources into stack.
b. Read the Import overview page for a list of things you're required to provide during this
operation. Then, choose Next.
c. On the Specify template page, do one of the following, and then choose Next.
• Choose Amazon S3 URL, and then specify a URL in the text box.
• Choose Upload a template file, and then browse for a file to upload.
d. On the Identify resources page, identify the resource you're moving (in this example,
GamesTable).
1. Under Identifier property, choose the type of resource identifier. For example, an
AWS::DynamoDB::Table resource can be identified using the TableName property.

176
Refactor a Stack Using the AWS CLI
2. Under Identifier value, type the actual property value. For example, GamesTables.
3. Choose Next.
e. On the Specify stack details page, modify any parameters, and then choose Next. This
automatically creates a change set.
Important
The import operation fails if you modify existing parameters that trigger a create,
update, or delete operation.
f. On the Review stack-name page, confirm that the correct resource is being imported, and
then choose Import resources. This automatically runs the change set created in the last step.
Any stack-level tags are applied to imported resources at this time.
g. The Events pane of the Stack details page for your parent stack displays.
Note
It's not necessary to run drift detection on the parent stack after this import operation
because the AWS::CloudFormation::Stackresource is already managed by AWS
CloudFormation.

1. In the source template, specify a Retain DeletionPolicy for the resource you want to move.
In the following example source template, GamesTable is the target of this refactor.
Example JSON
{
"Resources": {
"ServiceTable":{
"Properties":{
{
"AttributeType":"S"
}

177
],
"KeySchema":[
{
"KeyType":"HASH"
}
],
}
}
},
"GamesTable": {
"Properties": {
{
}
],
"KeySchema": [
{
"KeyType": "HASH"
}
],
}
}
}
}
}
2. Update the source stack to apply the deletion policy to the resource.
update-stack --stack-name "source-stack-name"
3. Remove the resource, related parameters, and outputs from the source template, and then add them
to the target template.
The source template now looks like the following.
Example JSON
{
"Resources": {
"ServiceTable":{
"Properties":{
{
"AttributeType":"S"
}
],

178
"KeySchema":[
{
"KeyType":"HASH"
}
],
}
}
}
}
}
The following example target template currently has the PlayersTable resource, and now also
contains GamesTable.
Example JSON
{
"Resources": {
"PlayersTable": {
"Properties": {
"TableName": "Players",
{
}
],
"KeySchema": [
{
"KeyType": "HASH"
}
],
}
}
},
"GamesTable": {
"Properties": {
{
}
],
"KeySchema": [
{
"KeyType": "HASH"
}
],

179
}
}
}
}
}
4. Update the source stack to delete the GamesTable resource and its related parameters and outputs
from the stack.
aws cloudformation update-stack --stack-name "source-stack-name"
5. Create a change set of type IMPORT with the following parameters. --resources-to-import
does not support inline YAML.
> aws cloudformation create-change-set

--stack-name TargetStack --change-set-name ImportChangeSet
--change-set-type IMPORT
--resources-to-import "[{\"ResourceType\":\"AWS::DynamoDB::Table\",
\"LogicalResourceId\":\"GamesTable\",\"ResourceIdentifier\":{\"TableName\":
\"Games\"}}]"
--template-body file://templateToImport.json
The AWS CLI also supports text files as input for the resources-to-import parameter, as shown
in the following example.
--resources-to-import: file://resourcesToImport.txt
In this walkthrough, file://resourcesToImport.txt contains the following.
[
{
"ResourceType":"AWS::DynamoDB::Table",
"LogicalResourceId":"GamesTable",
"ResourceIdentifier": {
"TableName":"Games"
}
}
]
6. Review the change set to make sure the correct resource is being imported into the target stack.
> aws cloudformation describe-change-set --change-set-name ImportChangeSet
7. Execute the change set to import the resource into the target stack. Any stack-level tags
are applied to imported resources at this time. On successful completion of the operation
(IMPORT_COMPLETE), the resource is successfully imported.
> aws cloudformation execute-change-set --change-set-name ImportChangeSet
Note
It's not necessary to run drift detection on the target stack after this import operation
because the resource is already managed by AWS CloudFormation.

180
Exporting Stack Output Values
Exporting Stack Output Values

To share information between stacks, export a stack's output values. Other stacks that are in the
same AWS account and region can import the exported values. For example, you might have a single
networking stack that exports the IDs of a subnet and security group for public web servers. Stacks with
a public web server can easily import those networking resources. You don't need to hard code resource
IDs in the stack's template or pass IDs as input parameters.
To export a stack's output value, use the Export field in the Output (p. 271) section of the stack's
template. To import those values, use the Fn::ImportValue (p. 3811) function in the template for the
other stacks. For a walkthrough and sample templates, see Walkthrough: Refer to Resource Outputs in
Another AWS CloudFormation Stack (p. 321).
Note
After another stack imports an output value, you can't delete the stack that is exporting the
output value or modify the exported output value. All of the imports must be removed before
you can delete the exporting stack or modify the output value.
Exporting Stack Output Values vs. Using Nested

Stacks
A nested stack is a stack that you create within another stack by using the AWS::CloudFormation::Stack
resource. With nested stacks, you deploy and manage all resources from a single stack. You can use
outputs from one stack in the nested stack group as inputs to another stack in the group. This differs
from exporting values.
If you want to isolate information sharing to within a nested stack group, we suggest that you use nested
stacks. To share information with other stacks (not just within the group of nested stacks), export values.
For example, you can create a single stack with a subnet and then export its ID. Other stacks can use that
subnet by importing its ID; each stack doesn't need to create its own subnet. Note that as long as stacks
are importing the subnet ID, you can't change or delete it.
Listing Exported Output Values

To see the values that you can import, list all of the exported output values by using the AWS
CloudFormation console, AWS CLI, or AWS CloudFormation API. AWS CloudFormation shows the names
and values of the exported outputs for the current region and the stack from which the outputs are
exported. To reference an exported output value in a stack's template, use the export name and the
Fn::ImportValue (p. 3811) function.
To list exported output values (console)
• In the AWS CloudFormation console, from the CloudFormation navigation pane, choose Exports.

181
Listing Stacks That Import an Exported Output Value
To list exported output values (AWS CLI)
• Run the aws cloudformation list-exports command.
To list exported output values (API)
• Run the ListExports API.
Listing Stacks That Import an Exported Output

Value
When you export an output value, stacks that are in the same AWS account and region can import that
value. To see which stacks are importing a particular output value, use the list import action.
To delete or modify exported output values, use the ListImports action to track which stacks are
importing them, and then modify those stacks to remove the Fn::ImportValue (p. 3811) functions
that reference the output values. You must remove all of the imports that reference exported output
values before you can delete or modify the exported output values.
For more information about exporting and importing output values, see Exporting Stack Output
Values (p. 181).
To list stacks that import an exported output value (console)
1. In the AWS CloudFormation console, from the CloudFormation navigation pane, choose Exports.

182
Working with Nested Stacks
2. To see which stacks import a given export value, choose the Export Name for that export value.
CloudFormation displays the export details page, which lists all of the stacks that are importing the
value.
To list stacks that import an exported output value (CLI)
• Run the aws cloudformation list-imports command, providing the name of the exported output
value.
AWS CloudFormation returns a list of stacks that are importing the value.
To list stacks that import an exported output value (API)
• Run the ListImports API, providing the name of the exported output value.
AWS CloudFormation returns a list of stacks that are importing the value.

Nested stacks are stacks created as part of other stacks. You create a nested stack within another stack by
using the AWS::CloudFormation::Stack resource.
As your infrastructure grows, common patterns can emerge in which you declare the same components
in multiple templates. You can separate out these common components and create dedicated templates
for them. Then use the resource in your template to reference other templates, creating nested stacks.
For example, assume that you have a load balancer configuration that you use for most of your stacks.
Instead of copying and pasting the same configurations into your templates, you can create a dedicated
template for the load balancer. Then, you just use the resource to reference that template from within
other templates.
Nested stacks can themselves contain other nested stacks, resulting in a hierarchy of stacks, as in the
diagram below. The root stack is the top-level stack to which all the nested stacks ultimately belong. In

183
addition, each nested stack has an immediate parent stack. For the first level of nested stacks, the root
stack is also the parent stack. in the diagram below, for example:
• Stack A is the root stack for all the other, nested, stacks in the hierarchy.
• For stack B, stack A is both the parent stack, as well as the root stack.
• For stack D, stack C is the parent stack; while for stack C, stack B is the parent stack.
Using nested stacks to declare common components is considered a best practice (p. 76).
Certain stack operations, such as stack updates, should be initiated from the root stack rather than
performed directly on nested stacks themselves. Also, in some cases, nested stacks affect how stack
operations are performed. For more information, refer to the following topics:
• Use Nested Stacks to Reuse Common Template Patterns (p. 76)

• Protecting a Stack From Being Deleted (p. 114)
• Update Behaviors of Stack Resources (p. 127)
• Exporting Stack Output Values vs. Using Nested Stacks (p. 181)
• Using ResourcesToSkip to recover a nested stacks hierarchy (p. 159)
• Nested Stacks are Stuck in UPDATE_COMPLETE_CLEANUP_IN_PROGRESS,
UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS, or
UPDATE_ROLLBACK_IN_PROGRESS (p. 3849)
To view the root stack of a nested stack
console.aws.amazon.com/cloudformation/. Select the stack that you want.
Nested stacks display NESTED next to their stack name.

2. On the Overview tab, click the stack name listed as Root stack.

184
Nesting an Existing Stack
To view the nested stacks that belong to a root stack
console.aws.amazon.com/cloudformation/. Click the name of the root stack whose nested stacks
you want to view.
2. Expand the Resources section.
Look for resources of type AWS::CloudFormation::Stack.
Topics
• Nesting an Existing Stack (p. 185)

Use the resource import feature to nest an existing stack within another existing stack. Nested stacks
are common components that you declare and reference from within other templates. That way, you can
avoid copying and pasting the same configurations into your templates and simplify stack updates. If you
have a template for a common component, you can use the AWS::CloudFormation::Stack resource
to reference this template from within another template. For more information on nested stacks, see
Working with Nested Stacks (p. 183).
AWS CloudFormation only supports one level of nesting using resource import. This means that you
cannot import a stack into a child stack or import a stack that has children.
Nested Stack Import Validation

During a nested stack import operation, AWS CloudFormation performs the following validations.
• The nested AWS::CloudFormation::Stack definition in the parent stack template matches the
actual nested stack's template.
• The tags for the nested AWS::CloudFormation::Stack definition in the parent stack template
match the tags for the actual nested stack resource.
Nest an Existing Stack Using the AWS Management Console

1. Add the AWS::CloudFormation::Stack resource to the parent stack template with a Retain
DeletionPolicy. In the following example parent template, NestedStack is the target of the import.
{
"Resources" : {
"ServiceTable":{
"Properties":{
{
"AttributeType":"S"
}
],
"KeySchema":[
{
"KeyType":"HASH"
}

185
],
}
}
},
"NestedStack" : {
"Type" : "AWS::CloudFormation::Stack",
"Properties" : {
"TemplateURL" : "https://s3.amazonaws.com/cloudformation-templates-us-east-2/
EC2ChooseAMI.template",
"Parameters" : {
"KeyName" : "mykey"
}
}
}
}
}
2. Open the AWS CloudFormation console.

3. On the Stacks page, with the parent stack selected, choose Stack actions, and then choose Import
resources into stack.
4. Read the Import overview page for a list of things you're required to provide during this operation.
Then, choose Next.
5. On the Specify template page, provide the updated parent template using one of the following
methods, and then choose Next.
• Choose Amazon S3 URL, and then specify the URL for your template in the text box.
• Choose Upload a template file, and then browse for your template.
6. On the Identify resources page, identify the AWS::CloudFormation::Stack resource.
a. Under Identifier property, choose the type of resource identifier. For example, an
AWS::CloudFormation::Stack resource can be identified using the StackName property.
b. Under Identifier value, type the actual property value. For example, my_stack.
c. Choose Next.
7. On the Specify stack details page, modify any parameters, and then choose Next. This
Important
The import operation fails if you modify existing parameters that trigger a create, update,
or delete operation.
8. On the Review stack-name page, confirm that the correct resource is being imported, and then
choose Import resources. This automatically executes the change set created in the last step. Any
stack-level tags are applied to imported resources at this time.

186
9. The Events pane of the Stack details page for your parent stack displays.
Note
because the AWS::CloudFormation::Stackresource was already managed by AWS
CloudFormation.
Nest an Existing Stack Using the AWS CLI

1. Add the AWS::CloudFormation::Stack resource to the parent stack template with a Retain
DeletionPolicy. In the following example parent template, NestedStack is the target of the import.
{
"Resources" : {
"ServiceTable":{
"Properties":{
{
"AttributeType":"S"
}
],
"KeySchema":[
{
"KeyType":"HASH"
}
],
}
}
},
"NestedStack" : {
"Properties" : {
"Parameters" : {
"KeyName" : "mykey"
}

187
}
}
}
}

--stack-name TargetParentStack --change-set-name ImportChangeSet
--resources-to-import "[{\"ResourceType\":\AWS::CloudFormation::Stack\",
\"LogicalResourceId\":\"MyStack\",\"ResourceIdentifier\":{\"StackId\":
\"arn:aws:cloudformation:us-east-2:123456789012:stack/mystack-mynestedstack-
sggfrhxhum7w/f449b250-b969-11e0-a185-5081d0136786\"}}]
[
{
"ResourceType":"AWS::CloudFormation::Stack",
"LogicalResourceId":"MyStack",
"StackId":"arn:aws:cloudformation:us-east-2:123456789012:stack/mystack-
mynestedstack-sggfrhxhum7w/f449b250-b969-11e0-a185-5081d0136786"
}
}
]
3. Review the change set to make sure the correct stack is being imported.
4. Execute the change set to import the stack into the source parent stack. Any stack-level tags are
applied to imported resources at this time. On successful completion of the import operation
(IMPORT_COMPLETE), the stack is successfully nested.
Note
because the AWS::CloudFormation::Stackresource was already managed by AWS
CloudFormation.

188
Working with Windows Stacks
Working with Microsoft Windows Stacks on AWS

CloudFormation
AWS CloudFormation allows you to create Microsoft Windows stacks based on Amazon EC2 Windows
Amazon Machine Images (AMIs) and provides you with the ability to install software, to use remote
desktop to access your stack, and to update and configure your stack.
The topics in this section are designed to demonstrate how common tasks related to creation and
management of Windows instances are accomplished with AWS CloudFormation.
In This Section
• Microsoft Windows Amazon Machine Images (AMIs) and AWS CloudFormation Templates (p. 189)
• Bootstrapping AWS CloudFormation Windows Stacks (p. 189)
Microsoft Windows Amazon Machine Images (AMIs)

and AWS CloudFormation Templates
With AWS CloudFormation, you can create Microsoft Windows stacks for running Windows server
instances. A number of pre-configured templates are available to launch directly from the AWS
CloudFormation Sample Templates page, such as the following templates:
• Windows_Single_Server_SharePoint_Foundation.template - SharePoint® Foundation 2010 running on

Microsoft Windows Server® 2008 R2
• Windows_Single_Server_Active_Directory.template - Create a single server installation of Active
Directory running on Microsoft Windows Server® 2008 R2.
• Windows_Roles_And_Features.template - Create a single server specifying server roles running on
Microsoft Windows Server® 2008 R2.
• ElasticBeanstalk_Windows_Sample.template - Launch an AWS Elastic Beanstalk sample application on
Windows Server 2008 R2 running IIS 7.5.
Note
Microsoft, Windows Server, and SharePoint are trademarks of the Microsoft group of companies.
Although these stacks are already configured, you can use any EC2 Windows AMI as the basis of an AWS
CloudFormation Windows stack.
Bootstrapping AWS CloudFormation Windows Stacks

This topic describes how to bootstrap a Windows stack and troubleshoot stack creation issues. If you will
be creating your own Windows image for use with CloudFormation, see the information at Configuring a
Windows Instance Using EC2ConfigService in the Amazon EC2 Microsoft Windows Guide for instructions.
You must set up a Windows instance with EC2ConfigService for it to work with the AWS CloudFormation
bootstrapping tools.
Example of Bootstrapping a Windows Stack

For the purposes of illustration, we'll examine a AWS CloudFormation single-instance Sharepoint server
template.

189
Bootstrapping Windows Stacks
The template can be viewed in its entirety at the following URL:
• https://s3.amazonaws.com/cloudformation-templates-us-east-1/
Windows_Single_Server_SharePoint_Foundation.template
This example demonstrates how to:
• Create an IAM User and Security Group for access to the instance
• Configure initialization files: cfn-credentials, cfn-hup.conf, and cfn-auto-reloader.conf
• Download and install a package such as Sharepoint Foundation 2010 on the server instance.
• Use a WaitCondition to ensure resources are ready
• Retrieve an IP for the instance with Amazon Elastic IP (EIP).
The AWS CloudFormation helper script cfn-init is used to perform each of these actions, based on
information in the AWS::CloudFormation::Init resource in the Windows Single Server Sharepoint
Foundation template.
The AWS::CloudFormation::Init section is named "SharePointFoundation", and begins with a standard

declaration:
"SharePointFoundation": {
"Metadata" : {
"config" : {
After this, the files section of AWS::CloudFormation::Init is declared:
"files" : {
"c:\\cfn\\cfn-hup.conf" : {
"content" : { "Fn::Join" : ["", [
"[main]\n",
"stack=", { "Ref" : "AWS::StackName" }, "\n",
]]}
},
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf" : {
"path=Resources.SharePointFoundation.Metadata.AWS::CloudFormation::Init\n",
"action=cfn-init.exe -v -s ", { "Ref" : "AWS::StackName" },
" -r SharePointFoundation",
]]}
},
"C:\\SharePoint\\SharePointFoundation2010.exe" : {
"source" : "http://d3adzpja92utk0.cloudfront.net/SharePointFoundation.exe"
}
},
Three files are created here and placed in the C:\cfn directory on the server instance. They are:
• cfn-hup.conf, the configuration file for cfn-hup.

• cfn-auto-reloader.conf, the configuration file for the hook used by cfn-hup to initiate an update
(calling cfn-init) when the metadata in AWS::CloudFormation::Init changes.

190
There is also a file that is downloaded to the server: SharePointFoundation.exe. This file is used to
install SharePoint on the server instance.
Important
Since paths on Windows use a backslash ('\') character, you must always remember to properly
escape all backslashes by prepending another backslash whenever you refer to a Windows path
in the AWS CloudFormation template.
Next is the commands section, which are cmd.exe commands.
"commands" : {
"1-extract" : {
"command" : "C:\\SharePoint\\SharePointFoundation2010.exe /extract:C:\\SharePoint\
\SPF2010 /quiet /log:C:\\SharePoint\\SharePointFoundation2010-extract.log"
},
"2-prereq" : {
"command" : "C:\\SharePoint\\SPF2010\\PrerequisiteInstaller.exe /unattended"
},
"3-install" : {
"command" : "C:\\SharePoint\\SPF2010\\setup.exe /config C:\\SharePoint\\SPF2010\\Files\
\SetupSilent\\config.xml"
}
Because commands in the instance are processed in alphabetical order by name, each command has
been prepended with a number indicating its desired execution order. Thus, we can make sure that the
installation package is first extracted, all prerequisites are then installed, and finally, installation of
SharePoint is started.
Next is the Properties section:
"Properties": {
{ "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" : "InstanceType" },
"Arch" ] } ] },
"SecurityGroups" : [ {"Ref" : "SharePointFoundationSecurityGroup"} ],
"KeyName" : { "Ref" : "KeyPairName" },
"<script>\n",
"cfn-init.exe -v -s ", { "Ref" : "AWS::StackName" },

" -r SharePointFoundation",
"cfn-signal.exe -e %ERRORLEVEL% ", { "Fn::Base64" : { "Ref" :

"SharePointFoundationWaitHandle" }}, "\n",
"</script>"
]]}}
}
In this section, the UserData property contains a cmd.exe script that will be executed by cfn-init,
surrounded by <script> tags. You can use a Windows Powershell script here instead by surrounding your
script with <powershell> tags. For Windows stacks, you must base64 encode the wait condition handle
URL again.
SharePointFoundationWaitHandle is referenced here and run with cfn-signal. The

WaitConditionHandle and associated WaitCondition are declared next in the template:

191
"SharePointFoundationWaitHandle" : {
"Type" : "AWS::CloudFormation::WaitConditionHandle"
},
"SharePointFoundationWaitCondition" : {
"Type" : "AWS::CloudFormation::WaitCondition",
"DependsOn" : "SharePointFoundation",
"Properties" : {
"Handle" : {"Ref" : "SharePointFoundationWaitHandle"},
"Timeout" : "3600"
}
}
Since executing all of the steps and installing SharePoint might take a while, but not an entire hour, the
WaitCondition waits an hour (3600 seconds) before timing out.
If all goes well, an Elastic IP is used to provide access to the SharePoint instance:
"Outputs" : {
"SharePointFoundationURL" : {
"Value" : { "Fn::Join" : ["", ["http://", { "Ref" : "SharePointFoundationEIP" } ]] },
"Description" : "SharePoint Team Site URL. Please retrieve Administrator password of the
instance and use it to access the URL"
}
Once stack creation is complete, the IP address supplied by EIP will be displayed in the Outputs tab of
the AWS CloudFormation console. However, before you can access the instance you will need to retrieve
the auto-generated temporary Administrator password for the instance. For more information, see
Connecting to Your Windows Instance Using RDP in the Amazon EC2 User Guide for Windows Instances.
How to Manage Windows Services

You manage Windows services in the same way as Linux services, except that you use a windows key
instead of sysvinit. The following example starts the cfn-hup service, sets it to Automatic, and
restarts the service if cfn-init modifies the c:\cfn\cfn-hup.conf or c:\cfn\hooks.d\cfn-auto-
reloader.conf configuration files.
"services" : {
"windows" : {
"cfn-hup" : {
"enabled" : "true",
"ensureRunning" : "true",
"files" : ["c:\\cfn\\cfn-hup.conf", "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf"]
}
}
}
You can manage other Windows services in the same way by using the name—not the display name—to
reference the service.
How to Troubleshoot Stack Creation Issues

If your stack fails during creation, the default behavior is to Rollback on failure. While this is normally a
good default because it avoids unnecessary charges, it makes it difficult to debug why your stack creation
is failing.
To turn this behavior off, click Show Advanced Options when creating your stack with the AWS
CloudFormation console, and click the No selector next to Rollback on failure. This will allow you to

192
log into your instance and view the logfiles to pinpoint issues encountered when running your startup
scripts.
Important logs to look at are:
• The EC2 configuration log at C:\Program Files\Amazon\Ec2ConfigService\Logs

\Ec2ConfigLog.txt
• The cfn-init log at C:\cfn\log\cfn-init.log

193
Resource Import Overview
Bringing Existing Resources Into

CloudFormation Management
If you created an AWS resource outside of AWS CloudFormation management, you can bring this existing
resource into AWS CloudFormation management using resource import. You can manage your
resources using AWS CloudFormation regardless of where they were created without having to delete
and re-create them as part of a stack.
For a list of AWS resources that support import operations, see Resources that Support Import
Operations.
Resource Import Overview

During an import operation, you create a change set that imports your existing resources into a stack or
creates a new stack from your existing resources. You provide the following during import.
• A template that describes the entire stack, including both the original stack resources and the
resources you're importing. Each resource to import must have a DeletionPolicy attribute.
• Identifiers for the resources to import. You provide two values to identify each target resource.
• An identifier property. This is a resource property that can be used to identify each resource type.
For example, an AWS::S3::Bucket resource can be identified using its BucketName.
• An identifier value. This is the target resource's actual property value. For example, the actual value
for the BucketName property might be MyS3Bucket.
Resource Import Validation

During an import operation, AWS CloudFormation performs the following validations.
• The resource to import exists.

• The properties and configuration values for each resource to import adhere to the resource type
schema, which defines its accepted properties, required properties, and supported property values.
• The required properties are specified in the template. Required properties for each resource type are
listed in the Resource and Property Reference.
• The resource to import does not belong to another stack in the same Region.
AWS CloudFormation does not check that the template configuration matches the actual configuration
of resource properties.
Resource Import Status Codes

This table describes the various status types used with resource import.

194
Considerations During an Import Operation
Import Operation Status Description


configuration.
Considerations During an Import Operation

• After the import is complete and before performing subsequent stack operations, we recommend
running drift detection on imported resources. Drift detection ensures that the template configuration
matches the actual configuration.
• Import operations don't allow new resource creations, resource deletions, or changes to property
configurations.
• Each resource to import must have a DeletionPolicy attribute for the import operation to
succeed. The DeletionPolicy can be set to any possible value. Only target resources need a
DeletionPolicy. Resources that are already part of the stack don't need a DeletionPolicy.
• You cannot import the same resource into multiple stacks.
• You can use the cloudformation:ImportResourceTypes IAM policy condition to control which
resource types IAM users can work with during an import operation.
• The AWS CloudFormation stack limits apply when importing resources. For more information on limits,
see AWS CloudFormation Limits.
• Resource import is available in the US East (N. Virginia), US East (Ohio), US West (N. California), US
West (Oregon), Canada (Central), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore),
Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Frankfurt), Europe (Ireland), Europe (London),
Europe (Paris), and South America (São Paulo) Regions.
Getting Started with Resource Import

• Creating a Stack From Existing Resources
• Importing Existing Resources Into a Stack
• Moving Resources Between Stacks
• Nesting an Existing Stack
• Reverting an Import Operation
• Resources that Support Import Operations
Creating a Stack From Existing Resources

During this import operation, you need to provide the following.

195
Creating a Stack From Existing Resources
• A template that describes the resources that will be in the new stack and the resource configurations.
Each resource in your template must have a DeletionPolicy attribute.
• A unique identifier for each target resource. Visit the appropriate service console to obtain unique
identifiers.
In this walkthrough, we provide the following example template, called templateToImport.json.

ServiceTable and GamesTable are the targets of the import.
{
"Resources": {
"ServiceTable":{
"Properties":{
{
"AttributeType":"S"
}
],
"KeySchema":[
{
"KeyType":"HASH"
}
],
}
}
},
"GamesTable": {
"Properties": {
{
}
],
"KeySchema": [
{
"KeyType": "HASH"
}
],
}
}
}
}
}

196
Create a Stack from Existing Resources
Create a Stack from Existing Resources Using the

AWS CloudFormation Console
2. On the Stacks page, choose Create stack, and then choose With existing resources (import
resources).
3. Read the Import overview page for a list of things you're required to provide during this operation.
Then, choose Next.
4. On the Specify template page, provide your template using one of the following methods, and then
choose Next.
5. On the Identify resources page, identify each target resource.
a. Under Identifier property, choose the type of resource identifier. For example, the
b. Under Identifier value, type the actual property value. For example, the TableName for the
GamesTable resource in the example template is Games.
c. Choose Next.
6. On the Specify stack details page, modify any parameters, and then choose Next. This
Important
7. On the Review stack-name page, confirm that the correct resources are being imported, and then
choose Import resources. This automatically runs the change set created in the last step.
8. The Events pane of the Stack details page for your new stack displays.

197
Create a Stack from Existing Resources Using the AWS CLI
9. (Optional) Run drift detection on the stack to make sure the template and actual configuration of
the imported resources match. For more information about detecting drift, see Detect Drift on an
Entire CloudFormation Stack.
Create a Stack from Existing Resources Using the

AWS CLI
1. Open the AWS CLI.
2. Optionally run GetTemplateSummary to learn which properties identify each resource type
in your template. For example, the AWS::DynamoDB::Table resource can be identified using
the TableName property. For the GamesTable resource in the example template, the value of
TableName is Games.
> aws cloudformation get-template-summary

3. Compose a list of the target resources from your template and their unique identifiers in the
following format.
"[{\"ResourceType\":\"AWS::DynamoDB::Table\",\"LogicalResourceId\":\"GamesTable\",
\"ResourceIdentifier\":{\"TableName\":\"Games\"}}]"

\"LogicalResourceId\":\"GamesTable\",\"ResourceIdentifier\":{\"TableName\":\"Games\"}},
{\"ResourceType\":\"AWS::DynamoDB::Table\",\"LogicalResourceId\":\"ServiceTable\",
\"ResourceIdentifier\":{\"TableName\":\"Service\"}}]"
The AWS CLI also supports text files as input for the --resources-to-import parameter, as
shown in the following example.
[
{
"TableName":"Games"
}
},
{
"LogicalResourceId":"ServiceTable",
"TableName":"Service"
}
}

198
Importing Existing Resources Into a Stack
5. Review the change set to make sure the correct resources will be imported.
6. Run the change set to import the resources. On successful completion of the operation
(IMPORT_COMPLETE), the resources are successfully imported.
7. (Optional) Run drift detection on the IMPORT_COMPLETE stack to make sure the template and
actual configuration of the imported resources match. For more information on detecting drift, see
Detect Drift on an Entire CloudFormation Stack.
> aws cloudformation detect-stack-drift --stack-name TargetStack

{ "Stack-Drift-Detection-Id" : "624af370-311a-11e8-b6b7-500cexample" }
> aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-

id 624af370-311a-11e8-b6b7-500cexample
> aws cloudformation describe-stack-resource-drifts --stackname TargetStack
8. (Optional) If your imported resources don't match their expected template configurations, either
correct the template configurations or update the resources directly. In this walkthrough, we correct
the template configurations to match their actual configurations.
a. Revert the import operation for the affected resources.

b. Add the import targets to your template again, making sure that the template configurations
match the actual configurations.
c. Repeat steps 4-7 using the modified template to import the resources again.
Importing Existing Resources Into a Stack

During this import operation, you need to provide the following.
• A template that describes the entire stack, including both the resources that are already part of the
stack and the resources to import. Each resource to import must have a DeletionPolicy attribute in
your template.
• A unique identifier for each target resource. Visit the appropriate service console to obtain unique
identifiers.
In this walkthrough, we provide the following example template, called templateToImport.json.

ServiceTable is currently part of the stack, and GamesTable is the target of the import.
{
"Resources": {
"ServiceTable":{
"Properties":{
{
"AttributeType":"S"

199
Import an Existing Resource into a Stack
}
],
"KeySchema":[
{
"KeyType":"HASH"
}
],
}
}
},
"GamesTable": {
"Properties": {
{
}
],
"KeySchema": [
{
"KeyType": "HASH"
}
],
}
}
}
}
}
Import an Existing Resource into a Stack Using the

AWS CloudFormation Console
2. On the Stacks page, choose the stack you want to import resources into.
3. Choose Stack actions, and then choose Import resources into stack.
4. Review the Import overview page, and then choose Next.

5. On the Specify template page, provide your updated template using one of the following methods,
and then choose Next.

200
Import an Existing Resource into a Stack Using the AWS CLI
6. On the Identify resources page, identify each target resource.
a. Under Identifier property, choose the type of resource identifier. For example, the
b. Under Identifier value, type the actual property value. For example, the TableName for the
GamesTable resource in the example template is Games.
c. Choose Next.
7. On the Specify stack details page, update any parameters, and then choose Next. This
Note
8. On the Review stack-name page, review the resources to import, and then choose Import
resources. This automatically runs the change set created in the last step. Any stack-level tags are
applied to imported resources at this time.
9. The Events page for the stack displays.
10. (Optional) Run drift detection on the stack to make sure the template and actual configuration of
the imported resources match. For more information about detecting drift, see Detect Drift on an
Entire CloudFormation Stack.
Import an Existing Resource into a Stack Using the

AWS CLI
1. Optionally run GetTemplateSummary to learn which properties identify each resource type
in the template. For example, the AWS::DynamoDB::Table resource can be identified using
the TableName property. For the GamesTable resource in the example template, the value of
TableName is Games.
> aws cloudformation get-template-summary

2. Compose a list of resources to import and their unique identifiers in the following format.
"[{\"ResourceType\":\"AWS::DynamoDB::Table\",\"LogicalResourceId\":\"GamesTable\",
\"ResourceIdentifier\":{\"TableName\":\"Games\"}}]"
201
Import an Existing Resource into a Stack Using the AWS CLI

\"LogicalResourceId\":\"GamesTable\",\"ResourceIdentifier\":{\"TableName\":
\"Games\"}}]"
[
{
"TableName":"Games"
}
}
]
4. Review the change set to make sure the correct resources will be imported.
5. Run the change set to import the resources. Any stack-level tags are applied to imported resources
at this time. On successful completion of the operation (IMPORT_COMPLETE), the resources are
successfully imported.
6. (Optional) Run drift detection on the IMPORT_COMPLETE stack to make sure the template and
actual configuration of the imported resources match. For more information about detecting drift,
see Detect Drift on an Entire CloudFormation Stack.
> aws cloudformation detect-stack-drift --stack-name TargetStack

{ "Stack-Drift-Detection-Id" : "624af370-311a-11e8-b6b7-500cexample" }
> aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-

id 624af370-311a-11e8-b6b7-500cexample
> aws cloudformation describe-stack-resource-drifts --stackname TargetStack
7. (Optional) If your imported resources don't match their expected template configurations, either
correct the template configurations or update the resources directly. In this walkthrough, we correct
the template configurations to match their actual configurations.
a. Revert the import operation for the affected resources.

b. Add the import targets to your template again, making sure that the template configurations
match the actual configurations.
c. Repeat steps 3-6 using the modified template to import the resources again.
202
Reverting an Import Operation
Reverting an Import Operation

To revert an import operation, specify a Retain deletion policy for the resource you want to remove
from the template to ensure that it's preserved when you delete it from the stack.
Revert an Import Operation Using the AWS

Management Console
1. Specify a Retain DeletionPolicy for the resources you want to remove from your stack. In the
following example template, GamesTable is the target of this revert operation.
Example JSON
{
"Resources": {
"ServiceTable":{
"Properties":{
{
"AttributeType":"S"
}
],
"KeySchema":[
{
"KeyType":"HASH"
}
],
}
}
},
"GamesTable": {
"Properties": {
{
}
],
"KeySchema": [
{
"KeyType": "HASH"
}
],
}

203
Revert an Import Operation Using
the AWS Management Console
}
}
}
}
2. Open the AWS CloudFormation console to perform a stack update to apply the deletion policy.
a. On the Stacks page, with the stack selected, choose Update, and then choose Update stack
(standard).
b. Under Prepare template, choose Replace current template.
c. Under Specify template, provide the updated source template with the DeletionPolicy
attribute on GamesTable, and then choose Next.
• Choose Amazon S3 URL, and then specify the URL to the updated source template in the text
box.
• Choose Upload a template file, and then browse for the updated source template file.
d. On the Specify stack details page, no changes are required. Choose Next.
e. On the Configure stack options page, no changes are required. Choose Next.
f. On the Review stack_name page, review your changes. If your template contains IAM
resources, select I acknowledge that this template may create IAM resources to specify that
you want to use IAM resources in the template. For more information about using IAM resources
in templates, see Controlling Access with AWS Identity and Access Management (p. 9). Then,
either update your source stack by creating a change set or update your source stack directly.
3. Remove the resource, related parameters, and outputs from the stack template. In this example, the
template now looks like the following.
Example JSON
{
"Resources": {
"ServiceTable":{
"Properties":{
{
"AttributeType":"S"
}
],
"KeySchema":[
{
"KeyType":"HASH"
}
],
}
}
}
}
}
4. Repeat step 2 to delete the resource (GamesTable) and its related parameters and outputs from the
stack.
204
Revert an Import Operation Using the AWS CLI
Revert an Import Operation Using the AWS CLI

1. Specify a Retain DeletionPolicy for the resources you want to remove from your stack. In the
following example template, GamesTable is the target of this revert operation.
Example JSON
{
"Resources": {
"ServiceTable":{
"Properties":{
{
"AttributeType":"S"
}
],
"KeySchema":[
{
"KeyType":"HASH"
}
],
}
}
},
"GamesTable": {
"Properties": {
{
}
],
"KeySchema": [
{
"KeyType": "HASH"
}
],
}
}
}
}
}
2. Update the stack to apply the deletion policy to the resource.
update-stack --stack-name "stack-name"

205
Resources that Support Import Operations
3. Remove the resource, related parameters, and outputs from the stack template. In this example, the
template now looks like the following.
Example JSON
{
"Resources": {
"ServiceTable":{
"Properties":{
{
"AttributeType":"S"
}
],
"KeySchema":[
{
"KeyType":"HASH"
}
],
}
}
}
}
}
4. Update the stack to delete the resource (GamesTable) and its related parameters and outputs from
the stack.
update-stack --stack-name "stack-name"

Import operations support the following resource types. Import operations support the same resource
types that drift detection supports.
Service Resource
API Gateway AWS::ApiGateway::Authorizer

206
Service Resource
Auto Scaling AWS::AutoScaling::AutoScalingGroup
CloudFormation AWS::CloudFormation::Stack
CloudTrail AWS::CloudTrail::Trail
CloudWatch AWS::CloudWatch::Alarm
AWS::Events::Rule
AWS::Logs::LogGroup
DynamoDB AWS::DynamoDB::Table
Amazon EC2 AWS::EC2::EIP
AWS::EC2::Instance
AWS::EC2::Subnet
AWS::EC2::Volume
AWS::EC2::VPC
Amazon ECS AWS::ECS::Cluster
AWS::ECS::Service

207
Service Resource
Elastic Load Balancing AWS::ElasticLoadBalancing::LoadBalancer
IAM AWS::IAM::Group
AWS::IAM::Role
AWS::IAM::User
AWS IoT AWS::IoT::Thing
Lambda AWS::Lambda::Alias
AWS::Lambda::Function
AWS::Lambda::Version
Amazon RDS AWS::RDS::DBCluster
AWS::RDS::DBInstance
Route 53 AWS::Route53::HostedZone
Amazon S3 AWS::S3::Bucket
Amazon SNS AWS::SNS::Topic
Amazon SQS AWS::SQS::Queue

208
Template Formats
Working with AWS CloudFormation

Templates
To provision and configure your stack resources, you must understand AWS CloudFormation templates,
which are formatted text files in JSON or YAML. These templates describe the resources that you want
to provision in your AWS CloudFormation stacks. You can use AWS CloudFormation Designer or any text
editor to create and save templates. For information about the structure and syntax of a template, see
Template Anatomy (p. 210).
If you're unfamiliar with JSON or YAML, you can use AWS CloudFormation Designer to help you
get started with AWS CloudFormation templates. AWS CloudFormation Designer is a tool for
visually creating and modifying templates. For more information, see What Is AWS CloudFormation
Designer? (p. 274).
Template Snippets (p. 355) provides examples that demonstrate how to write templates for a
particular resource. For example, you can view snippets for Amazon EC2 instances, Amazon S3 domains,
AWS CloudFormation mappings, and more. Snippets are grouped by resource, with general-purpose AWS
CloudFormation snippets in General Template Snippets (p. 356).
For details about the supported resources, type names, intrinsic functions, and pseudo parameters you
can use in your templates, see Template Reference (p. 604).
Topics
• AWS CloudFormation Template Formats (p. 209)
• Template Anatomy (p. 210)
• What Is AWS CloudFormation Designer? (p. 274)
• Walkthroughs (p. 285)
• Template Snippets (p. 355)
• Custom Resources (p. 511)
• Using AWS CloudFormation Macros to Perform Custom Processing on Templates (p. 542)
• Using Regular Expressions in AWS CloudFormation Templates (p. 555)
• Using CloudFormer (Beta) to Create AWS CloudFormation Templates from Existing AWS
Resources (p. 555)
AWS CloudFormation Template Formats

You can author AWS CloudFormation templates in JSON or YAML formats. We support all AWS
CloudFormation features and functions for both formats, including in AWS CloudFormation Designer.
When deciding which format to use, pick the format that you're most comfortable working in. Also
consider that YAML inherently provides some features, such as commenting, that aren't available in
JSON.
Important
We recommend that you not add # YAML comments to your templates in Designer. If your YAML
template has # comments, Designer does not preserve those comments when converting the
template to JSON. In addition, if you modify your template in Designer (for example, if you
move a resource on the canvas), your comments are lost.

209
Template Anatomy
You can add comments to the AWS CloudFormation templates you create outside of Designer. The
following example shows a YAML template with inline comments.
Resources:
MyEC2Instance: #An inline comment
Properties:
ImageId: "ami-0ff8a91507f77f867" #Another comment -- This is a Linux AMI
KeyName: testkey
-
Ebs:
VolumeType: io1
Iops: 200
VolumeSize: 20
For more information about the template syntax for each format, see Template Anatomy (p. 210).
AWS CloudFormation supports the following JSON and YAML specifications:
JSON
AWS CloudFormation follows the ECMA-404 JSON standard. For more information about the JSON
format, see http://www.json.org.
YAML
AWS CloudFormation supports the YAML Version 1.1 specification with a few exceptions. AWS
CloudFormation doesn't support the following features:
• The binary, omap, pairs, set, and timestamp tags
• Aliases
• Hash merges
For more information about YAML, see http://www.yaml.org.
Template Anatomy
A template is a JSON- or YAML-formatted text file that describes your AWS infrastructure. The following
examples show an AWS CloudFormation template structure and its sections.
JSON
The following example shows a JSON-formatted template fragment.
{
"AWSTemplateFormatVersion" : "version date",
"Description" : "JSON string",
"Metadata" : {
template metadata
},

210
YAML
"Parameters" : {
set of parameters
},
"Mappings" : {
set of mappings
},
"Conditions" : {
set of conditions
},
"Transform" : {
set of transforms
},
"Resources" : {
set of resources
},
"Outputs" : {
set of outputs
}
}
YAML
The following example shows a YAML-formatted template fragment.
---
AWSTemplateFormatVersion: "version date"
Description:
String
Metadata:
template metadata
Parameters:
set of parameters
Mappings:
set of mappings
Conditions:
set of conditions
Transform:
set of transforms
Resources:
set of resources
Outputs:
set of outputs
Template Sections
Templates include several major sections. The Resources section is the only required section. Some
sections in a template can be in any order. However, as you build your template, it can be helpful to use

211
Format Version
the logical order shown in the following list because values in one section might refer to values from a
previous section.
Format Version (optional) (p. 212)
The AWS CloudFormation template version that the template conforms to. The template format
version is not the same as the API or WSDL version. The template format version can change
independently of the API and WSDL versions.
Description (optional) (p. 213)
A text string that describes the template. This section must always follow the template format
version section.
Metadata (optional) (p. 213)
Objects that provide additional information about the template.

Parameters (optional) (p. 237)
Values to pass to your template at runtime (when you create or update a stack). You can refer to
parameters from the Resources and Outputs sections of the template.
Mappings (optional) (p. 256)
A mapping of keys and associated values that you can use to specify conditional parameter
values, similar to a lookup table. You can match a key to a corresponding value by using the
Fn::FindInMap (p. 3804) intrinsic function in the Resources and Outputs sections.
Conditions (optional) (p. 260)
Conditions that control whether certain resources are created or whether certain resource properties
are assigned a value during stack creation or update. For example, you could conditionally create a
resource that depends on whether the stack is for a production or test environment.
Transform (optional) (p. 264)
For serverless applications (also referred to as Lambda-based applications), specifies the version of
the AWS Serverless Application Model (AWS SAM) to use. When you specify a transform, you can use
AWS SAM syntax to declare resources in your template. The model defines the syntax that you can
use and how it is processed.
You can also use AWS::Include transforms to work with template snippets that are stored
separately from the main AWS CloudFormation template. You can store your snippet files in an
Amazon S3 bucket and then reuse the functions across multiple templates.
Resources (required) (p. 269)
Specifies the stack resources and their properties, such as an Amazon Elastic Compute Cloud
instance or an Amazon Simple Storage Service bucket. You can refer to resources in the Resources
and Outputs sections of the template.
Outputs (optional) (p. 271)
Describes the values that are returned whenever you view your stack's properties. For example, you
can declare an output for an S3 bucket name and then call the aws cloudformation describe-
stacks AWS CLI command to view the name.
Format Version
The AWSTemplateFormatVersion section (optional) identifies the capabilities of the template. The
latest template format version is 2010-09-09 and is currently the only valid value.

212
Description
Note
The template format version is not the same as the API or WSDL version. The template format
version can change independently of the API and WSDL versions.
The value for the template format version declaration must be a literal string. You cannot use a
parameter or function to specify the template format version. If you don't specify a value, AWS
CloudFormation assumes the latest template format version. The following snippet is an example of a
valid template format version declaration:
JSON
"AWSTemplateFormatVersion" : "2010-09-09"
YAML
Description
The Description section (optional) enables you to include comments about your template. The
Description must follow the AWSTemplateFormatVersion section.
The value for the description declaration must be a literal string that is between 0 and 1024 bytes in
length. You cannot use a parameter or function to specify the description. The following snippet is an
example of a description declaration:
JSON
"Description" : "Here are some details about the template."
YAML
Description: >
Here are some
details about
the template.
Metadata
You can use the optional Metadata section to include arbitrary JSON or YAML objects that provide
details about the template. For example, you can include template implementation details about specific
resources, as shown in the following snippet:
Important
During a stack update, you cannot update the Metadata section by itself. You can update it only
when you include changes that add, modify, or delete resources.
JSON
"Metadata" : {
"Instances" : {"Description" : "Information about the instances"},
"Databases" : {"Description" : "Information about the databases"}

213
Metadata
YAML
Metadata:
Instances:
Description: "Information about the instances"
Databases:
Description: "Information about the databases"
Metadata Keys
Some AWS CloudFormation features retrieve settings or configuration information that you define in the
Metadata section. You define this information in the following AWS CloudFormation-specific metadata
keys:
AWS::CloudFormation::Init
Defines configuration tasks for the cfn-init helper script. This script is useful for configuring and
installing applications on EC2 instances. For more information, see AWS::CloudFormation::Init.
AWS::CloudFormation::Interface
Defines the grouping and ordering of input parameters when they are displayed in the AWS
CloudFormation console. By default, the AWS CloudFormation console alphabetically sorts
parameters by their logical ID. For more information, see AWS::CloudFormation::Interface.
AWS::CloudFormation::Designer
Describes how your resources are laid out in AWS CloudFormation Designer (Designer). Designer
automatically adds this information when you use it create and update templates. For more
information, see What Is AWS CloudFormation Designer? (p. 274).
AWS::CloudFormation::Authentication
Use the AWS::CloudFormation::Authentication resource to specify authentication credentials for
files or sources that you specify with the AWS::CloudFormation::Init (p. 219) resource.
To include authentication information for a file or source that you specify with
AWS::CloudFormation::Init, use the uris property if the source is a URI or the buckets property
if the source is an Amazon S3 bucket. For more information about files, see Files (p. 225). For more
information about sources, see Sources (p. 231).
You can also specify authentication information for files directly in the AWS::CloudFormation::Init
resource. The files key of the resource contains a property named authentication. You can
use the authentication property to associate authentication information defined in an
AWS::CloudFormation::Authentication resource directly with a file.
For files, AWS CloudFormation looks for authentication information in the following order:
1. The authentication property of the AWS::CloudFormation::Init files key.

2. The uris or buckets property of the AWS::CloudFormation::Authentication resource.
For sources, AWS CloudFormation looks for authentication information in the uris or buckets property
of the AWS::CloudFormation::Authentication resource.
Topics

214
Metadata
• Syntax (p. 215)

• Properties (p. 215)
• Examples (p. 217)
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
You should be aware of the following considerations when using the

AWS::CloudFormation::Authentication type:
• Unlike most AWS CloudFormation resources, the AWS::CloudFormation::Authentication type

does not contain a block called "Properties", but instead contains a list of user-named blocks, each
containing its own authentication properties.
Not all properties pertain to each authentication type; see the type (p. 216) property for more
details.
• Unlike most AWS CloudFormation resources, property names use lower camel case.
JSON
{
"Type" : "AWS::CloudFormation::Authentication" {
"String" : {
"accessKeyId (p. 215)" : String,
"buckets (p. 216)" : [ String, ... ],
"password (p. 216)" : String,
"secretKey (p. 216)" : String,
"type (p. 216)" : String,
"uris (p. 216)" : [ String, ... ],
"username (p. 216)" : String,
"roleName (p. 216)" : String
}
}
}
YAML
Type: AWS::CloudFormation::Authentication
String:
accessKeyId (p. 215): String
buckets (p. 216):
- String
password (p. 216): String
secretKey (p. 216): String
type (p. 216): String
uris (p. 216):
- String
username (p. 216): String
roleName (p. 216): String
Properties
accessKeyId
Specifies the access key ID for S3 authentication.
Required: Conditional. Can be specified only if the type property is set to "S3".

215
Metadata
Type: String
buckets
A comma-delimited list of Amazon S3 buckets to be associated with the S3 authentication

credentials.
Type: List of String values

password
Specifies the password for basic authentication.
Required: Conditional. Can be specified only if the type property is set to "basic".
Type: String
secretKey
Specifies the secret key for S3 authentication.
Type: String
type
Specifies whether the authentication scheme uses a user name and password ("basic") or an access
key ID and secret key ("S3").
If you specify "basic", specify the username, password, and uris properties.
If you specify "S3", specify the accessKeyId, secretKey, and buckets (optional) properties.
Required: Yes
Type: String Valid values are "basic" or "S3"

uris
A comma-delimited list of URIs to be associated with the basic authentication credentials. The
authorization applies to the specified URIs and any more specific URI. For example, if you specify
http://www.example.com, the authorization will also apply to http://www.example.com/
test.

username
Specifies the user name for basic authentication.
Type: String
roleName
Describes the role for role-based authentication.

Important
This role must be contained within the instance profile that is attached to the EC2 instance.
An instance profile can only contain one IAM role.

216
Metadata
Type: String.
Examples
Note
Unlike most resources, the AWS::CloudFormation::Authentication type defines a list of
user-named blocks, each of which contains authentication properties that use lower camel case
naming.
EC2 Web Server Authentication

This template snippet shows how to get a file from a private S3 bucket within an EC2 instance. The
credentials used for authentication are defined in the AWS::CloudFormation::Authentication
resource, and referenced by the AWS::CloudFormation::Init resource in the files section.
JSON
"WebServer": {
"DependsOn" : "BucketPolicy",
"Metadata" : {
"config" : {
"packages" : { "yum" : { "httpd" : [] } },
"files" : {
"/var/www/html/index.html" : {
"source" : {
"Fn::Join" : [
"", [ "http://http://s3.amazonaws.com/", { "Ref" : "BucketName" },
"/index.html" ]
]
},
"mode" : "000400",
"owner" : "apache",
"group" : "apache",
"authentication" : "S3AccessCreds"
}
},
"services" : {
"sysvinit" : {
}
}
}
},
"AWS::CloudFormation::Authentication" : {
"S3AccessCreds" : {
"type" : "S3",
"accessKeyId" : { "Ref" : "CfnKeys" },
"secretKey" : { "Fn::GetAtt": [ "CfnKeys", "SecretAccessKey" ] }
}
}
},
"Properties": {
EC2 Resource Properties ...
}
}
YAML
WebServer:

217
Metadata
DependsOn: "BucketPolicy"
Metadata:
AWS::CloudFormation::Init:
config:
packages:
yum:
httpd: []
files:
/var/www/html/index.html:
source:
Fn::Join:
- ""
-
- "http://s3.amazonaws.com/"
- Ref: "BucketName"
- "/index.html"
mode: "000400"
owner: "apache"
group: "apache"
authentication: "S3AccessCreds"
services:
sysvinit:
httpd:
enabled: "true"
ensureRunning: "true"
AWS::CloudFormation::Authentication:
S3AccessCreds:
type: "S3"
accessKeyId:
Ref: "CfnKeys"
secretKey:
Fn::GetAtt:
- "CfnKeys"
- "SecretAccessKey"
Properties:
EC2 Resource Properties ...
Specifying Both Basic and S3 Authentication
The following example template snippet includes both basic and S3 authentication types.
JSON
"AWS::CloudFormation::Authentication" : {
"testBasic" : {
"type" : "basic",
"username" : { "Ref" : "UserName" },
"password" : { "Ref" : "Password" },
"uris" : [ "http://www.example.com/test" ]
},
"testS3" : {
"type" : "S3",
"accessKeyId" : { "Ref" : "AccessKeyID" },
"secretKey" : { "Ref" : "SecretAccessKeyID" },
"buckets" : [ "aws-s3-bucket1" ]
}
}
YAML

218
Metadata
testBasic:
type: "basic"
username:
Ref: "UserName"
password:
Ref: "Password"
uris:
- "http://www.example.com/test"
testS3:
type: "S3"
accessKeyId:
Ref: "AccessKeyID"
secretKey:
Ref: "SecretAccessKeyID"
buckets:
- "myawsbucket"
IAM Roles
The following example shows how to use IAM roles:
• myRole is an AWS::IAM::Role resource.

• The Amazon EC2 instance that runs cfn-init is associated with myRole through an instance profile.
• The example specifies the authentication by using the buckets property, like in Amazon S3
authentication. You can also specify authentication by name.
JSON
"AWS::CloudFormation::Authentication": {
"rolebased" : {
"type": "S3",
"buckets": [ "myBucket" ],
"roleName": { "Ref": "myRole" }
}
}
YAML
rolebased:
type: "S3"
buckets:
- "myBucket"
roleName:
Ref: "myRole"
AWS::CloudFormation::Init
Use the AWS::CloudFormation::Init type to include metadata on an Amazon EC2 instance for the cfn-init
helper script. If your template calls the cfn-init script, the script looks for resource metadata rooted in
the AWS::CloudFormation::Init metadata key. For more information about cfn-init, see cfn-init (p. 3831).
cfn-init supports all metadata types for Linux systems. It supports metadata types for Windows with
conditions that are described in the sections that follow.
For an example of using AWS::CloudFormation::Init and the cfn-init helper script, see Deploying
Applications on Amazon EC2 with AWS CloudFormation (p. 333).

219
Metadata
For an example that shows how to use cfn-init to create a Windows stack, see Bootstrapping AWS
CloudFormation Windows Stacks (p. 189).
Syntax
The configuration is separated into sections. The following template snippet shows how you can attach
metadata for cfn-init to an Amazon EC2 instance resource within the template.
The metadata is organized into config keys, which you can group into configsets. You can specify a
configset when you call cfn-init in your template. If you don't specify a configset, cfn-init looks for a
single config key named config.
Note
The cfn-init helper script processes these configuration sections in the following order:
packages, groups, users, sources, files, commands, and then services. If you require a different
order, separate your sections into different config keys, and then use a configset that specifies
the order in which the config keys should be processed.
JSON
"Resources": {
"MyInstance": {
"Metadata" : {
"config" : {
"packages" : {
:
},
"groups" : {
:
},
"users" : {
:
},
"sources" : {
:
},
"files" : {
:
},
"commands" : {
:
},
"services" : {
:
}
}
}
},
"Properties": {
:
}
}
}
YAML
Resources:
MyInstance:
Metadata:

220
Metadata
config:
packages:
:
groups:
:
users:
:
sources:
:
files:
:
commands:
:
services:
:
Properties:
:
Configsets
If you want to create more than one config key and to have cfn-init process them in a specific order,
create a configset that contains the config keys in the desired order.
Single Configset
The following template snippet creates configsets named ascending and descending that each
contain two config keys.
JSON
"configSets" : {
"ascending" : [ "config1" , "config2" ],
"descending" : [ "config2" , "config1" ]
},
"config1" : {
"commands" : {
"test" : {
"command" : "echo \"$CFNTEST\" > test.txt",
"env" : { "CFNTEST" : "I come from config1." },
"cwd" : "~"
}
}
},
"config2" : {
"commands" : {
"test" : {
"command" : "echo \"$CFNTEST\" > test.txt",
"env" : { "CFNTEST" : "I come from config2" },
"cwd" : "~"
}
}
}
}
YAML
configSets:
ascending:

221
Metadata
- "config1"
- "config2"
descending:
- "config2"
- "config1"
config1:
commands:
test:
command: "echo \"$CFNTEST\" > test.txt"
env:
CFNTEST: "I come from config1."
cwd: "~"
config2:
commands:
test:
command: "echo \"$CFNTEST\" > test.txt"
env:
CFNTEST: "I come from config2"
cwd: "~"
Related cfn-init Calls
The following example calls to cfn-init refer to the preceding example configsets. The example calls are
abbreviated for clarity, see cfn-init (p. 3831) for the complete syntax.
• If a call to cfn-init specifies the ascending configset:
cfn-init -c ascending
the script processes config1 and then processes config2 and the test.txt file would contain the text
I come from config2.
• If a call to cfn-init specifies the descending configset:
cfn-init -c descending
the script processes config2 and then processes config1 and the test.txt file would contain the text
I come from config1.
Multiple Configsets
You can create multiple configsets, and call a series of them using your cfn-init script. Each configset
can contain a list of config keys or references to other configsets. For example, the following template
snippet creates three configsets. The first configset, test1, contains one config key named 1. The second
configset, test2, contains a reference to the test1 configset and one config key named 2. The third
configset, default, contains a reference to the configset test2.
JSON
"configSets" : {
"test1" : [ "1" ],
"test2" : [ { "ConfigSet" : "test1" }, "2" ],
"default" : [ { "ConfigSet" : "test2" } ]
},
"1" : {
"commands" : {
"test" : {
"command" : "echo \"$MAGIC\" > test.txt",

222
Metadata
"env" : { "MAGIC" : "I come from the environment!" },

"cwd" : "~"
}
}
},
"2" : {
"commands" : {
"test" : {
"command" : "echo \"$MAGIC\" >> test.txt",
"env" : { "MAGIC" : "I am test 2!" },
"cwd" : "~"
}
}
}
}
YAML
1:
commands:
test:
command: "echo \"$MAGIC\" > test.txt"
env:
MAGIC: "I come from the environment!"
cwd: "~"
2:
commands:
test:
command: "echo \"$MAGIC\" >> test.txt"
env:
MAGIC: "I am test 2!"
cwd: "~"
configSets:
test1:
- "1"
test2:
-
ConfigSet: "test1"
- "2"
default:
-
ConfigSet: "test2"
Related cfn-init Calls
The following calls to cfn-init refer to the configSets declared in the preceding template snippet. The
example calls are abbreviated for clarity, see cfn-init (p. 3831) for the complete syntax.
• If you specify test1 only:
cfn-init -c test1
cfn-init processes config key 1 only.

• If you specify test2 only:
cfn-init -c test2
cfn-init processes config key 1 and then processes config key 2.

• If you specify the default configset (or no configsets at all):

223
Metadata
cfn-init -c default
you get the same behavior that you would if you specify configset test2.
Commands
You can use the commands key to execute commands on the EC2 instance. The commands are processed
in alphabetical order by name.
Key Description
command Required. Either an array or a string specifying the command to run. If

you use an array, you do not need to escape space characters or enclose
command parameters in quotes. Don't use the array to specify multiple
commands.
env Optional. Sets environment variables for the command. This property
overwrites, rather than appends, the existing environment.
cwd Optional. The working directory
test Optional. A test command that determines whether cfn-init runs commands
that are specified in the command key. If the test passes, cfn-init runs the
commands. The cfn-init script runs the test in a command interpreter, such
as Bash or cmd.exe. Whether a test passes depends on the exit code that
the interpreter returns.
For Linux, the test command must return an exit code of 0 for the test to
pass. For Windows, the test command must return an %ERRORLEVEL% of 0.
ignoreErrors Optional. A Boolean value that determines whether cfn-init continues to

run if the command in contained in the command key fails (returns a non-
zero value). Set to true if you want cfn-init to continue running even if
the command fails. Set to false if you want cfn-init to stop running if the
command fails. The default value is false.
waitAfterCompletion Optional. For Windows systems only. Specifies how long to wait (in seconds)
after a command has finished in case the command causes a reboot. The
default value is 60 seconds and a value of "forever" directs cfn-init to exit
and resume only after the reboot is complete. Set this value to 0 if you do
not want to wait for every command.
Example
The following example snippet calls the echo command if the ~/test.txt file doesn't exist.
JSON
"commands" : {
"test" : {
"command" : "echo \"$MAGIC\" > test.txt",
"env" : { "MAGIC" : "I come from the environment!" },
"cwd" : "~",
"test" : "test ! -e ~/test.txt",
"ignoreErrors" : "false"

224
Metadata
},
"test2" : {
"command" : "echo \"$MAGIC2\" > test2.txt",
"env" : { "MAGIC2" : "I come from the environment!" },
"cwd" : "~",
"test" : "test ! -e ~/test2.txt",
"ignoreErrors" : "false"
}
}
YAML
commands:
test:
command: "echo \"$MAGIC\" > test.txt"
env:
MAGIC: "I come from the environment!"
cwd: "~"
test: "test ! -e ~/test.txt"
ignoreErrors: "false"
test2:
command: "echo \"$MAGIC2\" > test2.txt"
env:
MAGIC2: "I come from the environment!"
cwd: "~"
test: "test ! -e ~/test2.txt"
ignoreErrors: "false"
Files
You can use the files key to create files on the EC2 instance. The content can be either inline in the
template or the content can be pulled from a URL. The files are written to disk in lexicographic order. The
following table lists the supported keys.
Key Description
content Either a string or a properly formatted JSON object. If you use a JSON object
as your content, the JSON will be written to a file on disk. Any intrinsic
functions such as Fn::GetAtt or Ref are evaluated before the JSON object is
written to disk. When you create a symlink, specify the symlink target as the
content.
Note
If you create a symlink, the helper script modifies the permissions
of the target file. Currently, you can't create a symlink without
modifying the permissions of the target file.
source A URL to load the file from. This option cannot be specified with the content
key.
encoding The encoding format. Only used if the content is a string. Encoding is not
applied if you are using a source.
Valid values: plain | base64
group The name of the owning group for this file. Not supported for Windows
systems.
owner The name of the owning user for this file. Not supported for Windows
systems.

225
Metadata
Key Description
mode A six-digit octal value representing the mode for this file. Not supported for
Windows systems. Use the first three digits for symlinks and the last three
digits for setting permissions. To create a symlink, specify 120xxx, where
xxx defines the permissions of the target file. To specify permissions for a
file, use the last three digits, such as 000644.
authentication The name of an authentication method to use. This overrides any default
authentication. You can use this property to select an authentication
method you define with the AWS::CloudFormation::Authentication (p. 214)
resource.
context Specifies a context for files that are to be processed as Mustache templates.
To use this key, you must have installed aws-cfn-bootstrap 1.3-11 or later as
well as pystache.
Examples
The following example snippet creates a file named setup.mysql as part of a larger installation.
Example JSON
"files" : {
"/tmp/setup.mysql" : {
"content" : { "Fn::Join" : ["", [
"CREATE DATABASE ", { "Ref" : "DBName" }, ";\n",
"CREATE USER '", { "Ref" : "DBUsername" }, "'@'localhost' IDENTIFIED BY '",
{ "Ref" : "DBPassword" }, "';\n",
"GRANT ALL ON ", { "Ref" : "DBName" }, ".* TO '", { "Ref" : "DBUsername" },
"'@'localhost';\n",
"FLUSH PRIVILEGES;\n"
]]},
"mode" : "000644",
"owner" : "root",
"group" : "root"
}
}
Example YAML
files:
/tmp/setup.mysql:
content: !Sub |
CREATE DATABASE ${DBName};
CREATE USER '${DBUsername}'@'localhost' IDENTIFIED BY '${DBPassword}';
GRANT ALL ON ${DBName}.* TO '${DBUsername}'@'localhost';
FLUSH PRIVILEGES;
mode: "000644"
owner: "root"
group: "root"
The full template is available at: https://s3.amazonaws.com/cloudformation-templates-us-east-1/

Drupal_Single_Instance.template
The following example snippet creates a symlink /tmp/myfile2.txt that points at an existing file
/tmp/myfile1.txt. The permissions of the target file /tmp/myfile1.txt is defined by the mode
value 644.

226
Metadata
Example JSON
"files" : {
"/tmp/myfile2.txt" : {
"content" : "/tmp/myfile1.txt",
"mode" : "120644"
}
}
Example YAML
files:
/tmp/myfile2.txt:
content: "/tmp/myfile1.txt"
mode: "120644"
Mustache templates are used primarily to create configuration files. For example, you can store a
configuration file in an S3 bucket and interpolate Refs and GetAtts from the template, instead of using
Fn::Join (p. 3814). The following example snippet outputs "Content for test9" to /tmp/test9.txt.
Example JSON
"files" : {
"/tmp/test9.txt" : {
"content" : "Content for {{name}}",
"context" : { "name" : "test9" }
}
}
Example YAML
files:
/tmp/test9.txt:
content: "Content for {{name}}"
context:
name: "test9"
When working with Mustache templates, note the following:
• The context key must be present for the files to be processed.

• The context key must be a key-value map, but it can be nested.
• You can process files with inline content by using the content key and remote files by using the source
key.
• Mustache support depends on the pystache version. Version 0.5.2 supports the Mustache 1.1.2
specification.
Groups
You can use the groups key to create Linux/UNIX groups and to assign group IDs. The groups key is not
supported for Windows systems.
To create a group, add a new key-value pair that maps a new group name to an optional group ID. The
groups key can contain one or more group names. The following table lists the available keys.

227
Metadata
Key Description
gid A group ID number.
If a group ID is specified, and the group already exists by name, the group
creation will fail. If another group has the specified group ID, the OS may
reject the group creation.
Example: { "gid" : "23" }
Example snippet
The following snippet specifies a group named groupOne without assigning a group ID and a group
named groupTwo that specified a group ID value of 45.
JSON
"groups" : {
"groupOne" : {},
"groupTwo" : { "gid" : "45" }
}
YAML
groups:
groupOne: {}
groupTwo:
gid: "45"
Packages
You can use the packages key to download and install pre-packaged applications and components. On
Windows systems, the packages key supports only the MSI installer.
Supported package formats

The cfn-init script currently supports the following package formats: apt, msi, python, rpm, rubygems,
and yum. Packages are processed in the following order: rpm, yum/apt, and then rubygems and python.
There is no ordering between rubygems and python, and packages within each package manager are not
guaranteed to be installed in any order.
Specifying versions
Within each package manager, each package is specified as a package name and a list of versions. The
version can be a string, a list of versions, or an empty string or list. An empty string or list indicates that
you want the latest version. For rpm manager, the version is specified as a path to a file on disk or a URL.
If you specify a version of a package, cfn-init will attempt to install that version even if a newer version
of the package is already installed on the instance. Some package managers support multiple versions,
but others may not. Please check the documentation for your package manager for more information. If
you do not specify a version and a version of the package is already installed, the cfn-init script will not
install a new version—it will assume that you want to keep and use the existing version.
Example snippets
RPM, yum, and Rubygems
The following snippet specifies a version URL for rpm, requests the latest versions from yum, and version
0.10.2 of chef from rubygems:

228
Metadata
JSON
"rpm" : {
"epel" : "http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm"
},
"yum" : {
"httpd" : [],
"php" : [],
"wordpress" : []
},
"rubygems" : {
"chef" : [ "0.10.2" ]
}
YAML
rpm:
epel: "http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm"
yum:
httpd: []
php: []
wordpress: []
rubygems:
chef:
- "0.10.2"
MSI Package
The following snippet specifies a URL for an MSI package:
JSON
"msi" : {
"awscli" : "https://s3.amazonaws.com/aws-cli/AWSCLI64.msi"
}
YAML
msi:
awscli: "https://s3.amazonaws.com/aws-cli/AWSCLI64.msi"
Services
You can use the services key to define which services should be enabled or disabled when the instance is
launched. On Linux systems, this key is supported by using sysvinit. On Windows systems, it is supported
by using the Windows service manager.
The services key also allows you to specify dependencies on sources, packages and files so that if a
restart is needed due to files being installed, cfn-init will take care of the service restart. For example,
if you download the Apache HTTP Server package, the package installation will automatically start
the Apache HTTP Server during the stack creation process. However, if the Apache HTTP Server
configuration is updated later in the stack creation process, the update won't take effect unless the
Apache server is restarted. You can use the services key to ensure that the Apache HTTP service is
restarted.
The following table lists the supported keys.

229
Metadata
Key Description
ensureRunning Set to true to ensure that the service is running after cfn-init finishes.
Set to false to ensure that the service is not running after cfn-init finishes.
Omit this key to make no changes to the service state.
enabled Set to true to ensure that the service will be started automatically upon
boot.
Set to false to ensure that the service will not be started automatically upon
boot.
Omit this key to make no changes to this property.
files A list of files. If cfn-init changes one directly via the files block, this service
will be restarted
sources A list of directories. If cfn-init expands an archive into one of these

directories, this service will be restarted.
packages A map of package manager to list of package names. If cfn-init installs or

updates one of these packages, this service will be restarted.
commands A list of command names. If cfn-init runs the specified command, this
service will be restarted.
Examples
Linux
The following Linux snippet configures the services as follows:
• The nginx service will be restarted if either /etc/nginx/nginx.conf or /var/www/html are modified by
cfn-init.
• The php-fastcgi service will be restarted if cfn-init installs or updates php or spawn-fcgi using yum.
• The sendmail service will be stopped and disabled.
JSON
"services" : {
"sysvinit" : {
"nginx" : {
"enabled" : "true",
"files" : ["/etc/nginx/nginx.conf"],
"sources" : ["/var/www/html"]
},
"php-fastcgi" : {
"enabled" : "true",
"packages" : { "yum" : ["php", "spawn-fcgi"] }
},
"sendmail" : {
"enabled" : "false",
"ensureRunning" : "false"
}

230
Metadata
}
}
YAML
services:
sysvinit:
nginx:
enabled: "true"
files:
- "/etc/nginx/nginx.conf"
sources:
- "/var/www/html"
php-fastcgi:
enabled: "true"
packages:
yum:
- "php"
- "spawn-fcgi"
sendmail:
enabled: "false"
ensureRunning: "false"
Windows
The following Windows snippet starts the cfn-hup service, sets it to automatic, and restarts the service
if cfn-init modifies the specified configuration files:
JSON
"services" : {
"windows" : {
"cfn-hup" : {
"enabled" : "true",
"files" : ["c:\\cfn\\cfn-hup.conf", "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf"]
}
}
}
YAML
services:
windows:
cfn-hup:
enabled: "true"
files:
- "c:\\cfn\\cfn-hup.conf"
- "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf"
Sources
You can use the sources key to download an archive file and unpack it in a target directory on the EC2
instance. This key is fully supported for both Linux and Windows systems.
Supported formats
Supported formats are tar, tar+gzip, tar+bz2 and zip.

231
Metadata
Examples
GitHub
If you use GitHub as a source control system, you can use cfn-init and the sources package mechanism
to pull a specific version of your application. GitHub allows you to create a zip or a tar from a specific
version via a URL as follows:
https://github.com/<your directory>/(zipball|tarball)/<version>
For example, the following snippet pulls down version master as a .tar file.
JSON
"sources" : {
"/etc/puppet" : "https://github.com/user1/cfn-demo/tarball/master"
}
YAML
sources:
/etc/puppet: "https://github.com/user1/cfn-demo/tarball/master"
S3 Bucket
The following example downloads a zip file from an Amazon S3 bucket and unpacks it into /etc/myapp:
Note
You can use authentication credentials for a source. However, you cannot put an
authentication key in the sources block. Instead, include a buckets key in your
S3AccessCreds block. For more information on Amazon S3 authentication credentials, see
AWS::CloudFormation::Authentication (p. 214).
For an example, see the example template.
JSON
"sources" : {
"/etc/myapp" : "https://s3.amazonaws.com/mybucket/myapp.tar.gz"
}
YAML
sources:
/etc/myapp: "https://s3.amazonaws.com/mybucket/myapp.tar.gz"
Users
You can use the users key to create Linux/UNIX users on the EC2 instance. The users key is not supported
for Windows systems.
The following table lists the supported keys.
Key Description
uid A user ID. The creation process fails if the user name exists with a different
user ID. If the user ID is already assigned to an existing user the operating
system may reject the creation request.

232
Metadata
Key Description
groups A list of group names. The user will be added to each group in the list.
homeDir The user's home directory.
Example
Users are created as non-interactive system users with a shell of /sbin/nologin. This is by design and
cannot be modified.
JSON
"users" : {
"myUser" : {
"groups" : ["groupOne", "groupTwo"],
"uid" : "50",
"homeDir" : "/tmp"
}
}
YAML
users:
myUser:
groups:
- "groupOne"
- "groupTwo"
uid: "50"
homeDir: "/tmp"
AWS::CloudFormation::Interface
AWS::CloudFormation::Interface is a metadata key that defines how parameters are grouped
and sorted in the AWS CloudFormation console. When you create or update stacks in the console, the
console lists input parameters in alphabetical order by their logical IDs. By using this key, you can define
your own parameter grouping and ordering so that users can efficiently specify parameter values. For
example, you could group all EC2-related parameters in one group and all VPC-related parameters in
another group.
In addition to grouping and ordering parameters, you can define labels for parameters. A label is a
friendly name or description that the console displays instead of a parameter's logical ID. Labels are
useful for helping users understand the values to specify for each parameter. For example, you could
label a KeyPair parameter Select an EC2 key pair.
Note
Only the AWS CloudFormation console uses the AWS::CloudFormation::Interface
metadata key. AWS CloudFormation CLI and API calls do not use this key.
Syntax
JSON
"Metadata" : {
"AWS::CloudFormation::Interface" : {

233
Metadata
"ParameterGroups" : [ ParameterGroup, ... ],

"ParameterLabels" : ParameterLabel
}
}
YAML
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- ParameterGroup
ParameterLabels:
ParameterLabel
Properties
ParameterGroups
A list of parameter group types, where you specify group names, the parameters in each group, and
the order in which the parameters are shown.
Required: No
Type: AWS CloudFormation Interface ParameterGroup (p. 236)
Update requires: No interruption (p. 127)

ParameterLabels
A mapping of parameters and their friendly names that the AWS CloudFormation console shows
when a stack is created or updated.
Required: No
Type: AWS CloudFormation Interface ParameterLabel (p. 237)
Update requires: No interruption (p. 127)
Example
The following example defines two parameter groups: Network Configuration and Amazon
EC2 Configuration. The Network Configuration group includes the VPCID, SubnetId, and
SecurityGroupID parameters, which are defined in the Parameters section of the template (not
shown). The order in which the console shows these parameters is defined by the order in which the
parameters are listed, starting with the VPCID parameter. The example similarly groups and orders the
Amazon EC2 Configuration parameters.
The example also defines a label for the VPCID parameter. The console will show Which VPC should this
be deployed to? instead of the parameter's logical ID (VPCID).
JSON
"Metadata" : {
"AWS::CloudFormation::Interface" : {
"ParameterGroups" : [
{
"Label" : { "default" : "Network Configuration" },
"Parameters" : [ "VPCID", "SubnetId", "SecurityGroupID" ]
},
{
"Label" : { "default":"Amazon EC2 Configuration" },

234
Metadata
"Parameters" : [ "InstanceType", "KeyName" ]

}
],
"ParameterLabels" : {
"VPCID" : { "default" : "Which VPC should this be deployed to?" }
}
}
}
YAML
Metadata:
ParameterGroups:
-
Label:
default: "Network Configuration"
Parameters:
- VPCID
- SubnetId
- SecurityGroupID
-
Label:
default: "Amazon EC2 Configuration"
Parameters:
- InstanceType
- KeyName
ParameterLabels:
VPCID:
default: "Which VPC should this be deployed to?"
Parameter Groups in the Console
Using the metadata key from this example, the following figure shows how the console displays
parameter groups when a stack is created or updated: Parameter groups in the console

235
Metadata
AWS CloudFormation Interface Label

Label is a property of the ParameterGroup (p. 236) and ParameterLabel (p. 237) properties that
defines name for a parameter group or parameter.
Syntax
JSON
{
"default" : String
}
YAML
default: String
Properties
default
The default label that the AWS CloudFormation console uses to name a parameter group or
parameter.
Required: No
Type: String
AWS CloudFormation Interface ParameterGroup

ParameterGroup is a property of the AWS::CloudFormation::Interface (p. 233) resource that defines a
parameter group and the parameters to include in the group.
Syntax
JSON
{
"Label" : Label,
"Parameters" : [ String, ... ]
}
YAML
Label: Label
Parameters:
- String
Properties
Label
A name for the parameter group.
Required: No

236
Parameters
Type: AWS CloudFormation Interface Label (p. 236)

Parameters
A list of case-sensitive parameter logical IDs to include in the group. Parameters must already
be defined in the Parameters section of the template. A parameter can be included in only one
parameter group.
The console lists the parameters that you don't associate with a parameter group in alphabetical
order in the Other parameters group.
Required: No
AWS CloudFormation Interface ParameterLabel

ParameterLabel is a property of the AWS::CloudFormation::Interface (p. 233) resource that specifies
a friendly name or description for a parameter that the AWS CloudFormation console shows instead of
the parameter's logical ID.
Syntax
JSON
{
"ParameterLogicalID" : Label
}
YAML
ParameterLogicalID: Label
Properties
ParameterLogicalID
A label for a parameter. The label defines a friendly name or description that the AWS
CloudFormation console shows on the Specify Parameters page when a stack is created or updated.
The ParameterLogicalID key must be the case-sensitive logical ID of a valid parameter that has
been declared in the Parameters section of the template.
Required: No
Type: AWS CloudFormation Interface Label (p. 236)
Parameters
Use the optional Parameters section to customize your templates. Parameters enable you to input
custom values to your template each time you create or update a stack.
Defining a Parameter in a Template

The following example declares a parameter named InstanceTypeParameter. This parameter lets you
specify the Amazon EC2 instance type for the stack to use when you create or update the stack.

237
Parameters
Note that InstanceTypeParameter has a default value of t2.micro. This is the value that AWS
CloudFormation uses to provision the stack unless another value is provided.
JSON
"Parameters" : {
"InstanceTypeParameter" : {
"Type" : "String",
"AllowedValues" : ["t2.micro", "m1.small", "m1.large"],
"Description" : "Enter t2.micro, m1.small, or m1.large. Default is t2.micro."
}
}
YAML
Parameters:
InstanceTypeParameter:
Type: String
Default: t2.micro
AllowedValues:
- t2.micro
- m1.small
- m1.large
Description: Enter t2.micro, m1.small, or m1.large. Default is t2.micro.
Referencing a Parameter within a Template

You use the Ref intrinsic function to reference a parameter, and AWS CloudFormation uses the
parameter's value to provision the stack. You can reference parameters from the Resources and
Outputs sections of the same template.
In the following example, the InstanceType property of the EC2 instance resource references the
InstanceTypeParameter parameter value:
JSON
"Ec2Instance" : {
"Properties" : {
"InstanceType" : { "Ref" : "InstanceTypeParameter" },
"ImageId" : "ami-0ff8a91507f77f867"
}
}
YAML
Ec2Instance:
Properties:
InstanceType:
Ref: InstanceTypeParameter
General Requirements for Parameters

The following requirements apply when using parameters:

238
Parameters
• You can have a maximum of 60 parameters in an AWS CloudFormation template.

• Each parameter must be given a logical name (also called logical ID), which must be alphanumeric and
unique among all logical names within the template.
• Each parameter must be assigned a parameter type that is supported by AWS CloudFormation. For
more information, see Type (p. 240).
• Each parameter must be assigned a value at runtime for AWS CloudFormation to successfully provision
the stack. You can optionally specify a default value for AWS CloudFormation to use unless another
value is provided.
• Parameters must be declared and referenced from within the same template. You can reference
parameters from the Resources and Outputs sections of the template.
JSON
"Parameters" : {
"ParameterLogicalID" : {
"Type" : "DataType",
"ParameterProperty" : "value"
}
}
YAML
Parameters:
ParameterLogicalID:
Type: DataType
ParameterProperty: value
Properties
AllowedPattern
A regular expression that represents the patterns to allow for String types.
Required: No
AllowedValues
An array containing the list of values allowed for the parameter.
Required: No
ConstraintDescription
A string that explains a constraint when the constraint is violated. For example, without a constraint
description, a parameter that has an allowed pattern of [A-Za-z0-9]+ displays the following error
message when the user specifies an invalid value:
Malformed input-Parameter MyParameter must match pattern [A-Za-z0-9]+
By adding a constraint description, such as must only contain letters (uppercase and lowercase) and
numbers, you can display the following customized error message:
Malformed input-Parameter MyParameter must only contain uppercase and

lowercase letters and numbers
Required: No

239
Parameters
Default
A value of the appropriate type for the template to use if no value is specified when a stack is
created. If you define constraints for the parameter, you must specify a value that adheres to those
constraints.
Required: No
Description
A string of up to 4000 characters that describes the parameter.
Required: No
MaxLength
An integer value that determines the largest number of characters you want to allow for String
types.
Required: No
MaxValue
A numeric value that determines the largest numeric value you want to allow for Number types.
Required: No
MinLength
An integer value that determines the smallest number of characters you want to allow for String
types.
Required: No
MinValue
A numeric value that determines the smallest numeric value you want to allow for Number types.
Required: No
NoEcho
Whether to mask the parameter value to prevent it from being displayed in the console, command
line tools, or API. If you set the NoEcho attribute to true, CloudFormation returns the parameter
value masked as asterisks (*****) for any calls that describe the stack or stack events.
Important
Rather than embedding sensitive information directly in your AWS CloudFormation
templates, we strongly suggest you do one of the following:
• Use input parameters to pass in information whenever you create or update a stack, using
the NoEcho property to obfuscate the parameter value.
• Use dynamic parameters in the stack template to reference sensitive information that
is stored and managed outside of CloudFormation, such as in the Systems Manager
Parameter Store or Secrets Manager.
Required: No
Type
The data type for the parameter (DataType).
Required: Yes
AWS CloudFormation supports the following parameter types:

String
A literal string.

240
Parameters
For example, users could specify "MyUserName".

Number
An integer or float. AWS CloudFormation validates the parameter value as a number; however,
when you use the parameter elsewhere in your template (for example, by using the Ref intrinsic
function), the parameter value becomes a string.
For example, users could specify "8888".

List<Number>
An array of integers or floats that are separated by commas. AWS CloudFormation validates the
parameter value as numbers; however, when you use the parameter elsewhere in your template
(for example, by using the Ref intrinsic function), the parameter value becomes a list of strings.
For example, users could specify "80,20", and a Ref would result in ["80","20"].
CommaDelimitedList
An array of literal strings that are separated by commas. The total number of strings should be
one more than the total number of commas. Also, each member string is space trimmed.
For example, users could specify "test,dev,prod", and a Ref would result in
["test","dev","prod"].
AWS-Specific Parameter Types
AWS values such as Amazon EC2 key pair names and VPC IDs. For more information, see AWS-
Specific Parameter Types (p. 241).
SSM Parameter Types
Parameters that correspond to existing parameters in Systems Manager Parameter Store.

You specify a Systems Manager parameter key as the value of the SSM parameter, and AWS
CloudFormation fetches the latest value from Parameter Store to use for the stack. For more
information, see SSM Parameter Types (p. 243).
Note
AWS CloudFormation doesn't currently support the SecureString Systems Manager
parameter type.

AWS-specific parameter types are helpful in catching invalid values at the start of creating or updating
a stack. To specify parameters with AWS-specific types, a template user must enter existing AWS values
that are in their AWS account. AWS CloudFormation validates these input values against existing values
in the account. For example, with the AWS::EC2::VPC::Id parameter type, a user must enter an
existing VPC ID (p. 102) that is in the account and region in which they are creating the stack.
If you want to allow template users to enter input values from different AWS accounts, don't
define parameters with AWS-specific types; instead, define parameters of type String (or
CommaDelimitedList).
Supported AWS-Specific Parameter Types

AWS CloudFormation supports the following AWS-specific types:
AWS::EC2::AvailabilityZone::Name
An Availability Zone, such as us-west-2a.

241
Parameters
AWS::EC2::Image::Id
An Amazon EC2 image ID, such as ami-0ff8a91507f77f867. Note that the AWS CloudFormation
console doesn't show a drop-down list of values for this parameter type.
AWS::EC2::Instance::Id
An Amazon EC2 instance ID, such as i-1e731a32.

AWS::EC2::KeyPair::KeyName
An Amazon EC2 key pair name.

AWS::EC2::SecurityGroup::GroupName
An EC2-Classic or default VPC security group name, such as my-sg-abc.

AWS::EC2::SecurityGroup::Id
A security group ID, such as sg-a123fd85.

AWS::EC2::Subnet::Id
A subnet ID, such as subnet-123a351e.

AWS::EC2::Volume::Id
An Amazon EBS volume ID, such as vol-3cdd3f56.

AWS::EC2::VPC::Id
A VPC ID, such as vpc-a123baa3.

AWS::Route53::HostedZone::Id
An Amazon Route 53 hosted zone ID, such as Z23YXV4OVPL04A.

List<AWS::EC2::AvailabilityZone::Name>
An array of Availability Zones for a region, such as us-west-2a, us-west-2b.

List<AWS::EC2::Image::Id>
An array of Amazon EC2 image IDs, such as ami-0ff8a91507f77f867,

ami-0a584ac55a7631c0c. Note that the AWS CloudFormation console doesn't show a drop-down
list of values for this parameter type.
List<AWS::EC2::Instance::Id>
An array of Amazon EC2 instance IDs, such as i-1e731a32, i-1e731a34.

List<AWS::EC2::SecurityGroup::GroupName>
An array of EC2-Classic or default VPC security group names, such as my-sg-abc, my-sg-def.
List<AWS::EC2::SecurityGroup::Id>
An array of security group IDs, such as sg-a123fd85, sg-b456fd85.

List<AWS::EC2::Subnet::Id>
An array of subnet IDs, such as subnet-123a351e, subnet-456b351e.

List<AWS::EC2::Volume::Id>
An array of Amazon EBS volume IDs, such as vol-3cdd3f56, vol-4cdd3f56.

List<AWS::EC2::VPC::Id>
An array of VPC IDs, such as vpc-a123baa3, vpc-b456baa3.

List<AWS::Route53::HostedZone::Id>
An array of Amazon Route 53 hosted zone IDs, such as Z23YXV4OVPL04A, Z23YXV4OVPL04B.

242
Parameters
SSM Parameter Types

SSM parameter types correspond to existing parameters in Systems Manager Parameter Store. You
specify a Systems Manager parameter key as the value of the SSM parameter, and AWS CloudFormation
fetches the latest value from Parameter Store to use for the stack. For more information about Systems
Manager parameters, see Systems Manager Parameter Store in the AWS Systems Manager User Guide.
You can also use the ssm or ssm-secure dynamic parameter pattern to specify parameter values in your
template. For more information, see Using Dynamic References to Specify Template Values (p. 249).
When you create or update stacks and create change sets, AWS CloudFormation uses whatever values
exist in Parameter Store at the time the operation is run. If a specified parameter doesn't exist in
Parameter Store under the caller's AWS account, AWS CloudFormation returns a validation error.
When you execute a change set, AWS CloudFormation uses the values that are specified in the change
set. You should review these values before executing the change set because they might change in
Parameter Store between the time that you create the change set and run it.
Tip
You can see the resolved values for SSM parameters on the stack's Parameters tab in the console,
or by running describe-stacks or describe-change-set. These are the values that are
currently used in the stack definition for the corresponding Systems Manager parameter keys.
Note that these values are set when the stack is created or updated, so they might differ from
the latest values in Parameter Store.
If you specify Secure Strings as parameter values using the ssm-secure pattern, AWS
CloudFormation does not store the Secure String value or display it in the console or in the
results of API calls.
Because the value of an SSM parameter is a Systems Manager parameter key, you should be aware of the
following behavior:
• For stack updates, the Use existing value option in the console and the UsePreviousValue attribute
for update-stack tell AWS CloudFormation to use the existing Systems Manager parameter key—not
its value. AWS CloudFormation always fetches the latest values from Parameter Store when it updates
stacks.
However, if you use the ssm or ssm-secure dynamic parameter pattern to specify parameter values,
you must specify a version of the Systems Manager parameter for AWS CloudFormation to use.
• AWS CloudFormation can perform validation on Systems Manager parameter keys, but not on their
corresponding values. For validation purposes, you can treat parameter keys as strings. You should do
any validation for Systems Manager parameter values in Parameter Store.
See SSM Parameter Types (p. 247) for examples that use SSM parameter types.
Supported SSM Parameter Types

AWS CloudFormation supports the following SSM parameter types:
AWS::SSM::Parameter::Name
The name of a Systems Manager parameter key.
Use this parameter when you want to pass the parameter key. For example, you can use this type to
validate that the parameter exists.
AWS::SSM::Parameter::Value<String>
A Systems Manager parameter whose value is a string. This corresponds to the String parameter
type in Parameter Store.

243
Parameters
AWS::SSM::Parameter::Value<List<String>> or
AWS::SSM::Parameter::Value<CommaDelimitedList>
A Systems Manager parameter whose value is a list of strings. This corresponds to the StringList
parameter type in Parameter Store.
AWS::SSM::Parameter::Value<AWS-specific parameter type>
A Systems Manager parameter whose value is an AWS-specific parameter type (p. 241). For
example, the following specifies the AWS::EC2::KeyPair::KeyName type:
AWS::SSM::Parameter::Value<AWS::EC2::KeyPair::KeyPairName>
AWS::SSM::Parameter::Value<List<AWS-specific parameter type>>
A Systems Manager parameter whose value is a list of AWS-specific parameter types (p. 241). For
example, the following specifies a list of AWS::EC2::KeyPair::KeyName types:
AWS::SSM::Parameter::Value<List<AWS::EC2::KeyPair::KeyPairName>>
Unsupported SSM Parameter Types

AWS CloudFormation doesn't support the following SSM parameter type:
• Lists of SSM parameter types—for example: List<AWS::SSM::Parameter::Value<String>>
In addition, AWS CloudFormation does not support defining template parameters as SecureString
Systems Manager parameter types. However, you can specify Secure Strings as parameter values for
certain resources by using dynamic parameter patterns. For more information, see Using Dynamic
References to Specify Template Values (p. 249).
Grouping and Sorting Parameters in the AWS CloudFormation

Console
When you use the AWS CloudFormation console to create or update a stack, the console alphabetically
lists input parameters by their logical ID. To override the default ordering, you can use the
AWS::CloudFormation::Interface metadata key. By grouping and ordering parameters, you make
it easier for users to specify parameter values. For example, you could group all VPC-related parameters
so that they aren't scattered throughout an alphabetical list.
In the metadata key, you can specify the groups to create, the parameters to include in each group,
and the order in which the console shows each parameter within its group. You can also define friendly
parameter names so that the console shows descriptive names instead of logical IDs. All parameters that
you reference in the metadata key must be declared in the Parameters section of the template.
For more information and an example of the AWS::CloudFormation::Interface metadata key, see
AWS::CloudFormation::Interface (p. 233).
Examples
Basic Input Parameters
The following example Parameters section declares two parameters. The DBPort parameter is of type
Number with a default of 3306. The minimum value that can be specified is 1150, and the maximum
value that can be specified is 65535. The DBPwd parameter is of type String with no default value.
The NoEcho property is set to true to prevent describe stack calls, such as the aws cloudformation
describe-stacks AWS CLI command, from returning the parameter value. The minimum length that
can be specified is 1, and the maximum length that can be specified is 41. The pattern allows lowercase
and uppercase alphabetic characters and numerals.

244
Parameters
JSON
"Parameters" : {
"DBPort" : {
"Default" : "3306",
"Description" : "TCP/IP port for the database",
"Type" : "Number",
"MinValue" : "1150",
"MaxValue" : "65535"
},
"DBPwd" : {
"NoEcho" : "true",
"Description" : "The database admin account password",
"Type" : "String",
"MinLength" : "1",
"MaxLength" : "41",
"AllowedPattern" : "^[a-zA-Z0-9]*$"
}
}
YAML
Parameters:
DBPort:
Default: 3306
Description: TCP/IP port for the database
Type: Number
MinValue: 1150
MaxValue: 65535
DBPwd:
NoEcho: true
Description: The database admin account password
Type: String
MinLength: 1
MaxLength: 41
AllowedPattern: ^[a-zA-Z0-9]*$

When you use AWS-specific parameter types, a user who uses your template to create or update a
stack must specify existing AWS values that are in the user's account and in the region for the current
stack. AWS-specific parameter types help ensure that input values for these types exist and are
correct before AWS CloudFormation creates or updates any resources. For example, if you use the
AWS::EC2::KeyPair::KeyName parameter type, AWS CloudFormation validates the input value
against users' existing key pair names before it creates any resources, such as Amazon EC2 instances.
If a user uses the AWS Management Console, AWS CloudFormation prepopulates AWS-specific parameter
types with valid values (p. 102). That way the user doesn't have to remember and correctly enter a
specific name or ID. She just selects one or more values from a drop-down list. Also, depending on the
parameter type, users can search for values by ID, name, or Name tag value. For more information, see
Specifying Stack Name and Parameters (p. 102).
The following example declares two parameters with the types AWS::EC2::KeyPair::KeyName and
AWS::EC2::Subnet::Id. These types limit valid values to existing key pair names and subnet IDs.
Because the mySubnetIDs parameter is specified as a list, a user can specify one or more subnet IDs.
JSON
"Parameters" : {
"myKeyPair" : {
"Description" : "Amazon EC2 Key Pair",

245
Parameters
"Type" : "AWS::EC2::KeyPair::KeyName"
},
"mySubnetIDs" : {
"Description" : "Subnet IDs",
"Type" : "List<AWS::EC2::Subnet::Id>"
}
}
YAML
Parameters:
myKeyPair:
Description: Amazon EC2 Key Pair
Type: "AWS::EC2::KeyPair::KeyName"
mySubnetIDs:
Description: Subnet IDs
Type: "List<AWS::EC2::Subnet::Id>"
AWS CLI and API Support

Currently, users can't use the AWS CLI or AWS CloudFormation API to view a list of valid values for AWS-
specific parameters. However, they can view information about each parameter, such as the parameter
type, by using the aws cloudformation get-template-summary command or GetTemplateSummary API.
Comma-delimited List Parameter Type

You can use the CommaDelimitedList parameter type to specify multiple string values in a single
parameter. That way, you can use a single parameter instead of many different parameters to specify
multiple values. For example, if you create three different subnets with their own CIDR blocks, you could
use three different parameters to specify three different CIDR blocks. But it's simpler just to use a single
parameter that takes a list of three CIDR blocks, as shown in the following snippet:
JSON
"Parameters" : {
"DbSubnetIpBlocks": {
"Description": "Comma-delimited list of three CIDR blocks",
"Type": "CommaDelimitedList",
"Default": "10.0.48.0/24, 10.0.112.0/24, 10.0.176.0/24"
}
}
YAML
Parameters:
DbSubnetIpBlocks:
Description: "Comma-delimited list of three CIDR blocks"
Type: CommaDelimitedList
Default: "10.0.48.0/24, 10.0.112.0/24, 10.0.176.0/24"
Return a Value from a Comma-delimited List Parameter

To refer to a specific value in a list, use the Fn::Select intrinsic function in the Resources section of
your template. You pass the index value of the object that you want and a list of objects, as shown in the
following snippet:
JSON
"DbSubnet1" : {

246
Parameters
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"AvailabilityZone" : {"Fn::Join" : ["",[ { "Ref" : "AWS::Region" }, { "Fn::Select" :
[ "0", {"Ref" : "VpcAzs"} ] } ] ]} ,
"VpcId" : { "Ref" : "VPC" },
"CidrBlock" : { "Fn::Select" : [ "0", {"Ref" : "DbSubnetIpBlocks"} ] }
}
},
"DbSubnet2" : {
"Properties" : {
[ "1", {"Ref" : "VpcAzs"} ] } ] ]} ,
"VpcId" : { "Ref" : "VPC" },
}
},
"DbSubnet3" : {
"Properties" : {
[ "2", {"Ref" : "VpcAzs"} ] } ] ]} ,
"VpcId" : { "Ref" : "VPC" },
}
}
YAML
DbSubnet1:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: !Sub
- "${AWS::Region}${AZ}"
- AZ: !Select [0, !Ref VpcAzs]
VpcId: !Ref VPC
CidrBlock: !Select [0, !Ref DbSubnetIpBlocks]
DbSubnet2:
Properties:
VpcId: !Ref VPC
DbSubnet3:
Properties:
VpcId: !Ref VPC
SSM Parameter Types

AWS::SSM::Parameter::Value<String> type
The following template declares an AWS::SSM::Parameter::Value<String> parameter type.
JSON

247
Parameters
"Parameters": {
"InstanceType": {
"Type": "AWS::SSM::Parameter::Value<String>"
}
},
"Resources": {
"Instance": {
"Properties": {
"InstanceType": {
"Ref": "InstanceType"
}
}
}
}
}
YAML
Parameters:
InstanceType:
Type: 'AWS::SSM::Parameter::Value<String>'
Resources:
Instance:
Properties:
InstanceType: !Ref InstanceType
The following command creates a stack based on the example template. It provides the Systems
Manager parameter key (myInstanceType) as the value for the InstanceType template parameter.
This assumes that the myInstanceType parameter exists in Parameter Store under the caller's AWS
account.
aws cloudformation create-stack --stack-name S1 --template-body example template --

parameters ParameterKey=InstanceType,ParameterValue=myInstanceType
AWS::SSM::Parameter::Value<AWS::EC2::Image::Id> type
The following template declares an AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>

parameter type.
JSON
{
"Parameters": {
"ImageId": {
"Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
}
},
"Resources": {
"Instance": {
"Properties": {
"ImageId": {
"Ref": "ImageId"
}
}
}
}

248
Parameters
YAML
Parameters:
ImageId:
Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
Resources:
Instance:
Properties:
ImageId: !Ref ImageId
The following command creates a stack based on the example template. It provides the Systems
Manager parameter key (myLatestAMI) as the value for the ImageId template parameter. This assumes
that the myLatestAMI parameter exists in Parameter Store under the caller's AWS account.
aws cloudformation create-stack --stack-name S2 --template-body example template --

parameters ParameterKey=ImageId,ParameterValue=myLatestAMI
Using Dynamic References to Specify Template Values

Dynamic references provide a compact, powerful way for you to specify external values that are stored
and managed in other services, such as the Systems Manager Parameter Store, in your stack templates.
When you use a dynamic reference, CloudFormation retrieves the value of the specified reference when
necessary during stack and change set operations.
CloudFormation currently supports the following dynamic reference patterns:
• ssm (p. 250), for plaintext values stored in AWS Systems Manager Parameter Store
• ssm-secure (p. 251), for secure strings stored in AWS Systems Manager Parameter Store
• secretsmanager (p. 253), for entire secrets or specific secret values that are stored in AWS Secrets
Manager
Some considerations when using dynamic references:
• You can include up to 60 dynamic references in a stack template.

• For transforms, such as AWS::Include and AWS::Serverless, AWS CloudFormation does not resolve
dynamic references prior to invoking any transforms. Rather, AWS CloudFormation passes the literal
string of the dynamic reference to the transform. Dynamic references (including those inserted into
the processed template as the result of a transform) are resolved when you execute the change set
using the template.
• Dynamic references for secure values, such as ssm-secure and secretsmanager, are not currently
supported in custom resources (p. 511).
Note
Do not create a dynamic reference that has a backslash (\) as the final value. AWS
CloudFormation cannot resolve those references, which results in a resource failure.
Specifying Dynamic References in Stack Templates

Dynamic references adhere to the following pattern:
'{{resolve:service-name:reference-key}}'

249
Parameters
service-name
Specifies the service in which the value is stored and managed.
Required.
Currently, valid values include:

• ssm: Systems Manager Parameter Store plaintext parameter.
• ssm-secure: Systems Manager Parameter Store secure string parameter.
Note
Currently, SecureString parameters are not supported by Systems Manager in the cn-
north-1 and cn-northwest-1 regions.
For more information, see AWS Systems Manager Parameter Store in the AWS Systems Manager
User Guide.
• secretsmanager: AWS Secrets Manager secret.
reference-key
The reference key. Depending on the type of dynamic reference, the reference key may be comprised
of multiple segments.
Required.
SSM Parameters
Use the ssm dynamic reference to include values stored in the Systems Manager Parameter Store of type
String or StringList in your templates.
Reference Pattern
For SSM Parameters, the reference-key segment is composed of the parameter name and version
number. Use the following pattern:
'{{resolve:ssm:parameter-name:version}}'
Your reference must adhere to the following regular expression pattern for parameter-name and version:
'{{resolve:ssm:[a-zA-Z0-9_.-/]+:\\d+}}'
parameter-name
The name of the parameter in the Systems Manager Parameter Store. The parameter name is case-
sensitive.
Required.
version
An integer that specifies the version of the parameter to use. You must specify the exact version. You
cannot currently specify that AWS CloudFormation use the latest version of a parameter. For more
information, see Working with Parameter Versions in the AWS Systems Manager User Guide
Required.
Example
The following example uses an ssm dynamic reference to set the access control for an S3 bucket to a
parameter value stored in Systems Manager Parameter Store. As specified, CloudFormation will use
version 2 of the S3AccessControl parameter for stack and change set operations.

250
Parameters
JSON
"MyS3Bucket": {
"Properties": {
"AccessControl": "{{resolve:ssm:S3AccessControl:2}}"
}
}
YAML
MyS3Bucket:
Properties:
AccessControl: '{{resolve:ssm:S3AccessControl:2}}'
To specify a parameter stored in the Systems Manager Parameter Store, you must have access to call
GetParameters for the specified parameter. For more information, see Controlling Access to Systems
Manager Parameters in the AWS Systems Manager User Guide.
Additional considerations to note when using the ssm dynamic reference pattern:
• Currently, CloudFormation does not support cross-account SSM parameter access.

• For custom resources, CloudFormation resolves ssm dynamic references prior to sending the request to
the custom resource. For more information, see Custom Resources (p. 511).
• CloudFormation does not support using parameter labels or public parameters in dynamic references.
A parameter label is a user-defined alias to help you manage different versions of a parameter. For
more information, see Labeling Parameters in the AWS Systems Manager User Guide.
A public parameter is a parameter provided by an AWS service for use with that service, and stored
in AWS Systems Manager Parameter Store. For an example of public parameters, see Retrieving the
Amazon ECS-optimized AMI Metadata in the Amazon Elastic Container Service Developer Guide.
SSM Secure String Parameters

Use the ssm-secure dynamic reference pattern to specify AWS Systems Manager SecureString type
parameters in your templates. For ssm-secure dynamic references, AWS CloudFormation never stores
the actual parameter value. AWS CloudFormation accesses the parameter value during create and update
operations for stacks and change sets. Currently, secure string parameters can only be used for resource
properties that support (p. 253) the ssm-secure dynamic reference pattern.
A secure string parameter is any sensitive data that needs to be stored and referenced in a secure manner.
That is, data that you don't want users to alter or reference in clear text, such as passwords or license
keys. For more information on secure strings, see Use Secure String Parameters in the AWS Systems
Manager User Guide.
Secure string parameters values are not stored in CloudFormation, nor are they returned in any API call
results.
Reference Pattern
For ssm-secure dynamic references, the reference-key segment is composed of the parameter
name and version number. Use the following pattern:
'{{resolve:ssm-secure:parameter-name:version}}'
Your reference must adhere to the following regular expression pattern for parameter-name and version:

251
Parameters
'{{resolve:ssm-secure:[a-zA-Z0-9_.-/]+:\\d+}}'
parameter-name
The name of the parameter in the Systems Manager Parameter Store. The parameter name is case-
sensitive.
Required.
version
An integer that specifies the version of the parameter to use. You must specify the exact version. You
cannot currently specify that AWS CloudFormation use the latest version of a parameter. For more
information, see Working with Parameter Versions in the AWS Systems Manager User Guide
Required.
Example
The following example uses an ssm-secure dynamic reference to set the password for an IAM user to a
secure string stored in Systems Manager Parameter Store. As specified, CloudFormation will use version
10 of the IAMUserPassword parameter for stack and change set operations.
JSON
"MyIAMUser": {
"Type": "AWS::IAM::User",
"Properties": {
"UserName": "MyUserName",
"LoginProfile": {
"Password": "{{resolve:ssm-secure:IAMUserPassword:10}}"
}
}
}
YAML
MyIAMUser:
Type: AWS::IAM::User
Properties:
UserName: 'MyUserName'
LoginProfile:
Password: '{{resolve:ssm-secure:IAMUserPassword:10}}'
Additional considerations to note when using the ssm-secure dynamic reference pattern:
• CloudFormation does not return the actual parameter value for secure strings in any API calls, but
rather returns the literal dynamic reference.
• CloudFormation does store the literal dynamic reference, which contains the plaintext parameter name
of the secure string.
• For change sets, CloudFormation compares the literal dynamic reference string. It does not resolve and
compare the actual values of ssm-secure references.
• Dynamic references for secure values, such as ssm-secure and secretsmanager, are not currently
supported in custom resources (p. 511).
• In cases where CloudFormation must rollback a stack update, that update rollback operation will fail
if the previously-specified version of a secure string parameter is no longer available. in such cases, do
one of the following:
• Use CONTINUE_UPDATE_ROLLBACK to skip the resource.

252
Parameters
• Recreate the secure string parameter in the Systems Manager Parameter Store, and
update it until the parameter version reaches the version used in the template. Then use
CONTINUE_UPDATE_ROLLBACK without skipping the resource.
• Currently, AWS CloudFormation does not support cross-account SSM parameter access.
• CloudFormation does not support using parameter labels or public parameters in dynamic references.
A parameter label is a user-defined alias to help you manage different versions of a parameter. For
more information, see Labeling Parameters in the AWS Systems Manager User Guide.
A public parameter is a parameter provided by an AWS service for use with that service, and stored
in AWS Systems Manager Parameter Store. For an example of public parameters, see Retrieving the
Amazon ECS-optimized AMI Metadata in the Amazon Elastic Container Service Developer Guide.
Resources that Support Dynamic Parameter Patterns for Secure Strings
Resources that support the ssm-secure dynamic reference pattern currently include:
Resource Property Type Properties
AWS::DirectoryService::MicrosoftAD Password
AWS::DirectoryService::SimpleAD Password
AWS::ElastiCache::ReplicationGroup AuthToken
AWS::IAM::User LoginProfile Password
AWS::KinesisFirehose::DeliveryStream
RedshiftDestinationConfiguration Password
AWS::OpsWorks::App Source Password
AWS::OpsWorks::Stack CustomCookbooksSource Password
AWS::OpsWorks::Stack RdsDbInstances DbPassword
AWS::RDS::DBCluster MasterUserPassword
AWS::RDS::DBInstance MasterUserPassword
AWS::Redshift::Cluster MasterUserPassword
Secrets Manager Secrets

Use the secretsmanager dynamic reference to retrieve entire secrets or secret values that are stored
in AWS Secrets Manager for use in your templates. Secrets can be database credentials, passwords,
third-party API keys, and even arbitrary text. Using Secrets Manager, you can store and control access
to these secrets centrally. Secrets Manager enables you to replace hardcoded credentials in your code
(including passwords), with an API call to Secrets Manager to retrieve the secret programmatically. For
more information, see see What Is AWS Secrets Manager? in the AWS Secrets Manager User Guide.
To specify a secret stored in Secrets Manager, you must have access to call GetSecretValue for the
specified secret.
Important
The secretsmanager dynamic reference can be used in all resource properties. Using
the secretsmanager dynamic reference guarantees that neither Secrets Manager nor
CloudFormation logs or persists any resolved secret value. However, the secret value may show

253
Parameters
up in the service whose resource it is being used in. You should review your usage to avoid
leaking secret data.
Dynamic references for secure values, such as secretsmanager, are not currently supported in custom
resources (p. 511).
Reference Pattern
For Secrets Manager secrets, the reference-key segment is composed of several segments, including
the secret id, secret value key, version stage, and version id. Use the following pattern:
{{resolve:secretsmanager:secret-id:secret-string:json-key:version-
stage:version-id}}
secret-id
The name or Amazon Resource Name (ARN) that serves as a unique identifier for the secret.
To access a secret in your AWS account, you need only specify the secret name. To access a secret in a
different AWS account, specify the complete ARN of the secret.
Required.
secret-string
Currently, the only supported value is SecretString. The default is SecretString.

json-key
Specifies the key name of the key-value pair whose value you want to retrieve. If you do not specify
a json-key, CloudFormation retrieves the entire secret text.
This segment may not include the colon character ( : ).

version-stage
Specifies the secret version that you want to retrieve by the staging label attached to the version.
Staging labels are used to keep track of different versions during the rotation process. If you use
version-stage then don't specify version-id. If you don't specify either a version stage or a
version ID, then the default is to retrieve the version with the version stage value of AWSCURRENT.

version-id
Specifies the unique identifier of the version of the secret that you want to use in stack operations.
If you specify version-id, then don't specify version-stage. If you don't specify either a version
stage or a version ID, then the default is to retrieve the version with the version stage value of
AWSCURRENT.
Examples
The following example uses the secret-name and json-key segments to retrieve the username and
password values stored in the MyRDSSecret secret. By default, the secret version retrieved is the version
with the version stage value of AWSCURRENT.
JSON
{
"MyRDSInstance": {
"Type": "AWS::RDS::DBInstance",
"Properties": {

254
Parameters
"DBName": "MyRDSInstance",
"AllocatedStorage": "20",
"DBInstanceClass": "db.t2.micro",
"Engine": "mysql",
"MasterUsername":
"{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}",
"MasterUserPassword":
"{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}"
}
}
}
YAML
MyRDSInstance:
Type: 'AWS::RDS::DBInstance'
Properties:
DBName: MyRDSInstance
AllocatedStorage: '20'
DBInstanceClass: db.t2.micro
Engine: mysql
MasterUsername: '{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}'
MasterUserPassword: '{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}'
Specifying the following segments would retrieve the entire SecretString field for the version of the
MySecret secret with the version stage value of AWSCURRENT.
'{{resolve:secretsmanager:MySecret}}' or '{{resolve:secretsmanager:MySecret::::}}'
Specifying the following segments would retrieve the password value for the version of the MySecret
SecretString with the version stage value of AWSCURRENT.
'{{resolve:secretsmanager:MySecret:SecretString:password}}'
secret with the version ID of EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE.
'{{resolve:secretsmanager:MySecret:SecretString:password:SecretString:EXAMPLE1-90ab-cdef-
fedc-ba987EXAMPLE}}'
Specifying the following segments would retrieve the entire SecretString for the version of the MySecret
secret with the version stage value of AWSCURRENT from another AWS account. Note that you must
specify the complete secret ARN to access secrets in another AWS account.
'{{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-
asd123}}'
secret with the version stage value of AWSCURRENT from another AWS account. Note that you must
specify the complete secret ARN to access secrets in another AWS account.
'{{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-
asd123:SecretString:password}}'
Specifying the following segments would retrieve the the password value for the version of the
MySecret secret with the version stage value of AWSPENDING from another AWS account. Note that you
must specify the complete secret ARN to access secrets in another AWS account.

255
Mappings
'{{resolve:secretsmanager:arn:aws:secretsmanager:us-
west-2:123456789012:secret:MySecretName-asd123:SecretString:password:AWSPENDING}}'
Mappings
The optional Mappings section matches a key to a corresponding set of named values. For example,
if you want to set values based on a region, you can create a mapping that uses the region name as a
key and contains the values you want to specify for each specific region. You use the Fn::FindInMap
intrinsic function to retrieve values in a map.
You cannot include parameters, pseudo parameters, or intrinsic functions in the Mappings section.
Syntax
The Mappings section consists of the key name Mappings. The keys in mappings must be literal strings.
The values can be String or List types. The following example shows a Mappings section containing a
single mapping named Mapping01 (the logical name).
Within a mapping, each map is a key followed by another mapping. The key identifies a map of name-
value pairs and must be unique within the mapping. The name can contain only alphanumeric characters
(A-Za-z0-9).
JSON
"Mappings" : {
"Mapping01" : {
"Key01" : {
"Name" : "Value01"
},
"Key02" : {
"Name" : "Value02"
},
"Key03" : {
"Name" : "Value03"
}
}
}
YAML
Mappings:
Mapping01:
Key01:
Name: Value01
Key02:
Name: Value02
Key03:
Name: Value03
Examples
Basic Mapping
The following example shows a Mappings section with a map RegionMap, which contains five keys that
map to name-value pairs containing single string values. The keys are region names. Each name-value
pair is the AMI ID for the HVM64 AMI in the region represented by the key.

256
Mappings
The name-value pairs have a name (HVM64 in the example) and a value. By naming the values, you can
map more than one set of values to a key.
JSON
"Mappings" : {
"RegionMap" : {
"us-east-1" : { "HVM64" : "ami-0ff8a91507f77f867"},
"us-west-1" : { "HVM64" : "ami-0bdb828fd58c52235"},
"eu-west-1" : { "HVM64" : "ami-047bb4163c506cd98"},
"ap-southeast-1" : { "HVM64" : "ami-08569b978cc4dfa10"},
"ap-northeast-1" : { "HVM64" : "ami-06cd52961ce9f0d85"}
}
}
YAML
Mappings:
RegionMap:
us-east-1:
"HVM64": "ami-0ff8a91507f77f867"
us-west-1:
"HVM64": "ami-0bdb828fd58c52235"
eu-west-1:
"HVM64": "ami-047bb4163c506cd98"
ap-southeast-1:
"HVM64": "ami-08569b978cc4dfa10"
ap-northeast-1:
"HVM64": "ami-06cd52961ce9f0d85"
Mapping with Multiple Values

The following example has region keys that are mapped to two sets of values: one named HVM64 and
the other HVMG2.
JSON
"RegionMap" : {
"ami-0a584ac55a7631c0c"},
"ami-0a7c483d527806435"},
"ami-053cdd503598e4a9d"},
"ami-0be9df32ae9f92309"}
}
YAML
RegionMap:
us-east-1:
HVM64: ami-0ff8a91507f77f867
HVMG2: ami-0a584ac55a7631c0c
us-west-1:
HVM64: ami-0bdb828fd58c52235
HVMG2: ami-066ee5fd4a9ef77f1
eu-west-1:
HVM64: ami-047bb4163c506cd98

257
Mappings
HVMG2: ami-0a7c483d527806435
ap-northeast-1:
HVM64: ami-06cd52961ce9f0d85
HVMG2: ami-053cdd503598e4a9d
ap-southeast-1:
HVM64: ami-08569b978cc4dfa10
HVMG2: ami-0be9df32ae9f92309
Return a Value from a Mapping

You can use the Fn::FindInMap (p. 3804) function to return a named value based on a specified key.
The following example template contains an Amazon EC2 resource whose ImageId property is assigned
by the FindInMap function. The FindInMap function specifies key as the region where the stack is
created (using the AWS::Region pseudo parameter (p. 3826)) and HVM64 as the name of the value to
map to.
JSON
{
"Mappings" : {
"RegionMap" : {
"ami-0a584ac55a7631c0c"},
"ami-0a7c483d527806435"},
"ami-053cdd503598e4a9d"},
"ami-0be9df32ae9f92309"}
}
},
"Resources" : {
"myEC2Instance" : {
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" },
"HVM64"]},
"InstanceType" : "m1.small"
}
}
}
}
YAML
Mappings:
RegionMap:
us-east-1:
HVM64: ami-0ff8a91507f77f867
us-west-1:
eu-west-1:
HVM64: ami-047bb4163c506cd98
HVMG2: ami-0a7c483d527806435
ap-northeast-1:

258
Mappings
ap-southeast-1:
Resources:
myEC2Instance:
Properties:
ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", HVM64]
InstanceType: m1.small
Input Parameter and FindInMap

You can use an input parameter with the Fn::FindInMap function to refer to a specific value in a map.
For example, suppose you have a list of regions and environment types that map to a specific AMI ID.
You can select the AMI ID that your stack uses by using an input parameter (EnvironmentType). To
determine the region, use the AWS::Region pseudo parameter, which gets the AWS region in which you
create the stack.
JSON
{
"Parameters" : {
"EnvironmentType": {
"Description": "The environment type",
"Type": "String",
"Default": "test",
"AllowedValues": ["prod", "test"],
"ConstraintDescription": "must be a prod or test"
}
},
"Mappings" : {
"RegionAndInstanceTypeToAMIID" : {
"us-east-1": {
"test": "ami-8ff710e2",
"prod": "ami-f5f41398"
},
"us-west-2" : {
"test" : "ami-eff1028f",
"prod" : "ami-d0f506b0"
},
...other regions and AMI IDs...
}
},
"Resources" : {
...other resources...
},
"Outputs" : {
"TestOutput" : {
"Description" : "Return the name of the AMI ID that matches the region and
environment type keys",
"Value" : { "Fn::FindInMap" : [ "RegionAndInstanceTypeToAMIID", { "Ref" :
"AWS::Region" }, { "Ref" : "EnvironmentType" } ]}
}
}

259
Conditions
YAML
Parameters:
EnvironmentType:
Description: The environment type
Type: String
Default: test
AllowedValues:
- prod
- test
ConstraintDescription: must be a prod or test
Mappings:
RegionAndInstanceTypeToAMIID:
us-east-1:
test: "ami-8ff710e2"
prod: "ami-f5f41398"
us-west-2:
test: "ami-eff1028f"
prod: "ami-d0f506b0"
...other regions and AMI IDs...
Resources:
...other resources...
Outputs:
TestOutput:
Description: Return the name of the AMI ID that matches the region and environment
type keys
Value: !FindInMap [RegionAndInstanceTypeToAMIID, !Ref "AWS::Region", !Ref
EnvironmentType]
Conditions
The optional Conditions section contains statements that define the circumstances under which
entities are created or configured. For example, you can create a condition and then associate it with a
resource or output so that AWS CloudFormation only creates the resource or output if the condition is
true. Similarly, you can associate the condition with a property so that AWS CloudFormation only sets the
property to a specific value if the condition is true. If the condition is false, AWS CloudFormation sets the
property to a different value that you specify.
You might use conditions when you want to reuse a template that can create resources in different
contexts, such as a test environment versus a production environment. In your template, you can add an
EnvironmentType input parameter, which accepts either prod or test as inputs. For the production
environment, you might include Amazon EC2 instances with certain capabilities; however, for the test
environment, you want to use reduced capabilities to save money. With conditions, you can define which
resources are created and how they're configured for each environment type.
Conditions are evaluated based on predefined pseudo parameters or input parameter values that you
specify when you create or update a stack. Within each condition, you can reference another condition,
a parameter value, or a mapping. After you define all your conditions, you can associate them with
resources and resource properties in the Resources and Outputs sections of a template.
At stack creation or stack update, AWS CloudFormation evaluates all the conditions in your template
before creating any resources. Resources that are associated with a true condition are created. Resources
that are associated with a false condition are ignored. AWS CloudFormation also re-evaluates these
conditions at each stack update before updating any resources. Resources that are still associated with a
true condition are updated. Resources that are now associated with a false condition are deleted.

260
Conditions
Important
During a stack update, you cannot update conditions by themselves. You can update conditions
only when you include changes that add, modify, or delete resources.
How to Use Conditions Overview

Depending on the entity you want to conditionally create or configure, you must include statements in
the following template sections:
Parameters section
Define the inputs that you want your conditions to evaluate. The conditions evaluate to true or
false based on the values of these input parameters. If you want your conditions to evaluate pseudo
parameters, you don't need to define the pseudo parameters in this section; pseudo parameters are
predefined by AWS CloudFormation.
Conditions section
Define conditions by using the intrinsic condition functions. These conditions determine when AWS
CloudFormation creates the associated resources.
Resources and Outputs sections
Associate conditions with the resources or outputs that you want to conditionally create. AWS
CloudFormation creates entities that are associated with a true condition and ignores entities
that are associated with a false condition. Use the Condition key and a condition's logical ID to
associate it with a resource or output. To conditionally specify a property, use the Fn::If function.
For more information, see Condition Functions (p. 3788).
Syntax
The Conditions section consists of the key name Conditions. Each condition declaration includes
a logical ID and intrinsic functions that are evaluated when you create or update a stack. The following
pseudo template outlines the Conditions section:
JSON
"Conditions" : {
"Logical ID" : {Intrinsic function}

}
YAML
Conditions:
Logical ID:
Intrinsic function
Condition Intrinsic Functions

You can use the following intrinsic functions to define conditions:
• Fn::And
• Fn::Equals
• Fn::If
• Fn::Not
• Fn::Or

261
Conditions
For the syntax and information about each function, see Condition Functions (p. 3788).
Note
Fn::If is only supported in the metadata attribute, update policy attribute, and property
values in the Resources section and Outputs sections of a template.
Examples
The following sample template includes an EnvType input parameter, where you can specify prod
to create a stack for production or test to create a stack for testing. For a production environment,
AWS CloudFormation creates an Amazon EC2 instance and attaches a volume to the instance. For a test
environment, AWS CloudFormation creates only the Amazon EC2 instance.
The CreateProdResources condition evaluates to true if the EnvType parameter is equal to

prod. In the sample template, the NewVolume and MountPoint resources are associated with the
CreateProdResources condition. Therefore, the resources are created only if the EnvType parameter
is equal to prod.
JSON
{
"Mappings" : {
"RegionMap" : {
"us-east-1" : { "AMI" : "ami-0ff8a91507f77f867", "TestAz" : "us-east-1a" },
"us-west-1" : { "AMI" : "ami-0bdb828fd58c52235", "TestAz" : "us-west-1a" },
"us-west-2" : { "AMI" : "ami-a0cfeed8", "TestAz" : "us-west-2a" },
"eu-west-1" : { "AMI" : "ami-047bb4163c506cd98", "TestAz" : "eu-west-1a" },
"sa-east-1" : { "AMI" : "ami-07b14488da8ea02a0", "TestAz" : "sa-east-1a" },
"ap-southeast-1" : { "AMI" : "ami-08569b978cc4dfa10", "TestAz" : "ap-southeast-1a" },
"ap-southeast-2" : { "AMI" : "ami-09b42976632b27e9b", "TestAz" : "ap-southeast-2a" },
"ap-northeast-1" : { "AMI" : "ami-06cd52961ce9f0d85", "TestAz" : "ap-northeast-1a" }
}
},
"Parameters" : {
"EnvType" : {
"Description" : "Environment type.",
"Default" : "test",
"Type" : "String",
"AllowedValues" : ["prod", "test"],
"ConstraintDescription" : "must specify prod or test."
}
},
"Conditions" : {
"CreateProdResources" : {"Fn::Equals" : [{"Ref" : "EnvType"}, "prod"]}
},
"Resources" : {
"EC2Instance" : {
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]}
}
},
"MountPoint" : {
"Type" : "AWS::EC2::VolumeAttachment",
"Condition" : "CreateProdResources",
"Properties" : {
"InstanceId" : { "Ref" : "EC2Instance" },

262
Conditions
"VolumeId" : { "Ref" : "NewVolume" },

"Device" : "/dev/sdh"
}
},
"NewVolume" : {
"Type" : "AWS::EC2::Volume",
"Condition" : "CreateProdResources",
"Properties" : {
"Size" : "100",
"AvailabilityZone" : { "Fn::GetAtt" : [ "EC2Instance", "AvailabilityZone" ]}
}
}
},
"Outputs" : {
"VolumeId" : {
"Value" : { "Ref" : "NewVolume" },
"Condition" : "CreateProdResources"
}
}
}
YAML
Mappings:
RegionMap:
us-east-1:
AMI: "ami-0ff8a91507f77f867"
TestAz: "us-east-1a"
us-west-1:
AMI: "ami-0bdb828fd58c52235"
TestAz: "us-west-1a"
us-west-2:
AMI: "ami-a0cfeed8"
TestAz: "us-west-2a"
eu-west-1:
AMI: "ami-047bb4163c506cd98"
TestAz: "eu-west-1a"
sa-east-1:
AMI: "ami-07b14488da8ea02a0"
TestAz: "sa-east-1a"
ap-southeast-1:
AMI: "ami-08569b978cc4dfa10"
TestAz: "ap-southeast-1a"
ap-southeast-2:
AMI: "ami-09b42976632b27e9b"
TestAz: "ap-southeast-2a"
ap-northeast-1:
AMI: "ami-06cd52961ce9f0d85"
TestAz: "ap-northeast-1a"
Parameters:
EnvType:
Description: Environment type.
Default: test
Type: String
AllowedValues:
- prod
- test
ConstraintDescription: must specify prod or test.
Conditions:
CreateProdResources: !Equals [ !Ref EnvType, prod ]
Resources:

263
Transform
EC2Instance:
Properties:
ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
MountPoint:
Type: "AWS::EC2::VolumeAttachment"
Condition: CreateProdResources
Properties:
InstanceId:
!Ref EC2Instance
VolumeId:
!Ref NewVolume
Device: /dev/sdh
NewVolume:
Type: "AWS::EC2::Volume"
Properties:
Size: 100
AvailabilityZone:
!GetAtt EC2Instance.AvailabilityZone
Outputs:
VolumeId:
Value:
!Ref NewVolume
Transform
The optional Transform section specifies one or more macros that AWS CloudFormation uses to
process your template. The Transform section builds on the simple, declarative language of AWS
CloudFormation with a powerful macro system.
You can declare one or more macros within a template. AWS CloudFormation executes macros in the
order that they are specified. When you create a change set, AWS CloudFormation generates a change
set that includes the processed template content. You can then review the changes and execute the
change set. For more information, see Using AWS CloudFormation Macros to Perform Custom Processing
on Templates (p. 542).
AWS CloudFormation also supports the AWS::Serverless and AWS::Include transforms, which are
macros hosted by AWS CloudFormation. AWS CloudFormation treats these transforms the same as any
macros you create in terms of execution order and scope.
• The AWS::Serverless transform specifies the version of the AWS Serverless Application Model (AWS
SAM) to use. This model defines the AWS SAM syntax that you can use and how AWS CloudFormation
processes it. For more information about serverless applications and AWS SAM, see Deploying
Lambda-based Applications in the AWS Lambda Developer Guide.
• The AWS::Include transform works with template snippets that are stored separately from the main
AWS CloudFormation template. You can insert these snippets into your main template when Creating
a Change Set (p. 131) or Updating Stacks Using Change Sets (p. 130).
To declare multiple macros, use a list format and specify one or more macros.
For example, in the template sample below, AWS CloudFormation evaluates MyMacro and then
AWS::Serverless, both of which can process the contents of the entire template because of their
inclusion in the Transform section.
// Start of processable content for MyMacro and AWS::Serverless

AWSTemplateFormatVersion: 2010-09-09

264
Transform
Transform: [MyMacro, AWS::Serverless]

Resources:
WaitCondition:
Type: AWS::CloudFormation::WaitCondition
MyBucket:
Properties:
BucketName: MyBucket
Tags: [{"key":"value"}]
CorsConfiguration:[]
MyEc2Instance:
Properties:
ImageID: "ami-123"
// End of processable content for MyMacro and AWS::Serverless
Topics
• AWS::Serverless Transform (p. 265)
• AWS::Include Transform (p. 266)
AWS::Serverless Transform
The AWS::Serverless transform, which is a macro hosted by AWS CloudFormation, takes an entire
template written in the AWS Serverless Application Model (AWS SAM) syntax and transforms and
expands it into a compliant AWS CloudFormation template. For more information about serverless
applications and AWS SAM, see Deploying Lambda-based Applications in the AWS Lambda Developer
Guide.
Unlike custom macros, the AWS::Serverless transform doesn't require any special permissions to
use it because it is hosted by AWS CloudFormation. It can be used by templates in any account within
AWS CloudFormation. Also, there is no charge incurred when using this transform. AWS CloudFormation
treats the AWS::Serverless transform the same as any other macro in terms of evaluation order and
scope. For more information about macros, see Using AWS CloudFormation Macros to Perform Custom
Processing on Templates (p. 542).
In the following example, the template uses AWS SAM syntax to simplify the declaration of a Lambda
function and its execution role.
Transform: AWS::Serverless-2016-10-31
Resources:
MyServerlessFunctionLogicalID:
Type: AWS::Serverless::Function
Properties:
Runtime: nodejs8.10
CodeUri: 's3://testBucket/mySourceCode.zip'
When creating a change set from the template, AWS CloudFormation expands the AWS SAM syntax,
as defined by the transform. The processed template expands the AWS::Serverless::Function
resource, declaring an AWS Lambda function and an execution role.
{
"Resources": {
"MyServerlessFunctionLogicalID": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Handler": "index.handler",
"Code": {
"S3Bucket": "testBucket",

265
Transform
"S3Key": "mySourceCode.zip"
},
"Role": {
"Fn::GetAtt": ["FunctionNameRole", "Arn"]
},
"Runtime": "nodejs8.10"
}
},
"FunctionNameRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/
AWSLambdaBasicExecutionRole"],
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Principal": {
"Service": ["lambda.amazonaws.com"]
}
}]
}
}
}
}
}
Syntax
The value for the transform declaration must be a literal string. You cannot use a parameter or function
to specify a transform value. The following snippet is an example of a transform declaration:
JSON
"Transform" : "AWS::Serverless-2016-10-31"
YAML
Transform: "AWS::Serverless-2016-10-31"
AWS::Include Transform
Use the AWS::Include transform, which is a macro hosted by AWS CloudFormation, to insert
boilerplate content into your templates. The AWS::Include transform lets you create a reference to
a template snippet in an Amazon S3 bucket. When Creating a Change Set (p. 131) or Updating Stacks
Using Change Sets (p. 130), and the templates reference AWS::Include, AWS CloudFormation inserts
the contents of the specified file at the location of the transform in the template. The AWS::Include
function behaves similarly to an include, copy, or import directive in programming languages.
For example, you might have a Lambda function that you want to reuse in one or more AWS
CloudFormation templates.
Unlike custom macros, the AWS::Include transform doesn't require special permissions to use it
because it is hosted by AWS CloudFormation. It can be used by templates in any account within AWS
CloudFormation. Also, there is no charge incurred when using this transform. AWS CloudFormation treats
the AWS::Include transform the same as any other macro in terms of evaluation order and scope. For
more information about macros, see Using AWS CloudFormation Macros to Perform Custom Processing
on Templates (p. 542).

266
Transform
Usage
You can use the AWS::Include transform anywhere within the AWS CloudFormation template except in
the template parameters section or the template version field. For example, you can use AWS::Include
in the mappings section.
Syntax at the Top Level of a Template
To include the AWS::Include transform at the top level of a template, in the Transform section, use
the following syntax.
JSON
{
"Transform" : {
"Name" : "AWS::Include",
"Parameters" : {
"Location" : "s3://MyAmazonS3BucketName/MyFileName.json"
}
}
}
YAML
Transform:
Name: 'AWS::Include'
Parameters:
Location: 's3://MyAmazonS3BucketName/MyFileName.yaml'
Syntax When the Transform Is Embedded Within a Section of a Template
To include a transform that is embedded within a section, use the Fn::Transform (p. 3823) intrinsic
function and the following syntax.
JSON
{
"Fn::Transform" : {
"Name" : "AWS::Include",
"Parameters" : {
"Location" : "s3://MyAmazonS3BucketName/MyFileName.json"
}
}
}
YAML
'Fn::Transform':
Parameters:
Location: s3://MyAmazonS3BucketName/MyFileName.yaml
Parameters
Location
The location is an Amazon S3 URI, with a specific file name in an S3 bucket. For example, s3://
MyBucketName/MyFile.yaml.

267
Transform
Remarks
When using AWS::Include, keep the following considerations in mind. For general considerations
about using macros, see Considerations When Creating AWS CloudFormation Macro Definitions (p. 546)
• We currently support Amazon S3 URI, but no other Amazon S3 format (such as Amazon S3 ARN). It
must be an Amazon S3 bucket, as opposed to something like a GitHub repository.
• Anyone with access to the Amazon S3 URL can include the snippet in their template.
• Your template snippets must be valid YAML or JSON.
• Your template snippets must be valid key–value objects, for example "KeyName": "keyValue".
• You can't use AWS::Include to reference a template snippet that also uses AWS::Include.
• If your snippets change, your stack doesn't automatically pick up those changes. To get those changes,
you must update the stack with the updated snippets. If you update your stack, make sure your
included snippets haven't changed without your knowledge. To verify before updating the stack, check
the change set.
• When creating templates and snippets, you can mix YAML and JSON template languages.
• We do not currently support using shorthand notations for YAML snippets.
• You can provide a cross-region replication Amazon S3 URI with AWS::Include. Make sure you check
Amazon S3 bucket names when accessing cross-region replication objects. For more information, see
Cross-Region Replication.
Example
The following example shows how to use the AWS::Include transform to execute a wait condition
handle.
Both the JSON and the YAML versions use the following wait condition snippet. Save the file
as single_wait_condition.yaml, and store it in an S3 bucket with the same name as
MyAmazonS3BucketName.
WebServerWaitHandle:
Type: 'AWS::CloudFormation::WaitConditionHandle'
JSON
{
"Resources": {
"MyWaitHandle": {
"Type": "AWS::CloudFormation::WaitConditionHandle"
},
"Fn::Transform": {
"Name": "AWS::Include",
"Parameters": {
"Location": "s3://MyAmazonS3BucketName/single_wait_condition.yaml"
}
}
}
}
YAML
Resources:
MyWaitHandle:
Type: 'AWS::CloudFormation::WaitConditionHandle'
'Fn::Transform':

268
Resources
Parameters:
Location : "s3://MyAmazonS3BucketName/single_wait_condition.yaml"
Resources
The required Resources section declares the AWS resources that you want to include in the stack, such
as an Amazon EC2 instance or an Amazon S3 bucket.
Syntax
The Resources section consists of the key name Resources. The following pseudo template outlines
the Resources section:
JSON
"Resources" : {
"Logical ID" : {
"Type" : "Resource type",
"Properties" : {
Set of properties
}
}
}
YAML
Resources:
Logical ID:
Type: Resource type
Properties:
Set of properties
Resource Fields
Logical ID
The logical ID must be alphanumeric (A-Za-z0-9) and unique within the template. Use the logical
name to reference the resource in other parts of the template. For example, if you want to map
an Amazon Elastic Block Store volume to an Amazon EC2 instance, you reference the logical IDs to
associate the block stores with the instance.
In addition to the logical ID, certain resources also have a physical ID, which is the actual assigned
name for that resource, such as an EC2 instance ID or an S3 bucket name. Use the physical IDs to
identify resources outside of AWS CloudFormation templates, but only after the resources have been
created. For example, suppose you give an EC2 instance resource a logical ID of MyEC2Instance.
When AWS CloudFormation creates the instance, AWS CloudFormation automatically generates
and assigns a physical ID (such as i-28f9ba55) to the instance. You can use this physical ID to
identify the instance and view its properties (such as the DNS name) by using the Amazon EC2
console. For resources that support custom names, you can assign your own names (physical IDs)
to help you quickly identify resources. For example, you can name an S3 bucket that stores logs as
MyPerformanceLogs. For more information, see Name Type (p. 3746).
Resource type
The resource type identifies the type of resource that you are declaring. For example,
AWS::EC2::Instance declares an EC2 instance. For a list of all resource types, see AWS Resource
and Property Types Reference (p. 604).

269
Resources
Resource properties
Resource properties are additional options that you can specify for a resource. For example, for each
EC2 instance, you must specify an Amazon Machine Image (AMI) ID for that instance. You declare the
AMI ID as a property of the instance, as shown in the following example:
Example JSON
"Resources" : {
"MyEC2Instance" : {
"Properties" : {
}
}
}
Example YAML
Resources:
MyEC2Instance:
Properties:
If a resource doesn't require that properties be declared, omit the properties section of that resource.
Property values can be literal strings, lists of strings, Booleans, parameter references, pseudo
references, or the value returned by a function. The following example shows you how to declare
different property value types:
Example JSON
"Properties" : {
"String" : "one-string-value",
"Number" : 123,
"LiteralList" : [ "first-value", "second-value" ],
"Boolean" : true,
"ReferenceForOneValue" : { "Ref" : "MyLogicalResourceName" } ,
"FunctionResultWithFunctionParams" : {
"Fn::Join" : [ "%", [ "Key=", { "Ref" : "MyParameter" } ] ] }
}
Example YAML
Properties:
String: OneStringValue
String: A longer string value
Number: 123
LiteralList:
- "[first]-string-value with a special characters"
- "[second]-string-value with a special characters"
Boolean: true
ReferenceForOneValue:
Ref: MyLogicalResourceName
ReferenceForOneValueShortCut: !Ref MyLogicalResourceName
FunctionResultWithFunctionParams: !Sub |
Key=%${MyParameter}

270
Outputs
You can conditionally create a resource by associating a condition with it. You must define the condition
in the Conditions (p. 260) section of the template.
Examples
The following example shows a resource declaration. It defines two resources. The MyInstance resource
includes the MyQueue resource as part of its UserData property:
JSON
"Resources" : {
"MyInstance" : {
"Properties" : {
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [ "", [ "Queue=", { "Ref" : "MyQueue" } ] ]
} },
"AvailabilityZone" : "us-east-1a",
}
},
"MyQueue" : {
"Type" : "AWS::SQS::Queue",
"Properties" : {
}
}
}
YAML
Resources:
MyInstance:
Properties:
UserData:
"Fn::Base64":
!Sub |
Queue=${MyQueue}
AvailabilityZone: "us-east-1a"
MyQueue:
Type: "AWS::SQS::Queue"
Properties: {}
Outputs
The optional Outputs section declares output values that you can import into other stacks (p. 3811) (to
create cross-stack references (p. 321)), return in response (to describe stack calls), or view on the AWS
CloudFormation console (p. 106). For example, you can output the S3 bucket name for a stack to make
the bucket easier to find.
Syntax
The Outputs section consists of the key name Outputs, followed by a space and a single colon. You can
declare a maximum of 60 outputs in a template.
The following example demonstrates the structure of the Outputs section.

271
Outputs
JSON
Use braces to enclose all output declarations. Delimit multiple outputs with commas.
"Outputs" : {
"Logical ID" : {
"Description" : "Information about the value",
"Value" : "Value to return",
"Export" : {
"Name" : "Value to export"
}
}
}
YAML
Outputs:
Logical ID:
Description: Information about the value
Value: Value to return
Export:
Name: Value to export
Output Fields
The Outputs section can include the following fields.
Logical ID
An identifier for the current output. The logical ID must be alphanumeric (a-z, A-Z, 0-9) and unique
within the template.
Description (optional)
A String type that describes the output value. The value for the description declaration must be a
literal string that is between 0 and 1024 bytes in length. You cannot use a parameter or function to
specify the description. The description can be a maximum of 4 K in length.
Value (required)
The value of the property returned by the aws cloudformation describe-stacks command.
The value of an output can include literals, parameter references, pseudo-parameters, a mapping
value, or intrinsic functions.
Export (optional)
The name of the resource output to be exported for a cross-stack reference (p. 321).
Note
The following restrictions apply to cross-stack references:
• For each AWS account, Export names must be unique within a region.
• You can't create cross-stack references across regions. You can use the intrinsic function
Fn::ImportValue to import only values that have been exported within the same
region.
• For outputs, the value of the Name property of an Export can't use Ref or GetAtt
functions that depend on a resource.
Similarly, the ImportValue function can't include Ref or GetAtt functions that depend
on a resource.
• You can't delete a stack if another stack references one of its outputs.
• You can't modify or remove an output value that is referenced by another stack.

272
Outputs
You can use intrinsic functions to customize the Name value of an export. The following examples
use the Fn::Join function.
JSON
"Export" : {
"Name" : {
"Fn::Join" : [ ":", [ { "Ref" : "AWS::StackName" }, "AccountVPC" ] ]
}
}
YAML
Export:
Name: !Join [ ":", [ !Ref "AWS::StackName", AccountVPC ] ]
To associate a condition with an output, define the condition in the Conditions (p. 260) section of
the template.
Examples
The following examples illustrate how stack output works.
Stack Output
In the following example, the output named BackupLoadBalancerDNSName returns the DNS name
for the resource with the logical ID BackupLoadBalancer only when the CreateProdResources
condition is true. (The second output shows how to specify multiple outputs.)
JSON
"Outputs" : {
"BackupLoadBalancerDNSName" : {
"Description": "The DNSName of the backup load balancer",
"Value" : { "Fn::GetAtt" : [ "BackupLoadBalancer", "DNSName" ]},
"Condition" : "CreateProdResources"
},
"InstanceID" : {
"Description": "The Instance ID",
"Value" : { "Ref" : "EC2Instance" }
}
}
YAML
Outputs:
BackupLoadBalancerDNSName:
Description: The DNSName of the backup load balancer
Value: !GetAtt BackupLoadBalancer.DNSName
InstanceID:
Description: The Instance ID
Value: !Ref EC2Instance
Cross-Stack Output
In the following examples, the output named StackVPC returns the ID of a VPC, and then exports the
value for cross-stack referencing with the name VPCID appended to the stack's name.

273
What Is AWS CloudFormation Designer?
JSON
"Outputs" : {
"StackVPC" : {
"Description" : "The ID of the VPC",
"Value" : { "Ref" : "MyVPC" },
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-VPCID" }
}
}
}
YAML
Outputs:
StackVPC:
Description: The ID of the VPC
Value: !Ref MyVPC
Export:
Name: !Sub "${AWS::StackName}-VPCID"
What Is AWS CloudFormation Designer?

AWS CloudFormation Designer (Designer) is a graphic tool for creating, viewing, and modifying AWS
CloudFormation templates. With Designer, you can diagram your template resources using a drag-and-
drop interface, and then edit their details using the integrated JSON and YAML editor. Whether you are
a new or an experienced AWS CloudFormation user, AWS CloudFormation Designer can help you quickly
see the interrelationship between a template's resources and easily modify templates.
Designer is part of the AWS CloudFormation console. To use it, open Designer at https://
console.aws.amazon.com/cloudformation/designer and sign in with your AWS credentials.
Topics
• Why Use AWS CloudFormation Designer? (p. 274)
• AWS CloudFormation Designer Interface Overview (p. 276)
• How to Get Started With Designer (p. 285)
Why Use AWS CloudFormation Designer?

AWS CloudFormation Designer (Designer) provides the following benefits: it allows you to see graphic
representations of the resources in your template, it simplifies template authoring, and it simplifies
template editing.
Visualize Template Resources

Parsing JSON- or YAML-formatted text files to see the resources that are in your template and their
relationships can be difficult. In Designer, you can see a graphic representation of the resources that are
included in a template and how they relate to each other.
Designer defines the information about your resources, such as their size and relative position, in
template metadata. When you open a template, Designer automatically adds this metadata so that the
current layout is preserved when you save your template. When you reopen a template in Designer, it
displays the diagram exactly as it appeared when you last saved the template.

274
Why Use Designer?
All layout information is defined in the AWS::CloudFormation::Designer metadata key, which is

used only by Designer and won't interfere with creating AWS CloudFormation stacks. The following
example of template metadata shows the layout information that Designer adds to a template as
metadata:
JSON
"Metadata": {
"AWS::CloudFormation::Designer": {
"6b56eaae-0bb6-4215-aad6-12345EXAMPLE": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 340,
"y": 430
},
"z": 2,
"parent": "21ccc9b0-29e9-4a86-9cf2-12345EXAMPLE",
"embeds": [],
"ismemberof": [
"c3eead73-6a76-4532-9268-12345EXAMPLE"
]
},
...
YAML
Metadata:
'AWS::CloudFormation::Designer':
6b56eaae-0bb6-4215-aad6-12345EXAMPLE:
size:
width: 60
height: 60
position:
x: 340
'y': 430
z: 2
parent: 21ccc9b0-29e9-4a86-9cf2-12345EXAMPLE
embeds: []
ismemberof:
- c3eead73-6a76-4532-9268-12345EXAMPLE
...
Simplify Template Authoring

When you author template resources in a text editor, you must manually edit JSON or YAML, which can
be tedious and error-prone. By using Designer, you spend less time manually coding your templates
and more time designing your AWS infrastructure. In Designer, you drag and drop new resources to add
them to your template, and you drag connections between resources to establish relationships. Designer
automatically modifies the JSON or YAML.
When you create templates, Designer enforces some basic relationships between resources to help you
create valid templates. For example, you cannot add an EC2 instance directly inside a VPC; you must add
the instance inside a subnet in the VPC.
You can also validate a template directly in Designer. It provides the same level of validation as the
ValidateTemplate API call, which checks that the JSON or YAML syntax is valid, that all referenced
parameters are declared, and that there are no circular dependencies.

275
Interface Overview
Simplify Editing with the integrated JSON and YAML editor

With the integrated editor, you can make all of your template modifications in the AWS CloudFormation
console. You don't need to use a separate text editor to modify and save your templates. The integrated
editor also provides an auto-complete feature that lists all property names for a resource, so you don't
need to look them up or memorize them. In addition, you can use the integrated editor to convert JSON
templates to YAML and vice versa.
AWS CloudFormation Designer Interface Overview

Designer has four panes. The canvas pane shows a diagram of your template resources so that you can
see them and their relationships at a glance. To add resources to your template, you drag them from
the Resources types pane onto the canvas pane. Use the Integrated JSON and YAML editor pane to
specify template details, such as resource properties or template parameters. After you've modified the
template, you can save it to a local file or to an Amazon S3 bucket. When you convert a valid template
from JSON to YAML or vice-versa, the Messages pane displays a success or failure message. When you
open or validate an invalid template, the Messages pane displays validation errors.
Note
Designer cannot show or modify running resources in your stacks; use it only for creating,
modifying, and saving templates.
The following figure illustrates the Designer panes and its main components.
Designer panes and components
1. Toolbar
The toolbar provides quick access to commands for common actions, such as opening and saving
templates, undoing or redoing changes, creating a stack, and validating your template. You can also
download the diagram as an image, get help, or refresh the diagram in the canvas pane.

276
Interface Overview
2. Resource types pane
The Resource types pane lists all of the template resources that you can add to your template,
categorized by their AWS service name. You add resources by dragging them from the Resource
types pane to the canvas. Most of the supported resources are listed in the AWS Resource and
Property Types Reference (p. 604). The Resource types pane doesn't list connecting resources, such
as the AWS::EC2::SubnetRouteTableAssociation resource. You create these resources when
you connect the relevant resources, such as when you connect a route table to a subnet. For more
information, see Canvas Pane (p. 277).
Note
Designer can display only AWS CloudFormation-supported resource types. It cannot display
other entities, such as Availability Zones (AZs) or the resources of a nested stack.
3. Canvas pane
The canvas pane displays your template resources as a diagram. You use it to add or remove
resources, create relationships between resources, and arrange their layout. The changes that you
make in the canvas automatically modify the template's JSON or YAML. For more information, see
Canvas Pane (p. 277).
4. Fit to window button
A button that resizes the canvas pane to fit your template's diagram.

5. Full screen and Split screen buttons
Buttons to select different views of Designer. You can select a full-screen view of the canvas, a full-
screen view of the Integrated JSON and YAML editor, or a split-screen view of the canvas and
editor.
6. Integrated JSON and YAML editor pane
In the integrated editor, you specify the details of your template, such as resource properties or
template parameters. When you select an item in the canvas, Designer highlights the related JSON
or YAML in the editor. After editing the JSON or YAML, you must refresh the canvas (choose )
to update the diagram. You can convert a valid template between JSON and YAML by selecting
the appropriate radio button in Choose template language. Designer can only convert valid YAML
or valid JSON templates. If the conversion succeeds, the Messages pane displays a message like:
Successfully converted the template to YAML. AWS CloudFormation Designer does not preserve
formatting when converting a template.
Important
We recommend that you do not add # YAML comments to your templates in Designer. If
your YAML template has # comments, Designer doesn't preserve those comments when
editing the YAML or converting to JSON. If you edit or modify your template in Designer
(for example, if you drag a resource on the canvas), your comments are lost.
Once you choose a template language, any new resources you drag onto the canvas will be created
in the language you have selected. To change back to another language, make sure your template is
valid and then select YAML or JSON where it says Choose template language.
For more information, see Integrated JSON and YAML Editor (p. 282).
7. Messages pane
When you convert a template from JSON to YAML or vice-versa, the Messages pane displays a
success or failure message. When you open, validate, or attempt to create a stack with an invalid
template, the Messages pane displays validation errors.
Canvas Pane
Designer displays your template resources as a diagram in the canvas pane. You can modify the
diagram's layout, add or remove resources, and add or remove connections between resources in this

277
Interface Overview
pane. For example, you can add an Auto Scaling group and a launch configuration from the Resource
types pane to the canvas pane. To connect these related resources, you simply drag a connection
between them.
How Does Designer Model Resources?

When you drag a resource from the Resource types pane to the canvas pane, Designer models it as a
container or as a square object.
Containers
Container resources are resizable rectangles that can contain other resources. For example, Designer
models the AWS::EC2::VPC resource type as a container. You can drag resources, such as a subnet,
into the VPC.
Container resource
Square objects
Square objects resources can't be resized or contain other resources. For example, Designer models
the AWS::EC2::Instance resource type as a square object.
Square object
Connecting Resources
You connect resources to create associations between related resources. For example, when you add an
Internet gateway and a VPC to the canvas pane, they have no relationship. To attach the gateway to the
VPC, you must connect them. The method for connecting resources depends on the resource type and
how Designer models the resource. The following descriptions and figures explain each method.
Adding resources to containers
When you drag valid resource into containers, Designer automatically creates associations between
the resource and the container. For example, VPCs are container resources; you can drag a subnet
into a VPC, and Designer automatically associates the two resources.

278
Interface Overview
These associations are represented in your template as a Ref intrinsic function, as shown in the
following example:
JSON
"PublicSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": "10.0.0.0/24"
}
YAML
PublicSubnet:
Type: 'AWS::EC2::Subnet'
Properties:
VpcId: !Ref VPC
CidrBlock: 10.0.0.0/24
In some cases, dropping a resource into a container doesn't create an association; you must drag a
connection between the resources (see the next method for information about dragging connections
between resources). To see if Designer associates resources, use the integrated JSON and YAML
editor to look for a Ref from one resource to the other. For example, when you add an Auto Scaling
group in a subnet container, Designer doesn't specify the group's VPCZoneIdentifier (subnet)
property. To associate the two resources, you must drag a connection from the Auto Scaling group
to the subnet.
Dragging connections between resources
The edge of each square and container resource has one or more dots, which represent the resources
that you can create connections with. To create a connection, drag a connector line from the dot to
the corresponding resource type. For example, to attach an Internet gateway to a VPC, drag a line
from the VPC gateway attachment dot to anywhere on the VPC.
These associations are represented in your template as a Ref intrinsic function or as a separate
resource type. For example, when you connect an Internet gateway with a VPC, Designer creates an
AWS::EC2::VPCGatewayAttachment resource type in your template to associate them. Resources
like these are not listed in the Resource types pane.
JSON
"VPCGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"InternetGatewayId": {
"Ref": "InternetGateway"
},
"VpcId": {
"Ref": "VPC"
}

279
Interface Overview
YAML
VPCGatewayAttachment:
Type: 'AWS::EC2::VPCGatewayAttachment'
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC
Coding connections between resources
In some cases, you must edit the template's JSON or YAML to create connections, such as when
you connect two security groups. When you must edit the JSON or YAML to create connections,
you create hard-coded connections (dashed-line connections). You cannot create or edit these
connections in the canvas pane.
Typically, when you embed references (Ref) within a resource's property, you create hard-
coded connections. For example, you can define a connection between two security groups
where one security group has an embedded ingress rule that permits traffic from the other.
The following WebServerSecurityGroup resource has an ingress rule with a reference to the
PublicLoadBalancerSecurityGroup resource.
JSON
"WebServerSecurityGroup": {
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"GroupDescription": "Allow access from HTTP and SSH traffic",
{
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"FromPort": "22",
"ToPort": "22",
"CidrIp": {
"Ref": "SSHLocation"
}
}
]
}
...
YAML

280
Interface Overview
Properties:
VpcId: !Ref VPC
GroupDescription: Allow access from HTTP and SSH traffic
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: !Ref SSHLocation
Accessing Common Resource Actions with the Resource Menu

The Resource menu provides easy access to common resource actions: editing resource properties,
duplicating a resource, deleting a resource, or viewing the documentation for the resource. To view
the Resource menu, right-click on a resource in the canvas pane. The documentation link goes to the
template reference (p. 604), which describes the properties and syntax for that resource.
Resource menu
Defining Explicit Dependencies

To specify the order in which AWS CloudFormation creates and deletes resources, you can create explicit
dependencies. Explicit dependencies are useful for overriding parallel resource creation and deletion.
AWS CloudFormation automatically determines which resources in a template can be processed in
parallel and which cannot. When you specify a property that references an attribute from another source
(using the Ref intrinsic function) or gets an attribute from another resource (with the Fn::GetAtt
intrinsic function) in the same template, this implies a dependency and AWS CloudFormation builds
them in the correct order.
However, in some cases, you must explicitly define dependencies. For example, a routing rule cannot use
an Internet gateway until the gateway has been attached to the VPC. Normally, AWS CloudFormation
creates the routing rule immediately after it creates the Internet gateway due to an implicit dependency.
But, AWS CloudFormation might create the rule before the Internet gateway has attached to the
VPC, which causes an error. Therefore, you must explicitly define a dependency on the gateway-VPC
attachment.
To create an explicit dependency, drag a line from the DependsOn (*) dot on the route to the gateway-
VPC attachment.

281
Interface Overview
For more information about when you might need to create an explicit dependency, see DependsOn
JSON
In JSON, these explicit dependencies are represented as a DependsOn attribute on a resource, as shown
in the following example:
"PublicRoute": {
"Type": "AWS::EC2::Route",
"DependsOn": "VPCGatewayAttachment",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"RouteTableId": {
"Ref": "PublicRouteTable"
},
"GatewayId": {
}
}
YAML
In YAML, these explicit dependencies are represented as a DependsOn attribute on a resource, as shown
in the following example:
PublicRoute:
Type: 'AWS::EC2::Route'
DependsOn:
- VPCGatewayAttachment
Properties:
DestinationCidrBlock: 0.0.0.0/0
RouteTableId: !Ref PublicRouteTable
GatewayId: !Ref InternetGateway
Integrated JSON and YAML Editor

Use Designer's integrated JSON and YAML editor to view and edit template details. For example, you can
use the integrated editor to define the properties of a resource or to change a template parameter. The
integrated editor has two views: a Components view and a Template view.
To make minor changes to a specific section of a template, use the Components view. In the
Components view, the components that you can edit are divided into tabs. These tabs change depending
on whether you have a resource selected.
For example, if you select a resource, Designer provides tabs to edit the resource's properties and
attributes, such as an update policy or creation policy. If you haven't selected anything, Designer
provides tabs for editing the template parameters, mappings, conditions, metadata, and outputs. Any
changes that you make in the Components view must be valid JSON or YAML markup. If you introduce
invalid JSON or YAML, Designer reverts the invalid markup to the valid markup when you leave the
Components view.
To make broad changes to your template, use the Template view. In the Template view, the integrated
JSON and YAML editor shows you the raw JSON or YAML of your entire template. When you want to
make changes to a resource, select it in the canvas pane. Designer automatically highlights that resource
in the integrated JSON and YAML editor.
AWS CloudFormation Designer integrated JSON and YAML editor

282
Interface Overview
Converting templates into YAML or JSON

You can convert a valid template back and forth between JSON and YAML by selecting the appropriate
radio button in Choose template language. Designer can only convert valid YAML or valid JSON
templates. If the conversion succeeds, the Messages pane displays a message like: Successfully converted
the template to YAML.
Important
We recommend that you do not add # YAML comments to your templates in Designer. If your
YAML template has # comments, Designer doesn't preserve those comments when editing the
YAML or converting to JSON. If you edit or modify your template in Designer (for example, if
you drag a resource on the canvas), your comments are lost.
Once you choose a template language, any new resources you drag onto the canvas will be created in the
language you have selected. To change back to another language, make sure your template is valid and
then select YAML or JSON where it says Choose template language.
Note
When you convert a template to YAML, Designer uses short form notation for functions. For
example, - !GetAtt. In addition, any visual links that you draw will use short form notation in
YAML mode. For more information about intrinsic functions, see Ref (p. 3824).
Autocomplete
The integrated JSON and YAML editor includes an auto-complete feature that helps you specify resource
properties, so you don't have to remember property names. To see a list of valid properties in a JSON
template, press Ctrl+Space within the Properties curly braces ({}), as shown in the following
example:

283
Interface Overview
For a YAML template, you can first delete the opening and closing curly braces and press Enter to go
to a new line. To see a list of valid properties, press Ctrl+Space on the new line after Properties, as
shown in the following example:
Keyboard Shortcuts
Designer's integrated JSON and YAML editor provides the following keyboard shortcuts:
Ctrl+Space
Within the Properties key of a resource, lists all of the available properties for the resource.
Ctrl+F
Searches for a specified value.
To highlight everything that matches the specified value, press Alt+Enter.

284
How to Get Started
How to Get Started With Designer

For examples of how to use AWS CloudFormation Designer to create and update templates, see the
following walkthroughs:
• Walkthrough: Use AWS CloudFormation Designer to Create a Basic Web Server (p. 285)
• Walkthrough: Use AWS CloudFormation Designer to Modify a Stack's Template (p. 303)
Walkthroughs
Templates are JSON- or YAML-formatted text files that describe the AWS resources that you want
to provision or update in your AWS CloudFormation stacks. To create templates, you can use AWS
CloudFormation Designer or a text editor.
The following walkthroughs show how to create sample AWS CloudFormation templates using AWS
CloudFormation Designer and plain text.
Topics
• Walkthrough: Use AWS CloudFormation Designer to Create a Basic Web Server (p. 285)
• Walkthrough: Use AWS CloudFormation Designer to Modify a Stack's Template (p. 303)
• Walkthrough: Peer with an Amazon VPC in Another AWS Account (p. 314)
• Walkthrough: Refer to Resource Outputs in Another AWS CloudFormation Stack (p. 321)
• Walkthrough: Create a Scalable, Load-balancing Web Server (p. 323)
• Deploying Applications on Amazon EC2 with AWS CloudFormation (p. 333)
• Creating Wait Conditions in a Template (p. 351)
Walkthrough: Use AWS CloudFormation Designer to

Create a Basic Web Server
AWS CloudFormation Designer graphically represents your templates to help you see the resources
in the template and how they're connected. The integrated JSON and YAML editor makes it easy to
modify templates directly in the AWS CloudFormation console. To demonstrate how to use both of these
components, we'll use AWS CloudFormation Designer to build a basic web server in a VPC. Then, we'll
save the template and use it to create an AWS CloudFormation stack.
By the end of the walkthrough, you'll have a template similar to the following sample: https://
console.aws.amazon.com/cloudformation/designer/home?templateUrl=https://s3.amazonaws.com/
cloudformation-examples/sample-ec2-vpc.template&region=us-east-1.
In the walkthrough, you will complete the following steps:
1. Add and connect resources. (p. 286)
When you first open AWS CloudFormation Designer, you start with a blank template. We'll use AWS
CloudFormation Designer to start populating the template by dragging resources, such as a VPC and
an EC2 instance into your template. We'll also create links between them. For example, we'll use AWS
CloudFormation Designer to create a connection between the Internet gateway and the VPC.
2. Add template parameters, mappings, and outputs. (p. 289)
We'll use the AWS CloudFormation Designer integrated editor to add other template components to
make the template more useful. For example, we'll add parameters to the template so that you can

285
Walkthrough: Use AWS CloudFormation
Designer to Create a Basic Web Server
specify input values when you create a stack. That way you don't have to constantly edit the template
for property values that you might commonly change.
3. Specify resource properties. (p. 297)
We'll use the integrated editor again to specify configuration settings for our resources.
4. Provision resources (p. 302)
None of your template resources are up and running until you create a stack. We'll use the template
that you just created to launch an AWS CloudFormation stack, which will provision all the resources
that are defined in your template.
Note
AWS CloudFormation is a free service; however, you are charged for the AWS resources you
include in your stacks at the current rate for each. For more information about AWS pricing,
see the detail page for each product on http://aws.amazon.com.
Prerequisites
This walkthrough assumes that you have a working knowledge of Amazon Virtual Private Cloud (Amazon
VPC), Amazon Elastic Compute Cloud (Amazon EC2), and AWS CloudFormation. For context, each
procedure provides some basic information about each resource.
Also, before you begin, make sure you have an Amazon EC2 key pair in the region in which you're
creating your stack. For more information, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for
Linux Instances.
Step 1: Add and Connect Resources

We'll use the AWS CloudFormation Designer drag-and-drop interface to add an Amazon EC2 instance
and network resources, such as a VPC, subnet, route table, and Internet gateway. After adding all the
resources, we'll create connections between them. For example, we'll associate the Internet gateway with
a VPC.
To add resources to a template
1. Open AWS CloudFormation Designer at https://console.aws.amazon.com/cloudformation/designer.

2.
In the integrated editor on the lower half of the page, choose Edit ( ).
3. Change the template name to BasicWebServerInVPC and then press Enter.
Currently, we have a blank template that isn't valid. In the next steps, we'll add resources to make it
valid.
4. In the Resource types pane, from within the EC2 category, drag a VPC resource type onto the
Canvas pane.
The resources are organized by resource categories. All of the resources we're adding are in the EC2
category.
AWS CloudFormation Designer immediately modifies your template to include a VPC resource, with
the results looking similar to the following JSON snippet.
"Resources": {
"VPC431KO": {
"Type": "AWS::EC2::VPC",
"Properties": {},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "445730ea-0d11-45ba-b6ac-12345EXAMPLE"
}

286
}
}
}
The YAML snippet looks similar to the following.
Resources:
VPC431KO:
Type: 'AWS::EC2::VPC'
Properties: {}
Metadata:
'AWS::CloudFormation::Designer':
id: 9430b008-7a03-41ed-b63e-12345EXAMPLE
Note that we still need to specify the VPC properties, such as the VPC's CIDR block. We'll do that
later. This is true for all resources that we'll add.
5. Rename the VPC.
Note
When you rename a resource, you rename its logical ID, which is the name that is referenced
in the template (not the name assigned when AWS CloudFormation creates the resource).
For more information, see Resources (p. 269).
a. Choose the VPC resource.

b.
In the integrated editor, choose the Edit icon ( ).
c. Change the name to VPC, and then choose Enter.
Next, we'll add resources to the VPC.

6. Drag a corner of the VPC resource to expand it so that it's large enough to fit several more resources.
We need to add a subnet because you can't add an EC2 instance, which hosts the website, directly
into the VPC; instances must be located in a subnet.
7. Add a Subnet resource type inside the VPC and rename it PublicSubnet.
We will use the subnet to allocate a range of IP addresses in the VPC that you can associate with
other AWS resources, such as an Amazon EC2 instance.
When you add the subnet inside the VPC, AWS CloudFormation Designer automatically associates
the subnet with the VPC. This association is a container model, where resources inside the container
are automatically associated with the container resource.
8. Add an Instance resource type inside the PublicSubnet resource and rename it
WebServerInstance.
The instance is a virtual computing environment where you'll host a basic website. Similar to the way
this worked with the subnet and VPC, adding the instance in the subnet automatically associates the
instance with the subnet.
9. Add a SecurityGroup resource type inside the VPC and rename it WebServerSecurityGroup.
The security group is a virtual firewall that controls the inbound and outbound traffic of the web
server instance. It's also required for instances in a VPC. We'll need to associate the web server
instance with this security group, which we'll do later when we specify the instance's properties.
10. Add an InternetGateway resource type anywhere outside of the VPC and rename it
InternetGateway.
The Internet gateway enables communication between the instance that is inside the VPC and the
Internet. Without the Internet gateway, no one can access your website.

287
Although, you can drag the Internet gateway inside the VPC, this doesn't create an association
with the VPC. The Internet gateway doesn't follow the container model; instead, you must drag a
connection from the Internet gateway to the VPC, as described in the next step.
11. Create a connection between the InternetGateway resource and the VPC resource.
a. On the InternetGateway resource, hover over the Internet gateway attachment

(AWS::EC2::VPCGatewayAttachment).
b. Drag a connection to the VPC.
The border of valid target resources changes color. In this case, the VPC is the only valid target
resource. This connection creates an attachment resource that associates the Internet gateway
with the VPC.
12. Next, we need to add a route table and route to specify how to direct network traffic from within a
subnet. Add a RouteTable inside the VPC and rename it PublicRouteTable.
This associates a new route table with the VPC.

13. To add a routing rule to the route table, add a Route resource type inside the PublicRouteTable
resource and rename it PublicRoute.
We'll use the route to specify where to direct traffic.

14. For the public route, we want the Internet gateway to be the destination target. Use GatewayId to
create a connection from the PublicRoute resource to the Internet gateway, similar to the way you
created a connection between the Internet gateway and the VPC.
AWS CloudFormation can't associate a route with an Internet gateway until you associate the
Internet gateway with the VPC. This means we need to create an explicit dependency on the Internet
gateway-VPC attachment, as described in the next step. For more information, see DependsOn
15. Create an explicit dependency between the PublicRoute resource and the Internet gateway-VPC
attachment.
a. On the PublicRoute resource, hover over the DependsOn dot.

b. Drag a connection to the Internet gateway-VPC attachment
(AWS::EC2::VPCGatewayAttachment).
With DependsOn connections, AWS CloudFormation Designer creates a dependency (a

DependsOn attribute), where the originating resource depends on the target resource. In this
case, AWS CloudFormation Designer adds a DependsOn attribute to the PublicRoute resource
and specifies the gateway-VPC attachment as a dependency.
16. Create another dependency from the WebServerInstance resource to the PublicRoute resource.
The WebServerInstance resource depends on the public route to route traffic to the Internet.
Without the public route, the instance cannot send a signal (using the cfn-signal helper script) to
notify AWS CloudFormation when the instance configuration and application deployments are
complete.
17. Drag a connection from the PublicRouteTable resource to the PublicSubnet resource to
associate the route table and subnet.
Now the public subnet will use the public route table to direct traffic.
18. From the AWS CloudFormation Designer toolbar, save the template locally by using the File menu
(the file icon).
AWS CloudFormation Designer saves your template on your hard drive. You can use the template
later to create a stack. We recommend that you save the template regularly to avoid losing changes.

288
In this step, we added seven resources to your template and renamed their logical IDs with friendly
names. We also established visual connections with most of the resources to create associations and a
dependency. However, before we can create a stack with this template, we need to create a few more
connections (such as associating the instance with the security group) and to specify properties for each
resource. In the next step, we'll walk through modifying other components of your template, such as
input parameters, by using the AWS CloudFormation Designer integrated editor.
Step 2: Add Parameters, Mappings, and Outputs

Before we specify resource properties, we need to add other template components to make reusing
the template in multiple environments easier. In this step, we'll use the AWS CloudFormation Designer
integrated editor to add parameters, mappings, and outputs. Then, we can refer to these parameters and
mappings when we specify resource properties. The walkthrough provides sample JSON and YAML that
you can use to copy and paste in to the integrated editor.
To add parameters
Parameters are input values that you specify when you create a stack. They're useful for passing in values
so that you don't have hard coded values in templates. For example, you don't need to hard code your
web server's instance type in your template; instead, you can use a parameter to specify the instance
type when you create a stack. That way you can use the same template to create multiple web servers
with different instance types. For more information, see Parameters (p. 237).
1. Click on an open area in the AWS CloudFormation Designer canvas.
Depending on what you have selected, the integrated editor shows either template-level or
resource-level components that you can edit. At the template-level, you can edit all other sections of
a template, such as template parameters, mappings, and outputs, except for the Resources section.
At the resource-level, you can edit resource properties and attributes.
Clicking on an open area in the canvas allows you to edit template-level components. To edit
resource-level components, select a resource.
2. In the integrated editor pane, choose the Parameters tab in the Components view.
3. Copy the parameters in the following snippet and paste them into the integrated editor.
The following JSON snippet adds parameters for specifying your web server's instance type, an
Amazon EC2 key-pair name for SSH access to the web server, and the IP address range that can be
used to access the web server using SSH.
{
"Parameters": {
"InstanceType" : {
"Type" : "String",
"AllowedValues" : [
"t1.micro",
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"m3.medium",

289
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c1.medium",
"c1.xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"g2.2xlarge",
"g2.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
"cg1.4xlarge"
],
},
"KeyName": {
"Description": "Name of an EC2 KeyPair to enable SSH access to the instance.",
"ConstraintDescription": "must be the name of an existing EC2 KeyPair."
},
"SSHLocation": {
"Description": " The IP address range that can be used to access the web server
using SSH.",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
}
}
}
Here is the same snippet in YAML.
Parameters:

290
InstanceType:
Type: String
Default: t2.small
AllowedValues:
- t1.micro
- t2.nano
- t2.micro
- t2.small
- t2.medium
- t2.large
- m1.small
- m1.medium
- m1.large
- m1.xlarge
- m2.xlarge
- m2.2xlarge
- m2.4xlarge
- m3.medium
- m3.large
- m3.xlarge
- m3.2xlarge
- m4.large
- m4.xlarge
- m4.2xlarge
- m4.4xlarge
- m4.10xlarge
- c1.medium
- c1.xlarge
- c3.large
- c3.xlarge
- c3.2xlarge
- c3.4xlarge
- c3.8xlarge
- c4.large
- c4.xlarge
- c4.2xlarge
- c4.4xlarge
- c4.8xlarge
- g2.2xlarge
- g2.8xlarge
- r3.large
- r3.xlarge
- r3.2xlarge
- r3.4xlarge
- r3.8xlarge
- i2.xlarge
- i2.2xlarge
- i2.4xlarge
- i2.8xlarge
- d2.xlarge
- d2.2xlarge
- d2.4xlarge
- d2.8xlarge
- hi1.4xlarge
- hs1.8xlarge
- cr1.8xlarge
- cc2.8xlarge
- cg1.4xlarge
KeyName:
Description: Name of an EC2 KeyPair to enable SSH access to the instance.
SSHLocation:

291
Description: ' The IP address range that can be used to access the web server using
SSH.'
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
To add mappings
Mappings are a set of keys that are associated with a set of name-value pairs. They're useful for
specifying values based on an input parameter value. For this walkthrough, we'll use a mapping to
specify an AMI ID for an EC2 instance based on the instance type and region in which you create the
stack. For more information, see Mappings (p. 256).
1. In the integrated editor pane, choose the Mappings tab.

2. Copy the following JSON mappings and paste them into the integrated editor.
{
"Mappings" : {
"t1.micro" : { "Arch" : "HVM64" },
"t2.nano" : { "Arch" : "HVM64" },
"t2.micro" : { "Arch" : "HVM64" },
"t2.small" : { "Arch" : "HVM64" },
"t2.large" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "HVM64" },
"m1.large" : { "Arch" : "HVM64" },
"m2.2xlarge" : { "Arch" : "HVM64" },
"m2.4xlarge" : { "Arch" : "HVM64" },
"m3.large" : { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"m4.large" : { "Arch" : "HVM64" },
"m4.2xlarge" : { "Arch" : "HVM64" },
"m4.4xlarge" : { "Arch" : "HVM64" },
"m4.10xlarge" : { "Arch" : "HVM64" },
"c3.large" : { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },
"c3.8xlarge" : { "Arch" : "HVM64" },
"c4.large" : { "Arch" : "HVM64" },
"c4.2xlarge" : { "Arch" : "HVM64" },
"c4.4xlarge" : { "Arch" : "HVM64" },
"c4.8xlarge" : { "Arch" : "HVM64" },
"r3.large" : { "Arch" : "HVM64" },
"r3.2xlarge" : { "Arch" : "HVM64" },
"r3.4xlarge" : { "Arch" : "HVM64" },

292
"r3.8xlarge" : { "Arch" : "HVM64" },

"i2.2xlarge" : { "Arch" : "HVM64" },
"i2.4xlarge" : { "Arch" : "HVM64" },
"i2.8xlarge" : { "Arch" : "HVM64" },
"d2.2xlarge" : { "Arch" : "HVM64" },
"d2.4xlarge" : { "Arch" : "HVM64" },
"d2.8xlarge" : { "Arch" : "HVM64" },
},
"ami-0a584ac55a7631c0c"},
"us-west-2" : {"HVM64" : "ami-a0cfeed8", "HVMG2" :
"ami-0e09505bc235aa82d"},
"ami-0a7c483d527806435"},
"eu-west-3" : {"HVM64" : "ami-0ebc281c20e89ba4b", "HVMG2" :
"NOT_SUPPORTED"},
"ami-06223d46a6d0661c7"},
"ami-053cdd503598e4a9d"},
"ap-northeast-2" : {"HVM64" : "ami-0a10b2721688ce9d2", "HVMG2" :
"NOT_SUPPORTED"},
"ap-northeast-3" : {"HVM64" : "ami-0d98120a9fb693f07", "HVMG2" :
"NOT_SUPPORTED"},
"us-east-2" : {"HVM64" : "ami-0b59bfac6be064b78", "HVMG2" :
"NOT_SUPPORTED"},
"sa-east-1" : {"HVM64" : "ami-07b14488da8ea02a0", "HVMG2" :
"NOT_SUPPORTED"},
"cn-north-1" : {"HVM64" : "ami-0a4eaf6c4454eda75", "HVMG2" :
"NOT_SUPPORTED"},
}
}
}
Here are the same mappings in YAML.
Mappings:
AWSInstanceType2Arch:
t1.micro:
Arch: HVM64
t2.nano:
Arch: HVM64
t2.micro:
Arch: HVM64
t2.small:
Arch: HVM64

293
t2.medium:
Arch: HVM64
t2.large:
Arch: HVM64
m1.small:
Arch: HVM64
m1.medium:
Arch: HVM64
m1.large:
Arch: HVM64
m1.xlarge:
Arch: HVM64
m2.xlarge:
Arch: HVM64
m2.2xlarge:
Arch: HVM64
m2.4xlarge:
Arch: HVM64
m3.medium:
Arch: HVM64
m3.large:
Arch: HVM64
m3.xlarge:
Arch: HVM64
m3.2xlarge:
Arch: HVM64
m4.large:
Arch: HVM64
m4.xlarge:
Arch: HVM64
m4.2xlarge:
Arch: HVM64
m4.4xlarge:
Arch: HVM64
m4.10xlarge:
Arch: HVM64
c1.medium:
Arch: HVM64
c1.xlarge:
Arch: HVM64
c3.large:
Arch: HVM64
c3.xlarge:
Arch: HVM64
c3.2xlarge:
Arch: HVM64
c3.4xlarge:
Arch: HVM64
c3.8xlarge:
Arch: HVM64
c4.large:
Arch: HVM64
c4.xlarge:
Arch: HVM64
c4.2xlarge:
Arch: HVM64
c4.4xlarge:
Arch: HVM64
c4.8xlarge:
Arch: HVM64
g2.2xlarge:
Arch: HVMG2
g2.8xlarge:
Arch: HVMG2
r3.large:
Arch: HVM64

294
r3.xlarge:
Arch: HVM64
r3.2xlarge:
Arch: HVM64
r3.4xlarge:
Arch: HVM64
r3.8xlarge:
Arch: HVM64
i2.xlarge:
Arch: HVM64
i2.2xlarge:
Arch: HVM64
i2.4xlarge:
Arch: HVM64
i2.8xlarge:
Arch: HVM64
d2.xlarge:
Arch: HVM64
d2.2xlarge:
Arch: HVM64
d2.4xlarge:
Arch: HVM64
d2.8xlarge:
Arch: HVM64
hi1.4xlarge:
Arch: HVM64
hs1.8xlarge:
Arch: HVM64
cr1.8xlarge:
Arch: HVM64
cc2.8xlarge:
Arch: HVM64
AWSRegionArch2AMI:
us-east-1:
HVM64: ami-0ff8a91507f77f867
us-west-2:
HVM64: ami-a0cfeed8
HVMG2: ami-0e09505bc235aa82d
us-west-1:
eu-west-1:
HVM64: ami-047bb4163c506cd98
HVMG2: ami-0a7c483d527806435
eu-west-2:
HVM64: ami-f976839e
HVMG2: NOT_SUPPORTED
eu-west-3:
HVM64: ami-0ebc281c20e89ba4b
eu-central-1:
HVM64: ami-0233214e13e500f77
HVMG2: ami-06223d46a6d0661c7
ap-northeast-1:
ap-northeast-2:
HVM64: ami-0a10b2721688ce9d2
ap-northeast-3:
HVM64: ami-0d98120a9fb693f07
ap-southeast-1:

295
ap-southeast-2:
HVM64: ami-09b42976632b27e9b
HVMG2: ami-0a9ce9fecc3d1daf8
ap-south-1:
HVM64: ami-0912f71e06545ad88
HVMG2: ami-097b15e89dbdcfcf4
us-east-2:
HVM64: ami-0b59bfac6be064b78
ca-central-1:
HVM64: ami-0b18956f
sa-east-1:
HVM64: ami-07b14488da8ea02a0
cn-north-1:
HVM64: ami-0a4eaf6c4454eda75
cn-northwest-1:
HVM64: ami-6b6a7d09
To add outputs
Outputs declare values that you want available to a describe stacks API call or through the AWS
CloudFormation console stack Outputs tab. For this walkthrough, we'll output the website URL so that
you can easily view the website after we create it. For more information, see Outputs (p. 271).
1. In the integrated editor pane, select the Outputs tab.

2. Copy the following JSON output and paste it into the integrated editor.
The output uses an Fn::GetAtt intrinsic function to get the public IP of the web server instance.
{
"Outputs": {
"URL": {
"Value": {
"Fn::Join": [
"",
[
"http://",
{
"Fn::GetAtt": [
"WebServerInstance",
"PublicIp"
]
}
]
]
},
"Description": "Newly created application URL"
}
}
}
Here is the same output in YAML.
Outputs:
URL:
Value: !Join
- ''

296
- - 'http://'
- !GetAtt
- WebServerInstance
- PublicIp
Description: Newly created application URL
3. Save your template again so that you don't lose your changes. You can safely save your changes to
the same file that you created in the previous section.
Now that the template parameters, mappings, and outputs are in place, we can specify resource
properties.
Step 3: Specify Resource Properties

Many resources have required properties that define their configurations or settings, such as which
instance type to use for the web server. Similar to what we did in the previous step, we'll use the AWS
CloudFormation Designer integrated editor to specify resource properties. We provide sample JSON and
YAML that you can copy and paste into the integrated editor.
To specify resource properties
1. On the AWS CloudFormation Designer canvas, choose the VPC resource.
The integrated editor shows the resource-level components that you can edit, such as the resource
properties and attributes.
2. In the integrated editor pane, choose the Properties tab.
3. Copy the following JSON snippet and paste it into the integrated editor between the Properties
braces ({}).
This snippet specifies DNS settings and the CIDR block of the VPC.
"EnableDnsSupport": "true",
"EnableDnsHostnames": "true",
"CidrBlock": "10.0.0.0/16"
For YAML, type a new line after Properties: and paste the following snippet.
EnableDnsSupport: 'true'
EnableDnsHostnames: 'true'
Note
For efficiency, we provide JSON and YAML snippets that you can copy and paste. Note,
however, that the editor has an auto-complete feature that you can use to manually specify
each property. For more information, see Integrated JSON and YAML Editor (p. 282).
4. Repeat this process for the following resources:
PublicSubnet
Add the following CIDR block property after the VPC ID property. AWS CloudFormation
Designer automatically added the VPC ID property when you dragged the subnet inside the
VPC.
Note
You'll see a few other associations that AWS CloudFormation Designer automatically
created for you. Add just the new properties, which are in bold.
297
JSON
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": "10.0.0.0/24"
YAML
VpcId: !Ref VPC

PublicRoute
Add the following destination CIDR block property, which directs all traffic to the Internet
gateway:
JSON
"RouteTableId": {
},
"GatewayId": {
}
YAML
GatewayId: !Ref InternetGateway
WebServerSecurityGroup
Add the following inbound rules that determine what traffic can reach the web server instance.
The rules allow all HTTP and certain SSH traffic, which you specify as a parameter value when
you create a stack.
JSON
"VpcId": {
"Ref": "VPC"
},
"GroupDescription" : "Allow access from HTTP and SSH traffic",
{
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"FromPort": "22",
"ToPort": "22",
"CidrIp": {

298
}
}
]
YAML
VpcId: !Ref VPC

GroupDescription: Allow access from HTTP and SSH traffic
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
WebServerInstance
You need to specify a number of properties for the web server instance, so we'll highlight
just a few for demonstration purposes. The InstanceType and ImageId properties use the
parameter and mapping values that we specified in the previous section. When you create a
stack, you specify the instance type as a parameter value. The ImageId value is a mapping that
is based on your stack's region and the instance type that you specified.
The NetworkInterfaces property specifies network settings for the web server instance.
This property allows us to associate the security group and subnet with the instance. Although
AWS CloudFormation Designer used the SubnetId property to associate the instance with the
subnet, we need to use the NetworkInterfaces property because that's the only way to give
the web server a public IP. And when you specify the NetworkInterfaces property, you are
required to specify the subnet and security group within that property.
In the UserData property, we specify configuration scripts that run after the instance is up and
running. All of the configuration information is defined in the instance's metadata, which we'll
add in the next step.
Replace all properties with the following snippet:

Important
Do not append this snippet to existing properties.
JSON
"InstanceType": {
},
"ImageId": {
"Fn::FindInMap": [
"AWSRegionArch2AMI",
{
},
{
"Fn::FindInMap": [
"AWSInstanceType2Arch",
{
},
"Arch"
]
299
}
]
},
"KeyName": {
"Ref": "KeyName"
},
"NetworkInterfaces": [
{
"GroupSet": [
{
"Ref": "WebServerSecurityGroup"
}
],
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"DeleteOnTermination": "true",
"SubnetId": {
"Ref": "PublicSubnet"
}
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
" --stack ",
{
"Ref": "AWS::StackName"
},
" --configsets All ",
" --region ",
{
},
"\n",
" --stack ",
{
},
" --region ",
{
},
"\n"
]
]
}
}
YAML

ImageId: !FindInMap
- AWSRegionArch2AMI

300
- !FindInMap
- AWSInstanceType2Arch
- !Ref InstanceType
- Arch
NetworkInterfaces:
- GroupSet:
- !Ref WebServerSecurityGroup
AssociatePublicIpAddress: 'true'
DeviceIndex: '0'
DeleteOnTermination: 'true'
SubnetId: !Ref PublicSubnet
UserData: !Base64
'Fn::Join':
- ''
- - |
#!/bin/bash -xe
- |
- |
# Install the files and packages from the metadata
- '/opt/aws/bin/cfn-init -v '
- ' --stack '
- !Ref 'AWS::StackName'
- ' --resource WebServerInstance '
- ' --configsets All '
- ' --region '
- |+
- |
# Signal the status from cfn-init
- '/opt/aws/bin/cfn-signal -e $? '
- ' --stack '
- ' --resource WebServerInstance '
- ' --region '
- |+
5. Add the web server configuration metadata to the WebServerInstance resource.
a. Choose the WebServerInstance resource, and then choose the Metadata tab in the
integrated editor pane.
b. If you are authoring your template in JSON: Within the Metadata braces ({}) and after the
AWS::CloudFormation::Designer closing brace, add a comma (,).
c. After the AWS::CloudFormation::Designer property, add the following snippet, which
instructs the cfn-init helper script to start the web server and create a basic web page.
JSON
"configSets" : {
"All" : [ "ConfigureSampleApp" ]
},
"ConfigureSampleApp" : {
"packages" : {
"yum" : {
"httpd" : []
}
},
"files" : {

301
"content" : { "Fn::Join" : ["\n", [

"<h1>Congratulations, you have successfully launched the AWS
CloudFormation sample.</h1>"
]]},
"mode" : "000644",
"owner" : "root",
"group" : "root"
}
},
"services" : {
"sysvinit" : {
}
}
}
}
YAML
'AWS::CloudFormation::Init':
configSets:
All:
- ConfigureSampleApp
ConfigureSampleApp:
packages:
yum:
httpd: []
files:
content: !Join
- |+
- - >-
<h1>Congratulations, you have successfully launched the AWS
CloudFormation sample.</h1>
mode: '000644'
owner: root
group: root
services:
sysvinit:
httpd:
enabled: 'true'
ensureRunning: 'true'
6.
On the AWS CloudFormation Designer toolbar, choose Validate template ( ) to check for syntax
errors in your template.
View and fix errors in the Messages pane, and then validate the template again. If you don't see
errors, your template is syntactically valid.
7. Save your completed template to keep all the changes you made.
You now have a complete AWS CloudFormation template that you can use to create a basic web server
in a VPC. To create the template, we first added and connected template resources by using the AWS
CloudFormation Designer canvas pane. Then, we used the integrated editor to add other template
components and to specify resource properties. In the next step, we'll use this template to create a stack.
Step 4: Provision Resources

To create a stack, you can launch the AWS CloudFormation Create Stack Wizard from AWS
CloudFormation Designer. We'll use the template that we created in the previous steps to create an AWS

302
Designer to Modify a Stack's Template
CloudFormation stack. After AWS CloudFormation provisions all of your resources, you'll have a basic
website up and running.
To create the stack
1. On the AWS CloudFormation Designer toolbar, choose Create Stack (the cloud icon).
AWS CloudFormation Designer saves the open template in an S3 bucket, and then launches the AWS
CloudFormation Create Stack Wizard. AWS CloudFormation uses the same S3 bucket that it creates
whenever you upload templates.
2. AWS CloudFormation automatically populates the template URL; choose Next.
3. In the Specify Details section, enter a stack name in the Stack name field. For this example,
use BasicWebServerStack.
4. In the Parameters section, for the KeyName field, enter the name of a valid Amazon EC2 key pair in
the same region you are creating the stack.
5. Keep the other default parameter values and choose Next.
7. Ensure that the stack name and Amazon EC2 key-pair name are correct, and then choose Create.
It can take several minutes for AWS CloudFormation to create your stack. To monitor progress, view the
stack events. For more information about viewing stack events, see Viewing AWS CloudFormation Stack
Data and Resources on the AWS Management Console (p. 106). After the stack is created, view the stack
outputs and go to the sample website URL to verify that the website is running. For more information,
see Viewing AWS CloudFormation Stack Data and Resources on the AWS Management Console (p. 106).
Now that you've successfully created a template and launched a stack using AWS CloudFormation
Designer, you can use the stack in the following walkthrough: Walkthrough: Use AWS CloudFormation
Designer to Modify a Stack's Template (p. 303), which modifies the template to create a scalable web
server.
Walkthrough: Use AWS CloudFormation Designer to

Modify a Stack's Template
You can use AWS CloudFormation Designer to easily modify a stack's template, and then submit it to
AWS CloudFormation to update the stack. Typically, when you modify a stack, you need to get a copy
of its template, modify the template in a text editor, and then use AWS CloudFormation to update the
stack. With AWS CloudFormation Designer, you can quickly get a copy of any running stack's template,
modify it, and then update the stack without ever leaving the console.
In this walkthrough, we'll start with a basic web server (p. 285) stack, and then modify it so that the
web server is scalable and durable.
By the end of the walkthrough, you'll have a template similar to the following sample: https://
console.aws.amazon.com/cloudformation/designer/home?templateUrl=https://s3.amazonaws.com/
cloudformation-examples/sample-as-vpc.template&region=us-east-1.
In this walkthrough, we will complete the following steps:
1. Get a stack's template. (p. 304)
We'll get a copy of a running stack's template; the same basic web server stack in the following
walkthrough: Walkthrough: Use AWS CloudFormation Designer to Create a Basic Web
Server (p. 285).
2. Modify the template. (p. 304)

303
We'll use AWS CloudFormation Designer to modify the stack's template so that your website is
scalable and durable by replacing the EC2 instance with an Auto Scaling group and an Elastic Load
Balancing load balancer.
3. Update the stack. (p. 313)
After saving the modifications, we'll update the basic web server stack with the modified template.
Note
AWS CloudFormation is a free service; however, you are charged for the AWS resources you
include in your stacks at the current rate for each. For more information about AWS pricing,
see the detail page for each product on http://aws.amazon.com.
4. Delete the stack. (p. 313)
We'll delete the stack to clean up all of the resources.
Prerequisites
This walkthrough assumes that you have a working knowledge of Amazon Virtual Private Cloud (Amazon
VPC), Auto Scaling, Elastic Load Balancing, and AWS CloudFormation. For context, each procedure
provides some basic information about each resource.
Additionally, the walkthrough assumes that you completed the following walkthrough: Walkthrough:
Use AWS CloudFormation Designer to Create a Basic Web Server (p. 285). From that walkthrough, you
should have a running stack named BasicWebServerStack.
Step 1: Get a Stack Template

In this step, we'll use AWS CloudFormation Designer to get and open a copy of a running stack's
template.
To get a copy of a running stack's template

2. From the list of stacks, select the BasicWebServerStack.
3. Choose Actions, and then View/Edit template in Designer.
AWS CloudFormation gets a copy of the BasicWebServerStack stack's template and displays it in AWS
CloudFormation Designer, where you can view the template resources and their relationships. In the
following step, we'll use AWS CloudFormation Designer to modify the template.
Step 2: Modify a Template

We'll modify the basic web server template by using AWS CloudFormation Designer's drag-and-drop
interface and integrated JSON and YAML editor to replace the single Amazon EC2 instance with an
Auto Scaling group and load balancer to make the web site scalable. If traffic to the web site suddenly
increases, use Auto Scaling to quickly increase the number of web servers. The load balancer will equally
distributes the traffic among the instances.
To modify a stack template
1. Remove the WebServerInstance resource.
a. Right-click the WebServerInstance resource.

b.
From the resource menu, choose Delete ( ).

304
c. Choose OK to confirm.
2. From the Resource types pane, add the following resources into the PublicSubnet resource:
AutoScalingGroup, LaunchConfiguration, and LoadBalancer. Before adding resources, you might
need to expand the subnet to include all the resources.
The resources are organized by resource categories. The Auto Scaling group and launch
configuration are in the AutoScaling category, and the load balancer is in the ElasticLoadBalancing
category.
Note
These resources do not follow the container model, so AWS CloudFormation Designer
doesn't automatically associate them with the subnet. We'll create connections later on in
this step.
3. From the Resource types pane in the EC2 category, add the SecurityGroup resource anywhere in
the VPC except in the subnet.
This security group will control the inbound and outbound traffic of the load balancer.
4. Rename the resources to make them easier to identify:
• Rename AutoScalingGroup to WebServerFleet

• Rename LaunchConfiguration to WebServerLaunchConfig
• Rename LoadBalancer to PublicElasticLoadBalancer
• Rename SecurityGroup to PublicLoadBalancerSecurityGroup
5. Create associations for the resources that you added.
a. Associate the load balancer and Auto Scaling group resources with the public subnet:
• From the PublicElasticLoadBalancer resource, drag the AWS::EC2::Subnet

(Property: Subnets) connection to the PublicSubnet resource.
• From the WebServerFleet resource, drag the AWS::EC2::Subnet (Property:
VPCZoneIdentifier) connection to the PublicSubnet resource.
b. Associate the load balancer with its security group:
• From the PublicElasticLoadBalancer resource, drag the

AWS::EC2::SecurityGroup (Property: SecurityGroups) connection to the
PublicLoadBalancerSecurityGroup resource.
c. Associate the Auto Scaling group with the load balancer and launch configuration:
• From the WebServerFleet resource, drag the

AWS::ElasticLoadBalancing::LoadBalancer (Property: LoadBalancerNames)
connection to the PublicElasticLoadBalancer resource.
• From the WebServerFleet resource, drag the
AWS::ElasticLoadBalancing::LaunchConfiguration (Property:
LaunchConfigurationName) connection to the WebServerLaunchConfig resource.
d. Associate the launch configuration with the security group:
• From the WebServerLaunchConfig resource, drag the AWS::EC2::SecurityGroup

(Property: SecurityGroups) connection to the WebServerSecurityGroup resource.
e. Define a dependency for the Auto Scaling group to the public route:
• From the WebServerFleet resource, drag the DependsOn connection to the PublicRoute
resource.
This dependency means that AWS CloudFormation won't create the WebServerFleet resource
until the public route is complete. Otherwise, if the public route isn't available when the web

305
server instances are starting up, they won't be able to send signals (using the cfn-signal helper
script) to notify AWS CloudFormation when their configurations and application deployments
are complete.
6. Specify the properties for the resources that you added.
a. On the AWS CloudFormation Designer canvas, choose the PublicElasticLoadBalancer

resource.
b. In the integrated editor pane, choose the Properties tab, and then copy the following snippet
and paste it between the Properties braces ({}).
AWS CloudFormation Designer automatically added the security group and subnet association,
so you need to add only the Listeners and HealthCheck properties. The Listeners
property specifies where and what type of traffic to listen for, and the HealthCheck property
describes the settings for determining the health status of the load balancer.
JSON
"Listeners": [
{
"InstancePort": "80",
"Protocol": "HTTP"
}
],
"HealthCheck": {
"Target": "HTTP:80/",
"Interval": "90",
"Timeout": "60"
},
"SecurityGroups": [
{
"Ref": "PublicLoadBalancerSecurityGroup"
}
],
"Subnets": [
{
}
]
YAML
Listeners:
InstancePort: '80'
Protocol: HTTP
HealthCheck:
Target: 'HTTP:80/'
Interval: '90'
Timeout: '60'
SecurityGroups:
- !Ref PublicLoadBalancerSecurityGroup
Subnets:
- !Ref PublicSubnet
c. Repeat this process for the following resources:

306
WebServerFleet
Add the MaxSize, MinSize, and DesiredCapacity properties. These properties specify
the maximum and minimum number of instances that you can launch in the Auto Scaling
group and the initial number of instances to start with. The desired capacity value refers to
a new parameter, which we'll add later in this procedure.
JSON
"MinSize": "1",
"MaxSize": "10",
"DesiredCapacity": {
"Ref": "WebServerCount"
},
"VPCZoneIdentifier": [
{
}
],
"LaunchConfigurationName": {
"Ref": "WebServerLaunchConfig"
},
"LoadBalancerNames": [
{
"Ref": "PublicElasticLoadBalancer"
}
]
YAML
MinSize: '1'
MaxSize: '10'
DesiredCapacity: !Ref WebServerCount
VPCZoneIdentifier:
- !Ref PublicSubnet
LaunchConfigurationName: !Ref WebServerLaunchConfig
LoadBalancerNames:
- !Ref PublicElasticLoadBalancer
PublicLoadBalancerSecurityGroup
Add the following inbound and outbound rules that determine the traffic that can reach
and leave the load balancer. The rules allows all HTTP traffic to reach and leave the load
balancer.
JSON
"GroupDescription": "Public Elastic Load Balancing security group with

HTTP access on port 80 from the Internet",
{
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{

307
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
}
],
"VpcId": {
"Ref": "VPC"
}
YAML
GroupDescription: >-
Public Elastic Load Balancing security group with HTTP access on port
80
from the Internet
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
VpcId: !Ref VPC
WebServerSecurityGroup
Modify the HTTP inbound rule to allow only traffic from the load balancer.
JSON
"GroupDescription": "Allow access from load balancer and SSH traffic",

{
"FromPort": "80",
"ToPort": "80",
"SourceSecurityGroupId": {
"Ref": "PublicLoadBalancerSecurityGroup"
}
},
{
"FromPort": "22",
"ToPort": "22",
"CidrIp": {
}
}
],
"VpcId": {
"Ref": "VPC"
}
YAML
VpcId: !Ref VPC

GroupDescription: Allow access from load balancer and SSH traffic
- IpProtocol: tcp
308
FromPort: '80'
ToPort: '80'
SourceSecurityGroupId: !Ref PublicLoadBalancerSecurityGroup
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
WebServerLaunchConfig
The launch configuration has a number of different properties that you need to specify,
so we'll highlight just a few of them. The InstanceType and ImageId properties use the
parameter and mapping values that were already specified in the template. You specify
the instance type as a parameter value when you create a stack. The ImageId value is a
mapping that is based on your stack's region and the instance type that you specified.
In the UserData property, we specify configurations scripts that run after the instance is
up and running. All of the configuration information is defined in the instance's metadata,
which we'll add in the next step.
JSON
"InstanceType": {
},
"ImageId": {
"Fn::FindInMap": [
{
},
{
"Fn::FindInMap": [
{
},
"Arch"
]
}
]
},
"KeyName": {
"Ref": "KeyName"
},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
" --stack ",
{
},
" --resource WebServerLaunchConfig ",
" --configsets All ",
" --region ",
{

309
},
"\n",
" --stack ",
{
},
" --resource WebServerFleet ",
" --region ",
{
},
"\n"
]
]
}
},
"SecurityGroups": [
{
"Ref": "WebServerSecurityGroup"
}
]
YAML

ImageId: !FindInMap
- AWSRegionArch2AMI
- !FindInMap
- !Ref InstanceType
- Arch
AssociatePublicIpAddress: 'true'
UserData: !Base64
'Fn::Join':
- ''
- - |
#!/bin/bash -xe
- |
- |
# Install the files and packages from the metadata
- '/opt/aws/bin/cfn-init -v '
- ' --stack '
- ' --resource WebServerLaunchConfig '
- ' --configsets All '
- ' --region '
- |+
- |
# Signal the status from cfn-init
- '/opt/aws/bin/cfn-signal -e $? '
- ' --stack '
- ' --resource WebServerFleet '
- ' --region '
- |+

310
SecurityGroups:
- !Ref WebServerSecurityGroup
7. Add the launch configuration metadata to the WebServerLaunchConfig resource, which instructs
the cfn-init helper script to start the web server and create a basic web page.
a. Choose the WebServerLaunchConfig resource, and then choose the Metadata tab in the
integrated editor.
b. If you are authoring your template in JSON: Within the Metadata braces ({}), after the
AWS::CloudFormation::Designer closing brace, add a comma (,).
c. Add the following snippet, which instructs the cfn-init helper script to start the web server and
create a basic web page, after the AWS::CloudFormation::Designer property.
JSON
"configSets" : {
"All" : [ "ConfigureSampleApp" ]
},
"ConfigureSampleApp" : {
"packages" : {
"yum" : {
"httpd" : []
}
},
"files" : {
]]},
"mode" : "000644",
"owner" : "root",
"group" : "root"
}
},
"services" : {
"sysvinit" : {
}
}
}
}
YAML
'AWS::CloudFormation::Init':
configSets:
All:
- ConfigureSampleApp
ConfigureSampleApp:
packages:
yum:
httpd: []
files:
content: !Join
- |+
- - >-
<h1>Congratulations, you have successfully launched the AWS

311
CloudFormation sample.</h1>
mode: '000644'
owner: root
group: root
services:
sysvinit:
httpd:
enabled: 'true'
8. Add the WebServerCount parameter. This parameter specifies how many instances to create when
AWS CloudFormation creates the Auto Scaling group.
a. Click on an open area on the AWS CloudFormation Designer canvas.

b. In the integrated editor pane, choose the Parameters tab.
c. Add the following parameter in the integrated editor. If you're authoring the template in JSON,
add a comma as needed.
JSON
"WebServerCount": {
"Description": "Number of Amazon EC2 instances to launch for the WebServer
server",
"Type": "Number",
"Default": "1"
}
YAML
WebServerCount:
Description: Number of Amazon EC2 instances to launch for the WebServer server
Type: Number
Default: '1'
9. Modify the template output to show the DNS name of the load balancer.
a. In the integrated editor pane, choose the Outputs tab.

b. Modify the JSON to use the load balancer DNS name, as shown in the following snippet.
JSON
{
"Outputs": {
"URL": {
"Value": {
"Fn::GetAtt": [
"PublicElasticLoadBalancer",
"DNSName"
]
},
"Description": "Newly created application URL"
}
}
}
If you're authoring your template in YAML, use the following snippet.
Outputs:
URL:
Value: !GetAtt

312
- PublicElasticLoadBalancer
- DNSName
Description: Newly created application URL
10.
On the AWS CloudFormation Designer toolbar, choose Validate template ( ) to check for syntax
errors in your template.
View and fix errors in the Messages pane, and then validate the template again. If you don't see
errors, your template is syntactically valid.
11.
From the AWS CloudFormation Designer toolbar, save the template locally by choosing File ( )
and then Save.
You now have a modified AWS CloudFormation template that you can use to update the basic web server
stack. In the next step, we'll use this template to update the basic web server stack.
Step 3: Update the Stack

To implement your template changes, we need to update the basic web server stack. You can launch the
AWS CloudFormation Update Stack Wizard directly from AWS CloudFormation Designer.
To update the stack
1.
On the AWS CloudFormation Designer toolbar, choose Create Stack ( ).
AWS CloudFormation Designer saves the opened template in an S3 bucket and then launches the
AWS CloudFormation Update Stack Wizard. Because we modified the BasicWebServerStack
stack's template, AWS CloudFormation launches the Update Stack Wizard for that stack.
2. AWS CloudFormation automatically populates the template URL; choose Next.
3. In the Stack section, in the Name field, verify that the stack name is BasicWebServerStack.
4. In the Parameters section, use the existing values; choose Next.
6. Ensure that the stack name is correct, and then choose Update.
It can take several minutes for AWS CloudFormation to update your stack. To monitor progress, view
the stack events. For more information, see Viewing AWS CloudFormation Stack Data and Resources
on the AWS Management Console (p. 106). After the stack is updated, view the stack outputs and
go to the website URL to verify that the website is running. For more information, see Viewing AWS
CloudFormation Stack Data and Resources on the AWS Management Console (p. 106). You successfully
updated a template and a stack using AWS CloudFormation Designer.
To ensure that you are not charged for unwanted services, you can delete this stack.

To make sure you are not charged for unwanted services, delete your stack and it's resources.
To delete the stack
1. From the AWS CloudFormation console, choose the BasicWebServerStack stack.

2. Choose Delete Stack.

313
Peer with a VPC in Another Account
It can take several minutes for AWS CloudFormation to delete your stack. To monitor progress, view
the stack events. After the stack is deleted, all the resources that you created are deleted. Now that you
understand how to use AWS CloudFormation Designer, you can use it to build and modify your own
templates.
Walkthrough: Peer with an Amazon VPC in Another

AWS Account
You can peer with a virtual private cloud (VPC) in another AWS account by using
AWS::EC2::VPCPeeringConnection. This creates a networking connection between two VPCs that enables
you to route traffic between them so they can communicate as if they were within the same network. A
VPC peering connection can help facilitate data access and data transfer.
To establish a VPC peering connection, you need to authorize two separate AWS accounts within a single
AWS CloudFormation stack.
For more information about VPC peering and its limitations, see VPC Peering Overview in the Amazon
VPC Peering Guide.
Prerequisites
1. You need a peer VPC ID, a peer AWS account ID, and a cross-account access role for the peering
connection.
Note
This walkthrough refers to two accounts: First is an account that allows cross-account
peering (the accepter account). Second is an account that requests the peering connection
(the requester account).
2. To accept the VPC peering connection, the cross-account access role must be assumable by you. The
resource behaves the same way as a VPC peering connection resource in the same account.
Step 1: Create a VPC and a Cross-Account Role

Create a VPC and a cross-account access role (example)
In this step, you'll create the VPC and role in the accepter account.
1. In the AWS Management Console, choose AWS CloudFormation.

3. You have several options. To use AWS CloudFormation Designer to create a new, blank template,
choose Create template in Designer.
If you are creating the template in another text editor, choose Template is ready and then Amazon
S3 URL or Upload a template file, as appropriate.
4. Use the following example template to create the VPC and the cross-account role allowing another
account to achieve peering.
Example JSON
{
"Description": "Create a VPC and an assumable role for cross account VPC peering.",
"Parameters": {
"PeerRequesterAccountId": {
"Type": "String"
}

314
},
"Resources": {
"vpc": {
"Properties": {
"CidrBlock": "10.1.0.0/16",
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"peerRole": {
"Properties": {
"Statement": [
{
"Principal": {
"AWS": {
"Ref": "PeerRequesterAccountId"
}
},
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow"
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:AcceptVpcPeeringConnection",
"Resource": "*"
}
]
}
}
]
}
}
},
"Outputs": {
"VPCId": {
"Value": {
"Ref": "vpc"
}
},
"RoleARN": {
"Value": {
"Fn::GetAtt": [
"peerRole",
"Arn"
]
}
}
}
}

315
Example YAML
Description: Create a VPC and an assumable role for cross account VPC peering.
Parameters:
PeerRequesterAccountId:
Type: String
Resources:
vpc:
Properties:
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: default
peerRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Principal:
AWS: !Ref PeerRequesterAccountId
Action:
- 'sts:AssumeRole'
Effect: Allow
Path: /
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: 'ec2:AcceptVpcPeeringConnection'
Resource: '*'
Outputs:
VPCId:
Value: !Ref vpc
RoleARN:
Value: !GetAtt
- peerRole
- Arn
5. Choose Next.
6. Give the stack a name (for example, VPC-owner), and then type the AWS account ID of the requester
account in the PeerRequesterAccountId field.
7. Accept the defaults, and then choose Next.
8. Choose I acknowledge that AWS CloudFormation might create IAM resources, and then choose
Create stack.
Step 2: Create a Template That Includes

AWS::EC2::VPCPeeringConnection
Now that you've created the VPC and cross-account role, you can peer with the VPC using another AWS
account (the requester account).
To create a template that includes the AWS::EC2::VPCPeeringConnection resource (example)
1. Go back to the AWS CloudFormation console home page.


316
3. Choose Create template in Designer to use AWS CloudFormation Designer to create a new, blank
template.
If you are creating the template in another text editor, choose Template is ready and then Amazon
S3 URL or Upload a template file, as appropriate.
4. Use the following example template to create a VPC and a VPC peering connection using the peer
role you created in Step 1.
Example JSON
{
"Description": "Create a VPC and a VPC Peering connection using the PeerRole to
accept.",
"Parameters": {
"PeerVPCAccountId": {
"Type": "String"
},
"PeerVPCId": {
"Type": "String"
},
"PeerRoleArn": {
"Type": "String"
}
},
"Resources": {
"vpc": {
"Properties": {
"CidrBlock": "10.2.0.0/16",
}
},
"vpcPeeringConnection": {
"Type": "AWS::EC2::VPCPeeringConnection",
"Properties": {
"VpcId": {
"Ref": "vpc"
},
"PeerVpcId": {
"Ref": "PeerVPCId"
},
"PeerOwnerId": {
"Ref": "PeerVPCAccountId"
},
"PeerRoleArn": {
"Ref": "PeerRoleArn"
}
}
}
},
"Outputs": {
"VPCId": {
"Value": {
"Ref": "vpc"
}
},
"VPCPeeringConnectionId": {
"Value": {
"Ref": "vpcPeeringConnection"
}
}

317
}
}
Example YAML
Description: Create a VPC and a VPC Peering connection using the PeerRole to accept.
Parameters:
PeerVPCAccountId:
Type: String
PeerVPCId:
Type: String
PeerRoleArn:
Type: String
Resources:
vpc:
Properties:
vpcPeeringConnection:
Type: 'AWS::EC2::VPCPeeringConnection'
Properties:
VpcId: !Ref vpc
PeerVpcId: !Ref PeerVPCId
PeerOwnerId: !Ref PeerVPCAccountId
PeerRoleArn: !Ref PeerRoleArn
Outputs:
VPCId:
Value: !Ref vpc
VPCPeeringConnectionId:
Value: !Ref vpcPeeringConnection
5. Choose Next.
6. Give the stack a name (for example, VPC-peering-connection).
7. Accept the defaults, and then choose Next.
8. Choose I acknowledge that AWS CloudFormation might create IAM resources, and then choose
Create stack.
Creating a Template with a Highly Restrictive Policy

You might want to create a highly restrictive policy for peering your VPC with another AWS account.
The following example template shows how to change the VPC peer owner template (the accepter
account created in Step 1 above) so that it is more restrictive.
Example JSON
{
"Description": "Create a VPC and an assumable role for cross account VPC peering.",
"Parameters": {
"PeerRequesterAccountId": {
"Type": "String"
}
},
"Resources": {

318
"peerRole": {
"Properties": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"AWS": {
"Ref": "PeerRequesterAccountId"
}
}
}
]
},
"Path": "/",
"Policies": [
{
"PolicyDocument": {
"Statement": [
{
"Action": "ec2:acceptVpcPeeringConnection",
"Effect": "Allow",
"Resource": {
"Fn::Sub": "arn:aws:ec2:${AWS::Region}:
${AWS::AccountId}:vpc/${vpc}"
}
},
{
"Action": "ec2:acceptVpcPeeringConnection",
"Condition": {
"StringEquals": {
"ec2:AccepterVpc": {
${AWS::AccountId}:vpc/${vpc}"
}
}
},
"Effect": "Allow",
"Resource": {
${AWS::AccountId}:vpc-peering-connection/*"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "root"
}
]
},
"Type": "AWS::IAM::Role"
},
"vpc": {
"Properties": {
"CidrBlock": "10.1.0.0/16",
},
"Type": "AWS::EC2::VPC"
}
},
"Outputs": {

319
"RoleARN": {
"Value": {
"Fn::GetAtt": [
"peerRole",
"Arn"
]
}
},
"VPCId": {
"Value": {
"Ref": "vpc"
}
}
}
}
Example YAML
Description: Create a VPC and an assumable role for cross account VPC peering.
Parameters:
PeerRequesterAccountId:
Type: String
Resources:
peerRole:
Properties:
Statement:
- Action:
- 'sts:AssumeRole'
Effect: Allow
Principal:
AWS:
Ref: PeerRequesterAccountId
Path: /
Policies:
- PolicyDocument:
Statement:
- Action: 'ec2:acceptVpcPeeringConnection'
Effect: Allow
Resource:
'Fn::Sub': 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}'
- Action: 'ec2:acceptVpcPeeringConnection'
Condition:
StringEquals:
'ec2:AccepterVpc':
'Fn::Sub': 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}'
Effect: Allow
Resource:
'Fn::Sub': >-
arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc-peering-connection/*
Version: 2012-10-17
PolicyName: root
vpc:
Properties:
Outputs:
RoleARN:
Value:

320
Walkthrough: Refer to Resource Outputs
in Another AWS CloudFormation Stack
'Fn::GetAtt':
- peerRole
- Arn
VPCId:
Value:
Ref: vpc
To access the VPC, you can use the same requester template as in Step 2 above.
Walkthrough: Refer to Resource Outputs in Another

AWS CloudFormation Stack
To export resources from one AWS CloudFormation stack to another, create a cross-stack reference.
Cross-stack references let you use a layered or service-oriented architecture. Instead of including all
resources in a single stack, you create related AWS resources in separate stacks; then you can refer to
required resource outputs from other stacks. By restricting cross-stack references to outputs, you control
the parts of a stack that are referenced by other stacks.
For example, you might have a network stack with a VPC, a security group, and a subnet for public web
applications, and a separate public web application stack. To ensure that the web applications use the
security group and subnet from the network stack, you create a cross-stack reference that allows the web
application stack to reference resource outputs from the network stack. With a cross-stack reference,
owners of the web application stacks don't need to create or maintain networking rules or assets.
To create a cross-stack reference, use the Export output field to flag the value of a resource output for
export. Then, use the Fn::ImportValue intrinsic function to import the value. For more information,
see Outputs (p. 271) and Fn::ImportValue (p. 3811).
Prerequisites
Before you begin this walkthrough, check that you have AWS Identity and Access Management (IAM)
permissions to use all of the following services: Amazon VPC, Amazon EC2, and AWS CloudFormation.
Note
AWS CloudFormation is a free service. However, you are charged for the AWS resources that you
include in your stacks at the current rate for each one. For more information about AWS pricing,
see the detail page for each product.
The following restrictions apply to cross-stack references:
• For each AWS account, Export names must be unique within a region.
• You can't create cross-stack references across regions. You can use the intrinsic function
Fn::ImportValue to import only values that have been exported within the same region.
• For outputs, the value of the Name property of an Export can't use Ref or GetAtt functions
that depend on a resource.
Similarly, the ImportValue function can't include Ref or GetAtt functions that depend on a
resource.
• You can't delete a stack if another stack references one of its outputs.
• You can't modify or remove an output value that is referenced by another stack.
Step 1: Use a Sample Template to Create a Network Stack

The network stack contains the VPC, security group, and subnet that you will use in the web application
stack. In addition to these resources, the network stack creates an Internet gateway and routing tables to
enable public access.

321
Walkthrough: Refer to Resource Outputs
in Another AWS CloudFormation Stack
Note
You must create this stack before you create the web application stack. If you create the web
application stack first, it won't have a security group or subnet.
To create the network stack
1. Open the AWS CloudFormation console and choose Create stack.

2. Choose Template is ready, and in the Specify template section choose Amazon S3 URL. Copy and
paste the following URL into the text box: https://s3.amazonaws.com/cloudformation-
examples/user-guide/cross-stack/SampleNetworkCrossStack.template
The link provides the location of the network stack template. To see the resources that the stack
will create, choose the link, which opens the template. In the outputs section, you can see the
networking resources that the sample template exports. The names of the exported resources are
prefixed with the stack's name in case you export networking resources from other stacks. When
users import networking resources, they can specify from which stack the resources are imported.
3. After reviewing the template, choose Next.
4. For Stack name, type SampleNetworkCrossStack, and then choose Next.
Note
Record the name of this stack. You'll need the stack name when you launch the web
application stack.
5. Choose Next. For this walkthrough, you don't need to add tags or specify advanced settings.
It might take several minutes for AWS CloudFormation to create your stack. Wait until all resources
have been successfully created before proceeding to create the web application stack.
7. To monitor progress, view the stack events. For more information, see Viewing AWS CloudFormation
Stack Data and Resources on the AWS Management Console (p. 106).
Step 2: Use a Sample Template to Create a Web Application

Stack
The web application stack creates an EC2 instance that uses the security group and subnet from the
network stack.
Note
You must create this stack in the same region as the network stack.
To create the web application stack
1. Open the AWS CloudFormation console, and choose Create stack.

2. Choose Template is ready, and in the Specify template section choose Amazon S3 URL. Copy and
paste the following URL into the text box: https://s3.amazonaws.com/cloudformation-examples/
user-guide/cross-stack/SampleWebAppCrossStack.template
The link provides the location of the web application template. To see the resources that the stack
will create, choose the link, which will open the template. In the resources section, view the EC2
instance's properties. You can see how the networking resources are imported from another stack by
using the Fn::ImportValue function.
3. After reviewing the template, choose Next.
4. For Stack name, type SampleWebAppCrossStack. In the Parameters section, use the default value
for the NetworkStackName parameter, and then choose Next.
322
Create a Scalable, Load-balancing Web Server
The sample template uses the parameter value to specify from which stack to import values.
5. Choose Next. For this walkthrough, you don't need to add tags or specify advanced settings.
It might take several minutes for AWS CloudFormation to create your stack.
7. After the stack has been created, view its resources and note the instance ID. For more information
on viewing stack resources, see Viewing AWS CloudFormation Stack Data and Resources on the AWS
Management Console (p. 106).
To verify the instance's security group and subnet, view the instance's properties in the Amazon EC2
console. If the instance uses the security group and subnet from the SampleNetworkCrossStack
stack, you have successfully created a cross-stack reference.
Use the console to view the stack outputs and the example website URL to verify that the web
application is running. For more information, see Viewing AWS CloudFormation Stack Data and
Resources on the AWS Management Console (p. 106).
Step 3: Clean Up Your Resources

To ensure that you are not charged for unwanted services, delete the stacks.
To delete the stacks
1. In the AWS CloudFormation console, choose the SampleWebAppCrossStack stack.

2. Choose Actions, and then choose Delete stack.
3. In the confirmation message, choose Delete.
4. After the stack has been deleted, repeat the same steps for the SampleNetworkCrossStack stack.
Note
Wait until AWS CloudFormation completely deletes the SampleWebAppCrossStack stack. If
the EC2 instance is still running in the VPC, AWS CloudFormation won't delete the VPC in
the SampleNetworkCrossStack stack.
All of the resources that you have previously created are deleted.
Use the sample templates from this walkthrough to build your own cross-referenced stacks.
Walkthrough: Create a Scalable, Load-balancing Web

Server
This template creates a sample web site that uses Auto Scaling and Elastic Load Balancing and is
configured to use multiple availability zones. The template also contains CloudWatch alarms that
execute Auto Scaling policies to add or remove instances from the Auto Scaling group when the defined
thresholds are exceeded.
This template creates one or more Amazon EC2 instances. You will be billed for the AWS resources used
if you create a stack from this template.
Note
The template assumes that your account supports the EC2-VPC platform. In other words, you
have a default VPC that allows instances to access the Internet. If you don't have a default VPC,
you can create one. For more information, see Amazon EC2 and Amazon Virtual Private Cloud in
the Amazon EC2 User Guide for Linux Instances.

323
You can get the latest version of this sample template at https://s3.amazonaws.com/cloudformation-
templates-us-east-1/AutoScalingMultiAZWithNotifications.template.
Auto Scaling Multi-AZ Template

{
"Description" : "AWS CloudFormation Sample Template AutoScalingMultiAZWithNotifications:

Create a multi-az, load balanced and Auto Scaled sample web site running on an Apache Web
Server. The application is configured to span all Availability Zones in the region and is
Auto-Scaled based on the CPU utilization of the web servers. Notifications will be sent
to the operator email address on scaling events. The instances are load balanced with a
simple health check against the default web page. **WARNING** This template creates one
or more Amazon EC2 instances and an Elastic Load Balancer. You will be billed for the AWS
resources used if you create a stack from this template.",
"Parameters" : {
"InstanceType" : {
"Type" : "String",
"AllowedValues" : [
"t1.micro",
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c1.medium",
"c1.xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"g2.2xlarge",
"g2.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",

324
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
"cg1.4xlarge"
],
},
"OperatorEMail": {
"Description": "EMail address to notify if there are any scaling operations",
"Type": "String",
"AllowedPattern": "([a-zA-Z0-9_\\-\\.]+)@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\
\.)|(([a-zA-Z0-9\\-]+\\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\\]?)",
"ConstraintDescription": "must be a valid email address."
},
"KeyName" : {
"Description" : "The EC2 Key Pair to allow SSH access to the instances",
"Type" : "AWS::EC2::KeyPair::KeyName",
},
"SSHLocation" : {
"Description" : "The IP address range that can be used to SSH to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
}
},
"Mappings" : {
"t1.micro" : { "Arch" : "HVM64" },
"t2.nano" : { "Arch" : "HVM64" },
"t2.micro" : { "Arch" : "HVM64" },
"t2.small" : { "Arch" : "HVM64" },
"t2.large" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "HVM64" },
"m1.large" : { "Arch" : "HVM64" },
"m2.2xlarge" : { "Arch" : "HVM64" },
"m2.4xlarge" : { "Arch" : "HVM64" },
"m3.large" : { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"m4.large" : { "Arch" : "HVM64" },
"m4.2xlarge" : { "Arch" : "HVM64" },
"m4.4xlarge" : { "Arch" : "HVM64" },
"m4.10xlarge" : { "Arch" : "HVM64" },

325

"c3.large" : { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },
"c3.8xlarge" : { "Arch" : "HVM64" },
"c4.large" : { "Arch" : "HVM64" },
"c4.2xlarge" : { "Arch" : "HVM64" },
"c4.4xlarge" : { "Arch" : "HVM64" },
"c4.8xlarge" : { "Arch" : "HVM64" },
"r3.large" : { "Arch" : "HVM64" },
"r3.2xlarge" : { "Arch" : "HVM64" },
"r3.4xlarge" : { "Arch" : "HVM64" },
"r3.8xlarge" : { "Arch" : "HVM64" },
"i2.2xlarge" : { "Arch" : "HVM64" },
"i2.4xlarge" : { "Arch" : "HVM64" },
"i2.8xlarge" : { "Arch" : "HVM64" },
"d2.2xlarge" : { "Arch" : "HVM64" },
"d2.4xlarge" : { "Arch" : "HVM64" },
"d2.8xlarge" : { "Arch" : "HVM64" },
},
"AWSInstanceType2NATArch" : {
"t1.micro" : { "Arch" : "NATHVM64" },
"t2.nano" : { "Arch" : "NATHVM64" },
"t2.micro" : { "Arch" : "NATHVM64" },
"t2.small" : { "Arch" : "NATHVM64" },
"t2.medium" : { "Arch" : "NATHVM64" },
"t2.large" : { "Arch" : "NATHVM64" },
"m1.small" : { "Arch" : "NATHVM64" },
"m1.medium" : { "Arch" : "NATHVM64" },
"m1.large" : { "Arch" : "NATHVM64" },
"m1.xlarge" : { "Arch" : "NATHVM64" },
"m2.2xlarge" : { "Arch" : "NATHVM64" },
"m3.medium" : { "Arch" : "NATHVM64" },
"c1.medium" : { "Arch" : "NATHVM64" },
"c1.xlarge" : { "Arch" : "NATHVM64" },
"c3.large" : { "Arch" : "NATHVM64" },
"c3.2xlarge" : { "Arch" : "NATHVM64" },
"c4.large" : { "Arch" : "NATHVM64" },

326

"g2.2xlarge" : { "Arch" : "NATHVMG2" },
"g2.8xlarge" : { "Arch" : "NATHVMG2" },
"r3.large" : { "Arch" : "NATHVM64" },
"r3.xlarge" : { "Arch" : "NATHVM64" },
"r3.2xlarge" : { "Arch" : "NATHVM64" },
"i2.xlarge" : { "Arch" : "NATHVM64" },
"i2.2xlarge" : { "Arch" : "NATHVM64" },
"d2.xlarge" : { "Arch" : "NATHVM64" },
"d2.2xlarge" : { "Arch" : "NATHVM64" },
"hi1.4xlarge" : { "Arch" : "NATHVM64" },
"hs1.8xlarge" : { "Arch" : "NATHVM64" },
"cr1.8xlarge" : { "Arch" : "NATHVM64" },
"cc2.8xlarge" : { "Arch" : "NATHVM64" }
}
,
"ami-0a584ac55a7631c0c"},
"ami-0a7c483d527806435"},
"ami-06223d46a6d0661c7"},
"ami-053cdd503598e4a9d"},
}
},
"Resources" : {
"NotificationTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [ { "Endpoint": { "Ref": "OperatorEMail" }, "Protocol": "email" } ]
}
},
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : ""},

327

"MinSize" : "1",
"MaxSize" : "3",
"LoadBalancerNames" : [ { "Ref" : "ElasticLoadBalancer" } ],
"NotificationConfiguration" : {
"TopicARN" : { "Ref" : "NotificationTopic" },
"NotificationTypes" : [ "autoscaling:EC2_INSTANCE_LAUNCH",
"autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
"autoscaling:EC2_INSTANCE_TERMINATE",
"autoscaling:EC2_INSTANCE_TERMINATE_ERROR"]
}
},
"Timeout" : "PT15M",
"Count" : "1"
}
},
"UpdatePolicy": {
}
}
},
"LaunchConfig" : {
"Metadata" : {
"Comment" : "Install a simple application",
"config" : {
"packages" : {
"yum" : {
"httpd" : []
}
},
"files" : {
"<img src=\"", {"Fn::FindInMap" : ["Region2Examples", {"Ref" :
"AWS::Region"}, "Examples"]}, "/cloudformation_graphic.png\" alt=\"AWS CloudFormation Logo
\"/>",
]]},
"mode" : "000644",
"owner" : "root",
"group" : "root"
},
"content" : { "Fn::Join" : ["", [
"[main]\n",
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
},

328

"path=Resources.LaunchConfig.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -v ",
"runas=root\n"
]]}
}
},
"services" : {
"sysvinit" : {
"files" : ["/etc/cfn/cfn-hup.conf", "/etc/cfn/hooks.d/cfn-
auto-reloader.conf"]}
}
}
}
}
},
"Properties" : {
{ "Fn::FindInMap" : [ "AWSInstanceType2Arch",
{ "Ref" : "InstanceType" }, "Arch" ] } ] },
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
"yum update -y aws-cfn-bootstrap\n",
]]}}
}
},
"WebServerScaleUpPolicy" : {
"Type" : "AWS::AutoScaling::ScalingPolicy",
"Properties" : {
"AdjustmentType" : "ChangeInCapacity",
"AutoScalingGroupName" : { "Ref" : "WebServerGroup" },
"Cooldown" : "60",
"ScalingAdjustment" : "1"
}
},
"WebServerScaleDownPolicy" : {
"Properties" : {
"AutoScalingGroupName" : { "Ref" : "WebServerGroup" },
"Cooldown" : "60",
"ScalingAdjustment" : "-1"
}
},

329
"CPUAlarmHigh": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "Scale-up if CPU > 90% for 10 minutes",
"MetricName": "CPUUtilization",
"Namespace": "AWS/EC2",
"Statistic": "Average",
"Period": "300",
"EvaluationPeriods": "2",
"Threshold": "90",
"AlarmActions": [ { "Ref": "WebServerScaleUpPolicy" } ],
"Dimensions": [
{
"Name": "AutoScalingGroupName",
"Value": { "Ref": "WebServerGroup" }
}
],
"ComparisonOperator": "GreaterThanThreshold"
}
},
"CPUAlarmLow": {
"Properties": {
"AlarmDescription": "Scale-down if CPU < 70% for 10 minutes",
"Period": "300",
"Threshold": "70",
"AlarmActions": [ { "Ref": "WebServerScaleDownPolicy" } ],
"Dimensions": [
{
"Value": { "Ref": "WebServerGroup" }
}
],
"ComparisonOperator": "LessThanThreshold"
}
},
"Properties" : {
"Listeners" : [ {
"Protocol" : "HTTP"
} ],
"HealthCheck" : {
"Interval" : "30",
"Timeout" : "5"
}
}
},
"InstanceSecurityGroup" : {
"Properties" : {
"GroupDescription" : "Enable SSH access and HTTP from the load balancer only",

330
"SecurityGroupIngress" : [ {
"IpProtocol" : "tcp",
"FromPort" : "22",
"ToPort" : "22",
"CidrIp" : { "Ref" : "SSHLocation"}
},
{
"FromPort" : "80",
"ToPort" : "80",
"SourceSecurityGroup.OwnerAlias"]},
"SourceSecurityGroupName" : {"Fn::GetAtt" : ["ElasticLoadBalancer",
"SourceSecurityGroup.GroupName"]}
} ]
}
}
},
"Outputs" : {
"URL" : {
"Description" : "The URL of the website",
"Value" : { "Fn::Join" : [ "", [ "http://", { "Fn::GetAtt" :
[ "ElasticLoadBalancer", "DNSName" ]}]]}
}
}
}
Template Walkthrough
The example template contains an Auto Scaling group with a LoadBalancer, a security group that defines
ingress rules, CloudWatch alarms, and Auto Scaling policies.
The template has three input parameters: InstanceType is the type of EC2 instance to use for the Auto
Scaling group and has a default of m1.small; WebServerPort is the TCP port for the web server and
has a default of 8888; KeyName is the name of an EC2 key pair to be used for the Auto Scaling group.
KeyName must be specified at stack creation (parameters with no default value must be specified at
stack creation).
The AWS::AutoScaling::AutoScalingGroup resource WebServerGroup declares the following Auto Scaling

group configuration:
• AvailabilityZones specifies the availability zones where the auto scaling group's EC2 instances will be
created. The Fn::GetAZs (p. 3809) function call { "Fn::GetAZs" : "" } specifies all availability
zones for the region in which the stack is created.
• MinSize and MaxSize set the minimum and maximum number of EC2 instances in the Auto Scaling
group.
• LoadBalancerNames lists the LoadBalancers used to route traffic to the Auto Scaling group. The
LoadBalancer for this group is the ElasticLoadBalancer resource.
The AWS::AutoScaling::LaunchConfiguration resource LaunchConfig declares the following

configurations to use for the EC2 instances in the WebServerGroup Auto Scaling group:
• KeyName takes the value of the KeyName input parameter as the EC2 key pair to use.
• UserData is the Base64 encoded value of the WebServerPort parameter, which is passed to an
application .
• SecurityGroups is a list of EC2 security groups that contain the firewall ingress rules for EC2 instances
in the Auto Scaling group. In this example, there is only one security group and it is declared as a
AWS::EC2::SecurityGroup resource: InstanceSecurityGroup. This security group contains two ingress

331
rules: 1) a TCP ingress rule that allows access from all IP addresses ("CidrIp" : "0.0.0.0/0") for port 22
(for SSH access) and 2) a TCP ingress rule that allows access from the ElasticLoadBalancer resource for
the WebServerPort port by specifying the LoadBalancer's source security group. The GetAtt (p. 3807)
function is used to get the SourceSecurityGroup.OwnerAlias and SourceSecurityGroup.GroupName
properties from the ElasticLoadBalancer resource. For more information about the Elastic Load
Balancing security groups, see Manage Security Groups in Amazon EC2-Classic or Manage Security
Groups in Amazon VPC.
• ImageId is the evaluated value of a set of nested maps. We added the maps so that the template
contained the logic for choosing the right image ID. That logic is based on the instance type that was
specified with the InstanceType parameter (AWSInstanceType2Arch maps the instance type to an
architecture 32 or 64) and the region where the stack is created (AWSRegionArch2AMI maps the region
and architecture to a image ID):
{ "Fn::FindInMap" : [ "AWSRegionArch2AMI",
{ "Ref" : "AWS::Region" },
{ "Ref" : "InstanceType" },
"Arch" ]
}
]}
For example, if you use this template to create a stack in the us-east-2 region and specify m1.small
as InstanceType, AWS CloudFormation would evaluate the inner map for AWSInstanceType2Arch as
the following:
{ "Fn::FindInMap" : [ "AWSInstanceType2Arch", "m1.small", "Arch" ] }
In the AWSInstanceType2Arch mapping, the Arch value for the m1.small key maps to 32, which is used
as the value for the outer map. The key is the evaluated result of the AWS::Region pseudo parameter
which is the region where the stack is being created. For this example, AWS::Region is us-east-1;
therefore, the outer map is evaluated as follows:
Fn::FindInMap" : [ "AWSRegionArch2AMI", "us-east-1", "32"]
In the AWSRegionArch2AMI mapping, the value 32 for the key us-east-1 maps to ami-6411e20d. This
means that ImageId would be ami-6411e20d.
The AWS::ElasticLoadBalancing::LoadBalancer resource ElasticLoadBalancer declares the following

LoadBalancer configuration:
• AvailabilityZones is a list of availability zones where the LoadBalancer will distribute traffic. In this
example, the Fn::GetAZs function call { "Fn::GetAZs" : "" } specifies all availability zones for the
region in which the stack is created.
• Listeners is a list of load balancing routing configurations that specify the port that the LoadBalancer
accepts requests, the port on the registered EC2 instances where the LoadBalancer forwards requests,
and the protocol used to route requests.
• HealthCheck is the configuration that Elastic Load Balancing uses to check the health of the
EC2 instances that the LoadBalancer routes traffic to. In this example, the HealthCheck targets
the root address of the EC2 instances using the port specified by WebServerPort over the HTTP
protocol. If the WebServerPort is 8888, the { "Fn::Join" : [ "", ["HTTP:", { "Ref" :
"WebServerPort" }, "/"]]} function call is evaluated as the string HTTP:8888/. It also specifies
that the EC2 instances have an interval of 30 seconds between health checks (Interval). The Timeout
is defined as the length of time Elastic Load Balancing waits for a response from the health check
target (5 seconds in this example). After the Timeout period lapses, Elastic Load Balancing marks that
EC2 instance's health check as unhealthy. When an EC2 instance fails 5 consecutive health checks

332
Deploying Applications
(UnhealthyThreshold), Elastic Load Balancing stops routing traffic to that EC2 instance until that
instance has 3 consecutive healthy health checks at which point Elastic Load Balancing considers the
EC2 instance healthy and begins routing traffic to that instance again.
The AWS::AutoScaling::ScalingPolicy resource WebServerScaleUpPolicy is an Auto Scaling policy

that scales up the Auto Scaling group WebServerGroup. The AdjustmentType property is set to
ChangeInCapacity. This means that the ScalingAdjustment represents the number of instances to
add (if ScalingAdjustment is positive, instances are added; if negative, instances are deleted). In this
example, ScalingAdjustment is 1; therefore, the policy increments the number of EC2 instances in
the group by 1 when the policy is executed. The Cooldown property specifies that Auto Scaling waits 60
seconds before starting any other policy or trigger related actions.
The AWS::CloudWatch::Alarm resource CPUAlarmHigh specifies the scaling policy

WebServerScaleUpPolicy as the action to execute when the alarm is in an ALARM state (AlarmActions).
The alarm monitors the EC2 instances in the WebServerGroup Auto Scaling group (Dimensions). The
alarm measures the average (Statistic) EC2 instance CPU utilization (Namespace and MetricName) of
the instances in the WebServerGroup (Dimensions) over a 300 second interval (Period). When this value
(average CPU utilization over 300 seconds) remains greater than 90 percent (ComparisonOperator and
Threshold) for 2 consecutive periods (EvaluationPeriod), the alarm will go into an ALARM state and
CloudWatch will execute the WebServerScaleUpPolicy policy (AlarmActions) described above scale up the
WebServerGroup.
The CPUAlarmLow alarm measures the same metrics but has an alarm that triggers when
CPU utilization is less than 75 percent (ComparisonOperator and Threshold) and executes the
WebServerScaleDownPolicy policy to remove 1 EC2 instance from the Auto Scaling group
WebServerGroup.
Deploying Applications on Amazon EC2 with AWS

CloudFormation
You can use AWS CloudFormation to automatically install, configure, and start applications on Amazon
EC2 instances. Doing so enables you to easily duplicate deployments and update existing installations
without connecting directly to the instance, which can save you a lot of time and effort.
AWS CloudFormation includes a set of helper scripts (cfn-init, cfn-signal, cfn-get-metadata, and cfn-hup)
that are based on cloud-init. You call these helper scripts from your AWS CloudFormation templates to
install, configure, and update applications on Amazon EC2 instances that are in the same template.
The following walkthrough describes how to create a template that launches a LAMP stack by using
cfn helper scripts to install, configure and start Apache, MySQL, and PHP. You'll start with a simple
template that sets up a basic Amazon EC2 instance running Amazon Linux, and then continue adding to
the template until it describes a full LAMP stack.
For additional strategies and examples about deploying applications with AWS CloudFormation, see the
Bootstrapping Applications via AWS CloudFormation article.
Topics
• Basic Amazon EC2 Instance (p. 334)
• LAMP Installation (p. 337)
• LAMP Configuration (p. 340)
• CreationPolicy Attribute (p. 343)

333
Basic Amazon EC2 Instance

You start with a basic template that defines a single Amazon EC2 instance with a security group that
allows SSH traffic on port 22 and HTTP traffic on port 80, as shown in the following example:
{
"Description" : "AWS CloudFormation sample template LAMP_Single_Instance: Create a LAMP

stack using a single EC2
instance and a local MySQL database for storage. This template demonstrates using the AWS
CloudFormation bootstrap
scripts to install the packages and files necessary to deploy the Apache web server, PHP,
and MySQL at instance launch time.
**WARNING** This template creates an Amazon EC2 instance. You will be billed for the AWS
"Parameters" : {
"KeyName": {
instance",
"ConstraintDescription" : "Can contain only ASCII characters."
},
"InstanceType" : {
"Type" : "String",
"AllowedValues" : [
"t1.micro",
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c1.medium",
"c1.xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"g2.2xlarge",

334
"g2.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
"cg1.4xlarge"
],
},
"SSHLocation" : {
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"ConstraintDescription": "Must be a valid IP CIDR range of the form x.x.x.x/x"
}
},
{
"Mappings" : {
"t1.micro" : { "Arch" : "HVM64" },
"t2.nano" : { "Arch" : "HVM64" },
"t2.micro" : { "Arch" : "HVM64" },
"t2.small" : { "Arch" : "HVM64" },
"t2.large" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "HVM64" },
"m1.large" : { "Arch" : "HVM64" },
"m2.2xlarge" : { "Arch" : "HVM64" },
"m2.4xlarge" : { "Arch" : "HVM64" },
"m3.large" : { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"m4.large" : { "Arch" : "HVM64" },
"m4.2xlarge" : { "Arch" : "HVM64" },
"m4.4xlarge" : { "Arch" : "HVM64" },
"m4.10xlarge" : { "Arch" : "HVM64" },
"c3.large" : { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },
"c3.8xlarge" : { "Arch" : "HVM64" },
"c4.large" : { "Arch" : "HVM64" },

335

"c4.2xlarge" : { "Arch" : "HVM64" },
"c4.4xlarge" : { "Arch" : "HVM64" },
"c4.8xlarge" : { "Arch" : "HVM64" },
"r3.large" : { "Arch" : "HVM64" },
"r3.2xlarge" : { "Arch" : "HVM64" },
"r3.4xlarge" : { "Arch" : "HVM64" },
"r3.8xlarge" : { "Arch" : "HVM64" },
"i2.2xlarge" : { "Arch" : "HVM64" },
"i2.4xlarge" : { "Arch" : "HVM64" },
"i2.8xlarge" : { "Arch" : "HVM64" },
"d2.2xlarge" : { "Arch" : "HVM64" },
"d2.4xlarge" : { "Arch" : "HVM64" },
"d2.8xlarge" : { "Arch" : "HVM64" },
},
"ami-0a584ac55a7631c0c"},
"ami-0a7c483d527806435"},
"ami-06223d46a6d0661c7"},
"ami-053cdd503598e4a9d"},
}
},
"Resources" : {
"Properties": {
"KeyName" : { "Ref" : "KeyName" }
}

336
},
"Properties" : {
"0.0.0.0/0"},
"SSHLocation"}}
]
}
}
},
"Outputs" : {
"WebsiteURL" : {
"Description" : "URL for newly created LAMP stack",
}
}
}
In addition to the Amazon EC2 instance and security group, we create three input parameters that
specify the instance type, an Amazon EC2 key pair to use for SSH access, and an IP address range that
can be used to SSH to the instance. The mapping section ensures that AWS CloudFormation uses the
correct AMI ID for the stack's region and the Amazon EC2 instance type. Finally, the output section
outputs the public URL of the web server.
LAMP Installation
You'll build on the previous basic Amazon EC2 template to automatically install Apache, MySQL, and
PHP. To install the applications, you'll add a UserData property and Metadata property. However, the
template won't configure and start the applications until the next section.
In the following example, sections marked with an ellipsis (...) are omitted for brevity. Additions to the
template are shown in red italic text.
{
"Description" : "AWS CloudFormation Sample Template LAMP_Install_Only: ...",
"Parameters" : {
"KeyName" : { ... },
"InstanceType" : { ... },
"Mappings" : { ... },
"Resources" : {
"Metadata" : {
"Comment1" : "Configure the bootstrap helpers to install the Apache Web Server and
PHP",
"Comment2" : "Save website content to /var/www/html/index.php",
"configSets" : {
"Install" : [ "Install" ]

337
},
"Install" : {
"packages" : {
"yum" : {
"mysql" : [],
"mysql-libs" : [],
"httpd" : [],
"php" : [],
"php-mysql" : []
}
},
"files" : {
"content" : { "Fn::Join" : [ "", [
"<html>\n",
" <head>\n",
" <title>AWS CloudFormation PHP Sample</title>\n",
" <meta http-equiv=\"Content-Type\" content=\"text/html;
charset=ISO-8859-1\">\n",
" </head>\n",
" <body>\n",
" <h1>Welcome to the AWS CloudFormation PHP Sample</h1>\n",
" <p/>\n",
" <?php\n",
" // Print out the current data and time\n",
" print \"The Current Date and Time is: <br/>\";\n",
" print date(\"g:i A l, F j Y.\");\n",
" ?>\n",
" <p/>\n",
" <?php\n",
" // Setup a handle for CURL\n",
" $curl_handle=curl_init();\n",
" curl_setopt($curl_handle,CURLOPT_CONNECTTIMEOUT,2);\n",
" curl_setopt($curl_handle,CURLOPT_RETURNTRANSFER,1);\n",
" // Get the hostname of the instance from the instance metadata\n",
" curl_setopt($curl_handle,CURLOPT_URL,'http://169.254.169.254/
latest/meta-data/public-hostname');\n",
" $hostname = curl_exec($curl_handle);\n",
" if (empty($hostname))\n",
" {\n",
" print \"Sorry, for some reason, we got no hostname back <br />
\";\n",
" }\n",
" else\n",
" {\n",
" print \"Server = \" . $hostname . \"<br />\";\n",
" }\n",
" // Get the instance-id of the instance from the instance metadata
\n",
latest/meta-data/instance-id');\n",
" $instanceid = curl_exec($curl_handle);\n",
" if (empty($instanceid))\n",
" {\n",
" print \"Sorry, for some reason, we got no instance id back <br /
>\";\n",
" }\n",
" else\n",
" {\n",
" print \"EC2 instance-id = \" . $instanceid . \"<br />\";\n",
" }\n",
" $Database = \"", {"Ref" : "DBName"}, "\";\n",
" $DBUser = \"", {"Ref" : "DBUsername"}, "\";\n",

338
" $DBPassword = \"", {"Ref" : "DBPassword"}, "\";\n",

" print \"Database = \" . $Database . \"<br />\";\n",
" $dbconnection = mysql_connect($Database, $DBUser, $DBPassword)\n",
" or die(\"Could not connect: \" . mysql_error());
\n",
" print (\"Connected to $Database successfully\");\n",
" mysql_close($dbconnection);\n",
" ?>\n",
" <h2>PHP Information</h2>\n",
" <p/>\n",
" <?php\n",
" phpinfo();\n",
" ?>\n",
" </body>\n",
"</html>\n"
]]},
"mode" : "000600",
"owner" : "apache",
"group" : "apache"
}
},
"services" : {
"sysvinit" : {
}
}
}
},
"Properties": {

" --configsets Install ",
]]}}
}
},
"WebServerSecurityGroup" : { ... }
},
"Outputs" : { ... }
}
The UserData property runs two shell commands: install the AWS CloudFormation helper scripts
and then run the cfn-init (p. 3831) helper script. Because the helper scripts are updated periodically,
running the yum install -y aws-cfn-bootstrap command ensures that you get the latest
helper scripts. When you run cfn-init, it reads metadata from the AWS::CloudFormation::Init (p. 219)
resource, which describes the actions to be carried out by cfn-init. For example, you can use cfn-init and
AWS::CloudFormation::Init to install packages, write files to disk, or start a service. In our case, cfn-init
installs the listed packages (httpd, mysql, and php) and creates the /var/www/html/index.php file (a
sample PHP application).

339
LAMP Configuration
Now that we have a template that installs Linux, Apache, MySQL, and PHP, we'll need to expand the
template so that it automatically configures and runs Apache, MySQL, and PHP. In the following
example, we expand on the Parameters section, AWS::CloudFormation::Init resource, and
UserData property to complete the configuration. As with the previous template, sections marked with
an ellipsis (...) are omitted for brevity. Additions to the template are shown in red italic text.
Note that the example defines the DBUsername and DBPassword parameters with their NoEcho
property set to true. If you set the NoEcho attribute to true, CloudFormation returns the parameter
value masked as asterisks (*****) for any calls that describe the stack or stack events.
Important
{
"Description" : "AWS CloudFormation Sample Template LAMP_Single_Instance: Create a LAMP

stack using a single EC2 instance and a local MySQL database for storage. This template
demonstrates using the AWS CloudFormation bootstrap scripts to install the packages and
files necessary to deploy the Apache web server, PHP and MySQL at instance launch time.
"Parameters" : {
"KeyName" : { ... },
"DBName": {
"Default": "MyDatabase",
"Description" : "MySQL database name",
"Type": "String",
"MinLength": "1",
"MaxLength": "64",
"AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription" : "Must begin with a letter and contain only alphanumeric
characters"
},
"DBUsername": {
"NoEcho": "true",
"Description" : "Username for MySQL database access",
"Type": "String",
"MinLength": "1",
"MaxLength": "16",
characters"
},
"DBPassword": {

340
"NoEcho": "true",
"Description" : "Password for MySQL database access",
"Type": "String",
"MinLength": "1",
"MaxLength": "41",
"AllowedPattern" : "[a-zA-Z0-9]*",
"ConstraintDescription" : "Must contain only alphanumeric characters"
},
"DBRootPassword": {
"NoEcho": "true",
"Description" : "Root password for MySQL",
"Type": "String",
"MinLength": "1",
"MaxLength": "41",
},
"InstanceType" : { ... }
},
"Mappings" : {
...
},
"Resources" : {
"Metadata" : {
"Comment1" : "Configure the bootstrap helpers to install the Apache Web Server and
PHP",
"Comment2" : "Save website content to /var/www/html/index.php",
"configSets" : {
"InstallAndRun" : [ "Install", "Configure" ]
},
"Install" : {
"packages" : {
"yum" : {
"mysql" : [],
"mysql-libs" : [],
"httpd" : [],
"php" : [],
"php-mysql" : []
}
},
"files" : {
"content" : { ... },
"mode" : "000600",
"owner" : "apache",
"group" : "apache"
},
"content" : { "Fn::Join" : ["", [
"GRANT ALL ON ", { "Ref" : "DBName" }, ".* TO '", { "Ref" :
"DBUsername" }, "'@localhost IDENTIFIED BY '", { "Ref" : "DBPassword" }, "';\n"
]]},
"mode" : "000400",

341
"owner" : "root",
"group" : "root"
},
"content" : { "Fn::Join" : ["", [
"[main]\n",
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
},
" --configsets InstallAndRun ",
"runas=root\n"
]]}
}
},
},
"services" : {
"sysvinit" : {
"mysqld" : { "enabled" : "true", "ensureRunning" : "true" },
}
}
},
"Configure" : {
"commands" : {
"01_set_mysql_root_password" : {
"command" : { "Fn::Join" : ["", ["mysqladmin -u root password '", { "Ref" :
"DBRootPassword" }, "'"]]},
"test" : { "Fn::Join" : ["", ["$(mysql ", { "Ref" : "DBUsername" }, " -u
root --password='", { "Ref" : "DBRootPassword" }, "' >/dev/null 2>&1 </dev/null); (( $? !=
0 ))"]]}
},
"02_create_database" : {
"command" : { "Fn::Join" : ["", ["mysql -u root --password='", { "Ref" :
"DBRootPassword" }, "' < /tmp/setup.mysql"]]},
0 ))"]]}
}
}
}
}
},
"Properties": {

342


"/opt/aws/bin/cfn-init ",
]]}}
}
},
"WebServerSecurityGroup" : { ... }
},
"Outputs" : { ... }
}
The example adds more parameters to obtain information for configuring the MySQL database, such as
the database name, user name, password, and root password. The parameters also contain constraints
that catch incorrectly formatted values before AWS CloudFormation creates the stack.
In the AWS::CloudFormation::Init resource, we added a MySQL setup file, containing the database
name, user name, and password. The example also adds a services property to ensure that the httpd
and mysqld services are running (ensureRunning set to true) and to ensure that the services are
restarted if the instance is rebooted (enabled set to true). A good practice is to also include the cfn-
hup (p. 3841) helper script, with which you can make configuration updates to running instances by
updating the stack template. For example, you could change the sample PHP application and then run a
stack update to deploy the change.
In order to run the MySQL commands after the installation is complete, the example adds another
configuration set to run the commands. Configuration sets are useful when you have a series of tasks
that must be completed in a specific order. The example first runs the Install configuration set and
then the Configure configuration set. The Configure configuration set specifies the database root
password and then creates a database. In the commands section, the commands are processed in
alphabetical order by name, so the example adds a number before each command name to indicate its
desired run order.
CreationPolicy Attribute
Finally, you need a way to instruct AWS CloudFormation to complete stack creation only after all the
services (such as Apache and MySQL) are running and not after all the stack resources are created. In
other words, if you use the template from the previous section to launch a stack, AWS CloudFormation
sets the status of the stack as CREATE_COMPLETE after it successfully creates all the resources.
However, if one or more services failed to start, AWS CloudFormation still sets the stack status as
CREATE_COMPLETE. To prevent the status from changing to CREATE_COMPLETE until all the services
have successfully started, you can add a CreationPolicy (p. 3760) attribute to the instance. This attribute
puts the instance's status in CREATE_IN_PROGRESS until AWS CloudFormation receives the required
number of success signals or the timeout period is exceeded, so you can control when the instance has
been successfully created.
The following example adds a creation policy to the Amazon EC2 instance to ensure that cfn-init
completes the LAMP installation and configuration before the stack creation is completed. In conjunction
with the creation policy, the example needs to run the cfn-signal (p. 3834) helper script to signal AWS
CloudFormation when all the applications are installed and configured.

343
"Description" : "AWS CloudFormation Sample Template LAMP_Single_Instance: ...",
"Parameters" : { ... },
"Mappings" : { ... },
"Resources" : {
"Metadata" : { ... },
"Properties": {
"yum update aws-cfn-bootstrap\n",

"/opt/aws/bin/cfn-init ",

]]}}
},
"Timeout" : "PT5M"
}
}
},
"WebServerSecurityGroup" : { ...
}
},
"Outputs" : {
"WebsiteURL" : { ...
}
}
}
The creation policy attribute uses the ISO 8601 format to define a timeout period of 5 minutes. And
because you're waiting for just 1 instance to be configured, you only need to wait for one success signal,
which is the default count.
In the UserData property, the template runs the cfn-signal script to send a success signal with an exit
code if all the services are configured and started successfully. When you use the cfn-signal script, you
must include the stack ID or name and the logical ID of the resource that you want to signal. If the
configuration fails, cfn-signal sends a failure signal that causes the resource creation to fail. The resource
creation also fails if AWS CloudFormation doesn't receive a success signal within the timeout period.

344
The following example shows the final complete template.
You can also view the template at the following location:
https://s3.amazonaws.com/cloudformation-templates-us-east-1/LAMP_Single_Instance.template
{
"Description" : "AWS CloudFormation Sample Template LAMP_Single_Instance: Create a LAMP

stack using a single EC2 instance and a local MySQL database for storage. This template
demonstrates using the AWS CloudFormation bootstrap scripts to install the packages and
files necessary to deploy the Apache web server, PHP and MySQL at instance launch time.
"Parameters" : {
"KeyName": {
instance",
"ConstraintDescription" : "Can contain only ASCII characters."
},
"DBName": {
"Default": "MyDatabase",
"Description" : "MySQL database name",
"Type": "String",
"MinLength": "1",
"MaxLength": "64",
characters"
},
"DBUsername": {
"NoEcho": "true",
"Description" : "User name for MySQL database access",
"Type": "String",
"MinLength": "1",
"MaxLength": "16",
characters"
},
"DBPassword": {
"NoEcho": "true",
"Description" : "Password for MySQL database access",
"Type": "String",
"MinLength": "1",
"MaxLength": "41",
},
"DBRootPassword": {
"NoEcho": "true",
"Description" : "Root password for MySQL",
"Type": "String",
"MinLength": "1",
"MaxLength": "41",

345
},
"InstanceType" : {
"Type" : "String",
"AllowedValues" : [
"t1.micro",
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c1.medium",
"c1.xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"g2.2xlarge",
"g2.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
"cg1.4xlarge"
],
},
"SSHLocation" : {

346
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"ConstraintDescription": "Must be a valid IP CIDR range of the form x.x.x.x/x"
}
},
"Mappings" : {
"t1.micro" : { "Arch" : "HVM64" },
"t2.nano" : { "Arch" : "HVM64" },
"t2.micro" : { "Arch" : "HVM64" },
"t2.small" : { "Arch" : "HVM64" },
"t2.large" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "HVM64" },
"m1.large" : { "Arch" : "HVM64" },
"m2.2xlarge" : { "Arch" : "HVM64" },
"m2.4xlarge" : { "Arch" : "HVM64" },
"m3.large" : { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"m4.large" : { "Arch" : "HVM64" },
"m4.2xlarge" : { "Arch" : "HVM64" },
"m4.4xlarge" : { "Arch" : "HVM64" },
"m4.10xlarge" : { "Arch" : "HVM64" },
"c3.large" : { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },
"c3.8xlarge" : { "Arch" : "HVM64" },
"c4.large" : { "Arch" : "HVM64" },
"c4.2xlarge" : { "Arch" : "HVM64" },
"c4.4xlarge" : { "Arch" : "HVM64" },
"c4.8xlarge" : { "Arch" : "HVM64" },
"r3.large" : { "Arch" : "HVM64" },
"r3.2xlarge" : { "Arch" : "HVM64" },
"r3.4xlarge" : { "Arch" : "HVM64" },
"r3.8xlarge" : { "Arch" : "HVM64" },
"i2.2xlarge" : { "Arch" : "HVM64" },
"i2.4xlarge" : { "Arch" : "HVM64" },
"i2.8xlarge" : { "Arch" : "HVM64" },
"d2.2xlarge" : { "Arch" : "HVM64" },
"d2.4xlarge" : { "Arch" : "HVM64" },
"d2.8xlarge" : { "Arch" : "HVM64" },
},

347

"ami-0a584ac55a7631c0c"},
"ami-0a7c483d527806435"},
"ami-06223d46a6d0661c7"},
"ami-053cdd503598e4a9d"},
}
},
"Resources" : {
"Metadata" : {
"configSets" : {
"InstallAndRun" : [ "Install", "Configure" ]
},
"Install" : {
"packages" : {
"yum" : {
"mysql" : [],
"mysql-libs" : [],
"httpd" : [],
"php" : [],
"php-mysql" : []
}
},
"files" : {
"content" : { "Fn::Join" : [ "", [
"<html>\n",
" <head>\n",
" <title>AWS CloudFormation PHP Sample</title>\n",
" <meta http-equiv=\"Content-Type\" content=\"text/html;
charset=ISO-8859-1\">\n",
" </head>\n",
" <body>\n",
" <h1>Welcome to the AWS CloudFormation PHP Sample</h1>\n",
" <p/>\n",
" <?php\n",
" // Print out the current data and time\n",

348
" print \"The Current Date and Time is: <br/>\";\n",

" print date(\"g:i A l, F j Y.\");\n",
" ?>\n",
" <p/>\n",
" <?php\n",
" // Setup a handle for CURL\n",
" $curl_handle=curl_init();\n",
" curl_setopt($curl_handle,CURLOPT_CONNECTTIMEOUT,2);\n",
" curl_setopt($curl_handle,CURLOPT_RETURNTRANSFER,1);\n",
" // Get the hostname of the intance from the instance metadata\n",
latest/meta-data/public-hostname');\n",
" $hostname = curl_exec($curl_handle);\n",
" if (empty($hostname))\n",
" {\n",
" print \"Sorry, for some reason, we got no hostname back <br />
\";\n",
" }\n",
" else\n",
" {\n",
" print \"Server = \" . $hostname . \"<br />\";\n",
" }\n",
" // Get the instance-id of the intance from the instance metadata
\n",
latest/meta-data/instance-id');\n",
" $instanceid = curl_exec($curl_handle);\n",
" if (empty($instanceid))\n",
" {\n",
" print \"Sorry, for some reason, we got no instance id back <br /
>\";\n",
" }\n",
" else\n",
" {\n",
" print \"EC2 instance-id = \" . $instanceid . \"<br />\";\n",
" }\n",
" $Database = \"", {"Ref" : "DBName"}, "\";\n",
" $DBUser = \"", {"Ref" : "DBUsername"}, "\";\n",
" $DBPassword = \"", {"Ref" : "DBPassword"}, "\";\n",
" print \"Database = \" . $Database . \"<br />\";\n",
" $dbconnection = mysql_connect($Database, $DBUser, $DBPassword)\n",
" or die(\"Could not connect: \" . mysql_error());
\n",
" print (\"Connected to $Database successfully\");\n",
" mysql_close($dbconnection);\n",
" ?>\n",
" <h2>PHP Information</h2>\n",
" <p/>\n",
" <?php\n",
" phpinfo();\n",
" ?>\n",
" </body>\n",
"</html>\n"
]]},
"mode" : "000600",
"owner" : "apache",
"group" : "apache"
},
"content" : { "Fn::Join" : ["", [
"GRANT ALL ON ", { "Ref" : "DBName" }, ".* TO '", { "Ref" :
"DBUsername" }, "'@localhost IDENTIFIED BY '", { "Ref" : "DBPassword" }, "';\n"
]]},
"mode" : "000400",
"owner" : "root",

349
"group" : "root"
},
"content" : { "Fn::Join" : ["", [
"[main]\n",
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
},
"runas=root\n"
]]}
}
},
"services" : {
"sysvinit" : {
"mysqld" : { "enabled" : "true", "ensureRunning" : "true" },
}
}
},
"Configure" : {
"commands" : {
"01_set_mysql_root_password" : {
"command" : { "Fn::Join" : ["", ["mysqladmin -u root password '", { "Ref" :
"DBRootPassword" }, "'"]]},
0 ))"]]}
},
"02_create_database" : {
"command" : { "Fn::Join" : ["", ["mysql -u root --password='", { "Ref" :
"DBRootPassword" }, "' < /tmp/setup.mysql"]]},
0 ))"]]}
}
}
}
}
},
"Properties": {

350
Creating Wait Conditions



]]}}
},
"Timeout" : "PT5M"
}
}
},
"Properties" : {
"0.0.0.0/0"},
"SSHLocation"}}
]
}
}
},
"Outputs" : {
"WebsiteURL" : {
"Description" : "URL for newly created LAMP stack",
}
}
}
Creating Wait Conditions in a Template

Important
For Amazon EC2 and Auto Scaling resources, we recommend that you use a CreationPolicy
attribute instead of wait conditions. Add a CreationPolicy attribute to those resources, and
use the cfn-signal helper script to signal when an instance creation process has completed
successfully.
For more information, see CreationPolicy (p. 3760) or Deploying Applications on Amazon EC2
with AWS CloudFormation (p. 333).
Using the AWS::CloudFormation::WaitConditionHandle resource and CreationPolicy (p. 3760) attribute,

you can do the following:
• Coordinate stack resource creation with other configuration actions that are external to the stack
creation

351
• Track the status of a configuration process
For example, you can start the creation of another resource after an application configuration is partially
complete, or you can send signals during an installation and configuration process to track its progress.
Using a Wait Condition Handle

Note
If you use the VPC endpoint feature, resources in the VPC that respond to wait conditions
must have access to AWS CloudFormation-specific Amazon Simple Storage Service (Amazon
S3) buckets. Resources must send wait condition responses to a pre-signed Amazon S3 URL.
If they can't send responses to Amazon S3, AWS CloudFormation won't receive a response
and the stack operation fails. For more information, see Setting Up VPC Endpoints for AWS
CloudFormation (p. 26) and Example Bucket Policies for VPC Endpoints for Amazon S3.
You can use the wait condition and wait condition handle to make AWS CloudFormation pause the
creation of a stack and wait for a signal before it continues to create the stack. For example, you might
want to download and configure applications on an Amazon EC2 instance before considering the
creation of that Amazon EC2 instance complete.
The following list provides a summary of how a wait condition with a wait condition handle works:
• AWS CloudFormation creates a wait condition just like any other resource. When AWS CloudFormation
creates a wait condition, it reports the wait condition’s status as CREATE_IN_PROGRESS and waits until
it receives the requisite number of success signals or the wait condition’s timeout period has expired.
If AWS CloudFormation receives the requisite number of success signals before the time out period
expires, it continues creating the stack; otherwise, it sets the wait condition’s status to CREATE_FAILED
and rolls the stack back.
• The Timeout property determines how long AWS CloudFormation waits for the requisite number
of success signals. Timeout is a minimum-bound property, meaning the timeout occurs no sooner
than the time you specify, but can occur shortly thereafter. The maximum time that you can specify is
43200 seconds (12 hours ).
• Typically, you want a wait condition to begin immediately after the creation of a specific resource,
such as an Amazon EC2 instance, RDS DB instance, or Auto Scaling group. You do this by adding the
DependsOn attribute (p. 3765) to a wait condition. When you add a DependsOn attribute to a wait
condition, you specify that the wait condition is created only after the creation of a particular resource
has completed. When the wait condition is created, AWS CloudFormation begins the timeout period
and waits for success signals.
• You can also use the DependsOn attribute on other resources. For example, you may want an RDS
DB instance to be created and a database configured on that DB instance first before creating the
EC2 instances that use that database. In this case, you create a wait condition that has a DependsOn
attribute that specifies the DB instance, and you create EC2 instance resources that have DependsOn
attributes that specify the wait condition. This would ensure that the EC2 instances would only be
created directly after the DB instance and the wait condition were completed.
• AWS CloudFormation must receive a specified number of success signals for a wait condition before
setting that wait condition’s status to CREATE_COMPLETE continuing the creation of the stack. The
wait condition’s Count property specifies the number of success signals. If none is set, the default is 1.
• A wait condition requires a wait condition handle to set up a presigned URL that is used as the
signaling mechanism. The presigned URL enables you to send a signal without having to supply
your AWS credentials. You use that presigned URL to signal success or failure, which is encapsulated
in a JSON statement. For the format of that JSON statement, see the Wait Condition Signal JSON
Format (p. 354).
• If a wait condition receives the requisite number of success signals (as defined in the Count
property) before the timeout period expires, AWS CloudFormation marks the wait condition as
CREATE_COMPLETE and continues creating the stack. Otherwise, AWS CloudFormation fails the wait

352
condition and rolls the stack back (for example, if the timeout period expires without requisite success
signals or if a failure signal is received).
To use a wait condition in a stack:
1. Declare an AWS::CloudFormation::WaitConditionHandle resource in the stack's template. A wait

condition handle has no properties; however, a reference to a WaitConditionHandle resource
resolves to a pre-signed URL that you can use to signal success or failure to the WaitCondition. For
example:
"myWaitHandle" : {
"Type" : "AWS::CloudFormation::WaitConditionHandle",
"Properties" : {
}
}
2. Declare an AWS::CloudFormation::WaitCondition resource in the stack's template. A WaitCondition

resource has two required properties: Handle is a reference to a WaitConditionHandle declared in the
template and Timeout is the number seconds for AWS CloudFormation to wait. You can optionally
set the Count property, which determines the number of success signals that the wait condition
must receive before AWS CloudFormation can resume creating the stack.
To control when the wait condition is triggered, you set a DependsOn attribute on the wait
condition. A DependsOn clause associates a resource with the wait condition. After AWS
CloudFormation creates the DependsOn resource, it blocks further stack resource creation until
one of the following events occur: a) the timeout period expires b) The requisite number of success
signals are received c) A failure signal is received.
Here is an example of a wait condition that begins after the successful creation of the Ec2Instance
resource, uses the myWaitHandle resource as the WaitConditionHandle, has a timeout of 4500
seconds, and has the default Count of 1 (since no Count property is specified):
"myWaitCondition" : {
"DependsOn" : "Ec2Instance",
"Properties" : {
"Handle" : { "Ref" : "myWaitHandle" },
"Timeout" : "4500"
}
}
3. Get the presigned URL to use for signaling.
In the template, the presigned URL can be retrieved by passing the logical name of the
AWS::CloudFormation::WaitConditionHandle resource to the Ref intrinsic function. For example, you
can use the UserData property on AWS::EC2::Instance resources to pass the presigned URL to the
Amazon EC2 instances so that scripts or applications running on those instances can signal success
or failure to AWS CloudFormation:
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [ "", ["SignalURL=", { "Ref" : "myWaitHandle" } ] ]
}
}
Note: In the AWS Management Console or the AWS CloudFormation command line tools, the
presigned URL is displayed as the physical ID of the wait condition handle resource.
4. Select a method for detecting when the stack enters the wait condition.
353
If you create the stack with notifications enabled, AWS CloudFormation publishes a notification for
every stack event to the specified topic. If you or your application subscribe to that topic, you can
monitor the notifications for the wait condition handle creation event and retrieve the presigned
URL from the notification message.
You can also monitor the stack's events using the AWS Management Console, the AWS
CloudFormation command line tools, or the AWS CloudFormation API.
5. Use the presigned URL to signal success or failure.
To send a signal, you send an HTTP request message using the presigned URL. The request
method must be PUT and the Content-Type header must be an empty string or omitted. The
request message must be a JSON structure of the form specified in Wait Condition Signal JSON
Format (p. 354).
You need to send the number of success signals specified by the Count property in order for AWS
CloudFormation to continue stack creation. If you have a Count that is greater than 1, the UniqueId
value for each signal must be unique across all signals sent to a particular wait condition. The
UniqueId is an arbitrary alphanumerical string.
A Curl command is one way to send a signal. The following example shows a Curl command line that
signals success to a wait condition.
curl -T /tmp/a "https://cloudformation-waitcondition-test.s3.amazonaws.com/

arn%3Aaws%3Acloudformation%3Aus-east-2%3A034017226601%3Astack
%2Fstack-gosar-20110427004224-test-stack-with-WaitCondition--VEYW
%2Fe498ce60-70a1-11e0-81a7-5081d0136786%2FmyWaitConditionHandle?
Expires=1303976584&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Signature=ik1twT6hpS4cgNAw7wyOoRejVoo
%3D"
where the file /tmp/a contains the following JSON structure:
{
"Status" : "SUCCESS",
"Reason" : "Configuration Complete",
"UniqueId" : "ID1234",
"Data" : "Application has completed configuration."
}
This example shows a Curl command line that sends the same success signal except it sends the
JSON structure as a parameter on the command line.
curl -X PUT -H 'Content-Type:' --data-binary '{"Status" : "SUCCESS","Reason" :

"Configuration Complete","UniqueId" : "ID1234","Data" : "Application
has completed configuration."}' "https://cloudformation-waitcondition-
test.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-2%3A034017226601%3Astack
%3D"
Wait Condition Signal JSON Format

When you signal a wait condition, you must use the following JSON format:

354
Template Snippets
{
"Status" : "StatusValue",
"UniqueId" : "Some UniqueId",
"Data" : "Some Data",
"Reason" : "Some Reason"
}
Where:
StatusValue must be one of the following values:
• SUCCESS indicates a success signal.

• FAILURE indicates a failure signal and triggers a failed wait condition and a stack rollback.
UniqueId identifies the signal to AWS CloudFormation. If the Count property of the wait condition is
greater than 1, the UniqueId value must be unique across all signals sent for a particular wait condition;
otherwise, AWS CloudFormation will consider the signal a retransmission of the previously sent signal
with the same UniqueId, and it will ignore the signal.
Data is any information that you want to send back with the signal. The Data value can be accessed
by calling the Fn::GetAtt function (p. 3807) within the template. For example, if you create the
following output value for the wait condition mywaitcondition, you can use the aws cloudformation
describe-stacks command, DescribeStacks action, or Outputs tab of the CloudFormation console to
view the Data sent by valid signals sent to AWS CloudFormation:
"WaitConditionData" : {
"Value" : { "Fn::GetAtt" : [ "mywaitcondition", "Data" ]},
"Description" : "The data passed back as part of signalling the WaitCondition"
},
The Fn::GetAtt function returns the UniqueId and Data as a name/value pair within a JSON structure. The
following is an example of the Data attribute returned by the WaitConditionData output value defined
above:
{"Signal1":"Application has completed configuration."}
Reason is a string with no other restrictions on its content besides JSON compliance.
Template Snippets
This section provides a number of example scenarios that you can use to understand how to declare
various AWS CloudFormation template parts. You can also use the snippets as a starting point for
sections of your custom templates.
Note
Because AWS CloudFormation templates must be JSON compliant, there is no provision for a
line continuation character. The wrapping of the snippets in this document may be random if
the line is longer that 80 characters.
Topics
• General Template Snippets (p. 356)
• Auto Scaling Template Snippets (p. 363)
• AWS CloudFormation Template Snippets (p. 368)

355
General
• Amazon CloudFront Template Snippets (p. 372)

• Amazon CloudWatch Template Snippets (p. 379)
• Amazon CloudWatch Logs Template Snippets (p. 383)
• Amazon DynamoDB Template Snippets (p. 410)
• Amazon EC2 Template Snippets (p. 414)
• Amazon Elastic Container Service Template Snippets (p. 429)
• Amazon Elastic File System Sample Template (p. 445)
• Elastic Beanstalk Template Snippets (p. 462)
• Elastic Load Balancing Template Snippets (p. 464)
• AWS Identity and Access Management Template Snippets (p. 465)
• AWS Lambda Template (p. 478)
• AWS OpsWorks Template Snippets (p. 482)
• Amazon Redshift Template Snippets (p. 488)
• Amazon RDS Template Snippets (p. 494)
• Route 53 Template Snippets (p. 500)
• Amazon S3 Template Snippets (p. 504)
• Amazon SNS Template Snippets (p. 510)
• Amazon SQS Template Snippets (p. 510)
General Template Snippets

The following examples show different AWS CloudFormation template features that aren't specific to an
AWS service.
Topics
• Base64 Encoded UserData Property (p. 356)
• Base64 Encoded UserData Property with AccessKey and SecretKey (p. 357)
• Parameters Section with One Literal String Parameter (p. 357)
• Parameters Section with String Parameter with Regular Expression Constraint (p. 358)
• Parameters Section with Number Parameter with MinValue and MaxValue Constraints (p. 358)
• Parameters Section with Number Parameter with AllowedValues Constraint (p. 359)
• Parameters Section with One Literal CommaDelimitedList Parameter (p. 359)
• Parameters Section with Parameter Value Based on Pseudo Parameter (p. 360)
• Mapping Section with Three Mappings (p. 361)
• Description Based on Literal String (p. 361)
• Outputs Section with One Literal String Output (p. 362)
• Outputs Section with One Resource Reference and One Pseudo Reference Output (p. 362)
• Outputs Section with an Output Based on a Function, a Literal String, a Reference, and a Pseudo
Parameter (p. 362)
• Template Format Version (p. 363)
• AWS Tag Property (p. 363)
Base64 Encoded UserData Property

This example shows the assembly of a UserData property using the Fn::Base64 and Fn::Join functions.
The references MyValue and MyName are parameters that must be defined in the Parameters section of

356
General
the template. The literal string Hello World is just another value this example passes in as part of the
UserData.
JSON
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [ ",", [
{ "Ref" : "MyValue" },
{ "Ref" : "MyName" },
"Hello World" ] ]
}
}
YAML
UserData:
Fn::Base64: !Sub |
Ref: MyValue
Ref: MyName
Hello World
Base64 Encoded UserData Property with AccessKey and

SecretKey
This example shows the assembly of a UserData property using the Fn::Base64 and Fn::Join functions. It
includes the AccessKey and SecretKey information. The references AccessKey and SecretKey are
parameters that must be defined in the Parameters section of the template.
JSON
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [ "", [
"ACCESS_KEY=", { "Ref" : "AccessKey" },
"SECRET_KEY=", { "Ref" : "SecretKey" } ]
]
}
}
YAML
UserData:
Fn::Base64: !Sub |
ACCESS_KEY=${AccessKey}
SECRET_KEY=${SecretKey}
Parameters Section with One Literal String Parameter

The following example depicts a valid Parameters section declaration in which a single String type
parameter is declared.
JSON
"Parameters" : {
"UserName" : {
"Type" : "String",

357
General
"Default" : "nonadmin",
"Description" : "Assume a vanilla user if no command-line spec provided"
}
}
YAML
Parameters:
UserName:
Type: String
Default: nonadmin
Description: Assume a vanilla user if no command-line spec provided
Parameters Section with String Parameter with Regular

Expression Constraint
The following example depicts a valid Parameters section declaration in which a single String type
parameter is declared. The AdminUserAccount parameter has a default of admin. The parameter value
must have a minimum length of 1, a maximum length of 16, and contains alphabetic characters and
numbers but must begin with an alphabetic character.
JSON
"Parameters" : {
"AdminUserAccount": {
"Default": "admin",
"NoEcho": "true",
"Description" : "The admin account user name",
"Type": "String",
"MinLength": "1",
"MaxLength": "16",
"AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*"
}
}
YAML
Parameters:
AdminUserAccount:
Default: admin
NoEcho: true
Description: The admin account user name
Type: String
MinLength: 1
MaxLength: 16
AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
Parameters Section with Number Parameter with MinValue and

MaxValue Constraints
The following example depicts a valid Parameters section declaration in which a single Number type
parameter is declared. The WebServerPort parameter has a default of 80 and a minimum value 1 and
maximum value 65535.
JSON
"Parameters" : {

358
General
"WebServerPort": {
"Default": "80",
"Description" : "TCP/IP port for the web server",
"Type": "Number",
"MinValue": "1",
"MaxValue": "65535"
}
}
YAML
Parameters:
WebServerPort:
Default: 80
Description: TCP/IP port for the web server
Type: Number
MinValue: 1
MaxValue: 65535
Parameters Section with Number Parameter with AllowedValues

Constraint
The following example depicts a valid Parameters section declaration in which a single Number type
parameter is declared. The WebServerPort parameter has a default of 80 and allows only values of 80
and 8888.
JSON
"Parameters" : {
"WebServerPortLimited": {
"Default": "80",
"Description" : "TCP/IP port for the web server",
"Type": "Number",
"AllowedValues" : ["80", "8888"]
}
}
YAML
Parameters:
WebServerPortLimited:
Default: 80
Description: TCP/IP port for the web server
Type: Number
AllowedValues:
- 80
- 8888
Parameters Section with One Literal CommaDelimitedList

Parameter
The following example depicts a valid Parameters section declaration in which a single
CommaDelimitedList type parameter is declared. The NoEcho property is set to TRUE, which will mask
its value with asterisks (*****) in the aws cloudformation describe-stacks output.
Important

359
General
JSON
"Parameters" : {
"UserRoles" : {
"Type" : "CommaDelimitedList",
"Default" : "guest,newhire",
"NoEcho" : "TRUE"
}
}
YAML
Parameters:
UserRoles:
Default: "guest,newhire"
NoEcho: true
Parameters Section with Parameter Value Based on Pseudo

Parameter
The following example shows commands in the EC2 user data that use the pseudo parameters
AWS::StackName and AWS::Region. For more information about pseudo parameters, see Pseudo
Parameters Reference (p. 3826).
JSON

]]}}
}
YAML
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe

360
General

/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfig --region
${AWS::Region}
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerGroup --
region ${AWS::Region}
Mapping Section with Three Mappings

The following example depicts a valid Mapping section declaration that contains three mappings. The
map, when matched with a mapping key of Stop, SlowDown, or Go, provides the RGB values assigned to
the corresponding RGBColor attribute.
JSON
"Mappings" : {
"LightColor" : {
"Stop" : {
"Description" : "red",
"RGBColor" : "RED 255 GREEN 0 BLUE 0"
},
"SlowDown" : {
"Description" : "yellow",
},
"Go" : {
"Description" : "green",
}
}
}
YAML
Mappings:
LightColor:
Stop:
Description: red
RGBColor: "RED 255 GREEN 0 BLUE 0"
SlowDown:
Description: yellow
Go:
Description: green
Description Based on Literal String

The following example depicts a valid Description section declaration where the value is based on a
literal string. This snippet can be for templates, parameters, resources, properties, or outputs.
JSON
"Description" : "Replace this value"
YAML
Description: "Replace this value"

361
General
Outputs Section with One Literal String Output

This example shows a output assignment based on a literal string.
JSON
"Outputs" : {
"MyPhone" : {
"Value" : "Please call 555-5555",
"Description" : "A random message for aws cloudformation describe-stacks"
}
}
YAML
Outputs:
MyPhone:
Value: Please call 555-5555
Description: A random message for aws cloudformation describe-stacks
Outputs Section with One Resource Reference and One Pseudo

Reference Output
This example shows an Outputs section with two output assignments. One is based on a resource, and
the other is based on a pseudo reference.
JSON
"Outputs" : {
"SNSTopic" : { "Value" : { "Ref" : "MyNotificationTopic" } },
"StackName" : { "Value" : { "Ref" : "AWS::StackName" } }
}
YAML
Outputs:
SNSTopic:
Value: Ref: MyNotificationTopic
StackName:
Value: Ref: AWS::StackName
Outputs Section with an Output Based on a Function, a Literal

String, a Reference, and a Pseudo Parameter
This example shows an Outputs section with one output assignment. The Join function is used to
concatenate the value, using a percent sign as the delimiter.
JSON
"Outputs" : {
"MyOutput" : {
"Value" : { "Fn::Join" :
[ "%", [ "A-string", {"Ref" : "AWS::StackName" } ] ]
}

362
Auto Scaling
}
}
YAML
Outputs:
MyOutput:
Value: !Join [ %, [ 'A-string', !Ref 'AWS::StackName' ]]
Template Format Version

The following snippet depicts a valid Template Format Version section declaration.
JSON
"AWSTemplateFormatVersion" : "2010-09-09"
YAML
AWS Tag Property

This example shows an AWS Tag property. You would specify this property within the Properties section
of a resource. When the resource is created, it will be tagged with the tags you declare.
JSON
"Tags" : [
{
"Key" : "keyname1",
"Value" : "value1"
},
{
"Key" : "keyname2",
"Value" : "value2"
}
]
YAML
Tags:
-
Key: "keyname1"
Value: "value1"
-
Key: "keyname2"
Value: "value2"
Auto Scaling Template Snippets

Topics
• Auto Scaling Launch Configuration Resource (p. 364)
• Auto Scaling Group Resource (p. 364)

363
Auto Scaling
• Auto Scaling Policy Triggered by CloudWatch Alarm (p. 365)

• Auto Scaling Group with Notifications (p. 366)
• Auto Scaling with an UpdatePolicy (p. 367)
Auto Scaling Launch Configuration Resource

This example shows an Auto Scaling AWS::AutoScaling::LaunchConfiguration resource.
The SecurityGroups property specifies both an AWS::EC2::SecurityGroup resource named
myEC2SecurityGroup and an existing EC2 security group named myExistingEC2SecurityGroup. The
BlockDeviceMappings property lists two devices: a 50 gigabyte EBS volume mapped to /dev/sdk and a
virtual device ephemeral0 mapped to /dev/sdc.
JSON
"SimpleConfig" : {
"Properties" : {
"SecurityGroups" : [ { "Ref" : "myEC2SecurityGroup" },
"myExistingEC2SecurityGroup" ],
"InstanceType" : "m1.small",
"BlockDeviceMappings" : [ {
"DeviceName" : "/dev/sdk",
"Ebs" : {"VolumeSize" : "50"}
}, {
"DeviceName" : "/dev/sdc",
"VirtualName" : "ephemeral0"
} ]
}
}
YAML
SimpleConfig:
Type: AWS::AutoScaling::LaunchConfiguration
Properties:
SecurityGroups:
- Ref: myEC2SecurityGroup
- myExistingEC2SecurityGroup
- DeviceName: "/dev/sdk"
Ebs:
VolumeSize: '50'
- DeviceName: "/dev/sdc"
VirtualName: ephemeral0
Auto Scaling Group Resource

This example shows an Auto Scaling AWS::AutoScaling::AutoScalingGroup resource. The
AvailabilityZones property specifies the availability zones where the auto-scaling group's EC2 instances
will be created. In this example, the Fn::GetAZs (p. 3809) function call { "Fn::GetAZs" : "" }
specifies all availability zones for the region in which the stack is created. The LoadBalancerNames
property lists the LoadBalancers used to route traffic to the Auto Scaling group. In this example, one
LoadBalancer is specified, the AWS::ElasticLoadBalancing::LoadBalancer resource LB.

364
Auto Scaling
JSON
"MyServerGroup" : {
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : ""},
"LaunchConfigurationName" : { "Ref" : "SimpleConfig" },
"MinSize" : "1",
"MaxSize" : "3",
"LoadBalancerNames" : [ { "Ref" : "LB" } ]
}
}
YAML
MyServerGroup:
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
AvailabilityZones:
Fn::GetAZs: ''
LaunchConfigurationName:
Ref: SimpleConfig
MinSize: '1'
MaxSize: '3'
LoadBalancerNames:
- Ref: LB
Auto Scaling Policy Triggered by CloudWatch Alarm

This example shows an AWS::AutoScaling::ScalingPolicy resource that scales up the Auto Scaling
group asGroup. The AdjustmentType property specifies ChangeInCapacity, which means that the
ScalingAdjustment represents the number of instances to add (if ScalingAdjustment is positive) or
delete (if it is negative). In this example, ScalingAdjustment is 1; therefore, the policy increments the
number of EC2 instances in the group by 1 when the policy is executed.
The AWS::CloudWatch::Alarm resource CPUAlarmHigh specifies the scaling policy ScaleUpPolicy as the
action to execute when the alarm is in an ALARM state (AlarmActions).
JSON
"ScaleUpPolicy" : {
"Properties" : {
"AutoScalingGroupName" : { "Ref" : "asGroup" },
"Cooldown" : "1",
"ScalingAdjustment" : "1"
}
},
"CPUAlarmHigh": {
"Properties": {
"Threshold": "10",
"AlarmDescription": "Alarm if CPU too high or metric disappears indicating instance
is down",
"Period": "60",
"AlarmActions": [ { "Ref": "ScaleUpPolicy" } ],

365
Auto Scaling
"Dimensions": [ {
"Value": { "Ref": "asGroup" }
} ],
"ComparisonOperator": "GreaterThanThreshold",
"MetricName": "CPUUtilization"
}
}
YAML
ScaleUpPolicy:
Type: AWS::AutoScaling::ScalingPolicy
Properties:
AdjustmentType: ChangeInCapacity
AutoScalingGroupName:
Ref: asGroup
Cooldown: '1'
ScalingAdjustment: '1'
CPUAlarmHigh:
Type: AWS::CloudWatch::Alarm
Properties:
EvaluationPeriods: '1'
Statistic: Average
Threshold: '10'
AlarmDescription: Alarm if CPU too high or metric disappears indicating instance
is down
Period: '60'
AlarmActions:
- Ref: ScaleUpPolicy
Namespace: AWS/EC2
Dimensions:
- Name: AutoScalingGroupName
Value:
Ref: asGroup
ComparisonOperator: GreaterThanThreshold
MetricName: CPUUtilization
Auto Scaling Group with Notifications

This example shows an AWS::AutoScaling::AutoScalingGroup resource that sends Amazon SNS
notifications when the specified events take place. The NotificationConfigurations property
specifies the SNS topic where AWS CloudFormation sends a notification and the events that will cause
AWS CloudFormation to send notifications. When the events specified by NotificationTypes
occur, AWS CloudFormation will send a notification to the SNS topic specified by TopicARN.
In this example, AWS CloudFormation sends a notification to the SNS topic topic1 when the
autoscaling:EC2_INSTANCE_LAUNCH and autoscaling:EC2_INSTANCE_LAUNCH_ERROR events
occur.
JSON
"MyAsGroupWithNotification" : {
"Properties" : {
"AvailabilityZones" : { "Ref" : "azList" },
"LaunchConfigurationName" : { "Ref" : "myLCOne" },
"MinSize" : "0",
"MaxSize" : "2",
"NotificationConfigurations" : [

366
Auto Scaling
{
"TopicARN" : { "Ref" : "topic1" },
"NotificationTypes" : [
"autoscaling:EC2_INSTANCE_LAUNCH",
"autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
"autoscaling:EC2_INSTANCE_TERMINATE",
"autoscaling:EC2_INSTANCE_TERMINATE_ERROR"
]
}
]
}
}
YAML
MyAsGroupWithNotification:
Properties:
AvailabilityZones:
Ref: azList
Ref: myLCOne
MinSize: '0'
MaxSize: '2'
DesiredCapacity: '1'
NotificationConfigurations:
- TopicARN:
Ref: topic1
NotificationTypes:
- autoscaling:EC2_INSTANCE_LAUNCH
- autoscaling:EC2_INSTANCE_LAUNCH_ERROR
- autoscaling:EC2_INSTANCE_TERMINATE
- autoscaling:EC2_INSTANCE_TERMINATE_ERROR
Auto Scaling with an UpdatePolicy

This example shows how to use an UpdatePolicy Attribute (p. 3771) with an auto-scaling group.
JSON
"ASG1" : {
"UpdatePolicy" : {
"AutoScalingRollingUpdate" : {
"MinInstancesInService" : "1",
"MaxBatchSize" : "1",
"PauseTime" : "PT12M5S"
}
},
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : { "Ref" : "AWS::Region" } },
"LaunchConfigurationName" : { "Ref" : "ASLC" },
"MaxSize" : "3",
"MinSize" : "1"
}
}
YAML
ASG1:

367
AWS CloudFormation
UpdatePolicy:
AutoScalingRollingUpdate:
MinInstancesInService: '1'
MaxBatchSize: '1'
PauseTime: PT12M5S
Properties:
AvailabilityZones:
Fn::GetAZs:
Ref: AWS::Region
Ref: ASLC
MaxSize: '3'
MinSize: '1'
AWS CloudFormation Template Snippets

Topics
• Nested Stacks (p. 368)
• Wait Condition (p. 369)
Nested Stacks
Nesting a Stack in a Template
This example template contains a nested stack resource called myStack. When AWS CloudFormation
creates a stack from the template, it creates the myStack, whose template is specified in the
TemplateURL property. The output value StackRef returns the stack ID for myStack and the value
OutputFromNestedStack returns the output value BucketName from within the myStack resource.
The Outputs.nestedstackoutputname format is reserved for specifying output values from nested
stacks and can be used anywhere within the containing template.
For more information, see AWS::CloudFormation::Stack.
JSON
{
"Resources" : {
"myStack" : {
"Properties" : {
S3_Bucket.template",
"TimeoutInMinutes" : "60"
}
}
},
"Outputs": {
"StackRef": {"Value": { "Ref" : "myStack"}},
"OutputFromNestedStack" : {
"Value" : { "Fn::GetAtt" : [ "myStack", "Outputs.BucketName" ] }
}
}
}
YAML

368
AWS CloudFormation
Resources:
myStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-1/
S3_Bucket.template
TimeoutInMinutes: '60'
Outputs:
StackRef:
Value: !Ref myStack
OutputFromNestedStack:
Value: !GetAtt myStack.Outputs.BucketName
Nesting a Stack with Input Parameters in a Template

This example template contains a stack resource that specifies input parameters. When AWS
CloudFormation creates a stack from this template, it uses the value pairs declared within the
Parameters property as the input parameters for the template used to create the myStackWithParams
stack. In this example, the InstanceType and KeyName parameters are specified.
For more information, see AWS::CloudFormation::Stack.
JSON
{
"Resources" : {
"myStackWithParams" : {
"Properties" : {
"Parameters" : {
"KeyName" : "mykey"
}
}
}
}
}
YAML
Resources:
myStackWithParams:
Properties:
TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-1/
EC2ChooseAMI.template
Parameters:
KeyName: mykey
Wait Condition
Using a Wait Condition with an Amazon EC2 Instance
Important

369
AWS CloudFormation
successfully.
If you can't use a creation policy, you view the following example template, which declares an Amazon
EC2 instance with a wait condition. The wait condition myWaitCondition uses myWaitConditionHandle
for signaling, uses the DependsOn attribute (p. 3765) to specify that the wait condition will trigger after
the Amazon EC2 instance resource has been created, and uses the Timeout property to specify a duration
of 4500 seconds for the wait condition. In addition, the presigned URL that signals the wait condition
is passed to the Amazon EC2 instance with the UserData property of the Ec2Instance resource, thus
enabling an application or script running on that Amazon EC2 instance to retrieve the pre-signed URL
and employ it to signal a success or failure to the wait condition. Note that you need to use cfn-signal
or create the application or script that signals the wait condition. The output value ApplicationData
contains the data passed back from the wait condition signal.
For more information, see Creating Wait Conditions in a Template (p. 351),
AWS::CloudFormation::WaitCondition, AWS::CloudFormation::WaitConditionHandle, and cfn-
signal (p. 3834).
JSON
{
"Mappings" : {
"RegionMap" : {
"us-east-1" : {
"AMI" : "ami-0ff8a91507f77f867"
},
"us-west-1" : {
"AMI" : "ami-0bdb828fd58c52235"
},
"eu-west-1" : {
"AMI" : "ami-047bb4163c506cd98"
},
"ap-northeast-1" : {
"AMI" : "ami-06cd52961ce9f0d85"
},
"ap-southeast-1" : {
"AMI" : "ami-08569b978cc4dfa10"
}
}
},
"Resources" : {
"Ec2Instance" : {
"Properties" : {
"UserData" : { "Fn::Base64" : {"Ref" : "myWaitHandle"}},
"AMI" ]}
}
},
"myWaitHandle" : {
"Properties" : {
}
},
"myWaitCondition" : {
"DependsOn" : "Ec2Instance",
"Properties" : {
"Handle" : { "Ref" : "myWaitHandle" },
"Timeout" : "4500"
}
}

370
AWS CloudFormation
},
"Outputs" : {
"ApplicationData" : {
"Value" : { "Fn::GetAtt" : [ "myWaitCondition", "Data" ]},
"Description" : "The data passed back as part of signalling the WaitCondition."
}
}
}
YAML
Mappings:
RegionMap:
us-east-1:
AMI: ami-0ff8a91507f77f867
us-west-1:
AMI: ami-0bdb828fd58c52235
eu-west-1:
AMI: ami-047bb4163c506cd98
ap-northeast-1:
AMI: ami-06cd52961ce9f0d85
ap-southeast-1:
AMI: ami-08569b978cc4dfa10
Resources:
Ec2Instance:
Properties:
UserData:
Fn::Base64: !Ref myWaitHandle
ImageId:
Fn::FindInMap:
- RegionMap
- Ref: AWS::Region
- AMI
myWaitHandle:
Type: AWS::CloudFormation::WaitConditionHandle
Properties: {}
myWaitCondition:
DependsOn: Ec2Instance
Properties:
Handle: !Ref myWaitHandle
Timeout: '4500'
Outputs:
ApplicationData:
Value: !GetAtt myWaitCondition.Data
Description: The data passed back as part of signalling the WaitCondition.
Using the cfn-signal Helper Script to Signal a Wait Condition

This example shows a cfn-signal command line that signals success to a wait condition. You need to
define the command line in the UserData property of the EC2 instance.
JSON
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"/opt/aws/bin/cfn-signal --exit-code 0 '",

371
CloudFront
{
"Ref": "myWaitHandle"
},
"'\n"
]
]
}
}
YAML
UserData:
'Fn::Base64':
'Fn::Join':
- ''
- - |
#!/bin/bash -xe
- /opt/aws/bin/cfn-signal --exit-code 0 '
- Ref: myWaitHandle
- |
'
Using Curl to Signal a Wait Condition

This example shows a Curl command line that signals success to a wait condition.
curl -T /tmp/a "https://cloudformation-waitcondition-test.s3.amazonaws.com/

arn%3Aaws%3Acloudformation%3Aus-east-1%3A034017226601%3Astack
%3D"
where the file /tmp/a contains the following JSON structure:
{
"Reason" : "Configuration Complete",
"UniqueId" : "ID1234",
"Data" : "Application has completed configuration."
}
This example shows a Curl command line that sends the same success signal except it sends the JSON as
a parameter on the command line.
curl -X PUT -H 'Content-Type:' --data-binary '{"Status" : "SUCCESS","Reason" :

"Configuration Complete","UniqueId" : "ID1234","Data" : "Application
has completed configuration."}' "https://cloudformation-waitcondition-
test.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A034017226601%3Astack
%3D"
Amazon CloudFront Template Snippets

Topics
• Amazon CloudFront Distribution Resource with an Amazon S3 Origin (p. 373)
• Amazon CloudFront Distribution Resource with Custom Origin (p. 374)

372
CloudFront
• Amazon CloudFront Distribution with Multi-origin Support. (p. 376)
Amazon CloudFront Distribution Resource with an Amazon S3

Origin
The following example template shows an Amazon CloudFront Distribution using an S3Origin.
JSON
{
"Resources" : {
"myDistribution" : {
"Type" : "AWS::CloudFront::Distribution",
"Properties" : {
"DistributionConfig" : {
"Origins" : [ {
"DomainName" : "mybucket.s3.amazonaws.com",
"Id" : "myS3Origin",
"S3OriginConfig" : {
"OriginAccessIdentity" : "origin-access-identity/cloudfront/
E127EXAMPLE51Z"
}
}],
"Enabled" : "true",
"Comment" : "Some comment",
"DefaultRootObject" : "index.html",
"Logging" : {
"IncludeCookies" : "false",
"Bucket" : "mylogs.s3.amazonaws.com",
"Prefix" : "myprefix"
},
"Aliases" : [ "mysite.example.com", "yoursite.example.com" ],
"DefaultCacheBehavior" : {
"AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH",
"POST", "PUT" ],
"TargetOriginId" : "myS3Origin",
"ForwardedValues" : {
"QueryString" : "false",
"Cookies" : { "Forward" : "none" }
},
"TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
"ViewerProtocolPolicy" : "allow-all"
},
"PriceClass" : "PriceClass_200",
"Restrictions" : {
"GeoRestriction" : {
"RestrictionType" : "whitelist",
"Locations" : [ "AQ", "CV" ]
}
},
"ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" }
}
}
}
}
}
YAML

373
CloudFront
Resources:
myDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- DomainName: mybucket.s3.amazonaws.com
Id: myS3Origin
S3OriginConfig:
OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
Enabled: 'true'
Comment: Some comment
DefaultRootObject: index.html
Logging:
IncludeCookies: 'false'
Bucket: mylogs.s3.amazonaws.com
Prefix: myprefix
Aliases:
- mysite.example.com
- yoursite.example.com
AllowedMethods:
- DELETE
- GET
- HEAD
- OPTIONS
- PATCH
- POST
- PUT
ForwardedValues:
Cookies:
Forward: none
TrustedSigners:
- 1234567890EX
- 1234567891EX
PriceClass: PriceClass_200
Restrictions:
GeoRestriction:
RestrictionType: whitelist
Locations:
- AQ
- CV
ViewerCertificate:
CloudFrontDefaultCertificate: 'true'
Amazon CloudFront Distribution Resource with Custom Origin

The following example template shows an Amazon CloudFront Distribution using a CustomOrigin.
JSON
{
"Resources" : {
"Properties" : {
"Origins" : [ {
"DomainName" : "www.example.com",

374
CloudFront
"Id" : "myCustomOrigin",
"CustomOriginConfig" : {
"HTTPPort" : "80",
"HTTPSPort" : "443",
"OriginProtocolPolicy" : "http-only"
}
} ],
"Enabled" : "true",
"Comment" : "Somecomment",
"Logging" : {
"IncludeCookies" : "true",
"Prefix": "myprefix"
},
"Aliases" : [
"mysite.example.com",
"*.yoursite.example.com"
],
"TargetOriginId" : "myCustomOrigin",
"SmoothStreaming" : "false",
"Cookies" : { "Forward" : "all" }
},
"TrustedSigners" : [
"1234567890EX",
"1234567891EX"
],
"ViewerProtocolPolicy" : "allow-all"
},
"CustomErrorResponses" : [ {
"ErrorCode" : "404",
"ResponsePagePath" : "/error-pages/404.html",
"ResponseCode" : "200",
"ErrorCachingMinTTL" : "30"
} ],
"PriceClass" : "PriceClass_200",
"Restrictions" : {
"GeoRestriction" : {
"RestrictionType" : "whitelist",
"Locations" : [ "AQ", "CV" ]
}
},
"ViewerCertificate": { "CloudFrontDefaultCertificate" : "true" }
}
}
}
}
}
YAML
Resources:
myDistribution:
Type: 'AWS::CloudFront::Distribution'
Properties:
DistributionConfig:
Origins:
- DomainName: www.example.com
Id: myCustomOrigin
CustomOriginConfig:

375
CloudFront
HTTPPort: '80'
HTTPSPort: '443'
OriginProtocolPolicy: http-only
Enabled: 'true'
Comment: Somecomment
Logging:
IncludeCookies: 'true'
Prefix: myprefix
Aliases:
- "*.yoursite.example.com"
TargetOriginId: myCustomOrigin
SmoothStreaming: 'false'
ForwardedValues:
Cookies:
Forward: all
TrustedSigners:
- 1234567890EX
- 1234567891EX
CustomErrorResponses:
- ErrorCode: '404'
ResponsePagePath: "/error-pages/404.html"
ResponseCode: '200'
ErrorCachingMinTTL: '30'
PriceClass: PriceClass_200
Restrictions:
GeoRestriction:
RestrictionType: whitelist
Locations:
- AQ
- CV
ViewerCertificate:
Amazon CloudFront Distribution with Multi-origin Support.

The following example template shows how to declare a CloudFront Distribution with multi-origin
support. In the DistributionConfig, a list of origins is provided and a DefaultCacheBehavior is set.
JSON
{
"Resources" : {
"Properties" : {
"Origins" : [ {
"Id" : "myS3Origin",
"DomainName" : "mybucket.s3.amazonaws.com",
"S3OriginConfig" : {
"OriginAccessIdentity" : "origin-access-identity/cloudfront/
E127EXAMPLE51Z"
}
},
{
"Id" : "myCustomOrigin",

376
CloudFront
"DomainName" : "www.example.com",
"CustomOriginConfig" : {
"HTTPPort" : "80",
"HTTPSPort" : "443",
"OriginProtocolPolicy" : "http-only"
}
}
],
"Enabled" : "true",
"Comment" : "Some comment",
"Logging" : {
"IncludeCookies" : "true",
"Prefix" : "myprefix"
},
"Aliases" : [ "mysite.example.com", "yoursite.example.com" ],
"Cookies" : { "Forward" : "all" }
},
"ViewerProtocolPolicy" : "allow-all",
"MinTTL" : "100",
"SmoothStreaming" : "true"
},
"CacheBehaviors" : [ {
"AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS",
"PATCH", "POST", "PUT" ],
"QueryString" : "true",
},
"MinTTL" : "50",
"PathPattern" : "images1/*.jpg"
},
{
"AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS",
"PATCH", "POST", "PUT" ],
"TargetOriginId" : "myCustomOrigin",
"QueryString" : "true",
},
"MinTTL" : "50",
"PathPattern" : "images2/*.jpg"
}
],
"CustomErrorResponses" : [ {
"ErrorCode" : "404",
"ResponsePagePath" : "/error-pages/404.html",
"ResponseCode" : "200",
"ErrorCachingMinTTL" : "30"
} ],
"PriceClass" : "PriceClass_All",
"ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" }
}
}
}

377
CloudFront
}
}
YAML
Resources:
myDistribution:
Properties:
DistributionConfig:
Origins:
- Id: myS3Origin
DomainName: mybucket.s3.amazonaws.com
S3OriginConfig:
OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
- Id: myCustomOrigin
DomainName: www.example.com
CustomOriginConfig:
HTTPPort: '80'
HTTPSPort: '443'
OriginProtocolPolicy: http-only
Enabled: 'true'
Comment: Some comment
Logging:
IncludeCookies: 'true'
Prefix: myprefix
Aliases:
- yoursite.example.com
ForwardedValues:
Cookies:
Forward: all
TrustedSigners:
- 1234567890EX
- 1234567891EX
MinTTL: '100'
SmoothStreaming: 'true'
CacheBehaviors:
- AllowedMethods:
- DELETE
- GET
- HEAD
- OPTIONS
- PATCH
- POST
- PUT
ForwardedValues:
QueryString: 'true'
Cookies:
Forward: none
TrustedSigners:
- 1234567890EX
- 1234567891EX
MinTTL: '50'
PathPattern: images1/*.jpg

378
CloudWatch
- AllowedMethods:
- DELETE
- GET
- HEAD
- OPTIONS
- PATCH
- POST
- PUT
TargetOriginId: myCustomOrigin
ForwardedValues:
QueryString: 'true'
Cookies:
Forward: none
TrustedSigners:
- 1234567890EX
- 1234567891EX
MinTTL: '50'
PathPattern: images2/*.jpg
- ErrorCode: '404'
ResponsePagePath: "/error-pages/404.html"
ResponseCode: '200'
ErrorCachingMinTTL: '30'
PriceClass: PriceClass_All
ViewerCertificate:
Amazon CloudWatch Template Snippets

Topics
• Billing Alarm (p. 379)
• CPU Utilization Alarm (p. 380)
• Recover an Amazon Elastic Compute Cloud Instance (p. 381)
• Create a Basic Dashboard (p. 382)
• Create a Dashboard with Side-by-Side Widgets (p. 383)
Billing Alarm
In the following sample, Amazon CloudWatch sends an email notification when charges to your AWS
account exceed the alarm threshold. To receive usage notifications, enable billing alerts.
JSON
"SpendingAlarm": {
"Properties": {
"AlarmDescription": { "Fn::Join": ["", [
"Alarm if AWS spending is over $",
{ "Ref": "AlarmThreshold" }
]]},
"Namespace": "AWS/Billing",
"MetricName": "EstimatedCharges",
"Dimensions": [{
"Name": "Currency",
"Value" : "USD"
}],
"Statistic": "Maximum",

379
CloudWatch
"Period": "21600",
"Threshold": { "Ref": "AlarmThreshold" },
"AlarmActions": [{
"Ref": "BillingAlarmNotification"
}],
"InsufficientDataActions": [{
"Ref": "BillingAlarmNotification"
}]
}
}
YAML
SpendingAlarm:
Properties:
AlarmDescription:
'Fn::Join':
- ''
- - Alarm if AWS spending is over $
- Ref: AlarmThreshold
Namespace: AWS/Billing
MetricName: EstimatedCharges
Dimensions:
- Name: Currency
Value: USD
Statistic: Maximum
Period: '21600'
Threshold:
Ref: "AlarmThreshold"
AlarmActions:
- Ref: "BillingAlarmNotification"
InsufficientDataActions:
- Ref: "BillingAlarmNotification"
CPU Utilization Alarm

The following sample snippet creates an alarm that sends a notification when the average CPU
utilization of an Amazon EC2 instance exceeds 90 percent for more than 60 seconds over three
evaluation periods.
JSON
"CPUAlarm" : {
"Type" : "AWS::CloudWatch::Alarm",
"Properties" : {
"AlarmDescription" : "CPU alarm for my instance",
"AlarmActions" : [ { "Ref" : "logical name of an AWS::SNS::Topic resource" } ],
"MetricName" : "CPUUtilization",
"Namespace" : "AWS/EC2",
"Statistic" : "Average",
"Period" : "60",
"EvaluationPeriods" : "3",
"Threshold" : "90",
"ComparisonOperator" : "GreaterThanThreshold",
"Dimensions" : [ {
"Name" : "InstanceId",

380
CloudWatch
"Value" : { "Ref" : "logical name of an AWS::EC2::Instance resource" }

} ]
}
}
YAML
CPUAlarm:
Properties:
AlarmDescription: CPU alarm for my instance
AlarmActions:
- Ref: "logical name of an AWS::SNS::Topic resource"
Namespace: AWS/EC2
Statistic: Average
Period: '60'
Threshold: '90'
Dimensions:
- Name: InstanceId
Value:
Ref: "logical name of an AWS::EC2::Instance resource"
Recover an Amazon Elastic Compute Cloud Instance

The following CloudWatch alarm recovers an EC2 instance when it has status check failures for 15
consecutive minutes. For more information about alarm actions, see Create Alarms That Stop, Terminate,
or Recover an Instance in the Amazon CloudWatch User Guide.
JSON
{
"Parameters" : {
"RecoveryInstance" : {
"Description" : "The EC2 instance ID to associate this alarm with.",
"Type" : "AWS::EC2::Instance::Id"
}
},
"Resources": {
"RecoveryTestAlarm": {
"Properties": {
"AlarmDescription": "Trigger a recovery when instance status check fails for 15
consecutive minutes.",
"Namespace": "AWS/EC2" ,
"MetricName": "StatusCheckFailed_System",
"Statistic": "Minimum",
"Period": "60",
"Threshold": "0",
"AlarmActions": [ {"Fn::Join" : ["", ["arn:aws:automate:", { "Ref" :
"AWS::Region" }, ":ec2:recover" ]]} ],
"Dimensions": [{"Name": "InstanceId","Value": {"Ref": "RecoveryInstance"}}]
}
}
}
}

381
CloudWatch
YAML
Parameters:
RecoveryInstance:
Description: The EC2 instance ID to associate this alarm with.
Type: AWS::EC2::Instance::Id
Resources:
RecoveryTestAlarm:
Properties:
AlarmDescription: Trigger a recovery when instance status check fails for 15
consecutive minutes.
Namespace: AWS/EC2
MetricName: StatusCheckFailed_System
Statistic: Minimum
Period: '60'
Threshold: '0'
AlarmActions: [ !Sub "arn:aws:automate:${AWS::Region}:ec2:recover" ]
Dimensions:
- Name: InstanceId
Value:
Ref: RecoveryInstance
Create a Basic Dashboard

The following example creates a simple CloudWatch dashboard with one metric widget displaying CPU
utilization, and one text widget displaying a message.
JSON
{
"BasicDashboard": {
"Type": "AWS::CloudWatch::Dashboard",
"Properties": {
"DashboardName": "Dashboard1",
"DashboardBody": "{\"widgets\":[{\"type\":\"metric\",\"x\":0,\"y\":0,
\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/EC2\",\"CPUUtilization\",
\"InstanceId\",\"i-012345\"]],\"period\":300,\"stat\":\"Average\",\"region\":\"us-east-1\",
\"title\":\"EC2 Instance CPU\"}},{\"type\":\"text\",\"x\":0,\"y\":7,\"width\":3,\"height
\":3,\"properties\":{\"markdown\":\"Hello world\"}}]}"
}
}
}
YAML
BasicDashboard:
Type: AWS::CloudWatch::Dashboard
Properties:
DashboardName: Dashboard1
DashboardBody: '{"widgets":
[{"type":"metric","x":0,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/
EC2","CPUUtilization","InstanceId","i-012345"]],"period":300,"stat":"Average","region":"us-
east-1","title":"EC2 Instance CPU"}},
{"type":"text","x":0,"y":7,"width":3,"height":3,"properties":{"markdown":"Hello world"}}]}'

382
CloudWatch Logs
Create a Dashboard with Side-by-Side Widgets

The following example creates a dashboard with two metric widgets that appear side by side.
JSON
{
"DashboardSideBySide": {
"Type": "AWS::CloudWatch::Dashboard",
"Properties": {
"DashboardName": "Dashboard1",
"DashboardBody": "{\"widgets\":[{\"type\":\"metric\",\"x\":0,\"y\":0,
\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/EC2\",\"CPUUtilization\",
\"InstanceId\",\"i-012345\"]],\"period\":300,\"stat\":\"Average\",\"region\":\"us-east-1\",
\"title\":\"EC2 Instance CPU\"}},{\"type\":\"metric\",\"x\":12,\"y\":0,\"width\":12,
\"height\":6,\"properties\":{\"metrics\":[[\"AWS/S3\",\"BucketSizeBytes\",\"BucketName\",
\"MyBucketName\"]],\"period\":86400,\"stat\":\"Maximum\",\"region\":\"us-east-1\",\"title
\":\"MyBucketName bytes\"}}]}"
}
}
}
YAML
DashboardSideBySide:
Properties:
DashboardName: Dashboard1
DashboardBody: '{"widgets":
[{"type":"metric","x":0,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/
EC2","CPUUtilization","InstanceId","i-012345"]],"period":300,"stat":"Average","region":"us-
east-1","title":"EC2 Instance CPU"}},
{"type":"metric","x":12,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/
S3","BucketSizeBytes","BucketName","MyBucketName"]],"period":86400,"stat":"Maximum","region":"us-
east-1","title":"MyBucketName bytes"}}]}'
Amazon CloudWatch Logs Template Snippets

Amazon CloudWatch Logs can monitor your system, application, and custom log files from Amazon
EC2 instances or other sources. You can use AWS CloudFormation to provision and manage log groups
and metric filters. For more information about getting started with Amazon CloudWatch Logs, see
Monitoring System, Application, and Custom Log Files in the Amazon CloudWatch User Guide.
Topics
• Send Logs to CloudWatch Logs from a Linux Instance (p. 383)
• Send Logs to CloudWatch Logs from a Windows Instance (p. 394)
Send Logs to CloudWatch Logs from a Linux Instance

The following template describes a web server and its custom metrics. Log events from the web server's
log provides the data for the custom metrics. To send log events to a custom metric, the UserData
field installs a CloudWatch Logs agent on the Amazon EC2 instance. The configuration information for
the agent, such as the location of the server log file, the log group name, and the log stream name, are

383
CloudWatch Logs
defined in the /tmp/cwlogs/apacheaccess.conf file. The log stream is created after the web server
starts sending log events to the /var/log/httpd/access_log file.
Note
A note about permissions: The WebServerHost instance references the
LogRoleInstanceProfile instance profile, which in turn references the LogRole role.
LogRole specifies the s3:GetObject permission for arn:aws:s3:::*.
This permission is required because WebServerHost downloads the CloudWatch Logs agent
(awslogs-agent-setup.py) from Amazon S3 in the UserData section.
The two metric filters describe how the log information is transformed into CloudWatch metrics. The
404 metric counts the number of 404 occurrences. The size metric tracks the size of a request. The two
CloudWatch alarms will send notifications if there are more than two 404s within two minutes or if the
average request size is over 3500 KB over 10 minutes.
JSON
{
"Description": "AWS CloudFormation Sample Template for CloudWatch Logs.",
"Parameters": {
"KeyName": {
instances",
},
"SSHLocation" : {
"Description" : "The IP address range that can be used to SSH to the EC2
instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
},
"OperatorEmail": {
"Description": "Email address to notify if there are any scaling operations",
"Type": "String"
}
},
"Mappings": {
"RegionMap": {
"us-east-1": {
"AMI": "ami-0ff8a91507f77f867"
},
"us-west-1": {
"AMI": "ami-0bdb828fd58c52235"
},
"us-west-2": {
"AMI": "ami-a0cfeed8"
},
"eu-west-1": {
"AMI": "ami-047bb4163c506cd98"
},
"ap-southeast-1": {
"AMI": "ami-08569b978cc4dfa10"
},
"ap-southeast-2": {
"AMI": "ami-09b42976632b27e9b"
},
"ap-northeast-1": {
"AMI": "ami-06cd52961ce9f0d85"

384
CloudWatch Logs
},
"sa-east-1": {
"AMI": "ami-07b14488da8ea02a0"
},
"eu-central-1": {
"AMI" : "ami-0233214e13e500f77"
}
}
},
"Resources": {
"LogRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "LogRolePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Create*",
"logs:PutLogEvents",
"s3:GetObject"
],
"Resource": [
"arn:aws:logs:*:*:*",
"arn:aws:s3:::*"
]
}
]
}
}
]
}
},
"LogRoleInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "LogRole"
}
]
}
},

385
CloudWatch Logs
"Properties": {
"GroupDescription": "Enable HTTP access via port 80 and SSH access via port
22",
"0.0.0.0/0"},
{ "Ref" : "SSHLocation"}}
]
}
},
"WebServerHost": {
"Metadata": {
"Comment": "Install a simple PHP application",
"AWS::CloudFormation::Init": {
"config": {
"packages": {
"yum": {
"httpd": [],
"php": []
}
},
"files": {
"/tmp/cwlogs/apacheaccess.conf": {
"content": {
"Fn::Join": [
"",
[
"[general]\n",
"state_file= /var/awslogs/agent-state\n",
"[/var/log/httpd/access_log]\n",
"file = /var/log/httpd/access_log\n",
"log_group_name = ", {"Ref":
"WebServerLogGroup"}, "\n",
"log_stream_name = {instance_id}/apache.log\n",
"datetime_format = %d/%b/%Y:%H:%M:%S"
]
]
},
"mode": "000400",
"owner": "apache",
"group": "apache"
},
"/var/www/html/index.php": {
"content": {
"Fn::Join": [
"",
[
"<?php\n",
"echo '<h1>AWS CloudFormation sample PHP
application</h1>';\n",
"?>\n"
]
]
},
"mode": "000644",
"owner": "apache",
"group": "apache"
},
"/etc/cfn/cfn-hup.conf": {
"content": {
"Fn::Join": [
"",
[

386
CloudWatch Logs
"[main]\n",
"stack=",
{
"Ref": "AWS::StackId"
},
"\n",
"region=",
{
},
"\n"
]
]
},
"mode": "000400",
"owner": "root",
"group": "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf": {
"content": {
"Fn::Join": [
"",
[
"path=Resources.WebServerHost.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -s ",
{
},
" -r WebServerHost ",
" --region ",
{
},
"\n",
"runas=root\n"
]
]
}
}
},
"services": {
"sysvinit": {
"httpd": {
"enabled": "true",
"ensureRunning": "true"
},
"sendmail": {
"enabled": "false",
"ensureRunning": "false"
}
}
}
}
}
},
"ResourceSignal" : { "Timeout" : "PT5M" }
},
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"RegionMap",
{

387
CloudWatch Logs
},
"AMI"
]
},
"KeyName": {
"Ref": "KeyName"
},
"InstanceType": "t1.micro",
"SecurityGroups": [ { "Ref": "WebServerSecurityGroup" } ],
"IamInstanceProfile": { "Ref": "LogRoleInstanceProfile" },
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"# Get the latest CloudFormation package\n",

"# Start cfn-init\n",

"/opt/aws/bin/cfn-init -s ", { "Ref": "AWS::StackId" }, " -
r WebServerHost ", " --region ", { "Ref": "AWS::Region" },
" || error_exit 'Failed to run cfn-init'\n",
"# Start up the cfn-hup daemon to listen for changes to the

EC2 instance metadata\n",
"/opt/aws/bin/cfn-hup || error_exit 'Failed to start cfn-
hup'\n",
"# Get the CloudWatch Logs agent\n",

"wget https://s3.amazonaws.com/aws-cloudwatch/downloads/
latest/awslogs-agent-setup.py\n",
"# Install the CloudWatch Logs agent\n",

"python awslogs-agent-setup.py -n -r ", { "Ref" :
"AWS::Region" }, " -c /tmp/cwlogs/apacheaccess.conf || error_exit 'Failed to run
CloudWatch Logs agent setup'\n",
"# All done so signal success\n",

" --resource WebServerHost ",
]
]
}
}
}
},
"WebServerLogGroup": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 7
}
},
"404MetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": {
"Ref": "WebServerLogGroup"
},
"FilterPattern": "[ip, identity, user_id, timestamp, request, status_code =
404, size, ...]",
"MetricTransformations": [

388
CloudWatch Logs
{
"MetricValue": "1",
"MetricNamespace": "test/404s",
"MetricName": "test404Count"
}
]
}
},
"BytesTransferredMetricFilter": {
"Properties": {
"LogGroupName": {
},
"FilterPattern": "[ip, identity, user_id, timestamp, request, status_code,
size, ...]",
{
"MetricValue": "$size",
"MetricNamespace": "test/BytesTransferred",
"MetricName": "testBytesTransferred"
}
]
}
},
"404Alarm": {
"Properties": {
"AlarmDescription": "The number of 404s is greater than 2 over 2 minutes",
"MetricName": "test404Count",
"Namespace": "test/404s",
"Statistic": "Sum",
"Period": "60",
"Threshold": "2",
"AlarmActions": [
{
"Ref": "AlarmNotificationTopic"
}
],
}
},
"BandwidthAlarm": {
"Properties": {
"AlarmDescription": "The average volume of traffic is greater 3500 KB over
10 minutes",
"MetricName": "testBytesTransferred",
"Namespace": "test/BytesTransferred",
"Period": "300",
"Threshold": "3500",
"AlarmActions": [
{
}
],
}
},
"AlarmNotificationTopic": {
"Properties": {
"Subscription": [

389
CloudWatch Logs
{
"Endpoint": { "Ref": "OperatorEmail" },
"Protocol": "email"
}
]
}
}
},
"Outputs": {
"InstanceId": {
"Description": "The instance ID of the web server",
"Value": {
"Ref": "WebServerHost"
}
},
"WebsiteURL" : {
"Value" : { "Fn::Join" : ["", ["http://", { "Fn::GetAtt" : [ "WebServerHost",
"PublicDnsName" ]}]] },
"Description" : "URL for newly created LAMP stack"
},
"PublicIP": {
"Description": "Public IP address of the web server",
"Value": {
"Fn::GetAtt": [
"WebServerHost",
"PublicIp"
]
}
},
"CloudWatchLogGroupName": {
"Description": "The name of the CloudWatch log group",
"Value": {
}
}
}
}
YAML
Description: AWS CloudFormation Sample Template for CloudWatch Logs.
Parameters:
KeyName:
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
OperatorEmail:
Description: Email address to notify if there are any scaling operations
Type: String
Mappings:
RegionMap:
us-east-1:
AMI: ami-0ff8a91507f77f867
us-west-1:
AMI: ami-0bdb828fd58c52235

390
CloudWatch Logs
us-west-2:
AMI: ami-a0cfeed8
eu-west-1:
AMI: ami-047bb4163c506cd98
ap-southeast-1:
AMI: ami-0d98120a9fb693f07
ap-southeast-2:
AMI: ami-09b42976632b27e9b
ap-northeast-1:
AMI: ami-06cd52961ce9f0d85
sa-east-1:
AMI: ami-07b14488da8ea02a0
eu-central-1:
AMI: ami-0233214e13e500f77
Resources:
LogRole:
Type: AWS::IAM::Role
Properties:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
Policies:
- PolicyName: LogRolePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:Create*
- logs:PutLogEvents
- s3:GetObject
Resource:
- arn:aws:logs:*:*:*
- arn:aws:s3:::*
LogRoleInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- Ref: LogRole
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access via port 22
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp:
Ref: SSHLocation
WebServerHost:
Metadata:
Comment: Install a simple PHP application

391
CloudWatch Logs
config:
packages:
yum:
httpd: []
php: []
files:
"/tmp/cwlogs/apacheaccess.conf":
content: !Sub |
[general]
state_file= /var/awslogs/agent-state
[/var/log/httpd/access_log]
file = /var/log/httpd/access_log
log_group_name = ${WebServerLogGroup}
log_stream_name = {instance_id}/apache.log
datetime_format = %d/%b/%Y:%H:%M:%S
mode: '000400'
owner: apache
group: apache
"/var/www/html/index.php":
content: !Sub |
"<?php"
"echo '<h1>AWS CloudFormation sample PHP application</h1>';"
"?>"
mode: '000644'
owner: apache
group: apache
"/etc/cfn/cfn-hup.conf":
content: !Sub |
[main]
stack= ${AWS::StackId}
region=${AWS::Region}
mode: "000400"
owner: "root"
group: "root"
"/etc/cfn/hooks.d/cfn-auto-reloader.conf":
content: !Sub |
[cfn-auto-reloader-hook]
triggers=post.update
path=Resources.WebServerHost.Metadata.AWS::CloudFormation::Init
action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource
WebServerHost --region ${AWS::Region}
mode: "000400"
owner: "root"
group: "root"
services:
sysvinit:
httpd:
enabled: 'true'
sendmail:
enabled: 'false'
ensureRunning: 'false'
CreationPolicy:
ResourceSignal:
Timeout: PT5M
Properties:
ImageId:
Fn::FindInMap:
- RegionMap
- Ref: AWS::Region
- AMI
KeyName:
Ref: KeyName
SecurityGroups:

392
CloudWatch Logs
IamInstanceProfile:
Ref: LogRoleInstanceProfile
UserData:
"Fn::Base64":
!Sub |
#!/bin/bash -xe
# Get the latest CloudFormation package
# Start cfn-init
/opt/aws/bin/cfn-init -s ${AWS::StackId} -r WebServerHost --region
${AWS::Region} || error_exit 'Failed to run cfn-init'
# Start up the cfn-hup daemon to listen for changes to the EC2 instance
metadata
/opt/aws/bin/cfn-hup || error_exit 'Failed to start cfn-hup'
# Get the CloudWatch Logs agent
wget https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-
setup.py
# Install the CloudWatch Logs agent
python awslogs-agent-setup.py -n -r ${AWS::Region} -c /tmp/cwlogs/
apacheaccess.conf || error_exit 'Failed to run CloudWatch Logs agent setup'
# All done so signal success
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource WebServerHost
--region ${AWS::Region}
WebServerLogGroup:
Type: AWS::Logs::LogGroup
Properties:
RetentionInDays: 7
404MetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName:
Ref: WebServerLogGroup
FilterPattern: "[ip, identity, user_id, timestamp, request, status_code = 404,
size, ...]"
MetricTransformations:
- MetricValue: '1'
MetricNamespace: test/404s
MetricName: test404Count
BytesTransferredMetricFilter:
Properties:
LogGroupName:
Ref: WebServerLogGroup
FilterPattern: "[ip, identity, user_id, timestamp, request, status_code, size, ...]"
- MetricValue: "$size"
MetricNamespace: test/BytesTransferred
MetricName: testBytesTransferred
404Alarm:
Properties:
AlarmDescription: The number of 404s is greater than 2 over 2 minutes
Namespace: test/404s
Statistic: Sum
Period: '60'
Threshold: '2'
AlarmActions:
- Ref: AlarmNotificationTopic
BandwidthAlarm:
Properties:
AlarmDescription: The average volume of traffic is greater 3500 KB over 10 minutes
MetricName: testBytesTransferred

393
CloudWatch Logs
Namespace: test/BytesTransferred
Statistic: Average
Period: '300'
Threshold: '3500'
AlarmActions:
- Ref: AlarmNotificationTopic
AlarmNotificationTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint:
Ref: OperatorEmail
Protocol: email
Outputs:
InstanceId:
Description: The instance ID of the web server
Value:
Ref: WebServerHost
WebsiteURL:
Value:
!Sub 'http://${WebServerHost.PublicDnsName}'
Description: URL for newly created LAMP stack
PublicIP:
Description: Public IP address of the web server
Value:
!GetAtt WebServerHost.PublicIp
CloudWatchLogGroupName:
Description: The name of the CloudWatch log group
Value: !Ref WebServerLogGroup
Send Logs to CloudWatch Logs from a Windows Instance

The following template configures CloudWatch Logs for a Windows 2012R2 instance.
The CloudWatch Logs agent on Windows (SSM agent on Windows 2012R2 and Windows 2016 AMIs) only
sends logs after it is started, so any logs that are generated prior to startup are not sent. To work around
this, the template helps to ensure that the agent starts before any logs are written by:
• Configuring the agent setup as the first config item in cfn-init configSets.
• Using waitAfterCompletion to insert a pause after the command that starts the agent.
JSON
{
"Description": "Sample template that sets up and configures CloudWatch logs on Windows
2012R2 instance.",
"Parameters": {
"KeyPair" : {
"Description": "Name of an existing EC2 KeyPair to enable RDP access to the
instances",
},
"RDPLocation" : {
"Description" : "The IP address range that can be used to RDP to the EC2
instances",
"Type": "String",
"MinLength": "9",

394
CloudWatch Logs
"MaxLength": "18",
"Default": "0.0.0.0/0",
},
"OperatorEmail": {
"Description": "Email address to notify if there are any scaling operations",
"Type": "String"
}
},
"Mappings": {
"AWSAMIRegionMap": {
"ap-northeast-1": {
"WS2012R2": "ami-06cd52961ce9f0d85"
},
"ap-northeast-2": {
"WS2012R2": "ami-0a10b2721688ce9d2"
},
"ap-south-1": {
"WS2012R2": "ami-0912f71e06545ad88"
},
"ap-southeast-1": {
"WS2012R2": "ami-08569b978cc4dfa10"
},
"ap-southeast-2": {
"WS2012R2": "ami-09b42976632b27e9b"
},
"ca-central-1": {
"WS2012R2": "ami-0b18956f"
},
"eu-central-1": {
"WS2012R2": "ami-0233214e13e500f77"
},
"eu-west-1": {
"WS2012R2": "ami-047bb4163c506cd98"
},
"eu-west-2": {
"WS2012R2": "ami-f976839e"
},
"sa-east-1": {
"WS2012R2": "ami-07b14488da8ea02a0"
},
"us-east-1": {
"WS2012R2": "ami-0ff8a91507f77f867"
},
"us-east-2": {
"WS2012R2": "ami-0b59bfac6be064b78"
},
"us-west-1": {
"WS2012R2": "ami-0bdb828fd58c52235"
},
"us-west-2": {
"WS2012R2": "ami-a0cfeed8"
}
}
},
"Resources": {
"Properties": {
"GroupDescription": "Enable HTTP access via port 80 and RDP access via port
3389",
"0.0.0.0/0"},

395
CloudWatch Logs

{ "Ref" : "RDPLocation"}}
]
}
},
"LogRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"ManagedPolicyArns" : [ "arn:aws:iam::aws:policy/service-role/
AmazonEC2RoleforSSM"],
"Path": "/",
"Policies": [
{
"PolicyName": "LogRolePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Create*",
"logs:PutLogEvents",
"s3:GetObject"
],
"Resource": [
"arn:aws:logs:*:*:*",
"arn:aws:s3:::*"
]
}
]
}
}
]
}
},
"LogRoleInstanceProfile": {
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "LogRole"
}
]
}
},
"WebServerHost": {

396
CloudWatch Logs
"Timeout" : "PT15M"
}
},
"Metadata": {
"configSets" : {
"config": [
"00-ConfigureCWLogs",
"01-InstallWebServer",
"02-ConfigureApplication",
"03-Finalize"
]
},
"00-ConfigureCWLogs" : {
"files": {
"C:\\Program Files\\Amazon\\SSM\\Plugins\\awsCloudWatch\
\AWS.EC2.Windows.CloudWatch.json": {
"content": {
"Fn::Join": [
"",
[
"{",
" \"IsEnabled\" : true,",
" \"EngineConfiguration\" : {",
" \"PollInterval\" : \"00:00:05\",",
" \"Components\" : [{",
" \"Id\" : \"ApplicationEventLog\",",
" \"FullName\" :
\"AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch
\",",
" \"Parameters\" : {",
" \"LogName\" : \"Application\",",
" \"Levels\" : \"7\"",
" }",
" },",
" {",
" \"Id\" : \"SystemEventLog\",",
" \"FullName\" :
\",",
" \"LogName\" : \"System\",",
" \"Levels\" : \"7\"",
" }",
" },",
" {",
" \"Id\" : \"SecurityEventLog\",",
" \"FullName\" :
\",",
" \"LogName\" : \"Security\",",
" \"Levels\" : \"7\"",
" }",
" },",
" {",
" \"Id\" : \"EC2ConfigLog\",",
" \"FullName\":
\"AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch
\",",
" \"Parameters\": {",
" \"LogDirectoryPath\": \"C:\\\\Program
Files\\\\Amazon\\\\Ec2ConfigService\\\\Logs\",",
" \"TimestampFormat\": \"yyyy-MM-
ddTHH:mm:ss.fffZ:\",",
" \"Encoding\": \"ASCII\",",

397
CloudWatch Logs
" \"Filter\": \"EC2ConfigLog.txt\",",

" \"CultureName\": \"en-US\",",
" \"TimeZoneKind\": \"UTC\"",
" }",
" },",
" {",
" \"Id\": \"CfnInitLog\",",
" \"FullName\":
\",",
" \"LogDirectoryPath\": \"C:\\\\cfn\\\\log
\",",
" \"TimestampFormat\": \"yyyy-MM-dd
HH:mm:ss,fff\",",
" \"Encoding\": \"ASCII\",",
" \"Filter\": \"cfn-init.log\",",
" \"CultureName\": \"en-US\",",
" \"TimeZoneKind\": \"Local\"",
" }",
" },",
" {",
" \"Id\" : \"IISLogs\",",
" \"FullName\" :
\",",
" \"LogDirectoryPath\" : \"C:\\\\inetpub\\\
\logs\\\\LogFiles\\\\W3SVC1\",",
" \"TimestampFormat\" : \"yyyy-MM-dd
HH:mm:ss\",",
" \"Encoding\" : \"UTF-8\",",
" \"Filter\" : \"\",",
" \"CultureName\" : \"en-US\",",
" \"TimeZoneKind\" : \"UTC\",",
" \"LineCount\" : \"3\"",
" }",
" },",
" {",
" \"Id\" : \"MemoryPerformanceCounter\",",
" \"FullName\" :
\"AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Wind
\",",
" \"CategoryName\" : \"Memory\",",
" \"CounterName\" : \"Available MBytes\",",
" \"InstanceName\" : \"\",",
" \"MetricName\" : \"Memory\",",
" \"Unit\" : \"Megabytes\",",
" \"DimensionName\" : \"\",",
" \"DimensionValue\" : \"\"",
" }",
" },",
" {",
" \"Id\": \"CloudWatchApplicationEventLog\",",
" \"FullName\":
\"AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch\",",
" \"AccessKey\": \"\",",
" \"SecretKey\": \"\",",
{
"Fn::Sub": " \"Region\":
\"${AWS::Region}\","
},
{

398
CloudWatch Logs
"Fn::Sub": " \"LogGroup\":

\"${LogGroup}\","
},
" \"LogStream\": \"{instance_id}/
ApplicationEventLog\"",
" }",
" },",
" {",
" \"Id\": \"CloudWatchSystemEventLog\",",
" \"FullName\":
" \"AccessKey\": \"\",",
" \"SecretKey\": \"\",",
{
},
{
\"${LogGroup}\","
},
SystemEventLog\"",
" }",
" },",
" {",
" \"Id\": \"CloudWatchSecurityEventLog\",",
" \"FullName\":
" \"AccessKey\": \"\",",
" \"SecretKey\": \"\",",
{
},
{
\"${LogGroup}\","
},
SecurityEventLog\"",
" }",
" },",
" {",
" \"Id\": \"CloudWatchEC2ConfigLog\",",
" \"FullName\":
" \"AccessKey\": \"\",",
" \"SecretKey\": \"\",",
{
},
{
\"${LogGroup}\","
},
EC2ConfigLog\"",
" }",
" },",
" {",
" \"Id\": \"CloudWatchCfnInitLog\",",

399
CloudWatch Logs
" \"FullName\":
" \"AccessKey\": \"\",",
" \"SecretKey\": \"\",",
{
},
{
\"${LogGroup}\","
},
" \"LogStream\": \"{instance_id}/CfnInitLog
\"",
" }",
" },",
" {",
" \"Id\": \"CloudWatchIISLogs\",",
" \"FullName\":
" \"AccessKey\": \"\",",
" \"SecretKey\": \"\",",
{
},
{
\"${LogGroup}\","
},
" \"LogStream\": \"{instance_id}/IISLogs\"",
" }",
" },",
" {",
" \"Id\" : \"CloudWatch\",",
" \"FullName\" :
\"AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch
\",",
" \"AccessKey\" : \"\",",
" \"SecretKey\" : \"\",",
{
},
" \"NameSpace\" : \"Windows/Default\"",
" }",
" }],",
" \"Flows\": {",
" \"Flows\": [",
"
\"ApplicationEventLog,CloudWatchApplicationEventLog\",",
" \"SystemEventLog,CloudWatchSystemEventLog
\",",
"
\"SecurityEventLog,CloudWatchSecurityEventLog\",",
" \"EC2ConfigLog,CloudWatchEC2ConfigLog\",",
" \"CfnInitLog,CloudWatchCfnInitLog\",",
" \"IISLogs,CloudWatchIISLogs\",",
" \"MemoryPerformanceCounter,CloudWatch\"",
" ]",
" }",
" }",
"}"

400
CloudWatch Logs
]
]
}
}
},
"commands": {
"0-enableSSM" : {
"command" : "powershell.exe -Command \"Set-Service -Name AmazonSSMAgent
-StartupType Automatic\" ",
"waitAfterCompletion" : "0"
},
"1-restartSSM": {
"command" : "powershell.exe -Command \"Restart-Service AmazonSSMAgent
\"",
"waitAfterCompletion" : "30"
}
}
},
"01-InstallWebServer": {
"commands": {
"01_install_webserver": {
"command": "powershell.exe -Command \"Install-WindowsFeature Web-
Server -IncludeAllSubFeature\"",
"waitAfterCompletion": "0"
}
}
},
"02-ConfigureApplication": {
"files": {
"c:\\Inetpub\\wwwroot\\index.htm": {
"content": {
"Fn::Join": [
"\n",
[
"<html>",
"<head>",
"<title>Test Application</title>",
"</head>",
"<body>",
"<h1>Congratulations!! Your IIS Web
Server is configured.</h1>",
"</body>",
"</html>"
]
]
}
}
}
},
"03-Finalize": {
"commands": {
"00_signal_success": {
"command": { "Fn::Sub" : "cfn-signal.exe -e 0 --resource
WebServerHost --stack ${AWS::StackName} --region ${AWS::Region} " },
"waitAfterCompletion": "0"
}
}
}
}
},
"Properties": {
"KeyName": { "Ref" : "KeyPair"},
"ImageId": {
"Fn::FindInMap": [
"AWSAMIRegionMap",
{

401
CloudWatch Logs
},
"WS2012R2"
]
},
"InstanceType": "t2.xlarge",
"SecurityGroupIds" : [{ "Ref" : "WebServerSecurityGroup"}],
"IamInstanceProfile" : { "Ref" : "LogRoleInstanceProfile"},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"\n",
[
"<script>",
"wmic product where \"description='Amazon SSM Agent' \"
uninstall",
"wmic product where \"description='aws-cfn-bootstrap' \"
uninstall ",
"start /wait c:\\Windows\\system32\\msiexec /passive /qn /i
https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-win64-latest.msi",
"powershell.exe -Command \"iwr https://s3.amazonaws.com/ec2-
downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe -UseBasicParsing -
OutFile C:\\AmazonSSMAgentSetup.exe\"",
"start /wait C:\\AmazonSSMAgentSetup.exe /install /quiet",
{ "Fn::Sub" : "cfn-init.exe -v -c config -s ${AWS::StackName}
--resource WebServerHost --region ${AWS::Region} " },
"</script>"
]
]
}
}
}
},
"LogGroup": {
"Properties": {
}
},
"Properties": {
"LogGroupName": {
"Ref": "LogGroup"
},
"FilterPattern": "[timestamps,serverip, method, uri, query, port, dash,
clientip, useragent, status_code = 404, ...]",
{
"MetricValue": "1",
"MetricNamespace": "test/404s",
"MetricName": "test404Count"
}
]
}
},
"404Alarm": {
"Properties": {
"AlarmDescription": "The number of 404s is greater than 2 over 2 minutes",
"MetricName": "test404Count",
"Namespace": "test/404s",
"Statistic": "Sum",
"Period": "60",
"Threshold": "2",

402
CloudWatch Logs
"AlarmActions": [
{
}
],
}
},
"AlarmNotificationTopic": {
"Properties": {
"Subscription": [
{
"Endpoint": { "Ref": "OperatorEmail" },
"Protocol": "email"
}
]
}
}
},
"Outputs": {
"InstanceId": {
"Description": "The instance ID of the web server",
"Value": {
"Ref": "WebServerHost"
}
},
"WebsiteURL" : {
"Value" : { "Fn::Join" : ["", ["http://", { "Fn::GetAtt" : [ "WebServerHost",
"PublicDnsName" ]}]] },
"Description" : "URL for newly created IIS web server"
},
"PublicIP": {
"Description": "Public IP address of the web server",
"Value": {
"Fn::GetAtt": [
"WebServerHost",
"PublicIp"
]
}
},
"CloudWatchLogGroupName": {
"Description": "The name of the CloudWatch log group",
"Value": {
"Ref": "LogGroup"
}
}
}
}
YAML
Description: Sample template that sets up and configures CloudWatch logs on Windows 2012R2
instance
instance.
Parameters:
KeyPair:
Description: Name of an existing EC2 KeyPair to enable RDP access to the instances
RDPLocation:
Description: The IP address range that can be used to RDP to the EC2 instances
Type: String

403
CloudWatch Logs
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
OperatorEmail:
Description: Email address to notify if there are any scaling operations
Type: String
Mappings:
AWSAMIRegionMap:
ap-northeast-1:
WS2012R2: ami-06cd52961ce9f0d85
ap-northeast-2:
WS2012R2: ami-0a10b2721688ce9d2
ap-south-1:
WS2012R2: ami-0912f71e06545ad88
ap-southeast-1:
WS2012R2: ami-08569b978cc4dfa10
ap-southeast-2:
WS2012R2: ami-09b42976632b27e9b
ca-central-1:
WS2012R2: ami-0b18956f
eu-central-1:
WS2012R2: ami-0233214e13e500f77
eu-west-1:
WS2012R2: ami-047bb4163c506cd98
eu-west-2:
WS2012R2: ami-f976839e
sa-east-1:
WS2012R2: ami-07b14488da8ea02a0
us-east-1:
WS2012R2: ami-0ff8a91507f77f867
us-east-2:
WS2012R2: ami-0b59bfac6be064b78
us-west-1:
WS2012R2: ami-0bdb828fd58c52235
us-west-2:
WS2012R2: ami-a0cfeed8
Resources:
Properties:
GroupDescription: Enable HTTP access via port 80 and RDP access via port 3389
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '3389'
ToPort: '3389'
CidrIp: !Ref 'RDPLocation'
LogRole:
Properties:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM

404
CloudWatch Logs
Path: /
Policies:
- PolicyName: LogRolePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:Create*
- logs:PutLogEvents
- s3:GetObject
Resource:
- arn:aws:logs:*:*:*
- arn:aws:s3:::*
LogRoleInstanceProfile:
Properties:
Path: /
Roles:
- !Ref 'LogRole'
WebServerHost:
CreationPolicy:
ResourceSignal:
Timeout: PT15M
Metadata:
configSets:
config:
- 00-ConfigureCWLogs
- 01-InstallWebServer
- 02-ConfigureApplication
- 03-Finalize
00-ConfigureCWLogs:
files:
C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch
\AWS.EC2.Windows.CloudWatch.json:
content: !Sub |
{
"EngineConfiguration": {
"Components": [
{
"FullName":
"AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "ApplicationEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Application"
}
},
{
"FullName":
"Id": "SystemEventLog",
"Parameters": {
"Levels": "7",
"LogName": "System"
}
},
{
"FullName":
"Id": "SecurityEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Security"

405
CloudWatch Logs
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "EC2ConfigLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "EC2ConfigLog.txt",
"LogDirectoryPath": "C:\\Program Files\\Amazon\
\Ec2ConfigService\\Logs",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-ddTHH:mm:ss.fffZ:"
}
},
{
"FullName":
"Id": "CfnInitLog",
"Parameters": {
"Encoding": "ASCII",
"Filter": "cfn-init.log",
"LogDirectoryPath": "C:\\cfn\\log",
"TimeZoneKind": "Local",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss,fff"
}
},
{
"FullName":
"Id": "IISLogs",
"Parameters": {
"Encoding": "UTF-8",
"Filter": "",
"LineCount": "3",
"LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\
\W3SVC1",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss"
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Windo
"Id": "MemoryPerformanceCounter",
"Parameters": {
"CategoryName": "Memory",
"CounterName": "Available MBytes",
"DimensionName": "",
"DimensionValue": "",
"InstanceName": "",
"MetricName": "Memory",
"Unit": "Megabytes"
}
},
{
"FullName":
"AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchApplicationEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/ApplicationEventLog",

406
CloudWatch Logs
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName":
"Id": "CloudWatchSystemEventLog",
"Parameters": {
"AccessKey": "",
"LogStream": "{instance_id}/SystemEventLog",
"SecretKey": ""
}
},
{
"FullName":
"Id": "CloudWatchSecurityEventLog",
"Parameters": {
"AccessKey": "",
"LogStream": "{instance_id}/SecurityEventLog",
"SecretKey": ""
}
},
{
"FullName":
"Id": "CloudWatchEC2ConfigLog",
"Parameters": {
"AccessKey": "",
"LogStream": "{instance_id}/EC2ConfigLog",
"SecretKey": ""
}
},
{
"FullName":
"Id": "CloudWatchCfnInitLog",
"Parameters": {
"AccessKey": "",
"LogStream": "{instance_id}/CfnInitLog",
"SecretKey": ""
}
},
{
"FullName":
"Id": "CloudWatchIISLogs",
"Parameters": {
"AccessKey": "",
"LogStream": "{instance_id}/IISLogs",
"SecretKey": ""
}
},
{

407
CloudWatch Logs
"FullName":
"AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatch",
"Parameters": {
"AccessKey": "",
"NameSpace": "Windows/Default",
"SecretKey": ""
}
}
],
"Flows": {
"Flows": [
"ApplicationEventLog,CloudWatchApplicationEventLog",
"SystemEventLog,CloudWatchSystemEventLog",
"SecurityEventLog,CloudWatchSecurityEventLog",
"EC2ConfigLog,CloudWatchEC2ConfigLog",
"CfnInitLog,CloudWatchCfnInitLog",
"IISLogs,CloudWatchIISLogs",
"MemoryPerformanceCounter,CloudWatch"
]
},
"PollInterval": "00:00:05"
},
"IsEnabled": true
}
commands:
0-enableSSM:
command: 'powershell.exe -Command "Set-Service -Name AmazonSSMAgent -
StartupType Automatic" '
waitAfterCompletion: '0'
1-restartSSM:
command: 'powershell.exe -Command "Restart-Service AmazonSSMAgent "'
01-InstallWebServer:
commands:
01_install_webserver:
command: powershell.exe -Command "Install-WindowsFeature Web-Server -
IncludeAllSubFeature"
02-ConfigureApplication:
files:
c:\Inetpub\wwwroot\index.htm:
content: '<html>
<head>
<title>Test Application Page</title>
</head>
<body>
<h1>Congratulations !! Your IIS server is configured.</h1>
</body>
</html>'
03-Finalize:
commands:
00_signal_success:
command: !Sub 'cfn-signal.exe -e 0 --resource WebServerHost --stack
${AWS::StackName} --region ${AWS::Region}'
Properties:
KeyName: !Ref 'KeyPair'
ImageId: !FindInMap [AWSAMIRegionMap, !Ref 'AWS::Region', WS2012R2]
InstanceType: t2.xlarge
SecurityGroupIds:
- !Ref 'WebServerSecurityGroup'
IamInstanceProfile: !Ref 'LogRoleInstanceProfile'
UserData:
Fn::Base64:

408
CloudWatch Logs
!Sub |
<script>
wmic product where "description='Amazon SSM Agent' " uninstall
wmic product where "description='aws-cfn-bootstrap' " uninstall
start /wait c:\\Windows\\system32\\msiexec /passive /qn /i https://
s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-win64-latest.msi
powershell.exe -Command "iwr https://s3.amazonaws.com/ec2-downloads-windows/
SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe -UseBasicParsing -OutFile C:\
\AmazonSSMAgentSetup.exe"
start /wait C:\\AmazonSSMAgentSetup.exe /install /quiet
cfn-init.exe -v -c config -s ${AWS::StackName} --resource WebServerHost --region
${AWS::Region}
</script>
LogGroup:
Properties:
RetentionInDays: 7
404MetricFilter:
Properties:
LogGroupName: !Ref 'LogGroup'
FilterPattern: '[timestamps, serverip, method, uri, query, port, dash, clientip,
useragent, status_code = 404, ...]'
- MetricValue: '1'
MetricNamespace: test/404s
404Alarm:
Properties:
AlarmDescription: The number of 404s is greater than 2 over 2 minutes
Namespace: test/404s
Statistic: Sum
Period: '60'
Threshold: '2'
AlarmActions:
- !Ref 'AlarmNotificationTopic'
AlarmNotificationTopic:
Properties:
Subscription:
- Endpoint: !Ref 'OperatorEmail'
Protocol: email
Outputs:
InstanceId:
Description: The instance ID of the web server
Value: !Ref 'WebServerHost'
WebsiteURL:
Value: !Sub 'http://${WebServerHost.PublicDnsName}'
Description: URL for newly created IIS web server
PublicIP:
Description: Public IP address of the web server
Value: !GetAtt 'WebServerHost.PublicIp'
CloudWatchLogGroupName:
Description: The name of the CloudWatch log group
Value: !Ref 'LogGroup'
See Also
For more information about CloudWatch Logs resources, see AWS::Logs::LogGroup or
AWs::Logs::MetricFilter.

409
DynamoDB
Amazon DynamoDB Template Snippets

Topics
• Application Auto Scaling with an Amazon DynamoDB Table (p. 410)
Application Auto Scaling with an Amazon DynamoDB Table

This example sets up Application Auto Scaling for a AWS::DynamoDB::Table resource. The template
defines a TargetTrackingScaling scaling policy that scales up the WriteCapacityUnits
throughput for the table.
JSON
{
"Resources": {
"DDBTable": {
"Properties": {
{
"AttributeName": "ArtistId",
},
{
"AttributeName": "Concert",
},
{
"AttributeName": "TicketSales",
}
],
"KeySchema": [
{
"KeyType": "HASH"
},
{
"KeyType": "RANGE"
}
],
"GlobalSecondaryIndexes": [
{
"IndexName": "GSI",
"KeySchema": [
{
"KeyType": "HASH"
}
],
"Projection": {
"ProjectionType": "KEYS_ONLY"
},
}
}
],

410
DynamoDB
}
}
},
"WriteCapacityScalableTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {
"MaxCapacity": 15,
"MinCapacity": 5,
"ResourceId": { "Fn::Join": [
"/",
[
"table",
{ "Ref": "DDBTable" }
]
] },
"RoleARN": {
"Fn::GetAtt": ["ScalingRole", "Arn"]
},
"ScalableDimension": "dynamodb:table:WriteCapacityUnits",
"ServiceNamespace": "dynamodb"
}
},
"ScalingRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"application-autoscaling.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:UpdateTable",
"cloudwatch:PutMetricAlarm",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"cloudwatch:SetAlarmState",
"cloudwatch:DeleteAlarms"
],
"Resource": "*"
}
]
}

411
DynamoDB
}
]
}
},
"WriteScalingPolicy": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties": {
"PolicyName": "WriteAutoScalingPolicy",
"PolicyType": "TargetTrackingScaling",
"ScalingTargetId": {
"Ref": "WriteCapacityScalableTarget"
},
"TargetTrackingScalingPolicyConfiguration": {
"TargetValue": 50.0,
"ScaleInCooldown": 60,
"ScaleOutCooldown": 60,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "DynamoDBWriteCapacityUtilization"
}
}
}
}
}
}
YAML
Resources:
DDBTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
-
AttributeName: "ArtistId"
AttributeType: "S"
-
AttributeName: "Concert"
AttributeType: "S"
-
AttributeName: "TicketSales"
AttributeType: "S"
KeySchema:
-
KeyType: "HASH"
-
KeyType: "RANGE"
GlobalSecondaryIndexes:
-
IndexName: "GSI"
KeySchema:
-
KeyType: "HASH"
Projection:
ProjectionType: "KEYS_ONLY"
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
WriteCapacityScalableTarget:

412
DynamoDB
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 15
MinCapacity: 5
ResourceId: !Join
- /
- - table
- !Ref DDBTable
RoleARN: !GetAtt ScalingRole.Arn
ScalableDimension: dynamodb:table:WriteCapacityUnits
ServiceNamespace: dynamodb
ScalingRole:
Properties:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- application-autoscaling.amazonaws.com
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
-
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "dynamodb:DescribeTable"
- "dynamodb:UpdateTable"
- "cloudwatch:PutMetricAlarm"
- "cloudwatch:DescribeAlarms"
- "cloudwatch:GetMetricStatistics"
- "cloudwatch:SetAlarmState"
- "cloudwatch:DeleteAlarms"
Resource: "*"
WriteScalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: WriteAutoScalingPolicy
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref WriteCapacityScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 50.0
ScaleInCooldown: 60
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: DynamoDBWriteCapacityUtilization
See Also
For more information about DynamoDB resources, see AWS::DynamoDB::Table.

413
Amazon EC2
Amazon EC2 Template Snippets

EC2 Block Device Mapping Examples
EC2 Instance with Block Device Mapping
JSON
"Ec2Instance" : {
"Properties" : {
{ "Ref" : "InstanceType" }, "Arch" ] } ] },
"SecurityGroups" : [{ "Ref" : "Ec2SecurityGroup" }],
{
"DeviceName" : "/dev/sda1",
"Ebs" : { "VolumeSize" : "50" }
},{
}
]
}
}
YAML
EC2Instance:
Properties:
ImageId: !FindInMap [ AWSRegionArch2AMI, !Ref 'AWS::Region' , !FindInMap
[ AWSInstanceType2Arch, !Ref InstanceType, Arch ] ]
SecurityGroups:
- !Ref Ec2SecurityGroup
-
DeviceName: /dev/sda1
Ebs:
VolumeSize: 50
-
Ebs:
VolumeSize: 100
EC2 Instance with Ephemeral Drives

JSON
"Ec2Instance" : {
"Properties" : {
"PV64" ]},

414
Amazon EC2

"SecurityGroups" : [{ "Ref" : "Ec2SecurityGroup" }],
{
}
]
}
}
YAML
EC2Instance:
Properties:
ImageId: !FindInMap [ AWSRegionArch2AMI, !Ref 'AWS::Region', PV64 ]
SecurityGroups:
- !Ref Ec2SecurityGroup
-
DeviceName: /dev/sdc
Assigning an Amazon EC2 Elastic IP Using AWS::EC2::EIP Snippet

This example shows how to allocate an Amazon EC2 Elastic IP address and assign it to an Amazon EC2
instance using a AWS::EC2::EIP resource.
JSON
"MyEIP" : {
"Properties" : {
"InstanceId" : { "Ref" : "logical name of an AWS::EC2::Instance resource" }
}
}
YAML
MyEIP:
Type: AWS::EC2::EIP
Properties:
InstanceId: !Ref Logical name of an AWS::EC2::Instance resource
Assigning an Existing Elastic IP to an Amazon EC2 instance using

AWS::EC2::EIPAssociation Snippet
This example shows how to assign an existing Amazon EC2 Elastic IP address to an Amazon EC2 instance
using an AWS::EC2::EIPAssociation resource.
JSON
"IPAssoc" : {

415
Amazon EC2
"Type" : "AWS::EC2::EIPAssociation",
"Properties" : {
"InstanceId" : { "Ref" : "logical name of an AWS::EC2::Instance resource" },
"EIP" : "existing Elastic IP address"
}
}
YAML
IPAssoc:
Type: AWS::EC2::EIPAssociation
Properties:
EIP: existing Elastic IP Address
Assigning an Existing VPC Elastic IP to an Amazon EC2 instance

using AWS::EC2::EIPAssociation Snippet
This example shows how to assign an existing VPC Elastic IP address to an Amazon EC2 instance using an
AWS::EC2::EIPAssociation resource.
JSON
"VpcIPAssoc" : {
"Properties" : {
"InstanceId" : { "Ref" : "logical name of an AWS::EC2::Instance resource" },
"AllocationId" : "existing VPC Elastic IP allocation ID"
}
}
YAML
VpcIPAssoc:
Properties:
AllocationId: Existing VPC Elastic IP allocation ID
Elastic Network Interface (ENI) Template Snippets

VPC_EC2_Instance_With_ENI
Sample template showing how to create an instance with two elastic network interface (ENI). The sample
assumes you have already created a VPC.
JSON
"Resources" : {
"ControlPortAddress" : {
"Properties" : {
"Domain" : "vpc"
}

416
Amazon EC2
},
"AssociateControlPort" : {
"Properties" : {
"AllocationId" : { "Fn::GetAtt" : [ "ControlPortAddress", "AllocationId" ]},
"NetworkInterfaceId" : { "Ref" : "controlXface" }
}
},
"WebPortAddress" : {
"Properties" : {
"Domain" : "vpc"
}
},
"AssociateWebPort" : {
"Properties" : {
"AllocationId" : { "Fn::GetAtt" : [ "WebPortAddress", "AllocationId" ]},
"NetworkInterfaceId" : { "Ref" : "webXface" }
}
},
"SSHSecurityGroup" : {
"Properties" : {
"VpcId" : { "Ref" : "VpcId" },
"GroupDescription" : "Enable SSH access via port 22",
"SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" :
"22", "CidrIp" : "0.0.0.0/0" } ]
}
},
"WebSecurityGroup" : {
"Properties" : {
"GroupDescription" : "Enable HTTP access via user defined port",
"SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80,
"CidrIp" : "0.0.0.0/0" } ]
}
},
"controlXface" : {
"Type" : "AWS::EC2::NetworkInterface",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetId" },
"Description" :"Interface for control traffic such as SSH",
"GroupSet" : [ {"Ref" : "SSHSecurityGroup"} ],
"SourceDestCheck" : "true",
"Tags" : [ {"Key" : "Network", "Value" : "Control"}]
}
},
"webXface" : {
"Properties" : {
"Description" :"Interface for web traffic",
"GroupSet" : [ {"Ref" : "WebSecurityGroup"} ],
"Tags" : [ {"Key" : "Network", "Value" : "Web"}]
}
},
"Ec2Instance" : {
"Properties" : {
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]},
"NetworkInterfaces" : [ { "NetworkInterfaceId" : {"Ref" : "controlXface"},
"DeviceIndex" : "0" },

417
Amazon EC2
{ "NetworkInterfaceId" : {"Ref" : "webXface"}, "DeviceIndex" : "1" }],

"Tags" : [ {"Key" : "Role", "Value" : "Test Instance"}],
"UserData" : {"Fn::Base64" : { "Fn::Join" : ["",[
"#!/bin/bash -ex","\n",
"\n","yum install ec2-net-utils -y","\n",
"ec2ifup eth1","\n",
"service httpd start"]]}
}
}
}
}
YAML
Resources:
ControlPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateControlPort:
Properties:
AllocationId: !GetAtt ControlPortAddress.AllocationId
NetworkInterfaceId: !Ref controlXface
WebPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateWebPort:
Properties:
AllocationId: !GetAtt WebPortAddress.AllocationId
NetworkInterfaceId: !Ref webXface
SSHSecurityGroup:
Properties:
VpcId: !Ref VpcId
- CidrIp: 0.0.0.0/0
FromPort: 22
IpProtocol: tcp
ToPort: 22
WebSecurityGroup:
Properties:
VpcId: !Ref VpcId
GroupDescription: Enable HTTP access via user defined port
- CidrIp: 0.0.0.0/0
FromPort: 80
IpProtocol: tcp
ToPort: 80
controlXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId: !Ref SubnetId
Description: Interface for controlling traffic such as SSH
GroupSet:
- !Ref SSHSecurityGroup
SourceDestCheck: true
Tags:
-
Key: Network

418
Amazon EC2
Value: Control
webXface:
Properties:
GroupSet:
- !Ref WebSecurityGroup
Tags:
-
Key: Network
Value: Web
Ec2Instance:
Properties:
ImageId: !FindInMap [ RegionMap, !Ref 'AWS::Region', AMI ]
NetworkInterfaces:
-
DeviceIndex: 0
-
DeviceIndex: 1
Tags:
-
Key: Role
Value: Test Instance
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum install ec2-net-utils -y
ec2ifup eth1
service httpd start
Amazon EC2 Instance Resource

This snippet shows a simple AWS::EC2::Instance resource.
JSON
"MyInstance" : {
"Properties" : {
}
}
YAML
MyInstance:
Properties:
AvailabilityZone: us-east-1a

419
Amazon EC2
Amazon EC2 Instance with Volume, Tag, and UserData

Properties
This snippet shows an AWS::EC2::Instance resource with one Amazon EC2 volume, one tag, and
a user data property. An AWS::EC2::SecurityGroup resource, an AWS::SNS::Topic resource, and an
AWS::EC2::Volume resource all must be defined in the same template. Also, the reference to KeyName is
a parameters that must be defined in the Parameters section of the template.
JSON
"MyInstance" : {
"Properties" : {
"SecurityGroups" : [ {
"Ref" : "logical name of AWS::EC2::SecurityGroup resource"
} ],
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [ ":", [
"PORT=80",
"TOPIC=", {
"Ref" : "logical name of an AWS::SNS::Topic resource"
} ]
]
}
},
"Volumes" : [
{ "VolumeId" : {
"Ref" : "logical name of AWS::EC2::Volume resource"
},
"Device" : "/dev/sdk" }
],
"Tags" : [ {
"Key" : "Name",
"Value" : "MyTag"
} ]
}
}
YAML
MyInstance:
Properties:
SecurityGroups:
- !Ref logical name of AWS::EC2::SecurityGroup resource
UserData:
Fn::Base64: !Sub |
PORT=80
TOPIC=${ logical name of an AWS::SNS::Topic resource }
Volumes:
-

420
Amazon EC2
VolumeId: !Ref logical name of AWS::EC2::Volume resource

Device: /dev/sdk
Tags:
-
Key: Name
Value: MyTag
Amazon EC2 Instance Resource with an Amazon SimpleDB

Domain
This snippet shows an AWS::EC2::Instance resource with an Amazon SimpleDB domain specified in the
UserData.
JSON
"MyInstance" : {
"Properties" : {
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [ "",
[ "Domain=", {
"Ref" : "logical name of an AWS::SDB::Domain resource"
} ]
]
}
},
}
}
YAML
MyInstance:
Properties:
UserData:
Fn::Base64: !Sub |
Domain=${ logical name of an AWS::SDB::Domain resource }
Amazon EC2 Security Group Resource with Two CIDR Range

Ingress Rules
This snippet shows an AWS::EC2::SecurityGroup resource that describes two ingress rules giving access to
a specified CIDR range for the TCP protocol on the specified ports.
JSON
"ServerSecurityGroup" : {
"Properties" : {
"GroupDescription" : "allow connections from specified CIDR ranges",
{

421
Amazon EC2
"FromPort" : "80",
"ToPort" : "80",
"CidrIp" : "0.0.0.0/0"
},{
"FromPort" : "22",
"ToPort" : "22",
"CidrIp" : "192.168.1.1/32"
}
]
}
}
YAML
ServerSecurityGroup:
Properties:
GroupDescription: allow connections from specified CIDR ranges
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 192.168.1.1/32
Amazon EC2 Security Group Resource with Two Security Group

Ingress Rules
This snippet shows an AWS::EC2::SecurityGroup resource that describes two security group ingress rules.
The first ingress rule grants access to the existing security group myadminsecuritygroup, which is owned
by the 1234-5678-9012 AWS account, for the TCP protocol on port 22. The second ingress rule grants
access to the security group mysecuritygroupcreatedincfn for TCP on port 80. This ingress rule uses the
Ref intrinsic function to refer to a security group (whose logical name is mysecuritygroupcreatedincfn)
created in the same template. You must declare a value for both the SourceSecurityGroupName and
SourceSecurityGroupOwnerId properties.
JSON
"ServerSecurityGroupBySG" : {
"Properties" : {
"GroupDescription" : "allow connections from specified source security group",
{
"FromPort" : "22",
"ToPort" : "22",
"SourceSecurityGroupName" : "myadminsecuritygroup",
"SourceSecurityGroupOwnerId" : "123456789012"
},
{
"FromPort" : "80",
"ToPort" : "80",
"SourceSecurityGroupName" : {"Ref" : "mysecuritygroupcreatedincfn"}

422
Amazon EC2
}
]
}
}
YAML
ServerSecurityGroupBySG:
Properties:
GroupDescription: allow connections from specified source security group
- IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupName: myadminsecuritygroup
SourceSecurityGroupOwnerId: 123456789012
- IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupName: !Ref mysecuritygroupcreatedincfn
Amazon EC2 Security Group Resource with LoadBalancer Ingress

Rule
This template shows an AWS::EC2::SecurityGroup resource that contains a security group ingress
rule that grants access to the LoadBalancer myELB for TCP on port 80. Note that the rule uses the
SourceSecurityGroup.OwnerAlias and SourceSecurityGroup.GroupName properties of the
myELB resource to specify the source security group of the LoadBalancer.
JSON
{
"Resources": {
"myELB": {
"Properties": {
"AvailabilityZones": [
"eu-west-1a"
],
"Listeners": [
{
"Protocol": "HTTP"
}
]
}
},
"myELBIngressGroup": {
"Properties": {
"GroupDescription": "ELB ingress group",
{
"FromPort": "80",
"ToPort": "80",
"SourceSecurityGroupOwnerId": {

423
Amazon EC2
"Fn::GetAtt": [
"myELB",
"SourceSecurityGroup.OwnerAlias"
]
},
"SourceSecurityGroupName": {
"Fn::GetAtt": [
"myELB",
"SourceSecurityGroup.GroupName"
]
}
}
]
}
}
}
}
YAML
Resources:
myELB:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- eu-west-1a
Listeners:
InstancePort: '80'
Protocol: HTTP
myELBIngressGroup:
Properties:
GroupDescription: ELB ingress group
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
SourceSecurityGroupOwnerId: !GetAtt myELB.SourceSecurityGroup.OwnerAlias
SourceSecurityGroupName: !GetAtt myELB.SourceSecurityGroup.GroupName
Using AWS::EC2::SecurityGroupIngress to Create Mutually

Referencing Amazon EC2 Security Group Resources
This snippet shows two AWS::EC2::SecurityGroupIngress resources that add mutual ingress rules to the
EC2 security groups SGroup1 and SGroup2. The SGroup1Ingress resource enables ingress from SGroup2
through TCP/IP port 80 to SGroup1. The SGroup2Ingress resource enables ingress from SGroup1 through
TCP/IP port 80 to SGroup2.
Note
If you are using an Amazon VPC, use the AWS::EC2::SecurityGroup resource and specify the
VpcId property.
JSON
"SGroup1" : {
"Properties" : {
"GroupDescription" : "EC2 Instance access"

424
Amazon EC2
}
},
"SGroup2" : {
"Properties" : {
"GroupDescription" : "EC2 Instance access"
}
},
"SGroup1Ingress" : {
"Type" : "AWS::EC2::SecurityGroupIngress",
"Properties" : {
"GroupName" : { "Ref" : "SGroup1" },
"ToPort" : "80",
"FromPort" : "80",
"SourceSecurityGroupName" : { "Ref" : "SGroup2" }
}
},
"SGroup2Ingress" : {
"Properties" : {
"GroupName" : { "Ref" : "SGroup2" },
"ToPort" : "80",
"FromPort" : "80",
"SourceSecurityGroupName" : { "Ref" : "SGroup1" }
}
}
YAML
SGroup1:
Properties:
GroupDescription: EC2 Instance access
SGroup2:
Properties:
GroupDescription: EC2 Instance access
SGroup1Ingress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupName: !Ref SGroup1
IpProtocol: tcp
ToPort: 80
FromPort: 80
SourceSecurityGroupName: !Ref SGroup2
SGroup2Ingress:
Properties:
GroupName: !Ref SGroup2
IpProtocol: tcp
ToPort: 80
FromPort: 80
SourceSecurityGroupName: !Ref SGroup1
Amazon EC2 Volume Resource

This snippet shows a simple Amazon EC2 volume resource with a DeletionPolicy attribute set to
Snapshot. With the Snapshot DeletionPolicy set, AWS CloudFormation will take a snapshot of this
volume before deleting it during stack deletion. Make sure you specify a value for SnapShotId, or a
value for Size, but not both. Remove the one you don't need.

425
Amazon EC2
JSON
"MyEBSVolume" : {
"Properties" : {
"Size" : "specify a size if no SnapShotId",
"SnapshotId" : "specify a SnapShotId if no Size",
"AvailabilityZone" : { "Ref" : "AvailabilityZone" }
},
"DeletionPolicy" : "Snapshot"
}
YAML
MyEBSVolume:
Type: AWS::EC2::Volume
Properties:
Size: specify a size if no SnapshotId
SnapshotId: specify a SnapShotId if no Size
AvailabilityZone: !Ref AvailabilityZone
DeletionPolicy: Snapshot
Amazon EC2 VolumeAttachment Resource

This snippet shows the following resources: an Amazon EC2 instance using an Amazon Linux AMI from
the US-East (Northern Virginia) Region, an EC2 security group that allows SSH access to IP addresses, a
new Amazon EBS volume sized at 100 GB and in the same Availability Zone as the EC2 instance, and a
volume attachment that attaches the new volume to the EC2 instance.
JSON
"Resources" : {
"Ec2Instance" : {
"Properties" : {
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
}
},
"Properties" : {
"FromPort" : "22",
"ToPort" : "22",
"CidrIp" : "0.0.0.0/0"
} ]
}
},
"NewVolume" : {
"Properties" : {
"Size" : "100",
"AvailabilityZone" : { "Fn::GetAtt" : [ "Ec2Instance", "AvailabilityZone" ]}
}
},

426
Amazon EC2
"MountPoint" : {
"Properties" : {
"InstanceId" : { "Ref" : "Ec2Instance" },
}
}
}
YAML
Resources:
Ec2Instance:
Properties:
SecurityGroups:
Properties:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
NewVolume:
Properties:
Size: 100
AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
MountPoint:
Type: AWS::EC2::VolumeAttachment
Properties:
InstanceId: !Ref Ec2Instance
VolumeId: !Ref NewVolume
Device: /dev/sdh
Amazon EC2 Instance in a Default VPC Security Group

Whenever you create a VPC, AWS automatically creates default resources for that VPC, such as a security
group. However, when you define a VPC in AWS CloudFormation templates, you don't yet have the
physical IDs of those default resources. To obtain the IDs, use the Fn::GetAtt (p. 3807) intrinsic
function. That way, you can use the default resources instead of creating new ones in your template. For
example, the following template snippet associates the default security group of the myVPC VPC with
the myInstance Amazon EC2 instance.
JSON
"myVPC": {
"Properties": {
"CidrBlock": {"Ref": "myVPCCIDRRange"},
}
},

427
Amazon EC2
"myInstance" : {
"Properties" : {
"ImageId": {
"Fn::FindInMap": ["AWSRegionToAMI",{"Ref": "AWS::Region"},"64"]
},
"SecurityGroupIds" : [{"Fn::GetAtt": ["myVPC", "DefaultSecurityGroup"]}],
"SubnetId" : {"Ref" : "mySubnet"}
}
}
YAML
myVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref myVPCCIDRRange
myInstance:
Properties:
ImageId: !FindInMap [ AWSRegionToAMI , !Ref 'AWS::Region', 64 ]
SecurityGroupIds:
- !GetAtt myVPC.DefaultSecurityGroup
SubnetId: !Ref mySubnet
Amazon EC2 Route with Egress-Only Internet Gateway

The following template sets up an egress-only Internet gateway that's used with an EC2 route.
JSON
{
"Resources": {
"DefaultIpv6Route": {
"Properties": {
"DestinationIpv6CidrBlock": "::/0",
"EgressOnlyInternetGatewayId": {
"Ref": "EgressOnlyInternetGateway"
},
"RouteTableId": {
"Ref": "RouteTable"
}
},
"Type": "AWS::EC2::Route"
},
"EgressOnlyInternetGateway": {
"Properties": {
"VpcId": {
"Ref": "VPC"
}
},
"Type": "AWS::EC2::EgressOnlyInternetGateway"
},
"RouteTable": {
"Properties": {
"VpcId": {
"Ref": "VPC"
}

428
Amazon ECS
},
"Type": "AWS::EC2::RouteTable"
},
"VPC": {
"Properties": {
"CidrBlock": "10.0.0.0/16"
},
"Type": "AWS::EC2::VPC"
}
}
}
YAML
Resources:
DefaultIpv6Route:
Type: AWS::EC2::Route
Properties:
DestinationIpv6CidrBlock: "::/0"
EgressOnlyInternetGatewayId: !Ref EgressOnlyInternetGateway
RouteTableId: !Ref RouteTable
EgressOnlyInternetGateway:
Type: AWS::EC2::EgressOnlyInternetGateway
Properties:
VpcId: !Ref VPC
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
VPC:
Type: AWS::EC2::VPC
Properties:
Amazon Elastic Container Service Template Snippets

Amazon Elastic Container Service (Amazon ECS) is a container management service that makes it easy to
run, stop, and manage Docker containers on a cluster of Amazon Elastic Compute Cloud (Amazon EC2)
instances.
The following example template deploys a web application in an Amazon ECS container with autoscaling
and an application load balancer. For more information, see Getting Started with Amazon ECS in the
Amazon Elastic Container Service Developer Guide.
Important
For the latest AMI IDs, see Amazon ECS-optimized AMI in the Amazon Elastic Container Service
Developer Guide.
JSON
{
"AWSTemplateFormatVersion":"2010-09-09",
"Parameters":{
"KeyName":{
"Type":"AWS::EC2::KeyPair::KeyName",
"Description":"Name of an existing EC2 KeyPair to enable SSH access to the ECS
instances."
},
"VpcId":{
"Type":"AWS::EC2::VPC::Id",

429
Amazon ECS
"Description":"Select a VPC that allows instances to access the Internet."

},
"SubnetId":{
"Type":"List<AWS::EC2::Subnet::Id>",
"Description":"Select at two subnets in your selected VPC."
},
"DesiredCapacity":{
"Type":"Number",
"Default":"1",
"Description":"Number of instances to launch in your ECS cluster."
},
"MaxSize":{
"Type":"Number",
"Default":"1",
"Description":"Maximum number of instances that can be launched in your ECS cluster."
},
"InstanceType":{
"Description":"EC2 instance type",
"Type":"String",
"Default":"t2.micro",
"AllowedValues":[
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge"
],
"ConstraintDescription":"Please choose a valid instance type."
}
},
"Mappings":{
"AWSRegionToAMI":{
"us-east-1":{
"AMIID":"ami-eca289fb"
},
"us-east-2":{
"AMIID":"ami-446f3521"
},
"us-west-1":{

430
Amazon ECS
"AMIID":"ami-9fadf8ff"
},
"us-west-2":{
"AMIID":"ami-7abc111a"
},
"eu-west-1":{
"AMIID":"ami-a1491ad2"
},
"eu-central-1":{
"AMIID":"ami-54f5303b"
},
"ap-northeast-1":{
"AMIID":"ami-9cd57ffd"
},
"ap-southeast-1":{
"AMIID":"ami-a900a3ca"
},
"ap-southeast-2":{
"AMIID":"ami-5781be34"
}
}
},
"Resources":{
"ECSCluster":{
"Type":"AWS::ECS::Cluster"
},
"EcsSecurityGroup":{
"Type":"AWS::EC2::SecurityGroup",
"Properties":{
"GroupDescription":"ECS Security Group",
"VpcId":{
"Ref":"VpcId"
}
}
},
"EcsSecurityGroupHTTPinbound":{
"Type":"AWS::EC2::SecurityGroupIngress",
"Properties":{
"GroupId":{
"Ref":"EcsSecurityGroup"
},
"IpProtocol":"tcp",
"FromPort":"80",
"ToPort":"80",
"CidrIp":"0.0.0.0/0"
}
},
"EcsSecurityGroupSSHinbound":{
"Properties":{
"GroupId":{
},
"IpProtocol":"tcp",
"FromPort":"22",
"ToPort":"22",
"CidrIp":"0.0.0.0/0"
}
},
"EcsSecurityGroupALBports":{
"Properties":{
"GroupId":{
},
"IpProtocol":"tcp",

431
Amazon ECS
"FromPort":"31000",
"ToPort":"61000",
"SourceSecurityGroupId":{
}
}
},
"CloudwatchLogsGroup":{
"Type":"AWS::Logs::LogGroup",
"Properties":{
"LogGroupName":{
"Fn::Join":[
"-",
[
"ECSLogGroup",
{
"Ref":"AWS::StackName"
}
]
]
},
"RetentionInDays":14
}
},
"taskdefinition":{
"Type":"AWS::ECS::TaskDefinition",
"Properties":{
"Family":{
"Fn::Join":[
"",
[
{
},
"-ecs-demo-app"
]
]
},
"ContainerDefinitions":[
{
"Name":"simple-app",
"Cpu":"10",
"Essential":"true",
"Image":"httpd:2.4",
"Memory":"300",
"LogConfiguration":{
"LogDriver":"awslogs",
"Options":{
"awslogs-group":{
"Ref":"CloudwatchLogsGroup"
},
"awslogs-region":{
"Ref":"AWS::Region"
},
"awslogs-stream-prefix":"ecs-demo-app"
}
},
"MountPoints":[
{
"ContainerPath":"/usr/local/apache2/htdocs",
"SourceVolume":"my-vol"
}
],
"PortMappings":[
{
"ContainerPort":80

432
Amazon ECS
}
]
},
{
"Name":"busybox",
"Cpu":10,
"Command":[
"/bin/sh -c \"while true; do echo '<html> <head> <title>Amazon ECS
Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style>
</head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1>
<h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon
ECS.</p>' > top; /bin/date > date ; echo '</div></body></html>' > bottom; cat top date
bottom > /usr/local/apache2/htdocs/index.html ; sleep 1; done\""
],
"EntryPoint":[
"sh",
"-c"
],
"Essential":false,
"Image":"busybox",
"Memory":200,
"LogConfiguration":{
"LogDriver":"awslogs",
"Options":{
"awslogs-group":{
"Ref":"CloudwatchLogsGroup"
},
"awslogs-region":{
"Ref":"AWS::Region"
},
"awslogs-stream-prefix":"ecs-demo-app"
}
},
"VolumesFrom":[
{
"SourceContainer":"simple-app"
}
]
}
],
"Volumes":[
{
"Name":"my-vol"
}
]
}
},
"ECSALB":{
"Type":"AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties":{
"Name":"ECSALB",
"Scheme":"internet-facing",
"LoadBalancerAttributes":[
{
"Key":"idle_timeout.timeout_seconds",
"Value":"30"
}
],
"Subnets":{
"Ref":"SubnetId"
},
"SecurityGroups":[
{
}
]

433
Amazon ECS
}
},
"ALBListener":{
"Type":"AWS::ElasticLoadBalancingV2::Listener",
"DependsOn":"ECSServiceRole",
"Properties":{
"DefaultActions":[
{
"Type":"forward",
"TargetGroupArn":{
"Ref":"ECSTG"
}
}
],
"LoadBalancerArn":{
"Ref":"ECSALB"
},
"Port":"80",
"Protocol":"HTTP"
}
},
"ECSALBListenerRule":{
"Type":"AWS::ElasticLoadBalancingV2::ListenerRule",
"DependsOn":"ALBListener",
"Properties":{
"Actions":[
{
"Type":"forward",
"TargetGroupArn":{
"Ref":"ECSTG"
}
}
],
"Conditions":[
{
"Field":"path-pattern",
"Values":[
"/"
]
}
],
"ListenerArn":{
"Ref":"ALBListener"
},
"Priority":1
}
},
"ECSTG":{
"Type":"AWS::ElasticLoadBalancingV2::TargetGroup",
"DependsOn":"ECSALB",
"Properties":{
"HealthCheckIntervalSeconds":10,
"HealthCheckPath":"/",
"HealthCheckProtocol":"HTTP",
"HealthCheckTimeoutSeconds":5,
"HealthyThresholdCount":2,
"Name":"ECSTG",
"Port":80,
"Protocol":"HTTP",
"UnhealthyThresholdCount":2,
"VpcId":{
"Ref":"VpcId"
}
}
},
"ECSAutoScalingGroup":{

434
Amazon ECS
"Type":"AWS::AutoScaling::AutoScalingGroup",
"Properties":{
"VPCZoneIdentifier":{
"Ref":"SubnetId"
},
"LaunchConfigurationName":{
"Ref":"ContainerInstances"
},
"MinSize":"1",
"MaxSize":{
"Ref":"MaxSize"
},
"DesiredCapacity":{
"Ref":"DesiredCapacity"
}
},
"CreationPolicy":{
"ResourceSignal":{
"Timeout":"PT15M"
}
},
"UpdatePolicy":{
"AutoScalingReplacingUpdate":{
"WillReplace":"true"
}
}
},
"ContainerInstances":{
"Type":"AWS::AutoScaling::LaunchConfiguration",
"Properties":{
"ImageId":{
"Fn::FindInMap":[
"AWSRegionToAMI",
{
"Ref":"AWS::Region"
},
"AMIID"
]
},
"SecurityGroups":[
{
}
],
"InstanceType":{
"Ref":"InstanceType"
},
"IamInstanceProfile":{
"Ref":"EC2InstanceProfile"
},
"KeyName":{
"Ref":"KeyName"
},
"UserData":{
"Fn::Base64":{
"Fn::Join":[
"",
[
"echo ECS_CLUSTER=",
{
"Ref":"ECSCluster"
},
" >> /etc/ecs/ecs.config\n",

435
Amazon ECS
" --stack ",

{
},
" --resource ECSAutoScalingGroup ",
" --region ",
{
"Ref":"AWS::Region"
},
"\n"
]
]
}
}
}
},
"service":{
"Type":"AWS::ECS::Service",
"DependsOn":"ALBListener",
"Properties":{
"Cluster":{
"Ref":"ECSCluster"
},
"DesiredCount":"1",
"LoadBalancers":[
{
"ContainerName":"simple-app",
"ContainerPort":"80",
"TargetGroupArn":{
"Ref":"ECSTG"
}
}
],
"Role":{
"Ref":"ECSServiceRole"
},
"TaskDefinition":{
"Ref":"taskdefinition"
}
}
},
"ECSServiceRole":{
"Type":"AWS::IAM::Role",
"Properties":{
"AssumeRolePolicyDocument":{
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":[
"ecs.amazonaws.com"
]
},
"Action":[
"sts:AssumeRole"
]
}
]
},
"Path":"/",
"Policies":[
{
"PolicyName":"ecs-service",
"PolicyDocument":{
"Statement":[
{

436
Amazon ECS
"Effect":"Allow",
"Action":[
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"ec2:Describe*",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource":"*"
}
]
}
}
]
}
},
"ServiceScalingTarget":{
"Type":"AWS::ApplicationAutoScaling::ScalableTarget",
"DependsOn":"service",
"Properties":{
"MaxCapacity":2,
"MinCapacity":1,
"ResourceId":{
"Fn::Join":[
"",
[
"service/",
{
"Ref":"ECSCluster"
},
"/",
{
"Fn::GetAtt":[
"service",
"Name"
]
}
]
]
},
"RoleARN":{
"Fn::GetAtt":[
"AutoscalingRole",
"Arn"
]
},
"ScalableDimension":"ecs:service:DesiredCount",
"ServiceNamespace":"ecs"
}
},
"ServiceScalingPolicy":{
"Type":"AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties":{
"PolicyName":"AStepPolicy",
"PolicyType":"StepScaling",
"ScalingTargetId":{
"Ref":"ServiceScalingTarget"
},
"StepScalingPolicyConfiguration":{
"AdjustmentType":"PercentChangeInCapacity",
"Cooldown":60,
"MetricAggregationType":"Average",
"StepAdjustments":[
{

437
Amazon ECS
"MetricIntervalLowerBound":0,
"ScalingAdjustment":200
}
]
}
}
},
"ALB500sAlarmScaleUp":{
"Type":"AWS::CloudWatch::Alarm",
"Properties":{
"EvaluationPeriods":"1",
"Statistic":"Average",
"Threshold":"10",
"AlarmDescription":"Alarm if our ALB generates too many HTTP 500s.",
"Period":"60",
"AlarmActions":[
{
"Ref":"ServiceScalingPolicy"
}
],
"Namespace":"AWS/ApplicationELB",
"Dimensions":[
{
"Name":"LoadBalancer",
"Value":{
"Fn::GetAtt" : [
"ECSALB",
"LoadBalancerFullName"
]
}
}
],
"ComparisonOperator":"GreaterThanThreshold",
"MetricName":"HTTPCode_ELB_5XX_Count"
}
},
"EC2Role":{
"Properties":{
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":[
"ec2.amazonaws.com"
]
},
"Action":[
"sts:AssumeRole"
]
}
]
},
"Path":"/",
"Policies":[
{
"PolicyName":"ecs-service",
"PolicyDocument":{
"Statement":[
{
"Effect":"Allow",
"Action":[
"ecs:CreateCluster",
"ecs:DeregisterContainerInstance",
"ecs:DiscoverPollEndpoint",

438
Amazon ECS
"ecs:Poll",
"ecs:RegisterContainerInstance",
"ecs:StartTelemetrySession",
"ecs:Submit*",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource":"*"
}
]
}
}
]
}
},
"AutoscalingRole":{
"Properties":{
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":[
]
},
"Action":[
"sts:AssumeRole"
]
}
]
},
"Path":"/",
"Policies":[
{
"PolicyName":"service-autoscaling",
"PolicyDocument":{
"Statement":[
{
"Effect":"Allow",
"Action":[
"application-autoscaling:*",
"ecs:DescribeServices",
"ecs:UpdateService"
],
"Resource":"*"
}
]
}
}
]
}
},
"EC2InstanceProfile":{
"Type":"AWS::IAM::InstanceProfile",
"Properties":{
"Path":"/",
"Roles":[
{
"Ref":"EC2Role"
}
]
}

439
Amazon ECS
}
},
"Outputs":{
"ecsservice":{
"Value":{
"Ref":"service"
}
},
"ecscluster":{
"Value":{
"Ref":"ECSCluster"
}
},
"ECSALB":{
"Description":"Your ALB DNS URL",
"Value":{
"Fn::Join":[
"",
[
{
"Fn::GetAtt":[
"ECSALB",
"DNSName"
]
}
]
]
}
},
"taskdef":{
"Value":{
}
}
}
}
YAML
Parameters:
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the ECS instances.
VpcId:
Type: AWS::EC2::VPC::Id
Description: Select a VPC that allows instances access to the Internet.
SubnetId:
Type: List<AWS::EC2::Subnet::Id>
Description: Select at two subnets in your selected VPC.
DesiredCapacity:
Type: Number
Default: '1'
Description: Number of instances to launch in your ECS cluster.
MaxSize:
Type: Number
Default: '1'
Description: Maximum number of instances that can be launched in your ECS cluster.
InstanceType:
Description: EC2 instance type
Type: String
Default: t2.micro
AllowedValues: [t2.micro, t2.small, t2.medium, t2.large, m3.medium, m3.large,
m3.xlarge, m3.2xlarge, m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge,

440
Amazon ECS
c4.large, c4.xlarge, c4.2xlarge, c4.4xlarge, c4.8xlarge, c3.large, c3.xlarge,

c3.2xlarge, c3.4xlarge, c3.8xlarge, r3.large, r3.xlarge, r3.2xlarge, r3.4xlarge,
r3.8xlarge, i2.xlarge, i2.2xlarge, i2.4xlarge, i2.8xlarge]
ConstraintDescription: Please choose a valid instance type.
Mappings:
AWSRegionToAMI:
us-east-1:
AMIID: ami-eca289fb
us-east-2:
AMIID: ami-446f3521
us-west-1:
AMIID: ami-9fadf8ff
us-west-2:
AMIID: ami-7abc111a
eu-west-1:
AMIID: ami-a1491ad2
eu-central-1:
AMIID: ami-54f5303b
ap-northeast-1:
AMIID: ami-9cd57ffd
ap-southeast-1:
AMIID: ami-a900a3ca
ap-southeast-2:
AMIID: ami-5781be34
Resources:
ECSCluster:
Type: AWS::ECS::Cluster
EcsSecurityGroup:
Properties:
GroupDescription: ECS Security Group
VpcId: !Ref 'VpcId'
EcsSecurityGroupHTTPinbound:
Properties:
GroupId: !Ref 'EcsSecurityGroup'
IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
EcsSecurityGroupSSHinbound:
Properties:
IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 0.0.0.0/0
EcsSecurityGroupALBports:
Properties:
IpProtocol: tcp
FromPort: '31000'
ToPort: '61000'
SourceSecurityGroupId: !Ref 'EcsSecurityGroup'
CloudwatchLogsGroup:
Properties:
LogGroupName: !Join ['-', [ECSLogGroup, !Ref 'AWS::StackName']]
RetentionInDays: 14
taskdefinition:
Type: AWS::ECS::TaskDefinition
Properties:
Family: !Join ['', [!Ref 'AWS::StackName', -ecs-demo-app]]
ContainerDefinitions:

441
Amazon ECS
- Name: simple-app
Cpu: '10'
Essential: 'true'
Image: httpd:2.4
Memory: '300'
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Ref 'CloudwatchLogsGroup'
awslogs-region: !Ref 'AWS::Region'
awslogs-stream-prefix: ecs-demo-app
MountPoints:
- ContainerPath: /usr/local/apache2/htdocs
SourceVolume: my-vol
PortMappings:
- ContainerPort: 80
- Name: busybox
Cpu: 10
Command: ['/bin/sh -c "while true; do echo ''<html> <head> <title>Amazon ECS
Sample App</title> <style>body {margin-top: 40px; background-color: #333;}
</style> </head><body> <div style=color:white;text-align:center> <h1>Amazon
ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now
running on a container in Amazon ECS.</p>'' > top; /bin/date > date ;
echo ''</div></body></html>'' > bottom; cat top date bottom > /usr/local/
apache2/htdocs/index.html
; sleep 1; done"']
EntryPoint: [sh, -c]
Essential: false
Image: busybox
Memory: 200
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Ref 'CloudwatchLogsGroup'
awslogs-region: !Ref 'AWS::Region'
awslogs-stream-prefix: ecs-demo-app
VolumesFrom:
- SourceContainer: simple-app
Volumes:
- Name: my-vol
ECSALB:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: ECSALB
Scheme: internet-facing
LoadBalancerAttributes:
- Key: idle_timeout.timeout_seconds
Value: '30'
Subnets: !Ref 'SubnetId'
SecurityGroups: [!Ref 'EcsSecurityGroup']
ALBListener:
Type: AWS::ElasticLoadBalancingV2::Listener
DependsOn: ECSServiceRole
Properties:
DefaultActions:
- Type: forward
TargetGroupArn: !Ref 'ECSTG'
LoadBalancerArn: !Ref 'ECSALB'
Port: '80'
Protocol: HTTP
ECSALBListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
DependsOn: ALBListener
Properties:
Actions:
- Type: forward

442
Amazon ECS

Conditions:
- Field: path-pattern
Values: [/]
ListenerArn: !Ref 'ALBListener'
Priority: 1
ECSTG:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
DependsOn: ECSALB
Properties:
HealthCheckIntervalSeconds: 10
HealthCheckPath: /
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 5
HealthyThresholdCount: 2
Name: ECSTG
Port: 80
Protocol: HTTP
UnhealthyThresholdCount: 2
VpcId: !Ref 'VpcId'
ECSAutoScalingGroup:
Properties:
VPCZoneIdentifier: !Ref 'SubnetId'
LaunchConfigurationName: !Ref 'ContainerInstances'
MinSize: '1'
MaxSize: !Ref 'MaxSize'
DesiredCapacity: !Ref 'DesiredCapacity'
CreationPolicy:
ResourceSignal:
Timeout: PT15M
UpdatePolicy:
AutoScalingReplacingUpdate:
WillReplace: 'true'
ContainerInstances:
Properties:
ImageId: !FindInMap [AWSRegionToAMI, !Ref 'AWS::Region', AMIID]
SecurityGroups: [!Ref 'EcsSecurityGroup']
InstanceType: !Ref 'InstanceType'
IamInstanceProfile: !Ref 'EC2InstanceProfile'
KeyName: !Ref 'KeyName'
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource
ECSAutoScalingGroup --region ${AWS::Region}
service:
Type: AWS::ECS::Service
DependsOn: ALBListener
Properties:
Cluster: !Ref 'ECSCluster'
DesiredCount: '1'
LoadBalancers:
- ContainerName: simple-app
ContainerPort: '80'
Role: !Ref 'ECSServiceRole'
TaskDefinition: !Ref 'taskdefinition'
ECSServiceRole:
Properties:
Statement:

443
Amazon ECS
- Effect: Allow
Principal:
Service: [ecs.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: ecs-service
PolicyDocument:
Statement:
- Effect: Allow
Action: ['elasticloadbalancing:DeregisterInstancesFromLoadBalancer',
'elasticloadbalancing:DeregisterTargets',
'elasticloadbalancing:Describe*',
'elasticloadbalancing:RegisterInstancesWithLoadBalancer',
'elasticloadbalancing:RegisterTargets', 'ec2:Describe*',
'ec2:AuthorizeSecurityGroupIngress']
Resource: '*'
ServiceScalingTarget:
DependsOn: service
Properties:
MaxCapacity: 2
MinCapacity: 1
ResourceId: !Join ['', [service/, !Ref 'ECSCluster', /, !GetAtt [service, Name]]]
RoleARN: !GetAtt [AutoscalingRole, Arn]
ScalableDimension: ecs:service:DesiredCount
ServiceNamespace: ecs
ServiceScalingPolicy:
Properties:
PolicyName: AStepPolicy
PolicyType: StepScaling
ScalingTargetId: !Ref 'ServiceScalingTarget'
StepScalingPolicyConfiguration:
AdjustmentType: PercentChangeInCapacity
Cooldown: 60
MetricAggregationType: Average
StepAdjustments:
- MetricIntervalLowerBound: 0
ScalingAdjustment: 200
ALB500sAlarmScaleUp:
Properties:
Statistic: Average
Threshold: '10'
AlarmDescription: Alarm if our ALB generates too many HTTP 500s.
Period: '60'
AlarmActions: [!Ref 'ServiceScalingPolicy']
Namespace: AWS/ApplicationELB
Dimensions:
- Name: LoadBalancer
Value: !GetAtt
- ECSALB
- LoadBalancerFullName
MetricName: HTTPCode_ELB_5XX_Count
EC2Role:
Properties:
Statement:
- Effect: Allow
Principal:
Service: [ec2.amazonaws.com]

444
Amazon EFS
Path: /
Policies:
- PolicyName: ecs-service
PolicyDocument:
Statement:
- Effect: Allow
Action: ['ecs:CreateCluster', 'ecs:DeregisterContainerInstance',
'ecs:DiscoverPollEndpoint',
'ecs:Poll', 'ecs:RegisterContainerInstance', 'ecs:StartTelemetrySession',
'ecs:Submit*', 'logs:CreateLogStream', 'logs:PutLogEvents']
Resource: '*'
AutoscalingRole:
Properties:
Statement:
- Effect: Allow
Principal:
Service: [application-autoscaling.amazonaws.com]
Path: /
Policies:
- PolicyName: service-autoscaling
PolicyDocument:
Statement:
- Effect: Allow
Action: ['application-autoscaling:*', 'cloudwatch:DescribeAlarms',
'cloudwatch:PutMetricAlarm',
'ecs:DescribeServices', 'ecs:UpdateService']
Resource: '*'
EC2InstanceProfile:
Properties:
Path: /
Roles: [!Ref 'EC2Role']
Outputs:
ecsservice:
Value: !Ref 'service'
ecscluster:
Value: !Ref 'ECSCluster'
ECSALB:
Description: Your ALB DNS URL
Value: !Join ['', [!GetAtt [ECSALB, DNSName]]]
taskdef:
Value: !Ref 'taskdefinition'
Amazon Elastic File System Sample Template

Amazon Elastic File System (Amazon EFS) is a file storage service for Amazon Elastic Compute Cloud
(Amazon EC2) instances. With Amazon EFS, your applications have storage when they need it because
storage capacity grows and shrinks automatically as you add and remove files.
The following sample template deploys EC2 instances (in an Auto Scaling group) that are associated with
an Amazon EFS file system. To associate the instances with the file system, the instances run the cfn-init
helper script, which downloads and installs the nfs-utils yum package, creates a new directory, and
then uses the file system's DNS name to mount the file system at that directory. The file system's DNS
name resolves to a mount target’s IP address in the Amazon EC2 instance's Availability Zone. For more
information about the DNS name structure, see Mounting File Systems in the Amazon Elastic File System
User Guide.
To measure Network File System activity, the template includes custom Amazon CloudWatch metrics.
The template also creates a VPC, subnet, and security groups. To allow the instances to communicate

445
Amazon EFS
with the file system, the VPC must have DNS enabled, and the mount target and the EC2 instances must
be in the same Availability Zone (AZ), which is specified by the subnet.
The security group of the mount target enables a network connection to TCP port 2049, which is
required for an NFSv4 client to mount a file system. For more information on security groups for EC2
instances and mount targets, see Security in the Amazon Elastic File System User Guide.
Note
If you make an update to the mount target that causes it to be replaced, instances or
applications that use the associated file system might be disrupted. This can cause uncommitted
writes to be lost. To avoid disruption, stop your instances when you update the mount target by
setting the desired capacity to zero. This allows the instances to unmount the file system before
the mount target is deleted. After the mount update has completed, start your instances in a
subsequent update by setting the desired capacity.
JSON
{
"Description": "This template creates an Amazon EFS file system and mount target and
associates it with Amazon EC2 instances in an Auto Scaling group. **WARNING** This
template creates Amazon EC2 instances and related resources. You will be billed for the
AWS resources used if you create a stack from this template.",
"Parameters": {
"InstanceType" : {
"Type" : "String",
"AllowedValues" : [
"t1.micro",
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c1.medium",
"c1.xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",

446
Amazon EFS
"g2.2xlarge",
"g2.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
"cg1.4xlarge"
],
},
"KeyName": {
"Description": "Name of an existing EC2 key pair to enable SSH access to the ECS
instances"
},
"AsgMaxSize": {
"Type": "Number",
"Description": "Maximum size and initial desired capacity of Auto Scaling Group",
"Default": "2"
},
"SSHLocation" : {
"Description" : "The IP address range that can be used to connect to the EC2
instances by using SSH",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
},
"VolumeName" : {
"Description" : "The name to be used for the EFS volume",
"Type": "String",
"MinLength": "1",
"Default": "myEFSvolume"
},
"MountPoint" : {
"Description" : "The Linux mount point for the EFS volume",
"Type": "String",
"MinLength": "1",
"Default": "myEFSvolume"
}
},
"Mappings" : {
"t1.micro" : { "Arch" : "HVM64" },
"t2.nano" : { "Arch" : "HVM64" },
"t2.micro" : { "Arch" : "HVM64" },
"t2.small" : { "Arch" : "HVM64" },
"t2.large" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "HVM64" },

447
Amazon EFS
"m1.large" : { "Arch" : "HVM64" },

"m2.2xlarge" : { "Arch" : "HVM64" },
"m2.4xlarge" : { "Arch" : "HVM64" },
"m3.large" : { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"m4.large" : { "Arch" : "HVM64" },
"m4.2xlarge" : { "Arch" : "HVM64" },
"m4.4xlarge" : { "Arch" : "HVM64" },
"m4.10xlarge" : { "Arch" : "HVM64" },
"c3.large" : { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },
"c3.8xlarge" : { "Arch" : "HVM64" },
"c4.large" : { "Arch" : "HVM64" },
"c4.2xlarge" : { "Arch" : "HVM64" },
"c4.4xlarge" : { "Arch" : "HVM64" },
"c4.8xlarge" : { "Arch" : "HVM64" },
"r3.large" : { "Arch" : "HVM64" },
"r3.2xlarge" : { "Arch" : "HVM64" },
"r3.4xlarge" : { "Arch" : "HVM64" },
"r3.8xlarge" : { "Arch" : "HVM64" },
"i2.2xlarge" : { "Arch" : "HVM64" },
"i2.4xlarge" : { "Arch" : "HVM64" },
"i2.8xlarge" : { "Arch" : "HVM64" },
"d2.2xlarge" : { "Arch" : "HVM64" },
"d2.4xlarge" : { "Arch" : "HVM64" },
"d2.8xlarge" : { "Arch" : "HVM64" },
},
"ami-0a584ac55a7631c0c"},
"ami-0a7c483d527806435"},
"ami-06223d46a6d0661c7"},
"ami-053cdd503598e4a9d"},

448
Amazon EFS

}
},
"Resources": {
"CloudWatchPutMetricsRole" : {
"Type" : "AWS::IAM::Role",
"Properties" : {
"AssumeRolePolicyDocument" : {
"Statement" : [ {
"Effect" : "Allow",
"Principal" : {
"Service" : [ "ec2.amazonaws.com" ]
},
"Action" : [ "sts:AssumeRole" ]
} ]
},
"Path" : "/"
}
},
"CloudWatchPutMetricsRolePolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "CloudWatch_PutMetricData",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudWatchPutMetricData",
"Effect": "Allow",
"Action": ["cloudwatch:PutMetricData"],
"Resource": ["*"]
}
]
},
"Roles" : [ { "Ref" : "CloudWatchPutMetricsRole" } ]
}
},
"CloudWatchPutMetricsInstanceProfile" : {
"Type" : "AWS::IAM::InstanceProfile",
"Properties" : {
"Path" : "/",
"Roles" : [ { "Ref" : "CloudWatchPutMetricsRole" } ]
}
},
"VPC": {
"Properties": {
"EnableDnsSupport" : "true",
"EnableDnsHostnames" : "true",
"CidrBlock": "10.0.0.0/16",
"Tags": [ {"Key": "Application", "Value": { "Ref": "AWS::StackId"} } ]
}
},
"InternetGateway" : {
"Type" : "AWS::EC2::InternetGateway",
"Properties" : {
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackName" } },
{ "Key" : "Network", "Value" : "Public" }
]

449
Amazon EFS
}
},
"GatewayToInternet" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "InternetGateway" }
}
},
"RouteTable":{
"Type":"AWS::EC2::RouteTable",
"Properties":{
"VpcId": {"Ref":"VPC"}
}
},
"SubnetRouteTableAssoc": {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"RouteTableId" : {"Ref":"RouteTable"},
"SubnetId" : {"Ref":"Subnet"}
}
},
"InternetGatewayRoute": {
"Type":"AWS::EC2::Route",
"Properties":{
"DestinationCidrBlock":"0.0.0.0/0",
"RouteTableId":{"Ref":"RouteTable"},
"GatewayId":{"Ref":"InternetGateway"}
}
},
"Subnet": {
"Properties": {
"VpcId": { "Ref": "VPC" },
"CidrBlock": "10.0.0.0/24",
"Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } } ]
}
},
"Properties": {
{ "IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": { "Ref":
"SSHLocation" } },
{ "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0" }
]
}
},
"MountTargetSecurityGroup": {
"Properties": {
"GroupDescription": "Security group for mount target",
{
"FromPort": "2049",
"ToPort": "2049",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"FileSystem": {

450
Amazon EFS
"Type": "AWS::EFS::FileSystem",
"Properties": {
"PerformanceMode": "generalPurpose",
"FileSystemTags": [
{
"Key": "Name",
"Value": { "Ref" : "VolumeName" }
}
]
}
},
"MountTarget": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": { "Ref": "FileSystem" },
"SubnetId": { "Ref": "Subnet" },
"SecurityGroups": [ { "Ref": "MountTargetSecurityGroup" } ]
}
},
"LaunchConfiguration": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Metadata" : {
"configSets" : {
"MountConfig" : [ "setup", "mount" ]
},
"setup" : {
"packages" : {
"yum" : {
"nfs-utils" : []
}
},
"files" : {
"/home/ec2-user/post_nfsstat" : {
"content" : { "Fn::Join" : [ "", [
"#!/bin/bash\n",
"\n",
"INPUT=\"$(cat)\"\n",
"CW_JSON_OPEN='{ \"Namespace\": \"EFS\", \"MetricData\": [ '\n",
"CW_JSON_CLOSE=' ] }'\n",
"CW_JSON_METRIC=''\n",
"METRIC_COUNTER=0\n",
"\n",
"for COL in 1 2 3 4 5 6; do\n",
"\n",
" COUNTER=0\n",
" METRIC_FIELD=$COL\n",
" DATA_FIELD=$(($COL+($COL-1)))\n",
"\n",
" while read line; do\n",
" if [[ COUNTER -gt 0 ]]; then\n",
"\n",
" LINE=ècho $line | tr -s ' ' `\n",
" AWS_COMMAND=\"aws cloudwatch put-metric-data --region ",
{ "Ref": "AWS::Region" }, "\"\n",
" MOD=$(( $COUNTER % 2))\n",
"\n",
" if [ $MOD -eq 1 ]; then\n",
" METRIC_NAME=ècho $LINE | cut -d ' ' -f $METRIC_FIELD`\n",
" else\n",
" METRIC_VALUE=ècho $LINE | cut -d ' ' -f $DATA_FIELD`\n",
" fi\n",
"\n",
" if [[ -n \"$METRIC_NAME\" && -n \"$METRIC_VALUE\" ]]; then\n",
" INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-
data/instance-id)\n",

451
Amazon EFS
" CW_JSON_METRIC=\"$CW_JSON_METRIC { \\\"MetricName\\\": \\

\"$METRIC_NAME\\\", \\\"Dimensions\\\": [{\\\"Name\\\": \\\"InstanceId\\\", \\\"Value\\\":
\\\"$INSTANCE_ID\\\"} ], \\\"Value\\\": $METRIC_VALUE },\"\n",
" unset METRIC_NAME\n",
" unset METRIC_VALUE\n",
"\n",
" METRIC_COUNTER=$((METRIC_COUNTER+1))\n",
" if [ $METRIC_COUNTER -eq 20 ]; then\n",
" # 20 is max metric collection size, so we have to submit
here\n",
" aws cloudwatch put-metric-data --region ", { "Ref":
"AWS::Region" }, " --cli-input-json \"ècho $CW_JSON_OPEN ${CW_JSON_METRIC%?}
$CW_JSON_CLOSE`\"\n",
"\n",
" # reset\n",
" METRIC_COUNTER=0\n",
" CW_JSON_METRIC=''\n",
" fi\n",
" fi \n",
"\n",
"\n",
"\n",
" COUNTER=$((COUNTER+1))\n",
" fi\n",
"\n",
" if [[ \"$line\" == \"Client nfs v4:\" ]]; then\n",
" # the next line is the good stuff \n",
" COUNTER=$((COUNTER+1))\n",
" fi\n",
" done <<< \"$INPUT\"\n",
"done\n",
"\n",
"# submit whatever is left\n",
"aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" },
" --cli-input-json \"ècho $CW_JSON_OPEN ${CW_JSON_METRIC%?} $CW_JSON_CLOSE`\""
] ] },
"mode": "000755",
"owner": "ec2-user",
"group": "ec2-user"
},
"/home/ec2-user/crontab" : {
"content" : { "Fn::Join" : [ "", [
"* * * * * /usr/sbin/nfsstat | /home/ec2-user/post_nfsstat\n"
] ] },
"owner": "ec2-user",
"group": "ec2-user"
}
},
"commands" : {
"01_createdir" : {
"command" : {"Fn::Join" : [ "", [ "mkdir /", { "Ref" : "MountPoint" }]]}
}
}
},
"mount" : {
"commands" : {
"01_mount" : {
"command" : { "Fn::Sub": "sudo mount -t nfs4 -o
nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${FileSystem}.efs.
${AWS::Region}.amazonaws.com:/ /${MountPoint}"}
},
"02_permissions" : {
"command" : {"Fn::Join" : [ "", [ "chown ec2-user:ec2-user /", { "Ref" :
"MountPoint" }]]}
}
}

452
Amazon EFS
}
}
},
"Properties": {
"AssociatePublicIpAddress" : true,
"ImageId": {
"Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" }, {
"Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref": "InstanceType" }, "Arch" ]
} ]
},
"InstanceType": { "Ref": "InstanceType" },
"KeyName": { "Ref": "KeyName" },
"SecurityGroups": [ { "Ref": "InstanceSecurityGroup" } ],
"IamInstanceProfile" : { "Ref" : "CloudWatchPutMetricsInstanceProfile" },
" --resource LaunchConfiguration ",
" --configsets MountConfig ",
"crontab /home/ec2-user/crontab\n",
" --resource AutoScalingGroup ",
]]}}
}
},
"AutoScalingGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"DependsOn": ["MountTarget", "GatewayToInternet"],
"Timeout" : "PT15M",
"Count" : { "Ref": "AsgMaxSize" }
}
},
"Properties": {
"VPCZoneIdentifier": [ { "Ref": "Subnet" } ],
"LaunchConfigurationName": { "Ref": "LaunchConfiguration" },
"MinSize": "1",
"MaxSize": { "Ref": "AsgMaxSize" },
"DesiredCapacity": { "Ref": "AsgMaxSize" },
"Tags": [ {
"Key": "Name",
"Value": "EFS FileSystem Mounted Instance",
"PropagateAtLaunch": "true"
} ]
}
}
},
"Outputs" : {
"MountTargetID" : {
"Description" : "Mount target ID",
"Value" : { "Ref" : "MountTarget" }
},
"FileSystemID" : {
"Description" : "File system ID",
"Value" : { "Ref" : "FileSystem" }
}
}

453
Amazon EFS
YAML
Description: This template creates an Amazon EFS file system and mount target and
associates it with Amazon EC2 instances in an Auto Scaling group. **WARNING** This
template creates Amazon EC2 instances and related resources. You will be billed
for the AWS resources used if you create a stack from this template.
Parameters:
InstanceType:
Type: String
Default: t2.small
AllowedValues:
- t1.micro
- t2.nano
- t2.micro
- t2.small
- t2.medium
- t2.large
- m1.small
- m1.medium
- m1.large
- m1.xlarge
- m2.xlarge
- m2.2xlarge
- m2.4xlarge
- m3.medium
- m3.large
- m3.xlarge
- m3.2xlarge
- m4.large
- m4.xlarge
- m4.2xlarge
- m4.4xlarge
- m4.10xlarge
- c1.medium
- c1.xlarge
- c3.large
- c3.xlarge
- c3.2xlarge
- c3.4xlarge
- c3.8xlarge
- c4.large
- c4.xlarge
- c4.2xlarge
- c4.4xlarge
- c4.8xlarge
- g2.2xlarge
- g2.8xlarge
- r3.large
- r3.xlarge
- r3.2xlarge
- r3.4xlarge
- r3.8xlarge
- i2.xlarge
- i2.2xlarge
- i2.4xlarge
- i2.8xlarge
- d2.xlarge
- d2.2xlarge
- d2.4xlarge
- d2.8xlarge

454
Amazon EFS
- hi1.4xlarge
- hs1.8xlarge
- cr1.8xlarge
- cc2.8xlarge
- cg1.4xlarge
KeyName:
Description: Name of an existing EC2 key pair to enable SSH access to the ECS
instances
AsgMaxSize:
Type: Number
Description: Maximum size and initial desired capacity of Auto Scaling Group
Default: '2'
SSHLocation:
Description: The IP address range that can be used to connect to the EC2 instances
by using SSH
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
VolumeName:
Description: The name to be used for the EFS volume
Type: String
MinLength: '1'
Default: myEFSvolume
MountPoint:
Description: The Linux mount point for the EFS volume
Type: String
MinLength: '1'
Default: myEFSvolume
Mappings:
t1.micro:
Arch: HVM64
t2.nano:
Arch: HVM64
t2.micro:
Arch: HVM64
t2.small:
Arch: HVM64
t2.medium:
Arch: HVM64
t2.large:
Arch: HVM64
m1.small:
Arch: HVM64
m1.medium:
Arch: HVM64
m1.large:
Arch: HVM64
m1.xlarge:
Arch: HVM64
m2.xlarge:
Arch: HVM64
m2.2xlarge:
Arch: HVM64
m2.4xlarge:
Arch: HVM64
m3.medium:
Arch: HVM64
m3.large:
Arch: HVM64
m3.xlarge:

455
Amazon EFS
Arch: HVM64
m3.2xlarge:
Arch: HVM64
m4.large:
Arch: HVM64
m4.xlarge:
Arch: HVM64
m4.2xlarge:
Arch: HVM64
m4.4xlarge:
Arch: HVM64
m4.10xlarge:
Arch: HVM64
c1.medium:
Arch: HVM64
c1.xlarge:
Arch: HVM64
c3.large:
Arch: HVM64
c3.xlarge:
Arch: HVM64
c3.2xlarge:
Arch: HVM64
c3.4xlarge:
Arch: HVM64
c3.8xlarge:
Arch: HVM64
c4.large:
Arch: HVM64
c4.xlarge:
Arch: HVM64
c4.2xlarge:
Arch: HVM64
c4.4xlarge:
Arch: HVM64
c4.8xlarge:
Arch: HVM64
g2.2xlarge:
Arch: HVMG2
g2.8xlarge:
Arch: HVMG2
r3.large:
Arch: HVM64
r3.xlarge:
Arch: HVM64
r3.2xlarge:
Arch: HVM64
r3.4xlarge:
Arch: HVM64
r3.8xlarge:
Arch: HVM64
i2.xlarge:
Arch: HVM64
i2.2xlarge:
Arch: HVM64
i2.4xlarge:
Arch: HVM64
i2.8xlarge:
Arch: HVM64
d2.xlarge:
Arch: HVM64
d2.2xlarge:
Arch: HVM64
d2.4xlarge:
Arch: HVM64
d2.8xlarge:

456
Amazon EFS
Arch: HVM64
hi1.4xlarge:
Arch: HVM64
hs1.8xlarge:
Arch: HVM64
cr1.8xlarge:
Arch: HVM64
cc2.8xlarge:
Arch: HVM64
AWSRegionArch2AMI:
us-east-1:
HVM64: ami-0ff8a91507f77f867
us-west-2:
HVM64: ami-a0cfeed8
us-west-1:
eu-west-1:
HVM64: ami-047bb4163c506cd98
HVMG2: ami-0a7c483d527806435
eu-west-2:
HVM64: ami-f976839e
eu-west-3:
HVM64: ami-0ebc281c20e89ba4b
eu-central-1:
HVM64: ami-0233214e13e500f77
HVMG2: ami-06223d46a6d0661c7
ap-northeast-1:
ap-northeast-2:
HVM64: ami-0a10b2721688ce9d2
ap-northeast-3:
HVM64: ami-0d98120a9fb693f07
ap-southeast-1:
ap-southeast-2:
HVM64: ami-09b42976632b27e9b
ap-south-1:
HVM64: ami-0912f71e06545ad88
HVMG2: ami-097b15e89dbdcfcf4
us-east-2:
HVM64: ami-0b59bfac6be064b78
ca-central-1:
HVM64: ami-0b18956f
sa-east-1:
cn-north-1:
cn-northwest-1:
HVM64: ami-6b6a7d09
Resources:
CloudWatchPutMetricsRole:

457
Amazon EFS
Properties:
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
CloudWatchPutMetricsRolePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: CloudWatch_PutMetricData
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: CloudWatchPutMetricData
Effect: Allow
Action:
- cloudwatch:PutMetricData
Resource:
- "*"
Roles:
- Ref: CloudWatchPutMetricsRole
CloudWatchPutMetricsInstanceProfile:
Properties:
Path: "/"
Roles:
- Ref: CloudWatchPutMetricsRole
VPC:
Type: AWS::EC2::VPC
Properties:
Tags:
- Key: Application
Value:
Ref: AWS::StackId
InternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Application
Value:
Ref: AWS::StackName
- Key: Network
Value: Public
GatewayToInternet:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: InternetGateway
RouteTable:
Properties:
VpcId:
Ref: VPC
SubnetRouteTableAssoc:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:

458
Amazon EFS
RouteTableId:
Ref: RouteTable
SubnetId:
Ref: Subnet
InternetGatewayRoute:
Properties:
RouteTableId:
Ref: RouteTable
GatewayId:
Ref: InternetGateway
Subnet:
Properties:
VpcId:
Ref: VPC
Tags:
- Key: Application
Value:
Ref: AWS::StackId
Properties:
VpcId:
Ref: VPC
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp:
Ref: SSHLocation
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
MountTargetSecurityGroup:
Properties:
VpcId:
Ref: VPC
GroupDescription: Security group for mount target
- IpProtocol: tcp
FromPort: '2049'
ToPort: '2049'
CidrIp: 0.0.0.0/0
FileSystem:
Type: AWS::EFS::FileSystem
Properties:
PerformanceMode: generalPurpose
FileSystemTags:
- Key: Name
Value:
Ref: VolumeName
MountTarget:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId:
Ref: FileSystem
SubnetId:
Ref: Subnet
SecurityGroups:
- Ref: MountTargetSecurityGroup

459
Amazon EFS
LaunchConfiguration:
Metadata:
configSets:
MountConfig:
- setup
- mount
setup:
packages:
yum:
nfs-utils: []
files:
"/home/ec2-user/post_nfsstat":
content: !Sub |
#!/bin/bash
INPUT="$(cat)"
CW_JSON_OPEN='{ "Namespace": "EFS", "MetricData": [ '
CW_JSON_CLOSE=' ] }'
CW_JSON_METRIC=''
METRIC_COUNTER=0
for COL in 1 2 3 4 5 6; do
COUNTER=0
METRIC_FIELD=$COL
DATA_FIELD=$(($COL+($COL-1)))
while read line; do

if [[ COUNTER -gt 0 ]]; then
LINE=ècho $line | tr -s ' ' `

AWS_COMMAND="aws cloudwatch put-metric-data --region ${AWS::Region}"
MOD=$(( $COUNTER % 2))
if [ $MOD -eq 1 ]; then

METRIC_NAME=ècho $LINE | cut -d ' ' -f $METRIC_FIELD`
else
METRIC_VALUE=ècho $LINE | cut -d ' ' -f $DATA_FIELD`
fi
if [[ -n "$METRIC_NAME" && -n "$METRIC_VALUE" ]]; then

INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/
instance-id)
CW_JSON_METRIC="$CW_JSON_METRIC { \"MetricName\": \"$METRIC_NAME\",
\"Dimensions\": [{\"Name\": \"InstanceId\", \"Value\": \"$INSTANCE_ID\"} ], \"Value\":
$METRIC_VALUE },"
unset METRIC_NAME
unset METRIC_VALUE
METRIC_COUNTER=$((METRIC_COUNTER+1))
if [ $METRIC_COUNTER -eq 20 ]; then
# 20 is max metric collection size, so we have to submit here
aws cloudwatch put-metric-data --region ${AWS::Region} --cli-
input-json "ècho $CW_JSON_OPEN ${!CW_JSON_METRIC%?} $CW_JSON_CLOSE`"
# reset
METRIC_COUNTER=0
CW_JSON_METRIC=''
fi
fi
COUNTER=$((COUNTER+1))

460
Amazon EFS
fi
if [[ "$line" == "Client nfs v4:" ]]; then

# the next line is the good stuff
COUNTER=$((COUNTER+1))
fi
done <<< "$INPUT"
done
# submit whatever is left

aws cloudwatch put-metric-data --region ${AWS::Region} --cli-input-json
"ècho $CW_JSON_OPEN ${!CW_JSON_METRIC%?} $CW_JSON_CLOSE`"
mode: '000755'
owner: ec2-user
group: ec2-user
"/home/ec2-user/crontab":
content: "* * * * * /usr/sbin/nfsstat | /home/ec2-user/post_nfsstat\n"
owner: ec2-user
group: ec2-user
commands:
01_createdir:
command: !Sub "mkdir /${MountPoint}"
mount:
commands:
01_mount:
command: !Sub >
mount -t nfs4 -o nfsvers=4.1 ${FileSystem}.efs.
${AWS::Region}.amazonaws.com:/ /${MountPoint}
02_permissions:
command: !Sub "chown ec2-user:ec2-user /${MountPoint}"
Properties:
AssociatePublicIpAddress: true
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- Ref: InstanceType
- Arch
InstanceType:
Ref: InstanceType
KeyName:
Ref: KeyName
SecurityGroups:
- Ref: InstanceSecurityGroup
IamInstanceProfile:
Ref: CloudWatchPutMetricsInstanceProfile
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfiguration
--configsets MountConfig --region ${AWS::Region}
crontab /home/ec2-user/crontab
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource
AutoScalingGroup --region ${AWS::Region}
AutoScalingGroup:
DependsOn:
- MountTarget
- GatewayToInternet
CreationPolicy:
ResourceSignal:
Timeout: PT15M
Count:

461
Elastic Beanstalk
Ref: AsgMaxSize
Properties:
VPCZoneIdentifier:
- Ref: Subnet
Ref: LaunchConfiguration
MinSize: '1'
MaxSize:
Ref: AsgMaxSize
DesiredCapacity:
Ref: AsgMaxSize
Tags:
- Key: Name
Value: EFS FileSystem Mounted Instance
PropagateAtLaunch: 'true'
Outputs:
MountTargetID:
Description: Mount target ID
Value:
Ref: MountTarget
FileSystemID:
Description: File system ID
Value:
Ref: FileSystem
Elastic Beanstalk Template Snippets

With Elastic Beanstalk, you can quickly deploy and manage applications in AWS without worrying about
the infrastructure that runs those applications. The following sample template can help you describe
Elastic Beanstalk resources in your AWS CloudFormation template.
Elastic Beanstalk Sample PHP

The following sample template deploys a sample PHP web application that is stored in an Amazon S3
bucket. The Elastic Beanstalk environment is 64-bit Amazon Linux 2018.03 v2.8.15 running PHP 7.2. The
environment is also an autoscaling, load-balancing environment, with a minimum of two Amazon EC2
instances and a maximum of six.
JSON
{
"Resources": {
"sampleApplication": {
"Type": "AWS::ElasticBeanstalk::Application",
"Properties": {
"Description": "AWS Elastic Beanstalk Sample Application"
}
},
"sampleApplicationVersion": {
"Type": "AWS::ElasticBeanstalk::ApplicationVersion",
"Properties": {
"ApplicationName": { "Ref": "sampleApplication" },
"Description": "AWS ElasticBeanstalk Sample Application Version",
"SourceBundle": {
"S3Bucket": { "Fn::Join": [ "-", [ "elasticbeanstalk-samples", { "Ref":
"AWS::Region" } ] ] },
"S3Key": "php-newsample-app.zip"
}
}
},
"sampleConfigurationTemplate": {

462
Elastic Beanstalk
"Type": "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Properties": {
"Description": "AWS ElasticBeanstalk Sample Configuration Template",
"OptionSettings": [
{
"Namespace": "aws:autoscaling:asg",
"OptionName": "MinSize",
"Value": "2"
},
{
"Namespace": "aws:autoscaling:asg",
"OptionName": "MaxSize",
"Value": "6"
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "EnvironmentType",
"Value": "LoadBalanced"
}
],
"SolutionStackName": "64bit Amazon Linux 2018.03 v2.8.15 running PHP 7.2"
}
},
"sampleEnvironment": {
"Type": "AWS::ElasticBeanstalk::Environment",
"Properties": {
"Description": "AWS ElasticBeanstalk Sample Environment",
"TemplateName": { "Ref": "sampleConfigurationTemplate" },
"VersionLabel": { "Ref": "sampleApplicationVersion" }
}
}
}
}
YAML
Resources:
sampleApplication:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Sample Application
sampleApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Application Version
SourceBundle:
S3Bucket: !Sub "elasticbeanstalk-samples-${AWS::Region}"
S3Key: php-newsample-app.zip
sampleConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Description: AWS ElasticBeanstalk Sample Configuration Template
OptionSettings:
- Namespace: aws:autoscaling:asg
OptionName: MinSize
Value: '2'
- Namespace: aws:autoscaling:asg

463
Elastic Load Balancing
OptionName: MaxSize
Value: '6'
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: LoadBalanced
SolutionStackName: 64bit Amazon Linux 2018.03 v2.8.15 running PHP 7.2
sampleEnvironment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
ApplicationName:
Description: AWS ElasticBeanstalk Sample Environment
TemplateName:
Ref: sampleConfigurationTemplate
VersionLabel:
Ref: sampleApplicationVersion
Elastic Load Balancing Template Snippets

Elastic Load Balancing Load Balancer Resource
This example shows an Elastic Load Balancing load balancer with a single listener, and no instances.
JSON
"MyLoadBalancer" : {
"Properties" : {
"AvailabilityZones" : [ "us-east-1a" ],
"Listeners" : [ {
"Protocol" : "HTTP"
} ]
}
}
YAML
MyLoadBalancer:
Properties:
AvailabilityZones:
- "us-east-1a"
Listeners:
InstancePort: '80'
Protocol: HTTP
Elastic Load Balancing Load Balancer Resource with Health

Check
This example shows an Elastic Load Balancing load balancer with two Amazon EC2 instances, a single
listener and a health check.
JSON
"MyLoadBalancer" : {

464
IAM
"Properties" : {
"Instances" : [
{ "Ref" : "logical name of AWS::EC2::Instance resource 1" },
{ "Ref" : "logical name of AWS::EC2::Instance resource 2" }
],
"Listeners" : [ {
"Protocol" : "HTTP"
} ],
"HealthCheck" : {
"Interval" : "30",
"Timeout" : "5"
}
}
}
YAML
MyLoadBalancer:
Properties:
AvailabilityZones:
- "us-east-1a"
Instances:
- Ref: logical name of AWS::EC2::Instance resource 1
- Ref: logical name of AWS::EC2::Instance resource 2
Listeners:
InstancePort: '80'
Protocol: HTTP
HealthCheck:
Target: HTTP:80/
Interval: '30'
Timeout: '5'
AWS Identity and Access Management Template

Snippets
This section contains AWS Identity and Access Management template snippets.
Topics
• Declaring an IAM User Resource (p. 466)
• Declaring an IAM Access Key Resource (p. 467)
• Declaring an IAM Group Resource (p. 469)
• Adding Users to a Group (p. 470)
• Declaring an IAM Policy (p. 470)
• Declaring an Amazon S3 Bucket Policy (p. 471)
• Declaring an Amazon SNS Topic Policy (p. 472)

465
IAM
• Declaring an Amazon SQS Policy (p. 473)

• IAM Role Template Examples (p. 474)
Important
When creating or updating a stack using a template containing IAM resources, you must
acknowledge the use of IAM capabilities. For more information about using IAM resources in
templates, see Controlling Access with AWS Identity and Access Management (p. 9).
Declaring an IAM User Resource

This snippet shows how to declare an AWS::IAM::User resource to create an IAM user. The user is
declared with the path ("/") and a login profile with the password (myP@ssW0rd).
The policy document named giveaccesstoqueueonly gives the user permission to perform all
Amazon SQS actions on the Amazon SQS queue resource myqueue, and denies access to all other
Amazon SQS queue resources. The Fn::GetAtt (p. 3807) function gets the Arn attribute of the
AWS::SQS::Queue resource myqueue.
The policy document named giveaccesstotopiconly is added to the user to give the user permission
to perform all Amazon SNS actions on the Amazon SNS topic resource mytopic and to deny access to
all other Amazon SNS resources. The Ref (p. 3824) function gets the ARN of the AWS::SNS::Topic
resource mytopic.
JSON
"myuser" : {
"Type" : "AWS::IAM::User",
"Properties" : {
"Path" : "/",
"LoginProfile" : {
"Password" : "myP@ssW0rd"
},
"Policies" : [ {
"PolicyName" : "giveaccesstoqueueonly",
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}, {
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ {
} ]
}
] }
}, {
"PolicyName" : "giveaccesstotopiconly",
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sns:*" ],
"Resource" : [ { "Ref" : "mytopic" } ]
}, {
"Effect" : "Deny",

466
IAM
"Action" : [ "sns:*" ],
"NotResource" : [ { "Ref" : "mytopic" } ]
} ]
}
} ]
}
}
YAML
myuser:
Properties:
Path: "/"
LoginProfile:
Password: myP@ssW0rd
Policies:
- PolicyName: giveaccesstoqueueonly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource:
- !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource:
- !GetAtt myqueue.Arn
- PolicyName: giveaccesstotopiconly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sns:*
Resource:
- !Ref mytopic
- Effect: Deny
Action:
- sns:*
NotResource:
- !Ref mytopic
Declaring an IAM Access Key Resource
This snippet shows an AWS::IAM::AccessKey resource. The myaccesskey resource creates an access
key and assigns it to an IAM user that is declared as an AWS::IAM::User resource in the template.
JSON
"myaccesskey" : {
"Type" : "AWS::IAM::AccessKey",
"Properties" : {
"UserName" : { "Ref" : "myuser" }
}
}

467
IAM
YAML
myaccesskey:
Type: AWS::IAM::AccessKey
Properties:
UserName:
!Ref myuser
You can get the secret key for an AWS::IAM::AccessKey resource using the Fn::GetAtt (p. 3807)
function. The only time that you can get the secret key for an AWS access key is when it is created. One
way to retrieve the secret key is to put it into an Output value. You can get the access key using the Ref
function. The following Output value declarations get the access key and secret key for myaccesskey.
JSON
"AccessKeyformyaccesskey" : {
"Value" : { "Ref" : "myaccesskey" }
},
"SecretKeyformyaccesskey" : {
"Value" : {
"Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ]
}
}
YAML
AccessKeyformyaccesskey:
Value:
!Ref myaccesskey
SecretKeyformyaccesskey:
Value: !GetAtt myaccesskey.SecretAccessKey
You can also pass the AWS access key and secret key to an EC2 instance or Auto Scaling group defined in
the template. The following AWS::EC2::Instance declaration uses the UserData property to pass the
access key and secret key for the myaccesskey resource.
JSON
"myinstance" : {
"Properties" : {
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [
"", [
"ACCESS_KEY=", {
"Ref" : "myaccesskey"
},
"&",
"SECRET_KEY=",
{
"Fn::GetAtt" : [
"myaccesskey",
"SecretAccessKey"

468
IAM
]
}
]
]
}
}
}
}
YAML
myinstance:
Properties:
UserData:
Fn::Base64: !Sub "ACCESS_KEY=${myaccesskey}&SECRET_KEY=${myaccesskey.SecretAccessKey}
Declaring an IAM Group Resource

This snippet shows an AWS::IAM::Group resource. The group has a path ("/myapplication/"). The
policy document named myapppolicy is added to the group to allow the group's users to perform all
Amazon SQS actions on the Amazon SQS queue resource myqueue and deny access to all other Amazon
SQS resources except myqueue.
To assign a policy to a resource, IAM requires the Amazon Resource Name (ARN) for the resource. In the
snippet, the Fn::GetAtt (p. 3807) function gets the ARN of the AWS::SQS::Queue resource queue.
JSON
"mygroup" : {
"Type" : "AWS::IAM::Group",
"Properties" : {
"Path" : "/myapplication/",
"Policies" : [ {
"PolicyName" : "myapppolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
} ]
},
{
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
}
] }
} ]
}
}
YAML
mygroup:

469
IAM
Type: AWS::IAM::Group
Properties:
Path: "/myapplication/"
Policies:
- PolicyName: myapppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource: !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource: !GetAtt myqueue.Arn
Adding Users to a Group

The AWS::IAM::UserToGroupAddition resource adds users to a group. In the following snippet, the
addUserToGroup resource adds the following users to an existing group named myexistinggroup2:
the existing user existinguser1 and the user myuser which is declared as an AWS::IAM::User
resource in the template.
JSON
"addUserToGroup" : {
"Type" : "AWS::IAM::UserToGroupAddition",
"Properties" : {
"GroupName" : "myexistinggroup2",
"Users" : [ "existinguser1", { "Ref" : "myuser" } ]
}
}
YAML
addUserToGroup:
Type: AWS::IAM::UserToGroupAddition
Properties:
GroupName: myexistinggroup2
Users:
- existinguser1
- !Ref myuser
Declaring an IAM Policy

This snippet shows how to create a policy and apply it to multiple groups using an AWS::IAM::Policy
resource named mypolicy. The mypolicy resource contains a PolicyDocument property that allows
GetObject, PutObject, and PutObjectAcl actions on the objects in the S3 bucket represented
by the ARN arn:aws:s3:::myAWSBucket. The mypolicy resource applies the policy to an existing
group named myexistinggroup1 and a group mygroup that is declared in the template as an
AWS::IAM::Group resource. This example shows how to apply a policy to a group using the Groups
property; however, you can alternatively use the Users property to add a policy document to a list of
users.
Important
The Amazon SNS policy actions that are declared in the AWS::IAM::Policy
resource (p. 470) differ from the Amazon SNS topic policy actions that are declared

470
IAM
in the AWS::SNS::TopicPolicy resource (p. 472). For example, the policy actions
sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for the
AWS::IAM::Policy resource, but are invalid for the AWS::SNS::TopicPolicy resource.
For more information about valid Amazon SNS policy actions that you can use with the
AWS::IAM::Policy resource, see Special Information for Amazon SNS Policies in the Amazon
Simple Notification Service Developer Guide.
JSON
"mypolicy" : {
"Properties" : {
"PolicyName" : "mygrouppolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [
"s3:GetObject" , "s3:PutObject" , "s3:PutObjectAcl" ],
"Resource" : "arn:aws:s3:::myAWSBucket/*"
} ]
},
"Groups" : [ "myexistinggroup1", { "Ref" : "mygroup" } ]
}
}
YAML
mypolicy:
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:PutObjectAcl
Resource: arn:aws:s3:::myAWSBucket/*
Groups:
- myexistinggroup1
- !Ref mygroup
Declaring an Amazon S3 Bucket Policy

This snippet shows how to create a policy and apply it to an Amazon S3 bucket using the
AWS::S3::BucketPolicy resource. The mybucketpolicy resource declares a policy document that
allows the user1 IAM user to perform the GetObject action on all objects in the S3 bucket to which
this policy is applied. In the snippet, the Fn::GetAtt (p. 3807) function gets the ARN of the user1
resource. The mybucketpolicy resource applies the policy to the AWS::S3::BucketPolicy resource
mybucket. The Ref (p. 3824) function gets the bucket name of the mybucket resource.
JSON
"mybucketpolicy" : {

471
IAM
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"Id" : "MyPolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "ReadAccess",
"Action" : [ "s3:GetObject" ],
"Effect" : "Allow",
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "mybucket" } , "/*" ]
] },
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "user1", "Arn" ] }
}
} ]
},
"Bucket" : { "Ref" : "mybucket" }
}
}
YAML
mybucketpolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: '2012-10-17'
Statement:
- Sid: ReadAccess
Action:
- s3:GetObject
Effect: Allow
Resource: !Sub "arn:aws:s3:::${mybucket}/*"
Principal:
AWS: !GetAtt user1.Arn
Bucket: !Ref mybucket
Declaring an Amazon SNS Topic Policy

This snippet shows how to create a policy and apply it to an Amazon SNS topic using the
AWS::SNS::TopicPolicy resource. The mysnspolicy resource contains a PolicyDocument
property that allows the AWS::IAM::User resource myuser to perform the Publish action on an
AWS::SNS::Topic resource mytopic. In the snippet, the Fn::GetAtt (p. 3807) function gets the
ARN for the myuser resource and the Ref (p. 3824) function gets the ARN for the mytopic resource.
Important
The Amazon SNS policy actions that are declared in the AWS::IAM::Policy
resource (p. 470) differ from the Amazon SNS topic policy actions that are declared
in the AWS::SNS::TopicPolicy resource (p. 472). For example, the policy actions
sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for the
AWS::IAM::Policy resource, but are invalid for the AWS::SNS::TopicPolicy resource.
For more information about valid Amazon SNS policy actions that you can use with the
AWS::IAM::Policy resource, see Special Information for Amazon SNS Policies in the Amazon
Simple Notification Service Developer Guide.
JSON

472
IAM
"mysnspolicy" : {
"Type" : "AWS::SNS::TopicPolicy",
"Properties" : {
"Id" : "MyTopicPolicy",
"Version" : "2012-10-17",
"Statement" : [ {
"Sid" : "My-statement-id",
"Effect" : "Allow",
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "myuser", "Arn" ] }
},
"Action" : "sns:Publish",
"Resource" : "*"
} ]
},
"Topics" : [ { "Ref" : "mytopic" } ]
}
}
YAML
mysnspolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: MyTopicPolicy
Version: '2012-10-17'
Statement:
- Sid: My-statement-id
Effect: Allow
Principal:
AWS: !GetAtt myuser.Arn
Action: sns:Publish
Resource: "*"
Topics:
- !Ref mytopic
Declaring an Amazon SQS Policy

This snippet shows how to create a policy and apply it to an Amazon SQS queue using the
AWS::SQS::QueuePolicy resource. The PolicyDocument property allows the existing user myapp
(specified by its ARN) to perform the SendMessage action on an existing queue, which is specified by
its URL, and an AWS::SQS::Queue resource myqueue. The Ref (p. 3824) function gets the URL for the
myqueue resource.
JSON
"mysqspolicy" : {
"Type" : "AWS::SQS::QueuePolicy",
"Properties" : {
"Id" : "MyQueuePolicy",
"Version" : "2012-10-17",
"Statement" : [ {
"Sid" : "Allow-User-SendMessage",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::123456789012:user/myapp"
},

473
IAM
"Action" : [ "sqs:SendMessage" ],
"Resource" : "*"
} ]
},
"Queues" : [
"https://sqs.us-east-2.amazonaws.com/123456789012/myexistingqueue",
{ "Ref" : "myqueue" }
]
}
}
YAML
mysqspolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Id: MyQueuePolicy
Version: '2012-10-17'
Statement:
- Sid: Allow-User-SendMessage
Effect: Allow
Principal:
AWS: arn:aws:iam::123456789012:user/myapp
Action:
- sqs:SendMessage
Resource: "*"
Queues:
- https://sqs.us-east-2.amazonaws.com/123456789012/myexistingqueue
- !Ref myqueue
IAM Role Template Examples

This section provides CloudFormation template examples for IAM Roles for EC2 Instances.
For more information about IAM roles, see Working with Roles in the AWS Identity and Access
Management User Guide.
IAM Role with EC2

In this example, the instance profile is referenced by the IamInstanceProfile property of the EC2
Instance. Both the instance policy and role policy reference AWS::IAM::Role.
JSON
{
"Resources": {
"myEC2Instance": {
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"InstanceType": "m1.small",
"Monitoring": "true",
"DisableApiTermination": "false",
"IamInstanceProfile": {
"Ref": "RootInstanceProfile"
}
}
},

474
IAM
"RootRole": {
"Properties": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Properties": {
"Path": "/",
}
}
}
}
YAML
Resources:
myEC2Instance:
Version: '2009-05-15'
Properties:
Monitoring: 'true'
DisableApiTermination: 'false'
IamInstanceProfile:
!Ref RootInstanceProfile
RootRole:
Properties:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:

475
IAM
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RolePolicies:
Properties:
PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Roles:
- !Ref RootRole
RootInstanceProfile:
Properties:
Path: "/"
Roles:
- !Ref RootRole
IAM Role with AutoScaling Group

In this example, the instance profile is referenced by the IamInstanceProfile property of an
AutoScaling Group Launch Configuration.
JSON
{
"Resources": {
"myLCOne": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"InstanceType": "m1.small",
"InstanceMonitoring": "true",
"IamInstanceProfile": { "Ref": "RootInstanceProfile" }
}
},
"myASGrpOne": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Version": "2009-05-15",
"Properties": {
"AvailabilityZones": [ "us-east-1a" ],
"LaunchConfigurationName": { "Ref": "myLCOne" },
"MinSize": "0",
"MaxSize": "0",
"HealthCheckType": "EC2",
"HealthCheckGracePeriod": "120"
}
},
"RootRole": {
"Properties": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {

476
IAM
},
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Properties": {
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
}
},
"Properties": {
"Path": "/",
}
}
}
}
YAML
Resources:
myLCOne:
Version: '2009-05-15'
Properties:
InstanceMonitoring: 'true'
IamInstanceProfile:
!Ref RootInstanceProfile
myASGrpOne:
Version: '2009-05-15'
Properties:
AvailabilityZones:
- "us-east-1a"
!Ref myLCOne
MinSize: '0'
MaxSize: '0'
HealthCheckType: EC2
HealthCheckGracePeriod: '120'
RootRole:
Properties:
Version: '2012-10-17'
Statement:
- Effect: Allow

477
AWS Lambda
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RolePolicies:
Properties:
PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Roles:
- !Ref RootRole
Properties:
Path: "/"
Roles:
- !Ref RootRole
AWS Lambda Template
The following template uses an AWS Lambda (Lambda) function and custom resource to append a new
security group to a list of existing security groups. This function is useful when you want to build a list
of security groups dynamically, so that your list includes both new and existing security groups. For
example, you can pass a list of existing security groups as a parameter value, append the new value to
the list, and then associate all your values with an EC2 instance. For more information about the Lambda
function resource type, see AWS::Lambda::Function.
In the example, when AWS CloudFormation creates the AllSecurityGroups custom resource, AWS
CloudFormation invokes the AppendItemToListFunction Lambda function. AWS CloudFormation
passes the list of existing security groups and a new security group (NewSecurityGroup) to the
function, which appends the new security group to the list and then returns the modified list. AWS
CloudFormation uses the modified list to associate all security groups with the MyEC2Instance
resource.
JSON
{
"Parameters" : {
"ExistingSecurityGroups" : {
"Type" : "List<AWS::EC2::SecurityGroup::Id>"
},
"ExistingVPC" : {
"Type" : "AWS::EC2::VPC::Id",
"Description" : "The VPC ID that includes the security groups in the
ExistingSecurityGroups parameter."
},
"InstanceType" : {
"Type" : "String",
"AllowedValues" : ["t2.micro", "m1.small"]
}

478
AWS Lambda
},
"Mappings": {
"t2.micro" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "HVM64" }
},
"ami-0a584ac55a7631c0c"},
"ami-0a7c483d527806435"},
"ami-06223d46a6d0661c7"},
"ami-053cdd503598e4a9d"},
"cn-north-1" : {"HVM64" : "ami-0a4eaf6c4454eda75", "HVMG2" : "NOT_SUPPORTED"}
}
},
"Resources" : {
"SecurityGroup" : {
"Properties" : {
"GroupDescription" : "Allow HTTP traffic to the host",
"VpcId" : {"Ref" : "ExistingVPC"},
"SecurityGroupIngress" : [{
"FromPort" : "80",
"ToPort" : "80",
"CidrIp" : "0.0.0.0/0"
}],
"SecurityGroupEgress" : [{
"FromPort" : "80",
"ToPort" : "80",
"CidrIp" : "0.0.0.0/0"
}]
}
},
"AllSecurityGroups": {
"Type": "Custom::Split",
"Properties": {
"ServiceToken": { "Fn::GetAtt" : ["AppendItemToListFunction", "Arn"] },
"List": { "Ref" : "ExistingSecurityGroups" },
"AppendedItem": { "Ref" : "SecurityGroup" }
}
},
"AppendItemToListFunction": {
"Properties": {
"Role": { "Fn::GetAtt" : ["LambdaExecutionRole", "Arn"] },
"Code": {
"ZipFile": { "Fn::Join": ["", [
"var response = require('cfn-response');",
"exports.handler = function(event, context) {",
" var responseData = {Value: event.ResourceProperties.List};",

479
AWS Lambda
" responseData.Value.push(event.ResourceProperties.AppendedItem);",
" response.send(event, context, response.SUCCESS, responseData);",
"};"
]]}
},
"Runtime": "nodejs8.10"
}
},
"MyEC2Instance" : {
"Properties" : {
"ImageId": { "Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" },
{ "Fn::FindInMap": [
"AWSInstanceType2Arch", { "Ref": "InstanceType" }, "Arch" ] } ]
},
"SecurityGroupIds" : { "Fn::GetAtt": [ "AllSecurityGroups", "Value" ] },
"InstanceType" : { "Ref" : "InstanceType" }
}
},
"LambdaExecutionRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [{ "Effect": "Allow", "Principal": {"Service":
["lambda.amazonaws.com"]}, "Action": ["sts:AssumeRole"] }]
},
"Path": "/",
"Policies": [{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{ "Effect": "Allow", "Action": ["logs:*"], "Resource":
"arn:aws:logs:*:*:*" }]
}
}]
}
}
},
"Outputs" : {
"AllSecurityGroups" : {
"Description" : "Security Groups that are associated with the EC2 instance",
"Value" : { "Fn::Join" : [ ", ", { "Fn::GetAtt": [ "AllSecurityGroups", "Value" ] }]}
}
}
}
YAML
Parameters:
ExistingSecurityGroups:
Type: List<AWS::EC2::SecurityGroup::Id>
ExistingVPC:
Type: AWS::EC2::VPC::Id
Description: The VPC ID that includes the security groups in the ExistingSecurityGroups
parameter.
InstanceType:
Type: String
Default: t2.micro
AllowedValues:
- t2.micro
- m1.small
Mappings:

480
AWS Lambda
t2.micro:
Arch: HVM64
m1.small:
Arch: HVM64
AWSRegionArch2AMI:
us-east-1:
HVM64: ami-0ff8a91507f77f867
us-west-2:
HVM64: ami-a0cfeed8
us-west-1:
eu-west-1:
HVM64: ami-047bb4163c506cd98
HVMG2: ami-0a7c483d527806435
eu-central-1:
HVM64: ami-0233214e13e500f77
HVMG2: ami-06223d46a6d0661c7
ap-northeast-1:
ap-southeast-1:
ap-southeast-2:
HVM64: ami-09b42976632b27e9b
sa-east-1:
cn-north-1:
Resources:
SecurityGroup:
Properties:
GroupDescription: Allow HTTP traffic to the host
VpcId:
Ref: ExistingVPC
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
AllSecurityGroups:
Type: Custom::Split
Properties:
ServiceToken: !GetAtt AppendItemToListFunction.Arn
List:
Ref: ExistingSecurityGroups
AppendedItem:
Ref: SecurityGroup
AppendItemToListFunction:
Type: AWS::Lambda::Function
Properties:

481
AWS OpsWorks
Role: !GetAtt LambdaExecutionRole.Arn

Code:
ZipFile: !Sub |
var response = require('cfn-response');
exports.handler = function(event, context) {
var responseData = {Value: event.ResourceProperties.List};
responseData.Value.push(event.ResourceProperties.AppendedItem);
response.send(event, context, response.SUCCESS, responseData);
};
Runtime: nodejs8.10
MyEC2Instance:
Properties:
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- Ref: InstanceType
- Arch
SecurityGroupIds: !GetAtt AllSecurityGroups.Value
InstanceType:
Ref: InstanceType
LambdaExecutionRole:
Properties:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
Policies:
- PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:*
Resource: arn:aws:logs:*:*:*
Outputs:
AllSecurityGroups:
Description: Security Groups that are associated with the EC2 instance
Value:
Fn::Join:
- ", "
- Fn::GetAtt:
- AllSecurityGroups
- Value
AWS OpsWorks Template Snippets

AWS OpsWorks is an application management service that simplifies a wide range of tasks such as
software configuration, application deployment, scaling, and monitoring. AWS CloudFormation is a
resource management service that you can use to manage AWS OpsWorks resources, such as AWS
OpsWorks stacks, layers, apps, and instances.

482
AWS OpsWorks
AWS OpsWorks Sample PHP App

The following sample template deploys a sample AWS OpsWorks PHP web application that is stored in
public Git repository. The AWS OpsWorks stack includes two application servers with a load balancer
that distributes incoming traffic evenly across the servers. The AWS OpsWorks stack also includes a
back-end MySQL database server to store data. For more information about the sample AWS OpsWorks
application, see Walkthrough: Learn AWS AWS OpsWorks Basics by Creating an Application Server Stack
in the AWS OpsWorks User Guide.
Note
The ServiceRoleArn and DefaultInstanceProfileArn properties reference IAM roles that
are created after you use AWS OpsWorks for the first time.
The example defines the MysqlRootPassword parameter with its NoEcho property set to true. If you
set the NoEcho attribute to true, CloudFormation returns the parameter value masked as asterisks
(*****) for any calls that describe the stack or stack events.
Important
JSON
{
"Parameters": {
"ServiceRole": {
"Default": "aws-opsworks-service-role",
"Description": "The OpsWorks service role",
"Type": "String",
"MinLength": "1",
"MaxLength": "64",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9-]*",
"ConstraintDescription": "must begin with a letter and contain only alphanumeric
characters."
},
"InstanceRole": {
"Default": "aws-opsworks-ec2-role",
"Description": "The OpsWorks instance role",
"Type": "String",
"MinLength": "1",
"MaxLength": "64",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9-]*",
characters."
},
"AppName": {
"Default": "myapp",
"Description": "The app name",
"Type": "String",
"MinLength": "1",
"MaxLength": "64",
"AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*",

483
AWS OpsWorks

characters."
},
"MysqlRootPassword" : {
"Description" : "MysqlRootPassword",
"NoEcho" : "true",
"Type" : "String"
}
},
"Resources": {
"myStack": {
"Type": "AWS::OpsWorks::Stack",
"Properties": {
"Name": {
},
"ServiceRoleArn": {
"Fn::Join": [
"", ["arn:aws:iam::", {"Ref": "AWS::AccountId"},
":role/", {"Ref": "ServiceRole"}]
]
},
"DefaultInstanceProfileArn": {
"Fn::Join": [
"", ["arn:aws:iam::", {"Ref": "AWS::AccountId"},
":instance-profile/", {"Ref": "InstanceRole"}]
]
},
"UseCustomCookbooks": "true",
"CustomCookbooksSource": {
"Type": "git",
"Url": "git://github.com/amazonwebservices/opsworks-example-cookbooks.git"
}
}
},
"myLayer": {
"Type": "AWS::OpsWorks::Layer",
"DependsOn": "myApp",
"Properties": {
"StackId": {"Ref": "myStack"},
"Type": "php-app",
"Shortname" : "php-app",
"EnableAutoHealing" : "true",
"AutoAssignElasticIps" : "false",
"AutoAssignPublicIps" : "true",
"Name": "MyPHPApp",
"CustomRecipes" : {
"Configure" : ["phpapp::appsetup"]
}
}
},
"DBLayer" : {
"Type" : "AWS::OpsWorks::Layer",
"DependsOn": "myApp",
"Properties" : {
"StackId" : {"Ref":"myStack"},
"Type" : "db-master",
"Shortname" : "db-layer",
"EnableAutoHealing" : "true",
"AutoAssignElasticIps" : "false",
"AutoAssignPublicIps" : "true",
"Name" : "MyMySQL",
"CustomRecipes" : {
"Setup" : ["phpapp::dbsetup"]
},
"Attributes" : {

484
AWS OpsWorks
"MysqlRootPassword" : {"Ref":"MysqlRootPassword"},
"MysqlRootPasswordUbiquitous": "true"
},
"VolumeConfigurations":[{"MountPoint":"/vol/mysql","NumberOfDisks":1,"Size":10}]
}
},
"ELBAttachment" : {
"Type" : "AWS::OpsWorks::ElasticLoadBalancerAttachment",
"Properties" : {
"ElasticLoadBalancerName" : { "Ref" : "ELB" },
"LayerId" : { "Ref" : "myLayer" }
}
},
"ELB" : {
"Properties": {
"AvailabilityZones": { "Fn::GetAZs" : "" } ,
"Listeners": [{
"Protocol": "HTTP",
"InstanceProtocol": "HTTP"
}],
"HealthCheck": {
"Target": "HTTP:80/",
"Interval": "30",
"Timeout": "5"
}
}
},
"myAppInstance1": {
"Type": "AWS::OpsWorks::Instance",
"Properties": {
"LayerIds": [{"Ref": "myLayer"}],
"InstanceType": "m1.small"
}
},
"myAppInstance2": {
"Properties": {
"LayerIds": [{"Ref": "myLayer"}],
}
},
"myDBInstance": {
"Properties": {
"LayerIds": [{"Ref": "DBLayer"}],
}
},
"myApp" : {
"Type" : "AWS::OpsWorks::App",
"Properties" : {
"StackId" : {"Ref":"myStack"},
"Type" : "php",
"Name" : {"Ref": "AppName"},
"AppSource" : {
"Type" : "git",
"Url" : "git://github.com/amazonwebservices/opsworks-demo-php-simple-app.git",
"Revision" : "version2"

485
AWS OpsWorks
},
"Attributes" : {
"DocumentRoot" : "web"
}
}
}
}
}
YAML
Parameters:
ServiceRole:
Default: aws-opsworks-service-role
Description: The OpsWorks service role
Type: String
MinLength: '1'
MaxLength: '64'
AllowedPattern: "[a-zA-Z][a-zA-Z0-9-]*"
ConstraintDescription: must begin with a letter and contain only alphanumeric
characters.
InstanceRole:
Default: aws-opsworks-ec2-role
Description: The OpsWorks instance role
Type: String
MinLength: '1'
MaxLength: '64'
AllowedPattern: "[a-zA-Z][a-zA-Z0-9-]*"
characters.
AppName:
Default: myapp
Description: The app name
Type: String
MinLength: '1'
MaxLength: '64'
AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
characters.
MysqlRootPassword:
Description: MysqlRootPassword
NoEcho: 'true'
Type: String
Resources:
myStack:
Type: AWS::OpsWorks::Stack
Properties:
Name:
Ref: AWS::StackName
ServiceRoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/${ServiceRole}"
DefaultInstanceProfileArn: !Sub "arn:aws:iam::${AWS::AccountId}:instance-profile/
${InstanceRole}"
UseCustomCookbooks: 'true'
CustomCookbooksSource:
Type: git
Url: git://github.com/amazonwebservices/opsworks-example-cookbooks.git
myLayer:
Type: AWS::OpsWorks::Layer
DependsOn: myApp
Properties:
StackId:
Ref: myStack
Type: php-app

486
AWS OpsWorks
Shortname: php-app
EnableAutoHealing: 'true'
AutoAssignElasticIps: 'false'
AutoAssignPublicIps: 'true'
Name: MyPHPApp
CustomRecipes:
Configure:
- phpapp::appsetup
DBLayer:
Type: AWS::OpsWorks::Layer
DependsOn: myApp
Properties:
StackId:
Ref: myStack
Type: db-master
Shortname: db-layer
EnableAutoHealing: 'true'
AutoAssignElasticIps: 'false'
AutoAssignPublicIps: 'true'
Name: MyMySQL
CustomRecipes:
Setup:
- phpapp::dbsetup
Attributes:
MysqlRootPassword:
Ref: MysqlRootPassword
MysqlRootPasswordUbiquitous: 'true'
VolumeConfigurations:
- MountPoint: "/vol/mysql"
NumberOfDisks: 1
Size: 10
ELBAttachment:
Type: AWS::OpsWorks::ElasticLoadBalancerAttachment
Properties:
ElasticLoadBalancerName:
Ref: ELB
LayerId:
Ref: myLayer
ELB:
Properties:
AvailabilityZones:
Fn::GetAZs: ''
Listeners:
InstancePort: '80'
Protocol: HTTP
InstanceProtocol: HTTP
HealthCheck:
Target: HTTP:80/
Interval: '30'
Timeout: '5'
myAppInstance1:
Type: AWS::OpsWorks::Instance
Properties:
StackId:
Ref: myStack
LayerIds:
- Ref: myLayer
myAppInstance2:
Properties:
StackId:

487
Amazon Redshift
Ref: myStack
LayerIds:
- Ref: myLayer
myDBInstance:
Properties:
StackId:
Ref: myStack
LayerIds:
- Ref: DBLayer
myApp:
Type: AWS::OpsWorks::App
Properties:
StackId:
Ref: myStack
Type: php
Name:
Ref: AppName
AppSource:
Type: git
Url: git://github.com/amazonwebservices/opsworks-demo-php-simple-app.git
Revision: version2
Attributes:
DocumentRoot: web
Amazon Redshift Template Snippets

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can use
AWS CloudFormation to provision and manage Amazon Redshift clusters.
Amazon Redshift Cluster

The following sample template creates an Amazon Redshift cluster according to the parameter values
that are specified when the stack is created. The cluster parameter group that is associated with the
Amazon Redshift cluster enables user activity logging. The template also launches the Amazon Redshift
clusters in an Amazon VPC that is defined in the template. The VPC includes an internet gateway so that
you can access the Amazon Redshift clusters from the Internet. However, the communication between
the cluster and the Internet gateway must also be enabled, which is done by the route table entry.
Note
The template includes the IsMultiNodeCluster condition so that the NumberOfNodes
parameter is declared only when the ClusterType parameter value is set to multi-node.
The example defines the MysqlRootPassword parameter with its NoEcho property set to true. If you
set the NoEcho attribute to true, CloudFormation returns the parameter value masked as asterisks
(*****) for any calls that describe the stack or stack events.
Important

488
Amazon Redshift
JSON
{
"Parameters" : {
"DatabaseName" : {
"Description" : "The name of the first database to be created when the cluster is
created",
"Type" : "String",
"Default" : "dev",
"AllowedPattern" : "([a-z]|[0-9])+"
},
"ClusterType" : {
"Description" : "The type of cluster",
"Type" : "String",
"Default" : "single-node",
"AllowedValues" : [ "single-node", "multi-node" ]
},
"NumberOfNodes" : {
"Description" : "The number of compute nodes in the cluster. For multi-node clusters,
the NumberOfNodes parameter must be greater than 1",
"Type" : "Number",
"Default" : "1"
},
"NodeType" : {
"Description" : "The type of node to be provisioned",
"Type" : "String",
"Default" : "ds2.xlarge",
"AllowedValues" : [ "ds2.xlarge", "ds2.8xlarge", "dc1.large", "dc1.8xlarge" ]
},
"MasterUsername" : {
"Description" : "The user name that is associated with the master user account for
the cluster that is being created",
"Type" : "String",
"Default" : "defaultuser",
"AllowedPattern" : "([a-z])([a-z]|[0-9])*"
},
"MasterUserPassword" : {
"Description" : "The password that is associated with the master user account for the
cluster that is being created.",
"Type" : "String",
"NoEcho" : "true"
},
"InboundTraffic" : {
"Description" : "Allow inbound traffic to the cluster from this CIDR range.",
"Type" : "String",
"MinLength": "9",
"MaxLength": "18",
"Default" : "0.0.0.0/0",
"AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription" : "must be a valid CIDR range of the form x.x.x.x/x."
},
"PortNumber" : {
"Description" : "The port number on which the cluster accepts incoming connections.",
"Type" : "Number",
"Default" : "5439"
}
},
"Conditions" : {
"IsMultiNodeCluster" : {
"Fn::Equals" : [{ "Ref" : "ClusterType" }, "multi-node" ]
}
},
"Resources" : {
"RedshiftCluster" : {

489
Amazon Redshift
"Type" : "AWS::Redshift::Cluster",
"DependsOn" : "AttachGateway",
"Properties" : {
"ClusterType" : { "Ref" : "ClusterType" },
"NumberOfNodes" : { "Fn::If" : [ "IsMultiNodeCluster", { "Ref" :
"NumberOfNodes" }, { "Ref" : "AWS::NoValue" }]},
"NodeType" : { "Ref" : "NodeType" },
"DBName" : { "Ref" : "DatabaseName" },
"MasterUsername" : { "Ref" : "MasterUsername" },
"MasterUserPassword" : { "Ref" : "MasterUserPassword" },
"ClusterParameterGroupName" : { "Ref" : "RedshiftClusterParameterGroup" },
"VpcSecurityGroupIds" : [ { "Ref" : "SecurityGroup" } ],
"ClusterSubnetGroupName" : { "Ref" : "RedshiftClusterSubnetGroup" },
"PubliclyAccessible" : "true",
"Port" : { "Ref" : "PortNumber" }
}
},
"RedshiftClusterParameterGroup" : {
"Type" : "AWS::Redshift::ClusterParameterGroup",
"Properties" : {
"Description" : "Cluster parameter group",
"ParameterGroupFamily" : "redshift-1.0",
"Parameters" : [{
"ParameterName" : "enable_user_activity_logging",
"ParameterValue" : "true"
}]
}
},
"RedshiftClusterSubnetGroup" : {
"Type" : "AWS::Redshift::ClusterSubnetGroup",
"Properties" : {
"Description" : "Cluster subnet group",
"SubnetIds" : [ { "Ref" : "PublicSubnet" } ]
}
},
"VPC" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : "10.0.0.0/16"
}
},
"PublicSubnet" : {
"Properties" : {
"CidrBlock" : "10.0.0.0/24",
"VpcId" : { "Ref" : "VPC" }
}
},
"SecurityGroup" : {
"Properties" : {
"GroupDescription" : "Security group",
"CidrIp" : { "Ref": "InboundTraffic" },
"FromPort" : { "Ref" : "PortNumber" },
"ToPort" : { "Ref" : "PortNumber" },
"IpProtocol" : "tcp"
} ],
"VpcId" : { "Ref" : "VPC" }
}
},
"myInternetGateway" : {
"Type" : "AWS::EC2::InternetGateway"
},
"AttachGateway" : {

490
Amazon Redshift
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "myInternetGateway" }
}
},
"PublicRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : {
"Ref" : "VPC"
}
}
},
"PublicRoute" : {
"Type" : "AWS::EC2::Route",
"DependsOn" : "AttachGateway",
"Properties" : {
"RouteTableId" : {
"Ref" : "PublicRouteTable"
},
"DestinationCidrBlock" : "0.0.0.0/0",
"GatewayId" : {
"Ref" : "myInternetGateway"
}
}
},
"PublicSubnetRouteTableAssociation" : {
"Properties" : {
"SubnetId" : {
"Ref" : "PublicSubnet"
},
"RouteTableId" : {
"Ref" : "PublicRouteTable"
}
}
}
},
"Outputs" : {
"ClusterEndpoint" : {
"Description" : "Cluster endpoint",
"Value" : { "Fn::Join" : [ ":", [ { "Fn::GetAtt" : [ "RedshiftCluster",
"Endpoint.Address" ] }, { "Fn::GetAtt" : [ "RedshiftCluster", "Endpoint.Port" ] } ] ] }
},
"ClusterName" : {
"Description" : "Name of cluster",
"Value" : { "Ref" : "RedshiftCluster" }
},
"ParameterGroupName" : {
"Description" : "Name of parameter group",
"Value" : { "Ref" : "RedshiftClusterParameterGroup" }
},
"RedshiftClusterSubnetGroupName" : {
"Description" : "Name of cluster subnet group",
"Value" : { "Ref" : "RedshiftClusterSubnetGroup" }
},
"RedshiftClusterSecurityGroupName" : {
"Description" : "Name of cluster security group",
"Value" : { "Ref" : "SecurityGroup" }
}
}
}

491
Amazon Redshift
YAML
Parameters:
DatabaseName:
Description: The name of the first database to be created when the cluster is
created
Type: String
Default: dev
AllowedPattern: "([a-z]|[0-9])+"
ClusterType:
Description: The type of cluster
Type: String
Default: single-node
AllowedValues:
- single-node
- multi-node
NumberOfNodes:
Description: The number of compute nodes in the cluster. For multi-node clusters,
the NumberOfNodes parameter must be greater than 1
Type: Number
Default: '1'
NodeType:
Description: The type of node to be provisioned
Type: String
Default: ds2.xlarge
AllowedValues:
- ds2.xlarge
- ds2.8xlarge
- dc1.large
- dc1.8xlarge
MasterUsername:
Description: The user name that is associated with the master user account for
the cluster that is being created
Type: String
Default: defaultuser
AllowedPattern: "([a-z])([a-z]|[0-9])*"
MasterUserPassword:
Description: The password that is associated with the master user account for
the cluster that is being created.
Type: String
NoEcho: 'true'
InboundTraffic:
Description: Allow inbound traffic to the cluster from this CIDR range.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
ConstraintDescription: must be a valid CIDR range of the form x.x.x.x/x.
PortNumber:
Description: The port number on which the cluster accepts incoming connections.
Type: Number
Default: '5439'
Conditions:
IsMultiNodeCluster:
Fn::Equals:
- Ref: ClusterType
- multi-node
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
DependsOn: AttachGateway
Properties:
ClusterType:

492
Amazon Redshift
Ref: ClusterType
NumberOfNodes:
Fn::If:
- IsMultiNodeCluster
- Ref: NumberOfNodes
- Ref: AWS::NoValue
NodeType:
Ref: NodeType
DBName:
Ref: DatabaseName
MasterUsername:
Ref: MasterUsername
MasterUserPassword:
Ref: MasterUserPassword
ClusterParameterGroupName:
Ref: RedshiftClusterParameterGroup
VpcSecurityGroupIds:
- Ref: SecurityGroup
ClusterSubnetGroupName:
Ref: RedshiftClusterSubnetGroup
PubliclyAccessible: 'true'
Port:
Ref: PortNumber
RedshiftClusterParameterGroup:
Type: AWS::Redshift::ClusterParameterGroup
Properties:
Description: Cluster parameter group
ParameterGroupFamily: redshift-1.0
Parameters:
- ParameterName: enable_user_activity_logging
ParameterValue: 'true'
RedshiftClusterSubnetGroup:
Type: AWS::Redshift::ClusterSubnetGroup
Properties:
Description: Cluster subnet group
SubnetIds:
- Ref: PublicSubnet
VPC:
Type: AWS::EC2::VPC
Properties:
PublicSubnet:
Properties:
VpcId:
Ref: VPC
SecurityGroup:
Properties:
GroupDescription: Security group
- CidrIp:
Ref: InboundTraffic
FromPort:
Ref: PortNumber
ToPort:
Ref: PortNumber
IpProtocol: tcp
VpcId:
Ref: VPC
myInternetGateway:
AttachGateway:
Properties:

493
Amazon RDS
VpcId:
Ref: VPC
InternetGatewayId:
Ref: myInternetGateway
PublicRouteTable:
Properties:
VpcId:
Ref: VPC
PublicRoute:
Properties:
RouteTableId:
Ref: PublicRouteTable
GatewayId:
PublicSubnetRouteTableAssociation:
Properties:
SubnetId:
Ref: PublicSubnet
RouteTableId:
Ref: PublicRouteTable
Outputs:
ClusterEndpoint:
Description: Cluster endpoint
Value: !Sub "${RedshiftCluster.Endpoint.Address}:${RedshiftCluster.Endpoint.Port}"
ClusterName:
Description: Name of cluster
Value:
Ref: RedshiftCluster
ParameterGroupName:
Description: Name of parameter group
Value:
Ref: RedshiftClusterParameterGroup
RedshiftClusterSubnetGroupName:
Description: Name of cluster subnet group
Value:
Ref: RedshiftClusterSubnetGroup
RedshiftClusterSecurityGroupName:
Description: Name of cluster security group
Value:
Ref: SecurityGroup
See Also
AWS::Redshift::Cluster
Amazon RDS Template Snippets

Topics
• Amazon RDS DB Instance Resource (p. 495)
• Amazon RDS Oracle Database DB Instance Resource (p. 495)
• Amazon RDS DBSecurityGroup Resource for CIDR Range (p. 496)
• Amazon RDS DBSecurityGroup with an Amazon EC2 security group (p. 497)
• Multiple VPC security groups (p. 498)
• Amazon RDS Database Instance in a VPC Security Group (p. 499)

494
Amazon RDS
Amazon RDS DB Instance Resource

This example shows an Amazon RDS DB Instance resource. Because the optional EngineVersion
property is not specified, the default engine version is used for this DB Instance. For details
about the default engine version and other default settings, see CreateDBInstance. The
DBSecurityGroups property authorizes network ingress to the AWS::RDS::DBSecurityGroup resources
named MyDbSecurityByEC2SecurityGroup and MyDbSecurityByCIDRIPGroup. For details, see
AWS::RDS::DBInstance. The DB Instance resource also has a DeletionPolicy attribute set to Snapshot.
With the Snapshot DeletionPolicy set, AWS CloudFormation will take a snapshot of this DB Instance
before deleting it during stack deletion.
JSON
"MyDB" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"DBSecurityGroups" : [
{"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" :
"MyDbSecurityByCIDRIPGroup"} ],
"AllocatedStorage" : "5",
"DBInstanceClass" : "db.m1.small",
"Engine" : "MySQL",
"MasterUsername" : "MyName",
"MasterUserPassword" : "MyPassword"
},
}
YAML
MyDB:
Type: AWS::RDS::DBInstance
Properties:
DBSecurityGroups:
- Ref: MyDbSecurityByEC2SecurityGroup
- Ref: MyDbSecurityByCIDRIPGroup
DBInstanceClass: db.m1.small
Engine: MySQL
MasterUsername: MyName
MasterUserPassword: MyPassword
Amazon RDS Oracle Database DB Instance Resource

This example creates an Oracle Database DB Instance resource by specifying the Engine as oracle-ee
with a license model of bring-your-own-license. For details about the settings for Oracle Database
DB instances, see CreateDBInstance. The DBSecurityGroups property authorizes network ingress
to the AWS::RDS::DBSecurityGroup resources named MyDbSecurityByEC2SecurityGroup and
MyDbSecurityByCIDRIPGroup. For details, see AWS::RDS::DBInstance. The DB Instance resource also has a
DeletionPolicy attribute set to Snapshot. With the Snapshot DeletionPolicy set, AWS CloudFormation will
take a snapshot of this DB Instance before deleting it during stack deletion.
JSON
"MyDB" : {

495
Amazon RDS
"Properties" : {
"DBSecurityGroups" : [
{"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" :
"MyDbSecurityByCIDRIPGroup"} ],
"Engine" : "oracle-ee",
"LicenseModel" : "bring-your-own-license",
"MasterUsername" : "master",
"MasterUserPassword" : "SecretPassword01"
},
}
YAML
MyDB:
Properties:
DBSecurityGroups:
- Ref: MyDbSecurityByEC2SecurityGroup
- Ref: MyDbSecurityByCIDRIPGroup
Engine: oracle-ee
LicenseModel: bring-your-own-license
MasterUsername: master
MasterUserPassword: SecretPassword01
Amazon RDS DBSecurityGroup Resource for CIDR Range

This example shows an Amazon RDS DBSecurityGroup resource with ingress authorization for the
specified CIDR range in the format ddd.ddd.ddd.ddd/dd. For details, see AWS::RDS::DBSecurityGroup and
Ingress.
JSON
"MyDbSecurityByCIDRIPGroup" : {
"Type" : "AWS::RDS::DBSecurityGroup",
"Properties" : {
"GroupDescription" : "Ingress for CIDRIP",
"DBSecurityGroupIngress" : {
"CIDRIP" : "192.168.0.0/32"
}
}
}
YAML
MyDbSecurityByCIDRIPGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
GroupDescription: Ingress for CIDRIP
DBSecurityGroupIngress:
CIDRIP: "192.168.0.0/32"

496
Amazon RDS
Amazon RDS DBSecurityGroup with an Amazon EC2 security

group
This example shows an AWS::RDS::DBSecurityGroup resource with ingress authorization from an Amazon
EC2 security group referenced by MyEc2SecurityGroup.
To do this, you define an EC2 security group and then use the intrinsic Ref function to refer to the EC2
security group within your DBSecurityGroup.
JSON
"DBInstance" : {
"Properties": {
"DBName" : { "Ref" : "DBName" },
"Engine" : "MySQL",
"MasterUsername" : { "Ref" : "DBUsername" },
"DBInstanceClass" : { "Ref" : "DBClass" },
"DBSecurityGroups" : [ { "Ref" : "DBSecurityGroup" } ],
"AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
"MasterUserPassword": { "Ref" : "DBPassword" }
}
},
"DBSecurityGroup": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"DBSecurityGroupIngress": { "EC2SecurityGroupName": { "Ref":
"WebServerSecurityGroup" } },
"GroupDescription" : "Frontend Access"
}
},
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80 and SSH access",
"0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"}
]
}
}
YAML
This example is extracted from the following full example: Drupal_Single_Instance_With_RDS.template
DBInstance:
Properties:
DBName:
Ref: DBName
Engine: MySQL
MasterUsername:
Ref: DBUsername
DBInstanceClass:
Ref: DBClass
DBSecurityGroups:

497
Amazon RDS
- Ref: DBSecurityGroup
AllocatedStorage:
Ref: DBAllocatedStorage
MasterUserPassword:
Ref: DBPassword
DBSecurityGroup:
Properties:
EC2SecurityGroupName:
Ref: WebServerSecurityGroup
GroupDescription: Frontend Access
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 0.0.0.0/0
Multiple VPC security groups

This example shows an AWS::RDS::DBSecurityGroup resource with ingress authorization for multiple
Amazon EC2 VPC security groups in AWS::RDS::DBSecurityGroupIngress.
JSON
{
"Resources" : {
"DBinstance" : {
"Properties" : {
"DBName" : {"Ref": "MyDBName" },
"DBSecurityGroups" : [ { "Ref" : "DbSecurityByEC2SecurityGroup" } ],
"DBSubnetGroupName" : { "Ref" : "MyDBSubnetGroup" },
"Engine" : "MySQL",
"MasterUserPassword": { "Ref" : "MyDBPassword" },
"MasterUsername" : { "Ref" : "MyDBUsername" }
},
},
"DbSecurityByEC2SecurityGroup" : {
"Type" : "AWS::RDS::DBSecurityGroup",
"Properties" : {
"GroupDescription" : "Ingress for Amazon EC2 security group",
"EC2VpcId" : { "Ref" : "MyVPC" },
"DBSecurityGroupIngress" : [ {
"EC2SecurityGroupId" : "sg-b0ff1111",
"EC2SecurityGroupOwnerId" : "111122223333"
}, {
"EC2SecurityGroupId" : "sg-ffd722222",
"EC2SecurityGroupOwnerId" : "111122223333"
} ]
}
}

498
Amazon RDS
}
}
YAML
Resources:
DBinstance:
Properties:
DBName:
Ref: MyDBName
DBSecurityGroups:
- Ref: DbSecurityByEC2SecurityGroup
DBSubnetGroupName:
Ref: MyDBSubnetGroup
Engine: MySQL
MasterUserPassword:
Ref: MyDBPassword
MasterUsername:
Ref: MyDBUsername
DbSecurityByEC2SecurityGroup:
Properties:
GroupDescription: Ingress for Amazon EC2 security group
EC2VpcId:
Ref: MyVPC
- EC2SecurityGroupId: sg-b0ff1111
EC2SecurityGroupOwnerId: '111122223333'
- EC2SecurityGroupId: sg-ffd722222
EC2SecurityGroupOwnerId: '111122223333'
Amazon RDS Database Instance in a VPC Security Group

This example shows an Amazon RDS database instance associated with an Amazon EC2 VPC security
group.
JSON
{
"DBEC2SecurityGroup": {
"Properties" : {
"GroupDescription": "Open database for access",
"FromPort" : "3306",
"ToPort" : "3306",
"SourceSecurityGroupName" : { "Ref" : "WebServerSecurityGroup" }
}]
}
},
"DBInstance" : {
"Properties": {
"DBName" : { "Ref" : "DBName" },
"Engine" : "MySQL",

499
Route 53
"MultiAZ" : { "Ref": "MultiAZDatabase" },

"MasterUsername" : { "Ref" : "DBUser" },
"DBInstanceClass" : { "Ref" : "DBClass" },
"AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
"MasterUserPassword": { "Ref" : "DBPassword" },
"VPCSecurityGroups" : [ { "Fn::GetAtt": [ "DBEC2SecurityGroup", "GroupId" ] } ]
}
}
}
YAML
DBEC2SecurityGroup:
Properties:
GroupDescription: Open database for access
- IpProtocol: tcp
FromPort: '3306'
ToPort: '3306'
SourceSecurityGroupName:
Ref: WebServerSecurityGroup
DBInstance:
Properties:
DBName:
Ref: DBName
Engine: MySQL
MultiAZ:
Ref: MultiAZDatabase
MasterUsername:
Ref: DBUser
DBInstanceClass:
Ref: DBClass
AllocatedStorage:
Ref: DBAllocatedStorage
MasterUserPassword:
Ref: DBPassword
VPCSecurityGroups:
- !GetAtt DBEC2SecurityGroup.GroupId
Route 53 Template Snippets

Topics
• Amazon Route 53 Resource Record Set Using Hosted Zone Name or ID (p. 500)
• Using RecordSetGroup to Set Up Weighted Resource Record Sets (p. 502)
• Using RecordSetGroup to Set Up an Alias Resource Record Set (p. 503)
• Alias Resource Record Set for a CloudFront Distribution (p. 504)
Amazon Route 53 Resource Record Set Using Hosted Zone

Name or ID
When you create an Amazon Route 53 resource record set, you must specify the hosted zone where you
want to add it. AWS CloudFormation provides two ways to do this. You can explicitly specify the hosted
zone using the HostedZoneId property or have AWS CloudFormation find the hosted zone using the
HostedZoneName property. If you use the HostedZoneName property and there are multiple hosted
zones with the same domain name, AWS CloudFormation doesn't create the stack.

500
Route 53
Adding RecordSet using HostedZoneId

This example adds an Amazon Route 53 resource record set containing an SPF record for the domain
name mysite.example.com that uses the HostedZoneId property to specify the hosted zone.
JSON
"myDNSRecord" : {
"Type" : "AWS::Route53::RecordSet",
"Properties" :
{
"HostedZoneId" : "Z3DG6IL3SJCGPX",
"Name" : "mysite.example.com.",
"Type" : "SPF",
"TTL" : "900",
"ResourceRecords" : [ "\"v=spf1 ip4:192.168.0.1/16 -all\"" ]
}
}
YAML
myDNSRecord:
Type: AWS::Route53::RecordSet
Properties:
HostedZoneId: Z3DG6IL3SJCGPX
Name: mysite.example.com.
Type: SPF
TTL: '900'
ResourceRecords:
- '"v=spf1 ip4:192.168.0.1/16 -all"'
Adding RecordSet using HostedZoneName

This example adds an Amazon Route 53 resource record set containing A records for the domain name
"mysite.example.com" using the HostedZoneName property to specify the hosted zone.
JSON
"myDNSRecord2" : {
"Type" : "AWS::Route53::RecordSet",
"Properties" : {
"HostedZoneName" : "example.com.",
"Type" : "A",
"TTL" : "900",
"ResourceRecords" : [
"192.168.0.1",
"192.168.0.2"
]
}
}
YAML
myDNSRecord2:
Type: AWS::Route53::RecordSet
Properties:
HostedZoneName: example.com.

501
Route 53
Name: mysite.example.com.
Type: A
TTL: '900'
ResourceRecords:
- 192.168.0.1
- 192.168.0.2
Using RecordSetGroup to Set Up Weighted Resource Record

Sets
This example uses an AWS::Route53::RecordSetGroup to set up two CNAME records for the
"example.com." hosted zone. The RecordSets property contains the CNAME record sets for the
"mysite.example.com" DNS name. Each record set contains an identifier (SetIdentifier) and weight
(Weight). The weighting for Frontend One is 40% (4 of 10) and Frontend Two is 60% (6 of 10). For more
information about weighted resource record sets, see Setting Up Weighted Resource Record Sets in
Route 53 Developer Guide.
JSON
"myDNSOne" : {
"Type" : "AWS::Route53::RecordSetGroup",
"Properties" : {
"Comment" : "Weighted RR for my frontends.",
"RecordSets" : [
{
"Type" : "CNAME",
"TTL" : "900",
"SetIdentifier" : "Frontend One",
"Weight" : "4",
"ResourceRecords" : ["example-ec2.amazonaws.com"]
},
{
"Type" : "CNAME",
"TTL" : "900",
"SetIdentifier" : "Frontend Two",
"Weight" : "6",
"ResourceRecords" : ["example-ec2-larger.amazonaws.com"]
}
]
}
}
YAML
myDNSOne:
Type: AWS::Route53::RecordSetGroup
Properties:
Comment: Weighted RR for my frontends.
RecordSets:
- Name: mysite.example.com.
Type: CNAME
TTL: '900'
SetIdentifier: Frontend One
Weight: '4'
ResourceRecords:
- example-ec2.amazonaws.com

502
Route 53
- Name: mysite.example.com.
Type: CNAME
TTL: '900'
SetIdentifier: Frontend Two
Weight: '6'
ResourceRecords:
- example-ec2-larger.amazonaws.com
Using RecordSetGroup to Set Up an Alias Resource Record Set

This example uses an AWS::Route53::RecordSetGroup to set up an alias resource record set
for the "example.com." hosted zone. The RecordSets property contains the A record for the
zone apex "example.com." The AliasTarget property specifies the hosted zone ID and DNS name
for the myELB LoadBalancer by using the GetAtt (p. 3807) intrinsic function to retrieve the
CanonicalHostedZoneNameID and DNSName properties of myELB resource. For more information about
alias resource record sets, see Creating Alias Resource Record Sets in the Route 53 Developer Guide.
JSON
"myELB" : {
"Properties" : {
"Listeners" : [ {
"Protocol" : "HTTP"
} ]
}
},
"myDNS" : {
"Properties" : {
"Comment" : "Zone apex alias targeted to myELB LoadBalancer.",
"RecordSets" : [
{
"Name" : "example.com.",
"Type" : "A",
"AliasTarget" : {
"HostedZoneId" : { "Fn::GetAtt" : ["myELB",
"CanonicalHostedZoneNameID"] },
"DNSName" : { "Fn::GetAtt" : ["myELB","DNSName"] }
}
}
]
}
}
YAML
myELB:
Properties:
AvailabilityZones:
- "us-east-1a"
Listeners:
InstancePort: '80'
Protocol: HTTP
myDNS:

503
Amazon S3
Properties:
Comment: Zone apex alias targeted to myELB LoadBalancer.
RecordSets:
- Name: example.com.
Type: A
AliasTarget:
HostedZoneId: !GetAtt myELB.CanonicalHostedZoneNameID
DNSName: !GetAtt myELB.DNSName
Alias Resource Record Set for a CloudFront Distribution

The following example creates an alias record set that routes queries to the specified CloudFront
distribution domain name.
Note
When you create alias resource record sets, you must specify Z2FDTNDATAQYW2 for the
HostedZoneId property, as shown in the following example. Alias resource record sets for
CloudFront can't be created in a private zone.
JSON
"myDNS" : {
"Properties" : {
"HostedZoneId" : { "Ref" : "myHostedZoneID" },
"RecordSets" : [{
"Name" : { "Ref" : "myRecordSetDomainName" },
"Type" : "A",
"AliasTarget" : {
"HostedZoneId" : "Z2FDTNDATAQYW2",
"DNSName" : { "Ref" : "myCloudFrontDistributionDomainName" }
}
}]
}
}
YAML
myDNS:
Properties:
HostedZoneId:
Ref: myHostedZoneID
RecordSets:
- Name:
Ref: myRecordSetDomainName
Type: A
AliasTarget:
HostedZoneId: Z2FDTNDATAQYW2
DNSName:
Ref: myCloudFrontDistributionDomainName
Amazon S3 Template Snippets

Topics
• Creating an Amazon S3 Bucket with Defaults (p. 505)

504
Amazon S3
• Creating an Amazon S3 Bucket for Website Hosting and with a DeletionPolicy (p. 505)
• Creating a Static Website Using a Custom Domain (p. 507)
Creating an Amazon S3 Bucket with Defaults

This example uses a AWS::S3::Bucket to create a bucket with default settings.
JSON
"myS3Bucket" : {
"Type" : "AWS::S3::Bucket"
}
YAML
MyS3Bucket:
Creating an Amazon S3 Bucket for Website Hosting and with a

DeletionPolicy
This example creates a bucket as a website. The AccessControl property is set to the canned ACL
PublicRead (public read permissions are required for buckets set up for website hosting). Because this
bucket resource has a DeletionPolicy attribute (p. 3764) set to Retain, AWS CloudFormation will not
delete this bucket when it deletes the stack. The Output section uses Fn::GetAtt to retrieve the
WebsiteURL attribute and DomainName attribute of the S3Bucket resource.
JSON
{
"Resources": {
"S3Bucket": {
"Properties": {
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"IndexDocument": "index.html",
"ErrorDocument": "error.html"
}
},
"DeletionPolicy": "Retain"
},
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"PolicyDocument": {
"Id": "MyPolicy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadForGetBucketObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",

505
Amazon S3
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "S3Bucket"
},
"/*"
]
]
}
}
]
},
"Bucket": {
"Ref": "S3Bucket"
}
}
}
},
"Outputs": {
"WebsiteURL": {
"Value": {
"Fn::GetAtt": [
"S3Bucket",
"WebsiteURL"
]
},
"Description": "URL for website hosted on S3"
},
"S3BucketSecureURL": {
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Fn::GetAtt": [
"S3Bucket",
"DomainName"
]
}
]
]
},
"Description": "Name of S3 bucket to hold website content"
}
}
}
YAML
Resources:
S3Bucket:
Properties:
ErrorDocument: error.html
DeletionPolicy: Retain
BucketPolicy:

506
Amazon S3
Properties:
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
- Sid: PublicReadForGetBucketObjects
Effect: Allow
Principal: '*'
Action: 's3:GetObject'
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3Bucket
- /*
Bucket: !Ref S3Bucket
Outputs:
WebsiteURL:
Value: !GetAtt
- S3Bucket
- WebsiteURL
Description: URL for website hosted on S3
S3BucketSecureURL:
Value: !Join
- ''
- - 'https://'
- !GetAtt
- S3Bucket
- DomainName
Description: Name of S3 bucket to hold website content
Creating a Static Website Using a Custom Domain

You can use Route 53 with a registered domain. The following sample assumes that you have already
created a hosted zone in Route 53 for your domain. The example creates two buckets for website
hosting. The root bucket hosts the content, and the other bucket redirects www.domainname.com
requests to the root bucket. The record sets map your domain name to Amazon S3 endpoints. Note that
you will also need to add a bucket policy, as shown in the examples above.
For more information about using a custom domain, see Setting Up a Static Website Using a Custom
Domain in the Amazon Simple Storage Service Developer Guide.
JSON
{
"Mappings" : {
"RegionMap" : {
"us-east-1" : { "S3hostedzoneID" : "Z3AQBSTGFYJSTF", "websiteendpoint" : "s3-
website-us-east-1.amazonaws.com" },
"us-west-1" : { "S3hostedzoneID" : "Z2F56UZL2M1ACD", "websiteendpoint" : "s3-
website-us-west-1.amazonaws.com" },
"us-west-2" : { "S3hostedzoneID" : "Z3BJ6K6RIION7M", "websiteendpoint" : "s3-
website-us-west-2.amazonaws.com" },
"eu-west-1" : { "S3hostedzoneID" : "Z1BKCTXD74EZPE", "websiteendpoint" : "s3-
website-eu-west-1.amazonaws.com" },
"ap-southeast-1" : { "S3hostedzoneID" : "Z3O0J2DXBE1FTB", "websiteendpoint" :
"s3-website-ap-southeast-1.amazonaws.com" },
"ap-southeast-2" : { "S3hostedzoneID" : "Z1WCIGYICN2BYD", "websiteendpoint" :
"s3-website-ap-southeast-2.amazonaws.com" },
"ap-northeast-1" : { "S3hostedzoneID" : "Z2M4EHUR26P7ZW", "websiteendpoint" :
"s3-website-ap-northeast-1.amazonaws.com" },

507
Amazon S3
"sa-east-1" : { "S3hostedzoneID" : "Z31GFT0UA1I2HV", "websiteendpoint" : "s3-

website-sa-east-1.amazonaws.com" }
}
},
"Parameters": {
"RootDomainName": {
"Description": "Domain name for your website (example.com)",
"Type": "String"
}
},
"Resources": {
"RootBucket": {
"Properties": {
"BucketName" : {"Ref":"RootDomainName"},
"AccessControl": "PublicRead",
"IndexDocument":"index.html",
"ErrorDocument":"404.html"
}
}
},
"WWWBucket": {
"Properties": {
"BucketName": {
"Fn::Join": ["", ["www.", {"Ref":"RootDomainName"}]]
},
"AccessControl": "BucketOwnerFullControl",
"RedirectAllRequestsTo": {
"HostName": {"Ref": "RootBucket"}
}
}
}
},
"myDNS": {
"Type": "AWS::Route53::RecordSetGroup",
"Properties": {
"HostedZoneName": {
"Fn::Join": ["", [{"Ref": "RootDomainName"}, "."]]
},
"Comment": "Zone apex alias.",
"RecordSets": [
{
"Name": {"Ref": "RootDomainName"},
"Type": "A",
"AliasTarget": {
"HostedZoneId": {"Fn::FindInMap" : [ "RegionMap", { "Ref" :
"AWS::Region" }, "S3hostedzoneID"]},
"DNSName": {"Fn::FindInMap" : [ "RegionMap", { "Ref" :
"AWS::Region" }, "websiteendpoint"]}
}
},
{
"Name": {
"Fn::Join": ["", ["www.", {"Ref":"RootDomainName"}]]
},
"Type": "CNAME",
"TTL" : "900",
"ResourceRecords" : [
{"Fn::GetAtt":["WWWBucket", "DomainName"]}
]
}
]
}

508
Amazon S3
}
},
"Outputs": {
"WebsiteURL": {
"Value": {"Fn::GetAtt": ["RootBucket", "WebsiteURL"]},
"Description": "URL for website hosted on S3"
}
}
}
YAML
Parameters:
RootDomainName:
Description: Domain name for your website (example.com)
Type: String
Mappings:
RegionMap:
us-east-1:
S3hostedzoneID: Z3AQBSTGFYJSTF
websiteendpoint: s3-website-us-east-1.amazonaws.com
us-west-1:
S3hostedzoneID: Z2F56UZL2M1ACD
websiteendpoint: s3-website-us-west-1.amazonaws.com
us-west-2:
S3hostedzoneID: Z3BJ6K6RIION7M
websiteendpoint: s3-website-us-west-2.amazonaws.com
eu-west-1:
S3hostedzoneID: Z1BKCTXD74EZPE
websiteendpoint: s3-website-eu-west-1.amazonaws.com
ap-southeast-1:
S3hostedzoneID: Z3O0J2DXBE1FTB
websiteendpoint: s3-website-ap-southeast-1.amazonaws.com
ap-southeast-2:
S3hostedzoneID: Z1WCIGYICN2BYD
websiteendpoint: s3-website-ap-southeast-2.amazonaws.com
ap-northeast-1:
S3hostedzoneID: Z2M4EHUR26P7ZW
websiteendpoint: s3-website-ap-northeast-1.amazonaws.com
sa-east-1:
S3hostedzoneID: Z31GFT0UA1I2HV
websiteendpoint: s3-website-sa-east-1.amazonaws.com
Resources:
RootBucket:
Properties:
BucketName: !Ref RootDomainName
ErrorDocument: 404.html
WWWBucket:
Properties:
BucketName: !Sub
- www.${Domain}
- Domain: !Ref RootDomainName
AccessControl: BucketOwnerFullControl
RedirectAllRequestsTo:
HostName: !Ref RootBucket
myDNS:
Properties:

509
Amazon SNS
HostedZoneName: !Sub
- ${Domain}.
Comment: Zone apex alias.
RecordSets:
-
Name: !Ref RootDomainName
Type: A
AliasTarget:
HostedZoneId: !FindInMap [ RegionMap, !Ref 'AWS::Region', S3hostedzoneID]
DNSName: !FindInMap [ RegionMap, !Ref 'AWS::Region', websiteendpoint]
-
Name: !Sub
- www.${Domain}
Type: CNAME
TTL: 900
ResourceRecords:
- !GetAtt WWWBucket.DomainName
Outputs:
WebsiteURL:
Value: !GetAtt RootBucket.WebsiteURL
Description: URL for website hosted on S3
Amazon SNS Template Snippets

This example shows an Amazon SNS topic resource. It requires a valid email address.
JSON
"MySNSTopic" : {
"Type" : "AWS::SNS::Topic",
"Properties" : {
"Subscription" : [ {
"Endpoint" : "add valid email address",
"Protocol" : "email"
} ]
}
}
YAML
MySNSTopic:
Properties:
Subscription:
- Endpoint: "add valid email address"
Protocol: email
Amazon SQS Template Snippets

This example shows an Amazon SQS queue.
JSON
"MyQueue" : {

510
Custom Resources
"Type" : "AWS::SQS::Queue",
"Properties" : {
"VisibilityTimeout" : "value"
}
}
YAML
MyQueue:
Type: AWS::SQS::Queue
Properties:
VisibilityTimeout: value
Custom Resources
Custom resources enable you to write custom provisioning logic in templates that AWS CloudFormation
runs anytime you create, update (if you changed the custom resource), or delete stacks. For example, you
might want to include resources that aren't available as AWS CloudFormation resource types (p. 604).
You can include those resources by using custom resources. That way you can still manage all your
related resources in a single stack.
Use the AWS::CloudFormation::CustomResource or Custom::MyCustomResourceTypeName resource

type to define custom resources in your templates. Custom resources require one property: the service
token, which specifies where AWS CloudFormation sends requests to, such as an Amazon SNS topic.
Note
If you use the VPC endpoint feature, custom resources in the VPC must have access to AWS
CloudFormation-specific S3 buckets. Custom resources must send responses to a pre-signed
Amazon S3 URL. If they can't send responses to Amazon S3, AWS CloudFormation won't receive
a response and the stack operation fails. For more information, see Setting Up VPC Endpoints
for AWS CloudFormation (p. 26).
How Custom Resources Work

Any action taken for a custom resource involves three parties.
template developer
Creates a template that includes a custom resource type. The template developer specifies the
service token and any input data in the template.
custom resource provider
Owns the custom resource and determines how to handle and respond to requests from AWS
CloudFormation. The custom resource provider must provide a service token that the template
developer uses.
AWS CloudFormation
During a stack operation, sends a request to a service token that is specified in the template, and
then waits for a response before proceeding with the stack operation.
The template developer and custom resource provider can be the same person or entity, but the process
is the same. The following steps describe the general process:

511
How Custom Resources Work
1. The template developer defines a custom resource in his or her template, which includes a service
token and any input data parameters. Depending on the custom resource, the input data might be
required; however, the service token is always required.
The service token specifies where AWS CloudFormation sends requests to, such as to an
Amazon SNS topic ARN or to an AWS Lambda function ARN. For more information, see
AWS::CloudFormation::CustomResource. The service token and the structure of the input data is
defined by the custom resource provider.
2. Whenever anyone uses the template to create, update, or delete a custom resource, AWS
CloudFormation sends a request to the specified service token. The service token must be in the same
region in which you are creating the stack.
In the request, AWS CloudFormation includes information such as the request type and a pre-signed
Amazon Simple Storage Service URL, where the custom resource sends responses to. For more
information about what's included in the request, see Custom Resource Request Objects (p. 530).
The following sample data shows what AWS CloudFormation includes in a request:
{
"RequestType" : "Create",
"ResponseURL" : "http://pre-signed-S3-url-for-response",
"StackId" : "arn:aws:cloudformation:us-west-2:123456789012:stack/stack-name/guid",
"RequestId" : "unique id for this create request",
"ResourceType" : "Custom::TestResource",
"LogicalResourceId" : "MyTestResource",
"ResourceProperties" : {
"Name" : "Value",
"List" : [ "1", "2", "3" ]
}
}
Note
In this example, ResourceProperties allows AWS CloudFormation to create a custom
payload to send to the Lambda function.
3. The custom resource provider processes the AWS CloudFormation request and returns a response of
SUCCESS or FAILED to the pre-signed URL. The custom resource provider provides the response in a
JSON-formatted file and uploads it to the pre-signed S3 URL. For more information, see Uploading
Objects Using Pre-Signed URLs in the Amazon Simple Storage Service Developer Guide.
In the response, the custom resource provider can also include name-value pairs that the template
developer can access. For example, the response can include output data if the request succeeded or
an error message if the request failed. For more information about responses, see Custom Resource
Response Objects (p. 532).
Important
If the name-value pairs contain sensitive information, you should use the NoEcho field to
mask the output of the custom resource. Otherwise, the values are visible through APIs that
surface property values (such as DescribeStackEvents).
For more information about using NoEcho to mask sensitive information, see the Do Not
Embed Credentials in Your Templates best practice.
The custom resource provider is responsible for listening and responding to the request. For example,
for Amazon SNS notifications, the custom resource provider must listen and respond to notifications
that are sent to a specific topic ARN. AWS CloudFormation waits and listens for a response in the pre-
signed URL location.
The following sample data shows what a custom resource might include in a response:

512
Amazon Simple Notification
Service-backed Custom Resources
"PhysicalResourceId" : "TestResource1",
"LogicalResourceId" : "MyTestResource",
"Data" : {
"OutputName1" : "Value1",
"OutputName2" : "Value2",
}
}
4. After getting a SUCCESS response, AWS CloudFormation proceeds with the stack operation. If a
FAILED response or no response is returned, the operation fails. Any output data from the custom
resource is stored in the pre-signed URL location. The template developer can retrieve that data by
using the Fn::GetAtt (p. 3807) function.
Amazon Simple Notification Service-backed Custom

Resources
When you associate an Amazon SNS topic with a custom resource, you use Amazon SNS notifications
to trigger custom provisioning logic. With custom resources and Amazon SNS, you can enable scenarios
such as adding new resources to a stack and injecting dynamic data into a stack. For example, when
you create a stack, AWS CloudFormation can send a create request to a topic that's monitored by an
application that's running on an Amazon Elastic Compute Cloud instance. The Amazon SNS notification
triggers the application to carry out additional provisioning tasks, such as retrieve a pool of white-listed
Elastic IPs. After it's done, the application sends a response (and any output data) that notifies AWS
CloudFormation to proceed with the stack operation.
Walkthrough: Using Amazon Simple Notification Service to

Create Custom Resources
This walkthrough will step through the custom resource process, explaining the sequence of events and
messages sent and received as a result of custom resource stack creation, updates, and deletion.
Step 1: Stack Creation

1. The template developer creates an AWS CloudFormation stack that contains a custom resource; in the
template example below, we use the custom resource type name Custom::SeleniumTester for the
custom resource MySeleniumTest.
The custom resource type is declared with a service token, optional provider-specific properties, and
optional Fn::GetAtt (p. 3807) attributes that are defined by the custom resource provider. These
properties and attributes can be used to pass information from the template developer to the custom
resource provider and vice-versa. Custom resource type names must be alphanumeric and can have a
maximum length of 60 characters.
The following example shows a template that has both custom properties and return attributes:
{
"Resources" : {
"MySeleniumTest" : {
"Type": "Custom::SeleniumTester",
"Version" : "1.0",
"Properties" : {
"ServiceToken": "arn:aws:sns:us-west-2:123456789012:CRTest",

513
"seleniumTester" : "SeleniumTest()",
"endpoints" : [ "http://mysite.com", "http://myecommercesite.com/", "http://
search.mysite.com" ],
"frequencyOfTestsPerHour" : [ "3", "2", "4" ]
}
}
},
"Outputs" : {
"topItem" : {
"Value" : { "Fn::GetAtt" : ["MySeleniumTest", "resultsPage"] }
},
"numRespondents" : {
"Value" : { "Fn::GetAtt" : ["MySeleniumTest", "lastUpdate"] }
}
}
}
Note
The names and values of the data accessed with Fn::GetAtt are returned by the custom
resource provider during the provider's response to AWS CloudFormation. If the custom
resource provider is a third-party, then the template developer must obtain the names of
these return values from the custom resource provider.
2. AWS CloudFormation sends an Amazon SNS notification to the resource provider with a
"RequestType" : "Create" that contains information about the stack, the custom resource
properties from the stack template, and an S3 URL for the response.
The SNS topic that is used to send the notification is embedded in the template in the ServiceToken
property. To avoid using a hard-coded value, a template developer can use a template parameter so
that the value is entered at the time the stack is launched.
The following example shows a custom resource Create request which includes a custom
resource type name, Custom::SeleniumTester, created with a LogicalResourceId of
MySeleniumTester:
{
"ResourceType" : "Custom::SeleniumTester",
"LogicalResourceId" : "MySeleniumTester",
}
}
3. The custom resource provider processes the data sent by the template developer and determines
whether the Create request was successful. The resource provider then uses the S3 URL sent by AWS
CloudFormation to send a response of either SUCCESS or FAILED.
Depending on the response type, different response fields will be expected by AWS CloudFormation.
Refer to the Responses section in the reference topic for the RequestType that is being processed.
In response to a create or update request, the custom resource provider can return data elements
in the Data (p. 533) field of the response. These are name/value pairs, and the names correspond
to the Fn::GetAtt attributes used with the custom resource in the stack template. The values are
the data that is returned when the template developer calls Fn::GetAtt on the resource with the
attribute name.

514
The following is an example of a custom resource response:
{
"PhysicalResourceId" : "Tester1",
"Data" : {
"resultsPage" : "http://www.myexampledomain/test-results/guid",
"lastUpdate" : "2012-11-14T03:30Z",
}
}
The StackId, RequestId, and LogicalResourceId fields must be copied verbatim from the
request.
4. AWS CloudFormation declares the stack status as CREATE_COMPLETE or CREATE_FAILED. If the stack
was successfully created, the template developer can use the output values of the created custom
resource by accessing them with Fn::GetAtt (p. 3807).
For example, the custom resource template used for illustration used Fn::GetAtt to copy resource
outputs into the stack outputs:
"Outputs" : {
"topItem" : {
},
}
}
For detailed information about the request and response objects involved in Create requests, see
Create (p. 534) in the Custom Resource Reference (p. 530).
Step 2: Stack Updates

To update an existing stack, you must submit a template that specifies updates for the properties of
resources in the stack, as shown in the example below. AWS CloudFormation updates only the resources
that have changes specified in the template. For more information about updating stacks, see AWS
CloudFormation Stack Updates (p. 127).
You can update custom resources that require a replacement of the underlying physical resource. When
you update a custom resource in an AWS CloudFormation template, AWS CloudFormation sends an
update request to that custom resource. If a custom resource requires a replacement, the new custom
resource must send a response with the new physical ID. When AWS CloudFormation receives the
response, it compares the PhysicalResourceId between the old and new custom resources. If they
are different, AWS CloudFormation recognizes the update as a replacement and sends a delete request to
the old resource, as shown in Step 3: Stack Deletion (p. 517).
Note
If you didn't make changes to the custom resource, AWS CloudFormation won't send requests to
it during a stack update.
1. The template developer initiates an update to the stack that contains a custom resource. During an
update, the template developer can specify new Properties in the stack template.

515
The following is an example of an Update to the stack template using a custom resource type:
{
"Resources" : {
"MySeleniumTest" : {
"Type": "Custom::SeleniumTester",
"Version" : "1.0",
"Properties" : {
"ServiceToken": "arn:aws:sns:us-west-2:123456789012:CRTest",
search.mysite.com",
"http://mynewsite.com" ],
"frequencyOfTestsPerHour" : [ "3", "2", "4", "3" ]
}
}
},
"Outputs" : {
"topItem" : {
},
}
}
}
"RequestType" : "Update" that contains similar information to the Create call, except that
the OldResourceProperties field contains the old resource properties, and ResourceProperties
contains the updated (if any) resource properties.
The following is an example of an Update request:
{
"RequestType" : "Update",
"RequestId" : "uniqueid for this update request",
search.mysite.com",
},
"OldResourceProperties" : {
}
}
3. The custom resource provider processes the data sent by AWS CloudFormation. The custom resource
performs the update and sends a response of either SUCCESS or FAILED to the S3 URL. AWS

516
CloudFormation then compares the PhysicalResourceIDs of old and new custom resources. If they
are different, AWS CloudFormation recognizes that the update requires a replacement and sends a
delete request to the old resource. The following example demonstrates the custom resource provider
response to an Update request.
{
"RequestId" : "uniqueid for this update request",
"PhysicalResourceId" : "Tester2"
}
request.
4. AWS CloudFormation declares the stack status as UPDATE_COMPLETE or UPDATE_FAILED. If the
update fails, the stack rolls back. If the stack was successfully updated, the template developer can
access any new output values of the created custom resource with Fn::GetAtt.
For detailed information about the request and response objects involved in Update requests, see
Update (p. 539) in the Custom Resource Reference (p. 530).
Step 3: Stack Deletion

1. The template developer deletes a stack that contains a custom resource. AWS CloudFormation gets
the current properties specified in the stack template along with the SNS topic, and prepares to make
a request to the custom resource provider.
"RequestType" : "Delete" that contains current information about the stack, the custom
resource properties from the stack template, and an S3 URL for the response.
Whenever you delete a stack or make an update that removes or replaces the custom resource, AWS
CloudFormation compares the PhysicalResourceId between the old and new custom resources. If
they are different, AWS CloudFormation recognizes the update as a replacement and sends a delete
request for the old resource (OldPhysicalResource), as shown in the following example of a
Delete request.
{
"RequestType" : "Delete",
"RequestId" : "unique id for this delete request",
search.mysite.com",
}
}

517
AWS Lambda-backed Custom Resources
DescribeStackResource, DescribeStackResources, and ListStackResources display the

user-defined name if it has been specified.
3. The custom resource provider processes the data sent by AWS CloudFormation and determines
whether the Delete request was successful. The resource provider then uses the S3 URL sent by AWS
CloudFormation to send a response of either SUCCESS or FAILED. To successfully delete a stack with
a custom resource, the custom resource provider must respond successfully to a delete request.
The following is an example of a custom resource provider response to a Delete request:
{
"PhysicalResourceId" : "Tester1"
}
request.
4. AWS CloudFormation declares the stack status as DELETE_COMPLETE or DELETE_FAILED.
For detailed information about the request and response objects involved in Delete requests, see
Delete (p. 536) in the Custom Resource Reference (p. 530).
See Also
• AWS CloudFormation Custom Resource Reference (p. 530)
• AWS::CloudFormation::CustomResource
• Fn::GetAtt (p. 3807)

When you associate a Lambda function with a custom resource, the function is invoked whenever the
custom resource is created, updated, or deleted. AWS CloudFormation calls a Lambda API to invoke
the function and to pass all the request data (such as the request type and resource properties) to the
function. The power and customizability of Lambda functions in combination with AWS CloudFormation
enable a wide range of scenarios, such as dynamically looking up AMI IDs during stack creation, or
implementing and using utility functions, such as string reversal functions.
Topics
• Walkthrough: Looking Up Amazon Machine Image IDs (p. 518)
• cfn-response Module (p. 525)
Walkthrough: Looking Up Amazon Machine Image IDs

AWS CloudFormation templates that declare an Amazon Elastic Compute Cloud (Amazon EC2) instance
must also specify an Amazon Machine Image (AMI) ID, which includes an operating system and other
software and configuration information used to launch the instance. The correct AMI ID depends on the
instance type and region in which you're launching your stack. And IDs can change regularly, such as
when an AMI is updated with software updates.

518
Normally, you might map AMI IDs to specific instance types and regions. To update the IDs, you manually
change them in each of your templates. By using custom resources and AWS Lambda (Lambda), you can
create a function that gets the IDs of the latest AMIs for the region and instance type that you're using so
that you don't have to maintain mappings.
This walkthrough shows you how to create a custom resource and associate a Lambda function with it to
look up AMI IDs. Note that the walkthrough assumes that you understand how to use custom resources
and Lambda. For more information, see Custom Resources (p. 511) or the AWS Lambda Developer
Guide.
For this walkthrough, you'll create a stack with a custom resource, a Lambda function, and an EC2
instance. The walkthrough provides sample code and a sample template that you'll use to create the
stack.
The sample template uses the custom resource type to invoke and send input values to the Lambda
function. When you use the template, AWS CloudFormation invokes the function and sends information
to it, such as the request type, input data, and a pre-signed Amazon Simple Storage Service (Amazon S3)
URL. The function uses that information to look up the AMI ID, and then sends a response to the pre-
signed URL.
After AWS CloudFormation gets a response in the pre-signed URL location, it proceeds with creating the
stack. When AWS CloudFormation creates the instance, it uses the Lambda function's response to specify
the instance's AMI ID.
The following list summarizes the process. You need AWS Identity and Access Management
(IAM) permissions to use all the corresponding services, such as Lambda, Amazon EC2, and AWS
CloudFormation.
Note
AWS CloudFormation is a free service; however, you are charged for the AWS resources, such as
the Lambda function and EC2 instance, that you include in your stacks at the current rate for
each. For more information about AWS pricing, see the detail page for each product at http://
aws.amazon.com.
1. Save the sample Lambda package in an Amazon Simple Storage Service (Amazon S3)
bucket. (p. 519)
The sample package contains everything that's required to create the Lambda function. You must save
the package in a bucket that's in the same region in which you will create your stack.
2. Use the sample template to create a stack. (p. 520)
The stack demonstrates how you associate the Lambda function with a custom resource and how to
use the results from the function to specify an AMI ID. The stack also creates an IAM role (execution
role), which Lambda uses to make calls to Amazon EC2.
3. Delete the stack. (p. 525)
Delete the stack to clean up all the stack resources that you created so that you aren't charged for
unnecessary resources.
Step 1: Downloading and Saving the Sample Package in Amazon S3

When you create a stack with a Lambda function, you must specify the location of the Amazon S3 bucket
that contains the function's source code. The bucket must be in the same region in which you create your
stack.

519
This walkthrough provides a sample package (a .zip file) that's required to create the Lambda function.
A Lambda package contains the source code for the function and required libraries. For this walkthrough,
the function doesn't require additional libraries.
The function takes an instance's architecture and region as inputs from an AWS CloudFormation custom
resource request and returns the latest AMI ID to a pre-signed Amazon S3 URL.
To download and save the package in Amazon S3
1. Download the sample package from Amazon S3. When you save the file, use the same file name as
the sample, amilookup.zip or amilookup-win.zip.
Look up Linux AMI IDs
https://s3.amazonaws.com/cloudformation-examples/lambda/amilookup.zip
Look up Windows AMI IDs
https://s3.amazonaws.com/cloudformation-examples/lambda/amilookup-win.zip
2. Open the Amazon S3 console at https://console.aws.amazon.com/s3/home.
3. Choose or create a bucket that's located in the same region in which you'll create your AWS
CloudFormation stack. Record the bucket name.
You'll save the sample package in this bucket. For more information about creating a bucket, see
Creating a Bucket in the Amazon Simple Storage Service Console User Guide.
4. Upload the sample package to the bucket that you chose or created.
For more information about uploading objects, see Uploading Objects in the Amazon Simple Storage
Service Console User Guide.
With the package in Amazon S3, you can now specify its location in the Lambda resource declaration
of the AWS CloudFormation template. The next step demonstrates how you declare the function and
invoke it by using a custom resource. You'll also see how to use the results of the function to specify the
AMI ID of an EC2 instance.
Step 2: Creating the Stack

To create the sample Amazon EC2 stack, you'll use a sample template that includes a Lambda function,
an IAM execution role, a custom resource that invokes the function, and an EC2 instance that uses the
results from the function.
During stack creation, the custom resource invokes the Lambda function and waits until the function
sends a response to the pre-signed Amazon S3 URL. In the response, the function returns the ID of the
latest AMI that corresponds to the EC2 instance type and region in which you are creating the instance.
The data from the function's response is stored as an attribute of the custom resource, which is used to
specify the AMI ID of the EC2 instance.
The following snippets explain relevant parts of the sample template to help you understand how to
associate a Lambda function with a custom resource and how to use the function's response.
To view the entire sample template, see:
Linux template
https://s3.amazonaws.com/cloudformation-examples/lambda/LambdaAMILookupSample.template
Windows template
https://s3.amazonaws.com/cloudformation-examples/lambda/LambdaAMILookupSample-
win.template

520
Stack Template Snippets
To create the Lambda function, you declare the AWS::Lambda::Function resource, which requires the
function's source code, handler name, runtime environment, and execution role ARN.
Example JSON Syntax
"AMIInfoFunction": {
"Properties": {
"Code": {
"S3Bucket": { "Ref": "S3Bucket" },
"S3Key": { "Ref": "S3Key" }
},
"Handler": { "Fn::Join" : [ "", [{ "Ref": "ModuleName" },".handler"] ] },
"Runtime": "nodejs8.10",
"Timeout": "30",
"Role": { "Fn::GetAtt" : ["LambdaExecutionRole", "Arn"] }
}
}
Example YAML Syntax
AMIInfoFunction:
Properties:
Code:
S3Bucket: !Ref S3Bucket
S3Key: !Ref S3Key
Handler: !Sub "${ModuleName}.handler"
Runtime: nodejs8.10
Timeout: 30
Role: !GetAtt LambdaExecutionRole.Arn
The Code property specifies the Amazon S3 location (bucket name and file name) where you uploaded
the sample package. The sample template uses input parameters ("Ref": "S3Bucket" and "Ref":
"S3Key") to set the bucket and file names so that you are able to specify the names when you create
the stack. Similarly, the handler name, which corresponds to the name of the source file (the JavaScript
file) in the .zip package, also uses an input parameter ("Ref": "ModuleName"). Because the source
file is JavaScript code, the runtime is specified as nodejs8.10.
For this walkthrough, the execution time for the function exceeds the default value of 3 seconds, so
the timeout is set to 30 seconds. If you don't specify a sufficiently long timeout, Lambda might cause a
timeout before the function can complete, causing stack creation to fail.
The execution role, which is declared elsewhere in the template, is specified by using the Fn::GetAtt
intrinsic function in the Role property. The execution role grants the Lambda function permission to
send logs to AWS and to call the EC2 DescribeImages API. The following snippet shows the role and
policy that grant the appropriate permission:
Example JSON Syntax
"LambdaExecutionRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"Service": ["lambda.amazonaws.com"]},
"Action": ["sts:AssumeRole"]

521
}]
},
"Path": "/",
"Policies": [{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents"],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": ["ec2:DescribeImages"],
"Resource": "*"
}]
}
}]
}
}
Example YAML Syntax
Properties:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
Policies:
- PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: arn:aws:logs:*:*:*
- Effect: Allow
Action:
- ec2:DescribeImages
Resource: "*"
For both the Linux and Windows templates, the custom resource invokes the Lambda function that is
associated with it. To associate a function with a custom resource, you specify the Amazon Resource
Name (ARN) of the function for the ServiceToken property, using the Fn::GetAtt intrinsic function.
AWS CloudFormation sends the additional properties that are included in the custom resource
declaration, such as Region and Architecture, to the Lambda function as inputs. The Lambda
function determines the correct names and values for these input properties.
Example JSON Syntax
"AMIInfo": {

522
"Type": "Custom::AMIInfo",
"Properties": {
"ServiceToken": { "Fn::GetAtt" : ["AMIInfoFunction", "Arn"] },
"Region": { "Ref": "AWS::Region" },
"Architecture": { "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" :
"InstanceType" }, "Arch" ] }
}
}
Example YAML Syntax
AMIInfo:
Type: Custom::AMIInfo
Properties:
ServiceToken: !GetAtt AMIInfoFunction.Arn
Region: !Ref "AWS::Region"
Architecture:
Fn::FindInMap:
- !Ref InstanceType
- Arch
For Windows, the custom resource provides the Windows version to the Lambda function instead of the
instance's architecture.
Example JSON Syntax
"AMIInfo": {
"Type": "Custom::AMIInfo",
"Properties": {
"ServiceToken": { "Fn::GetAtt" : ["AMIInfoFunction", "Arn"] },
"Region": { "Ref": "AWS::Region" },
"OSName": { "Ref": "WindowsVersion" }
}
}
Example YAML Syntax
AMIInfo:
Type: Custom::AMIInfo
Properties:
ServiceToken: !GetAtt AMIInfoFunction.Arn
Region: !Ref "AWS::Region"
OSName: !Ref "WindowsVersion"
When AWS CloudFormation invokes the Lambda function, the function calls the EC2 DescribeImages
API, using the region and instance architecture or the OS name to filter the list of images. Then the
function sorts the list of images by date and returns the ID of the latest AMI.
When returning the ID of the latest AMI, the function sends the ID to a pre-signed URL in the Data
property of the response object (p. 532). The data is structured as a name-value pair, as shown in the
following example:
"Data": {
"Id": "ami-43795473"
}
The following snippet shows how to get the data from a Lambda function. It uses the Fn::GetAtt
intrinsic function, providing the name of the custom resource and the attribute name of the value that

523
you want to get. In this walkthrough, the custom resource name is AMIInfo and the attribute name is
Id.
Example JSON Syntax
"SampleInstance": {
"Properties": {
"ImageId": { "Fn::GetAtt": [ "AMIInfo", "Id" ] }
}
}
Example YAML Syntax
SampleInstance:
Properties:
ImageId: !GetAtt AMIInfo.Id
Now that you understand what the template does, use the sample template to create a stack.
To create the stack

2. Choose Create Stack.
3. In the Template section, choose Specify an Amazon S3 template URL, and then copy and paste the
following URL in the text box:
Linux template
https://s3.amazonaws.com/cloudformation-examples/lambda/
LambdaAMILookupSample.template
Windows template
https://s3.amazonaws.com/cloudformation-examples/lambda/
LambdaAMILookupSample-win.template
4. Choose Next.
5. In the Stack name field, type SampleEC2Instance.
6. In the Parameters section, specify the name of the Amazon S3 bucket that you created, and then
choose Next.
The default values for the other parameters are the same names that are used in the sample .zip
package.
8. Ensure that the stack name and template URL are correct, and then choose Create.
It might take several minutes for AWS CloudFormation to create your stack. To monitor progress, view
the stack events. For more information, see Viewing AWS CloudFormation Stack Data and Resources on
the AWS Management Console (p. 106).
If stack creation succeeds, all resources in the stack, such as the Lambda function, custom resource, and
EC2 instance, were created. You successfully used a Lambda function and custom resource to specify the
AMI ID of an EC2 instance. You don't need to create and maintain a mapping of AMI IDs in this template.

524
To see which AMI ID AWS CloudFormation used to create the EC2 instance, view the stack outputs.
If the Lambda function returns an error, view the function's logs in the Amazon CloudWatch Logs
console. The name of the log stream is the physical ID of the custom resource, which you can find by
viewing the stack's resources. For more information, see Viewing Log Data in the Amazon CloudWatch
User Guide.

To make sure that you are not charged for unwanted services, delete your stack.
To delete the stack
1. From the AWS CloudFormation console, choose the SampleEC2Instance stack.

2. Choose Actions and then Delete Stack.
All the resources that you created are deleted.
Now that you understand how to create and use Lambda functions with AWS CloudFormation, you can
use the sample template and code from this walkthrough to build other stacks and functions.
Related Information
• AWS CloudFormation Custom Resource Reference (p. 530)
cfn-response Module
When you use the ZipFile property to specify your function's source code and that function
interacts with an AWS CloudFormation custom resource, you can load the cfn-response module
to send responses to those resources. The module contains a send method, which sends a response
object (p. 532) to a custom resource by way of an Amazon S3 presigned URL (the ResponseURL).
After executing the send method, the Lambda function terminates, so anything you write after that
method is ignored.
Note
The cfn-response module is available only when you use the ZipFile property to write your
source code. It isn't available for source code that's stored in Amazon S3 buckets. For code in
buckets, you must write your own functions to send responses.
Loading the cfn-response Module

For Node.js functions, use the require() function to load the cfn-response module. For example, the
following code example creates a cfn-response object with the name response:
For Python, use the import statement to load the cfnresponse module, as shown in the following
example:
Note
Use this exact import statement. If you use other variants of the import statement, AWS
CloudFormation doesn't include the response module.
import cfnresponse

525
send Method Parameters

You can use the following parameters with the send method.
event
The fields in a custom resource request (p. 533).

context
An object, specific to Lambda functions, that you can use to specify when the function and any
callbacks have completed execution, or to access information from within the Lambda execution
environment. For more information, see Programming Model (Node.js) in the AWS Lambda Developer
Guide.
responseStatus
Whether the function successfully completed. Use the cfnresponse module constants to specify
the status: SUCCESS for successful executions and FAILED for failed executions.
responseData
The Data field of a custom resource response object (p. 532). The data is a list of name-value pairs.
physicalResourceId
Optional. The unique identifier of the custom resource that invoked the function. By default, the
module uses the name of the Amazon CloudWatch Logs log stream that's associated with the
Lambda function.
noEcho
Optional. Indicates whether to mask the output of the custom resource when it's retrieved by using
the Fn::GetAtt function. If set to true, all returned values are masked with asterisks (*****). By
default, this value is false.
For more information about using NoEcho to mask sensitive information, see the Do Not Embed
Credentials in Your Templates best practice.
Examples
Node.js
In the following Node.js example, the inline Lambda function takes an input value and multiplies it by 5.
Inline functions are especially useful for smaller functions because they allow you to specify the source
code directly in the template, instead of creating a package and uploading it to an Amazon S3 bucket.
The function uses the cfn-response send method to send the result back to the custom resource that
invoked it.
JSON
"ZipFile": { "Fn::Join": ["", [

"var response = require('cfn-response');",
" var input = parseInt(event.ResourceProperties.Input);",
" var responseData = {Value: input * 5};",
" response.send(event, context, response.SUCCESS, responseData);",
"};"
]]}
YAML
ZipFile: >

526

var input = parseInt(event.ResourceProperties.Input);
var responseData = {Value: input * 5};
response.send(event, context, response.SUCCESS, responseData);
};
Python
In the following Python example, the inline Lambda function takes an integer value and multiplies it by
5.
JSON
"ZipFile" : { "Fn::Join" : ["\n", [

"import json",
"import cfnresponse",
"def handler(event, context):",
" responseValue = int(event['ResourceProperties']['Input']) * 5",
" responseData = {}",
" responseData['Data'] = responseValue",
" cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData,
\"CustomResourcePhysicalID\")"
]]}
YAML
ZipFile: |
import json
import cfnresponse
def handler(event, context):
responseValue = int(event['ResourceProperties']['Input']) * 5
responseData = {}
responseData['Data'] = responseValue
cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData,
"CustomResourcePhysicalID")
Module Source Code

The following is the response module source code for the Node.js functions. Review it to understand
what the module does and for help with implementing your own response functions.
/* Copyright 2015 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
This file is licensed to you under the AWS Customer Agreement (the "License").
You may not use this file except in compliance with the License.
A copy of the License is located at http://aws.amazon.com/agreement/ .
This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, express or implied.
See the License for the specific language governing permissions and limitations under
the License. */
exports.SUCCESS = "SUCCESS";
exports.FAILED = "FAILED";
exports.send = function(event, context, responseStatus, responseData, physicalResourceId,

noEcho) {
var responseBody = JSON.stringify({

Status: responseStatus,
Reason: "See the details in CloudWatch Log Stream: " + context.logStreamName,

527
PhysicalResourceId: physicalResourceId || context.logStreamName,

StackId: event.StackId,
RequestId: event.RequestId,
LogicalResourceId: event.LogicalResourceId,
NoEcho: noEcho || false,
Data: responseData
});
console.log("Response body:\n", responseBody);
var https = require("https");

var url = require("url");
var parsedUrl = url.parse(event.ResponseURL);

var options = {
hostname: parsedUrl.hostname,
port: 443,
path: parsedUrl.path,
method: "PUT",
headers: {
"content-type": "",
"content-length": responseBody.length
}
};
var request = https.request(options, function(response) {

console.log("Status code: " + response.statusCode);
console.log("Status message: " + response.statusMessage);
context.done();
});
request.on("error", function(error) {
console.log("send(..) failed executing https.request(..): " + error);
context.done();
});
request.write(responseBody);
request.end();
}
The following is the response module source code for Python 3 functions:
# Copyright 2016 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
# This file is licensed to you under the AWS Customer Agreement (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at http://aws.amazon.com/agreement/ .
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# See the License for the specific language governing permissions and limitations under
the License.
from botocore.vendored import requests

import json
SUCCESS = "SUCCESS"
FAILED = "FAILED"
def send(event, context, responseStatus, responseData, physicalResourceId=None,

noEcho=False):
responseUrl = event['ResponseURL']
print(responseUrl)
responseBody = {}
responseBody['Status'] = responseStatus

528
responseBody['Reason'] = 'See the details in CloudWatch Log Stream: ' +

context.log_stream_name
responseBody['PhysicalResourceId'] = physicalResourceId or context.log_stream_name
responseBody['StackId'] = event['StackId']
responseBody['RequestId'] = event['RequestId']
responseBody['LogicalResourceId'] = event['LogicalResourceId']
responseBody['NoEcho'] = noEcho
responseBody['Data'] = responseData
json_responseBody = json.dumps(responseBody)
print("Response body:\n" + json_responseBody)
headers = {
'content-type' : '',
'content-length' : str(len(json_responseBody))
}
try:
response = requests.put(responseUrl,
data=json_responseBody,
headers=headers)
print("Status code: " + response.reason)
except Exception as e:
print("send(..) failed executing requests.put(..): " + str(e))
The following is the response module source code for Python 2 functions:
# Copyright 2016 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
# This file is licensed to you under the AWS Customer Agreement (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at http://aws.amazon.com/agreement/ .
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# See the License for the specific language governing permissions and limitations under
the License.
from botocore.vendored import requests

import json
SUCCESS = "SUCCESS"
FAILED = "FAILED"
def send(event, context, responseStatus, responseData, physicalResourceId=None,

noEcho=False):
responseUrl = event['ResponseURL']
print responseUrl
responseBody = {}
responseBody['Status'] = responseStatus
responseBody['Reason'] = 'See the details in CloudWatch Log Stream: ' +
context.log_stream_name
responseBody['PhysicalResourceId'] = physicalResourceId or context.log_stream_name
responseBody['StackId'] = event['StackId']
responseBody['RequestId'] = event['RequestId']
responseBody['LogicalResourceId'] = event['LogicalResourceId']
responseBody['NoEcho'] = noEcho
responseBody['Data'] = responseData
json_responseBody = json.dumps(responseBody)
print "Response body:\n" + json_responseBody
headers = {

529
Custom Resource Reference
'content-type' : '',
'content-length' : str(len(json_responseBody))
}
try:
response = requests.put(responseUrl,
data=json_responseBody,
headers=headers)
print "Status code: " + response.reason
except Exception as e:
print "send(..) failed executing requests.put(..): " + str(e)

This section provides detail about:
• The JSON request and response fields that are used in messages sent to and from AWS
CloudFormation when providing a custom resource.
• Expected fields for requests to, and responses to, the custom resource provider in response to stack
creation, stack updates, and stack deletion.
In This Section
• Custom Resource Request Objects (p. 530)
• Custom Resource Response Objects (p. 532)
• Custom Resource Request Types (p. 533)
Custom Resource Request Objects

Template Developer Request Properties
The template developer uses the AWS CloudFormation resource, AWS::CloudFormation::CustomResource,
to specify a custom resource in a template.
In AWS::CloudFormation::CustomResource, all properties are defined by the custom resource

provider. There is only one required property: ServiceToken.
ServiceToken
The service token (an Amazon SNS topic or AWS Lambda function Amazon Resource Name) that is
obtained from the custom resource provider to access the service. The service token must be in the
same region in which you are creating the stack.
Required: Yes
Type: String
All other fields in the resource properties are optional and are sent, verbatim, to the custom resource
provider in the request's ResourceProperties field. The provider defines both the names and the valid
contents of these fields.
Custom Resource Provider Request Fields

These fields are sent in JSON requests from AWS CloudFormation to the custom resource provider in the
SNS topic that the provider has configured for this purpose.

530
RequestType
The request type is set by the AWS CloudFormation stack operation (create-stack, update-stack, or
delete-stack) that was initiated by the template developer for the stack that contains the custom
resource.
Must be one of: Create, Update, or Delete. For more information, see Custom Resource Request
Types (p. 533).
Required: Yes
Type: String
ResponseURL
The response URL identifies a presigned S3 bucket that receives responses from the custom resource
provider to AWS CloudFormation.
Required: Yes
Type: String
StackId
The Amazon Resource Name (ARN) that identifies the stack that contains the custom resource.
Combining the StackId with the RequestId forms a value that you can use to uniquely identify a
request on a particular custom resource.
Required: Yes
Type: String
RequestId
A unique ID for the request.
Combining the StackId with the RequestId forms a value that you can use to uniquely identify a
request on a particular custom resource.
Required: Yes
Type: String
ResourceType
The template developer-chosen resource type of the custom resource in the AWS CloudFormation
template. Custom resource type names can be up to 60 characters long and can include
alphanumeric and the following characters: _@-.
Required: Yes
Type: String
LogicalResourceId
The template developer-chosen name (logical ID) of the custom resource in the AWS
CloudFormation template. This is provided to facilitate communication between the custom resource
provider and the template developer.
Required: Yes
Type: String
PhysicalResourceId
A required custom resource provider-defined physical ID that is unique for that provider.

531
Required: Always sent with Update and Delete requests; never sent with Create.
Type: String
ResourceProperties
This field contains the contents of the Properties object sent by the template developer. Its
contents are defined by the custom resource provider.
Required: No
Type: JSON object

OldResourceProperties
Used only for Update requests. Contains the resource properties that were declared previous to the
update request.
Required: Yes
Type: JSON object
Custom Resource Response Objects

Custom Resource Provider Response Fields
The following are properties that the custom resource provider includes when it sends the JSON file
to the presigned URL. For more information about uploading objects by using presigned URLs, see the
related topic in the Amazon Simple Storage Service Developer Guide.
Note
The total size of the response body cannot exceed 4096 bytes.
Status
The status value sent by the custom resource provider in response to an AWS CloudFormation-
generated request.
Must be either SUCCESS or FAILED.
Required: Yes
Type: String
Reason
Describes the reason for a failure response.
Required: Required if Status is FAILED. It's optional otherwise.
Type: String
PhysicalResourceId
This value should be an identifier unique to the custom resource vendor, and can be up to 1 Kb in
size. The value must be a non-empty string and must be identical for all responses for the same
resource.
Required: Yes
Type: String

532
StackId
The Amazon Resource Name (ARN) that identifies the stack that contains the custom resource. This
response value should be copied verbatim from the request.
Required: Yes
Type: String
RequestId
A unique ID for the request. This response value should be copied verbatim from the request.
Required: Yes
Type: String
LogicalResourceId
CloudFormation template. This response value should be copied verbatim from the request.
Required: Yes
Type: String
NoEcho
Optional. Indicates whether to mask the output of the custom resource when retrieved by using
the Fn::GetAtt function. If set to true, all returned values are masked with asterisks (*****). The
default value is false.
Required: No
Type: Boolean
Data
Optional. The custom resource provider-defined name-value pairs to send with the response. You
can access the values provided here by name in the template with Fn::GetAtt.
Important
Required: No
Type: JSON object
Custom Resource Request Types

The request type is sent in the RequestType field in the vendor request object (p. 530) sent by AWS
CloudFormation when the template developer creates, updates, or deletes a stack that contains a custom
resource.
Each request type has a particular set of fields that are sent with the request, including an S3 URL for
the response by the custom resource provider. The provider must respond to the S3 bucket with either a
SUCCESS or FAILED result within one hour. After one hour, the request times out. Each result also has a
particular set of fields expected by AWS CloudFormation.

533
This section provides information about the request and response fields, with examples, for each request
type.
In This Section
• Create (p. 534)
• Delete (p. 536)
• Update (p. 539)
Create
Custom resource provider requests with RequestType set to "Create" are sent when the template
developer creates a stack that contains a custom resource.
Request
Create requests contain the following fields:
RequestType
Will be "Create".
RequestId

ResponseURL
ResourceType
LogicalResourceId
CloudFormation template.
StackId
ResourceProperties
Example
{
"ResponseURL" : "pre-signed-url-for-create-response",
"ResourceType" : "Custom::MyCustomResourceType",
"LogicalResourceId" : "name of resource in template",
"StackId" : "arn:aws:cloudformation:us-east-2:namespace:stack/stack-name/guid",

534
"key1" : "string",
"key2" : [ "list" ],
"key3" : { "key4" : "map" }
}
}
Responses
Success
When the create request is successful, a response must be sent to the S3 bucket with the following fields:
Status
Must be "SUCCESS".
RequestId
LogicalResourceId
StackId
PhysicalResourceId
resource.
NoEcho
Data
Important
Example
{
"RequestId" : "unique id for this create request (copied from request)",
"LogicalResourceId" : "name of resource in template (copied from request)",
"StackId" : "arn:aws:cloudformation:us-east-2:namespace:stack/stack-name/guid (copied
from request)",

535
"PhysicalResourceId" : "required vendor-defined physical id that is unique for that

vendor",
"Data" : {
"keyThatCanBeUsedInGetAtt1" : "data for key 1",
"keyThatCanBeUsedInGetAtt2" : "data for key 2"
}
}
Failed
When the create request fails, a response must be sent to the S3 bucket with the following fields:
Status
Must be "FAILED".
Reason

RequestId
LogicalResourceId
StackId
PhysicalResourceId
resource.
Example
{
"Status" : "FAILED",
"Reason" : "Required failure reason string",
"RequestId" : "unique id for this create request (copied from request)",
from request)",
"PhysicalResourceId" : "required vendor-defined physical id that is unique for that
vendor"
}
Delete
Custom resource provider requests with RequestType set to "Delete" are sent when the template
developer deletes a stack that contains a custom resource. To successfully delete a stack with a custom
resource, the custom resource provider must respond successfully to a delete request.
Request
Delete requests contain the following fields:

536
RequestType
Will be "Delete".
RequestId

ResponseURL
ResourceType
LogicalResourceId
StackId
PhysicalResourceId
ResourceProperties
Example
{
"RequestType" : "Delete",
"ResponseURL" : "pre-signed-url-for-delete-response",
"PhysicalResourceId" : "custom resource provider-defined physical id",
"key1" : "string",
"key2" : [ "list" ],
"key3" : { "key4" : "map" }
}
}
Responses
Success
When the delete request is successful, a response must be sent to the S3 bucket with the following fields:
Status
Must be "SUCCESS".

537
RequestId
LogicalResourceId
StackId
PhysicalResourceId
resource.
Example
{
"RequestId" : "unique id for this delete request (copied from request)",
from request)",
"PhysicalResourceId" : "custom resource provider-defined physical id"
}
Failed
When the delete request fails, a response must be sent to the S3 bucket with the following fields:
Status
Must be "FAILED".
Reason
The reason for the failure.

RequestId
The RequestId value copied from the delete request (p. 536).
LogicalResourceId
The LogicalResourceId value copied from the delete request (p. 536).
StackId
The StackId value copied from the delete request (p. 536).
PhysicalResourceId
Example
{

538

"RequestId" : "unique id for this delete request (copied from request)",
from request)",
}
Update
Custom resource provider requests with RequestType set to "Update" are sent when there's any
change to the properties of the custom resource within the template. Therefore, custom resource code
doesn't have to detect changes because it knows that its properties have changed when Update is being
called.
Request
Update requests contain the following fields:
RequestType
Will be "Update".
RequestId

ResponseURL
ResourceType
alphanumeric and the following characters: _@-. You can't change the type during an update.
LogicalResourceId
StackId
PhysicalResourceId
ResourceProperties
The new resource property values that are declared by the template developer in the updated AWS
OldResourceProperties
The resource property values that were previously declared by the template developer in the AWS
Example

539
{
"RequestType" : "Update",
"RequestId" : "unique id for this update request",
"ResponseURL" : "pre-signed-url-for-update-response",
"key1" : "new-string",
"key2" : [ "new-list" ],
"key3" : { "key4" : "new-map" }
},
"OldResourceProperties" : {
"key1" : "string",
"key2" : [ "list" ],
"key3" : { "key4" : "map" }
}
}
Responses
Success
If the custom resource provider is able to successfully update the resource, AWS CloudFormation expects
the status to be set to "SUCCESS" in the response.
Status
Must be "SUCCESS".
RequestId
LogicalResourceId
StackId
PhysicalResourceId
resource.
NoEcho
Data

540
Important
Example
{
"RequestId" : "unique id for this update request (copied from request)",
from request)",
"Data" : {
"keyThatCanBeUsedInGetAtt1" : "data for key 1",
"keyThatCanBeUsedInGetAtt2" : "data for key 2"
}
}
Failed
If the resource can't be updated with a new set of properties, AWS CloudFormation expects the status to
be set to "FAILED", along with a failure reason in the response.
Status
Must be "FAILED".
Reason

RequestId
LogicalResourceId
StackId
PhysicalResourceId
resource.
Example
{
"RequestId" : "unique id for this update request (copied from request)",

541
Template Macros

from request)",
}
Using AWS CloudFormation Macros to Perform

Custom Processing on Templates
Macros enable you to perform custom processing on templates, from simple actions like find-and-
replace operations to extensive transformations of entire templates.
To get an idea of the breadth of possibilities, consider the AWS::Include and AWS::Serverless
transforms, which are macros hosted by AWS CloudFormation:
• AWS::Include Transform (p. 266) enables you to insert boilerplate template snippets into your
templates.
• AWS::Serverless Transform (p. 265) takes an entire template written in the AWS Serverless
Application Model (AWS SAM) syntax and transforms and expands it into a compliant AWS
CloudFormation template. (For more information about serverless applications and AWS SAM, see
Deploying Lambda-based Applications in the AWS Lambda Developer Guide.)
How AWS CloudFormation Macros Work

There are two major steps to processing templates using macros: creating the macro itself, and then
using the macro to perform processing on your templates.
To create a macro definition, you need to create the following:
• An AWS Lambda function to perform the template processing. This Lambda function accepts either a
snippet or an entire template, and any additional parameters that you define. It returns the processed
template snippet or the entire template as a response.
• A resource of type AWS::CloudFormation::Macro, which enables users to call the Lambda function
from within AWS CloudFormation templates. This resource specifies the ARN of the Lambda function
to invoke for this macro, and additional optional properties to assist with debugging. To create this
resource within an account, author a stack template that includes a AWS::CloudFormation::Macro
resource, and then create a stack from the template.
To use a macro, reference the macro in your template:
• To process a section, or snippet, of a template, reference the macro in a Fn::Transform (p. 3823)
function located relative to the template content you want to transform. When using
Fn::Transform, you can also pass any specified parameters it requires.
• To process an entire template, reference the macro in the Transform (p. 264) section of the template.
Next, you typically create a change set and then execute it. (Processing macros can add multiple
resources that you might not be aware of. To ensure that you're aware of all of the changes introduced
by macros, we strongly advise that you use change sets.) AWS CloudFormation passes the specified
template content, along with any additional specified parameters, to the Lambda function specified in
the macro resource. The Lambda function returns the processed template content, be it a snippet or an
entire template.

542
Creating an AWS CloudFormation Macro Definition
After all macros in the template have been called, AWS CloudFormation generates a change set that
includes the processed template content. After you review the change set, execute it to apply the
changes.
Note
If you are comfortable creating or updating a stack directly from a processed template,
without first reviewing the proposed changes in a change set, you can do so by specifying the
CAPABILITY_AUTO_EXPAND capability during a CreateStack or UpdateStack request. You
should only create stacks directly from a stack template that contains macros if you know what
processing the macro performs.
In addition, change sets do not currently support nested stacks. If you want to create a stack
from a stack template that contains macros and nested stacks, you must create the stack
directly from the template using this capability.
For more information, see CreateStack or UpdateStack in the AWS CloudFormation API
Reference.

When you create a macro definition, the macro definition makes the underlying Lambda function
available in the specified account so that AWS CloudFormation can invokes it to process the templates.
AWS CloudFormation Macro Function Interface

For macros, AWS CloudFormation invokes the underlying Lambda functions with the following event
mapping. AWS CloudFormation sends its request in JSON format, and it expects the function response to
be formatted as JSON too.
{
"region" : "us-east-1",
"accountId" : "$ACCOUNT_ID",
"fragment" : { ... },
"transformId" : "$TRANSFORM_ID",
"params" : { ... },
"requestId" : "$REQUEST_ID",
"templateParameterValues" : { ... }
}

543
• region
The region in which the macro resides.

• accountId
The account ID of the account from which the macro is invoking the Lambda function.
• fragment
The template content available for custom processing, in JSON format.

• For macros included in the Transform template section, this is the entire template except for the
Transform section.
• For macros included in an Fn::Transform intrinsic function call, this includes all sibling nodes
(and their children) based on the location of the intrinsic function within the template except for the
Fn::Transform function. For more information, see AWS CloudFormation Macro Scope (p. 547).
• transformId
The name of the macro invoking this function.

• params
For Fn::Transform function calls, any specified parameters for the function. AWS CloudFormation
does not evaluate these parameters before passing them to the function.
For macros included in the Transform template section, this section is empty.
• requestId
The ID of the request invoking this function.

• templateParameterValues
Any parameters specified in the Parameters (p. 237) section of the template. AWS CloudFormation
evaluates these parameters before passing them to the function.
AWS CloudFormation expects the underlying function to return a response in the following JSON format:
{
"requestId" : "$REQUEST_ID",
"status" : "$STATUS",
"fragment" : { ... }
}
• requestId
The ID of the request invoking this function. This must match the request ID provided by AWS
CloudFormation when invoking the function.
• status
The status of the request (case-insensitive). Should be set to "success". AWS CloudFormation treats any
other response as a failure.
• fragment
The processed template content for AWS CloudFormation to include in the processed template,
including siblings. AWS CloudFormation replaces the template content that is passed to the Lambda
function with the template fragment it receives in the Lambda response.
The processed template content must be valid JSON, and its inclusion in the processed template must
result in a valid template.
544
If your function doesn't actually change the template content that AWS CloudFormation passes to it,
but you still need to include that content in the processed template, your function needs to return that
template content to AWS CloudFormation in its response.
For information about additional considerations when creating macros, see Considerations When
Creating AWS CloudFormation Macro Definitions (p. 546).
AWS CloudFormation Macro Account Scope and Permissions

You can use macros only in the account in which they were created as a resource. The name of the
macro must be unique within a given account. However, you can make the same functionality available
in multiple accounts by enabling cross-account access on the underlying Lambda function, and then
creating macro definitions referencing that function in multiple accounts. In the example below, three
accounts contain macro definitions that each point to the same Lambda function.
For more information, see Overview of Managing Access Permissions to Your AWS Lambda Resources in
the AWS Lambda Developer Guide.
In order to create a macro definition, the user must have permissions to create a stack within the
specified account.
In order for AWS CloudFormation to successfully run a macro included in a template, the user must have
Invoke permissions for the underlying Lambda function. To prevent potential escalation of privileges,
AWS CloudFormation impersonates the user while running the macro. For more information, see Lambda
Permissions Model in the AWS Lambda Developer Guide and Actions and Condition Context Keys for AWS
Lambda in the IAM User Guide.
The AWS::Serverless Transform (p. 265) and AWS::Include Transform (p. 266) transforms are macros
hosted by AWS CloudFormation. No special permissions are necessary to use them, and they are
available from within any account in AWS CloudFormation.

545
Debugging AWS CloudFormation Macros

To aid in debugging, you can also specify the LogGroupName and LogRoleArn properties when creating
the AWS::CloudFormation::Macro resource type for your macro. These properties enable you to specify
the CloudWatch log group to which AWS CloudFormation sends error logging information when invoking
the macro's underlying AWS Lambda function, and the role AWS CloudFormation should assume when
sending log entries to those logs.
Billing
When a macro is run, the owner of the Lambda function is billed for any charges related to the execution
of that function.
The AWS::Serverless Transform (p. 265) and AWS::Include Transform (p. 266) transforms are macros
hosted by AWS CloudFormation. There is no charge for using them.
Considerations When Creating AWS CloudFormation Macro

Definitions
When creating macro definitions, keep the following in mind:
• Macros are supported only in regions where AWS Lambda is available. For a list of regions where
Lambda is available, see http://docs.aws.amazon.com/general/latest/gr/rande.html#lambda_region.
• Any processed template snippets must be valid JSON.
• Any processed template snippets must pass validation checks for a create stack or update stack
operation.
• AWS CloudFormation resolves macros first, and then processes the template. The resulting template
must be valid JSON and must not exceed the template size limit.
• When using the update rollback feature, AWS CloudFormation uses a copy of the original template. It
rolls back to the original template even if the included snippet was changed.
• Including macros within macros does not work because we do not process macros iteratively.
• The Fn::ImportValue intrinsic function isn't currently supported in macros.
• Intrinsic functions included in the template are evaluated after any macros. Therefore, the processed
template content your macro returns can include calls to intrinsic functions, and they are evaluated as
usual.
• AWS CloudFormation macros are not supported in stack sets.
• Change sets do not currently support nested stacks. If you want to create or update a stack using a
stack template that contains macros and nested stacks, you must create or update the stack directly.
To do this, use the CreateStack or UpdateStack action and specify the CAPABILITY_AUTO_EXPAND
capability.
To create a AWS CloudFormation macro definition
1. Build an AWS Lambda function that processes AWS CloudFormation templates.
The Lambda function you build performs the processing of the template contents. Your function can
process any part of a template, up to the entire template. For information about the event mapping
to which your function must adhere, see AWS CloudFormation Macro Function Interface (p. 543).
For information about additional considerations when creating macros, see Considerations When
Creating AWS CloudFormation Macro Definitions (p. 546).
2. Create a template (p. 209) containing a AWS::CloudFormation::Macro resource type.

546
Using AWS CloudFormation Macros in Your Templates
• You must specify the Name and FunctionName properties. The FunctionName property specifies
the ARN of the Lambda function to invoke when AWS CloudFormation runs the macro.
• To aid in debugging, you can also specify the LogGroupName and LogRoleArn properties.
3. Create a stack (p. 99) from the template containing the macro in the desired account.
After AWS CloudFormation has successfully created the stack that contains the macro definition, the
macro is available for use within that account.
Using AWS CloudFormation Macros in Your

Templates
After AWS CloudFormation has successfully created the stack which contains the macro definition, the
macro is available for use within that account. You use a macro by referencing it in the stack template, at
the appropriate location relevant to the template contents you want to process.
AWS CloudFormation Macro Evaluation Order

You can reference multiple macros in a given template, including transforms hosted by AWS
CloudFormation, such as AWS::Include Transform (p. 266) and AWS::Serverless Transform (p. 265).
Macros are evaluated in order, based on their location in the template, from the most deeply nested
outward to the most general. Macros at the same location in the template are evaluated serially based
on the order in which they are listed.
Transforms such as AWS::Include and AWS::Transform are treated the same as any other macros in
terms of action order and scope.
For example, in the template sample below, AWS CloudFormation evaluates the PolicyAdder macro
first, because it is the most deeply-nested macro in the template. AWS CloudFormation then evaluates
MyMacro before evaluating AWS::Serverless because it is listed before AWS::Serverless in the
Transform section.
Transform: [MyMacro, AWS::Serverless]
Resources:
WaitCondition:
MyBucket:
Properties:
'Fn::Transform':
- Name: PolicyAdder
CorsConfiguration:[]
MyEc2Instance:
Properties:
ImageID: "ami-123"
AWS CloudFormation Macro Scope

Macros referenced in the Transform section of a template can process the entire contents of that
template.

547
Macros referenced in a Fn::Transform function can process the contents of any of the sibling elements
(including children) of that Fn::Transform function in the template.
For example, in the template sample below, AWS::Include can process all of the MyBucket properties,
based on the location of the Fn::Transform function that contains it. MyMacro can process the
contents of the entire template because of its inclusion in the Transform section.
// Start of processable content for MyMacro

Transform: [MyMacro]
Resources:
WaitCondition:
MyBucket:
Type: 'AWS::S3::Bucket' //Start of processable content for AWS::Include
Properties:
'Fn::Transform':
- Name: 'AWS::Include'
Parameters:
Location: s3://MyAmazonS3BucketName/MyFileName.yaml
CorsConfiguration:[] //End of processable content for AWS::Include
MyEc2Instance:
Properties:
ImageID: "ami-123"
// End of processable content for MyMacro
Change Sets and AWS CloudFormation Macros

To create or update a stack using a template that references macros, you typically create a change set
and then execute it. A change set describes the actions CloudFormation will take based on the processed
template. Processing macros can add multiple resources that you might not be aware of. To ensure that
you're aware of all of the changes introduced by macros, we strongly recommend you use change sets.
After you review the change set, you can execute it to actually apply the changes.
A macro can add IAM resources to your template. For these resources, AWS CloudFormation requires
you to acknowledge their capabilities (p. 16). Because AWS CloudFormation can't know which resources
are added before processing your template, you might need to acknowledge IAM capabilities when
you create the change set, depending on whether the referenced macros contain IAM resources. That
way, when you run the change set, AWS CloudFormation has the necessary capabilities to create IAM
resources.
Note
If you are comfortable creating or updating a stack directly from a processed template,
without first reviewing the proposed changes in a change set, you can do so by specifying the
CAPABILITY_AUTO_EXPAND capability during a CreateStack or UpdateStack request. You
should only create stacks directly from a stack template that contains macros if you know what
processing the macro performs.
In addition, change sets do not currently support nested stacks. If you want to create a stack
from a stack template that contains macros and nested stacks, you must create the stack
directly from the template using this capability.
For more information, see CreateStack or UpdateStack in the AWS CloudFormation API
Reference.
If you use the AWS CLI, you can use the package and deploy commands to reduce the number of
steps for launching stacks from templates that reference macros. For more information, see Deploying
Lambda-based Applications in the AWS Lambda Developer Guide.

548
Template Stage and CloudFormation Macros

A template's stage indicates whether the template is the original user-submitted template or one in
which AWS CloudFormation has processed the macros.
• Original: The template that the user originally submitted to create or update the stack.
• Processed: The template AWS CloudFormation used to create or update the stack after processing
any referenced macros. The processed template is formatted as JSON, even if the original template
was formatted as YAML.
Use the processed template for troubleshooting stack issues. If a template doesn't reference macros, the
original and processed templates are identical.
You can use the AWS CloudFormation console (p. 106) or AWS CLI (p. 123) to see the stage of a stack
template.
Note
The maximum size for a processed stack template is 51,200 bytes when passed directly into a
CreateStack, UpdateStack, or ValidateTemplate request, or 460,800 bytes when passed
as an S3 object using an Amazon S3 template URL. However, during processing CloudFormation
updates the temporary state of the template as it serially processes the macros contained in the
template. Because of this, the size of the template during processing may temporarily exceed
the allowed size of a fully-processed template. CloudFormation allows some buffer for these in-
process templates. However, you should design your templates and macros keeping in mind the
maximum allowed size for a processed stack template.
If CloudFormation returns a Transformation data limit exceeded error while processing
your template, your template has exceeded the maximum template size CloudFormation allows
during processing.
To resolve this issue, consider doing the following:
• Restructure your template into multiple templates to avoid exceeding the maximum size for
in-process templates. For example:
• Use nested stack templates to encapsulate parts of the template. For more information, see
Working with Nested Stacks (p. 183).
• Create multiple stacks and use cross-stack references to exchange information between
them. For more information, see Walkthrough: Refer to Resource Outputs in Another AWS
CloudFormation Stack (p. 321).
• Reduce the size of template fragment returned by a given macro. CloudFormation does not
tamper with the contents of fragments returned by macros.
To use a AWS CloudFormation Macro in your template

Note
In order for AWS CloudFormation to successfully run a macro referenced in a template, the user
must have Invoke permissions for the underlying Lambda function. For more information, see
Overview of Managing Access Permissions to Your AWS Lambda Resources in the AWS Lambda
Developer Guide.
1. Include a reference to the macro in the template.
• To process a template snippet, reference the macro in a Fn::Transform (p. 3823) function
located relative to the template content you want to process.
• To process the entire template, reference the macro in the Transform (p. 264) section of the
template.
2. Create a change set (p. 131) using the template.

549
Macro Examples
3. Review and run the change set (p. 136).
Macro Examples
In addition to the Macro Example: Creating and Using a Macro (p. 550) walkthrough in this guide,
you can find example macros, including source code and templates, in the Macros Examples section of
the Amazon Web Services - Labs repo on GitHub. These examples are provided 'as-is' for instructional
purposes.
See Also
AWS::CloudFormation::Macro
Transform (p. 264)
Fn::Transform (p. 3823)
AWS::Serverless Transform (p. 265)
AWS::Include Transform (p. 266)
Macro Example: Creating and Using a Macro

The following example walks through the process of using macros, from defining the macro in a
template, to creating a Lamdba function for the macro, and then to using the macro in a template.
In this example, we create a simple macro that inserts the specified string in place of the specified target
content in the processed template. And then we'll use it to insert a blank WaitHandleCondition in the
specified location in the processed template.
Macro Example: Macro Definition Template

Before using a macro, we first have to do two things: create the Lambda function that performs the
desired template processing, and then make that Lambda function available to CloudFormation by
creating a macro definition.
Note
We'll examine the actual code for the Lambda function later in this topic.
The following sample template contains the definition for our example macro. To make the
macro available in a specific CloudFormation account, we create a stack from the template. The
macro definition specifies the macro name, a brief description, and references the ARN of the
Lambda function that CloudFormation invokes when this macro is used in a template. (We have not
included a LogGroupName or LogRoleARN property for error logging.) For more information, see
AWS::CloudFormation::Macro.
In this example, assume that the stack created from this template is named JavaMacroFunc. Because the
macro Name property is set to the stack name, the resulting macro is named JavaMacroFunc as well.
Resources:
Macro:
Type: AWS::CloudFormation::Macro
Properties:
Name: !Sub '${AWS::StackName}'
Description: Adds a blank WaitConditionHandle named 'WaitHandle'

550
FunctionName: "arn:aws:lambda:us-east-1:012345678910:function:JavaMacroFunc"
Macro Example: Macro Usage Template

To use our macro in this case, we're going to include it in a template using the
Fn::Transform (p. 3823) intrinsic function.
When we create a stack using the template below, CloudFormation calls our example macro. The
underlying Lambda function replaces one specified string with another specified string. In this case, the
result is a blank AWS::CloudFormation::WaitConditionHandle is inserted into the processed template.
Note the following:
• The macro to invoke is specified as JavaMacroFunc, which is from the previous macro definition
example.
• The macro is passed two parameters, target and replacement, which represent the target string
and its desired replacement value.
• The macro can operate on the contents of the Type node because Type is a sibling of the
Fn::Transform function referencing the macro.
• The resulting AWS::CloudFormation::WaitConditionHandle is named 2a.
• The template also contains a template parameter, ExampleParameter, which the macro also has
access to (but doesn't use in this case).
Parameters:
ExampleParameter:
Type: String
Default: 'SampleMacro'
Resources:
2a:
Fn::Transform:
Name: "JavaMacroFunc"
Parameters:
replacement: 'AWS::CloudFormation::WaitConditionHandle'
target: '$$REPLACEMENT$$'
Type: '$$REPLACEMENT$$'
Macro Example: Request Event Mapping

When CloudFormation processes our example template during stack creation, it passes the following
event mapping to the Lambda function referenced in the JavaMacroFunc macro definition.
Note that fragment contains JSON representing the template fragment that the macro can process.
This fragment consists of the siblings of the Fn::Transform function call, but not the function call
itself. Also, params contains JSON representing the macro parameters. In this case, replacement and
target. Similarly, templateParameterValues contains JSON representing the parameters specified for
the template as a whole.
• region
us-east-1
• accountId
012345678910
• fragment

551
{
"Type": "$$REPLACEMENT$$"
}
• transformId
012345678910::JavaMacroFunc
• params
{
"replacement": "AWS::CloudFormation::WaitConditionHandle",
"target": "$$REPLACEMENT$$"
}
• requestId
5dba79b5-f117-4de0-9ce4-d40363bfb6ab
• templateParameterValues
{
"ExampleParameter": "SampleMacro"
}
Macro Example: Lambda Function Code

Following is the actual code for the Lambda function underlying the JavaMacroFunc example macro. It
iterates over the template fragment included in the response (be it in string, list, or map format), looking
for the specified target string. If it finds the specified target string, the Lambda function replaces the
target string with the specified replacement string. If not, the function leaves the template fragment
unchanged. Then, the function returns a map of the expected properties, discussed in detail below, to
CloudFormation.
package com.macroexample.lambda.demo;
import java.util.List;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
public class LambdaFunctionHandler implements RequestHandler<Map<String, Object>,

Map<String, Object>> {
private static final String REPLACEMENT = "replacement";

private static final String TARGET = "target";
private static final String PARAMS = "params";
private static final String FRAGMENT = "fragment";
private static final String REQUESTID = "requestId";
private static final String STATUS = "status";
private static final String SUCCESS = "SUCCESS";
private static final String FAILURE = "FAILURE";
@Override
public Map<String, Object> handleRequest(Map<String, Object> event, Context context) {
// TODO: implement your handler
final Map<String, Object> responseMap = new HashMap<String, Object>();
responseMap.put(REQUESTID, event.get(REQUESTID));

552
responseMap.put(STATUS, FAILURE);
try {
if (!event.containsKey(PARAMS)) {
throw new RuntimeException("Params are required");
}
final Map<String, Object> params = (Map<String, Object>) event.get(PARAMS);

if (!params.containsKey(REPLACEMENT) || !params.containsKey(TARGET)) {
throw new RuntimeException("replacement or target under Params are required");
}
final String replacement = (String) params.get(REPLACEMENT);

final String target = (String) params.get(TARGET);
final Object fragment = event.getOrDefault(FRAGMENT, new HashMap<String, Object>());
final Object retFragment;
if (fragment instanceof String) {
retFragment = iterateAndReplace(replacement, target, (String) fragment);
} else if (fragment instanceof List) {
retFragment = iterateAndReplace(replacement, target, (List<Object>) fragment);
} else if (fragment instanceof Map) {
retFragment = iterateAndReplace(replacement, target, (Map<String, Object>)
fragment);
} else {
retFragment = fragment;
}
responseMap.put(STATUS, SUCCESS);
responseMap.put(FRAGMENT, retFragment);
return responseMap;
} catch (Exception e) {
e.printStackTrace();
context.getLogger().log(e.getMessage());
return responseMap;
}
}
private Map<String, Object> iterateAndReplace(final String replacement, final String

target, final Map<String, Object> fragment) {
final Map<String, Object> retFragment = new HashMap<String, Object>();
final List<String> replacementKeys = new ArrayList<>();
fragment.forEach((k, v) -> {
if (v instanceof String) {
retFragment.put(k, iterateAndReplace(replacement, target, (String)v));
} else if (v instanceof List) {
retFragment.put(k, iterateAndReplace(replacement, target, (List<Object>)v));
} else if (v instanceof Map ) {
retFragment.put(k, iterateAndReplace(replacement, target, (Map<String, Object>) v));
} else {
retFragment.put(k, v);
}
});
return retFragment;
}
private List<Object> iterateAndReplace(final String replacement, final String target,

final List<Object> fragment) {
final List<Object> retFragment = new ArrayList<>();
fragment.forEach(o -> {
if (o instanceof String) {
retFragment.add(iterateAndReplace(replacement, target, (String) o));
} else if (o instanceof List) {
retFragment.add(iterateAndReplace(replacement, target, (List<Object>) o));
} else if (o instanceof Map) {
retFragment.add(iterateAndReplace(replacement, target, (Map<String, Object>) o));
} else {
retFragment.add(o);
}

553
});
return retFragment;
}
private String iterateAndReplace(final String replacement, final String target, final

String fragment) {
System.out.println(replacement + " == " + target + " == " + fragment );
if (fragment != null AND_AND fragment.equals(target))
return replacement;
return fragment;
}
}
Macro Example: Lambda Function Response

Following is the mapping that the Lambda function returns to AWS CloudFormation for processing. The
requestId matches that sent from CloudFormation, and a status value of SUCCESS denotes that the
Lambda function successfully processed the template fragment included in the request. In this response,
fragment contains JSON representing the content to insert into the processed template in place of the
original template snippet.
• requestId
5dba79b5-f117-4de0-9ce4-d40363bfb6ab
• status
SUCCESS
• fragment
{
}
Macro Example: Resulting Processed Template

After CloudFormation receives a successful response from the Lambda function, it inserts the returned
template fragment into the processed template.
Below is the resulting processed template for our example. The Fn::Transform intrinsic
function call that referenced the JavaMacroFunc macro is no longer included. The template
fragment returned by the Lambda function is included in the appropriate location, with the
result that the content "Type": "$$REPLACEMENT$$" has been replaced with "Type":
"AWS::CloudFormation::WaitConditionHandle".
{
"Parameters": {
"ExampleParameter": {
"Default": "SampleMacro",
"Type": "String"
}
},
"Resources": {
"2a": {
}
}
}

554
Using Regular Expressions
Additional Macro Examples

In addition to this walkthrough in this guide, you can find example macros, including source code and
templates, in the Macros Examples section of the Amazon Web Services - Labs repo on GitHub. These
examples are provided 'as-is' for instructional purposes.
Using Regular Expressions in AWS CloudFormation

Templates
Regular expressions (commonly known as regexes) can be specified in a number of places within an
AWS CloudFormation template, such as for the AllowedPattern property when creating a template
parameter (p. 237).
Regular expressions in AWS CloudFormation conform to the Java regular expression syntax. A
full description of this syntax and its constructs can be viewed in the Java documentation, here:
java.util.regex.Pattern.
Important
Since AWS CloudFormation templates use the JSON syntax for specifying objects and data, you
will need to add an additional backslash to any backslash characters in your regular expression,
or JSON will interpret these as escape characters.
For example, if you include a \d in your regular expression to match a digit character, you will
need to write it as \\d in your JSON template.
Using CloudFormer (Beta) to Create AWS

CloudFormation Templates from Existing AWS
Resources
CloudFormer is a template creation beta tool that creates an AWS CloudFormation template from
existing AWS resources in your account. You select any supported AWS resources that are running in your
account, and CloudFormer creates a template in an Amazon S3 bucket.
Use CloudFormer to produce templates that you can use as a starting point. Not all AWS resources or
resource properties are supported.
Important
CloudFormer is currently in beta. We recommend against utilizing it in critical or production
environments.
The following list outlines the basic procedure for using CloudFormer:
1. Provision and configure the required resources using your existing processes and tools.
2. Create and launch a CloudFormer stack.
CloudFormer is an AWS CloudFormation stack. You run CloudFormer by launching the stack from your
AWS environment. It runs on a t2.medium Amazon EC2 instance and requires no other resources.
3. Use CloudFormer to create a template using your existing AWS resources and save the template to an
Amazon S3 bucket.
4. Delete the CloudFormer stack.

555
Step 1: Create a CloudFormer Stack
You usually don't need CloudFormer beyond this point, so you can avoid additional charges by
deleting the stack.
5. Use the template to launch a new stack, as needed.
The following topics describes how to use CloudFormer by walking you through a basic scenario (a
simple website on an Amazon EC2 instance) that creates a template with multiple resources. However,
this example is just one of many possible scenarios; CloudFormer can create a template from any
collection of supported AWS resources.
Step 1: Create a CloudFormer Stack

CloudFormer is itself an AWS CloudFormation stack, so the first step is to create and launch the stack
from the AWS CloudFormation console.
To create a CloudFormer stack using the AWS CloudFormation Console
1. Log in to the AWS CloudFormation console and click Create stack. For instructions on how to log in,
see Logging in to the AWS CloudFormation Console.
2. Select Use a sample template, and in the Select a sample template section, select Choose a
sample template and then select CloudFormer from the drop-down list.
3. Click Next to specify the stack name and input parameters.
4. Specify a name for the CloudFormer stack in the Name field.
5. In the Parameters section, type a password and user name that you'll use to log in to CloudFormer,
and then click Next.
Important
You can't leave the password blank, and you can't use special characters in the password
(such as ; & ! " £ $ % ^ ( ) / \).
6. Click Next.
For CloudFormer, you don't need to specify any additional options.

7. Review the information about the stack and select I acknowledge that this template may create
IAM resources.
8. After you finish reviewing the stack information, click Create to start creating the CloudFormer
stack.
CloudFormer is an AWS CloudFormation stack, so it must go through the normal stack creation
process, which can take a few minutes.
Step 2: Launch the CloudFormer Stack

After the CloudFormer stack's status is CREATE_COMPLETE, you can launch the stack.
To launch the CloudFormer stack
1. Click the CloudFormer stack's entry in the AWS CloudFormation Console, and select the Outputs tab
in the stack information pane.
2. In the Value column, click the URL to launch the CloudFormer tool.
3. Type the user name and password that you specified when you created the CloudFormer stack.
When you log in to CloudFormer, it displays the first page of the tool in your browser, where you can
start to create your template, as described in the next section.

556
Step 3: Use CloudFormer to Create a Template
Note
The CloudFormer stack launches a t2.medium Amazon EC2 instance. You'll delete this stack at
the end of the walkthrough after the template is created.
After you create a CloudFormer stack, it is added to the collection of stacks in your account. To create
another template, just launch the CloudFormer stack again.

Before you start using CloudFormer to create a template, first ensure that your account has all the AWS
resources that you want to include in your template. This walkthrough assumes that your account has:
• An Amazon EC2 instance (AWS::EC2::Instance).

• An Amazon EC2 security group (AWS::EC2::SecurityGroup). You should associate the security
group with the instance.
• An Elastic IP Address (AWS::EC2::EIP). You should associate the address with the instance.
To use CloudFormer to create a template from your AWS resources
1. Under Select the AWS Region, select the template's region from the list, and click Create Template.
The tool must first analyze your account, so it might take a few minutes before the Intro page is
displayed.
2. On the Intro page, enter a description for your template.
Note that you can use this page to select resources with a filter or select all resources in your
account. However, this walkthrough specifies resources manually, so leave the Resource Name Filter
field blank, clear the Select all resources in your account checkbox, and then click Continue.

557
3. The following pages are for resources that are not used by this walkthrough, so just examine the
page for future reference and click Continue. In order:
1. DNS Names allows you to include Route 53 records.

2. The Virtual Private Clouds allows you to include Amazon VPCs.
3. Virtual Private Cloud Network Topologies allows you to include Amazon VPC subnets, gateways,
DHCP configurations, and VPN connections.
4. Virtual Private Cloud Security Configuration allows you to include network ACLS and route
tables.
4. Network Resources allows you to include Elastic Load Balancing load balancers, Elastic IP Addresses,
CloudFront distributions, and Amazon EC2 network interfaces. Select the Elastic IP address you want
to include in the template and click Continue.
5. The Compute Resources page allows you to include Auto Scaling groups and Amazon EC2 instances.
Before you started creating the template, you associated an Elastic IP Address with your Amazon
EC2 instance, creating a dependent resource. When you reach Compute Resources, CloudFormer
automatically selects dependent instances, so just ensure that your instance is selected and click
Continue.

558
Note
You can manually include additional instances, as needed. If you don't want to include an
automatically selected instance, just clear the check box.
6. The following pages are for resources that are not used by this walkthrough, so just examine the
page for future reference and click Continue. In order:
1. Storage allows you to include Amazon EBS volumes, Amazon RDS instances, DynamoDB tables,
and Amazon S3 buckets.
2. Application Services allows you to include ElastiCache clusters, Amazon SQS queues, Amazon
SimpleDB domains, and Amazon SNS topics.
System Configuration allows you to include Auto Scaling launch configurations, Amazon RDS
subnet groups, ElastiCache parameter groups, and Amazon RDS parameter groups.
7. The Security Groups page allows you include security groups. Before you started creating the
template, you associated an Amazon EC2 security group with your Amazon EC2 instance, creating
a dependent resource. When you reach Security Groups, CloudFormer automatically selects
dependent security groups, so just ensure that your group is selected and click Continue.
Note
You can manually include additional security groups—including Amazon EC2 security
groups, Amazon RDS security groups, and so on—as appropriate. If you don't want to
include an automatically selected security group, just clear the check box.
8. The Operational Resources page allows you to include Auto Scaling policies and CloudWatch
alarms. This walkthrough uses neither, so just click Continue.
9. The Summary page serves several purposes:
• It allows you to review the resources you've added to your template.
To modify your resources, click Back to return to the appropriate pages and modify your
selections as needed.
• It allows you to change the auto-generated logical names that were assigned to your resources.
To modify a logical name, click Modify and enter the name in the Logical Name field.
• It allows you to specify outputs that provide necessary information, such as your site's IP address
or URL.
To modify an output, click Modify and select the appropriate output from the list.
559
Examine the resources you've selected and make any necessary changes. You should have one Elastic
IP Address, one Amazon EC2 instance, and one Amazon EC2 security group. When you are satisfied,
click Continue to generate the template.
10. The AWS CloudFormation Template page displays the generated template. You can use the
template to deploy your resources as a combined set with AWS CloudFormation, or as a base
template for further modification.
Note
In addition to the resources that you explicitly specified, the template includes values that
are associated with those resources such as Amazon EC2 instances' Availability Zones.
Select an Amazon S3 bucket from the S3 Bucket list and click Save Template to save the template
to the bucket and add it to the collection of stacks in your account.

560
Step 4: Delete the CloudFormer Stack
Save Template gives you two options:
• Launch Stack saves the template to the specified Amazon S3 bucket and also launches the stack
immediately.
• Create Template simply saves the template to the specified Amazon S3 bucket.
You can launch the stack later just like you would with any other template, for example, by using
the AWS CloudFormation console.
Step 4: Delete the CloudFormer Stack

Now that you have the template, you don't need the CloudFormer stack any more. To avoid unnecessary
charges to your account, select the stack in the AWS CloudFormation console and then choose Actions >
Delete Stack.

561
StackSets Concepts
Working with AWS CloudFormation

StackSets
AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update,
or delete stacks across multiple accounts and regions with a single operation. Using an administrator
account, you define and manage an AWS CloudFormation template, and use the template as the basis
for provisioning stacks into selected target accounts across specified regions.
This section helps you get started using StackSets, and answers common questions about how to work
with and troubleshoot stack set creation, updates, and deletion.
Topics
• StackSets Concepts (p. 562)
• Prerequisites: Granting Permissions for Stack Set Operations (p. 567)
• Getting Started with AWS CloudFormation StackSets (p. 575)
• Configuring a target account gate in AWS CloudFormation StackSets (p. 588)
• Detecting Unmanaged Configuration Changes in Stack Sets (p. 589)
• Best Practices (p. 597)
• AWS CloudFormation StackSets Sample Templates (p. 598)
• Troubleshooting AWS CloudFormation StackSets (p. 599)
StackSets Concepts
When you use StackSets, you work with stack sets, stack instances, and stacks.

562
Administrator and target accounts
Topics
• Administrator and target accounts (p. 563)
• Stack sets (p. 563)
• Stack instances (p. 563)
• Stack set operations (p. 564)
• Stack set operation options (p. 565)
• Tags (p. 566)
• Stack set and stack instance status codes (p. 566)
Administrator and target accounts

An administrator account is the AWS account in which you create stack sets. A stack set is managed by
signing in to the AWS administrator account in which it was created. A target account is the account into
which you create, update, or delete one or more stacks in your stack set. Before you can use a stack set
to create stacks in a target account, you must set up a trust relationship between the administrator and
target accounts.
Stack sets
A stack set lets you create stacks in AWS accounts across regions by using a single AWS CloudFormation
template. All the resources included in each stack are defined by the stack set's AWS CloudFormation
template. As you create the stack set, you specify the template to use, as well as any parameters and
capabilities that template requires.
After you've defined a stack set, you can create, update, or delete stacks in the target accounts
and regions you specify. When you create, update, or delete stacks, you can also specify operation
preferences, such as the order of regions in which you want the operation to be performed, the failure
tolerance beyond which stack operations stop, and the number of accounts in which operations are
performed on stacks concurrently.
A stack set is a regional resource. If you create a stack set in one region, you cannot see it or change it in
other regions.
Stack instances
A stack instance is a reference to a stack in a target account within a region. A stack instance can exist
without a stack; for example, if the stack could not be created for some reason, the stack instance shows
the reason for stack creation failure. A stack instance is associated with only one stack set.
The following figure shows the logical relationships between stack sets, stack operations, and stacks.
When you update a stack set, all associated stack instances are updated throughout all accounts and
regions.

563
Stack set operations
Stack set operations

You can perform the following operations on stack sets.
Create stack set
Creating a new stack set includes specifying an AWS CloudFormation template that you want to use
to create stacks, specifying the target accounts in which you want to create stacks, and identifying
the AWS regions in which you want to deploy stacks in your target accounts. A stack set ensures
consistent deployment of the same stack resources, with the same settings, to all specified target
accounts within the regions you choose.
Update stack set
When you update a stack set, you push changes out to stacks in your stack set. You can update a
stack set in one of the following ways. Note that your template updates always affect all stacks; you
cannot selectively update the template for some stacks in the stack set, but not others.
• Change existing settings in the template or add new resources, such as updating parameter
settings for a specific service, or adding new Amazon EC2 instances.
• Replace the template with a different template.
• Add stacks in existing or additional target accounts, across existing or additional regions.
Delete stacks
When you delete stacks, you are removing a stack and all its associated resources from the target
accounts you specify, within the regions you specify. You can delete stacks in the following ways.
• Delete stacks from some target accounts, while leaving other stacks in other target accounts
running.
• Delete stacks from some regions, while leaving stacks in other regions running.
• Delete stacks from your stack set, but save them so they continue to run independently of
your stack set by choosing the Retain Stacks option. Retained stacks are managed in AWS
CloudFormation, outside of your stack set.
• Delete all stacks in your stack set, in preparation for deleting your entire stack set.
Delete stack set
You can delete your stack set only when there are no stack instances in it.

564
Stack set operation options
Stack set operation options

The options described in this section help to control the time and number of failures allowed to
successfully perform stack set operations, and prevent you from losing stack resources.
Maximum concurrent accounts
This setting, available in create, update, and delete workflows, lets you specify the maximum
number or percentage of target accounts in which an operation is performed at one time. A lower
number or percentage means that an operation is performed in fewer target accounts at one time.
Operations are performed in one region at a time, in the order specified in the Deployment order
box. For example, if you are deploying stacks to 10 target accounts within two regions, setting
Maximum concurrent accounts to 50 and By percentage will deploy stacks to five accounts in the
first region, then the second five accounts within the first region, before moving on to the next
region and beginning deployment to the first five target accounts.
When you choose By percentage, if the specified percentage does not represent a whole number of
your specified accounts, AWS CloudFormation rounds down. For example, if you are deploying stacks
to 10 target accounts, and you set Maximum concurrent accounts to 25 and By percentage, AWS
CloudFormation rounds down from deploying 2.5 stacks concurrently (which would not be possible)
to deploying two stacks concurrently.
Note that this setting lets you specify the maximum for operations. For large deployments, under
certain circumstances the actual number of accounts acted upon concurrently may be lower due to
service throttling.
Failure tolerance
This setting, available in create, update, and delete workflows, lets you specify the maximum
number or percentage of stack operation failures that can occur, per region, beyond which AWS
CloudFormation stops an operation automatically. A lower number or percentage means that the
operation is performed on fewer stacks, but you are able to start troubleshooting failed operations
faster. For example, if you are updating 10 stacks in 10 target accounts within three regions, setting
Failure tolerance to 20 and By percentage means that a maximum of two stack updates in a region
can fail for the operation to continue. If a third stack in the same region fails, AWS CloudFormation
stops the operation. If a stack could not be updated in the first region, the update operation
continues in that region, and then moves on to the next region. If two stacks cannot be updated in
the second region, the failure tolerance of 20% is reached; if a third stack in the region fails, AWS
CloudFormation stops the update operation, and does not go on to subsequent regions.
When you choose By percentage, if the specified percentage does not represent a whole number
of your stacks within each region, AWS CloudFormation rounds down. For example, if you are
deploying stacks to 10 target accounts in three regions, and you set Failure tolerance to 25 and By
percentage, AWS CloudFormation rounds down from a failure tolerance of 2.5 stacks (which would
not be possible) to a failure tolerance of two stacks per region.
Retain stacks
This setting, available in delete stack workflows, lets you keep stacks and their resources running
even after they have been removed from a stack set. When you retain stacks, AWS CloudFormation
leaves stacks in individual accounts and regions intact. Stacks are disassociated from the stack set,
but the stack and its resources are saved. After a delete stacks operation is complete, you manage
retained stacks in AWS CloudFormation, in the target account (not the administrator account) in
which they were created. Retaining stacks permanently disassociates a stack from a stack set; the
stack cannot be added to the stack set again, and it cannot be added to a new stack set.

565
Tags
Tags
You can add tags during stack set creation and update operations by specifying key and value pairs.
Tags are useful for sorting and filtering stack set resources for billing and cost allocation. For more
information about how tags are used in AWS, see Using Cost Allocation Tags in the AWS Billing and Cost
Management User Guide. After you specify the key-value pair, choose + to save the tag.You can delete
tags that you are no longer using by choosing the red X to the right of a tag.
Tags that you apply to stack sets are applied to all stacks, and the resources that are created by your
stacks. Tags can be added at the stack-only level in AWS CloudFormation, but those tags might not show
up in StackSets.
Although StackSets does not currently add any system-defined tags, you should not start the key names
of any tags with the string aws:.
Stack set and stack instance status codes

AWS CloudFormation StackSets generates status codes for stack set operations and stack instances.
The following table describes status codes for stack set operations.
Stack Set Operation Status Description
RUNNING The operation is currently in progress.
SUCCEEDED The operation finished without exceeding the failure tolerance for
the operation.
FAILED The number of stacks on which the operation could not be

completed exceeded the user-defined failure tolerance. The
failure tolerance value you've set for an operation is applied
for each region during stack creation and update operations. If
the number of failed stacks within a region exceeds the failure
tolerance, the status of the operation in the region is set to
FAILED. The status of the operation as a whole is also set to
FAILED, and AWS CloudFormation cancels the operation in any
remaining regions.
STOPPING The operation is in the process of stopping, at the user's request.
STOPPED The operation has been stopped, at the user's request.
The following table describes status codes for stack instances within stack sets.
Stack Instance Status Description
CURRENT The stack is currently up to date with the stack set.
OUTDATED The stack is not currently up to date with the stack set for one of
the following reasons.
• A CreateStackSet or UpdateStackSet operation on the

associated stack failed.
• The stack was part of a CreateStackSet or
UpdateStackSet operation that failed, or was stopped before
the stack was created or updated.

566
Prerequisites: Granting Permissions
for Stack Set Operations
Stack Instance Status Description
INOPERABLE A DeleteStackInstances operation has failed and left the

stack in an unstable state. Stacks in this state are excluded
from further UpdateStackSet operations. You might need
to perform a DeleteStackInstances operation, with
RetainStacks set to true, to delete the stack instance, and
then delete the stack manually.
Prerequisites: Granting Permissions for Stack Set

Operations
Because stack sets perform stack operations across multiple accounts, before you can get started
creating your first stack set you need to have the necessary permissions defined in your AWS accounts.
To set up the necessary permissions:
1. Determine which AWS account is the administrator account.
Stack sets are created in this administrator account. A target account is the account in which you
create individual stacks that belong to a stack set.
2. Determine how you want to structure permissions for the stack sets.
The simplest (and most permissive) permissions configuration is where you give all users and groups
in the administrator account the ability to create and update all the stack sets managed through that
account. If you need finer-grained control, you can set up permissions to specify:
• Which users and groups can perform stack set operations in which target accounts.
• Which resources users and groups can include in their stack sets.
• Which stack set operations specific users and groups can perform.
3. Create the necessary IAM service roles in your administrator and target accounts to define the
permissions you want.
Important
The role in your administrator account must be named
AWSCloudFormationStackSetAdministrationRole. The role in each of your target accounts
must be named AWSCloudFormationStackSetExecutionRole.
Topics
• Set Up Basic Permissions for Stack Sets Operations (p. 567)
• Set Up Advanced Permissions Options for Stack Set Operations (p. 570)
Set Up Basic Permissions for Stack Sets Operations

The simplest (and most permissive) permissions configuration is where you give all users and groups
in the administrator account the ability to create and update all the stack sets managed through that
account. To do this, you create IAM service roles for your administrator and all target accounts. Anyone
with permissions to the administrator account then has permissions to create, update, or delete any
stack sets in any of the target accounts.
Your administrator account and target accounts must have service roles configured that create a trust
relationship between the accounts, and grant the target accounts permission to create and manage the
resources described in your template.

567
If you structure your permissions this way, users do not pass an administrator role when creating or
updating stack sets.
Set up permissions for all users of the administrator account to perform stack set operations
in all target accounts
1. In the administrator account, create an IAM role named

AWSCloudFormationStackSetAdministrationRole. The role must have this exact name. You
can do this by creating a stack from the following AWS CloudFormation template, available
online at https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/
AWSCloudFormationStackSetAdministrationRole.yml. The role created by this template enables the
following policy on your administrator account.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
],
"Effect": "Allow"
}
]
}
The following trust relationship is created by the preceding template.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
2. In each target account, create a service role named AWSCloudFormationStackSetExecutionRole

that trusts the administrator account. The role must have this exact name. You can do this
by creating a stack from the following AWS CloudFormation template, available online
at https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/
AWSCloudFormationStackSetExecutionRole.yml. When you use this template, you are prompted to
provide the name of the administrator account with which your target account must have a trust
relationship.

568
Important
Be aware that this template grants administrator access. After you use the template
to create a target account execution role, you must scope the permissions in the policy
statement to the types of resources that you are creating by using StackSets.
The target account service role requires permissions to perform any operations that are specified
in your AWS CloudFormation template. For example, if your template is creating an S3 bucket,
then you need permissions to create new objects for S3. Your target account always needs full AWS
CloudFormation permissions, which include permissions to create, update, delete, and describe
stacks. The role created by this template enables the following policy on a target account.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
The following example shows a policy statement with the minimum permissions for
StackSets to work. To create stacks in target accounts that use resources from services
other than AWS CloudFormation, you must add those service actions and resources to the
AWSCloudFormationStackSetExecutionRole policy statement for each target account.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action":
[
"cloudformation:*",
"s3:*",
"sns:*"
],
"Resource": "*"
}
]
}
The following trust relationship is created by the template. The administrator account's ID is shown
as admin_account_id.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::admin_account_id:root"
},
}
]
}

569
Set Up Advanced Permissions
Options for Stack Set Operations
You can configure the trust relationship of an existing target account execution role to trust a
specific role in the administrator account. If you delete the role in the administrator account, and
create a new one to replace it, you must configure your target account trust relationships with the
new administrator account role, represented by admin_account_id in the preceding example.
Set Up Advanced Permissions Options for Stack Set

Operations
If you require finer-grained control over the stack sets that users and groups are creating through a
single administrator account, you can use IAM roles to specify:
• Which users and groups can perform stack set operations in which target accounts.
• Which resources users and groups can include in their stack sets.
• Which stack set operations specific users and groups can perform.
Set Up Permissions to Control Target Account Access

Use customized administrator roles to control which users and groups can perform stack set operations
in which target accounts. You might want to control which users of the administrator account can
perform stack set operations in which target accounts. To do this, you create a trust relationship
between each target account and a specific customized administration role, rather than creating the
AWSCloudFormationStackSetAdministrationRole service role in the administrator account itself. You
then enable specific users and groups to use the customized administration role when performing stack
set operations in a specific target account.
For example, you can create Role A and Role B within your administrator account. You can give Role A
permissions to access target account 1 through account 8. You can give Role B permissions to access
target account 9 through account 16.
Setting up the necessary permissions involves defining a customized administrator role, creating a
service role for the target account, and granting users permission to pass the customized administrator
role when performing stack set operations.
In general, here's how it works once you have the necessary permissions in place: When creating a stack
set, the user must specify a customized administrator. The user must have permission to pass the role to

570
AWS CloudFormation. In addition, the customized administrator role must have a trust relationship with
the target accounts specified for the stack set. AWS CloudFormation creates the stack set and associates
the customized administrator role with it. When updating a stack set, the user must explicitly specify a
customized administrator role, even if it is the same customized administrator role used with this stack
set previously. AWS CloudFormation uses that role to update the stack, subject to the requirements
above.
Set up permissions for which users and groups can perform stack set operations in specific
target accounts
1. For each stack set, create a customized administrator role with permissions to assume the
AWSCloudFormationStackSetExecutionRole service role in the target accounts.
Create an IAM service role with a custom name, using the following permissions policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::target_account_id:role/
AWSCloudFormationStackSetExecutionRole"
],
"Effect": "Allow"
}
]
}
Or, if you want to specify all target accounts, use the following permissions policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole"
],
"Effect": "Allow"
}
]
}
You must provide the following trust policy when you create the role to define the trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
}
]

571
2. In each target account, create a service role named AWSCloudFormationStackSetExecutionRole

that trusts the customized administration role you want to use with this account.
Important
You must scope the permissions in the policy statement to the types of resources that you
are creating by using StackSets.
The target account service role requires permissions to perform any operations that are specified
in your AWS CloudFormation template. For example, if your template is creating an S3 bucket,
then you need permissions to create new objects in S3. Your target account always needs full AWS
CloudFormation permissions, which include permissions to create, update, delete, and describe
stacks.
The following example shows a policy statement with the minimum permissions for
StackSets to work. To create stacks in target accounts that use resources from services
other than AWS CloudFormation, you must add those service actions and resources to the
AWSCloudFormationStackSetExecutionRole permissions policy statement for each target account.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action":
[
"cloudformation:*",
"s3:*",
"sns:*"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::admin_account_id:role/customized_admin_role"
},
}
]
}
3. Allow users to pass the customized administrator role when performing stack set operations.
Attach an IAM permissions policy to users or groups that allows them to pass the appropriate
customized administrator role when creating or updating specific stack sets. For more information,
see Granting a User Permissions to Pass a Role to an AWS Service. In the example below,
customized_admin_role refers to the administrator role the user needs to pass.
{
"Version": "2012-10-17",
"Statement": [{
572
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/customized_admin_role"
}]
}
Set Up Permissions to Control Stack Resource Inclusion

Use customized execution roles to control which stack resources users and groups can include in their
stack sets. For example, you might want to set up a group that can only include Amazon S3-related
resources in the stack sets they create, while another team can only include DynamoDB resources. To
do this, you create a trust relationship between the customized administrator role for each group and a
customized execution role for each set of resources. The customized execution role defines which stack
resources can be included in stack sets. The customized administrator role resides in the administrator
account, while the customized execution role resides in each target account in which you want to create
stack sets using the defined resources. You then enable specific users and groups to use the customized
administration role when performing stack set operations.
For example you can create customized administrator roles A, B, and C in the administrator account.
Users and groups with permission to use Role A can create stack sets containing the stack resources
specifically listed in customized execution role X, but not those in roles Y or Z, or resource not included in
any execution role.
When updating a stack set, the user must explicitly specify a customized administrator role, even if it
is the same customized administrator role used with this stack set previously. AWS CloudFormation
performs the update using the customized administrator role specified, so long as the user has
permissions to perform operations on that stack set.
Similarly, the user can also specify a customized execution role. If they specify a customized execution
role, AWS CloudFormation uses that role to update the stack, subject to the requirements above. If the
user does not specify a customized execution role, AWS CloudFormation performs the update using the
customized execution role previously associated with the stack set, so long as the user has permissions to
perform operations on that stack set.

573
Set up permissions for which resources users and groups can include in specific stack sets
1. In the target accounts in which you want to create your stack sets, create a customized execution
role that grants permissions to the services and resources that you want users and groups to be able
to include in the stack sets.
The following example provides the minimum permissions for stack sets, along with permission to
create DynamoDB tables.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action":
[
"cloudformation:*",
"s3:*",
"sns:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action":
[
"dynamoDb:createTable"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::admin_account_id:role/customized_admin_role"
},
}
]
}
2. Create a customized administrator role in your administrator account, as detailed in Set Up

Advanced Permissions Options for Stack Set Operations (p. 570). Include a trust relationship
between the customized administrator role and the customized execution roles which you want it to
use.
The following example includes an sts::AssumeRole policy for both the

AWSCloudFormationStackSetExecutionRole defined for the target account, as well as a customized
execution role.
{
"Version": "2012-10-17",
"Statement": [

574
Getting Started
{
"Sid": "Stmt1487980684000",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
"arn:aws:iam::*:role/custom_execution_role"
]
}
]
}
Set Up Permissions for Specific Stack Set Operations

In addition, you can set up permissions for which user and groups can perform specific stack set
operations, such as creating, updating, or deleting stack sets or stack instances. For more information,
see Actions, Resources, and Condition Keys for AWS CloudFormation in the IAM User Guide.
Getting Started with AWS CloudFormation

StackSets
Before you create your first stack set, be sure that you have completed required account setup steps in
Prerequisites: Granting Permissions for Stack Set Operations (p. 567).
The template in this walkthrough enables AWS Config in a target account within the US West (Oregon)
Region (us-west-2) and US East (N. Virginia) Region (us-east-1). The Enable AWS Config template is
located in the following S3 bucket: https://s3.amazonaws.com/cloudformation-stackset-sample-
templates-us-east-1/EnableAWSConfig.yml. You can also choose this sample template in the StackSets
console.
Topics
• Create a New Stack Set (p. 575)
• Update Your Stack Set (p. 580)
• Add Stacks to a Stack Set (p. 582)
• Override Parameters on Stack Instances (p. 583)
• Delete Stack Instances (p. 585)
• Delete Stack Sets (p. 587)
Create a New Stack Set

You can create a stack set in either the AWS Management Console, or by using AWS CloudFormation
commands in the AWS CLI.
To create a stack set by using the AWS Management Console

2. From the navigation pane, choose StackSets.
3. At the top of the StackSets page, choose Create StackSet.
4. Under Prerequisite - Prepare template, choose Use a sample template.

575
5. Under Select a sample template, from the drop-down menu choose the Enable AWS config
template. Click Next.
6. On the Specify StackSet details page, provide the following information.
a. Provide a name for the stack set. Stack set names must begin with an alphabetical character,
and contain only letters, numbers, and hyphens. In this walkthrough, we use the name my-
awsconfig-stackset.
b. You are prompted to specify values for parameters that are used by AWS Config. For more
information about these parameters, see Setting up AWS Config with the Console in the AWS
Config Developer Guide. In this walkthrough, we will leave default settings for all AWS Config
parameters.
c. You can configure Amazon Simple Notification Service (SNS) updates by email, based on log
content, using the TopicARN and NotificationEmail parameters. For the purposes of this
walkthrough, we are not configuring Amazon SNS updates.
d. You can configure the delivery channel for updates and notifications using the
DeliveryChannelName and Frequency parameters. For more information about the delivery
channel in AWS Config, see Managing the Delivery Channel in the AWS Config Developer Guide.
For the purposes of this walkthrough, we are leaving default settings in this area.
7. When you are finished specifying parameters for AWS Config, choose Next.
8. On the Configure StackSet options page, add a tag by specifying a key and value pair. In this
walkthrough, we create a tag called Stage, with a value of Test. Tags that you apply to stack sets are
applied to all resources that are created by your stacks. For more information about how tags are
used in AWS, see Using Cost Allocation Tags in the AWS Billing and Cost Management User Guide.
Leave Permissions unspecified, and choose Next.

576
9. On the Set deployment options page, provide the accounts and regions into which you want stacks
in your stack set deployed.
AWS CloudFormation will deploy stacks in the specified accounts within the first region, then moves
on to the next, and so on, as long as a region's deployment failures do not exceed a specified failure
tolerance.
a. For Accounts, choose Deploy stacks in accounts. Paste your target account numbers in the text
box, separating multiple numbers with commas.
b. For Specify regions, choose US East (N. Virginia) Region. Repeat for the US West (Oregon)
Region. Click the up arrow next to US West (Oregon) Region to move it to be the first entry in
the list. The order of the regions under Specify regions determines their deployment order.
c. For Deployment options:
• For Maximum concurrent accounts, keep the default values of Number and 1.
This means that AWS CloudFormation deploys your stack in only one account at one time.
• For Failure tolerance, keep the defauls of Number and 0.
This means that a maximum of one stack deployment can fail in one of your specified regions
before AWS CloudFormation stops deployment in the current region, and cancels deployment
in remaining regions.
Choose Next.

577
10. On the Review page, review your choices and your stack set's properties. To make changes, choose
Edit in the area in which you want to change properties. Before you can create the stack set, you
must fill the check box in the Capabilities area to acknowledge that some of the resources that
you are creating with the stack set might require new IAM resources and permissions. For more
information about potentially required permissions, see Acknowledging IAM Resources in AWS
CloudFormation Templates in this guide. When you are are ready to create your stack set, choose
Submit.

578
11. AWS CloudFormation starts creating your stack set. View the progress and status of the creation of
the stacks in your stack set in the stack set details page that opens when you choose Submit.
To create a stack set by using the AWS CLI
When you create stack sets by using AWS CLI commands, you run two separate commands: create-
stack-set to upload your template and create the stack set container, and create-stack-
instances to create the stacks within your stack set. Start by running an AWS CLI command, create-
stack-set, to upload the sample AWS CloudFormation template that enables AWS Config, and then
start stack set creation.
1. Open the AWS CLI.

2. Run the following command. For the --template-url parameter, provide the URL of the Amazon
S3 bucket in which you are storing your template. For this walkthrough, we use my-awsconfig-
stackset as the value of the --stack-set-name parameter.
aws cloudformation create-stack-set --stack-set-name my-awsconfig-stackset --template-

url https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/
EnableAWSConfig.yml
3. After your create-stack-set command is finished, run the list-stack-sets command to see
that your stack set has been created. You should see your new stack set in the results.
aws cloudformation list-stack-sets
4. Run the create-stack-instances AWS CLI command to add stack instances to your stack set. In
this walkthrough, we use us-west-2 and us-east-1 as the values of the --regions parameter.
Set the failure tolerance and maximum concurrent accounts by setting FailureToleranceCount
to 0 and MaxConcurrentCount to 1 in the --operation-preferences parameter, as shown

579
Update Your Stack Set
in the following example. To apply percentages instead, use FailureTolerancePercentage

or MaxConcurrentPercentage. For the purposes of this walkthrough, we are using count, not
percentage.
aws cloudformation create-stack-instances --stack-set-name my-awsconfig-stackset --

accounts '["account_ID_1","account_ID_2"]' --regions '["region_1","region_2"]' --
operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1
Important
Wait until an operation is complete before starting another one. You can run only one
operation at a time.
5. Verify that the stack instances were created successfully. Run DescribeStackSetOperation with
the operation-id that is returned as part of the output of step 4.
aws cloudformation describe-stack-set-operation --stack-set-name my-awsconfig-stackset

--operation-id operation_ID

You can update your stack set in either the AWS Management Console, or by using AWS CloudFormation
commands in the AWS CLI. In this walkthrough, we are changing the default snapshot delivery frequency
for delivery channel configuration from 24hours to 12hours.
To override parameter values for specific stack instances, see Override Parameters on Stack
Instances (p. 583).
To update a stack set by using the AWS Management Console

2. From the navigation pane, choose StackSets.
3. On the StackSets page, select the stack set that you created in Create a New Stack Set (p. 575). In
this walkthrough, we created a stack set named my-awsconfig-stackset.
4. With the stack set selected, choose Edit StackSet details from the Actions menu.
5. On the Choose a template page, choose whether you want to update the current template,
specify an S3 URL to another template, or upload a new template to AWS CloudFormation. In this
walkthrough, we are using the current template. Choose Use current template, and then choose
Next.
6. On the Specify StackSet details page, change the value of the Frequency parameter from 24hours
to 12hours.
For more information about this and the other parameters, which specify values used by AWS
Config, see Setting up AWS Config with the Console in the AWS Config Developer Guide.
Do not make changes to the other parameters. For the purposes of this walkthrough, we are not
configuring Amazon SNS updates.

580
When done, choose Next.

7. On the Configure StackSet options page, no changes are needed, but you can update, delete, or
add new tags here if desired. For more information about how tags are used in AWS, see Using Cost
Allocation Tags in the AWS Billing and Cost Management User Guide.
Leave the Permissions unchanged, and choose Next.

8. On the Set deployment options page, keep the default value of 1 and By number for Maximum
concurrent accounts. Keep the default Failure tolerance of 0, and keep the By number default
option. Choose Next.
Note
You cannot change accounts and regions here; that is, you cannot deploy stack set changes
to stacks in some accounts and regions, but not others.
Edit in the upper-right corner of an area in which you want to change properties. Before you can
update the stack set, you must fill the check box in the Capabilities area to acknowledge that some
of the resources that you are updating with the stack set might require new IAM resources and
permissions. For more information about potentially required permissions, see Acknowledging IAM
Resources in AWS CloudFormation Templates in this guide. When you are are ready to create your
stack set, choose Submit.
AWS CloudFormation starts applying your updates to your stack set, and displays the Operations
tab of the stack set details page
10. You can view the progress and status of update operations on the Operations tab. You should see
the updated Frequency parameter in the Parameter tab.
To update a stack set template by using the AWS CLI

Run the update-stack-set AWS CLI command to make changes to your stack set. In this walkthrough,
we are updating the value of the MaximumExecutionFrequency parameter. For more information
about the parameter names and values for creating or updating an AWS Config rule, see put-config-rule
in the AWS CLI reference. To change template parameter values, add the --parameters parameter. For
more information about what you can specify as a value for --parameters, see Parameter in the AWS
CloudFormation API Reference, and update-stack in the AWS CLI Command Reference.
In the example command shown here, we are updating the stack set by using --parameters;
specifically, we change the default snapshot delivery frequency for delivery channel configuration from
TwentyFour_Hours to Twelve_Hours. Because we are still using the current template, we add the --
use-previous-template parameter.
1. Run the following command. For stack set name, specify the stack set name my-awsconfig-
stackset.
to 0, and MaxConcurrentCount to 1 in the --operation-preferences parameter, as shown
percentage.
aws cloudformation update-stack-set --stack-set-name my-

awsconfig-stackset --use-previous-template --parameters
ParameterKey=MaximumExecutionFrequency,ParameterValue=TwentyFour_Hours\\,Twelve_Hours
--operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1
2. Verify that your stack set was updated successfully by running the describe-stack-set-
operation command to show the status and results of your update operation. For --operation-
id, use the operation ID that was returned by your update-stack-set command.

581
Add Stacks to a Stack Set
aws cloudformation describe-stack-set-operation --operation-id operation_ID
Add Stacks to a Stack Set

When you create a stack set, you can create the stacks for that stack set. AWS CloudFormation also
enables you to add more stacks, for additional accounts and regions, at any point after the stack set
is created. You can add stack instances using either the AWS CloudFormation console, or by using
AWS CloudFormation commands in the AWS CLI. In this procedure, we will add stack instances for an
additional region to the stack set we created in Create a New Stack Set (p. 575).
To add stacks to a stack set by using the AWS Management Console

2. From the navigation pane, choose StackSets. On the StackSets page, select the stack set that you
created in Create a New Stack Set (p. 575). In this walkthrough, we created a stack set named my-
awsconfig-stackset.
3. With the stack set selected, choose Add new stacks to StackSet from the Actions menu.
4. On the Set deployment options page, provide the accounts and regions into which you want to add
stacks for your stack set.
tolerance.
b. For Specify regions, choose US West (N. California). You will be creating new stacks, in the US
West (N. California) region, for the accounts you've specified.
If you add multiple regions, the order of the regions under Specify regions determines their
deployment order.
Choose Next.

582
Override Parameters on Stack Instances
5. On the Specify Overrides page, leave the property values as specified. You won't be overriding any
property values for the stacks you're going to create. Choose Next.
Edit in the area in which you want to change properties. Before you can create the new stacks, you
must fill the check box in the Capabilities area to acknowledge that some of the resources that
you are creating with the stack set might require new IAM resources and permissions. For more
information about potentially required permissions, see Acknowledging IAM Resources in AWS
CloudFormation Templates in this guide. When you are are ready to create your stack instances,
choose Submit.
7. AWS CloudFormation starts creating your stack instances. View the progress and status of the
creation of the stack instances in your stack set in the stack set details page that opens when you
choose Submit. When complete, your new stack instances should be listed on the Stack instances
tab.

In certain cases, you might want stack instances in certain regions or accounts to have different
property values than those specified in the stack set itself. For example, you might want to specify
a different value for a given parameter based on whether an account is used for development or
production. For these situations, AWS CloudFormation allows you to override parameter values in stack
instances by account and region. You can override template parameter values when you first create the
stack instances, and you can override parameter values for existing stack instances. You can only set
parameters you've previously overridden in stack instances back to the values specified in the stack set.
Parameter value overrides apply to stack instances in the accounts and regions you select. During stack
set updates, any parameter values overridden for a stack instance are not updated, but retain their
overridden value.

583
You can only override parameter values that are specified in the stack set; to add or delete a parameter
itself, you need to update the stack set template. If you add a parameter to a stack set template, then
before you can override that parameter value in a stack instance you must first update all stack instances
with the new parameter and value specified in the stack set. Once all stack instances have been updated
with the new parameter, you can then override the parameter value in individual stack instances as
desired.
To learn how to override stack set parameter values when you create stack instances, see Add Stacks to a
Stack Set (p. 582).
To override parameter values in stack instances by using the AWS Management Console

2. From the navigation pane, choose StackSets. On the StackSets page, select the stack set that you
created in Create a New Stack Set (p. 575). In that walkthrough, we created a stack set named my-
awsconfig-stackset.
3. With the stack set selected, choose Override StackSet parameters from the Actions menu.
4. On the Set deployment options page, provide the accounts and regions for the stack instances
whose parameters you want to override.
tolerance.
a. For Accounts, choose Deploy stacks in accounts. Paste some or all the target account IDs that
you used to create your stack set in Create a New Stack Set (p. 575).
b. For Specify regions, add one or more of the regions into which you have deployed stack
instances for this stack set.
If you add multiple regions, the order of the regions under Specify regions determines their
deployment order.
Choose Next.
5. On the Specify Overrides page, check the Frequency parameter and then choose Override
StackSet value from the Edit override value menu.

584
Delete Stack Instances
6. In Override StackSet parameter values, select 6hours for the Frequency parameter, and choose
Save changes. You are instructing AWS CloudFormation to override the Frequency parameter value
and use 6hours for all the stack instances for the specified accounts in the specified regions. Choose
Next.
Note
To set any overridden parameters back to using the value specified in the stack set, check all
parameters and choose Set to StackSet value from the Edit override value menu. Doing so
removes all overridden values once you update the stack instances.
7. On the Review page, review your choices. Note that the Frequency parameter displays a value in the
Override value column, indicating that its value has been overridden at the stack level.
Before you can override parameters for these stack instances, you must fill the check box in the
Capabilities area to acknowledge that some of the resources that you are creating with the stack set
might require new IAM resources and permissions. For more information about potentially required
permissions, see Acknowledging IAM Resources in AWS CloudFormation Templates in this guide.
When you are are ready, choose Submit.
8. AWS CloudFormation starts updating your stack instances. View the progress and status of the stack
instances in the stack set details page that opens when you choose Submit.

You can delete stack instances from a stack set in either the AWS Management Console, or by using AWS
CloudFormation commands in the AWS CLI. In this procedure, we will delete all stacks.
To delete stack instances by using the AWS Management Console

585
2. Choose StackSets from the navigation pane. On the StackSets page, select the stack set that you
created in Create a New Stack Set (p. 575). In this walkthrough, we created a stack set named my-
awsconfig-stackset.
3. With the stack set selected, choose Delete stacks from StackSet from the Actions menu.
4. On the Set deployment options page:
b. For Specify regions, choose the regions from which you want to delete stack instances. In this
case, US East (N. Virginia) Region and US West (Oregon) Region.
In the Retain stacks area, keep the default setting of disabled.
When you are deleting stacks from a stack set, the Retain stacks option lets you choose
to remove the stack instances from your stack set, but save the stacks and their associated
resources. When you save stacks from a stack set by choosing the Retain stacks option, the
stack's resources stay in their current state, but the stack is no longer part of the stack set.
You cannot reassociate a retained stack, or add an existing, saved stack to a new stack set. The
stack is permanently independent of a stack set. In this procedure, we are deleting all stacks in
preparation for deleting the entire stack set, so we are not retaining stacks.
Choose Next.
5. On the Review page, review your choices and choose Submit.
6. After stack deletion is finished, you can verify that stack instances were deleted from your stack set
in the StackSet detail page, on the Stack instances tab.
To delete stack instances by using the AWS CLI
When you are ready to delete stack instances, run the delete-stack-instances AWS CLI command.

586
Delete Stack Sets
• Run the following command, and replace account_ID with the accounts you used to create your
stack set in Create a New Stack Set (p. 575). For stack set name, specify the stack set name my-
awsconfig-stackset.
to 0, and MaxConcurrentCount to 1 in the --operation-preferences parameter, as shown
percentage.
Because --retain-stacks is a required parameter of delete-stack-instances, if you do not

want to retain (save) stacks, add --no-retain-stacks. In this walkthrough, we add the --no-
retain-stacks parameter, because we are not retaining any stacks.
aws cloudformation delete-stack-instances --stack-set-name my-awsconfig-stackset --

accounts '["account_ID_1","account_ID_2"]' --regions '["region_1","region_2"]' --
operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1 --no-retain-stacks
After stack deletion is finished, you can verify that stack instances were deleted from your stack set
by running the describe-stack-set-operation command to show the status and results of
the delete stacks operation. For --operation-id, use the operation ID that was returned by your
delete-stack-instances command.
aws cloudformation describe-stack-set-operation --operation-id operation_ID
Delete Stack Sets

When you are finished with the AWS CloudFormation StackSets Getting Started walkthrough, you can
follow procedures in this section to delete stack sets and other resources that you have created as part
of this walkthrough. To delete a stack set, you must first delete all stack instances in the stack set. For
information about how to delete all stack instances, see Delete Stack Instances (p. 585).
Delete Stack Set

After you have deleted all stack instances, you can delete the stack set.
To delete a stack set by using the AWS CloudFormation console
1. On the StackSets page, select the stack set that you created in Create a New Stack Set (p. 575). In
this walkthrough, we created a stack set named my-awsconfig-stackset.
2. With the stack set selected, choose Delete StackSet from the Actions menu.
3. When you are prompted to confirm that you want to delete the stack set, choose Delete StackSet.

587
Target account gates
To delete a stack set by using the AWS CLI
1. Run the following command. When you are prompted to confirm, type y, and then press Enter.
aws cloudformation delete-stack-set --stack-set-name my-awsconfig-stackset
2. Verify that the stack set was deleted by running the list-stack-sets command. The results of
the list-stack-sets command should show your stack with a status of DELETED.
aws cloudformation list-stack-sets
Delete Service Roles (Optional)

Delete the service roles that you created as part of the Prerequisites: Granting Permissions for Stack Set
Operations (p. 567) for the walkthrough in this guide. The roles that you created to get started with
StackSets are named AWSCloudFormationStackSetAdministrationRole in the administrator account,
and AwsCloudFormationStackSetExecutionRole in each target account. For more information about
deleting roles, see Deleting Roles and Instance Profiles in the IAM User Guide.
To delete a service role by using the AWS Management Console
1. Sign in to the AWS Management Console and open the IAM console at https://
console.aws.amazon.com/iam/.
2. In the navigation pane, choose Roles, and then fill the check box next to the role that you want to
delete.
3. In the Role actions menu at the top of the page, choose Delete role.
4. In the confirmation dialog box, choose Yes, Delete. If you are sure, you can proceed with the
deletion even if the service last accessed data is still loading.
To delete a service role by using the AWS CLI
• Run the following command. When you are prompted to confirm, type y, and then press Enter.
aws iam delete-role --role-name role name
Configuring a target account gate in AWS

CloudFormation StackSets
An account gate is an optional feature that lets you specify an AWS Lambda function to verify that
a target account meets certain requirements before AWS CloudFormation StackSets begins stack
operations in that account. A common example of an account gate is verifying that there are no
CloudWatch alarms active or unresolved on the target account. StackSets invokes the function each
time you start stack operations in the target account, and only continues if the function returns a
SUCCEEDED code. If the Lambda function returns a status of FAILED, StackSets does not continue with
your requested operation. If you do not have an account gating Lambda function configured, StackSets
skips the check, and continues with your operation.
If your target account fails an account gate check, the failed operation counts toward your specified
failure tolerance number or percentage of stacks. For more information about failure tolerance, see Stack
set operation options (p. 565).

588
Setup Requirements
Account gating is only available for StackSets operations. This functionality is not available for other
AWS CloudFormation operations outside of StackSets.
Setup Requirements
The following list describes setup requirements for account gating.
• To work with the StackSets account gating functionality, your Lambda function must be named
AWSCloudFormationStackSetAccountGate.
• The AWSCloudFormationStackSetExecutionRole needs permissions to invoke your Lambda function.
Without these permissions, StackSets skips the account gating check, and continues with stack
operations.
• The Lambda InvokeFunction permission must be added to target accounts for account gating to
work. The target account trust policy must have a trust relationship with the administrator account.
The following is an example of a policy statement that grants Lambda invokefunction permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": "*"
}
]
}
Sample Lambda Account Gating Functions

The following sample AWS CloudFormation templates are available for you to create Lambda
AWSCloudFormationStackSetAccountGate functions. For more information about how to create a new
stack using either of these templates, see Creating a Stack in this guide.
Template Location Description
https://s3.amazonaws.com/cloudformation- Creates a stack that implements a Lambda

stackset-templates-us-east-1/cloudformation- account gate function that will return a status of
stack-set-accountgate-succeeded.template SUCCEEDED.
https://s3.amazonaws.com/cloudformation- Creates a stack that implements a Lambda

stackset-templates-us-east-1/cloudformation- account gate function that will return a status of
stack-set-accountgate-failed.template FAILED.
Detecting Unmanaged Configuration Changes in

Stack Sets
Even as you manage your stacks and the resources they contain through CloudFormation, users can
change those resources outside of CloudFormation. Users can edit resources directly by using the
underlying service that created the resource. By performing drift detection on a stack set, you can

589
How CloudFormation Performs
Drift Detection on a Stack Set
determine if any of the stack instances belonging to that stack set differ, or have drifted, from their
expected configuration.
How CloudFormation Performs Drift Detection on a

Stack Set
When CloudFormation performs drift detection on a stack set, it performs drift detection on the stack
associated with each stack instance in the stack set. To do this, CloudFormation compares the current
state of each resource in the stack with the expected state of that resource, as defined in the stack's
template and and any specified input parameters. If the current state of a resource varies from its
expected state, that resource is considered to have drifted. If one or more resources in a stack have
drifted, then the stack itself is considered to have drifted, and the stack instances that the stack is
associated with is considered to have drifted as well. If one or more stack instances in a stack set have
drifted, the stack set itself is considered to have drifted.
Drift detection identifies unmanaged changes; that is, changes made to stacks outside of
CloudFormation. Changes made through CloudFormation to a stack directly, rather than at the stack-
set level, are not considered drift. For example, suppose you have a stack that is associated with a stack
instance of a stack set. If you use CloudFormation to update that stack to use a different template,
that is not considered drift, even though that stack now has a different template than any other stacks
belonging to the stack set. This is because the stack still matches its expected template and parameter
configuration in CloudFormation.
For detailed information on how CloudFormation performs drift detection on a stack, see Detecting
Unmanaged Configuration Changes to Stacks and Resources (p. 161).
Because CloudFormation performs drift detection on each stack individually, it takes any overridden
parameter values into account when determining whether a stack has drifted. For more information on
overriding template parameters in stack instances, see Override Parameters on Stack Instances (p. 583).
If you perform drift detection directly on a stack that is associated with a stack instance, those drift
results are not available from the StackSets console page.
To detect drift on a stack set using the AWS Management Console

2. On the StackSets page, select the stack set on which you want to perform drift detection.
3. From the Actions menu, select Detect drifts.
CloudFormation displays an information bar stating that drift detection has been initiated for the
selected stack set.
4. Optional: To monitor the progress of the drift detection operation:
a. Click the stack set name to display the Stackset details page.
b. Select the Operations tab, select the drift detection operation, and then select View drift
details.
CloudFormation displays the Operation details dialog box.

5. Wait until CloudFormation completes the drift detection operation. When the drift detection
operation completes, CloudFormation updates Drift status and Last drift check time for your stack
set. These fields are listed on the Overview tab of the StackSet details page for the selected stack
set.
The drift detection operation may take some time, depending on the number of stack instances
included in the stack set, as well as the number of resources included in the stack set. You can only

590
run a single drift detection operation on a given stack set at one time. CloudFormation continues the
drift detection operation even after you dismiss the information bar.
6. To review the drift detection results for the stack instances in a stack set, select the Stack instances
tab.
The Stack name column lists the name of the stack associated with each stack instance, and the
Drift status column lists the drift status of that stack. A stack is considered to have drifted if one or
more of its resources have drifted.
7. To review the drift detection results for the stack associated with a specific stack instances:
1. Note the AWS account, Stack name, and AWS region for the stack instance.
Log into the AWS account containing the stack instance.

3. Select the AWS region containing the stack instance.
4. From the left-hand navigation pane, select Stacks.
5. Select the stack you wish to view, and then select Drifts.
CloudFormation displays the Drifts page for the stack associated with the specified stack
instance.
In the Resource drift status section, CloudFormation lists each stack resource, its drift status, and
the last time drift detection was initiated on the resource. The logical ID and physical ID of each
resource is displayed to help you identify them. In addition, for resources with a status of MODIFIED,
CloudFormation displays resource drift details.
You can sort the resources based on their drift status using the Drift status column.
CloudFormation displays the drift detail page for that resource. This page lists the
resource's expected and current property values, and any differences between the two.

591
To detect drift on a stack set using the AWS CLI
To detect drift on an entire stack using the AWS CLI, use the following aws cloudformation
commands:
• detect-stack-set-drift to initiate a drift detection operation on a stack.

• describe-stack-set-operation to monitor the status of the stack drift detection operation.
• Once the drift detection operation has completed, use the following commands to return drift
information you want:
• Use describe-stack-set to return detailed information about the stack set, including detailed
information about the last completed drift operation performed on the stack set. (Information about
drift operations that are in progress is not included.)
• Use list-stackinstances to return a list of stack instances belonging to the stack set, including
the drift status and last drift time checked of each instance.
• Use describe-stack-instance to return detailed information about a specific stack instance,
including its drift status and last drift time checked.
1. Use detect-stack-set-drift to detect drift on an entire stack set and its associated stack
instances.

592
The following example initiates drift detection on the stack set stack-set-drift-example.
aws cloudformation detect-stack-set-drift --stack-set-name stack-set-drift-example
{
"OperationId": "c36e44aa-3a83-411a-b503-cb611example"
}
2. Because stack set drift detection operations can be a long-running operation, use describe-
stack-set-operation to monitor the status of drift operation. This command takes the stack set
operation ID returned by the detect-stack-set-drift command.
The following examples uses the operation ID from the previous example to return information on
the stack set drift detection operation. In this example, the operation is still running. Of the seven
stack instances associated with this stack set, one stack instance has already been found to have
drifted, two instances are in synch, and drift detection for the remaining four stack instances is still
in progress. Since one instance has drifted, the drift status of the stack set itself is now DRIFTED.
aws cloudformation describe-stack-set-operation --stack-set-name stack-set-drift-

example --operation-id c36e44aa-3a83-411a-b503-cb611example
{
"StackSetOperation": {
"Status": "RUNNING",
"AdministrationRoleARN": "arn:aws:iam::012345678910:role/
AWSCloudFormationStackSetAdministrationRole",
"OperationPreferences": {
"RegionOrder": []
},
"ExecutionRoleName": "AWSCloudFormationStackSetExecutionRole",
"StackSetDriftDetectionDetails": {
"DriftedStackInstancesCount": 1,
"TotalStackInstancesCount": 7,
"LastDriftCheckTimestamp": "2019-12-04T20:34:28.543Z",
"InSyncStackInstancesCount": 2,
"InProgressStackInstancesCount": 4,
"DriftStatus": "DRIFTED",
"FailedStackInstancesCount": 0
},
"Action": "DETECT_DRIFT",
"CreationTimestamp": "2019-12-04T20:33:13.673Z",
"StackSetId": "stack-set-drift-example:bd1f4017-d4f9-432e-a73f-8c22example",
}
}
Performing the same command later, this example shows the information returned once the drift
detection operation has completed. Two of the seven total stack instances associated with this stack
set have drifted, rendering the drift status of the stack set itself as DRIFTED.
aws cloudformation describe-stack-set-operation --stack-set-name stack-set-drift-

example --operation-id c36e44aa-3a83-411a-b503-cb611example
{
"StackSetOperation": {
"Status": "SUCCEEDED",
"OperationPreferences": {
"RegionOrder": []
},

593
"EndTimestamp": "2019-12-04T20:37:32.829Z",
},
"Action": "DETECT_DRIFT",
"CreationTimestamp": "2019-12-04T20:33:13.673Z",
"StackSetId": "stack-set-drift-example:bd1f4017-d4f9-432e-a73f-8c22example",
}
}
3. When the stack set drift detection operation is complete, use the describe-stack-set, list-
stackinstances, and describe-stack-instance commands to review the results.
The describe-stack-set command includes the same detailed drift information returned by the
describe-stack-set-operation command.
aws cloudformation describe-stack-set --stack-set-name stack-set-drift-example
{
"StackSet": {
"Status": "ACTIVE",
"Description": "Demonstration of drift detection on stack sets.",
"Parameters": [],
"Tags": [
{
"Value": "Drift detection",
"Key": "Feature"
}
],
"Capabilities": [],
"DriftDetectionStatus": "COMPLETED",
},
"StackSetARN": "arn:aws:cloudformation:us-east-1:012345678910:stackset/stack-
set-drift-example:bd1f4017-d4f9-432e-a73f-8c22example",
"TemplateBody": [details omitted],
"StackSetId": "stack-set-drift-example:bd1f4017-d4f9-432e-a73f-8c22ebexample",
"StackSetName": "stack-set-drift-example"
}
}
You can use the list-stack-instances command to return summary information about the
stack instances associated with a stack set, including the drift status of each stack instance.

594
In this example, executing list-stack-instances on the example stack set enables us to identify
which two stack instances have a drift status of DRIFTED.
aws cloudformation list-stack-instances --stack-set-name stack-set-drift-example
{
"Summaries": [
{
"StackId": "arn:aws:cloudformation:ap-
northeast-1:012345678910:stack/StackSet-stack-set-drift-example-29168cdd-
e587-4709-8a1f-90f752ec65e1/1a8a98f0-16d4-11ea-9844-060a5example",
"Status": "CURRENT",
"Account": "012345678910",
"Region": "ap-northeast-1",
"DriftStatus": "IN_SYNC",
"StackSetId": "stack-set-drift-example:bd1f4017-d4f9-432e-
a73f-8c22eexample"
},
{
"StackId": "arn:aws:cloudformation:eu-west-1:012345678910:stack/
StackSet-stack-set-drift-example-b0fb6083-60c0-4e39-
af15-2f071e0db90c/0e4f0940-16d4-11ea-93d8-0641cexample",
"Account": "012345678910",
"Region": "eu-west-1",
a73f-8c22eexample"
},
{
StackSet-stack-set-drift-example-b7fde68e-e541-44c2-b33d-
ef2e2988071a/008e6030-16d4-11ea-8090-12f89example",
"Account": "012345678910",
"Region": "us-east-1",
a73f-8c22eexample"
},
[additional stack instances omitted]
]
}
The describe-stack-instance command also returns this information, but for a single stack
instance, as in the example below.
aws cloudformation describe-stack-instance --stack-set-name stack-set-drift-example --

stack-instance-account 012345678910 --stack-instance-region us-east-1
{
"StackInstance": {
ef2e2988071a/008e6030-16d4-11ea-8090-12f89example",
"Account": "012345678910",

595
"Region": "us-east-1",
"ParameterOverrides": [],
"StackSetId": "stack-set-drift-example:bd1f4017-d4f9-432e-a73f-8c22eexample"
}
}
4. Once you've identified which stack instances have drifted, you can use the information about
the stack instances that is returned by the list-stack-instances or describe-stack-
instance commands to execute the describe-stack-resource-drifts. This command returns detailed
information about which resources in the stack have drifted.
The following example uses the stack ID of one of the drifted stacks, returned by the list-stack-
instances command in the example above, to return detailed information about the resources
that have been modified or deleted outside of CloudFormation. In this stack, two properties on an
AWS::SQS::Queue resource, DelaySeconds and maxReceiveCount, have been modified.
aws cloudformation describe-stack-resource-drifts --stack-name

arn:aws:cloudformation:us-east-1:012345678910:stack/StackSet-stack-set-drift-example-
b7fde68e-e541-44c2-b33d-ef2e2988071a/008e6030-16d4-11ea-8090-12f89example --stack-
resource-drift-status-filters "MODIFIED" "DELETED"
{
"StackResourceDrifts": [
{
ef2e2988071a/008e6030-16d4-11ea-8090-12f8925a37c4",
"ActualProperties": "{\"DelaySeconds\":10,\"RedrivePolicy\":
{\"deadLetterTargetArn\":\"arn:aws:sqs:us-east-1:012345678910:StackSet-stack-set-drift-
example-b7fde68e-e541-44c2-b33d-ef2e2-DLQ-1H0SQCOKALBDJ\",\"maxReceiveCount\":20},
\"VisibilityTimeout\":60}",
"Timestamp": "2019-12-04T20:33:57.261Z",
"PhysicalResourceId": "https://sqs.us-east-1.amazonaws.com/012345678910/
StackSet-stack-set-drift-example-b7fde68e-e541-44c2-b33d-ef2-Queue-6FNDEY4AUEPV",
"ExpectedProperties": "{\"DelaySeconds\":20,\"RedrivePolicy\":
{\"deadLetterTargetArn\":\"arn:aws:sqs:us-east-1:012345678910:StackSet-stack-set-drift-
example-b7fde68e-e541-44c2-b33d-ef2e2-DLQ-1H0SQCOKALBDJ\",\"maxReceiveCount\":10},
\"VisibilityTimeout\":60}",
{
},
{
}
],
"LogicalResourceId": "Queue"
}
]
}

596
Stopping Drift Detection on a Stack Set
Stopping Drift Detection on a Stack Set

Because drift detection on a stack set can be a long-running operation, there may be instances when you
want to stop a drift detection operation that is currently running on a stack set.
To stop drift detection on a stack set using the AWS Management Console

2. On the StackSets page, select the name of the stack set.
CloudFormation displays the StackSets details page for the selected stack set.
3. On the StackSets details page, select the Operations tab, and then select the drift detection
operation.
4. Select Stop operation.
To stop drift detection on a stack set using the the AWS CLI
• Use the stop-stack-set-operation command. You must supply both the stack set name and
the operation ID of the drift detection stack set operation.
aws cloudformation stop-stack-set-operation --stack-set-name stack-set-drift-example --

operation-id 624af370-311a-11e8-b6b7-500cexample
Best Practices
Topics
• Defining the Template (p. 597)
• Creating or Adding Stacks to the Stack Set (p. 597)
• Updating Stacks in a Stack Set (p. 598)
Review the AWS CloudFormation Best Practices.
Defining the Template

• Define the template that you want to standardize in multiple accounts, within multiple regions.
• As you create the template, be sure that global resources (such as IAM roles and Amazon S3 buckets)
do not have naming conflicts when they are created in more than one region in the same account.
• A stack set has a single template and parameter set. The same stack is created in all accounts that are
associated with a stack set. As you author your templates, make them granular enough to allow you a
good balance of control and standardization.
• We recommend that you store your template in an Amazon S3 bucket.
Creating or Adding Stacks to the Stack Set

• Verify that adding stack instances to your initial stack set works before you add larger numbers of
stack instances to your stack set.
• Choose the deployment (rollout) options that work for your use case.

597
Updating Stacks in a Stack Set
• For a more conservative deployment, set Maximum Concurrent Accounts to 1, and Failure
Tolerance to 0. Set your lowest-impact region to be first in the Region Order list. Start with one
region.
• For a faster deployment, increase the values of Maximum Concurrent Accounts and Failure
Tolerance as needed.
• Operations on stack sets depend on how many stack instances are involved, and can take significant
time.
Updating Stacks in a Stack Set

• By default, updating a stack set updates all stack instances. If you have 20 accounts each in two
regions, you will have 40 stack instances, and all will be updated when you update the stack set.
For stack sets with a large number of stack instances, we recommend that to test the updated version
of a template, you selectively update the stack instances in a few test accounts before updating all
stack instances.
• To get more granular control over updating individual stacks within your stack set, plan to create
multiple stack sets.
• Updating a stack set that contains a large number of stacks can take significant time. In this release,
only one operation is permitted at a time on a stack set. Plan your updates so you are not blocked
from performing other operations on the stack set.
AWS CloudFormation StackSets Sample Templates

This section includes links to some sample AWS CloudFormation templates that can help you use AWS
CloudFormation StackSets in your enterprise. Templates listed in this section enable AWS Config and
rules within it.
Sample Templates
Description S3 Link
Enable AWS CloudTrail https://s3.amazonaws.com/cloudformation-

stackset-sample-templates-us-east-1/
EnableAWSCloudtrail.yml
Enable AWS Config https://s3.amazonaws.com/cloudformation-

stackset-sample-templates-us-east-1/
EnableAWSConfig.yml
Configure an AWS Config rule to determine if https://s3.amazonaws.com/cloudformation-

CloudTrail is enabled stackset-sample-templates-us-east-1/
ConfigRuleCloudtrailEnabled.yml
Configure an AWS Config rule to determine if root https://s3.amazonaws.com/cloudformation-

MFA is enabled stackset-sample-templates-us-east-1/
ConfigRuleRootAccountMFAEnabled.yml
Configure an AWS Config rule to determine if EIPs https://s3.amazonaws.com/cloudformation-

are attached stackset-sample-templates-us-east-1/
ConfigRuleEipAttached.yml

598
Troubleshooting
Description S3 Link
Configure an AWS Config rule to determine if EBS https://s3.amazonaws.com/cloudformation-

volumes are encrypted stackset-sample-templates-us-east-1/
ConfigRuleEncryptedVolumes.yml
Troubleshooting AWS CloudFormation StackSets

This topic contains some common AWS CloudFormation StackSets issues, and suggested solutions for
those issues.
Topics
• Common reasons for stack operation failure (p. 599)
• Retrying failed stack creation or update operations (p. 599)
• Stack instance deletion fails (p. 600)
Common reasons for stack operation failure

Problem: A stack operation failed, and the stack instance status is OUTDATED.
Cause: There can be several common causes for stack operation failure.
• Insufficient permissions in a target account for creating resources that are specified in your template.
• The AWS CloudFormation template might have errors. Validate the template in AWS CloudFormation
and fix errors before trying to create your stack set.
• The template could be trying to create global resources that must be unique but aren't, such as S3
buckets.
• A specified target account number doesn't exist. Check the target account numbers that you specified
on the Set deployment options page of the wizard.
• The administrator account does not have a trust relationship with the target account.
• The maximum number of a resource that is specified in your template already exists in your target
account. For example, you might have reached the limit of allowed IAM roles in a target account, but
the template creates more IAM roles.
• You have reached the maximum number of stacks that are allowed in a stack set. See AWS
CloudFormation Limits for the maximum number of stacks per stack set.
Solution: For more information about the permissions required of target and administrator accounts
before you can create stack sets, see Set Up Basic Permissions for Stack Sets Operations (p. 567).
Retrying failed stack creation or update operations

Problem: A stack creation or update failed, and the stack instance status is OUTDATED. To troubleshoot
why a stack creation or update failed, open the AWS CloudFormation console, and view the events for
the stack, which will have a status of DELETED (for failed create operations) or FAILED (for failed update
operations). Browse the stack events, and find the Status reason column. The value of Status reason
explains why the stack operation failed.
After you have fixed the underlying cause of the stack creation failure, and you are ready to retry stack
creation, perform the following steps.
Solution: Perform the following steps to retry your stack operation.

599
Stack instance deletion fails
1. In the console, select the stack set that contains the stack on which the operation failed.
2. In the Actions menu, choose Edit StackSet details to retry creating or updating stacks.
3. On the Specify template page, to use the same AWS CloudFormation template, keep the default
option, Use current template. If your stack operation failed because the template required changes,
and you want to upload a revised template, choose Upload a template to Amazon S3 instead, and
then choose Browse to select your updated template. When you are finished uploading your revised
template, choose Next.
4. On the Specify details page, if you are not changing any parameters that are specific to your
template, choose Next.
5. On the Set deployment options page, change defaults for Maximum concurrent accounts and
Failure tolerance, if desired. For more information about these settings, see Stack set operation
options (p. 565).
6. On the Review page, review your selections, and fill the checkbox to acknowledge required IAM
capabilities. Choose Submit.
7. If your stack is not successfully updated, repeat this procedure, after you've resolved any underlying
issues that are preventing stack creation.
Stack instance deletion fails

Problem: A stack deletion has failed.
Cause: Stack deletion will fail for any stacks on which termination protection has been enabled.
Solution: Determine if termination protection has been enabled for the stack. If it has, disable
termination protection and then perform the stack instance deletion again.

600
Private and Public Resource Providers
Using the CloudFormation Registry

The CloudFormation registry lists the resources, both private and public (AWS), that are available for use
in your CloudFormation account.
Private and Public Resource Providers

Private resource providers are those resource providers that you have explicitly registered for use in your
AWS account. These may be resource providers you've created yourself, as well as ones shared with you.
You can use the CloudFormation CLI, an open-source tool for resource management, to create private
resource providers. For more information, see the CloudFormation Command Line Interface User Guide.
Note
Private resource providers implement custom logic that runs during resource create, read,
update, list, and delete operations. Because of this, using private resource providers in your
CloudFormation stacks incurs charges to your account. This is in additon to any charges incurred
for the resources created. For more informaiton, see AWS CloudFormation Pricing.
Public resource providers are those provided by AWS to manage specific AWS service resources. While
the registry lists AWS resources implemented using the open-source resource provider framework,
all the resources included in the Resource and Property Types Reference are available for use in your
CloudFormation account.
Registering Resource Providers in CloudFormation

To use private resource providers--either ones you develop yourself, or providers shared with you--you
must first register them with CloudFormation, in the accounts and regions in which you want to use
them. Once you're registered a resource provider, it will appear in the CloudFormation registry for that
account and region, and you can use it in your stack templates.
You can register a resource provider using the register-type command of the AWS CLI, or using the
submit command of the CloudFormation CLI. To register a resource provider using the CloudFormation
CLI, see Registering Resource Providers in the CloudFormation CLI User Guide.
To Register a Resource Provider Using the AWS CLI
1. Locate the S3 bucket that contains the resource provider package for the resource provider you want
to register in your account.
2. Use the register-type command to register the resource provider in your account:
RegisterType is an asynchronous action, and returns a registration token you can use to track the
progress of your registration request.
Note
If your resource type calls AWS APIs in any of its handlers, you must create an IAM execution
role that includes the necessary permissions to call those AWS APIs, and provision that
execution role in your account. You can then specify this execution role using the --
execution-role-arn parameter. CloudFormation then assumes that execution role to
provide your resource type with the appropriate credentials.
For example. the following command registers the My::Resource::Example resource type in the
current AWS account:

601
Specifying Which Version of a Resource Provider to Use
aws cloudformation register-type --type-name My::Resource::Example --schema-handler-

package [s3 object path] --type RESOURCE
{
"RegistrationToken": "f5525280-104e-4d35-bef5-8f1fexample"
}
3. Optional: Use the registration token with the describe-type-registration command to track
the progress of your registration request.
When CloudFormation completes the registration request, it sets the progress status of the request
to COMPLETE.
The following example uses the registration token returned by the RegisterType command above to
return registration status information.
aws cloudformation describe-type-registration --registration-token f5525280-104e-4d35-

bef5-8f1fexample
{
"ProgressStatus": "COMPLETE",
"TypeArn": "arn:aws:cloudformation:us-east-1:012345678910:type/resource/My-
Resource-Example",
"Description": "Deployment is currently in DEPLOY_STAGE of status COMPLETED; ",
"TypeVersionArn": "arn:aws:cloudformation:us-east-1:012345678910:type/resource/My-
Resource-Example/00000001"
}
Specifying Which Version of a Resource Provider to

Use
Over time, you may register multiple versions of the same resource provider. You can specify which
version of the resource provider you want to use for CloudFormation operations.
To Specify Which Version of a Resource Provider to Use Using the AWS CLI
• Use the set-type-default-version command to specify which version of the resource provider
to use for CloudFormation operations in your account.
For example, the following command sets the default version of the My::Resource::Example
resource type to 00000003 for the current account.
aws cloudformation set-type-default-version --type RESOURCE --type-name

My::Resource::Example --version-id 00000003
Viewing Registered Resource Providers in

CloudFormation
Once you've registered a resource provider in an account, you can view the details of that resource
provider in the CloudFormation console. Private resource providers are displayed in the Private section of
the CloudFormation registry.

602
Viewing Registered Resource Providers in CloudFormation
To View Registered Resource Providers in the CloudFormation Console
1. In the AWS CloudFormation console, from the CloudFormation navigation pane, under
CloudFormation registry, select Resource types.
2. On the Resource types page, under Resource types, select Public or Private.

603
Resource and Property Reference
Template Reference
This section details the supported resources, type names, intrinsic functions, and pseudo parameters
used in AWS CloudFormation templates.
Topics
• AWS Resource and Property Types Reference (p. 604)
• AWS CloudFormation Resource Specification (p. 3749)
• Resource Attribute Reference (p. 3760)
• Intrinsic Function Reference (p. 3784)
• Pseudo Parameters Reference (p. 3826)
• CloudFormation Helper Scripts Reference (p. 3828)
AWS Resource and Property Types Reference

This section contains reference information for all AWS resource and property types that are supported
by AWS CloudFormation.
Resource type identifiers always take the following form:
service-provider::service-name::data-type-name
Service Resource Type

• AccessAnalyzer Resource Type Reference (p. 607)
• ASK Resource Type Reference (p. 611)
• AmazonMQ Resource Type Reference (p. 617)
• Amplify Console Resource Type Reference (p. 637)
• Amazon API Gateway Resource Type Reference (p. 652)
• Amazon API Gateway V2 Resource Type Reference (p. 749)
• Application Auto Scaling Resource Type Reference (p. 792)
• App Mesh Resource Type Reference (p. 822)
• Amazon AppStream 2.0 Resource Type Reference (p. 875)
• AppSync Resource Type Reference (p. 902)
• Amazon Athena Resource Type Reference (p. 942)
• AWS Auto Scaling Resource Type Reference (p. 945)
• Amazon EC2 Auto Scaling Resource Type Reference (p. 963)
• AWS Backup Resource Type Reference (p. 1025)
• AWS Batch Resource Type Reference (p. 1036)
• AWS Billing and Cost Management Budgets Resource Type Reference (p. 1063)
• AWS Certificate Manager Resource Type Reference (p. 1078)
• AWS Cloud9 Resource Type Reference (p. 1082)

604
• CloudFormation Resource Type Reference (p. 1085)

• CloudFront Resource Type Reference (p. 1098)
• AWS Cloud Map Resource Type Reference (p. 1141)
• CloudTrail Resource Type Reference (p. 1161)
• CloudWatch Resource Type Reference (p. 1171)
• CloudWatch Logs Resource Type Reference (p. 1194)
• Amazon EventBridge Resource Type Reference (p. 1206)
• CodeBuild Resource Type Reference (p. 1235)
• CodeCommit Resource Type Reference (p. 1274)
• CodeDeploy Resource Type Reference (p. 1280)
• CodePipeline Resource Type Reference (p. 1320)
• CodeStar Resource Type Reference (p. 1351)
• CodeStarNotifications Resource Type Reference (p. 1356)
• Amazon Cognito Resource Type Reference (p. 1359)
• Config Resource Type Reference (p. 1431)
• AWS Data Pipeline Resource Type Reference (p. 1477)
• DAX Resource Type Reference (p. 1492)
• AWS Directory Service Resource Type Reference (p. 1504)
• DLM Resource Type Reference (p. 1513)
• DMS Resource Type Reference (p. 1523)
• Amazon DocumentDB Resource Type Reference (p. 1551)
• DynamoDB Resource Type Reference (p. 1565)
• EC2 Resource Type Reference (p. 1589)
• Amazon ECR Resource Type Reference (p. 1842)
• ECS Resource Type Reference (p. 1847)
• EFS Resource Type Reference (p. 1930)
• EKS Resource Type Reference (p. 1938)
• ElastiCache Resource Type Reference (p. 1949)
• Elasticsearch Resource Type Reference (p. 1978)
• AWS Elastic Beanstalk Resource Type Reference (p. 1995)
• Elastic Load Balancing Resource Type Reference (p. 2025)
• ElasticLoadBalancingV2 Resource Type Reference (p. 2039)
• Amazon EMR Resource Type Reference (p. 2110)
• EventSchemas Resource Type Reference (p. 2193)
• FSx Resource Type Reference (p. 2201)
• Amazon GameLift Resource Type Reference (p. 2215)
• AWS Glue Resource Type Reference (p. 2259)
• GuardDuty Resource Type Reference (p. 2340)
• IAM Resource Type Reference (p. 2354)
• Inspector Resource Type Reference (p. 2389)
• IoT Resource Type Reference (p. 2395)
• IoT1Click Resource Type Reference (p. 2428)
• AWS IoT Analytics Resource Type Reference (p. 2437)
• IoTEvents Resource Type Reference (p. 2491)

605
• AWS IoT Greengrass Resource Type Reference (p. 2518)

• AWS IoT Things Graph Resource Type Reference (p. 2631)
• Amazon Kinesis Resource Type Reference (p. 2633)
• KinesisAnalytics Resource Type Reference (p. 2640)
• Amazon Kinesis Data Analytics V2 Resource Type Reference (p. 2670)
• Amazon Kinesis Data Firehose Resource Type Reference (p. 2720)
• KMS Resource Type Reference (p. 2766)
• LakeFormation Resource Type Reference (p. 2775)
• Lambda Resource Type Reference (p. 2781)
• ManagedBlockchain Resource Type Reference (p. 2818)
• AWS Elemental MediaConvert Resource Type Reference (p. 2833)
• AWS Elemental MediaLive Resource Type Reference (p. 2846)
• MediaStore Resource Type Reference (p. 2877)
• MSK Resource Type Reference (p. 2881)
• Amazon Neptune Resource Type Reference (p. 2921)
• AWS OpsWorks Resource Type Reference (p. 2934)
• AWS OpsWorks CM Resource Type Reference (p. 2995)
• Pinpoint Resource Type Reference (p. 3006)
• PinpointEmail Resource Type Reference (p. 3075)
• QLDB Resource Type Reference (p. 3093)
• RAM Resource Type Reference (p. 3096)
• RDS Resource Type Reference (p. 3099)
• Amazon Redshift Resource Type Reference (p. 3160)
• RoboMaker Resource Type Reference (p. 3179)
• Amazon Route 53 Resource Type Reference (p. 3201)
• Amazon Route 53 Resolver Resource Type Reference (p. 3258)
• Amazon Simple Storage Service Resource Type Reference (p. 3269)
• Amazon SageMaker Resource Type Reference (p. 3334)
• AWS Secrets Manager (p. 3373)
• AWS Service Catalog Resource Type Reference (p. 3399)
• SecurityHub Resource Type Reference (p. 3433)
• SES Resource Type Reference (p. 3434)
• Amazon SimpleDB Resource Type Reference (p. 3466)
• Amazon Simple Notification Service Resource Type Reference (p. 3467)
• Amazon Simple Queue Service Resource Type Reference (p. 3476)
• AWS Step Functions Resource Type Reference (p. 3485)
• AWS Systems Manager Resource Type Reference (p. 3496)
• AWS Transfer for SFTP Resource Type Reference (p. 3550)
• WAF Resource Type Reference (p. 3558)
• WAFv2 Resource Type Reference (p. 3600)
• AWS WAF Regional Resource Type Reference (p. 3688)
• WorkSpaces Resource Type Reference (p. 3742)
• Shared Property Types Reference (p. 3746)

606
AccessAnalyzer
AccessAnalyzer Resource Type Reference

Resource Types
• AWS::AccessAnalyzer::Analyzer (p. 607)
AWS::AccessAnalyzer::Analyzer
The AWS::AccessAnalyzer::Analyzer resource specifies a new analyzer. The analyzer is an object
that represents the IAM Access Analyzer feature. An analyzer is required for Access Analyzer to become
operational.
Syntax
JSON
{
"Type" : "AWS::AccessAnalyzer::Analyzer",
"Properties" : {
"AnalyzerName" : String,
"ArchiveRules" : [ ArchiveRule (p. 609), ... ],
"Tags" : [ Tag, ... ],
"Type" : String
}
}
YAML
Type: AWS::AccessAnalyzer::Analyzer
Properties:
AnalyzerName: String
ArchiveRules:
- ArchiveRule (p. 609)
Tags:
- Tag
Type: String
Properties
AnalyzerName
The name of the analyzer.
Required: Yes
Type: String
Update requires: Replacement

ArchiveRules
Specifies the archive rules to add for the analyzer.
Required: No
Type: List of ArchiveRule (p. 609)

607
AccessAnalyzer
Update requires: No interruption

Tags
The tags to apply to the analyzer.
Required: No
Type: List of Tag

Type
The type represents the zone of trust for the analyzer.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN of the
analyzer created.
For more information about using the Ref function, see Ref.
Examples
Declare an Analyzer Resource
The following example shows how to declare a IAM Access Analyzer Analyzer resource:
JSON
{
"Resources": {
"Analyzer": {
"Properties": {
"AnalyzerName": "DevAccountAnalyzer",
"ArchiveRules": [
{
"Filter": [
{
"Eq": [
"123456789012"
],
"Property": "principal.AWS"
}
],
"RuleName": "ArchiveTrustedAccountAccess"
},
{
"Filter": [
{
"Contains": [
"arn:aws:s3:::docs-bucket",
"arn:aws:s3:::clients-bucket"
],

608
AccessAnalyzer
"Property": "resource"
}
],
"RuleName": "ArchivePublicS3BucketsAccess"
}
],
"Tags": [
{
"Key": "Kind",
"Value": "Dev"
}
],
"Type": "ACCOUNT"
},
"Type": "AWS::AccessAnalyzer::Analyzer"
}
}
}
YAML
Resources:
Analyzer:
Type: 'AWS::AccessAnalyzer::Analyzer'
Properties:
AnalyzerName: MyAccountAnalyzer
Type: ACCOUNT
Tags:
-
Key: Kind
Value: Dev
ArchiveRules:
-
# Archive findings for a trusted AWS account
RuleName: ArchiveTrustedAccountAccess
Filter:
-
Property: 'principal.AWS'
Eq:
- '123456789012'
-
# Archive findings for known public S3 buckets
RuleName: ArchivePublicS3BucketsAccess
Filter:
-
Property: 'resource'
Contains:
- 'arn:aws:s3:::docs-bucket'
- 'arn:aws:s3:::clients-bucket'
AWS::AccessAnalyzer::Analyzer ArchiveRule
The criteria for an archive rule.
Syntax
JSON

609
AccessAnalyzer
"Filter" : [ Filter (p. 610), ... ],

"RuleName" : String
}
YAML
Filter:
- Filter (p. 610)
RuleName: String
Properties
Filter
The criteria for the rule.
Required: Yes
Type: List (p. 610) of Filter (p. 610)

RuleName
The name of the archive rule.
Required: Yes
Type: String
AWS::AccessAnalyzer::Analyzer Filter
The criteria that defines the rule.
Syntax
JSON
{
"Contains" : [ String, ... ],
"Eq" : [ String, ... ],
"Exists" : Boolean,
"Neq" : [ String, ... ],
"Property" : String
}
YAML
Contains:
- String
Eq:
- String
Exists: Boolean
Neq:
- String
Property: String

610
ASK
Properties
Contains
A "contains" condition to match for the rule.
Required: No
Type: List of String

Eq
An "equals" condition to match for the rule.
Required: No

Exists
An "exists" condition to match for the rule.
Required: No
Type: Boolean

Neq
A "not equal" condition to match for the rule.
Required: No

Property
The property used to define the criteria in the filter for the rule.
Required: Yes
Type: String
ASK Resource Type Reference

Resource Types
• Alexa::ASK::Skill (p. 611)
Alexa::ASK::Skill
The Alexa::ASK::Skill resource creates an Alexa skill that enables customers to access new abilities.
For more information about developing a skill, see the Build Skills with the Alexa Skills Kit developer
documentation.

611
ASK
Syntax
JSON
{
"Type" : "Alexa::ASK::Skill",
"Properties" : {
"AuthenticationConfiguration" : AuthenticationConfiguration (p. 614),
"SkillPackage" : SkillPackage (p. 616),
"VendorId" : String
}
}
YAML
Type: Alexa::ASK::Skill
Properties:
AuthenticationConfiguration:
AuthenticationConfiguration (p. 614)
SkillPackage:
SkillPackage (p. 616)
VendorId: String
Properties
AuthenticationConfiguration
Login with Amazon (LWA) configuration used to authenticate with the Alexa service. Only Login with
Amazon clients created through the Amazon Developer Console are supported. The client ID, client
secret, and refresh token are required.
Required: Yes
Type: AuthenticationConfiguration (p. 614)

SkillPackage
Configuration for the skill package that contains the components of the Alexa skill. Skill packages
are retrieved from an Amazon S3 bucket and key and used to create and update the skill. For more
information about the skill package format, see the Skill Package API Reference.
Required: Yes
Type: SkillPackage (p. 616)

VendorId
The vendor ID associated with the Amazon developer account that will host the skill. Details for
retrieving the vendor ID are in How to get your vendor ID. The provided LWA credentials must be
linked to the developer account associated with this vendor ID.
Required: Yes
Type: String

612
ASK
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the skill ID, such
as amzn1.ask.skill.a3103cee-c48c-40a0-a2c9-251141888863.
Examples
Alexa Skill Resource Configuration
The following example retrieves the skill package from an S3 bucket and provides credentials for
authentication with the Alexa service through Login with Amazon (LWA).
JSON
"MySkill": {
"Type": "Alexa::ASK::Skill",
"Properties": {
"SkillPackage": {
"S3Bucket": "my-skill-packages",
"S3Key": "skillpackage.zip",
"S3BucketRole": { "Fn::GetAtt": [ "S3BucketReadRole", "Arn" ] },
"Overrides": {
"Manifest": {
"apis": {
"custom": {
"endpoint": {
"uri": { "Fn::GetAtt" : [ "SkillFunction", "Arn" ] }
}
}
}
}
}
},
"AuthenticationConfiguration": {
"ClientId": "amzn1.application-oa2-client.1234",
"ClientSecret": "1234",
"RefreshToken": "Atzr|1234"
},
"VendorId": "1234"
}
}
YAML
MySkill: Type: "Alexa::ASK::Skill"

Properties:
SkillPackage:
S3Bucket: "my-skill-packages"
S3Key: "skillpackage.zip"
S3BucketRole: !GetAtt S3BucketReadRole.Arn
Overrides:
Manifest:
apis:
custom:

613
ASK
endpoint:
uri: !GetAtt SkillFunction.Arn
ClientId: "amzn1.application-oa2-client.1234"
ClientSecret: "1234"
RefreshToken: "Atzr|1234"
VendorId: "1234"
Alexa::ASK::Skill AuthenticationConfiguration
The AuthenticationConfiguration property type specifies the Login with Amazon (LWA)
configuration used to authenticate with the Alexa service. Only Login with Amazon security profiles
created through the Build Skills with the Alexa Skills Kit developer documentation are supported for
authentication. A client ID, client secret, and refresh token are required. You can generate a client ID
and client secret by creating a new security profile on the Amazon Developer Portal or you can retrieve
them from an existing profile. You can then retrieve the refresh token using the Alexa Skills Kit CLI. For
instructions, see util-command in the ASK CLI Command Reference.
AuthenticationConfiguration is a property of the Alexa::ASK::Skill resource.
Syntax
JSON
{
"ClientId" : String,
"ClientSecret" : String,
"RefreshToken" : String
}
YAML
ClientId: String
ClientSecret: String
RefreshToken: String
Properties
ClientId
Client ID from Login with Amazon (LWA).
Required: Yes
Type: String

ClientSecret
Client secret from Login with Amazon (LWA).
Required: Yes
Type: String

614
ASK
RefreshToken
Refresh token from Login with Amazon (LWA).
Required: Yes
Type: String
Alexa::ASK::Skill Overrides
The Overrides property type provides overrides to the skill package to apply when creating or
updating the skill. Values provided here do not modify the contents of the original skill package.
Currently, only overriding values inside of the skill manifest component of the package is supported.
Overrides is a property of the Alexa::ASK::Skill SkillPackage property type.
Syntax
JSON
{
"Manifest" : Json
}
YAML
Manifest: Json
Properties
Manifest
Overrides to apply to the skill manifest inside of the skill package. The skill manifest contains
metadata about the skill. For more information, see Skill Manifest Schemas.
Required: No
Type: Json
Examples
Alexa Skill Overrides Resource Configuration
JSON
"Manifest": {
"publishingInformation": {
"locales": {
"en-US": {
"summary": "Sample Short Description",

615
ASK
}
},
"category": "EDUCATION_AND_REFERENCE"
}
}
YAML
Manifest:
publishingInformation:
locales:
en-US:
summary: "Sample Short Description"
category: "EDUCATION_AND_REFERENCE"
Alexa::ASK::Skill SkillPackage
The SkillPackage property type contains configuration details for the skill package that contains
the components of the Alexa skill. Skill packages are retrieved from an Amazon S3 bucket and key and
used to create and update the skill. More details about the skill package format are located in the Skill
Package API Reference.
SkillPackage is a property of the Alexa::ASK::Skill resource.
Syntax
JSON
{
"Overrides" : Overrides (p. 615),
"S3Bucket" : String,
"S3BucketRole" : String,
"S3Key" : String,
"S3ObjectVersion" : String
}
YAML
Overrides:
Overrides (p. 615)
S3Bucket: String
S3BucketRole: String
S3Key: String
S3ObjectVersion: String
Properties
Overrides
Overrides to the skill package to apply when creating or updating the skill. Values provided here do
not modify the contents of the original skill package. Currently, only overriding values inside of the
skill manifest component of the package is supported.
Required: No
Type: Overrides (p. 615)

616
AmazonMQ

S3Bucket
The name of the Amazon S3 bucket where the .zip file that contains the skill package is stored.
Required: Yes
Type: String

S3BucketRole
ARN of the IAM role that grants the Alexa service (alexa-appkit.amazon.com) permission to
access the bucket and retrieve the skill package. This property is optional. If you do not provide it,
the bucket must be publicly accessible or configured with a policy that allows this access. Otherwise,
AWS CloudFormation cannot create the skill.
Required: No
Type: String

S3Key
The location and name of the skill package .zip file.
Required: Yes
Type: String

S3ObjectVersion
If you have S3 versioning enabled, the version ID of the skill package.zip file.
Required: No
Type: String
AmazonMQ Resource Type Reference

Resource Types
• AWS::AmazonMQ::Broker (p. 617)

• AWS::AmazonMQ::Configuration (p. 631)
• AWS::AmazonMQ::ConfigurationAssociation (p. 634)
AWS::AmazonMQ::Broker
A broker is a message broker environment running on Amazon MQ. It is the basic building block of
Amazon MQ.
The AWS::AmazonMQ::Broker resource lets you create Amazon MQ brokers, add configuration changes
or modify users for the specified broker, return information about the specified broker, and delete the

617
AmazonMQ
specified broker. For more information, see Amazon MQ Basic Elements in the Amazon MQ Developer
Guide.
• ec2:CreateNetworkInterface
This permission is required to allow Amazon MQ to create an elastic network interface (ENI) on behalf
of your account.
• ec2:CreateNetworkInterfacePermission
This permission is required to attach the ENI to the broker instance.

• ec2:DeleteNetworkInterface
• ec2:DeleteNetworkInterfacePermission
• ec2:DetachNetworkInterface
• ec2:DescribeInternetGateways
• ec2:DescribeNetworkInterfaces
• ec2:DescribeNetworkInterfacePermissions
• ec2:DescribeRouteTables
• ec2:DescribeSecurityGroups
• ec2:DescribeSubnets
• ec2:DescribeVpcs
Syntax
JSON
{
"Type" : "AWS::AmazonMQ::Broker",
"Properties" : {
"AutoMinorVersionUpgrade" : Boolean,
"BrokerName" : String,
"Configuration" : ConfigurationId (p. 626),
"DeploymentMode" : String,
"EncryptionOptions" : EncryptionOptions (p. 626),
"EngineType" : String,
"EngineVersion" : String,
"HostInstanceType" : String,
"Logs" : LogList (p. 627),
"MaintenanceWindowStartTime" : MaintenanceWindow (p. 628),
"PubliclyAccessible" : Boolean,
"SecurityGroups" : [ String, ... ],
"StorageType" : String,
"SubnetIds" : [ String, ... ],
"Tags" : [ TagsEntry (p. 629), ... ],
"Users" : [ User (p. 629), ... ]
}
}
YAML
Type: AWS::AmazonMQ::Broker
Properties:
AutoMinorVersionUpgrade: Boolean
BrokerName: String
Configuration:

618
AmazonMQ
ConfigurationId (p. 626)

DeploymentMode: String
EncryptionOptions:
EncryptionOptions (p. 626)
EngineType: String
EngineVersion: String
HostInstanceType: String
Logs:
LogList (p. 627)
MaintenanceWindowStartTime:
MaintenanceWindow (p. 628)
PubliclyAccessible: Boolean
SecurityGroups:
- String
StorageType: String
SubnetIds:
- String
Tags:
- TagsEntry (p. 629)
Users:
- User (p. 629)
Properties
AutoMinorVersionUpgrade
Enables automatic upgrades to new minor versions for brokers, as Apache releases the versions. The
automatic upgrades occur during the maintenance window of the broker or after a manual broker
reboot.
Required: Yes
Type: Boolean

BrokerName
The name of the broker. This value must be unique in your AWS account, 1-50 characters long, must
contain only letters, numbers, dashes, and underscores, and must not contain white spaces, brackets,
wildcard characters, or special characters.
Required: Yes
Type: String

Configuration
A list of information about the configuration.
Required: No
Type: ConfigurationId (p. 626)

DeploymentMode
The deployment mode of the broker. Available values:

• SINGLE_INSTANCE
• ACTIVE_STANDBY_MULTI_AZ

619
AmazonMQ
Required: Yes
Type: String

EncryptionOptions
Encryption options for the broker.
Required: No
Type: EncryptionOptions (p. 626)

EngineType
The type of broker engine. Note: Currently, Amazon MQ supports only ACTIVEMQ.
Required: Yes
Type: String

EngineVersion
The version of the broker engine. For a list of supported engine versions, see https://
docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html.
Required: Yes
Type: String

HostInstanceType
The broker's instance type.
Required: Yes
Type: String

Logs
Enables Amazon CloudWatch logging for brokers.
Required: No
Type: LogList (p. 627)

MaintenanceWindowStartTime
The scheduled time period relative to UTC during which Amazon MQ begins to apply pending
updates or patches to the broker..
Required: No
Type: MaintenanceWindow (p. 628)

620
AmazonMQ

PubliclyAccessible
Enables connections from applications outside of the VPC that hosts the broker's subnets.
Required: Yes
Type: Boolean

SecurityGroups
The list of rules (1 minimum, 125 maximum) that authorize connections to brokers.
Required: No

StorageType
Not supported.
Required: No
Type: String

SubnetIds
The list of groups (2 maximum) that define which subnets and IP ranges the broker can use from
different Availability Zones. A SINGLE_INSTANCE deployment requires one subnet (for example, the
default subnet). An ACTIVE_STANDBY_MULTI_AZ deployment requires two subnets.
Required: No

Tags
An array of key-value pairs. For more information, see Using Cost Allocation Tags in the AWS Billing
and Cost Management User Guide.
Required: No
Type: List of TagsEntry (p. 629)

Users
The list of ActiveMQ users (persons or applications) who can access queues and topics. This value can
contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value
must be 2-100 characters long.
Required: Yes
Type: List of User (p. 629)

621
AmazonMQ
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon MQ
broker ID. For example:
b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following
are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
AmqpEndpoints
The AMQP endpoints of each broker instance as a list of strings.
amqp+ssl://b-4aada85d-a80c-4be0-9d30-e344a01b921e-1.mq.eu-central-
amazonaws.com:5671
Arn
The Amazon Resource Name (ARN) of the Amazon MQ broker.
arn:aws:mq:us-
east-2:123456789012:broker:MyBroker:b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9
ConfigurationId
The unique ID that Amazon MQ generates for the configuration.
c-1234a5b6-78cd-901e-2fgh-3i45j6k178l9
ConfigurationRevision
The revision number of the configuration.
1
IpAddresses
The IP addresses of each broker instance as a list of strings.
['198.51.100.2', '203.0.113.9']
MqttEndpoints
The MQTT endpoints of each broker instance as a list of strings.
mqtt+ssl://b-4aada85d-a80c-4be0-9d30-e344a01b921e-1.mq.eu-central-
amazonaws.com:8883
OpenWireEndpoints
The OpenWire endpoints of each broker instance as a list of strings.

622
AmazonMQ
ssl://b-4aada85d-a80c-4be0-9d30-e344a01b921e-1.mq.eu-central-
amazonaws.com:61617
StompEndpoints
The STOMP endpoints of each broker instance as a list of strings.
stomp+ssl://b-4aada85d-a80c-4be0-9d30-e344a01b921e-1.mq.eu-central-
amazonaws.com:61614
WssEndpoints
The WSS endpoints of each broker instance as a list of strings.
wss://b-4aada85d-a80c-4be0-9d30-e344a01b921e-1.mq.eu-central-
amazonaws.com:61619
Examples
Basic Amazon MQ Broker
The following example creates a basic Amazon MQ broker with one user that belongs to a group.
JSON
{
"Description": "Create a basic AmazonMQ broker",
"Resources": {
"BasicBroker": {
"Type": "AWS::AmazonMQ::Broker",
"Properties": {
"AutoMinorVersionUpgrade": "false",
"BrokerName": "MyBasicBroker",
"DeploymentMode": "SINGLE_INSTANCE",
"EngineType": "ActiveMQ",
"EngineVersion": "5.15.0",
"HostInstanceType": "mq.t2.micro",
"PubliclyAccessible": "true",
"Users": [
{
"ConsoleAccess": "true",
"Groups": [
"MyGroup"
],
"Password" : { "Ref" : "AmazonMqPassword" },
"Username" : { "Ref" : "AmazonMqUsername" }
}
]
}
}
}
}
YAML
---
Description: "Create a basic AmazonMQ broker"
Resources:
BasicBroker:
Type: "AWS::AmazonMQ::Broker"
Properties:
AutoMinorVersionUpgrade: "false"

623
AmazonMQ
BrokerName: MyBasicBroker
DeploymentMode: SINGLE_INSTANCE
EngineType: ActiveMQ
EngineVersion: "5.15.0"
HostInstanceType: mq.t2.micro
PubliclyAccessible: "true"
Users:
-
ConsoleAccess: "true"
Groups:
- MyGroup
Password:
Ref: "BrokerPassword"
Username:
Ref: "BrokerUsername"
Complex Amazon MQ Broker
The following example creates a complex Amazon MQ broker with two users that don't belong to a
group and one user that belongs in a group.
JSON
{
"Description": "Create a complex AmazonMQ broker",
"Resources": {
"ComplexBroker": {
"Type": "AWS::AmazonMQ::Broker",
"Properties": {
"AutoMinorVersionUpgrade": "false",
"BrokerName": "MyComplexBroker",
"Configuration": {
"Id": { "Ref": "Configuration1" },
"Revision" : { "Fn::GetAtt": ["Configuration1", "Revision"] }
},
"DeploymentMode": "SINGLE_INSTANCE",
"EngineType": "ActiveMQ",
"HostInstanceType": "mq.t2.micro",
"Logs": {
"General": true,
"Audit": false
},
"MaintenanceWindowStartTime": {
"DayOfWeek": "Monday",
"TimeOfDay": "22:45",
"TimeZone": "America/Los_Angeles"
},
"PubliclyAccessible": "true",
"SecurityGroups": [
"sg-a1b234cd",
"sg-e5f678gh"
],
"SubnetIds": [
"subnet-12a3b45c",
"subnet-67d8e90f"
],
"Users": [{
"ConsoleAccess": "true",
"Password" : { "Ref" : "AmazonMqPassword1" },
"Username" : { "Ref" : "AmazonMqUsername1" }
}, {

624
AmazonMQ
}, {
"Groups": [
"MyGroup1",
"MyGroup2"
],
}]
}
}
}
}
YAML
---
Description: "Create a complex AmazonMQ broker"
Resources:
ComplexBroker:
Type: "AWS::AmazonMQ::Broker"
Properties:
AutoMinorVersionUpgrade: "false"
BrokerName: MyComplexBroker
Configuration:
Id: !GetAtt Configuration1.Id
Revision: !GetAtt Configuration1.Revision
DeploymentMode: SINGLE_INSTANCE
EngineType: ActiveMQ
HostInstanceType: mq.t2.micro
Logs:
General: "true"
Audit: "false"
MaintenanceWindowStartTime:
DayOfWeek: Monday
TimeOfDay: "22:45"
TimeZone: America/Los_Angeles
PubliclyAccessible: "true"
SecurityGroups:
- "sg-a1b234cd"
- "sg-e5f678gh"
SubnetIds:
- "subnet-12a3b45c"
- "subnet-67d8e90f"
Users:
-
ConsoleAccess: "true"
Password:
Ref: "BrokerPassword1"
Username:
Ref: "BrokerUsername1"
-
Password:
Username:
-
Groups:
- MyGroup1
- MyGroup2
Password:
Username:

625
AmazonMQ
AWS::AmazonMQ::Broker ConfigurationId
A list of information about the configuration.
Syntax
JSON
{
"Id" : String,
"Revision" : Integer
}
YAML
Id: String
Revision: Integer
Properties
Id
Required: Yes
Type: String

Revision
Required: Yes
Type: Integer
AWS::AmazonMQ::Broker EncryptionOptions
Encryption options for the broker.
Syntax
JSON
{
"KmsKeyId" : String,
"UseAwsOwnedKey" : Boolean
}

626
AmazonMQ
YAML
KmsKeyId: String
UseAwsOwnedKey: Boolean
Properties
KmsKeyId
The customer master key (CMK) to use for the AWS Key Management Service (KMS). This key is used
to encrypt your data at rest. If not provided, Amazon MQ will use a default CMK to encrypt your
data.
Required: No
Type: String

UseAwsOwnedKey
Enables the use of an AWS owned CMK using AWS Key Management Service (KMS).
Required: Yes
Type: Boolean
AWS::AmazonMQ::Broker LogList
The list of information about logs to be enabled for the specified broker.
Syntax
JSON
{
"Audit" : Boolean,
"General" : Boolean
}
YAML
Audit: Boolean
General: Boolean
Properties
Audit
Enables audit logging. Every user management action made using JMX or the ActiveMQ Web
Console is logged.
Required: No
Type: Boolean

627
AmazonMQ

General
Enables general logging.
Required: No
Type: Boolean
AWS::AmazonMQ::Broker MaintenanceWindow
The parameters that determine the WeeklyStartTime to apply pending updates or patches to the
broker.
Syntax
JSON
{
"DayOfWeek" : String,
"TimeOfDay" : String,
"TimeZone" : String
}
YAML
DayOfWeek: String
TimeOfDay: String
TimeZone: String
Properties
DayOfWeek
The day of the week.
Required: Yes
Type: String

TimeOfDay
The time, in 24-hour format.
Required: Yes
Type: String

TimeZone
The time zone, UTC by default, in either the Country/City format, or the UTC offset format.

628
AmazonMQ
Required: Yes
Type: String
AWS::AmazonMQ::Broker TagsEntry
A key-value pair to associate with the broker.
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
The key in a key-value pair.
Required: Yes
Type: String

Value
The value in a key-value pair.
Required: Yes
Type: String
AWS::AmazonMQ::Broker User
The list of ActiveMQ users (persons or applications) who can access queues and topics. This value can
contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must
be 2-100 characters long.
Syntax

629
AmazonMQ
JSON
{
"ConsoleAccess" : Boolean,
"Groups" : [ String, ... ],
"Password" : String,
"Username" : String
}
YAML
ConsoleAccess: Boolean
Groups:
- String
Password: String
Username: String
Properties
ConsoleAccess
Enables access to the the ActiveMQ Web Console for the ActiveMQ user.
Required: No
Type: Boolean

Groups
The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only
alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100
characters long.
Required: No

Password
The password of the ActiveMQ user. This value must be at least 12 characters long, must contain at
least 4 unique characters, and must not contain commas.
Required: Yes
Type: String

Username
The username of the ActiveMQ user. This value can contain only alphanumeric characters, dashes,
periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.
Required: Yes
Type: String

630
AmazonMQ
AWS::AmazonMQ::Configuration
Creates a new configuration for the specified configuration name. Amazon MQ uses the default
configuration (the engine type and version).
Syntax
JSON
{
"Type" : "AWS::AmazonMQ::Configuration",
"Properties" : {
"Data" : String,
"Description" : String,
"EngineType" : String,
"Name" : String,
"Tags" : [ TagsEntry (p. 634), ... ]
}
}
YAML
Type: AWS::AmazonMQ::Configuration
Properties:
Data: String
Description: String
EngineType: String
Name: String
Tags:
Properties
Data
The base64-encoded XML configuration.
Required: Yes
Type: String

Description
The description of the configuration.
Required: No
Type: String

EngineType
The type of broker engine. Note: Currently, Amazon MQ supports only ACTIVEMQ.
Required: Yes

631
AmazonMQ
Type: String

EngineVersion
The version of the broker engine. For a list of supported engine versions, see Engine.
Required: Yes
Type: String

Name
The name of the configuration. This value can contain only alphanumeric characters, dashes,
periods, underscores, and tildes (- . _ ~). This value must be 1-150 characters long.
Required: Yes
Type: String

Tags
Create tags when creating the configuration.
Required: No
Return Values
Ref
configuration ID. For example:
c-1234a5b6-78cd-901e-2fgh-3i45j6k178l9
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the Amazon MQ configuration.
arn:aws:mq:us-
east-2:123456789012:configuration:MyConfigurationDevelopment:c-1234a5b6-78cd-901e-2fgh-
Id
The ID of the Amazon MQ configuration.
c-1234a5b6-78cd-901e-2fgh-3i45j6k178l9

632
AmazonMQ
Revision
Examples
Amazon MQ Configuration
JSON
{
"Description": "Create an Amazon MQ configuration",
"Configuration1": {
"Type": "AWS::AmazonMQ::Configuration",
"Properties": {
"Data": {
"Fn::Base64": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=
\"yes\"?>\n<broker xmlns=\"http://activemq.apache.org/schema/core\" start=
\"false\">\n <destinationPolicy>\n <policyMap>\n <policyEntries>\n
<policyEntry topic=\">\">\n <pendingMessageLimitStrategy>\n
<constantPendingMessageLimitStrategy limit=\"3000\"/>\n </
pendingMessageLimitStrategy>\n </policyEntry>\n </policyEntries>\n </
policyMap>\n </destinationPolicy>\n <plugins>\n </plugins>\n</broker>\n"
},
"EngineType": "ACTIVEMQ",
"Name": "my-configuration-1"
}
}
}
YAML
---
Description: "Create an Amazon MQ configuration"
Resources:
Configuration:
Type: "AWS::AmazonMQ::Configuration"
Properties:
Data:
? "Fn::Base64"
: |
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<broker xmlns="http://activemq.apache.org/schema/core" start="false">
<destinationPolicy>
<policyMap>
<policyEntries>
<policyEntry topic=">">
<pendingMessageLimitStrategy>
<constantPendingMessageLimitStrategy limit="3000"/>
</pendingMessageLimitStrategy>
</policyEntry>
</policyEntries>
</policyMap>
</destinationPolicy>
<plugins>
</plugins>
</broker>
EngineType: ACTIVEMQ

633
AmazonMQ
Name: my-configuration-1
AWS::AmazonMQ::Configuration TagsEntry
A key-value pair to associate with the configuration.
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
The key in a key-value pair.
Required: Yes
Type: String

Value
The value in a key-value pair.
Required: Yes
Type: String
AWS::AmazonMQ::ConfigurationAssociation
Use the AWS CloudFormation AWS::AmazonMQ::ConfigurationAssociation resource to associate
a configuration with a broker, or return information about the specified ConfigurationAssociation.
Only use one per broker, and don't use a configuration on the broker resource if you have associated a
configuration with that broker.
Syntax
JSON

634
AmazonMQ
"Type" : "AWS::AmazonMQ::ConfigurationAssociation",
"Properties" : {
"Broker" : String,
"Configuration" : ConfigurationId (p. 636)
}
}
YAML
Type: AWS::AmazonMQ::ConfigurationAssociation
Properties:
Broker: String
Configuration:
ConfigurationId (p. 636)
Properties
Broker
The broker to associate with a configuration.
Required: Yes
Type: String

Configuration
The configuration to associate with a broker.
Required: Yes
Type: ConfigurationId (p. 636)
Return Values
Ref
configurationassociation ID. For example:
c-1234a5b6-78cd-901e-2fgh-3i45j6k178l9
Examples
ConfigurationAssociation
The following example creates an Amazon MQ ConfigurationAssociation.
JSON
"ConfigurationAssociation1": {
"Type": "AWS::AmazonMQ::ConfigurationAssociation",

635
AmazonMQ
"Properties": {
"Broker": {
"Ref": "Broker1"
},
"Configuration": {
"Id": {
"Ref": "Configuration1"
},
"Revision": {
"Fn::GetAtt": [
"Configuration1",
"Revision"
]
}
}
}
}
YAML
ConfigurationAssociation1:
Type: AWS::AmazonMQ::ConfigurationAssociation
Properties:
Broker: {Ref: Broker1}
Configuration:
Id: {Ref: Configuration1}
Revision: {'Fn::GetAtt': [Configuration1, Revision]}
AWS::AmazonMQ::ConfigurationAssociation ConfigurationId
The ConfigurationId property type specifies a configuration Id and the revision of a configuration.
Syntax
JSON
{
"Id" : String,
"Revision" : Integer
}
YAML
Id: String
Revision: Integer
Properties
Id
Required: Yes
Type: String

636
Amplify Console
Revision
Required: Yes
Type: Integer
Amplify Console Resource Type Reference

Resource Types
• AWS::Amplify::App (p. 637)

• AWS::Amplify::Branch (p. 645)
• AWS::Amplify::Domain (p. 650)
AWS::Amplify::App
The AWS::Amplify::App resource creates Apps in the Amplify Console. An App is a collection of branches.
Syntax
JSON
{
"Type" : "AWS::Amplify::App",
"Properties" : {
"AccessToken" : String,
"AutoBranchCreationConfig" : AutoBranchCreationConfig (p. 640),
"BasicAuthConfig" : BasicAuthConfig (p. 642),
"BuildSpec" : String,
"CustomRules" : [ CustomRule (p. 643), ... ],
"EnvironmentVariables" : [ EnvironmentVariable (p. 644), ... ],
"IAMServiceRole" : String,
"Name" : String,
"OauthToken" : String,
"Repository" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::Amplify::App
Properties:
AccessToken: String
AutoBranchCreationConfig:
AutoBranchCreationConfig (p. 640)
BasicAuthConfig:
BasicAuthConfig (p. 642)
BuildSpec: String
CustomRules:
- CustomRule (p. 643)

637
Amplify Console
Description: String
EnvironmentVariables:
- EnvironmentVariable (p. 644)
IAMServiceRole: String
Name: String
OauthToken: String
Repository: String
Tags:
- Tag
Properties
AccessToken
Personal Access token for 3rd party source control system for an Amplify App, used to create
webhook and read-only deploy key. Token is not stored.
Required: No
Type: String

AutoBranchCreationConfig
Sets the configuration for your automatic branch creation.
Required: No
Type: AutoBranchCreationConfig (p. 640)

BasicAuthConfig
Credentials for Basic Authorization for an Amplify App.
Required: No
Type: BasicAuthConfig (p. 642)

BuildSpec
BuildSpec for an Amplify App
Required: No
Type: String

CustomRules
Custom rewrite / redirect rules for an Amplify App.
Required: No
Type: List of CustomRule (p. 643)

Description
Description for an Amplify App

638
Amplify Console
Required: No
Type: String

EnvironmentVariables
Environment variables map for an Amplify App.
Required: No
Type: List of EnvironmentVariable (p. 644)

IAMServiceRole
IAM service role ARN for the Amplify App.
Required: No
Type: String

Name
Name for the Amplify App
Required: Yes
Type: String

OauthToken
OAuth token for 3rd party source control system for an Amplify App, used to create webhook and
read-only deploy key. OAuth token is not stored.
Required: No
Type: String

Repository
Repository for an Amplify App
Required: No
Type: String

Tags
Tag for an Amplify App
Required: No
Type: List of Tag

639
Amplify Console
Return Values
Fn::GetAtt
AppId
Unique Id for the Amplify App.

AppName
Name for the Amplify App.

Arn
ARN for the Amplify App.

DefaultDomain
Default domain for the Amplify App.
AWS::Amplify::App AutoBranchCreationConfig
Use the AutoBranchCreationConfig property type to automatically create branches that match a certain
pattern.
Syntax
JSON
{
"AutoBranchCreationPatterns" : [ String, ... ],
"EnableAutoBranchCreation" : Boolean,
"EnableAutoBuild" : Boolean,
"EnablePullRequestPreview" : Boolean,
"PullRequestEnvironmentName" : String,
"Stage" : String
}
YAML
AutoBranchCreationPatterns:
- String
BasicAuthConfig:
BuildSpec: String
EnableAutoBranchCreation: Boolean
EnableAutoBuild: Boolean
EnablePullRequestPreview: Boolean
PullRequestEnvironmentName: String
Stage: String

640
Amplify Console
Properties
AutoBranchCreationPatterns
Automated branch creation glob patterns for the Amplify app.
Required: No

BasicAuthConfig
Sets password protection for your auto created branch.
Required: No

BuildSpec
Build spec for the auto created branch.
Required: No
Type: String

EnableAutoBranchCreation
Enables automated branch creation for the Amplify app.
Required: No
Type: Boolean

EnableAutoBuild
Enables auto building for the auto created branch.
Required: No
Type: Boolean

EnablePullRequestPreview
Sets whether pull request previews are enabled for each branch that Amplify Console automatically
creates for your app. Amplify Console creates previews by deploying your app to a unique URL
whenever a pull request is opened for the branch. Development and QA teams can use this preview
to test the pull request before it's merged into a production or integration branch.
To provide backend support for your preview, the Amplify Console automatically
provisions a temporary backend environment that it deletes when the pull request is
closed. If you want to specify a dedicated backend environment for your previews, use the
PullRequestEnvironmentName property.
For more information, see Web Previews in the AWS Amplify Console User Guide.

641
Amplify Console
Required: No
Type: Boolean

Environment variables for the auto created branch.
Required: No

PullRequestEnvironmentName
If pull request previews are enabled, you can use this property to specify a dedicated backend
environment for your previews. For example, you could specify an environment named prod, test,
or dev that you initialized with the Amplify CLI.
To enable pull request previews, set the EnablePullRequestPreview property to true.
If you don't specify an environment, the Amplify Console provides backend support for each preview
by automatically provisioning a temporary backend environment. Amplify Console deletes this
environment when the pull request is closed.
For more information about creating backend environments, see Feature Branch Deployments and
Team Workflows in the AWS Amplify Console User Guide.
Required: No
Type: String

Stage
Stage for the auto created branch.
Required: No
Type: String
AWS::Amplify::App BasicAuthConfig
Use the BasicAuthConfig property type to set password protection at an app level to all your branches.
Syntax
JSON
{
"EnableBasicAuth" : Boolean,
"Username" : String
}

642
Amplify Console
YAML
EnableBasicAuth: Boolean
Password: String
Username: String
Properties
EnableBasicAuth
Enables Basic Authorization for branches for the Amplify App.
Required: No
Type: Boolean

Password
The password for basic authorization.
Required: No
Type: String

Username
The user name for basic authorization.
Required: No
Type: String
AWS::Amplify::App CustomRule
The CustomRule property type allows you to specify redirects, rewrites, and reverse proxies. Redirects
enable a web app to reroute navigation from one URL to another.
Syntax
JSON
{
"Condition" : String,
"Source" : String,
"Status" : String,
"Target" : String
}
YAML
Condition: String

643
Amplify Console
Source: String
Status: String
Target: String
Properties
Condition
The condition for a URL rewrite or redirect rule, e.g. country code.
Required: No
Type: String

Source
The source pattern for a URL rewrite or redirect rule.
Required: Yes
Type: String

Status
The status code for a URL rewrite or redirect rule.
Required: No
Type: String

Target
The target pattern for a URL rewrite or redirect rule.
Required: Yes
Type: String
AWS::Amplify::App EnvironmentVariable
Environment variables are key-value pairs that are available at build time. Set environment variables for
all branches in your app.
Syntax
JSON
{
"Name" : String,
"Value" : String
}

644
Amplify Console
YAML
Name: String
Value: String
Properties
Name
The environment variable name.
Required: Yes
Type: String

Value
The environment variable value.
Required: Yes
Type: String
AWS::Amplify::Branch
The AWS::Amplify::Branch resource creates a new branch within an app.
Syntax
JSON
{
"Type" : "AWS::Amplify::Branch",
"Properties" : {
"AppId" : String,
"BranchName" : String,
"EnableAutoBuild" : Boolean,
"EnablePullRequestPreview" : Boolean,
"PullRequestEnvironmentName" : String,
"Stage" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::Amplify::Branch
Properties:
AppId: String

645
Amplify Console
BasicAuthConfig:
BranchName: String
BuildSpec: String
Description: String
EnableAutoBuild: Boolean
EnablePullRequestPreview: Boolean
PullRequestEnvironmentName: String
Stage: String
Tags:
- Tag
Properties
AppId
Unique Id for an Amplify App.
Required: Yes
Type: String

BasicAuthConfig
Basic Authorization credentials for a branch, part of an Amplify App.
Required: No

BranchName
Name for the branch.
Required: Yes
Type: String

BuildSpec
BuildSpec for the branch.
Required: No
Type: String

Description
Description for the branch.
Required: No
Type: String

646
Amplify Console
EnableAutoBuild
Enables auto building for the branch.
Required: No
Type: Boolean

EnablePullRequestPreview
Sets whether the Amplify Console creates a preview for each pull request that is made for this
branch. If this property is enabled, the Amplify Console deploys your app to a unique preview URL
after each pull request is opened. Development and QA teams can use this preview to test the pull
request before it's merged into a production or integration branch.
To provide backend support for your preview, the Amplify Console automatically
provisions a temporary backend environment that it deletes when the pull request is
closed. If you want to specify a dedicated backend environment for your previews, use the
PullRequestEnvironmentName property.
For more information, see Web Previews in the AWS Amplify Console User Guide.
Required: No
Type: Boolean

Environment Variables for the branch.
Required: No

PullRequestEnvironmentName
If pull request previews are enabled for this branch, you can use this property to specify a dedicated
backend environment for your previews. For example, you could specify an environment named
prod, test, or dev that you initialized with the Amplify CLI and mapped to this branch.
To enable pull request previews, set the EnablePullRequestPreview property to true.
If you don't specify an environment, the Amplify Console provides backend support for each preview
by automatically provisioning a temporary backend environment. Amplify Console deletes this
environment when the pull request is closed.
For more information about creating backend environments, see Feature Branch Deployments and
Team Workflows in the AWS Amplify Console User Guide.
Required: No
Type: String

Stage
Stage for the branch.

647
Amplify Console
Required: No
Type: String

Tags
Tag for the branch.
Required: No
Type: List of Tag
Return Values
Fn::GetAtt
Arn
ARN for a branch, part of an Amplify App.

BranchName
Name for a branch, part of an Amplify App.
AWS::Amplify::Branch BasicAuthConfig
Use the BasicAuthConfig property type to set password protection for a specific branch.
Syntax
JSON
{
"EnableBasicAuth" : Boolean,
"Username" : String
}
YAML
EnableBasicAuth: Boolean
Password: String
Username: String
Properties
EnableBasicAuth
Enables Basic Auth for the branch.
Required: No
Type: Boolean

648
Amplify Console

Password
The password for basic authorization.
Required: Yes
Type: String

Username
The user name for basic authorization.
Required: Yes
Type: String
AWS::Amplify::Branch EnvironmentVariable
The EnvironmentVariable property type sets environment variables for a specific branch. Environment
variables are key-value pairs that are available at build time.
Syntax
JSON
{
"Name" : String,
"Value" : String
}
YAML
Name: String
Value: String
Properties
Name
The environment variable name.
Required: Yes
Type: String

Value
The environment variable value.
Required: Yes
Type: String

649
Amplify Console
AWS::Amplify::Domain
The AWS::Amplify::Domain resource allows you to connect a custom domain to your app.
Syntax
JSON
{
"Type" : "AWS::Amplify::Domain",
"Properties" : {
"AppId" : String,
"DomainName" : String,
"SubDomainSettings" : [ SubDomainSetting (p. 651), ... ]
}
}
YAML
Type: AWS::Amplify::Domain
Properties:
AppId: String
DomainName: String
SubDomainSettings:
- SubDomainSetting (p. 651)
Properties
AppId
Unique Id for an Amplify App.
Required: Yes
Type: String

DomainName
Domain name for the Domain Association.
Required: Yes
Type: String

SubDomainSettings
Setting structure for the Subdomain.
Required: Yes
Type: List of SubDomainSetting (p. 651)

650
Amplify Console
Return Values
Fn::GetAtt
Arn
ARN for the Domain Association.

CertificateRecord
DNS Record for certificate verification.

DomainName
Name of the domain.

DomainStatus
Status fo the Domain Association.

StatusReason
Reason for the current status of the domain.
AWS::Amplify::Domain SubDomainSetting
The SubDomainSetting property type allows you to connect a subdomain (e.g. foo.yourdomain.com) to a
specific branch.
Syntax
JSON
{
"BranchName" : String,
"Prefix" : String
}
YAML
BranchName: String
Prefix: String
Properties
BranchName
Branch name setting for the Subdomain.
Required: Yes
Type: String

Prefix
Prefix setting for the Subdomain.

651
API Gateway
Required: Yes
Type: String
Amazon API Gateway Resource Type Reference

Resource Types
• AWS::ApiGateway::Account (p. 652)

• AWS::ApiGateway::ApiKey (p. 654)
• AWS::ApiGateway::Authorizer (p. 659)
• AWS::ApiGateway::BasePathMapping (p. 663)
• AWS::ApiGateway::ClientCertificate (p. 665)
• AWS::ApiGateway::Deployment (p. 666)
• AWS::ApiGateway::DocumentationPart (p. 679)
• AWS::ApiGateway::DocumentationVersion (p. 683)
• AWS::ApiGateway::DomainName (p. 687)
• AWS::ApiGateway::GatewayResponse (p. 695)
• AWS::ApiGateway::Method (p. 698)
• AWS::ApiGateway::Model (p. 713)
• AWS::ApiGateway::RequestValidator (p. 716)
• AWS::ApiGateway::Resource (p. 718)
• AWS::ApiGateway::RestApi (p. 720)
• AWS::ApiGateway::Stage (p. 729)
• AWS::ApiGateway::UsagePlan (p. 739)
• AWS::ApiGateway::UsagePlanKey (p. 745)
• AWS::ApiGateway::VpcLink (p. 746)
AWS::ApiGateway::Account
The AWS::ApiGateway::Account resource specifies the IAM role that Amazon API Gateway uses to
write API logs to Amazon CloudWatch Logs.
Important
If an API Gateway resource has never been created in your AWS account, you must add a
dependency on another API Gateway resource, such as an AWS::ApiGateway::RestApi or
AWS::ApiGateway::ApiKey resource.
If an API Gateway resource has been created in your AWS account, no dependency is required
(even if the resource was deleted).
Syntax
JSON

652
API Gateway
"Type" : "AWS::ApiGateway::Account",
"Properties" : {
"CloudWatchRoleArn" : String
}
}
YAML
Type: AWS::ApiGateway::Account
Properties:
CloudWatchRoleArn: String
Properties
CloudWatchRoleArn
The Amazon Resource Name (ARN) of an IAM role that has write access to CloudWatch Logs in your
account.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the
resource, such as mysta-accou-01234b567890example.
Examples
Associate account with IAM role
The following example creates an IAM role that API Gateway can assume to push logs to CloudWatch
Logs. The example associates the role with the AWS::ApiGateway::Account resource.
JSON
{
"CloudWatchRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"apigateway.amazonaws.com"
]
},

653
API Gateway
}
]
},
"Path": "/",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
]
}
},
"Account": {
"Type": "AWS::ApiGateway::Account",
"Properties": {
"CloudWatchRoleArn": {
"Fn::GetAtt": [
"CloudWatchRole",
"Arn"
]
}
}
}
}
YAML
CloudWatchRole:
Properties:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- apigateway.amazonaws.com
Action: 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- >-
arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs
Account:
Type: 'AWS::ApiGateway::Account'
Properties:
CloudWatchRoleArn: !GetAtt
- CloudWatchRole
- Arn
See Also
• account:update in the Amazon API Gateway REST API Reference
AWS::ApiGateway::ApiKey
The AWS::ApiGateway::ApiKey resource creates a unique key that you can distribute to clients who
are executing API Gateway Method resources that require an API key. To specify which API key clients
must use, map the API key with the RestApi and Stage resources that include the methods that require
a key.
Syntax

654
API Gateway
JSON
{
"Type" : "AWS::ApiGateway::ApiKey",
"Properties" : {
"CustomerId" : String,
"Enabled" : Boolean,
"GenerateDistinctId" : Boolean,
"Name" : String,
"StageKeys" : [ StageKey (p. 658), ... ],
"Tags" : [ Tag, ... ],
"Value" : String
}
}
YAML
Type: AWS::ApiGateway::ApiKey
Properties:
CustomerId: String
Description: String
Enabled: Boolean
GenerateDistinctId: Boolean
Name: String
StageKeys:
- StageKey (p. 658)
Tags:
- Tag
Value: String
Properties
CustomerId
An AWS Marketplace customer identifier to use when integrating with the AWS SaaS Marketplace.
Required: No
Type: String

Description
A description of the purpose of the API key.
Required: No
Type: String

Enabled
Indicates whether the API key can be used by clients.
Required: No
Type: Boolean

655
API Gateway
GenerateDistinctId
Specifies whether the key identifier is distinct from the created API key value.
Required: No
Type: Boolean

Name
A name for the API key. If you don't specify a name, AWS CloudFormation generates a unique
physical ID and uses that ID for the API key name. For more information, see Name Type.
Important
If you specify a name, you cannot perform updates that require replacement of this
resource. You can perform updates that require no or some interruption. If you must replace
the resource, specify a new name.
Required: No
Type: String

StageKeys
A list of stages to associate with this API key.
Required: No
Type: List of StageKey (p. 658)

Tags
An array of arbitrary tags (key-value pairs) to associate with the API key.
Required: No
Type: List of Tag

Value
The value of the API key. Must be at least 20 characters long.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the API key ID,
such as m2m1k7sybf.

656
API Gateway
Examples
API Key
The following example creates an API key and associates it with the Test stage of the
TestAPIDeployment deployment. To ensure that AWS CloudFormation creates the stage and
deployment (which are declared elsewhere in the same template) before the API key, the example adds
an explicit dependency on the deployment and stage. Without this dependency, AWS CloudFormation
might create the API key first, which would cause the association to fail because the deployment and
stage wouldn't exist.
JSON
{
"ApiKey": {
"Type": "AWS::ApiGateway::ApiKey",
"DependsOn": [
"TestAPIDeployment",
"Test"
],
"Properties": {
"Name": "TestApiKey",
"Description": "CloudFormation API Key V1",
"Enabled": "true",
"StageKeys": [
{
"RestApiId": {
"Ref": "RestApi"
},
"StageName": "Test"
}
]
}
}
}
YAML
ApiKey:
Type: 'AWS::ApiGateway::ApiKey'
DependsOn:
- TestAPIDeployment
- Test
Properties:
Name: TestApiKey
Description: CloudFormation API Key V1
Enabled: 'true'
StageKeys:
- RestApiId: !Ref RestApi
StageName: Test
Customer ID
The following example creates an API key, and enables you to specify a customer ID and whether to
create a distinct ID.
JSON
{
"Parameters": {
"apiKeyName": {

657
API Gateway
"Type": "String"
},
"customerId": {
"Type": "String"
},
"generateDistinctId": {
"Type": "String"
}
},
"Resources": {
"ApiKey": {
"Type": "AWS::ApiGateway::ApiKey",
"Properties": {
"CustomerId": {
"Ref": "customerId"
},
"GenerateDistinctId": {
"Ref": "generateDistinctId"
},
"Name": {
"Ref": "apiKeyName"
}
}
}
}
}
YAML
Parameters:
apiKeyName:
Type: String
customerId:
Type: String
generateDistinctId:
Type: String
Resources:
ApiKey:
Type: AWS::ApiGateway::ApiKey
Properties:
CustomerId: !Ref customerId
GenerateDistinctId: !Ref generateDistinctId
Name: !Ref apiKeyName
See Also
• apikey:create in the Amazon API Gateway REST API Reference
AWS::ApiGateway::ApiKey StageKey
StageKey is a property of the AWS::ApiGateway::ApiKey resource that specifies the stage to associate
with the API key. This association allows only clients with the key to make requests to methods in that
stage.
Syntax
JSON

658
API Gateway
"RestApiId" : String,
"StageName" : String
}
YAML
RestApiId: String
StageName: String
Properties
RestApiId
The ID of a RestApi resource that includes the stage with which you want to associate the API key.
Required: No
Type: String

StageName
The name of the stage with which to associate the API key. The stage must be included in the
RestApi resource that you specified in the RestApiId property.
Required: No
Type: String
See Also
• stageKeys in the Amazon API Gateway REST API Reference
AWS::ApiGateway::Authorizer
The AWS::ApiGateway::Authorizer resource creates an authorization layer that API Gateway
activates for methods that have authorization enabled. API Gateway activates the authorizer when a
client calls those methods.
Syntax
JSON
{
"Type" : "AWS::ApiGateway::Authorizer",
"Properties" : {
"AuthorizerCredentials" : String,
"AuthorizerResultTtlInSeconds" : Integer,
"AuthorizerUri" : String,
"AuthType" : String,
"IdentitySource" : String,
"IdentityValidationExpression" : String,

659
API Gateway
"Name" : String,
"ProviderARNs" : [ String, ... ],
"Type" : String
}
}
YAML
Type: AWS::ApiGateway::Authorizer
Properties:
AuthorizerCredentials: String
AuthorizerResultTtlInSeconds: Integer
AuthorizerUri: String
AuthType: String
IdentitySource: String
IdentityValidationExpression: String
Name: String
ProviderARNs:
- String
RestApiId: String
Type: String
Properties
AuthorizerCredentials
The credentials that are required for the authorizer. To specify an IAM role that API Gateway
assumes, specify the role's Amazon Resource Name (ARN). To use resource-based permissions on the
Lambda function, specify null.
Required: No
Type: String

AuthorizerResultTtlInSeconds
The time-to-live (TTL) period, in seconds, that specifies how long API Gateway caches authorizer
results. If you specify a value greater than 0, API Gateway caches the authorizer responses. By
default, API Gateway sets this property to 300. The maximum value is 3600, or 1 hour.
Required: No
Type: Integer

AuthorizerUri
The authorizer's Uniform Resource Identifier (URI). If you specify TOKEN for the
authorizer's Type property, specify a Lambda function URI that has the form
arn:aws:apigateway:region:lambda:path/path. The path usually has the
form /2015-03-31/functions/LambdaFunctionARN/invocations.
Required: Conditional
Type: String

660
API Gateway
AuthType
An optional customer-defined field that's used in OpenApi imports and exports without functional
impact.
Required: No
Type: String

IdentitySource
The source of the identity in an incoming request.
If you specify TOKEN or COGNITO_USER_POOLS for the Type property, specify a header mapping
expression using the form method.request.header.name, where name is the name of a custom
authorization header that clients submit as part of their requests.
If you specify REQUEST for the Type property, specify a comma-separated string of
one or more mapping expressions of the specified request parameter using the form
method.request.parameter.name. For supported parameter types, see Configure Lambda
Authorizer Using the API Gateway Console in the API Gateway Developer Guide.
Required: No
Type: String

IdentityValidationExpression
A validation expression for the incoming identity. If you specify TOKEN for the authorizer's Type
property, specify a regular expression. API Gateway uses the expression to attempt to match the
incoming client token, and proceeds if the token matches. If the token doesn't match, API Gateway
responds with a 401 (unauthorized request) error code.
Required: No
Type: String

Name
The name of the authorizer.
Required: No
Type: String

ProviderARNs
A list of the Amazon Cognito user pool Amazon Resource Names (ARNs) to associate with this
authorizer. For more information, see Use Amazon Cognito User Pools in the API Gateway Developer
Guide.
Required: No

661
API Gateway
RestApiId
The ID of the RestApi resource that API Gateway creates the authorizer in.
Required: Yes
Type: String

Type
The type of authorizer. Valid values include:

• TOKEN: A custom authorizer that uses a Lambda function.
• COGNITO_USER_POOLS: An authorizer that uses Amazon Cognito user pools.
• REQUEST: An authorizer that uses a Lambda function using incoming request parameters.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the authorizer's
ID, such as abcde1.
Examples
Create authorizer
The following examples create a custom authorizer that is an AWS Lambda function.
JSON
{
"Authorizer": {
"Type": "AWS::ApiGateway::Authorizer",
"Properties": {
"AuthorizerCredentials": {
"Fn::GetAtt": [
"LambdaInvocationRole",
"Arn"
]
},
"AuthorizerResultTtlInSeconds": "300",
"AuthorizerUri": {
"Fn::Join": [
"",
[
"arn:aws:apigateway:",
{
},
":lambda:path/2015-03-31/functions/",
{

662
API Gateway
"Fn::GetAtt": [
"LambdaAuthorizer",
"Arn"
]
},
"/invocations"
]
]
},
"Type": "TOKEN",
"IdentitySource": "method.request.header.Auth",
"Name": "DefaultAuthorizer",
"RestApiId": {
"Ref": "RestApi"
}
}
}
}
YAML
Authorizer:
Type: 'AWS::ApiGateway::Authorizer'
Properties:
AuthorizerCredentials: !GetAtt
- LambdaInvocationRole
- Arn
AuthorizerResultTtlInSeconds: '300'
AuthorizerUri: !Join
- ''
- - 'arn:aws:apigateway:'
- ':lambda:path/2015-03-31/functions/'
- !GetAtt
- LambdaAuthorizer
- Arn
- /invocations
Type: TOKEN
IdentitySource: method.request.header.Auth
Name: DefaultAuthorizer
RestApiId: !Ref RestApi
See Also
• authorizer:create in the Amazon API Gateway REST API Reference
AWS::ApiGateway::BasePathMapping
The AWS::ApiGateway::BasePathMapping resource creates a base path that clients who call your API
must use in the invocation URL.
Syntax
JSON
{
"Type" : "AWS::ApiGateway::BasePathMapping",
"Properties" : {

663
API Gateway
"BasePath" : String,
"Stage" : String
}
}
YAML
Type: AWS::ApiGateway::BasePathMapping
Properties:
BasePath: String
DomainName: String
RestApiId: String
Stage: String
Properties
BasePath
The base path name that callers of the API must provide in the URL after the domain name. If you
specify this property, it can't be an empty string.
Required: No
Type: String

DomainName
The DomainName of an AWS::ApiGateway::DomainName resource.
Required: Yes
Type: String

RestApiId
The name of the API.
Required: No
Type: String

Stage
The name of the API's stage.
Required: No
Type: String
See Also
• basepathmapping:create in the Amazon API Gateway REST API Reference

664
API Gateway
AWS::ApiGateway::ClientCertificate
The AWS::ApiGateway::ClientCertificate resource creates a client certificate that API Gateway
uses to configure client-side SSL authentication for sending requests to the integration endpoint.
Syntax
JSON
{
"Type" : "AWS::ApiGateway::ClientCertificate",
"Properties" : {
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::ApiGateway::ClientCertificate
Properties:
Description: String
Tags:
- Tag
Properties
Description
A description of the client certificate.
Required: No
Type: String

Tags
An array of arbitrary tags (key-value pairs) to associate with the client certificate.
Required: No
Type: List of Tag
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the client
certificate name, such as abc123.

665
API Gateway
Examples
Create client certificate
The following example creates a client certificate that you can use with an API Gateway deployment and
stage.
JSON
{
"TestClientCertificate": {
"Type": "AWS::ApiGateway::ClientCertificate",
"Properties": {
"Description": "A test client certificate"
}
}
}
YAML
TestClientCertificate:
Type: 'AWS::ApiGateway::ClientCertificate'
Properties:
Description: A test client certificate
See Also
• clientcertificate:generate in the Amazon API Gateway REST API Reference
The AWS::ApiGateway::Deployment resource deploys an API Gateway RestApi resource to a stage
so that clients can call the API over the internet. The stage acts as an environment.
Syntax
JSON
{
"Type" : "AWS::ApiGateway::Deployment",
"Properties" : {
"DeploymentCanarySettings" : DeploymentCanarySettings (p. 671),
"StageDescription" : StageDescription (p. 674),
}
}
YAML
Type: AWS::ApiGateway::Deployment
Properties:
DeploymentCanarySettings:
DeploymentCanarySettings (p. 671)
Description: String

666
API Gateway
RestApiId: String
StageDescription:
StageDescription (p. 674)
StageName: String
Properties
DeploymentCanarySettings
Specifies settings for the canary deployment.
Required: No
Type: DeploymentCanarySettings (p. 671)

Description
A description of the purpose of the API Gateway deployment.
Required: No
Type: String

RestApiId
The ID of the RestApi resource to deploy.
Required: Yes
Type: String

StageDescription
Configures the stage that API Gateway creates with this deployment.
Required: No
Type: StageDescription (p. 674)

StageName
A name for the stage that API Gateway creates with this deployment. Use only alphanumeric
characters.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the deployment
ID, such as 123abc.

667
API Gateway
Examples
The following sections provide examples for declaring API Gateway deployments.
Deployment with an empty embedded stage
The following example deploys the MyApi API to a stage named DummyStage.
JSON
{
"Deployment": {
"Type": "AWS::ApiGateway::Deployment",
"Properties": {
"RestApiId": {
"Ref": "MyApi"
},
"Description": "My deployment",
"StageName": "DummyStage"
}
}
}
YAML
Deployment:
Type: 'AWS::ApiGateway::Deployment'
Properties:
RestApiId: !Ref MyApi
Description: My deployment
StageName: DummyStage
AWS::ApiGateway::Method Dependency
If you create an AWS::ApiGateway::RestApi resource and its methods (using AWS::ApiGateway::Method)

in the same template as your deployment, the deployment must depend on the RestApi's methods. To
create a dependency, add a DependsOn attribute to the deployment. If you don't, AWS CloudFormation
creates the deployment right after it creates the RestApi resource that doesn't contain any methods,
and AWS CloudFormation encounters the following error: The REST API doesn't contain any
methods.
JSON
{
"Deployment": {
"DependsOn": "MyMethod",
"Properties": {
"RestApiId": {
"Ref": "MyApi"
},
"StageName": "DummyStage"
}
}
}

668
API Gateway
YAML
Deployment:
DependsOn: MyMethod
Type: 'AWS::ApiGateway::Deployment'
Properties:
StageName: DummyStage
See Also
• deployment:create in the Amazon API Gateway REST API Reference
AWS::ApiGateway::Deployment AccessLogSetting
The AccessLogSetting property type specifies settings for logging access in this stage.
AccessLogSetting is a property of the StageDescription property type.
Syntax
JSON
{
"DestinationArn" : String,
"Format" : String
}
YAML
DestinationArn: String
Format: String
Properties
DestinationArn
The Amazon Resource Name (ARN) of the CloudWatch Logs log group or Kinesis Data Firehose
delivery stream to receive access logs. If you specify a Kinesis Data Firehose delivery stream, the
stream name must begin with amazon-apigateway-.
Required: No
Type: String

Format
A single line format of the access logs of data, as specified by selected $context variables. The
format must include at least $context.requestId.
Required: No
Type: String

669
API Gateway
See Also
• accessLogSettings in the Amazon API Gateway REST API Reference
AWS::ApiGateway::Deployment CanarySetting
The CanarySetting property type specifies settings for the canary deployment in this stage.
CanarySetting is a property of the StageDescription property type.
Syntax
JSON
{
"PercentTraffic" : Double,
"StageVariableOverrides" : {Key : Value, ...},
"UseStageCache" : Boolean
}
YAML
PercentTraffic: Double
StageVariableOverrides:
Key : Value
UseStageCache: Boolean
Properties
PercentTraffic
The percent (0-100) of traffic diverted to a canary deployment.
Required: No
Type: Double

StageVariableOverrides
Stage variables overridden for a canary release deployment, including new stage variables
introduced in the canary. These stage variables are represented as a string-to-string map between
stage variable names and their values.
Required: No
Type: Map of String

UseStageCache
Whether the canary deployment uses the stage cache or not.

670
API Gateway
Required: No
Type: Boolean
See Also
• Stage in the Amazon API Gateway REST API Reference
AWS::ApiGateway::Deployment DeploymentCanarySettings
The DeploymentCanarySettings property type specifies settings for the canary deployment.
Syntax
JSON
{
}
YAML
Key : Value
Properties
PercentTraffic
The percentage (0-100) of traffic diverted to a canary deployment.
Required: No
Type: Double

Duplicates are not allowed.
Required: No
Type: Map of String

671
API Gateway
UseStageCache
Whether the canary deployment uses the stage cache.
Required: No
Type: Boolean
See Also
• Deployment in the Amazon API Gateway REST API Reference
AWS::ApiGateway::Deployment MethodSetting
The MethodSetting property type configures settings for all methods in a stage.
The MethodSettings property of the Amazon API Gateway Deployment StageDescription property
type contains a list of MethodSetting property types.
Syntax
JSON
{
"CacheDataEncrypted" : Boolean,
"CacheTtlInSeconds" : Integer,
"CachingEnabled" : Boolean,
"DataTraceEnabled" : Boolean,
"HttpMethod" : String,
"LoggingLevel" : String,
"MetricsEnabled" : Boolean,
"ResourcePath" : String,
"ThrottlingBurstLimit" : Integer,
"ThrottlingRateLimit" : Double
}
YAML
CacheDataEncrypted: Boolean
CacheTtlInSeconds: Integer
CachingEnabled: Boolean
DataTraceEnabled: Boolean
HttpMethod: String
LoggingLevel: String
MetricsEnabled: Boolean
ResourcePath: String
ThrottlingBurstLimit: Integer
ThrottlingRateLimit: Double
Properties
CacheDataEncrypted
Indicates whether the cached responses are encrypted.

672
API Gateway
Required: No
Type: Boolean

CacheTtlInSeconds
The time-to-live (TTL) period, in seconds, that specifies how long API Gateway caches responses.
Required: No
Type: Integer

CachingEnabled
Indicates whether responses are cached and returned for requests. You must enable a cache cluster
on the stage to cache responses. For more information, see Enable API Gateway Caching in a Stage
to Enhance API Performance in the API Gateway Developer Guide.
Required: No
Type: Boolean

DataTraceEnabled
Indicates whether data trace logging is enabled for methods in the stage. API Gateway pushes these
logs to Amazon CloudWatch Logs.
Required: No
Type: Boolean

HttpMethod
The HTTP method.
Required: No
Type: String

LoggingLevel
The logging level for this method. For valid values, see the loggingLevel property of the Stage
resource in the Amazon API Gateway API Reference.
Required: No
Type: String

MetricsEnabled
Indicates whether Amazon CloudWatch metrics are enabled for methods in the stage.

673
API Gateway
Required: No
Type: Boolean

ResourcePath
The resource path for this method. Forward slashes (/) are encoded as ~1 and the initial slash must
include a forward slash. For example, the path value /resource/subresource must be encoded
as /~1resource~1subresource. To specify the root path, use only a slash (/).
Required: No
Type: String

ThrottlingBurstLimit
The number of burst requests per second that API Gateway permits across all APIs, stages, and
methods in your AWS account. For more information, see Manage API Request Throttling in the API
Gateway Developer Guide.
Required: No
Type: Integer

ThrottlingRateLimit
The number of steady-state requests per second that API Gateway permits across all APIs, stages,
and methods in your AWS account. For more information, see Manage API Request Throttling in the
API Gateway Developer Guide.
Required: No
Type: Double
See Also
AWS::ApiGateway::Deployment StageDescription
StageDescription is a property of the AWS::ApiGateway::Deployment resource that configures a
deployment stage.
Syntax
JSON
{
"AccessLogSetting" : AccessLogSetting (p. 669),
"CacheClusterEnabled" : Boolean,

674
API Gateway
"CacheClusterSize" : String,
"CanarySetting" : CanarySetting (p. 670),
"ClientCertificateId" : String,
"DocumentationVersion" : String,
"MethodSettings" : [ MethodSetting (p. 672), ... ],
"Tags" : [ Tag, ... ],
"ThrottlingRateLimit" : Double,
"TracingEnabled" : Boolean,
"Variables" : {Key : Value, ...}
}
YAML
AccessLogSetting:
AccessLogSetting (p. 669)
CacheClusterEnabled: Boolean
CacheClusterSize: String
CanarySetting:
CanarySetting (p. 670)
ClientCertificateId: String
Description: String
DocumentationVersion: String
MethodSettings:
- MethodSetting (p. 672)
Tags:
- Tag
TracingEnabled: Boolean
Variables:
Key : Value
Properties
AccessLogSetting
Specifies settings for logging access in this stage.
Required: No
Type: AccessLogSetting (p. 669)

CacheClusterEnabled
Indicates whether cache clustering is enabled for the stage.
Required: No

675
API Gateway
Type: Boolean

CacheClusterSize
The size of the stage's cache cluster.
Required: No
Type: String

CacheDataEncrypted
Required: No
Type: Boolean

CacheTtlInSeconds
Required: No
Type: Integer

CachingEnabled
on the stage to cache responses. For more information, see Enable API Gateway Caching in a Stage
to Enhance API Performance in the API Gateway Developer Guide.
Required: No
Type: Boolean

CanarySetting
Specifies settings for the canary deployment in this stage.
Required: No
Type: CanarySetting (p. 670)

ClientCertificateId
The identifier of the client certificate that API Gateway uses to call your integration endpoints in the
stage.
Required: No
Type: String

676
API Gateway

DataTraceEnabled
Required: No
Type: Boolean

Description
A description of the purpose of the stage.
Required: No
Type: String

DocumentationVersion
The version identifier of the API documentation snapshot.
Required: No
Type: String

LoggingLevel
Required: No
Type: String

MethodSettings
Configures settings for all of the stage's methods.
Required: No
Type: List of MethodSetting (p. 672)

MetricsEnabled
Required: No
Type: Boolean

677
API Gateway
Tags
An array of arbitrary tags (key-value pairs) to associate with the stage.
Required: No
Type: List of Tag

Required: No
Type: Integer

ThrottlingRateLimit
Required: No
Type: Double

TracingEnabled
Specifies whether active tracing with X-ray is enabled for this stage.
For more information, see Trace API Gateway API Execution with AWS X-Ray in the API Gateway
Developer Guide.
Required: No
Type: Boolean

Variables
A map that defines the stage variables. Variable names must consist of alphanumeric characters, and
the values must match the following regular expression: [A-Za-z0-9-._~:/?#&=,]+.
Required: No
Type: Map of String
See Also

678
API Gateway
AWS::ApiGateway::DocumentationPart
The AWS::ApiGateway::DocumentationPart resource creates a documentation part for an API.
For more information, see Representation of API Documentation in API Gateway in the API Gateway
Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ApiGateway::DocumentationPart",
"Properties" : {
"Location" : Location (p. 681),
"Properties" : String,
"RestApiId" : String
}
}
YAML
Type: AWS::ApiGateway::DocumentationPart
Properties:
Location:
Location (p. 681)
Properties: String
RestApiId: String
Properties
Location
The location of the API entity that the documentation applies to.
Required: Yes
Type: Location (p. 681)

Properties
The documentation content map of the targeted API entity.
Required: Yes
Type: String

RestApiId
The identifier of the targeted API entity.
Required: Yes
Type: String

679
API Gateway
Return Values
Ref
documentation part, such as abc123.
Examples
Associate documentation part with documentation version
The following example associates a documentation part for an API entity with a documentation version.
JSON
{
"Parameters": {
"apiName": {
"Type": "String"
},
"description": {
"Type": "String"
},
"version": {
"Type": "String"
},
"type": {
"Type": "String"
},
"property": {
"Type": "String"
}
},
"Resources": {
"RestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Name": {
"Ref": "apiName"
}
}
},
"DocumentationPart": {
"Type": "AWS::ApiGateway::DocumentationPart",
"Properties": {
"Location": {
"Type": {
"Ref": "type"
}
},
"RestApiId": {
"Ref": "RestApi"
},
"Property": {
"Ref": "property"
}
}
},
"DocumentationVersion": {
"Type": "AWS::ApiGateway::DocumentationVersion",
"Properties": {

680
API Gateway
"Description": {
"Ref": "description"
},
"Ref": "version"
},
"RestApiId": {
"Ref": "RestApi"
}
},
"DependsOn": "DocumentationPart"
}
}
}
YAML
Parameters:
apiName:
Type: String
description:
Type: String
version:
Type: String
type:
Type: String
property:
Type: String
Resources:
RestApi:
Type: AWS::ApiGateway::RestApi
Properties:
Name: !Ref apiName
DocumentationPart:
Properties:
Location:
Type: !Ref type
Property: !Ref property
DocumentationVersion:
Type: AWS::ApiGateway::DocumentationVersion
Properties:
Description: !Ref description
DocumentationVersion: !Ref version
DependsOn: DocumentationPart
See Also
• documentationpart:create in the Amazon API Gateway REST API Reference
AWS::ApiGateway::DocumentationPart Location
The Location property specifies the location of the Amazon API Gateway API entity that the
documentation applies to. Location is a property of the AWS::ApiGateway::DocumentationPart
resource.
Note
For more information about each property, including constraints and valid values, see
DocumentationPart in the Amazon API Gateway REST API Reference.

681
API Gateway
Syntax
JSON
{
"Method" : String,
"Name" : String,
"Path" : String,
"StatusCode" : String,
"Type" : String
}
YAML
Method: String
Name: String
Path: String
StatusCode: String
Type: String
Properties
Method
The HTTP verb of a method.
Required: No
Type: String

Name
The name of the targeted API entity.
Required: No
Type: String

Path
The URL path of the target.
Required: No
Type: String

StatusCode
The HTTP status code of a response.
Required: No
Type: String

682
API Gateway
Type
The type of API entity that the documentation content applies to.
Required: No
Type: String
See Also
• DocumentationPart in the Amazon API Gateway REST API Reference
AWS::ApiGateway::DocumentationVersion
The AWS::ApiGateway::DocumentationVersion resource creates a snapshot of the documentation
for an API. For more information, see Representation of API Documentation in API Gateway in the API
Syntax
JSON
{
"Type" : "AWS::ApiGateway::DocumentationVersion",
"Properties" : {
}
}
YAML
Properties:
Description: String
RestApiId: String
Properties
Description
The description of the API documentation snapshot.
Required: No
Type: String

The version identifier of the API documentation snapshot.
Required: Yes

683
API Gateway
Type: String

RestApiId
The identifier of the API.
Required: Yes
Type: String
Examples
Associate documentation version with stage
The following example associates a documentation version with an API stage.
JSON
{
"Parameters": {
"apiName": {
"Type": "String"
},
"description": {
"Type": "String"
},
"property": {
"Type": "String"
},
"stageName": {
"Type": "String"
},
"type": {
"Type": "String"
},
"version": {
"Type": "String"
}
},
"Resources": {
"Deployment": {
"Properties": {
"RestApiId": {
"Ref": "RestApi"
}
},
"DependsOn": [
"Method"
]
},
"DocumentationPart": {
"Type": "AWS::ApiGateway::DocumentationPart",
"Properties": {
"Location": {
"Type": {
"Ref": "type"
}
},

684
API Gateway
"RestApiId": {
"Ref": "RestApi"
},
"Property": {
"Ref": "property"
}
}
},
"Type": "AWS::ApiGateway::DocumentationVersion",
"Properties": {
"Description": {
},
"Ref": "version"
},
"RestApiId": {
"Ref": "RestApi"
}
},
"DependsOn": "DocumentationPart"
},
"Method": {
"Type": "AWS::ApiGateway::Method",
"Properties": {
"AuthorizationType": "NONE",
"HttpMethod": "POST",
"ResourceId": {
"Fn::GetAtt": [
"RestApi",
"RootResourceId"
]
},
"RestApiId": {
"Ref": "RestApi"
},
"Integration": {
"Type": "MOCK"
}
}
},
"RestApi": {
"Properties": {
"Name": {
"Ref": "apiName"
}
}
},
"Stage": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"DeploymentId": {
"Ref": "Deployment"
},
"Ref": "version"
},
"RestApiId": {
"Ref": "RestApi"
},
"StageName": {
"Ref": "stageName"
}
},

685
API Gateway
"DependsOn": "DocumentationVersion"
}
}
}
YAML
Parameters:
apiName:
Type: String
description:
Type: String
property:
Type: String
stageName:
Type: String
type:
Type: String
version:
Type: String
Resources:
Deployment:
Type: AWS::ApiGateway::Deployment
Properties:
DependsOn:
- Method
DocumentationPart:
Properties:
Location:
Type: !Ref type
Property: !Ref property
DocumentationVersion:
Properties:
DependsOn: DocumentationPart
Method:
Type: AWS::ApiGateway::Method
Properties:
AuthorizationType: NONE
HttpMethod: POST
ResourceId: !GetAtt
- RestApi
- RootResourceId
Integration:
Type: MOCK
RestApi:
Properties:
Name: !Ref apiName
Stage:
Type: AWS::ApiGateway::Stage
Properties:
DeploymentId: !Ref Deployment
StageName: !Ref stageName
DependsOn: DocumentationVersion

686
API Gateway
See Also
• documentationpart:create in the Amazon API Gateway REST API Reference
AWS::ApiGateway::DomainName
The AWS::ApiGateway::DomainName resource specifies a custom domain name for your API in API
Gateway.
You can use a custom domain name to provide a URL that's more intuitive and easier to recall. For more
information about using custom domain names, see Set up Custom Domain Name for an API in API
Gateway in the API Gateway Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ApiGateway::DomainName",
"Properties" : {
"CertificateArn" : String,
"EndpointConfiguration" : EndpointConfiguration (p. 694),
"RegionalCertificateArn" : String,
"SecurityPolicy" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::ApiGateway::DomainName
Properties:
CertificateArn: String
DomainName: String
EndpointConfiguration:
EndpointConfiguration (p. 694)
RegionalCertificateArn: String
SecurityPolicy: String
Tags:
- Tag
Properties
CertificateArn
The reference to an AWS-managed certificate for use by the edge-optimized endpoint for this
domain name. AWS Certificate Manager is the only supported source. For requirements and
additional information about setting up certificates, see Get Certificates Ready in AWS Certificate
Manager in the API Gateway Developer Guide.
Required: No
Type: String

687
API Gateway
DomainName
The custom domain name for your API. Uppercase letters are not supported.
Required: Yes
Type: String

EndpointConfiguration
A list of the endpoint types of the domain name.
Required: No
Type: EndpointConfiguration (p. 694)

RegionalCertificateArn
The reference to an AWS-managed certificate for use by the regional endpoint for the domain name.
AWS Certificate Manager is the only supported source.
Required: No
Type: String

SecurityPolicy
The Transport Layer Security (TLS) version + cipher suite for this domain name.
Valid values include TLS_1_0 and TLS_1_2.
Required: No
Type: String

Tags
An array of arbitrary tags (key-value pairs) to associate with the domain name.
Required: No
Type: List of Tag
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the domain name.
Fn::GetAtt

688
API Gateway
DistributionDomainName
The Amazon CloudFront distribution domain name that's mapped to the custom domain name. This
is only applicable for endpoints whose type is EDGE.
Example: d111111abcdef8.cloudfront.net
DistributionHostedZoneId
The region-agnostic Amazon Route 53 Hosted Zone ID of the edge-optimized endpoint. The only
valid value is Z2FDTNDATAQYW2 for all regions.
RegionalDomainName
The domain name associated with the regional endpoint for this custom domain name. You set
up this association by adding a DNS record that points the custom domain name to this regional
domain name.
RegionalHostedZoneId
The region-specific Amazon Route 53 Hosted Zone ID of the regional endpoint.
Examples
Create Custom Domain
The following example creates a custom domain name of api.mydomain.com.
JSON
{
"MyDomainName": {
"Type": "AWS::ApiGateway::DomainName",
"Properties": {
"DomainName": "api.mydomain.com",
"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/fb1b9770-
a305-495d-aefb-27e5e101ff3"
}
}
}
YAML
MyDomainName:
Type: 'AWS::ApiGateway::DomainName'
Properties:
DomainName: api.mydomain.com
CertificateArn: >-
arn:aws:acm:us-east-1:111122223333:certificate/fb1b9770-a305-495d-aefb-27e5e101ff3
Create Custom Domain from Parameters
The following example creates a custom domain name of example.mydomain.com.
JSON
{
"Parameters": {

689
API Gateway
"basePath": {
"Type": "String",
"Default": "examplepath"
},
"domainName": {
"Type": "String",
"Default": "example.mydomain.com"
},
"restApiName": {
"Type": "String",
"Default": "exampleapi"
}
},
"Resources": {
"myCertificate": {
"Type": "AWS::CertificateManager::Certificate",
"Properties": {
"DomainName": {
"Ref": "domainName"
}
}
},
"myDomainName": {
"Properties": {
"CertificateArn": {
"Ref": "myCertificate"
},
"DomainName": {
"Ref": "domainName"
}
}
},
"myMapping": {
"Type": "AWS::ApiGateway::BasePathMapping",
"Properties": {
"BasePath": {
"Ref": "basePath"
},
"DomainName": {
"Ref": "myDomainName"
},
"RestApiId": {
"Ref": "myRestApi"
}
}
},
"myRestApi": {
"Properties": {
"Name": {
"Ref": "restApiName"
}
}
}
},
"Outputs": {
"domainName": {
"Value": {
"Fn::GetAtt": [
"myDomainName",
"DistributionDomainName"
]
}
}
}

690
API Gateway
YAML
Parameters:
basePath:
Type: String
Default: examplepath
domainName:
Type: String
Default: example.mydomain.com
restApiName:
Type: String
Default: exampleapi
Resources:
myCertificate:
Type: 'AWS::CertificateManager::Certificate'
Properties:
DomainName: !Ref domainName
myDomainName:
Properties:
CertificateArn: !Ref myCertificate
DomainName: !Ref domainName
myMapping:
Type: 'AWS::ApiGateway::BasePathMapping'
Properties:
BasePath: !Ref basePath
DomainName: !Ref myDomainName
RestApiId: !Ref myRestApi
myRestApi:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Name: !Ref restApiName
Outputs:
domainName:
Value: !GetAtt
- myDomainName
- DistributionDomainName
Create domain name with EndpointConfiguration
The following example creates a custom domain name that specifies a regional certificate ARN and an
endpoint type.
JSON
{
"Parameters": {
"cfnDomainName": {
"Type": "String"
},
"certificateArn": {
"Type": "String"
},
"type": {
"Type": "String"
}
},
"Resources": {
"myDomainName": {
"Properties": {

691
API Gateway
"CertificateArn": {
"Ref": "certificateArn"
},
"DomainName": {
"Ref": "cfnDomainName"
},
"EndpointConfiguration": {
"Types": [
{
"Ref": "type"
}
]
},
"RegionalCertificateArn": {
}
}
}
},
"Outputs": {
"DomainName": {
"Value": {
"Ref": "myDomainName"
}
}
}
}
YAML
Parameters:
cfnDomainName:
Type: String
certificateArn:
Type: String
type:
Type: String
Resources:
myDomainName:
Type: AWS::ApiGateway::DomainName
Properties:
CertificateArn: !Ref certificateArn
DomainName: !Ref cfnDomainName
Types:
- !Ref type
RegionalCertificateArn: !Ref certificateArn
Outputs:
DomainName:
Value: !Ref myDomainName
Create Domain Names and Zone IDs as Outputs
The following example defines the distribution and regional domain names, as well as the distribution
and regional hosted zone IDs, as outputs from the stack.
JSON
{
"Resources": {
"myDomainName": {
"Properties": {

692
API Gateway
"CertificateArn": {
},
"DomainName": {
"Ref": "cfnDomainName"
},
"Types": [
{
"Ref": "type"
}
]
},
"RegionalCertificateArn": {
}
}
}
},
"Outputs": {
"DistributionDomainName": {
"Value": {
"Fn::GetAtt": [
"myDomainName",
"DistributionDomainName"
]
}
},
"DistributionHostedZoneId": {
"Value": {
"Fn::GetAtt": [
"myDomainName",
"DistributionHostedZoneId"
]
}
},
"RegionalDomainName": {
"Value": {
"Fn::GetAtt": [
"myDomainName",
"RegionalDomainName"
]
}
},
"RegionalHostedZoneId": {
"Value": {
"Fn::GetAtt": [
"myDomainName",
"RegionalHostedZoneId"
]
}
}
}
}
YAML
Resources:
myDomainName:
Properties:
CertificateArn: !Ref certificateArn
DomainName: !Ref cfnDomainName

693
API Gateway
Types:
- !Ref type
RegionalCertificateArn: !Ref certificateArn
Outputs:
DistributionDomainName:
Value: !GetAtt
- myDomainName
- DistributionDomainName
DistributionHostedZoneId:
Value: !GetAtt
- myDomainName
- DistributionHostedZoneId
RegionalDomainName:
Value: !GetAtt
- myDomainName
- RegionalDomainName
RegionalHostedZoneId:
Value: !GetAtt
- myDomainName
- RegionalHostedZoneId
See Also
• domainname:create in the Amazon API Gateway REST API Reference
AWS::ApiGateway::DomainName EndpointConfiguration
The EndpointConfiguration property type specifies the endpoint types of an Amazon API Gateway
domain name.
EndpointConfiguration is a property of the AWS::ApiGateway::DomainName resource.
Syntax
JSON
{
"Types" : [ String, ... ]
}
YAML
Types:
- String
Properties
Types
A list of endpoint types of an API or its custom domain name. For an edge-optimized API and its
custom domain name, the endpoint type is EDGE. For a regional API and its custom domain name,
the endpoint type is REGIONAL.
Required: No

694
API Gateway
See Also
• DomainName in the Amazon API Gateway REST API Reference
AWS::ApiGateway::GatewayResponse
The AWS::ApiGateway::GatewayResponse resource creates a gateway response for your API. For
more information, see API Gateway Responses in the API Gateway Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ApiGateway::GatewayResponse",
"Properties" : {
"ResponseParameters" : {Key : Value, ...},
"ResponseTemplates" : {Key : Value, ...},
"ResponseType" : String,
"StatusCode" : String
}
}
YAML
Type: AWS::ApiGateway::GatewayResponse
Properties:
ResponseParameters:
Key : Value
ResponseTemplates:
Key : Value
ResponseType: String
RestApiId: String
StatusCode: String
Properties
ResponseParameters
The response parameters (paths, query strings, and headers) for the response. Duplicates not
allowed.
Required: No
Type: Map of String

ResponseTemplates
The response templates for the response. Duplicates not allowed.
Required: No

695
API Gateway
Type: Map of String

ResponseType
The response type. For valid values, see GatewayResponse in the API Gateway API Reference.
Required: Yes
Type: String

RestApiId
Required: Yes
Type: String

StatusCode
The HTTP status code for the response.
Required: No
Type: String
Examples
404 Response
The following example returns a 404 status code for resource not found instead of missing
authentication token for a CORS request (applicable to unsecured/unrestricted APIs).
JSON
{
"Resources": {
"RestApi": {
"Properties": {
"Name": "myRestApi"
}
},
"GatewayResponse": {
"Type": "AWS::ApiGateway::GatewayResponse",
"Properties": {
"ResponseParameters": {
"gatewayresponse.header.Access-Control-Allow-Origin": "'*'",
"gatewayresponse.header.Access-Control-Allow-Headers": "'*'"
},
"ResponseType": "MISSING_AUTHENTICATION_TOKEN",
"RestApiId": {

696
API Gateway
"Ref": "RestApi"
},
"StatusCode": "404"
}
}
}
}
YAML
Resources:
RestApi:
Properties:
Name: myRestApi
GatewayResponse:
Properties:
ResponseParameters:
gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
ResponseType: MISSING_AUTHENTICATION_TOKEN
StatusCode: '404'
Parameterized Response
The following example creates a response for an API based on the supplied parameters.
JSON
{
"Parameters": {
"apiName": {
"Type": "String"
},
"responseParameter1": {
"Type": "String"
},
"responseParameter2": {
"Type": "String"
},
"responseType": {
"Type": "String"
},
"statusCode": {
"Type": "String"
}
},
"Resources": {
"RestApi": {
"Properties": {
"Name": {
"Ref": "apiName"
}
}
},
"GatewayResponse": {
"Type": "AWS::ApiGateway::GatewayResponse",
"Properties": {
"ResponseParameters": {

697
API Gateway
"gatewayresponse.header.k1": {
"Ref": "responseParameter1"
},
"gatewayresponse.header.k2": {
"Ref": "responseParameter2"
}
},
"ResponseType": {
"Ref": "responseType"
},
"RestApiId": {
"Ref": "RestApi"
},
"StatusCode": {
"Ref": "statusCode"
}
}
}
}
}
YAML
Parameters:
apiName :
Type : String
responseParameter1:
Type : String
responseParameter2:
Type : String
responseType:
Type : String
statusCode:
Type : String
Resources :
RestApi:
Properties:
Name: !Ref apiName
GatewayResponse:
Properties:
ResponseParameters:
gatewayresponse.header.k1 : !Ref responseParameter1
gatewayresponse.header.k2 : !Ref responseParameter2
ResponseType: !Ref responseType
StatusCode: !Ref statusCode
See Also
• gatewayresponse:put in the Amazon API Gateway REST API Reference
The AWS::ApiGateway::Method resource creates API Gateway methods that define the parameters
and body that clients must send in their requests.
Syntax

698
API Gateway
JSON
{
"Type" : "AWS::ApiGateway::Method",
"Properties" : {
"ApiKeyRequired" : Boolean,
"AuthorizationScopes" : [ String, ... ],
"AuthorizationType" : String,
"AuthorizerId" : String,
"Integration" : Integration (p. 706),
"MethodResponses" : [ MethodResponse (p. 712), ... ],
"OperationName" : String,
"RequestModels" : {Key : Value, ...},
"RequestParameters" : {Key : Value, ...},
"RequestValidatorId" : String,
"ResourceId" : String,
}
}
YAML
Properties:
ApiKeyRequired: Boolean
AuthorizationScopes:
- String
AuthorizationType: String
AuthorizerId: String
HttpMethod: String
Integration:
Integration (p. 706)
MethodResponses:
- MethodResponse (p. 712)
OperationName: String
RequestModels:
Key : Value
RequestParameters:
Key : Value
RequestValidatorId: String
ResourceId: String
RestApiId: String
Properties
ApiKeyRequired
Indicates whether the method requires clients to submit a valid API key.
Required: No
Type: Boolean

AuthorizationScopes
A list of authorization scopes configured on the method. The scopes are used with a
COGNITO_USER_POOLS authorizer to authorize the method invocation. The authorization works
by matching the method scopes against the scopes parsed from the access token in the incoming
request. The method invocation is authorized if any method scopes match a claimed scope in the

699
API Gateway
access token. Otherwise, the invocation is not authorized. When the method scope is configured, the
client must provide an access token instead of an identity token for authorization purposes.
Required: No

AuthorizationType
The method's authorization type. This parameter is required. For valid values, see Method in the API
Gateway API Reference.
Note
If you specify the AuthorizerId property, specify CUSTOM for this property.
Required: No
Type: String

AuthorizerId
The identifier of the authorizer to use on this method. If you specify this property, specify CUSTOM
for the AuthorizationType property.
Required: No
Type: String

HttpMethod
The HTTP method that clients use to call this method.
Required: Yes
Type: String

Integration
The backend system that the method calls when it receives a request.
Required: No
Type: Integration (p. 706)

MethodResponses
The responses that can be sent to the client who calls the method.
Required: No
Type: List of MethodResponse (p. 712)

700
API Gateway
OperationName
A friendly operation name for the method. For example, you can assign the OperationName of
ListPets for the GET /pets method.
Required: No
Type: String

RequestModels
The resources that are used for the request's content type. Specify request models as key-value pairs
(string-to-string mapping), with a content type as the key and a Model resource name as the value.
Required: No
Type: Map of String

RequestParameters
The request parameters that API Gateway accepts. Specify request parameters as key-value
pairs (string-to-Boolean mapping), with a source as the key and a Boolean as the value.
The Boolean specifies whether a parameter is required. A source must match the format
method.request.location.name, where the location is query string, path, or header, and name
is a valid, unique parameter name.
Required: No
Type: Map of Boolean

RequestValidatorId
The ID of the associated request validator.
Required: No
Type: String

ResourceId
The ID of an API Gateway resource. For root resource methods, specify the RestApi root resource ID,
such as { "Fn::GetAtt": ["MyRestApi", "RootResourceId"] }.
Required: Yes
Type: String

RestApiId
The ID of the RestApi resource in which API Gateway creates the method.
Required: Yes
Type: String

701
API Gateway
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the method ID,
such as mysta-metho-01234b567890example.
Examples
Mock Method
The following example creates a mock GET method for the MyApi API.
JSON
{
"MockMethod": {
"Properties": {
"RestApiId": {
"Ref": "MyApi"
},
"ResourceId": {
"Fn::GetAtt": [
"MyApi",
"RootResourceId"
]
},
"HttpMethod": "GET",
"Integration": {
"Type": "MOCK"
}
}
}
}
YAML
MockMethod:
Type: 'AWS::ApiGateway::Method'
Properties:
ResourceId: !GetAtt
- MyApi
- RootResourceId
HttpMethod: GET
Integration:
Type: MOCK
Lambda Proxy
The following example creates a proxy resource to enable clients to call a Lambda function with a single
integration setup on a catch-all ANY method. The Uri property specifies the Lambda function. For more

702
API Gateway
information about Lambda proxy integration and a sample Lambda function, see Create an API with
Lambda Proxy Integration through a Proxy Resource in the API Gateway Developer Guide.
Note
Use the AWS::Lambda::Permission resource to grant API Gateway permission to invoke your
Lambda function.
JSON
{
"ProxyResource": {
"Type": "AWS::ApiGateway::Resource",
"Properties": {
"RestApiId": {
"Ref": "LambdaSimpleProxy"
},
"ParentId": {
"Fn::GetAtt": [
"LambdaSimpleProxy",
"RootResourceId"
]
},
"PathPart": "{proxy+}"
}
},
"ProxyResourceANY": {
"Properties": {
"RestApiId": {
"Ref": "LambdaSimpleProxy"
},
"ResourceId": {
"Ref": "ProxyResource"
},
"HttpMethod": "ANY",
"Integration": {
"Type": "AWS_PROXY",
"IntegrationHttpMethod": "POST",
"Uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/
functions/${LambdaForSimpleProxy.Arn}/invocations"
}
}
}
}
}
YAML
ProxyResource:
Type: 'AWS::ApiGateway::Resource'
Properties:
RestApiId: !Ref LambdaSimpleProxy
ParentId: !GetAtt
- LambdaSimpleProxy
- RootResourceId
PathPart: '{proxy+}'
ProxyResourceANY:
Type: 'AWS::ApiGateway::Method'
Properties:
RestApiId: !Ref LambdaSimpleProxy
ResourceId: !Ref ProxyResource
HttpMethod: ANY

703
API Gateway
Integration:
Type: AWS_PROXY
IntegrationHttpMethod: POST
Uri: !Sub >-
arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/
${LambdaForSimpleProxy.Arn}/invocations
Associated Request Validator
The following example creates a REST API, method, and request validator, and associates the request
validator with the method. It also lets you specify how to convert the request payload.
JSON
{
"Parameters": {
"contentHandling": {
"Type": "String"
},
"operationName": {
"Type": "String",
"Default": "testoperationName"
},
"restApiName": {
"Type": "String",
"Default": "testrestApiName"
},
"validatorName": {
"Type": "String",
"Default": "testvalidatorName"
},
"validateRequestBody": {
"Type": "String",
"Default": "testvalidateRequestBody"
},
"validateRequestParameters": {
"Type": "String",
"Default": true
}
},
"Resources": {
"RestApi": {
"Properties": {
"Name": {
"Ref": "restApiName"
}
}
},
"Method": {
"Properties": {
"ResourceId": {
"Fn::GetAtt": [
"RestApi",
"RootResourceId"
]
},
"RestApiId": {
"Ref": "RestApi"
},

704
API Gateway
"Integration": {
"Type": "MOCK",
"ContentHandling": {
"Ref": "contentHandling"
},
"IntegrationResponses": [
{
"ContentHandling": {
"Ref": "contentHandling"
},
"StatusCode": 400
}
]
},
"RequestValidatorId": {
"Ref": "RequestValidator"
},
"OperationName": {
"Ref": "operationName"
}
}
},
"RequestValidator": {
"Type": "AWS::ApiGateway::RequestValidator",
"Properties": {
"Name": {
"Ref": "validatorName"
},
"RestApiId": {
"Ref": "RestApi"
},
"ValidateRequestBody": {
"Ref": "validateRequestBody"
},
"ValidateRequestParameters": {
"Ref": "validateRequestParameters"
}
}
}
},
"Outputs": {
"RootResourceId": {
"Value": {
"Fn::GetAtt": [
"RestApi",
"RootResourceId"
]
}
}
}
}
YAML
Parameters:
contentHandling:
Type: String
operationName:
Type: String
Default: testoperationName
restApiName:
Type: String
Default: testrestApiName
validatorName:

705
API Gateway
Type: String
Default: testvalidatorName
validateRequestBody:
Type: String
Default: testvalidateRequestBody
validateRequestParameters:
Type: String
Default: true
Resources:
RestApi:
Properties:
Name: !Ref restApiName
Method:
Properties:
HttpMethod: POST
ResourceId: !GetAtt RestApi.RootResourceId
Integration:
Type: MOCK
ContentHandling: !Ref contentHandling
IntegrationResponses:
- ContentHandling: !Ref contentHandling
StatusCode: 400
RequestValidatorId: !Ref RequestValidator
OperationName: !Ref operationName
RequestValidator:
Type: AWS::ApiGateway::RequestValidator
Properties:
Name: !Ref validatorName
ValidateRequestBody: !Ref validateRequestBody
ValidateRequestParameters: !Ref validateRequestParameters
Outputs:
RootResourceId:
Value: !GetAtt RestApi.RootResourceId
See Also
• method:put in the Amazon API Gateway REST API Reference
AWS::ApiGateway::Method Integration
Integration is a property of the AWS::ApiGateway::Method resource that specifies information about
the target backend that a method calls.
Syntax
JSON
{
"CacheKeyParameters" : [ String, ... ],
"CacheNamespace" : String,
"ConnectionId" : String,
"ConnectionType" : String,
"ContentHandling" : String,
"Credentials" : String,
"IntegrationHttpMethod" : String,

706
API Gateway
"IntegrationResponses" : [ IntegrationResponse (p. 710), ... ],

"PassthroughBehavior" : String,
"RequestParameters" : {Key : Value, ...},
"RequestTemplates" : {Key : Value, ...},
"TimeoutInMillis" : Integer,
"Type" : String,
"Uri" : String
}
YAML
CacheKeyParameters:
- String
CacheNamespace: String
ConnectionId: String
ConnectionType: String
ContentHandling: String
Credentials: String
IntegrationHttpMethod: String
IntegrationResponses:
- IntegrationResponse (p. 710)
PassthroughBehavior: String
RequestParameters:
Key : Value
RequestTemplates:
Key : Value
TimeoutInMillis: Integer
Type: String
Uri: String
Properties
CacheKeyParameters
A list of request parameters whose values API Gateway caches. For cases where the integration
type allows for RequestParameters to be set, these parameters must also be specified in
RequestParameters to be supported in CacheKeyParameters.
Required: No

CacheNamespace
An API-specific tag group of related cached parameters.
Required: No
Type: String

ConnectionId
The ID of the VpcLink used for the integration when connectionType=VPC_LINK, otherwise
undefined.
Required: No
Type: String

707
API Gateway

ConnectionType
The type of the network connection to the integration endpoint. The valid value is INTERNET for
connections through the public routable internet or VPC_LINK for private connections between API
Gateway and a network load balancer in a VPC. The default value is INTERNET.
Required: No
Type: String

ContentHandling
Specifies how to handle request payload content type conversions. Valid values are:
• CONVERT_TO_BINARY: Converts a request payload from a base64-encoded string to a binary blob.
• CONVERT_TO_TEXT: Converts a request payload from a binary blob to a base64-encoded string.
If this property isn't defined, the request payload is passed through from the method request to the
integration request without modification, provided that the PassthroughBehaviors property is
configured to support payload pass-through.
Required: No
Type: String

Credentials
The credentials that are required for the integration. To specify an AWS Identity and Access
Management (IAM) role that API Gateway assumes, specify the role's Amazon Resource Name (ARN).
To require that the caller's identity be passed through from the request, specify arn:aws:iam::*:user/*.
To use resource-based permissions on the AWS Lambda (Lambda) function, don't specify this
property. Use the AWS::Lambda::Permission resource to permit API Gateway to call the function. For
more information, see Allow Amazon API Gateway to Invoke a Lambda Function in the AWS Lambda
Developer Guide.
Required: No
Type: String

IntegrationHttpMethod
The integration's HTTP method type.
For the Type property, if you specify MOCK, this property is optional. For all other types, you must
specify this property.
Type: String

IntegrationResponses
The response that API Gateway provides after a method's backend completes processing a request.
API Gateway intercepts the response from the backend so that you can control how API Gateway

708
API Gateway
surfaces backend responses. For example, you can map the backend status codes to codes that you
define.
Required: No
Type: List of IntegrationResponse (p. 710)

PassthroughBehavior
Indicates when API Gateway passes requests to the targeted backend. This behavior depends on the
request's Content-Type header and whether you defined a mapping template for it.
For more information and valid values, see the passthroughBehavior field in the API Gateway API
Reference.
Required: No
Type: String

RequestParameters
The request parameters that API Gateway sends with the backend request. Specify request
parameters as key-value pairs (string-to-string mappings), with a destination as the key and a source
as the value.
Specify the destination by using the following pattern integration.request.location.name,

where location is query string, path, or header, and name is a valid, unique parameter name.
The source must be an existing method request parameter or a static value. You must enclose static
values in single quotation marks and pre-encode these values based on their destination in the
request.
Required: No
Type: Map of String

RequestTemplates
A map of Apache Velocity templates that are applied on the request payload. The template that
API Gateway uses is based on the value of the Content-Type header that's sent by the client.
The content type value is the key, and the template is the value (specified as a string), such as the
following snippet:
"application/json": "{\n \"statusCode\": 200\n}"
For more information about templates, see API Gateway Mapping Template and Access Logging
Variable Reference in the API Gateway Developer Guide.
Required: No
Type: Map of String

TimeoutInMillis
Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000 milliseconds or 29
seconds.

709
API Gateway
Required: No
Type: Integer

Type
The type of backend that your method is running, such as HTTP or MOCK. For all of the valid
values, see the type property for the Integration resource in the Amazon API Gateway REST API
Reference.
Required: No
Type: String

Uri
The Uniform Resource Identifier (URI) for the integration.
If you specify HTTP for the Type property, specify the API endpoint URL.
If you specify MOCK for the Type property, don't specify this property.
If you specify AWS for the Type property, specify an AWS service that follows this form:
arn:aws:apigateway:region:subdomain.service|service:path|action/service_api. For example, a Lambda
function URI follows this form: arn:aws:apigateway:region:lambda:path/path. The path is usually in
the form /2015-03-31/functions/LambdaFunctionARN/invocations. For more information, see the
uri property of the Integration resource in the Amazon API Gateway REST API Reference.
If you specified HTTP or AWS for the Type property, you must specify this property.
Type: String
See Also
• Method in the Amazon API Gateway REST API Reference
AWS::ApiGateway::Method IntegrationResponse
IntegrationResponse is a property of the Amazon API Gateway Method Integration property type
that specifies the response that API Gateway sends after a method's backend finishes processing a
request.
Syntax
JSON
{
"ContentHandling" : String,
"ResponseTemplates" : {Key : Value, ...},
"SelectionPattern" : String,

710
API Gateway
}
YAML
ContentHandling: String
ResponseParameters:
Key : Value
ResponseTemplates:
Key : Value
SelectionPattern: String
StatusCode: String
Properties
ContentHandling
Specifies how to handle request payload content type conversions. Valid values are:
• CONVERT_TO_BINARY: Converts a request payload from a base64-encoded string to a binary blob.
• CONVERT_TO_TEXT: Converts a request payload from a binary blob to a base64-encoded string.
If this property isn't defined, the request payload is passed through from the method request to the
integration request without modification.
Required: No
Type: String

ResponseParameters
The response parameters from the backend response that API Gateway sends to the method
response. Specify response parameters as key-value pairs (string-to-string mappings).
Use the destination as the key and the source as the value:
• The destination must be an existing response parameter in the MethodResponse property.
• The source must be an existing method request parameter or a static value. You must enclose
static values in single quotation marks and pre-encode these values based on the destination
specified in the request.
For more information about templates, see API Gateway Mapping Template and Access Logging
Variable Reference in the API Gateway Developer Guide.
Required: No
Type: Map of String

ResponseTemplates
The templates that are used to transform the integration response body. Specify templates as key-
value pairs (string-to-string mappings), with a content type as the key and a template as the value.
For more information, see API Gateway Mapping Template and Access Logging Variable Reference in
the API Gateway Developer Guide.
Required: No
Type: Map of String

711
API Gateway

SelectionPattern
A regular expression that specifies which error strings or status codes from the backend map to the
integration response.
Required: No
Type: String

StatusCode
The status code that API Gateway uses to map the integration response to a MethodResponse status
code.
Required: Yes
Type: String
See Also
AWS::ApiGateway::Method MethodResponse
MethodResponse is a property of the AWS::ApiGateway::Method resource that defines the responses
that can be sent to the client that calls a method.
Syntax
JSON
{
"ResponseModels" : {Key : Value, ...},
}
YAML
ResponseModels:
Key : Value
ResponseParameters:
Key : Value
StatusCode: String
Properties
ResponseModels
The resources used for the response's content type. Specify response models as key-value pairs
(string-to-string maps), with a content type as the key and a Model resource name as the value.

712
API Gateway
Required: No
Type: Map of String

ResponseParameters
Response parameters that API Gateway sends to the client that called a method. Specify
response parameters as key-value pairs (string-to-Boolean maps), with a destination as
the key and a Boolean as the value. Specify the destination using the following pattern:
method.response.header.name, where name is a valid, unique header name. The Boolean
specifies whether a parameter is required.
Required: No
Type: Map of Boolean

StatusCode
The method response's status code, which you map to an IntegrationResponse.
Required: Yes
Type: String
See Also
The AWS::ApiGateway::Model resource defines the structure of a request or response payload for an
API method.
Syntax
JSON
{
"Type" : "AWS::ApiGateway::Model",
"Properties" : {
"ContentType" : String,
"Name" : String,
"Schema" : Json
}
}
YAML
Type: AWS::ApiGateway::Model

713
API Gateway
Properties:
ContentType: String
Description: String
Name: String
RestApiId: String
Schema: Json
Properties
ContentType
The content type for the model.
Required: No
Type: String

Description
A description that identifies this model.
Required: No
Type: String

Name
A name for the model. If you don't specify a name, AWS CloudFormation generates a unique physical
ID and uses that ID for the model name. For more information, see Name Type.
Important
Required: No
Type: String

RestApiId
The ID of a REST API with which to associate this model.
Required: Yes
Type: String

Schema
The schema to use to transform data to one or more output formats. Specify null ({}) if you don't
want to specify a schema.
Required: No
Type: Json

714
API Gateway
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the model name,
such as myModel.
Examples
Create model
The following example creates a model that transforms input data into the described schema.
JSON
{
"PetsModelNoFlatten": {
"Type": "AWS::ApiGateway::Model",
"Properties": {
"RestApiId": {
"Ref": "RestApi"
},
"ContentType": "application/json",
"Description": "Schema for Pets example",
"Name": "PetsModelNoFlatten",
"Schema": {
"$schema": "http://json-schema.org/draft-04/schema#",
"title": "PetsModelNoFlatten",
"type": "array",
"items": {
"type": "object",
"properties": {
"number": {
"type": "integer"
},
"class": {
"type": "string"
},
"salesPrice": {
"type": "number"
}
}
}
}
}
}
}
YAML
PetsModelNoFlatten:
Type: 'AWS::ApiGateway::Model'
Properties:
ContentType: application/json
Description: Schema for Pets example
Name: PetsModelNoFlatten
Schema:
$schema: 'http://json-schema.org/draft-04/schema#'
title: PetsModelNoFlatten
type: array

715
API Gateway
items:
type: object
properties:
number:
type: integer
class:
type: string
salesPrice:
type: number
See Also
• model:create in the Amazon API Gateway REST API Reference
The AWS::ApiGateway::RequestValidator resource sets up basic validation rules for incoming
requests to your API. For more information, see Enable Basic Request Validation for an API in API
Syntax
JSON
{
"Type" : "AWS::ApiGateway::RequestValidator",
"Properties" : {
"Name" : String,
"ValidateRequestBody" : Boolean,
"ValidateRequestParameters" : Boolean
}
}
YAML
Properties:
Name: String
RestApiId: String
ValidateRequestBody: Boolean
ValidateRequestParameters: Boolean
Properties
Name
The name of this request validator.
Required: No
Type: String

RestApiId
The identifier of the targeted API entity.

716
API Gateway
Required: Yes
Type: String

ValidateRequestBody
Indicates whether to validate the request body according to the configured schema for the targeted
API and method.
Required: No
Type: Boolean

ValidateRequestParameters
Indicates whether to validate request parameters.
Required: No
Type: Boolean
Return Values
Ref
request validator, such as abc123.
Examples
Create request validator
The following example creates an API Gateway API with an associated request validator, based on the
supplied parameters.
JSON
{
"Parameters": {
"apiName": {
"Type": "String"
},
"validatorName": {
"Type": "String"
},
"validateRequestBody": {
"Type": "String"
},
"validateRequestParameters": {
"Type": "String"
}
},
"Resources": {
"RestApi": {

717
API Gateway
"Properties": {
"Name": {
"Ref": "apiName"
}
}
},
"RequestValidator": {
"Type": "AWS::ApiGateway::RequestValidator",
"Properties": {
"Name": {
"Ref": "validatorName"
},
"RestApiId": {
"Ref": "RestApi"
},
"ValidateRequestBody": {
"Ref": "validateRequestBody"
},
"ValidateRequestParameters": {
"Ref": "validateRequestParameters"
}
}
}
}
}
YAML
Parameters:
apiName:
Type: String
validatorName:
Type: String
validateRequestBody:
Type: String
validateRequestParameters:
Type: String
Resources:
RestApi:
Properties:
Name: !Ref apiName
RequestValidator:
Properties:
Name: !Ref validatorName
ValidateRequestBody: !Ref validateRequestBody
ValidateRequestParameters: !Ref validateRequestParameters
See Also
• requestvalidator:create in the Amazon API Gateway REST API Reference
The AWS::ApiGateway::Resource resource creates a resource in an API.
Syntax

718
API Gateway
JSON
{
"Type" : "AWS::ApiGateway::Resource",
"Properties" : {
"ParentId" : String,
"PathPart" : String,
}
}
YAML
Type: AWS::ApiGateway::Resource
Properties:
ParentId: String
PathPart: String
RestApiId: String
Properties
ParentId
If you want to create a child resource, the ID of the parent resource. For resources without a
parent, specify the RestApi root resource ID, such as { "Fn::GetAtt": ["MyRestApi",
"RootResourceId"] }.
Required: Yes
Type: String

PathPart
A path name for the resource.
Required: Yes
Type: String

RestApiId
The ID of the RestApi resource in which you want to create this resource.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource ID,
such as abc123.

719
API Gateway
Examples
Create resource
The following example creates a stack resource for the MyApi API.
JSON
{
"Stack": {
"Type": "AWS::ApiGateway::Resource",
"Properties": {
"RestApiId": {
"Ref": "MyApi"
},
"ParentId": {
"Fn::GetAtt": [
"MyApi",
"RootResourceId"
]
},
"PathPart": "stack"
}
}
}
YAML
Stack:
Type: 'AWS::ApiGateway::Resource'
Properties:
ParentId: !GetAtt
- MyApi
- RootResourceId
PathPart: stack
See Also
• resource:create in the Amazon API Gateway REST API Reference
The AWS::ApiGateway::RestApi resource creates a REST API. For more information, see
restapi:create in the Amazon API Gateway REST API Reference.
Note
On January 1, 2016, the Swagger Specification was donated to the OpenAPI initiative, becoming
the foundation of the OpenAPI Specification.
Syntax
JSON
{
"Type" : "AWS::ApiGateway::RestApi",
"Properties" : {

720
API Gateway
"ApiKeySourceType" : String,
"BinaryMediaTypes" : [ String, ... ],
"Body" : Json,
"BodyS3Location" : S3Location (p. 728),
"CloneFrom" : String,
"EndpointConfiguration" : EndpointConfiguration (p. 727),
"FailOnWarnings" : Boolean,
"MinimumCompressionSize" : Integer,
"Name" : String,
"Parameters" : {Key : Value, ...},
"Policy" : Json,
"Tags" : [ Tag, ... ]
}
}
YAML
Properties:
ApiKeySourceType: String
BinaryMediaTypes:
- String
Body: Json
BodyS3Location:
S3Location (p. 728)
CloneFrom: String
Description: String
EndpointConfiguration (p. 727)
FailOnWarnings: Boolean
MinimumCompressionSize: Integer
Name: String
Parameters:
Key : Value
Policy: Json
Tags:
- Tag
Properties
ApiKeySourceType
The source of the API key for metering requests according to a usage plan. Valid values are:
• HEADER to read the API key from the X-API-Key header of a request.
• AUTHORIZER to read the API key from the UsageIdentifierKey from a Lambda authorizer.
Required: No
Type: String

BinaryMediaTypes
The list of binary media types that are supported by the RestApi resource, such as image/png or
application/octet-stream. By default, RestApi supports only UTF-8-encoded text payloads.
Duplicates are not allowed. Slashes must be escaped with ~1. For example, image/png would be
image~1png in the BinaryMediaTypes list. For more information, see Enable Support for Binary
Payloads in API Gateway in the API Gateway Developer Guide.
Required: No

721
API Gateway

Body
An OpenAPI specification that defines a set of RESTful APIs in JSON format. For YAML templates,
you can also provide the specification in YAML format.
Required: No
Type: Json

BodyS3Location
The Amazon Simple Storage Service (Amazon S3) location that points to an OpenAPI file, which
defines a set of RESTful APIs in JSON or YAML format.
Required: No
Type: S3Location (p. 728)

CloneFrom
The ID of the RestApi resource that you want to clone.
Required: No
Type: String

Description
A description of the RestApi resource.
Required: No
Type: String

EndpointConfiguration
A list of the endpoint types of the API. Use this property when creating an API. When importing an
existing API, specify the endpoint configuration types using the Parameters property.
Required: No
Type: EndpointConfiguration (p. 727)

FailOnWarnings
Indicates whether to roll back the resource if a warning occurs while API Gateway is creating the
RestApi resource.
Required: No
Type: Boolean

722
API Gateway

MinimumCompressionSize
A nullable integer that is used to enable compression (with non-negative between 0 and 10485760
(10M) bytes, inclusive) or disable compression (with a null value) on an API. When compression is
enabled, compression or decompression is not applied on the payload if the payload size is smaller
than this value. Setting it to zero allows compression for any payload size.
Required: No
Type: Integer

Name
A name for the RestApi resource.
Type: String

Parameters
Custom header parameters for the request.
Required: No
Type: Map of String

Policy
A policy document that contains the permissions for the RestApi resource, in JSON format. To
set the ARN for the policy, use the !Join intrinsic function with "" as delimiter and values of
"execute-api:/" and "*".
Required: No
Type: Json

Tags
An array of arbitrary tags (key-value pairs) to associate with the API.
Required: No
Type: List of Tag
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the RestApi ID,
such as a1bcdef2gh.

723
API Gateway
Fn::GetAtt
RootResourceId
The root resource ID for a RestApi resource, such as a0bc123d4e.
Examples
Based on OpenAPI specification
The following example creates an API Gateway RestApi resource based on an OpenAPI specification.
JSON
{
"MyRestApi": {
"Properties": {
"Body": {
"OpenAPI specification": null
},
"Description": "A test API",
"Name": "MyRestAPI"
}
}
}
YAML
MyRestApi:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Body:
OpenAPI specification: null
Description: A test API
Name: MyRestAPI
With endpoint type
The following example creates an API Gateway RestApi resource with an endpoint type.
JSON
{
"Parameters": {
"apiName": {
"Type": "String"
},
"type": {
"Type": "String"
}

724
API Gateway
},
"Resources": {
"MyRestApi": {
"Properties": {
"Types": [
{
"Ref": "type"
}
]
},
"Name": {
"Ref": "apiName"
}
}
}
}
}
YAML
Parameters:
apiName:
Type: String
type:
Type: String
Resources:
MyRestApi:
Properties:
Types:
- !Ref type
Name: !Ref apiName
With REGIONAL endpoint type
The following example imports an API Gateway RestApi resource with an endpoint type of REGIONAL.
JSON
{
"Resources": {
"RestApi": {
"Properties": {
"Body": {
"swagger": 2,
"info": {
"version": "0.0.1",
"title": "test"
},
"basePath": "/pete",
"schemes": [
"https"
],
"definitions": {
"Empty": {
"type": "object"
}
}
},

725
API Gateway
"Name": "myApi",
"Parameters": {
"endpointConfigurationTypes": "REGIONAL"
}
}
}
}
}
YAML
Resources :
RestApi :
Type : AWS::ApiGateway::RestApi
Properties :
Body :
swagger : 2.0
info :
version : 0.0.1
title : test
basePath : /pete
schemes :
- https
definitions:
Empty :
type : object
Name : myApi
Parameters:
endpointConfigurationTypes: REGIONAL
With ApiKeySourceType
The following example creates an API Gateway RestApi resource with ApiKeySourceType,
BinaryMediaTypes and MinimumCompressionSize.
JSON
{
"Parameters": {
"apiKeySourceType": {
"Type": "String"
},
"apiName": {
"Type": "String"
},
"binaryMediaType1": {
"Type": "String"
},
"binaryMediaType2": {
"Type": "String"
},
"minimumCompressionSize": {
"Type": "String"
}
},
"Resources": {
"MyRestApi": {
"Properties": {
"ApiKeySourceType": {
"Ref": "apiKeySourceType"
},
"BinaryMediaTypes": [

726
API Gateway
{
"Ref": "binaryMediaType1"
},
{
"Ref": "binaryMediaType2"
}
],
"MinimumCompressionSize": {
"Ref": "minimumCompressionSize"
},
"Name": {
"Ref": "apiName"
}
}
}
}
}
YAML
Parameters:
apiKeySourceType:
Type: String
apiName:
Type: String
binaryMediaType1:
Type: String
binaryMediaType2:
Type: String
minimumCompressionSize:
Type: String
Resources:
MyRestApi:
Properties:
ApiKeySourceType: !Ref apiKeySourceType
BinaryMediaTypes:
- !Ref binaryMediaType1
- !Ref binaryMediaType2
MinimumCompressionSize: !Ref minimumCompressionSize
Name: !Ref apiName
See Also
• restapi:create in the Amazon API Gateway REST API Reference
AWS::ApiGateway::RestApi EndpointConfiguration
The EndpointConfiguration property type specifies the endpoint types of a REST API.
EndpointConfiguration is a property of the AWS::ApiGateway::RestApi resource.
Syntax
JSON
{
"Types" : [ String, ... ],
"VpcEndpointIds" : [ String, ... ]

727
API Gateway
YAML
Types:
- String
VpcEndpointIds:
- String
Properties
Types
A list of endpoint types of an API or its custom domain name. Valid values include:
• EDGE: For an edge-optimized API and its custom domain name.
• REGIONAL: For a regional API and its custom domain name.
• PRIVATE: For a private API.
Required: No

VpcEndpointIds
A list of VPC endpoint IDs of an API (AWS::ApiGateway::RestApi) against which to create Route53
ALIASes. It is only supported for PRIVATE endpoint type.
Required: No
See Also
• RestApi in the Amazon API Gateway REST API Reference
AWS::ApiGateway::RestApi S3Location
S3Location is a property of the AWS::ApiGateway::RestApi resource that specifies the Amazon S3
location of a OpenAPI (formerly Swagger) file that defines a set of RESTful APIs in JSON or YAML.
Note
On January 1, 2016, the Swagger Specification was donated to the OpenAPI initiative, becoming
the foundation of the OpenAPI Specification.
Syntax
JSON
{
"Bucket" : String,
"ETag" : String,
"Key" : String,

728
API Gateway
"Version" : String
}
YAML
Bucket: String
ETag: String
Key: String
Version: String
Properties
Bucket
The name of the S3 bucket where the OpenAPI file is stored.
Required: No
Type: String

ETag
The Amazon S3 ETag (a file checksum) of the OpenAPI file. If you don't specify a value, API Gateway
skips ETag validation of your OpenAPI file.
Required: No
Type: String

Key
The file name of the OpenAPI file (Amazon S3 object name).
Required: No
Type: String

Version
For versioning-enabled buckets, a specific version of the OpenAPI file.
Required: No
Type: String
See Also
• RestApi in the Amazon API Gateway REST API Reference
The AWS::ApiGateway::Stage resource creates a stage for a deployment.

729
API Gateway
Syntax
JSON
{
"Type" : "AWS::ApiGateway::Stage",
"Properties" : {
"AccessLogSetting" : AccessLogSetting (p. 734),
"CacheClusterEnabled" : Boolean,
"CacheClusterSize" : String,
"CanarySetting" : CanarySetting (p. 735),
"DeploymentId" : String,
"MethodSettings" : [ MethodSetting (p. 736), ... ],
"StageName" : String,
"Tags" : [ Tag, ... ],
"TracingEnabled" : Boolean,
"Variables" : {Key : Value, ...}
}
}
YAML
Properties:
AccessLogSetting:
AccessLogSetting (p. 734)
CacheClusterEnabled: Boolean
CacheClusterSize: String
CanarySetting:
CanarySetting (p. 735)
DeploymentId: String
Description: String
MethodSettings:
- MethodSetting (p. 736)
RestApiId: String
StageName: String
Tags:
- Tag
TracingEnabled: Boolean
Variables:
Key : Value
Properties
AccessLogSetting
Specifies settings for logging access in this stage.
Required: No
Type: AccessLogSetting (p. 734)

730
API Gateway
CacheClusterEnabled
Indicates whether cache clustering is enabled for the stage.
Required: No
Type: Boolean

CacheClusterSize
The stage's cache cluster size.
Required: No
Type: String

CanarySetting
Specifies settings for the canary deployment in this stage.
Required: No
Type: CanarySetting (p. 735)

ClientCertificateId
The ID of the client certificate that API Gateway uses to call your integration endpoints in the stage.
Required: No
Type: String

DeploymentId
The ID of the deployment that the stage is associated with. This parameter is required.
Required: No
Type: String

Description
A description of the stage.
Required: No
Type: String

The version ID of the API documentation snapshot.
Required: No

731
API Gateway
Type: String

MethodSettings
Settings for all methods in the stage.
Required: No
Type: List of MethodSetting (p. 736)

RestApiId
The ID of the RestApi resource that you're deploying with this stage.
Required: Yes
Type: String

StageName
The name of the stage, which API Gateway uses as the first path segment in the invoked Uniform
Resource Identifier (URI).
Required: No
Type: String

Tags
An array of arbitrary tags (key-value pairs) to associate with the stage.
Required: No
Type: List of Tag

TracingEnabled
Specifies whether active X-Ray tracing is enabled for this stage.
For more information, see Trace API Gateway API Execution with AWS X-Ray in the API Gateway
Developer Guide.
Required: No
Type: Boolean

Variables
A map (string-to-string map) that defines the stage variables, where the variable name is the key
and the variable value is the value. Variable names are limited to alphanumeric characters. Values
must match the following regular expression: [A-Za-z0-9-._~:/?#&=,]+.

732
API Gateway
Required: No
Type: Map of String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the
stage, such as MyTestStage.
Examples
Create stage
The following example creates a stage for the TestDeployment deployment. The stage also specifies
method settings for the MyRestApi API.
JSON
{
"Resources": {
"Prod": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"StageName": "Prod",
"Description": "Prod Stage",
"RestApiId": {
"Ref": "MyRestApi"
},
"DeploymentId": {
"Ref": "TestDeployment"
},
"Ref": "MyDocumentationVersion"
},
"ClientCertificateId": {
"Ref": "ClientCertificate"
},
"Variables": {
"Stack": "Prod"
},
"MethodSettings": [
{
"ResourcePath": "/",
"MetricsEnabled": "true",
"DataTraceEnabled": "true"
},
{
"ResourcePath": "/stack",
"DataTraceEnabled": "true",
"ThrottlingBurstLimit": "999"
},
{
"ResourcePath": "/stack",

733
API Gateway
"DataTraceEnabled": "true",
"ThrottlingBurstLimit": "555"
}
]
}
}
}
}
YAML
Resources:
Prod:
Properties:
StageName: Prod
Description: Prod Stage
RestApiId: !Ref MyRestApi
DeploymentId: !Ref TestDeployment
DocumentationVersion: !Ref MyDocumentationVersion
ClientCertificateId: !Ref ClientCertificate
Variables:
Stack: Prod
MethodSettings:
- ResourcePath: /
HttpMethod: GET
MetricsEnabled: 'true'
DataTraceEnabled: 'true'
- ResourcePath: /stack
HttpMethod: POST
ThrottlingBurstLimit: '999'
- ResourcePath: /stack
HttpMethod: GET
ThrottlingBurstLimit: '555'
See Also
• stage:create in the Amazon API Gateway REST API Reference
AWS::ApiGateway::Stage AccessLogSetting
The AccessLogSetting property type specifies settings for logging access in this stage.
AccessLogSetting is a property of the AWS::ApiGateway::Stage resource.
Syntax
JSON
{
"Format" : String

734
API Gateway
YAML
Format: String
Properties
DestinationArn
The Amazon Resource Name (ARN) of the CloudWatch Logs log group or Kinesis Data Firehose
delivery stream to receive access logs. If you specify a Kinesis Data Firehose delivery stream, the
stream name must begin with amazon-apigateway-.
Required: No
Type: String

Format
Required: No
Type: String
See Also
AWS::ApiGateway::Stage CanarySetting
The CanarySetting property type specifies settings for the canary deployment in this stage.
CanarySetting is a property of the AWS::ApiGateway::Stage resource.
Syntax
JSON
{
}
YAML

735
API Gateway
Key : Value
Properties
DeploymentId
The identifier of the deployment that the stage points to.
Required: No
Type: String

PercentTraffic
The percentage (0-100) of traffic diverted to a canary deployment.
Required: No
Type: Double

Required: No
Type: Map of String

UseStageCache
Whether the canary deployment uses the stage cache or not.
Required: No
Type: Boolean
See Also
AWS::ApiGateway::Stage MethodSetting
The MethodSetting property type configures settings for all methods in a stage.
The MethodSettings property of the AWS::ApiGateway::Stage resource contains a list of

MethodSetting property types.

736
API Gateway
Syntax
JSON
{
}
YAML
HttpMethod: String
Properties
CacheDataEncrypted
Required: No
Type: Boolean

CacheTtlInSeconds
Required: No
Type: Integer

CachingEnabled
on the stage to cache responses.
Required: No
Type: Boolean

737
API Gateway

DataTraceEnabled
Required: No
Type: Boolean

HttpMethod
The HTTP method. You can use an asterisk (*) as a wildcard to apply method settings to multiple
methods.
Required: No
Type: String

LoggingLevel
Required: No
Type: String

MetricsEnabled
Required: No
Type: Boolean

ResourcePath
The resource path for this method. Forward slashes (/) are encoded as ~1 and the initial slash must
include a forward slash. For example, the path value /resource/subresource must be encoded
as /~1resource~1subresource. To specify the root path, use only a slash (/). You can use an
asterisk (*) as a wildcard to apply method settings to multiple methods.
Required: No
Type: String


738
API Gateway
Required: No
Type: Integer

ThrottlingRateLimit
Required: No
Type: Double
See Also
AWS::ApiGateway::UsagePlan
The AWS::ApiGateway::UsagePlan resource creates a usage plan for deployed APIs. A usage plan
enforces throttling and quota limits on individual client API keys. For more information, see Creating and
Using API Usage Plans in Amazon API Gateway in the API Gateway Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ApiGateway::UsagePlan",
"Properties" : {
"ApiStages" : [ ApiStage (p. 742), ... ],
"Quota" : QuotaSettings (p. 743),
"Tags" : [ Tag, ... ],
"Throttle" : ThrottleSettings (p. 744),
"UsagePlanName" : String
}
}
YAML
Type: AWS::ApiGateway::UsagePlan
Properties:
ApiStages:
- ApiStage (p. 742)
Description: String
Quota:
QuotaSettings (p. 743)
Tags:
- Tag
Throttle:
ThrottleSettings (p. 744)

739
API Gateway
UsagePlanName: String
Properties
ApiStages
The API stages to associate with this usage plan.
Required: No
Type: List of ApiStage (p. 742)

Description
A description of the usage plan.
Required: No
Type: String

Quota
Configures the number of requests that users can make within a given interval.
Required: No
Type: QuotaSettings (p. 743)

Tags
An array of arbitrary tags (key-value pairs) to associate with the usage plan.
Required: No
Type: List of Tag

Throttle
Configures the overall request rate (average requests per second) and burst capacity.
Required: No
Type: ThrottleSettings (p. 744)

UsagePlanName
A name for the usage plan.
Required: No
Type: String

740
API Gateway
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the usage plan ID,
such as MyUsagePlan.
Examples
Create usage plan
The following examples create a usage plan for the Prod API stage, with a quota of 5000 requests per
month and a rate limit of 100 requests per second.
JSON
{
"usagePlan": {
"Type": "AWS::ApiGateway::UsagePlan",
"Properties": {
"ApiStages": [
{
"ApiId": {
"Ref": "MyRestApi"
},
"Stage": {
"Ref": "Prod"
}
}
],
"Description": "Customer ABC's usage plan",
"Quota": {
"Limit": 5000,
"Period": "MONTH"
},
"Throttle": {
"BurstLimit": 200,
"RateLimit": 100
},
"UsagePlanName": "Plan_ABC"
}
}
}
YAML
usagePlan:
Type: 'AWS::ApiGateway::UsagePlan'
Properties:
ApiStages:
- ApiId: !Ref MyRestApi
Stage: !Ref Prod
Description: Customer ABC's usage plan
Quota:
Limit: 5000
Period: MONTH
Throttle:
BurstLimit: 200
RateLimit: 100
UsagePlanName: Plan_ABC

741
API Gateway
See Also
• usageplan:create in the Amazon API Gateway REST API Reference
AWS::ApiGateway::UsagePlan ApiStage
ApiStage is a property of the AWS::ApiGateway::UsagePlan resource that specifies which stages and
APIs to associate with a usage plan.
Syntax
JSON
{
"ApiId" : String,
"Stage" : String,
"Throttle" : {Key : Value, ...}
}
YAML
ApiId: String
Stage: String
Throttle:
Key : Value
Properties
ApiId
The ID of an API that is in the specified Stage property that you want to associate with the usage
plan.
Required: No
Type: String

Stage
The name of the stage to associate with the usage plan.
Required: No
Type: String

Throttle
Map containing method-level throttling information for API stage in a usage plan.
Required: No
Type: Map of ThrottleSettings (p. 744)

742
API Gateway
See Also
• UsagePlan in the Amazon API Gateway REST API Reference
AWS::ApiGateway::UsagePlan QuotaSettings
QuotaSettings is a property of the AWS::ApiGateway::UsagePlan resource that specifies the maximum
number of requests users can make to your REST APIs.
Syntax
JSON
{
"Limit" : Integer,
"Offset" : Integer,
"Period" : String
}
YAML
Limit: Integer
Offset: Integer
Period: String
Properties
Limit
The maximum number of requests that users can make within the specified time period.
Required: No
Type: Integer

Offset
For the initial time period, the number of requests to subtract from the specified limit. When you
first implement a usage plan, the plan might start in the middle of the week or month. With this
property, you can decrease the limit for this initial time period.
Required: No
Type: Integer

Period
The time period for which the maximum limit of requests applies, such as DAY or WEEK. For valid
values, see the period property for the UsagePlan resource in the Amazon API Gateway REST API
Reference.

743
API Gateway
Required: No
Type: String
See Also
AWS::ApiGateway::UsagePlan ThrottleSettings
ThrottleSettings is a property of the AWS::ApiGateway::UsagePlan resource that specifies the overall
request rate (average requests per second) and burst capacity when users call your REST APIs.
Syntax
JSON
{
"BurstLimit" : Integer,
"RateLimit" : Double
}
YAML
BurstLimit: Integer
RateLimit: Double
Properties
BurstLimit
The maximum API request rate limit over a time ranging from one to a few seconds. The maximum
API request rate limit depends on whether the underlying token bucket is at its full capacity. For
more information about request throttling, see Manage API Request Throttling in the API Gateway
Developer Guide.
Required: No
Type: Integer

RateLimit
The API request steady-state rate limit (average requests per second over an extended period of
time). For more information about request throttling, see Manage API Request Throttling in the API
Required: No
Type: Double

744
API Gateway
See Also
AWS::ApiGateway::UsagePlanKey
The AWS::ApiGateway::UsagePlanKey resource associates an API key with a usage plan. This
association determines which users the usage plan is applied to.
Syntax
JSON
{
"Type" : "AWS::ApiGateway::UsagePlanKey",
"Properties" : {
"KeyId" : String,
"KeyType" : String,
"UsagePlanId" : String
}
}
YAML
Type: AWS::ApiGateway::UsagePlanKey
Properties:
KeyId: String
KeyType: String
UsagePlanId: String
Properties
KeyId
The ID of the usage plan key.
Required: Yes
Type: String

KeyType
The type of usage plan key. Currently, the only valid key type is API_KEY.
Required: Yes
Type: String

UsagePlanId
The value of the usage plan key.
Required: Yes

745
API Gateway
Type: String
Examples
Create usage plan key
JSON
{
"usagePlanKey": {
"Type": "AWS::ApiGateway::UsagePlanKey",
"Properties": {
"KeyId": {
"Ref": "myApiKey"
},
"KeyType": "API_KEY",
"UsagePlanId": {
"Ref": "myUsagePlan"
}
}
}
}
YAML
usagePlanKey:
Type: 'AWS::ApiGateway::UsagePlanKey'
Properties:
KeyId: !Ref myApiKey
KeyType: API_KEY
UsagePlanId: !Ref myUsagePlan
See Also
• usageplankey:create in the Amazon API Gateway REST API Reference
AWS::ApiGateway::VpcLink
The AWS::ApiGateway::VpcLink resource creates an API Gateway VPC link for a REST API to access
resources in an Amazon Virtual Private Cloud (VPC). For more information, see vpclink:create in the
Amazon API Gateway REST API Reference.
Syntax
JSON
{
"Type" : "AWS::ApiGateway::VpcLink",
"Properties" : {
"Name" : String,
"TargetArns" : [ String, ... ]
}

746
API Gateway
YAML
Type: AWS::ApiGateway::VpcLink
Properties:
Description: String
Name: String
TargetArns:
- String
Properties
Description
A description of the VPC link.
Required: No
Type: String

Name
A name for the VPC link.
Required: Yes
Type: String

TargetArns
The ARNs of network load balancers of the VPC targeted by the VPC link. The network load
balancers must be owned by the same AWS account of the API owner.
Required: Yes
Return Values
Ref
VpcLink.
Examples
Create VPC link
JSON

747
API Gateway
"Parameters": {
"description": {
"Type": "String"
},
"name": {
"Type": "String"
}
},
"Resources": {
"MyVpcLink": {
"Type": "AWS::ApiGateway::VpcLink",
"Properties": {
"Description": {
},
"Name": {
"Ref": "name"
},
"TargetArns": [
{
"Ref": "MyLoadBalancer"
}
]
}
},
"MyLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Type": "network",
"Subnets": [
{
"Ref": "MySubnet"
}
]
}
},
"MySubnet": {
"Properties": {
"VpcId": {
"Ref": "MyVPC"
},
"CidrBlock": "10.0.0.0/24"
}
},
"MyVPC": {
"Properties": {
"CidrBlock": "10.0.0.0/16"
}
},
"MyInternetGateway": {
"Type": "AWS::EC2::InternetGateway"
},
"MyInternetGatewayAttachment": {
"Properties": {
"VpcId": {
"Ref": "MyVPC"
},
"Ref": "MyInternetGateway"
}
}
}
}

748
API Gateway V2
YAML
Parameters:
description:
Type: String
name:
Type: String
Resources:
MyVpcLink:
Type: AWS::ApiGateway::VpcLink
Properties:
Name: !Ref name
TargetArns:
- !Ref MyLoadBalancer
MyLoadBalancer:
Properties:
Type: network
Subnets:
- !Ref MySubnet
MySubnet:
Properties:
VpcId: !Ref MyVPC
MyVPC:
Type: AWS::EC2::VPC
Properties:
MyInternetGateway:
MyInternetGatewayAttachment:
Properties:
VpcId: !Ref MyVPC
InternetGatewayId: !Ref MyInternetGateway
See Also
• vpclink:create in the Amazon API Gateway REST API Reference
Amazon API Gateway V2 Resource Type Reference

Resource Types
• AWS::ApiGatewayV2::Api (p. 750)

• AWS::ApiGatewayV2::ApiMapping (p. 757)
• AWS::ApiGatewayV2::Authorizer (p. 759)
• AWS::ApiGatewayV2::Deployment (p. 764)
• AWS::ApiGatewayV2::DomainName (p. 766)
• AWS::ApiGatewayV2::Integration (p. 769)
• AWS::ApiGatewayV2::IntegrationResponse (p. 774)
• AWS::ApiGatewayV2::Model (p. 777)
• AWS::ApiGatewayV2::Route (p. 779)

749
API Gateway V2
• AWS::ApiGatewayV2::RouteResponse (p. 784)

• AWS::ApiGatewayV2::Stage (p. 786)
AWS::ApiGatewayV2::Api
The AWS::ApiGatewayV2::Api resource creates an API. WebSocket APIs and HTTP APIs (beta) are
supported. For more information about WebSocket APIs, see About WebSocket APIs in API Gateway
in the API Gateway Developer Guide. For more information about HTTP APIs, see HTTP APIs in the API
Syntax
JSON
{
"Type" : "AWS::ApiGatewayV2::Api",
"Properties" : {
"ApiKeySelectionExpression" : String,
"BasePath" : String,
"Body" : Json,
"BodyS3Location" : BodyS3Location (p. 755),
"CorsConfiguration" : Cors (p. 756),
"CredentialsArn" : String,
"DisableSchemaValidation" : Boolean,
"FailOnWarnings" : Boolean,
"Name" : String,
"ProtocolType" : String,
"RouteKey" : String,
"RouteSelectionExpression" : String,
"Tags" : Json,
"Target" : String,
"Version" : String
}
}
YAML
Type: AWS::ApiGatewayV2::Api
Properties:
ApiKeySelectionExpression: String
BasePath: String
Body: Json
BodyS3Location:
BodyS3Location (p. 755)
CorsConfiguration:
Cors (p. 756)
CredentialsArn: String
Description: String
DisableSchemaValidation: Boolean
FailOnWarnings: Boolean
Name: String
ProtocolType: String
RouteKey: String
RouteSelectionExpression: String
Tags: Json
Target: String
Version: String

750
API Gateway V2
Properties
ApiKeySelectionExpression
An API key selection expression. Supported only for WebSocket APIs. See API Key Selection
Expressions.
Required: No
Type: String

BasePath
Represents the base path of the imported API. Supported only for HTTP APIs.
Required: No
Type: String

Body
The OpenAPI definition. Supported only for HTTP APIs. To import an HTTP API, you must specify a
Body or BodyS3Location.
Type: Json

BodyS3Location
The S3 location of an OpenAPI definition. Supported only for HTTP APIs. To import an HTTP API,
you must specify a Body or BodyS3Location.
Type: BodyS3Location (p. 755)

CorsConfiguration
A CORS configuration. Supported only for HTTP APIs. See Configuring CORS for more information.
Required: No
Type: Cors (p. 756)

CredentialsArn
This property is part of quick create. It specifies the credentials required for the integration, if any.
For a Lambda integration, three options are available. To specify an IAM Role for API Gateway to
assume, use the role's Amazon Resource Name (ARN). To require that the caller's identity be passed
through from the request, specify arn:aws:iam::*:user/*. To use resource-based permissions
on supported AWS services, specify null. Currently, this property is not used for HTTP integrations.
Supported only for HTTP APIs.

751
API Gateway V2
Required: No
Type: String

Description
The description of the API.
Required: No
Type: String

DisableSchemaValidation
Avoid validating models when creating a deployment. Supported only for WebSocket APIs.
Required: No
Type: Boolean

FailOnWarnings
Specifies whether to rollback the API creation (true) or not (false) when a warning is encountered.
The default value is false.
Required: No
Type: Boolean

Name
The name of the API. Required unless you specify an OpenAPI definition for Body or
S3BodyLocation.
Type: String

ProtocolType
The API protocol. Required unless you specify an OpenAPI definition for Body or S3BodyLocation.
Type: String

RouteKey
This property is part of quick create. If you don't specify a routeKey, a default route of $default
is created. The $default route acts as a catch-all for any request made to your API, for a particular
stage. The $default route key can't be modified. You can add routes after creating the API, and you
can update the route keys of additional routes. Supported only for HTTP APIs.
Required: No

752
API Gateway V2
Type: String

RouteSelectionExpression
The route selection expression for the API. For HTTP APIs, the routeSelectionExpression must
be ${request.method} ${request.path}. If not provided, this will be the default for HTTP
APIs. This property is required for WebSocket APIs.
Type: String

Tags
The collection of tags. Each tag element is associated with a given resource.
Required: No
Type: Json

Target
This property is part of quick create. Quick create produces an API with an integration, a default
catch-all route, and a default stage which is configured to automatically deploy changes. For HTTP
integrations, specify a fully qualified URL. For Lambda integrations, specify a function ARN. The type
of the integration will be HTTP_PROXY or AWS_PROXY, respectively. Supported only for HTTP APIs.
Required: No
Type: String

Version
A version identifier for the API.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the API ID, such as
a1bcdef2gh.
Examples
API creation example
The following example creates a WebSocket Api resource called MyApi.

753
API Gateway V2
JSON
{
"MyApi": {
"Type": "AWS::ApiGatewayV2::Api",
"Properties": {
"Name": "MyApi",
"ProtocolType": "WEBSOCKET",
"RouteSelectionExpression": "$request.body.action",
"ApiKeySelectionExpression": "$request.header.x-api-key"
}
}
}
YAML
MyApi:
Type: 'AWS::ApiGatewayV2::Api'
Properties:
Name: MyApi
ProtocolType: WEBSOCKET
RouteSelectionExpression: $request.body.action
ApiKeySelectionExpression: $request.header.x-api-key
Quick create HTTP API
The following example uses quick create to launch an HTTP API Api resource called HttpApi that's
integrated with a Lambda function. Quick create produces an HTTP API with an integration, a default
catch-all route, and a default stage which is configured to automatically deploy changes.
Note
To invoke a Lambda integration, API Gateway must have the required permissions. You can use
a resource-based policy or an IAM role to grant API Gateway permissions to invoke a Lambda
function. To learn more, see AWS Lambda Permissions in the AWS Lambda Developer Guide.
JSON
"HttpApi": {
"Type": "AWS::ApiGatewayV2::Api",
"Properties": {
"Name": "Lambda Proxy",
"Description": "Lambda proxy using quick create",
"ProtocolType": "HTTP",
"Target": "arn:aws:apigateway:{region}:lambda:path/2015-03-31/functions/
arn:aws:lambda:{region}:{account-id}:function:{function-name}/invocations"
}
}
YAML
HttpApi:
Type: AWS::ApiGatewayV2::Api
Properties:
Name: Lambda Proxy
Description: Lambda proxy using quick create
ProtocolType: HTTP
Target: arn:aws:apigateway:{region}:lambda:path/2015-03-31/functions/arn:aws:lambda:
{region}:{account-id}:function:{function-name}/invocations

754
API Gateway V2
See Also
• CreateApi in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::Api BodyS3Location
The BodyS3Location property specifies an S3 location from which to import an OpenAPI definition.
Syntax
JSON
{
"Bucket" : String,
"Etag" : String,
"Key" : String,
"Version" : String
}
YAML
Bucket: String
Etag: String
Key: String
Version: String
Properties
Bucket
The S3 bucket that contains the OpenAPI definition to import. Required if you specify a
BodyS3Location for an API.
Type: String

Etag
The Etag of the S3 object.
Required: No
Type: String

Key
The key of the S3 object. Required if you specify a BodyS3Location for an API.
Type: String

755
API Gateway V2
Version
The version of the S3 object.
Required: No
Type: String
AWS::ApiGatewayV2::Api Cors
The Cors property specifies a CORS configuration for an API. Supported only for HTTP APIs. See
Configuring CORS for more information.
Syntax
JSON
{
"AllowCredentials" : Boolean,
"AllowHeaders" : [ String, ... ],
"AllowMethods" : [ String, ... ],
"AllowOrigins" : [ String, ... ],
"ExposeHeaders" : [ String, ... ],
"MaxAge" : Integer
}
YAML
AllowCredentials: Boolean
AllowHeaders:
- String
AllowMethods:
- String
AllowOrigins:
- String
ExposeHeaders:
- String
MaxAge: Integer
Properties
AllowCredentials
Specifies whether credentials are included in the CORS request. Supported only for HTTP APIs.
Required: No
Type: Boolean

AllowHeaders
Represents a collection of allowed headers. Supported only for HTTP APIs.
Required: No

756
API Gateway V2

AllowMethods
Represents a collection of allowed HTTP methods. Supported only for HTTP APIs.
Required: No

AllowOrigins
Represents a collection of allowed origins. Supported only for HTTP APIs.
Required: No

ExposeHeaders
Represents a collection of exposed headers. Supported only for HTTP APIs.
Required: No

MaxAge
The number of seconds that the browser should cache preflight request results. Supported only for
HTTP APIs.
Required: No
Type: Integer
AWS::ApiGatewayV2::ApiMapping
The AWS::ApiGatewayV2::ApiMapping resource contains an API mapping. An API mapping relates a
path of your custom domain name to a stage of your API. A custom domain name can have multiple API
mappings, but the paths can't overlap. A custom domain can map only to APIs of the same protocol type.
For more information, see CreateApiMapping in the Amazon API Gateway V2 API Reference.
Syntax
JSON
{
"Type" : "AWS::ApiGatewayV2::ApiMapping",
"Properties" : {
"ApiId" : String,
"ApiMappingKey" : String,

757
API Gateway V2
"Stage" : String
}
}
YAML
Type: AWS::ApiGatewayV2::ApiMapping
Properties:
ApiId: String
ApiMappingKey: String
DomainName: String
Stage: String
Properties
ApiId
Required: Yes
Type: String

ApiMappingKey
The API mapping key.
Required: No
Type: String

DomainName
The domain name.
Required: Yes
Type: String

Stage
The API stage.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the API mapping
resource ID.

758
API Gateway V2
Examples
API mapping creation example
The following example creates an ApiMapping resource called MyApiMapping.
JSON
{
"MyApiMapping": {
"Type": "AWS::ApiGatewayV2::ApiMapping",
"Properties": {
"DomainName": "mydomainame.us-east-1.com",
"ApiId": {
"Ref": "MyApi"
},
"Stage": {
"Ref": "MyStage"
}
}
}
}
YAML
MyApiMapping:
Type: 'AWS::ApiGatewayV2::ApiMapping'
Properties:
DomainName: mydomainame.us-east-1.com
ApiId: !Ref MyApi
Stage: !Ref MyStage
See Also
• CreateApiMapping in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::Authorizer
The AWS::ApiGatewayV2::Authorizer resource updates a Lambda authorizer function for a
WebSocket API or a JSON Web Token (JWT) authorizer for an HTTP API. For more information about
Lambda authorizer functions for WebSocket APIs, see Create a Lambda REQUEST Authorizer Function in
the API Gateway Developer Guide. For more information about JWT authorizers for HTTP APIs, see JWT
authorizers in the API Gateway Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ApiGatewayV2::Authorizer",
"Properties" : {
"ApiId" : String,
"AuthorizerCredentialsArn" : String,
"AuthorizerResultTtlInSeconds" : Integer,

759
API Gateway V2
"AuthorizerType" : String,
"AuthorizerUri" : String,
"IdentitySource" : [ String, ... ],
"IdentityValidationExpression" : String,
"JwtConfiguration" : JWTConfiguration (p. 763),
"Name" : String
}
}
YAML
Type: AWS::ApiGatewayV2::Authorizer
Properties:
ApiId: String
AuthorizerCredentialsArn: String
AuthorizerResultTtlInSeconds: Integer
AuthorizerType: String
AuthorizerUri: String
IdentitySource:
- String
IdentityValidationExpression: String
JwtConfiguration:
JWTConfiguration (p. 763)
Name: String
Properties
ApiId
The API identifier.
Required: Yes
Type: String

AuthorizerCredentialsArn
Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer. To
specify an IAM role for API Gateway to assume, use the role's Amazon Resource Name (ARN). To
use resource-based permissions on the Lambda function, specify null. Supported only for REQUEST
authorizers.
Required: No
Type: String

AuthorizerResultTtlInSeconds
Authorizer caching is not currently supported. Don't specify this value for authorizers.
Required: No
Type: Integer

AuthorizerType
The authorizer type. For WebSocket APIs, specify REQUEST for a Lambda function using incoming
request parameters. For HTTP APIs, specify JWT to use JSON Web Tokens.

760
API Gateway V2
Required: Yes
Type: String

AuthorizerUri
The authorizer's Uniform Resource Identifier (URI). For REQUEST authorizers, this must
be a well-formed Lambda function URI, for example, arn:aws:apigateway:us-
west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-
west-2:{account_id}:function:{lambda_function_name}/invocations. In general, the
URI has this form: arn:aws:apigateway:{region}:lambda:path/{service_api} , where
{region} is the same as the region hosting the Lambda function, path indicates that the remaining
substring in the URI should be treated as the path to the resource, including the initial /. For Lambda
functions, this is usually of the form /2015-03-31/functions/[FunctionARN]/invocations.
Required: No
Type: String

IdentitySource
The identity source for which authorization is requested.
For a REQUEST authorizer, this is optional. The value is a set of one or more mapping expressions
of the specified request parameters. Currently, the identity source can be headers, query string
parameters, stage variables, and context parameters. For example, if an Auth header and a Name
query string parameter are defined as identity sources, this value is route.request.header.Auth,
route.request.querystring.Name. These parameters will be used to perform runtime validation for
Lambda-based authorizers by verifying all of the identity-related request parameters are present
in the request, not null, and non-empty. Only when this is true does the authorizer invoke the
authorizer Lambda function. Otherwise, it returns a 401 Unauthorized response without calling the
Lambda function.
For JWT, a single entry that specifies where to extract the JSON Web Token (JWT) from inbound
requests. Currently only header-based and query parameter-based selections are supported, for
example "$request.header.Authorization".
Required: Yes

IdentityValidationExpression
This parameter is not used.
Required: No
Type: String

JwtConfiguration
The JWTConfiguration property specifies the configuration of a JWT authorizer. Required for the
JWT authorizer type. Supported only for HTTP APIs.
Required: No

761
API Gateway V2
Type: JWTConfiguration (p. 763)

Name
The name of the authorizer.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the authorizer's
ID, such as abcde1.
Examples
Authorizer creation example
The following example creates a Lambda authorizer resource for the MyApi API.
JSON
{
"Authorizer": {
"Type": "AWS::ApiGatewayV2::Authorizer",
"Properties": {
"Name": "LambdaAuthorizer",
"ApiId": {
"Ref": "MyApi"
},
"AuthorizerType": "REQUEST",
"AuthorizerCredentialsArn": "Arn",
"AuthorizerUri": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":apigateway:",
{
},
"/invocations"
]
]
},
"AuthorizerResultTtlInSeconds": 500,
"IdentitySource": [
"route.request.header.Auth"
]
}

762
API Gateway V2
}
}
YAML
Authorizer:
Type: 'AWS::ApiGatewayV2::Authorizer'
Properties:
Name: LambdaAuthorizer
ApiId: !Ref MyApi
AuthorizerType: REQUEST
AuthorizerCredentialsArn: Arn
AuthorizerUri: !Join
- ''
- - 'arn:'
- !Ref 'AWS::Partition'
- ':apigateway:'
- /invocations
AuthorizerResultTtlInSeconds: 500
IdentitySource:
- route.request.header.Auth
See Also
• CreateAuthorizer in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::Authorizer JWTConfiguration
The JWTConfiguration property specifies the configuration of a JWT authorizer. Required for the JWT
authorizer type. Supported only for HTTP APIs.
Syntax
JSON
{
"Audience" : [ String, ... ],
"Issuer" : String
}
YAML
Audience:
- String
Issuer: String
Properties
Audience
A list of the intended recipients of the JWT. A valid JWT must provide an aud that matches at least
one entry in this list. See RFC 7519. Supported only for HTTP APIs.
Required: No

763
API Gateway V2

Issuer
The base domain of the identity provider that issues JSON Web Tokens. For example,
an Amazon Cognito user pool has the following format: https://cognito-
idp.{region}.amazonaws.com/{userPoolId} . Required for the JWT authorizer type.
Required: No
Type: String
AWS::ApiGatewayV2::Deployment
The AWS::ApiGatewayV2::Deployment resource creates a deployment for an API.
Syntax
JSON
{
"Type" : "AWS::ApiGatewayV2::Deployment",
"Properties" : {
"ApiId" : String,
}
}
YAML
Type: AWS::ApiGatewayV2::Deployment
Properties:
ApiId: String
Description: String
StageName: String
Properties
ApiId
Required: Yes
Type: String

Description
The description for the deployment resource.

764
API Gateway V2
Required: No
Type: String

StageName
The name of the Stage resource for the Deployment resource to create.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the deployment
ID, such as 123abc.
Examples
Deployment creation example
The following example creates a deployment resource for the MyApi API, which has the MyRoute route
defined.
JSON
{
"Deployment": {
"Type": "AWS::ApiGatewayV2::Deployment",
"DependsOn": [
"MyRoute"
],
"Properties": {
"ApiId": {
"Ref": "MyApi"
},
"StageName": "Beta"
}
}
}
YAML
Deployment:
Type: 'AWS::ApiGatewayV2::Deployment'
DependsOn:
- MyRoute
Properties:
ApiId: !Ref MyApi
StageName: Beta

765
API Gateway V2
See Also
• CreateDeployment in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::DomainName
The AWS::ApiGatewayV2::DomainName resource specifies a custom domain name for your API in
Amazon API Gateway (API Gateway).
You can use a custom domain name to provide a URL that's more intuitive and easier to recall. For more
information about using custom domain names, see Set up Custom Domain Name for an API in API
Syntax
JSON
{
"Type" : "AWS::ApiGatewayV2::DomainName",
"Properties" : {
"DomainNameConfigurations" : [ DomainNameConfiguration (p. 768), ... ],
"Tags" : Json
}
}
YAML
Type: AWS::ApiGatewayV2::DomainName
Properties:
DomainName: String
DomainNameConfigurations:
- DomainNameConfiguration (p. 768)
Tags: Json
Properties
DomainName
The custom domain name for your API in Amazon API Gateway. Uppercase letters are not supported.
Required: Yes
Type: String

DomainNameConfigurations
The domain name configurations.
Required: No
Type: List of DomainNameConfiguration (p. 768)

766
API Gateway V2
Tags
The collection of tags associated with a domain name.
Required: No
Type: Json
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the domain name,
such as example.mydomain.com.
Fn::GetAtt
RegionalDomainName
The domain name associated with the regional endpoint for this custom domain name. You set
up this association by adding a DNS record that points the custom domain name to this regional
domain name.
RegionalHostedZoneId
The region-specific Amazon Route 53 Hosted Zone ID of the regional endpoint.
Examples
Domain name creation example
The following example creates a DomainName resource called MyDomainName.
JSON
{
"MyDomainName": {
"Type": "AWS::ApiGatewayV2::DomainName",
"Properties": {
"DomainName": "mydomainame.us-east-1.com",
"DomainNameConfigurations": [
{
"EndpointType": "REGIONAL",
"CertificateArn": "arn:aws:acm:us-
east-1:123456789012:certificate/1a2b3c4d-aaaa-aaaa-aaaa-1a2b3c4d5e6f",
"CertificateName": "testCertificate"
}
]
}
}
}

767
API Gateway V2
YAML
MyDomainName:
Type: 'AWS::ApiGatewayV2::DomainName'
Properties:
DomainName: mydomainame.us-east-1.com
DomainNameConfigurations:
- EndpointType: REGIONAL
CertificateArn: >-
arn:aws:acm:us-east-1:123456789012:certificate/1a2b3c4d-aaaa-aaaa-
aaaa-1a2b3c4d5e6f
CertificateName: testCertificate
See Also
• CreateDomainName in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::DomainName DomainNameConfiguration
The DomainNameConfiguration property type specifies the configuration for a an API's domain name.
DomainNameConfiguration is a property of the AWS::ApiGatewayV2::DomainName resource.
Syntax
JSON
{
"CertificateName" : String,
"EndpointType" : String
}
YAML
CertificateName: String
EndpointType: String
Properties
CertificateArn
An AWS-managed certificate that will be used by the edge-optimized endpoint for this domain
name. AWS Certificate Manager is the only supported source.
Required: No
Type: String

CertificateName
The user-friendly name of the certificate that will be used by the edge-optimized endpoint for this
domain name.

768
API Gateway V2
Required: No
Type: String

EndpointType
The endpoint type.
Required: No
Type: String
See Also
• DomainNameConfiguration in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::Integration
The AWS::ApiGatewayV2::Integration resource creates an integration for an API.
Syntax
JSON
{
"Type" : "AWS::ApiGatewayV2::Integration",
"Properties" : {
"ApiId" : String,
"ContentHandlingStrategy" : String,
"CredentialsArn" : String,
"IntegrationMethod" : String,
"IntegrationType" : String,
"IntegrationUri" : String,
"PassthroughBehavior" : String,
"PayloadFormatVersion" : String,
"RequestParameters" : Json,
"RequestTemplates" : Json,
"TemplateSelectionExpression" : String,
"TimeoutInMillis" : Integer
}
}
YAML
Type: AWS::ApiGatewayV2::Integration
Properties:
ApiId: String
ContentHandlingStrategy: String
CredentialsArn: String
Description: String
IntegrationMethod: String

769
API Gateway V2
IntegrationType: String
IntegrationUri: String
PassthroughBehavior: String
PayloadFormatVersion: String
RequestParameters: Json
RequestTemplates: Json
TemplateSelectionExpression: String
TimeoutInMillis: Integer
Properties
ApiId
Required: Yes
Type: String

ConnectionType
The type of the network connection to the integration endpoint. Currently the only valid value is
INTERNET, for connections through the public routable internet.
Required: No
Type: String

ContentHandlingStrategy
Supported only for WebSocket APIs. Specifies how to handle response payload content type
conversions. Supported values are CONVERT_TO_BINARY and CONVERT_TO_TEXT, with the
following behaviors:
CONVERT_TO_BINARY: Converts a response payload from a Base64-encoded string to the

corresponding binary blob.
CONVERT_TO_TEXT: Converts a response payload from a binary blob to a Base64-encoded string.
If this property is not defined, the response payload will be passed through from the integration
response to the route response or method response without modification.
Required: No
Type: String

CredentialsArn
Specifies the credentials required for the integration, if any. For AWS integrations, three options are
available. To specify an IAM Role for API Gateway to assume, use the role's Amazon Resource Name
(ARN). To require that the caller's identity be passed through from the request, specify the string
arn:aws:iam::*:user/*. To use resource-based permissions on supported AWS services, specify
null.
Required: No
Type: String

770
API Gateway V2

Description
The description of the integration.
Required: No
Type: String

IntegrationMethod
Specifies the integration's HTTP method type.
Required: No
Type: String

IntegrationType
The integration type of an integration. One of the following:
AWS: for integrating the route or method request with an AWS service action, including the Lambda
function-invoking action. With the Lambda function-invoking action, this is referred to as the
Lambda custom integration. With any other AWS service action, this is known as AWS integration.
Supported only for WebSocket APIs.
AWS_PROXY: for integrating the route or method request with the Lambda function-invoking action
with the client request passed through as-is. This integration is also referred to as Lambda proxy
integration.
HTTP: for integrating the route or method request with an HTTP endpoint. This integration is also
referred to as the HTTP custom integration. Supported only for WebSocket APIs.
HTTP_PROXY: for integrating route or method request with an HTTP endpoint, with the client
request passed through as-is. This is also referred to as HTTP proxy integration.
MOCK: for integrating the route or method request with API Gateway as a "loopback" endpoint
without invoking any backend. Supported only for WebSocket APIs.
Required: Yes
Type: String

IntegrationUri
For a Lambda proxy integration, this is the URI of the Lambda function.
Required: No
Type: String

PassthroughBehavior
Specifies the pass-through behavior for incoming requests based on the Content-Type header in
the request, and the available mapping templates specified as the requestTemplates property on

771
API Gateway V2
the Integration resource. There are three valid values: WHEN_NO_MATCH, WHEN_NO_TEMPLATES,
and NEVER. Supported only for WebSocket APIs.
WHEN_NO_MATCH passes the request body for unmapped content types through to the integration
backend without transformation.
NEVER rejects unmapped content types with an HTTP 415 Unsupported Media Type response.
WHEN_NO_TEMPLATES allows pass-through when the integration has no content types mapped to
templates. However, if there is at least one content type defined, unmapped content types will be
rejected with the same HTTP 415 Unsupported Media Type response.
Required: No
Type: String

PayloadFormatVersion
Specifies the format of the payload sent to an integration. Required for HTTP APIs. Currently, the
only supported value is 1.0.
Required: No
Type: String

RequestParameters
A key-value map specifying request parameters that are passed from the method request to the
backend. The key is an integration request parameter name and the associated value is a method
request parameter value or static value that must be enclosed within single quotes and pre-encoded
as required by the backend. The method request parameter value must match the pattern of
method.request.{location}.{name} , where {location} is querystring, path, or
header; and {name} must be a valid and unique method request parameter name. Supported
only for WebSocket APIs.
Required: No
Type: Json

RequestTemplates
Represents a map of Velocity templates that are applied on the request payload based on the value
of the Content-Type header sent by the client. The content type value is the key in this map, and the
template (as a String) is the value. Supported only for WebSocket APIs.
Required: No
Type: Json

TemplateSelectionExpression
The template selection expression for the integration. Supported only for WebSocket APIs.
Required: No
Type: String

772
API Gateway V2

TimeoutInMillis
Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000 milliseconds or 29
seconds for WebSocket APIs. The default value is 5,000 milliseconds, or 5 seconds for HTTP APIs.
Required: No
Type: Integer
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Integration
resource ID, such as abcd123.
Examples
Integration creation example
The following example creates an integration resource named MyIntegration for the MyApi API,
whose credentials are specified by MyCredentialsArn.
JSON
{
"MyIntegration": {
"Type": "AWS::ApiGatewayV2::Integration",
"Properties": {
"ApiId": {
"Ref": "MyApi"
},
"Description": "Lambda Integration",
"IntegrationType": "AWS",
"IntegrationUri": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":apigateway:",
{
},
{
"Ref": "MyLambdaFunction"
},
"/invocations"
]
]
},
"CredentialsArn": "MyCredentialsArn",
"IntegrationMethod": "GET",

773
API Gateway V2
"ConnectionType": "INTERNET"
}
}
}
YAML
MyIntegration:
Type: 'AWS::ApiGatewayV2::Integration'
Properties:
ApiId: !Ref MyApi
Description: Lambda Integration
IntegrationType: AWS
IntegrationUri: !Join
- ''
- - 'arn:'
- !Ref 'AWS::Partition'
- ':apigateway:'
- !Ref MyLambdaFunction
- /invocations
CredentialsArn: MyCredentialsArn
IntegrationMethod: GET
ConnectionType: INTERNET
See Also
• CreateIntegration in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::IntegrationResponse
The AWS::ApiGatewayV2::IntegrationResponse resource updates an integration response for an
WebSocket API. For more information, see Set up WebSocket API Integration Responses in API Gateway
in the API Gateway Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ApiGatewayV2::IntegrationResponse",
"Properties" : {
"ApiId" : String,
"ContentHandlingStrategy" : String,
"IntegrationId" : String,
"IntegrationResponseKey" : String,
"ResponseParameters" : Json,
"ResponseTemplates" : Json,
"TemplateSelectionExpression" : String
}
}
YAML
Type: AWS::ApiGatewayV2::IntegrationResponse
Properties:

774
API Gateway V2
ApiId: String
ContentHandlingStrategy: String
IntegrationId: String
IntegrationResponseKey: String
ResponseParameters: Json
ResponseTemplates: Json
TemplateSelectionExpression: String
Properties
ApiId
Required: Yes
Type: String

ContentHandlingStrategy
Supported only for WebSocket APIs. Specifies how to handle response payload content type
conversions. Supported values are CONVERT_TO_BINARY and CONVERT_TO_TEXT, with the
following behaviors:
CONVERT_TO_BINARY: Converts a response payload from a Base64-encoded string to the

corresponding binary blob.
CONVERT_TO_TEXT: Converts a response payload from a binary blob to a Base64-encoded string.
If this property is not defined, the response payload will be passed through from the integration
response to the route response or method response without modification.
Required: No
Type: String

IntegrationId
The integration ID.
Required: Yes
Type: String

IntegrationResponseKey
The integration response key.
Required: Yes
Type: String

ResponseParameters
A key-value map specifying response parameters that are passed to the method response from
the backend. The key is a method response header parameter name and the mapped value is
an integration response header value, a static value enclosed within a pair of single quotes, or a

775
API Gateway V2
JSON expression from the integration response body. The mapping key must match the pattern
of method.response.header.{name} , where name is a valid and unique header name. The
mapped non-static value must match the pattern of integration.response.header.{name}
or integration.response.body.{JSON-expression} , where {name} is a valid and unique
response header name and {JSON-expression} is a valid JSON expression without the $ prefix.
Required: No
Type: Json

ResponseTemplates
The collection of response templates for the integration response as a string-to-string map of key-
value pairs. Response templates are represented as a key/value map, with a content-type as the key
and a template as the value.
Required: No
Type: Json

TemplateSelectionExpression
The template selection expression for the integration response. Supported only for WebSocket APIs.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the integration
response resource ID, such as abcd123.
Examples
Integration response creation example
The following example creates an IntegrationResponse resource for an API named MyApi that has
an integration resource called MyIntegration.
JSON
{
"IntegrationResponse": {
"Type": "AWS::ApiGatewayV2::IntegrationResponse",
"Properties": {
"IntegrationId": {
"Ref": "MyIntegration"
},
"IntegrationResponseKey": "/400/",
"ApiId": {
"Ref": "MyApi"

776
API Gateway V2
}
}
}
}
YAML
IntegrationResponse:
Type: 'AWS::ApiGatewayV2::IntegrationResponse'
Properties:
IntegrationId: !Ref MyIntegration
IntegrationResponseKey: /400/
ApiId: !Ref MyApi
See Also
• CreateIntegrationResponse in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::Model
The AWS::ApiGatewayV2::Model resource updates data model for a WebSocket API. For more
information, see Model Selection Expressions in the API Gateway Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ApiGatewayV2::Model",
"Properties" : {
"ApiId" : String,
"Name" : String,
"Schema" : Json
}
}
YAML
Type: AWS::ApiGatewayV2::Model
Properties:
ApiId: String
ContentType: String
Description: String
Name: String
Schema: Json
Properties
ApiId
Required: Yes

777
API Gateway V2
Type: String

ContentType
The content-type for the model, for example, "application/json".
Required: No
Type: String

Description
The description of the model.
Required: No
Type: String

Name
The name of the model.
Required: Yes
Type: String

Schema
The schema for the model. For application/json models, this should be JSON schema draft 4 model.
Required: Yes
Type: Json
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the model ID,
such as abc123.
Examples
Model creation example
The following example creates a model resource called MyModel for an API called MyApi.
JSON
{
"MyModel": {

778
API Gateway V2
"Type": "AWS::ApiGatewayV2::Model",
"Properties": {
"Name": "ModelName",
"ApiId": {
"Ref": "MyApi"
},
"ContentType": "application/json",
"Schema": {
"$schema": "http://json-schema.org/draft-04/schema#",
"title": "DummySchema",
"type": "object",
"properties": {
"id": {
"type": "string"
}
}
}
}
}
}
YAML
MyModel:
Type: 'AWS::ApiGatewayV2::Model'
Properties:
Name: ModelName
ApiId: !Ref MyApi
ContentType: application/json
Schema:
$schema: 'http://json-schema.org/draft-04/schema#'
title: DummySchema
type: object
properties:
id:
type: string
See Also
• CreateModel in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::Route
The AWS::ApiGatewayV2::Route resource creates a route for an API.
Syntax
JSON
{
"Type" : "AWS::ApiGatewayV2::Route",
"Properties" : {
"ApiId" : String,
"ApiKeyRequired" : Boolean,
"AuthorizationScopes" : [ String, ... ],
"AuthorizerId" : String,
"ModelSelectionExpression" : String,

779
API Gateway V2
"OperationName" : String,
"RequestModels" : Json,
"RequestParameters" : Json,
"RouteKey" : String,
"RouteResponseSelectionExpression" : String,
"Target" : String
}
}
YAML
Type: AWS::ApiGatewayV2::Route
Properties:
ApiId: String
ApiKeyRequired: Boolean
AuthorizationScopes:
- String
AuthorizerId: String
ModelSelectionExpression: String
OperationName: String
RequestModels: Json
RequestParameters: Json
RouteKey: String
RouteResponseSelectionExpression: String
Target: String
Properties
ApiId
Required: Yes
Type: String

ApiKeyRequired
Specifies whether an API key is required for the route. Supported only for WebSocket APIs.
Required: No
Type: Boolean

AuthorizationScopes
The authorization scopes supported by this route.
Required: No

AuthorizationType
The authorization type for the route. For WebSocket APIs, valid values are NONE for open access,
AWS_IAM for using AWS IAM permissions, and CUSTOM for using a Lambda authorizer For HTTP APIs,
valid values are NONE for open access, or JWT for using JSON Web Tokens.

780
API Gateway V2
Required: No
Type: String

AuthorizerId
The identifier of the Authorizer resource to be associated with this route. The authorizer identifier
is generated by API Gateway when you created the authorizer.
Required: No
Type: String

ModelSelectionExpression
The model selection expression for the route. Supported only for WebSocket APIs.
Required: No
Type: String

OperationName
The operation name for the route.
Required: No
Type: String

RequestModels
The request models for the route. Supported only for WebSocket APIs.
Required: No
Type: Json

RequestParameters
The request parameters for the route. Supported only for WebSocket APIs.
Required: No
Type: Json

RouteKey
The route key for the route.
Required: Yes
Type: String

781
API Gateway V2
RouteResponseSelectionExpression
The route response selection expression for the route. Supported only for WebSocket APIs.
Required: No
Type: String

Target
The target for the route.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Route
resource ID, such as abcd123.
Examples
Route creation example
The following example creates a route resource called MyRoute for a WebSocket API called MyAPI
that already has an integration resource called MyIntegration. The route has a route key value of
routekey1.
JSON
{
"MyRoute": {
"Type": "AWS::ApiGatewayV2::Route",
"DependsOn": [
"MyIntegration"
],
"Properties": {
"ApiId": {
"Ref": "MyApi"
},
"RouteKey": "routekey1",
"Target": {
"Fn::Join": [
"/",
[
"integrations",
{
"Ref": "MyIntegration"
}
]
]

782
API Gateway V2
}
}
}
}
YAML
MyRoute:
Type: 'AWS::ApiGatewayV2::Route'
DependsOn:
- MyIntegration
Properties:
ApiId: !Ref MyApi
RouteKey: routekey1
Target: !Join
- /
- - integrations
- !Ref MyIntegration
See Also
• CreateRoute in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::Route ParameterConstraints
Specifies whether the parameter is required.
Syntax
JSON
{
"Required" : Boolean
}
YAML
Required: Boolean
Properties
Required
Required: Yes
Type: Boolean
See Also
• Routes in the Amazon API Gateway Version 2 API Reference

783
API Gateway V2
AWS::ApiGatewayV2::RouteResponse
The AWS::ApiGatewayV2::RouteResponse resource creates a route response for a WebSocket
API. For more information, see Set up Route Responses for a WebSocket API in API Gateway in the API
Syntax
JSON
{
"Type" : "AWS::ApiGatewayV2::RouteResponse",
"Properties" : {
"ApiId" : String,
"ModelSelectionExpression" : String,
"ResponseModels" : Json,
"ResponseParameters" : Json,
"RouteId" : String,
"RouteResponseKey" : String
}
}
YAML
Type: AWS::ApiGatewayV2::RouteResponse
Properties:
ApiId: String
ModelSelectionExpression: String
ResponseModels: Json
ResponseParameters: Json
RouteId: String
RouteResponseKey: String
Properties
ApiId
Required: Yes
Type: String

ModelSelectionExpression
The model selection expression for the route response. Supported only for WebSocket APIs.
Required: No
Type: String

ResponseModels
The response models for the route response.
Required: No

784
API Gateway V2
Type: Json

ResponseParameters
The route response parameters.
Required: No
Type: Json

RouteId
The route ID.
Required: Yes
Type: String

RouteResponseKey
The route response key.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Route
Response resource ID, such as abc123.
Examples
Route response creation example
The following example creates a RouteResponse resource for a WebSocket API called MyApi that
already has an integration called MyIntegration and a route called MyRoute.
JSON
{
"MyRouteResponse": {
"Type": "AWS::ApiGatewayV2::RouteResponse",
"Properties": {
"RouteId": {
"Ref": "MyRoute"
},
"ApiId": {
"Ref": "MyApi"
},

785
API Gateway V2
"RouteResponseKey": "$default"
}
}
}
YAML
MyRouteResponse:
Type: 'AWS::ApiGatewayV2::RouteResponse'
Properties:
RouteId: !Ref MyRoute
ApiId: !Ref MyApi
RouteResponseKey: $default
See Also
• CreateRouteResponse in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::RouteResponse ParameterConstraints
Syntax
JSON
{
"Required" : Boolean
}
YAML
Required: Boolean
Properties
Required
Required: Yes
Type: Boolean
See Also
• RouteResponses in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::Stage
The AWS::ApiGatewayV2::Stage resource updates a stage for an API.

786
API Gateway V2
Syntax
JSON
{
"Type" : "AWS::ApiGatewayV2::Stage",
"Properties" : {
"AccessLogSettings" : AccessLogSettings (p. 790),
"ApiId" : String,
"AutoDeploy" : Boolean,
"DefaultRouteSettings" : RouteSettings (p. 791),
"RouteSettings" : Json (p. 791),
"StageName" : String,
"StageVariables" : Json,
"Tags" : Json
}
}
YAML
Type: AWS::ApiGatewayV2::Stage
Properties:
AccessLogSettings:
AccessLogSettings (p. 790)
ApiId: String
AutoDeploy: Boolean
DefaultRouteSettings:
RouteSettings (p. 791)
Description: String
RouteSettings: Json (p. 791)
StageName: String
StageVariables: Json
Tags: Json
Properties
AccessLogSettings
Settings for logging access in this stage.
Required: No
Type: AccessLogSettings (p. 790)

ApiId
Required: Yes
Type: String

787
API Gateway V2
AutoDeploy
Specifies whether updates to an API automatically trigger a new deployment. The default value is
false.
Required: No
Type: Boolean

ClientCertificateId
The identifier of a client certificate for a Stage. Supported only for WebSocket APIs.
Required: No
Type: String

DefaultRouteSettings
The default route settings for the stage.
Required: No
Type: RouteSettings (p. 791)

DeploymentId
The deployment identifier for the API stage. Can't be updated if autoDeploy is enabled.
Required: No
Type: String

Description
The description for the API stage.
Required: No
Type: String

RouteSettings
Route settings for the stage.
Required: No
Type: Json (p. 791)

StageName
The stage name. Stage names can only contain alphanumeric characters, hyphens, and underscores.
Maximum length is 128 characters.

788
API Gateway V2
Required: Yes
Type: String

StageVariables
A map that defines the stage variables for a Stage. Variable names can have alphanumeric and
underscore characters, and the values must match [A-Za-z0-9-._~:/?#&=,]+. Supported only for
WebSocket APIs.
Required: No
Type: Json

Tags
The collection of tags. Each tag element is associated with a given resource.
Required: No
Type: Json
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the stage name,
such as MyTestStage.
Examples
Stage creation example
The following example creates a stage resource called MyStage and associates it with an existing
deployment called MyDeployment.
JSON
{
"MyStage": {
"Type": "AWS::ApiGatewayV2::Stage",
"Properties": {
"StageName": "Prod",
"Description": "Prod Stage",
"DeploymentId": {
"Ref": "MyDeployment"
},
"ApiId": {
"Ref": "CFNWebSocket"
},
"DefaultRouteSettings": {
"DetailedMetricsEnabled": true,

789
API Gateway V2
"LoggingLevel": "INFO",
"DataTraceEnabled": true,
"ThrottlingBurstLimit": 10,
"ThrottlingRateLimit": 10
},
"AccessLogSettings": {
"DestinationArn": "arn:aws:logs:us-east-1:123456789:log-group:my-log-
group",
"Format": "{\"requestId\":\"$context.requestId\", \"ip\":
\"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":
\"$context.identity.user\",\"requestTime\":\"$context.requestTime\", \"eventType\":
\"$context.eventType\",\"routeKey\":\"$context.routeKey\", \"status\":\"$context.status\",
\"connectionId\":\"$context.connectionId\"}"
}
}
}
}
YAML
MyStage:
Type: 'AWS::ApiGatewayV2::Stage'
Properties:
StageName: Prod
Description: Prod Stage
DeploymentId: !Ref MyDeployment
ApiId: !Ref CFNWebSocket
DefaultRouteSettings:
DetailedMetricsEnabled: true
LoggingLevel: INFO
DataTraceEnabled: true
ThrottlingBurstLimit: 10
ThrottlingRateLimit: 10
AccessLogSettings:
DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
Format: >-
{"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
"caller":"$context.identity.caller",
"user":"$context.identity.user","requestTime":"$context.requestTime",
"eventType":"$context.eventType","routeKey":"$context.routeKey",
"status":"$context.status","connectionId":"$context.connectionId"}
See Also
• CreateStage in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::Stage AccessLogSettings
Settings for logging access in a stage.
Syntax
JSON
{
"Format" : String
}

790
API Gateway V2
YAML
Format: String
Properties
DestinationArn
The ARN of the CloudWatch Logs log group to receive access logs.
Required: No
Type: String

Format
Required: No
Type: String
See Also
• Stages in the Amazon API Gateway Version 2 API Reference
AWS::ApiGatewayV2::Stage RouteSettings
Represents a collection of route settings.
Syntax
JSON
{
"DetailedMetricsEnabled" : Boolean,
}
YAML
DetailedMetricsEnabled: Boolean

791
Application Auto Scaling
Properties
DataTraceEnabled
Specifies whether (true) or not (false) data trace logging is enabled for this route. This property
affects the log entries pushed to Amazon CloudWatch Logs. Supported only for WebSocket APIs.
Required: No
Type: Boolean

DetailedMetricsEnabled
Specifies whether detailed metrics are enabled.
Required: No
Type: Boolean

LoggingLevel
Specifies the logging level for this route: INFO, ERROR, or OFF. This property affects the log entries
pushed to Amazon CloudWatch Logs. Supported only for WebSocket APIs.
Required: No
Type: String

Specifies the throttling burst limit. Supported only for WebSocket APIs.
Required: No
Type: Integer

ThrottlingRateLimit
Specifies the throttling rate limit. Supported only for WebSocket APIs.
Required: No
Type: Double
See Also
• Stages in the Amazon API Gateway Version 2 API Reference
Application Auto Scaling Resource Type Reference

Resource Types
• AWS::ApplicationAutoScaling::ScalableTarget (p. 793)

792
• AWS::ApplicationAutoScaling::ScalingPolicy (p. 803)
AWS::ApplicationAutoScaling::ScalableTarget
The AWS::ApplicationAutoScaling::ScalableTarget resource specifies a resource that
Application Auto Scaling can scale.
For more information, see RegisterScalableTarget in the Application Auto Scaling API Reference.
Syntax
JSON
{
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : Integer,
"MinCapacity" : Integer,
"RoleARN" : String,
"ScalableDimension" : String,
"ScheduledActions" : [ ScheduledAction (p. 801), ... ],
"ServiceNamespace" : String,
"SuspendedState" : SuspendedState (p. 802)
}
}
YAML
Properties:
MaxCapacity: Integer
MinCapacity: Integer
ResourceId: String
RoleARN: String
ScalableDimension: String
ScheduledActions:
- ScheduledAction (p. 801)
ServiceNamespace: String
SuspendedState:
SuspendedState (p. 802)
Properties
MaxCapacity
The maximum value to scale to in response to a scale-out event.
Required: Yes
Type: Integer

MinCapacity
The minimum value to scale to in response to a scale-in event.
Required: Yes

793
Type: Integer

ResourceId
The resource identifier to associate with this scalable target. This string consists of the resource type
and unique identifier. For valid values, see the ResourceId parameter for RegisterScalableTarget in
the Application Auto Scaling API Reference.
Required: Yes
Type: String

RoleARN
Specify the Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role
that allows Application Auto Scaling to modify the scalable target on your behalf. This can be either
an IAM service role that Application Auto Scaling can assume to make calls to other AWS resources
on your behalf, or a service-linked role for the specified service. For more information, see Service-
Linked Roles in the Application Auto Scaling User Guide.
To automatically create a service-linked role, specify the full ARN of the service-linked role in your
stack template. For examples of the ARN format, see the Examples section at the bottom of this
page and in AWS::ApplicationAutoScaling::ScalingPolicy.
Required: Yes
Type: String

ScalableDimension
The scalable dimension that is associated with the scalable target. Specify the service namespace,
resource type, and scaling property, for example, ecs:service:DesiredCount for the desired
task count of an Amazon ECS service. For valid values, see the ScalableDimension parameter for
RegisterScalableTarget in the Application Auto Scaling API Reference.
Required: Yes
Type: String

ScheduledActions
The scheduled actions for the scalable target. Duplicates aren't allowed.
For more information about using scheduled scaling, see Scheduled Scaling in the Application Auto
Scaling User Guide.
Required: No
Type: List of ScheduledAction (p. 801)

ServiceNamespace
The namespace of the AWS service that provides the resource or custom-resource for a resource
provided by your own application or service. For valid values, see the ServiceNamespace
parameter for RegisterScalableTarget in the Application Auto Scaling API Reference.

794
Required: Yes
Type: String

SuspendedState
An embedded object that contains attributes and attribute values that are used to suspend and
resume automatic scaling. Setting the value of an attribute to true suspends the specified scaling
activities. Setting it to false (default) resumes the specified scaling activities.
Suspension Outcomes
• For DynamicScalingInSuspended, while a suspension is in effect, all scale-in activities that are
triggered by a scaling policy are suspended.
• For DynamicScalingOutSuspended, while a suspension is in effect, all scale-out activities that
are triggered by a scaling policy are suspended.
• For ScheduledScalingSuspended, while a suspension is in effect, all scaling activities that
involve scheduled actions are suspended.
For more information, see Suspending and Resuming Scaling in the Application Auto Scaling User
Guide.
Required: No
Type: SuspendedState (p. 802)
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the AWS
CloudFormation-generated ID of the resource. For example: service/ecsStack-MyECSCluster-
AB12CDE3F4GH/ecsStack-MyECSService-AB12CDE3F4GH|ecs:service:DesiredCount|ecs.
AWS CloudFormation uses the following format to generate the ID:

service/resource_ID|scalable_dimension|service_namespace .
Examples
Each scalable target has a service namespace, scalable dimension, and resource ID, as well as values for
minimum and maximum capacity.
Register a Scalable Target

The following example creates a scalable target for an AWS::AppStream::Fleet. Application Auto Scaling
can scale the number of fleet instances at a minimum of 1 instance and a maximum of 20.
To register a different resource supported by Application Auto Scaling, specify its namespace
in ServiceNamespace, its scalable dimension in ScalableDimension, and its resource ID in
ResourceId. For examples, see Examples for registering scalable targets in the AWS CLI Command
Reference.
JSON

795
"ScalableTarget":{
"Properties":{
"MaxCapacity":20,
"MinCapacity":1,
"RoleARN": "arn:aws:iam::012345678910:role/aws-service-role/appstream.application-
autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet",
"ServiceNamespace":"appstream",
"ScalableDimension":"appstream:fleet:DesiredCapacity",
"ResourceId":"fleet/sample-fleet"
}
}
}
YAML
ScalableTarget:
Properties:
MaxCapacity: 20
MinCapacity: 1
RoleARN: arn:aws:iam::012345678910:role/aws-service-role/appstream.application-
autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet
ServiceNamespace: appstream
ScalableDimension: appstream:fleet:DesiredCapacity
ResourceId: fleet/sample-fleet
Spot Fleet with a Scheduled Action

The following example registers an AWS::EC2::SpotFleet as a scalable target and creates a scheduled
action. It also uses the Fn::Join and Ref intrinsic functions to construct the ResourceId property of the
scaling target.
JSON
{
"SpotFleetScalableTarget":{
"Properties":{
"MaxCapacity":2,
"MinCapacity":1,
"RoleARN":"arn:aws:iam::012345678910:role/aws-service-role/ec2.application-
autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest",
"ServiceNamespace":"ec2",
"ScalableDimension":"ec2:spot-fleet-request:TargetCapacity",
"ResourceId":{
"Fn::Join":[
"/",
[
"spot-fleet-request",
{
"Ref":"ECSSpotFleet"
}
]
]
},
"ScheduledActions":[
{
"EndTime":"2019-12-31T12:00:00.000Z",
"ScalableTargetAction":{
"MaxCapacity":"20",
"MinCapacity":"5"
},

796
"ScheduledActionName":"First",
"StartTime":"2019-12-25T12:00:00.000Z",
"Schedule":"cron(0 18 * * ? *)"
}
]
}
}
}
YAML
SpotFleetScalableTarget:
Properties:
MaxCapacity: 2
MinCapacity: 1
RoleARN: arn:aws:iam::012345678910:role/aws-service-role/ec2.application-
autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest
ServiceNamespace: ec2
ScalableDimension: 'ec2:spot-fleet-request:TargetCapacity'
ResourceId: !Join
- /
- - spot-fleet-request
- !Ref ECSSpotFleet
ScheduledActions:
- EndTime: '2019-12-31T12:00:00.000Z'
ScalableTargetAction:
MaxCapacity: '20'
MinCapacity: '5'
ScheduledActionName: First
StartTime: '2019-12-25T12:00:00.000Z'
Schedule: 'cron(0 18 * * ? *)'
Amazon DynamoDB
This example registers the read and write capacity (throughput) of an AWS::DynamoDB::Table and its
global secondary index as scalable targets.
JSON
{
"Resources" : {
"DDBTable" : {
"Type" : "AWS::DynamoDB::Table",
"Properties" : {
"AttributeDefinitions" : [
{
"AttributeName" : "id",
"AttributeType" : "S"
}
],
"KeySchema" : [
{
"KeyType" : "HASH"
}
],
"ProvisionedThroughput" : {
"ReadCapacityUnits" : "5",
"WriteCapacityUnits" : "5"
},
"GlobalSecondaryIndexes" : [{
"IndexName" : "GSI",

797
"KeySchema" : [
{
"KeyType" : "HASH"
}
],
"Projection" : {
"ProjectionType" : "KEYS_ONLY"
},
}
}]
}
},
"WriteCapacityScalableTarget":{
"Properties":{
"MaxCapacity":100,
"MinCapacity":5,
"RoleARN":"arn:aws:iam::012345678910:role/aws-service-role/dynamodb.application-
autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
"ServiceNamespace":"dynamodb",
"ScalableDimension":"dynamodb:table:WriteCapacityUnits",
"ResourceId":{
"Fn::Sub":"table/${DDBTable}"
}
}
},
"ReadCapacityScalableTarget":{
"Properties":{
"MaxCapacity":100,
"MinCapacity":5,
"ScalableDimension":"dynamodb:table:ReadCapacityUnits",
"ResourceId":{
"Fn::Sub":"table/${DDBTable}"
}
}
},
"WriteCapacityScalableTargetGSI":{
"Properties":{
"MaxCapacity":100,
"MinCapacity":5,
"ScalableDimension":"dynamodb:index:WriteCapacityUnits",
"ResourceId":{
"Fn::Sub":"table/${DDBTable}/index/GSI"
}
}
},
"ReadCapacityScalableTargetGSI":{
"Properties":{
"MaxCapacity":100,
"MinCapacity":5,

798
"ScalableDimension":"dynamodb:index:ReadCapacityUnits",
"ResourceId":{
"Fn::Sub":"table/${DDBTable}/index/GSI"
}
}
}
}
}
YAML
Resources:
DDBTable:
Properties:
- AttributeName: "id"
AttributeType: "S"
KeySchema:
KeyType: "HASH"
- IndexName: "GSI"
KeySchema:
KeyType: "HASH"
Projection:
Properties:
MaxCapacity: 100
MinCapacity: 5
RoleARN: arn:aws:iam::012345678910:role/aws-service-role/dynamodb.application-
autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable
ResourceId: !Sub table/${DDBTable}
ReadCapacityScalableTarget:
Properties:
MaxCapacity: 100
MinCapacity: 5
ScalableDimension: dynamodb:table:ReadCapacityUnits
ResourceId: !Sub table/${DDBTable}
WriteCapacityScalableTargetGSI:
Properties:
MaxCapacity: 100
MinCapacity: 5
ScalableDimension: dynamodb:index:WriteCapacityUnits
ResourceId: !Sub table/${DDBTable}/index/GSI

799
ReadCapacityScalableTargetGSI:
Properties:
MaxCapacity: 100
MinCapacity: 5
ScalableDimension: dynamodb:index:ReadCapacityUnits
ResourceId: !Sub table/${DDBTable}/index/GSI
See Also
• Application Auto Scaling User Guide
AWS::ApplicationAutoScaling::ScalableTarget ScalableTargetAction
ScalableTargetAction is a subproperty of ScheduledAction that represents the minimum and
maximum capacity for a scheduled action.
Syntax
JSON
{
"MinCapacity" : Integer
}
YAML
Properties
MaxCapacity
The maximum capacity.
Required: No
Type: Integer

MinCapacity
The minimum capacity.
Required: No
Type: Integer
See Also

800
AWS::ApplicationAutoScaling::ScalableTarget ScheduledAction
ScheduledAction is a property of ScalableTarget that specifies a scheduled action for a scalable
target.
For more information, see PutScheduledAction in the Application Auto Scaling API Reference.
Syntax
JSON
{
"EndTime" : Timestamp,
"ScalableTargetAction" : ScalableTargetAction (p. 800),
"Schedule" : String,
"ScheduledActionName" : String,
"StartTime" : Timestamp
}
YAML
EndTime: Timestamp
ScalableTargetAction:
ScalableTargetAction (p. 800)
Schedule: String
ScheduledActionName: String
StartTime: Timestamp
Properties
EndTime
The date and time that the action is scheduled to end.
Required: No
Type: Timestamp

ScalableTargetAction
The new minimum and maximum capacity. You can set both values or just one. During the scheduled
time, if the current capacity is below the minimum capacity, Application Auto Scaling scales out
to the minimum capacity. If the current capacity is above the maximum capacity, Application Auto
Scaling scales in to the maximum capacity.
Required: No
Type: ScalableTargetAction (p. 800)

Schedule
The schedule for this action. The following formats are supported:
• At expressions - "at(yyyy-mm-ddThh:mm:ss)"
• Rate expressions - "rate(value unit)"
• Cron expressions - "cron(fields)"

801
At expressions are useful for one-time schedules. Specify the time, in UTC.
For rate expressions, value is a positive integer and unit is minute | minutes | hour | hours | day |
days.
For more information about cron expressions, see Cron Expressions in the Amazon CloudWatch
Events User Guide.
Required: Yes
Type: String
Minimum: 1
Maximum: 1600
Pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*

ScheduledActionName
The name of the scheduled action.
Required: Yes
Type: String
Minimum: 1
Maximum: 256
Pattern: (?!((^[ ]+.*)|(.*([\u0000-\u001f]|[\u007f-\u009f]|[:/|])+.*)|(.*[ ]+

$))).+

StartTime
The date and time that the action is scheduled to begin.
Required: No
Type: Timestamp
See Also
• Scheduled Scaling in the Application Auto Scaling User Guide
AWS::ApplicationAutoScaling::ScalableTarget SuspendedState
Specifies whether the scaling activities for a scalable target are in a suspended state.
Syntax
JSON
{
"DynamicScalingInSuspended" : Boolean,
"DynamicScalingOutSuspended" : Boolean,

802
"ScheduledScalingSuspended" : Boolean
}
YAML
DynamicScalingInSuspended: Boolean
DynamicScalingOutSuspended: Boolean
ScheduledScalingSuspended: Boolean
Properties
DynamicScalingInSuspended
Whether scale in by a target tracking scaling policy or a step scaling policy is suspended. Set the
value to true if you don't want Application Auto Scaling to remove capacity when a scaling policy is
triggered. The default is false.
Required: No
Type: Boolean

DynamicScalingOutSuspended
Whether scale out by a target tracking scaling policy or a step scaling policy is suspended. Set the
value to true if you don't want Application Auto Scaling to add capacity when a scaling policy is
triggered. The default is false.
Required: No
Type: Boolean

ScheduledScalingSuspended
Whether scheduled scaling is suspended. Set the value to true if you don't want Application Auto
Scaling to add or remove capacity by initiating scheduled actions. The default is false.
Required: No
Type: Boolean
AWS::ApplicationAutoScaling::ScalingPolicy
The AWS::ApplicationAutoScaling::ScalingPolicy resource defines a scaling policy that
Application Auto Scaling uses to adjust your application resources.
For more information, see PutScalingPolicy in the Application Auto Scaling API Reference. For more
information about scaling policies, see the Application Auto Scaling User Guide.
Syntax
JSON

803
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : String,
"PolicyType" : String,
"ScalingTargetId" : String,
"StepScalingPolicyConfiguration" : StepScalingPolicyConfiguration (p. 818),
"TargetTrackingScalingPolicyConfiguration" : TargetTrackingScalingPolicyConfiguration (p. 820)

}
}
YAML
Properties:
PolicyName: String
PolicyType: String
ResourceId: String
ScalingTargetId: String
StepScalingPolicyConfiguration:
StepScalingPolicyConfiguration (p. 818)
TargetTrackingScalingPolicyConfiguration (p. 820)
Properties
PolicyName
The name of the scaling policy.
Required: Yes
Type: String
Minimum: 1
Maximum: 256
Pattern: \p{Print}+

PolicyType
The Application Auto Scaling policy type.
The following policy types are supported:
TargetTrackingScaling—Not supported for Amazon EMR
StepScaling—Not supported for DynamoDB, Comprehend, or Lambda
Required: Yes
Type: String

804
ResourceId
The unique resource identifier for the scalable target that this scaling policy applies to. For valid
values, see the ResourceId parameter for PutScalingPolicy in the Application Auto Scaling API
Reference.
You must specify either the ResourceId, ScalableDimension, and ServiceNamespace

properties, or the ScalingTargetId property, but not both.
Type: String

ScalableDimension
The scalable dimension of the scalable target that this scaling policy applies to. The scalable
dimension contains the service namespace, resource type, and scaling property, such as
ecs:service:DesiredCount for the desired task count of an Amazon ECS service. For valid
values, see the ScalableDimension parameter for PutScalingPolicy in the Application Auto Scaling
API Reference.

Type: String

ScalingTargetId
The AWS CloudFormation-generated ID of an Application Auto Scaling scalable

target. For more information about the ID, see the Return Value section of the
AWS::ApplicationAutoScaling::ScalableTarget resource.
You must specify either the ScalingTargetId property, or the ResourceId,

ScalableDimension, and ServiceNamespace properties, but not both.
Type: String

ServiceNamespace
The namespace of the AWS service that provides the resource or custom-resource for a resource
provided by your own application or service. For valid values, see the ServiceNamespace
parameter for PutScalingPolicy in the Application Auto Scaling API Reference.

Type: String

StepScalingPolicyConfiguration
A step scaling policy.
Required: No

805
Type: StepScalingPolicyConfiguration (p. 818)

TargetTrackingScalingPolicyConfiguration
A target tracking scaling policy.
Required: No
Type: TargetTrackingScalingPolicyConfiguration (p. 820)
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the Application
Auto Scaling scaling policy Amazon Resource Name (ARN). For example: arn:aws:autoscaling:us-
east-2:123456789012:scalingPolicy:12ab3c4d-56789-0ef1-2345-6ghi7jk8lm90:resource/
ecs/service/ecsStack-MyECSCluster-AB12CDE3F4GH/ecsStack-MyECSService-
AB12CDE3F4GH:policyName/MyStepPolicy.
Examples
The following examples create scaling policies for a scalable target that is registered with Application
Auto Scaling. For more information, see PutScalingPolicy in the Application Auto Scaling API Reference.
Target Tracking Scaling Policy with a Predefined Metric Specification for an Amazon DynamoDB
Table
This example both registers an AWS::DynamoDB::Table as a scalable target and defines a
TargetTrackingScaling scaling policy that scales the table's write capacity (throughput) to maintain
the target utilization (50%) based on the write capacity utilization metric.
JSON
{
"Resources":{
"DDBTable":{
"Properties":{
{
"AttributeName":"ArtistId",
"AttributeType":"S"
},
{
"AttributeName":"Concert",
"AttributeType":"S"
},
{
"AttributeName":"TicketSales",
"AttributeType":"S"
}
],
"KeySchema":[
{
"AttributeName":"ArtistId",

806
"KeyType":"HASH"
},
{
"AttributeName":"Concert",
"KeyType":"RANGE"
}
],
"GlobalSecondaryIndexes":[
{
"IndexName":"GSI",
"KeySchema":[
{
"AttributeName":"TicketSales",
"KeyType":"HASH"
}
],
"Projection":{
"ProjectionType":"KEYS_ONLY"
},
}
}
],
}
}
},
"WriteCapacityScalableTarget":{
"Properties":{
"MaxCapacity":15,
"MinCapacity":5,
"ScalableDimension":"dynamodb:table:WriteCapacityUnits",
"ResourceId":{
"Fn::Join":[
"/",
[
"table",
{
"Ref":"DDBTable"
}
]
]
}
}
},
"WriteScalingPolicy":{
"Properties":{
"PolicyName":"WriteAutoScalingPolicy",
"PolicyType":"TargetTrackingScaling",
"ScalingTargetId":{
"Ref":"WriteCapacityScalableTarget"
},
"TargetTrackingScalingPolicyConfiguration":{
"TargetValue":50.0,
"ScaleInCooldown":60,
"ScaleOutCooldown":60,
"PredefinedMetricSpecification":{

807
"PredefinedMetricType":"DynamoDBWriteCapacityUtilization"
}
}
}
}
}
}
YAML
Resources:
DDBTable:
Properties:
- AttributeName: "ArtistId"
AttributeType: "S"
- AttributeName: "Concert"
AttributeType: "S"
- AttributeName: "TicketSales"
AttributeType: "S"
KeySchema:
- AttributeName: "ArtistId"
KeyType: "HASH"
- AttributeName: "Concert"
KeyType: "RANGE"
- IndexName: "GSI"
KeySchema:
- AttributeName: "TicketSales"
KeyType: "HASH"
Projection:
Properties:
MaxCapacity: 15
MinCapacity: 5
ResourceId: !Join
- /
- - table
- !Ref DDBTable
WriteScalingPolicy:
Properties:
TargetValue: 50.0
ScaleInCooldown: 60

808
Target Tracking Scaling Policy for Scale Out Only for an ECS Service
The following example both registers an AWS::ECS::Service as a scalable target and defines a
TargetTrackingScaling scaling policy. The policy is used to add capacity to the ECS service when the
average CPU utilization metric exceeds the target utilization. Because the value of DisableScaleIn is
set to true, the target tracking policy won't remove capacity from the scalable resource.
JSON
{
"Description":"Creating ECS service",
"Parameters":{
"AppName":{
"Type":"String",
"Description":"Name of app requiring ELB exposure",
"Default":"simple-app"
},
"AppContainerPort":{
"Type":"Number",
"Description":"Container port of app requiring ELB exposure",
"Default":"80"
},
"AppHostPort":{
"Type":"Number",
"Description":"Host port of app requiring ELB exposure",
"Default":"80"
}
},
"Resources":{
"ScalableTarget":{
"Properties":{
"MaxCapacity":"2",
"MinCapacity":"1",
"RoleARN":"arn:aws:iam::012345678910:role/aws-service-role/ecs.application-
autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService",
"ServiceNamespace":"ecs",
"ScalableDimension":"ecs:service:DesiredCount",
"ResourceId":{
"Fn::Join":[
"/",
[
"service",
{
"Ref":"cluster"
},
{
"Fn::GetAtt":[
"service",
"Name"
]
}
]
]
}
}
},
"TargetTrackingScalingPolicy":{
"Properties":{
"PolicyName":"TargetTrackingScalingPolicy",
"ScalingTargetId":{

809
"Ref":"ScalableTarget"
},
"TargetTrackingScalingPolicyConfiguration":{
"TargetValue":70.0,
"ScaleInCooldown":60,
"ScaleOutCooldown":60,
"DisableScaleIn":true,
"PredefinedMetricType":"ECSServiceAverageCPUUtilization"
}
}
}
},
"cluster":{
"Type":"AWS::ECS::Cluster"
},
"taskdefinition":{
"Type":"AWS::ECS::TaskDefinition",
"Properties":{
"ContainerDefinitions":[
{
"Name":{
"Ref":"AppName"
},
"MountPoints":[
{
"SourceVolume":"my-vol",
"ContainerPath":"/var/www/my-vol"
}
],
"Image":"amazon/amazon-ecs-sample",
"Cpu":"10",
"PortMappings":[
{
"ContainerPort":{
"Ref":"AppContainerPort"
},
"HostPort":{
"Ref":"AppHostPort"
}
}
],
"EntryPoint":[
"/usr/sbin/apache2",
"-D",
"FOREGROUND"
],
"Memory":"500",
"Essential":"true"
},
{
"Name":"busybox",
"Image":"busybox",
"Cpu":"10",
"EntryPoint":[
"sh",
"-c"
],
"Memory":"500",
"Command":[
"/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done
\""
],
"Essential":"false",
"VolumesFrom":[
{

810
"SourceContainer":{
"Ref":"AppName"
}
}
]
}
],
"Volumes":[
{
"Host":{
"SourcePath":"/var/lib/docker/vfs/dir/"
},
"Name":"my-vol"
}
]
}
},
"service":{
"Type":"AWS::ECS::Service",
"Properties":{
"Cluster":{
"Ref":"cluster"
},
"DesiredCount":0,
"TaskDefinition":{
}
}
}
},
"Outputs":{
"resourceId":{
"Description":"ResourceId",
"Value":{
"Fn::Join":[
"/",
[
"service",
{
"Ref":"cluster"
},
{
"Fn::GetAtt":[
"service",
"Name"
]
}
]
]
}
}
}
}
YAML
Description: Creating ECS service
Parameters:
AppName:
Type: String
Description: Name of app requiring ELB exposure
Default: simple-app
AppContainerPort:

811
Type: Number
Description: Container port of app requiring ELB exposure
Default: '80'
AppHostPort:
Type: Number
Description: Host port of app requiring ELB exposure
Default: '80'
Resources:
ScalableTarget:
Properties:
MaxCapacity: '2'
MinCapacity: '1'
RoleARN: arn:aws:iam::012345678910:role/aws-service-role/ecs.application-
autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService
ServiceNamespace: ecs
ScalableDimension: 'ecs:service:DesiredCount'
ResourceId: !Join
- /
- - service
- !Ref cluster
- !GetAtt service.Name
TargetTrackingScalingPolicy:
Properties:
PolicyName: TargetTrackingScalingPolicy
ScalingTargetId:
Ref: ScalableTarget
TargetValue: 70.0
ScaleInCooldown: 60
DisableScaleIn: true
PredefinedMetricType: ECSServiceAverageCPUUtilization
cluster:
taskdefinition:
Properties:
- Name: !Ref AppName
MountPoints:
- SourceVolume: my-vol
ContainerPath: /var/www/my-vol
Image: amazon/amazon-ecs-sample
Cpu: '10'
PortMappings:
- ContainerPort: !Ref AppContainerPort
HostPort: !Ref AppHostPort
EntryPoint:
- /usr/sbin/apache2
- '-D'
- FOREGROUND
Memory: '500'
Essential: 'true'
- Name: busybox
Image: busybox
Cpu: '10'
EntryPoint:
- sh
- '-c'
Memory: '500'
Command:
- >-

812
/bin/sh -c "while true; do /bin/date > /var/www/my-vol/date; sleep

1; done"
Essential: 'false'
VolumesFrom:
- SourceContainer: !Ref AppName
Volumes:
- Host:
SourcePath: /var/lib/docker/vfs/dir/
Name: my-vol
service:
Properties:
Cluster: !Ref cluster
DesiredCount: 0
TaskDefinition: !Ref taskdefinition
Outputs:
resourceId:
Description: ResourceId
Value: !Join
- /
- - service
- !Ref cluster
- !GetAtt service.Name
See Also
AWS::ApplicationAutoScaling::ScalingPolicy CustomizedMetricSpecification
CustomizedMetricSpecification is a subproperty of TargetTrackingScalingPolicyConfiguration that
configures a customized metric for a target tracking scaling policy to use with Application Auto Scaling.
For more information, see CustomizedMetricSpecification in the Application Auto Scaling API Reference.
Syntax
JSON
{
"Dimensions" : [ MetricDimension (p. 815), ... ],
"MetricName" : String,
"Namespace" : String,
"Statistic" : String,
"Unit" : String
}
YAML
Dimensions:
- MetricDimension (p. 815)
MetricName: String
Namespace: String
Statistic: String
Unit: String

813
Properties
Dimensions
The dimensions of the metric.
Conditional: If you published your metric with dimensions, you must specify the same dimensions in
your scaling policy.
Required: No
Type: List of MetricDimension (p. 815)

MetricName
The name of the metric.
Required: Yes
Type: String

Namespace
The namespace of the metric.
Required: Yes
Type: String

Statistic
The statistic of the metric.
Required: Yes
Type: String
Allowed Values: Average | Maximum | Minimum | SampleCount | Sum

Unit
The unit of the metric.
Required: No
Type: String
See Also
• Target Tracking Scaling Policies in the Application Auto Scaling User Guide

814
AWS::ApplicationAutoScaling::ScalingPolicy MetricDimension
MetricDimension is a subproperty of CustomizedMetricSpecification that specifies the dimensions
of a metric for a target tracking scaling policy. Dimensions are arbitrary name/value pairs that can be
associated with a CloudWatch metric. Duplicate dimensions are not allowed.
Syntax
JSON
{
"Name" : String,
"Value" : String
}
YAML
Name: String
Value: String
Properties
Name
The name of the dimension.
Required: Yes
Type: String

Value
The value of the dimension.
Required: Yes
Type: String
See Also
AWS::ApplicationAutoScaling::ScalingPolicy PredefinedMetricSpecification
PredefinedMetricSpecification is a subproperty of TargetTrackingScalingPolicyConfiguration that
configures a predefined metric for a target tracking scaling policy to use with Application Auto Scaling.
For more information, see PredefinedMetricSpecification in the Application Auto Scaling API Reference.
Syntax

815
JSON
{
"PredefinedMetricType" : String,
"ResourceLabel" : String
}
YAML
PredefinedMetricType: String
ResourceLabel: String
Properties
PredefinedMetricType
The metric type. The ALBRequestCountPerTarget metric type applies only to Spot fleet requests
and ECS services.
Required: Yes
Type: String
Allowed Values: ALBRequestCountPerTarget | AppStreamAverageCapacityUtilization

| ComprehendInferenceUtilization | DynamoDBReadCapacityUtilization |
DynamoDBWriteCapacityUtilization | EC2SpotFleetRequestAverageCPUUtilization
| EC2SpotFleetRequestAverageNetworkIn | EC2SpotFleetRequestAverageNetworkOut
| ECSServiceAverageCPUUtilization | ECSServiceAverageMemoryUtilization |
LambdaProvisionedConcurrencyUtilization | RDSReaderAverageCPUUtilization |
RDSReaderAverageDatabaseConnections | SageMakerVariantInvocationsPerInstance

ResourceLabel
Identifies the resource associated with the metric type. You can't specify a resource label unless the
metric type is ALBRequestCountPerTarget and there is a target group attached to the Spot Fleet
request or ECS service.
The format is app/<load-balancer-name>/<load-balancer-id>/targetgroup/<target-group-name>/

<target-group-id>, where:
• app/<load-balancer-name>/<load-balancer-id> is the final portion of the load balancer ARN
• targetgroup/<target-group-name>/<target-group-id> is the final portion of the target group ARN.
Type: String
Minimum: 1
Maximum: 1023
See Also

816
AWS::ApplicationAutoScaling::ScalingPolicy StepAdjustment
StepAdjustment is a subproperty of StepScalingPolicyConfiguration that represents a step adjustment
for a step scaling policy.
For the following examples, suppose that you have an alarm with a breach threshold of 50:
• To trigger a step adjustment when the metric is greater than or equal to 50 and less than 60, specify a
lower bound of 0 and an upper bound of 10.
• To trigger a step adjustment when the metric is greater than 40 and less than or equal to 50, specify a
lower bound of -10 and an upper bound of 0.
For more information, see Step Adjustments in the Application Auto Scaling User Guide.
Syntax
JSON
{
"MetricIntervalLowerBound" : Double,
"MetricIntervalUpperBound" : Double,
"ScalingAdjustment" : Integer
}
YAML
MetricIntervalLowerBound: Double
MetricIntervalUpperBound: Double
ScalingAdjustment: Integer
Properties
MetricIntervalLowerBound
The lower bound for the difference between the alarm threshold and the CloudWatch metric. If the
metric value is above the breach threshold, the lower bound is inclusive (the metric must be greater
than or equal to the threshold plus the lower bound). Otherwise, it is exclusive (the metric must be
greater than the threshold plus the lower bound). A null value indicates negative infinity.
You must specify at least one upper or lower bound.
Type: Double

MetricIntervalUpperBound
The upper bound for the difference between the alarm threshold and the CloudWatch metric. If the
metric value is above the breach threshold, the upper bound is exclusive (the metric must be less
than the threshold plus the upper bound). Otherwise, it is inclusive (the metric must be less than or
equal to the threshold plus the upper bound). A null value indicates positive infinity.

817
Type: Double

ScalingAdjustment
The amount by which to scale. The adjustment is based on the value that you specified in the
AdjustmentType property (either an absolute number or a percentage). A positive value adds to
the current capacity and a negative number subtracts from the current capacity.
Required: Yes
Type: Integer
AWS::ApplicationAutoScaling::ScalingPolicy StepScalingPolicyConfiguration
StepScalingPolicyConfiguration is a property of ScalingPolicy that specifies a step scaling policy
configuration to use with Application Auto Scaling.
information about step scaling policies, see Step Scaling Policies in the Application Auto Scaling User
Guide.
Syntax
JSON
{
"AdjustmentType" : String,
"Cooldown" : Integer,
"MetricAggregationType" : String,
"MinAdjustmentMagnitude" : Integer,
"StepAdjustments" : [ StepAdjustment (p. 817), ... ]
}
YAML
AdjustmentType: String
Cooldown: Integer
MetricAggregationType: String
MinAdjustmentMagnitude: Integer
StepAdjustments:
- StepAdjustment (p. 817)
Properties
AdjustmentType
Specifies whether the ScalingAdjustment value in the StepAdjustment property is an absolute

number or a percentage of the current capacity.
Required: No

818
Type: String
Allowed Values: ChangeInCapacity | ExactCapacity | PercentChangeInCapacity

Cooldown
The amount of time, in seconds, after a scaling activity completes where previous trigger-related
scaling activities can influence future scaling events.
For scale-out policies, while the cooldown period is in effect, the capacity that has been added by
the previous scale-out event that initiated the cooldown is calculated as part of the desired capacity
for the next scale out. The intention is to continuously (but not excessively) scale out. For example,
an alarm triggers a step scaling policy to scale out an Amazon ECS service by 2 tasks, the scaling
activity completes successfully, and a cooldown period of 5 minutes starts. During the cooldown
period, if the alarm triggers the same policy again but at a more aggressive step adjustment to scale
out the service by 3 tasks, the 2 tasks that were added in the previous scale-out event are considered
part of that capacity and only 1 additional task is added to the desired count.
For scale-in policies, the cooldown period is used to block subsequent scale-in requests until it has
expired. The intention is to scale in conservatively to protect your application's availability. However,
if another alarm triggers a scale-out policy during the cooldown period after a scale-in, Application
Auto Scaling scales out your scalable target immediately.
Required: No
Type: Integer

MetricAggregationType
The aggregation type for the CloudWatch metrics. Valid values are Minimum, Maximum, and
Average. If the aggregation type is null, the value is treated as Average.
Required: No
Type: String
Allowed Values: Average | Maximum | Minimum

MinAdjustmentMagnitude
The minimum number to adjust your scalable dimension as a result of a scaling activity. If the
adjustment type is PercentChangeInCapacity, the scaling policy changes the scalable dimension
of the scalable target by this amount.
For example, suppose that you create a step scaling policy to scale out an Amazon ECS service
by 25 percent and you specify a MinAdjustmentMagnitude of 2. If the service has 4 tasks
and the scaling policy is performed, 25 percent of 4 is 1. However, because you specified a
MinAdjustmentMagnitude of 2, Application Auto Scaling scales out the service by 2 tasks.
Required: No
Type: Integer

819
StepAdjustments
A set of adjustments that enable you to scale based on the size of the alarm breach.
Required: No
Type: List of StepAdjustment (p. 817)
AWS::ApplicationAutoScaling::ScalingPolicy
TargetTrackingScalingPolicyConfiguration
TargetTrackingScalingPolicyConfiguration is a property of ScalingPolicy that specifies a target
tracking scaling policy to use with Application Auto Scaling. Use a target tracking scaling policy to adjust
the capacity of the specified scalable target in response to actual workloads, so that resource utilization
remains at or near the target utilization value.
information about target tracking scaling policies, see Target Tracking Scaling Policies in the Application
Auto Scaling User Guide.
Syntax
JSON
{
"CustomizedMetricSpecification" : CustomizedMetricSpecification (p. 813),
"DisableScaleIn" : Boolean,
"PredefinedMetricSpecification" : PredefinedMetricSpecification (p. 815),
"ScaleInCooldown" : Integer,
"ScaleOutCooldown" : Integer,
"TargetValue" : Double
}
YAML
CustomizedMetricSpecification:
CustomizedMetricSpecification (p. 813)
DisableScaleIn: Boolean
PredefinedMetricSpecification (p. 815)
ScaleInCooldown: Integer
ScaleOutCooldown: Integer
TargetValue: Double
Properties
CustomizedMetricSpecification
A customized metric. You can specify either a predefined metric or a customized metric.
Required: No
Type: CustomizedMetricSpecification (p. 813)

820
DisableScaleIn
Indicates whether scale in by the target tracking scaling policy is disabled. If the value is true,
scale in is disabled and the target tracking scaling policy won't remove capacity from the scalable
resource. Otherwise, scale in is enabled and the target tracking scaling policy can remove capacity
from the scalable resource. The default value is false.
Required: No
Type: Boolean

PredefinedMetricSpecification
A predefined metric. You can specify either a predefined metric or a customized metric.
Required: No
Type: PredefinedMetricSpecification (p. 815)

ScaleInCooldown
The amount of time, in seconds, after a scale-in activity completes before another scale in activity
can start.
The cooldown period is used to block subsequent scale-in requests until it has expired. The intention
is to scale in conservatively to protect your application's availability. However, if another alarm
triggers a scale-out policy during the cooldown period after a scale-in, Application Auto Scaling
scales out your scalable target immediately.
Required: No
Type: Integer

ScaleOutCooldown
The amount of time, in seconds, after a scale-out activity completes before another scale-out
activity can start.
While the cooldown period is in effect, the capacity that has been added by the previous scale-out
event that initiated the cooldown is calculated as part of the desired capacity for the next scale out.
The intention is to continuously (but not excessively) scale out.
Required: No
Type: Integer

TargetValue
The target value for the metric.
Required: Yes
Type: Double

821
App Mesh
App Mesh Resource Type Reference

Resource Types
• AWS::AppMesh::Mesh (p. 822)

• AWS::AppMesh::Route (p. 826)
• AWS::AppMesh::VirtualNode (p. 848)
• AWS::AppMesh::VirtualRouter (p. 863)
• AWS::AppMesh::VirtualService (p. 868)
AWS::AppMesh::Mesh
Creates a service mesh. A service mesh is a logical boundary for network traffic between the services that
reside within it.
After you create your service mesh, you can create virtual services, virtual nodes, virtual routers, and
routes to distribute traffic between the applications in your mesh.
Syntax
JSON
{
"Type" : "AWS::AppMesh::Mesh",
"Properties" : {
"MeshName" : String,
"Spec" : MeshSpec (p. 826),
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::AppMesh::Mesh
Properties:
MeshName: String
Spec:
MeshSpec (p. 826)
Tags:
- Tag
Properties
MeshName
The name to use for the service mesh.
Required: Yes
Type: String

Spec
The service mesh specification to apply.

822
App Mesh
Required: No
Type: MeshSpec (p. 826)

Tags
Optional metadata that you can apply to the service mesh to assist with categorization and
organization. Each tag consists of a key and an optional value, both of which you define. Tag keys
can have a maximum character length of 128 characters, and tag values can have a maximum length
of 256 characters.
Required: No
Type: List of Tag
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource ARN.
For example:
{ "Ref": "myMesh" }
When you pass the logical ID of an AWS::AppMesh::Mesh resource to the intrinsic

Ref function, the function returns the mesh ARN, such as arn:aws:appmesh:us-
east-1:555555555555:mesh/myMesh .
Fn::GetAtt
Arn
The full Amazon Resource Name (ARN) for the mesh.

MeshName
The name of the service mesh.

Uid
The unique identifier for the mesh.
Examples
Create a Service Mesh
This example creates a service mesh that allows all egress traffic.

823
App Mesh
JSON
{
"Description": "Basic Test Mesh",
"Resources": {
"BasicMesh": {
"Type": "AWS::AppMesh::Mesh",
"Properties": {
"MeshName": "BasicMesh1",
"Spec": {
"EgressFilter": {
"Type": "ALLOW_ALL"
}
},
"Tags": [
{
"Key": "Key1",
"Value": "Value1"
},
{
"Key": "Key2",
"Value": "Value2"
}
]
}
}
},
"Outputs": {
"MeshName": {
"Description": "Name of the Mesh",
"Value": {
"Fn::GetAtt": [
"BasicMesh",
"MeshName"
]
}
},
"Arn": {
"Description": "Arn of the Mesh created",
"Value": {
"Fn::GetAtt": [
"BasicMesh",
"Arn"
]
}
},
"Uid": {
"Description": "Uid of the Mesh created",
"Value": {
"Fn::GetAtt": [
"BasicMesh",
"Uid"
]
}
}
}
}
YAML
Description: "Basic Test Mesh"

Resources:
BasicMesh:
Type: "AWS::AppMesh::Mesh"

824
App Mesh
Properties:
MeshName: "BasicMesh1"
Spec:
EgressFilter:
Type: "ALLOW_ALL"
Tags:
- Key: "Key1"
Value: "Value1"
- Key: "Key2"
Value: "Value2"
Outputs:
MeshName:
Description: Name of the Mesh
Value:
Fn::GetAtt:
- BasicMesh
- MeshName
Arn:
Description: Arn of the Mesh created
Value:
Fn::GetAtt:
- BasicMesh
- Arn
Uid:
Description: Uid of the Mesh created
Value:
Fn::GetAtt:
- BasicMesh
- Uid
See Also
• Service Meshes in the AWS App Mesh User Guide .
• CreateMesh in the AWS App Mesh API Reference .
AWS::AppMesh::Mesh EgressFilter
An object that represents the egress filter rules for a service mesh.
Syntax
JSON
{
"Type" : String
}
YAML
Type: String
Properties
Type
The egress filter type. By default, the type is DROP_ALL, which allows egress only from virtual nodes
to other defined resources in the service mesh (and any traffic to *.amazonaws.com for AWS API

825
App Mesh
calls). You can set the egress filter type to ALLOW_ALL to allow egress to any endpoint inside or
outside of the service mesh.
Required: Yes
Type: String
AWS::AppMesh::Mesh MeshSpec
An object that represents the specification of a service mesh.
Syntax
JSON
{
"EgressFilter" : EgressFilter (p. 825)
}
YAML
EgressFilter:
EgressFilter (p. 825)
Properties
EgressFilter
The egress filter rules for the service mesh.
Required: No
Type: EgressFilter (p. 825)
AWS::AppMesh::Route
Creates a route that is associated with a virtual router.
You can use the prefix parameter in your route specification for path-based routing of requests. For
example, if your virtual service name is my-service.local and you want the route to match requests
to my-service.local/metrics, your prefix should be /metrics.
If your route matches a request, you can distribute traffic to one or more target virtual nodes with
relative weighting.
Syntax
JSON

826
App Mesh
"Type" : "AWS::AppMesh::Route",
"Properties" : {
"RouteName" : String,
"Spec" : RouteSpec (p. 844),
"Tags" : [ Tag, ... ],
"VirtualRouterName" : String
}
}
YAML
Type: AWS::AppMesh::Route
Properties:
MeshName: String
RouteName: String
Spec:
RouteSpec (p. 844)
Tags:
- Tag
VirtualRouterName: String
Properties
MeshName
The name of the service mesh to create the route in.
Required: Yes
Type: String

RouteName
The name to use for the route.
Required: Yes
Type: String

Spec
The route specification to apply.
Required: Yes
Type: RouteSpec (p. 844)

Tags
Optional metadata that you can apply to the route to assist with categorization and organization.
Each tag consists of a key and an optional value, both of which you define. Tag keys can have a
maximum character length of 128 characters, and tag values can have a maximum length of 256
characters.
Required: No
Type: List of Tag

827
App Mesh

VirtualRouterName
The name of the virtual router in which to create the route.
Required: Yes
Type: String
Return Values
Ref
For example:
{ "Ref": "myRoute" }
When you pass the logical ID of an AWS::AppMesh::Route resource to the intrinsic

Ref function, the function returns the route ARN, such as arn:aws:appmesh:us-
east-1:555555555555:route/myRoute .
Fn::GetAtt
Arn
The full Amazon Resource Name (ARN) for the route.

MeshName
The name of the service mesh that the route resides in.
RouteName
The name of the route.

Uid
The unique identifier for the route.

VirtualRouterName
The name of the virtual router that the route is associated with.
Examples
Create a Route
This example creates a route with two weighted targets.
JSON

828
App Mesh
"Description": "Basic Test Route",

"Resources": {
"BasicRoute": {
"Type": "AWS::AppMesh::Route",
"Properties": {
"RouteName": "TestRoute",
"MeshName": null,
"VirtualRouterName": null,
"Spec": {
"HttpRoute": {
"Match": {
"Prefix": "routePrefix"
},
"Action": {
"WeightedTargets": [
{
"VirtualNode": null,
"Weight": 10
},
{
"VirtualNode": null,
"Weight": 20
}
]
}
}
},
"Tags": [
{
"Key": "Key1",
"Value": "Value1"
},
{
"Key": "Key2",
"Value": "Value2"
}
]
}
}
},
"Outputs": {
"RouteName": {
"Description": "Name of the Route",
"Value": {
"Fn::GetAtt": [
"BasicRoute",
"RouteName"
]
}
},
"MeshName": {
"Value": {
"Fn::GetAtt": [
"BasicRoute",
"MeshName"
]
}
},
"VirtualRouterName": {
"Description": "Name of the VirtualRouter",
"Value": {
"Fn::GetAtt": [
"BasicRoute",
"VirtualRouterName"
]

829
App Mesh
}
},
"Arn": {
"Description": "Arn of the Route created",
"Value": {
"Fn::GetAtt": [
"BasicRoute",
"Arn"
]
}
},
"Uid": {
"Description": "Uid of the Route created",
"Value": {
"Fn::GetAtt": [
"BasicRoute",
"Uid"
]
}
}
}
}
YAML
Description: "Basic Test Route"

Resources:
BasicRoute:
Type: "AWS::AppMesh::Route"
Properties:
RouteName: "TestRoute"
MeshName: !ImportValue TestMeshName
VirtualRouterName: !ImportValue TestVirtualRouterName1
Spec:
HttpRoute:
Match:
Prefix: "routePrefix"
Action:
WeightedTargets:
- VirtualNode: !ImportValue TestVirtualNodeName1
Weight: 10
- VirtualNode: !ImportValue TestVirtualNodeName2
Weight: 20
Tags:
- Key: "Key1"
Value: "Value1"
- Key: "Key2"
Value: "Value2"
Outputs:
RouteName:
Description: Name of the Route
Value:
Fn::GetAtt:
- BasicRoute
- RouteName
MeshName:
Value:
Fn::GetAtt:
- BasicRoute
- MeshName
VirtualRouterName:
Description: Name of the VirtualRouter

830
App Mesh
Value:
Fn::GetAtt:
- BasicRoute
- VirtualRouterName
Arn:
Description: Arn of the Route created
Value:
Fn::GetAtt:
- BasicRoute
- Arn
Uid:
Description: Uid of the Route created
Value:
Fn::GetAtt:
- BasicRoute
- Uid
See Also
• Routes in the AWS App Mesh User Guide .
• CreateRoute in the AWS App Mesh API Reference .
AWS::AppMesh::Route Duration
An object that represents a duration of time.
Syntax
JSON
{
"Unit" : String,
"Value" : Integer
}
YAML
Unit: String
Value: Integer
Properties
Unit
A unit of time.
Required: Yes
Type: String

Value
A number of time units.
Required: Yes

831
App Mesh
Type: Integer
AWS::AppMesh::Route GrpcRetryPolicy
An object that represents a retry policy. Specify at least one value for at least one of the types of
RetryEvents, a value for maxRetries, and a value for perRetryTimeout.
Syntax
JSON
{
"GrpcRetryEvents" : [ String, ... ],
"HttpRetryEvents" : [ String, ... ],
"MaxRetries" : Integer,
"PerRetryTimeout" : Duration (p. 831),
"TcpRetryEvents" : [ String, ... ]
}
YAML
GrpcRetryEvents:
- String
HttpRetryEvents:
- String
MaxRetries: Integer
PerRetryTimeout:
Duration (p. 831)
TcpRetryEvents:
- String
Properties
GrpcRetryEvents
Specify at least one of the valid values.
Required: No

HttpRetryEvents
Specify at least one of the following values.

• server-error – HTTP status codes 500, 501, 502, 503, 504, 505, 506, 507, 508, 510, and 511
• gateway-error – HTTP status codes 502, 503, and 504
• client-error – HTTP status code 409
• stream-error – Retry on refused stream
Required: No

832
App Mesh

MaxRetries
The maximum number of retry attempts.
Required: Yes
Type: Integer

PerRetryTimeout
Required: Yes
Type: Duration (p. 831)

TcpRetryEvents
Specify a valid value.
Required: No
AWS::AppMesh::Route GrpcRoute
An object that represents a gRPC route type.
Syntax
JSON
{
"Action" : GrpcRouteAction (p. 834),
"Match" : GrpcRouteMatch (p. 834),
"RetryPolicy" : GrpcRetryPolicy (p. 832)
}
YAML
Action:
GrpcRouteAction (p. 834)
Match:
GrpcRouteMatch (p. 834)
RetryPolicy:
GrpcRetryPolicy (p. 832)
Properties
Action
An object that represents the action to take if a match is determined.

833
App Mesh
Required: Yes
Type: GrpcRouteAction (p. 834)

Match
An object that represents the criteria for determining a request match.
Required: Yes
Type: GrpcRouteMatch (p. 834)

RetryPolicy
An object that represents a retry policy.
Required: No
Type: GrpcRetryPolicy (p. 832)
AWS::AppMesh::Route GrpcRouteAction
Syntax
JSON
{
"WeightedTargets" : [ WeightedTarget (p. 847), ... ]
}
YAML
WeightedTargets:
- WeightedTarget (p. 847)
Properties
WeightedTargets
An object that represents the targets that traffic is routed to when a request matches the route.
Required: Yes
Type: List of WeightedTarget (p. 847)
AWS::AppMesh::Route GrpcRouteMatch

834
App Mesh
Syntax
JSON
{
"Metadata" : [ GrpcRouteMetadata (p. 835), ... ],
"MethodName" : String,
"ServiceName" : String
}
YAML
Metadata:
- GrpcRouteMetadata (p. 835)
MethodName: String
ServiceName: String
Properties
Metadata
An object that represents the data to match from the request.
Required: No
Type: List of GrpcRouteMetadata (p. 835)

MethodName
The method name to match from the request. If you specify a name, you must also specify a
serviceName.
Required: No
Type: String

ServiceName
The fully qualified domain name for the service to match from the request.
Required: No
Type: String
AWS::AppMesh::Route GrpcRouteMetadata
An object that represents the match metadata for the route.
Syntax

835
App Mesh
JSON
{
"Invert" : Boolean,
"Match" : GrpcRouteMetadataMatchMethod (p. 836),
"Name" : String
}
YAML
Invert: Boolean
Match:
GrpcRouteMetadataMatchMethod (p. 836)
Name: String
Properties
Invert
Specify True to match anything except the match criteria. The default value is False.
Required: No
Type: Boolean

Match
An object that represents the data to match from the request.
Required: No
Type: GrpcRouteMetadataMatchMethod (p. 836)

Name
The name of the route.
Required: Yes
Type: String
AWS::AppMesh::Route GrpcRouteMetadataMatchMethod
An object that represents the match method. Specify one of the match values.
Syntax
JSON
{
"Exact" : String,

836
App Mesh
"Prefix" : String,
"Range" : MatchRange (p. 844),
"Regex" : String,
"Suffix" : String
}
YAML
Exact: String
Prefix: String
Range:
MatchRange (p. 844)
Regex: String
Suffix: String
Properties
Exact
The value sent by the client must match the specified value exactly.
Required: No
Type: String

Prefix
The value sent by the client must begin with the specified characters.
Required: No
Type: String

Range
An object that represents the range of values to match on.
Required: No
Type: MatchRange (p. 844)

Regex
The value sent by the client must include the specified characters.
Required: No
Type: String

Suffix
The value sent by the client must end with the specified characters.
Required: No

837
App Mesh
Type: String
AWS::AppMesh::Route HeaderMatchMethod
An object that represents the method and value to match with the header value sent in a request.
Specify one match method.
Syntax
JSON
{
"Exact" : String,
"Prefix" : String,
"Range" : MatchRange (p. 844),
"Regex" : String,
"Suffix" : String
}
YAML
Exact: String
Prefix: String
Range:
MatchRange (p. 844)
Regex: String
Suffix: String
Properties
Exact
The value sent by the client must match the specified value exactly.
Required: No
Type: String

Prefix
The value sent by the client must begin with the specified characters.
Required: No
Type: String

Range
An object that represents the range of values to match on.
Required: No

838
App Mesh
Type: MatchRange (p. 844)

Regex
The value sent by the client must include the specified characters.
Required: No
Type: String

Suffix
The value sent by the client must end with the specified characters.
Required: No
Type: String
AWS::AppMesh::Route HttpRetryPolicy
An object that represents a retry policy. Specify at least one value for at least one of the types of
RetryEvents, a value for maxRetries, and a value for perRetryTimeout.
Syntax
JSON
{
"HttpRetryEvents" : [ String, ... ],
"PerRetryTimeout" : Duration (p. 831),
"TcpRetryEvents" : [ String, ... ]
}
YAML
HttpRetryEvents:
- String
MaxRetries: Integer
PerRetryTimeout:
Duration (p. 831)
TcpRetryEvents:
- String
Properties
HttpRetryEvents
Specify at least one of the following values.

• server-error – HTTP status codes 500, 501, 502, 503, 504, 505, 506, 507, 508, 510, and 511
• gateway-error – HTTP status codes 502, 503, and 504

839
App Mesh
• client-error – HTTP status code 409

• stream-error – Retry on refused stream
Required: No

MaxRetries
The maximum number of retry attempts.
Required: Yes
Type: Integer

PerRetryTimeout
Required: Yes
Type: Duration (p. 831)

TcpRetryEvents
Specify a valid value.
Required: No
AWS::AppMesh::Route HttpRoute
An object that represents an HTTP or HTTP/2 route type.
Syntax
JSON
{
"Action" : HttpRouteAction (p. 841),
"Match" : HttpRouteMatch (p. 843),
"RetryPolicy" : HttpRetryPolicy (p. 839)
}
YAML
Action:
HttpRouteAction (p. 841)
Match:
HttpRouteMatch (p. 843)

840
App Mesh
RetryPolicy:
HttpRetryPolicy (p. 839)
Properties
Action
Required: Yes
Type: HttpRouteAction (p. 841)

Match
Required: Yes
Type: HttpRouteMatch (p. 843)

RetryPolicy
An object that represents a retry policy.
Required: No
Type: HttpRetryPolicy (p. 839)
AWS::AppMesh::Route HttpRouteAction
Syntax
JSON
{
}
YAML
WeightedTargets:
Properties
WeightedTargets

841
App Mesh
Required: Yes
AWS::AppMesh::Route HttpRouteHeader
An object that represents the HTTP header in the request.
Syntax
JSON
{
"Invert" : Boolean,
"Match" : HeaderMatchMethod (p. 838),
"Name" : String
}
YAML
Invert: Boolean
Match:
HeaderMatchMethod (p. 838)
Name: String
Properties
Invert
Specify True to match anything except the match criteria. The default value is False.
Required: No
Type: Boolean

Match
The HeaderMatchMethod object.
Required: No
Type: HeaderMatchMethod (p. 838)

Name
A name for the HTTP header in the client request that will be matched on.
Required: Yes
Type: String

842
App Mesh
AWS::AppMesh::Route HttpRouteMatch
An object that represents the requirements for a route to match HTTP requests for a virtual router.
Syntax
JSON
{
"Headers" : [ HttpRouteHeader (p. 842), ... ],
"Method" : String,
"Prefix" : String,
"Scheme" : String
}
YAML
Headers:
- HttpRouteHeader (p. 842)
Method: String
Prefix: String
Scheme: String
Properties
Headers
An object that represents the client request headers to match on.
Required: No
Type: List of HttpRouteHeader (p. 842)

Method
The client request method to match on. Specify only one.
Required: No
Type: String

Prefix
Specifies the path to match requests with. This parameter must always start with /, which by itself
matches all requests to the virtual service name. You can also match for path-based routing of
requests. For example, if your virtual service name is my-service.local and you want the route to
match requests to my-service.local/metrics, your prefix should be /metrics.
Required: Yes
Type: String

Scheme
The client request scheme to match on. Specify only one.

843
App Mesh
Required: No
Type: String
AWS::AppMesh::Route MatchRange
An object that represents the range of values to match on. The first character of the range is included in
the range, though the last character is not. For example, if the range specified were 1-100, only values
1-99 would be matched.
Syntax
JSON
{
"End" : Integer,
"Start" : Integer
}
YAML
End: Integer
Start: Integer
Properties
End
The end of the range.
Required: Yes
Type: Integer

Start
The start of the range.
Required: Yes
Type: Integer
AWS::AppMesh::Route RouteSpec
An object that represents a route specification. Specify one route type.
Syntax

844
App Mesh
JSON
{
"GrpcRoute" : GrpcRoute (p. 833),
"Http2Route" : HttpRoute (p. 840),
"HttpRoute" : HttpRoute (p. 840),
"Priority" : Integer,
"TcpRoute" : TcpRoute (p. 846)
}
YAML
GrpcRoute:
GrpcRoute (p. 833)
Http2Route:
HttpRoute (p. 840)
HttpRoute:
HttpRoute (p. 840)
Priority: Integer
TcpRoute:
TcpRoute (p. 846)
Properties
GrpcRoute
An object that represents the specification of a gRPC route.
Required: No
Type: GrpcRoute (p. 833)

Http2Route
An object that represents the specification of an HTTP/2 route.
Required: No
Type: HttpRoute (p. 840)

HttpRoute
An object that represents the specification of an HTTP route.
Required: No
Type: HttpRoute (p. 840)

Priority
The priority for the route. Routes are matched based on the specified value, where 0 is the highest
priority.
Required: No
Type: Integer

845
App Mesh

TcpRoute
An object that represents the specification of a TCP route.
Required: No
Type: TcpRoute (p. 846)
AWS::AppMesh::Route TcpRoute
An object that represents a TCP route type.
Syntax
JSON
{
"Action" : TcpRouteAction (p. 846)
}
YAML
Action:
TcpRouteAction (p. 846)
Properties
Action
The action to take if a match is determined.
Required: Yes
Type: TcpRouteAction (p. 846)
AWS::AppMesh::Route TcpRouteAction
Syntax
JSON
{
}

846
App Mesh
YAML
WeightedTargets:
Properties
WeightedTargets
Required: Yes
AWS::AppMesh::Route WeightedTarget
An object that represents a target and its relative weight. Traffic is distributed across targets according
to their relative weight. For example, a weighted target with a relative weight of 50 receives five times as
much traffic as one with a relative weight of 10. The total weight for all targets combined must be less
than or equal to 100.
Syntax
JSON
{
"VirtualNode" : String,
"Weight" : Integer
}
YAML
VirtualNode: String
Weight: Integer
Properties
VirtualNode
The virtual node to associate with the weighted target.
Required: Yes
Type: String

Weight
The relative weight of the weighted target.
Required: Yes
Type: Integer

847
App Mesh
AWS::AppMesh::VirtualNode
Creates a virtual node within a service mesh.
A virtual node acts as a logical pointer to a particular task group, such as an Amazon ECS service
or a Kubernetes deployment. When you create a virtual node, you can specify the service discovery
information for your task group.
Any inbound traffic that your virtual node expects should be specified as a listener. Any outbound
traffic that your virtual node expects to reach should be specified as a backend.
The response metadata for your new virtual node contains the arn that is associated with the virtual
node. Set this value (either the full ARN or the truncated resource name: for example, mesh/default/
virtualNode/simpleapp) as the APPMESH_VIRTUAL_NODE_NAME environment variable for your task
group's Envoy proxy container in your task definition or pod spec. This is then mapped to the node.id
and node.cluster Envoy parameters.
Note
If you require your Envoy stats or tracing to use a different name, you can override
the node.cluster value that is set by APPMESH_VIRTUAL_NODE_NAME with the
APPMESH_VIRTUAL_NODE_CLUSTER environment variable.
Syntax
JSON
{
"Type" : "AWS::AppMesh::VirtualNode",
"Properties" : {
"Spec" : VirtualNodeSpec (p. 861),
"Tags" : [ Tag, ... ],
"VirtualNodeName" : String
}
}
YAML
Type: AWS::AppMesh::VirtualNode
Properties:
MeshName: String
Spec:
VirtualNodeSpec (p. 861)
Tags:
- Tag
VirtualNodeName: String
Properties
MeshName
The name of the service mesh to create the virtual node in.
Required: Yes

848
App Mesh
Type: String

Spec
The virtual node specification to apply.
Required: Yes
Type: VirtualNodeSpec (p. 861)

Tags
Optional metadata that you can apply to the virtual node to assist with categorization and
of 256 characters.
Required: No
Type: List of Tag

VirtualNodeName
The name to use for the virtual node.
Required: Yes
Type: String
Return Values
Ref
For example:
{ "Ref": "myVirtualNode" }
When you pass the logical ID of an AWS::AppMesh::VirtualNode resource to the intrinsic

Ref function, the function returns the virtual node ARN, such as arn:aws:appmesh:us-
east-1:555555555555:virtualNode/myVirtualNode .
Fn::GetAtt
Arn
The full Amazon Resource Name (ARN) for the virtual node.

849
App Mesh
MeshName
The name of the service mesh that the virtual node resides in.
Uid
The unique identifier for the virtual node.

VirtualNodeName
The name of the virtual node.
Examples
Create a Virtual Node
This example creates a virtual node with two backends and a listener with a health check policy. It also
sends access logs to a file path and uses DNS service discovery.
JSON
{
"Description": "Basic Test Virtual Node",
"Resources": {
"BasicVirtualNode": {
"Type": "AWS::AppMesh::VirtualNode",
"Properties": {
"VirtualNodeName": "TestVirtualNode",
"MeshName": null,
"Spec": {
"Backends": [
{
"VirtualService": {
"VirtualServiceName": "Backend_1"
}
},
{
"VirtualService": {
"VirtualServiceName": "Backend_2"
}
}
],
"Listeners": [
{
"HealthCheck": {
"HealthyThreshold": 2,
"IntervalMillis": 5000,
"Path": "Path",
"Port": 8080,
"Protocol": "http",
"TimeoutMillis": 2000,
"UnhealthyThreshold": 2
},
"PortMapping": {
"Port": 8080,
"Protocol": "http"
}
}
],
"ServiceDiscovery": {
"DNS": {
"Hostname": "Hostname"
}
},

850
App Mesh
"Logging": {
"AccessLog": {
"File": {
"Path": "Path"
}
}
}
},
"Tags": [
{
"Key": "Key1",
"Value": "Value1"
},
{
"Key": "Key2",
"Value": "Value2"
}
]
}
}
},
"Outputs": {
"VirtualNodeName": {
"Description": "Name of the VirtualNode",
"Value": {
"Fn::GetAtt": [
"BasicVirtualNode",
"VirtualNodeName"
]
}
},
"MeshName": {
"Value": {
"Fn::GetAtt": [
"BasicVirtualNode",
"MeshName"
]
}
},
"Arn": {
"Description": "Arn of the VirtualNode created",
"Value": {
"Fn::GetAtt": [
"BasicVirtualNode",
"Arn"
]
}
},
"Uid": {
"Description": "Uid of the VirtualNode created",
"Value": {
"Fn::GetAtt": [
"BasicVirtualNode",
"Uid"
]
}
}
}
}
YAML
Description: "Basic Test Virtual Node"

851
App Mesh
Resources:
BasicVirtualNode:
Type: "AWS::AppMesh::VirtualNode"
Properties:
VirtualNodeName: "TestVirtualNode"
Spec:
Backends:
- VirtualService:
VirtualServiceName: "Backend_1"
- VirtualService:
VirtualServiceName: "Backend_2"
Listeners:
- HealthCheck:
HealthyThreshold: 2
IntervalMillis: 5000
Path: "Path"
Port: 8080
Protocol: "http"
TimeoutMillis: 2000
UnhealthyThreshold: 2
PortMapping:
Port: 8080
Protocol: "http"
ServiceDiscovery:
DNS:
Hostname: "Hostname"
Logging:
AccessLog:
File:
Path: "Path"
Tags:
- Key: "Key1"
Value: "Value1"
- Key: "Key2"
Value: "Value2"
Outputs:
VirtualNodeName:
Description: Name of the VirtualNode
Value:
Fn::GetAtt:
- BasicVirtualNode
- VirtualNodeName
MeshName:
Value:
Fn::GetAtt:
- BasicVirtualNode
- MeshName
Arn:
Description: Arn of the VirtualNode created
Value:
Fn::GetAtt:
- BasicVirtualNode
- Arn
Uid:
Description: Uid of the VirtualNode created
Value:
Fn::GetAtt:
- BasicVirtualNode
- Uid

852
App Mesh
See Also
• Virtual Nodes in the AWS App Mesh User Guide .
• CreateVirtualNode in the AWS App Mesh API Reference .
AWS::AppMesh::VirtualNode AccessLog
An object that represents the access logging information for a virtual node.
Syntax
JSON
{
"File" : FileAccessLog (p. 856)
}
YAML
File:
FileAccessLog (p. 856)
Properties
File
The file object to send virtual node access logs to.
Required: No
Type: FileAccessLog (p. 856)
AWS::AppMesh::VirtualNode AwsCloudMapInstanceAttribute
An object that represents the AWS Cloud Map attribute information for your virtual node.
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String

853
App Mesh
Properties
Key
The name of an AWS Cloud Map service instance attribute key. Any AWS Cloud Map service instance
that contains the specified key and value is returned.
Required: Yes
Type: String

Value
The value of an AWS Cloud Map service instance attribute key. Any AWS Cloud Map service instance
that contains the specified key and value is returned.
Required: Yes
Type: String
AWS::AppMesh::VirtualNode AwsCloudMapServiceDiscovery
An object that represents the AWS Cloud Map service discovery information for your virtual node.
Syntax
JSON
{
"Attributes" : [ AwsCloudMapInstanceAttribute (p. 853), ... ],
"NamespaceName" : String,
"ServiceName" : String
}
YAML
Attributes:
- AwsCloudMapInstanceAttribute (p. 853)
NamespaceName: String
ServiceName: String
Properties
Attributes
A string map that contains attributes with values that you can use to filter instances by any custom
attribute that you specified when you registered the instance. Only instances that match all of the
specified key/value pairs will be returned.
Required: No
Type: List of AwsCloudMapInstanceAttribute (p. 853)

854
App Mesh
NamespaceName
The name of the AWS Cloud Map namespace to use.
Required: Yes
Type: String

ServiceName
The name of the AWS Cloud Map service to use.
Required: Yes
Type: String
AWS::AppMesh::VirtualNode Backend
An object that represents the backends that a virtual node is expected to send outbound traffic to.
Syntax
JSON
{
"VirtualService" : VirtualServiceBackend (p. 862)
}
YAML
VirtualService:
VirtualServiceBackend (p. 862)
Properties
VirtualService
Specifies a virtual service to use as a backend for a virtual node.
Required: No
Type: VirtualServiceBackend (p. 862)
AWS::AppMesh::VirtualNode DnsServiceDiscovery
An object that represents the DNS service discovery information for your virtual node.
Syntax

855
App Mesh
JSON
{
"Hostname" : String
}
YAML
Hostname: String
Properties
Hostname
Specifies the DNS service discovery hostname for the virtual node.
Required: Yes
Type: String
AWS::AppMesh::VirtualNode FileAccessLog
An object that represents an access log file.
Syntax
JSON
{
"Path" : String
}
YAML
Path: String
Properties
Path
The file path to write access logs to. You can use /dev/stdout to send access logs to standard out
and configure your Envoy container to use a log driver, such as awslogs, to export the access logs
to a log storage service such as Amazon CloudWatch Logs. You can also specify a path in the Envoy
container's file system to write the files to disk.
Note
The Envoy process must have write permissions to the path that you specify here.
Otherwise, Envoy fails to bootstrap properly.
Required: Yes
Type: String

856
App Mesh
AWS::AppMesh::VirtualNode HealthCheck
An object that represents the health check policy for a virtual node's listener.
Syntax
JSON
{
"HealthyThreshold" : Integer,
"IntervalMillis" : Integer,
"Path" : String,
"Port" : Integer,
"Protocol" : String,
"TimeoutMillis" : Integer,
"UnhealthyThreshold" : Integer
}
YAML
HealthyThreshold: Integer
IntervalMillis: Integer
Path: String
Port: Integer
Protocol: String
TimeoutMillis: Integer
UnhealthyThreshold: Integer
Properties
HealthyThreshold
The number of consecutive successful health checks that must occur before declaring listener
healthy.
Required: Yes
Type: Integer

IntervalMillis
The time period in milliseconds between each health check execution.
Required: Yes
Type: Integer

Path
The destination path for the health check request. This value is only used if the specified protocol is
HTTP or HTTP/2. For any other protocol, this value is ignored.
Required: No
Type: String

857
App Mesh
Port
The destination port for the health check request. This port must match the port defined in the
PortMapping for the listener.
Required: No
Type: Integer

Protocol
The protocol for the health check request. If you specify grpc, then your service must conform to
the GRPC Health Checking Protocol.
Required: Yes
Type: String

TimeoutMillis
The amount of time to wait when receiving a response from the health check, in milliseconds.
Required: Yes
Type: Integer

UnhealthyThreshold
The number of consecutive failed health checks that must occur before declaring a virtual node
unhealthy.
Required: Yes
Type: Integer
AWS::AppMesh::VirtualNode Listener
An object that represents a listener for a virtual node.
Syntax
JSON
{
"HealthCheck" : HealthCheck (p. 857),
"PortMapping" : PortMapping (p. 859)
}
YAML
HealthCheck:
HealthCheck (p. 857)

858
App Mesh
PortMapping:
PortMapping (p. 859)
Properties
HealthCheck
The health check information for the listener.
Required: No
Type: HealthCheck (p. 857)

PortMapping
The port mapping information for the listener.
Required: Yes
Type: PortMapping (p. 859)
AWS::AppMesh::VirtualNode Logging
An object that represents the logging information for a virtual node.
Syntax
JSON
{
"AccessLog" : AccessLog (p. 853)
}
YAML
AccessLog:
AccessLog (p. 853)
Properties
AccessLog
The access log configuration for a virtual node.
Required: No
Type: AccessLog (p. 853)
AWS::AppMesh::VirtualNode PortMapping
An object representing a virtual node or virtual router listener port mapping.

859
App Mesh
Syntax
JSON
{
"Port" : Integer,
"Protocol" : String
}
YAML
Port: Integer
Protocol: String
Properties
Port
The port used for the port mapping.
Required: Yes
Type: Integer

Protocol
The protocol used for the port mapping. Specify one protocol.
Required: Yes
Type: String
AWS::AppMesh::VirtualNode ServiceDiscovery
An object that represents the service discovery information for a virtual node.
Syntax
JSON
{
"AWSCloudMap" : AwsCloudMapServiceDiscovery (p. 854),
"DNS" : DnsServiceDiscovery (p. 855)
}
YAML
AWSCloudMap:
AwsCloudMapServiceDiscovery (p. 854)
DNS:

860
App Mesh
DnsServiceDiscovery (p. 855)
Properties
AWSCloudMap
Specifies any AWS Cloud Map information for the virtual node.
Required: No
Type: AwsCloudMapServiceDiscovery (p. 854)

DNS
Specifies the DNS information for the virtual node.
Required: No
Type: DnsServiceDiscovery (p. 855)
AWS::AppMesh::VirtualNode VirtualNodeSpec
An object that represents the specification of a virtual node.
Syntax
JSON
{
"Backends" : [ Backend (p. 855), ... ],
"Listeners" : [ Listener (p. 858), ... ],
"Logging" : Logging (p. 859),
"ServiceDiscovery" : ServiceDiscovery (p. 860)
}
YAML
Backends:
- Backend (p. 855)
Listeners:
- Listener (p. 858)
Logging:
Logging (p. 859)
ServiceDiscovery:
ServiceDiscovery (p. 860)
Properties
Backends
The backends that the virtual node is expected to send outbound traffic to.
Required: No

861
App Mesh
Type: List of Backend (p. 855)

Listeners
The listener that the virtual node is expected to receive inbound traffic from. You can specify one
listener.
Required: No
Type: List of Listener (p. 858)

Logging
The inbound and outbound access logging information for the virtual node.
Required: No
Type: Logging (p. 859)

ServiceDiscovery
The service discovery information for the virtual node. If your virtual node does not expect ingress
traffic, you can omit this parameter. If you specify a listener, then you must specify service
discovery information.
Required: No
Type: ServiceDiscovery (p. 860)
AWS::AppMesh::VirtualNode VirtualServiceBackend
An object that represents a virtual service backend for a virtual node.
Syntax
JSON
{
"VirtualServiceName" : String
}
YAML
VirtualServiceName: String
Properties
VirtualServiceName
The name of the virtual service that is acting as a virtual node backend.

862
App Mesh
Required: Yes
Type: String
AWS::AppMesh::VirtualRouter
Creates a virtual router within a service mesh.
Any inbound traffic that your virtual router expects should be specified as a listener.
Virtual routers handle traffic for one or more virtual services within your mesh. After you create your
virtual router, create and associate routes for your virtual router that direct incoming requests to
different virtual nodes.
Syntax
JSON
{
"Type" : "AWS::AppMesh::VirtualRouter",
"Properties" : {
"Spec" : VirtualRouterSpec (p. 868),
"Tags" : [ Tag, ... ],
}
}
YAML
Type: AWS::AppMesh::VirtualRouter
Properties:
MeshName: String
Spec:
VirtualRouterSpec (p. 868)
Tags:
- Tag
Properties
MeshName
The name of the service mesh to create the virtual router in.
Required: Yes
Type: String

Spec
The virtual router specification to apply.

863
App Mesh
Required: Yes
Type: VirtualRouterSpec (p. 868)

Tags
Optional metadata that you can apply to the virtual router to assist with categorization and
of 256 characters.
Required: No
Type: List of Tag

VirtualRouterName
The name to use for the virtual router.
Required: Yes
Type: String
Return Values
Ref
For example:
{ "Ref": "myVirtualRouter" }
When you pass the logical ID of an AWS::AppMesh::VirtualRouter resource to the intrinsic

Ref function, the function returns the virtual router ARN, such as arn:aws:appmesh:us-
east-1:555555555555:virtualRouter/myVirtualRouter .
Fn::GetAtt
Arn
The full Amazon Resource Name (ARN) for the virtual router.
MeshName
The name of the service mesh that the virtual router resides in.
Uid
The unique identifier for the virtual router.

864
App Mesh
VirtualRouterName
The name of the virtual router.
Examples
Create a Virtual Router
This example creates a basic virtual router with an HTTP port mapping and two tags.
JSON
{
"Description": "Basic Test Virtual Router",
"Resources": {
"BasicVirtualRouter": {
"Type": "AWS::AppMesh::VirtualRouter",
"Properties": {
"VirtualRouterName": "TestVirtualRouter",
"MeshName": null,
"Spec": {
"Listeners": [
{
"PortMapping": {
"Port": 8080,
"Protocol": "http"
}
}
]
},
"Tags": [
{
"Key": "Key1",
"Value": "Value1"
},
{
"Key": "Key2",
"Value": "Value2"
}
]
}
}
},
"Outputs": {
"VirtualRouterName": {
"Description": "Name of the VirtualRouter",
"Value": {
"Fn::GetAtt": [
"BasicVirtualRouter",
"VirtualRouterName"
]
}
},
"MeshName": {
"Value": {
"Fn::GetAtt": [
"MeshName"
]
}
},
"Arn": {

865
App Mesh
"Description": "Arn of the VirtualRouter created",

"Value": {
"Fn::GetAtt": [
"Arn"
]
}
},
"Uid": {
"Description": "Uid of the VirtualRouter created",
"Value": {
"Fn::GetAtt": [
"Uid"
]
}
}
}
}
YAML
Description: Basic Test Virtual Router

Resources:
BasicVirtualRouter:
Type: AWS::AppMesh::VirtualRouter
Properties:
VirtualRouterName: TestVirtualRouter
MeshName:
Spec:
Listeners:
- PortMapping:
Port: 8080
Protocol: http
Tags:
- Key: Key1
Value: Value1
- Key: Key2
Value: Value2
Outputs:
VirtualRouterName:
Description: Name of the VirtualRouter
Value:
Fn::GetAtt:
- BasicVirtualRouter
- VirtualRouterName
MeshName:
Value:
Fn::GetAtt:
- MeshName
Arn:
Description: Arn of the VirtualRouter created
Value:
Fn::GetAtt:
- Arn
Uid:
Description: Uid of the VirtualRouter created
Value:
Fn::GetAtt:
- Uid

866
App Mesh
See Also
• Virtual Routers in the AWS App Mesh User Guide .
• CreateVirtualRouter in the AWS App Mesh API Reference .
AWS::AppMesh::VirtualRouter PortMapping
An object representing a virtual router listener port mapping.
Syntax
JSON
{
"Port" : Integer,
"Protocol" : String
}
YAML
Port: Integer
Protocol: String
Properties
Port
The port used for the port mapping.
Required: Yes
Type: Integer

Protocol
The protocol used for the port mapping. Specify one protocol.
Required: Yes
Type: String
AWS::AppMesh::VirtualRouter VirtualRouterListener
An object that represents a virtual router listener.
Syntax
JSON

867
App Mesh
"PortMapping" : PortMapping (p. 867)

}
YAML
PortMapping:
PortMapping (p. 867)
Properties
PortMapping
The port mapping information for the listener.
Required: Yes
Type: PortMapping (p. 867)
AWS::AppMesh::VirtualRouter VirtualRouterSpec
An object that represents the specification of a virtual router.
Syntax
JSON
{
"Listeners" : [ VirtualRouterListener (p. 867), ... ]
}
YAML
Listeners:
- VirtualRouterListener (p. 867)
Properties
Listeners
The listeners that the virtual router is expected to receive inbound traffic from. You can specify one
listener.
Required: Yes
Type: List of VirtualRouterListener (p. 867)
AWS::AppMesh::VirtualService
Creates a virtual service within a service mesh.

868
App Mesh
A virtual service is an abstraction of a real service that is provided by a virtual node directly or indirectly
by means of a virtual router. Dependent services call your virtual service by its virtualServiceName,
and those requests are routed to the virtual node or virtual router that is specified as the provider for the
virtual service.
Syntax
JSON
{
"Type" : "AWS::AppMesh::VirtualService",
"Properties" : {
"Spec" : VirtualServiceSpec (p. 874),
"Tags" : [ Tag, ... ],
"VirtualServiceName" : String
}
}
YAML
Type: AWS::AppMesh::VirtualService
Properties:
MeshName: String
Spec:
VirtualServiceSpec (p. 874)
Tags:
- Tag
VirtualServiceName: String
Properties
MeshName
The name of the service mesh to create the virtual service in.
Required: Yes
Type: String

Spec
The virtual service specification to apply.
Required: Yes
Type: VirtualServiceSpec (p. 874)

Tags
Optional metadata that you can apply to the virtual service to assist with categorization and
of 256 characters.

869
App Mesh
Required: No
Type: List of Tag

VirtualServiceName
The name to use for the virtual service.
Required: Yes
Type: String
Return Values
Ref
For example:
{ "Ref": "myVirtualService" }
When you pass the logical ID of an AWS::AppMesh::VirtualService resource to the intrinsic

Ref function, the function returns the virtual service ARN, such as arn:aws:appmesh:us-
east-1:555555555555:virtualService/myVirtualService .
Fn::GetAtt
Arn
The full Amazon Resource Name (ARN) for the virtual service.
MeshName
The name of the service mesh that the virtual service resides in.
Uid
The unique identifier for the virtual service.

VirtualServiceName
The name of the virtual service.
Examples
Create a Virtual Service
This example creates a virtual service that is provided by a virtual node.

870
App Mesh
JSON
{
"Description": "Basic Test VirtualService",
"Resources": {
"BasicVirtualService1": {
"Type": "AWS::AppMesh::VirtualService",
"Properties": {
"VirtualServiceName": "TestVirtualService1.internal",
"MeshName": null,
"Spec": {
"Provider": {
"VirtualNode": {
"VirtualNodeName": null
}
}
},
"Tags": [
{
"Key": "Key1",
"Value": "Value1"
},
{
"Key": "Key2",
"Value": "Value2"
}
]
}
}
},
"Outputs": {
"VirtualServiceName1": {
"Description": "Name of the VirtualService",
"Value": {
"Fn::GetAtt": [
"BasicVirtualService1",
"VirtualServiceName"
]
}
},
"MeshName": {
"Value": {
"Fn::GetAtt": [
"MeshName"
]
}
},
"Arn": {
"Description": "Arn of the VirtualService created",
"Value": {
"Fn::GetAtt": [
"Arn"
]
}
},
"Uid": {
"Description": "Uid of the VirtualService created",
"Value": {
"Fn::GetAtt": [
"Uid"
]

871
App Mesh
}
}
}
}
YAML
Description: "Basic Test VirtualService"

Resources:
BasicVirtualService1:
Type: "AWS::AppMesh::VirtualService"
Properties:
VirtualServiceName: "TestVirtualService1.internal"
Spec:
Provider:
VirtualNode:
VirtualNodeName: !ImportValue TestVirtualNodeName1
Tags:
- Key: "Key1"
Value: "Value1"
- Key: "Key2"
Value: "Value2"
Outputs:
VirtualServiceName1:
Description: Name of the VirtualService
Value:
Fn::GetAtt:
- BasicVirtualService1
- VirtualServiceName
MeshName:
Value:
Fn::GetAtt:
- MeshName
Arn:
Description: Arn of the VirtualService created
Value:
Fn::GetAtt:
- Arn
Uid:
Description: Uid of the VirtualService created
Value:
Fn::GetAtt:
- Uid
See Also
• Virtual Services in the AWS App Mesh User Guide .
• CreateVirtualService in the AWS App Mesh API Reference .
AWS::AppMesh::VirtualService VirtualNodeServiceProvider
An object that represents a virtual node service provider.
Syntax

872
App Mesh
JSON
{
"VirtualNodeName" : String
}
YAML
VirtualNodeName: String
Properties
VirtualNodeName
The name of the virtual node that is acting as a service provider.
Required: Yes
Type: String
AWS::AppMesh::VirtualService VirtualRouterServiceProvider
An object that represents a virtual node service provider.
Syntax
JSON
{
}
YAML
Properties
VirtualRouterName
The name of the virtual router that is acting as a service provider.
Required: Yes
Type: String
AWS::AppMesh::VirtualService VirtualServiceProvider
An object that represents the provider for a virtual service.

873
App Mesh
Syntax
JSON
{
"VirtualNode" : VirtualNodeServiceProvider (p. 872),
"VirtualRouter" : VirtualRouterServiceProvider (p. 873)
}
YAML
VirtualNode:
VirtualNodeServiceProvider (p. 872)
VirtualRouter:
VirtualRouterServiceProvider (p. 873)
Properties
VirtualNode
The virtual node associated with a virtual service.
Required: No
Type: VirtualNodeServiceProvider (p. 872)

VirtualRouter
The virtual router associated with a virtual service.
Required: No
Type: VirtualRouterServiceProvider (p. 873)
AWS::AppMesh::VirtualService VirtualServiceSpec
An object that represents the specification of a virtual service.
Syntax
JSON
{
"Provider" : VirtualServiceProvider (p. 873)
}
YAML
Provider:

874
AppStream 2.0
VirtualServiceProvider (p. 873)
Properties
Provider
The App Mesh object that is acting as the provider for a virtual service. You can specify a single
virtual node or virtual router.
Required: No
Type: VirtualServiceProvider (p. 873)
Amazon AppStream 2.0 Resource Type Reference

Resource Types
• AWS::AppStream::DirectoryConfig (p. 875)

• AWS::AppStream::Fleet (p. 877)
• AWS::AppStream::ImageBuilder (p. 884)
• AWS::AppStream::Stack (p. 890)
• AWS::AppStream::StackFleetAssociation (p. 897)
• AWS::AppStream::StackUserAssociation (p. 898)
• AWS::AppStream::User (p. 900)
AWS::AppStream::DirectoryConfig
The AWS::AppStream::DirectoryConfig resource specifies the configuration information required
to join Amazon AppStream 2.0 fleets and image builders to Microsoft Active Directory domains.
Syntax
JSON
{
"Type" : "AWS::AppStream::DirectoryConfig",
"Properties" : {
"DirectoryName" : String,
"OrganizationalUnitDistinguishedNames" : [ String, ... ],
"ServiceAccountCredentials" : ServiceAccountCredentials (p. 876)
}
}
YAML
Type: AWS::AppStream::DirectoryConfig
Properties:
DirectoryName: String
OrganizationalUnitDistinguishedNames:
- String
ServiceAccountCredentials:

875
AppStream 2.0
ServiceAccountCredentials (p. 876)
Properties
DirectoryName
The fully qualified name of the directory (for example, corp.example.com).
Required: Yes
Type: String

OrganizationalUnitDistinguishedNames
The distinguished names of the organizational units for computer accounts.
Required: Yes

ServiceAccountCredentials
The credentials for the service account used by the streaming instance to connect to the directory.
Do not use this parameter directly. Use ServiceAccountCredentials as an input parameter with
noEcho as shown in the Parameters. For best practices information, see Do Not Embed Credentials
in Your Templates.
Required: Yes
Type: ServiceAccountCredentials (p. 876)
See Also
• CreateDirectoryConfig in the Amazon AppStream 2.0 API Reference
AWS::AppStream::DirectoryConfig ServiceAccountCredentials
The credentials for the service account used by the streaming instance to connect to the directory.
Syntax
JSON
{
"AccountName" : String,
"AccountPassword" : String
}
YAML
AccountName: String

876
AppStream 2.0
AccountPassword: String
Properties
AccountName
The user name of the account. This account must have the following privileges: create computer
objects, join computers to the domain, and change/reset the password on descendant computer
objects for the organizational units specified.
Required: Yes
Type: String
Minimum: 1

AccountPassword
The password for the account.
Required: Yes
Type: String
Minimum: 1
Maximum: 127
AWS::AppStream::Fleet
The AWS::AppStream::Fleet resource creates a fleet for Amazon AppStream 2.0. A fleet consists of
streaming instances that run a specified image.
Syntax
JSON
{
"Type" : "AWS::AppStream::Fleet",
"Properties" : {
"ComputeCapacity" : ComputeCapacity (p. 882),
"DisconnectTimeoutInSeconds" : Integer,
"DisplayName" : String,
"DomainJoinInfo" : DomainJoinInfo (p. 882),
"EnableDefaultInternetAccess" : Boolean,
"FleetType" : String,
"IdleDisconnectTimeoutInSeconds" : Integer,
"ImageArn" : String,
"ImageName" : String,
"InstanceType" : String,
"MaxUserDurationInSeconds" : Integer,
"Name" : String,
"Tags" : [ Tag, ... ],

877
AppStream 2.0
"VpcConfig" : VpcConfig (p. 883)

}
}
YAML
Type: AWS::AppStream::Fleet
Properties:
ComputeCapacity:
ComputeCapacity (p. 882)
Description: String
DisconnectTimeoutInSeconds: Integer
DisplayName: String
DomainJoinInfo:
DomainJoinInfo (p. 882)
EnableDefaultInternetAccess: Boolean
FleetType: String
IdleDisconnectTimeoutInSeconds: Integer
ImageArn: String
ImageName: String
InstanceType: String
MaxUserDurationInSeconds: Integer
Name: String
Tags:
- Tag
VpcConfig:
VpcConfig (p. 883)
Properties
ComputeCapacity
The desired capacity for the fleet.
Required: Yes
Type: ComputeCapacity (p. 882)

Description
The description to display.
Required: No
Type: String
Maximum: 256

DisconnectTimeoutInSeconds
The amount of time that a streaming session remains active after users disconnect. If users try to
reconnect to the streaming session after a disconnection or network interruption within this time
interval, they are connected to their previous session. Otherwise, they are connected to a new
session with a new streaming instance.
Specify a value between 60 and 360000.
Required: No

878
AppStream 2.0
Type: Integer

DisplayName
The fleet name to display.
Required: No
Type: String
Maximum: 100

DomainJoinInfo
The name of the directory and organizational unit (OU) to use to join the fleet to a Microsoft Active
Directory domain.
Required: No
Type: DomainJoinInfo (p. 882)

EnableDefaultInternetAccess
Enables or disables default internet access for the fleet.
Required: No
Type: Boolean

FleetType
The fleet type.

ALWAYS_ON
Provides users with instant-on access to their apps. You are charged for all running instances in
your fleet, even if no users are streaming apps.
ON_DEMAND
Provide users with access to applications after they connect, which takes one to two minutes.
You are charged for instance streaming when users are connected and a small hourly fee for
instances that are not streaming apps.
Required: No
Type: String
Allowed Values: ALWAYS_ON | ON_DEMAND

IdleDisconnectTimeoutInSeconds
The amount of time that users can be idle (inactive) before they are disconnected from their
streaming session and the DisconnectTimeoutInSeconds time interval begins. Users are
notified before they are disconnected due to inactivity. If they try to reconnect to the streaming
session before the time interval specified in DisconnectTimeoutInSeconds elapses, they are

879
AppStream 2.0
connected to their previous session. Users are considered idle when they stop providing keyboard
or mouse input during their streaming session. File uploads and downloads, audio in, audio out, and
pixels changing do not qualify as user activity. If users continue to be idle after the time interval in
IdleDisconnectTimeoutInSeconds elapses, they are disconnected.
To prevent users from being disconnected due to inactivity, specify a value of 0. Otherwise, specify a
value between 60 and 3600.
Note
If you enable this feature, we recommend that you specify a value that corresponds exactly
to a whole number of minutes (for example, 60, 120, and 180). If you don't do this, the
value is rounded to the nearest minute. For example, if you specify a value of 70, users
are disconnected after 1 minute of inactivity. If you specify a value that is at the midpoint
between two different minutes, the value is rounded up. For example, if you specify a value
of 90, users are disconnected after 2 minutes of inactivity.
Required: No
Type: Integer

ImageArn
The ARN of the public, private, or shared image to use.
Required: No
Type: String
Pattern: ârn:aws:[A-Za-z0-9][A-Za-z0-9_/.-]{0,62}:[A-Za-z0-9_/.-]{0,63}:[A-
Za-z0-9_/.-]{0,63}:[A-Za-z0-9][A-Za-z0-9:_/+=,@.-]{0,1023}$

ImageName
The name of the image used to create the fleet.
Required: No
Type: String
Minimum: 1

InstanceType
The instance type to use when launching fleet instances. The following instance types are available:
• stream.standard.medium
• stream.standard.large
• stream.compute.large
• stream.compute.xlarge
• stream.compute.2xlarge
• stream.memory.large
• stream.memory.xlarge
• stream.memory.2xlarge

880
AppStream 2.0
• stream.memory.z1d.large
• stream.memory.z1d.xlarge
• stream.memory.z1d.2xlarge
• stream.graphics-design.large
• stream.graphics-design.xlarge
• stream.graphics-design.2xlarge
• stream.graphics-desktop.2xlarge
• stream.graphics-pro.4xlarge
Required: Yes
Type: String
Minimum: 1

MaxUserDurationInSeconds
The maximum amount of time that a streaming session can remain active, in seconds. If users are
still connected to a streaming instance five minutes before this limit is reached, they are prompted
to save any open documents before being disconnected. After this time elapses, the instance is
terminated and replaced by a new instance.
Specify a value between 600 and 360000.
Required: No
Type: Integer

Name
A unique name for the fleet.
Required: No
Type: String
Pattern: ^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,100}$

Tags
Required: No

881
AppStream 2.0
Type: List of Tag

VpcConfig
The VPC configuration for the fleet.
Required: No
Type: VpcConfig (p. 883)
See Also
• CreateFleet in the Amazon AppStream 2.0 API Reference
AWS::AppStream::Fleet ComputeCapacity
The desired capacity for a fleet.
Syntax
JSON
{
"DesiredInstances" : Integer
}
YAML
DesiredInstances: Integer
Properties
DesiredInstances
The desired number of streaming instances.
Required: Yes
Type: Integer
AWS::AppStream::Fleet DomainJoinInfo
The name of the directory and organizational unit (OU) to use to join a fleet to a Microsoft Active
Directory domain.
Syntax

882
AppStream 2.0
JSON
{
"OrganizationalUnitDistinguishedName" : String
}
YAML
OrganizationalUnitDistinguishedName: String
Properties
DirectoryName
Required: No
Type: String

OrganizationalUnitDistinguishedName
The distinguished name of the organizational unit for computer accounts.
Required: No
Type: String
Maximum: 2000
AWS::AppStream::Fleet VpcConfig
The VPC configuration information for the fleet.
Syntax
JSON
{
"SecurityGroupIds" : [ String, ... ],
"SubnetIds" : [ String, ... ]
}
YAML
SecurityGroupIds:
- String
SubnetIds:
- String

883
AppStream 2.0
Properties
SecurityGroupIds
The identifiers of the security groups for the fleet.
Required: No
Maximum: 5

SubnetIds
The identifiers of the subnets to which a network interface is attached from the fleet instance. Fleet
instances can use one or two subnets.
Required: No
AWS::AppStream::ImageBuilder
The AWS::AppStream::ImageBuilder resource creates an image builder for Amazon AppStream 2.0.
An image builder is a virtual machine that is used to create an image.
The initial state of the image builder is PENDING. When it is ready, the state is RUNNING.
Syntax
JSON
{
"Type" : "AWS::AppStream::ImageBuilder",
"Properties" : {
"AccessEndpoints" : [ AccessEndpoint (p. 888), ... ],
"AppstreamAgentVersion" : String,
"DomainJoinInfo" : DomainJoinInfo (p. 889),
"EnableDefaultInternetAccess" : Boolean,
"ImageArn" : String,
"ImageName" : String,
"Name" : String,
"Tags" : [ Tag, ... ],
}
}
YAML
Type: AWS::AppStream::ImageBuilder
Properties:
AccessEndpoints:

884
AppStream 2.0
- AccessEndpoint (p. 888)

AppstreamAgentVersion: String
Description: String
DisplayName: String
DomainJoinInfo:
DomainJoinInfo (p. 889)
EnableDefaultInternetAccess: Boolean
ImageArn: String
ImageName: String
Name: String
Tags:
- Tag
VpcConfig:
VpcConfig (p. 889)
Properties
AccessEndpoints
The list of virtual private cloud (VPC) interface endpoint objects. Administrators can connect to the
image builder only through the specified endpoints.
Required: No
Type: List of AccessEndpoint (p. 888)
Maximum: 4

AppstreamAgentVersion
The version of the AppStream 2.0 agent to use for this image builder. To use the latest version of the
AppStream 2.0 agent, specify [LATEST].
Required: No
Type: String
Minimum: 1
Maximum: 100

Description
Required: No
Type: String
Maximum: 256

DisplayName
The image builder name to display.
Required: No
Type: String

885
AppStream 2.0
Maximum: 100

DomainJoinInfo
The name of the directory and organizational unit (OU) to use to join the image builder to a
Microsoft Active Directory domain.
Required: No
Type: DomainJoinInfo (p. 889)

EnableDefaultInternetAccess
Enables or disables default internet access for the image builder.
Required: No
Type: Boolean

ImageArn
The ARN of the public, private, or shared image to use.
Required: No
Type: String
Pattern: ârn:aws:[A-Za-z0-9][A-Za-z0-9_/.-]{0,62}:[A-Za-z0-9_/.-]{0,63}:[A-
Za-z0-9_/.-]{0,63}:[A-Za-z0-9][A-Za-z0-9:_/+=,@.-]{0,1023}$

ImageName
The name of the image used to create the image builder.
Required: No
Type: String
Minimum: 1

InstanceType
The instance type to use when launching the image builder. The following instance types are
available:
• stream.standard.medium
• stream.standard.large
• stream.compute.large
• stream.compute.xlarge
• stream.memory.large
• stream.memory.xlarge

886
AppStream 2.0
• stream.memory.z1d.large
• stream.memory.z1d.xlarge
• stream.graphics-design.large
• stream.graphics-design.xlarge
• stream.graphics-desktop.2xlarge
Required: Yes
Type: String
Minimum: 1

Name
A unique name for the image builder.
Required: No
Type: String

Tags
Required: No
Type: List of Tag

VpcConfig
The VPC configuration for the image builder. You can specify only one subnet.
Required: No

887
AppStream 2.0
Return Values
Ref
Fn::GetAtt
StreamingUrl
The URL to start an image builder streaming session, returned as a string.
See Also
• CreateImageBuilder in the Amazon AppStream 2.0 API Reference
AWS::AppStream::ImageBuilder AccessEndpoint
Describes an interface VPC endpoint (interface endpoint) that lets you create a private connection
between the virtual private cloud (VPC) that you specify and AppStream 2.0. When you specify an
interface endpoint for a stack, users of the stack can connect to AppStream 2.0 only through that
endpoint. When you specify an interface endpoint for an image builder, administrators can connect to
the image builder only through that endpoint.
Syntax
JSON
{
"EndpointType" : String,
"VpceId" : String
}
YAML
VpceId: String
Properties
EndpointType
The type of interface endpoint.
Required: Yes
Type: String
Allowed Values: STREAMING

888
AppStream 2.0
VpceId
The identifier (ID) of the VPC in which the interface endpoint is used.
Required: Yes
Type: String
Minimum: 1
AWS::AppStream::ImageBuilder DomainJoinInfo
The name of the directory and organizational unit (OU) to use to join the image builder to a Microsoft
Active Directory domain.
Syntax
JSON
{
"OrganizationalUnitDistinguishedName" : String
}
YAML
Properties
DirectoryName
Required: No
Type: String

The distinguished name of the organizational unit for computer accounts.
Required: No
Type: String
Maximum: 2000
AWS::AppStream::ImageBuilder VpcConfig
The VPC configuration for the image builder.

889
AppStream 2.0
Syntax
JSON
{
}
YAML
SecurityGroupIds:
- String
SubnetIds:
- String
Properties
SecurityGroupIds
The identifiers of the security groups for the image builder.
Required: No
Maximum: 5

SubnetIds
The identifier of the subnet to which a network interface is attached from the image builder
instance. An image builder instance can use one subnet.
Required: No
AWS::AppStream::Stack
The AWS::AppStream::Stack resource creates a stack to start streaming applications to Amazon
AppStream 2.0 users. A stack consists of an associated fleet, user access policies, and storage
configurations.
Syntax
JSON
{
"Type" : "AWS::AppStream::Stack",

890
AppStream 2.0
"Properties" : {
"AccessEndpoints" : [ AccessEndpoint (p. 894), ... ],
"ApplicationSettings" : ApplicationSettings (p. 895),
"AttributesToDelete" : [ String, ... ],
"DeleteStorageConnectors" : Boolean,
"EmbedHostDomains" : [ String, ... ],
"FeedbackURL" : String,
"Name" : String,
"RedirectURL" : String,
"StorageConnectors" : [ StorageConnector (p. 895), ... ],
"Tags" : [ Tag, ... ],
"UserSettings" : [ UserSetting (p. 896), ... ]
}
}
YAML
Type: AWS::AppStream::Stack
Properties:
AccessEndpoints:
- AccessEndpoint (p. 894)
ApplicationSettings:
ApplicationSettings (p. 895)
AttributesToDelete:
- String
DeleteStorageConnectors: Boolean
Description: String
DisplayName: String
EmbedHostDomains:
- String
FeedbackURL: String
Name: String
RedirectURL: String
StorageConnectors:
- StorageConnector (p. 895)
Tags:
- Tag
UserSettings:
- UserSetting (p. 896)
Properties
AccessEndpoints
The list of virtual private cloud (VPC) interface endpoint objects. Users of the stack can connect to
AppStream 2.0 only through the specified endpoints.
Required: No
Type: List of AccessEndpoint (p. 894)
Maximum: 4

ApplicationSettings
The persistent application settings for users of the stack. When these settings are enabled, changes
that users make to applications and Windows settings are automatically saved after each session and
applied to the next session.

891
AppStream 2.0
Required: No
Type: ApplicationSettings (p. 895)

AttributesToDelete
The stack attributes to delete.
Required: No

DeleteStorageConnectors
This parameter has been deprecated.
Deletes the storage connectors currently enabled for the stack.
Required: No
Type: Boolean

Description
Required: No
Type: String
Minimum: 1

DisplayName
The stack name to display.
Required: No
Type: String
Maximum: 100

EmbedHostDomains
The domains where AppStream 2.0 streaming sessions can be embedded in an iframe. You must
approve the domains that you want to host embedded AppStream 2.0 streaming sessions.
Required: No
Maximum: 20

892
AppStream 2.0
FeedbackURL
The URL that users are redirected to after they click the Send Feedback link. If no URL is specified, no
Send Feedback link is displayed.
Required: No
Type: String
Maximum: 1000

Name
The name of the stack.
Required: No
Type: String

RedirectURL
The URL that users are redirected to after their streaming session ends.
Required: No
Type: String
Maximum: 1000

StorageConnectors
The storage connectors to enable.
Required: No
Type: List of StorageConnector (p. 895)

Tags
Required: No
Type: List of Tag

UserSettings
The actions that are enabled or disabled for users during their streaming sessions. By default, these
actions are enabled.
Required: No

893
AppStream 2.0
Type: List of UserSetting (p. 896)
See Also
• CreateStack in the Amazon AppStream 2.0 API Reference
AWS::AppStream::Stack AccessEndpoint
Describes an interface VPC endpoint (interface endpoint) that lets you create a private connection
between the virtual private cloud (VPC) that you specify and AppStream 2.0. When you specify an
interface endpoint for a stack, users of the stack can connect to AppStream 2.0 only through that
endpoint. When you specify an interface endpoint for an image builder, administrators can connect to
the image builder only through that endpoint.
Syntax
JSON
{
"VpceId" : String
}
YAML
VpceId: String
Properties
EndpointType
The type of interface endpoint.
Required: Yes
Type: String
Allowed Values: STREAMING

VpceId
The identifier (ID) of the VPC in which the interface endpoint is used.
Required: Yes
Type: String
Minimum: 1

894
AppStream 2.0
AWS::AppStream::Stack ApplicationSettings
The persistent application settings for users of a stack.
Syntax
JSON
{
"SettingsGroup" : String
}
YAML
Enabled: Boolean
SettingsGroup: String
Properties
Enabled
Enables or disables persistent application settings for users during their streaming sessions.
Required: Yes
Type: Boolean

SettingsGroup
The path prefix for the S3 bucket where users’ persistent application settings are stored. You can
allow the same persistent application settings to be used across multiple stacks by specifying the
same settings group for each stack.
Required: No
Type: String
Maximum: 100
AWS::AppStream::Stack StorageConnector
A connector that enables persistent storage for users.
Syntax
JSON
{
"ConnectorType" : String,

895
AppStream 2.0
"Domains" : [ String, ... ],

"ResourceIdentifier" : String
}
YAML
ConnectorType: String
Domains:
- String
ResourceIdentifier: String
Properties
ConnectorType
The type of storage connector.
Required: Yes
Type: String
Allowed Values: GOOGLE_DRIVE | HOMEFOLDERS | ONE_DRIVE

Domains
The names of the domains for the account.
Required: No
Maximum: 10

ResourceIdentifier
The ARN of the storage connector.
Required: No
Type: String
AWS::AppStream::Stack UserSetting
Specifies an action and whether the action is enabled or disabled for users during their streaming
sessions.
Syntax
JSON
{
"Action" : String,

896
AppStream 2.0
"Permission" : String
}
YAML
Action: String
Permission: String
Properties
Action
The action that is enabled or disabled.
Required: Yes
Type: String
Allowed Values: CLIPBOARD_COPY_FROM_LOCAL_DEVICE |

CLIPBOARD_COPY_TO_LOCAL_DEVICE | FILE_DOWNLOAD | FILE_UPLOAD |
PRINTING_TO_LOCAL_DEVICE

Permission
Indicates whether the action is enabled or disabled.
Required: Yes
Type: String
Allowed Values: DISABLED | ENABLED
AWS::AppStream::StackFleetAssociation
The AWS::AppStream::StackFleetAssociation resource associates the specified fleet with the
specified stack for Amazon AppStream 2.0.
Syntax
JSON
{
"Type" : "AWS::AppStream::StackFleetAssociation",
"Properties" : {
"FleetName" : String,
"StackName" : String
}
}
YAML
Type: AWS::AppStream::StackFleetAssociation

897
AppStream 2.0
Properties:
FleetName: String
StackName: String
Properties
FleetName
The name of the fleet.
To associate a fleet with a stack, you must specify a dependency on the fleet resource. For more
information, see DependsOn Attribute.
Required: Yes
Type: String
Minimum: 1

StackName
The name of the stack.
To associate a fleet with a stack, you must specify a dependency on the stack resource. For more
information, see DependsOn Attribute.
Required: Yes
Type: String
Minimum: 1
See Also
• AssociateFleet in the Amazon AppStream 2.0 API Reference
AWS::AppStream::StackUserAssociation
The AWS::AppStream::StackUserAssociation resource associates the specified users with the
specified stacks for Amazon AppStream 2.0. Users in an AppStream 2.0 user pool cannot be assigned to
stacks with fleets that are joined to an Active Directory domain.
Syntax
JSON
{
"Type" : "AWS::AppStream::StackUserAssociation",
"Properties" : {
"AuthenticationType" : String,
"SendEmailNotification" : Boolean,
"StackName" : String,

898
AppStream 2.0
"UserName" : String
}
}
YAML
Type: AWS::AppStream::StackUserAssociation
Properties:
AuthenticationType: String
SendEmailNotification: Boolean
StackName: String
UserName: String
Properties
AuthenticationType
The authentication type for the user who is associated with the stack. You must specify USERPOOL.
Required: Yes
Type: String

SendEmailNotification
Specifies whether a welcome email is sent to a user after the user is created in the user pool.
Required: No
Type: Boolean

StackName
The name of the stack that is associated with the user.
Required: Yes
Type: String
Minimum: 1

UserName
The email address of the user who is associated with the stack.
Note
Users' email addresses are case-sensitive.
Required: Yes
Type: String
Minimum: 1
Maximum: 128

899
AppStream 2.0
Pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}]+
See Also
• BatchAssociateUserStack in the Amazon AppStream 2.0 API Reference
AWS::AppStream::User
The AWS::AppStream::User resource creates a new user in the AppStream 2.0 user pool.
Syntax
JSON
{
"Type" : "AWS::AppStream::User",
"Properties" : {
"FirstName" : String,
"LastName" : String,
"MessageAction" : String,
"UserName" : String
}
}
YAML
Type: AWS::AppStream::User
Properties:
FirstName: String
LastName: String
MessageAction: String
UserName: String
Properties
AuthenticationType
The authentication type for the user. You must specify USERPOOL.
Required: Yes
Type: String

FirstName
The first name, or given name, of the user.
Required: No
Type: String

900
AppStream 2.0
Maximum: 2048
Pattern: ^[A-Za-z0-9_\-\s]+$

LastName
The last name, or surname, of the user.
Required: No
Type: String
Maximum: 2048
Pattern: ^[A-Za-z0-9_\-\s]+$

MessageAction
The action to take for the welcome email that is sent to a user after the user is created in the user
pool. If you specify SUPPRESS, no email is sent. If you specify RESEND, do not specify the first name
or last name of the user. If the value is null, the email is sent.
Note
The temporary password in the welcome email is valid for only 7 days. If users don’t set
their passwords within 7 days, you must send them a new welcome email.
Required: No
Type: String
Allowed Values: RESEND | SUPPRESS

UserName
The email address of the user.

Note
Users' email addresses are case-sensitive. During login, if they specify an email address that
doesn't use the same capitalization as the email address specified when their user pool
account was created, a "user does not exist" error message displays.
Required: Yes
Type: String
Minimum: 1
Maximum: 128
See Also
• CreateUser in the Amazon AppStream 2.0 API Reference

901
AppSync
AppSync Resource Type Reference

Resource Types
• AWS::AppSync::ApiCache (p. 902)

• AWS::AppSync::ApiKey (p. 904)
• AWS::AppSync::DataSource (p. 907)
• AWS::AppSync::FunctionConfiguration (p. 919)
• AWS::AppSync::GraphQLApi (p. 923)
• AWS::AppSync::GraphQLSchema (p. 932)
• AWS::AppSync::Resolver (p. 935)
AWS::AppSync::ApiCache
Represents the input of a CreateApiCache operation.
Syntax
JSON
{
"Type" : "AWS::AppSync::ApiCache",
"Properties" : {
"ApiCachingBehavior" : String,
"ApiId" : String,
"AtRestEncryptionEnabled" : Boolean,
"TransitEncryptionEnabled" : Boolean,
"Ttl" : Double,
"Type" : String
}
}
YAML
Type: AWS::AppSync::ApiCache
Properties:
ApiCachingBehavior: String
ApiId: String
AtRestEncryptionEnabled: Boolean
TransitEncryptionEnabled: Boolean
Ttl: Double
Type: String
Properties
ApiCachingBehavior
Caching behavior.
• FULL_REQUEST_CACHING: All requests are fully cached.
• PER_RESOLVER_CACHING: Individual resovlers that you specify are cached.
Required: Yes

902
AppSync
Type: String

ApiId
The GraphQL API Id.
Required: Yes
Type: String

AtRestEncryptionEnabled
At rest encryption flag for cache. This setting cannot be updated after creation.
Required: No
Type: Boolean

TransitEncryptionEnabled
Transit encryption flag when connecting to cache. This setting cannot be updated after creation.
Required: No
Type: Boolean

Ttl
TTL in seconds for cache entries.
Valid values are between 1 and 3600 seconds.
Required: Yes
Type: Double

Type
The cache instance type.

• T2_SMALL: A t2.small instance type.
• T2_MEDIUM: A t2.medium instance type.
• R4_LARGE: A r4.large instance type.
• R4_XLARGE: A r4.xlarge instance type.
• R4_2XLARGE: A r4.2xlarge instance type.
Required: Yes
Type: String

903
AppSync
Examples
ApiCache Creation Example
The following example creates an ApiCache for your GraphQL API.
YAML
Parameters:
graphQlApiId:
Type: String
Resources:
ApiCache:
Type: 'AWS::AppSync::ApiCache'
Properties:
ApiId: graphQlApiId
Type: T2_SMALL
ApiCachingBehavior: FULL_REQUEST_CACHING
Ttl: 1200
TransitEncryptionEnabled: true
AtRestEncryptionEnabled: true
JSON
{
"Parameters": {
"graphQlApiId": {
"Type": "String"
}
},
"Resources": {
"ApiCache": {
"Type": "AWS::AppSync::ApiCache",
"Properties": {
"ApiId": "graphQlApiId",
"Type": "T2_SMALL",
"ApiCachingBehavior": "FULL_REQUEST_CACHING",
"Ttl": 1200,
"TransitEncryptionEnabled": true,
"AtRestEncryptionEnabled": true
}
}
}
}
AWS::AppSync::ApiKey
The AWS::AppSync::ApiKey resource creates a unique key that you can distribute to clients who are
executing GraphQL operations with AWS AppSync that require an API key.
Syntax
JSON
{
"Type" : "AWS::AppSync::ApiKey",
"Properties" : {
"ApiId" : String,

904
AppSync
"Expires" : Double
}
}
YAML
Type: AWS::AppSync::ApiKey
Properties:
ApiId: String
Description: String
Expires: Double
Properties
ApiId
Unique AWS AppSync GraphQL API ID for this API key.
Required: Yes
Type: String

Description
Unique description of your API key.
Required: No
Type: String

Expires
Expiration time of the API key in seconds (using Unix Epoch time), with a minimum of 1 day and a
maximum of 365 days. The default value is 7 days.
Required: No
Type: Double
Return Values
Ref
When you pass the logical ID of an AWS::AppSync::ApiKey resource to the intrinsic Ref
function, the function returns the ARN of the API key, such as arn:aws:appsync:us-
east-1:123456789012:apis/graphqlapiid/apikey/apikeya1bzhi.
Fn::GetAtt
Fn::GetAtt returns a value for a specified attribute of this type. The following are the available
attributes and sample return values.

905
AppSync
For more information about using Fn::GetAtt, see Fn::GetAtt.
ApiKey
The API key.

Arn
The Amazon Resource Name (ARN) of the API key, such as arn:aws:appsync:us-
east-1:123456789012:apis/graphqlapiid/apikey/apikeya1bzhi.
Examples
API Key Creation Example
The following example creates an API key and associates it with an existing GraphQL API by passing the
GraphQL API ID as a parameter.
YAML
Parameters:
graphQlApiId:
Type: String
apiKeyDescription:
Type: String
apiKeyExpires:
Type: Number
Resources:
ApiKey:
Type: AWS::AppSync::ApiKey
Properties:
ApiId:
Ref: graphQlApiId
Description:
Ref: apiKeyDescription
Expires:
Ref: apiKeyExpires
JSON
{
"Parameters": {
"graphQlApiId": {
"Type": "String"
},
"apiKeyDescription": {
"Type": "String"
},
"apiKeyExpires": {
"Type": "Number"
}
},
"Resources": {
"ApiKey": {
"Type": "AWS::AppSync::ApiKey",
"Properties": {
"ApiId": {
"Ref": "graphQlApiId"
},
"Description": {
"Ref": "apiKeyDescription"

906
AppSync
},
"Expires": {
"Ref": "apiKeyExpires"
}
}
}
}
}
See Also
• CreateApiKey operation in the AWS AppSync API Reference.
AWS::AppSync::DataSource
The AWS::AppSync::DataSource resource creates data sources for resolvers in AWS AppSync to
connect to, such as Amazon DynamoDB, AWS Lambda, and Amazon Elasticsearch Service. Resolvers use
these data sources to fetch data when clients make GraphQL calls.
Syntax
JSON
{
"Type" : "AWS::AppSync::DataSource",
"Properties" : {
"ApiId" : String,
"DynamoDBConfig" : DynamoDBConfig (p. 914),
"ElasticsearchConfig" : ElasticsearchConfig (p. 915),
"HttpConfig" : HttpConfig (p. 916),
"LambdaConfig" : LambdaConfig (p. 916),
"Name" : String,
"RelationalDatabaseConfig" : RelationalDatabaseConfig (p. 918),
"ServiceRoleArn" : String,
"Type" : String
}
}
YAML
Type: AWS::AppSync::DataSource
Properties:
ApiId: String
Description: String
DynamoDBConfig:
DynamoDBConfig (p. 914)
ElasticsearchConfig:
ElasticsearchConfig (p. 915)
HttpConfig:
HttpConfig (p. 916)
LambdaConfig:
LambdaConfig (p. 916)
Name: String
RelationalDatabaseConfig:
RelationalDatabaseConfig (p. 918)
ServiceRoleArn: String
Type: String

907
AppSync
Properties
ApiId
Unique AWS AppSync GraphQL API identifier where this data source will be created.
Required: Yes
Type: String

Description
The description of the data source.
Required: No
Type: String

DynamoDBConfig
AwsRegion and TableName for an Amazon DynamoDB table in your account.
Required: No
Type: DynamoDBConfig (p. 914)

ElasticsearchConfig
AwsRegion and Endpoints for an Amazon Elasticsearch Service domain in your account.
Required: No
Type: ElasticsearchConfig (p. 915)

HttpConfig
Endpoints for an HTTP data source.
Required: No
Type: HttpConfig (p. 916)

LambdaConfig
A valid ARN of a Lambda function in your account.
Required: No
Type: LambdaConfig (p. 916)

Name
Friendly name for you to identify your AppSync data source after creation.
Required: Yes

908
AppSync
Type: String

RelationalDatabaseConfig
Relational Database configuration of the relational database data source.
Required: No
Type: RelationalDatabaseConfig (p. 918)

ServiceRoleArn
The AWS IAM service role ARN for the data source. The system assumes this role when accessing the
data source.
Required if Type is specified as AWS_LAMBDA, AMAZON_DYNAMODB, or AMAZON_ELASTICSEARCH.
Type: String

Type
The type of the data source.

• AMAZON_DYNAMODB: The data source is an Amazon DynamoDB table.
• AMAZON_ELASTICSEARCH: The data source is an Amazon Elasticsearch Service domain.
• AWS_LAMBDA: The data source is an AWS Lambda function.
• NONE: There is no data source. This type is used when you wish to invoke a GraphQL operation
without connecting to a data source, such as performing data transformation with resolvers or
triggering a subscription to be invoked from a mutation.
• HTTP: The data source is an HTTP endpoint.
• RELATIONAL_DATABASE: The data source is a relational database.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of an AWS::AppSync::DataSource resource to the intrinsic Ref
function, the function returns the ARN of the Data Source, such as arn:aws:appsync:us-
east-1:123456789012:apis/graphqlapiid/datasources/datasourcename.
Fn::GetAtt

909
AppSync
DataSourceArn
east-1:123456789012:apis/graphqlapiid/datasources/datasourcename.
Name
Friendly name for you to identify your AppSync data source after creation.
Examples
Data Source Creation Example
The following example creates a data source and associates it with an existing GraphQL API by passing
the GraphQL API ID as a parameter.
YAML
Parameters:
graphQlApiId:
Type: String
dataSourceName:
Type: String
dataSourceDescription:
Type: String
serviceRoleArn:
Type: String
lambdaFunctionArn:
Type: String
Resources:
DataSource:
Type: AWS::AppSync::DataSource
Properties:
ApiId:
Ref: graphQlApiId
Name:
Ref: dataSourceName
Description:
Ref: dataSourceDescription
Type: "AWS_LAMBDA"
ServiceRoleArn:
Ref: serviceRoleArn
LambdaConfig:
LambdaFunctionArn:
Ref: lambdaFunctionArn
JSON
{
"Parameters": {
"graphQlApiId": {
"Type": "String"
},
"dataSourceName": {
"Type": "String"
},
"dataSourceDescription": {
"Type": "String"
},
"serviceRoleArn": {
"Type": "String"

910
AppSync
},
"lambdaFunctionArn": {
"Type": "String"
}
},
"Resources": {
"DataSource": {
"Type": "AWS::AppSync::DataSource",
"Properties": {
"ApiId": {
},
"Name": {
"Ref": "dataSourceName"
},
"Description": {
"Ref": "dataSourceDescription"
},
"Type": "AWS_LAMBDA",
"ServiceRoleArn": {
"Ref": "serviceRoleArn"
},
"LambdaConfig": {
"LambdaFunctionArn": {
"Ref": "lambdaFunctionArn"
}
}
}
}
}
}
See Also
• CreateDataSource operation in the AWS AppSync API Reference.
AWS::AppSync::DataSource AuthorizationConfig
The AuthorizationConfig property type specifies the authorization type and configuration for an
AWS AppSync http data source.
AuthorizationConfig is a property of the AWS AppSync DataSource HttpConfig property type.
Syntax
JSON
{
"AwsIamConfig" : AwsIamConfig (p. 912)
}
YAML
AwsIamConfig:
AwsIamConfig (p. 912)

911
AppSync
Properties
AuthorizationType
The authorization type required by the HTTP endpoint.

• AWS_IAM: The authorization type is Sigv4.
Required: Yes
Type: String

AwsIamConfig
The AWS IAM settings.
Required: No
Type: AwsIamConfig (p. 912)
AWS::AppSync::DataSource AwsIamConfig
Use the AwsIamConfig property type to specify AwsIamConfig for a AWS AppSync authorizaton.
AwsIamConfig is a property of the AWS AppSync DataSource AuthorizationConfig resource.
Syntax
JSON
{
"SigningRegion" : String,
"SigningServiceName" : String
}
YAML
SigningRegion: String
SigningServiceName: String
Properties
SigningRegion
The signing region for AWS IAM authorization.
Required: No
Type: String

SigningServiceName
The signing service name for AWS IAM authorization.

912
AppSync
Required: No
Type: String
AWS::AppSync::DataSource DeltaSyncConfig
Describes a Delta Sync configuration.
Syntax
JSON
{
"BaseTableTTL" : String,
"DeltaSyncTableName" : String,
"DeltaSyncTableTTL" : String
}
YAML
BaseTableTTL: String
DeltaSyncTableName: String
DeltaSyncTableTTL: String
Properties
BaseTableTTL
The number of minutes an Item is stored in the datasource.
Required: Yes
Type: String

DeltaSyncTableName
The Delta Sync table name.
Required: Yes
Type: String

DeltaSyncTableTTL
The number of minutes a Delta Sync log entry is stored in the Delta Sync table.
Required: Yes
Type: String

913
AppSync
AWS::AppSync::DataSource DynamoDBConfig
The DynamoDBConfig property type specifies the AwsRegion and TableName for an Amazon
DynamoDB table in your account for an AWS AppSync data source.
DynamoDBConfig is a property of the AWS::AppSync::DataSource property type.
Syntax
JSON
{
"AwsRegion" : String,
"DeltaSyncConfig" : DeltaSyncConfig (p. 913),
"TableName" : String,
"UseCallerCredentials" : Boolean,
"Versioned" : Boolean
}
YAML
AwsRegion: String
DeltaSyncConfig:
DeltaSyncConfig (p. 913)
TableName: String
UseCallerCredentials: Boolean
Versioned: Boolean
Properties
AwsRegion
The AWS Region.
Required: Yes
Type: String

DeltaSyncConfig
The DeltaSyncConfig for a versioned datasource.
Required: No
Type: DeltaSyncConfig (p. 913)

TableName
The table name.
Required: Yes
Type: String

914
AppSync
UseCallerCredentials
Set to TRUE to use AWS IAM with this data source.
Required: No
Type: Boolean

Versioned
Set to TRUE to use Conflict Detection and Resolution with this data source.
Required: No
Type: Boolean
AWS::AppSync::DataSource ElasticsearchConfig
The ElasticsearchConfig property type specifies the AwsRegion and Endpoints for an Amazon
Elasticsearch Service domain in your account for an AWS AppSync data source.
ElasticsearchConfig is a property of the AWS::AppSync::DataSource property type.
Syntax
JSON
{
"Endpoint" : String
}
YAML
AwsRegion: String
Endpoint: String
Properties
AwsRegion
The AWS Region.
Required: Yes
Type: String

Endpoint
The endpoint.
Required: Yes
Type: String

915
AppSync
AWS::AppSync::DataSource HttpConfig
Use the HttpConfig property type to specify HttpConfig for an AWS AppSync data source.
HttpConfig is a property of the AWS::AppSync::DataSource resource.
Syntax
JSON
{
"AuthorizationConfig" : AuthorizationConfig (p. 911),
"Endpoint" : String
}
YAML
AuthorizationConfig:
AuthorizationConfig (p. 911)
Endpoint: String
Properties
AuthorizationConfig
The authorization configuration.
Required: No
Type: AuthorizationConfig (p. 911)

Endpoint
The endpoint.
Required: Yes
Type: String
AWS::AppSync::DataSource LambdaConfig
The LambdaConfig property type specifies the Lambda function ARN for an AWS AppSync data source.
LambdaConfig is a property of the AWS::AppSync::DataSource property type.
Syntax
JSON

916
AppSync
"LambdaFunctionArn" : String
}
YAML
LambdaFunctionArn: String
Properties
LambdaFunctionArn
The ARN for the Lambda function.
Required: Yes
Type: String
AWS::AppSync::DataSource RdsHttpEndpointConfig
Use the RdsHttpEndpointConfig property type to specify RdsHttpEndpoint for an AWS AppSync
relational database.
RdsHttpEndpointConfig is a property of the AWS AppSync DataSource RelationalDatabaseConfig

resource.
Syntax
JSON
{
"AwsSecretStoreArn" : String,
"DatabaseName" : String,
"DbClusterIdentifier" : String,
"Schema" : String
}
YAML
AwsRegion: String
AwsSecretStoreArn: String
DatabaseName: String
DbClusterIdentifier: String
Schema: String
Properties
AwsRegion
AWS Region for RDS HTTP endpoint.
Required: Yes
Type: String

917
AppSync

AwsSecretStoreArn
AWS secret store ARN for database credentials.
Required: Yes
Type: String

DatabaseName
Logical database name.
Required: No
Type: String

DbClusterIdentifier
Amazon RDS cluster identifier.
Required: Yes
Type: String

Schema
Logical schema name.
Required: No
Type: String
AWS::AppSync::DataSource RelationalDatabaseConfig
Use the RelationalDatabaseConfig property type to specify RelationalDatabaseConfig for an
AWS AppSync data source.
RelationalDatabaseConfig is a property of the AWS::AppSync::DataSource property type.
Syntax
JSON
{
"RdsHttpEndpointConfig" : RdsHttpEndpointConfig (p. 917),
"RelationalDatabaseSourceType" : String
}
YAML
RdsHttpEndpointConfig:
RdsHttpEndpointConfig (p. 917)

918
AppSync
RelationalDatabaseSourceType: String
Properties
RdsHttpEndpointConfig
Information about the Amazon RDS resource.
Required: No
Type: RdsHttpEndpointConfig (p. 917)

RelationalDatabaseSourceType
The type of relational data source.
Required: Yes
Type: String
AWS::AppSync::FunctionConfiguration
The AWS::AppSync::FunctionConfiguration resource defines the functions in GraphQL APIs to
perform certain operations. You can use pipeline resolvers to attach functions. For more information, see
Pipeline Resolvers in the AWS AppSync Developer Guide.
Syntax
JSON
{
"Type" : "AWS::AppSync::FunctionConfiguration",
"Properties" : {
"ApiId" : String,
"DataSourceName" : String,
"FunctionVersion" : String,
"Name" : String,
"RequestMappingTemplate" : String,
"RequestMappingTemplateS3Location" : String,
"ResponseMappingTemplate" : String,
"ResponseMappingTemplateS3Location" : String
}
}
YAML
Type: AWS::AppSync::FunctionConfiguration
Properties:
ApiId: String
DataSourceName: String
Description: String
FunctionVersion: String
Name: String
RequestMappingTemplate: String

919
AppSync
RequestMappingTemplateS3Location: String
ResponseMappingTemplate: String
ResponseMappingTemplateS3Location: String
Properties
ApiId
The AWS AppSync GraphQL API that you want to attach using this function.
Required: Yes
Type: String

DataSourceName
The name of data source this function will attach.
Required: Yes
Type: String

Description
The Function description.
Required: No
Type: String

FunctionVersion
The version of the request mapping template. Currently only the 2018-05-29 version of the
template is supported.
Required: Yes
Type: String

Name
The name of the function.
Required: Yes
Type: String

RequestMappingTemplate
The Function request mapping template. Functions support only the 2018-05-29 version of the
request mapping template.
Required: No
Type: String

920
AppSync
RequestMappingTemplateS3Location
The location of a request mapping template in an Amazon S3 bucket. Use this if you want to
provision with a template file in Amazon S3 rather than embedding it in your CloudFormation
template.
Required: No
Type: String

ResponseMappingTemplate
The Function response mapping template.
Required: No
Type: String

ResponseMappingTemplateS3Location
The location of a response mapping template in an Amazon S3 bucket. Use this if you want to
template.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of an AWS::AppSync::FunctionConfiguration resource to

the intrinsic Ref function, the function returns the ARN of the FunctionConfiguration, such as
arn:aws:appsync:us-east-1:123456789012:apis/graphqlapiid/functions/functionid.
Fn::GetAtt
DataSourceName
The name of data source this function will attach.

FunctionArn
ARN of the function, such as arn:aws:appsync:us-east-1:123456789012:apis/

graphqlapiid/functions/functionId.
FunctionId
The unique ID of this function.

921
AppSync
Name
The name of the function.
Examples
Function Creation Example
The following example creates a function and associates it with an existing GraphQL API and a data
source by passing the GraphQL API ID and data source name as a parameter.
YAML
Parameters:
graphQlApiId:
Type: String
dataSourceName:
Type: String
name:
Type: String
description:
Type: String
functionVersion:
Type: String
requestMappingTemplateS3LocationInput:
Type: String
responseMappingTemplateS3LocationInput:
Type: String
Resources:
FunctionConfiguration:
Type: AWS::AppSync::FunctionConfiguration
Properties:
ApiId:
Ref: graphQlApiId
Name:
Ref: name
Description:
Ref: description
DataSourceName:
Ref: dataSourceName
FunctionVersion:
Ref: functionVersion
RequestMappingTemplateS3Location:
Ref: requestMappingTemplateS3LocationInput
ResponseMappingTemplateS3Location:
Ref: responseMappingTemplateS3LocationInput
JSON
{
"Parameters": {
"graphQlApiId": {
"Type": "String"
},
"name": {
"Type": "String"
},
"description": {
"Type": "String"
},
"dataSourceName": {
"Type": "String"

922
AppSync
},
"functionVersion": {
"Type": "String"
},
"requestMappingTemplateS3LocationInput": {
"Type": "String"
},
"responseMappingTemplateS3LocationInput": {
"Type": "String"
}
},
"Resources": {
"FunctionConfiguration": {
"Type": "AWS::AppSync::FunctionConfiguration",
"Properties": {
"ApiId": {
},
"Name": {
"Ref": "name"
},
"Description": {
},
"FunctionVersion": {
"Ref": "functionVersion"
},
"DataSourceName": {
},
"RequestMappingTemplateS3Location": {
"Ref": "requestMappingTemplateS3LocationInput"
},
"ResponseMappingTemplateS3Location": {
"Ref": "responseMappingTemplateS3LocationInput"
}
}
}
}
}
See Also
• CreateFunction operation in the AWS AppSync API Reference.
AWS::AppSync::GraphQLApi
The AWS::AppSync::GraphQLApi resource creates a new AppSync GraphQL API. This is the top-level
construct for your application. For more information, see Quick Start in the AWS AppSync Developer
Guide.
Syntax
JSON
{
"Type" : "AWS::AppSync::GraphQLApi",
"Properties" : {
"AdditionalAuthenticationProviders" : AdditionalAuthenticationProviders (p. 928),

923
AppSync
"LogConfig" : LogConfig (p. 929),
"Name" : String,
"OpenIDConnectConfig" : OpenIDConnectConfig (p. 930),
"Tags" : Tags (p. 931),
"UserPoolConfig" : UserPoolConfig (p. 931)
}
}
YAML
Type: AWS::AppSync::GraphQLApi
Properties:
AdditionalAuthenticationProviders:
AdditionalAuthenticationProviders (p. 928)
LogConfig:
LogConfig (p. 929)
Name: String
OpenIDConnectConfig:
OpenIDConnectConfig (p. 930)
Tags:
Tags (p. 931)
UserPoolConfig:
UserPoolConfig (p. 931)
Properties
AdditionalAuthenticationProviders
A list of additional authentication providers for the GraphqlApi API.
Required: No
Type: AdditionalAuthenticationProviders (p. 928)

AuthenticationType
Security configuration for your GraphQL API. For allowed values (such as API_KEY, AWS_IAM, or
AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT), see Security in the AWS AppSync Developer
Guide.
Required: Yes
Type: String

LogConfig
The Amazon CloudWatch Logs configuration.
Required: No
Type: LogConfig (p. 929)

Name
The API name.

924
AppSync
Required: Yes
Type: String

OpenIDConnectConfig
The OpenID Connect configuration.
Required: No
Type: OpenIDConnectConfig (p. 930)

Tags
An arbitrary set of tags (key-value pairs) for this GraphQL API.
Required: No
Type: Tags (p. 931)

UserPoolConfig
Optional authorization configuration for using Amazon Cognito user pools with your GraphQL
endpoint.
Required: No
Type: UserPoolConfig (p. 931)
Return Values
Ref
When you pass the logical ID of an AWS::AppSync::GraphQLApi resource to the intrinsic Ref
function, the function returns the ARN of the GraphQL API, such as arn:aws:appsync:us-
east-1:123456789012:apis/graphqlapiid.
Fn::GetAtt
ApiId
Unique AWS AppSync GraphQL API identifier.

Arn
east-1:123456789012:apis/graphqlapiid.

925
AppSync
GraphQLUrl
The Endpoint URL of your GraphQL API.
Examples
GraphQL API Creation Example
The following example creates a GraphQL API.
YAML
Parameters:
graphQlApiName:
Type: String
userPoolId:
Type: String
userPoolAwsRegion:
Type: String
defaultAction:
Type: String
Resources:
GraphQLApi:
Type: AWS::AppSync::GraphQLApi
Properties:
Name:
Ref: graphQlApiName
AuthenticationType: "AMAZON_COGNITO_USER_POOLS"
UserPoolConfig:
UserPoolId:
Ref: userPoolId
AwsRegion:
Ref: userPoolAwsRegion
DefaultAction:
Ref: defaultAction
JSON
{
"Parameters": {
"graphQlApiName": {
"Type": "String"
},
"userPoolId": {
"Type": "String"
},
"userPoolAwsRegion": {
"Type": "String"
},
"defaultAction": {
"Type": "String"
}
},
"Resources": {
"GraphQLApi": {
"Type": "AWS::AppSync::GraphQLApi",
"Properties": {
"Name": {
"Ref": "graphQlApiName"
},
"AuthenticationType": "AMAZON_COGNITO_USER_POOLS",
"UserPoolConfig": {

926
AppSync
"UserPoolId": {
"Ref": "userPoolId"
},
"AwsRegion": {
"Ref": "userPoolAwsRegion"
},
"DefaultAction": {
"Ref": "defaultAction"
}
}
}
}
}
}
See Also
• CreateGraphqlApi operation in the AWS AppSync API Reference.
AWS::AppSync::GraphQLApi AdditionalAuthenticationProvider
Describes an additional authentication provider.
Syntax
JSON
{
"OpenIDConnectConfig" : OpenIDConnectConfig (p. 930),
"UserPoolConfig" : CognitoUserPoolConfig (p. 928)
}
YAML
OpenIDConnectConfig:
OpenIDConnectConfig (p. 930)
UserPoolConfig:
CognitoUserPoolConfig (p. 928)
Properties
AuthenticationType
The authentication type: API key, AWS IAM, OIDC, or Amazon Cognito user pools.
Required: Yes
Type: String

OpenIDConnectConfig
The OpenID Connect configuration.
Required: No

927
AppSync
Type: OpenIDConnectConfig (p. 930)

UserPoolConfig
The Amazon Cognito user pool configuration.
Required: No
Type: CognitoUserPoolConfig (p. 928)
AWS::AppSync::GraphQLApi AdditionalAuthenticationProviders
A list of additional authentication providers for the GraphqlApi API.
Required: No
Type: List of AdditionalAuthenticationProvider
AWS::AppSync::GraphQLApi CognitoUserPoolConfig
Describes an Amazon Cognito user pool configuration.
Syntax
JSON
{
"AppIdClientRegex" : String,
"UserPoolId" : String
}
YAML
AppIdClientRegex: String
AwsRegion: String
UserPoolId: String
Properties
AppIdClientRegex
A regular expression for validating the incoming Amazon Cognito user pool app client ID.
Required: No
Type: String

AwsRegion
The AWS Region in which the user pool was created.

928
AppSync
Required: No
Type: String

UserPoolId
The user pool ID.
Required: No
Type: String
AWS::AppSync::GraphQLApi LogConfig
The LogConfig property type specifies the logging configuration when writing GraphQL operations and
tracing to Amazon CloudWatch for a AWS AppSync GraphQL API.
LogConfig is a property of the AWS::AppSync::GraphQLApi property type.
Syntax
JSON
{
"CloudWatchLogsRoleArn" : String,
"ExcludeVerboseContent" : Boolean,
"FieldLogLevel" : String
}
YAML
CloudWatchLogsRoleArn: String
ExcludeVerboseContent: Boolean
FieldLogLevel: String
Properties
CloudWatchLogsRoleArn
The service role that AWS AppSync will assume to publish to Amazon CloudWatch Logs in your
account.
Required: No
Type: String

ExcludeVerboseContent
Set to TRUE to exclude sections that contain information such as headers, context, and evaluated
mapping templates, regardless of logging level.
Required: No

929
AppSync
Type: Boolean

FieldLogLevel
The field logging level. Values can be NONE, ERROR, or ALL.

• NONE: No field-level logs are captured.
• ERROR: Logs the following information only for the fields that are in error:
• The error section in the server response.
• Field-level errors.
• The generated request/response functions that got resolved for error fields.
• ALL: The following information is logged for all fields in the query:
• Field-level tracing information.
• The generated request/response functions that got resolved for each field.
Required: No
Type: String
AWS::AppSync::GraphQLApi OpenIDConnectConfig
The OpenIDConnectConfig property type specifies the optional authorization configuration for using
an OpenID Connect compliant service with your GraphQL endpoint for an AWS AppSync GraphQL API.
OpenIDConnectConfig is a property of the AWS::AppSync::GraphQLApi property type.
Syntax
JSON
{
"AuthTTL" : Double,
"IatTTL" : Double,
"Issuer" : String
}
YAML
AuthTTL: Double
ClientId: String
IatTTL: Double
Issuer: String
Properties
AuthTTL
The number of milliseconds a token is valid after being authenticated.
Required: No

930
AppSync
Type: Double

ClientId
The client identifier of the Relying party at the OpenID identity provider. This identifier is typically
obtained when the Relying party is registered with the OpenID identity provider. You can specify a
regular expression so the AWS AppSync can validate against multiple client identifiers at a time.
Required: No
Type: String

IatTTL
The number of milliseconds a token is valid after being issued to a user.
Required: No
Type: Double

Issuer
The issuer for the OpenID Connect configuration. The issuer returned by discovery must exactly
match the value of iss in the ID token.
Required: No
Type: String
AWS::AppSync::GraphQLApi Tags
An arbitrary set of tags (key-value pairs) for this GraphQL API.
Required: No
Type: List of Tag
AWS::AppSync::GraphQLApi UserPoolConfig
The UserPoolConfig property type specifies the optional authorization configuration for using
Amazon Cognito user pools with your GraphQL endpoint for an AWS AppSync GraphQL API.
LogConfig is a property of the AWS::AppSync::GraphQLApi property type.
Syntax
JSON

931
AppSync
"AppIdClientRegex" : String,
"DefaultAction" : String,
}
YAML
AppIdClientRegex: String
AwsRegion: String
DefaultAction: String
UserPoolId: String
Properties
AppIdClientRegex
A regular expression for validating the incoming Amazon Cognito user pool app client ID.
Required: No
Type: String

AwsRegion
The AWS Region in which the user pool was created.
Required: No
Type: String

DefaultAction
The action that you want your GraphQL API to take when a request that uses Amazon Cognito user
pool authentication doesn't match the Amazon Cognito user pool configuration.
Required: No
Type: String

UserPoolId
The user pool ID.
Required: No
Type: String
AWS::AppSync::GraphQLSchema
The AWS::AppSync::GraphQLSchema resource is used for your AWS AppSync GraphQL schema that
controls the data model for your API. Schema files are text written in Schema Definition Language (SDL)

932
AppSync
format. For more information about schema authoring, see Designing a GraphQL API in the AWS AppSync
Developer Guide.
Syntax
JSON
{
"Type" : "AWS::AppSync::GraphQLSchema",
"Properties" : {
"ApiId" : String,
"Definition" : String,
"DefinitionS3Location" : String
}
}
YAML
Type: AWS::AppSync::GraphQLSchema
Properties:
ApiId: String
Definition: String
DefinitionS3Location: String
Properties
ApiId
The AWS AppSync GraphQL API identifier to which you want to apply this schema.
Required: Yes
Type: String

Definition
The text representation of a GraphQL schema in SDL format.
Required: No
Type: String

DefinitionS3Location
The location of a GraphQL schema file in an Amazon S3 bucket. Use this if you want to provision
with the schema living in Amazon S3 rather than embedding it in your CloudFormation template.
Required: No
Type: String

933
AppSync
Return Values
Ref
When you pass the logical ID of an AWS::AppSync::GraphQLSchema resource to the intrinsic Ref
function, the function returns the GraphQL API id with the literal String GraphQLSchema attached to it.
Examples
GraphQL Schema Creation Example
The following example creates a GraphQL Schema and associates it with an existing GraphQL API by
passing the GraphQL API ID as a parameter.
YAML
Parameters:
graphQlApiId:
Type: String
graphQlSchemaS3DescriptionLocation:
Type: String
Resources:
Schema:
Type: AWS::AppSync::GraphQLSchema
Properties:
ApiId:
Ref: graphQlApiId
DefinitionS3Location:
Ref: graphQlSchemaS3DescriptionLocation
JSON
{
"Parameters": {
"graphQlApiId": {
"Type": "String"
},
"graphQlSchemaS3DescriptionLocation": {
"Type": "String"
}
},
"Resources": {
"Schema": {
"Type": "AWS::AppSync::GraphQLSchema",
"Properties": {
"ApiId": {
},
"DefinitionS3Location": {
"Ref": "graphQlSchemaS3DescriptionLocation"
}
}
}
}
}
See Also
• StartSchemaCreation operation in the AWS AppSync API Reference.

934
AppSync
AWS::AppSync::Resolver
The AWS::AppSync::Resolver resource defines the logical GraphQL resolver that you attach
to fields in a schema. Request and response templates for resolvers are written in Apache Velocity
Template Language (VTL) format. For more information about resolvers, see Resolver Mapping Template
Reference.
Syntax
JSON
{
"Type" : "AWS::AppSync::Resolver",
"Properties" : {
"ApiId" : String,
"CachingConfig" : CachingConfig (p. 939),
"DataSourceName" : String,
"FieldName" : String,
"Kind" : String,
"PipelineConfig" : PipelineConfig (p. 941),
"RequestMappingTemplate" : String,
"RequestMappingTemplateS3Location" : String,
"ResponseMappingTemplate" : String,
"ResponseMappingTemplateS3Location" : String,
"SyncConfig" : SyncConfig (p. 941),
"TypeName" : String
}
}
YAML
Type: AWS::AppSync::Resolver
Properties:
ApiId: String
CachingConfig:
CachingConfig (p. 939)
DataSourceName: String
FieldName: String
Kind: String
PipelineConfig:
PipelineConfig (p. 941)
RequestMappingTemplate: String
RequestMappingTemplateS3Location: String
ResponseMappingTemplate: String
ResponseMappingTemplateS3Location: String
SyncConfig:
SyncConfig (p. 941)
TypeName: String
Properties
ApiId
The AWS AppSync GraphQL API to which you want to attach this resolver.
Required: Yes
Type: String

935
AppSync

CachingConfig
The caching configuration for the resolver.
Required: No
Type: CachingConfig (p. 939)

DataSourceName
The resolver data source name.
Required: No
Type: String

FieldName
The GraphQL field on a type that invokes the resolver.
Required: Yes
Type: String

Kind
The resolver type.

• UNIT: A UNIT resolver type. A UNIT resolver is the default resolver type. A UNIT resolver enables
you to execute a GraphQL query against a single data source.
• PIPELINE: A PIPELINE resolver type. A PIPELINE resolver enables you to execute a series of
Function in a serial manner. You can use a pipeline resolver to execute a GraphQL query against
multiple data sources.
Required: No
Type: String

PipelineConfig
Functions linked with the pipeline resolver.
Required: No
Type: PipelineConfig (p. 941)

RequestMappingTemplate
The request mapping template.
Required: No
Type: String

936
AppSync
RequestMappingTemplateS3Location
The location of a request mapping template in an Amazon S3 bucket. Use this if you want to
template.
Required: No
Type: String

ResponseMappingTemplate
The response mapping template.
Required: No
Type: String

ResponseMappingTemplateS3Location
The location of a response mapping template in an Amazon S3 bucket. Use this if you want to
template.
Required: No
Type: String

SyncConfig
The SyncConfig for a resolver attached to a versioned datasource.
Required: No
Type: SyncConfig (p. 941)

TypeName
The GraphQL type that invokes this resolver.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of an AWS::AppSync::Resolver resource to the intrinsic

Ref function, the function returns the ARN of the Resolver, such as arn:aws:appsync:us-
east-1:123456789012:apis/graphqlapiid/types/typename/resolvers/resolvername.

937
AppSync
Fn::GetAtt
FieldName
The GraphQL field on a type that invokes the resolver.

ResolverArn
ARN of the resolver, such as arn:aws:appsync:us-east-1:123456789012:apis/

graphqlapiid/types/typename/resolvers/resolvername.
TypeName
The GraphQL type that invokes this resolver.
Examples
Resolver Creation Example
The following example creates a resolver and associates it with an existing GraphQL API and a data
source by passing the GraphQL API ID and data source name as a parameter.
YAML
Parameters:
graphQlApiId:
Type: String
dataSourceName:
Type: String
fieldName:
Type: String
typeName:
Type: String
requestMappingTemplateS3LocationInput:
Type: String
responseMappingTemplateS3LocationInput:
Type: String
Resources:
Resolver:
Type: AWS::AppSync::Resolver
Properties:
ApiId:
Ref: graphQlApiId
TypeName:
Ref: typeName
FieldName:
Ref: fieldName
DataSourceName:
Ref: dataSourceName
RequestMappingTemplateS3Location:
Ref: requestMappingTemplateS3LocationInput
ResponseMappingTemplateS3Location:
Ref: responseMappingTemplateS3LocationInput
JSON

938
AppSync
"Parameters": {
"graphQlApiId": {
"Type": "String"
},
"dataSourceName": {
"Type": "String"
},
"fieldName": {
"Type": "String"
},
"typeName": {
"Type": "String"
},
"requestMappingTemplateS3LocationInput": {
"Type": "String"
},
"responseMappingTemplateS3LocationInput": {
"Type": "String"
}
},
"Resources": {
"Resolver": {
"Type": "AWS::AppSync::Resolver",
"Properties": {
"ApiId": {
},
"TypeName": {
"Ref": "typeName"
},
"FieldName": {
"Ref": "fieldName"
},
"DataSourceName": {
},
"RequestMappingTemplateS3Location": {
"Ref": "requestMappingTemplateS3LocationInput"
},
"ResponseMappingTemplateS3Location": {
"Ref": "responseMappingTemplateS3LocationInput"
}
}
}
}
}
See Also
• CreateResolver operation in the AWS AppSync API Reference.
AWS::AppSync::Resolver CachingConfig
The caching configuration for a resolver that has caching enabled.
Syntax
JSON

939
AppSync
"CachingKeys" : [ String, ... ],

"Ttl" : Double
}
YAML
CachingKeys:
- String
Ttl: Double
Properties
CachingKeys
The caching keys for a resolver that has caching enabled.
Valid values are entries from the $context.identity and $context.arguments maps.
Required: No

Ttl
The TTL in seconds for a resolver that has caching enabled.
Valid values are between 1 and 3600 seconds.
Required: No
Type: Double
AWS::AppSync::Resolver LambdaConflictHandlerConfig
The LambdaConflictHandlerConfig when configuring LAMBDA as the Conflict Handler.
Syntax
JSON
{
"LambdaConflictHandlerArn" : String
}
YAML
LambdaConflictHandlerArn: String
Properties
LambdaConflictHandlerArn
The Arn for the Lambda function to use as the Conflict Handler.

940
AppSync
Required: No
Type: String
AWS::AppSync::Resolver PipelineConfig
Use the PipelineConfig property type to specify PipelineConfig for an AWS AppSync resolver.
PipelineConfig is a property of the AWS::AppSync::Resolver resource.
Syntax
JSON
{
"Functions" : [ String, ... ]
}
YAML
Functions:
- String
Properties
Functions
A list of Function objects.
Required: No
AWS::AppSync::Resolver SyncConfig
Describes a Sync configuration for a resolver.
Contains information on which Conflict Detection as well as Resolution strategy should be performed
when the resolver is invoked.
Syntax
JSON
{
"ConflictDetection" : String,
"ConflictHandler" : String,
"LambdaConflictHandlerConfig" : LambdaConflictHandlerConfig (p. 940)
}

941
Athena
YAML
ConflictDetection: String
ConflictHandler: String
LambdaConflictHandlerConfig:
LambdaConflictHandlerConfig (p. 940)
Properties
ConflictDetection
The Conflict Detection strategy to use.

• VERSION: Detect conflicts based on object versions for this resolver.
• NONE: Do not detect conflicts when executing this resolver.
Required: Yes
Type: String

ConflictHandler
The Conflict Resolution strategy to perform in the event of a conflict.

• OPTIMISTIC_CONCURRENCY: Resolve conflicts by rejecting mutations when versions do not
match the latest version at the server.
• AUTOMERGE: Resolve conflicts with the Automerge conflict resolution strategy.
• LAMBDA: Resolve conflicts with a Lambda function supplied in the LambdaConflictHandlerConfig.
Required: No
Type: String

LambdaConflictHandlerConfig
The LambdaConflictHandlerConfig when configuring LAMBDA as the Conflict Handler.
Required: No
Type: LambdaConflictHandlerConfig (p. 940)
Amazon Athena Resource Type Reference

Resource Types
• AWS::Athena::NamedQuery (p. 942)
AWS::Athena::NamedQuery
The AWS::Athena::NamedQuery resource specifies an Amazon Athena query, where QueryString is the
list of SQL query statements that comprise the query. For more information, see CreateNamedQuery in
the Amazon Athena API Reference.

942
Athena
Syntax
JSON
{
"Type" : "AWS::Athena::NamedQuery",
"Properties" : {
"Database" : String,
"Name" : String,
"QueryString" : String
}
}
YAML
Type: AWS::Athena::NamedQuery
Properties:
Database: String
Description: String
Name: String
QueryString:
String
Properties
Database
The database to which the query belongs.
Required: Yes
Type: String
Minimum: 1
Maximum: 255

Description
The query description.
Required: No
Type: String
Minimum: 1
Maximum: 1024

Name
The query name.
Required: No

943
Athena
Type: String
Minimum: 1
Maximum: 128

QueryString
The SQL query statements that comprise the query.
Required: Yes
Type: String
Minimum: 1
Maximum: 262144
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource
name.
Examples
The following example creates a named query.
JSON
{
"Resources": {
"AthenaNamedQuery": {
"Type": "AWS::Athena::NamedQuery",
"Properties": {
"Database": "swfnetadata",
"Description": "A query that selects all aggregated data",
"Name": "MostExpensiveWorkflow",
"QueryString": "SELECT workflowname, AVG(activitytaskstarted) AS AverageWorkflow
FROM swfmetadata WHERE year='17' AND GROUP BY workflowname ORDER BY AverageWorkflow DESC
LIMIT 10"
}
}
}
}
YAML
Resources:
AthenaNamedQuery:
Type: AWS::Athena::NamedQuery
Properties:
Database: "swfnetadata"

944
AWS Auto Scaling
Description: "A query that selects all aggregated data"

Name: "MostExpensiveWorkflow"
QueryString: >
SELECT workflowname, AVG(activitytaskstarted) AS AverageWorkflow
FROM swfmetadata
WHERE year='17' AND GROUP BY workflowname
ORDER BY AverageWorkflow DESC LIMIT 10
AWS Auto Scaling Resource Type Reference

Resource Types
• AWS::AutoScalingPlans::ScalingPlan (p. 945)
AWS::AutoScalingPlans::ScalingPlan
The AWS::AutoScalingPlans::ScalingPlan resource defines a scaling plan that AWS Auto Scaling
uses to scale the following application resources:
• Amazon EC2 Auto Scaling groups

• Amazon EC2 Spot Fleet requests
• Amazon ECS services
• Amazon DynamoDB tables and global secondary indexes
• Amazon Aurora Replicas
For more information, see the AWS Auto Scaling User Guide.
Syntax
JSON
{
"Type" : "AWS::AutoScalingPlans::ScalingPlan",
"Properties" : {
"ApplicationSource" : ApplicationSource (p. 948),
"ScalingInstructions" : [ ScalingInstruction (p. 956), ... ]
}
}
YAML
Type: AWS::AutoScalingPlans::ScalingPlan
Properties:
ApplicationSource:
ApplicationSource (p. 948)
ScalingInstructions:
- ScalingInstruction (p. 956)
Properties
ApplicationSource
A CloudFormation stack or a set of tags. You can create one scaling plan per application source.

945
AWS Auto Scaling
Required: Yes
Type: ApplicationSource (p. 948)

ScalingInstructions
The scaling instructions.
Required: Yes
Type: List of ScalingInstruction (p. 956)
Return Values
Ref
When you pass the logical ID of an AWS::AutoScalingPlans::ScalingPlan resource to the intrinsic

Ref function, the function returns the Amazon Resource Name (ARN) of the scaling plan. The format of
the ARN is as follows:
arn:aws:autoscaling:region:123456789012:scalingPlan:scalingPlanName/plan-
name:scalingPlanVersion/plan-version
Examples
Scaling Plan
The following example creates a scaling plan named myScalingPlan for an existing Auto Scaling group
whose name you specify (along with other values) when launching the stack using this template. It
specifies the TagFilters property as the application source and enables predictive scaling and dynamic
scaling.
JSON
{
"Parameters":{
"myTagKey":{
"Type":"String"
},
"myTagValue":{
"Type":"String"
},
"myASGroup":{
"Type":"String",
"Description":"Name of the Auto Scaling group"
},
"ASGMinCapacity":{
"Type":"Number"
},
"ASGMaxCapacity":{
"Type":"Number"
},
"ASGTargetUtilization":{
"Type":"Number",
"Default":"50.0"

946
AWS Auto Scaling
},
"ASGEstimatedInstanceWarmup":{
"Type":"Number",
"Default":"600"
}
},
"Resources":{
"myScalingPlan":{
"Type":"AWS::AutoScalingPlans::ScalingPlan",
"Properties":{
"ApplicationSource":{
"TagFilters":[
{
"Key":{
"Ref":"myTagKey"
},
"Values":[{
"Ref":"myTagValue"
}]
}
]
},
"ScalingInstructions":[
{
"MinCapacity":{
"Ref":"ASGMinCapacity"
},
"MaxCapacity":{
"Ref":"ASGMaxCapacity"
},
"ServiceNamespace":"autoscaling",
"ScalableDimension":"autoscaling:autoScalingGroup:DesiredCapacity",
"ResourceId":{
"Fn::Join":[
"/",
[
"autoScalingGroup",
{
"Ref":"myASGroup"
}
]
]
},
"TargetTrackingConfigurations":[
{
"PredefinedScalingMetricSpecification":{
"PredefinedScalingMetricType":"ASGAverageCPUUtilization"
},
"TargetValue":{
"Ref":"ASGTargetUtilization"
},
"EstimatedInstanceWarmup":{
"Ref":"ASGEstimatedInstanceWarmup"
}
}
],
"PredefinedLoadMetricSpecification":{
"PredefinedLoadMetricType":"ASGTotalCPUUtilization"
},
"PredictiveScalingMode":"ForecastAndScale",
"PredictiveScalingMaxCapacityBehavior":"SetMaxCapacityAboveForecastCapacity",
"PredictiveScalingMaxCapacityBuffer":25,
"ScheduledActionBufferTime":600
}
]
}

947
AWS Auto Scaling
}
}
}
YAML
Parameters:
myTagKey:
Type: String
myTagValue:
Type: String
myASGroup:
Type: String
Description: Name of the Auto Scaling group
ASGMinCapacity:
Type: Number
ASGMaxCapacity:
Type: Number
ASGTargetUtilization:
Type: Number
Default: 50.0
ASGEstimatedInstanceWarmup:
Type: Number
Default: 600
Resources:
myScalingPlan:
Type: AWS::AutoScalingPlans::ScalingPlan
Properties:
ApplicationSource:
TagFilters:
- Key: !Ref myTagKey
Values:
- !Ref myTagValue
ScalingInstructions:
- MinCapacity: !Ref ASGMinCapacity
MaxCapacity: !Ref ASGMaxCapacity
ServiceNamespace: autoscaling
ScalableDimension: autoscaling:autoScalingGroup:DesiredCapacity
ResourceId: !Join
- /
- - autoScalingGroup
- !Ref myASGroup
TargetTrackingConfigurations:
- PredefinedScalingMetricSpecification:
PredefinedScalingMetricType: "ASGAverageCPUUtilization"
TargetValue: !Ref ASGTargetUtilization
EstimatedInstanceWarmup: !Ref ASGEstimatedInstanceWarmup
PredefinedLoadMetricSpecification:
PredefinedLoadMetricType: "ASGTotalCPUUtilization"
PredictiveScalingMode: "ForecastAndScale"
PredictiveScalingMaxCapacityBehavior: "SetMaxCapacityAboveForecastCapacity"
PredictiveScalingMaxCapacityBuffer: 25
ScheduledActionBufferTime: 600
AWS::AutoScalingPlans::ScalingPlan ApplicationSource
ApplicationSource is a property of ScalingPlan that specifies the application source to use with AWS
Auto Scaling. You can create one scaling plan per application source.
Syntax

948
AWS Auto Scaling
JSON
{
"CloudFormationStackARN" : String,
"TagFilters" : [ TagFilter (p. 961), ... ]
}
YAML
CloudFormationStackARN: String
TagFilters:
- TagFilter (p. 961)
Properties
CloudFormationStackARN
The Amazon Resource Name (ARN) of a CloudFormation stack.
Required: No
Type: String

TagFilters
A set of tags (up to 50).
Required: No
Type: List of TagFilter (p. 961)
See Also
• AWS Auto Scaling User Guide
AWS::AutoScalingPlans::ScalingPlan CustomizedLoadMetricSpecification
CustomizedLoadMetricSpecification is a subproperty of ScalingInstruction that specifies a
customized load metric for predictive scaling to use with AWS Auto Scaling.
For predictive scaling to work with a customized load metric specification, AWS Auto Scaling needs
access to the Sum and Average statistics that CloudWatch computes from metric data.
When you choose a load metric, make sure that the required Sum and Average statistics for your metric
are available in CloudWatch and that they provide relevant data for predictive scaling. The Sum statistic
must represent the total load on the resource, and the Average statistic must represent the average
load per capacity unit of the resource. For example, there is a metric that counts the number of requests
processed by your Auto Scaling group. If the Sum statistic represents the total request count processed by
the group, then the Average statistic for the specified metric must represent the average request count
processed by each instance of the group.
If you publish your own metrics, you can aggregate the data points at a given interval and then publish
the aggregated data points to CloudWatch. Before AWS Auto Scaling generates the forecast, it sums up

949
AWS Auto Scaling
all the metric data points that occurred within each hour to match the granularity period that is used in
the forecast (60 minutes).
For information about terminology, available metrics, or how to publish new metrics, see Amazon
CloudWatch Concepts in the Amazon CloudWatch User Guide.
After creating your scaling plan, you can use the AWS Auto Scaling console to visualize forecasts for the
specified metric. For more information, see View Scaling Information for a Resource in the AWS Auto
Scaling User Guide.
Syntax
JSON
{
"Unit" : String
}
YAML
Dimensions:
MetricName: String
Namespace: String
Statistic: String
Unit: String
Properties
Dimensions
your customized load metric specification.
Required: No

MetricName
Required: Yes
Type: String

Namespace

950
AWS Auto Scaling
Required: Yes
Type: String

Statistic
Allowed Values: Sum
Required: Yes
Type: String

Unit
Required: No
Type: String
See Also
AWS::AutoScalingPlans::ScalingPlan CustomizedScalingMetricSpecification
CustomizedScalingMetricSpecification is a subproperty of TargetTrackingConfiguration that
specifies a customized scaling metric for a target tracking configuration to use with AWS Auto Scaling.
To create your customized scaling metric specification:
• Add values for each required property from CloudWatch. You can use an existing metric, or a new
metric that you create. To use your own metric, you must first publish the metric to CloudWatch. For
more information, see Publish Custom Metrics in the Amazon CloudWatch User Guide.
• Choose a metric that changes proportionally with capacity. The value of the metric should increase or
decrease in inverse proportion to the number of capacity units. That is, the value of the metric should
decrease when capacity increases.
For information about terminology, available metrics, or how to publish new metrics, see Amazon
CloudWatch Concepts in the Amazon CloudWatch User Guide.
Syntax
JSON
{

951
AWS Auto Scaling
"Unit" : String
}
YAML
Dimensions:
MetricName: String
Namespace: String
Statistic: String
Unit: String
Properties
Dimensions
your customized scaling metric specification.
Required: No

MetricName
Required: Yes
Type: String

Namespace
Required: Yes
Type: String

Statistic
Required: Yes
Type: String

Unit

952
AWS Auto Scaling
Required: No
Type: String
See Also
AWS::AutoScalingPlans::ScalingPlan MetricDimension
MetricDimension is a subproperty of CustomizedScalingMetricSpecification that specifies a dimension
for a customized metric to use with AWS Auto Scaling. Dimensions are arbitrary name/value pairs that
can be associated with a CloudWatch metric. Duplicate dimensions are not allowed.
Syntax
JSON
{
"Name" : String,
"Value" : String
}
YAML
Name: String
Value: String
Properties
Name
Required: Yes
Type: String

Value
Required: Yes
Type: String
AWS::AutoScalingPlans::ScalingPlan PredefinedLoadMetricSpecification
PredefinedLoadMetricSpecification is a subproperty of ScalingInstruction that specifies a
predefined load metric for predictive scaling to use with AWS Auto Scaling.

953
AWS Auto Scaling
After creating your scaling plan, you can use the AWS Auto Scaling console to visualize forecasts for the
specified metric. For more information, see View Scaling Information for a Resource in the AWS Auto
Scaling User Guide.
Syntax
JSON
{
"PredefinedLoadMetricType" : String,
}
YAML
PredefinedLoadMetricType: String
Properties
PredefinedLoadMetricType
The metric type.
Required: Yes
Type: String
Allowed Values: ALBTargetGroupRequestCount | ASGTotalCPUUtilization |

ASGTotalNetworkIn | ASGTotalNetworkOut

ResourceLabel
metric type is ALBTargetGroupRequestCount and there is a target group for an Application Load
Balancer attached to the Auto Scaling group.

• app/<load-balancer-name>/<load-balancer-id> is the final portion of the load balancer ARN.
Type: String
Minimum: 1
Maximum: 1023
See Also

954
AWS Auto Scaling
AWS::AutoScalingPlans::ScalingPlan PredefinedScalingMetricSpecification
PredefinedScalingMetricSpecification is a subproperty of TargetTrackingConfiguration that
specifies a customized scaling metric for a target tracking configuration to use with AWS Auto Scaling.
Syntax
JSON
{
"PredefinedScalingMetricType" : String,
}
YAML
PredefinedScalingMetricType: String
Properties
PredefinedScalingMetricType
The metric type. The ALBRequestCountPerTarget metric type applies only to Auto Scaling
groups, Spot Fleet requests, and ECS services.
Required: Yes
Type: String
Allowed Values: ALBRequestCountPerTarget | ASGAverageCPUUtilization

| ASGAverageNetworkIn | ASGAverageNetworkOut |
DynamoDBReadCapacityUtilization | DynamoDBWriteCapacityUtilization
| EC2SpotFleetRequestAverageCPUUtilization |
EC2SpotFleetRequestAverageNetworkIn | EC2SpotFleetRequestAverageNetworkOut
| ECSServiceAverageCPUUtilization | ECSServiceAverageMemoryUtilization |
RDSReaderAverageCPUUtilization | RDSReaderAverageDatabaseConnections

ResourceLabel
metric type is ALBRequestCountPerTarget and there is a target group for an Application Load
Balancer attached to the Auto Scaling group, Spot Fleet request, or ECS service.

• app/<load-balancer-name>/<load-balancer-id> is the final portion of the load balancer ARN.
Type: String
Minimum: 1
Maximum: 1023

955
AWS Auto Scaling
See Also
AWS::AutoScalingPlans::ScalingPlan ScalingInstruction
ScalingInstruction is a property of ScalingPlan that specifies the scaling instruction for a scalable
resource in a scaling plan. Each scaling instruction applies to one resource.
AWS Auto Scaling creates target tracking scaling policies based on the scaling instructions. Target
tracking scaling policies adjust the capacity of your scalable resource as required to maintain resource
utilization at the target value that you specified.
AWS Auto Scaling also configures predictive scaling for your Amazon EC2 Auto Scaling groups using a
subset of properties, including the load metric, the scaling metric, the target value for the scaling metric,
the predictive scaling mode (forecast and scale or forecast only), and the desired behavior when the
forecast capacity exceeds the maximum capacity of the resource. With predictive scaling, AWS Auto
Scaling generates forecasts with traffic predictions for the two days ahead and schedules scaling actions
that proactively add and remove resource capacity to match the forecast.
Important
We recommend waiting a minimum of 24 hours after creating an Auto Scaling group to
configure predictive scaling. At minimum, there must be 24 hours of historical data to generate
a forecast. For more information, see Best Practices for AWS Auto Scaling in the AWS Auto
Scaling User Guide.
Syntax
JSON
{
"CustomizedLoadMetricSpecification" : CustomizedLoadMetricSpecification (p. 949),
"DisableDynamicScaling" : Boolean,
"MinCapacity" : Integer,
"PredefinedLoadMetricSpecification" : PredefinedLoadMetricSpecification (p. 953),
"PredictiveScalingMaxCapacityBehavior" : String,
"PredictiveScalingMaxCapacityBuffer" : Integer,
"PredictiveScalingMode" : String,
"ScalingPolicyUpdateBehavior" : String,
"ScheduledActionBufferTime" : Integer,
"TargetTrackingConfigurations" : [ TargetTrackingConfiguration (p. 961), ... ]
}
YAML
CustomizedLoadMetricSpecification:
CustomizedLoadMetricSpecification (p. 949)
DisableDynamicScaling: Boolean
PredefinedLoadMetricSpecification:

956
AWS Auto Scaling
PredefinedLoadMetricSpecification (p. 953)

PredictiveScalingMaxCapacityBehavior: String
PredictiveScalingMaxCapacityBuffer: Integer
PredictiveScalingMode: String
ResourceId: String
ScalingPolicyUpdateBehavior: String
ScheduledActionBufferTime: Integer
TargetTrackingConfigurations:
- TargetTrackingConfiguration (p. 961)
Properties
CustomizedLoadMetricSpecification
The customized load metric to use for predictive scaling. This property or a
PredefinedLoadMetricSpecification is required when configuring predictive scaling, and cannot be
used otherwise.
Type: CustomizedLoadMetricSpecification (p. 949)

DisableDynamicScaling
Controls whether dynamic scaling by AWS Auto Scaling is disabled. When dynamic scaling is
enabled, AWS Auto Scaling creates target tracking scaling policies based on the specified target
tracking configurations.
The default is enabled (false).
Required: No
Type: Boolean

MaxCapacity
The maximum capacity of the resource. The exception to this upper limit is if you specify a non-
default setting for PredictiveScalingMaxCapacityBehavior.
Required: Yes
Type: Integer

MinCapacity
The minimum capacity of the resource.
Required: Yes
Type: Integer

PredefinedLoadMetricSpecification
The predefined load metric to use for predictive scaling. This property or a
CustomizedLoadMetricSpecification is required when configuring predictive scaling, and cannot be
used otherwise.

957
AWS Auto Scaling
Type: PredefinedLoadMetricSpecification (p. 953)

PredictiveScalingMaxCapacityBehavior
Defines the behavior that should be applied if the forecast capacity approaches
or exceeds the maximum capacity specified for the resource. The default value is
SetForecastCapacityToMaxCapacity.
The following are possible values:

• SetForecastCapacityToMaxCapacity - AWS Auto Scaling cannot scale resource capacity
higher than the maximum capacity. The maximum capacity is enforced as a hard limit.
• SetMaxCapacityToForecastCapacity - AWS Auto Scaling can scale resource capacity higher
than the maximum capacity to equal but not exceed forecast capacity.
• SetMaxCapacityAboveForecastCapacity - AWS Auto Scaling can scale resource capacity
higher than the maximum capacity by a specified buffer value. The intention is to give the target
tracking scaling policy extra capacity if unexpected traffic occurs.
Valid only when configuring predictive scaling.
Required: No
Type: String
Allowed Values: SetForecastCapacityToMaxCapacity |

SetMaxCapacityAboveForecastCapacity | SetMaxCapacityToForecastCapacity

PredictiveScalingMaxCapacityBuffer
The size of the capacity buffer to use when the forecast capacity is close to or exceeds the maximum
capacity. The value is specified as a percentage relative to the forecast capacity. For example, if the
buffer is 10, this means a 10 percent buffer. With a 10 percent buffer, if the forecast capacity is 50,
and the maximum capacity is 40, then the effective maximum capacity is 55.
Valid only when configuring predictive scaling. Required if PredictiveScalingMaxCapacityBehavior

is set to SetMaxCapacityAboveForecastCapacity, and cannot be used otherwise.
The range is 1-100.
Type: Integer

PredictiveScalingMode
The predictive scaling mode. The default value is ForecastAndScale. Otherwise, AWS Auto Scaling
forecasts capacity but does not apply any scheduled scaling actions based on the capacity forecast.
Required: No
Type: String
Allowed Values: ForecastAndScale | ForecastOnly

958
AWS Auto Scaling
ResourceId
The ID of the resource. This string consists of the resource type and unique identifier.
• Auto Scaling group - The resource type is autoScalingGroup and the unique identifier is the
name of the Auto Scaling group. Example: autoScalingGroup/my-asg.
• ECS service - The resource type is service and the unique identifier is the cluster name and
service name. Example: service/default/sample-webapp.
• Spot Fleet request - The resource type is spot-fleet-request and the unique
identifier is the Spot Fleet request ID. Example: spot-fleet-request/sfr-73fbd2ce-
aa30-494c-8788-1cee4EXAMPLE.
• DynamoDB table - The resource type is table and the unique identifier is the resource ID.
Example: table/my-table.
• DynamoDB global secondary index - The resource type is index and the unique identifier is the
resource ID. Example: table/my-table/index/my-table-index.
• Aurora DB cluster - The resource type is cluster and the unique identifier is the cluster name.
Example: cluster:my-db-cluster.
Required: Yes
Type: String
Minimum: 1
Maximum: 1600

ScalableDimension
The scalable dimension associated with the resource.

• autoscaling:autoScalingGroup:DesiredCapacity - The desired capacity of an Auto
Scaling group.
• ecs:service:DesiredCount - The desired task count of an ECS service.
• ec2:spot-fleet-request:TargetCapacity - The target capacity of a Spot Fleet request.
• dynamodb:table:ReadCapacityUnits - The provisioned read capacity for a DynamoDB table.
• dynamodb:table:WriteCapacityUnits - The provisioned write capacity for a DynamoDB
table.
• dynamodb:index:ReadCapacityUnits - The provisioned read capacity for a DynamoDB global
secondary index.
• dynamodb:index:WriteCapacityUnits - The provisioned write capacity for a DynamoDB
global secondary index.
• rds:cluster:ReadReplicaCount - The count of Aurora Replicas in an Aurora DB cluster.
Available for Aurora MySQL-compatible edition and Aurora PostgreSQL-compatible edition.
Required: Yes
Type: String
Allowed Values: autoscaling:autoScalingGroup:DesiredCapacity |

dynamodb:index:ReadCapacityUnits | dynamodb:index:WriteCapacityUnits
| dynamodb:table:ReadCapacityUnits | dynamodb:table:WriteCapacityUnits
| ec2:spot-fleet-request:TargetCapacity | ecs:service:DesiredCount |
rds:cluster:ReadReplicaCount

959
AWS Auto Scaling
ScalingPolicyUpdateBehavior
Controls whether your scaling policies that are external to AWS Auto Scaling are deleted and new
target tracking scaling policies created. The default value is KeepExternalPolicies.
Valid only when configuring dynamic scaling.
Required: No
Type: String
Allowed Values: KeepExternalPolicies | ReplaceExternalPolicies

ScheduledActionBufferTime
The amount of time, in seconds, to buffer the run time of scheduled scaling actions when scaling
out. For example, if the forecast says to add capacity at 10:00 AM, and the buffer time is 5 minutes,
then the run time of the corresponding scheduled scaling action will be 9:55 AM. The intention is
to give resources time to be provisioned. For example, it can take a few minutes to launch an EC2
instance. The actual amount of time required depends on several factors, such as the size of the
instance and whether there are startup scripts to complete.
The value must be less than the forecast interval duration of 3600 seconds (60 minutes). The default
is 300 seconds.
Valid only when configuring predictive scaling.
Required: No
Type: Integer
Minimum: 0

ServiceNamespace
The namespace of the AWS service.
Required: Yes
Type: String
Allowed Values: autoscaling | dynamodb | ec2 | ecs | rds

TargetTrackingConfigurations
The target tracking configurations (up to 10). Each of these structures must specify a unique scaling
metric and a target value for the metric.
Required: Yes
Type: List of TargetTrackingConfiguration (p. 961)
See Also

960
AWS Auto Scaling
AWS::AutoScalingPlans::ScalingPlan TagFilter
TagFilter is a subproperty of ApplicationSource that specifies a tag for an application source to use
with AWS Auto Scaling.
Syntax
JSON
{
"Key" : String,
"Values" : [ String, ... ]
}
YAML
Key: String
Values:
- String
Properties
Key
The tag key.
Required: Yes
Type: String
Minimum: 1
Maximum: 128

Values
The tag values (0 to 20).
Required: No
See Also
AWS::AutoScalingPlans::ScalingPlan TargetTrackingConfiguration
TargetTrackingConfiguration is a subproperty of ScalingInstruction that specifies a target tracking
configuration to use with AWS Auto Scaling.

961
AWS Auto Scaling
Syntax
JSON
{
"CustomizedScalingMetricSpecification" : CustomizedScalingMetricSpecification (p. 951),
"EstimatedInstanceWarmup" : Integer,
"PredefinedScalingMetricSpecification" : PredefinedScalingMetricSpecification (p. 955),
"ScaleInCooldown" : Integer,
"ScaleOutCooldown" : Integer,
}
YAML
CustomizedScalingMetricSpecification:
CustomizedScalingMetricSpecification (p. 951)
EstimatedInstanceWarmup: Integer
PredefinedScalingMetricSpecification:
PredefinedScalingMetricSpecification (p. 955)
ScaleInCooldown: Integer
ScaleOutCooldown: Integer
TargetValue: Double
Properties
CustomizedScalingMetricSpecification
A customized metric. You can specify either a predefined metric or a customized metric.
Required: No
Type: CustomizedScalingMetricSpecification (p. 951)

DisableScaleIn
Indicates whether scale in by the target tracking scaling policy is disabled. If the value is true,
scale in is disabled and the target tracking scaling policy doesn't remove capacity from the scalable
resource. Otherwise, scale in is enabled and the target tracking scaling policy can remove capacity
from the scalable resource.
Required: No
Type: Boolean

EstimatedInstanceWarmup
The estimated time, in seconds, until a newly launched instance can contribute to the CloudWatch
metrics. This value is used only if the resource is an Auto Scaling group.
Required: No

962
Amazon EC2 Auto Scaling
Type: Integer

PredefinedScalingMetricSpecification
A predefined metric. You can specify either a predefined metric or a customized metric.
Required: No
Type: PredefinedScalingMetricSpecification (p. 955)

ScaleInCooldown
The amount of time, in seconds, after a scale-in activity completes before another scale in activity
can start. This value is not used if the scalable resource is an Auto Scaling group.
Required: No
Type: Integer

ScaleOutCooldown
The amount of time, in seconds, after a scale-out activity completes before another scale-out
activity can start. This value is not used if the scalable resource is an Auto Scaling group.
Required: No
Type: Integer

TargetValue
The target value for the metric. The range is 8.515920e-109 to 1.174271e+108 (Base 10) or 2e-360
to 2e360 (Base 2).
Required: Yes
Type: Double
See Also
Amazon EC2 Auto Scaling Resource Type Reference

Resource Types
• AWS::AutoScaling::AutoScalingGroup (p. 964)

• AWS::AutoScaling::LaunchConfiguration (p. 988)
• AWS::AutoScaling::LifecycleHook (p. 1004)
• AWS::AutoScaling::ScalingPolicy (p. 1009)

963
• AWS::AutoScaling::ScheduledAction (p. 1022)
AWS::AutoScaling::AutoScalingGroup
Defines an Amazon EC2 Auto Scaling group with the specified name and attributes.
To configure Amazon EC2 instances launched as part of the group, you can specify a launch template or
a launch configuration. We recommend that you use a launch template to make sure that you can use
the latest features of Amazon EC2, such as T2 Unlimited instances. For more information, see Creating a
Launch Template for an Auto Scaling Group.
Important
You can add an UpdatePolicy attribute to your Auto Scaling group to perform rolling updates
(or replace the group) when a change has been made to the group. You can find sample update
policies for rolling updates in the Examples section.
For more information, see CreateAutoScalingGroup and UpdateAutoScalingGroup in the Amazon EC2
Auto Scaling API Reference. For more information about Amazon EC2 Auto Scaling, see the Amazon EC2
Syntax
JSON
{
"Properties" : {
"AutoScalingGroupName" : String,
"AvailabilityZones" : [ String, ... ],
"Cooldown" : String,
"DesiredCapacity" : String,
"HealthCheckGracePeriod" : Integer,
"HealthCheckType" : String,
"InstanceId" : String,
"LaunchConfigurationName" : String,
"LaunchTemplate" : LaunchTemplateSpecification (p. 980),
"LifecycleHookSpecificationList" : [ LifecycleHookSpecification (p. 982), ... ],
"LoadBalancerNames" : [ String, ... ],
"MaxSize" : String,
"MetricsCollection" : [ MetricsCollection (p. 984), ... ],
"MinSize" : String,
"MixedInstancesPolicy" : MixedInstancesPolicy (p. 985),
"NotificationConfigurations" : [ NotificationConfiguration (p. 986), ... ],
"PlacementGroup" : String,
"ServiceLinkedRoleARN" : String,
"Tags" : [ TagProperty (p. 987), ... ],
"TargetGroupARNs" : [ String, ... ],
"TerminationPolicies" : [ String, ... ],
"VPCZoneIdentifier" : [ String, ... ]
}
}
YAML
Properties:
AutoScalingGroupName: String
AvailabilityZones:

964
- String
Cooldown: String
DesiredCapacity: String
HealthCheckGracePeriod: Integer
HealthCheckType: String
InstanceId: String
LaunchConfigurationName: String
LaunchTemplate:
LaunchTemplateSpecification (p. 980)
LifecycleHookSpecificationList:
- LifecycleHookSpecification (p. 982)
LoadBalancerNames:
- String
MaxSize: String
MetricsCollection:
- MetricsCollection (p. 984)
MinSize: String
MixedInstancesPolicy:
MixedInstancesPolicy (p. 985)
NotificationConfigurations:
- NotificationConfiguration (p. 986)
PlacementGroup: String
ServiceLinkedRoleARN: String
Tags:
- TagProperty (p. 987)
TargetGroupARNs:
- String
TerminationPolicies:
- String
VPCZoneIdentifier:
- String
Properties
AutoScalingGroupName
The name of the Auto Scaling group. This name must be unique per Region per account.
Required: No
Type: String
Minimum: 1
Maximum: 255

AvailabilityZones
A list of Availability Zones for the group. You must specify one of the following properties:
VPCZoneIdentifier or AvailabilityZones.
If your account supports EC2-Classic and VPC, this property is required to create an Auto Scaling
group that launches instances into EC2-Classic.

965
Cooldown
The amount of time, in seconds, after a scaling activity completes before another scaling activity can
start. The default value is 300.
Used only when a scaling-specific cooldown is not specified and not supported for target tracking
scaling policies, step scaling policies, or scheduled scaling. For more information, see Scaling
Cooldowns in the Amazon EC2 Auto Scaling User Guide.
Required: No
Type: String

DesiredCapacity
The number of Amazon EC2 instances that the Auto Scaling group attempts to maintain. The
number must be greater than or equal to the minimum size of the group and less than or equal to
the maximum size of the group. If you do not specify a desired capacity, the default is the minimum
size of the group.
CloudFormation marks the Auto Scaling group as successful (by setting its status to
CREATE_COMPLETE) when the desired capacity is reached. However, if SpotPrice is set in
the launch configuration, then desired capacity is not used as a criteria for success, because
whether your request is fulfilled depends on Spot Instance capacity and your maximum price. If
the current Spot price is less than your specified maximum price, Amazon EC2 Auto Scaling uses
DesiredCapacity as the target capacity for the group.
Required: No
Type: String

HealthCheckGracePeriod
The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health
status of an EC2 instance that has come into service. The default value is 0.
For more information, see Health Checks for Auto Scaling Instances in the Amazon EC2 Auto Scaling
User Guide.
If you are adding an ELB health check, you must specify this property.
Type: Integer

HealthCheckType
The service to use for the health checks. The valid values are EC2 (default) and ELB. If you configure
an Auto Scaling group to use ELB health checks, it considers the instance unhealthy if it fails either
the EC2 status checks or the load balancer health checks.
For more information, see Health Checks for Auto Scaling Instances in the Amazon EC2 Auto Scaling
User Guide.
Required: No
Type: String

966
Minimum: 1
Maximum: 32

InstanceId
The ID of the instance used to create a launch configuration for the group.
When you specify an ID of an instance, Amazon EC2 Auto Scaling creates a new launch
configuration and associates it with the Auto Scaling group. The new launch configuration
derives all its properties from the instance, with the exception of BlockDeviceMapping and
AssociatePublicIpAddress.
For more information, see Create an Auto Scaling Group Using an EC2 Instance in the Amazon EC2
You must specify one of the following properties: LaunchConfigurationName, LaunchTemplate,

InstanceId, or MixedInstancesPolicy.
Type: String

LaunchConfigurationName
The name of the LaunchConfiguration to use to launch instances.

Note
When you update LaunchConfigurationName, existing Amazon EC2 instances continue
to run with the configuration that they were originally launched with. To update existing
instances, specify an UpdatePolicy attribute for the Auto Scaling group.
Type: String
Minimum: 1
Maximum: 255

LaunchTemplate
The LaunchTemplate to use to launch instances.

Note
When you update LaunchTemplate, existing Amazon EC2 instances continue to run with
the configuration that they were originally launched with. To update existing instances,
specify an UpdatePolicy attribute for the Auto Scaling group.

967
Type: LaunchTemplateSpecification (p. 980)

LifecycleHookSpecificationList
The lifecycle hooks for the group, which specify actions to perform when Amazon EC2 Auto Scaling
launches or terminates instances.
Required: No
Type: List of LifecycleHookSpecification (p. 982)

LoadBalancerNames
A list of Classic Load Balancers associated with this Auto Scaling group. For Application Load
Balancers and Network Load Balancers, specify a list of target groups using the TargetGroupARNs
property instead.
For more information, see Using a Load Balancer with an Auto Scaling Group in the Amazon EC2
Required: No

MaxSize
The maximum number of Amazon EC2 instances in the Auto Scaling group.
Required: Yes
Type: String

MetricsCollection
Enables the monitoring of group metrics of an Auto Scaling group. By default, these metrics are
disabled.
Required: No
Type: List (p. 984) of MetricsCollection (p. 984)

MinSize
The minimum number of Amazon EC2 instances in the Auto Scaling group.
Required: Yes
Type: String

MixedInstancesPolicy
An embedded object that specifies a mixed instances policy.

968
The policy includes properties that not only define the distribution of On-Demand Instances and
Spot Instances, the maximum price to pay for Spot Instances, and how the Auto Scaling group
allocates instance types to fulfill On-Demand and Spot capacity, but also the properties that specify
the instance configuration information—the launch template and instance types.
For more information, see Auto Scaling Groups with Multiple Instance Types and Purchase Options in
the Amazon EC2 Auto Scaling User Guide.

Type: MixedInstancesPolicy (p. 985)

NotificationConfigurations
Configures an Auto Scaling group to send notifications when specified events take place.
Required: No
Type: List of NotificationConfiguration (p. 986)

PlacementGroup
The name of an existing cluster placement group into which you want to launch your instances.
A placement group is a logical grouping of instances within a single Availability Zone. You cannot
specify multiple Availability Zones and a placement group.
Required: No
Type: String
Minimum: 1
Maximum: 255

ServiceLinkedRoleARN
The Amazon Resource Name (ARN) of the service-linked role that the Auto Scaling group uses to call
other AWS services on your behalf. By default, Amazon EC2 Auto Scaling uses a service-linked role
named AWSServiceRoleForAutoScaling, which it creates if it does not exist.
Required: No
Type: String
Minimum: 1
Maximum: 1600

969
Tags
The tags for the group.
Required: No
Type: List of TagProperty (p. 987)

TargetGroupARNs
A list of Amazon Resource Names (ARN) of target groups to associate with the Auto Scaling group.
Instances are registered as targets in a target group, and traffic is routed to the target group.
For more information, see Using a Load Balancer with an Auto Scaling Group in the Amazon EC2
Required: No

TerminationPolicies
A policy or a list of policies that are used to select the instances to terminate. The
policies are executed in the order that you list them. The termination policies supported
by Amazon EC2 Auto Scaling: OldestInstance, OldestLaunchConfiguration,
NewestInstance, ClosestToNextInstanceHour, Default, OldestLaunchTemplate, and
AllocationStrategy.
For more information, see Controlling Which Auto Scaling Instances Terminate During Scale In in the
Amazon EC2 Auto Scaling User Guide.
Required: No

VPCZoneIdentifier
A list of subnet IDs for a virtual private cloud (VPC). If you specify VPCZoneIdentifier with
AvailabilityZones, the subnets that you specify for this property must reside in those
Availability Zones.
If your account supports EC2-Classic and VPC, this property is required to create an Auto Scaling
group that launches instances into a VPC.
If this resource has a public IP address and is also in a VPC that is defined in the same stack
template, you must use the DependsOn attribute to declare a dependency on the VPC-gateway
attachment.
Note
When you update VPCZoneIdentifier, this retains the same Auto Scaling group and
replaces old instances with new ones, according to the specified subnets. You can specify
how AWS CloudFormation handles these updates by using an UpdatePolicy attribute.

970
Minimum: 1
Maximum: 2047
Update requires: Some interruptions
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource
name. For example: mystack-myasgroup-NT5EUXTNTXXD.
Examples
The following examples create or make changes to an Auto Scaling group. To view more examples, see
Auto Scaling Template Snippets.
Auto Scaling Group with Load Balancer and Multiple Properties
The following example attaches an Elastic Load Balancing load balancer to an Auto Scaling group
named myASG. It enables two group metrics using the MetricsCollection property and creates
tags using the Tags property. The first tag, Environment=Production, is assigned to the Auto
Scaling group and to any EC2 instances launched as part of the Auto Scaling group. The second tag,
Purpose=WebServerGroup, is assigned only to the Auto Scaling group itself.
It also specifies the launch configuration that the Auto Scaling group uses to launch EC2 instances. The
AvailabilityZones property specifies the Availability Zones where the Auto Scaling group's instances
will be created. The Fn::GetAZs function call { "Fn::GetAZs" : "" } specifies all Availability Zones for the
region in which the stack is created. Amazon EC2 Auto Scaling can scale the number of instances in the
group at a minimum of 1 instance and a maximum of 4 based on the values for MinSize and MaxSize.
JSON
{
"myASG":{
"Properties":{
"AvailabilityZones":{
"Fn::GetAZs":""
},
"Ref":"myLaunchConfig"
},
"MinSize":"1",
"MaxSize":"4",
"LoadBalancerNames":[
{
"Ref":"myLoadBalancer"
}
],
"MetricsCollection":[
{
"Granularity":"1Minute",
"Metrics":[
"GroupMinSize",
"GroupMaxSize"

971
]
}
],
"Tags":[
{
"Key":"Environment",
"Value":"Production",
"PropagateAtLaunch":"true"
},
{
"Key":"Purpose",
"Value":"WebServerGroup",
"PropagateAtLaunch":"false"
}
]
}
}
}
YAML
myASG:
Properties:
AvailabilityZones:
Fn::GetAZs: ""
Ref: "myLaunchConfig"
MinSize: "1"
MaxSize: "4"
LoadBalancerNames:
- Ref: "myLoadBalancer"
MetricsCollection:
-
Granularity: "1Minute"
Metrics:
- "GroupMinSize"
- "GroupMaxSize"
Tags:
- Key: Environment
Value: Production
PropagateAtLaunch: "true"
- Key: Purpose
Value: WebServerGroup
PropagateAtLaunch: "false"
Rolling Updates with Batch Update Policy
The following example specifies an UpdatePolicy attribute for an Auto Scaling group and configures it to
use the AutoScalingRollingUpdate policy with attributes that define the update policy settings.
The sample update policy instructs CloudFormation to perform a rolling update. The rolling update
makes changes to the Auto Scaling group in small batches (for this example, instance by instance) based
on the MaxBatchSize and a pause time between batches of updates based on the PauseTime. The
MinInstancesInService specifies the minimum number of instances that must be in service within
the Auto Scaling group while CloudFormation updates old instances.
While the stack update is in progress, the following Auto Scaling processes are suspended:
HealthCheck, ReplaceUnhealthy, AZRebalance, AlarmNotification, and ScheduledActions.
Note: Do not suspend the Launch, Terminate, or AddToLoadBalancer (if the Auto Scaling group is
being used with Elastic Load Balancing) process types because it can prevent the rolling update from
functioning properly.

972
JSON
{
"myASG":{
"UpdatePolicy":{
"AutoScalingRollingUpdate":{
"MinInstancesInService":"1",
"MaxBatchSize":"1",
"PauseTime":"PT12M5S",
"SuspendProcesses":[
"HealthCheck",
"ReplaceUnhealthy",
"AZRebalance",
"AlarmNotification",
"ScheduledActions"
]
}
},
"Properties":{
"Fn::GetAZs":{
"Ref":"AWS::Region"
}
},
},
"MaxSize":"3",
"MinSize":"1"
}
}
}
YAML
myASG:
UpdatePolicy:
MinInstancesInService: "1"
MaxBatchSize: "1"
PauseTime: "PT12M5S"
SuspendProcesses:
- HealthCheck
- ReplaceUnhealthy
- AZRebalance
- AlarmNotification
- ScheduledActions
Properties:
AvailabilityZones:
Fn::GetAZs:
Ref: "AWS::Region"
MaxSize: "3"
MinSize: "1"
Batch Update Policy with Wait Condition

The following example demonstrates a batch update policy that instructs CloudFormation to wait for
new instances to signal the Auto Scaling group before the group proceeds to update the next batch
of instances. In the UpdatePolicy attribute, the WaitOnResourceSignals attribute is set to true.

973
CloudFormation must receive a signal from each new instance within the specified PauseTime before
continuing the update. To signal the Auto Scaling group, a cfn-signal helper script (not shown) is run on
each instance.
JSON
{
"myASG":{
"UpdatePolicy":{
"AutoScalingRollingUpdate":{
"MinInstancesInService":"1",
"MaxBatchSize":"1",
"PauseTime":"PT15M",
"WaitOnResourceSignals":"true",
"SuspendProcesses":[
"HealthCheck",
"ReplaceUnhealthy",
"AZRebalance",
"AlarmNotification",
"ScheduledActions"
]
}
},
"Properties":{
"Fn::GetAZs":{
"Ref":"AWS::Region"
}
},
},
"MaxSize":"3",
"MinSize":"1"
}
}
}
YAML
myASG:
UpdatePolicy:
MinInstancesInService: "1"
MaxBatchSize: "1"
PauseTime: "PT15M"
WaitOnResourceSignals: "true"
SuspendProcesses:
- HealthCheck
- ReplaceUnhealthy
- AZRebalance
- AlarmNotification
- ScheduledActions
Properties:
AvailabilityZones:
Fn::GetAZs:
Ref: "AWS::Region"
MaxSize: "3"
MinSize: "1"

974
Auto Scaling Group and Launch Template
The following example creates an Auto Scaling group and a launch template that the Auto Scaling group
uses to launch EC2 instances. It uses the Fn::Sub intrinsic function to customize the name of the launch
template to include the stack name.
The launch template provisions T2 instances in unlimited mode using the CPUCredits property. By
referencing a parameter value for ImageId, the AMI is specified when launching the stack. A block
device mapping specifies an EBS volume to attach to each instance, in addition to attaching the volumes
specified by the AMI. Because Monitoring is enabled, EC2 metric data will be available at 1-minute
intervals (known as detailed monitoring) through CloudWatch.
The example stack creates an Auto Scaling group with a minimum size of 1 and a maximum size of 6.
The initial size of the group is 2 based on the value for DesiredCapacity. The VPCZoneIdentifier
property specifies the subnets where the instances will be created. Each instance has 300 seconds to
warm up before receiving its first health check.
JSON
{
"Parameters":{
"myImageId":{
"Type":"AWS::EC2::Image::Id"
}
},
"Resources":{
"LaunchTemplate":{
"Type":"AWS::EC2::LaunchTemplate",
"Properties":{
"LaunchTemplateName":{"Fn::Sub":"${AWS::StackName}-launch-template"},
"LaunchTemplateData":{
"BlockDeviceMappings":[{
"Ebs":{"VolumeSize":8},
"DeviceName":"/dev/sdf"}],
"CreditSpecification":{
"CpuCredits":"unlimited"
},
"ImageId":{"Ref":"myImageId"},
"KeyName":"my-key-pair-useast2",
"InstanceType":"t2.micro",
"Monitoring":{"Enabled":true},
"SecurityGroupIds":["sg-7c227019", "sg-903004f8"]
}
}
},
"myASG":{
"Properties":{
"AutoScalingGroupName":"myASG",
"MinSize":1,
"MaxSize":6,
"DesiredCapacity":2,
"HealthCheckGracePeriod":300,
"LaunchTemplate":{
"LaunchTemplateId":{
"Ref":"LaunchTemplate"
},
"Version":{
"Fn::GetAtt":[
"LaunchTemplate",
"LatestVersionNumber"
]

975
}
},
"VPCZoneIdentifier":["subnet-5ea0c127", "subnet-6194ea3b", "subnet-c934b782"]
}
}
}
}
YAML
Parameters:
myImageId:
Type: AWS::EC2::Image::Id
Resources:
LaunchTemplate:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
LaunchTemplateData:
- Ebs:
VolumeSize: 8
DeviceName: /dev/sdf
CreditSpecification:
CpuCredits: Unlimited
ImageId: !Ref myImageId
KeyName: my-key-pair-useast2
Monitoring:
Enabled: true
SecurityGroupIds:
- sg-7c227019
- sg-903004f8
myASG:
Properties:
AutoScalingGroupName: myASG
MinSize: "1"
MaxSize: "6"
DesiredCapacity: "2"
HealthCheckGracePeriod: 300
LaunchTemplate:
LaunchTemplateId: !Ref LaunchTemplate
Version: !GetAtt LaunchTemplate.LatestVersionNumber
VPCZoneIdentifier:
- subnet-5ea0c127
- subnet-6194ea3b
- subnet-c934b782
See Also
• UpdatePolicy Attribute
• AWS CloudFormation Stacks Updates
• Suspending and Resuming Scaling Processes in the Amazon EC2 Auto Scaling User Guide
AWS::AutoScaling::AutoScalingGroup InstancesDistribution
InstancesDistribution is a subproperty of MixedInstancesPolicy that describes an instances
distribution for an Auto Scaling group. The instances distribution specifies the distribution of On-

976
Demand Instances and Spot Instances, the maximum price to pay for Spot Instances, and how the Auto
Scaling group allocates instance types to fulfill On-Demand and Spot capacity.
For more information, see Auto Scaling Groups with Multiple Instance Types and Purchase Options in the
Syntax
JSON
{
"OnDemandAllocationStrategy" : String,
"OnDemandBaseCapacity" : Integer,
"OnDemandPercentageAboveBaseCapacity" : Integer,
"SpotAllocationStrategy" : String,
"SpotInstancePools" : Integer,
"SpotMaxPrice" : String
}
YAML
OnDemandAllocationStrategy: String
OnDemandBaseCapacity: Integer
OnDemandPercentageAboveBaseCapacity: Integer
SpotAllocationStrategy: String
SpotInstancePools: Integer
SpotMaxPrice: String
Properties
OnDemandAllocationStrategy
Indicates how to allocate instance types to fulfill On-Demand capacity.
The only valid value is prioritized, which is also the default value. This strategy uses the order
of instance type overrides for LaunchTemplate to define the launch priority of each instance type.
The first instance type in the array is prioritized higher than the last. If all your On-Demand capacity
cannot be fulfilled using your highest priority instance, then the Auto Scaling groups launches the
remaining capacity using the second priority instance type, and so on.
Required: No
Type: String

OnDemandBaseCapacity
The minimum amount of the Auto Scaling group's capacity that must be fulfilled by On-Demand
Instances. This base portion is provisioned first as your group scales.
The default value is 0. If you leave this property set to 0, On-Demand Instances
are launched as a percentage of the Auto Scaling group's desired capacity, per the
OnDemandPercentageAboveBaseCapacity setting.
Note
An update to this property means a gradual replacement of instances to maintain the
specified number of On-Demand Instances for your base capacity. When replacing

977
instances, Amazon EC2 Auto Scaling launches new instances before terminating the old
ones.
Required: No
Type: Integer

OnDemandPercentageAboveBaseCapacity
Controls the percentages of On-Demand Instances and Spot Instances for your additional capacity
beyond OnDemandBaseCapacity.
The range is 0–100. The default value is 100. If you leave this property set to 100, the percentages
are 100% for On-Demand Instances and 0% for Spot Instances.
Note
An update to this property means a gradual replacement of instances to maintain the
percentage of On-Demand Instances for your additional capacity above the base capacity.
When replacing instances, Amazon EC2 Auto Scaling launches new instances before
terminating the old ones.
Required: No
Type: Integer

SpotAllocationStrategy
Indicates how to allocate Spot capacity across Spot pools.
If the allocation strategy is lowest-price, the Auto Scaling group launches instances using the
Spot pools with the lowest price, and evenly allocates your instances across the number of Spot
pools that you specify. If the allocation strategy is capacity-optimized, the Auto Scaling group
launches instances using Spot pools that are optimally chosen based on the available Spot capacity.
The default is lowest-price.
Valid values: lowest-price | capacity-optimized
Required: No
Type: String

SpotInstancePools
The number of Spot pools to use to allocate your Spot capacity. The Spot pools are determined
from the different instance types in the Overrides array of LaunchTemplate. The range is 1–20. The
default value is 2.
Valid only when the Spot allocation strategy is lowest-price.
Required: No
Type: Integer

978
SpotMaxPrice
The maximum price per unit hour that you are willing to pay for a Spot Instance. If you leave the
value of this property blank (which is the default), the maximum Spot price is set at the On-Demand
price.
Required: No
Type: String
Minimum: 0
Maximum: 255
AWS::AutoScaling::AutoScalingGroup LaunchTemplate
LaunchTemplate is a subproperty of MixedInstancesPolicy that describes a launch template and
overrides. The overrides are used to override the instance type specified by the launch template with
multiple instance types that can be used to launch On-Demand Instances and Spot Instances.
Syntax
JSON
{
"LaunchTemplateSpecification" : LaunchTemplateSpecification (p. 980),
"Overrides" : [ LaunchTemplateOverrides (p. 980), ... ]
}
YAML
LaunchTemplateSpecification:
Overrides:
- LaunchTemplateOverrides (p. 980)
Properties
LaunchTemplateSpecification
The launch template to use. You must specify either the launch template ID or launch template
name in the request.
Required: Yes

Overrides
An optional setting. Any properties that you specify override the same properties in the launch
template. Currently, the only supported override is instance type. You can specify between 1 and 20
instance types.
Required: No

979
Type: List of LaunchTemplateOverrides (p. 980)
AWS::AutoScaling::AutoScalingGroup LaunchTemplateOverrides
LaunchTemplateOverrides is a subproperty of LaunchTemplate that describes an override for a
launch template.
Syntax
JSON
{
"InstanceType" : String
}
YAML
Properties
InstanceType
The instance type. For more information, see Available Instance Types in the Amazon EC2 User Guide
for Linux Instances.
Required: No
Type: String
Minimum: 1
Maximum: 255
AWS::AutoScaling::AutoScalingGroup LaunchTemplateSpecification
LaunchTemplateSpecification is a property of AutoScalingGroup that specifies the launch template
to use to launch instances.
For information about creating a launch template, see Creating a Launch Template for an Auto Scaling
Group in the Amazon EC2 Auto Scaling User Guide.
Syntax
JSON

980
"LaunchTemplateId" : String,
"LaunchTemplateName" : String,
"Version" : String
}
YAML
LaunchTemplateId: String
LaunchTemplateName: String
Version: String
Properties
LaunchTemplateId
The ID of the launch template. You must specify either a template ID or a template name.
Type: String
Minimum: 1
Maximum: 255

LaunchTemplateName
The name of the launch template. You must specify either a template name or a template ID.
Type: String
Minimum: 3
Maximum: 128
Pattern: [a-zA-Z0-9\.-/_]+

Version
The version number. AWS CloudFormation does not support specifying $Latest, or $Default for the
template version number.
Required: Yes
Type: String
Minimum: 1
Maximum: 255

981
AWS::AutoScaling::AutoScalingGroup LifecycleHookSpecification
LifecycleHookSpecification specifies a list of lifecycle hooks for the
LifecycleHookSpecificationList property of AutoScalingGroup.
LifecycleHookSpecification defines lifecycle hooks for an Auto Scaling group that specify actions
to perform when Amazon EC2 Auto Scaling launches or terminates instances.
For more information, see Amazon EC2 Auto Scaling Lifecycle Hooks in the Amazon EC2 Auto
Scaling User Guide. You can find a sample template snippet in the Examples section of the
AWS::AutoScaling::LifecycleHook documentation.
Syntax
JSON
{
"DefaultResult" : String,
"HeartbeatTimeout" : Integer,
"LifecycleHookName" : String,
"LifecycleTransition" : String,
"NotificationMetadata" : String,
"NotificationTargetARN" : String,
"RoleARN" : String
}
YAML
DefaultResult: String
HeartbeatTimeout: Integer
LifecycleHookName: String
LifecycleTransition: String
NotificationMetadata: String
NotificationTargetARN: String
RoleARN: String
Properties
DefaultResult
The action the Auto Scaling group takes when the lifecycle hook timeout elapses or if an unexpected
failure occurs. The valid values are CONTINUE and ABANDON (default).
Required: No
Type: String

HeartbeatTimeout
The maximum time, in seconds, that can elapse before the lifecycle hook times out. If the lifecycle
hook times out, Amazon EC2 Auto Scaling performs the default action.
Required: No
Type: Integer

982
LifecycleHookName
The name of the lifecycle hook.
Required: Yes
Type: String
Minimum: 1
Maximum: 255
Pattern: [A-Za-z0-9\-_\/]+

LifecycleTransition
The state of the EC2 instance to attach the lifecycle hook to. The valid values are:
• autoscaling:EC2_INSTANCE_LAUNCHING
• autoscaling:EC2_INSTANCE_TERMINATING
Required: Yes
Type: String

NotificationMetadata
Additional information that you want to include any time Amazon EC2 Auto Scaling sends a message
to the notification target.
Required: No
Type: String
Minimum: 1
Maximum: 1023

NotificationTargetARN
The Amazon Resource Name (ARN) of the notification target that Amazon EC2 Auto Scaling uses
to notify you when an instance is in the transition state for the lifecycle hook. You can specify an
Amazon SQS queue or an Amazon SNS topic.
Required: No
Type: String
Minimum: 0
Maximum: 1600

983
RoleARN
The ARN of the IAM role that allows the Auto Scaling group to publish to the specified notification
target, for example, an Amazon SNS topic or an Amazon SQS queue. For information about creating
this role, see Preparing for Notifications in the Amazon EC2 Auto Scaling User Guide.
Required: No
Type: String
Minimum: 1
Maximum: 1600
AWS::AutoScaling::AutoScalingGroup MetricsCollection
MetricsCollection is a property of AutoScalingGroup that describes the group metrics that an
Amazon EC2 Auto Scaling group sends to Amazon CloudWatch. These metrics describe the group rather
than any of its instances.
For more information, see Monitoring Your Auto Scaling Groups and Instances Using Amazon
CloudWatch in the Amazon EC2 Auto Scaling User Guide. You can find a sample template snippet in the
Examples section of the AWS::AutoScaling::AutoScalingGroup documentation.
Syntax
JSON
{
"Granularity" : String,
"Metrics" : [ String, ... ]
}
YAML
Granularity: String
Metrics:
- String
Properties
Granularity
The frequency at which Amazon EC2 Auto Scaling sends aggregated data to CloudWatch.
Allowed Values: 1Minute
Required: Yes
Type: String

984
Metrics
The list of Auto Scaling group metrics to collect. If you specify Granularity and don't specify any
metrics, all metrics are enabled.
Allowed Values:
• GroupMinSize
• GroupMaxSize
• GroupDesiredCapacity
• GroupInServiceInstances
• GroupPendingInstances
• GroupStandbyInstances
• GroupTerminatingInstances
• GroupTotalInstances
Required: No
AWS::AutoScaling::AutoScalingGroup MixedInstancesPolicy
MixedInstancesPolicy is a property of AutoScalingGroup that describes a mixed instances policy
for an Amazon EC2 Auto Scaling group. With mixed instances, your Auto Scaling group can provision
a combination of On-Demand Instances and Spot Instances across multiple instance types. For more
information, see Auto Scaling Groups with Multiple Instance Types and Purchase Options in the Amazon
EC2 Auto Scaling User Guide.
You can create a mixed instances policy for a new Auto Scaling group, or you can create it for an existing
group by updating the group to specify MixedInstancesPolicy as the top-level parameter instead of
a launch configuration or template. If you specify a MixedInstancesPolicy, you must specify a launch
template as a property of the policy. You cannot specify a launch configuration for the policy.
Syntax
JSON
{
"InstancesDistribution" : InstancesDistribution (p. 976),
"LaunchTemplate" : LaunchTemplate (p. 979)
}
YAML
InstancesDistribution:
InstancesDistribution (p. 976)
LaunchTemplate:
LaunchTemplate (p. 979)
Properties
InstancesDistribution
The instances distribution to use.

985
If you leave this property unspecified, the value for each property in InstancesDistribution
uses a default value.
Required: No
Type: InstancesDistribution (p. 976)

LaunchTemplate
The launch template and instance types (overrides).
Required: Yes
Type: LaunchTemplate (p. 979)
AWS::AutoScaling::AutoScalingGroup NotificationConfiguration
NotificationConfiguration specifies a list of notification configurations for the
NotificationConfigurations property of AutoScalingGroup. NotificationConfiguration
specifies the events that the Amazon EC2 Auto Scaling group sends notifications for.
For example snippets, see Auto Scaling Group with Notifications.
Syntax
JSON
{
"NotificationTypes" : [ String, ... ],
"TopicARN" : String
}
YAML
NotificationTypes:
- String
TopicARN: String
Properties
NotificationTypes
A list of event types that trigger a notification. Event types can include any of the following types.
Allowed Values:
• autoscaling:EC2_INSTANCE_LAUNCH
• autoscaling:EC2_INSTANCE_LAUNCH_ERROR
• autoscaling:EC2_INSTANCE_TERMINATE
• autoscaling:EC2_INSTANCE_TERMINATE_ERROR
• autoscaling:TEST_NOTIFICATION
Required: No

986

TopicARN
The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (Amazon SNS) topic.
Required: Yes
Type: String
Minimum: 1
Maximum: 1600
AWS::AutoScaling::AutoScalingGroup TagProperty
TagProperty specifies a list of tags for the Tag property of AutoScalingGroup. TagProperty adds tags
to all associated instances in an Amazon EC2 Auto Scaling group.
For more information, see Tagging Auto Scaling Groups and Instances in the Amazon EC2 Auto
Scaling User Guide. You can find a sample template snippet in the Examples section of the
AWS::AutoScaling::AutoScalingGroup documentation.
AWS CloudFormation adds the following tags to all Auto Scaling groups and associated instances:
• aws:cloudformation:stack-name
• aws:cloudformation:stack-id
• aws:cloudformation:logical-id
Syntax
JSON
{
"Key" : String,
"PropagateAtLaunch" : Boolean,
"Value" : String
}
YAML
Key: String
PropagateAtLaunch: Boolean
Value: String
Properties
Key
The tag key.

987
Required: Yes
Type: String
Minimum: 1
Maximum: 128

PropagateAtLaunch
Set to true if you want AWS CloudFormation to copy the tag to EC2 instances that are launched as
part of the Auto Scaling group. Set to false if you want the tag attached only to the Auto Scaling
group and not copied to any instances launched as part of the Auto Scaling group.
Required: Yes
Type: Boolean

Value
The tag value.
Required: Yes
Type: String
Minimum: 0
Maximum: 256
Specifies an Amazon EC2 Auto Scaling launch configuration that can be used by an Auto Scaling group to
configure Amazon EC2 instances.
Important
When you update the launch configuration, AWS CloudFormation deletes that resource and
creates a new launch configuration with the updated properties and a new name. This update
action does not deploy any change across the running Amazon EC2 instances in the Auto Scaling
group. In other words, after you associate a new launch configuration with an Auto Scaling
group, all new instances will get the updated configuration, but existing instances continue to
run with the configuration that they were originally launched with. This works the same way as
any other Auto Scaling group that uses a launch configuration.
If you want to update existing instances when you update the LaunchConfiguration
resource, you must specify an UpdatePolicy attribute for the Auto Scaling group. You
can find sample update policies for rolling updates in the Examples section of the
For more information, see CreateLaunchConfiguration in the Amazon EC2 Auto Scaling API Reference and
Launch Configurations in the Amazon EC2 Auto Scaling User Guide.

988
Syntax
JSON
{
"Properties" : {
"AssociatePublicIpAddress" : Boolean,
"BlockDeviceMappings" : [ BlockDeviceMapping (p. 1002), ... ],
"ClassicLinkVPCId" : String,
"ClassicLinkVPCSecurityGroups" : [ String, ... ],
"EbsOptimized" : Boolean,
"IamInstanceProfile" : String,
"ImageId" : String,
"InstanceMonitoring" : Boolean,
"KernelId" : String,
"KeyName" : String,
"LaunchConfigurationName" : String,
"PlacementTenancy" : String,
"RamDiskId" : String,
"SpotPrice" : String,
"UserData" : String
}
}
YAML
Properties:
AssociatePublicIpAddress: Boolean
- BlockDeviceMapping (p. 1002)
ClassicLinkVPCId: String
ClassicLinkVPCSecurityGroups:
- String
EbsOptimized: Boolean
IamInstanceProfile: String
ImageId: String
InstanceId: String
InstanceMonitoring: Boolean
KernelId: String
KeyName: String
LaunchConfigurationName: String
PlacementTenancy: String
RamDiskId: String
SecurityGroups:
- String
SpotPrice: String
UserData: String
Properties
AssociatePublicIpAddress
For Auto Scaling groups that are running in a virtual private cloud (VPC), specifies whether to
assign a public IP address to the group's instances. If you specify true, each instance in the Auto

989
Scaling group receives a unique public IP address. For more information, see Launching Auto Scaling
Instances in a VPC in the Amazon EC2 Auto Scaling User Guide.
If an instance receives a public IP address and is also in a VPC that is defined in the same stack
template, you must use the DependsOn attribute to declare a dependency on the VPC-gateway
attachment.
Note
If the instance is launched into a default subnet, the default is to assign a public IP address,
unless you disabled the option to assign a public IP address on the subnet. If the instance
is launched into a nondefault subnet, the default is not to assign a public IP address, unless
you enabled the option to assign a public IP address on the subnet.
Required: No
Type: Boolean

BlockDeviceMappings
Specifies how block devices are exposed to the instance. You can specify virtual devices and EBS
volumes.
Required: No
Type: List of BlockDeviceMapping (p. 1002)

ClassicLinkVPCId
The ID of a ClassicLink-enabled VPC to link your EC2-Classic instances to.
For more information, see ClassicLink in the Amazon EC2 User Guide for Linux Instances and Linking
EC2-Classic Instances to a VPC in the Amazon EC2 Auto Scaling User Guide.
This property can only be used if you are launching EC2-Classic instances.
Required: No
Type: String
Minimum: 1
Maximum: 255

ClassicLinkVPCSecurityGroups
The IDs of one or more security groups for the VPC that you specified in the ClassicLinkVPCId
property.
If you specify the ClassicLinkVPCId property, you must specify this property.

990
EbsOptimized
Specifies whether the launch configuration is optimized for EBS I/O (true) or not (false). This
optimization provides dedicated throughput to Amazon EBS and an optimized configuration
stack to provide optimal EBS I/O performance. Additional fees are incurred when you enable EBS
optimization for an instance type that is not EBS-optimized by default. For more information, see
EBS-Optimized Instances in the Amazon EC2 User Guide for Linux Instances.
Required: No
Type: Boolean

IamInstanceProfile
Provides the name or the Amazon Resource Name (ARN) of the instance profile associated with the
IAM role for the instance. The instance profile contains the IAM role.
For more information, see IAM Role for Applications that Run on Amazon EC2 Instances in the
Required: No
Type: String
Minimum: 1
Maximum: 1600

ImageId
Provides the unique ID of the Amazon Machine Image (AMI) that was assigned during registration.
For more information, see Finding an AMI in the Amazon EC2 User Guide for Linux Instances.
Required: Yes
Type: String
Minimum: 1
Maximum: 255

InstanceId
The ID of the Amazon EC2 instance you want to use to create the launch configuration. Use this
property if you want the launch configuration to use settings from an existing Amazon EC2 instance.
When you use an instance to create a launch configuration, all properties are derived from the
instance with the exception of BlockDeviceMapping and AssociatePublicIpAddress. You can
override any properties from the instance by specifying them in the launch configuration.

991
Required: No
Type: String

InstanceMonitoring
Controls whether instances in this group are launched with detailed (true) or basic (false)
monitoring. The default value is true (enabled).
Important
When detailed monitoring is enabled, Amazon CloudWatch generates metrics every minute
and your account is charged a fee. When you disable detailed monitoring, CloudWatch
generates metrics every 5 minutes. For more information, see Configure Monitoring for
Auto Scaling Instances in the Amazon EC2 Auto Scaling User Guide.
Required: No
Type: Boolean

InstanceType
Specifies the instance type of the EC2 instance. For information about available instance types, see
Available Instance Types in the Amazon EC2 User Guide for Linux Instances.
Required: Yes
Type: String
Minimum: 1
Maximum: 255

KernelId
Provides the ID of the kernel associated with the EC2 AMI.

Note
We recommend that you use PV-GRUB instead of kernels and RAM disks. For more
information, see User Provided Kernels in the Amazon EC2 User Guide for Linux Instances.
Required: No
Type: String
Minimum: 1
Maximum: 255

KeyName
Provides the name of the EC2 key pair.

992
Important
If you do not specify a key pair, you can't connect to the instance unless you choose an AMI
that is configured to allow users another way to log in. For information on creating a key
pair, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.
Required: No
Type: String
Minimum: 1
Maximum: 255

LaunchConfigurationName
The name of the launch configuration. This name must be unique per Region per account.
Required: No
Type: String
Minimum: 1
Maximum: 255

PlacementTenancy
The tenancy of the instance, either default or dedicated. An instance with dedicated tenancy
runs on isolated, single-tenant hardware and can only be launched into a VPC. You must set the
value of this property to dedicated if want to launch dedicated instances in a shared tenancy VPC
(a VPC with the instance placement tenancy attribute set to default).
If you specify this property, you must specify at least one subnet in the VPCZoneIdentifier
property of the AutoScalingGroup resource.
For more information, see Instance Placement Tenancy in the Amazon EC2 Auto Scaling User Guide.
Required: No
Type: String
Minimum: 1
Maximum: 64

RamDiskId
The ID of the RAM disk to select.

Note
information, see User Provided Kernels in the Amazon EC2 User Guide for Linux Instances.

993
Required: No
Type: String
Minimum: 1
Maximum: 255

SecurityGroups
A list that contains the security groups to assign to the instances in the Auto Scaling group. The
list can contain both the IDs of existing security groups and references to SecurityGroup resources
created in the template.
For more information, see Security Groups for Your VPC in the Amazon Virtual Private Cloud User
Guide.
Required: No

SpotPrice
The maximum hourly price to be paid for any Spot Instance launched to fulfill the request. Spot
Instances are launched when the price you specify exceeds the current Spot price. For more
information, see Launching Spot Instances in your Auto Scaling Group in the Amazon EC2 Auto
Scaling User Guide.
Note
When you change your maximum price by creating a new launch configuration, running
instances will continue to run as long as the maximum price for those running instances is
higher than the current Spot price.
Required: No
Type: String
Minimum: 1
Maximum: 255

UserData
The Base64-encoded user data to make available to the launched EC2 instances.
For more information, see Instance Metadata and User Data in the Amazon EC2 User Guide for Linux
Instances.
Required: No
Type: String
Maximum: 21847

994
Return Values
Ref
name. For example: mystack-mylaunchconfig-1DDYF1E3B3I.
Examples
The following examples create launch configurations that can be used by an Auto Scaling group to
configure Amazon EC2 instances.
Launch Configuration with Block Device Mappings
This example shows a launch configuration with a BlockDeviceMappings property that lists two
devices: a 50 gigabyte EBS root volume mapped to /dev/sda1 and a 100 gigabyte EBS volume mapped
to /dev/sdm. The /dev/sdm volume uses the default EBS volume type based on the region and is not
deleted when terminating the instance it is attached to.
JSON
{
"myLaunchConfig":{
"Properties":{
"KeyName":{
"Ref":"KeyName"
},
"ImageId":{
"Fn::FindInMap":[
{
"Ref":"AWS::Region"
},
{
"Fn::FindInMap":[
{
},
"Arch"
]
}
]
},
"UserData":{
"Fn::Base64":{
"Ref":"WebServerPort"
}
},
"SecurityGroups":[
{
"Ref":"InstanceSecurityGroup"
}
],
"InstanceType":{
},

995
"BlockDeviceMappings":[
{
"DeviceName":"/dev/sda1",
"Ebs":{
"VolumeSize":"50",
"VolumeType":"io1",
"Iops":200
}
},
{
"DeviceName":"/dev/sdm",
"Ebs":{
"VolumeSize":"100",
"DeleteOnTermination":"false"
}
}
]
}
}
}
YAML
myLaunchConfig:
Properties:
KeyName:
Ref: "KeyName"
ImageId:
Fn::FindInMap:
- "AWSRegionArch2AMI"
- Ref: "AWS::Region"
- Fn::FindInMap:
- "AWSInstanceType2Arch"
- Ref: "InstanceType"
- "Arch"
UserData:
Fn::Base64:
Ref: "WebServerPort"
SecurityGroups:
- Ref: "InstanceSecurityGroup"
InstanceType:
Ref: "InstanceType"
- DeviceName: "/dev/sda1"
Ebs:
VolumeSize: "50"
VolumeType: "io1"
Iops: 200
- DeviceName: "/dev/sdm"
Ebs:
VolumeSize: "100"
DeleteOnTermination: "false"
Launch Configuration with Spot Price

This example shows a launch configuration that launches Spot Instances in the Auto Scaling group. This
launch configuration will only be active if the current Spot price is less than the price in the template
specification (0.05).
JSON

996
"myLaunchConfig":{
"Properties":{
"KeyName":{
"Ref":"KeyName"
},
"ImageId":{
"Fn::FindInMap":[
{
"Ref":"AWS::Region"
},
{
"Fn::FindInMap":[
{
},
"Arch"
]
}
]
},
"SecurityGroups":[
{
}
],
"SpotPrice":"0.05",
"InstanceType":{
}
}
}
}
YAML
myLaunchConfig:
Properties:
KeyName:
Ref: "KeyName"
ImageId:
Fn::FindInMap:
- Fn::FindInMap:
- "Arch"
SecurityGroups:
SpotPrice: "0.05"
InstanceType:
Ref: "InstanceType"
Launch Configuration with IAM Instance Profile
This example demonstrates a launch configuration that uses the IamInstanceProfile property. Only
the AWS::AutoScaling::LaunchConfiguration specification is shown. For an example of the full
template, including the definition of, and further references from the InstanceProfile object referenced
here as RootInstanceProfile, see auto_scaling_with_instance_profile.template.

997
JSON
{
"myLaunchConfig":{
"Properties":{
"ImageId":{
"Fn::FindInMap":[
{
"Ref":"AWS::Region"
},
{
"Fn::FindInMap":[
{
},
"Arch"
]
}
]
},
"InstanceType":{
},
"IamInstanceProfile":{
"Ref":"RootInstanceProfile"
}
}
}
}
YAML
myLaunchConfig:
Properties:
ImageId:
Fn::FindInMap:
- Fn::FindInMap:
- "Arch"
InstanceType:
Ref: "InstanceType"
IamInstanceProfile:
Ref: "RootInstanceProfile"
Launch Configuration with a Provisioned IOPS EBS Volume
This example demonstrates a launch configuration that configures the EbsOptmized property to launch
instances with a provisioned IOPS EBS-optimized volume. This can increase the performance of your
EBS-backed instances.
Note
For instances that are not EBS–optimized by default, you must enable EBS optimization
to achieve the level of performance described in the Amazon EBS-Optimized Instances
documentation in the Amazon Elastic Compute Cloud User Guide. For current generation instance
types, EBS-optimization is enabled by default at no additional cost. Enabling EBS optimization

998
for a previous generation instance type that is not EBS-optimized by default incurs additional
fees.
When you use a launch configuration such as this one, your m1.large instances will contain optimized
EBS root volumes with the provisioned IOPS settings that you specified in the AMI. Because you cannot
specify the IOPS settings in a launch configuration, the AMI must be configured with a block device
mapping that specifies the desired number of IOPS. The following are key attributes of this EBS-
optimized instance configuration:
• An instance type of m1.large or greater. This is required for EBS optimization. This optimization is
only available for certain instance types and sizes.
• An EBS-backed AMI with a volume type of io1 and the number of IOPS you want to provision for the
volume.
• The size of the EBS volume must accommodate the IOPS you need. There is a 50:1 ratio between IOPS
and Gibibytes (GiB) of storage.
For more information about IOPS performance with provisioned IOPS volumes, see Provisioned IOPS
SSD (io1) Volumes in the Amazon Elastic Compute Cloud User Guide.
For more performance tips, see Amazon EBS Volume Performance on Linux Instances in the Amazon
Elastic Compute Cloud User Guide.
JSON
{
"myLaunchConfig":{
"Properties":{
"KeyName":{
"Ref":"KeyName"
},
"ImageId":"ami-7430ba44",
"UserData":{
"Fn::Base64":{
"Ref":"WebServerPort"
}
},
"SecurityGroups":[
{
},
"sg-903004f8"
],
"InstanceType":"m1.large",
"EbsOptimized":"true"
}
}
}
YAML
myLaunchConfig:
Properties:
KeyName:
Ref: "KeyName"
ImageId: "ami-7430ba44"
UserData:
Fn::Base64:
Ref: "WebServerPort"

999
SecurityGroups:
- sg-903004f8
InstanceType: "m1.large"
EbsOptimized: "true"
AWS::AutoScaling::LaunchConfiguration BlockDevice
BlockDevice is a subproperty of BlockDeviceMapping that describes an Amazon EBS volume.
For Amazon EC2 Auto Scaling EBS Block Device snippets, see Auto Scaling Launch Configuration
Resource.
Syntax
JSON
{
"DeleteOnTermination" : Boolean,
"Encrypted" : Boolean,
"Iops" : Integer,
"SnapshotId" : String,
"VolumeSize" : Integer,
"VolumeType" : String
}
YAML
DeleteOnTermination: Boolean
Encrypted: Boolean
Iops: Integer
SnapshotId: String
VolumeSize: Integer
VolumeType: String
Properties
DeleteOnTermination
Indicates whether to delete the volume when the instance is terminated. For Amazon EC2 Auto
Scaling, the default value is true.
Required: No
Type: Boolean

Encrypted
Specifies whether the EBS volume is encrypted. Encrypted EBS volumes can only be attached to
instances that support Amazon EBS encryption. For more information, see Supported Instance
Types. If your AMI uses encrypted volumes, you can also only launch it on supported instance types.
Note
If you are creating a volume from a snapshot, you cannot specify an encryption value.
Volumes that are created from encrypted snapshots are automatically encrypted, and

1000
volumes that are created from unencrypted snapshots are automatically unencrypted. By
default, encrypted snapshots use the AWS managed CMK that is used for EBS encryption,
but you can specify a custom CMK when you create the snapshot. The ability to encrypt
a snapshot during copying also allows you to apply a new CMK to an already-encrypted
snapshot. Volumes restored from the resulting copy are only accessible using the new CMK.
Enabling encryption by default results in all EBS volumes being encrypted with the AWS
managed CMK or a customer managed CMK, whether or not the snapshot was encrypted.
Required: No
Type: Boolean

Iops
The number of I/O operations per second (IOPS) to provision for the volume. The maximum ratio of
IOPS to volume size (in GiB) is 50:1, so for 5,000 provisioned IOPS, you need at least 100 GiB storage
on the volume. For more information, see Amazon EBS Volume Types in the Amazon EC2 User Guide
for Linux Instances.
If the volume type is io1, this property is required. (Not used with standard, gp2, st1, or sc1
volumes.)
Type: Integer
Minimum: 100
Maximum: 20000

SnapshotId
The snapshot ID of the volume to use.
You must specify either a VolumeSize or a SnapshotId.
Type: String
Minimum: 1
Maximum: 255

VolumeSize
The volume size, in Gibibytes (GiB).
This can be a number from 1-1,024 for standard, 4-16,384 for io1, 1-16,384 for gp2, and
500-16,384 for st1 and sc1.
If you create a volume from a snapshot and you don't specify a volume size, the default is the
snapshot size.

1001
You must specify either a VolumeSize or a SnapshotId. If you specify both SnapshotId and
VolumeSize, VolumeSize must be equal or greater than the size of the snapshot.
Type: Integer
Minimum: 1
Maximum: 16384

VolumeType
The volume type, which can be standard for Magnetic, io1 for Provisioned IOPS SSD, gp2
for General Purpose SSD, st1 for Throughput Optimized HDD, or sc1 for Cold HDD. For more
information, see Amazon EBS Volume Types in the Amazon EC2 User Guide for Linux Instances.
Valid values: standard | io1 | gp2 | st1 | sc1
Required: No
Type: String
Minimum: 1
Maximum: 255
See Also
• Required CMK Key Policy for Use with Encrypted Volumes in the Amazon EC2 Auto Scaling User Guide
• Using Encryption with EBS-Backed AMIs in the Amazon EC2 User Guide for Linux Instances
AWS::AutoScaling::LaunchConfiguration BlockDeviceMapping
BlockDeviceMapping is a property of LaunchConfiguration that describes a block device mapping for
an Amazon EC2 Auto Scaling group.
Each instance that is launched has an associated root device volume, either an Amazon EBS volume or an
instance store volume. You can use block device mappings to specify additional EBS volumes or instance
store volumes to attach to an instance when it is launched.
For more information, see Example Block Device Mapping in the Amazon EC2 User Guide for Linux
Instances.
Syntax
JSON
{
"DeviceName" : String,
"Ebs" : BlockDevice (p. 1000),
"NoDevice" : Boolean,

1002
"VirtualName" : String
}
YAML
DeviceName: String
Ebs:
BlockDevice (p. 1000)
NoDevice: Boolean
VirtualName: String
Properties
DeviceName
The device name exposed to the EC2 instance (for example, /dev/sdh or xvdh). For more
information, see Device Naming on Linux Instances in the Amazon EC2 User Guide for Linux Instances.
Required: Yes
Type: String
Minimum: 1
Maximum: 255

Ebs
The information about the Amazon EBS volume.
You can specify either VirtualName or Ebs, but not both.
Required: No
Type: BlockDevice (p. 1000)

NoDevice
Suppresses the device mapping. If this property is set to true for the root device, the instance might
fail the Amazon EC2 health check. Amazon EC2 Auto Scaling launches a replacement instance if the
instance fails the health check.
Required: No
Type: Boolean

VirtualName
The name of the virtual device. The name must be in the form ephemeralX where X is a number
starting from zero (0), for example, ephemeral0.

1003
Required: No
Type: String
Minimum: 1
Maximum: 255
See Also
• Amazon EC2 Instance Store in the Amazon EC2 User Guide for Linux Instances
• Amazon Elastic Block Store (Amazon EBS) in the Amazon EC2 User Guide for Linux Instances
Defines lifecycle hooks for an Amazon EC2 Auto Scaling group. Lifecycle hooks specify actions to
perform when Amazon EC2 Auto Scaling launches or terminates instances. When you use a lifecycle
hook, the Auto Scaling group pauses the instance either after it is launched (before it is put into service)
or as it is terminated (before it is fully terminated).
For more information, see PutLifecycleHook in the Amazon EC2 Auto Scaling API Reference and Amazon
EC2 Auto Scaling Lifecycle Hooks in the Amazon EC2 Auto Scaling User Guide.
Syntax
JSON
{
"Type" : "AWS::AutoScaling::LifecycleHook",
"Properties" : {
"DefaultResult" : String,
"HeartbeatTimeout" : Integer,
"LifecycleHookName" : String,
"LifecycleTransition" : String,
"NotificationMetadata" : String,
"NotificationTargetARN" : String,
"RoleARN" : String
}
}
YAML
Type: AWS::AutoScaling::LifecycleHook
Properties:
DefaultResult: String
HeartbeatTimeout: Integer
LifecycleHookName: String
LifecycleTransition: String
NotificationMetadata: String
NotificationTargetARN: String

1004
RoleARN: String
Properties
The name of the Auto Scaling group for the lifecycle hook.
Required: Yes
Type: String
Minimum: 1
Maximum: 1600

DefaultResult
The action the Auto Scaling group takes when the lifecycle hook timeout elapses or if an unexpected
failure occurs. The valid values are CONTINUE and ABANDON (default).
Required: No
Type: String

HeartbeatTimeout
The amount of time, in seconds, that can elapse before the lifecycle hook times out. If the
lifecycle hook times out, Amazon EC2 Auto Scaling performs the action that you specified in the
DefaultResult property.
Required: No
Type: Integer

LifecycleHookName
The name of the lifecycle hook.
Required: No
Type: String
Minimum: 1
Maximum: 255
Pattern: [A-Za-z0-9\-_\/]+

LifecycleTransition
The instance state to which you want to attach the lifecycle hook. The valid values are:

1005
• autoscaling:EC2_INSTANCE_LAUNCHING
• autoscaling:EC2_INSTANCE_TERMINATING
Required: Yes
Type: String

NotificationMetadata
Additional information that is included any time Amazon EC2 Auto Scaling sends a message to the
notification target.
Required: No
Type: String
Minimum: 1
Maximum: 1023

NotificationTargetARN
The Amazon Resource Name (ARN) of the notification target that Amazon EC2 Auto Scaling uses
to notify you when an instance is in the transition state for the lifecycle hook. You can specify
an Amazon SQS queue or an Amazon SNS topic. The notification message includes the following
information: lifecycle action token, user account ID, Auto Scaling group name, lifecycle hook name,
instance ID, lifecycle transition, and notification metadata.
Required: No
Type: String
Minimum: 1
Maximum: 1600

RoleARN
The ARN of the IAM role that allows the Auto Scaling group to publish to the specified notification
target, for example, an Amazon SNS topic or an Amazon SQS queue. For information about creating
this role, see Preparing for Notifications in the Amazon EC2 Auto Scaling User Guide.
Required: No
Type: String
Minimum: 1
Maximum: 1600

1006
Return Values
Ref
name. For example: mylifecyclehook.
Examples
The following examples specify lifecycle hooks.
Lifecycle Hook for Instance Termination
The following example specifies a lifecycle hook that supports a custom action at instance termination.
It uses the Ref intrinsic function to refer to an Auto Scaling group (whose logical name is myASG) that is
declared elsewhere in the same template.
Note that the snippet uses the NotificationTargetARN and RoleARN properties to specify the
Amazon SNS topic and IAM role to use to receive notification when a lifecycle action occurs.
JSON
{
"myLifecycleHook":{
"Type":"AWS::AutoScaling::LifecycleHook",
"Properties":{
"AutoScalingGroupName":{
"Ref":"myASG"
},
"LifecycleTransition":"autoscaling:EC2_INSTANCE_TERMINATING",
"NotificationTargetARN":{
"Ref":"lifecycleHookTopic"
},
"RoleARN":{
"Fn::GetAtt":[
"lifecycleHookRole",
"Arn"
]
}
}
}
}
YAML
myLifecycleHook:
Type: AWS::AutoScaling::LifecycleHook
Properties:
Ref: myASG
LifecycleTransition: "autoscaling:EC2_INSTANCE_TERMINATING"
NotificationTargetARN:
Ref: lifecycleHookTopic
RoleARN:
Fn::GetAtt:

1007
- lifecycleHookRole
- Arn
Lifecycle Hook for Instance Launch

The following example specifies a lifecycle hook that supports a custom action at instance launch. The
lifecycle hook is added to a new Auto Scaling group that's created from the same snippet. For more
information, see LifecycleHookSpecification.
Note that the snippet uses the NotificationTargetARN and RoleARN properties to specify the
Amazon SQS queue and IAM role to use to receive notification when a lifecycle action occurs.
JSON
{
"Parameters":{
"Subnets":{
"Type":"CommaDelimitedList"
},
"AZs":{
}
},
"Resources":{
"myASG":{
"Properties":{
"AvailabilityZones":[
{
"Ref":"AZs"
}
],
"Ref":"Subnets"
},
"DesiredCapacity":"2",
"MaxSize":"3",
"MinSize":"1",
},
"LifecycleHookSpecificationList":[
{
"LifecycleTransition":"autoscaling:EC2_INSTANCE_LAUNCHING",
"LifecycleHookName":"myLifecycleHook",
"HeartbeatTimeout":4800,
"NotificationTargetARN":{
"Fn::GetAtt":[
"SQS",
"Arn"
]
},
"RoleArn":{
"Fn::Join":[
":",
[
"arn:aws:iam:",
{
"Ref":"AWS::AccountId"
},
"role/role-name"
]
]

1008
}
}
]
}
},
"SQS":{
"Type":"AWS::SQS::Queue"
}
}
}
YAML
Parameters:
Subnets:
AZs:
Resources:
myASG:
Properties:
AvailabilityZones:
- !Ref AZs
VPCZoneIdentifier: !Ref Subnets
DesiredCapacity: '2'
MaxSize: '3'
MinSize: '1'
LaunchConfigurationName: !Ref myLaunchConfig
LifecycleHookSpecificationList:
- LifecycleTransition: "autoscaling:EC2_INSTANCE_LAUNCHING"
LifecycleHookName: "myLifecycleHook"
HeartbeatTimeout: 4800
NotificationTargetARN: !GetAtt SQS.Arn
RoleARN: !Join
- ':'
- - 'arn:aws:iam:'
- !Ref 'AWS::AccountId'
- role/role-name
SQS:
Type: AWS::SQS::Queue
Specifies a scaling policy for an Amazon EC2 Auto Scaling group.
To update an existing scaling policy, use the existing policy name and set the property to change. If
you leave a property unspecified when updating a scaling policy, the corresponding value remains
unchanged.
If you create either a step scaling policy or a simple scaling policy, you must also create a CloudWatch
alarm that monitors a CloudWatch metric for your Auto Scaling group. Note that you can associate a
CloudWatch alarm with only one scaling policy.
For more information about using scaling policies to scale your Auto Scaling group automatically, see
Dynamic Scaling in the Amazon EC2 Auto Scaling User Guide.
Syntax

1009
JSON
{
"Properties" : {
"Cooldown" : String,
"EstimatedInstanceWarmup" : Integer,
"MetricAggregationType" : String,
"MinAdjustmentMagnitude" : Integer,
"ScalingAdjustment" : Integer,
"StepAdjustments" : [ StepAdjustment (p. 1019), ... ],
"TargetTrackingConfiguration" : TargetTrackingConfiguration (p. 1020)
}
}
YAML
Properties:
Cooldown: String
EstimatedInstanceWarmup: Integer
MetricAggregationType: String
MinAdjustmentMagnitude: Integer
PolicyType: String
StepAdjustments:
- StepAdjustment (p. 1019)
TargetTrackingConfiguration:
TargetTrackingConfiguration (p. 1020)
Properties
AdjustmentType
Specifies whether the ScalingAdjustment property is an absolute number or a percentage

of the current capacity. The valid values are ChangeInCapacity, ExactCapacity, and
PercentChangeInCapacity.
Valid only if the policy type is StepScaling or SimpleScaling. For more information, see Scaling
Adjustment Types in the Amazon EC2 Auto Scaling User Guide.
Required: No
Type: String
Minimum: 1
Maximum: 255

The name or Amazon Resource Name (ARN) of the Auto Scaling group that you want to attach the
policy to.

1010
Required: Yes
Type: String
Minimum: 1
Maximum: 255

Cooldown
The amount of time, in seconds, after a scaling activity completes before any further dynamic
scaling activities can start. If this property is not specified, the default cooldown period for the group
applies.
Valid only if the policy type is SimpleScaling. For more information, see Scaling Cooldowns in the
Required: No
Type: String

EstimatedInstanceWarmup
The estimated time, in seconds, until a newly launched instance can contribute to the CloudWatch
metrics. The default is to use the value specified for the default cooldown period for the group.
Valid only if the policy type is StepScaling or TargetTrackingScaling.
Required: No
Type: Integer

MetricAggregationType
The aggregation type for the CloudWatch metrics. The valid values are Minimum, Maximum, and
Average. By default, AWS CloudFormation specifies Average.
Valid only if the policy type is StepScaling.
Required: No
Type: String
Minimum: 1
Maximum: 32

MinAdjustmentMagnitude
The minimum number of instances to scale. If the value of AdjustmentType is

PercentChangeInCapacity, the scaling policy changes the DesiredCapacity of the Auto
Scaling group by at least this many instances. This property replaces the MinAdjustmentStep
property.

1011
For example, suppose that you create a step scaling policy to scale out an Auto Scaling group
by 25 percent and you specify a MinAdjustmentMagnitude of 2. If the group has 4 instances
and the scaling policy is performed, 25 percent of 4 is 1. However, because you specified a
MinAdjustmentMagnitude of 2, Amazon EC2 Auto Scaling scales out the group by 2 instances.
Valid only if the policy type is StepScaling or SimpleScaling.
Required: No
Type: Integer

PolicyType
The policy type. The default value is SimpleScaling.
Allowed Values: SimpleScaling, StepScaling, or TargetTrackingScaling
Required: No
Type: String

ScalingAdjustment
The amount by which a simple scaling policy scales the Auto Scaling group in response to an alarm
breach. The adjustment is based on the value that you specified in the AdjustmentType property
(either an absolute number or a percentage). A positive value adds to the current capacity and a
negative value subtracts from the current capacity. For exact capacity, you must specify a positive
value.
If you specify SimpleScaling for the policy type, you must specify this property. (Not used with
any other policy type.)
Type: Integer

StepAdjustments
A set of adjustments that enable you to scale based on the size of the alarm breach.
If you specify StepScaling for the policy type, you must specify this property. (Not used with any
other policy type.)
Type: List of StepAdjustment (p. 1019)

TargetTrackingConfiguration
Configures a target tracking scaling policy.
If you specify TargetTrackingScaling for the policy type, you must specify this property. (Not
used with any other policy type.)
Type: TargetTrackingConfiguration (p. 1020)

1012
Return Values
Ref
When you specify an AWS::AutoScaling::ScalingPolicy type as an argument to the Ref

function, AWS CloudFormation returns the policy Amazon Resource Name (ARN). For example:
arn:aws:autoscaling:us-east-2:123456789012:scalingPolicy:ab12c4d5-a1b2-
a1b2-a1b2-ab12c4d56789:autoScalingGroupName/myStack-AutoScalingGroup-
AB12C4D5E6:policyName/myStack-myScalingPolicy-AB12C4D5E6.
Examples
The following examples specify scaling policies for an Auto Scaling group.
Target Tracking Scaling Policy
The following example is a target tracking scaling policy based on the ASGAverageCPUUtilization
metric. The TargetValue property of the scaling policy references a PolicyTargetValue parameter
value from the same template.
JSON
{
"Parameters":{
"AMI":{
"Type":"String"
},
"Subnets":{
},
"AZs":{
},
"PolicyTargetValue":{
"Type":"String"
}
},
"Resources":{
"myLaunchConfig":{
"Properties":{
"ImageId":{
"Ref":"AMI"
},
"InstanceType":"t2.large"
}
},
"myCPUPolicy":{
"Type":"AWS::AutoScaling::ScalingPolicy",
"Properties":{
"Ref":"myASG"
},
"TargetTrackingConfiguration":{
"PredefinedMetricType":"ASGAverageCPUUtilization"
},
"TargetValue":{
"Ref":"PolicyTargetValue"

1013
}
}
}
},
"myASG":{
"Properties":{
"MaxSize":"2",
"Ref":"AZs"
},
"Ref":"Subnets"
},
"MinSize":"1",
}
}
}
}
}
YAML
Parameters:
AMI:
Type: String
Subnets:
AZs:
PolicyTargetValue:
Type: String
Resources:
myLaunchConfig:
Properties:
ImageId: !Ref AMI
InstanceType: t2.large
myCPUPolicy:
Properties:
AutoScalingGroupName: !Ref myASG
TargetTrackingConfiguration:
PredefinedMetricType: ASGAverageCPUUtilization
TargetValue: !Ref PolicyTargetValue
myASG:
Properties:
MaxSize: '2'
AvailabilityZones: !Ref AZs
VPCZoneIdentifier: !Ref Subnets
MinSize: '1'
LaunchConfigurationName: !Ref myLaunchConfig
Step Scaling Policy
The following example is a step scaling policy that increases the number instances by one or two,
depending on the size of the alarm breach. For a breach that is less than 50 units than the threshold

1014
value, the policy increases the number of instances by one. For a breach that is 50 units or more higher
than the threshold, the policy increases the number of instances by two.
JSON
{
"ASGScaleOutPolicy":{
"Properties":{
"AdjustmentType":"ChangeInCapacity",
"Ref":"myASG"
},
"PolicyType":"StepScaling",
"MetricAggregationType":"Average",
"EstimatedInstanceWarmup":"60",
"StepAdjustments":[
{
"MetricIntervalLowerBound":"0",
"MetricIntervalUpperBound":"50",
"ScalingAdjustment":"1"
},
{
"MetricIntervalLowerBound":"50",
"ScalingAdjustment":"2"
}
]
}
}
}
YAML
ASGScaleOutPolicy:
Properties:
AdjustmentType: "ChangeInCapacity"
Ref: "myASG"
PolicyType: "StepScaling"
MetricAggregationType: "Average"
EstimatedInstanceWarmup: "60"
StepAdjustments:
-
MetricIntervalLowerBound: "0"
MetricIntervalUpperBound: "50"
ScalingAdjustment: "1"
-
MetricIntervalLowerBound: "50"
ScalingAdjustment: "2"
Simple Scaling Policy
The following example is a simple scaling policy that increases the number instances by one when it is
triggered.
JSON
{
"ASGScaleOutPolicy":{
"Properties":{

1015
"AdjustmentType":"ChangeInCapacity",
"PolicyType":"SimpleScaling",
"Cooldown":"60",
"Ref":"myASG"
},
"ScalingAdjustment":1
}
}
}
YAML
ASGScaleOutPolicy:
Properties:
AdjustmentType: "ChangeInCapacity"
PolicyType: "SimpleScaling"
Cooldown: "60"
Ref: "myASG"
AWS::AutoScaling::ScalingPolicy CustomizedMetricSpecification
CustomizedMetricSpecification is a subproperty of TargetTrackingConfiguration that configures a
customized metric for a target tracking policy to use with Amazon EC2 Auto Scaling.
For more information, see CustomizedMetricSpecification in the Amazon EC2 Auto Scaling API Reference.
Syntax
JSON
{
"Unit" : String
}
YAML
Dimensions:
MetricName: String
Namespace: String
Statistic: String
Unit: String
Properties
Dimensions
your scaling policy.

1016
Required: No

MetricName
Required: Yes
Type: String

Namespace
Required: Yes
Type: String

Statistic
Required: Yes
Type: String

Unit
Required: No
Type: String
AWS::AutoScaling::ScalingPolicy MetricDimension
MetricDimension is a subproperty of CustomizedMetricSpecification that specifies the dimensions
of a metric for a target tracking scaling policy. Dimensions are arbitrary name/value pairs that can be
associated with a CloudWatch metric. Duplicate dimensions are not allowed.
Syntax
JSON
{
"Name" : String,
"Value" : String
}

1017
YAML
Name: String
Value: String
Properties
Name
Required: Yes
Type: String

Value
Required: Yes
Type: String
AWS::AutoScaling::ScalingPolicy PredefinedMetricSpecification
PredefinedMetricSpecification is a subproperty of TargetTrackingConfiguration that configures a
predefined metric for a target tracking policy to use with Amazon EC2 Auto Scaling.
Syntax
JSON
{
"PredefinedMetricType" : String,
}
YAML
PredefinedMetricType: String
Properties
PredefinedMetricType
The metric type. The following predefined metrics are available.

• ASGAverageCPUUtilization - Average CPU utilization of the Auto Scaling group.
• ASGAverageNetworkIn - Average number of bytes received on all network interfaces by the
Auto Scaling group.
• ASGAverageNetworkOut - Average number of bytes sent out on all network interfaces by the
Auto Scaling group.

1018
• ALBRequestCountPerTarget - Number of requests completed per target in an Application Load

Balancer target group.
Required: Yes
Type: String
Allowed Values: ALBRequestCountPerTarget | ASGAverageCPUUtilization |

ASGAverageNetworkIn | ASGAverageNetworkOut

ResourceLabel
Identifies the resource associated with the metric type. You can't specify a resource label unless
the metric type is ALBRequestCountPerTarget and there is a target group attached to the Auto
Scaling group.
The format is app/load-balancer-name/load-balancer-id/targetgroup/target-group-

name/target-group-id , where
• app/load-balancer-name/load-balancer-id is the final portion of the load balancer ARN,
and
• targetgroup/target-group-name/target-group-id is the final portion of the target
group ARN.
Type: String
Minimum: 1
Maximum: 1023
AWS::AutoScaling::ScalingPolicy StepAdjustment
StepAdjustments is a subproperty of ScalingPolicy that represents a step adjustment for a step scaling
policy.
For the following examples, suppose that you have an alarm with a breach threshold of 50:
• To trigger a step adjustment when the metric is greater than or equal to 50 and less than 60, specify a
lower bound of 0 and an upper bound of 10.
• To trigger a step adjustment when the metric is greater than 40 and less than or equal to 50, specify a
lower bound of -10 and an upper bound of 0.
For more information, see Step Adjustments in the Amazon EC2 Auto Scaling User Guide.
Syntax
JSON
{
"MetricIntervalLowerBound" : Double,

1019
"MetricIntervalUpperBound" : Double,
}
YAML
MetricIntervalLowerBound: Double
MetricIntervalUpperBound: Double
Properties
MetricIntervalLowerBound
The lower bound for the difference between the alarm threshold and the CloudWatch metric. If the
metric value is above the breach threshold, the lower bound is inclusive (the metric must be greater
than or equal to the threshold plus the lower bound). Otherwise, it is exclusive (the metric must be
greater than the threshold plus the lower bound). A null value indicates negative infinity.
Type: Double

MetricIntervalUpperBound
The upper bound for the difference between the alarm threshold and the CloudWatch metric. If the
metric value is above the breach threshold, the upper bound is exclusive (the metric must be less
than the threshold plus the upper bound). Otherwise, it is inclusive (the metric must be less than or
equal to the threshold plus the upper bound). A null value indicates positive infinity.
Type: Double

ScalingAdjustment
The amount by which to scale. The adjustment is based on the value that you specified in the
AdjustmentType property (either an absolute number or a percentage). A positive value adds to
the current capacity and a negative number subtracts from the current capacity.
Required: Yes
Type: Integer
AWS::AutoScaling::ScalingPolicy TargetTrackingConfiguration
TargetTrackingConfiguration is a subproperty of ScalingPolicy that specifies a target tracking
scaling policy to use with Amazon EC2 Auto Scaling.
For more information, see PutScalingPolicy in the Amazon EC2 Auto Scaling API Reference. For more
information about scaling policies, see Dynamic Scaling in the Amazon EC2 Auto Scaling User Guide.

1020
Syntax
JSON
{
"CustomizedMetricSpecification" : CustomizedMetricSpecification (p. 1016),
"PredefinedMetricSpecification" : PredefinedMetricSpecification (p. 1018),
}
YAML
CustomizedMetricSpecification:
CustomizedMetricSpecification (p. 1016)
PredefinedMetricSpecification (p. 1018)
TargetValue: Double
Properties
CustomizedMetricSpecification
A customized metric. You must specify either a predefined metric or a customized metric.
Type: CustomizedMetricSpecification (p. 1016)

DisableScaleIn
Indicates whether scaling in by the target tracking scaling policy is disabled. If scaling in is disabled,
the target tracking scaling policy doesn't remove instances from the Auto Scaling group. Otherwise,
the target tracking scaling policy can remove instances from the Auto Scaling group. The default is
false.
Required: No
Type: Boolean

PredefinedMetricSpecification
A predefined metric. You must specify either a predefined metric or a customized metric.
Type: PredefinedMetricSpecification (p. 1018)

TargetValue
The target value for the metric.
Required: Yes
Type: Double

1021
Specifies a scheduled scaling action for an Amazon EC2 Auto Scaling group, changing the number of
servers available for your application in response to predictable load changes.
Important
When you update a stack with an Auto Scaling group and scheduled action, AWS
CloudFormation always sets the min size, max size, and desired capacity properties of your
group to the values that are defined in the AWS::AutoScaling::AutoScalingGroup section
of your template. However, you might not want CloudFormation to do that when you have a
scheduled action in effect. You can use an UpdatePolicy attribute to prevent CloudFormation
from changing the min size, max size, or desired capacity property values during a stack update
unless you modified the individual values in your template.
If you have rolling updates enabled, before you can update the Auto Scaling group, you must
suspend scheduled actions by specifying an UpdatePolicy attribute for the Auto Scaling
group. You can find sample update policies for rolling updates in the Examples section of the
For more information, see Scheduled Scaling and Suspending and Resuming Scaling Processes in the
Syntax
JSON
{
"Type" : "AWS::AutoScaling::ScheduledAction",
"Properties" : {
"DesiredCapacity" : Integer,
"EndTime" : String,
"MaxSize" : Integer,
"MinSize" : Integer,
"Recurrence" : String,
"StartTime" : String
}
}
YAML
Type: AWS::AutoScaling::ScheduledAction
Properties:
DesiredCapacity: Integer
EndTime: String
MaxSize: Integer
MinSize: Integer
Recurrence: String
StartTime: String
Properties
The name or Amazon Resource Name (ARN) of the Auto Scaling group.

1022
Required: Yes
Type: String

DesiredCapacity
The number of Amazon EC2 instances that should be running in the Auto Scaling group.
You must specify at least one of the following properties: MaxSize, MinSize, or
DesiredCapacity.
Type: Integer

EndTime
The date and time in UTC for the recurring schedule to end. For example,
"2019-06-01T00:00:00Z".
Required: No
Type: String

MaxSize
The maximum number of Amazon EC2 instances in the Auto Scaling group.
DesiredCapacity.
Type: Integer

MinSize
The minimum number of Amazon EC2 instances in the Auto Scaling group.
DesiredCapacity.
Type: Integer

Recurrence
The recurring schedule for this action, in Unix cron syntax format. For more information about cron
syntax, see Crontab.
Specifying the StartTime and EndTime properties with Recurrence property forms the start and
stop boundaries of the recurring action.

1023
Required: No
Type: String

StartTime
The date and time in UTC for this action to start. For example, "2019-06-01T00:00:00Z".
Required: No
Type: String
Return Values
Ref
name. For example: mystack-myscheduledaction-NT5EUXTNTXXD.
Examples
The following example schedule scaling actions for an Auto Scaling group.
Scheduled Scaling Action
The following template snippet includes two scheduled actions that scale the number of instances
in an Auto Scaling group. The ScheduledActionOut action starts at 7 AM every day and sets
the Auto Scaling group to a minimum of five Amazon EC2 instances with a maximum of 10. The
ScheduledActionIn action starts at 7 PM every day and sets the Auto Scaling group to a minimum
and maximum of one Amazon EC2 instance.
JSON
{
"ScheduledActionOut":{
"Type":"AWS::AutoScaling::ScheduledAction",
"Properties":{
"Ref":"myASG"
},
"MaxSize":"10",
"MinSize":"5",
"Recurrence":"0 7 * * *"
}
},
"ScheduledActionIn":{
"Type":"AWS::AutoScaling::ScheduledAction",
"Properties":{
"Ref":"myASG"
},
"MaxSize":"1",
"MinSize":"1",
"Recurrence":"0 19 * * *"
}

1024
AWS Backup
}
}
YAML
ScheduledActionOut:
Properties:
Ref: "myASG"
MaxSize: 10
MinSize: 5
Recurrence: "0 7 * * *"
ScheduledActionIn:
Properties:
Ref: "myASG"
MaxSize: 1
MinSize: 1
Recurrence: "0 19 * * *"
AWS Backup Resource Type Reference

Resource Types
• AWS::Backup::BackupPlan (p. 1025)

• AWS::Backup::BackupSelection (p. 1030)
• AWS::Backup::BackupVault (p. 1033)
AWS::Backup::BackupPlan
Contains an optional backup plan display name and an array of BackupRule objects, each of which
specifies a backup rule. Each rule in a backup plan is a separate scheduled task and can back up a
different selection of AWS resources.
Syntax
JSON
{
"Type" : "AWS::Backup::BackupPlan",
"Properties" : {
"BackupPlan" : BackupPlanResourceType (p. 1026),
"BackupPlanTags" : Json
}
}
YAML
Type: AWS::Backup::BackupPlan
Properties:
BackupPlan:
BackupPlanResourceType (p. 1026)

1025
AWS Backup
BackupPlanTags: Json
Properties
BackupPlan
Uniquely identifies the backup plan to be associated with the selection of resources.
Required: Yes
Type: BackupPlanResourceType (p. 1026)

BackupPlanTags
To help organize your resources, you can assign your own metadata to the resources that you create.
Each tag is a key-value pair. The specified tags are assigned to all backups created with this plan.
Required: No
Type: Json
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns BackupPlanId.
Fn::GetAtt
BackupPlanArn
An Amazon Resource Name (ARN) that uniquely identifies a backup plan; for example,
arn:aws:backup:us-east-1:123456789012:plan:8F81F553-3A74-4A3F-B93D-
B3360DC80C50.
BackupPlanId
Uniquely identifies a backup plan.

VersionId
Unique, randomly generated, Unicode, UTF-8 encoded strings that are at most 1,024 bytes long.
Version Ids cannot be edited.
AWS::Backup::BackupPlan BackupPlanResourceType
Specifies an object containing properties used to create a backup plan.

1026
AWS Backup
Syntax
JSON
{
"BackupPlanName" : String,
"BackupPlanRule" : [ BackupRuleResourceType (p. 1027), ... ]
}
YAML
BackupPlanName: String
BackupPlanRule:
- BackupRuleResourceType (p. 1027)
Properties
BackupPlanName
The display name of a backup plan.
Required: Yes
Type: String

BackupPlanRule
An array of BackupRule objects, each of which specifies a scheduled task that is used to back up a
selection of resources.
Required: Yes
Type: List of BackupRuleResourceType (p. 1027)
AWS::Backup::BackupPlan BackupRuleResourceType
Specifies an object containing properties used to schedule a task to back up a selection of resources.
Syntax
JSON
{
"CompletionWindowMinutes" : Double,
"Lifecycle" : LifecycleResourceType (p. 1029),
"RecoveryPointTags" : Json,
"RuleName" : String,
"ScheduleExpression" : String,
"StartWindowMinutes" : Double,
"TargetBackupVault" : String

1027
AWS Backup
YAML
CompletionWindowMinutes: Double
Lifecycle:
LifecycleResourceType (p. 1029)
RecoveryPointTags: Json
RuleName: String
ScheduleExpression: String
StartWindowMinutes: Double
TargetBackupVault: String
Properties
CompletionWindowMinutes
A value in minutes after a backup job is successfully started before it must be completed or it is
canceled by AWS Backup.
Required: No
Type: Double

Lifecycle
The lifecycle defines when a protected resource is transitioned to cold storage and when it expires.
AWS Backup transitions and expires backups automatically according to the lifecycle that you define.
Required: No
Type: LifecycleResourceType (p. 1029)

RecoveryPointTags
To help organize your resources, you can assign your own metadata to the resources that you create.
Each tag is a key-value pair.
Required: No
Type: Json

RuleName
A display name for a backup rule.
Required: Yes
Type: String

ScheduleExpression
A CRON expression specifying when AWS Backup initiates a backup job.
Required: No

1028
AWS Backup
Type: String

StartWindowMinutes
An optional value that specifies a period of time in minutes after a backup is scheduled before a job
is canceled if it doesn't start successfully.
Required: No
Type: Double

TargetBackupVault
The name of a logical container where backups are stored. Backup vaults are identified by names
that are unique to the account used to create them and the AWS Region where they are created.
They consist of lowercase letters, numbers, and hyphens.
Required: Yes
Type: String
AWS::Backup::BackupPlan LifecycleResourceType
Specifies an object containing an array of Transition objects that determine how long in days before a
recovery point transitions to cold storage or is deleted.
Syntax
JSON
{
"DeleteAfterDays" : Double,
"MoveToColdStorageAfterDays" : Double
}
YAML
DeleteAfterDays: Double
MoveToColdStorageAfterDays: Double
Properties
DeleteAfterDays
Specifies the number of days after creation that a recovery point is deleted. Must be greater than
MoveToColdStorageAfterDays.
Required: No
Type: Double

1029
AWS Backup
MoveToColdStorageAfterDays
Specifies the number of days after creation that a recovery point is moved to cold storage.
Required: No
Type: Double
AWS::Backup::BackupSelection
Specifies a set of resources to assign to a backup plan.
Syntax
JSON
{
"Type" : "AWS::Backup::BackupSelection",
"Properties" : {
"BackupPlanId" : String,
"BackupSelection" : BackupSelectionResourceType (p. 1031)
}
}
YAML
Type: AWS::Backup::BackupSelection
Properties:
BackupPlanId: String
BackupSelection:
BackupSelectionResourceType (p. 1031)
Properties
BackupPlanId
Required: Yes
Type: String

BackupSelection
Specifies the body of a request to assign a set of resources to a backup plan.
It includes an array of resources, an optional array of patterns to exclude resources, an optional role
to provide access to the AWS service the resource belongs to, and an optional array of tags used to
identify a set of resources.
Required: Yes
Type: BackupSelectionResourceType (p. 1031)

1030
AWS Backup
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns
BackupSelectionId.
Fn::GetAtt
BackupPlanId

SelectionId
Uniquely identifies a request to assign a set of resources to a backup plan.
AWS::Backup::BackupSelection BackupSelectionResourceType
Specifies an object containing properties used to assign a set of resources to a backup plan.
Syntax
JSON
{
"IamRoleArn" : String,
"ListOfTags" : [ ConditionResourceType (p. 1032), ... ],
"Resources" : [ String, ... ],
"SelectionName" : String
}
YAML
IamRoleArn: String
ListOfTags:
- ConditionResourceType (p. 1032)
Resources:
- String
SelectionName: String
Properties
IamRoleArn
The ARN of the IAM role that AWS Backup uses to authenticate when restoring the target resource;
for example, arn:aws:iam::123456789012:role/S3Access.

1031
AWS Backup
Required: Yes
Type: String

ListOfTags
An array of conditions used to specify a set of resources to assign to a backup plan; for example,
"StringEquals": {"ec2:ResourceTag/Department": "accounting".
Required: No
Type: List of ConditionResourceType (p. 1032)

Resources
An array of strings that either contain Amazon Resource Names (ARNs) or match patterns such as
"arn:aws:ec2:us-east-1:123456789012:volume/*" of resources to assign to a backup plan.
Required: No

SelectionName
The display name of a resource selection document.
Required: Yes
Type: String
AWS::Backup::BackupSelection ConditionResourceType
Specifies an object that contains an array of triplets made up of a condition type (such as
StringEquals), a key, and a value. Conditions are used to filter resources in a selection that is assigned
to a backup plan.
Syntax
JSON
{
"ConditionKey" : String,
"ConditionType" : String,
"ConditionValue" : String
}
YAML
ConditionKey: String
ConditionType: String

1032
AWS Backup
ConditionValue: String
Properties
ConditionKey
The key in a key-value pair. For example, in "ec2:ResourceTag/Department": "accounting",

"ec2:ResourceTag/Department" is the key.
Required: Yes
Type: String

ConditionType
An operation, such as StringEquals, that is applied to a key-value pair used to filter resources in a
selection.
Required: Yes
Type: String

ConditionValue
The value in a key-value pair. For example, in "ec2:ResourceTag/Department":

"accounting", "accounting" is the value.
Required: Yes
Type: String
AWS::Backup::BackupVault
Creates a logical container where backups are stored. A CreateBackupVault request includes a name,
optionally one or more resource tags, an encryption key, and a request ID.
Note
Sensitive data, such as passport numbers, should not be included the name of a backup vault.
Syntax
JSON
{
"Type" : "AWS::Backup::BackupVault",
"Properties" : {
"AccessPolicy" : Json,
"BackupVaultName" : String,
"BackupVaultTags" : Json,
"EncryptionKeyArn" : String,
"Notifications" : NotificationObjectType (p. 1035)
}

1033
AWS Backup
YAML
Type: AWS::Backup::BackupVault
Properties:
AccessPolicy: Json
BackupVaultName: String
BackupVaultTags: Json
EncryptionKeyArn: String
Notifications:
NotificationObjectType (p. 1035)
Properties
AccessPolicy
A resource-based policy that is used to manage access permissions on the target backup vault.
Required: No
Type: Json

BackupVaultName
that are unique to the account used to create them and the AWS Region where they are created.
They consist of lowercase letters, numbers, and hyphens.
Required: Yes
Type: String
Pattern: ^[a-zA-Z0-9\-\_\.]{1,50}$

BackupVaultTags
Metadata that you can assign to help organize the resources that you create. Each tag is a key-value
pair.
Required: No
Type: Json

EncryptionKeyArn
The server-side encryption key that is used to protect your backups; for example,
arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.
Required: No
Type: String

Notifications
The SNS event notifications for the specified backup vault.

1034
AWS Backup
Required: No
Type: NotificationObjectType (p. 1035)
Return Values
Ref
BackupVaultName.
Fn::GetAtt
BackupVaultArn
An Amazon Resource Name (ARN) that uniquely identifies a backup vault; for example,
arn:aws:backup:us-east-1:123456789012:vault:aBackupVault.
BackupVaultName
that are unique to the account used to create them and the Region where they are created. They
consist of lowercase letters, numbers, and hyphens.
AWS::Backup::BackupVault NotificationObjectType
Specifies an object containing SNS event notification properties for the target backup vault.
Syntax
JSON
{
"BackupVaultEvents" : [ String, ... ],
"SNSTopicArn" : String
}
YAML
BackupVaultEvents:
- String
SNSTopicArn: String
Properties
BackupVaultEvents
An array of events that indicate the status of jobs to back up resources to the backup vault.

1035
AWS Batch
Required: Yes

SNSTopicArn
An ARN that uniquely identifies an Amazon Simple Notification Service (Amazon SNS) topic; for
example, arn:aws:sns:us-west-2:111122223333:MyTopic.
Required: Yes
Type: String
AWS Batch Resource Type Reference

Resource Types
• AWS::Batch::ComputeEnvironment (p. 1036)

• AWS::Batch::JobDefinition (p. 1044)
• AWS::Batch::JobQueue (p. 1060)
AWS::Batch::ComputeEnvironment
The AWS::Batch::ComputeEnvironment resource defines your AWS Batch compute environment. For
more information, see Compute Environments in the AWS Batch User Guide.
Syntax
JSON
{
"Type" : "AWS::Batch::ComputeEnvironment",
"Properties" : {
"ComputeEnvironmentName" : String,
"ComputeResources" : ComputeResources (p. 1039),
"ServiceRole" : String,
"State" : String,
"Type" : String
}
}
YAML
Type: AWS::Batch::ComputeEnvironment
Properties:
ComputeEnvironmentName: String
ComputeResources:
ComputeResources (p. 1039)
ServiceRole: String
State: String
Type: String

1036
AWS Batch
Properties
ComputeEnvironmentName
The name for your compute environment. Up to 128 letters (uppercase and lowercase), numbers,
hyphens, and underscores are allowed.
Required: No
Type: String

ComputeResources
The ComputeResources property type specifies details of the compute resources managed by the
compute environment. This parameter is required for managed compute environments. For more
information, see Compute Environments in the AWS Batch User Guide.
Required: No
Type: ComputeResources (p. 1039)

ServiceRole
The full Amazon Resource Name (ARN) of the IAM role that allows AWS Batch to make calls to other
AWS services on your behalf.
If your specified role has a path other than /, then you must either specify the full role ARN (this is
recommended) or prefix the role name with the path.
Note
Depending on how you created your AWS Batch service role, its ARN may contain the
service-role path prefix. When you only specify the name of the service role, AWS Batch
assumes that your ARN does not use the service-role path prefix. Because of this, we
recommend that you specify the full ARN of your service role when you create compute
environments.
Required: Yes
Type: String

State
The state of the compute environment. If the state is ENABLED, then the compute environment
accepts jobs from a queue and can scale out automatically based on queues.
Required: No
Type: String

Type
The type of the compute environment. For more information, see Compute Environments in the AWS
Batch User Guide.
Required: Yes

1037
AWS Batch
Type: String
Allowed Values: MANAGED | UNMANAGED
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the
compute environment ARN, such as arn:aws:batch:us-east-1:555555555555:compute-
environment/M4OnDemand.
Examples
Managed Compute Environment
The following example creates a managed compute environment called C4OnDemand that uses C4 On-
Demand instances and a custom AMI.
JSON
{
"ComputeEnvironment": {
"Type": "AWS::Batch::ComputeEnvironment",
"Properties": {
"Type": "MANAGED",
"ServiceRole": "arn:aws:iam::111122223333:role/service-role/AWSBatchServiceRole",
"ComputeEnvironmentName": "C4OnDemand",
"ComputeResources": {
"MaxvCpus": 128,
"SecurityGroupIds": [
"sg-abcd1234"
],
"Type": "EC2",
"Subnets": [
"subnet-aaaaaaaa",
"subnet-bbbbbbbb",
"subnet-cccccccc"
],
"MinvCpus": 0,
"ImageId": "ami-a1b2c3d4",
"InstanceRole": "ecsInstanceRole",
"InstanceTypes": [
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge"
],
"Ec2KeyPair": "id_rsa",
"Tags": {
"Name": "Batch Instance - C4OnDemand"
},
"DesiredvCpus": 48
},
"State": "ENABLED"
}
}

1038
AWS Batch
YAML
ComputeEnvironment:
Type: AWS::Batch::ComputeEnvironment
Properties:
Type: MANAGED
ServiceRole: arn:aws:iam::111122223333:role/service-role/AWSBatchServiceRole
ComputeEnvironmentName: C4OnDemand
ComputeResources:
MaxvCpus: 128
SecurityGroupIds:
- sg-abcd1234
Type: EC2
Subnets:
- subnet-aaaaaaaa
- subnet-bbbbbbbb
- subnet-cccccccc
MinvCpus: 0
ImageId: ami-a1b2c3d4
InstanceRole: ecsInstanceRole
InstanceTypes:
- c4.large
- c4.xlarge
- c4.2xlarge
- c4.4xlarge
- c4.8xlarge
Ec2KeyPair: id_rsa
Tags: {"Name" : "Batch Instance - C4OnDemand"}
DesiredvCpus: 48
State: ENABLED
See Also
• Compute Environments in the AWS Batch User Guide.
AWS::Batch::ComputeEnvironment ComputeResources
Details of the compute resources managed by the compute environment. This parameter is required for
managed compute environments. For more information, see Compute Environments in the AWS Batch
User Guide.
Syntax
JSON
{
"AllocationStrategy" : String,
"BidPercentage" : Integer,
"DesiredvCpus" : Integer,
"Ec2KeyPair" : String,
"ImageId" : String,
"InstanceRole" : String,
"InstanceTypes" : [ String, ... ],
"MaxvCpus" : Integer,
"MinvCpus" : Integer,
"PlacementGroup" : String,

1039
AWS Batch

"SpotIamFleetRole" : String,
"Subnets" : [ String, ... ],
"Tags" : Json,
"Type" : String
}
YAML
AllocationStrategy: String
BidPercentage: Integer
DesiredvCpus: Integer
Ec2KeyPair: String
ImageId: String
InstanceRole: String
InstanceTypes:
- String
LaunchTemplate:
MaxvCpus: Integer
MinvCpus: Integer
PlacementGroup: String
SecurityGroupIds:
- String
SpotIamFleetRole: String
Subnets:
- String
Tags: Json
Type: String
Properties
AllocationStrategy
The allocation strategy to use for the compute resource in case not enough instances of the best
fitting instance type can be allocated. This could be due to availability of the instance type in the
region or Amazon EC2 service limits. If this is not specified, the default is BEST_FIT, which will use
only the best fitting instance type, waiting for additional capacity if it's not available. This allocation
strategy keeps costs lower but can limit scaling. If you are using Spot Fleets with BEST_FIT then
the Spot Fleet IAM Role must be specified. BEST_FIT_PROGRESSIVE will select additional instance
types that are large enough to meet the requirements of the jobs in the queue, with a preference for
instance types with a lower cost per vCPU. SPOT_CAPACITY_OPTIMIZED is only available for Spot
Instance compute resources and will select additional instance types that are large enough to meet
the requirements of the jobs in the queue, with a preference for instance types that are less likely to
be interrupted. For more information, see Allocation Strategies in the AWS Batch User Guide.
Required: No
Type: String
Allowed Values: BEST_FIT | BEST_FIT_PROGRESSIVE | SPOT_CAPACITY_OPTIMIZED

BidPercentage
The maximum percentage that a Spot Instance price can be when compared with the On-Demand
price for that instance type before instances are launched. For example, if your maximum percentage
is 20%, then the Spot price must be below 20% of the current On-Demand price for that Amazon
EC2 instance. You always pay the lowest (market) price and never more than your maximum
percentage. If you leave this field empty, the default value is 100% of the On-Demand price.

1040
AWS Batch
Required: No
Type: Integer

DesiredvCpus
The desired number of Amazon EC2 vCPUS in the compute environment.
Required: No
Type: Integer

Ec2KeyPair
The Amazon EC2 key pair that is used for instances launched in the compute environment.
Required: No
Type: String

ImageId
The Amazon Machine Image (AMI) ID used for instances launched in the compute environment.
Required: No
Type: String

InstanceRole
The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment.
You can specify the short name or full Amazon Resource Name (ARN) of an instance profile.
For example, ecsInstanceRole or arn:aws:iam::<aws_account_id>:instance-
profile/ecsInstanceRole . For more information, see Amazon ECS Instance Role in the AWS
Batch User Guide.
Required: Yes
Type: String

InstanceTypes
The instances types that may be launched. You can specify instance families to launch any instance
type within those families (for example, c5 or p3), or you can specify specific sizes within a family
(such as c5.8xlarge). You can also choose optimal to pick instance types (from the C, M, and R
instance families) on the fly that match the demand of your job queues.
Required: Yes

LaunchTemplate
The launch template to use for your compute resources. Any other compute resource parameters
that you specify in a CreateComputeEnvironment API operation override the same parameters in the

1041
AWS Batch
launch template. You must specify either the launch template ID or launch template name in the
request, but not both. For more information, see Launch Template Support in the AWS Batch User
Guide.
Required: No

MaxvCpus
The maximum number of Amazon EC2 vCPUs that an environment can reach.
Required: Yes
Type: Integer

MinvCpus
The minimum number of Amazon EC2 vCPUs that an environment should maintain (even if the
compute environment is DISABLED).
Required: Yes
Type: Integer

PlacementGroup
The Amazon EC2 placement group to associate with your compute resources. If you intend to submit
multi-node parallel jobs to your compute environment, you should consider creating a cluster
placement group and associate it with your compute resources. This keeps your multi-node parallel
job on a logical grouping of instances within a single Availability Zone with high network flow
potential. For more information, see Placement Groups in the Amazon EC2 User Guide for Linux
Instances.
Required: No
Type: String

SecurityGroupIds
The Amazon EC2 security groups associated with instances launched in the compute environment.
One or more security groups must be specified, either in securityGroupIds or using a
launch template referenced in launchTemplate. If security groups are specified using both
securityGroupIds and launchTemplate, the values in securityGroupIds will be used.
Required: No

SpotIamFleetRole
The Amazon Resource Name (ARN) of the Amazon EC2 Spot Fleet IAM role applied to a SPOT
compute environment. This role is required if the allocation strategy set to BEST_FIT or if the
allocation strategy is not specified. For more information, see Amazon EC2 Spot Fleet Role in the
AWS Batch User Guide.

1042
AWS Batch
Required: No
Type: String

Subnets
The VPC subnets into which the compute resources are launched. For more information, see VPCs
and Subnets in the Amazon VPC User Guide.
Required: Yes

Tags
Key-value pair tags to be applied to resources that are launched in the compute environment. For
AWS Batch, these take the form of "String1": "String2", where String1 is the tag key and String2 is
the tag value—for example, { "Name": "AWS Batch Instance - C4OnDemand" }.
Required: No
Type: Json

Type
The type of compute environment: EC2 or SPOT.
Required: Yes
Type: String
Allowed Values: EC2 | SPOT
See Also
• Compute Environments in the AWS Batch User Guide.
AWS::Batch::ComputeEnvironment LaunchTemplateSpecification
An object representing a launch template associated with a compute resource. You must specify either
the launch template ID or launch template name in the request, but not both.
Syntax
JSON
{
"Version" : String
}

1043
AWS Batch
YAML
Version: String
Properties
LaunchTemplateId
The ID of the launch template.
Required: No
Type: String

LaunchTemplateName
The name of the launch template.
Required: No
Type: String

Version
The version number of the launch template.
Default: The default version of the launch template.
Required: No
Type: String
See Also
• Launch Template Support in the AWS Batch User Guide.
AWS::Batch::JobDefinition
The AWS::Batch::JobDefinition resource specifies the parameters for an AWS Batch job definition.
For more information, see Job Definitions in the AWS Batch User Guide.
Syntax
JSON
{
"Type" : "AWS::Batch::JobDefinition",
"Properties" : {
"ContainerProperties" : ContainerProperties (p. 1047),
"JobDefinitionName" : String,

1044
AWS Batch
"NodeProperties" : NodeProperties (p. 1054),

"Parameters" : Json,
"RetryStrategy" : RetryStrategy (p. 1057),
"Timeout" : Timeout (p. 1058),
"Type" : String
}
}
YAML
Type: AWS::Batch::JobDefinition
Properties:
ContainerProperties:
ContainerProperties (p. 1047)
JobDefinitionName: String
NodeProperties:
NodeProperties (p. 1054)
Parameters: Json
RetryStrategy:
RetryStrategy (p. 1057)
Timeout:
Timeout (p. 1058)
Type: String
Properties
ContainerProperties
An object with various properties specific to container-based jobs.
Required: No
Type: ContainerProperties (p. 1047)

JobDefinitionName
The name of the job definition.
Required: No
Type: String

NodeProperties
An object with various properties specific to multi-node parallel jobs.
Required: No
Type: NodeProperties (p. 1054)

Parameters
Default parameters or parameter substitution placeholders that are set in the job definition.
Parameters are specified as a key-value pair mapping. Parameters in a SubmitJob request override
any corresponding parameter defaults from the job definition. For more information about
specifying parameters, see Job Definition Parameters in the AWS Batch User Guide.
Required: No

1045
AWS Batch
Type: Json

RetryStrategy
The retry strategy to use for failed jobs that are submitted with this job definition.
Required: No
Type: RetryStrategy (p. 1057)

Timeout
The timeout configuration for jobs that are submitted with this job definition. You can specify a
timeout duration after which AWS Batch terminates your jobs if they have not finished.
Required: No
Type: Timeout (p. 1058)

Type
The type of job definition.
Required: Yes
Type: String
Allowed Values: container | multinode
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the job definition
ARN, such as arn:aws:batch:us-east-1:111122223333:job-definition/test-gpu:2.
Examples
Test nvidia-smi
The following example tests the nvidia-smi command on a GPU instance to verify that the GPU is
working inside the container. For more information, see Test GPU Functionality in the AWS Batch User
Guide.
JSON
{
"JobDefinition": {
"Type": "AWS::Batch::JobDefinition",
"Properties": {
"Type": "container",
"JobDefinitionName": "nvidia-smi",
"ContainerProperties": {

1046
AWS Batch
"MountPoints": [
{
"ReadOnly": false,
"SourceVolume": "nvidia",
"ContainerPath": "/usr/local/nvidia"
}
],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest"
},
"Name": "nvidia"
}
],
"Command": [
"nvidia-smi"
],
"Memory": 2000,
"Privileged": true,
"JobRoleArn": "String",
"ReadonlyRootFilesystem": true,
"Vcpus": 2,
"Image": "nvidia/cuda"
}
}
}
}
YAML
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Memory: 2000
Privileged: true
JobRoleArn: String
ReadonlyRootFilesystem: true
Vcpus: 2
Image: nvidia/cuda
See Also
• Job Definition Parameters in the AWS Batch User Guide.
AWS::Batch::JobDefinition ContainerProperties
Container properties are used in job definitions to describe the container that is launched as part of a
job.

1047
AWS Batch
Syntax
JSON
{
"Command" : [ String, ... ],
"Environment" : [ Environment (p. 1052), ... ],
"Image" : String,
"JobRoleArn" : String,
"LinuxParameters" : LinuxParameters (p. 1053),
"Memory" : Integer,
"MountPoints" : [ MountPoints (p. 1053), ... ],
"Privileged" : Boolean,
"ReadonlyRootFilesystem" : Boolean,
"ResourceRequirements" : [ ResourceRequirement (p. 1056), ... ],
"Ulimits" : [ Ulimit (p. 1058), ... ],
"User" : String,
"Vcpus" : Integer,
"Volumes" : [ Volumes (p. 1059), ... ]
}
YAML
Command:
- String
Environment:
- Environment (p. 1052)
Image: String
JobRoleArn: String
LinuxParameters:
LinuxParameters (p. 1053)
Memory: Integer
MountPoints:
- MountPoints (p. 1053)
Privileged: Boolean
ReadonlyRootFilesystem: Boolean
ResourceRequirements:
- ResourceRequirement (p. 1056)
Ulimits:
- Ulimit (p. 1058)
User: String
Vcpus: Integer
Volumes:
- Volumes (p. 1059)
Properties
Command
The command that is passed to the container. This parameter maps to Cmd in the Create a container
section of the Docker Remote API and the COMMAND parameter to docker run. For more information,
see https://docs.docker.com/engine/reference/builder/#cmd.
Required: No

1048
AWS Batch
Environment
The environment variables to pass to a container. This parameter maps to Env in the Create a
container section of the Docker Remote API and the --env option to docker run.
Important
We do not recommend using plaintext environment variables for sensitive information, such
as credential data.
Note
Environment variables must not start with AWS_BATCH; this naming convention is reserved
for variables that are set by the AWS Batch service.
Required: No
Type: List (p. 1052) of Environment (p. 1052)

Image
The image used to start a container. This string is passed directly to the Docker daemon. Images
in the Docker Hub registry are available by default. Other repositories are specified with
repository-url/image:tag . Up to 255 letters (uppercase and lowercase), numbers, hyphens,
underscores, colons, periods, forward slashes, and number signs are allowed. This parameter maps
to Image in the Create a container section of the Docker Remote API and the IMAGE parameter of
docker run.
• Images in Amazon ECR repositories use the full registry and repository URI (for example,
012345678910.dkr.ecr.<region-name>.amazonaws.com/<repository-name>).
• Images in official repositories on Docker Hub use a single name (for example, ubuntu or mongo).
• Images in other repositories on Docker Hub are qualified with an organization name (for example,
amazon/amazon-ecs-agent).
• Images in other online repositories are qualified further by a domain name (for example,
quay.io/assemblyline/ubuntu).
Required: Yes
Type: String

InstanceType
The instance type to use for a multi-node parallel job. Currently all node groups in a multi-node
parallel job must use the same instance type. This parameter is not valid for single-node container
jobs.
Required: No
Type: String

JobRoleArn
The Amazon Resource Name (ARN) of the IAM role that the container can assume for AWS
permissions.
Required: No
Type: String

1049
AWS Batch
LinuxParameters
Linux-specific modifications that are applied to the container, such as details for device mappings.
Required: No
Type: LinuxParameters (p. 1053)

Memory
The hard limit (in MiB) of memory to present to the container. If your container attempts to exceed
the memory specified here, the container is killed. This parameter maps to Memory in the Create
a container section of the Docker Remote API and the --memory option to docker run. You must
specify at least 4 MiB of memory for a job.
Note
If you are trying to maximize your resource utilization by providing your jobs as much
memory as possible for a particular instance type, see Memory Management in the AWS
Batch User Guide.
Required: Yes
Type: Integer

MountPoints
The mount points for data volumes in your container. This parameter maps to Volumes in the
Create a container section of the Docker Remote API and the --volume option to docker run.
Required: No
Type: List (p. 1053) of MountPoints (p. 1053)

Privileged
When this parameter is true, the container is given elevated privileges on the host container instance
(similar to the root user). This parameter maps to Privileged in the Create a container section of
the Docker Remote API and the --privileged option to docker run.
Required: No
Type: Boolean

ReadonlyRootFilesystem
When this parameter is true, the container is given read-only access to its root file system. This
parameter maps to ReadonlyRootfs in the Create a container section of the Docker Remote API
and the --read-only option to docker run.
Required: No
Type: Boolean

ResourceRequirements
The type and amount of a resource to assign to a container. Currently, the only supported resource is
GPU.

1050
AWS Batch
Required: No
Type: List of ResourceRequirement (p. 1056)

Ulimits
A list of ulimits to set in the container. This parameter maps to Ulimits in the Create a container
section of the Docker Remote API and the --ulimit option to docker run.
Required: No
Type: List of Ulimit (p. 1058)

User
The user name to use inside the container. This parameter maps to User in the Create a container
section of the Docker Remote API and the --user option to docker run.
Required: No
Type: String

Vcpus
The number of vCPUs reserved for the container. This parameter maps to CpuShares in the Create
a container section of the Docker Remote API and the --cpu-shares option to docker run. Each
vCPU is equivalent to 1,024 CPU shares. You must specify at least one vCPU.
Required: Yes
Type: Integer

Volumes
A list of data volumes used in a job.
Required: No
Type: List (p. 1059) of Volumes (p. 1059)
AWS::Batch::JobDefinition Device
An object representing a container instance host device.
Syntax
JSON
{
"ContainerPath" : String,
"HostPath" : String,
"Permissions" : [ String, ... ]
}

1051
AWS Batch
YAML
ContainerPath: String
HostPath: String
Permissions:
- String
Properties
ContainerPath
The path inside the container at which to expose the host device. By default the hostPath value is
used.
Required: No
Type: String

HostPath
The path for the device on the host container instance.
Required: No
Type: String

Permissions
The explicit permissions to provide to the container for the device. By default, the container has
permissions for read, write, and mknod for the device.
Required: No
AWS::Batch::JobDefinition Environment
The Environment property type specifies environment variables to use in a job definition.
Syntax
JSON
{
"Name" : String,
"Value" : String
}
YAML
Name: String
Value: String

1052
AWS Batch
Properties
Name
The name of the environment variable.
Required: No
Type: String

Value
The value of the environment variable.
Required: No
Type: String
AWS::Batch::JobDefinition LinuxParameters
Linux-specific modifications that are applied to the container, such as details for device mappings.
Syntax
JSON
{
"Devices" : [ Device (p. 1051), ... ]
}
YAML
Devices:
- Device (p. 1051)
Properties
Devices
Any host devices to expose to the container. This parameter maps to Devices in the Create a
container section of the Docker Remote API and the --device option to docker run.
Required: No
Type: List of Device (p. 1051)
AWS::Batch::JobDefinition MountPoints
Details on a Docker volume mount point that is used in a job's container properties. This parameter maps
to Volumes in the Create a container section of the Docker Remote API and the --volume option to
docker run.

1053
AWS Batch
Syntax
JSON
{
"ReadOnly" : Boolean,
"SourceVolume" : String
}
YAML
ReadOnly: Boolean
SourceVolume: String
Properties
ContainerPath
The path on the container at which to mount the host volume.
Required: No
Type: String

ReadOnly
If this value is true, the container has read-only access to the volume; otherwise, the container can
write to the volume. The default value is false.
Required: No
Type: Boolean

SourceVolume
The name of the volume to mount.
Required: No
Type: String
AWS::Batch::JobDefinition NodeProperties
An object representing the node properties of a multi-node parallel job.
Syntax
JSON

1054
AWS Batch
"MainNode" : Integer,
"NodeRangeProperties" : [ NodeRangeProperty (p. 1055), ... ],
"NumNodes" : Integer
}
YAML
MainNode: Integer
NodeRangeProperties:
- NodeRangeProperty (p. 1055)
NumNodes: Integer
Properties
MainNode
Specifies the node index for the main node of a multi-node parallel job. This node index value must
be fewer than the number of nodes.
Required: Yes
Type: Integer

NodeRangeProperties
A list of node ranges and their properties associated with a multi-node parallel job.
Required: Yes
Type: List of NodeRangeProperty (p. 1055)

NumNodes
The number of nodes associated with a multi-node parallel job.
Required: Yes
Type: Integer
See Also
• Multi-node Parallel Jobs in the AWS Batch User Guide.
AWS::Batch::JobDefinition NodeRangeProperty
An object representing the properties of the node range for a multi-node parallel job.
Syntax
JSON
{
"Container" : ContainerProperties (p. 1047),

1055
AWS Batch
"TargetNodes" : String
}
YAML
Container:
ContainerProperties (p. 1047)
TargetNodes: String
Properties
Container
The container details for the node range.
Required: No
Type: ContainerProperties (p. 1047)

TargetNodes
The range of nodes, using node index values. A range of 0:3 indicates nodes with index values of 0
through 3. If the starting range value is omitted (:n), then 0 is used to start the range. If the ending
range value is omitted (n:), then the highest possible node index is used to end the range. Your
accumulative node ranges must account for all nodes (0:n). You may nest node ranges, for example
0:10 and 4:5, in which case the 4:5 range properties override the 0:10 properties.
Required: Yes
Type: String
See Also
• Multi-node Parallel Jobs in the AWS Batch User Guide.
AWS::Batch::JobDefinition ResourceRequirement
The type and amount of a resource to assign to a container. Currently, the only supported resource type
is GPU.
Syntax
JSON
{
"Type" : String,
"Value" : String
}
YAML
Type: String

1056
AWS Batch
Value: String
Properties
Type
The type of resource to assign to a container. Currently, the only supported resource type is GPU.
Required: No
Type: String
Allowed Values: GPU

Value
The number of physical GPUs to reserve for the container. The number of GPUs reserved for all
containers in a job should not exceed the number of available GPUs on the compute resource that
the job is launched on.
Required: No
Type: String
AWS::Batch::JobDefinition RetryStrategy
The retry strategy associated with a job.
Syntax
JSON
{
"Attempts" : Integer
}
YAML
Attempts: Integer
Properties
Attempts
The number of times to move a job to the RUNNABLE status. You may specify between 1 and 10
attempts. If the value of attempts is greater than one, the job is retried on failure the same number
of attempts as the value.
Required: No
Type: Integer

1057
AWS Batch
AWS::Batch::JobDefinition Timeout
An object representing a job timeout configuration.
Syntax
JSON
{
"AttemptDurationSeconds" : Integer
}
YAML
AttemptDurationSeconds: Integer
Properties
AttemptDurationSeconds
The time duration in seconds (measured from the job attempt's startedAt timestamp) after which
AWS Batch terminates your jobs if they have not finished.
Required: No
Type: Integer
See Also
• JobTimeout in the AWS Batch API Reference.
AWS::Batch::JobDefinition Ulimit
The ulimit settings to pass to the container.
Syntax
JSON
{
"HardLimit" : Integer,
"Name" : String,
"SoftLimit" : Integer
}
YAML
HardLimit: Integer
Name: String
SoftLimit: Integer

1058
AWS Batch
Properties
HardLimit
The hard limit for the ulimit type.
Required: Yes
Type: Integer

Name
The type of the ulimit.
Required: Yes
Type: String

SoftLimit
The soft limit for the ulimit type.
Required: Yes
Type: Integer
AWS::Batch::JobDefinition Volumes
A list of volumes associated with the job.
Syntax
JSON
{
"Host" : VolumesHost (p. 1060),
"Name" : String
}
YAML
Host:
VolumesHost (p. 1060)
Name: String
Properties
Host
The contents of the host parameter determine whether your data volume persists on the host
container instance and where it is stored. If the host parameter is empty, then the Docker daemon
assigns a host path for your data volume. However, the data is not guaranteed to persist after the
containers associated with it stop running.

1059
AWS Batch
Required: No
Type: VolumesHost (p. 1060)

Name
The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, hyphens, and
underscores are allowed. This name is referenced in the sourceVolume parameter of container
definition mountPoints.
Required: No
Type: String
AWS::Batch::JobDefinition VolumesHost
Determine whether your data volume persists on the host container instance and where it is stored. If
this parameter is empty, then the Docker daemon assigns a host path for your data volume, but the data
is not guaranteed to persist after the containers associated with it stop running.
Syntax
JSON
{
"SourcePath" : String
}
YAML
SourcePath: String
Properties
SourcePath
The path on the host container instance that is presented to the container. If this parameter is
empty, then the Docker daemon has assigned a host path for you. If this parameter contains a file
location, then the data volume persists at the specified location on the host container instance until
you delete it manually. If the source path location does not exist on the host container instance,
the Docker daemon creates it. If the location does exist, the contents of the source path folder are
exported.
Required: No
Type: String
AWS::Batch::JobQueue
The AWS::Batch::JobQueue resource specifies the parameters for an AWS Batch job queue definition.
For more information, see Job Queues in the AWS Batch User Guide.

1060
AWS Batch
Syntax
JSON
{
"Type" : "AWS::Batch::JobQueue",
"Properties" : {
"ComputeEnvironmentOrder" : [ ComputeEnvironmentOrder (p. 1063), ... ],
"JobQueueName" : String,
"Priority" : Integer,
"State" : String
}
}
YAML
Type: AWS::Batch::JobQueue
Properties:
ComputeEnvironmentOrder:
- ComputeEnvironmentOrder (p. 1063)
JobQueueName: String
Priority: Integer
State: String
Properties
ComputeEnvironmentOrder
The set of compute environments mapped to a job queue and their order relative to each other. The
job scheduler uses this parameter to determine which compute environment should execute a given
job. Compute environments must be in the VALID state before you can associate them with a job
queue. You can associate up to three compute environments with a job queue.
Required: Yes
Type: List (p. 1063) of ComputeEnvironmentOrder (p. 1063)

JobQueueName
The name of the job queue.
Required: No
Type: String

Priority
The priority of the job queue. Job queues with a higher priority (or a higher integer value for the
priority parameter) are evaluated first when associated with the same compute environment.
Priority is determined in descending order, for example, a job queue with a priority value of 10 is
given scheduling preference over a job queue with a priority value of 1.
Required: Yes
Type: Integer

1061
AWS Batch

State
The state of the job queue. If the job queue state is ENABLED, it is able to accept jobs.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the job queue
ARN, such as arn:aws:batch:us-east-1:111122223333:job-queue/HighPriority.
Examples
Job queue with two compute environments
The following example defines a job queue called HighPriority that has two compute environments
mapped to it.
JSON
{
"JobQueue": {
"Type": "AWS::Batch::JobQueue",
"Properties": {
"ComputeEnvironmentOrder": [
{
"Order": 1,
"ComputeEnvironment": "C4OnDemand"
},
{
"Order": 2,
"ComputeEnvironment": "M4Spot"
}
],
"State": "ENABLED",
"Priority": 1,
"JobQueueName": "HighPriority"
}
}
}
YAML
JobQueue:
Type: AWS::Batch::JobQueue
Properties:
ComputeEnvironmentOrder:
- Order: 1

1062
AWS Budgets
ComputeEnvironment: C4OnDemand
- Order: 2
ComputeEnvironment: M4Spot
State: ENABLED
Priority: 1
JobQueueName: HighPriority
AWS::Batch::JobQueue ComputeEnvironmentOrder
The order in which compute environments are tried for job placement within a queue. Compute
environments are tried in ascending order. For example, if two compute environments are associated
with a job queue, the compute environment with a lower order integer value is tried for job placement
first.
Syntax
JSON
{
"ComputeEnvironment" : String,
"Order" : Integer
}
YAML
ComputeEnvironment: String
Order: Integer
Properties
ComputeEnvironment
The Amazon Resource Name (ARN) of the compute environment.
Required: Yes
Type: String

Order
The order of the compute environment.
Required: Yes
Type: Integer
AWS Billing and Cost Management Budgets Resource

Type Reference
Resource Types

1063
AWS Budgets
• AWS::Budgets::Budget (p. 1064)
AWS::Budgets::Budget
The AWS::Budgets::Budget resource creates, replaces, or deletes budgets for Billing and Cost
Management. For more information, see Managing Your Costs with Budgets in the AWS Billing and Cost
Management User Guide.
Syntax
JSON
{
"Type" : "AWS::Budgets::Budget",
"Properties" : {
"Budget" : BudgetData (p. 1067),
"NotificationsWithSubscribers" : [ NotificationWithSubscribers (p. 1074), ... ]
}
}
YAML
Type: AWS::Budgets::Budget
Properties:
Budget:
BudgetData (p. 1067)
NotificationsWithSubscribers:
- NotificationWithSubscribers (p. 1074)
Properties
Budget
The budget object that you want to create.
Required: Yes
Type: BudgetData (p. 1067)

NotificationsWithSubscribers
A notification that you want to associate with a budget. A budget can have up to five notifications,
and each notification can have one SNS subscriber and up to 10 email subscribers. If you include
notifications and subscribers in your CreateBudget call, AWS creates the notifications and
subscribers for you.
Required: No
Type: List of NotificationWithSubscribers (p. 1074)
Maximum: 5

1064
AWS Budgets
Return Values
Ref
budget that is created by the template.
Examples
Budget for 100 USD with two notifications
The following example creates a budget for 100 USD amount of costs, with notifications for
when you have spent over 80 USD or over 99 USD. The notifications are sent to the subscribers
email@example.com and email2@example.com.
JSON
{
"Description": "Basic Budget test",
"Resources": {
"Budget": {
"Type": "AWS::Budgets::Budget",
"Properties": {
"Budget": {
"BudgetLimit": {
"Amount": "100",
"Unit": "USD"
},
"TimeUnit": "MONTHLY",
"TimePeriod": {
"Start": "1225864800",
"End": "1926864800"
},
"BudgetType": "COST",
"CostFilters": {
"AZ": [
"us-east-1",
"us-west-1",
"us-east-2"
]
}
},
"NotificationsWithSubscribers": [
{
"Notification": {
"NotificationType": "ACTUAL",
"ComparisonOperator": "GREATER_THAN",
"Threshold": 99
},
"Subscribers": [
{
"SubscriptionType": "EMAIL",
"Address": "email@example.com"
},
{
"Address": "email2@example.com"
}
]
},
{
"Notification": {

1065
AWS Budgets
"NotificationType": "ACTUAL",
"Threshold": 80
},
"Subscribers": [
{
"Address": "email@example.com"
}
]
}
]
}
}
},
"Outputs": {
"BudgetId": {
"Value": "BudgetExample"
}
}
}
YAML
---
Description: "Basic Budget test"
Resources:
BudgetExample:
Type: "AWS::Budgets::Budget"
Properties:
Budget:
BudgetLimit:
Amount: 100
Unit: USD
TimeUnit: MONTHLY
TimePeriod:
Start: 1225864800
End: 1926864800
BudgetType: COST
CostFilters:
AZ:
- us-east-1
- us-west-1
- us-east-2
NotificationsWithSubscribers:
- Notification:
NotificationType: ACTUAL
ComparisonOperator: GREATER_THAN
Threshold: 99
Subscribers:
- SubscriptionType: EMAIL
Address: email@example.com
Address: email2@example.com
- Notification:
NotificationType: ACTUAL
Threshold: 80
Subscribers:
Address: email@example.com
Outputs:
BudgetId:
Value: !Ref BudgetExample

1066
AWS Budgets
See Also
• CreateBudget in the AWS Cost Explorer Service Cost Management APIs
AWS::Budgets::Budget BudgetData
Represents the output of the CreateBudget operation. The content consists of the detailed metadata
and data file information, and the current status of the budget object.
This is the ARN pattern for a budget:
arn:aws:budgets::AccountId:budget/budgetName
Syntax
JSON
{
"BudgetLimit" : Spend (p. 1075),
"BudgetName" : String,
"BudgetType" : String,
"CostFilters" : Json,
"CostTypes" : CostTypes (p. 1070),
"PlannedBudgetLimits" : Json,
"TimePeriod" : TimePeriod (p. 1077),
"TimeUnit" : String
}
YAML
BudgetLimit:
Spend (p. 1075)
BudgetName: String
BudgetType: String
CostFilters: Json
CostTypes:
CostTypes (p. 1070)
PlannedBudgetLimits: Json
TimePeriod:
TimePeriod (p. 1077)
TimeUnit: String
Properties
BudgetLimit
The total amount of cost, usage, RI utilization, RI coverage, Savings Plans utilization, or Savings
Plans coverage that you want to track with your budget.
BudgetLimit is required for cost or usage budgets, but optional for RI or Savings Plans utilization
or coverage budgets. RI and Savings Plans utilization or coverage budgets default to 100, which
is the only valid value for RI or Savings Plans utilization or coverage budgets. You can't use
BudgetLimit with PlannedBudgetLimits for CreateBudget and UpdateBudget actions.
Required: No
Type: Spend (p. 1075)

1067
AWS Budgets

BudgetName
The name of a budget. The value must be unique within an account. BudgetName can't include
: and \ characters. If you don't include value for BudgetName in the template, Billing and Cost
Management assigns your budget a randomly generated name.
Required: No
Type: String

BudgetType
Whether this budget tracks costs, usage, RI utilization, RI coverage, Savings Plans utilization, or
Savings Plans coverage.
Required: Yes
Type: String
Allowed Values: COST | RI_COVERAGE | RI_UTILIZATION | SAVINGS_PLANS_COVERAGE |

SAVINGS_PLANS_UTILIZATION | USAGE

CostFilters
The cost filters, such as service or tag, that are applied to a budget.
AWS Budgets supports the following services as a filter for RI budgets:

• Amazon Elastic Compute Cloud - Compute
• Amazon Redshift
• Amazon Relational Database Service
• Amazon ElastiCache
• Amazon Elasticsearch Service
Required: No
Type: Json

CostTypes
The types of costs that are included in this COST budget.
USAGE, RI_UTILIZATION, RI_COVERAGE, SAVINGS_PLANS_UTILIZATION, and

SAVINGS_PLANS_COVERAGE budgets do not have CostTypes.
Required: No
Type: CostTypes (p. 1070)

PlannedBudgetLimits
A map containing multiple BudgetLimit, including current or future limits.
PlannedBudgetLimits is available for cost or usage budget and supports monthly and quarterly
TimeUnit.

1068
AWS Budgets
For monthly budgets, provide 12 months of PlannedBudgetLimits values. This must start from
the current month and include the next 11 months. The key is the start of the month, UTC in epoch
seconds.
For quarterly budgets, provide 4 quarters of PlannedBudgetLimits value entries in standard

calendar quarter increments. This must start from the current quarter and include the next 3
quarters. The key is the start of the quarter, UTC in epoch seconds.
If the planned budget expires before 12 months for monthly or 4 quarters for quarterly, provide the
PlannedBudgetLimits values only for the remaining periods.
If the budget begins at a date in the future, provide PlannedBudgetLimits values from the start
date of the budget.
After all of the BudgetLimit values in PlannedBudgetLimits are used, the budget continues
to use the last limit as the BudgetLimit. At that point, the planned budget provides the same
experience as a fixed budget.
DescribeBudget and DescribeBudgets response along with PlannedBudgetLimits

will also contain BudgetLimit representing the current month or quarter limit present in
PlannedBudgetLimits. This only applies to budgets created with PlannedBudgetLimits.
Budgets created without PlannedBudgetLimits will only contain BudgetLimit, and no
PlannedBudgetLimits.
Required: No
Type: Json

TimePeriod
The period of time that is covered by a budget. The period has a start date and an end date. The
start date must come before the end date. There are no restrictions on the end date.
The start date for a budget. If you created your budget and didn't specify a start date, the start date
defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example,
if you create your budget on January 24, 2019, choose MONTHLY, and don't set a start date, the start
date defaults to 01/01/19 00:00 UTC. The defaults are the same for the AWS Billing and Cost
Management console and the API.
You can change your start date with the UpdateBudget operation.
After the end date, AWS deletes the budget and all associated notifications and subscribers.
Required: No
Type: TimePeriod (p. 1077)

TimeUnit
The length of time until a budget resets the actual and forecasted spend. DAILY is available only for
RI_UTILIZATION and RI_COVERAGE budgets.
Required: Yes
Type: String
Allowed Values: ANNUALLY | DAILY | MONTHLY | QUARTERLY

1069
AWS Budgets
See Also
• Budget in the AWS Cost Explorer Service Cost Management APIs
AWS::Budgets::Budget CostTypes
The types of cost that are included in a COST budget, such as tax and subscriptions.
USAGE, RI_UTILIZATION, RI_COVERAGE, SAVINGS_PLANS_UTILIZATION, and

SAVINGS_PLANS_COVERAGE budgets do not have CostTypes.
Syntax
JSON
{
"IncludeCredit" : Boolean,
"IncludeDiscount" : Boolean,
"IncludeOtherSubscription" : Boolean,
"IncludeRecurring" : Boolean,
"IncludeRefund" : Boolean,
"IncludeSubscription" : Boolean,
"IncludeSupport" : Boolean,
"IncludeTax" : Boolean,
"IncludeUpfront" : Boolean,
"UseAmortized" : Boolean,
"UseBlended" : Boolean
}
YAML
IncludeCredit: Boolean
IncludeDiscount: Boolean
IncludeOtherSubscription: Boolean
IncludeRecurring: Boolean
IncludeRefund: Boolean
IncludeSubscription: Boolean
IncludeSupport: Boolean
IncludeTax: Boolean
IncludeUpfront: Boolean
UseAmortized: Boolean
UseBlended: Boolean
Properties
IncludeCredit
Specifies whether a budget includes credits.
The default value is true.
Required: No
Type: Boolean

1070
AWS Budgets

IncludeDiscount
Specifies whether a budget includes discounts.
Required: No
Type: Boolean

IncludeOtherSubscription
Specifies whether a budget includes non-RI subscription costs.
Required: No
Type: Boolean

IncludeRecurring
Specifies whether a budget includes recurring fees such as monthly RI fees.
Required: No
Type: Boolean

IncludeRefund
Specifies whether a budget includes refunds.
Required: No
Type: Boolean

IncludeSubscription
Specifies whether a budget includes subscriptions.
Required: No
Type: Boolean

IncludeSupport
Specifies whether a budget includes support subscription fees.

1071
AWS Budgets
Required: No
Type: Boolean

IncludeTax
Specifies whether a budget includes taxes.
Required: No
Type: Boolean

IncludeUpfront
Specifies whether a budget includes upfront RI costs.
Required: No
Type: Boolean

UseAmortized
Specifies whether a budget uses the amortized rate.
Required: No
Type: Boolean

UseBlended
Specifies whether a budget uses a blended rate.
Required: No
Type: Boolean
See Also
• CostTypes in the AWS Cost Explorer Service Cost Management APIs
AWS::Budgets::Budget Notification
A notification that is associated with a budget. A budget can have up to five notifications.
Each notification must have at least one subscriber. A notification can have one SNS subscriber and up to
10 email subscribers, for a total of 11 subscribers.

1072
AWS Budgets
For example, if you have a budget for 200 dollars and you want to be notified when you go over 160
dollars, create a notification with the following parameters:
• A notificationType of ACTUAL
• A thresholdType of PERCENTAGE
• A comparisonOperator of GREATER_THAN
• A notification threshold of 80
Syntax
JSON
{
"ComparisonOperator" : String,
"NotificationType" : String,
"Threshold" : Double,
"ThresholdType" : String
}
YAML
ComparisonOperator: String
NotificationType: String
Threshold: Double
ThresholdType: String
Properties
ComparisonOperator
The comparison that is used for this notification.
Required: Yes
Type: String
Allowed Values: EQUAL_TO | GREATER_THAN | LESS_THAN

NotificationType
Whether the notification is for how much you have spent (ACTUAL) or for how much you're
forecasted to spend (FORECASTED).
Required: Yes
Type: String
Allowed Values: ACTUAL | FORECASTED

Threshold
The threshold that is associated with a notification. Thresholds are always a percentage, and many
customers find value being alerted between 50% - 200% of the budgeted amount. The maximum
limit for your threshold is 1,000,000% above the budgeted amount.

1073
AWS Budgets
Required: Yes
Type: Double

ThresholdType
The type of threshold for a notification. For ABSOLUTE_VALUE thresholds, AWS notifies you when
you go over or are forecasted to go over your total cost threshold. For PERCENTAGE thresholds, AWS
notifies you when you go over or are forecasted to go over a certain percentage of your forecasted
spend. For example, if you have a budget for 200 dollars and you have a PERCENTAGE threshold of
80%, AWS notifies you when you go over 160 dollars.
Required: No
Type: String
Allowed Values: ABSOLUTE_VALUE | PERCENTAGE
See Also
• Notification in the AWS Cost Explorer Service Cost Management APIs
AWS::Budgets::Budget NotificationWithSubscribers
A notification with subscribers. A notification can have one SNS subscriber and up to 10 email
subscribers, for a total of 11 subscribers.
Syntax
JSON
{
"Notification" : Notification (p. 1072),
"Subscribers" : [ Subscriber (p. 1076), ... ]
}
YAML
Notification:
Notification (p. 1072)
Subscribers:
- Subscriber (p. 1076)
Properties
Notification
The notification that is associated with a budget.
Required: Yes
Type: Notification (p. 1072)

1074
AWS Budgets
Subscribers
A list of subscribers who are subscribed to this notification.
Required: Yes
Type: List of Subscriber (p. 1076)
Maximum: 11
See Also
• NotificationWithSubscribers in the AWS Cost Explorer Service Cost Management APIs
AWS::Budgets::Budget Spend
The amount of cost or usage that is measured for a budget.
For example, a Spend for 3 GB of S3 usage would have the following parameters:
• An Amount of 3
• A unit of GB
Syntax
JSON
{
"Amount" : Double,
"Unit" : String
}
YAML
Amount: Double
Unit: String
Properties
Amount
The cost or usage amount that is associated with a budget forecast, actual spend, or budget
threshold.
Required: Yes
Type: Double

Unit
The unit of measurement that is used for the budget forecast, actual spend, or budget threshold,
such as dollars or GB.

1075
AWS Budgets
Required: Yes
Type: String
See Also
• Spend in the AWS Cost Explorer Service Cost Management APIs
AWS::Budgets::Budget Subscriber
The Subscriber property type specifies who to notify for a Billing and Cost Management budget
notification. The subscriber consists of a subscription type, and either an Amazon SNS topic or an email
address.
For example, an email subscriber would have the following parameters:
• A subscriptionType of EMAIL
• An address of example@example.com
Syntax
JSON
{
"Address" : String,
"SubscriptionType" : String
}
YAML
Address: String
SubscriptionType: String
Properties
Address
The address that AWS sends budget notifications to, either an SNS topic or an email.
When you create a subscriber, the value of Address can't contain line breaks.
Required: Yes
Type: String

SubscriptionType
The type of notification that AWS sends to a subscriber.
Required: Yes
Type: String

1076
AWS Budgets
Allowed Values: EMAIL | SNS
See Also
• Subscriber in the AWS Cost Explorer Service Cost Management APIs
AWS::Budgets::Budget TimePeriod
The period of time that is covered by a budget. The period has a start date and an end date. The start
date must come before the end date. There are no restrictions on the end date.
Syntax
JSON
{
"End" : String,
"Start" : String
}
YAML
End: String
Start: String
Properties
End
The end date for a budget. If you didn't specify an end date, AWS set your end date to 06/15/87
00:00 UTC. The defaults are the same for the AWS Billing and Cost Management console and the
API.
After the end date, AWS deletes the budget and all associated notifications and subscribers. You can
change your end date with the UpdateBudget operation.
Required: No
Type: String

Start
The start date for a budget. If you created your budget and didn't specify a start date, the start date
defaults to the start of the chosen time period (MONTHLY, QUARTERLY, or ANNUALLY). For example,
if you create your budget on January 24, 2019, choose MONTHLY, and don't set a start date, the start
date defaults to 01/01/19 00:00 UTC. The defaults are the same for the AWS Billing and Cost
Management console and the API.
You can change your start date with the UpdateBudget operation.
Valid values depend on the value of BudgetType:

1077
Certificate Manager
• If BudgetType is COST or USAGE: Valid values are MONTHLY, QUARTERLY, and ANNUALLY.
• If BudgetType is RI_UTILIZATION or RI_COVERAGE: Valid values are DAILY, MONTHLY,
QUARTERLY, and ANNUALLY.
Required: No
Type: String
See Also
• TimePeriod in the AWS Cost Explorer Service Cost Management APIs
AWS Certificate Manager Resource Type Reference

Resource Types
• AWS::CertificateManager::Certificate (p. 1078)
AWS::CertificateManager::Certificate
The AWS::CertificateManager::Certificate resource requests an AWS Certificate Manager (ACM)
certificate that you can use to enable secure connections. For example, you can deploy an ACM certificate
to an Elastic Load Balancer to enable HTTPS support. For more information, see RequestCertificate in the
AWS Certificate Manager API Reference.
Important
When you use the AWS::CertificateManager::Certificate resource in an AWS
CloudFormation stack, the stack will remain in the CREATE_IN_PROGRESS state. Further stack
operations will be delayed until you validate the certificate request, either by acting upon the
instructions in the validation email, or by adding a CNAME record to your DNS configuration.
For more information, see Use Email to Validate Domain Ownership and Use DNS to Validate
Domain Ownership.
Syntax
JSON
{
"Type" : "AWS::CertificateManager::Certificate",
"Properties" : {
"DomainValidationOptions" : [ DomainValidationOption (p. 1081), ... ],
"SubjectAlternativeNames" : [ String, ... ],
"Tags" : [ Tag, ... ],
"ValidationMethod" : String
}
}
YAML
Type: AWS::CertificateManager::Certificate

1078
Properties:
DomainName: String
DomainValidationOptions:
- DomainValidationOption (p. 1081)
SubjectAlternativeNames:
- String
Tags:
- Tag
ValidationMethod: String
Properties
DomainName
The fully qualified domain name (FQDN), such as www.example.com, with which you want to secure
an ACM certificate. Use an asterisk (*) to create a wildcard certificate that protects several sites in the
same domain. For example, *.example.com protects www.example.com, site.example.com,
and images.example.com.
Required: Yes
Type: String
Minimum: 1
Maximum: 253
Pattern: ^(\*\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\.)+((?!-)[A-Za-z0-9-]
{1,62}[A-Za-z0-9])$

DomainValidationOptions
Domain information that domain name registrars use to verify your identity.
Required: No
Type: List of DomainValidationOption (p. 1081)
Maximum: 100

SubjectAlternativeNames
Additional FQDNs to be included in the Subject Alternative Name extension of the ACM certificate.
For example, you can add www.example.net to a certificate for which the DomainName field is
www.example.com if users can reach your site by using either name.
Required: No
Maximum: 100

Tags
Key-value pairs that can identity the certificate.
Required: No

1079
Type: List of Tag
Maximum: 50

ValidationMethod
The method you want to use to validate that you own or control the domain associated with a public
certificate. You can validate with DNS or validate with email. We recommend that you use DNS
validation.
Required: No
Type: String
Allowed Values: DNS | EMAIL
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the certificate's
Amazon Resource Name (ARN).
Examples
Declaring an Amazon Certificate Manager Certificate Resource
The following example shows how to declare an AWS::CertificateManager::Certificate

resource to create an ACM certificate.
JSON
"mycert" : {
"Type" : "AWS::CertificateManager::Certificate",
"Properties" : {
"DomainName" : "example.com",
"DomainValidationOptions" : [{
"ValidationDomain" : "example.com"
}]
}
}
YAML
mycert:
Type: AWS::CertificateManager::Certificate
Properties:
DomainName: example.com
DomainValidationOptions:
- DomainName: example.com
ValidationDomain: example.com
```

1080
AWS::CertificateManager::Certificate DomainValidationOption
DomainValidationOption is a property of the AWS::CertificateManager::Certificate resource that
specifies the AWS Certificate Manager (ACM) certificate domain to which ACM will send validation emails.
Syntax
JSON
{
"ValidationDomain" : String
}
YAML
DomainName: String
ValidationDomain: String
Properties
DomainName
A fully qualified domain name (FQDN) in the certificate request.
Required: Yes
Type: String
Minimum: 1
Maximum: 253
{1,62}[A-Za-z0-9])$

ValidationDomain
The domain name to which you want ACM to send validation emails. This domain name is the
suffix of the email addresses that you want ACM to use. This must be the same as the DomainName
value or a superdomain of the DomainName value. For example, if you request a certificate for
testing.example.com, you can specify example.com as this value. In that case, ACM sends
domain validation emails to the following five addresses:
• admin@example.com
• administrator@example.com
• hostmaster@example.com
• postmaster@example.com
• webmaster@example.com
Required: Yes
Type: String
Minimum: 1

1081
AWS Cloud9
Maximum: 253
{1,62}[A-Za-z0-9])$
AWS Cloud9 Resource Type Reference

Resource Types
• AWS::Cloud9::EnvironmentEC2 (p. 1082)
AWS::Cloud9::EnvironmentEC2
The AWS::Cloud9::EnvironmentEC2 resource creates an Amazon EC2 development environment in
AWS Cloud9. For more information, see Creating an Environment in the AWS Cloud9 User Guide.
Syntax
JSON
{
"Type" : "AWS::Cloud9::EnvironmentEC2",
"Properties" : {
"AutomaticStopTimeMinutes" : Integer,
"Name" : String,
"OwnerArn" : String,
"Repositories" : [ Repository (p. 1084), ... ],
"SubnetId" : String
}
}
YAML
Type: AWS::Cloud9::EnvironmentEC2
Properties:
AutomaticStopTimeMinutes: Integer
Description: String
Name: String
OwnerArn: String
Repositories:
- Repository (p. 1084)
SubnetId: String
Properties
AutomaticStopTimeMinutes
The number of minutes until the running instance is shut down after the environment was last used.
Required: No

1082
AWS Cloud9
Type: Integer
Maximum: 20160

Description
The description of the environment to create.
Required: No
Type: String
Maximum: 200

InstanceType
The type of instance to connect to the environment (for example, t2.micro).
Required: Yes
Type: String
Minimum: 5
Maximum: 20
Pattern: ^[a-z][1-9][.][a-z0-9]+$

Name
The name of the environment.
Required: No
Type: String

OwnerArn
The Amazon Resource Name (ARN) of the environment owner. This ARN can be the ARN of any AWS
Identity and Access Management (IAM) principal. If this value is not specified, the ARN defaults to
this environment's creator.
Required: No
Type: String
Pattern: ârn:aws:(iam|sts)::\d+:(root|(user\/[\w+=/:,.@-]{1,64}|federated-
user\/[\w+=/:,.@-]{2,32}|assumed-role\/[\w+=/:,.@-]{1,64}\/[\w+=/:,.@-]
{1,64}))$

Repositories
Any AWS CodeCommit source code repositories to be cloned into the development environment.
Required: No
Type: List of Repository (p. 1084)

1083
AWS Cloud9

SubnetId
The ID of the subnet in Amazon Virtual Private Cloud (Amazon VPC) that AWS Cloud9 will use to
communicate with the Amazon Elastic Compute Cloud (Amazon EC2) instance.
Required: No
Type: String
Minimum: 5
Maximum: 30
Return Values
Ref
development environment, such as 2bc3642873c342e485f7e0c561234567.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the development environment, such as

arn:aws:cloud9:us-
east-2:123456789012:environment:2bc3642873c342e485f7e0c561234567.
Name
The name of the environment.
AWS::Cloud9::EnvironmentEC2 Repository
The Repository property type specifies an AWS CodeCommit source code repository to be cloned into
an AWS Cloud9 development environment.
Syntax
JSON
{
"PathComponent" : String,
"RepositoryUrl" : String
}

1084
CloudFormation
YAML
PathComponent: String
RepositoryUrl: String
Properties
PathComponent
The path within the development environment's default file system location to clone the AWS
CodeCommit repository into. For example, /REPOSITORY_NAME would clone the repository into the
/home/USER_NAME/environment/REPOSITORY_NAME directory in the environment.
Required: Yes
Type: String

RepositoryUrl
The clone URL of the AWS CodeCommit repository to be cloned. For example, for an AWS
CodeCommit repository this might be https://git-codecommit.us-east-2.amazonaws.com/
v1/repos/REPOSITORY_NAME.
Required: Yes
Type: String
CloudFormation Resource Type Reference

Resource Types
• AWS::CloudFormation::CustomResource (p. 1085)

• AWS::CloudFormation::Macro (p. 1088)
• AWS::CloudFormation::Stack (p. 1090)
• AWS::CloudFormation::WaitCondition (p. 1094)
• AWS::CloudFormation::WaitConditionHandle (p. 1097)
AWS::CloudFormation::CustomResource
In a CloudFormation template, you use the AWS::CloudFormation::CustomResource or
Custom::String resource type to specify custom resources.
Custom resources provide a way for you to write custom provisioning logic in CloudFormation template
and have CloudFormation run it during a stack operation, such as when you create, update or delete a
stack. For more information, see Custom Resources.
Note
If you use the VPC Endpoints feature, custom resources in the VPC must have access to
CloudFormation-specific Amazon Simple Storage Service (Amazon S3) buckets. Custom
resources must send responses to a pre-signed Amazon S3 URL. If they can't send responses to
Amazon S3, CloudFormation won't receive a response and the stack operation fails. For more
information, see Setting Up VPC Endpoints for AWS CloudFormation.

1085
CloudFormation
Syntax
JSON
{
"Type" : "AWS::CloudFormation::CustomResource",
"Properties" : {
"ServiceToken" : String
}
}
YAML
Type: AWS::CloudFormation::CustomResource
Properties:
ServiceToken: String
Properties
ServiceToken
Note
Only one property is defined by AWS for a custom resource: ServiceToken. All other
properties are defined by the service provider.
The service token that was given to the template developer by the service provider to access the
service, such as an Amazon SNS topic ARN or Lambda function ARN. The service token must be from
the same region in which you are creating the stack.
Updates are not supported.
Required: Yes
Type: String
Remarks
Specifying Custom Resource Type Names
For custom resources, you can specify AWS::CloudFormation::CustomResource as the

resource type, or you can specify your own resource type name. For example, instead of using
AWS::CloudFormation::CustomResource, you can use Custom::MyCustomResourceTypeName.
Custom resource type names can include alphanumeric characters and the following characters: _@-. You
can specify a custom resource type name up to a maximum length of 60 characters. You cannot change
the type during an update.
Using your own resource type names helps you quickly differentiate the types of custom resources
in your stack. For example, if you had two custom resources that conduct two different ping tests,
you could name their type as Custom::PingTester to make them easily identifiable as ping testers
(instead of using AWS::CloudFormation::CustomResource).
Replacing a Custom Resource During an Update

1086
CloudFormation
You can update custom resources that require a replacement of the underlying physical resource.
When you update a custom resource in a CloudFormation template, CloudFormation sends an update
request to that custom resource. If the custom resource requires a replacement, the new custom
resource must send a response with the new physical ID. When CloudFormation receives the response, it
compares the PhysicalResourceId between the old and new custom resources. If they are different,
CloudFormation recognizes the update as a replacement and sends a delete request to the old resource.
For a step-by-step walkthrough of this process, see Stack Updates.
Note the following:
• You can monitor the progress of the update in the Events tab. For more information, see Viewing Stack
Data and Resources.
• For more information about resource behavior during updates, see AWS CloudFormation Stacks
Updates.
Retrieving Return Values
For a custom resource, return values are defined by the custom resource provider, and are retrieved by
calling Fn::GetAtt on the provider-defined attributes.
Examples
Creating a Custom Resource Definition in a Template
The following example demonstrates how to create a custom resource definition in a template.
All properties other than ServiceToken, and all Fn::GetAtt resource attributes, are defined by the
custom resource provider.
JSON
{
"Resources" : {
"MyFrontEndTest" : {
"Type": "Custom::PingTester",
"Version" : "1.0",
"Properties" : {
"ServiceToken": "arn:aws:sns:us-east-1:84969EXAMPLE:CRTest",
"key1" : "string",
"key2" : [ "list" ],
"key3" : { "key4" : "map" }
}
}
},
"Outputs" : {
"CustomResourceAttribute1" : {
"Value" : { "Fn::GetAtt" : ["MyFrontEndTest", "responseKey1"] }
},
"CustomResourceAttribute2" : {
"Value" : { "Fn::GetAtt" : ["MyFrontEndTest", "responseKey2"] }
}
}
}
YAML
Resources:

1087
CloudFormation
MyFrontEndTest:
Type: "Custom::PingTester"
Version: "1.0"
Properties:
ServiceToken: "arn:aws:sns:us-east-1:84969EXAMPLE:CRTest"
key1: string
key2:
- list
key3:
key4: map
Outputs:
CustomResourceAttribute1:
Value:
Fn::GetAtt:
- MyFrontEndTest
- responseKey1
CustomResourceAttribute2:
Value:
Fn::GetAtt:
- MyFrontEndTest
- responseKey2
Using an AWS Lambda Function in a Custom Resource
With Lambda functions and custom resources, you can run custom code in response to stack events
(create, update, and delete). The following custom resource invokes a Lambda function and sends it the
StackName property as input. The function uses this property to get outputs from the appropriate stack.
JSON
"MyCustomResource" : {
"Type" : "Custom::TestLambdaCrossStackRef",
"Properties" : {
"ServiceToken": { "Fn::Join": [ "", [ "arn:aws:lambda:", { "Ref": "AWS::Region" }, ":",
{ "Ref": "AWS::AccountId" }, ":function:", {"Ref" : "LambdaFunctionName"} ] ] },
"StackName": {
"Ref": "NetworkStackName"
}
}
}
YAML
MyCustomResource:
Type: "Custom::TestLambdaCrossStackRef"
Properties:
ServiceToken:
!Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaFunctionName}
StackName:
Ref: "NetworkStackName"
AWS::CloudFormation::Macro
The AWS::CloudFormation::Macro resource is an CloudFormation resource type that creates
an CloudFormation macro to perform custom processing on CloudFormation templates. For more
information, see Using AWS CloudFormation Macros to Perform Custom Processing on Templates.
Syntax

1088
CloudFormation
JSON
{
"Type" : "AWS::CloudFormation::Macro",
"Properties" : {
"FunctionName" : String,
"LogGroupName" : String,
"LogRoleARN" : String,
"Name" : String
}
}
YAML
Type: AWS::CloudFormation::Macro
Properties:
Description: String
FunctionName: String
LogGroupName: String
LogRoleARN: String
Name: String
Properties
Description
A description of the macro.
Required: No
Type: String

FunctionName
The Amazon Resource Name (ARN) of the underlying AWS Lambda function that you want AWS
CloudFormation to invoke when the macro is run.
Required: Yes
Type: String

LogGroupName
The Amazon CloudWatch log group to which AWS CloudFormation sends error logging information
when invoking the macro's underlying AWS Lambda function.
Required: No
Type: String

LogRoleARN
The ARN of the role AWS CloudFormation should assume when sending log entries to CloudWatch
logs.

1089
CloudFormation
Required: No
Type: String

Name
The name of the macro. The name of the macro must be unique across all macros in the account.
Required: Yes
Type: String
Return Values
Ref
name. For example:
{ "Ref": "myMacro" }
For the macro myMacro, Ref returns the name of the macro.
See Also
• Using AWS CloudFormation Macros to Perform Custom Processing on Templates
AWS::CloudFormation::Stack
The AWS::CloudFormation::Stack type nests a stack as a resource in a top-level template.
You can add output values from a nested stack within the containing template. You use the GetAtt
function with the nested stack's logical name and the name of the output value in the nested stack in the
format Outputs.NestedStackOutputName.
Important
We strongly recommend that updates to nested stacks are run from the parent stack.
When you apply template changes to update a top-level stack, CloudFormation updates the top-level
stack and initiates an update to its nested stacks. CloudFormation updates the resources of modified
nested stacks, but does not update the resources of unmodified nested stacks. For more information, see
CloudFormation Stacks Updates.
Note
You must acknowledge IAM capabilities for nested stacks that contain IAM resources. Also, verify
that you have cancel update stack permissions, which is required if an update rolls back. For
more information about IAM and CloudFormation, see Controlling Access with AWS Identity and
Access Management.
Syntax

1090
CloudFormation
JSON
{
"Properties" : {
"NotificationARNs" : [ String, ... ],
"Parameters" : {Key : Value, ...},
"Tags" : [ Tag, ... ],
"TemplateURL" : String,
"TimeoutInMinutes" : Integer
}
}
YAML
Properties:
NotificationARNs:
- String
Parameters:
Key : Value
Tags:
- Tag
TemplateURL: String
TimeoutInMinutes: Integer
Properties
NotificationARNs
The Simple Notification Service (SNS) topic ARNs to publish stack related events. You can find your
SNS topic ARNs using the SNS console or your Command Line Interface (CLI).
Required: No
Maximum: 5

Parameters
The set value pairs that represent the parameters passed to CloudFormation when this nested stack
is created. Each parameter has a name corresponding to a parameter defined in the embedded
template and a value representing the value that you want to set for the parameter.
Note
If you use the Ref function to pass a parameter value to a nested stack, comma-delimited
list parameters must be of type String. In other words, you cannot pass values that are of
type CommaDelimitedList to nested stacks.
Conditional. Required if the nested stack requires input parameters.
Whether an update causes interruptions depends on the resources that are being updated. An
update never causes a nested stack to be replaced.
Type: Map of String

1091
CloudFormation
Tags
Key-value pairs to associate with this stack. AWS CloudFormation also propagates these tags to the
resources created in the stack. A maximum number of 50 tags can be specified.
Required: No
Type: List of Tag
Maximum: 50

TemplateURL
Location of file containing the template body. The URL must point to a template (max size: 460,800
bytes) that is located in an Amazon S3 bucket. For more information, see Template Anatomy.
Whether an update causes interruptions depends on the resources that are being updated. An
update never causes a nested stack to be replaced.
Required: Yes
Type: String
Minimum: 1
Maximum: 1024

TimeoutInMinutes
The length of time, in minutes, that CloudFormation waits for the nested stack to reach the
CREATE_COMPLETE state. The default is no timeout. When CloudFormation detects that the
nested stack has reached the CREATE_COMPLETE state, it marks the nested stack resource as
CREATE_COMPLETE in the parent stack and resumes creating the parent stack. If the timeout period
expires before the nested stack reaches CREATE_COMPLETE, CloudFormation marks the nested stack
as failed and rolls back both the nested stack and parent stack.
Required: No
Type: Integer
Minimum: 1
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the stack ID. For
example:
arn:aws:cloudformation:us-east-2:123456789012:stack/mystack-mynestedstack-
sggfrhxhum7w/f449b250-b969-11e0-a185-5081d0136786

1092
CloudFormation
Examples
Specify Stack Parameters
The sample template EC2ChooseAMI.template contains the following Parameters section:
JSON
"Parameters" : {
"InstanceType" : {
"Type" : "String",
"Default" : "m1.small",
"Description" : "EC2 instance type, e.g. m1.small, m1.large, etc."
},
"WebServerPort" : {
"Type" : "String",
"Default" : "80",
"Description" : "TCP/IP port of the web server"
},
"KeyName" : {
"Type" : "String",
"Description" : "Name of an existing EC2 KeyPair to enable SSH access to the web
server"
}
}
YAML
Parameters:
InstanceType:
Type: "String"
Default: "m1.small"
Description: "EC2 instance type, e.g. m1.small, m1.large, etc."
WebServerPort:
Type: "String"
Default: "80"
Description: "TCP/IP port of the web server"
KeyName:
Type: "String"
Description: "Name of an existing EC2 KeyPair to enable SSH access to the web server"
Nested Stack
You could use the following template to embed a stack (myStackWithParams) using the
EC2ChooseAMI.template and use the Parameters property in the AWS::CloudFormation::Stack resource
to specify an InstanceType and KeyName.
JSON
{
"Resources" : {
"myStackWithParams" : {
"Properties" : {
"Parameters" : {
"KeyName" : "mykey"
}

1093
CloudFormation
}
}
}
}
YAML
Resources:
myStackWithParams:
Properties:
TemplateURL: "https://s3.amazonaws.com/cloudformation-templates-us-east-2/
EC2ChooseAMI.template"
Parameters:
InstanceType: "t1.micro"
KeyName: "mykey"
See Also
• For sample template snippets, see Nested Stacks in CloudFormation Template Snippets.
• If you have nested stacks that are stuck in an in-progress operation, see Troubleshooting Errors in
Troubleshooting AWS CloudFormation.
AWS::CloudFormation::WaitCondition
Important
successfully.
You can use a wait condition for situations like the following:
• To coordinate stack resource creation with configuration actions that are external to the stack creation
• To track the status of a configuration process
For these situations, we recommend that you associate a CreationPolicy attribute with the wait condition
so that you don't have to use a wait condition handle. For more information and an example, see
Creating Wait Conditions in a Template. If you use a CreationPolicy with a wait condition, do not specify
any of the wait condition's properties.
Note
If you use the VPC Endpoints feature, resources in the VPC that respond to wait conditions must
have access to CloudFormation-specific Amazon Simple Storage Service (Amazon S3) buckets.
Resources must send wait condition responses to a pre-signed Amazon S3 URL. If they can't
send responses to Amazon S3, CloudFormation won't receive a response and the stack operation
fails. For more information, see Setting Up VPC Endpoints for AWS CloudFormation.
Syntax
JSON
{

1094
CloudFormation
"Properties" : {
"Count" : Integer,
"Handle" : String,
"Timeout" : String
}
}
YAML
Properties:
Count: Integer
Handle: String
Timeout: String
Properties
Count
The number of success signals that CloudFormation must receive before it continues the stack
creation process. When the wait condition receives the requisite number of success signals,
CloudFormation resumes the creation of the stack. If the wait condition does not receive the
specified number of success signals before the Timeout period expires, CloudFormation assumes
that the wait condition has failed and rolls the stack back.
Required: No
Type: Integer

Handle
A reference to the wait condition handle used to signal this wait condition. Use the Ref intrinsic
function to specify an AWS::CloudFormation::WaitConditionHandle resource.
Anytime you add a WaitCondition resource during a stack update, you must associate the wait
condition with a new WaitConditionHandle resource. Do not reuse an old wait condition handle that
has already been defined in the template. If you reuse a wait condition handle, the wait condition
might evaluate old signals from a previous create or update stack command.
Required: No
Type: String

Timeout
The length of time (in seconds) to wait for the number of signals that the Count property specifies.
Timeout is a minimum-bound property, meaning the timeout occurs no sooner than the time you
specify, but can occur shortly thereafter. The maximum time that can be specified for this property is
12 hours (43200 seconds).
Required: No

1095
CloudFormation
Type: String
Return Values
Ref
name.
Fn::GetAtt
Data
A JSON object that contains the UniqueId and Data values from the wait condition signal(s) for
the specified wait condition. For more information about wait condition signals, see Wait Condition
Signal JSON Format.
Example return value for a wait condition with 2 signals:
{ "Signal1" : "Step 1 complete." , "Signal2" : "Step 2 complete." }
Examples
WaitCondition that Waits for the Desired Number of Instances in a Web Server Group
JSON
"Properties" : {
"MinSize" : "1",
"MaxSize" : "5",
"DesiredCapacity" : { "Ref" : "WebServerCapacity" },
}
},
"WaitHandle" : {
"Type" : "AWS::CloudFormation::WaitConditionHandle"
},
"WaitCondition" : {
"DependsOn" : "WebServerGroup",
"Properties" : {
"Handle" : { "Ref" : "WaitHandle" },
"Timeout" : "300",
"Count" : { "Ref" : "WebServerCapacity" }

1096
CloudFormation
}
}
YAML
WebServerGroup:
Properties:
AvailabilityZones:
Fn::GetAZs: ""
Ref: "LaunchConfig"
MinSize: "1"
MaxSize: "5"
DesiredCapacity:
Ref: "WebServerCapacity"
LoadBalancerNames:
-
Ref: "ElasticLoadBalancer"
WaitHandle:
WaitCondition:
DependsOn: "WebServerGroup"
Properties:
Handle:
Ref: "WaitHandle"
Timeout: "300"
Count:
Ref: "WebServerCapacity"
See Also
• Creating Wait Conditions in a Template
• DependsOn Attribute
AWS::CloudFormation::WaitConditionHandle
Important
successfully.
For more information, see Deploying Applications on Amazon EC2 with AWS CloudFormation.
The AWS::CloudFormation::WaitConditionHandle type has no properties. When you reference

the WaitConditionHandle resource by using the Ref function, AWS CloudFormation returns a
presigned URL. You pass this URL to applications or scripts that are running on your Amazon EC2
instances to send signals to that URL. An associated AWS::CloudFormation::WaitCondition
resource checks the URL for the required number of success signals or for a failure signal.
Important
Anytime you add a WaitCondition resource during a stack update or update a resource with
a wait condition, you must associate the wait condition with a new WaitConditionHandle
resource. Do not reuse an old wait condition handle that has already been defined in the
template. If you reuse a wait condition handle, the wait condition might evaluate old signals
from a previous create or update stack command.
Note
Updates are not supported for this resource.

1097
CloudFront
Syntax
JSON
{
"Properties" : {
}
}
YAML
Properties:
See Also
• For information about how to use wait conditions, see Creating Wait Conditions in a Template.
CloudFront Resource Type Reference

Resource Types
• AWS::CloudFront::CloudFrontOriginAccessIdentity (p. 1098)

• AWS::CloudFront::Distribution (p. 1100)
• AWS::CloudFront::StreamingDistribution (p. 1133)
AWS::CloudFront::CloudFrontOriginAccessIdentity
The request to create a new origin access identity (OAI). An origin access identity is a special CloudFront
user that you can associate with Amazon S3 origins, so that you can secure all or just some of your
Amazon S3 content. For more information, see Restricting Access to Amazon S3 Content by Using an
Origin Access Identity in the Amazon CloudFront Developer Guide.
Syntax
JSON
{
"Type" : "AWS::CloudFront::CloudFrontOriginAccessIdentity",
"Properties" : {
"CloudFrontOriginAccessIdentityConfig" : CloudFrontOriginAccessIdentityConfig (p. 1100)

}
}
YAML
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity

1098
CloudFront
Properties:
CloudFrontOriginAccessIdentityConfig:
CloudFrontOriginAccessIdentityConfig (p. 1100)
Properties
CloudFrontOriginAccessIdentityConfig
The current configuration information for the identity.
Required: Yes
Type: CloudFrontOriginAccessIdentityConfig (p. 1100)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the origin access
identity, such as E15MNIMTCFKK4C.
Fn::GetAtt
S3CanonicalUserId
The Amazon S3 canonical user ID for the origin access identity, used when giving
the origin access identity read permission to an object in Amazon S3. For example:
b970b42360b81c8ddbd79d2f5df0069ba9033c8a79655752abe380cd6d63ba8bcf23384d568fcf89fc49700
Examples
Specify the comment for an origin access identity
JSON
{
"Resources": {
"cloudfrontoriginaccessidentity": {
"Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
"Properties": {
"CloudFrontOriginAccessIdentityConfig": {
"Comment": "string-value"
}
}
}
}
}

1099
CloudFront
YAML
Resources:
cloudfrontoriginaccessidentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: string-value
See Also
• OriginAccessIdentity in the Amazon CloudFront API Reference
AWS::CloudFront::CloudFrontOriginAccessIdentity
CloudFrontOriginAccessIdentityConfig
Origin access identity configuration. Send a GET request to the /CloudFront API version/
CloudFront/identity ID/config resource.
Syntax
JSON
{
"Comment" : String
}
YAML
Comment: String
Properties
Comment
Any comments you want to include about the origin access identity.
Required: Yes
Type: String
See Also
• CloudFrontOriginAccessIdentityConfig in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution
A distribution tells CloudFront where you want content to be delivered from, and the details about how
to track and manage content delivery.

1100
CloudFront
Syntax
JSON
{
"Properties" : {
"DistributionConfig" : DistributionConfig (p. 1116),
"Tags" : [ Tag, ... ]
}
}
YAML
Properties:
DistributionConfig:
DistributionConfig (p. 1116)
Tags:
- Tag
Properties
DistributionConfig
The current configuration information for the distribution. Send a GET request to the /CloudFront
API version/distribution ID/config resource.
Required: Yes
Type: DistributionConfig (p. 1116)

Tags
A complex type that contains zero or more Tag elements.
Required: No
Type: List of Tag
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the CloudFront
distribution ID. For example: E27LVI50CSW06W.
Fn::GetAtt

1101
CloudFront
DomainName
The domain name of the resource, such as sct27g85mgx04.cloudfront.net.
Examples
Create a distribution
The following example specifies a distribution and assigns it a single tag.
JSON
{
"Resources": {
"cloudfrontdistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"CacheBehaviors": [
{
"LambdaFunctionAssociations": [
{
"EventType": "string-value",
"LambdaFunctionARN": "string-value"
}
]
}
],
"DefaultCacheBehavior": {
"LambdaFunctionAssociations": [
{
"EventType": "string-value",
"LambdaFunctionARN": "string-value"
}
]
},
"IPV6Enabled": "boolean-value",
"Origins": [
{
"CustomOriginConfig": {
"OriginKeepaliveTimeout": "integer-value",
"OriginReadTimeout": "integer-value"
}
}
]
},
"Tags": [
{
"Key": "string-value",
"Value": "string-value"
}
]
}
}
}
}
YAML

1102
CloudFront
Resources:
cloudfrontdistribution:
Properties:
DistributionConfig:
CacheBehaviors:
- LambdaFunctionAssociations:
- EventType: string-value
LambdaFunctionARN: string-value
LambdaFunctionAssociations:
- EventType: string-value
LambdaFunctionARN: string-value
IPV6Enabled: boolean-value
Origins:
- CustomOriginConfig:
OriginKeepaliveTimeout: integer-value
OriginReadTimeout: integer-value
Tags:
- Key: string-value
Value: string-value
See Also
• CreateDistribution in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution CacheBehavior
A complex type that describes how CloudFront processes requests.
You must create at least as many cache behaviors (including the default cache behavior) as you have
origins if you want CloudFront to distribute objects from all of the origins. Each cache behavior specifies
the one origin from which you want CloudFront to get objects. If you have two origins and only the
default cache behavior, the default cache behavior will cause CloudFront to get objects from one of the
origins, but the other origin is never used.
For the current limit on the number of cache behaviors that you can add to a distribution, see Amazon
CloudFront Limits in the AWS General Reference.
If you don't want to specify any cache behaviors, include only an empty CacheBehaviors element.
Don't include an empty CacheBehavior element, or CloudFront returns a MalformedXML error.
To delete all cache behaviors in an existing distribution, update the distribution configuration and
include only an empty CacheBehaviors element.
To add, change, or remove one or more cache behaviors, update the distribution configuration and
specify all of the cache behaviors that you want to include in the updated distribution.
For more information about cache behaviors, see Cache Behaviors in the Amazon CloudFront Developer
Guide.
Syntax
JSON
{
"AllowedMethods" : [ String, ... ],
"CachedMethods" : [ String, ... ],

1103
CloudFront
"Compress" : Boolean,
"DefaultTTL" : Double,
"FieldLevelEncryptionId" : String,
"ForwardedValues" : ForwardedValues (p. 1121),
"LambdaFunctionAssociations" : [ LambdaFunctionAssociation (p. 1124), ... ],
"MaxTTL" : Double,
"MinTTL" : Double,
"PathPattern" : String,
"SmoothStreaming" : Boolean,
"TargetOriginId" : String,
"TrustedSigners" : [ String, ... ],
"ViewerProtocolPolicy" : String
}
YAML
AllowedMethods:
- String
CachedMethods:
- String
Compress: Boolean
DefaultTTL: Double
FieldLevelEncryptionId: String
ForwardedValues:
ForwardedValues (p. 1121)
- LambdaFunctionAssociation (p. 1124)
MaxTTL: Double
MinTTL: Double
PathPattern: String
SmoothStreaming: Boolean
TargetOriginId: String
TrustedSigners:
- String
ViewerProtocolPolicy: String
Properties
AllowedMethods
A complex type that controls which HTTP methods CloudFront processes and forwards to your
Amazon S3 bucket or your custom origin. There are three choices:
• CloudFront forwards only GET and HEAD requests.
• CloudFront forwards only GET, HEAD, and OPTIONS requests.
• CloudFront forwards GET, HEAD, OPTIONS, PUT, PATCH, POST, and DELETE requests.
If you pick the third choice, you may need to restrict access to your Amazon S3 bucket or to your
custom origin so users can't perform operations that you don't want them to. For example, you
might not want users to have permissions to delete objects from your origin.
Required: No

CachedMethods
A complex type that controls whether CloudFront caches the response to requests using the
specified HTTP methods. There are two choices:
• CloudFront caches responses to GET and HEAD requests.

1104
CloudFront
• CloudFront caches responses to GET, HEAD, and OPTIONS requests.
If you pick the second choice for your Amazon S3 Origin, you may need to forward Access-Control-
Request-Method, Access-Control-Request-Headers, and Origin headers for the responses to be
cached correctly.
Required: No

Compress
Whether you want CloudFront to automatically compress certain files for this cache behavior. If so,
specify true; if not, specify false. For more information, see Serving Compressed Files in the Amazon
CloudFront Developer Guide.
Required: No
Type: Boolean

DefaultTTL
The default amount of time that you want objects to stay in CloudFront caches before CloudFront
forwards another request to your origin to determine whether the object has been updated. The
value that you specify applies only when your origin does not add HTTP headers such as Cache-
Control max-age, Cache-Control s-maxage, and Expires to objects. For more information,
see Managing How Long Content Stays in an Edge Cache (Expiration) in the Amazon CloudFront
Developer Guide.
Required: No
Type: Double

FieldLevelEncryptionId
The value of ID for the field-level encryption configuration that you want CloudFront to use for
encrypting specific fields of data for a cache behavior or for the default cache behavior in your
distribution.
Required: No
Type: String

ForwardedValues
A complex type that specifies how CloudFront handles query strings, cookies, and HTTP headers.
Required: Yes
Type: ForwardedValues (p. 1121)

LambdaFunctionAssociations
A complex type that contains zero or more Lambda function associations for a cache behavior.

1105
CloudFront
Required: No
Type: List of LambdaFunctionAssociation (p. 1124)

MaxTTL
The maximum amount of time that you want objects to stay in CloudFront caches before CloudFront
forwards another request to your origin to determine whether the object has been updated.
The value that you specify applies only when your origin adds HTTP headers such as Cache-
Developer Guide.
Required: No
Type: Double

MinTTL
The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront
forwards another request to your origin to determine whether the object has been updated. For
more information, see Managing How Long Content Stays in an Edge Cache (Expiration) in the
Amazon CloudFront Developer Guide.
You must specify 0 for MinTTL if you configure CloudFront to forward all headers to your origin
(under Headers, if you specify 1 for Quantity and * for Name).
Required: No
Type: Double

PathPattern
The pattern (for example, images/*.jpg) that specifies which requests to apply the behavior to.
When CloudFront receives a viewer request, the requested path is compared with path patterns in
the order in which cache behaviors are listed in the distribution.
Note
You can optionally include a slash (/) at the beginning of the path pattern. For example, /
images/*.jpg. CloudFront behavior is the same with or without the leading /.
The path pattern for the default cache behavior is * and cannot be changed. If the request for an
object does not match the path pattern for any cache behaviors, CloudFront applies the behavior in
the default cache behavior.
For more information, see Path Pattern in the Amazon CloudFront Developer Guide.
Required: Yes
Type: String

SmoothStreaming
Indicates whether you want to distribute media files in the Microsoft Smooth Streaming format
using the origin that is associated with this cache behavior. If so, specify true; if not, specify false.

1106
CloudFront
If you specify true for SmoothStreaming, you can still distribute other content using this cache
behavior if the content matches the value of PathPattern.
Required: No
Type: Boolean

TargetOriginId
The value of ID for the origin that you want CloudFront to route requests to when a request
matches the path pattern either for a cache behavior or for the default cache behavior in your
distribution.
Required: Yes
Type: String

TrustedSigners
Specifies the AWS accounts, if any, that you want to allow to create signed URLs for private content.
If you want to require signed URLs in requests for objects in the target origin that match the
PathPattern for this cache behavior, specify a list of AWS account IDs. For more information, see
Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.
Required: No

ViewerProtocolPolicy
The protocol that viewers can use to access the files in the origin specified by TargetOriginId
when a request matches the path pattern in PathPattern. You can specify the following options:
• allow-all: Viewers can use HTTP or HTTPS.
• redirect-to-https: If a viewer submits an HTTP request, CloudFront returns an HTTP status
code of 301 (Moved Permanently) to the viewer along with the HTTPS URL. The viewer then
resubmits the request using the new URL.
• https-only: If a viewer sends an HTTP request, CloudFront returns an HTTP status code of 403
(Forbidden).
For more information about requiring the HTTPS protocol, see Using an HTTPS Connection to Access
Your Objects in the Amazon CloudFront Developer Guide.
Note
The only way to guarantee that viewers retrieve an object that was fetched from the origin
using HTTPS is never to use any other protocol to fetch the object. If you have recently
changed from HTTP to HTTPS, we recommend that you clear your objects' cache because
cached objects are protocol agnostic. That means that an edge location will return an object
from the cache regardless of whether the current request protocol matches the protocol
used previously. For more information, see Managing How Long Content Stays in an Edge
Cache (Expiration) in the Amazon CloudFront Developer Guide.
Required: Yes
Type: String
Allowed Values: allow-all | https-only | redirect-to-https

1107
CloudFront
See Also
• CacheBehavior in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution Cookies
A complex type that specifies whether you want CloudFront to forward cookies to the origin and, if so,
which ones. For more information about forwarding cookies to the origin, see How CloudFront Forwards,
Caches, and Logs Cookies in the Amazon CloudFront Developer Guide.
Syntax
JSON
{
"Forward" : String,
"WhitelistedNames" : [ String, ... ]
}
YAML
Forward: String
WhitelistedNames:
- String
Properties
Forward
Specifies which cookies to forward to the origin for this cache behavior: all, none, or the list of
cookies specified in the WhitelistedNames complex type.
Amazon S3 doesn't process cookies. When the cache behavior is forwarding requests to an Amazon
S3 origin, specify none for the Forward element.
Required: Yes
Type: String
Allowed Values: all | none | whitelist

WhitelistedNames
Required if you specify whitelist for the value of Forward:. A complex type that specifies how
many different cookies you want CloudFront to forward to the origin for this cache behavior and, if
you want to forward selected cookies, the names of those cookies.
If you specify all or none for the value of Forward, omit WhitelistedNames. If you change the
value of Forward from whitelist to all or none and you don't delete the WhitelistedNames
element and its child elements, CloudFront deletes them automatically.
For the current limit on the number of cookie names that you can whitelist for each cache behavior,
see CloudFront Limits in the AWS General Reference.

1108
CloudFront
See Also
• CookiePreference in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution CustomErrorResponse
A complex type that controls:
• Whether CloudFront replaces HTTP status codes in the 4xx and 5xx range with custom error messages
before returning the response to the viewer.
• How long CloudFront caches HTTP status codes in the 4xx and 5xx range.
For more information about custom error pages, see Customizing Error Responses in the Amazon
Syntax
JSON
{
"ErrorCachingMinTTL" : Double,
"ErrorCode" : Integer,
"ResponseCode" : Integer,
"ResponsePagePath" : String
}
YAML
ErrorCachingMinTTL: Double
ErrorCode: Integer
ResponseCode: Integer
ResponsePagePath: String
Properties
ErrorCachingMinTTL
The minimum amount of time, in seconds, that you want CloudFront to cache the HTTP status
code specified in ErrorCode. When this time period has elapsed, CloudFront queries your origin to
see whether the problem that caused the error has been resolved and the requested object is now
available.
For more information, see Customizing Error Responses in the Amazon CloudFront Developer Guide.
Required: No
Type: Double

1109
CloudFront
ErrorCode
The HTTP status code for which you want to specify a custom error page and/or a caching duration.
Required: Yes
Type: Integer

ResponseCode
The HTTP status code that you want CloudFront to return to the viewer along with the custom error
page. There are a variety of reasons that you might want CloudFront to return a status code different
from the status code that your origin returned to CloudFront, for example:
• Some Internet devices (some firewalls and corporate proxies, for example) intercept HTTP 4xx
and 5xx and prevent the response from being returned to the viewer. If you substitute 200, the
response typically won't be intercepted.
• If you don't care about distinguishing among different client errors or server errors, you can
specify 400 or 500 as the ResponseCode for all 4xx or 5xx errors.
• You might want to return a 200 status code (OK) and static website so your customers don't know
that your website is down.
If you specify a value for ResponseCode, you must also specify a value for ResponsePagePath.
Type: Integer

ResponsePagePath
The path to the custom error page that you want CloudFront to return to a viewer when your
origin returns the HTTP status code specified by ErrorCode, for example, /4xx-errors/403-
forbidden.html. If you want to store your objects and your custom error pages in different
locations, your distribution must include a cache behavior for which the following is true:
• The value of PathPattern matches the path to your custom error messages. For example,
suppose you saved custom error pages for 4xx errors in an Amazon S3 bucket in a directory named
/4xx-errors. Your distribution must include a cache behavior for which the path pattern routes
requests for your custom error pages to that location, for example, /4xx-errors/*.
• The value of TargetOriginId specifies the value of the ID element for the origin that contains
your custom error pages.
If you specify a value for ResponsePagePath, you must also specify a value for ResponseCode.
We recommend that you store custom error pages in an Amazon S3 bucket. If you store custom error
pages on an HTTP server and the server starts to return 5xx errors, CloudFront can't get the files
that you want to return to viewers because the origin server is unavailable.
Type: String
See Also
• CustomErrorResponse in the Amazon CloudFront API Reference

1110
CloudFront
AWS::CloudFront::Distribution CustomOriginConfig
A custom origin or an Amazon S3 bucket configured as a website endpoint.
Syntax
JSON
{
"HTTPPort" : Integer,
"HTTPSPort" : Integer,
"OriginKeepaliveTimeout" : Integer,
"OriginProtocolPolicy" : String,
"OriginReadTimeout" : Integer,
"OriginSSLProtocols" : [ String, ... ]
}
YAML
HTTPPort: Integer
HTTPSPort: Integer
OriginKeepaliveTimeout: Integer
OriginProtocolPolicy: String
OriginReadTimeout: Integer
OriginSSLProtocols:
- String
Properties
HTTPPort
The HTTP port the custom origin listens on.
Required: No
Type: Integer

HTTPSPort
The HTTPS port the custom origin listens on.
Required: No
Type: Integer

OriginKeepaliveTimeout
You can create a custom keep-alive timeout. All timeout units are in seconds. The default keep-alive
timeout is 5 seconds, but you can configure custom timeout lengths using the CloudFront API. The
minimum timeout length is 1 second; the maximum is 60 seconds.
If you need to increase the maximum time limit, contact the AWS Support Center.
Required: No
Type: Integer

1111
CloudFront

OriginProtocolPolicy
The origin protocol policy to apply to your origin.
Required: Yes
Type: String
Allowed Values: http-only | https-only | match-viewer

OriginReadTimeout
You can create a custom origin read timeout. All timeout units are in seconds. The default origin read
timeout is 30 seconds, but you can configure custom timeout lengths using the CloudFront API. The
minimum timeout length is 4 seconds; the maximum is 60 seconds.
If you need to increase the maximum time limit, contact the AWS Support Center.
Required: No
Type: Integer

OriginSSLProtocols
The SSL/TLS protocols that you want CloudFront to use when communicating with your origin over
HTTPS.
Required: No
See Also
• CustomOriginConfig in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution DefaultCacheBehavior
A complex type that describes the default cache behavior if you don't specify a CacheBehavior element
or if files don't match any of the values of PathPattern in CacheBehavior elements. You must create
exactly one default cache behavior.
Syntax
JSON
{
"AllowedMethods" : [ String, ... ],
"CachedMethods" : [ String, ... ],
"Compress" : Boolean,
"DefaultTTL" : Double,
"FieldLevelEncryptionId" : String,
"ForwardedValues" : ForwardedValues (p. 1121),

1112
CloudFront
"LambdaFunctionAssociations" : [ LambdaFunctionAssociation (p. 1124), ... ],

"MaxTTL" : Double,
"MinTTL" : Double,
"SmoothStreaming" : Boolean,
"TargetOriginId" : String,
"TrustedSigners" : [ String, ... ],
"ViewerProtocolPolicy" : String
}
YAML
AllowedMethods:
- String
CachedMethods:
- String
Compress: Boolean
DefaultTTL: Double
FieldLevelEncryptionId: String
ForwardedValues:
ForwardedValues (p. 1121)
- LambdaFunctionAssociation (p. 1124)
MaxTTL: Double
MinTTL: Double
SmoothStreaming: Boolean
TargetOriginId: String
TrustedSigners:
- String
ViewerProtocolPolicy: String
Properties
AllowedMethods
A complex type that controls which HTTP methods CloudFront processes and forwards to your
Amazon S3 bucket or your custom origin. There are three choices:
• CloudFront forwards only GET and HEAD requests.
• CloudFront forwards only GET, HEAD, and OPTIONS requests.
• CloudFront forwards GET, HEAD, OPTIONS, PUT, PATCH, POST, and DELETE requests.
If you pick the third choice, you may need to restrict access to your Amazon S3 bucket or to your
custom origin so users can't perform operations that you don't want them to. For example, you
might not want users to have permissions to delete objects from your origin.
Required: No

CachedMethods
A complex type that controls whether CloudFront caches the response to requests using the
specified HTTP methods. There are two choices:
• CloudFront caches responses to GET and HEAD requests.
• CloudFront caches responses to GET, HEAD, and OPTIONS requests.
If you pick the second choice for your Amazon S3 Origin, you may need to forward Access-Control-
Request-Method, Access-Control-Request-Headers, and Origin headers for the responses to be
cached correctly.

1113
CloudFront
Required: No

Compress
Whether you want CloudFront to automatically compress certain files for this cache behavior. If
so, specify true; if not, specify false. For more information, see Serving Compressed Files in the
Required: No
Type: Boolean

DefaultTTL
The default amount of time that you want objects to stay in CloudFront caches before CloudFront
forwards another request to your origin to determine whether the object has been updated. The
value that you specify applies only when your origin does not add HTTP headers such as Cache-
Developer Guide.
Required: No
Type: Double

FieldLevelEncryptionId
The value of ID for the field-level encryption configuration that you want CloudFront to use for
encrypting specific fields of data for a cache behavior or for the default cache behavior in your
distribution.
Required: No
Type: String

ForwardedValues
Required: Yes
Type: ForwardedValues (p. 1121)

LambdaFunctionAssociations
A complex type that contains zero or more Lambda function associations for a cache behavior.
Required: No
Type: List of LambdaFunctionAssociation (p. 1124)

1114
CloudFront
MaxTTL
The maximum amount of time that you want objects to stay in CloudFront caches before CloudFront
forwards another request to your origin to determine whether the object has been updated.
The value that you specify applies only when your origin adds HTTP headers such as Cache-
Developer Guide.
Required: No
Type: Double

MinTTL
The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront
forwards another request to your origin to determine whether the object has been updated. For
more information, see Managing How Long Content Stays in an Edge Cache (Expiration) in the
You must specify 0 for MinTTL if you configure CloudFront to forward all headers to your origin
(under Headers, if you specify 1 for Quantity and * for Name).
Required: No
Type: Double

SmoothStreaming
Indicates whether you want to distribute media files in the Microsoft Smooth Streaming format
using the origin that is associated with this cache behavior. If so, specify true; if not, specify false.
If you specify true for SmoothStreaming, you can still distribute other content using this cache
behavior if the content matches the value of PathPattern.
Required: No
Type: Boolean

TargetOriginId
The value of ID for the origin that you want CloudFront to route requests to when a request
matches the path pattern either for a cache behavior or for the default cache behavior in your
distribution.
Required: Yes
Type: String

TrustedSigners
If you want to require signed URLs in requests for objects in the target origin, specify a list of AWS
account IDs. For more information, see Serving Private Content through CloudFront in the Amazon

1115
CloudFront
Required: No

ViewerProtocolPolicy
The protocol that viewers can use to access the files in the origin specified by TargetOriginId
when a request matches the path pattern in PathPattern. You can specify the following options:
• allow-all: Viewers can use HTTP or HTTPS.
• redirect-to-https: If a viewer submits an HTTP request, CloudFront returns an HTTP status
code of 301 (Moved Permanently) to the viewer along with the HTTPS URL. The viewer then
resubmits the request using the new URL.
• https-only: If a viewer sends an HTTP request, CloudFront returns an HTTP status code of 403
(Forbidden).
For more information about requiring the HTTPS protocol, see Using an HTTPS Connection to Access
Your Objects in the Amazon CloudFront Developer Guide.
Note
The only way to guarantee that viewers retrieve an object that was fetched from the origin
using HTTPS is never to use any other protocol to fetch the object. If you have recently
changed from HTTP to HTTPS, we recommend that you clear your objects' cache because
cached objects are protocol agnostic. That means that an edge location will return an object
from the cache regardless of whether the current request protocol matches the protocol
used previously. For more information, see Managing How Long Content Stays in an Edge
Cache (Expiration) in the Amazon CloudFront Developer Guide.
Required: Yes
Type: String
Allowed Values: allow-all | https-only | redirect-to-https
See Also
• DefaultCacheBehavior in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution DistributionConfig
A distribution configuration.
Syntax
JSON
{
"Aliases" : [ String, ... ],
"CacheBehaviors" : [ CacheBehavior (p. 1103), ... ],
"Comment" : String,
"CustomErrorResponses" : [ CustomErrorResponse (p. 1109), ... ],
"DefaultCacheBehavior" : DefaultCacheBehavior (p. 1112),
"DefaultRootObject" : String,

1116
CloudFront
"HttpVersion" : String,
"IPV6Enabled" : Boolean,
"Origins" : [ Origin (p. 1126), ... ],
"PriceClass" : String,
"Restrictions" : Restrictions (p. 1129),
"ViewerCertificate" : ViewerCertificate (p. 1131),
"WebACLId" : String
}
YAML
Aliases:
- String
CacheBehaviors:
- CacheBehavior (p. 1103)
Comment: String
- CustomErrorResponse (p. 1109)
DefaultCacheBehavior (p. 1112)
DefaultRootObject: String
Enabled: Boolean
HttpVersion: String
IPV6Enabled: Boolean
Logging:
Logging (p. 1125)
Origins:
- Origin (p. 1126)
PriceClass: String
Restrictions:
Restrictions (p. 1129)
ViewerCertificate:
ViewerCertificate (p. 1131)
WebACLId: String
Properties
Aliases
A complex type that contains information about CNAMEs (alternate domain names), if any, for this
distribution.
Required: No

CacheBehaviors
A complex type that contains zero or more CacheBehavior elements.
Required: No
Type: List of CacheBehavior (p. 1103)

Comment
Any comments you want to include about the distribution.
If you don't want to specify a comment, include an empty Comment element.

1117
CloudFront
To delete an existing comment, update the distribution configuration and include an empty
Comment element.
To add or change a comment, update the distribution configuration and specify the new comment.
Required: No
Type: String

CustomErrorResponses
A complex type that controls the following:

• Whether CloudFront replaces HTTP status codes in the 4xx and 5xx range with custom error
messages before returning the response to the viewer.
• How long CloudFront caches HTTP status codes in the 4xx and 5xx range.
For more information about custom error pages, see Customizing Error Responses in the Amazon
Required: No
Type: List of CustomErrorResponse (p. 1109)

DefaultCacheBehavior
A complex type that describes the default cache behavior if you don't specify a CacheBehavior
element or if files don't match any of the values of PathPattern in CacheBehavior elements. You
must create exactly one default cache behavior.
Required: No
Type: DefaultCacheBehavior (p. 1112)

DefaultRootObject
The object that you want CloudFront to request from your origin (for example, index.html)
when a viewer requests the root URL for your distribution (http://www.example.com) instead
of an object in your distribution (http://www.example.com/product-description.html).
Specifying a default root object avoids exposing the contents of your distribution.
Specify only the object name, for example, index.html. Don't add a / before the object name.
If you don't want to specify a default root object when you create a distribution, include an empty
DefaultRootObject element.
To delete the default root object from an existing distribution, update the distribution configuration
and include an empty DefaultRootObject element.
To replace the default root object, update the distribution configuration and specify the new object.
For more information about the default root object, see Creating a Default Root Object in the
Required: No
Type: String

1118
CloudFront
Enabled
From this field, you can enable or disable the selected distribution.
Required: Yes
Type: Boolean

HttpVersion
(Optional) Specify the maximum HTTP version that you want viewers to use to communicate with
CloudFront. The default value for new web distributions is http2. Viewers that don't support HTTP/2
automatically use an earlier HTTP version.
For viewers and CloudFront to use HTTP/2, viewers must support TLS 1.2 or later, and must support
Server Name Identification (SNI).
In general, configuring CloudFront to communicate with viewers using HTTP/2 reduces latency. You
can improve performance by optimizing for HTTP/2. For more information, do an Internet search for
"http/2 optimization."
Required: No
Type: String
Allowed Values: http1.1 | http2

IPV6Enabled
If you want CloudFront to respond to IPv6 DNS requests with an IPv6 address for your distribution,
specify true. If you specify false, CloudFront responds to IPv6 DNS requests with the DNS
response code NOERROR and with no IP addresses. This allows viewers to submit a second request,
for an IPv4 address for your distribution.
In general, you should enable IPv6 if you have users on IPv6 networks who want to access your
content. However, if you're using signed URLs or signed cookies to restrict access to your content,
and if you're using a custom policy that includes the IpAddress parameter to restrict the IP
addresses that can access your content, don't enable IPv6. If you want to restrict access to some
content by IP address and not restrict access to other content (or restrict access but not by IP
address), you can create two distributions. For more information, see Creating a Signed URL Using a
Custom Policy in the Amazon CloudFront Developer Guide.
If you're using an Amazon Route 53 alias resource record set to route traffic to your CloudFront
distribution, you need to create a second alias resource record set when both of the following are
true:
• You enable IPv6 for the distribution
• You're using alternate domain names in the URLs for your objects
For more information, see Routing Traffic to an Amazon CloudFront Web Distribution by Using Your
Domain Name in the Amazon Route 53 Developer Guide.
If you created a CNAME resource record set, either with Amazon Route 53 or with another DNS
service, you don't need to make any changes. A CNAME record will route traffic to your distribution
regardless of the IP address format of the viewer request.
Required: No
Type: Boolean

1119
CloudFront

Logging
A complex type that controls whether access logs are written for the distribution.
For more information about logging, see Access Logs in the Amazon CloudFront Developer Guide.
Required: No

Origins
A complex type that contains information about origins for this distribution.
Required: No
Type: List of Origin (p. 1126)

PriceClass
The price class that corresponds with the maximum price that you want to pay for CloudFront
service. If you specify PriceClass_All, CloudFront responds to requests for your objects from all
CloudFront edge locations.
If you specify a price class other than PriceClass_All, CloudFront serves your objects from the
CloudFront edge location that has the lowest latency among the edge locations in your price class.
Viewers who are in or near regions that are excluded from your specified price class may encounter
slower performance.
For more information about price classes, see Choosing the Price Class for a CloudFront Distribution
in the Amazon CloudFront Developer Guide. For information about CloudFront pricing, including how
price classes (such as Price Class 100) map to CloudFront regions, see Amazon CloudFront Pricing.
For price class information, scroll down to see the table at the bottom of the page.
Required: No
Type: String
Allowed Values: PriceClass_100 | PriceClass_200 | PriceClass_All

Restrictions
A complex type that identifies ways in which you want to restrict distribution of your content.
Required: No
Type: Restrictions (p. 1129)

ViewerCertificate
A complex type that specifies whether you want viewers to use HTTP or HTTPS to request your
objects, whether you're using an alternate domain name with HTTPS, and if so, if you're using AWS
Certificate Manager (ACM) or a third-party certificate authority.
Required: No

1120
CloudFront
Type: ViewerCertificate (p. 1131)

WebACLId
A unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution.
AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that
are forwarded to CloudFront, and lets you control access to your content. Based on conditions that
you specify, such as the IP addresses that requests originate from or the values of query strings,
CloudFront responds to requests either with the requested content or with an HTTP 403 status code
(Forbidden). You can also configure CloudFront to return a custom error page when a request is
blocked. For more information about AWS WAF, see the AWS WAF Developer Guide.
Required: No
Type: String
See Also
• DistributionConfig in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution ForwardedValues
Syntax
JSON
{
"Cookies" : Cookies (p. 1108),
"Headers" : [ String, ... ],
"QueryString" : Boolean,
"QueryStringCacheKeys" : [ String, ... ]
}
YAML
Cookies:
Cookies (p. 1108)
Headers:
- String
QueryString: Boolean
QueryStringCacheKeys:
- String
Properties
Cookies
A complex type that specifies whether you want CloudFront to forward cookies to the origin and, if
so, which ones. For more information about forwarding cookies to the origin, see How CloudFront
Forwards, Caches, and Logs Cookies in the Amazon CloudFront Developer Guide.

1121
CloudFront
Required: No
Type: Cookies (p. 1108)

Headers
A complex type that specifies the Headers, if any, that you want CloudFront to forward to the
origin for this cache behavior (whitelisted headers). For the headers that you specify, CloudFront also
caches separate versions of a specified object that is based on the header values in viewer requests.
For more information, see Caching Content Based on Request Headers in the Amazon CloudFront
Developer Guide.
Required: No

QueryString
Indicates whether you want CloudFront to forward query strings to the origin that is associated with
this cache behavior and cache based on the query string parameters. CloudFront behavior depends
on the value of QueryString and on the values that you specify for QueryStringCacheKeys, if
any:
If you specify true for QueryString and you don't specify any values for QueryStringCacheKeys,
CloudFront forwards all query string parameters to the origin and caches based on all query
string parameters. Depending on how many query string parameters and values you have, this can
adversely affect performance because CloudFront must forward more requests to the origin.
If you specify true for QueryString and you specify one or more values for
QueryStringCacheKeys, CloudFront forwards all query string parameters to the origin, but it only
caches based on the query string parameters that you specify.
If you specify false for QueryString, CloudFront doesn't forward any query string parameters to
the origin, and doesn't cache based on query string parameters.
For more information, see Configuring CloudFront to Cache Based on Query String Parameters in the
Required: Yes
Type: Boolean

QueryStringCacheKeys
A complex type that contains information about the query string parameters that you want
CloudFront to use for caching for this cache behavior.
Required: No
See Also
• ForwardedValues in the Amazon CloudFront API Reference

1122
CloudFront
AWS::CloudFront::Distribution GeoRestriction
A complex type that controls the countries in which your content is distributed. CloudFront determines
the location of your users using MaxMind GeoIP databases.
Syntax
JSON
{
"Locations" : [ String, ... ],
"RestrictionType" : String
}
YAML
Locations:
- String
RestrictionType: String
Properties
Locations
A complex type that contains a Location element for each country in which you want CloudFront
either to distribute your content (whitelist) or not distribute your content (blacklist).
The Location element is a two-letter, uppercase country code for a country that you want to
include in your blacklist or whitelist. Include one Location element for each country.
CloudFront and MaxMind both use ISO 3166 country codes. For the current list of countries and
the corresponding codes, see ISO 3166-1-alpha-2 code on the International Organization for
Standardization website. You can also refer to the country list on the CloudFront console, which
includes both country names and codes.

RestrictionType
The method that you want to use to restrict distribution of your content by country:
• none: No geo restriction is enabled, meaning access to content is not restricted by client geo
location.
• blacklist: The Location elements specify the countries in which you don't want CloudFront to
distribute your content.
• whitelist: The Location elements specify the countries in which you want CloudFront to
distribute your content.
Required: Yes
Type: String
Allowed Values: blacklist | none | whitelist

1123
CloudFront
See Also
• GeoRestriction in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution LambdaFunctionAssociation
A complex type that contains a Lambda function association.
Syntax
JSON
{
"EventType" : String,
"LambdaFunctionARN" : String
}
YAML
EventType: String
LambdaFunctionARN: String
Properties
EventType
Specifies the event type that triggers a Lambda function invocation. You can specify the following
values:
• viewer-request: The function executes when CloudFront receives a request from a viewer and
before it checks to see whether the requested object is in the edge cache.
• origin-request: The function executes only when CloudFront forwards a request to your origin.
When the requested object is in the edge cache, the function doesn't execute.
• origin-response: The function executes after CloudFront receives a response from the origin
and before it caches the object in the response. When the requested object is in the edge cache,
the function doesn't execute.
• viewer-response: The function executes before CloudFront returns the requested object to the
viewer. The function executes regardless of whether the object was already in the edge cache.
If the origin returns an HTTP status code other than HTTP 200 (OK), the function doesn't execute.
Required: No
Type: String
Allowed Values: origin-request | origin-response | viewer-request | viewer-

response

LambdaFunctionARN
The ARN of the Lambda function. You must specify the ARN of a function version; you can't specify a
Lambda alias or $LATEST.

1124
CloudFront
Required: No
Type: String
See Also
• LambdaFunctionAssociation in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution Logging
A complex type that controls whether access logs are written for the distribution.
Syntax
JSON
{
"Bucket" : String,
"IncludeCookies" : Boolean,
"Prefix" : String
}
YAML
Bucket: String
IncludeCookies: Boolean
Prefix: String
Properties
Bucket
The Amazon S3 bucket to store the access logs in, for example,
myawslogbucket.s3.amazonaws.com.
Required: Yes
Type: String

IncludeCookies
Specifies whether you want CloudFront to include cookies in access logs, specify true for
IncludeCookies. If you choose to include cookies in logs, CloudFront logs all cookies regardless
of how you configure the cache behaviors for this distribution. If you don't want to include cookies
when you create a distribution or if you want to disable include cookies for an existing distribution,
specify false for IncludeCookies.
Required: No
Type: Boolean

1125
CloudFront
Prefix
An optional string that you want CloudFront to prefix to the access log filenames for this
distribution, for example, myprefix/. If you want to enable logging, but you don't want to specify a
prefix, you still must include an empty Prefix element in the Logging element.
Required: No
Type: String
See Also
• LoggingConfig in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution Origin
A complex type that describes the Amazon S3 bucket, HTTP server (for example, a web server), Amazon
MediaStore, or other server from which CloudFront gets your files. This can also be an origin group, if
you've created an origin group. You must specify at least one origin or origin group.
For the current limit on the number of origins or origin groups that you can specify for a distribution, see
Amazon CloudFront Limits in the AWS General Reference.
Syntax
JSON
{
"CustomOriginConfig" : CustomOriginConfig (p. 1111),
"Id" : String,
"OriginCustomHeaders" : [ OriginCustomHeader (p. 1128), ... ],
"OriginPath" : String,
"S3OriginConfig" : S3OriginConfig (p. 1130)
}
YAML
CustomOriginConfig:
CustomOriginConfig (p. 1111)
DomainName: String
Id: String
OriginCustomHeaders:
- OriginCustomHeader (p. 1128)
OriginPath: String
S3OriginConfig:
S3OriginConfig (p. 1130)
Properties
CustomOriginConfig
A complex type that contains information about a custom origin. If the origin is an Amazon S3
bucket, use the S3OriginConfig element instead.

1126
CloudFront
Type: CustomOriginConfig (p. 1111)

DomainName
Amazon S3 origins: The DNS name of the Amazon S3 bucket from which you want CloudFront to
get objects for this origin, for example, myawsbucket.s3.amazonaws.com. If you set up your
bucket to be configured as a website endpoint, enter the Amazon S3 static website hosting endpoint
for the bucket.
For more information about specifying this value for different types of origins, see Origin Domain
Name in the Amazon CloudFront Developer Guide.
Constraints for Amazon S3 origins:

• If you configured Amazon S3 Transfer Acceleration for your bucket, don't specify the s3-
accelerate endpoint for DomainName.
• The bucket name must be between 3 and 63 characters long (inclusive).
• The bucket name must contain only lowercase characters, numbers, periods, underscores, and
dashes.
• The bucket name must not contain adjacent periods.
Custom Origins: The DNS domain name for the HTTP server from which you want CloudFront to get
objects for this origin, for example, www.example.com.
Constraints for custom origins:

• DomainName must be a valid DNS name that contains only a-z, A-Z, 0-9, dot (.), hyphen (-), or
underscore (_) characters.
• The name cannot exceed 128 characters.
Required: Yes
Type: String

Id
A unique identifier for the origin or origin group. The value of Id must be unique within the
distribution.
When you specify the value of TargetOriginId for the default cache behavior or for another
cache behavior, you indicate the origin to which you want the cache behavior to route requests by
specifying the value of the Id element for that origin. When a request matches the path pattern for
that cache behavior, CloudFront routes the request to the specified origin. For more information, see
Cache Behavior Settings in the Amazon CloudFront Developer Guide.
Required: Yes
Type: String

OriginCustomHeaders
A complex type that contains names and values for the custom headers that you want.
Required: No

1127
CloudFront
Type: List of OriginCustomHeader (p. 1128)

OriginPath
An optional element that causes CloudFront to request your content from a directory in your
Amazon S3 bucket or your custom origin. When you include the OriginPath element, specify
the directory name, beginning with a /. CloudFront appends the directory name to the value of
DomainName, for example, example.com/production. Do not include a / at the end of the
directory name.
For example, suppose you've specified the following values for your distribution:
• DomainName: An Amazon S3 bucket named myawsbucket.
• OriginPath: /production
• CNAME: example.com
When a user enters example.com/index.html in a browser, CloudFront sends a request to

Amazon S3 for myawsbucket/production/index.html.
When a user enters example.com/acme/index.html in a browser, CloudFront sends a request to

Amazon S3 for myawsbucket/production/acme/index.html.
Required: No
Type: String

S3OriginConfig
A complex type that contains information about the Amazon S3 origin. If the origin is a custom
origin, use the CustomOriginConfig element instead.
Type: S3OriginConfig (p. 1130)
See Also
• Origin in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution OriginCustomHeader
A complex type that contains HeaderName and HeaderValue elements, if any, for this distribution.
Syntax
JSON
{
"HeaderName" : String,
"HeaderValue" : String
}

1128
CloudFront
YAML
HeaderName: String
HeaderValue: String
Properties
HeaderName
The name of a header that you want CloudFront to forward to your origin. For more information,
see Forwarding Custom Headers to Your Origin (Web Distributions Only) in the Amazon CloudFront
Developer Guide.
Required: Yes
Type: String

HeaderValue
The value for the header that you specified in the HeaderName field.
Required: Yes
Type: String
See Also
• OriginCustomHeader in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution Restrictions
A complex type that identifies ways in which you want to restrict distribution of your content.
Syntax
JSON
{
"GeoRestriction" : GeoRestriction (p. 1123)
}
YAML
GeoRestriction:
GeoRestriction (p. 1123)
Properties
GeoRestriction
A complex type that controls the countries in which your content is distributed. CloudFront
determines the location of your users using MaxMind GeoIP databases.

1129
CloudFront
Required: Yes
Type: GeoRestriction (p. 1123)
See Also
• Restrictions in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution S3OriginConfig
A complex type that contains information about the Amazon S3 origin. If the origin is a custom origin,
use the CustomOriginConfig element instead.
Syntax
JSON
{
"OriginAccessIdentity" : String
}
YAML
OriginAccessIdentity: String
Properties
OriginAccessIdentity
The CloudFront origin access identity to associate with the origin. Use an origin access identity
to configure the origin so that viewers can only access objects in an Amazon S3 bucket through
CloudFront. The format of the value is:
origin-access-identity/cloudfront/ID-of-origin-access-identity
where ID-of-origin-access-identity is the value that CloudFront returned in the ID

element when you created the origin access identity.
If you want viewers to be able to access objects using either the CloudFront URL or the Amazon S3
URL, specify an empty OriginAccessIdentity element.
To delete the origin access identity from an existing distribution, update the distribution
configuration and include an empty OriginAccessIdentity element.
To replace the origin access identity, update the distribution configuration and specify the new origin
access identity.
For more information about the origin access identity, see Serving Private Content through
CloudFront in the Amazon CloudFront Developer Guide.
Required: No
Type: String

1130
CloudFront
See Also
• S3OriginConfig in the Amazon CloudFront API Reference
AWS::CloudFront::Distribution ViewerCertificate
A complex type that specifies the following:
• Whether you want viewers to use HTTP or HTTPS to request your objects.
• If you want viewers to use HTTPS, whether you're using an alternate domain name,
such as example.com, or the CloudFront domain name for your distribution, such as
d111111abcdef8.cloudfront.net.
• If you're using an alternate domain name, whether AWS Certificate Manager (ACM) provided the
certificate, or you purchased a certificate from a third-party certificate authority and imported it into
ACM or uploaded it to the IAM certificate store.
Specify only one of the following values:
• ACMCertificateArn
• IAMCertificateId
• CloudFrontDefaultCertificate
For more information, see Using Alternate Domain Names and HTTPS in the Amazon CloudFront
Developer Guide.
Syntax
JSON
{
"AcmCertificateArn" : String,
"CloudFrontDefaultCertificate" : Boolean,
"IamCertificateId" : String,
"MinimumProtocolVersion" : String,
"SslSupportMethod" : String
}
YAML
AcmCertificateArn: String
CloudFrontDefaultCertificate: Boolean
IamCertificateId: String
MinimumProtocolVersion: String
SslSupportMethod: String
Properties
AcmCertificateArn
If you want viewers to use HTTPS to request your objects and you're using an alternate domain
name, you must choose the type of certificate that you want to use. If ACM provided your certificate,

1131
CloudFront
specify the Amazon Resource Name (ARN) for the ACM certificate that you want to use for this
distribution. CloudFront only supports ACM certificates in the US East (N. Virginia) Region (us-
east-1).
If you specify an ACM certificate ARN, you must also specify an SSL support method (sni-only or
vip).
Required: No
Type: String

CloudFrontDefaultCertificate
If you're using the CloudFront domain name for your distribution, such as
d111111abcdef8.cloudfront.net, specify this value as true.
Type: Boolean

IamCertificateId
If you want viewers to use HTTPS to request your objects and you're using an alternate domain
name, you must choose the type of certificate that you want to use. If you purchased your certificate
from a third-party certificate authority and uploaded it to the IAM certificate store, specify the
certificate ID that you want to use for this distribution.
If you specify a certificate ID, you must also specify an SSL support method (sni-only or vip).
Required: No
Type: String

MinimumProtocolVersion
Specify the security policy that you want CloudFront to use for HTTPS connections. A security policy
determines two settings:
• The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.
• The cipher that CloudFront uses to encrypt the content that it returns to viewers.
Note
On the CloudFront console, this setting is called Security Policy.
We recommend that you specify TLSv1.1_2016 unless your viewers are using browsers or devices
that do not support TLSv1.1 or later.
When both of the following are true, you must specify TLSv1 or later for the security policy:
• You're using a custom certificate; that is, you specified a value for ACMCertificateArn or for
IAMCertificateId.
• You're using SNI; that is, you specified sni-only for SSLSupportMethod.
If you specify true for CloudFrontDefaultCertificate, CloudFront automatically sets the

security policy to TLSv1 regardless of the value that you specify here.
For information about the relationship between the security policy that you choose and the
protocols and ciphers that CloudFront uses to communicate with viewers, see Supported SSL/

1132
CloudFront
TLS Protocols and Ciphers for Communication Between Viewers and CloudFront in the Amazon
Type: String
Allowed Values: SSLv3 | TLSv1 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1_2016

SslSupportMethod
If you specify a value for ACMCertificateArn or for IAMCertificateId, you must also specify how you
want CloudFront to serve HTTPS requests: using a method that works for browsers and clients
released after 2010, or one that works for all clients.
• sni-only: CloudFront can respond to HTTPS requests from viewers that support Server Name
Indication (SNI). All modern browsers support SNI, but there are a few that don't. For a current list
of the browsers that support SNI, see the Wikipedia entry Server Name Indication. To learn about
options to explore if you have viewers with browsers that don't include SNI support, see Choosing
How CloudFront Serves HTTPS Requests in the Amazon CloudFront Developer Guide.
• vip: CloudFront uses dedicated IP addresses for your content and can respond to HTTPS requests
from any viewer. However, there are additional monthly charges. For details, including specific
pricing information, see Custom SSL options for Amazon CloudFront on the AWS marketing site.
Don't specify a value here if you specified CloudFrontDefaultCertificate as true.
For more information, see Choosing How CloudFront Serves HTTPS Requests in the Amazon
Type: String
Allowed Values: sni-only | vip
See Also
• ViewerCertificate in the Amazon CloudFront API Reference
AWS::CloudFront::StreamingDistribution
A streaming distribution tells CloudFront where you want RTMP content to be delivered from, and the
details about how to track and manage content delivery.
Syntax
JSON
{
"Type" : "AWS::CloudFront::StreamingDistribution",
"Properties" : {
"StreamingDistributionConfig" : StreamingDistributionConfig (p. 1138),
"Tags" : [ Tag, ... ]
}

1133
CloudFront
YAML
Type: AWS::CloudFront::StreamingDistribution
Properties:
StreamingDistributionConfig:
StreamingDistributionConfig (p. 1138)
Tags:
- Tag
Properties
StreamingDistributionConfig
The current configuration information for the RTMP distribution.
Required: Yes
Type: StreamingDistributionConfig (p. 1138)

Tags
A complex type that contains zero or more Tag elements.
Required: Yes
Type: List of Tag
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the streaming
distribution ID, such as E1E7FEN9T35R9W.
Fn::GetAtt
DomainName
The domain name of the resource, such as sct27g85mgx04.cloudfront.net.
Examples
Create a streaming distribution
The following example specifies a streaming distribution and assigns it a single tag.

1134
CloudFront
JSON
{
"Resources": {
"streamingdistribution": {
"Type": "AWS::CloudFront::StreamingDistribution",
"Properties": {
"StreamingDistributionConfig": {
"Aliases": [
"string-values"
],
"Comment": "string-value",
"Enabled": "boolean-value",
"Logging": {
"Bucket": "string-value",
"Prefix": "string-value"
},
"PriceClass": "string-value",
"S3Origin": {
"DomainName": "string-value",
"OriginAccessIdentity": "string-value"
},
"TrustedSigners": {
"AwsAccountNumbers": [
"string-values"
]
}
},
"Tags": [
{
"Key": "string-value",
"Value": "string-value"
}
]
}
}
}
}
YAML
Resources:
streamingdistribution:
Type: AWS::CloudFront::StreamingDistribution
Properties:
StreamingDistributionConfig:
Aliases:
- string-values
Comment: string-value
Enabled: boolean-value
Logging:
Bucket: string-value
Prefix: string-value
PriceClass: string-value
S3Origin:
DomainName: string-value
OriginAccessIdentity: string-value
TrustedSigners:

1135
CloudFront
AwsAccountNumbers:
- string-values
Tags:
- Key: string-value
Value: string-value
AWS::CloudFront::StreamingDistribution Logging
A complex type that controls whether access logs are written for the streaming distribution.
Syntax
JSON
{
"Bucket" : String,
"Prefix" : String
}
YAML
Bucket: String
Enabled: Boolean
Prefix: String
Properties
Bucket
The Amazon S3 bucket to store the access logs in, for example,
myawslogbucket.s3.amazonaws.com.
Required: Yes
Type: String

Enabled
Specifies whether you want CloudFront to save access logs to an Amazon S3 bucket. If you don't
want to enable logging when you create a streaming distribution or if you want to disable logging
for an existing streaming distribution, specify false for Enabled, and specify empty Bucket and
Prefix elements. If you specify false for Enabled but you specify values for Bucket and Prefix,
the values are automatically deleted.
Required: Yes
Type: Boolean

Prefix
An optional string that you want CloudFront to prefix to the access log filenames for this streaming
distribution, for example, myprefix/. If you want to enable logging, but you don't want to specify a
prefix, you still must include an empty Prefix element in the Logging element.

1136
CloudFront
Required: Yes
Type: String
See Also
• StreamingLoggingConfig in the Amazon CloudFront API Reference
AWS::CloudFront::StreamingDistribution S3Origin
A complex type that contains information about the Amazon S3 bucket from which you want CloudFront
to get your media files for distribution.
Syntax
JSON
{
"OriginAccessIdentity" : String
}
YAML
DomainName: String
OriginAccessIdentity: String
Properties
DomainName
The DNS name of the Amazon S3 origin.
Required: Yes
Type: String

OriginAccessIdentity
The CloudFront origin access identity to associate with the distribution. Use an origin access identity
to configure the distribution so that end users can only access objects in an Amazon S3 bucket
through CloudFront.
If you want end users to be able to access objects using either the CloudFront URL or the Amazon S3
URL, specify an empty OriginAccessIdentity element.
To delete the origin access identity from an existing distribution, update the distribution
configuration and include an empty OriginAccessIdentity element.
To replace the origin access identity, update the distribution configuration and specify the new origin
access identity.

1137
CloudFront
For more information, see Using an Origin Access Identity to Restrict Access to Your Amazon S3
Content in the Amazon CloudFront Developer Guide.
Required: Yes
Type: String
See Also
• S3Origin in the Amazon CloudFront API Reference
AWS::CloudFront::StreamingDistribution StreamingDistributionConfig
The RTMP distribution's configuration information.
Syntax
JSON
{
"Aliases" : [ String, ... ],
"Comment" : String,
"PriceClass" : String,
"S3Origin" : S3Origin (p. 1137),
"TrustedSigners" : TrustedSigners (p. 1140)
}
YAML
Aliases:
- String
Comment: String
Enabled: Boolean
Logging:
Logging (p. 1136)
PriceClass: String
S3Origin:
S3Origin (p. 1137)
TrustedSigners:
TrustedSigners (p. 1140)
Properties
Aliases
A complex type that contains information about CNAMEs (alternate domain names), if any, for this
streaming distribution.
Required: No

1138
CloudFront
Comment
Any comments you want to include about the streaming distribution.
Required: Yes
Type: String

Enabled
Whether the streaming distribution is enabled to accept user requests for content.
Required: Yes
Type: Boolean

Logging
A complex type that controls whether access logs are written for the streaming distribution.
Required: No

PriceClass
A complex type that contains information about price class for this streaming distribution.
Required: No
Type: String
Allowed Values: PriceClass_100 | PriceClass_200 | PriceClass_All

S3Origin
A complex type that contains information about the Amazon S3 bucket from which you want
CloudFront to get your media files for distribution.
Required: Yes
Type: S3Origin (p. 1137)

TrustedSigners
A complex type that specifies any AWS accounts that you want to permit to create signed URLs for
private content. If you want the distribution to use signed URLs, include this element; if you want
the distribution to use public URLs, remove this element. For more information, see Serving Private
Content through CloudFront in the Amazon CloudFront Developer Guide.
Required: Yes
Type: TrustedSigners (p. 1140)

1139
CloudFront
See Also
• StreamingDistributionConfig in the Amazon CloudFront API Reference
AWS::CloudFront::StreamingDistribution TrustedSigners
If you want to require signed URLs in requests for objects in the target origin, specify true for Enabled,
and specify a list of AWS account IDs. For more information, see Serving Private Content through
CloudFront in the Amazon CloudFront Developer Guide.
If you don't want to require signed URLs in requests for objects, specify false for Enabled and omit the
list of AWS account IDs.
Syntax
JSON
{
"AwsAccountNumbers" : [ String, ... ],
"Enabled" : Boolean
}
YAML
AwsAccountNumbers:
- String
Enabled: Boolean
Properties
AwsAccountNumbers
An AWS account that is included in the TrustedSigners complex type for this distribution. Valid
values include:
• self, which is the AWS account used to create the distribution.
• An AWS account number.
Required: No

Enabled
Specifies whether you want to require viewers to use signed URLs to access the files specified by
PathPattern and TargetOriginId.
Required: Yes
Type: Boolean

1140
AWS Cloud Map
See Also
• TrustedSigners in the Amazon CloudFront API Reference
AWS Cloud Map Resource Type Reference

Resource Types
• AWS::ServiceDiscovery::HttpNamespace (p. 1141)

• AWS::ServiceDiscovery::Instance (p. 1143)
• AWS::ServiceDiscovery::PrivateDnsNamespace (p. 1146)
• AWS::ServiceDiscovery::PublicDnsNamespace (p. 1148)
• AWS::ServiceDiscovery::Service (p. 1150)
AWS::ServiceDiscovery::HttpNamespace
The HttpNamespace resource is a Cloud Map resource type that contains information about an HTTP
namespace. Service instances that you register using an HTTP namespace can be discovered using a
DiscoverInstances request but can't be discovered using DNS.
For the current limit on the number of namespaces that you can create using the same AWS account, see
AWS Cloud Map Limits in the AWS Cloud Map Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ServiceDiscovery::HttpNamespace",
"Properties" : {
"Name" : String
}
}
YAML
Type: AWS::ServiceDiscovery::HttpNamespace
Properties:
Description: String
Name: String
Properties
Description
A description for the namespace.
Required: No
Type: String
Maximum: 1024

1141
AWS Cloud Map

Name
The name that you want to assign to this namespace.
Required: Yes
Type: String
Maximum: 1024
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Id for the
namespace, such as ns-e4anhexample0004.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the namespace, such as arn:aws:service-discovery:us-

east-1:123456789012:http-namespace/http-namespace-a1bzhi.
Id
The ID of the namespace.
Examples
Create an HTTP namespace
The following example creates an HTTP namespace named example-namespace.
JSON
{
"Type" : "AWS::ServiceDiscovery::HttpNamespace",
"Properties" : {
"Description" : "Cloud Map HTTP namespace for resources for example.com website",
"Name" : "example-namespace"
}
}
YAML
Type: 'AWS::ServiceDiscovery::HttpNamespace'
Properties:

1142
AWS Cloud Map
Description: Cloud Map HTTP namespace for resources for example.com website
Name: example-namespace
See Also
• CreateHttpNamespace in the AWS Cloud Map API Reference
AWS::ServiceDiscovery::Instance
A complex type that contains information about an instance that AWS Cloud Map creates when you
submit a RegisterInstance request.
Syntax
JSON
{
"Type" : "AWS::ServiceDiscovery::Instance",
"Properties" : {
"InstanceAttributes" : Json,
"ServiceId" : String
}
}
YAML
Type: AWS::ServiceDiscovery::Instance
Properties:
InstanceAttributes: Json
InstanceId: String
ServiceId: String
Properties
InstanceAttributes
A string map that contains the following information for the service that you specify in ServiceId:
• The attributes that apply to the records that are defined in the service.
• For each attribute, the applicable value.
Supported attribute keys include the following:
AWS_ALIAS_DNS_NAME
If you want AWS Cloud Map to create a Route 53 alias record that routes traffic to an Elastic Load
Balancing load balancer, specify the DNS name that is associated with the load balancer. For
information about how to get the DNS name, see "DNSName" in the topic AliasTarget.
Note the following:

• The configuration for the service that is specified by ServiceId must include settings for an A
record, an AAAA record, or both.
• In the service that is specified by ServiceId, the value of RoutingPolicy must be WEIGHTED.

1143
AWS Cloud Map
• If the service that is specified by ServiceId includes HealthCheckConfig settings, AWS Cloud
Map will create the health check, but it won't associate the health check with the alias record.
• Auto naming currently doesn't support creating alias records that route traffic to AWS resources
other than ELB load balancers.
• If you specify a value for AWS_ALIAS_DNS_NAME, don't specify values for any of the
AWS_INSTANCE attributes.
AWS_INSTANCE_CNAME
If the service configuration includes a CNAME record, the domain name that you want Route 53 to
return in response to DNS queries, for example, example.com.
This value is required if the service specified by ServiceId includes settings for an CNAME record.
AWS_INSTANCE_IPV4
If the service configuration includes an A record, the IPv4 address that you want Route 53 to return
in response to DNS queries, for example, 192.0.2.44.
This value is required if the service specified by ServiceId includes settings for an A record. If the
service includes settings for an SRV record, you must specify a value for AWS_INSTANCE_IPV4,
AWS_INSTANCE_IPV6, or both.
AWS_INSTANCE_IPV6
If the service configuration includes an AAAA record, the IPv6 address that you want Route 53 to
return in response to DNS queries, for example, 2001:0db8:85a3:0000:0000:abcd:0001:2345.
This value is required if the service specified by ServiceId includes settings for an AAAA record. If
the service includes settings for an SRV record, you must specify a value for AWS_INSTANCE_IPV4,
AWS_INSTANCE_IPV6, or both.
AWS_INSTANCE_PORT
If the service includes an SRV record, the value that you want Route 53 to return for the port.
If the service includes HealthCheckConfig, the port on the endpoint that you want Route 53 to
send requests to.
This value is required if you specified settings for an SRV record or a Route 53 health check when
you created the service.
Required: Yes
Type: Json

InstanceId
An identifier that you want to associate with the instance. Note the following:
• If the service that is specified by ServiceId includes settings for an SRV record, the value
of InstanceId is automatically included as part of the value for the SRV record. For more
information, see DnsRecord > Type.
• You can use this value to update an existing instance.
• To register a new instance, you must specify a value that is unique among instances that you
register by using the same service.
• If you specify an existing InstanceId and ServiceId, AWS Cloud Map updates the existing DNS
records. If there's also an existing health check, AWS Cloud Map deletes the old health check and
creates a new one.

1144
AWS Cloud Map
Note
The health check isn't deleted immediately, so it will still appear for a while if you submit
a ListHealthChecks request, for example.
Required: No
Type: String
Maximum: 64

ServiceId
The ID of the service that you want to use for settings for the instance.
Required: Yes
Type: String
Maximum: 64
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the value of Id
for the instance, such as i-abcd1234.
Examples
Provide IP addresses for an instance
The following example provides IPv4 and IPV6 IP addresses for the instance that has an ID of i-
abcd1234. The instance was registered using the service that has an ID of srv-e4anhexample0004.
JSON
{
"Type": "AWS::ServiceDiscovery::Instance",
"Properties": {
"InstanceAttributes": {
"AWS_INSTANCE_IPV4": "192.0.2.44",
"AWS_INSTANCE_IPV6": "2001:0db8:85a3:0000:0000:abcd:0001:2345"
},
"InstanceId": "i-abcd1234",
"ServiceId": "srv-e4anhexample0004"
}
}
YAML
Type: AWS::ServiceDiscovery::Instance
Properties:
InstanceAttributes:
AWS_INSTANCE_IPV4: 192.0.2.44
AWS_INSTANCE_IPV6: 2001:0db8:85a3:0000:0000:abcd:0001:2345

1145
AWS Cloud Map
InstanceId: i-abcd1234
ServiceId: srv-e4anhexample0004
See Also
• RegisterInstance in the AWS Cloud Map API Reference
AWS::ServiceDiscovery::PrivateDnsNamespace
Creates a private namespace based on DNS, which will be visible only inside a specified Amazon
VPC. The namespace defines your service naming scheme. For example, if you name your namespace
example.com and name your service backend, the resulting DNS name for the service will be
backend.example.com. For the current limit on the number of namespaces that you can create using
the same AWS account, see AWS Cloud Map Limits in the AWS Cloud Map Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ServiceDiscovery::PrivateDnsNamespace",
"Properties" : {
"Name" : String,
"Vpc" : String
}
}
YAML
Type: AWS::ServiceDiscovery::PrivateDnsNamespace
Properties:
Description: String
Name: String
Vpc: String
Properties
Description
Required: No
Type: String
Maximum: 1024

Name
The name that you want to assign to this namespace. When you create a private DNS namespace,
AWS Cloud Map automatically creates an Amazon Route 53 private hosted zone that has the same
name as the namespace.
Required: Yes

1146
AWS Cloud Map
Type: String
Maximum: 1024

Vpc
The ID of the Amazon VPC that you want to associate the namespace with.
Required: Yes
Type: String
Maximum: 64
Return Values
Ref
for the namespace, such as ns-e4anhexample0004.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the private namespace.

Id
The ID of the private namespace.
Examples
Create a private DNS namespace
The following example creates a private DNS namespace named private-example.com.
JSON
{
"Type" : "AWS::ServiceDiscovery::PrivateDnsNamespace",
"Properties" : {
"Description" : "Cloud Map private DNS namespace for resources for example.com
website",
"Vpc" : "vpc-12345678",
"Name" : "private-example.com"
}
}

1147
AWS Cloud Map
YAML
Type: 'AWS::ServiceDiscovery::PrivateDnsNamespace'
Properties:
Description: Cloud Map private DNS namespace for resources for example.com website
Vpc: vpc-12345678
Name: private-example.com
See Also
• CreatePrivateDnsNamespace in the AWS Cloud Map API Reference
AWS::ServiceDiscovery::PublicDnsNamespace
Creates a public namespace based on DNS, which will be visible on the internet. The namespace defines
your service naming scheme. For example, if you name your namespace example.com and name your
service backend, the resulting DNS name for the service will be backend.example.com. For the
current limit on the number of namespaces that you can create using the same AWS account, see AWS
Cloud Map Limits in the AWS Cloud Map Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ServiceDiscovery::PublicDnsNamespace",
"Properties" : {
"Name" : String
}
}
YAML
Type: AWS::ServiceDiscovery::PublicDnsNamespace
Properties:
Description: String
Name: String
Properties
Description
Required: No
Type: String
Maximum: 1024

Name
The name that you want to assign to this namespace.

1148
AWS Cloud Map
Required: Yes
Type: String
Maximum: 1024
Return Values
Ref
for the namespace, such as ns-e4anhexample0004.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the public namespace.

Id
The ID of the public namespace.
Examples
Create a public DNS namespace
The following example creates a public DNS namespace named example.com.
JSON
{
"Type" : "AWS::ServiceDiscovery::PublicDnsNamespace",
"Properties" : {
"Description" : "Cloud Map public DNS namespace for example.com website",
"Name" : "example.com"
}
}
YAML
Type: 'AWS::ServiceDiscovery::PublicDnsNamespace'
Properties:
Description: Cloud Map public DNS namespace for example.com website
Name: example.com
See Also
• CreatePublicDnsNamespace in the AWS Cloud Map API Reference

1149
AWS Cloud Map
AWS::ServiceDiscovery::Service
A complex type that contains information about a service, which defines the configuration of the
following entities:
• For public and private DNS namespaces, one of the following combinations of DNS records in Amazon
Route 53:
• A
• AAAA
• A and AAAA
• SRV
• CNAME
• Optionally, a health check
Syntax
JSON
{
"Type" : "AWS::ServiceDiscovery::Service",
"Properties" : {
"DnsConfig" : DnsConfig (p. 1153),
"HealthCheckConfig" : HealthCheckConfig (p. 1157),
"HealthCheckCustomConfig" : HealthCheckCustomConfig (p. 1159),
"Name" : String,
"NamespaceId" : String
}
}
YAML
Type: AWS::ServiceDiscovery::Service
Properties:
Description: String
DnsConfig:
DnsConfig (p. 1153)
HealthCheckConfig:
HealthCheckConfig (p. 1157)
HealthCheckCustomConfig:
HealthCheckCustomConfig (p. 1159)
Name: String
NamespaceId: String
Properties
Description
The description of the service.
Required: No
Type: String
Maximum: 1024

1150
AWS Cloud Map

DnsConfig
A complex type that contains information about the Route 53 DNS records that you want AWS Cloud
Map to create when you register an instance.
Required: No
Type: DnsConfig (p. 1153)

HealthCheckConfig
Public DNS and HTTP namespaces only. A complex type that contains settings for an optional health
check. If you specify settings for a health check, AWS Cloud Map associates the health check with the
records that you specify in DnsConfig.
For information about the charges for health checks, see Amazon Route 53 Pricing.
Required: No
Type: HealthCheckConfig (p. 1157)

HealthCheckCustomConfig
A complex type that contains information about an optional custom health check.
Important
If you specify a health check configuration, you can specify either
HealthCheckCustomConfig or HealthCheckConfig but not both.
Required: No
Type: HealthCheckCustomConfig (p. 1159)

Name
The name of the service.
Required: No
Type: String
Pattern: ((?=^.{1,127}$)^([a-zA-Z0-9_][a-zA-Z0-9-_]{0,61}[a-zA-Z0-9_]|[a-zA-
Z0-9])(\.([a-zA-Z0-9_][a-zA-Z0-9-_]{0,61}[a-zA-Z0-9_]|[a-zA-Z0-9]))*$)|(^\.
$)

NamespaceId
The ID of the namespace that was used to create the service.

Important
You must specify a value for NamespaceId either for the service properties or for
DnsConfig. Don't specify a value in both places.
Required: No

1151
AWS Cloud Map
Type: String
Maximum: 64
Return Values
Ref
for the service, such as srv-e4anhexample0004.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the service.

Id
The ID of the service.

Name
The name that you assigned to the service.
Examples
Create a service
The following example creates a service based on a public DNS namespace. The service includes settings
for Amazon Route 53 A and AAAA records that have a routing policy of WEIGHTED. It also includes a
Route 53 health check.
JSON
{
"Type" : "AWS::ServiceDiscovery::Service",
"Properties" : {
"Description" : "Service based on a public DNS namespace",
"DnsConfig" : {
"DnsRecords" : [
{
"Type" : "A",
"TTL" : 60
},
{
"Type" : "AAAA",
"TTL" : 60
}
],

1152
AWS Cloud Map
"RoutingPolicy" : "WEIGHTED"
},
"HealthCheckConfig" : {
"FailureThreshold" : 3,
"ResourcePath" : "/",
"Type" : "HTTPS"
},
"Name" : "example-public-DNS-service",
"NamespaceId" : "ns-e4anhexample0004"
}
}
YAML
Type: 'AWS::ServiceDiscovery::Service'
Properties:
Description: Service based on a public DNS namespace
DnsConfig:
DnsRecords:
- Type: A
TTL: 60
- Type: AAAA
TTL: 60
RoutingPolicy: WEIGHTED
HealthCheckConfig:
FailureThreshold: 3
ResourcePath: /
Type: HTTPS
Name: example-public-DNS-service
NamespaceId: ns-e4anhexample0004
See Also
• CreateService in the AWS Cloud Map API Reference
AWS::ServiceDiscovery::Service DnsConfig
A complex type that contains information about the Amazon Route 53 DNS records that you want AWS
Cloud Map to create when you register an instance.
Syntax
JSON
{
"DnsRecords" : [ DnsRecord (p. 1155), ... ],
"NamespaceId" : String,
"RoutingPolicy" : String
}
YAML
DnsRecords:
- DnsRecord (p. 1155)
NamespaceId: String
RoutingPolicy: String

1153
AWS Cloud Map
Properties
DnsRecords
An array that contains one DnsRecord object for each Route 53 DNS record that you want AWS
Cloud Map to create when you register an instance.
Required: Yes
Type: List of DnsRecord (p. 1155)

NamespaceId
The ID of the namespace to use for DNS configuration.

Important
You must specify a value for NamespaceId either for DnsConfig or for the service
properties. Don't specify a value in both places.
Required: No
Type: String
Maximum: 64

RoutingPolicy
The routing policy that you want to apply to all Route 53 DNS records that AWS Cloud Map creates
when you register an instance and specify this service.
Note
If you want to use this service to register instances that create alias records, specify
WEIGHTED for the routing policy.
You can specify the following values:
MULTIVALUE
If you define a health check for the service and the health check is healthy, Route 53 returns the
applicable value for up to eight instances.
For example, suppose the service includes configurations for one A record and a health check, and
you use the service to register 10 instances. Route 53 responds to DNS queries with IP addresses for
up to eight healthy instances. If fewer than eight instances are healthy, Route 53 responds to every
DNS query with the IP addresses for all of the healthy instances.
If you don't define a health check for the service, Route 53 assumes that all instances are healthy
and returns the values for up to eight instances.
For more information about the multivalue routing policy, see Multivalue Answer Routing in the
Route 53 Developer Guide.
WEIGHTED
Route 53 returns the applicable value from one randomly selected instance from among the
instances that you registered using the same service. Currently, all records have the same weight, so
you can't route more or less traffic to any instances.
For example, suppose the service includes configurations for one A record and a health check, and
you use the service to register 10 instances. Route 53 responds to DNS queries with the IP address

1154
AWS Cloud Map
for one randomly selected instance from among the healthy instances. If no instances are healthy,
Route 53 responds to DNS queries as if all of the instances were healthy.
If you don't define a health check for the service, Route 53 assumes that all instances are healthy
and returns the applicable value for one randomly selected instance.
For more information about the weighted routing policy, see Weighted Routing in the Route 53
Developer Guide.
Required: No
Type: String
Allowed Values: MULTIVALUE | WEIGHTED
See Also
• DnsConfig in the AWS Cloud Map API Reference
AWS::ServiceDiscovery::Service DnsRecord
A complex type that contains information about the Route 53 DNS records that you want AWS Cloud
Map to create when you register an instance.
Syntax
JSON
{
"TTL" : Double,
"Type" : String
}
YAML
TTL: Double
Type: String
Properties
TTL
The amount of time, in seconds, that you want DNS resolvers to cache the settings for this record.
Note
Alias records don't include a TTL because Route 53 uses the TTL for the AWS resource that
an alias record routes traffic to. If you include the AWS_ALIAS_DNS_NAME attribute when
you submit a RegisterInstance request, the TTL value is ignored. Always specify a TTL for
the service; you can use a service to register instances that create either alias or non-alias
records.
Required: Yes
Type: Double

1155
AWS Cloud Map

Type
The type of the resource, which indicates the type of value that Route 53 returns in response to DNS
queries. You can specify values for Type in the following combinations:
• A
• AAAA
• A and AAAA
• SRV
• CNAME
If you want AWS Cloud Map to create a Route 53 alias record when you register an instance, specify
A or AAAA for Type.
You specify other settings, such as the IP address for A and AAAA records, when you register an
instance. For more information, see RegisterInstance.
The following values are supported:
Route 53 returns the IP address of the resource in IPv4 format, such as 192.0.2.44.
AAAA
Route 53 returns the IP address of the resource in IPv6 format, such as

2001:0db8:85a3:0000:0000:abcd:0001:2345.
CNAME
Route 53 returns the domain name of the resource, such as www.example.com. Note the following:
• You specify the domain name that you want to route traffic to when you register an instance. For
more information, see Attributes in the topic RegisterInstance.
• You must specify WEIGHTED for the value of RoutingPolicy.
• You can't specify both CNAME for Type and settings for HealthCheckConfig. If you do, the
request will fail with an InvalidInput error.
SRV
Route 53 returns the value for an SRV record. The value for an SRV record uses the following values:
priority weight port service-hostname
Note the following about the values:

• The values of priority and weight are both set to 1 and can't be changed.
• The value of port comes from the value that you specify for the AWS_INSTANCE_PORT attribute
when you submit a RegisterInstance request.
• The value of service-hostname is a concatenation of the following values:
• The value that you specify for InstanceId when you register an instance.
• The name of the service.
• The name of the namespace.
For example, if the value of InstanceId is test, the name of the service is backend, and the
name of the namespace is example.com, the value of service-hostname is:
test.backend.example.com

1156
AWS Cloud Map
If you specify settings for an SRV record and if you specify values for AWS_INSTANCE_IPV4,
AWS_INSTANCE_IPV6, or both in the RegisterInstance request, AWS Cloud Map automatically
creates A and/or AAAA records that have the same name as the value of service-hostname in the
SRV record. You can ignore these records.
Required: Yes
Type: String
Allowed Values: A | AAAA | CNAME | SRV
See Also
• DnsRecord in the AWS Cloud Map API Reference
AWS::ServiceDiscovery::Service HealthCheckConfig
Public DNS and HTTP namespaces only. A complex type that contains settings for an optional health
check. If you specify settings for a health check, AWS Cloud Map associates the health check with the
records that you specify in DnsConfig.
Important
If you specify a health check configuration, you can specify either HealthCheckCustomConfig
or HealthCheckConfig but not both.
Health checks are basic Route 53 health checks that monitor an AWS endpoint. For information about
pricing for health checks, see Amazon Route 53 Pricing.
Note the following about configuring health checks.
A and AAAA records
If DnsConfig includes configurations for both A and AAAA records, AWS Cloud Map creates a health
check that uses the IPv4 address to check the health of the resource. If the endpoint that is specified by
the IPv4 address is unhealthy, Route 53 considers both the A and AAAA records to be unhealthy.
CNAME records
You can't specify settings for HealthCheckConfig when the DNSConfig includes CNAME for the value
of Type. If you do, the CreateService request will fail with an InvalidInput error.
Request interval
A Route 53 health checker in each health-checking region sends a health check request to an endpoint
every 30 seconds. On average, your endpoint receives a health check request about every two seconds.
However, health checkers don't coordinate with one another, so you'll sometimes see several requests
per second followed by a few seconds with no health checks at all.
Health checking regions
Health checkers perform checks from all Route 53 health-checking regions. For a list of the current
regions, see Regions.
Alias records
When you register an instance, if you include the AWS_ALIAS_DNS_NAME attribute, AWS Cloud Map
creates a Route 53 alias record. Note the following:

1157
AWS Cloud Map
• Route 53 automatically sets EvaluateTargetHealth to true for alias records. When

EvaluateTargetHealth is true, the alias record inherits the health of the referenced AWS resource.
such as an ELB load balancer. For more information, see EvaluateTargetHealth.
• If you include HealthCheckConfig and then use the service to register an instance that creates an
alias record, Route 53 doesn't create the health check.
Charges for health checks
Health checks are basic Route 53 health checks that monitor an AWS endpoint. For information about
pricing for health checks, see Amazon Route 53 Pricing.
Syntax
JSON
{
"FailureThreshold" : Double,
"Type" : String
}
YAML
FailureThreshold: Double
Type: String
Properties
FailureThreshold
The number of consecutive health checks that an endpoint must pass or fail for Route 53 to change
the current status of the endpoint from unhealthy to healthy or vice versa. For more information, see
How Route 53 Determines Whether an Endpoint Is Healthy in the Route 53 Developer Guide.
Required: No
Type: Double
Minimum: 1
Maximum: 10

ResourcePath
The path that you want Route 53 to request when performing health checks. The path can be any
value for which your endpoint will return an HTTP status code of 2xx or 3xx when the endpoint is
healthy, such as the file /docs/route53-health-check.html. Route 53 automatically adds the
DNS name for the service. If you don't specify a value for ResourcePath, the default value is /.
If you specify TCP for Type, you must not specify a value for ResourcePath.
Required: No
Type: String

1158
AWS Cloud Map
Maximum: 255

Type
The type of health check that you want to create, which indicates how Route 53 determines whether
an endpoint is healthy.
Important
You can't change the value of Type after you create a health check.
You can create the following types of health checks:

• HTTP: Route 53 tries to establish a TCP connection. If successful, Route 53 submits an HTTP
request and waits for an HTTP status code of 200 or greater and less than 400.
• HTTPS: Route 53 tries to establish a TCP connection. If successful, Route 53 submits an HTTPS
request and waits for an HTTP status code of 200 or greater and less than 400.
Important
If you specify HTTPS for the value of Type, the endpoint must support TLS v1.0 or later.
• TCP: Route 53 tries to establish a TCP connection.
If you specify TCP for Type, don't specify a value for ResourcePath.
For more information, see How Route 53 Determines Whether an Endpoint Is Healthy in the Route
53 Developer Guide.
Required: Yes
Type: String
Allowed Values: HTTP | HTTPS | TCP
See Also
• HealthCheckConfig in the AWS Cloud Map API Reference
AWS::ServiceDiscovery::Service HealthCheckCustomConfig
A complex type that contains information about an optional custom health check. A custom health
check, which requires that you use a third-party health checker to evaluate the health of your resources,
is useful in the following circumstances:
• You can't use a health check that is defined by HealthCheckConfig because the resource isn't
available over the internet. For example, you can use a custom health check when the instance is in an
Amazon VPC. (To check the health of resources in a VPC, the health checker must also be in the VPC.)
• You want to use a third-party health checker regardless of where your resources are.
Important
If you specify a health check configuration, you can specify either HealthCheckCustomConfig
or HealthCheckConfig but not both.
To change the status of a custom health check, submit an UpdateInstanceCustomHealthStatus

request. Cloud Map doesn't monitor the status of the resource, it just keeps a record of the status
specified in the most recent UpdateInstanceCustomHealthStatus request.

1159
AWS Cloud Map
Here's how custom health checks work:
1. You create a service and specify a value for FailureThreshold.
The failure threshold indicates the number of 30-second intervals you want AWS Cloud Map to wait
between the time that your application sends an UpdateInstanceCustomHealthStatus request and the
time that AWS Cloud Map stops routing internet traffic to the corresponding resource.
2. You register an instance.
3. You configure a third-party health checker to monitor the resource that is associated with the new
instance.
Note
AWS Cloud Map doesn't check the health of the resource directly.
4. The third-party health-checker determines that the resource is unhealthy and notifies your
application.
5. Your application submits an UpdateInstanceCustomHealthStatus request.
6. AWS Cloud Map waits for (FailureThreshold x 30) seconds.
7. If another UpdateInstanceCustomHealthStatus request doesn't arrive during that time to
change the status back to healthy, AWS Cloud Map stops routing traffic to the resource.
Syntax
JSON
{
"FailureThreshold" : Double
}
YAML
FailureThreshold: Double
Properties
FailureThreshold
The number of 30-second intervals that you want Cloud Map to wait after receiving an
UpdateInstanceCustomHealthStatus request before it changes the health status of a service
instance. For example, suppose you specify a value of 2 for FailureTheshold, and then your
application sends an UpdateInstanceCustomHealthStatus request. Cloud Map waits for
approximately 60 seconds (2 x 30) before changing the status of the service instance based on that
request.
Sending a second or subsequent UpdateInstanceCustomHealthStatus request with the same

value before FailureThreshold x 30 seconds has passed doesn't accelerate the change. Cloud
Map still waits FailureThreshold x 30 seconds after the first request to make the change.
Required: No
Type: Double
Minimum: 1
Maximum: 10

1160
CloudTrail
See Also
• HealthCheckCustomConfig in the AWS Cloud Map API Reference
CloudTrail Resource Type Reference

Resource Types
• AWS::CloudTrail::Trail (p. 1161)
AWS::CloudTrail::Trail
Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket.
Syntax
JSON
{
"Type" : "AWS::CloudTrail::Trail",
"Properties" : {
"CloudWatchLogsLogGroupArn" : String,
"CloudWatchLogsRoleArn" : String,
"EnableLogFileValidation" : Boolean,
"EventSelectors" : [ EventSelector (p. 1170), ... ],
"IncludeGlobalServiceEvents" : Boolean,
"IsLogging" : Boolean,
"IsMultiRegionTrail" : Boolean,
"KMSKeyId" : String,
"S3BucketName" : String,
"S3KeyPrefix" : String,
"SnsTopicName" : String,
"Tags" : [ Tag, ... ],
"TrailName" : String
}
}
YAML
Type: AWS::CloudTrail::Trail
Properties:
CloudWatchLogsLogGroupArn: String
CloudWatchLogsRoleArn: String
EnableLogFileValidation: Boolean
EventSelectors:
- EventSelector (p. 1170)
IncludeGlobalServiceEvents: Boolean
IsLogging: Boolean
IsMultiRegionTrail: Boolean
KMSKeyId: String
S3BucketName: String
S3KeyPrefix: String
SnsTopicName: String
Tags:

1161
CloudTrail
- Tag
TrailName: String
Properties
CloudWatchLogsLogGroupArn
Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that
represents the log group to which CloudTrail logs will be delivered. Not required unless you specify
CloudWatchLogsRoleArn.
Type: String

CloudWatchLogsRoleArn
Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.
Type: String

EnableLogFileValidation
Specifies whether log file validation is enabled. The default is false.

Note
When you disable log file integrity validation, the chain of digest files is broken after
one hour. CloudTrail will not create digest files for log files that were delivered during a
period in which log file integrity validation was disabled. For example, if you enable log file
integrity validation at noon on January 1, disable it at noon on January 2, and re-enable
it at noon on January 10, digest files will not be created for the log files delivered from
noon on January 2 to noon on January 10. The same applies whenever you stop CloudTrail
logging or delete a trail.
Required: No
Type: Boolean

EventSelectors
Use event selectors to further specify the management and data event settings for your trail.
By default, trails created without specific event selectors will be configured to log all read and
write management events, and no data events. When an event occurs in your account, CloudTrail
evaluates the event selector for all trails. For each trail, if the event matches any event selector, the
trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log
the event.
You can configure up to five event selectors for a trail.
Required: No
Type: List of EventSelector (p. 1170)

1162
CloudTrail
IncludeGlobalServiceEvents
Specifies whether the trail is publishing events from global services such as IAM to the log files.
Required: No
Type: Boolean

IsLogging
Whether the CloudTrail is currently logging AWS API calls.
Required: Yes
Type: Boolean

IsMultiRegionTrail
Specifies whether the trail applies only to the current region or to all regions. The default is false. If
the trail exists only in the current region and this value is set to true, shadow trails (replications of
the trail) will be created in the other regions. If the trail exists in all regions and this value is set to
false, the trail will remain in the region where it was created, and its shadow trails in other regions
will be deleted. As a best practice, consider using trails that log events in all regions.
Required: No
Type: Boolean

KMSKeyId
Specifies the KMS key ID to use to encrypt the logs delivered by CloudTrail. The value can be an
alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a
globally unique identifier.
Examples:
• alias/MyAliasName
• arn:aws:kms:us-east-2:123456789012:alias/MyAliasName
• arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
• 12345678-1234-1234-1234-123456789012
Required: No
Type: String

S3BucketName
Specifies the name of the Amazon S3 bucket designated for publishing log files. See Amazon S3
Bucket Naming Requirements.
Required: Yes
Type: String

1163
CloudTrail
S3KeyPrefix
Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for
log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is
200 characters.
Required: No
Type: String

SnsTopicName
Specifies the name of the Amazon SNS topic defined for notification of log file delivery. The
maximum length is 256 characters.
Required: No
Type: String

Tags
An arbitrary set of tags (key–value pairs) for this trail.
Required: No
Type: List of Tag

TrailName
Specifies the name of the trail or trail ARN. If Name is a trail name, the string must meet the
following requirements:
• Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
• Start with a letter or number, and end with a letter or number
• Be between 3 and 128 characters
• Have no adjacent periods, underscores or dashes. Names like my-_namespace and my--
namespace are invalid.
• Not be in IP address format (for example, 192.168.5.4)
If Name is a trail ARN, it must be in the format:
arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail
Required: No
Type: String
Return Values
Ref
name.

1164
CloudTrail
Fn::GetAtt
Arn
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN
of the CloudTrail trail, such as arn:aws:cloudtrail:us-east-2:123456789012:trail/
myCloudTrail.
SnsTopicArn
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN
of the Amazon SNS topic that's associated with the CloudTrail trail, such as arn:aws:sns:us-
east-2:123456789012:mySNSTopic.
Examples
Example
The following example creates a trail that logs events in all regions, an Amazon S3 bucket where logs are
published, and an SNS topic where notifications are sent. The bucket and topic policies allow CloudTrail
(from the specified regions) to publish logs to the S3 bucket and to send notifications to an email that
you specify. For information about CloudTrail bucket policies, see Amazon S3 Bucket Policy in the AWS
CloudTrail User Guide.
JSON
{
"Parameters": {
"OperatorEmail": {
"Description": "Email address to notify when new logs are published.",
"Type": "String"
}
},
"Resources": {
"S3Bucket": {
"Properties": {
}
},
"BucketPolicy": {
"Properties": {
"Bucket": {
"Ref": "S3Bucket"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",

1165
CloudTrail
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "S3Bucket"
}
]
]
}
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
},
"Action": "s3:PutObject",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "S3Bucket"
},
"/AWSLogs/",
{
"Ref": "AWS::AccountId"
},
"/*"
]
]
},
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
}
},
"Topic": {
"Properties": {
"Subscription": [
{
"Endpoint": {
"Ref": "OperatorEmail"
},
"Protocol": "email"
}
]
}
},
"TopicPolicy": {
"Type": "AWS::SNS::TopicPolicy",
"Properties": {
"Topics": [

1166
CloudTrail
{
"Ref": "Topic"
}
],
"PolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailSNSPolicy",
"Effect": "Allow",
"Principal": {
},
"Resource": "*",
"Action": "SNS:Publish"
}
]
}
}
},
"myTrail": {
"DependsOn": [
"BucketPolicy",
"TopicPolicy"
],
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"S3BucketName": {
"Ref": "S3Bucket"
},
"SnsTopicName": {
"Fn::GetAtt": [
"Topic",
"TopicName"
]
},
"IsLogging": true,
"IsMultiRegionTrail": true
}
}
}
}
YAML
Parameters:
OperatorEmail:
Description: "Email address to notify when new logs are published."
Type: String
Resources:
S3Bucket:
Properties: {}
BucketPolicy:
Properties:
Bucket:
Ref: S3Bucket
PolicyDocument:
Version: "2012-10-17"
Statement:
-

1167
CloudTrail
Sid: "AWSCloudTrailAclCheck"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "s3:GetBucketAcl"
Resource:
!Sub |-
arn:aws:s3:::${S3Bucket}
-
Sid: "AWSCloudTrailWrite"
Effect: "Allow"
Principal:
Action: "s3:PutObject"
Resource:
!Sub |-
arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
Condition:
StringEquals:
s3:x-amz-acl: "bucket-owner-full-control"
Topic:
Properties:
Subscription:
-
Endpoint:
Ref: OperatorEmail
Protocol: email
TopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
Topics:
- Ref: "Topic"
PolicyDocument:
Version: "2008-10-17"
Statement:
-
Sid: "AWSCloudTrailSNSPolicy"
Effect: "Allow"
Principal:
Resource: "*"
Action: "SNS:Publish"
myTrail:
DependsOn:
- BucketPolicy
- TopicPolicy
Type: AWS::CloudTrail::Trail
Properties:
S3BucketName:
Ref: S3Bucket
SnsTopicName:
Fn::GetAtt:
- Topic
- TopicName
IsLogging: true
IsMultiRegionTrail: true
AWS::CloudTrail::Trail DataResource
The Amazon S3 buckets or AWS Lambda functions that you specify in your event selectors for your trail
to log data events. Data events provide information about the resource operations performed on or
within a resource itself. These are also known as data plane operations. You can specify up to 250 data
resources for a trail.

1168
CloudTrail
Note
The total number of allowed data resources is 250. This number can be distributed between 1
and 5 event selectors, but the total cannot exceed 250 across all selectors.
The following example demonstrates how logging works when you configure logging of all data events
for an S3 bucket named bucket-1. In this example, the CloudTrail user specified an empty prefix, and
the option to log both Read and Write data events.
1. A user uploads an image file to bucket-1.

2. The PutObject API operation is an Amazon S3 object-level API. It is recorded as a data event in
CloudTrail. Because the CloudTrail user specified an S3 bucket with an empty prefix, events that occur
on any object in that bucket are logged. The trail processes and logs the event.
3. A user uploads an object to an Amazon S3 bucket named arn:aws:s3:::bucket-2.
4. The PutObject API operation occurred for an object in an S3 bucket that the CloudTrail user didn't
specify for the trail. The trail doesn’t log the event.
The following example demonstrates how logging works when you configure logging of AWS Lambda
data events for a Lambda function named MyLambdaFunction, but not for all AWS Lambda functions.
1. A user runs a script that includes a call to the MyLambdaFunction function and the
MyOtherLambdaFunction function.
2. The Invoke API operation on MyLambdaFunction is an AWS Lambda API. It is recorded as a data event
in CloudTrail. Because the CloudTrail user specified logging data events for MyLambdaFunction, any
invocations of that function are logged. The trail processes and logs the event.
3. The Invoke API operation on MyOtherLambdaFunction is an AWS Lambda API. Because the CloudTrail
user did not specify logging data events for all Lambda functions, the Invoke operation for
MyOtherLambdaFunction does not match the function specified for the trail. The trail doesn’t log the
event.
Syntax
JSON
{
"Type" : String,
}
YAML
Type: String
Values:
- String
Properties
Type
The resource type in which you want to log data events. You can specify AWS::S3::Object or
AWS::Lambda::Function resources.
Required: Yes

1169
CloudTrail
Type: String

Values
An array of Amazon Resource Name (ARN) strings or partial ARN strings for the specified objects.
• To log data events for all objects in all S3 buckets in your AWS account, specify the prefix as
arn:aws:s3:::.
Note
This will also enable logging of data event activity performed by any user or role in your
AWS account, even if that activity is performed on a bucket that belongs to another AWS
account.
• To log data events for all objects in an S3 bucket, specify the bucket and an empty object prefix
such as arn:aws:s3:::bucket-1/. The trail logs data events for all objects in this S3 bucket.
• To log data events for specific objects, specify the S3 bucket and object prefix such as
arn:aws:s3:::bucket-1/example-images. The trail logs data events for objects in this S3
bucket that match the prefix.
• To log data events for all functions in your AWS account, specify the prefix as arn:aws:lambda.
Note
This will also enable logging of Invoke activity performed by any user or role in your
AWS account, even if that activity is performed on a function that belongs to another
AWS account.
• To log data events for a specific Lambda function, specify the function ARN.
Note
Lambda function ARNs are exact. For example, if you specify a function ARN
arn:aws:lambda:us-west-2:111111111111:function:helloworld, data events will only be
logged for arn:aws:lambda:us-west-2:111111111111:function:helloworld. They will not be
logged for arn:aws:lambda:us-west-2:111111111111:function:helloworld2.
Required: No
AWS::CloudTrail::Trail EventSelector
Use event selectors to further specify the management and data event settings for your trail. By default,
trails created without specific event selectors will be configured to log all read and write management
events, and no data events. When an event occurs in your account, CloudTrail evaluates the event
selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs
the event. If the event doesn't match any event selector, the trail doesn't log the event.
You can configure up to five event selectors for a trail.
Syntax
JSON
{
"DataResources" : [ DataResource (p. 1168), ... ],
"IncludeManagementEvents" : Boolean,
"ReadWriteType" : String

1170
CloudWatch
YAML
DataResources:
- DataResource (p. 1168)
IncludeManagementEvents: Boolean
ReadWriteType: String
Properties
DataResources
CloudTrail supports data event logging for Amazon S3 objects and AWS Lambda functions. You can
specify up to 250 resources for an individual event selector, but the total number of data resources
cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure
resource logging for all data events.
For more information, see Data Events and Limits in AWS CloudTrail in the AWS CloudTrail User
Guide.
Required: No
Type: List of DataResource (p. 1168)

IncludeManagementEvents
Specify if you want your event selector to include management events for your trail.
For more information, see Management Events in the AWS CloudTrail User Guide.
By default, the value is true.
Required: No
Type: Boolean

ReadWriteType
Specify if you want your trail to log read-only events, write-only events, or all. For example, the EC2
GetConsoleOutput is a read-only API operation and RunInstances is a write-only API operation.
By default, the value is All.
Required: No
Type: String
Allowed Values: All | ReadOnly | WriteOnly
CloudWatch Resource Type Reference

Resource Types

1171
CloudWatch
• AWS::CloudWatch::Alarm (p. 1172)

• AWS::CloudWatch::AnomalyDetector (p. 1187)
• AWS::CloudWatch::Dashboard (p. 1192)
• AWS::CloudWatch::InsightRule (p. 1193)
AWS::CloudWatch::Alarm
The AWS::CloudWatch::Alarm type specifies an alarm and associates it with the specified metric or
metric math expression.
When this operation creates an alarm, the alarm state is immediately set to INSUFFICIENT_DATA. The
alarm is then evaluated and its state is set appropriately. Any actions associated with the new state are
then executed.
When you update an existing alarm, its state is left unchanged, but the update completely overwrites the
previous configuration of the alarm.
Syntax
JSON
{
"Type" : "AWS::CloudWatch::Alarm",
"Properties" : {
"ActionsEnabled" : Boolean,
"AlarmActions" : [ String, ... ],
"AlarmDescription" : String,
"AlarmName" : String,
"DatapointsToAlarm" : Integer,
"Dimensions" : [ Dimension (p. 1180), ... ],
"EvaluateLowSampleCountPercentile" : String,
"EvaluationPeriods" : Integer,
"ExtendedStatistic" : String,
"InsufficientDataActions" : [ String, ... ],
"Metrics" : [ MetricDataQuery (p. 1183), ... ],
"OKActions" : [ String, ... ],
"Period" : Integer,
"ThresholdMetricId" : String,
"TreatMissingData" : String,
"Unit" : String
}
}
YAML
Properties:
ActionsEnabled: Boolean
AlarmActions:
- String
AlarmDescription: String
AlarmName: String

1172
CloudWatch
DatapointsToAlarm: Integer
Dimensions:
- Dimension (p. 1180)
EvaluateLowSampleCountPercentile: String
EvaluationPeriods: Integer
ExtendedStatistic: String
InsufficientDataActions:
- String
MetricName: String
Metrics:
- MetricDataQuery (p. 1183)
Namespace: String
OKActions:
- String
Period: Integer
Statistic: String
Threshold: Double
ThresholdMetricId: String
TreatMissingData: String
Unit: String
Properties
ActionsEnabled
Indicates whether actions should be executed during any changes to the alarm state. The default is
TRUE.
Required: No
Type: Boolean

AlarmActions
The list of actions to execute when this alarm transitions into an ALARM state from any other state.
Specify each action as an Amazon Resource Name (ARN). For more information about creating
alarms and the actions that you can specify, see PutMetricAlarm in the Amazon CloudWatch API
Reference.
Required: No
Maximum: 5

AlarmDescription
The description of the alarm.
Required: No
Type: String
Minimum: 0
Maximum: 1024

1173
CloudWatch
AlarmName
The name of the alarm. If you don't specify a name, AWS CloudFormation generates a unique
physical ID and uses that ID for the alarm name.
Important
Required: No
Type: String
Minimum: 1
Maximum: 255

ComparisonOperator
The arithmetic operation to use when comparing the specified statistic and threshold. The specified
statistic value is used as the first operand.
You can specify the following values: GreaterThanThreshold,

GreaterThanOrEqualToThreshold, LessThanThreshold, or LessThanOrEqualToThreshold.
Required: Yes
Type: String
Allowed Values: GreaterThanOrEqualToThreshold | GreaterThanThreshold |

GreaterThanUpperThreshold | LessThanLowerOrGreaterThanUpperThreshold |
LessThanLowerThreshold | LessThanOrEqualToThreshold | LessThanThreshold

DatapointsToAlarm
The number of datapoints that must be breaching to trigger the alarm. This is used only if you are
setting an "M out of N" alarm. In that case, this value is the M. For more information, see Evaluating
an Alarm in the Amazon CloudWatch User Guide.
Required: No
Type: Integer
Minimum: 1

Dimensions
The dimensions for the metric associated with the alarm. For an alarm based on a math expression,
you can't specify Dimensions. Instead, you use Metrics.
Required: No
Type: List of Dimension (p. 1180)
Maximum: 10

1174
CloudWatch
EvaluateLowSampleCountPercentile
Used only for alarms based on percentiles. If ignore, the alarm state does not change during
periods with too few data points to be statistically significant. If evaluate or this parameter is not
used, the alarm is always evaluated and possibly changes state no matter how many data points are
available.
Required: No
Type: String
Minimum: 1
Maximum: 255

EvaluationPeriods
The number of periods over which data is compared to the specified threshold.
Required: Yes
Type: Integer
Minimum: 1

ExtendedStatistic
The percentile statistic for the metric associated with the alarm. Specify a value between p0.0 and
p100.
For an alarm based on a math expression, you can't specify ExtendedStatistic. Instead, you use
Metrics.
Required: No
Type: String
Pattern: p(\d{1,2}(\.\d{0,2})?|100)

InsufficientDataActions
The actions to execute when this alarm transitions to the INSUFFICIENT_DATA state from any
other state. Each action is specified as an Amazon Resource Name (ARN).
Required: No
Maximum: 5

MetricName
The name of the metric associated with the alarm. This is required for an alarm based on a
metric. For an alarm based on a math expression, you use Metrics instead and you can't specify
MetricName.

1175
CloudWatch
Required: No
Type: String
Minimum: 1
Maximum: 255

Metrics
An array that enables you to create an alarm based on the result of a metric math expression. Each
item in the array either retrieves a metric or performs a math expression.
If you specify the Metrics parameter, you cannot specify MetricName, Dimensions, Period,
Namespace, Statistic, or ExtendedStatistic.
Required: No
Type: List of MetricDataQuery (p. 1183)

Namespace
The namespace of the metric associated with the alarm. This is required for an alarm based on
a metric. For an alarm based on a math expression, you can't specify Namespace and you use
Metrics instead.
Required: No
Type: String
Minimum: 1
Maximum: 255
Pattern: [^:].*

OKActions
The actions to execute when this alarm transitions to the OK state from any other state. Each action
is specified as an Amazon Resource Name (ARN).
Required: No
Maximum: 5

Period
The period, in seconds, over which the statistic is applied. This is required for an alarm based on a
metric. For an alarm based on a math expression, you can't specify Period, and instead you use the
Metrics parameter.
Required: No

1176
CloudWatch
Type: Integer
Minimum: 1

Statistic
The statistic for the metric associated with the alarm, other than percentile. For percentile statistics,
use ExtendedStatistic.
For an alarm based on a math expression, you can't specify Statistic. Instead, you use Metrics.
Required: No
Type: String

Threshold
The value to compare with the specified statistic.
Required: No
Type: Double

ThresholdMetricId
In an alarm based on an anomaly detection model, this is the ID of the ANOMALY_DETECTION_BAND

function used as the threshold for the alarm.
Required: No
Type: String
Minimum: 1
Maximum: 255

TreatMissingData
Sets how this alarm is to handle missing data points. Valid values are breaching, notBreaching,
ignore, and missing. For more information, see Configuring How CloudWatch Alarms Treat
Missing Data in the Amazon CloudWatch User Guide.
If you omit this parameter, the default behavior of missing is used.
Required: No
Type: String
Minimum: 1
Maximum: 255

1177
CloudWatch
Unit
The unit of the metric associated with the alarm. You can specify the following values: Seconds,
Microseconds, Milliseconds, Bytes, Kilobytes, Megabytes, Gigabytes, Terabytes, Bits, Kilobits,
Megabits, Gigabits, Terabits, Percent, Count, Bytes/Second, Kilobytes/Second, Megabytes/Second,
Gigabytes/Second, Terabytes/Second, Bits/Second, Kilobits/Second, Megabits/Second, Gigabits/
Second, Terabits/Second, Count/Second, or None.
Required: No
Type: String
Allowed Values: Bits | Bits/Second | Bytes | Bytes/Second | Count | Count/Second

| Gigabits | Gigabits/Second | Gigabytes | Gigabytes/Second | Kilobits
| Kilobits/Second | Kilobytes | Kilobytes/Second | Megabits | Megabits/
Second | Megabytes | Megabytes/Second | Microseconds | Milliseconds | None
| Percent | Seconds | Terabits | Terabits/Second | Terabytes | Terabytes/
Second
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the alarm name,
such as TestAlarm.
Fn::GetAtt
Arn
The ARN of the CloudWatch alarm, such as arn:aws:cloudwatch:us-

west-2:123456789012:alarm:myCloudWatchAlarm-CPUAlarm-UXMMZK36R55Z.
Examples
Alarm Based on an Anomaly Detector
This example creates an alarm that is based on an anomaly detector.
JSON
"Resources": {
"LambdaInvocationsAnomalyDetector": {
"Type": "AWS::CloudWatch::AnomalyDetector",
"Properties": {
"MetricName": "Invocations",
"Namespace": "AWS/Lambda",
"Stat": "Sum"
}
},

1178
CloudWatch
"LambdaInvocationsAlarm": {
"Properties": {
"AlarmDescription": "Lambda invocations",
"AlarmName": "LambdaInvocationsAlarm",
"ComparisonOperator": "LessThanLowerOrGreaterThanUpperThreshold",
"EvaluationPeriods": 1,
"Metrics": [
{
"Expression": "ANOMALY_DETECTION_BAND(m1, 2)",
"Id": "ad1"
},
{
"Id": "m1",
"MetricStat": {
"Metric": {
"MetricName": "Invocations",
"Namespace": "AWS/Lambda"
},
"Period": 86400,
"Stat": "Sum"
}
}
],
"ThresholdMetricId": "ad1",
"TreatMissingData": "breaching"
}
}
}
YAML
Resources:
LambdaInvocationsAnomalyDetector:
Type: AWS::CloudWatch::AnomalyDetector
Properties:
MetricName: Invocations
Namespace: AWS/Lambda
Stat: Sum
LambdaInvocationsAlarm:
Properties:
AlarmDescription: Lambda invocations
AlarmName: LambdaInvocationsAlarm
ComparisonOperator: LessThanLowerOrGreaterThanUpperThreshold
EvaluationPeriods: 1
Metrics:
- Expression: ANOMALY_DETECTION_BAND(m1, 2)
Id: ad1
- Id: m1
MetricStat:
Metric:
MetricName: Invocations
Namespace: AWS/Lambda
Period: !!int 86400
Stat: Sum
ThresholdMetricId: ad1
TreatMissingData: breaching
See Also
• Amazon CloudWatch Template Snippets

1179
CloudWatch
AWS::CloudWatch::Alarm Dimension
Dimension is an embedded property of the AWS::CloudWatch::Alarm type. Dimensions are arbitrary
name/value pairs that can be associated with a CloudWatch metric. You can specify a maximum of 10
dimensions for a given metric.
Syntax
JSON
{
"Name" : String,
"Value" : String
}
YAML
Name: String
Value: String
Properties
Name
The name of the dimension, from 1–255 characters in length.
Required: Yes
Type: String
Minimum: 1
Maximum: 255

Value
The value for the dimension, from 1–255 characters in length.
Required: Yes
Type: String
Minimum: 1
Maximum: 255
Examples
Two CloudWatch alarms with dimension values supplied by the Ref function
The Ref and GetAtt intrinsic functions are often used to supply values for CloudWatch metric
dimensions. Here is an example using the Ref function.

1180
CloudWatch
JSON
{
"CPUAlarmHigh": {
"Properties": {
"AlarmDescription": "Scale-up if CPU is greater than 90% for 10 minutes",
"Period": "300",
"Threshold": "90",
"AlarmActions": [
{
"Ref": "WebServerScaleUpPolicy"
}
],
"Dimensions": [
{
"Value": {
"Ref": "WebServerGroup"
}
}
],
}
},
"CPUAlarmLow": {
"Properties": {
"AlarmDescription": "Scale-down if CPU is less than 70% for 10 minutes",
"Period": "300",
"Threshold": "70",
"AlarmActions": [
{
"Ref": "WebServerScaleDownPolicy"
}
],
"Dimensions": [
{
"Value": {
"Ref": "WebServerGroup"
}
}
],
"ComparisonOperator": "LessThanThreshold"
}
}
}
YAML
CPUAlarmHigh:
Type: 'AWS::CloudWatch::Alarm'
Properties:
AlarmDescription: Scale-up if CPU is greater than 90% for 10 minutes

1181
CloudWatch
Namespace: AWS/EC2
Statistic: Average
Period: '300'
Threshold: '90'
AlarmActions:
- !Ref WebServerScaleUpPolicy
Dimensions:
Value: !Ref WebServerGroup
CPUAlarmLow:
Properties:
AlarmDescription: Scale-down if CPU is less than 70% for 10 minutes
Namespace: AWS/EC2
Statistic: Average
Period: '300'
Threshold: '70'
AlarmActions:
- !Ref WebServerScaleDownPolicy
Dimensions:
Value: !Ref WebServerGroup
ComparisonOperator: LessThanThreshold
AWS::CloudWatch::Alarm Metric
The Metric property type represents a specific metric. Metric is a property of the MetricStat property
type.
Syntax
JSON
{
"Namespace" : String
}
YAML
Dimensions:
MetricName: String
Namespace: String
Properties
Dimensions
The dimensions for the metric.
Required: No

1182
CloudWatch
Maximum: 10

MetricName
The name of the metric. This is a required field.
Required: No
Type: String
Minimum: 1
Maximum: 255

Namespace
Required: No
Type: String
Minimum: 1
Maximum: 255
Pattern: [^:].*
AWS::CloudWatch::Alarm MetricDataQuery
The MetricDataQuery property type specifies the metric data to return, and whether this call is just
retrieving a batch set of data for one metric, or is performing a math expression on metric data.
Any expression used must return a single time series. For more information, see Metric Math Syntax and
Functions in the Amazon CloudWatch User Guide.
Syntax
JSON
{
"Expression" : String,
"Id" : String,
"Label" : String,
"MetricStat" : MetricStat (p. 1185),
"Period" : Integer,
"ReturnData" : Boolean
}
YAML
Expression: String

1183
CloudWatch
Id: String
Label: String
MetricStat:
MetricStat (p. 1185)
Period: Integer
ReturnData: Boolean
Properties
Expression
The math expression to be performed on the returned data, if this object is performing a math
expression. This expression can use the Id of the other metrics to refer to those metrics, and can
also use the Id of other expressions to use the result of those expressions. For more information
about metric math expressions, see Metric Math Syntax and Functions in the Amazon CloudWatch
User Guide.
Within each MetricDataQuery object, you must specify either Expression or MetricStat but not
both.
Required: No
Type: String
Minimum: 1
Maximum: 1024

Id
A short name used to tie this object to the results in the response. This name must be unique within
a single call to GetMetricData. If you are performing math expressions on this set of data, this
name represents that data and can serve as a variable in the mathematical expression. The valid
characters are letters, numbers, and underscore. The first character must be a lowercase letter.
Required: Yes
Type: String
Minimum: 1
Maximum: 255

Label
A human-readable label for this metric or expression. This is especially useful if this is an expression,
so that you know what the value represents. If the metric or expression is shown in a CloudWatch
dashboard widget, the label is shown. If Label is omitted, CloudWatch generates a default.
Required: No
Type: String

MetricStat
The metric to be returned, along with statistics, period, and units. Use this parameter only if this
object is retrieving a metric and not performing a math expression on returned data.

1184
CloudWatch
Within one MetricDataQuery object, you must specify either Expression or MetricStat but not
both.
Required: No
Type: MetricStat (p. 1185)

Period
The granularity, in seconds, of the returned data points. For metrics with regular resolution, a period
can be as short as one minute (60 seconds) and must be a multiple of 60. For high-resolution metrics
that are collected at intervals of less than one minute, the period can be 1, 5, 10, 30, 60, or any
multiple of 60. High-resolution metrics are those metrics stored by a PutMetricData operation
that includes a StorageResolution of 1 second.
If you are performing a GetMetricData operation, use this field only if you are specifying an
Expression. Do not use this field when you are specifying a MetricStat in a GetMetricData
operation.
Required: No
Type: Integer
Minimum: 1

ReturnData
This option indicates whether to return the timestamps and raw data values of this metric. If you are
performing this call just to do math expressions and do not also need the raw data returned, you can
specify False. If you omit this, the default of True is used.
Required: No
Type: Boolean
AWS::CloudWatch::Alarm MetricStat
This structure defines the metric to be returned, along with the statistics, period, and units.
MetricStat is a property of the MetricDataQuery property type.
Syntax
JSON
{
"Metric" : Metric (p. 1182),
"Period" : Integer,
"Stat" : String,
"Unit" : String
}

1185
CloudWatch
YAML
Metric:
Metric (p. 1182)
Period: Integer
Stat: String
Unit: String
Properties
Metric
The metric to return, including the metric name, namespace, and dimensions.
Required: Yes
Type: Metric (p. 1182)

Period
The granularity, in seconds, of the returned data points. For metrics with regular resolution, a period
can be as short as one minute (60 seconds) and must be a multiple of 60. For high-resolution metrics
that are collected at intervals of less than one minute, the period can be 1, 5, 10, 30, 60, or any
multiple of 60. High-resolution metrics are those metrics stored by a PutMetricData call that
includes a StorageResolution of 1 second.
If the StartTime parameter specifies a time stamp that is greater than 3 hours ago, you must
specify the period as follows or no data points in that time range is returned:
• Start time between 3 hours and 15 days ago - Use a multiple of 60 seconds (1 minute).
• Start time between 15 and 63 days ago - Use a multiple of 300 seconds (5 minutes).
• Start time greater than 63 days ago - Use a multiple of 3600 seconds (1 hour).
Required: Yes
Type: Integer
Minimum: 1

Stat
The statistic to return. It can include any CloudWatch statistic or extended statistic. For a list of valid
values, see the table in Statistics in the Amazon CloudWatch User Guide.
Required: Yes
Type: String

Unit
The unit to use for the returned data points.
Valid values are: Seconds, Microseconds, Milliseconds, Bytes, Kilobytes, Megabytes, Gigabytes,
Terabytes, Bits, Kilobits, Megabits, Gigabits, Terabits, Percent, Count, Bytes/Second, Kilobytes/
Second, Megabytes/Second, Gigabytes/Second, Terabytes/Second, Bits/Second, Kilobits/Second,
Megabits/Second, Gigabits/Second, Terabits/Second, Count/Second, or None.

1186
CloudWatch
Required: No
Type: String
Allowed Values: Bits | Bits/Second | Bytes | Bytes/Second | Count | Count/Second

| Gigabits | Gigabits/Second | Gigabytes | Gigabytes/Second | Kilobits
| Kilobits/Second | Kilobytes | Kilobytes/Second | Megabits | Megabits/
Second | Megabytes | Megabytes/Second | Microseconds | Milliseconds | None
| Percent | Seconds | Terabits | Terabits/Second | Terabytes | Terabytes/
Second
AWS::CloudWatch::AnomalyDetector
The AWS::CloudWatch::AnomalyDetector type specifies an anomaly detection band for a certain
metric and statistic. The band represents the expected "normal" range for the metric values. Anomaly
detection bands can be used for visualization of a metric's expected values, and for alarms.
Syntax
JSON
{
"Type" : "AWS::CloudWatch::AnomalyDetector",
"Properties" : {
"Configuration" : Configuration (p. 1189),
"Stat" : String
}
}
YAML
Properties:
Configuration:
Configuration (p. 1189)
Dimensions:
MetricName: String
Namespace: String
Stat: String
Properties
Configuration
Specifies details about how the anomaly detection model is to be trained, including time ranges to
exclude when training and updating the model. The configuration can also include the time zone to
use for the metric.
Required: No

1187
CloudWatch
Type: Configuration (p. 1189)

Dimensions
The dimensions of the metric associated with the anomaly detection band.
Required: No

MetricName
The name of the metric associated with the anomaly detection band.
Required: Yes
Type: String

Namespace
The namespace of the metric associated with the anomaly detection band.
Required: Yes
Type: String

Stat
The statistic of the metric associated with the anomaly detection band.
Required: Yes
Type: String
Examples
Anomaly Detector
This example creates an anomaly detector model for the metric named JvmMetric with the dimension
value of UsedMemory. It excludes a time range from the model training.
JSON
{
"Description": "AnomalyDetectorOnUsedMemory",
"Resources": {
"AnomalyDetectorOnUsedMemory": {
"Type": "AWS::CloudWatch::AnomalyDetector",
"Properties": {
"MetricName": "JvmMetric",
"Namespace": "AWSSDK/Java",
"Stat": "Average",

1188
CloudWatch
"Dimensions": [
{
"Name": "Memory",
"Value": "UsedMemory"
}
],
"Configuration": {
"MetricTimeZone": "UTC",
"ExcludedTimeRanges": [
{
"StartTime": "2019-07-01T00:00:00",
"EndTime": "2019-07-01T23:59:59"
}
]
}
}
}
}
}
YAML
Description: AnomalyDetectorOnUsedMemory
Resources:
AnomalyDetectorOnUsedMemory:
Properties:
MetricName: JvmMetric
Namespace: AWSSDK/Java
Stat: Average
Dimensions:
- Name: Memory
Value: UsedMemory
Configuration:
MetricTimeZone: UTC
ExcludedTimeRanges:
- StartTime: 2019-07-01T00:00:00
EndTime: 2019-07-01T23:59:59
AWS::CloudWatch::AnomalyDetector Configuration
Specifies details about how the anomaly detection model is to be trained, including time ranges to
exclude when training and updating the model. The configuration can also include the time zone to use
for the metric.
Syntax
JSON
{
"ExcludedTimeRanges" : [ Range (p. 1191), ... ],
"MetricTimeZone" : String
}
YAML
ExcludedTimeRanges:
- Range (p. 1191)

1189
CloudWatch
MetricTimeZone: String
Properties
ExcludedTimeRanges
Specifies an array of time ranges to exclude from use when the anomaly detection model is trained
and updated. Use this to make sure that events that could cause unusual values for the metric, such
as deployments, aren't used when CloudWatch creates or updates the model.
Required: No
Type: List of Range (p. 1191)

MetricTimeZone
The time zone to use for the metric. This is useful to enable the model to automatically account for
daylight savings time changes if the metric is sensitive to such time changes.
To specify a time zone, use the name of the time zone as specified in the standard tz database. For
more information, see tz database.
Required: No
Type: String
AWS::CloudWatch::AnomalyDetector Dimension
Expands the identity of a metric.
Syntax
JSON
{
"Name" : String,
"Value" : String
}
YAML
Name: String
Value: String
Properties
Name
Required: Yes
Type: String

1190
CloudWatch
Minimum: 1
Maximum: 255

Value
The value representing the dimension measurement.
Required: Yes
Type: String
Minimum: 1
Maximum: 255
AWS::CloudWatch::AnomalyDetector Range
Each Range specifies one range of days or times to exclude from use for training or updating an anomaly
detection model.
Syntax
JSON
{
"EndTime" : String,
"StartTime" : String
}
YAML
EndTime: String
StartTime: String
Properties
EndTime
The end time of the range to exclude. The format is yyyy-MM-dd'T'HH:mm:ss. For example,
2019-07-01T23:59:59.
Required: Yes
Type: String

StartTime
The start time of the range to exclude. The format is yyyy-MM-dd'T'HH:mm:ss. For example,
2019-07-01T23:59:59.
Required: Yes

1191
CloudWatch
Type: String
AWS::CloudWatch::Dashboard
The AWS::CloudWatch::Dashboard resource specifies an Amazon CloudWatch dashboard. A
dashboard is a customizable home page in the CloudWatch console that you can use to monitor your
AWS resources in a single view.
All dashboards in your account are global, not region-specific.
Syntax
JSON
{
"Type" : "AWS::CloudWatch::Dashboard",
"Properties" : {
"DashboardBody" : String,
"DashboardName" : String
}
}
YAML
Properties:
DashboardBody: String
DashboardName: String
Properties
DashboardBody
The detailed information about the dashboard in JSON format, including the widgets to include and
their location on the dashboard. This parameter is required.
For more information about the syntax, see Dashboard Body Structure and Syntax.
Required: Yes
Type: String

DashboardName
The name of the dashboard. The name must be between 1 and 255 characters. If you do not specify
a name, one will be generated automatically.
Required: No
Type: String

1192
CloudWatch
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the value of
DashboardName.
See Also
• Amazon CloudWatch Template Snippets
AWS::CloudWatch::InsightRule
Creates or updates a Contributor Insights rule. Rules evaluate log events in a CloudWatch Logs log group,
enabling you to find contributor data for the log events in that log group. For more information, see
Using Contributor Insights to Analyze High-Cardinality Data in the Amazon CloudWatch User Guide.
Syntax
JSON
{
"Type" : "AWS::CloudWatch::InsightRule",
"Properties" : {
"RuleBody" : String,
"RuleState" : String
}
}
YAML
Type: AWS::CloudWatch::InsightRule
Properties:
RuleBody: String
RuleName: String
RuleState: String
Properties
RuleBody
The definition of the rule, as a JSON object. For details about the syntax, see Contributor Insights
Rule Syntax in the Amazon CloudWatch User Guide.
Required: Yes
Type: String

RuleName
The name of the rule.

1193
CloudWatch Logs
Required: Yes
Type: String

RuleState
The current state of the rule.
Required: Yes
Type: String
Return Values
Ref
rule.
Fn::GetAtt
Arn
The ARN of the Contributor Insights rule, such as arn:aws:cloudwatch:us-

west-2:123456789012:insight-rule/MyInsightRuleName.
RuleName
The name of the Contributor Insights rule.
CloudWatch Logs Resource Type Reference

Resource Types
• AWS::Logs::Destination (p. 1194)

• AWS::Logs::LogGroup (p. 1197)
• AWS::Logs::LogStream (p. 1199)
• AWS::Logs::MetricFilter (p. 1201)
• AWS::Logs::SubscriptionFilter (p. 1204)
AWS::Logs::Destination
The AWS::Logs::Destination resource specifies a CloudWatch Logs destination. A destination encapsulates
a physical resource (such as an Amazon Kinesis data stream) and enables you to subscribe that resource
to a stream of log events.

1194
CloudWatch Logs
Syntax
JSON
{
"Type" : "AWS::Logs::Destination",
"Properties" : {
"DestinationName" : String,
"DestinationPolicy" : String,
"RoleArn" : String,
"TargetArn" : String
}
}
YAML
Type: AWS::Logs::Destination
Properties:
DestinationName: String
DestinationPolicy: String
RoleArn: String
TargetArn: String
Properties
DestinationName
The name of the destination.
Required: Yes
Type: String
Minimum: 1
Maximum: 512
Pattern: [^:*]*

DestinationPolicy
An IAM policy document that governs which AWS accounts can create subscription filters against this
destination.
Required: Yes
Type: String
Minimum: 1

RoleArn
The ARN of an IAM role that permits CloudWatch Logs to send data to the specified AWS resource.

1195
CloudWatch Logs
Required: Yes
Type: String
Minimum: 1

TargetArn
The Amazon Resource Name (ARN) of the physical target to where the log events are delivered (for
example, a Kinesis stream).
Required: Yes
Type: String
Minimum: 1
Return Values
Ref
name, such as TestDestination.
Fn::GetAtt
Arn
The ARN of the CloudWatch Logs destination, such as arn:aws:logs:us-

west-1:123456789012:destination:MyDestination.
Examples
Create a Destination
In the following example, the target stream (TestStream) can receive log events from the logger IAM
user that is in the account 234567890123. The user can call only the PutSubscriptionFilter action
against the TestDestination destination.
JSON
"DestinationWithName" : {
"Type" : "AWS::Logs::Destination",
"Properties" : {
"DestinationName": "TestDestination",

1196
CloudWatch Logs
"RoleArn": "arn:aws:iam::123456789012:role/LogKinesisRole",
"TargetArn": "arn:aws:kinesis:us-east-1:123456789012:stream/TestStream",
"DestinationPolicy": "{\"Version\" : \"2012-10-17\",\"Statement\" : [{\"Effect\" :
\"Allow\", \"Principal\" : {\"AWS\" : \"arn:aws:iam::234567890123:user/logger\"},
\"Action\" : \"logs:PutSubscriptionFilter\", \"Resource\" : \"arn:aws:logs:us-
east-1:123456789012:destination:TestDestination\"}]}"
}
}
YAML
DestinationWithName:
Type: AWS::Logs::Destination
Properties:
DestinationName: "TestDestination"
RoleArn: "arn:aws:iam::123456789012:role/LogKinesisRole"
TargetArn: "arn:aws:kinesis:us-east-1:123456789012:stream/TestStream"
DestinationPolicy: >
{"Version" : "2012-10-17","Statement" : [{"Effect" : "Allow", "Principal" : {"AWS" :
"arn:aws:iam::234567890123:user/logger"},"Action" : "logs:PutSubscriptionFilter",
"Resource" : "arn:aws:logs:us-east-1:123456789012:destination:TestDestination"}]}
AWS::Logs::LogGroup
The AWS::Logs::LogGroup resource specifies a log group. A log group defines common properties
for log streams, such as their retention and access control rules. Each log stream must belong to one log
group.
You can create up to 5000 log groups per account. You must use the following guidelines when naming a
log group:
• Log group names must be unique within a Region for an AWS account.
• Log group names can be between 1 and 512 characters long.
• Log group names consist of the following characters: a-z, A-Z, 0-9, '_' (underscore), '-' (hyphen),
'/' (forward slash), and '.' (period).
If you associate a AWS Key Management Service (AWS KMS) customer master key (CMK) with the log
group, ingested data is encrypted using the CMK. This association is stored as long as the data encrypted
with the CMK is still within Amazon CloudWatch Logs. This enables Amazon CloudWatch Logs to decrypt
this data whenever it is requested.
If you attempt to associate a CMK with the log group but the CMK doesn't exist or the CMK is disabled,
you will receive an InvalidParameterException error.
Syntax
JSON
{
"Type" : "AWS::Logs::LogGroup",
"Properties" : {
"RetentionInDays" : Integer
}
}

1197
CloudWatch Logs
YAML
Properties:
RetentionInDays: Integer
Properties
LogGroupName
The name of the log group. If you don't specify a name, AWS CloudFormation generates a unique ID
for the log group.
Required: No
Type: String
Minimum: 1
Maximum: 512
Pattern: [\.\-_/#A-Za-z0-9]+

RetentionInDays
The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7,
14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.
Required: No
Type: Integer
Return Values
Ref
name.
Fn::GetAtt
Arn
The ARN of the log group, such as arn:aws:logs:us-west-1:123456789012:log-group:/

mystack-testgroup-12ABC1AB12A1:*. .

1198
CloudWatch Logs
Examples
Create a Log Group
The following example creates a log group that retains events for 7 days.
JSON
"myLogGroup": {
"Properties": {
}
}
YAML
myLogGroup:
Properties:
RetentionInDays: 7
AWS::Logs::LogStream
The AWS::Logs::LogStream resource specifies an Amazon CloudWatch Logs log stream in a specific
log group. A log stream represents the sequence of events coming from an application instance or
resource that you are monitoring.
There is no limit on the number of log streams that you can create for a log group.
You must use the following guidelines when naming a log stream:
• Log stream names must be unique within the log group.

• Log stream names can be between 1 and 512 characters long.
• The ':' (colon) and '*' (asterisk) characters are not allowed.
Syntax
JSON
{
"Type" : "AWS::Logs::LogStream",
"Properties" : {
"LogStreamName" : String
}
}
YAML
Type: AWS::Logs::LogStream
Properties:

1199
CloudWatch Logs
LogStreamName: String
Properties
LogGroupName
The name of the log group where the log stream is created.
Required: Yes
Type: String
Minimum: 1
Maximum: 512
Pattern: [\.\-_/#A-Za-z0-9]+

LogStreamName
The name of the log stream. The name must be unique within the log group.
Required: No
Type: String
Minimum: 1
Maximum: 512
Pattern: [^:*]*
Return Values
Ref
name, such as MyAppLogStream.
Examples
Create a Log Stream
The following example creates a log stream named MyAppLogStream in the exampleLogGroup log
group.
JSON
"LogStream": {
"Type": "AWS::Logs::LogStream",
"Properties": {
"LogGroupName" : "exampleLogGroup",
"LogStreamName": "MyAppLogStream"
}

1200
CloudWatch Logs
YAML
LogStream:
Type: AWS::Logs::LogStream
Properties:
LogGroupName: "exampleLogGroup"
LogStreamName: "MyAppLogStream"
The AWS::Logs::MetricFilter resource specifies a metric filter that describes how CloudWatch Logs
extracts information from logs and transforms it into Amazon CloudWatch metrics. If you have multiple
metric filters that are associated with a log group, all the filters are applied to the log streams in that
group.
The maximum number of metric filters that can be associated with a log group is 100.
Syntax
JSON
{
"Type" : "AWS::Logs::MetricFilter",
"Properties" : {
"FilterPattern" : String,
"MetricTransformations" : [ MetricTransformation (p. 1203), ... ]
}
}
YAML
Properties:
FilterPattern: String
- MetricTransformation (p. 1203)
Properties
FilterPattern
A filter pattern for extracting metric data out of ingested log events.
Required: Yes
Type: String

LogGroupName
The name of an existing log group that you want to associate with this metric filter.

1201
CloudWatch Logs
Required: Yes
Type: String
Minimum: 1
Maximum: 512
Pattern: [\.\-_/#A-Za-z0-9]+

MetricTransformations
The metric transformations.
Required: Yes
Type: List of MetricTransformation (p. 1203)
Maximum: 1
Examples
Create a Metric Filter
The following example sends a value of 1 to the 404Count metric whenever the status code field
includes a 404 value.
JSON
"Properties": {
"LogGroupName": { "Ref": "myLogGroup" },
"FilterPattern": "[ip, identity, user_id, timestamp, request, status_code = 404,
size]",
{
"MetricValue": "1",
"MetricNamespace": "WebServer/404s",
"MetricName": "404Count"
}
]
}
}
YAML
404MetricFilter:
Properties:
LogGroupName:
Ref: "myLogGroup"
FilterPattern: "[ip, identity, user_id, timestamp, request, status_code = 404, size]"
-
MetricValue: "1"

1202
CloudWatch Logs
MetricNamespace: "WebServer/404s"
MetricName: "404Count"
AWS::Logs::MetricFilter MetricTransformation
MetricTransformation is a property of the AWS::Logs::MetricFilter resource that describes
how to transform log streams into a CloudWatch metric.
Syntax
JSON
{
"DefaultValue" : Double,
"MetricNamespace" : String,
"MetricValue" : String
}
YAML
DefaultValue: Double
MetricName: String
MetricNamespace: String
MetricValue: String
Properties
DefaultValue
(Optional) The value to emit when a filter pattern does not match a log event. This value can be null.
Required: No
Type: Double

MetricName
The name of the CloudWatch metric.
Required: Yes
Type: String

MetricNamespace
The namespace of the CloudWatch metric.
Required: Yes
Type: String
Maximum: 255

1203
CloudWatch Logs
Pattern: [^:*$]*

MetricValue
The value that is published to the CloudWatch metric. For example, if you're counting the
occurrences of a particular term like Error, specify 1 for the metric value. If you're counting the
number of bytes transferred, reference the value that is in the log event by using $ followed by the
name of the field that you specified in the filter pattern, such as $size.
Required: Yes
Type: String
The AWS::Logs::SubscriptionFilter resource specifies a subscription filter and associates it with
the specified log group. Subscription filters allow you to subscribe to a real-time stream of log events
and have them delivered to a specific destination. Currently, the supported destinations are:
• An Amazon Kinesis data stream belonging to the same account as the subscription filter, for same-
account delivery.
• A logical destination that belongs to a different account, for cross-account delivery.
• An Amazon Kinesis Firehose delivery stream that belongs to the same account as the subscription
filter, for same-account delivery.
• An AWS Lambda function that belongs to the same account as the subscription filter, for same-account
delivery.
There can only be one subscription filter associated with a log group.
Syntax
JSON
{
"Type" : "AWS::Logs::SubscriptionFilter",
"Properties" : {
"FilterPattern" : String,
"RoleArn" : String
}
}
YAML
Type: AWS::Logs::SubscriptionFilter
Properties:
FilterPattern: String
RoleArn: String

1204
CloudWatch Logs
Properties
DestinationArn
The Amazon Resource Name (ARN) of the destination.
Required: Yes
Type: String
Minimum: 1

FilterPattern
The filtering expressions that restrict what gets delivered to the destination AWS resource. For more
information about the filter pattern syntax, see Filter and Pattern Syntax.
Required: Yes
Type: String

LogGroupName
The log group to associate with the subscription filter. All log events that are uploaded to this log
group are filtered and delivered to the specified AWS resource if the filter pattern matches the log
events.
Required: Yes
Type: String
Minimum: 1
Maximum: 512
Pattern: [\.\-_/#A-Za-z0-9]+

RoleArn
The ARN of an IAM role that grants CloudWatch Logs permissions to deliver ingested log events to
the destination stream.
Required: No
Type: String
Minimum: 1
Return Values
Ref
name.

1205
Amazon EventBridge
Examples
Create a Subscription Filter
The following example sends log events that are associated with the Root user to a Kinesis data stream.
JSON
"SubscriptionFilter" : {
"Type" : "AWS::Logs::SubscriptionFilter",
"Properties" : {
"RoleArn" : { "Fn::GetAtt" : [ "CloudWatchIAMRole", "Arn" ] },
"LogGroupName" : { "Ref" : "LogGroup" },
"FilterPattern" : "{$.userIdentity.type = Root}",
"DestinationArn" : { "Fn::GetAtt" : [ "KinesisStream", "Arn" ] }
}
}
YAML
SubscriptionFilter:
Type: AWS::Logs::SubscriptionFilter
Properties:
RoleArn:
Fn::GetAtt:
- "CloudWatchIAMRole"
- "Arn"
LogGroupName:
Ref: "LogGroup"
FilterPattern: "{$.userIdentity.type = Root}"
DestinationArn:
Fn::GetAtt:
- "KinesisStream"
- "Arn"
Amazon EventBridge Resource Type Reference

Resource Types
• AWS::Events::EventBus (p. 1206)

• AWS::Events::EventBusPolicy (p. 1208)
• AWS::Events::Rule (p. 1213)
AWS::Events::EventBus
The AWS::Events::EventBus resource creates or updates a partner event bus or custom event bus.
Partner event buses can receive events from applications and services created by AWS SaaS partners. You
need to create a partner event bus for each partner event source that you want to receive events from.
Custom event buses can receive events from your own custom applications.
To review the limit for how many rules each event bus may have, see Service Limits.
Syntax

1206
Amazon EventBridge
JSON
{
"Type" : "AWS::Events::EventBus",
"Properties" : {
"EventSourceName" : String,
"Name" : String
}
}
YAML
Type: AWS::Events::EventBus
Properties:
EventSourceName: String
Name: String
Properties
EventSourceName
The name of the partner event source to associate with this event bus, if you are creating a partner
event bus.
Type: String

Name
The name of the event bus you are creating. The names of custom event buses can't contain the /
character. You can't use the name default for a custom event bus.
If you are creating a partner event bus, this name must exactly match the name of the partner event
source that this bus is matched to.
Required: Yes
Type: String
Return Values
Ref
The name of the new event bus.
Fn::GetAtt
The ARN of the task definition to use. If no task revision is supplied, it defaults to the most recent
revision at the time of resource creation.
Arn
The ARN of the event bus, such as arn:aws:events:us-east-2:123456789012:event-bus/

aws.partner/PartnerName/acct1/repo1.

1207
Amazon EventBridge
Name
The name of the event bus, such as PartnerName/acct1/repo1.

Policy
The policy for the event bus in JSON form.
Examples
Create a partner event bus
The following example creates a partner event bus named aws.partner/PartnerName/acct1/

repo1.
JSON
"SamplePartnerEventBus": {
"Type": "AWS::Events::EventBus",
"Properties": {
"EventSourceName": "aws.partner/PartnerName/acct1/repo1",
"Name": "aws.partner/PartnerName/acct1/repo1"
}
}
YAML
SamplePartnerEventBus:
Properties:
EventSourceName: "aws.partner/PartnerName/acct1/repo1"
Name: "aws.partner/PartnerName/acct1/repo1"
Create a custom event bus
The following example creates a custom event bus named MyCustomEventBus.
JSON
"SampleCustomEventBus": {
"Type": "AWS::Events::EventBus",
"Properties": {
"Name": "aws.partner/PartnerName/acct1/repo1"
}
}
YAML
SampleCustomEventBus:
Properties:
Name: "aws.partner/PartnerName/acct1/repo1"
AWS::Events::EventBusPolicy
The AWS::Events::EventBusPolicy resource creates an event bus policy for Amazon EventBridge.
An event bus policy enables your account to receive events from other AWS accounts. These events can

1208
Amazon EventBridge
trigger EventBridge rules created in your account. For more information, see Sending and Receiving
Events Between AWS Accounts in the Amazon EventBridge User Guide.
If you grant permissions using Condition and specifying an organization, then accounts in that
organization must specify a RoleArn with proper permissions when they use PutTarget to add your
account's event bus as a target.
The permission policy on the default event bus can't exceed 10 KB in size.
Syntax
JSON
{
"Type" : "AWS::Events::EventBusPolicy",
"Properties" : {
"Action" : String,
"Condition" : Condition (p. 1212),
"EventBusName" : String,
"Principal" : String,
"StatementId" : String
}
}
YAML
Type: AWS::Events::EventBusPolicy
Properties:
Action: String
Condition:
Condition (p. 1212)
EventBusName: String
Principal: String
StatementId: String
Properties
Action
The action that you're enabling the other account to perform. Currently, this must be
events:PutEvents.
Required: Yes
Type: String
Minimum: 1
Maximum: 64
Pattern: events:[a-zA-Z]+

Condition
Condition is a JSON string that you can use to limit the event bus permissions that you're granting
only to accounts that fulfill the condition. Currently, the only supported condition is membership

1209
Amazon EventBridge
in a certain AWS organization. For more information about AWS Organizations, see What Is AWS
Organizations? in the AWS Organizations User Guide.
Condition is a property of the AWS::Events::EventBusPolicy resource type.
If you specify Condition with an AWS organization ID and specify "*" as the value for Principal,
you grant permission to all the accounts in the named organization.
Required: No
Type: Condition (p. 1212)

EventBusName
The name of the event bus to associate with this policy.
Required: No
Type: String

Principal
The 12-digit AWS account ID that you are permitting to put events to your default event bus. Specify
"*" to permit any account to put events to your default event bus.
If you specify "*" without specifying Condition, avoid creating rules that might match undesirable
events. To create more secure rules, make sure that the event pattern for each rule contains an
account field with a specific account ID to receive events from. Rules that have an account field
match events sent only from accounts that are listed in the rule's account field.
Required: Yes
Type: String
Minimum: 1
Maximum: 12
Pattern: (\d{12}|\*)

StatementId
An identifier string for the external account that you're granting permissions to. If you later want to
revoke the permission for this external account, you must specify this StatementId.
Required: Yes
Type: String
Minimum: 1
Maximum: 64
Pattern: [a-zA-Z0-9-_]+

1210
Amazon EventBridge
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the event bus
policy ID, such as EventBusPolicy-1aBCdeFGh2J3.
Examples
Grant Permission to One Account
The following example grants permission to one AWS account with an account ID of 111122223333.
JSON
"SampleEventBusPolicy": {
"Type": "AWS::Events::EventBusPolicy",
"Properties": {
"Action": "events:PutEvents",
"Principal": "111122223333",
"StatementId": "MyStatement"
}
}
YAML
SampleEventBusPolicy:
Properties:
Action: "events:PutEvents"
Principal: "111122223333"
StatementId: "MyStatement"
Grant Permission to an Organization

The following example grants permission to all AWS accounts in the organization with an organization ID
of o-1234567890.
JSON
"SampleEventBusPolicy": {
"Type": "AWS::Events::EventBusPolicy",
"Properties": {
"Action": "events:PutEvents",
"Principal": "*",
"StatementId": "MyStatement",
"Condition": {
"Type": "StringEquals",
"Key": "aws:PrincipalOrgID",
"Value": "o-1234567890"
}
}
}
YAML
SampleEventBusPolicy:

1211
Amazon EventBridge
Properties:
Action: "events:PutEvents"
Principal: "*"
StatementId: "MyStatement"
Condition:
Type: "StringEquals"
Key: "aws:PrincipalOrgID"
Value: "o-1234567890"
AWS::Events::EventBusPolicy Condition
A JSON string that you can use to limit the event bus permissions that you're granting to only accounts
that fulfill the condition. Currently, the only supported condition is membership in a certain AWS
organization. The string must contain Type, Key, and Value fields. The Value field specifies the ID of
the AWS organization. The following is an example value for Condition:
'{"Type" : "StringEquals", "Key": "aws:PrincipalOrgID", "Value":

"o-1234567890"}'
Syntax
JSON
{
"Key" : String,
"Type" : String,
"Value" : String
}
YAML
Key: String
Type: String
Value: String
Properties
Key
The key for the condition. Currently, the only supported key is aws:PrincipalOrgID.
Required: No
Type: String

Type
The type of condition. Currently, the only supported value is StringEquals.
Required: No
Type: String

Value
The value for the key. Currently, this must be the ID of the organization.

1212
Amazon EventBridge
Required: No
Type: String
AWS::Events::Rule
The AWS::Events::Rule resource creates a rule that matches incoming events and routes them to one
or more targets for processing. For more information, see What Is Amazon Eventbridge?.
A rule must contain at least an EventPattern or ScheduleExpression. Rules with EventPattern

are triggered when a matching event is observed. Rules with ScheduleExpression self-trigger based
on the given schedule. A rule can have both an EventPattern and a ScheduleExpression, in which
case the rule triggers on matching events as well as on a schedule.
Most services in AWS treat : or / as the same character in Amazon Resource Names (ARNs). However,
EventBridge uses an exact match in event patterns and rules. Be sure to use the correct ARN characters
when creating event patterns so that they match the ARN syntax in the event that you want to match.
Syntax
JSON
{
"Type" : "AWS::Events::Rule",
"Properties" : {
"EventBusName" : String,
"EventPattern" : Json,
"Name" : String,
"RoleArn" : String,
"ScheduleExpression" : String,
"State" : String,
"Targets" : [ Target (p. 1229), ... ]
}
}
YAML
Type: AWS::Events::Rule
Properties:
Description: String
EventBusName: String
EventPattern: Json
Name: String
RoleArn: String
State: String
Targets:
- Target (p. 1229)
Properties
Description
The description of the rule.

1213
Amazon EventBridge
Required: No
Type: String
Maximum: 512

EventBusName
The event bus to associate with this rule. If you omit this, the default event bus is used.
Required: No
Type: String
Minimum: 1
Maximum: 256
Pattern: [/\.\-_A-Za-z0-9]+

EventPattern
Describes which events are routed to the specified target. For more information, see Events and
Event Patterns in EventBridge in the Amazon EventBridge User Guide.
When using CloudFormation, you must enclose each part of the event pattern in square brackets, as
follows:
"EventPattern": { "source": [ "aws.ec2" ], "detail-type": [ "EC2 Instance

State-change Notification" ] }
A rule must contain either EventPattern or ScheduleExpression.
Type: Json

Name
The name of the rule. If you don't specify a name, AWS CloudFormation generates a unique physical
ID and uses that ID for the rule name.
Important
If you specify a name, you can't perform updates that require replacement of this resource.
You can perform updates that require no or some interruption. If you must replace the
resource, specify a new name.
Required: No
Type: String
Minimum: 1
Maximum: 64
Pattern: [\.\-_A-Za-z0-9]+

1214
Amazon EventBridge

RoleArn
The Amazon Resource Name (ARN) of the role that is used for target invocation.
If you're setting an event bus in another account as the target and that account granted permission
to your account through an organization instead of directly by the account ID, you must specify a
RoleArn with proper permissions in the Target structure, instead of here in this parameter.
Required: No
Type: String
Minimum: 1
Maximum: 1600

ScheduleExpression
The scheduling expression that determines when and how often the rule runs. For more information,
see Schedule Expressions for Rules.
A rule must contain either ScheduleExpression or EventPattern.
Type: String
Maximum: 256

State
Indicates whether the rule is enabled.
Required: No
Type: String

Targets
The AWS resources that are invoked when the rule is triggered. For information about valid targets,
see PutTargets.
If you're setting the event bus of another account as the target and that account granted permission
RoleArn with proper permissions in the Target structure. For more information, see Sending and
Receiving Events Between AWS Accounts in the Amazon EventBridge User Guide.
Required: No
Type: List of Target (p. 1229)

1215
Amazon EventBridge
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns event rule ID, such
as mystack-ScheduledRule-ABCDEFGHIJK.
Fn::GetAtt
Arn
The ARN of the rule, such as arn:aws:events:us-east-2:123456789012:rule/example.
Examples
Regularly Invoke Lambda Function
The following example creates a rule that invokes the specified Lambda function every 10 minutes.
The PermissionForEventsToInvokeLambda resource grants EventBridge permission to invoke the
associated function.
JSON
"ScheduledRule": {
"Type": "AWS::Events::Rule",
"Properties": {
"Description": "ScheduledRule",
"ScheduleExpression": "rate(10 minutes)",
"State": "ENABLED",
"Targets": [{
"Arn": { "Fn::GetAtt": ["LambdaFunction", "Arn"] },
"Id": "TargetFunctionV1"
}]
}
},
"PermissionForEventsToInvokeLambda": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"FunctionName": { "Ref": "LambdaFunction" },
"Action": "lambda:InvokeFunction",
"Principal": "events.amazonaws.com",
"SourceArn": { "Fn::GetAtt": ["ScheduledRule", "Arn"] }
}
}
YAML
ScheduledRule:
Properties:
Description: "ScheduledRule"
ScheduleExpression: "rate(10 minutes)"
State: "ENABLED"
Targets:
-
Arn:
Fn::GetAtt:

1216
Amazon EventBridge
- "LambdaFunction"
- "Arn"
Id: "TargetFunctionV1"
PermissionForEventsToInvokeLambda:
Type: AWS::Lambda::Permission
Properties:
FunctionName:
Ref: "LambdaFunction"
Action: "lambda:InvokeFunction"
Principal: "events.amazonaws.com"
SourceArn:
Fn::GetAtt:
- "ScheduledRule"
- "Arn"
Invoke Lambda Function in Response to an Event
The following example creates a rule that invokes the specified Lambda function when any EC2
instance's state changes to stopping.
JSON
"EventRule": {
"Properties": {
"Description": "EventRule",
"EventPattern": {
"source": [
"aws.ec2"
],
"detail-type": [
"EC2 Instance State-change Notification"
],
"detail": {
"state": [
"stopping"
]
}
},
"State": "ENABLED",
"Targets": [{
"Arn": { "Fn::GetAtt": ["LambdaFunction", "Arn"] },
"Id": "TargetFunctionV1"
}]
}
},
"PermissionForEventsToInvokeLambda": {
"Properties": {
"FunctionName": { "Ref": "LambdaFunction" },
"Principal": "events.amazonaws.com",
"SourceArn": { "Fn::GetAtt": ["EventRule", "Arn"] }
}
}
YAML
EventRule:
Properties:
Description: "EventRule"
EventPattern:

1217
Amazon EventBridge
source:
- "aws.ec2"
detail-type:
- "EC2 Instance State-change Notification"
detail:
state:
- "stopping"
State: "ENABLED"
Targets:
-
Arn:
Fn::GetAtt:
- "LambdaFunction"
- "Arn"
Id: "TargetFunctionV1"
PermissionForEventsToInvokeLambda:
Properties:
FunctionName:
Ref: "LambdaFunction"
Principal: "events.amazonaws.com"
SourceArn:
Fn::GetAtt:
- "EventRule"
- "Arn"
Notify a Topic in Response to a Log Entry
The following example creates a rule that notifies an Amazon Simple Notification Service topic if an AWS
CloudTrail log entry contains a call by the Root user. The EventTopicPolicy resource grants Amazon
EventBridge permission to notify the associated Amazon SNS topic.
JSON
"OpsEventRule": {
"Properties": {
"Description": "EventRule",
"EventPattern": {
"detail-type": [ "AWS API Call via CloudTrail" ],
"detail": {
"userIdentity": {
"type": [ "Root" ]
}
}
},
"State": "ENABLED",
"Targets": [
{
"Arn": { "Ref": "MySNSTopic" },
"Id": "OpsTopic"
}
]
}
}
"EventTopicPolicy": {
"Type": "AWS::SNS::TopicPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "events.amazonaws.com" },

1218
Amazon EventBridge
"Action": "sns:Publish",
"Resource": "*"
}
]
},
"Topics": [ { "Ref": "MySNSTopic" } ]
}
}
YAML
OpsEventRule:
Properties:
Description: "EventRule"
EventPattern:
detail-type:
- "AWS API Call via CloudTrail"
detail:
userIdentity:
type:
- "Root"
State: "ENABLED"
Targets:
-
Arn:
Ref: "MySNSTopic"
Id: "OpsTopic"
EventTopicPolicy:
Type: 'AWS::SNS::TopicPolicy'
Properties:
PolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: events.amazonaws.com
Action: 'sns:Publish'
Resource: '*'
Topics:
- !Ref MySNSTopic
AWS::Events::Rule AwsVpcConfiguration
This structure specifies the VPC subnets and security groups for the task and whether a public IP address
is to be used. This structure is relevant only for ECS tasks that use the awsvpc network mode.
Syntax
JSON
{
"AssignPublicIp" : String,
"Subnets" : [ String, ... ]
}
YAML
AssignPublicIp: String

1219
Amazon EventBridge
SecurityGroups:
- String
Subnets:
- String
Properties
AssignPublicIp
Specifies whether the task's elastic network interface receives a public IP address. You can specify
ENABLED only when LaunchType in EcsParameters is set to FARGATE.
Required: No
Type: String

SecurityGroups
Specifies the security groups associated with the task. These security groups must all be in the
same VPC. You can specify as many as five security groups. If you don't specify a security group, the
default security group for the VPC is used.
Required: No

Subnets
Specifies the subnets associated with the task. These subnets must all be in the same VPC. You can
specify as many as 16 subnets.
Required: Yes
See Also
• AwsVpcConfiguration
AWS::Events::Rule BatchArrayProperties
The array properties for the submitted job, such as the size of the array. The array size can be between 2
and 10,000. If you specify array properties for a job, it becomes an array job. This parameter is used only
if the target is an AWS Batch job.
Syntax
JSON

1220
Amazon EventBridge
"Size" : Integer
}
YAML
Size: Integer
Properties
Size
The size of the array, if this is an array batch job. Valid values are integers between 2 and 10,000.
Required: No
Type: Integer
AWS::Events::Rule BatchParameters
The custom parameters to be used when the target is an AWS Batch job.
Syntax
JSON
{
"ArrayProperties" : BatchArrayProperties (p. 1220),
"JobDefinition" : String,
"JobName" : String,
"RetryStrategy" : BatchRetryStrategy (p. 1222)
}
YAML
ArrayProperties:
BatchArrayProperties (p. 1220)
JobDefinition: String
JobName: String
RetryStrategy:
BatchRetryStrategy (p. 1222)
Properties
ArrayProperties
The array properties for the submitted job, such as the size of the array. The array size can be
between 2 and 10,000. If you specify array properties for a job, it becomes an array job. This
parameter is used only if the target is an AWS Batch job.
Required: No
Type: BatchArrayProperties (p. 1220)

1221
Amazon EventBridge
JobDefinition
The ARN or name of the job definition to use if the event target is an AWS Batch job. This job
definition must already exist.
Required: Yes
Type: String

JobName
The name to use for this execution of the job, if the target is an AWS Batch job.
Required: Yes
Type: String

RetryStrategy
The retry strategy to use for failed jobs if the target is an AWS Batch job. The retry strategy is the
number of times to retry the failed job execution. Valid values are 1–10. When you specify a retry
strategy here, it overrides the retry strategy defined in the job definition.
Required: No
Type: BatchRetryStrategy (p. 1222)
AWS::Events::Rule BatchRetryStrategy
The retry strategy to use for failed jobs if the target is an AWS Batch job. If you specify a retry strategy
here, it overrides the retry strategy defined in the job definition.
Syntax
JSON
{
"Attempts" : Integer
}
YAML
Attempts: Integer
Properties
Attempts
The number of times to attempt to retry, if the job fails. Valid values are 1–10.
Required: No
Type: Integer

1222
Amazon EventBridge
AWS::Events::Rule EcsParameters
The EcsParameters property type specifies custom parameters to be used when the target is an
Amazon ECS task.
EcsParameters is a property of the Target property type.
Syntax
JSON
{
"Group" : String,
"LaunchType" : String,
"NetworkConfiguration" : NetworkConfiguration (p. 1226),
"PlatformVersion" : String,
"TaskCount" : Integer,
"TaskDefinitionArn" : String
}
YAML
Group: String
LaunchType: String
NetworkConfiguration:
NetworkConfiguration (p. 1226)
PlatformVersion: String
TaskCount: Integer
TaskDefinitionArn: String
Properties
Group
Specifies an ECS task group for the task. The maximum length is 255 characters. For more
information, see Task Groups.
Required: No
Type: String

LaunchType
Specifies the launch type on which your task is running. The launch type that you specify here must
match one of the launch type (compatibilities) of the target task. The FARGATE value is supported
only in the Regions where AWS Fargate with Amazon ECS is supported. For more information, see
AWS Fargate on Amazon ECS in the Amazon Elastic Container Service Developer Guide.
Required: No
Type: String
Allowed Values: EC2 | FARGATE

1223
Amazon EventBridge
NetworkConfiguration
Use this structure if the ECS task uses the awsvpc network mode. This structure specifies the VPC
subnets and security groups associated with the task and whether a public IP address is to be used.
This structure is required if LaunchType is FARGATE because the awsvpc mode is required for
Fargate tasks.
If you specify NetworkConfiguration when the target ECS task doesn't use the awsvpc network
mode, the task fails.
Required: No
Type: NetworkConfiguration (p. 1226)

PlatformVersion
Specifies the platform version for the task. Specify only the numeric portion of the platform version,
such as 1.1.0. If you omit this, the latest platform version is used.
This structure is used only if LaunchType is FARGATE. For more information about valid platform
versions, see AWS Fargate Platform Versions in the Amazon Elastic Container Service Developer Guide.
Required: No
Type: String

TaskCount
The number of tasks to create based on TaskDefinition. The default is 1.
Required: No
Type: Integer
Minimum: 1

TaskDefinitionArn
The ARN of the task definition to use. If no task revision is supplied, it defaults to the most recent
revision at the time of resource creation.
Required: Yes
Type: String
Minimum: 1
Maximum: 1600
AWS::Events::Rule InputTransformer
The InputTransformer property type specifies settings that provide custom input to an EventBridge
target based on certain event data.
InputTransformer is a property of the Target property type.

1224
Amazon EventBridge
Syntax
JSON
{
"InputPathsMap" : {Key : Value, ...},
"InputTemplate" : String
}
YAML
InputPathsMap:
Key : Value
InputTemplate: String
Properties
InputPathsMap
Map of JSON paths to be extracted from the event. You can then insert these in the template in
InputTemplate to produce the output to be sent to the target.
InputPathsMap is an array key-value pairs, where each value is a valid JSON path. You can have as
many as 10 key-value pairs. You must use JSON dot notation, not bracket notation.
The keys can't start with "AWS".
Required: No
Type: Map of String

InputTemplate
Input template where you specify placeholders that will be filled with the values of the keys from
InputPathsMap to customize the data sent to the target. Enclose each InputPathsMaps value in
brackets: <value> The InputTemplate must be valid JSON.
Required: Yes
Type: String
Minimum: 1
Maximum: 8192
AWS::Events::Rule KinesisParameters
The KinesisParameters property type specifies settings that control shard assignment for a Kinesis
data stream target.
KinesisParameters is a property of the Target property type.
This object enables you to specify a JSON path to extract from the event and use as the partition key for
the Amazon Kinesis data stream, so that you can control the shard that the event goes to. If you don't
include this parameter, the default is to use the eventId as the partition key.

1225
Amazon EventBridge
Syntax
JSON
{
"PartitionKeyPath" : String
}
YAML
PartitionKeyPath: String
Properties
PartitionKeyPath
The JSON path to be extracted from the event and used as the partition key. For more information,
see Partition Key in the Amazon Kinesis Data Streams Developer Guide.
Required: Yes
Type: String
Maximum: 256
AWS::Events::Rule NetworkConfiguration
This structure specifies the network configuration for an ECS task.
Syntax
JSON
{
"AwsVpcConfiguration" : AwsVpcConfiguration (p. 1219)
}
YAML
AwsVpcConfiguration:
AwsVpcConfiguration (p. 1219)
Properties
AwsVpcConfiguration
Use this structure to specify the VPC subnets and security groups for the task and whether a public
IP address is to be used. This structure is relevant only for ECS tasks that use the awsvpc network
mode.
Required: No

1226
Amazon EventBridge
Type: AwsVpcConfiguration (p. 1219)
See Also
• NetworkConfiguration
AWS::Events::Rule RunCommandParameters
The RunCommandParameters property type specifies the parameters to use when a rule invokes the
AWS Systems Manager Run Command.
RunCommandParameters is a property of the Target property type.
This parameter contains the criteria (either InstanceIds or a tag) used to specify which EC2 instances are
to be sent the command.
Syntax
JSON
{
"RunCommandTargets" : [ RunCommandTarget (p. 1227), ... ]
}
YAML
RunCommandTargets:
- RunCommandTarget (p. 1227)
Properties
RunCommandTargets
The criteria (either InstanceIds or a tag) that specifies which EC2 instances the command is sent to.
Note
Currently, you can include only one RunCommandTarget block, which specifies a list of
InstanceIds or a tag.
Required: Yes
Type: List of RunCommandTarget (p. 1227)
Maximum: 5
AWS::Events::Rule RunCommandTarget
The RunCommandTarget property type specifies information about the Amazon EC2 instances that the
Run Command is sent to. A RunCommandTarget block can include only one key, but the key can specify
multiple values.

1227
Amazon EventBridge
RunCommandTarget is a property of the RunCommandParameters property type.
Information about the EC2 instances that are to be sent the command, specified as key-value pairs. Each
RunCommandTarget block can include only one key, but this key may specify multiple values.
Syntax
JSON
{
"Key" : String,
}
YAML
Key: String
Values:
- String
Properties
Key
Can be either tag: tag-key or InstanceIds.
Required: Yes
Type: String
Minimum: 1
Maximum: 128
Pattern: ^[\p{L}\p{Z}\p{N}_.:/=+\-@]*$

Values
If Key is tag: tag-key, Values is a list of tag values. If Key is InstanceIds, Values is a list of
Amazon EC2 instance IDs.
Required: Yes
Maximum: 50
AWS::Events::Rule SqsParameters
The SqsParameters property type specifies the custom parameter to be used when the target is an
Amazon SQS FIFO queue.
SqsParameters is a property of the Target property type.

1228
Amazon EventBridge
Syntax
JSON
{
"MessageGroupId" : String
}
YAML
MessageGroupId: String
Properties
MessageGroupId
The FIFO message group ID to use as the target.
Required: Yes
Type: String
AWS::Events::Rule Target
The Target property type specifies a target, such as an AWS Lambda function or an Amazon Kinesis
data stream, that EventBridge invokes when a rule is triggered.
The Targets property of the AWS::Events::Rule resource contains a list of one or more Target property
types.
Syntax
JSON
{
"Arn" : String,
"BatchParameters" : BatchParameters (p. 1221),
"EcsParameters" : EcsParameters (p. 1223),
"Id" : String,
"Input" : String,
"InputPath" : String,
"InputTransformer" : InputTransformer (p. 1224),
"KinesisParameters" : KinesisParameters (p. 1225),
"RoleArn" : String,
"RunCommandParameters" : RunCommandParameters (p. 1227),
"SqsParameters" : SqsParameters (p. 1228)
}
YAML
Arn: String

1229
Amazon EventBridge
BatchParameters:
BatchParameters (p. 1221)
EcsParameters:
EcsParameters (p. 1223)
Id: String
Input: String
InputPath: String
InputTransformer:
InputTransformer (p. 1224)
KinesisParameters:
KinesisParameters (p. 1225)
RoleArn: String
RunCommandParameters:
RunCommandParameters (p. 1227)
SqsParameters:
SqsParameters (p. 1228)
Properties
Arn
The Amazon Resource Name (ARN) of the target.
Required: Yes
Type: String
Minimum: 1
Maximum: 1600

BatchParameters
If the event target is an AWS Batch job, this contains the job definition, job name, and other
parameters. For more information, see Jobs in the AWS Batch User Guide.
Required: No
Type: BatchParameters (p. 1221)

EcsParameters
Contains the Amazon ECS task definition and task count to be used if the event target is an Amazon
ECS task. For more information about Amazon ECS tasks, see Task Definitions in the Amazon EC2
Container Service Developer Guide.
Required: No
Type: EcsParameters (p. 1223)

Id
A name for the target. Use a string that will help you identify the target. Each target associated with
a rule must have an Id unique for that rule.
The Id can include alphanumeric characters, periods (.), hyphens (-), and underscores (_).
Required: Yes

1230
Amazon EventBridge
Type: String
Minimum: 1
Maximum: 64
Pattern: [\.\-_A-Za-z0-9]+

Input
Valid JSON text passed to the target. If you use this property, nothing from the event text itself is
passed to the target.
Required: No
Type: String
Maximum: 8192

InputPath
When you don't want to pass the entire matched event, InputPath describes which part of the
event to pass to the target.
Required: No
Type: String
Maximum: 256

InputTransformer
Settings to enable you to provide custom input to a target based on certain event data. You can
extract one or more key-value pairs from the event and then use that data to send customized input
to the target.
Required: No
Type: InputTransformer (p. 1224)

KinesisParameters
The custom parameter that you can use to control the shard assignment when the target is a Kinesis
data stream. If you don't include this parameter, the default is to use the eventId as the partition
key.
Required: No
Type: KinesisParameters (p. 1225)

RoleArn
The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is
triggered. If one rule triggers multiple targets, you can use a different IAM role for each target.

1231
Amazon EventBridge
If you're setting an event bus in another account as the target and that account granted permission
RoleArn with proper permissions here in this parameter.
Required: No
Type: String
Minimum: 1
Maximum: 1600

RunCommandParameters
Parameters used when you are using the rule to invoke Amazon EC2 Run Command.
Required: No
Type: RunCommandParameters (p. 1227)

SqsParameters
Contains the message group ID to use when the target is a FIFO queue.
If you specify an SQS FIFO queue as a target, the queue must have content-based deduplication
enabled.
Required: No
Type: SqsParameters (p. 1228)
Examples
Target with KinesisParameters
The following snippet creates a Kinesis data stream target.
JSON
"MyEventsRule": {
"Properties": {
"Description": "Events Rule with KinesisParameters",
"EventPattern": {
"source": [
"aws.ec2"
]
},
"RoleArn": {
"Fn::GetAtt": [
"EventsInvokeKinesisTargetRole",
"Arn"
]
},

1232
Amazon EventBridge
"State": "ENABLED",
"Targets": [
{
"Arn": {
"Fn::GetAtt": [
"MyFirstStream",
"Arn"
]
},
"Id": "Id123",
"RoleArn": {
"Fn::GetAtt": [
"EventsInvokeKinesisTargetRole",
"Arn"
]
},
"KinesisParameters": {
"PartitionKeyPath": "$"
}
}
]
}
}
YAML
MyEventsRule:
Properties:
Description: Events Rule with KinesisParameters
EventPattern:
source:
- aws.ec2
RoleArn: !GetAtt
- EventsInvokeKinesisTargetRole
- Arn
ScheduleExpression: rate(5 minutes)
State: ENABLED
Targets:
- Arn: !GetAtt
- MyFirstStream
- Arn
Id: Id123
RoleArn: !GetAtt
- EventsInvokeKinesisTargetRole
- Arn
KinesisParameters:
PartitionKeyPath: $
Target with EcsParameters
The following snippet creates an Amazon ECS task target.
JSON
"MyEventsRule": {
"Properties": {
"Description": "Events Rule with EcsParameters",
"EventPattern": {
"source": [
"aws.ec2"
],

1233
Amazon EventBridge
"detail-type": [
"EC2 Instance State-change Notification"
],
"detail": {
"state": [
"stopping"
]
}
},
"State": "DISABLED",
"Targets": [
{
"Arn": {
"Fn::GetAtt": [
"MyCluster",
"Arn"
]
},
"RoleArn": {
"Fn::GetAtt": [
"ECSTaskRole",
"Arn"
]
},
"Id": "Id345",
"EcsParameters": {
"TaskCount": 1,
"TaskDefinitionArn": {
"Ref": "MyECSTask"
}
}
}
]
}
}
YAML
MyEventsRule:
Properties:
Description: Events Rule with EcsParameters
EventPattern:
source:
- aws.ec2
detail-type:
- EC2 Instance State-change Notification
detail:
state:
- stopping
ScheduleExpression: rate(15 minutes)
State: DISABLED
Targets:
- Arn: !GetAtt
- MyCluster
- Arn
RoleArn: !GetAtt
- ECSTaskRole
- Arn
Id: Id345
EcsParameters:
TaskCount: 1
TaskDefinitionArn: !Ref MyECSTask

1234
CodeBuild
CodeBuild Resource Type Reference

Resource Types
• AWS::CodeBuild::Project (p. 1235)

• AWS::CodeBuild::SourceCredential (p. 1269)
AWS::CodeBuild::Project
The AWS::CodeBuild::Project resource configures how AWS CodeBuild builds your source code. For
example, it tells CodeBuild where to get the source code and which build environment to use.
Syntax
JSON
{
"Type" : "AWS::CodeBuild::Project",
"Properties" : {
"Artifacts" : Artifacts (p. 1247),
"BadgeEnabled" : Boolean,
"Cache" : ProjectCache (p. 1257),
"EncryptionKey" : String,
"Environment" : Environment (p. 1251),
"LogsConfig" : LogsConfig (p. 1256),
"Name" : String,
"QueuedTimeoutInMinutes" : Integer,
"SecondaryArtifacts" : [ Artifacts (p. 1247), ... ],
"SecondarySources" : [ Source (p. 1263), ... ],
"SecondarySourceVersions" : [ ProjectSourceVersion (p. 1259), ... ],
"Source" : Source (p. 1263),
"SourceVersion" : String,
"Tags" : [ Tag, ... ],
"TimeoutInMinutes" : Integer,
"Triggers" : ProjectTriggers (p. 1260),
}
}
YAML
Type: AWS::CodeBuild::Project
Properties:
Artifacts:
Artifacts (p. 1247)
BadgeEnabled: Boolean
Cache:
ProjectCache (p. 1257)
Description: String
EncryptionKey: String
Environment:
Environment (p. 1251)
LogsConfig:
LogsConfig (p. 1256)
Name: String

1235
CodeBuild
QueuedTimeoutInMinutes: Integer
SecondaryArtifacts:
- Artifacts (p. 1247)
SecondarySources:
- Source (p. 1263)
SecondarySourceVersions:
- ProjectSourceVersion (p. 1259)
ServiceRole: String
Source:
Source (p. 1263)
SourceVersion: String
Tags:
- Tag
TimeoutInMinutes: Integer
Triggers:
ProjectTriggers (p. 1260)
VpcConfig:
VpcConfig (p. 1267)
Properties
Artifacts
Artifacts is a property of the AWS::CodeBuild::Project resource that specifies output settings for
artifacts generated by an AWS CodeBuild build.
Required: Yes
Type: Artifacts (p. 1247)

BadgeEnabled
Indicates whether AWS CodeBuild generates a publicly accessible URL for your project's build badge.
For more information, see Build Badges Sample in the AWS CodeBuild User Guide.
Note
Including build badges with your project is currently not supported if the source type is
CodePipeline. If you specify CODEPIPELINE for the Source property, do not specify the
BadgeEnabled property.
Required: No
Type: Boolean

Cache
Settings that AWS CodeBuild uses to store and reuse build dependencies.
Required: No
Type: ProjectCache (p. 1257)

Description
A description that makes the build project easy to identify.
Required: No

1236
CodeBuild
Type: String
Minimum: 0
Maximum: 255

EncryptionKey
The alias or Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS)
customer master key (CMK) that CodeBuild uses to encrypt the build output. If you don't specify a
value, CodeBuild uses the AWS-managed CMK for Amazon Simple Storage Service (Amazon S3).
Note
You can use a cross-account KMS key to encrypt the build output artifacts if your service
role has permission to that key.
You can specify either the Amazon Resource Name (ARN) of the CMK or, if available, the CMK's alias
(using the format alias/alias-name ).
Required: No
Type: String
Minimum: 1

Environment
The build environment settings for the project, such as the environment type or the environment
variables to use for the build environment.
Required: Yes
Type: Environment (p. 1251)

LogsConfig
Information about logs for the build project. A project can create logs in Amazon CloudWatch Logs,
an S3 bucket, or both.
Required: No
Type: LogsConfig (p. 1256)

Name
The name of the build project. The name must be unique across all of the projects in your AWS
account.
Required: No
Type: String
Minimum: 2
Maximum: 255

1237
CodeBuild
Pattern: [A-Za-z0-9][A-Za-z0-9\-_]{1,254}

QueuedTimeoutInMinutes
The number of minutes a build is allowed to be queued before it times out.
Required: No
Type: Integer
Minimum: 5
Maximum: 480

SecondaryArtifacts
A list of Artifacts objects. Each artifacts object specifies output settings that the project
generates during a build.
Required: No
Type: List of Artifacts (p. 1247)
Maximum: 12

SecondarySources
An array of ProjectSource objects.
Required: No
Type: List of Source (p. 1263)
Maximum: 12

SecondarySourceVersions
An array of ProjectSourceVersion objects. If secondarySourceVersions is specified at the

build level, then they take over these secondarySourceVersions (at the project level).
Required: No
Type: List of ProjectSourceVersion (p. 1259)
Maximum: 12

ServiceRole
The ARN of the AWS Identity and Access Management (IAM) role that enables AWS CodeBuild to
interact with dependent AWS services on behalf of the AWS account.
Required: Yes
Type: String

1238
CodeBuild
Minimum: 1

Source
The source code settings for the project, such as the source code's repository type and location.
Required: Yes
Type: Source (p. 1263)

SourceVersion
A version of the build input to be built for this project. If not specified, the latest version is used. If
specified, it must be one of:
• For AWS CodeCommit: the commit ID, branch, or Git tag to use.
• For GitHub: the commit ID, pull request ID, branch name, or tag name that corresponds to the
version of the source code you want to build. If a pull request ID is specified, it must use the
format pr/pull-request-ID (for example pr/25). If a branch name is specified, the branch's
HEAD commit ID is used. If not specified, the default branch's HEAD commit ID is used.
• For Bitbucket: the commit ID, branch name, or tag name that corresponds to the version of the
source code you want to build. If a branch name is specified, the branch's HEAD commit ID is used.
If not specified, the default branch's HEAD commit ID is used.
• For Amazon Simple Storage Service (Amazon S3): the version ID of the object that represents the
build input ZIP file to use.
If sourceVersion is specified at the build level, then that version takes precedence over this
sourceVersion (at the project level).
For more information, see Source Version Sample with CodeBuild in the AWS CodeBuild User Guide.
Required: No
Type: String

Tags
An arbitrary set of tags (key-value pairs) for the AWS CodeBuild project.
These tags are available for use by AWS services that support AWS CodeBuild build project tags.
Required: No
Type: List of Tag
Maximum: 50

TimeoutInMinutes
How long, in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait before timing out any
related build that did not get marked as completed. The default is 60 minutes.
Required: No
Type: Integer

1239
CodeBuild
Minimum: 5
Maximum: 480

Triggers
For an existing AWS CodeBuild build project that has its source code stored in a GitHub repository,
enables AWS CodeBuild to begin automatically rebuilding the source code every time a code change
is pushed to the repository.
Required: No
Type: ProjectTriggers (p. 1260)

VpcConfig
VpcConfig specifies settings that enable AWS CodeBuild to access resources in an Amazon VPC. For
more information, see Use AWS CodeBuild with Amazon Virtual Private Cloud in the AWS CodeBuild
User Guide.
Required: No
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the name of the
AWS CodeBuild project, such as myProjectName.
Fn::GetAtt
attributes and sample return values. For more information about using Fn::GetAtt, see Fn::GetAtt.
Arn
The ARN of the AWS CodeBuild project, such as arn:aws:codebuild:us-

west-2:123456789012:project/myProjectName.
Examples
Create a project
The following example creates an AWS CodeBuild project.
JSON
{
"Project": {

1240
CodeBuild
"Type": "AWS::CodeBuild::Project",
"Properties": {
"Name": "myProjectName",
"Description": "A description about my project",
"ServiceRole": { "Fn::GetAtt": [ "ServiceRole", "Arn" ] },
"Artifacts": {
"Type": "no_artifacts"
},
"Environment": {
"Type": "LINUX_CONTAINER",
"ComputeType": "BUILD_GENERAL1_SMALL",
"Image": "aws/codebuild/java:openjdk-8",
"EnvironmentVariables": [
{
"Name": "varName",
"Value": "varValue"
}
]
},
"Source": {
"Location": "codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c",
"Type": "S3"
},
"TimeoutInMinutes": 10,
"Tags": [
{
"Key": "Key1",
"Value": "Value1"
},
{
"Key": "Key2",
"Value": "Value2"
}
]
}
}
}
YAML
Project:
Properties:
Name: myProjectName
Description: A description about my project
ServiceRole: !GetAtt ServiceRole.Arn
Artifacts:
Type: no_artifacts
Environment:
Type: LINUX_CONTAINER
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/java:openjdk-8
- Name: varName
Value: varValue
Source:
Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
Type: S3
TimeoutInMinutes: 10
Tags:
- Key: Key1
Value: Value1
- Key: Key2
Value: Value2

1241
CodeBuild
Create a project with two filter groups.
The following example creates a project with two filter groups. Together, they trigger a build when one
or both evaluate to true:
• The first filter group specifies pull requests are created or updated on branches with Git reference
names that match the regular expression ^refs/heads/master$ by a GitHub user that does not
have account ID 12345.
• The second filter group specifies push requests are created on files with names that match the regular
expression READ_ME in branches with Git reference names that match the regular expression ^refs/
heads/.*.
For this example, the name of the service role is my-example-service-role. The name of the source
location is my-example-source-location.
YAML
CodeBuildProject:
Properties:
Name: MyProject
ServiceRole: my-example-service-role
Artifacts:
Type: NO_ARTIFACTS
Environment:
Image: aws/codebuild/standard:1.0
Source:
Type: GITHUB
Location: my-example-source-location
Triggers:
Webhook: true
FilterGroups:
- - Type: EVENT
Pattern: PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED
- Type: BASE_REF
Pattern: ^refs/heads/master$
ExcludeMatchedPattern: false
- Type: ACTOR_ACCOUNT_ID
Pattern: 12345
ExcludeMatchedPattern: true
- - Type: EVENT
Pattern: PUSH
- Type: HEAD_REF
Pattern: ^refs/heads/.*
- Type: FILE_PATH
Pattern: READ_ME
ExcludeMatchedPattern: true
JSON
{
"CodeBuildProject": {
"Properties": {
"Name": "MyProject",
"ServiceRole": "my-example-service-role",
"Artifacts": {
"Type": "NO_ARTIFACTS"
},

1242
CodeBuild
"Environment": {
"Image": "aws/codebuild/standard:1.0"
},
"Source": {
"Type": "GITHUB",
"Location": "my-example-source-location"
},
"Triggers": {
"Webhook": true,
"FilterGroups": [
[
{
"Type": "EVENT",
"Pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"
},
{
"Type": "BASE_REF",
"Pattern": "^refs/heads/master$",
"ExcludeMatchedPattern": false
},
{
"Type": "ACTOR_ACCOUNT_ID",
"Pattern": 12345,
"ExcludeMatchedPattern": true
}
],
[
{
"Type": "EVENT",
"Pattern": "PUSH"
},
{
"Type": "HEAD_REF",
"Pattern": "^refs/heads/.*"
},
{
"Type": "FILE_PATH",
"Pattern": "READ_ME",
"ExcludeMatchedPattern": true
}
]
]
}
}
}
}
Create a project using Amazon S3 and Amazon VPC
The following example creates a project that caches build dependencies in Amazon S3 and uses
resources in an Amazon VPC.
YAML
Resources:
CodeBuildProject:
Properties:
ServiceRole: !GetAtt CodeBuildRole.Arn
Artifacts:
Type: CODEPIPELINE
Environment:

1243
CodeBuild
Image: aws/codebuild/ubuntu-base:14.04
- Name: varName1
Value: varValue1
- Name: varName2
Value: varValue2
Type: PLAINTEXT
- Name: varName3
Value: /CodeBuild/testParameter
Type: PARAMETER_STORE
Source:
Type: CODEPIPELINE
TimeoutInMinutes: 10
VpcConfig:
VpcId: !Ref CodeBuildVPC
Subnets: [!Ref CodeBuildSubnet]
SecurityGroupIds: [!Ref CodeBuildSecurityGroup]
Cache:
Type: S3
Location: mybucket/prefix
CodeBuildRole:
Properties:
Statement:
- Action: ['sts:AssumeRole']
Effect: Allow
Principal:
Service: [codebuild.amazonaws.com]
Version: '2012-10-17'
Path: /
Policies:
- PolicyName: CodeBuildAccess
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- 'logs:*'
- 'ec2:CreateNetworkInterface'
- 'ec2:DescribeNetworkInterfaces'
- 'ec2:DeleteNetworkInterface'
- 'ec2:DescribeSubnets'
- 'ec2:DescribeSecurityGroups'
- 'ec2:DescribeDhcpOptions'
- 'ec2:DescribeVpcs'
- 'ec2:CreateNetworkInterfacePermission'
Effect: Allow
Resource: '*'
CodeBuildVPC:
Type: AWS::EC2::VPC
Properties:
Tags:
- Key: name
Value: codebuild
CodeBuildSubnet:
Properties:
VpcId:
Ref: CodeBuildVPC
CodeBuildSecurityGroup:

1244
CodeBuild
Properties:
GroupName: Codebuild Internet Group
GroupDescription: 'CodeBuild SecurityGroup'
VpcId: !Ref CodeBuildVPC
JSON
{
"Resources": {
"CodeBuildProject": {
"Properties": {
"ServiceRole": {
"Fn::GetAtt": [
"CodeBuildRole",
"Arn"
]
},
"Artifacts": {
"Type": "CODEPIPELINE"
},
"Environment": {
"Image": "aws/codebuild/ubuntu-base:14.04",
"EnvironmentVariables": [
{
"Name": "varName1",
"Value": "varValue1"
},
{
"Name": "varName2",
"Value": "varValue2",
"Type": "PLAINTEXT"
},
{
"Name": "varName3",
"Value": "/CodeBuild/testParameter",
"Type": "PARAMETER_STORE"
}
]
},
"Source": {
"Type": "CODEPIPELINE"
},
"TimeoutInMinutes": 10,
"VpcConfig": {
"VpcId": {
"Ref": "CodeBuildVPC"
},
"Subnets": [
{
"Ref": "CodeBuildSubnet"
}
],
{
"Ref": "CodeBuildSecurityGroup"
}
]
},
"Cache": {
"Type": "S3",

1245
CodeBuild
"Location": "mybucket/prefix"
}
}
},
"CodeBuildRole": {
"Properties": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"codebuild.amazonaws.com"
]
}
}
],
"Version": "2012-10-17"
},
"Path": "/",
"Policies": [
{
"PolicyName": "CodeBuildAccess",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:*",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeDhcpOptions",
"ec2:DescribeVpcs",
"ec2:CreateNetworkInterfacePermission"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
}
]
}
},
"CodeBuildVPC": {
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsSupport": "true",
"EnableDnsHostnames": "true",
"Tags": [
{
"Key": "name",
"Value": "codebuild"
}
]
}
},
"CodeBuildSubnet": {

1246
CodeBuild
"Properties": {
"VpcId": {
},
"CidrBlock": "10.0.1.0/24"
}
},
"CodeBuildSecurityGroup": {
"Properties": {
"GroupName": "Codebuild Internet Group",
"GroupDescription": "CodeBuild SecurityGroup",
"VpcId": {
}
}
}
}
}
See Also
• CreateProject in the AWS CodeBuild API Reference
AWS::CodeBuild::Project Artifacts
Artifacts is a property of the AWS::CodeBuild::Project resource that specifies output settings for
artifacts generated by an AWS CodeBuild build.
Syntax
JSON
{
"ArtifactIdentifier" : String,
"EncryptionDisabled" : Boolean,
"Location" : String,
"Name" : String,
"NamespaceType" : String,
"OverrideArtifactName" : Boolean,
"Packaging" : String,
"Path" : String,
"Type" : String
}
YAML
ArtifactIdentifier: String
EncryptionDisabled: Boolean
Location: String
Name: String
NamespaceType: String
OverrideArtifactName: Boolean
Packaging: String
Path: String
Type: String

1247
CodeBuild
Properties
ArtifactIdentifier
An identifier for this artifact definition.
Required: No
Type: String

EncryptionDisabled
Set to true if you do not want your output artifacts encrypted. This option is valid only if your
artifacts type is Amazon Simple Storage Service (Amazon S3). If this is set with another artifacts
type, an invalidInputException is thrown.
Required: No
Type: Boolean

Location
Information about the build output artifact location:

• If type is set to CODEPIPELINE, AWS CodePipeline ignores this value if specified. This is because
AWS CodePipeline manages its build output locations instead of AWS CodeBuild.
• If type is set to NO_ARTIFACTS, this value is ignored if specified, because no build output is
produced.
• If type is set to S3, this is the name of the output bucket.
If you specify CODEPIPELINE or NO_ARTIFACTS for the Type property, don't specify this property.
For all of the other types, you must specify this property.
Type: String

Name
Along with path and namespaceType, the pattern that AWS CodeBuild uses to name and store the
output artifact:
AWS CodePipeline manages its build output names instead of AWS CodeBuild.
produced.
• If type is set to S3, this is the name of the output artifact object. If you set the name to be a
forward slash ("/"), the artifact is stored in the root of the output bucket.
For example:
• If path is set to MyArtifacts, namespaceType is set to BUILD_ID, and name is set
to MyArtifact.zip, then the output artifact is stored in MyArtifacts/build-ID/
MyArtifact.zip.
• If path is empty, namespaceType is set to NONE, and name is set to "/", the output artifact is
stored in the root of the output bucket.

1248
CodeBuild
• If path is set to MyArtifacts, namespaceType is set to BUILD_ID, and name is set to "/", the
output artifact is stored in MyArtifacts/build-ID .
If you specify CODEPIPELINE or NO_ARTIFACTS for the Type property, don't specify this property.
For all of the other types, you must specify this property.
Type: String

NamespaceType
Along with path and name, the pattern that AWS CodeBuild uses to determine the name and
location to store the output artifact:
produced.
• If type is set to S3, valid values include:
• BUILD_ID: Include the build ID in the location of the build output artifact.
• NONE: Do not include the build ID. This is the default if namespaceType is not specified.
For example, if path is set to MyArtifacts, namespaceType is set to BUILD_ID, and name is set
to MyArtifact.zip, the output artifact is stored in MyArtifacts/build-ID/MyArtifact.zip.
Required: No
Type: String
Allowed Values: BUILD_ID | NONE

OverrideArtifactName
If set to true a name specified in the buildspec file overrides the artifact name. The name specified in
a buildspec file is calculated at build time and uses the Shell command language. For example, you
can append a date and time to your artifact name so that it is always unique.
Required: No
Type: Boolean

Packaging
The type of build output artifact to create:

AWS CodePipeline manages its build output artifacts instead of AWS CodeBuild.
produced.
• If type is set to S3, valid values include:
• NONE: AWS CodeBuild creates in the output bucket a folder that contains the build output. This
is the default if packaging is not specified.
• ZIP: AWS CodeBuild creates in the output bucket a ZIP file that contains the build output.
Required: No

1249
CodeBuild
Type: String
Allowed Values: NONE | ZIP

Path
Along with namespaceType and name, the pattern that AWS CodeBuild uses to name and store the
output artifact:
produced.
• If type is set to S3, this is the path to the output artifact. If path is not specified, path is not
used.
For example, if path is set to MyArtifacts, namespaceType is set to NONE, and name is set
to MyArtifact.zip, the output artifact is stored in the output bucket at MyArtifacts/
MyArtifact.zip.
Required: No
Type: String

Type
The type of build output artifact. Valid values include:

• CODEPIPELINE: The build project has build output generated through AWS CodePipeline.
Note
The CODEPIPELINE type is not supported for secondaryArtifacts.
• NO_ARTIFACTS: The build project does not produce any build output.
• S3: The build project stores build output in Amazon Simple Storage Service (Amazon S3).
Required: Yes
Type: String
Allowed Values: CODEPIPELINE | NO_ARTIFACTS | S3
AWS::CodeBuild::Project CloudWatchLogsConfig
CloudWatchLogs is a property of the AWS CodeBuild Project LogsConfig property type that specifies
settings for CloudWatch logs generated by an AWS CodeBuild build.
Syntax
JSON
{
"GroupName" : String,
"Status" : String,

1250
CodeBuild
"StreamName" : String
}
YAML
GroupName: String
Status: String
StreamName: String
Properties
GroupName
The group name of the logs in Amazon CloudWatch Logs. For more information, see Working with
Log Groups and Log Streams.
Required: No
Type: String

Status
The current status of the logs in Amazon CloudWatch Logs for a build project. Valid values are:
• ENABLED: Amazon CloudWatch Logs are enabled for this build project.
• DISABLED: Amazon CloudWatch Logs are not enabled for this build project.
Required: Yes
Type: String

StreamName
The prefix of the stream name of the Amazon CloudWatch Logs. For more information, see Working
with Log Groups and Log Streams.
Required: No
Type: String
See Also
• CloudWatchLogsConfig in the AWS CodeBuild API Reference
AWS::CodeBuild::Project Environment
Environment is a property of the AWS::CodeBuild::Project resource that specifies the environment for
an AWS CodeBuild project.
Syntax

1251
CodeBuild
JSON
{
"Certificate" : String,
"ComputeType" : String,
"Image" : String,
"ImagePullCredentialsType" : String,
"PrivilegedMode" : Boolean,
"RegistryCredential" : RegistryCredential (p. 1260),
"Type" : String
}
YAML
Certificate: String
ComputeType: String
Image: String
ImagePullCredentialsType: String
PrivilegedMode: Boolean
RegistryCredential:
RegistryCredential (p. 1260)
Type: String
Properties
Certificate
The certificate to use with this build project.
Required: No
Type: String

ComputeType
The type of compute environment. This determines the number of CPU cores and memory the build
environment uses. Available values include:
• BUILD_GENERAL1_SMALL: Use up to 3 GB memory and 2 vCPUs for builds.
• BUILD_GENERAL1_MEDIUM: Use up to 7 GB memory and 4 vCPUs for builds.
• BUILD_GENERAL1_LARGE: Use up to 15 GB memory and 8 vCPUs for builds.
For more information, see Build Environment Compute Types in the AWS CodeBuild User Guide.
Required: Yes
Type: String

A set of environment variables to make available to builds for this build project.
Required: No

1252
CodeBuild

Image
The image tag or image digest that identifies the Docker image to use for this build project. Use the
following formats:
• For an image tag: registry/repository:tag. For example, to specify an image with the tag
"latest," use registry/repository:latest.
• For an image digest: registry/repository@digest. For example, to specify an image with the
digest "sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf," use
registry/
repository@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf.
Required: Yes
Type: String
Minimum: 1

ImagePullCredentialsType
The type of credentials AWS CodeBuild uses to pull images in your build. There are two valid values:
• CODEBUILD specifies that AWS CodeBuild uses its own credentials. This requires that you modify
your ECR repository policy to trust AWS CodeBuild's service principal.
• SERVICE_ROLE specifies that AWS CodeBuild uses your build project's service role.
When you use a cross-account or private registry image, you must use SERVICE_ROLE credentials.
When you use an AWS CodeBuild curated image, you must use CODEBUILD credentials.
Required: No
Type: String
Allowed Values: CODEBUILD | SERVICE_ROLE

PrivilegedMode
Enables running the Docker daemon inside a Docker container. Set to true only if the build project is
used to build Docker images. Otherwise, a build that attempts to interact with the Docker daemon
fails. The default setting is false.
You can initialize the Docker daemon during the install phase of your build by adding one of the
following sets of commands to the install phase of your buildspec file:
If the operating system's base image is Ubuntu Linux:
- nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --

host=tcp://0.0.0.0:2375 --storage-driver=overlay&
- timeout 15 sh -c "until docker info; do echo .; sleep 1; done"
If the operating system's base image is Alpine Linux and the previous command does not work, add
the -t argument to timeout:
- nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --

host=tcp://0.0.0.0:2375 --storage-driver=overlay&
- timeout -t 15 sh -c "until docker info; do echo .; sleep 1; done"

1253
CodeBuild
Required: No
Type: Boolean

RegistryCredential
RegistryCredential is a property of the AWS::CodeBuild::Project Environment property that

specifies information about credentials that provide access to a private Docker registry. When this is
set:
• imagePullCredentialsType must be set to SERVICE_ROLE.
• images cannot be curated or an Amazon ECR image.
Required: No
Type: RegistryCredential (p. 1260)

Type
The type of build environment to use for related builds.

• The environment type ARM_CONTAINER is available only in regions US East (N. Virginia), US East
(Ohio), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai), Asia Pacific (Tokyo), Asia Pacific
(Sydney), and EU (Frankfurt).
• The environment type LINUX_CONTAINER with compute type build.general1.2xlarge is
available only in regions US East (N. Virginia), US East (N. Virginia), US West (Oregon), Canada
(Central), EU (Ireland), EU (London), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia
Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), and China (Ningxia).
• The environment type LINUX_GPU_CONTAINER is available only in regions US East (N. Virginia),
US East (N. Virginia), US West (Oregon), Canada (Central), EU (Ireland), EU (London), EU
(Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney) ,
China (Beijing), and China (Ningxia).
Required: Yes
Type: String
Allowed Values: ARM_CONTAINER | LINUX_CONTAINER | LINUX_GPU_CONTAINER |

WINDOWS_CONTAINER
AWS::CodeBuild::Project EnvironmentVariable
EnvironmentVariable is a property of the AWS CodeBuild Project Environment property type that
specifies the name and value of an environment variable for an AWS CodeBuild project environment.
When you use the environment to run a build, these variables are available for your builds to use.
EnvironmentVariable contains a list of EnvironmentVariable property types.
Syntax
JSON
{
"Name" : String,

1254
CodeBuild
"Type" : String,
"Value" : String
}
YAML
Name: String
Type: String
Value: String
Properties
Name
The name or key of the environment variable.
Required: Yes
Type: String
Minimum: 1

Type
The type of environment variable. Valid values include:

• PARAMETER_STORE: An environment variable stored in Amazon EC2 Systems Manager Parameter
Store.
• PLAINTEXT: An environment variable in plain text format.
• SECRETS_MANAGER: An environment variable stored in AWS Secrets Manager.
Required: No
Type: String
Allowed Values: PARAMETER_STORE | PLAINTEXT | SECRETS_MANAGER

Value
The value of the environment variable.

Important
We strongly discourage the use of environment variables to store sensitive values, especially
AWS secret key IDs and secret access keys. Environment variables can be displayed in plain
text using the AWS CodeBuild console and the AWS Command Line Interface (AWS CLI).
Required: Yes
Type: String
AWS::CodeBuild::Project FilterGroup
A list of WebhookFilter objects used to determine which webhook events are triggered. At least one
WebhookFilter in the list must specify EVENT as its type. The FilterGroups property of the AWS
CodeBuild Project ProjectTriggers property type is a list of FilterGroup objects.

1255
CodeBuild
Required: No
Type: A list of WebhookFilter objects
AWS::CodeBuild::Project GitSubmodulesConfig
GitSubmodulesConfig is a property of the AWS CodeBuild Project Source property type that specifies
information about the Git submodules configuration for the build project.
Syntax
JSON
{
"FetchSubmodules" : Boolean
}
YAML
FetchSubmodules: Boolean
Properties
FetchSubmodules
Set to true to fetch Git submodules for your AWS CodeBuild build project.
Required: Yes
Type: Boolean
See Also
• GitSubmodulesConfig in the AWS CodeBuild API Reference
AWS::CodeBuild::Project LogsConfig
LogsConfig is a property of the AWS CodeBuild Project resource that specifies information about logs
for a build project. These can be logs in Amazon CloudWatch Logs, built in a specified S3 bucket, or both.
Syntax
JSON
{
"CloudWatchLogs" : CloudWatchLogsConfig (p. 1250),
"S3Logs" : S3LogsConfig (p. 1261)
}

1256
CodeBuild
YAML
CloudWatchLogs:
CloudWatchLogsConfig (p. 1250)
S3Logs:
S3LogsConfig (p. 1261)
Properties
CloudWatchLogs
Information about Amazon CloudWatch Logs for a build project. Amazon CloudWatch Logs are
enabled by default.
Required: No
Type: CloudWatchLogsConfig (p. 1250)

S3Logs
Information about logs built to an S3 bucket for a build project. S3 logs are not enabled by default.
Required: No
Type: S3LogsConfig (p. 1261)
See Also
• LogsConfig in the AWS CodeBuild API Reference
AWS::CodeBuild::Project ProjectCache
ProjectCache is a property of the AWS CodeBuild Project resource that specifies information about
the cache for the build project. If ProjectCache is not specified, then both of its properties default to
NO_CACHE.
Syntax
JSON
{
"Modes" : [ String, ... ],
"Type" : String
}
YAML
Location: String
Modes:
- String

1257
CodeBuild
Type: String
Properties
Location
Information about the cache location:

• NO_CACHE or LOCAL: This value is ignored.
• S3: This is the S3 bucket name/prefix.
Required: No
Type: String

Modes
If you use a LOCAL cache, the local cache mode. You can use one or more local cache modes at the
same time.
• LOCAL_SOURCE_CACHE mode caches Git metadata for primary and secondary sources. After the
cache is created, subsequent builds pull only the change between commits. This mode is a good
choice for projects with a clean working directory and a source that is a large Git repository. If you
choose this option and your project does not use a Git repository (GitHub, GitHub Enterprise, or
Bitbucket), the option is ignored.
• LOCAL_DOCKER_LAYER_CACHE mode caches existing Docker layers. This mode is a good choice
for projects that build or pull large Docker images. It can prevent the performance issues caused
by pulling large Docker images down from the network.
Note
• You can use a Docker layer cache in the Linux environment only.
• The privileged flag must be set so that your project has the required Docker
permissions.
• You should consider the security implications before you use a Docker layer cache.
• LOCAL_CUSTOM_CACHE mode caches directories you specify in the buildspec file. This mode is a
good choice if your build scenario is not suited to one of the other three local cache modes. If you
use a custom cache:
• Only directories can be specified for caching. You cannot specify individual files.
• Symlinks are used to reference cached directories.
• Cached directories are linked to your build before it downloads its project sources. Cached items
are overridden if a source item has the same name. Directories are specified using cache paths in
the buildspec file.
Required: No

Type
The type of cache used by the build project. Valid values include:
• NO_CACHE: The build project does not use any cache.
• S3: The build project reads and writes from and to S3.
• LOCAL: The build project stores a cache locally on a build host that is only available to that build
host.
Required: Yes

1258
CodeBuild
Type: String
Allowed Values: LOCAL | NO_CACHE | S3
See Also
• ProjectCache in the AWS CodeBuild API Reference
AWS::CodeBuild::Project ProjectSourceVersion
A source identifier and its corresponding version.
Syntax
JSON
{
"SourceIdentifier" : String,
"SourceVersion" : String
}
YAML
SourceIdentifier: String
SourceVersion: String
Properties
SourceIdentifier
An identifier for a source in the build project.
Required: Yes
Type: String

SourceVersion
The source version for the corresponding source identifier. If specified, must be one of:
• For AWS CodeCommit: the commit ID, branch, or Git tag to use.
• For GitHub: the commit ID, pull request ID, branch name, or tag name that corresponds to the
version of the source code you want to build. If a pull request ID is specified, it must use the
format pr/pull-request-ID (for example, pr/25). If a branch name is specified, the branch's
HEAD commit ID is used. If not specified, the default branch's HEAD commit ID is used.
• For Bitbucket: the commit ID, branch name, or tag name that corresponds to the version of the
source code you want to build. If a branch name is specified, the branch's HEAD commit ID is used.
If not specified, the default branch's HEAD commit ID is used.
• For Amazon Simple Storage Service (Amazon S3): the version ID of the object that represents the
build input ZIP file to use.
For more information, see Source Version Sample with CodeBuild in the AWS CodeBuild User Guide.

1259
CodeBuild
Required: No
Type: String
AWS::CodeBuild::Project ProjectTriggers
ProjectTriggers is a property of the AWS CodeBuild Project resource that specifies webhooks that
trigger an AWS CodeBuild build.
Syntax
JSON
{
"FilterGroups" : [ FilterGroup (p. 1255), ... ],
"Webhook" : Boolean
}
YAML
FilterGroups:
- FilterGroup (p. 1255)
Webhook: Boolean
Properties
FilterGroups
A list of lists of WebhookFilter objects used to determine which webhook events are triggered. At
least one WebhookFilter in the array must specify EVENT as its type.
Required: No
Type: List of FilterGroup (p. 1255)

Webhook
Specifies whether or not to begin automatically rebuilding the source code every time a code change
is pushed to the repository.
Required: No
Type: Boolean
AWS::CodeBuild::Project RegistryCredential
RegistryCredential is a property of the AWS CodeBuild Project Environment property type that
specifies information about credentials that provide access to a private Docker registry. When this is set:
• imagePullCredentialsType must be set to SERVICE_ROLE.

1260
CodeBuild
• images cannot be curated or an Amazon ECR image.
For more information, see Private Registry with AWS Secrets Manager Sample for AWS CodeBuild.
Syntax
JSON
{
"Credential" : String,
"CredentialProvider" : String
}
YAML
Credential: String
CredentialProvider: String
Properties
Credential
The Amazon Resource Name (ARN) or name of credentials created using AWS Secrets Manager.
Note
The credential can use the name of the credentials only if they exist in your current
region.
Required: Yes
Type: String
Minimum: 1

CredentialProvider
The service that created the credentials to access a private Docker registry. The valid value,
SECRETS_MANAGER, is for AWS Secrets Manager.
Required: Yes
Type: String
Allowed Values: SECRETS_MANAGER
See Also
• RegistryCredential in the AWS CodeBuild API Reference
AWS::CodeBuild::Project S3LogsConfig
S3Logs is a property of the AWS CodeBuild Project LogsConfig property type that specifies settings for
logs generated by an AWS CodeBuild build in an S3 bucket.

1261
CodeBuild
Syntax
JSON
{
"EncryptionDisabled" : Boolean,
"Status" : String
}
YAML
EncryptionDisabled: Boolean
Location: String
Status: String
Properties
EncryptionDisabled
Set to true if you do not want your S3 build log output encrypted. By default S3 build logs are
encrypted.
Required: No
Type: Boolean

Location
The ARN of an S3 bucket and the path prefix for S3 logs. If your Amazon S3 bucket name is my-
bucket, and your path prefix is build-log, then acceptable formats are my-bucket/build-log
or arn:aws:s3:::my-bucket/build-log.
Required: No
Type: String

Status
The current status of the S3 build logs. Valid values are:

• ENABLED: S3 build logs are enabled for this build project.
• DISABLED: S3 build logs are not enabled for this build project.
Required: Yes
Type: String
See Also
• S3LogsConfig in the AWS CodeBuild API Reference

1262
CodeBuild
AWS::CodeBuild::Project Source
Source is a property of the AWS::CodeBuild::Project resource that specifies the source code settings for
the project, such as the source code's repository type and location.
Syntax
JSON
{
"Auth" : SourceAuth (p. 1266),
"GitCloneDepth" : Integer,
"GitSubmodulesConfig" : GitSubmodulesConfig (p. 1256),
"InsecureSsl" : Boolean,
"ReportBuildStatus" : Boolean,
"SourceIdentifier" : String,
"Type" : String
}
YAML
Auth:
SourceAuth (p. 1266)
BuildSpec: String
GitCloneDepth: Integer
GitSubmodulesConfig:
GitSubmodulesConfig (p. 1256)
InsecureSsl: Boolean
Location: String
ReportBuildStatus: Boolean
Type: String
Properties
Auth
Information about the authorization settings for AWS CodeBuild to access the source code to be
built.
This information is for the AWS CodeBuild console's use only. Your code should not get or set Auth
directly.
Required: No
Type: SourceAuth (p. 1266)

BuildSpec
The build specification for the project. If this value is not provided, then the source code must
contain a buildspec file named buildspec.yml at the root level. If this value is provided, it
can be either a single string containing the entire build specification, or the path to an alternate
buildspec file relative to the value of the built-in environment variable CODEBUILD_SRC_DIR. The
alternate buildspec file can have a name other than buildspec.yml, for example myspec.yml or

1263
CodeBuild
build_spec_qa.yml or similar. For more information, see the Build Spec Reference in the AWS
CodeBuild User Guide.
Required: No
Type: String

GitCloneDepth
The depth of history to download. Minimum value is 0. If this value is 0, greater than 25, or not
provided, then the full history is downloaded with each build project. If your source type is Amazon
S3, this value is not supported.
Required: No
Type: Integer
Minimum: 0

GitSubmodulesConfig
Information about the Git submodules configuration for the build project.
Required: No
Type: GitSubmodulesConfig (p. 1256)

InsecureSsl
This is used with GitHub Enterprise only. Set to true to ignore SSL warnings while connecting to your
GitHub Enterprise project repository. The default value is false. InsecureSsl should be used for
testing purposes only. It should not be used in a production environment.
Required: No
Type: Boolean

Location
Information about the location of the source code to be built. Valid values include:
• For source code settings that are specified in the source action of a pipeline in AWS CodePipeline,
location should not be specified. If it is specified, AWS CodePipeline ignores it. This is because
AWS CodePipeline uses the settings in a pipeline's source action instead of this value.
• For source code in an AWS CodeCommit repository, the HTTPS clone URL to the repository that
contains the source code and the build spec (for example, https://git-codecommit.region-
ID.amazonaws.com/v1/repos/repo-name ).
• For source code in an Amazon Simple Storage Service (Amazon S3) input bucket, one of the
following.
• The path to the ZIP file that contains the source code (for example, bucket-
name/path/to/object-name.zip).
• The path to the folder that contains the source code (for example, bucket-
name/path/to/source-code/folder/).

1264
CodeBuild
• For source code in a GitHub repository, the HTTPS clone URL to the repository that contains the
source and the build spec. You must connect your AWS account to your GitHub account. Use the
AWS CodeBuild console to start creating a build project. When you use the console to connect
(or reconnect) with GitHub, on the GitHub Authorize application page, for Organization access,
choose Request access next to each repository you want to allow AWS CodeBuild to have access
to, and then choose Authorize application. (After you have connected to your GitHub account,
you do not need to finish creating the build project. You can leave the AWS CodeBuild console.) To
instruct AWS CodeBuild to use this connection, in the source object, set the auth object's type
value to OAUTH.
• For source code in a Bitbucket repository, the HTTPS clone URL to the repository that contains the
source and the build spec. You must connect your AWS account to your Bitbucket account. Use the
AWS CodeBuild console to start creating a build project. When you use the console to connect (or
reconnect) with Bitbucket, on the Bitbucket Confirm access to your account page, choose Grant
access. (After you have connected to your Bitbucket account, you do not need to finish creating
the build project. You can leave the AWS CodeBuild console.) To instruct AWS CodeBuild to use
this connection, in the source object, set the auth object's type value to OAUTH.
If you specify CODEPIPELINE for the Type property, don't specify this property. For all of the other
types, you must specify Location.
Required: No
Type: String

ReportBuildStatus
Set to true to report the status of a build's start and finish to your source provider. This option is
valid only when your source provider is GitHub, GitHub Enterprise, or Bitbucket. If this is set and you
use a different source provider, an invalidInputException is thrown.
Required: No
Type: Boolean

SourceIdentifier
An identifier for this project source.
Required: No
Type: String

Type
The type of repository that contains the source code to be built. Valid values include:
• BITBUCKET: The source code is in a Bitbucket repository.
• CODECOMMIT: The source code is in an AWS CodeCommit repository.
• CODEPIPELINE: The source code settings are specified in the source action of a pipeline in AWS
CodePipeline.
• GITHUB: The source code is in a GitHub repository.
• GITHUB_ENTERPRISE: The source code is in a GitHub Enterprise repository.
• NO_SOURCE: The project does not have input source code.
• S3: The source code is in an Amazon Simple Storage Service (Amazon S3) input bucket.

1265
CodeBuild
Required: Yes
Type: String
Allowed Values: BITBUCKET | CODECOMMIT | CODEPIPELINE | GITHUB |

GITHUB_ENTERPRISE | NO_SOURCE | S3
AWS::CodeBuild::Project SourceAuth
SourceAuth is a property of the AWS CodeBuild Project Source property type that specifies
authorization settings for AWS CodeBuild to access the source code to be built.
SourceAuth is for use by the CodeBuild console only. Do not get or set it directly.
Syntax
JSON
{
"Resource" : String,
"Type" : String
}
YAML
Resource: String
Type: String
Properties
Resource
The resource value that applies to the specified authorization type.

Note
This data type is used by the AWS CodeBuild console only.
Required: No
Type: String

Type
The authorization type to use. The only valid value is OAUTH, which represents the OAuth
authorization type.
Note
This data type is used by the AWS CodeBuild console only.
Required: Yes
Type: String
Allowed Values: OAUTH

1266
CodeBuild
AWS::CodeBuild::Project VpcConfig
VpcConfig is a property of the AWS::CodeBuild::Project resource that enable AWS CodeBuild to access
resources in an Amazon VPC. For more information, see Use AWS CodeBuild with Amazon Virtual Private
Cloud in the AWS CodeBuild User Guide.
Syntax
JSON
{
"VpcId" : String
}
YAML
SecurityGroupIds:
- String
Subnets:
- String
VpcId: String
Properties
SecurityGroupIds
A list of one or more security groups IDs in your Amazon VPC. The maximum count is 5.
Required: No
Maximum: 5

Subnets
A list of one or more subnet IDs in your Amazon VPC. The maximum count is 16.
Required: No
Maximum: 16

VpcId
The ID of the Amazon VPC.
Required: No
Type: String

1267
CodeBuild
Minimum: 1
See Also
• VpcConfig in the AWS CodeBuild API Reference
AWS::CodeBuild::Project WebhookFilter
WebhookFilter is a structure of the FilterGroups property on the AWS CodeBuild Project
ProjectTriggers property type that specifies which webhooks trigger an AWS CodeBuild build.
Syntax
JSON
{
"ExcludeMatchedPattern" : Boolean,
"Pattern" : String,
"Type" : String
}
YAML
ExcludeMatchedPattern: Boolean
Pattern: String
Type: String
Properties
ExcludeMatchedPattern
Used to indicate that the pattern determines which webhook events do not trigger a build. If true,
then a webhook event that does not match the pattern triggers a build. If false, then a webhook
event that matches the pattern triggers a build.
Required: No
Type: Boolean

Pattern
For a WebHookFilter that uses EVENT type, a comma-separated string that specifies
one or more events. For example, the webhook filter PUSH, PULL_REQUEST_CREATED,
PULL_REQUEST_UPDATED allows all push, pull request created, and pull request updated events to
trigger a build.
For a WebHookFilter that uses any of the other filter types, a regular expression pattern. For
example, a WebHookFilter that uses HEAD_REF for its type and the pattern ^refs/heads/
triggers a build when the head reference is a branch with a reference name refs/heads/branch-
name.
Required: Yes

1268
CodeBuild
Type: String

Type
The type of webhook filter. There are five webhook filter types: EVENT, ACTOR_ACCOUNT_ID,
HEAD_REF, BASE_REF, and FILE_PATH.
EVENT
A webhook event triggers a build when the provided pattern matches one of four event types:
PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, and PULL_REQUEST_REOPENED.
The EVENT patterns are specified as a comma-separated string. For example, PUSH,
PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED filters all push, pull request created, and
pull request updated events.
Note
The PULL_REQUEST_REOPENED works with GitHub and GitHub Enterprise only.
ACTOR_ACCOUNT_ID
A webhook event triggers a build when a GitHub, GitHub Enterprise, or Bitbucket account ID
matches the regular expression pattern.
HEAD_REF
A webhook event triggers a build when the head reference matches the regular expression
pattern. For example, refs/heads/branch-name and refs/tags/tag-name.
Works with GitHub and GitHub Enterprise push, GitHub and GitHub Enterprise pull request,
Bitbucket push, and Bitbucket pull request events.
BASE_REF
A webhook event triggers a build when the base reference matches the regular expression
pattern. For example, refs/heads/branch-name.
Note
Works with pull request events only.
FILE_PATH
A webhook triggers a build when the path of a changed file matches the regular expression
pattern.
Note
Works with GitHub and GitHub Enterprise push events only.
Required: Yes
Type: String
Allowed Values: ACTOR_ACCOUNT_ID | BASE_REF | EVENT | FILE_PATH | HEAD_REF
AWS::CodeBuild::SourceCredential
Information about the credentials for a GitHub, GitHub Enterprise, or Bitbucket repository. We strongly
recommend that you use AWS Secrets Manager to store your credentials or the NoEcho parameter to
mask your credentials. If you use Secrets Manager, you must have secrets in your secrets manager. For
more information, see Using Dynamic References to Specify Template Values.

1269
CodeBuild
Important
For security purposes, do not use plain text in your CloudFormation template to store your
credentials.
Syntax
JSON
{
"Type" : "AWS::CodeBuild::SourceCredential",
"Properties" : {
"ServerType" : String,
"Token" : String,
"Username" : String
}
}
YAML
Type: AWS::CodeBuild::SourceCredential
Properties:
AuthType: String
ServerType: String
Token: String
Username: String
Properties
AuthType
The type of authentication used by the credentials. Valid options are OAUTH, BASIC_AUTH, or
PERSONAL_ACCESS_TOKEN.
Required: Yes
Type: String
Allowed Values: BASIC_AUTH | OAUTH | PERSONAL_ACCESS_TOKEN

ServerType
The type of source provider. The valid options are GITHUB, GITHUB_ENTERPRISE, or BITBUCKET.
Required: Yes
Type: String
Allowed Values: BITBUCKET | GITHUB | GITHUB_ENTERPRISE

Token
For GitHub or GitHub Enterprise, this is the personal access token. For Bitbucket, this is the app
password.

1270
CodeBuild
Required: Yes
Type: String
Minimum: 1

Username
The Bitbucket username when the authType is BASIC_AUTH. This parameter is not valid for other
types of source providers or connections.
Required: No
Type: String
Minimum: 1
Examples
Create Bitbucket source credentials using AWS Secrets Manager
YAML
CodeBuildSourceCredential:
Type: 'AWS::CodeBuild::SourceCredential'
Properties:
Token: '{{resolve:secretsmanager:bitbucket:SecretString:token}}'
ServerType: BITBUCKET
Username: '{{resolve:secretsmanager:bitbucket:SecretString:username}}'
AuthType: BASIC_AUTH
JSON
{
"CodeBuildSourceCredential": {
"Type": "AWS::CodeBuild::SourceCredential",
"Properties": {
"Token": "{{resolve:secretsmanager:bitbucket:SecretString:token}}",
"ServerType": "BITBUCKET",
"Username": "{{resolve:secretsmanager:bitbucket:SecretString:username}}",
"AuthType": "BASIC_AUTH"
}
}
}
Create GitHub Enterprise source credentials using AWS Secrets Manager
YAML
Resources:
Properties:
Token: '{{resolve:secretsmanager:github_enterprise:SecretString:token}}'
ServerType: GITHUB_ENTERPRISE

1271
CodeBuild
AuthType: PERSONAL_ACCESS_TOKEN
JSON
{
"Resources": {
"Properties": {
"Token": "{{resolve:secretsmanager:github_enterprise:SecretString:token}}",
"ServerType": "GITHUB_ENTERPRISE",
"AuthType": "PERSONAL_ACCESS_TOKEN"
}
}
}
}
Create GitHub source credentials using AWS Secrets Manager
YAML
Resources:
Properties:
Token: '{{resolve:secretsmanager:github:SecretString:token}}'
ServerType: GITHUB
JSON
{
"Resources": {
"Properties": {
"Token": "{{resolve:secretsmanager:github:SecretString:token}}",
"ServerType": "GITHUB",
}
}
}
}
Create Bitbucket source credentials using NoEcho
YAML
Parameters:
BitbucketToken:
Type: String
NoEcho: true
BitbucketUsername:
Type: String
NoEcho: true
Resources:
Type: AWS::CodeBuild::SourceCredential
Properties:
Token: !Ref BitbucketToken

1272
CodeBuild
Username: !Ref BitbucketUsername

ServerType: BITBUCKET
AuthType: BASIC_AUTH
JSON
{
"Parameters": {
"BitbucketToken": {
"Type": "String",
"NoEcho": true
},
"BitbucketUsername": {
"Type": "String",
"NoEcho": true
}
},
"Resources": {
"Properties": {
"Token": {
"Ref" : "BitbucketToken"
},
"Username": {
"Ref" : "BitbucketUsername"
},
"ServerType": "BITBUCKET",
"AuthType": "BASIC_AUTH"
}
}
}
}
Create GitHub Enterprise source credentials using NoEcho
YAML
Parameters:
GitHubEnterpriseToken:
Type: String
NoEcho: true
Resources:
Properties:
Token: !Ref GitHubEnterpriseToken
ServerType: GITHUB_ENTERPRISE
JSON
{
"Parameters": {
"GitHubEnterpriseToken": {
"Type": "String",
"NoEcho": true
}
},
"Resources": {

1273
CodeCommit
"Properties": {
"Token": {
"Ref" : "GitHubEnterpriseToken"
},
"ServerType": "GITHUB_ENTERPRISE",
}
}
}
}
Create GitHub source credentials using NoEcho
YAML
Parameters:
GitHubToken:
Type: String
NoEcho: true
Resources:
Properties:
Token: !Ref GitHubToken
ServerType: GITHUB
JSON
{
"Parameters": {
"GitHubToken": {
"Type": "String",
"NoEcho": true
}
},
"Resources": {
"Properties": {
"Token": {
"Ref" : "GitHubToken"
},
"ServerType": "GITHUB",
}
}
}
}
CodeCommit Resource Type Reference

Resource Types
• AWS::CodeCommit::Repository (p. 1274)
AWS::CodeCommit::Repository
Creates a new, empty repository.

1274
CodeCommit
Syntax
JSON
{
"Type" : "AWS::CodeCommit::Repository",
"Properties" : {
"Code" : Code (p. 1278),
"RepositoryDescription" : String,
"RepositoryName" : String,
"Tags" : [ Tag, ... ],
"Triggers" : [ RepositoryTrigger (p. 1278), ... ]
}
}
YAML
Type: AWS::CodeCommit::Repository
Properties:
Code:
Code (p. 1278)
RepositoryDescription: String
RepositoryName: String
Tags:
- Tag
Triggers:
- RepositoryTrigger (p. 1278)
Properties
Code
Information about code to be committed to a repository after it is created in an AWS

CloudFormation stack.
Required: No
Type: Code (p. 1278)

RepositoryDescription
A comment or description about the new repository.

Note
The description field for a repository accepts all HTML characters and all valid Unicode
characters. Applications that do not HTML-encode the description and display it in a
webpage can expose users to potentially malicious code. Make sure that you HTML-
encode the description field in any application that uses this API to display the repository
description on a webpage.
Required: No
Type: String
Maximum: 1000

1275
CodeCommit
RepositoryName
The name of the new repository to be created.

Note
The repository name must be unique across the calling AWS account. Repository names are
limited to 100 alphanumeric, dash, and underscore characters, and cannot include certain
characters. For more information about the limits on repository names, see Limits in the
AWS CodeCommit User Guide. The suffix .git is prohibited.
Required: Yes
Type: String
Minimum: 1
Maximum: 100
Pattern: [\w\.-]+

Tags
One or more tag key-value pairs to use when tagging this repository.
Required: No
Type: List of Tag

Triggers
The JSON block of configuration information for each trigger.
Required: No
Type: List of RepositoryTrigger (p. 1278)
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the repository
ID.
Fn::GetAtt
Arn
When you pass the logical ID of this resource, the function returns the Amazon Resource Name (ARN)
of the repository.

1276
CodeCommit
CloneUrlHttp
When you pass the logical ID of this resource, the function returns the URL to use for cloning the
repository over HTTPS.
CloneUrlSsh
When you pass the logical ID of this resource, the function returns the URL to use for cloning the
repository over SSH.
Name
When you pass the logical ID of this resource, the function returns the repository's name.
Examples
Example
The following example creates a CodeCommit repository with a trigger for all events in the Master
branch.
JSON
{
"MyRepo": {
"Type": "AWS: : CodeCommit: : Repository",
"Properties": {
"RepositoryName": "MyRepoName",
"RepositoryDescription": "a description",
"Triggers": [
{
"Name": "MasterTrigger",
"CustomData": "Project ID 12345",
"DestinationArn": {
"Ref": "SNSarn"
},
"Branches": [
"Master"
],
"Events": [
"all"
]
}
]
}
}
}
YAML
MyRepo:
Type: AWS::CodeCommit::Repository
Properties:
RepositoryName: MyRepoName
RepositoryDescription: a description
Triggers:
- Name: MasterTrigger
CustomData: Project ID 12345
DestinationArn:
Ref: SNSarn
Branches:
- Master

1277
CodeCommit
Events:
- all
AWS::CodeCommit::Repository Code
Information about code to be committed.
Syntax
JSON
{
"S3" : S3 (p. 1280)
}
YAML
S3:
S3 (p. 1280)
Properties
S3
Information about the Amazon S3 bucket that contains a ZIP file of code to be committed to the
repository.
Required: Yes
Type: S3 (p. 1280)
AWS::CodeCommit::Repository RepositoryTrigger
Information about a trigger for a repository.
Syntax
JSON
{
"Branches" : [ String, ... ],
"CustomData" : String,
"Events" : [ String, ... ],
"Name" : String
}
YAML
Branches:
- String
CustomData: String

1278
CodeCommit
Events:
- String
Name: String
Properties
Branches
The branches to be included in the trigger configuration. If you specify an empty array, the trigger
applies to all branches.
Note
Although no content is required in the array, you must include the array itself.
Required: No

CustomData
Any custom data associated with the trigger to be included in the information sent to the target of
the trigger.
Required: No
Type: String

DestinationArn
The ARN of the resource that is the target for a trigger (for example, the ARN of a topic in Amazon
SNS).
Required: Yes
Type: String

Events
The repository events that cause the trigger to run actions in another service, such as sending a
notification through Amazon SNS.
Note
The valid value "all" cannot be used with any other values.
Required: Yes

Name
The name of the trigger.
Required: Yes
Type: String

1279
CodeDeploy
AWS::CodeCommit::Repository S3
Information about the Amazon S3 bucket that contains the code that will be committed to the new
repository.
Syntax
JSON
{
"Bucket" : String,
"Key" : String,
"ObjectVersion" : String
}
YAML
Bucket: String
Key: String
ObjectVersion: String
Properties
Bucket
The name of the Amazon S3 bucket that contains the ZIP file with the content that will be
committed to the new repository.
Required: Yes
Type: String

Key
The key to use for accessing the Amazon S3 bucket.
Required: Yes
Type: String

ObjectVersion
The object version of the ZIP file, if versioning is enabled for the Amazon S3 bucket.
Required: No
Type: String
CodeDeploy Resource Type Reference

Resource Types

1280
CodeDeploy
• AWS::CodeDeploy::Application (p. 1281)

• AWS::CodeDeploy::DeploymentConfig (p. 1283)
• AWS::CodeDeploy::DeploymentGroup (p. 1286)
AWS::CodeDeploy::Application
The AWS::CodeDeploy::Application resource creates an AWS CodeDeploy application. In
CodeDeploy, an application is a name that functions as a container to ensure that the correct
combination of revision, deployment configuration, and deployment group are referenced during a
deployment. You can use the AWS::CodeDeploy::DeploymentGroup resource to associate the
application with a CodeDeploy deployment group. For more information, see CodeDeploy Deployments
in the AWS CodeDeploy User Guide.
Syntax
JSON
{
"Type" : "AWS::CodeDeploy::Application",
"Properties" : {
"ApplicationName" : String,
"ComputePlatform" : String
}
}
YAML
Type: AWS::CodeDeploy::Application
Properties:
ApplicationName: String
ComputePlatform: String
Properties
ApplicationName
A name for the application. If you don't specify a name, AWS CloudFormation generates a unique
physical ID and uses that ID for the application name. For more information, see Name Type.
Note
Updates to ApplicationName are not supported.
Required: No
Type: String
Minimum: 1
Maximum: 100

ComputePlatform
The compute platform that CodeDeploy deploys the application to.

1281
CodeDeploy
Required: No
Type: String
Allowed Values: ECS | Lambda | Server
Return Values
Ref
When you pass the logical ID of an AWS::CodeDeploy::Application resource to the intrinsic Ref
function, the function returns the application name, such as myapplication-a123d0d1.
Examples
Specify an application with a Lambda compute platform
The following example specifies a CodeDeploy application with a Lambda compute platform.
JSON
"CodeDeployApplication": {
"Type": "AWS::CodeDeploy::Application",
"Properties": {
"ComputePlatform": "Lambda"
}
}
YAML
CodeDeployApplication:
Properties:
ComputePlatform: Lambda
Specify an application with a Server compute platform
The following example creates a CodeDeploy application with a Server compute platform.
JSON
"CodeDeployApplication": {
"Type": "AWS::CodeDeploy::Application",
"Properties": {
"ComputePlatform": "Server"
}
}
YAML
CodeDeployApplication:
Properties:

1282
CodeDeploy
ComputePlatform: Server
See Also
• For configuring your deployment and specifying your application revisions, see
AWS::CodeDeploy::DeploymentConfig and AWS::CodeDeploy::DeploymentGroup.
AWS::CodeDeploy::DeploymentConfig
The AWS::CodeDeploy::DeploymentConfig resource creates a set of deployment rules, deployment
success conditions, and deployment failure conditions that AWS CodeDeploy uses during a deployment.
The deployment configuration specifies, through the use of a MinimumHealthyHosts value, the
number or percentage of instances that must remain available at any time during a deployment.
Syntax
JSON
{
"Type" : "AWS::CodeDeploy::DeploymentConfig",
"Properties" : {
"DeploymentConfigName" : String,
"MinimumHealthyHosts" : MinimumHealthyHosts (p. 1285)
}
}
YAML
Type: AWS::CodeDeploy::DeploymentConfig
Properties:
DeploymentConfigName: String
MinimumHealthyHosts:
MinimumHealthyHosts (p. 1285)
Properties
DeploymentConfigName
A name for the deployment configuration. If you don't specify a name, AWS CloudFormation
generates a unique physical ID and uses that ID for the deployment configuration name. For more
information, see Name Type.
Important
Required: No
Type: String
Minimum: 1
Maximum: 100

1283
CodeDeploy
MinimumHealthyHosts
The minimum number of healthy instances that should be available at any time during the
deployment. There are two parameters expected in the input: type and value.
The type parameter takes either of the following values:

• HOST_COUNT: The value parameter represents the minimum number of healthy instances as an
absolute value.
• FLEET_PERCENT: The value parameter represents the minimum number of healthy instances as a
percentage of the total number of instances in the deployment. If you specify FLEET_PERCENT, at
the start of the deployment, AWS CodeDeploy converts the percentage to the equivalent number
of instance and rounds up fractional instances.
The value parameter takes an integer.
For example, to set a minimum of 95% healthy instance, specify a type of FLEET_PERCENT and a
value of 95.
For more information about instance health, see CodeDeploy Instance Health in the AWS
CodeDeploy User Guide.
Required: No
Type: MinimumHealthyHosts (p. 1285)
Return Values
Ref
When you pass the logical ID of an AWS::CodeDeploy::DeploymentConfig resource to the intrinsic
Ref function, the function returns the deployment configuration name, such as mydeploymentconfig-
a123d0d1.
Examples
Specifying minimum healthy hosts
The following example requires at least 75% of the fleet to be healthy. For example, if you had a fleet of
four instances, the deployment proceeds one instance at a time.
JSON
"TwentyFivePercentAtATime" : {
"Type" : "AWS::CodeDeploy::DeploymentConfig",
"Properties" : {
"MinimumHealthyHosts" : {
"Type" : "FLEET_PERCENT",
"Value" : 75
}
}
}
YAML
TwentyFivePercentAtATime:

1284
CodeDeploy
Properties:
Type: "FLEET_PERCENT"
Value: 75
AWS::CodeDeploy::DeploymentConfig MinimumHealthyHosts
MinimumHealthyHosts is a property of the DeploymentConfig resource that defines how many
instances must remain healthy during an AWS CodeDeploy deployment.
Syntax
JSON
{
"Type" : String,
"Value" : Integer
}
YAML
Type: String
Value: Integer
Properties
Type
The minimum healthy instance type:

• HOST_COUNT: The minimum number of healthy instance as an absolute value.
• FLEET_PERCENT: The minimum number of healthy instance as a percentage of the total number
of instance in the deployment.
In an example of nine instance, if a HOST_COUNT of six is specified, deploy to up to three instances

at a time. The deployment is successful if six or more instances are deployed to successfully.
Otherwise, the deployment fails. If a FLEET_PERCENT of 40 is specified, deploy to up to five instance
at a time. The deployment is successful if four or more instance are deployed to successfully.
Otherwise, the deployment fails.
Note
In a call to GetDeploymentConfig, CodeDeployDefault.OneAtATime returns a minimum
healthy instance type of MOST_CONCURRENCY and a value of 1. This means a deployment
to only one instance at a time. (You cannot set the type to MOST_CONCURRENCY, only
to HOST_COUNT or FLEET_PERCENT.) In addition, with CodeDeployDefault.OneAtATime,
AWS CodeDeploy attempts to ensure that all instances but one are kept in a healthy state
during the deployment. Although this allows one instance at a time to be taken offline for a
new deployment, it also means that if the deployment to the last instance fails, the overall
deployment is still successful.
For more information, see AWS CodeDeploy Instance Health in the AWS CodeDeploy User Guide.
Required: Yes
Type: String

1285
CodeDeploy
Allowed Values: FLEET_PERCENT | HOST_COUNT

Value
The minimum healthy instance value.
Required: Yes
Type: Integer
AWS::CodeDeploy::DeploymentGroup
The AWS::CodeDeploy::DeploymentGroup resource creates an AWS CodeDeploy deployment group
that specifies which instances your application revisions are deployed to, along with other deployment
options. For more information, see CreateDeploymentGroup in the CodeDeploy API Reference.
Syntax
JSON
{
"Type" : "AWS::CodeDeploy::DeploymentGroup",
"Properties" : {
"AlarmConfiguration" : AlarmConfiguration (p. 1304),
"AutoRollbackConfiguration" : AutoRollbackConfiguration (p. 1305),
"AutoScalingGroups" : [ String, ... ],
"Deployment" : Deployment (p. 1306),
"DeploymentConfigName" : String,
"DeploymentGroupName" : String,
"DeploymentStyle" : DeploymentStyle (p. 1307),
"Ec2TagFilters" : [ EC2TagFilter (p. 1308), ... ],
"Ec2TagSet" : EC2TagSet (p. 1309),
"LoadBalancerInfo" : LoadBalancerInfo (p. 1312),
"OnPremisesInstanceTagFilters" : [ TagFilter (p. 1317), ... ],
"OnPremisesTagSet" : OnPremisesTagSet (p. 1313),
"ServiceRoleArn" : String,
"TriggerConfigurations" : [ TriggerConfig (p. 1319), ... ]
}
}
YAML
Type: AWS::CodeDeploy::DeploymentGroup
Properties:
AlarmConfiguration:
AlarmConfiguration (p. 1304)
AutoRollbackConfiguration:
AutoRollbackConfiguration (p. 1305)
AutoScalingGroups:
- String
Deployment:
Deployment (p. 1306)
DeploymentConfigName: String

1286
CodeDeploy
DeploymentGroupName: String
DeploymentStyle:
DeploymentStyle (p. 1307)
Ec2TagFilters:
- EC2TagFilter (p. 1308)
Ec2TagSet:
EC2TagSet (p. 1309)
LoadBalancerInfo:
LoadBalancerInfo (p. 1312)
OnPremisesInstanceTagFilters:
OnPremisesTagSet:
OnPremisesTagSet (p. 1313)
ServiceRoleArn: String
TriggerConfigurations:
- TriggerConfig (p. 1319)
Properties
AlarmConfiguration
Information about the Amazon CloudWatch alarms that are associated with the deployment group.
Required: No
Type: AlarmConfiguration (p. 1304)

ApplicationName
The name of an existing CodeDeploy application to associate this deployment group with.
Required: Yes
Type: String
Minimum: 1
Maximum: 100

AutoRollbackConfiguration
Information about the automatic rollback configuration that is associated with the deployment
group. If you specify this property, don't specify the Deployment property.
Required: No
Type: AutoRollbackConfiguration (p. 1305)

AutoScalingGroups
A list of associated Auto Scaling groups that CodeDeploy automatically deploys revisions to when
new instances are created. Duplicates are not allowed.
Required: No

1287
CodeDeploy
Deployment
The application revision to deploy to this deployment group. If you specify this property, your target
application revision is deployed as soon as the provisioning process is complete. If you specify this
property, don't specify the AutoRollbackConfiguration property.
Required: No
Type: Deployment (p. 1306)

DeploymentConfigName
A deployment configuration name or a predefined configuration name. With predefined

configurations, you can deploy application revisions to one instance at a time, half of the instances
at a time, or all the instances at once. For more information and valid values, see Working with
Deployment Configurations in the AWS CodeDeploy User Guide.
Required: No
Type: String
Minimum: 1
Maximum: 100

DeploymentGroupName
A name for the deployment group. If you don't specify a name, AWS CloudFormation generates
a unique physical ID and uses that ID for the deployment group name. For more information, see
Name Type.
Important
Required: No
Type: String
Minimum: 1
Maximum: 100

DeploymentStyle
Attributes that determine the type of deployment to run and whether to route deployment traffic
behind a load balancer.
If you specify this property with a blue/green deployment type, don't specify the
AutoScalingGroups, LoadBalancerInfo, or Deployment properties.
Note
For blue/green deployments, AWS CloudFormation supports deployments on Lambda
compute platforms only.
Required: No

1288
CodeDeploy
Type: DeploymentStyle (p. 1307)

Ec2TagFilters
The EC2 tags that are already applied to EC2 instances that you want to include in the deployment
group. CodeDeploy includes all EC2 instances identified by any of the tags you specify in this
deployment group. Duplicates are not allowed.
You can specify EC2TagFilters or Ec2TagSet, but not both.
Required: No
Type: List of EC2TagFilter (p. 1308)

Ec2TagSet
Information about groups of tags applied to EC2 instances. The deployment group includes only EC2
instances identified by all the tag groups. Cannot be used in the same call as ec2TagFilter.
Required: No
Type: EC2TagSet (p. 1309)

LoadBalancerInfo
Information about the load balancer to use in a deployment. For more information, see Integrating
CodeDeploy with Elastic Load Balancing in the AWS CodeDeploy User Guide.
Required: No
Type: LoadBalancerInfo (p. 1312)

OnPremisesInstanceTagFilters
The on-premises instance tags already applied to on-premises instances that you want to include
in the deployment group. CodeDeploy includes all on-premises instances identified by any of the
tags you specify in this deployment group. To register on-premises instances with CodeDeploy, see
Working with On-Premises Instances for CodeDeploy in the AWS CodeDeploy User Guide. Duplicates
are not allowed.
You can specify OnPremisesInstanceTagFilters or OnPremisesInstanceTagSet, but not

both.
Required: No

OnPremisesTagSet
Information about groups of tags applied to on-premises instances. The deployment group includes
only on-premises instances identified by all the tag groups.
You can specify OnPremisesInstanceTagFilters or OnPremisesInstanceTagSet, but not

both.

1289
CodeDeploy
Required: No
Type: OnPremisesTagSet (p. 1313)

ServiceRoleArn
A service role Amazon Resource Name (ARN) that grants CodeDeploy permission to make calls to
AWS services on your behalf. For more information, see Create a Service Role for AWS CodeDeploy in
the AWS CodeDeploy User Guide.
Note
In some cases, you might need to add a dependency on the service role's policy. For more
information, see IAM role policy in DependsOn Attribute.
Required: Yes
Type: String

TriggerConfigurations
Information about triggers associated with the deployment group. Duplicates are not allowed
Required: No
Type: List of TriggerConfig (p. 1319)
Return Values
Ref
When you pass the logical ID of an AWS::CodeDeploy::DeploymentGroup resource to the intrinsic

Ref function, the function returns the deployment group name, such as mydeploymentgroup-
a123d0d1.
Examples
Revision in GitHub
The following example creates a deployment group that is associated with Auto Scaling groups and uses
an application revision that is stored in a GitHub repository. You specify the repository information as
input parameters.
JSON
"DeploymentGroup" : {
"Properties" : {
"ApplicationName" : {"Ref" : "ApplicationName"},
"AutoScalingGroups" : [ {"Ref" : "CodeDeployAutoScalingGroups" } ],
"Deployment" : {
"Description" : "A sample deployment",
"IgnoreApplicationStopFailures" : "true",
"Revision" : {
"RevisionType" : "GitHub",

1290
CodeDeploy
"GitHubLocation" : {
"CommitId" : {"Ref" : "CommitId"},
"Repository" : {"Ref" : "Repository"}
}
}
},
"ServiceRoleArn" : {
"Fn::GetAtt" : [
"RoleArn",
"Arn"
]
}
}
}
YAML
DeploymentGroup:
Properties:
ApplicationName:
Ref: "ApplicationName"
AutoScalingGroups:
- Ref: CodeDeployAutoScalingGroups
Deployment:
Description: "A sample deployment"
IgnoreApplicationStopFailures: true
Revision:
RevisionType: GitHub
GitHubLocation:
CommitId:
Ref: CommitId
Repository:
Ref: Repository
ServiceRoleArn:
Fn::GetAtt: [ RoleArn, Arn ]
Associate EC2 Instances

The following example creates a deployment group that uses instance tags to associate EC2 instances
with the deployment group. The deployment group uses an application revision that is stored in an S3
bucket.
JSON
"DeploymentGroup" : {
"Properties" : {
"ApplicationName" : {"Ref" : "Application"},
"Deployment" : {
"Description" : "First time",
"IgnoreApplicationStopFailures" : "true",
"Revision" : {
"RevisionType" : "S3",
"S3Location" : {
"Bucket" : {"Ref" : "Bucket"},
"Key" : {"Ref" : "Key"},
"BundleType" : "Zip",
"ETag" : {"Ref" : "ETag"},
"Version" : {"Ref" : "Version"}
}
}
},

1291
CodeDeploy
"Ec2TagFilters" : [{
"Key" : {"Ref" : "TagKey"},
"Value" : {"Ref" : "TagValue"},
"Type" : "KEY_AND_VALUE"
}],
"ServiceRoleArn" : {
"Fn::GetAtt" : [
"RoleArn",
"Arn"
]
}
}
}
YAML
DeploymentGroup:
Properties:
ApplicationName:
Ref: "Application"
Deployment:
Description: "First time"
IgnoreApplicationStopFailures: true
Revision:
RevisionType: S3
S3Location:
Bucket:
Ref: Bucket
Key:
Ref: Key
BundleType: Zip
ETag:
Ref: ETag
Version:
Ref: Version
Ec2TagFilters:
-
Key:
Ref: TagKey
Value:
Ref: TagValue
Type: "KEY_AND_VALUE"
ServiceRoleArn:
Fn::GetAtt: [ RoleArn, Arn ]
Deployment Style
The following example creates deployment group with a BLUE_GREEN deployment type.
JSON
"CodeDeployDeploymentGroup": {
"Type": "AWS::CodeDeploy::DeploymentGroup",
"Properties": {
"ApplicationName": {
"Ref": "CodeDeployApplication"
},
"DeploymentConfigName": "CodeDeployDefault.LambdaCanary10Percent5Minutes",
"DeploymentStyle": {
"DeploymentType": "BLUE_GREEN",
"DeploymentOption": "WITH_TRAFFIC_CONTROL"
},

1292
CodeDeploy
"ServiceRoleArn": {
"Fn::GetAtt": [
"CodeDeployServiceRole",
"Arn"
]
}
}
}
YAML
CodeDeployDeploymentGroup:
Type: 'AWS::CodeDeploy::DeploymentGroup'
Properties:
ApplicationName: !Ref CodeDeployApplication
DeploymentConfigName: CodeDeployDefault.LambdaCanary10Percent5Minutes
DeploymentStyle:
DeploymentType: BLUE_GREEN
DeploymentOption: WITH_TRAFFIC_CONTROL
ServiceRoleArn: !GetAtt CodeDeployServiceRole.Arn
Alarm and Trigger
The following example configures a billing alarm and a notification trigger for the deployment group.
JSON
{
"Parameters": {
"EC2TagKey0": {
"Type": "String",
"Default": "ec2TagKey0"
},
"EC2TagValue0": {
"Type": "String",
"Default": "ec2TagValue0"
},
"EC2TagKey1": {
"Type": "String",
},
"EC2TagValue1": {
"Type": "String",
},
"CodeDeployServiceRole": {
"Type": "String"
},
"DeploymentGroupName": {
"Type": "String"
}
},
"Resources": {
"myAlarm": {
"Properties": {
"Period": "21600",

1293
CodeDeploy
"Threshold": 1000,
}
},
"mySNSTopic": {
"Properties": {}
},
"Application": {
"Type": "AWS::CodeDeploy::Application"
},
"DeploymentConfig": {
"Type": "AWS::CodeDeploy::DeploymentConfig",
"Properties": {
"MinimumHealthyHosts": {
"Type": "FLEET_PERCENT",
"Value": "25"
}
}
},
"DeploymentGroup": {
"Properties": {
"AlarmConfiguration": {
"Alarms": [
{
"Name": {
"Ref": "myAlarm"
}
}
]
},
"Ref": "Application"
},
"DeploymentConfigName": {
"Ref": "DeploymentConfig"
},
"Ref": "DeploymentGroupName"
},
"Ec2TagFilters": [
{
"Key": {
"Ref": "EC2TagKey0"
},
"Value": {
"Ref": "EC2TagValue0"
},
"Type": "KEY_AND_VALUE"
},
{
"Key": {
"Ref": "EC2TagKey1"
},
"Type": "KEY_ONLY"
},
{
"Value": {
},
"Type": "VALUE_ONLY"
}
],
"ServiceRoleArn": {
"Fn::GetAtt": [

1294
CodeDeploy
"Arn"
]
},
"TriggerConfigurations": [
{
"TriggerEvents": [
"DeploymentSuccess",
"DeploymentRollback"
],
"TriggerName": "MyTarget",
"TriggerTargetArn": {
"Ref": "mySNSTopic"
}
}
]
}
}
}
}
YAML
Parameters:
EC2TagKey0:
Type: String
Default: ec2TagKey0
EC2TagValue0:
Type: String
Default: ec2TagValue0
EC2TagKey1:
Type: String
Default: ec2TagKey1
EC2TagValue1:
Type: String
CodeDeployServiceRole:
Type: String
DeploymentGroupName:
Type: String
Resources:
myAlarm:
Properties:
Statistic: Maximum
Period: '21600'
Threshold: 1000
mySNSTopic:
Properties: {}
Application:
DeploymentConfig:
Properties:
Type: FLEET_PERCENT
Value: '25'
DeploymentGroup:

1295
CodeDeploy
Properties:
AlarmConfiguration:
Alarms:
- Name: !Ref myAlarm
ApplicationName: !Ref Application
DeploymentConfigName: !Ref DeploymentConfig
DeploymentGroupName: !Ref DeploymentGroupName
Ec2TagFilters:
- Key: !Ref EC2TagKey0
Value: !Ref EC2TagValue0
Type: KEY_AND_VALUE
Type: KEY_ONLY
- Value: !Ref EC2TagValue1
Type: VALUE_ONLY
- TriggerEvents:
- DeploymentSuccess
- DeploymentRollback
TriggerName: MyTarget
TriggerTargetArn: !Ref mySNSTopic
Automatic Rollback Configuration
The following example configures automatic rollback for the deployment group.
YAML
Parameters:
EC2TagKey0:
Type: String
Default: ec2TagKey0
EC2TagValue0:
Type: String
EC2TagKey1:
Type: String
Default: ec2TagKey1
EC2TagValue1:
Type: String
Type: String
Type: String
Resources:
myAlarm:
Properties:
Statistic: Maximum
Period: '21600'
Threshold: 1000
mySNSTopic:
Properties: {}
Application:
DeploymentConfig:

1296
CodeDeploy
Properties:
Type: FLEET_PERCENT
Value: '25'
DeploymentGroup:
Properties:
AlarmConfiguration:
Alarms:
- Name: !Ref myAlarm
AutoRollbackConfiguration:
Enabled: 'true'
Events:
- DEPLOYMENT_FAILURE
Ec2TagFilters:
Type: KEY_AND_VALUE
Type: KEY_ONLY
- Value: !Ref EC2TagValue1
Type: VALUE_ONLY
- TriggerEvents:
- DeploymentSuccess
- DeploymentRollback
JSON
{
"Parameters": {
"EC2TagKey0": {
"Type": "String",
},
"EC2TagValue0": {
"Type": "String",
},
"EC2TagKey1": {
"Type": "String",
},
"EC2TagValue1": {
"Type": "String",
},
"Type": "String"
},
"Type": "String"
}
},
"Resources": {
"myAlarm": {

1297
CodeDeploy
"Properties": {
"Period": "21600",
"Threshold": 1000,
}
},
"mySNSTopic": {
"Properties": {}
},
"Application": {
},
"Properties": {
"Value": "25"
}
}
},
"Properties": {
"AlarmConfiguration": {
"Alarms": [
{
"Name": { "Ref": "myAlarm" }
}
]
},
},
"AutoRollbackConfiguration": {
"Enabled": "true",
"Events": [ "DEPLOYMENT_FAILURE" ]
},
},
},
"Ec2TagFilters": [
{
"Key": {
"Ref": "EC2TagKey0"
},
"Value": {
},
},
{
"Key": {
"Ref": "EC2TagKey1"
},
"Type": "KEY_ONLY"
},
{

1298
CodeDeploy
"Value": {
},
"Type": "VALUE_ONLY"
}
],
"ServiceRoleArn": {
"Fn::GetAtt": [
"Arn"
]
},
{
"TriggerEvents": [ "DeploymentSuccess", "DeploymentRollback" ],
"TriggerTargetArn": { "Ref": "mySNSTopic" }
}
]
}
}
}
}
Load Balancer
The following example configures an Elastic Load Balancing load balancer for the deployment group.
YAML
Parameters:
EC2TagKey0:
Type: String
Default: ec2TagKey0
EC2TagValue0:
Type: String
EC2TagKey1:
Type: String
Default: ec2TagKey1
EC2TagValue1:
Type: String
Type: String
Type: String
VpcCidr:
Type: String
SubnetCidr:
Type: String
Resources:
myVpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref VpcCidr
mySubnet:
Properties:
VpcId: !Ref myVpc
CidrBlock: !Ref SubnetCidr
InternetGateway:
AttachGateway:

1299
CodeDeploy
Properties:
VpcId: !Ref myVpc
myELB:
Properties:
Listeners:
- InstancePort: '8000'
LoadBalancerPort: '80'
Protocol: HTTP
Subnets:
- !Ref mySubnet
mySNSTopic:
Properties: {}
Application:
DeploymentConfig:
Properties:
Type: FLEET_PERCENT
Value: '25'
DeploymentGroup:
Properties:
Ec2TagFilters:
Type: KEY_AND_VALUE
Type: KEY_ONLY
LoadBalancerInfo:
ElbInfoList:
- Name: !Ref myELB
DeploymentStyle:
- TriggerEvents:
- DeploymentSuccess
- DeploymentFailure
Outputs:
ELB:
Description: ELB for DeploymentGroup
Value: !Ref myELB
JSON
{
"Parameters": {
"EC2TagKey0": {
"Type": "String",
},
"EC2TagValue0": {
"Type": "String",

1300
CodeDeploy
},
"EC2TagKey1": {
"Type": "String",
},
"EC2TagValue1": {
"Type": "String",
},
"Type": "String"
},
"Type": "String"
},
"VpcCidr": {
"Type": "String"
},
"SubnetCidr": {
"Type": "String"
}
},
"Resources": {
"myVpc": {
"Properties": {
"CidrBlock": { "Ref": "VpcCidr" }
}
},
"mySubnet" : {
"Properties" : {
"VpcId" : { "Ref" : "myVpc" },
"CidrBlock" : { "Ref": "SubnetCidr" }
}
},
"InternetGateway" : {
"Type" : "AWS::EC2::InternetGateway"
},
"AttachGateway" : {
"Properties" : {
"VpcId" : { "Ref" : "myVpc" },
"InternetGatewayId" : { "Ref" : "InternetGateway" }
}
},
"myELB": {
"Properties": {
"Listeners": [{
"Protocol": "HTTP"
}],
"Subnets": [ { "Ref" : "mySubnet" } ]
}
},
"mySNSTopic": {
"Properties": {}
},
"Application": {
},

1301
CodeDeploy
"Properties": {
"Value": "25"
}
}
},
"Properties": {
},
},
},
"Ec2TagFilters": [
{
"Key": {
"Ref": "EC2TagKey0"
},
"Value": {
},
},
{
"Key": {
"Ref": "EC2TagKey1"
},
"Type": "KEY_ONLY"
}
],
"LoadBalancerInfo": {
"ElbInfoList": [{
"Name": { "Ref" : "myELB" }
}]
},
},
"ServiceRoleArn": {
"Fn::GetAtt": [
"Arn"
]
},
{
"TriggerEvents": [ "DeploymentSuccess", "DeploymentFailure" ],
"TriggerTargetArn": { "Ref": "mySNSTopic" }
}
]
}
}
},
"Outputs": {
"ELB": {
"Description": "ELB for DeploymentGroup",
"Value" : { "Ref" : "myELB" }
}
}

1302
CodeDeploy
Target Group Info
The following example specifies the target group to use in a deployment. Instances are registered as
targets in a target group, and traffic is routed to the target group.
YAML
Resources:
AppDeploymentGroup:
Properties:
ApplicationName: MyApp
DeploymentStyle:
LoadBalancerInfo:
TargetGroupInfoList:
- Name: !GetAtt MyTargetGroup.TargetGroupName
ServiceRoleArn: 'arn:aws:iam::12345678:role/CodeDeployServiceRole'
JSON
{
"Resources": {
"AppDeploymentGroup": {
"Properties": {
"ApplicationName": "MyApp",
},
"LoadBalancerInfo": {
"TargetGroupInfoList": [
{
"Name": { "Fn::GetAtt": ["MyTargetGroup", "TargetGroupName"] }
}
]
},
"ServiceRoleArn": "arn:aws:iam::12345678:role/CodeDeployServiceRole"
}
}
}
}
AWS::CodeDeploy::DeploymentGroup Alarm
The Alarm property type specifies a CloudWatch alarm to use for an AWS CodeDeploy deployment
group. The Alarm property of the CodeDeploy DeploymentGroup AlarmConfiguration property
contains a list of Alarm property types.
Syntax
JSON

1303
CodeDeploy
"Name" : String
}
YAML
Name: String
Properties
Name
The name of the alarm. Maximum length is 255 characters. Each alarm name can be used only once
in a list of alarms.
Required: No
Type: String
AWS::CodeDeploy::DeploymentGroup AlarmConfiguration
The AlarmConfiguration property type configuresCloudWatch alarms for an AWS CodeDeploy
deployment group. AlarmConfiguration is a property of the DeploymentGroup resource.
Syntax
JSON
{
"Alarms" : [ Alarm (p. 1303), ... ],
"IgnorePollAlarmFailure" : Boolean
}
YAML
Alarms:
- Alarm (p. 1303)
Enabled: Boolean
IgnorePollAlarmFailure: Boolean
Properties
Alarms
A list of alarms configured for the deployment group. A maximum of 10 alarms can be added to a
deployment group.
Required: No
Type: List of Alarm (p. 1303)

1304
CodeDeploy
Enabled
Indicates whether the alarm configuration is enabled.
Required: No
Type: Boolean

IgnorePollAlarmFailure
Indicates whether a deployment should continue if information about the current state of alarms
cannot be retrieved from Amazon CloudWatch. The default value is false.
• true: The deployment proceeds even if alarm status information can't be retrieved from Amazon
CloudWatch.
• false: The deployment stops if alarm status information can't be retrieved from Amazon
CloudWatch.
Required: No
Type: Boolean
AWS::CodeDeploy::DeploymentGroup AutoRollbackConfiguration
The AutoRollbackConfiguration property type configures automatic rollback for an AWS
CodeDeploy deployment group when a deployment is not completed successfully. For more information,
see Automatic Rollbacks in the AWS CodeDeploy User Guide.
AutoRollbackConfiguration is a property of the DeploymentGroup resource.
Syntax
JSON
{
"Events" : [ String, ... ]
}
YAML
Enabled: Boolean
Events:
- String
Properties
Enabled
Indicates whether a defined automatic rollback configuration is currently enabled.
Required: No

1305
CodeDeploy
Type: Boolean

Events
The event type or types that trigger a rollback. Valid values are DEPLOYMENT_FAILURE,
DEPLOYMENT_STOP_ON_ALARM, or DEPLOYMENT_STOP_ON_REQUEST.
Required: No
AWS::CodeDeploy::DeploymentGroup Deployment
Deployment is a property of the DeploymentGroup resource that specifies an AWS CodeDeploy
application revision to be deployed to instances in the deployment group. If you specify an application
revision, your target revision is deployed as soon as the provisioning process is complete.
Syntax
JSON
{
"IgnoreApplicationStopFailures" : Boolean,
"Revision" : RevisionLocation (p. 1315)
}
YAML
Description: String
IgnoreApplicationStopFailures: Boolean
Revision:
RevisionLocation (p. 1315)
Properties
Description
A comment about the deployment.
Required: No
Type: String

IgnoreApplicationStopFailures
If true, then if an ApplicationStop, BeforeBlockTraffic, or AfterBlockTraffic

deployment lifecycle event to an instance fails, then the deployment continues to the next
deployment lifecycle event. For example, if ApplicationStop fails, the deployment continues with
DownloadBundle. If BeforeBlockTraffic fails, the deployment continues with BlockTraffic. If
AfterBlockTraffic fails, the deployment continues with ApplicationStop.

1306
CodeDeploy
If false or not specified, then if a lifecycle event fails during a deployment to an instance, that
deployment fails. If deployment to that instance is part of an overall deployment and the number of
healthy hosts is not less than the minimum number of healthy hosts, then a deployment to the next
instance is attempted.
During a deployment, the AWS CodeDeploy agent runs the scripts specified for ApplicationStop,
BeforeBlockTraffic, and AfterBlockTraffic in the AppSpec file from the previous successful
deployment. (All other scripts are run from the AppSpec file in the current deployment.) If one of
these scripts contains an error and does not run successfully, the deployment can fail.
If the cause of the failure is a script from the last successful deployment that will never run
successfully, create a new deployment and use ignoreApplicationStopFailures to specify
that the ApplicationStop, BeforeBlockTraffic, and AfterBlockTraffic failures should be
ignored.
Required: No
Type: Boolean

Revision
Information about the location of stored application artifacts and the service from which to retrieve
them.
Required: Yes
Type: RevisionLocation (p. 1315)
AWS::CodeDeploy::DeploymentGroup DeploymentStyle
Information about the type of deployment, either in-place or blue/green, you want to run and whether
to route deployment traffic behind a load balancer.
Syntax
JSON
{
"DeploymentOption" : String,
"DeploymentType" : String
}
YAML
DeploymentOption: String
DeploymentType: String
Properties
DeploymentOption
Indicates whether to route deployment traffic behind a load balancer.

1307
CodeDeploy
Note
An EC2 Application Load Balancer or Network Load Balancer is required for an Amazon ECS
deployment.
Required: No
Type: String
Allowed Values: WITH_TRAFFIC_CONTROL | WITHOUT_TRAFFIC_CONTROL

DeploymentType
Indicates whether to run an in-place or blue/green deployment.
AWS CloudFormation supports blue/green deployments on AWS Lambda compute platforms only.
For more information about deploying on an AWS Lambda compute platform, see Deployments on
an AWS Lambda Compute Platform in the AWS CodeDeploy User Guide.
Required: No
Type: String
Allowed Values: BLUE_GREEN | IN_PLACE
See Also
• EC2TagFilter in the AWS CodeDeploy API Reference.
AWS::CodeDeploy::DeploymentGroup EC2TagFilter
Information about an EC2 tag filter.
For more information about using tags and tag groups to help manage your Amazon EC2 instances and
on-premises instances, see Tagging Instances for Deployment Groups in AWS CodeDeploy in the AWS
Syntax
JSON
{
"Key" : String,
"Type" : String,
"Value" : String
}
YAML
Key: String
Type: String
Value: String

1308
CodeDeploy
Properties
Key
The tag filter key.
Required: No
Type: String

Type
The tag filter type:

• KEY_ONLY: Key only.
• VALUE_ONLY: Value only.
• KEY_AND_VALUE: Key and value.
Required: No
Type: String
Allowed Values: KEY_AND_VALUE | KEY_ONLY | VALUE_ONLY

Value
The tag filter value.
Required: No
Type: String
AWS::CodeDeploy::DeploymentGroup EC2TagSet
The EC2TagSet property type specifies information about groups of tags applied to EC2 instances. The
deployment group includes only EC2 instances identified by all the tag groups. EC2TagSet cannot be
used in the same template as EC2TagFilter.
For information about using tags and tag groups to help manage your Amazon EC2 instances and on-
premises instances, see Tagging Instances for Deployment Groups in AWS CodeDeploy.
Syntax
JSON
{
"Ec2TagSetList" : [ EC2TagSetListObject (p. 1310), ... ]
}
YAML
Ec2TagSetList:
- EC2TagSetListObject (p. 1310)

1309
CodeDeploy
Properties
Ec2TagSetList
The EC2 tags that are already applied to EC2 instances that you want to include in the deployment
group. CodeDeploy includes all EC2 instances identified by any of the tags you specify in this
deployment group.
Required: No
Type: List of EC2TagSetListObject (p. 1310)
See Also
• EC2TagSet in the AWS CodeDeploy API Reference.
AWS::CodeDeploy::DeploymentGroup EC2TagSetListObject
The EC2TagSet property type specifies information about groups of tags applied to EC2 instances. The
deployment group includes only EC2 instances identified by all the tag groups. Cannot be used in the
same template as EC2TagFilters.
EC2TagSet is a property of the DeploymentGroup resource type.
Syntax
JSON
{
"Ec2TagGroup" : [ EC2TagFilter (p. 1308), ... ]
}
YAML
Ec2TagGroup:
- EC2TagFilter (p. 1308)
Properties
Ec2TagGroup
A list that contains other lists of EC2 instance tag groups. For an instance to be included in the
deployment group, it must be identified by all of the tag groups in the list.
Required: No
Type: List of EC2TagFilter (p. 1308)

1310
CodeDeploy
See Also
• EC2TagSet in the AWS CodeDeploy API Reference.
AWS::CodeDeploy::DeploymentGroup ELBInfo
The ELBInfo property type specifies information about the Elastic Load Balancing load balancer used
for an AWS CodeDelpoy deployment group.
If you specify the ELBInfo property, the DeploymentStyle.DeploymentOption property must be

set to WITH_TRAFFIC_CONTROL for AWS CodeDeploy to route your traffic using the specified load
balancers.
ELBInfo is a property of the AWS CodeDeploy DeploymentGroup LoadBalancerInfo property type.
Syntax
JSON
{
"Name" : String
}
YAML
Name: String
Properties
Name
For blue/green deployments, the name of the load balancer that is used to route traffic from original
instances to replacement instances in a blue/green deployment. For in-place deployments, the name
of the load balancer that instances are deregistered from so they are not serving traffic during a
deployment, and then re-registered with after the deployment is complete.
Note
AWS CloudFormation supports blue/green deployments on AWS Lambda compute
platforms only.
Required: No
Type: String
AWS::CodeDeploy::DeploymentGroup GitHubLocation
GitHubLocation is a property of the CodeDeploy DeploymentGroup Revision property that specifies
the location of an application revision that is stored in GitHub.
Syntax

1311
CodeDeploy
JSON
{
"CommitId" : String,
"Repository" : String
}
YAML
CommitId: String
Repository: String
Properties
CommitId
The SHA1 commit ID of the GitHub commit that represents the bundled artifacts for the application
revision.
Required: Yes
Type: String

Repository
The GitHub account and repository pair that stores a reference to the commit that represents the
bundled artifacts for the application revision.
Specify the value as account/repository.
Required: Yes
Type: String
AWS::CodeDeploy::DeploymentGroup LoadBalancerInfo
The LoadBalancerInfo property type specifies information about the load balancer or target group
used for an AWS CodeDeploy deployment group. For more information, see Integrating CodeDeploy
with Elastic Load Balancing in the AWS CodeDeploy User Guide.
For AWS CloudFormation to use the properties specified in LoadBalancerInfo, the

DeploymentStyle.DeploymentOption property must be set to WITH_TRAFFIC_CONTROL. If
DeploymentStyle.DeploymentOption is not set to WITH_TRAFFIC_CONTROL, AWS CloudFormation
ignores any settings specified in LoadBalancerInfo.
Note
AWS CloudFormation supports blue/green deployments on the AWS Lambda compute platform
only.
LoadBalancerInfo is a property of the DeploymentGroup resource.
Syntax

1312
CodeDeploy
JSON
{
"ElbInfoList" : [ ELBInfo (p. 1311), ... ],
"TargetGroupInfoList" : [ TargetGroupInfo (p. 1318), ... ]
}
YAML
ElbInfoList:
- ELBInfo (p. 1311)
TargetGroupInfoList:
- TargetGroupInfo (p. 1318)
Properties
ElbInfoList
An array that contains information about the load balancer to use for load balancing in a
deployment. In Elastic Load Balancing, load balancers are used with Classic Load Balancers.
Note
Adding more than one load balancer to the array is not supported.
Required: No
Type: List of ELBInfo (p. 1311)

TargetGroupInfoList
An array that contains information about the target group to use for load balancing in a
deployment. In Elastic Load Balancing, target groups are used with Application Load Balancers.
Note
Adding more than one target group to the array is not supported.
Type: List of TargetGroupInfo (p. 1318)
AWS::CodeDeploy::DeploymentGroup OnPremisesTagSet
The OnPremisesTagSet property type specifies a list containing other lists of on-premises instance tag
groups. In order for an instance to be included in the deployment group, it must be identified by all the
tag groups in the list.
OnPremisesTagSet is a property of the DeploymentGroup resource.
Syntax

1313
CodeDeploy
JSON
{
"OnPremisesTagSetList" : [ OnPremisesTagSetListObject (p. 1314), ... ]
}
YAML
OnPremisesTagSetList:
- OnPremisesTagSetListObject (p. 1314)
Properties
OnPremisesTagSetList
A list that contains other lists of on-premises instance tag groups. For an instance to be included in
the deployment group, it must be identified by all of the tag groups in the list.
Required: No
Type: List of OnPremisesTagSetListObject (p. 1314)
AWS::CodeDeploy::DeploymentGroup OnPremisesTagSetListObject
The OnPremisesTagSetListObject property type specifies lists of on-premises instance tag groups.
In order for an instance to be included in the deployment group, it must be identified by all the tag
groups in the list.
OnPremisesTagSetListObject is a property of the CodeDeploy DeploymentGroup

OnPremisesTagSet property type.
Syntax
JSON
{
"OnPremisesTagGroup" : [ TagFilter (p. 1317), ... ]
}
YAML
OnPremisesTagGroup:
Properties
OnPremisesTagGroup
Information about groups of on-premises instance tags.
Required: No

1314
CodeDeploy
AWS::CodeDeploy::DeploymentGroup RevisionLocation
RevisionLocation is a property that defines the location of the CodeDeploy application revision to
deploy.
Syntax
JSON
{
"GitHubLocation" : GitHubLocation (p. 1311),
"RevisionType" : String,
"S3Location" : S3Location (p. 1316)
}
YAML
GitHubLocation:
GitHubLocation (p. 1311)
RevisionType: String
S3Location:
S3Location (p. 1316)
Properties
GitHubLocation
Information about the location of application artifacts stored in GitHub.
Required: No
Type: GitHubLocation (p. 1311)

RevisionType
The type of application revision:

• S3: An application revision stored in Amazon S3.
• GitHub: An application revision stored in GitHub (EC2/On-premises deployments only).
• String: A YAML-formatted or JSON-formatted string (AWS Lambda deployments only).
Required: No
Type: String
Allowed Values: AppSpecContent | GitHub | S3 | String

S3Location
Information about the location of a revision stored in Amazon S3.

1315
CodeDeploy
Required: No
AWS::CodeDeploy::DeploymentGroup S3Location
S3Location is a property of the CodeDeploy DeploymentGroup Revision property that specifies the
location of an application revision that is stored in Amazon Simple Storage Service (S3).
Syntax
JSON
{
"Bucket" : String,
"BundleType" : String,
"ETag" : String,
"Key" : String,
"Version" : String
}
YAML
Bucket: String
BundleType: String
ETag: String
Key: String
Version: String
Properties
Bucket
The name of the Amazon S3 bucket where the application revision is stored.
Required: Yes
Type: String

BundleType
The file type of the application revision. Must be one of the following:
• JSON
• tar: A tar archive file.
• tgz: A compressed tar archive file.
• YAML
• zip: A zip archive file.
Required: No
Type: String

1316
CodeDeploy
Allowed Values: JSON | tar | tgz | YAML | zip

ETag
The ETag of the Amazon S3 object that represents the bundled artifacts for the application revision.
If the ETag is not specified as an input parameter, ETag validation of the object is skipped.
Required: No
Type: String

Key
The name of the Amazon S3 object that represents the bundled artifacts for the application revision.
Required: Yes
Type: String

Version
A specific version of the Amazon S3 object that represents the bundled artifacts for the application
revision.
If the version is not specified, the system uses the most recent version by default.
Required: No
Type: String
AWS::CodeDeploy::DeploymentGroup TagFilter
TagFilter is a property type of the AWS::CodeDeploy::DeploymentGroup resource that specifies which
on-premises instances to associate with the deployment group. To register on-premise instances with
AWS CodeDeploy, see Configure Existing On-Premises Instances by Using AWS CodeDeploy in the AWS
Syntax
JSON
{
"Key" : String,
"Type" : String,
"Value" : String
}

1317
CodeDeploy
YAML
Key: String
Type: String
Value: String
Properties
Key
The on-premises instance tag filter key.
Required: No
Type: String

Type
The on-premises instance tag filter type:

• KEY_ONLY: Key only.
• VALUE_ONLY: Value only.
• KEY_AND_VALUE: Key and value.
Required: No
Type: String
Allowed Values: KEY_AND_VALUE | KEY_ONLY | VALUE_ONLY

Value
The on-premises instance tag filter value.
Required: No
Type: String
AWS::CodeDeploy::DeploymentGroup TargetGroupInfo
The TargetGroupInfo property type specifies information about a target group in Elastic Load
Balancing to use in a deployment. Instances are registered as targets in a target group, and traffic is
routed to the target group. For more information, see TargetGroupInfo in the AWS CodeDeploy API
Reference
If you specify the TargetGroupInfo property, the DeploymentStyle.DeploymentOption property

must be set to WITH_TRAFFIC_CONTROL for CodeDeploy to route your traffic using the specified target
groups.
TargetGroupInfo is a property of the LoadBalancerInfo property type.
Syntax

1318
CodeDeploy
JSON
{
"Name" : String
}
YAML
Name: String
Properties
Name
For blue/green deployments, the name of the target group that instances in the original
environment are deregistered from, and instances in the replacement environment registered with.
For in-place deployments, the name of the target group that instances are deregistered from, so
they are not serving traffic during a deployment, and then re-registered with after the deployment
completes. No duplicates allowed.
Note
AWS CloudFormation supports blue/green deployments on AWS Lambda compute
platforms only.
This value cannot exceed 32 characters, so you should use the Name property of the target group, or
the TargetGroupName attribute with the Fn::GetAtt intrinsic function, as shown in the following
example. Don't use the group's Amazon Resource Name (ARN) or TargetGroupFullName attribute.
Required: No
Type: String
AWS::CodeDeploy::DeploymentGroup TriggerConfig
Information about notification triggers for the deployment group.
Syntax
JSON
{
"TriggerEvents" : [ String, ... ],
"TriggerName" : String,
"TriggerTargetArn" : String
}
YAML
TriggerEvents:
- String
TriggerName: String
TriggerTargetArn: String

1319
CodePipeline
Properties
TriggerEvents
The event type or types that trigger notifications.
Required: No

TriggerName
The name of the notification trigger.
Required: No
Type: String

TriggerTargetArn
The ARN of the Amazon Simple Notification Service topic through which notifications about
deployment or instance events are sent.
Required: No
Type: String
CodePipeline Resource Type Reference

Resource Types
• AWS::CodePipeline::CustomActionType (p. 1320)

• AWS::CodePipeline::Pipeline (p. 1329)
• AWS::CodePipeline::Webhook (p. 1345)
AWS::CodePipeline::CustomActionType
The AWS::CodePipeline::CustomActionType resource creates a custom action for activities that
aren't included in the CodePipeline default actions, such as running an internally developed build process
or a test suite. You can use these custom actions in the stage of a pipeline. For more information, see
Create and Add a Custom Action in AWS CodePipeline in the AWS CodePipeline User Guide.
Syntax
JSON
{
"Type" : "AWS::CodePipeline::CustomActionType",
"Properties" : {
"Category" : String,

1320
CodePipeline
"ConfigurationProperties" : [ ConfigurationProperties (p. 1325), ... ],

"InputArtifactDetails" : ArtifactDetails (p. 1324),
"OutputArtifactDetails" : ArtifactDetails (p. 1324),
"Provider" : String,
"Settings" : Settings (p. 1327),
"Tags" : [ Tag, ... ],
"Version" : String
}
}
YAML
Type: AWS::CodePipeline::CustomActionType
Properties:
Category: String
ConfigurationProperties:
- ConfigurationProperties (p. 1325)
InputArtifactDetails:
ArtifactDetails (p. 1324)
OutputArtifactDetails:
ArtifactDetails (p. 1324)
Provider: String
Settings:
Settings (p. 1327)
Tags:
- Tag
Version: String
Properties
Category
The category of the custom action, such as a build action or a test action.
Note
Although Source and Approval are listed as valid values, they are not currently
functional. These values are reserved for future use.
Required: Yes
Type: String
Allowed Values: Approval | Build | Deploy | Invoke | Source | Test

ConfigurationProperties
The configuration properties for the custom action.

Note
You can refer to a name in the configuration properties of the custom action within the URL
templates by following the format of {Config:name}, as long as the configuration property
is both required and not secret. For more information, see Create a Custom Action for a
Pipeline.
Required: No
Type: List (p. 1325) of ConfigurationProperties (p. 1325)
Maximum: 10

1321
CodePipeline
InputArtifactDetails
The details of the input artifact for the action, such as its commit ID.
Required: Yes
Type: ArtifactDetails (p. 1324)

OutputArtifactDetails
The details of the output artifact of the action, such as its commit ID.
Required: Yes
Type: ArtifactDetails (p. 1324)

Provider
The provider of the service used in the custom action, such as AWS CodeDeploy.
Required: Yes
Type: String
Minimum: 1
Maximum: 25
Pattern: [0-9A-Za-z_-]+

Settings
URLs that provide users information about this custom action.
Required: No
Type: Settings (p. 1327)

Tags
The tags for the custom action.
Required: No
Type: List of Tag

Version
The version identifier of the custom action.
Required: Yes
Type: String
Minimum: 1

1322
CodePipeline
Maximum: 9
Pattern: [0-9A-Za-z_-]+
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the custom action
name, such as custo-MyCus-A1BCDEFGHIJ2.
Examples
Custom Action Type Resource Configuration
The following example is a custom build action that requires users to specify one property: a project
name.
JSON
"MyCustomActionType": {
"Type": "AWS::CodePipeline::CustomActionType",
"Properties": {
"Category": "Build",
"Provider": "My-Build-Provider-Name",
"Version": { "Ref" : "Version" },
"ConfigurationProperties": [
{
"Description": "The name of the build project must be provided when this action is
added to the pipeline.",
"Key": "true",
"Name": "MyProjectName",
"Queryable": "false",
"Required": "true",
"Secret": "false",
"Type": "String"
}
],
"InputArtifactDetails": {
"MaximumCount": "1",
"MinimumCount": "1"
},
"OutputArtifactDetails": {
"MaximumCount": { "Ref" : "MaximumCountForOutputArtifactDetails" },
"MinimumCount": "0"
},
"Settings": {
"EntityUrlTemplate": "https://my-build-instance/job/{Config:ProjectName}/",
"ExecutionUrlTemplate": "https://my-build-instance/job/{Config:ProjectName}/
lastSuccessfulBuild/{ExternalExecutionId}/"
},
"Tags": [
{
"Key": "Project",
"Value": "ProjectA"
},
{
"Key": "Team",

1323
CodePipeline
"Value": "Admins"
}
]
}
}
YAML
MyCustomActionType:
Type: AWS::CodePipeline::CustomActionType
Properties:
Category: Build
Provider: "My-Build-Provider-Name"
Version:
Ref: Version
-
Description: "The name of the build project must be provided when this action is
added to the pipeline."
Key: true
Name: MyProjectName
Queryable: false
Required: true
Secret: false
Type: String
InputArtifactDetails:
MaximumCount: 1
MinimumCount: 1
OutputArtifactDetails:
MaximumCount:
Ref: MaximumCountForOutputArtifactDetails
MinimumCount: 0
Settings:
EntityUrlTemplate: "https://my-build-instance/job/{Config:ProjectName}/"
ExecutionUrlTemplate: "https://my-build-instance/job/{Config:ProjectName}/
lastSuccessfulBuild/{ExternalExecutionId}/"
Tags:
- Key: Project
Value: ProjectA
- Key: Team
Value: Admins
AWS::CodePipeline::CustomActionType ArtifactDetails
Returns information about the details of an artifact.
Syntax
JSON
{
"MaximumCount" : Integer,
"MinimumCount" : Integer
}
YAML
MaximumCount: Integer
MinimumCount: Integer

1324
CodePipeline
Properties
MaximumCount
The maximum number of artifacts allowed for the action type.
Required: Yes
Type: Integer
Minimum: 0
Maximum: 5

MinimumCount
The minimum number of artifacts allowed for the action type.
Required: Yes
Type: Integer
Minimum: 0
Maximum: 5
AWS::CodePipeline::CustomActionType ConfigurationProperties
The configuration properties for the custom action.
Note
You can refer to a name in the configuration properties of the custom action within the URL
templates by following the format of {Config:name}, as long as the configuration property is
both required and not secret. For more information, see Create a Custom Action for a Pipeline.
Syntax
JSON
{
"Key" : Boolean,
"Name" : String,
"Queryable" : Boolean,
"Required" : Boolean,
"Secret" : Boolean,
"Type" : String
}
YAML
Description: String
Key: Boolean

1325
CodePipeline
Name: String
Queryable: Boolean
Required: Boolean
Secret: Boolean
Type: String
Properties
Description
The description of the action configuration property that is displayed to users.
Required: No
Type: String
Minimum: 1
Maximum: 160

Key
Whether the configuration property is a key.
Required: Yes
Type: Boolean

Name
The name of the action configuration property.
Required: Yes
Type: String
Minimum: 1
Maximum: 50

Queryable
Indicates that the property is used with PollForJobs. When creating a custom action, an action
can have up to one queryable property. If it has one, that property must be both required and not
secret.
If you create a pipeline with a custom action type, and that custom action contains a queryable
property, the value for that configuration property is subject to other restrictions. The value must
be less than or equal to twenty (20) characters. The value can contain only alphanumeric characters,
underscores, and hyphens.
Required: No
Type: Boolean

1326
CodePipeline
Required
Whether the configuration property is a required value.
Required: Yes
Type: Boolean

Secret
Whether the configuration property is secret. Secrets are hidden from all calls except for
GetJobDetails, GetThirdPartyJobDetails, PollForJobs, and PollForThirdPartyJobs.
When updating a pipeline, passing * * * * * without changing any other values of the action preserves
the previous value of the secret.
Required: Yes
Type: Boolean

Type
The type of the configuration property.
Required: No
Type: String
Allowed Values: Boolean | Number | String
AWS::CodePipeline::CustomActionType Settings
Settings is a property of the AWS::CodePipeline::CustomActionType resource that provides
URLs that users can access to view information about the CodePipeline custom action.
Syntax
JSON
{
"EntityUrlTemplate" : String,
"ExecutionUrlTemplate" : String,
"RevisionUrlTemplate" : String,
"ThirdPartyConfigurationUrl" : String
}
YAML
EntityUrlTemplate: String
ExecutionUrlTemplate: String
RevisionUrlTemplate: String
ThirdPartyConfigurationUrl: String

1327
CodePipeline
Properties
EntityUrlTemplate
The URL returned to the AWS CodePipeline console that provides a deep link to the resources of the
external system, such as the configuration page for an AWS CodeDeploy deployment group. This link
is provided as part of the action display in the pipeline.
Required: No
Type: String
Minimum: 1
Maximum: 2048

ExecutionUrlTemplate
The URL returned to the AWS CodePipeline console that contains a link to the top-level landing page
for the external system, such as the console page for AWS CodeDeploy. This link is shown on the
pipeline view page in the AWS CodePipeline console and provides a link to the execution entity of
the external action.
Required: No
Type: String
Minimum: 1
Maximum: 2048

RevisionUrlTemplate
The URL returned to the AWS CodePipeline console that contains a link to the page where customers
can update or change the configuration of the external action.
Required: No
Type: String
Minimum: 1
Maximum: 2048

ThirdPartyConfigurationUrl
The URL of a sign-up page where users can sign up for an external service and perform initial
configuration of the action provided by that service.
Required: No
Type: String
Minimum: 1
Maximum: 2048

1328
CodePipeline
AWS::CodePipeline::Pipeline
The AWS::CodePipeline::Pipeline resource creates a CodePipeline pipeline that describes how
software changes go through a release process. For more information, see What Is CodePipeline? in the
AWS CodePipeline User Guide.
Syntax
JSON
{
"Type" : "AWS::CodePipeline::Pipeline",
"Properties" : {
"ArtifactStore" : ArtifactStore (p. 1338),
"ArtifactStores" : [ ArtifactStoreMap (p. 1339), ... ],
"DisableInboundStageTransitions" : [ StageTransition (p. 1344), ... ],
"Name" : String,
"RestartExecutionOnUpdate" : Boolean,
"RoleArn" : String,
"Stages" : [ StageDeclaration (p. 1343), ... ],
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::CodePipeline::Pipeline
Properties:
ArtifactStore:
ArtifactStore (p. 1338)
ArtifactStores:
- ArtifactStoreMap (p. 1339)
DisableInboundStageTransitions:
- StageTransition (p. 1344)
Name: String
RestartExecutionOnUpdate: Boolean
RoleArn: String
Stages:
- StageDeclaration (p. 1343)
Tags:
- Tag
Properties
ArtifactStore
The Amazon S3 bucket where artifacts for the pipeline are stored.
Note
You must include either artifactStore or artifactStores in your pipeline, but
you cannot use both. If you create a cross-region action in your pipeline, you must use
artifactStores.
Type: ArtifactStore (p. 1338)

1329
CodePipeline
ArtifactStores
A mapping of artifactStore objects and their corresponding AWS Regions. There must be an
artifact store for the pipeline Region and for each cross-region action in the pipeline.
Note
artifactStores.
Type: List of ArtifactStoreMap (p. 1339)

DisableInboundStageTransitions
Represents the input of a DisableStageTransition action.
Required: No
Type: List of StageTransition (p. 1344)

Name
The name of the pipeline.
Required: No
Type: String
Minimum: 1
Maximum: 100
Pattern: [A-Za-z0-9.@\-_]+

RestartExecutionOnUpdate
Indicates whether to rerun the CodePipeline pipeline after you update it.
Required: No
Type: Boolean

RoleArn
The Amazon Resource Name (ARN) for AWS CodePipeline to use to either perform actions with no
actionRoleArn, or to use to assume roles for actions with an actionRoleArn.
Required: Yes
Type: String
Maximum: 1024
Pattern: arn:aws(-[\w]+)*:iam::[0-9]{12}:role/.*

1330
CodePipeline

Stages
Represents information about a stage and its definition.
Required: Yes
Type: List of StageDeclaration (p. 1343)

Tags
Specifies the tags applied to the pipeline.
Required: No
Type: List of Tag
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the pipeline
name, such as mysta-MyPipeline-A1BCDEFGHIJ2.
Fn::GetAtt
Version
The version of the pipeline.

Note
A new pipeline is always assigned a version number of 1. This number increments when a
pipeline is updated.
Examples
Pipeline Resource Configuration
The following example creates a pipeline with a source, beta, and release stage. For the source stage,
CodePipeline detects changes to the application that is stored in the S3 bucket and pulls them into the
pipeline. The beta stage deploys those changes to EC2 instances by using CodeDeploy. For the release
stage, inbound transitions are disabled, which enables you to control when the changes are ready to be
deployed to release.
JSON
"AppPipeline": {

1331
CodePipeline
"Type": "AWS::CodePipeline::Pipeline",
"Properties": {
"RoleArn": { "Ref" : "CodePipelineServiceRole" },
"Stages": [
{
"Name": "Source",
"Actions": [
{
"Name": "SourceAction",
"ActionTypeId": {
"Category": "Source",
"Owner": "AWS",
"Version": "1",
"Provider": "S3"
},
"OutputArtifacts": [
{ "Name": "SourceOutput"
}
],
"Configuration": {
"S3Bucket": { "Ref" : "SourceS3Bucket" },
"S3ObjectKey": { "Ref" : "SourceS3ObjectKey" }
},
"RunOrder": 1
}
]
},
{
"Name": "Beta",
"Actions": [
{
"Name": "BetaAction",
"InputArtifacts": [
{
"Name": "SourceOutput"
}
],
"ActionTypeId": {
"Category": "Deploy",
"Owner": "AWS",
"Version": "1",
"Provider": "CodeDeploy"
},
"Configuration": {
"ApplicationName": {"Ref" : "ApplicationName"},
"DeploymentGroupName": {"Ref" : "DeploymentGroupName"}
},
"RunOrder": 1
}
]
},
{
"Name": "Release",
"Actions": [
{
"Name": "ReleaseAction",
"InputArtifacts": [
{
"Name": "SourceOutput"
}
],
"ActionTypeId": {
"Category": "Deploy",
"Owner": "AWS",
"Version": "1",
"Provider": "CodeDeploy"

1332
CodePipeline
},
"Configuration": {
"ApplicationName": {"Ref" : "ApplicationName"},
"DeploymentGroupName": {"Ref" : "DeploymentGroupName"}
},
"RunOrder": 1
}
]
}
],
"ArtifactStore": {
"Type": "S3",
"Location": { "Ref" : "ArtifactStoreS3Location" },
"EncryptionKey": {
"Id": "arn:aws:kms:useast-1:ACCOUNT-ID:key/KEY-ID",
"Type": "KMS"
},
"DisableInboundStageTransitions": [
{
"StageName": "Release",
"Reason": "Disabling the transition until integration tests are completed"
}
],
"Tags": [
{
"Key": "Project",
"Value": "ProjectA"
},
{
"Key": "IsContainerBased",
"Value": "true"
}
]
}
}
YAML
AppPipeline:
Type: AWS::CodePipeline::Pipeline
Properties:
RoleArn:
Ref: CodePipelineServiceRole
Stages:
-
Name: Source
Actions:
-
Name: SourceAction
ActionTypeId:
Category: Source
Owner: AWS
Version: 1
Provider: S3
OutputArtifacts:
-
Name: SourceOutput
Configuration:
S3Bucket:
Ref: SourceS3Bucket
S3ObjectKey:
Ref: SourceS3ObjectKey
RunOrder: 1
-

1333
CodePipeline
Name: Beta
Actions:
-
Name: BetaAction
InputArtifacts:
-
Name: SourceOutput
ActionTypeId:
Category: Deploy
Owner: AWS
Version: 1
Provider: CodeDeploy
Configuration:
ApplicationName:
Ref: ApplicationName
Ref: DeploymentGroupName
RunOrder: 1
-
Name: Release
Actions:
-
Name: ReleaseAction
InputArtifacts:
-
Name: SourceOutput
ActionTypeId:
Category: Deploy
Owner: AWS
Version: 1
Provider: CodeDeploy
Configuration:
ApplicationName:
Ref: ApplicationName
Ref: DeploymentGroupName
RunOrder: 1
ArtifactStore:
Type: S3
Location:
Ref: ArtifactStoreS3Location
EncryptionKey:
Id: arn:aws:kms:useast-1:ACCOUNT-ID:key/KEY-ID
Type: KMS
DisableInboundStageTransitions:
-
StageName: Release
Reason: "Disabling the transition until integration tests are completed"
Tags:
- Key: Project
Value: ProjectA
- Key: IsContainerBased
Value: 'true'
AWS::CodePipeline::Pipeline ActionDeclaration
Represents information about an action declaration.
Syntax

1334
CodePipeline
JSON
{
"ActionTypeId" : ActionTypeId (p. 1337),
"Configuration" : Json,
"InputArtifacts" : [ InputArtifact (p. 1342), ... ],
"Name" : String,
"OutputArtifacts" : [ OutputArtifact (p. 1343), ... ],
"Region" : String,
"RoleArn" : String,
"RunOrder" : Integer
}
YAML
ActionTypeId:
ActionTypeId (p. 1337)
Configuration: Json
InputArtifacts:
- InputArtifact (p. 1342)
Name: String
Namespace: String
OutputArtifacts:
- OutputArtifact (p. 1343)
Region: String
RoleArn: String
RunOrder: Integer
Properties
ActionTypeId
Specifies the action type and the provider of the action.
Required: Yes
Type: ActionTypeId (p. 1337)

Configuration
The action's configuration. These are key-value pairs that specify input values for an action. For
more information, see Action Structure Requirements in CodePipeline. For the list of configuration
properties for the AWS CloudFormation action type in CodePipeline, see Configuration Properties
Reference in the AWS CloudFormation User Guide. For template snippets with examples, see Using
Parameter Override Functions with CodePipeline Pipelines in the AWS CloudFormation User Guide.
The values can be represented in either JSON or YAML format. For example, the JSON configuration
item format is as follows:
JSON:
"Configuration" : { Key : Value },
Required: No
Type: Json

1335
CodePipeline
InputArtifacts
The name or ID of the artifact consumed by the action, such as a test or build artifact.
Required: No
Type: List of InputArtifact (p. 1342)

Name
The action declaration's name.
Required: Yes
Type: String
Minimum: 1
Maximum: 100

Namespace
The variable namespace associated with the action. All variables produced as output by this action
fall under this namespace.
Required: No
Type: String
Minimum: 1
Maximum: 100
Pattern: [A-Za-z0-9@\-_]+

OutputArtifacts
The name or ID of the result of the action declaration, such as a test or build artifact.
Required: No
Type: List of OutputArtifact (p. 1343)

Region
The action declaration's AWS Region, such as us-east-1.
Required: No
Type: String
Minimum: 4
Maximum: 30

1336
CodePipeline

RoleArn
The ARN of the IAM service role that performs the declared action. This is assumed through the
roleArn for the pipeline.
Required: No
Type: String
Maximum: 1024
Pattern: arn:aws(-[\w]+)*:iam::[0-9]{12}:role/.*

RunOrder
The order in which actions are run.
Required: No
Type: Integer
Minimum: 1
Maximum: 999
AWS::CodePipeline::Pipeline ActionTypeId
Represents information about an action type.
Syntax
JSON
{
"Category" : String,
"Owner" : String,
"Provider" : String,
"Version" : String
}
YAML
Category: String
Owner: String
Provider: String
Version: String
Properties
Category
A category defines what kind of action can be taken in the stage, and constrains the provider type
for the action. Valid categories are limited to one of the values below.

1337
CodePipeline
• Source
• Build
• Test
• Deploy
• Invoke
• Approval
Required: Yes
Type: String

Owner
The creator of the action being called.
Required: Yes
Type: String

Provider
The provider of the service being called by the action. Valid providers are determined by the
action category. For example, an action in the Deploy category type might have a provider of AWS
CodeDeploy, which would be specified as CodeDeploy. For more information, see Valid Action Types
and Providers in CodePipeline.
Required: Yes
Type: String

Version
A string that describes the action version.
Required: Yes
Type: String
AWS::CodePipeline::Pipeline ArtifactStore
The Amazon S3 bucket where artifacts for the pipeline are stored.
Note
You must include either artifactStore or artifactStores in your pipeline, but you cannot
use both. If you create a cross-region action in your pipeline, you must use artifactStores.
Syntax
JSON

1338
CodePipeline
"EncryptionKey" : EncryptionKey (p. 1341),

"Type" : String
}
YAML
EncryptionKey:
EncryptionKey (p. 1341)
Location: String
Type: String
Properties
EncryptionKey
The encryption key used to encrypt the data in the artifact store, such as an AWS Key Management
Service (AWS KMS) key. If this is undefined, the default key for Amazon S3 is used. To see an example
artifact store encryption key field, see the example structure here: AWS::CodePipeline::Pipeline.
Required: No
Type: EncryptionKey (p. 1341)

Location
The Amazon S3 bucket used for storing the artifacts for a pipeline. You can specify the name of an
S3 bucket but not a folder in the bucket. A folder to contain the pipeline artifacts is created for you
based on the name of the pipeline. You can use any Amazon S3 bucket in the same AWS Region as
the pipeline to store your pipeline artifacts.
Required: Yes
Type: String
Minimum: 3
Maximum: 63
Pattern: [a-zA-Z0-9\-\.]+

Type
The type of the artifact store, such as S3.
Required: Yes
Type: String
Allowed Values: S3
AWS::CodePipeline::Pipeline ArtifactStoreMap
A mapping of artifactStore objects and their corresponding AWS Regions. There must be an artifact
store for the pipeline Region and for each cross-region action in the pipeline.

1339
CodePipeline
Note
You must include either artifactStore or artifactStores in your pipeline, but you cannot
use both. If you create a cross-region action in your pipeline, you must use artifactStores.
Syntax
JSON
{
"ArtifactStore" : ArtifactStore (p. 1338),
"Region" : String
}
YAML
ArtifactStore:
ArtifactStore (p. 1338)
Region: String
Properties
ArtifactStore
Represents information about the Amazon S3 bucket where artifacts are stored for the pipeline.
Note
artifactStores.
Type: ArtifactStore (p. 1338)

Region
The action declaration's AWS Region, such as us-east-1.
Required: Yes
Type: String
Minimum: 4
Maximum: 30
AWS::CodePipeline::Pipeline BlockerDeclaration
Reserved for future use.
Syntax

1340
CodePipeline
JSON
{
"Name" : String,
"Type" : String
}
YAML
Name: String
Type: String
Properties
Name
Required: Yes
Type: String
Minimum: 1
Maximum: 100

Type
Required: Yes
Type: String
Allowed Values: Schedule
AWS::CodePipeline::Pipeline EncryptionKey
Represents information about the key used to encrypt data in the artifact store, such as an AWS Key
Management Service (AWS KMS) key.
Syntax
JSON
{
"Id" : String,
"Type" : String
}
YAML
Id: String

1341
CodePipeline
Type: String
Properties
Id
The ID used to identify the key. For an AWS KMS key, you can use the key ID, the key ARN, or the
alias ARN.
Note
Aliases are recognized only in the account that created the customer master key (CMK). For
cross-account actions, you can only use the key ID or key ARN to identify the key.
Required: Yes
Type: String

Type
The type of encryption key, such as an AWS Key Management Service (AWS KMS) key. When creating
or updating a pipeline, the value must be set to 'KMS'.
Required: Yes
Type: String
AWS::CodePipeline::Pipeline InputArtifact
Represents information about an artifact to be worked on, such as a test or build artifact.
Syntax
JSON
{
"Name" : String
}
YAML
Name: String
Properties
Name
The name of the artifact to be worked on (for example, "My App").
The input artifact of an action must exactly match the output artifact declared in a preceding action,
but the input artifact does not have to be the next action in strict sequence from the action that
provided the output artifact. Actions in parallel can declare different output artifacts, which are in
turn consumed by different following actions.

1342
CodePipeline
Required: Yes
Type: String
Minimum: 1
Maximum: 100
Pattern: [a-zA-Z0-9_\-]+
AWS::CodePipeline::Pipeline OutputArtifact
Represents information about the output of an action.
Syntax
JSON
{
"Name" : String
}
YAML
Name: String
Properties
Name
The name of the output of an artifact, such as "My App".
The input artifact of an action must exactly match the output artifact declared in a preceding action,
but the input artifact does not have to be the next action in strict sequence from the action that
provided the output artifact. Actions in parallel can declare different output artifacts, which are in
turn consumed by different following actions.
Output artifact names must be unique within a pipeline.
Required: Yes
Type: String
Minimum: 1
Maximum: 100
Pattern: [a-zA-Z0-9_\-]+
AWS::CodePipeline::Pipeline StageDeclaration
Represents information about a stage and its definition.

1343
CodePipeline
Syntax
JSON
{
"Actions" : [ ActionDeclaration (p. 1334), ... ],
"Blockers" : [ BlockerDeclaration (p. 1340), ... ],
"Name" : String
}
YAML
Actions:
- ActionDeclaration (p. 1334)
Blockers:
- BlockerDeclaration (p. 1340)
Name: String
Properties
Actions
The actions included in a stage.
Required: Yes
Type: List of ActionDeclaration (p. 1334)

Blockers
Required: No
Type: List of BlockerDeclaration (p. 1340)

Name
The name of the stage.
Required: Yes
Type: String
Minimum: 1
Maximum: 100
AWS::CodePipeline::Pipeline StageTransition
The name of the pipeline in which you want to disable the flow of artifacts from one stage to another.

1344
CodePipeline
Syntax
JSON
{
"Reason" : String,
}
YAML
Reason: String
StageName: String
Properties
Reason
The reason given to the user that a stage is disabled, such as waiting for manual approval or manual
tests. This message is displayed in the pipeline console UI.
Required: Yes
Type: String
Minimum: 1
Maximum: 300
Pattern: [a-zA-Z0-9!@ \.\*\?\-]+

StageName
The name of the stage where you want to disable the inbound or outbound transition of artifacts.
Required: Yes
Type: String
Minimum: 1
Maximum: 100
AWS::CodePipeline::Webhook
The AWS::CodePipeline::Webhook resource creates and registers your webhook. After the webhook
is created and registered, it triggers your pipeline to start every time an external event occurs. For more
information, see Configure Your GitHub Pipelines to Use Webhooks for Change Detection in the AWS
CodePipeline User Guide.

1345
CodePipeline
We strongly recommend that you use AWS Secrets Manager to store your credentials. If you use Secrets
Manager, you must have secrets in your secrets manager. For more information, see Using Dynamic
References to Specify Template Values.
Important
When passing secret parameters, do not enter the value directly into the template. The value
is rendered as plain text and is readable. For security purposes, do not use plain text in your
CloudFormation template to store your credentials.
Syntax
JSON
{
"Type" : "AWS::CodePipeline::Webhook",
"Properties" : {
"Authentication" : String,
"AuthenticationConfiguration" : WebhookAuthConfiguration (p. 1349),
"Filters" : [ WebhookFilterRule (p. 1350), ... ],
"Name" : String,
"RegisterWithThirdParty" : Boolean,
"TargetAction" : String,
"TargetPipeline" : String,
"TargetPipelineVersion" : Integer
}
}
YAML
Type: AWS::CodePipeline::Webhook
Properties:
Authentication: String
WebhookAuthConfiguration (p. 1349)
Filters:
- WebhookFilterRule (p. 1350)
Name: String
RegisterWithThirdParty: Boolean
TargetAction: String
TargetPipeline: String
TargetPipelineVersion: Integer
Properties
Authentication
Supported options are GITHUB_HMAC, IP, and UNAUTHENTICATED.

• For information about the authentication scheme implemented by GITHUB_HMAC, see Securing
your webhooks on the GitHub Developer website.
• IP rejects webhooks trigger requests unless they originate from an IP address in the IP range
whitelisted in the authentication configuration.
• UNAUTHENTICATED accepts all webhook trigger requests regardless of origin.
Required: Yes
Type: String
Allowed Values: GITHUB_HMAC | IP | UNAUTHENTICATED

1346
CodePipeline

AuthenticationConfiguration
Properties that configure the authentication applied to incoming webhook trigger requests. The
required properties depend on the authentication type. For GITHUB_HMAC, only the SecretToken
property must be set. For IP, only the AllowedIPRange property must be set to a valid CIDR range.
For UNAUTHENTICATED, no properties can be set.
Required: Yes
Type: WebhookAuthConfiguration (p. 1349)

Filters
A list of rules applied to the body/payload sent in the POST request to a webhook URL. All defined
rules must pass for the request to be accepted and the pipeline started.
Required: Yes
Type: List of WebhookFilterRule (p. 1350)
Maximum: 5

Name
The name of the webhook.
Required: No
Type: String
Minimum: 1
Maximum: 100

RegisterWithThirdParty
Configures a connection between the webhook that was created and the external tool with events to
be detected.
Required: No
Type: Boolean

TargetAction
The name of the action in a pipeline you want to connect to the webhook. The action must be from
the source (first) stage of the pipeline.
Required: Yes
Type: String

1347
CodePipeline
Minimum: 1
Maximum: 100

TargetPipeline
The name of the pipeline you want to connect to the webhook.
Required: Yes
Type: String
Minimum: 1
Maximum: 100

TargetPipelineVersion
The version number of the pipeline to be connected to the trigger request.
Required: Yes
Type: Integer
Required: Yes
Type: Integer
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the webhook
name, such as MyFirstPipeline-SourceAction1-Webhook-utb9LrOl24Kk.
Fn::GetAtt
Url
The webhook URL generated by AWS CodePipeline, such as https://eu-central-1.webhooks.aws/

trigger123456.

1348
CodePipeline
Examples
Webhook Resource Configuration
The following example creates a webhook named MyWebhook and registers the webhook for the
pipeline's GitHub source repository. In this example, WebhookPipeline is the logical ID of the pipeline to
which you want to add the webhook.
JSON
{
"Webhook": {
"Type": "AWS::CodePipeline::Webhook",
"Properties": {
"SecretToken": "secret"
},
"Filters": [
{
"JsonPath": "$.ref",
"MatchEquals": "refs/heads/{Branch}"
}
],
"Authentication": "GITHUB_HMAC",
"TargetPipeline": { "Ref" : "WebhookPipeline" },
"TargetAction": "Source",
"Name": "MyWebhook",
"TargetPipelineVersion": { "Fn::GetAtt" : [ "WebhookPipeline", "Version" ] },
"RegisterWithThirdParty": "true"
}
}
}
YAML
Webhook:
Type: 'AWS::CodePipeline::Webhook'
Properties:
SecretToken: secret
Filters:
- JsonPath: "$.ref"
MatchEquals: refs/heads/{Branch}
Authentication: GITHUB_HMAC
TargetPipeline: !Ref WebhookPipeline
TargetAction: Source
Name: MyWebhook
TargetPipelineVersion: !GetAtt WebhookPipeline.Version
RegisterWithThirdParty: 'true'
AWS::CodePipeline::Webhook WebhookAuthConfiguration
The authentication applied to incoming webhook trigger requests.
Syntax
JSON

1349
CodePipeline
"AllowedIPRange" : String,
"SecretToken" : String
}
YAML
AllowedIPRange: String
SecretToken: String
Properties
AllowedIPRange
The property used to configure acceptance of webhooks in an IP address range. For IP, only the
AllowedIPRange property must be set. This property must be set to a valid CIDR range.
Required: No
Type: String
Minimum: 1
Maximum: 100

SecretToken
The property used to configure GitHub authentication. For GITHUB_HMAC, only the SecretToken
property must be set.
Required: No
Type: String
Minimum: 1
Maximum: 100
AWS::CodePipeline::Webhook WebhookFilterRule
The event criteria that specify when a webhook notification is sent to your URL.
Syntax
JSON
{
"JsonPath" : String,
"MatchEquals" : String
}
YAML
JsonPath: String

1350
CodeStar
MatchEquals: String
Properties
JsonPath
A JsonPath expression that is applied to the body/payload of the webhook. The value selected by
the JsonPath expression must match the value specified in the MatchEquals field. Otherwise, the
request is ignored. For more information, see Java JsonPath implementation in GitHub.
Required: Yes
Type: String
Minimum: 1
Maximum: 150

MatchEquals
The value selected by the JsonPath expression must match what is supplied in the MatchEquals
field. Otherwise, the request is ignored. Properties from the target action configuration can be
included as placeholders in this value by surrounding the action configuration key with curly
brackets. For example, if the value supplied here is "refs/heads/{Branch}" and the target action has
an action configuration property called "Branch" with a value of "master", the MatchEquals value
is evaluated as "refs/heads/master". For a list of action configuration properties for built-in action
types, see Pipeline Structure Reference Action Requirements.
Required: No
Type: String
Minimum: 1
Maximum: 150
CodeStar Resource Type Reference

Resource Types
• AWS::CodeStar::GitHubRepository (p. 1351)
AWS::CodeStar::GitHubRepository
The AWS::CodeStar::GitHubRepository resource creates a GitHub repository where users can store
source code for use with AWS workflows. You must provide a location for the source code ZIP file in
the AWS CloudFormation template, so the code can be uploaded to the created repository. You must
have created a personal access token in GitHub to provide in the AWS CloudFormation template. AWS
uses this token to connect to GitHub on your behalf. For more information about using a GitHub source
repository with AWS CodeStar projects, see AWS CodeStar Project Files and Resources.
Syntax

1351
CodeStar
JSON
{
"Type" : "AWS::CodeStar::GitHubRepository",
"Properties" : {
"Code" : Code (p. 1354),
"EnableIssues" : Boolean,
"IsPrivate" : Boolean,
"RepositoryAccessToken" : String,
"RepositoryDescription" : String,
"RepositoryOwner" : String
}
}
YAML
Type: AWS::CodeStar::GitHubRepository
Properties:
Code:
Code (p. 1354)
EnableIssues: Boolean
IsPrivate: Boolean
RepositoryAccessToken: String
RepositoryDescription: String
RepositoryOwner: String
Properties
Code
Information about code to be committed to a repository after it is created in an AWS

CloudFormation stack.
Required: No
Type: Code (p. 1354)
Update requires: Updates are not supported.

EnableIssues
Indicates whether to enable issues for the GitHub repository. You can use GitHub issues to track
information and bugs for your repository.
Required: No
Type: Boolean

IsPrivate
Indicates whether the GitHub repository is a private repository. If so, you choose who can see and
commit to this repository.
Required: No
Type: Boolean

1352
CodeStar
RepositoryAccessToken
The GitHub user's personal access token for the GitHub repository.
Required: Yes
Type: String

RepositoryDescription
A comment or description about the new repository. This description is displayed in GitHub after the
repository is created.
Required: No
Type: String

RepositoryName
The name of the repository you want to create in GitHub with AWS CloudFormation stack creation.
Required: Yes
Type: String

RepositoryOwner
The GitHub user name for the owner of the GitHub repository to be created. If this repository should
be owned by a GitHub organization, provide its name.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a string
combination of the repository owner and the repository name, such as my-github-account/my-
github-repo.
Examples
GitHub Repository Resource Configuration
The following example for the AWS::CodeStar::GitHubRepository resource creates a private
GitHub repository with issues enabled.
When passing secret parameters, do not enter the value directly into the template. The value is rendered
as plain text and is readable. Instead, enter secret parameters using one of the following methods:
• Pass the value in as a NoEcho parameter. For more information, see Referencing a Parameter in a
Template.

1353
CodeStar
• Store the GitHub token in AWS Secrets Manager and retrieve it through the resource property.
The following example shows the token ID as the parameter stored in AWS Secrets Manager with
this value: resolve:secretsmanager:your-secret-manager-name:SecretString:your-
secret-manager-key.
JSON
{
"MyRepo": {
"Type": "AWS::CodeStar::GitHubRepository",
"Properties": {
"Code": {
"S3": {
"S3Bucket": "my-bucket",
"S3Key": "sourcecode.zip",
"ObjectVersion": "1"
}
},
"EnableIssues": true,
"IsPrivate": true,
"RepositoryAccessToken": "{{resolve:secretsmanager:your-secret-manager-
name:SecretString:your-secret-manager-key}}",
"RepositoryDescription": "a description",
"RepositoryName": "my-github-repo",
"RepositoryOwner": "my-github-account"
}
}
}
YAML
MyRepo:
Type: AWS::CodeStar::GitHubRepository
Properties:
Code:
S3:
S3Bucket: "my-bucket"
S3Key: "sourcecode.zip"
ObjectVersion: "1"
EnableIssues: true
IsPrivate: true
RepositoryAccessToken: '{{resolve:secretsmanager:your-secret-manager-
name:SecretString:your-secret-manager-key}}'
RepositoryDescription: a description
RepositoryName: my-github-repo
RepositoryOwner: my-github-account
AWS::CodeStar::GitHubRepository Code
The Code property type specifies information about code to be committed.
Code is a property of the AWS::CodeStar::GitHubRepository resource.
Syntax
JSON

1354
CodeStar
"S3" : S3 (p. 1355)

}
YAML
S3:
S3 (p. 1355)
Properties
S3
Information about the Amazon S3 bucket that contains a ZIP file of code to be committed to the
repository.
Required: Yes
Type: S3 (p. 1355)
AWS::CodeStar::GitHubRepository S3
The S3 property type specifies information about the Amazon S3 bucket that contains the code to be
committed to the new repository.
S3 is a property of the AWS::CodeStar::GitHubRepository resource.
Syntax
JSON
{
"Bucket" : String,
"Key" : String,
}
YAML
Bucket: String
Key: String
Properties
Bucket
The name of the Amazon S3 bucket that contains the ZIP file with the content to be committed to
the new repository.
Required: Yes
Type: String

1355
CodeStarNotifications
Key
The S3 object key or file name for the ZIP file.
Required: Yes
Type: String

ObjectVersion
The object version of the ZIP file, if versioning is enabled for the Amazon S3 bucket.
Required: No
Type: String
CodeStarNotifications Resource Type Reference

Resource Types
• AWS::CodeStarNotifications::NotificationRule (p. 1356)
AWS::CodeStarNotifications::NotificationRule
Creates a notification rule for a resource. The rule specifies the events you want notifications about and
the targets (such as SNS topics) where you want to receive them.
Syntax
JSON
{
"Type" : "AWS::CodeStarNotifications::NotificationRule",
"Properties" : {
"DetailType" : String,
"EventTypeIds" : [ String, ... ],
"Name" : String,
"Resource" : String,
"Status" : String,
"Tags" : Json,
"Targets" : [ Target (p. 1358), ... ]
}
}
YAML
Type: AWS::CodeStarNotifications::NotificationRule
Properties:
DetailType: String
EventTypeIds:
- String
Name: String
Resource: String

1356
Status: String
Tags: Json
Targets:
- Target (p. 1358)
Properties
DetailType
The level of detail to include in the notifications for this resource. BASIC will include only the
contents of the event as it would appear in AWS CloudWatch. FULL will include any supplemental
information provided by AWS CodeStar Notifications and/or the service for the resource for which
the notification is created.
Required: Yes
Type: String
Allowed Values: BASIC | FULL

EventTypeIds
A list of event types associated with this notification rule.
Required: Yes

Name
The name of the attribute you want to use to filter the returned notification rules.
Required: Yes
Type: String
Allowed Values: CREATED_BY | EVENT_TYPE_ID | RESOURCE | TARGET_ADDRESS

Resource
The Amazon Resource Name (ARN) of the resource to associate with the notification rule. Supported
resources include pipelines in AWS CodePipeline, repositories in AWS CodeCommit, and build
projects in AWS CodeBuild.
Required: Yes
Type: String
Pattern: ârn:aws[^:\s]*:[^:\s]*:[^:\s]*:[0-9]{12}:[^\s]+$

Status
The status of the notification rule. The default value is ENABLED. If the status is set to DISABLED,
notifications aren't sent for the notification rule.
Required: No

1357
Type: String

Tags
A list of tags to apply to this notification rule. Key names cannot start with "aws".
Required: No
Type: Json

Targets
A list of Amazon Resource Names (ARNs) of SNS topics to associate with the notification rule.
Required: Yes
Type: List of Target (p. 1358)
Maximum: 10
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the notification
rule ARN.
AWS::CodeStarNotifications::NotificationRule Target
Information about the SNS topics associated with a notification rule.
Syntax
JSON
{
"TargetAddress" : String,
"TargetType" : String
}
YAML
TargetAddress: String
TargetType: String
Properties
TargetAddress
The Amazon Resource Name (ARN) of the SNS topic.

1358
Amazon Cognito
Required: No
Type: String
Minimum: 1
Maximum: 320

TargetType
The target type. Can be an Amazon SNS topic.
Required: No
Type: String
Pattern: ^[A-Za-z]+$
Amazon Cognito Resource Type Reference

Resource Types
• AWS::Cognito::IdentityPool (p. 1359)

• AWS::Cognito::IdentityPoolRoleAttachment (p. 1365)
• AWS::Cognito::UserPool (p. 1371)
• AWS::Cognito::UserPoolClient (p. 1394)
• AWS::Cognito::UserPoolDomain (p. 1400)
• AWS::Cognito::UserPoolGroup (p. 1404)
• AWS::Cognito::UserPoolIdentityProvider (p. 1406)
• AWS::Cognito::UserPoolResourceServer (p. 1408)
• AWS::Cognito::UserPoolRiskConfigurationAttachment (p. 1412)
• AWS::Cognito::UserPoolUICustomizationAttachment (p. 1423)
• AWS::Cognito::UserPoolUser (p. 1425)
• AWS::Cognito::UserPoolUserToGroupAttachment (p. 1429)
AWS::Cognito::IdentityPool
The AWS::Cognito::IdentityPool resource creates an Amazon Cognito identity pool.
Note
To avoid deleting the resource accidentally from AWS CloudFormation, use DeletionPolicy
Attribute and the UpdateReplacePolicy Attribute to retain the resource on deletion or
replacement.
Syntax
JSON

1359
Amazon Cognito
"Type" : "AWS::Cognito::IdentityPool",
"Properties" : {
"AllowClassicFlow" : Boolean,
"AllowUnauthenticatedIdentities" : Boolean,
"CognitoEvents" : Json,
"CognitoIdentityProviders" : [ CognitoIdentityProvider (p. 1362), ... ],
"CognitoStreams" : CognitoStreams (p. 1363),
"DeveloperProviderName" : String,
"IdentityPoolName" : String,
"OpenIdConnectProviderARNs" : [ String, ... ],
"PushSync" : PushSync (p. 1364),
"SamlProviderARNs" : [ String, ... ],
"SupportedLoginProviders" : Json
}
}
YAML
Type: AWS::Cognito::IdentityPool
Properties:
AllowClassicFlow: Boolean
AllowUnauthenticatedIdentities: Boolean
CognitoEvents: Json
CognitoIdentityProviders:
- CognitoIdentityProvider (p. 1362)
CognitoStreams:
CognitoStreams (p. 1363)
DeveloperProviderName: String
IdentityPoolName: String
OpenIdConnectProviderARNs:
- String
PushSync:
PushSync (p. 1364)
SamlProviderARNs:
- String
SupportedLoginProviders: Json
Properties
AllowClassicFlow
Enables the Basic (Classic) authentication flow.
Required: No
Type: Boolean

AllowUnauthenticatedIdentities
Specifies whether the identity pool supports unauthenticated logins.
Required: Yes
Type: Boolean

CognitoEvents
The events to configure.

1360
Amazon Cognito
Required: No
Type: Json

CognitoIdentityProviders
An array of Amazon Cognito user pools and their client IDs.
Required: No
Type: List of CognitoIdentityProvider (p. 1362)

CognitoStreams
Configuration options for configuring Amazon Cognito streams.
Required: No
Type: CognitoStreams (p. 1363)

DeveloperProviderName
The "domain" Amazon Cognito uses when referencing your users. This name acts as a placeholder
that allows your backend and the Amazon Cognito service to communicate about the developer
provider. For the DeveloperProviderName, you can use letters and periods (.), underscores (_), and
dashes (-).
Minimum length: 1
Maximum length: 100
Required: No
Type: String

IdentityPoolName
The name of your Amazon Cognito identity pool.
Minimum length: 1
Maximum length: 128
Pattern: [\w ]+
Required: No
Type: String

OpenIdConnectProviderARNs
A list of ARNs for the OpendID Connect provider.
Required: No

1361
Amazon Cognito

PushSync
Configuration options to be applied to the identity pool.
Required: No
Type: PushSync (p. 1364)

SamlProviderARNs
A list of Amazon Resource Names (ARNs) of Security Assertion Markup Language (SAML) providers.
Required: No

SupportedLoginProviders
Key-value pairs that map provider names to provider app IDs.
Required: No
Type: Json
Return Values
Ref
IdentityPoolId, such as us-east-2:0d01f4d7-1305-4408-b437-12345EXAMPLE.
Fn::GetAtt
Name
The name of the Amazon Cognito identity pool, returned as a string.
AWS::Cognito::IdentityPool CognitoIdentityProvider
CognitoIdentityProvider is a property of the AWS::Cognito::IdentityPool resource that represents
an Amazon Cognito user pool and its client ID.

1362
Amazon Cognito
Syntax
JSON
{
"ProviderName" : String,
"ServerSideTokenCheck" : Boolean
}
YAML
ClientId: String
ProviderName: String
ServerSideTokenCheck: Boolean
Properties
ClientId
The client ID for the Amazon Cognito user pool.
Required: No
Type: String

ProviderName
The provider name for an Amazon Cognito user pool. For example: cognito-idp.us-
east-2.amazonaws.com/us-east-2_123456789.
Required: No
Type: String

ServerSideTokenCheck
TRUE if server-side token validation is enabled for the identity provider’s token.
After you set the ServerSideTokenCheck to TRUE for an identity pool, that identity pool checks
with the integrated user pools to make sure the user has not been globally signed out or deleted
before the identity pool provides an OIDC token or AWS credentials for the user.
If the user is signed out or deleted, the identity pool returns a 400 Not Authorized error.
Required: No
Type: Boolean
AWS::Cognito::IdentityPool CognitoStreams
CognitoStreams is a property of the AWS::Cognito::IdentityPool resource that defines configuration
options for Amazon Cognito streams.

1363
Amazon Cognito
Syntax
JSON
{
"RoleArn" : String,
"StreamingStatus" : String,
}
YAML
RoleArn: String
StreamingStatus: String
StreamName: String
Properties
RoleArn
The Amazon Resource Name (ARN) of the role Amazon Cognito can assume to publish to the
stream. This role must grant access to Amazon Cognito (cognito-sync) to invoke PutRecord on your
Amazon Cognito stream.
Required: No
Type: String

StreamingStatus
Status of the Amazon Cognito streams. Valid values are: ENABLED or DISABLED.
Required: No
Type: String

StreamName
The name of the Amazon Cognito stream to receive updates. This stream must be in the developer's
account and in the same Region as the identity pool.
Required: No
Type: String
AWS::Cognito::IdentityPool PushSync
PushSync is a property of the AWS::Cognito::IdentityPool resource that defines the configuration
options to be applied to an Amazon Cognito identity pool.
Syntax

1364
Amazon Cognito
JSON
{
"ApplicationArns" : [ String, ... ],
"RoleArn" : String
}
YAML
ApplicationArns:
- String
RoleArn: String
Properties
ApplicationArns
A list of Amazon SNS platform application ARNs that could be used by clients.
Required: No

RoleArn
An IAM role configured to allow Amazon Cognito to call Amazon SNS on behalf of the developer.
Required: No
Type: String
AWS::Cognito::IdentityPoolRoleAttachment
The AWS::Cognito::IdentityPoolRoleAttachment resource manages the role configuration for an
Amazon Cognito identity pool.
Syntax
JSON
{
"Type" : "AWS::Cognito::IdentityPoolRoleAttachment",
"Properties" : {
"IdentityPoolId" : String,
"RoleMappings" : Json,
"Roles" : Json
}
}
YAML
Type: AWS::Cognito::IdentityPoolRoleAttachment

1365
Amazon Cognito
Properties:
IdentityPoolId: String
RoleMappings: Json
Roles: Json
Properties
IdentityPoolId
An identity pool ID in the format REGION:GUID.
Required: Yes
Type: String

RoleMappings
How users for a specific identity provider are mapped to roles. This is a string to the RoleMapping
object map. The string identifies the identity provider. For example: "graph.facebook.com" or
"cognito-idp-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id".
If the IdentityProvider field isn't provided in this object, the string is used as the identity
provider name.
Required: No
Type: Json

Roles
The map of the roles associated with this pool. For a given role, the key is either "authenticated" or
"unauthenticated". The value is the role ARN.
Required: No
Type: Json
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a generated ID,
such as IdentityPoolRoleAttachment-EXAMPLEwnOR3n.
Examples
Setting the roles for an identity pool
The following example sets roles for an identity pool. It sets “authenticated” and “unauthenticated” roles
and maps two identity providers to them. The first identity provider is “graph.facebook.com”. The second
is using a reference to set the identity provider name.

1366
Amazon Cognito
JSON
{
"IdentityPoolRoleAttachment": {
"Type": "AWS::Cognito::IdentityPoolRoleAttachment",
"Properties": {
"IdentityPoolId": { "Ref" : "IdentityPool" },
"Roles": {
"authenticated": { "Fn::GetAtt" : [ "AuthenticatedRole", "Arn" ] },
"unauthenticated": { "Fn::GetAtt" : [ "UnAuthenticatedRole", "Arn" ] }
},
"RoleMappings": {
"graph.facebook.com": {
"IdentityProvider": "graph.facebook.com",
"AmbiguousRoleResolution": "Deny",
"Type": "Rules",
"RulesConfiguration": {
"Rules": [
{
"Claim": "sub",
"MatchType": "Equals",
"RoleARN": { "Fn::GetAtt" : [ "AuthenticatedRole",
"Arn" ] },
"Value": "goodvalue"
}
]
}
},
"userpool1": {
"IdentityProvider": { "Ref" : "CognitoUserPool" },
"AmbiguousRoleResolution": "Deny",
"Type": "Rules",
"RulesConfiguration": {
"Rules": [
{
"Claim": "sub",
"MatchType": "Equals",
"RoleARN": { "Fn::GetAtt" : [ "AuthenticatedRole",
"Arn" ] },
"Value": "goodvalue"
}
]
}
}
}
}
}
}
YAML
IdentityPoolRoleAttachment:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref IdentityPool
Roles:
"authenticated": !GetAtt AuthenticatedRole.Arn
"unauthenticated": !GetAtt UnAuthenticatedRole.Arn
RoleMappings:
"graph.facebook.com":
IdentityProvider: "graph.facebook.com"
AmbiguousRoleResolution: Deny
Type: Rules
RulesConfiguration:

1367
Amazon Cognito
Rules:
- Claim: "sub"
MatchType: "Equals"
RoleARN: !GetAtt AuthenticatedRole.Arn
Value: "goodvalue"
"userpool1":
IdentityProvider: !Ref CognitoUserPool
AmbiguousRoleResolution: Deny
Type: Rules
RulesConfiguration:
Rules:
- Claim: "sub"
MatchType: "Equals"
RoleARN: !GetAtt AuthenticatedRole.Arn
Value: "goodvalue"
AWS::Cognito::IdentityPoolRoleAttachment MappingRule
Defines how to map a claim to a role ARN.
Syntax
JSON
{
"Claim" : String,
"MatchType" : String,
"RoleARN" : String,
"Value" : String
}
YAML
Claim: String
MatchType: String
RoleARN: String
Value: String
Properties
Claim
The claim name that must be present in the token. For example: "isAdmin" or "paid".
Required: Yes
Type: String

MatchType
The match condition that specifies how closely the claim value in the IdP token must match Value.
Valid values are: Equals, Contains, StartsWith, and NotEqual.
Required: Yes
Type: String

1368
Amazon Cognito

RoleARN
The Amazon Resource Name (ARN) of the role.
Required: Yes
Type: String

Value
A brief string that the claim must match. For example, "paid" or "yes".
Required: Yes
Type: String
AWS::Cognito::IdentityPoolRoleAttachment RoleMapping
RoleMapping is a property of the AWS::Cognito::IdentityPoolRoleAttachment resource that defines the
role-mapping attributes of an Amazon Cognito identity pool.
Syntax
JSON
{
"AmbiguousRoleResolution" : String,
"IdentityProvider" : String,
"RulesConfiguration" : RulesConfigurationType (p. 1370),
"Type" : String
}
YAML
AmbiguousRoleResolution: String
IdentityProvider: String
RulesConfiguration:
RulesConfigurationType (p. 1370)
Type: String
Properties
AmbiguousRoleResolution
Specifies the action to be taken if either no rules match the claim value for the Rules type, or there
is no cognito:preferred_role claim and there are multiple cognito:roles matches for the
Token type. If you specify Token or Rules as the Type, AmbiguousRoleResolution is required.
Valid values are AuthenticatedRole or Deny.
Required: No
Type: String

1369
Amazon Cognito

IdentityProvider
Identifier for the identity provider for which the role is mapped. For example: "graph.facebook.com"
or "cognito-idp-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id (http://cognito-idp-
east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id)". This is the identity provider that is used
by the user for authentication.
If the identity provider property isn't provided, the key of the entry in the RoleMappings map is
used as the identity provider.
Required: No
Type: String

RulesConfiguration
The rules to be used for mapping users to roles. If you specify "Rules" as the role-mapping type,
RulesConfiguration is required.
Required: No
Type: RulesConfigurationType (p. 1370)

Type
The role-mapping type. Token uses cognito:roles and cognito:preferred_role claims from
the Amazon Cognito identity provider token to map groups to roles. Rules attempts to match
claims from the token to map to a role.
Valid values are Token or Rules.
Required: Yes
Type: String
AWS::Cognito::IdentityPoolRoleAttachment RulesConfigurationType
RulesConfigurationType is a subproperty of the RoleMapping property that defines the rules to be
used for mapping users to roles.
Syntax
JSON
{
"Rules" : [ MappingRule (p. 1368), ... ]
}
YAML
Rules:

1370
Amazon Cognito
- MappingRule (p. 1368)
Properties
Rules
A list of rules. You can specify up to 25 rules per identity provider.
Required: Yes
Type: List of MappingRule (p. 1368)
AWS::Cognito::UserPool
The AWS::Cognito::UserPool resource creates an Amazon Cognito user pool. For more information
on working with Amazon Cognito user pools, see Amazon Cognito User Pools and CreateUserPool.
Syntax
JSON
{
"Type" : "AWS::Cognito::UserPool",
"Properties" : {
"AdminCreateUserConfig" : AdminCreateUserConfig (p. 1377),
"AliasAttributes" : [ String, ... ],
"AutoVerifiedAttributes" : [ String, ... ],
"DeviceConfiguration" : DeviceConfiguration (p. 1378),
"EmailConfiguration" : EmailConfiguration (p. 1378),
"EmailVerificationMessage" : String,
"EmailVerificationSubject" : String,
"EnabledMfas" : [ String, ... ],
"LambdaConfig" : LambdaConfig (p. 1382),
"MfaConfiguration" : String,
"Policies" : Policies (p. 1388),
"Schema" : [ SchemaAttribute (p. 1388), ... ],
"SmsAuthenticationMessage" : String,
"SmsConfiguration" : SmsConfiguration (p. 1390),
"SmsVerificationMessage" : String,
"UsernameAttributes" : [ String, ... ],
"UserPoolAddOns" : UserPoolAddOns (p. 1392),
"UserPoolName" : String,
"UserPoolTags" : Json,
"VerificationMessageTemplate" : VerificationMessageTemplate (p. 1392)
}
}
YAML
Type: AWS::Cognito::UserPool
Properties:
AdminCreateUserConfig:
AdminCreateUserConfig (p. 1377)
AliasAttributes:
- String
AutoVerifiedAttributes:

1371
Amazon Cognito
- String
DeviceConfiguration:
DeviceConfiguration (p. 1378)
EmailConfiguration:
EmailConfiguration (p. 1378)
EmailVerificationMessage: String
EmailVerificationSubject: String
EnabledMfas:
- String
LambdaConfig:
LambdaConfig (p. 1382)
MfaConfiguration: String
Policies:
Policies (p. 1388)
Schema:
- SchemaAttribute (p. 1388)
SmsAuthenticationMessage: String
SmsConfiguration:
SmsConfiguration (p. 1390)
SmsVerificationMessage: String
UsernameAttributes:
- String
UserPoolAddOns:
UserPoolAddOns (p. 1392)
UserPoolName: String
UserPoolTags: Json
VerificationMessageTemplate:
VerificationMessageTemplate (p. 1392)
Properties
AdminCreateUserConfig
The configuration for creating a new user profile.
Required: No
Type: AdminCreateUserConfig (p. 1377)

AliasAttributes
Attributes supported as an alias for this user pool. Possible values: phone_number, email, or
preferred_username.
Note
This user pool property cannot be updated.
Required: No

AutoVerifiedAttributes
The attributes to be auto-verified. Possible values: email, phone_number.
Required: No

1372
Amazon Cognito
DeviceConfiguration
The device configuration.
Required: No
Type: DeviceConfiguration (p. 1378)

EmailConfiguration
The email configuration.
Required: No
Type: EmailConfiguration (p. 1378)

EmailVerificationMessage
A string representing the email verification message.
Required: No
Type: String
Minimum: 6
Maximum: 20000
Pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*\{####\}
[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*

EmailVerificationSubject
A string representing the email verification subject.
Required: No
Type: String
Minimum: 1
Maximum: 140
Pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\s]+

EnabledMfas
Enables MFA on a specified user pool. To disable all MFAs after it has been enabled, set
MfaConfiguration to “OFF” and remove EnabledMfas. MFAs can only be all disabled if
MfaConfiguration is OFF. Once SMS_MFA is enabled, SMS_MFA can only be disabled by setting
MfaConfiguration to “OFF”. Can be one of the following values:
• SMS_MFA - Enables SMS MFA for the user pool. SMS_MFA can only be enabled if SMS
configuration is provided.
• SOFTWARE_TOKEN_MFA - Enables software token MFA for the user pool.
Allowed values: SMS_MFA | SOFTWARE_TOKEN_MFA

1373
Amazon Cognito
Required: No

LambdaConfig
The Lambda trigger configuration information for the new user pool.
Note
In a push model, event sources (such as Amazon S3 and custom applications) need
permission to invoke a function. So you will need to make an extra call to add permission
for these event sources to invoke your Lambda function.
For more information on using the Lambda API to add permission, see AddPermission .
For adding permission using the AWS CLI, see add-permission .
Required: No
Type: LambdaConfig (p. 1382)

MfaConfiguration
The multi-factor (MFA) configuration. Valid values include:

• OFF MFA will not be used for any users.
• ON MFA is required for all users to sign in.
• OPTIONAL MFA will be required only for individual users who have an MFA factor enabled.
Required: No
Type: String
Allowed Values: OFF | ON | OPTIONAL

Policies
The policy associated with a user pool.
Required: No
Type: Policies (p. 1388)

Schema
An array of schema attributes for the new user pool. These attributes can be standard or custom
attributes.
Note
During a user pool update, you can add new schema attributes but you cannot modify or
delete an existing schema attribute.
Required: No
Type: List of SchemaAttribute (p. 1388)
Maximum: 50

1374
Amazon Cognito
SmsAuthenticationMessage
A string representing the SMS authentication message.
Required: No
Type: String
Minimum: 6
Maximum: 140
Pattern: .*\{####\}.*

SmsConfiguration
The SMS configuration.
Required: No
Type: SmsConfiguration (p. 1390)

SmsVerificationMessage
A string representing the SMS verification message.
Required: No
Type: String
Minimum: 6
Maximum: 140
Pattern: .*\{####\}.*

UsernameAttributes
Determines whether email addresses or phone numbers can be specified as user names when a user
signs up. Possible values: phone_number or email.
This user pool property cannot be updated.
Required: No

UserPoolAddOns
Used to enable advanced security risk detection. Set the key AdvancedSecurityMode to the value
"AUDIT".
Required: No
Type: UserPoolAddOns (p. 1392)

1375
Amazon Cognito
UserPoolName
A string used to name the user pool.
Required: No
Type: String
Minimum: 1
Maximum: 128
Pattern: [\w\s+=,.@-]+

UserPoolTags
The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and
manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
Required: No
Type: Json

VerificationMessageTemplate
The template for the verification message that the user sees when the app requests permission to
access the user's information.
Required: No
Type: VerificationMessageTemplate (p. 1392)
Return Values
Ref
such as us-east-2_zgaEXAMPLE.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the user pool, such as arn:aws:cognito-idp:us-
east-1:123412341234:userpool/us-east-1_123412341.
ProviderName
The provider name of the Amazon Cognito user pool, specified as a String.

1376
Amazon Cognito
ProviderURL
The URL of the provider of the Amazon Cognito user pool, specified as a String.
AWS::Cognito::UserPool AdminCreateUserConfig
The configuration for AdminCreateUser requests.
Syntax
JSON
{
"AllowAdminCreateUserOnly" : Boolean,
"InviteMessageTemplate" : InviteMessageTemplate (p. 1381),
"UnusedAccountValidityDays" : Integer
}
YAML
AllowAdminCreateUserOnly: Boolean
InviteMessageTemplate:
InviteMessageTemplate (p. 1381)
UnusedAccountValidityDays: Integer
Properties
AllowAdminCreateUserOnly
Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign
themselves up via an app.
Required: No
Type: Boolean

InviteMessageTemplate
The message template to be used for the welcome message to new users.
See also Customizing User Invitation Messages.
Required: No
Type: InviteMessageTemplate (p. 1381)

UnusedAccountValidityDays
The user account expiration limit, in days, after which the account is no longer usable. To reset the
account after that time limit, you must call AdminCreateUser again, specifying "RESEND" for the
MessageAction parameter. The default value for this parameter is 7.
Note
If you set a value for TemporaryPasswordValidityDays in PasswordPolicy, that value
will be used and UnusedAccountValidityDays will be deprecated for that user pool.

1377
Amazon Cognito
Required: No
Type: Integer
Minimum: 0
Maximum: 365
AWS::Cognito::UserPool DeviceConfiguration
The configuration for the user pool's device tracking.
Syntax
JSON
{
"ChallengeRequiredOnNewDevice" : Boolean,
"DeviceOnlyRememberedOnUserPrompt" : Boolean
}
YAML
ChallengeRequiredOnNewDevice: Boolean
DeviceOnlyRememberedOnUserPrompt: Boolean
Properties
ChallengeRequiredOnNewDevice
Indicates whether a challenge is required on a new device. Only applicable to a new device.
Required: No
Type: Boolean

DeviceOnlyRememberedOnUserPrompt
If true, a device is only remembered on user prompt.
Required: No
Type: Boolean
AWS::Cognito::UserPool EmailConfiguration
The email configuration.
Syntax

1378
Amazon Cognito
JSON
{
"ConfigurationSet" : String,
"EmailSendingAccount" : String,
"From" : String,
"ReplyToEmailAddress" : String,
"SourceArn" : String
}
YAML
ConfigurationSet: String
EmailSendingAccount: String
From: String
ReplyToEmailAddress: String
SourceArn: String
Properties
ConfigurationSet
The set of configuration rules that can be applied to emails sent using Amazon SES. A configuration
set is applied to an email by including a reference to the configuration set in the headers of the
email. Once applied, all of the rules in that configuration set are applied to the email. Configuration
sets can be used to apply the following types of rules to emails:
• Event publishing – Amazon SES can track the number of send, delivery, open, click, bounce, and
complaint events for each email sent. Use event publishing to send information about these
events to other AWS services such as SNS and CloudWatch.
• IP pool management – When leasing dedicated IP addresses with Amazon SES, you can create
groups of IP addresses, called dedicated IP pools. You can then associate the dedicated IP pools
with configuration sets.
Required: No
Type: String
Minimum: 1
Maximum: 64
Pattern: ^[a-zA-Z0-9_-]+$

EmailSendingAccount
Specifies whether Amazon Cognito emails your users by using its built-in email functionality or your
Amazon SES email configuration. Specify one of the following values:
COGNITO_DEFAULT
When Amazon Cognito emails your users, it uses its built-in email functionality. When you use
the default option, Amazon Cognito allows only a limited number of emails each day for your
user pool. For typical production environments, the default email limit is below the required
delivery volume. To achieve a higher delivery volume, specify DEVELOPER to use your Amazon
SES email configuration.
To look up the email delivery limit for the default option, see Limits in Amazon Cognito in the
Amazon Cognito Developer Guide.

1379
Amazon Cognito
The default FROM address is no-reply@verificationemail.com. To customize the FROM address,

provide the ARN of an Amazon SES verified email address for the SourceArn parameter.
DEVELOPER
When Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon
Cognito calls Amazon SES on your behalf to send email from your verified email address. When
you use this option, the email delivery limits are the same limits that apply to your Amazon SES
verified email address in your AWS account.
If you use this option, you must provide the ARN of an Amazon SES verified email address for
the SourceArn parameter.
Before Amazon Cognito can email your users, it requires additional permissions to call Amazon
SES on your behalf. When you update your user pool with this option, Amazon Cognito creates
a service-linked role, which is a type of IAM role, in your AWS account. This role contains the
permissions that allow Amazon Cognito to access Amazon SES and send email messages with
your address. For more information about the service-linked role that Amazon Cognito creates,
see Using Service-Linked Roles for Amazon Cognito in the Amazon Cognito Developer Guide.
Required: No
Type: String
Allowed Values: COGNITO_DEFAULT | DEVELOPER

From
Identifies either the sender's email address or the sender's name with their email address. For
example, testuser@example.com or Test User <testuser@example.com>. This address
appears before the body of the email.
Required: No
Type: String

ReplyToEmailAddress
The destination to which the receiver of the email should reply to.
Required: No
Type: String
Pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}]+@[\p{L}\p{M}\p{S}\p{N}\p{P}]+

SourceArn
The Amazon Resource Name (ARN) of a verified email address in Amazon SES. This email
address is used in one of the following ways, depending on the value that you specify for the
EmailSendingAccount parameter:
• If you specify COGNITO_DEFAULT, Amazon Cognito uses this address as the custom FROM address
when it emails your users by using its built-in email account.
• If you specify DEVELOPER, Amazon Cognito emails your users with this address by calling Amazon
SES on your behalf.
Required: No

1380
Amazon Cognito
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?
AWS::Cognito::UserPool InviteMessageTemplate
The message template to be used for the welcome message to new users.
See also Customizing User Invitation Messages.
Syntax
JSON
{
"EmailMessage" : String,
"EmailSubject" : String,
"SMSMessage" : String
}
YAML
EmailMessage: String
EmailSubject: String
SMSMessage: String
Properties
EmailMessage
The message template for email messages.
Required: No
Type: String
Minimum: 6
Maximum: 20000
[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*

EmailSubject
The subject line for email messages.
Required: No

1381
Amazon Cognito
Type: String
Minimum: 1
Maximum: 140

SMSMessage
The message template for SMS messages.
Required: No
Type: String
Minimum: 6
Maximum: 140
Pattern: .*\{####\}.*
AWS::Cognito::UserPool LambdaConfig
Specifies the configuration for AWS Lambda triggers.
Syntax
JSON
{
"CreateAuthChallenge" : String,
"CustomMessage" : String,
"DefineAuthChallenge" : String,
"PostAuthentication" : String,
"PostConfirmation" : String,
"PreAuthentication" : String,
"PreSignUp" : String,
"PreTokenGeneration" : String,
"UserMigration" : String,
"VerifyAuthChallengeResponse" : String
}
YAML
CreateAuthChallenge: String
CustomMessage: String
DefineAuthChallenge: String
PostAuthentication: String
PostConfirmation: String
PreAuthentication: String
PreSignUp: String
PreTokenGeneration: String
UserMigration: String
VerifyAuthChallengeResponse: String

1382
Amazon Cognito
Properties
CreateAuthChallenge
Creates an authentication challenge.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

CustomMessage
A custom Message AWS Lambda trigger.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

DefineAuthChallenge
Defines the authentication challenge.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

PostAuthentication
A post-authentication AWS Lambda trigger.
Required: No
Type: String
Minimum: 20
Maximum: 2048

1383
Amazon Cognito
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

PostConfirmation
A post-confirmation AWS Lambda trigger.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

PreAuthentication
A pre-authentication AWS Lambda trigger.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

PreSignUp
A pre-registration AWS Lambda trigger.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

PreTokenGeneration
A Lambda trigger that is invoked before token generation.
Required: No
Type: String
Minimum: 20

1384
Amazon Cognito
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

UserMigration
The user migration Lambda config type.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

VerifyAuthChallengeResponse
Verifies the authentication challenge response.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?
AWS::Cognito::UserPool NumberAttributeConstraints
The minimum and maximum value of an attribute that is of the number data type.
Syntax
JSON
{
"MaxValue" : String,
"MinValue" : String
}
YAML
MaxValue: String
MinValue: String

1385
Amazon Cognito
Properties
MaxValue
The maximum value of an attribute that is of the number data type.
Required: No
Type: String

MinValue
The minimum value of an attribute that is of the number data type.
Required: No
Type: String
AWS::Cognito::UserPool PasswordPolicy
The password policy type.
Syntax
JSON
{
"MinimumLength" : Integer,
"RequireLowercase" : Boolean,
"RequireNumbers" : Boolean,
"RequireSymbols" : Boolean,
"RequireUppercase" : Boolean,
"TemporaryPasswordValidityDays" : Integer
}
YAML
MinimumLength: Integer
RequireLowercase: Boolean
RequireNumbers: Boolean
RequireSymbols: Boolean
RequireUppercase: Boolean
TemporaryPasswordValidityDays: Integer
Properties
MinimumLength
The minimum length of the password policy that you have set. Cannot be less than 6.
Required: No
Type: Integer
Minimum: 6

1386
Amazon Cognito
Maximum: 99

RequireLowercase
In the password policy that you have set, refers to whether you have required users to use at least
one lowercase letter in their password.
Required: No
Type: Boolean

RequireNumbers
one number in their password.
Required: No
Type: Boolean

RequireSymbols
one symbol in their password.
Required: No
Type: Boolean

RequireUppercase
one uppercase letter in their password.
Required: No
Type: Boolean

TemporaryPasswordValidityDays
In the password policy you have set, refers to the number of days a temporary password is valid. If
the user does not sign-in during this time, their password will need to be reset by an administrator.
Note
When you set TemporaryPasswordValidityDays for a user pool, you will no longer be
able to set the deprecated UnusedAccountValidityDays value for that user pool.
Required: No
Type: Integer
Minimum: 0
Maximum: 365

1387
Amazon Cognito
AWS::Cognito::UserPool Policies
The policy associated with a user pool.
Syntax
JSON
{
"PasswordPolicy" : PasswordPolicy (p. 1386)
}
YAML
PasswordPolicy:
PasswordPolicy (p. 1386)
Properties
PasswordPolicy
The password policy.
Required: No
Type: PasswordPolicy (p. 1386)
AWS::Cognito::UserPool SchemaAttribute
Contains information about the schema attribute.
Syntax
JSON
{
"AttributeDataType" : String,
"DeveloperOnlyAttribute" : Boolean,
"Mutable" : Boolean,
"Name" : String,
"NumberAttributeConstraints" : NumberAttributeConstraints (p. 1385),
"Required" : Boolean,
"StringAttributeConstraints" : StringAttributeConstraints (p. 1391)
}
YAML
AttributeDataType: String
DeveloperOnlyAttribute: Boolean
Mutable: Boolean
Name: String
NumberAttributeConstraints:

1388
Amazon Cognito
NumberAttributeConstraints (p. 1385)

Required: Boolean
StringAttributeConstraints:
StringAttributeConstraints (p. 1391)
Properties
AttributeDataType
The attribute data type.
Required: No
Type: String
Allowed Values: Boolean | DateTime | Number | String

DeveloperOnlyAttribute
Specifies whether the attribute type is developer only.
Required: No
Type: Boolean

Mutable
Specifies whether the value of the attribute can be changed.
For any user pool attribute that's mapped to an identity provider attribute, you must set this
parameter to true. Amazon Cognito updates mapped attributes when users sign in to your
application through an identity provider. If an attribute is immutable, Amazon Cognito throws
an error when it attempts to update the attribute. For more information, see Specifying Identity
Provider Attribute Mappings for Your User Pool.
Required: No
Type: Boolean

Name
A schema attribute of the name type.
Required: No
Type: String
Minimum: 1
Maximum: 20

NumberAttributeConstraints
Specifies the constraints for an attribute of the number type.

1389
Amazon Cognito
Required: No
Type: NumberAttributeConstraints (p. 1385)

Required
Specifies whether a user pool attribute is required. If the attribute is required and the user does not
provide a value, registration or sign-in will fail.
Required: No
Type: Boolean

StringAttributeConstraints
Specifies the constraints for an attribute of the string type.
Required: No
Type: StringAttributeConstraints (p. 1391)
AWS::Cognito::UserPool SmsConfiguration
The SMS configuration type that includes the settings the Cognito User Pool needs to call for the
Amazon SNS service to send an SMS message from your AWS account. The Cognito User Pool makes the
request to the Amazon SNS Service by using an AWS IAM role that you provide for your AWS account.
Syntax
JSON
{
"ExternalId" : String,
"SnsCallerArn" : String
}
YAML
ExternalId: String
SnsCallerArn: String
Properties
ExternalId
The external ID is a value. We recommend you use ExternalIdto add security to your IAM role,
which is used to call Amazon SNS to send SMS messages for your user pool. If you provide an
ExternalId, the Cognito User Pool uses it when attempting to assume your IAM role. You can also
set your roles trust policy to require the ExternalID. If you use the Cognito Management Console
to create a role for SMS MFA, Cognito creates a role with the required permissions and a trust policy
that uses ExternalId.

1390
Amazon Cognito
Required: No
Type: String

SnsCallerArn
The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller. This is
the ARN of the IAM role in your AWS account which Cognito will use to send SMS messages.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?
AWS::Cognito::UserPool StringAttributeConstraints
The StringAttributeConstraints property type defines the string attribute constraints of an
Amazon Cognito user pool. StringAttributeConstraints is a subproperty of the SchemaAttribute
property type.
Syntax
JSON
{
"MaxLength" : String,
"MinLength" : String
}
YAML
MaxLength: String
MinLength: String
Properties
MaxLength
The maximum length.
Required: No
Type: String

MinLength
The minimum length.

1391
Amazon Cognito
Required: No
Type: String
AWS::Cognito::UserPool UserPoolAddOns
The user pool add-ons type.
Syntax
JSON
{
"AdvancedSecurityMode" : String
}
YAML
AdvancedSecurityMode: String
Properties
AdvancedSecurityMode
The advanced security mode.
Required: No
Type: String
Allowed Values: AUDIT | ENFORCED | OFF
AWS::Cognito::UserPool VerificationMessageTemplate
The template for verification messages.
Syntax
JSON
{
"DefaultEmailOption" : String,
"EmailMessage" : String,
"EmailMessageByLink" : String,
"EmailSubject" : String,
"EmailSubjectByLink" : String,
"SmsMessage" : String
}

1392
Amazon Cognito
YAML
DefaultEmailOption: String
EmailMessage: String
EmailMessageByLink: String
EmailSubject: String
EmailSubjectByLink: String
SmsMessage: String
Properties
DefaultEmailOption
The default email option.
Required: No
Type: String
Allowed Values: CONFIRM_WITH_CODE | CONFIRM_WITH_LINK

EmailMessage
The email message template.
Required: No
Type: String
Minimum: 6
Maximum: 20000
[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*

EmailMessageByLink
The email message template for sending a confirmation link to the user.
Required: No
Type: String
Minimum: 6
Maximum: 20000
Pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*\{##[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*##
\}[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*

EmailSubject
The subject line for the email message template.
Required: No
Type: String

1393
Amazon Cognito
Minimum: 1
Maximum: 140

EmailSubjectByLink
The subject line for the email message template for sending a confirmation link to the user.
Required: No
Type: String
Minimum: 1
Maximum: 140

SmsMessage
The SMS message template.
Required: No
Type: String
Minimum: 6
Maximum: 140
Pattern: .*\{####\}.*
AWS::Cognito::UserPoolClient
The AWS::Cognito::UserPoolClient resource specifies an Amazon Cognito user pool client.
Syntax
JSON
{
"Type" : "AWS::Cognito::UserPoolClient",
"Properties" : {
"AllowedOAuthFlows" : [ String, ... ],
"AllowedOAuthFlowsUserPoolClient" : Boolean,
"AllowedOAuthScopes" : [ String, ... ],
"AnalyticsConfiguration" : AnalyticsConfiguration (p. 1399),
"CallbackURLs" : [ String, ... ],
"ClientName" : String,
"DefaultRedirectURI" : String,
"ExplicitAuthFlows" : [ String, ... ],

1394
Amazon Cognito
"GenerateSecret" : Boolean,
"LogoutURLs" : [ String, ... ],
"PreventUserExistenceErrors" : String,
"ReadAttributes" : [ String, ... ],
"RefreshTokenValidity" : Integer,
"SupportedIdentityProviders" : [ String, ... ],
"UserPoolId" : String,
"WriteAttributes" : [ String, ... ]
}
}
YAML
Type: AWS::Cognito::UserPoolClient
Properties:
AllowedOAuthFlows:
- String
AllowedOAuthFlowsUserPoolClient: Boolean
AllowedOAuthScopes:
- String
AnalyticsConfiguration:
AnalyticsConfiguration (p. 1399)
CallbackURLs:
- String
ClientName: String
DefaultRedirectURI: String
ExplicitAuthFlows:
- String
GenerateSecret: Boolean
LogoutURLs:
- String
PreventUserExistenceErrors: String
ReadAttributes:
- String
RefreshTokenValidity: Integer
SupportedIdentityProviders:
- String
UserPoolId: String
WriteAttributes:
- String
Properties
AllowedOAuthFlows
Set to code to initiate a code grant flow, which provides an authorization code as the response. This
code can be exchanged for access tokens with the token endpoint.
Set to token to specify that the client should get the access token (and, optionally, ID token, based
on scopes) directly.
Required: No
Maximum: 3

AllowedOAuthFlowsUserPoolClient
Set to True if the client is allowed to follow the OAuth protocol when interacting with Cognito user
pools.

1395
Amazon Cognito
Required: No
Type: Boolean

AllowedOAuthScopes
A list of allowed OAuth scopes. Currently supported values are "phone", "email", "openid",
and "Cognito". In addition to these values, custom scopes created in Resource Servers are also
supported.
Required: No
Maximum: 50

AnalyticsConfiguration
The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.
Required: No
Type: AnalyticsConfiguration (p. 1399)

CallbackURLs
A list of allowed redirect (callback) URLs for the identity providers.
A redirect URI must:

• Be an absolute URI.
• Be registered with the authorization server.
• Not include a fragment component.
See OAuth 2.0 - Redirection Endpoint.
Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
App callback URLs such as myapp://example are also supported.
Required: No
Maximum: 100

ClientName
The client name for the user pool client you would like to create.
Required: No
Type: String
Minimum: 1
Maximum: 128

1396
Amazon Cognito

DefaultRedirectURI
The default redirect URI. Must be in the CallbackURLs list.
A redirect URI must:

• Be an absolute URI.
• Be registered with the authorization server.
• Not include a fragment component.
See OAuth 2.0 - Redirection Endpoint.
Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
App callback URLs such as myapp://example are also supported.
Required: No
Type: String
Minimum: 1
Maximum: 1024

ExplicitAuthFlows
The authentication flows that are supported by the user pool clients. Flow names without the
ALLOW_ prefix are deprecated in favor of new names with the ALLOW_ prefix. Note that values with
ALLOW_ prefix cannot be used along with values without ALLOW_ prefix.
Valid values include:

• ALLOW_ADMIN_USER_PASSWORD_AUTH: Enable admin based user password authentication flow
ADMIN_USER_PASSWORD_AUTH. This setting replaces the ADMIN_NO_SRP_AUTH setting. With this
authentication flow, Cognito receives the password in the request instead of using the SRP (Secure
Remote Password protocol) protocol to verify passwords.
• ALLOW_CUSTOM_AUTH: Enable Lambda trigger based authentication.
• ALLOW_USER_PASSWORD_AUTH: Enable user password-based authentication. In this flow, Cognito
receives the password in the request instead of using the SRP protocol to verify passwords.
• ALLOW_USER_SRP_AUTH: Enable SRP based authentication.
• ALLOW_REFRESH_TOKEN_AUTH: Enable authflow to refresh tokens.
Required: No

GenerateSecret
Boolean to specify whether you want to generate a secret for the user pool client being created.
Required: No
Type: Boolean

1397
Amazon Cognito

LogoutURLs
A list of allowed logout URLs for the identity providers.
Required: No
Maximum: 100

PreventUserExistenceErrors
Use this setting to choose which errors and responses are returned by Cognito APIs during
authentication, account confirmation, and password recovery when the user does not exist in
the user pool. When set to ENABLED and the user does not exist, authentication returns an error
indicating either the username or password was incorrect, and account confirmation and password
recovery return a response indicating a code was sent to a simulated destination. When set to
LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in
the user pool.
Required: No
Type: String
Allowed Values: ENABLED | LEGACY

ReadAttributes
The read attributes.
Required: No

RefreshTokenValidity
The time limit, in days, after which the refresh token is no longer valid and cannot be used.
Required: No
Type: Integer
Minimum: 0
Maximum: 3650

SupportedIdentityProviders
A list of provider names for the identity providers that are supported on this client. The following are
supported: COGNITO, Facebook, Google and LoginWithAmazon.
Required: No

1398
Amazon Cognito

UserPoolId
The user pool ID for the user pool where you want to create a user pool client.
Required: Yes
Type: String
Minimum: 1
Maximum: 55
Pattern: [\w-]+_[0-9a-zA-Z]+

WriteAttributes
The user pool attributes that the app client can write to.
If your app client allows users to sign in through an identity provider, this array must include all
attributes that are mapped to identity provider attributes. Amazon Cognito updates mapped
attributes when users sign in to your application through an identity provider. If your app client lacks
write access to a mapped attribute, Amazon Cognito throws an error when it attempts to update the
attribute. For more information, see Specifying Identity Provider Attribute Mappings for Your User
Pool.
Required: No
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon
Cognito user pool client ID, such as 1h57kf5cpq17m0eml12EXAMPLE.
AWS::Cognito::UserPoolClient AnalyticsConfiguration
The Amazon Pinpoint analytics configuration for collecting metrics for a user pool.
Syntax
JSON
{
"ApplicationId" : String,
"RoleArn" : String,
"UserDataShared" : Boolean
}

1399
Amazon Cognito
YAML
ApplicationId: String
ExternalId: String
RoleArn: String
UserDataShared: Boolean
Properties
ApplicationId
The application ID for an Amazon Pinpoint application.
Required: No
Type: String
Pattern: ^[0-9a-fA-F]+$

ExternalId
The external ID.
Required: No
Type: String

RoleArn
The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint
analytics.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

UserDataShared
If UserDataShared is true, Amazon Cognito will include user data in the events it publishes to
Amazon Pinpoint analytics.
Required: No
Type: Boolean
AWS::Cognito::UserPoolDomain
The AWS::Cognito::UserPoolDomain resource creates a new domain for a user pool.

1400
Amazon Cognito
Syntax
JSON
{
"Type" : "AWS::Cognito::UserPoolDomain",
"Properties" : {
"CustomDomainConfig" : CustomDomainConfigType (p. 1403),
"Domain" : String,
}
}
YAML
Type: AWS::Cognito::UserPoolDomain
Properties:
CustomDomainConfig:
CustomDomainConfigType (p. 1403)
Domain: String
UserPoolId: String
Properties
CustomDomainConfig
The configuration for a custom domain that hosts the sign-up and sign-in pages for your application.
Use this object to specify an SSL certificate that is managed by ACM.
Required: No
Type: CustomDomainConfigType (p. 1403)

Domain
The domain name for the domain that hosts the sign-up and sign-in pages for your application. For
example: auth.example.com. If you're using a prefix domain, this field denotes the first part of the
domain before .auth.[region].amazoncognito.com.
This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first
or last character. Use periods to separate subdomain names.
Required: Yes
Type: String
Minimum: 1
Maximum: 63
Pattern: ^[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?$

UserPoolId
The user pool ID for the user pool where you want to associate a user pool domain.
Required: Yes

1401
Amazon Cognito
Type: String
Minimum: 1
Maximum: 55
Return Values
Ref
physicalResourceId, which is “Domain". For example:
{ "Ref": "your-test-domain" }
For the Amazon Cognito user pool domain your-test-domain, Ref returns the name of the user pool
domain.
Examples
Creating a new custom domain for a user pool
The following example creates a custom domain, "my-test-user-pool-domain", in the referenced user
pool.
JSON
{
"UserPoolDomain": {
"Type": "AWS::Cognito::UserPoolDomain",
"Properties": { "UserPoolId": {"Ref" : "UserPool"},
"Domain": "my-test-user-pool-domain.myapplication.com",
"CustomDomainConfig": {
"CertificateArn": {"Ref" : "CertificateArn"}
}
}
}
}
YAML
UserPoolDomain:
Properties:
UserPoolId: !Ref UserPool
Domain: "my-test-user-pool-domain.myapplication.com"
CustomDomainConfig:
CertificateArn: !Ref CertificateArn
Creating a new default domain for a user pool
The following example creates a new default domain, "my-test-user-pool-domain", in the referenced user
pool.

1402
Amazon Cognito
JSON
{
"UserPoolDomain": {
"Type": "AWS::Cognito::UserPoolDomain",
"Properties": {
"UserPoolId": {"Ref" : "UserPool"},
"Domain": "my-test-user-pool-domain"
}
}
}
YAML
UserPoolDomain:
Properties:
Domain: "my-test-user-pool-domain"
AWS::Cognito::UserPoolDomain CustomDomainConfigType
The configuration for a custom domain that hosts the sign-up and sign-in webpages for your application.
Syntax
JSON
{
"CertificateArn" : String
}
YAML
Properties
CertificateArn
The Amazon Resource Name (ARN) of an AWS Certificate Manager SSL certificate. You use this
certificate for the subdomain of your custom domain.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

1403
Amazon Cognito
AWS::Cognito::UserPoolGroup
Specifies a new group in the identified user pool.
Calling this action requires developer credentials.
Syntax
JSON
{
"Type" : "AWS::Cognito::UserPoolGroup",
"Properties" : {
"Precedence" : Double,
"RoleArn" : String,
}
}
YAML
Type: AWS::Cognito::UserPoolGroup
Properties:
Description: String
GroupName: String
Precedence: Double
RoleArn: String
UserPoolId: String
Properties
Description
A string containing the description of the group.
Required: No
Type: String
Maximum: 2048

GroupName
The name of the group. Must be unique.
Required: No
Type: String
Minimum: 1
Maximum: 128

1404
Amazon Cognito

Precedence
A nonnegative integer value that specifies the precedence of this group relative to the other groups
that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower
Precedence values take precedence over groups with higher or null Precedence values. If a user
belongs to two or more groups, it is the group with the lowest precedence value whose role ARN will
be used in the cognito:roles and cognito:preferred_role claims in the user's tokens.
Two groups can have the same Precedence value. If this happens, neither group takes precedence
over the other. If two groups with the same Precedence have the same role ARN, that role is used
in the cognito:preferred_role claim in tokens for users in each group. If the two groups have
different role ARNs, the cognito:preferred_role claim is not set in users' tokens.
The default Precedence value is null.
Required: No
Type: Double
Minimum: 0

RoleArn
The role ARN for the group.
Required: No
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?

UserPoolId
The user pool ID for the user pool.
Required: Yes
Type: String
Minimum: 1
Maximum: 55
Return Values
Ref
user pool group. For example: Admins.

1405
Amazon Cognito
AWS::Cognito::UserPoolIdentityProvider
The AWS::Cognito::UserPoolIdentityProvider resource creates an identity provider for a user
pool.
Syntax
JSON
{
"Type" : "AWS::Cognito::UserPoolIdentityProvider",
"Properties" : {
"AttributeMapping" : Json,
"IdpIdentifiers" : [ String, ... ],
"ProviderDetails" : Json,
"ProviderName" : String,
"ProviderType" : String,
}
}
YAML
Type: AWS::Cognito::UserPoolIdentityProvider
Properties:
AttributeMapping: Json
IdpIdentifiers:
- String
ProviderDetails: Json
ProviderName: String
ProviderType: String
UserPoolId: String
Properties
AttributeMapping
A mapping of identity provider attributes to standard and custom user pool attributes.
Required: No
Type: Json

IdpIdentifiers
A list of identity provider identifiers.
Required: No
Maximum: 50

1406
Amazon Cognito
ProviderDetails
The identity provider details, such as MetadataURL and MetadataFile.
Required: No
Type: Json

ProviderName
The identity provider name.
Required: Yes
Type: String
Minimum: 1
Maximum: 32
Pattern: [^_][\p{L}\p{M}\p{S}\p{N}\p{P}][^_]+

ProviderType
The identity provider type.
Required: Yes
Type: String
Allowed Values: Facebook | Google | LoginWithAmazon | OIDC | SAML |

SignInWithApple

UserPoolId
The user pool ID.
Required: Yes
Type: String
Minimum: 1
Maximum: 55
Return Values
Ref
physicalResourceId, which is “ProviderName". For example:
{ "Ref": "testProvider" }

1407
Amazon Cognito
For the Amazon Cognito identity provider testProvider, Ref returns the name of the identity provider.
Examples
Creating a new identity provider
The following example creates the identity provider "YourProviderName" in the referenced user pool.
JSON
{
"UserPoolIdentityProvider": {
"Type": "AWS::Cognito::UserPoolIdentityProvider",
"Properties": {
"UserPoolId": {"Ref": "UserPool"},
"ProviderName": "YourProviderName",
"ProviderDetails": {
"MetadataURL": "YourMetadataURL"
},
"ProviderType": "SAML",
"AttributeMapping": {
"Email": "Attribute"
},
"IdpIdentifiers": [
"IdpIdentifier"
]
}
}
}
YAML
UserPoolIdentityProvider:
Type: AWS::Cognito::UserPoolIdentityProvider
Properties:
ProviderName: "YourProviderName"
ProviderDetails:
MetadataURL: "YourMetadataURL"
ProviderType: "SAML"
AttributeMapping:
Email: "Attribute"
IdpIdentifiers:
- "IdpIdentifier"
AWS::Cognito::UserPoolResourceServer
The AWS::Cognito::UserPoolResourceServer resource creates a new OAuth2.0 resource server
and defines custom scopes in it.
Syntax
JSON

1408
Amazon Cognito
"Type" : "AWS::Cognito::UserPoolResourceServer",
"Properties" : {
"Identifier" : String,
"Name" : String,
"Scopes" : [ ResourceServerScopeType (p. 1411), ... ],
}
}
YAML
Type: AWS::Cognito::UserPoolResourceServer
Properties:
Identifier: String
Name: String
Scopes:
- ResourceServerScopeType (p. 1411)
UserPoolId: String
Properties
Identifier
A unique resource server identifier for the resource server. This could be an HTTPS endpoint where
the resource server is located. For example: https://my-weather-api.example.com.
Required: Yes
Type: String
Minimum: 1
Maximum: 256
Pattern: [\x21\x23-\x5B\x5D-\x7E]+

Name
A friendly name for the resource server.
Required: Yes
Type: String
Minimum: 1
Maximum: 256

Scopes
A list of scopes. Each scope is a map, where the keys are name and the values are description for
the scope.
Required: No
Type: List of ResourceServerScopeType (p. 1411)

1409
Amazon Cognito
Maximum: 100

UserPoolId
Required: Yes
Type: String
Minimum: 1
Maximum: 55
Return Values
Ref
physicalResourceId, which is the resource server identifier “Identifier". For example:
{ "Ref": "yourResourceServerIdentifier" }
For the Amazon Cognito resource server yourResourceServerIdentifier, Ref returns the name of
the resource server.
Examples
Creating a new resource server for a user pool
The following example creates a resource server "Name" with the identifier "Identifier" in the referenced
user pool.
JSON
{
"UserPoolResourceServer": {
"Type": "AWS::Cognito::UserPoolResourceServer",
"Properties": {
"Identifier": "Identifier",
"Name": "Name",
"Scopes": [
{ "ScopeName": "ScopeName1",
"ScopeDescription": "description"
},
{
"ScopeName": "ScopeName2",
"ScopeDescription": "description"
}
]
}
}

1410
Amazon Cognito
YAML
UserPoolResourceServer:
Type: AWS::Cognito::UserPoolResourceServer
Properties:
Identifier: "Identifier"
Name: "Name"
Scopes:
- ScopeName: "ScopeName1"
ScopeDescription: "description"
- ScopeName: "ScopeName2"
ScopeDescription: "description"
AWS::Cognito::UserPoolResourceServer ResourceServerScopeType
A resource server scope.
Syntax
JSON
{
"ScopeDescription" : String,
"ScopeName" : String
}
YAML
ScopeDescription: String
ScopeName: String
Properties
ScopeDescription
A description of the scope.
Required: Yes
Type: String
Minimum: 1
Maximum: 256

ScopeName
The name of the scope.
Required: Yes
Type: String

1411
Amazon Cognito
Minimum: 1
Maximum: 256
Pattern: [\x21\x23-\x2E\x30-\x5B\x5D-\x7E]+
AWS::Cognito::UserPoolRiskConfigurationAttachment
The AWS::Cognito::UserPoolRiskConfigurationAttachment resource sets the risk configuration
that is used for Amazon Cognito advanced security features.
You can specify risk configuration for a single client (with a specific clientId) or for all clients (by
setting the clientId to ALL). If you specify ALL, the default configuration is used for every client that
has had no risk configuration set previously. If you specify risk configuration for a particular client, it no
longer falls back to the ALL configuration.
Syntax
JSON
{
"Type" : "AWS::Cognito::UserPoolRiskConfigurationAttachment",
"Properties" : {
"AccountTakeoverRiskConfiguration" : AccountTakeoverRiskConfigurationType (p. 1417),
"CompromisedCredentialsRiskConfiguration" : CompromisedCredentialsRiskConfigurationType (p. 1419),

"RiskExceptionConfiguration" : RiskExceptionConfigurationType (p. 1422),
}
}
YAML
Type: AWS::Cognito::UserPoolRiskConfigurationAttachment
Properties:
AccountTakeoverRiskConfiguration:
AccountTakeoverRiskConfigurationType (p. 1417)
ClientId: String
CompromisedCredentialsRiskConfiguration:
CompromisedCredentialsRiskConfigurationType (p. 1419)
RiskExceptionConfiguration:
RiskExceptionConfigurationType (p. 1422)
UserPoolId: String
Properties
AccountTakeoverRiskConfiguration
The account takeover risk configuration object including the NotifyConfiguration object and
Actions to take in the case of an account takeover.
Required: No
Type: AccountTakeoverRiskConfigurationType (p. 1417)

1412
Amazon Cognito

ClientId
The app client ID. You can specify the risk configuration for a single client (with a specific ClientId) or
for all clients (by setting the ClientId to ALL).
Required: Yes
Type: String
Minimum: 1
Maximum: 128
Pattern: [\w+]+

CompromisedCredentialsRiskConfiguration
The compromised credentials risk configuration object including the EventFilter and the
EventAction
Required: No
Type: CompromisedCredentialsRiskConfigurationType (p. 1419)

RiskExceptionConfiguration
The configuration to override the risk decision.
Required: No
Type: RiskExceptionConfigurationType (p. 1422)

UserPoolId
The user pool ID.
Required: Yes
Type: String
Minimum: 1
Maximum: 55
Return Values
Ref
physicalResourceId, which is “UserPoolRiskConfigurationAttachment-UserPoolId-ClientId". For example:

1413
Amazon Cognito
{ "Ref": “UserPoolRiskConfigurationAttachment-us-
east-1_FAKEPOOLID-2asc123fakeclientidajjulj6bh” }
For the Amazon Cognito risk configuration attachment UserPoolRiskConfigurationAttachment-

us-east-1_FAKEPOOLID-2asc123fakeclientidajjulj6bh, Ref returns the name of the risk
configuration attachment.
Examples
Creating a new risk configuration attachment for a user pool
The following example sets risk configurations in the referenced user pool and client.
JSON
{
"UserPoolRiskConfiguration": {
"Type": "AWS::Cognito::UserPoolRiskConfigurationAttachment",
"Properties": {
"ClientId": {"Ref": "Client"},
"AccountTakeoverRiskConfiguration": {
"Actions": {
"HighAction": {
"EventAction": "MFA_REQUIRED",
"Notify": true,
},
"MediumAction": {
"EventAction": "MFA_IF_CONFIGURED",
"Notify": true
},
"LowAction": {
"EventAction": {"Ref": "EventAction"},
"Notify": false
}
},
"NotifyConfiguration": {
"BlockEmail": {
"HtmlBody": "html body",
"Subject": "Your account got blocked",
"TextBody": "Your account got blocked"
},
"MfaEmail": {
"HtmlBody": "html body",
"Subject": "Your account needs MFA verification",
"TextBody": "Your account needs MFA verification"
},
"NoActionEmail": {
"HtmlBody": {"Ref": "HtmlBody"},
"Subject": {"Ref": "Subject"},
"TextBody": {"Ref": "TextBody"},
}, "From": "your-from-email@amazon.com",
"SourceArn": {"Ref": "SourceArn"},
"ReplyTo": "your-reply-to@amazon.com"
}
},
"CompromisedCredentialsRiskConfiguration": {
"Actions": {
"EventAction": "BLOCKED"
},
"EventFilter": [
{"Ref": "EventFilter"},

1414
Amazon Cognito
]
},
"RiskExceptionConfiguration": {
"BlockedIPRangeList": [
"198.0.0.1"
],
"SkippedIPRangeList": [
"198.0.0.1"
]
}
}
}
}
YAML
UserPoolRiskConfiguration:
Type: AWS::Cognito::UserPoolRiskConfigurationAttachment
Properties:
ClientId: !Ref Client
AccountTakeoverRiskConfiguration:
Actions:
HighAction:
EventAction: "MFA_REQUIRED"
Notify: True
MediumAction:
EventAction: "MFA_IF_CONFIGURED"
Notify: True
LowAction:
EventAction: !Ref LowEventAction
Notify: False
NotifyConfiguration:
BlockEmail:
HtmlBody: "html body"
Subject: "Your account got blocked"
TextBody: "Your account got blocked"
MfaEmail:
HtmlBody: "html body"
Subject: : "Your account needs MFA verification"
TextBody: "Your account needs MFA verification"
NoActionEmail:
HtmlBody: !Ref HtmlBody
Subject: !Ref Subject
TextBody: !Ref TextBody
From: "your-from-email@amazon.com"
SourceArn: !Ref SourceArn
ReplyTo: "your-reply-to@amazon.com"
CompromisedCredentialsRiskConfiguration:
Actions:
EventAction: "BLOCKED"
EventFilter:
- !Ref EventFilter
RiskExceptionConfiguration:
BlockedIPRangeList:
- "198.0.0.1"
SkippedIPRangeList:
- "198.0.0.1"
AccountTakeoverActionsType
Account takeover actions type.

1415
Amazon Cognito
Syntax
JSON
{
"HighAction" : AccountTakeoverActionType (p. 1416),
"LowAction" : AccountTakeoverActionType (p. 1416),
"MediumAction" : AccountTakeoverActionType (p. 1416)
}
YAML
HighAction:
AccountTakeoverActionType (p. 1416)
LowAction:
MediumAction:
Properties
HighAction
Action to take for a high risk.
Required: No
Type: AccountTakeoverActionType (p. 1416)

LowAction
Action to take for a low risk.
Required: No

MediumAction
Action to take for a medium risk.
Required: No
AccountTakeoverActionType
Account takeover action type.
Syntax

1416
Amazon Cognito
JSON
{
"EventAction" : String,
"Notify" : Boolean
}
YAML
EventAction: String
Notify: Boolean
Properties
EventAction
The event action.

• BLOCK Choosing this action will block the request.
• MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.
• MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.
• NO_ACTION Allow the user sign-in.
Required: Yes
Type: String
Allowed Values: BLOCK | MFA_IF_CONFIGURED | MFA_REQUIRED | NO_ACTION

Notify
Flag specifying whether to send a notification.
Required: Yes
Type: Boolean
AccountTakeoverRiskConfigurationType
Configuration for mitigation actions and notification for different levels of risk detected for a potential
account takeover.
Syntax
JSON
{
"Actions" : AccountTakeoverActionsType (p. 1415),
"NotifyConfiguration" : NotifyConfigurationType (p. 1419)
}

1417
Amazon Cognito
YAML
Actions:
AccountTakeoverActionsType (p. 1415)
NotifyConfiguration:
NotifyConfigurationType (p. 1419)
Properties
Actions
Account takeover risk configuration actions
Required: Yes
Type: AccountTakeoverActionsType (p. 1415)

NotifyConfiguration
The notify configuration used to construct email notifications.
Required: No
Type: NotifyConfigurationType (p. 1419)
CompromisedCredentialsActionsType
The compromised credentials actions type
Syntax
JSON
{
"EventAction" : String
}
YAML
EventAction: String
Properties
EventAction
The event action.
Required: Yes
Type: String
Allowed Values: BLOCK | NO_ACTION

1418
Amazon Cognito
CompromisedCredentialsRiskConfigurationType
The compromised credentials risk configuration type.
Syntax
JSON
{
"Actions" : CompromisedCredentialsActionsType (p. 1418),
"EventFilter" : [ String, ... ]
}
YAML
Actions:
CompromisedCredentialsActionsType (p. 1418)
EventFilter:
- String
Properties
Actions
The compromised credentials risk configuration actions.
Required: Yes
Type: CompromisedCredentialsActionsType (p. 1418)

EventFilter
Perform the action for these events. The default is to perform all events if no event filter is specified.
Required: No
AWS::Cognito::UserPoolRiskConfigurationAttachment NotifyConfigurationType
The notify configuration type.
Syntax
JSON

1419
Amazon Cognito
"BlockEmail" : NotifyEmailType (p. 1421),

"From" : String,
"MfaEmail" : NotifyEmailType (p. 1421),
"NoActionEmail" : NotifyEmailType (p. 1421),
"ReplyTo" : String,
"SourceArn" : String
}
YAML
BlockEmail:
NotifyEmailType (p. 1421)
From: String
MfaEmail:
NoActionEmail:
ReplyTo: String
SourceArn: String
Properties
BlockEmail
Email template used when a detected risk event is blocked.
Required: No
Type: NotifyEmailType (p. 1421)

From
The email address that is sending the email. It must be either individually verified with Amazon SES,
or from a domain that has been verified with Amazon SES.
Required: No
Type: String

MfaEmail
The MFA email template used when MFA is challenged as part of a detected risk.
Required: No

NoActionEmail
The email template used when a detected risk event is allowed.
Required: No

1420
Amazon Cognito
ReplyTo
The destination to which the receiver of an email should reply to.
Required: No
Type: String

SourceArn
The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization
policy. It permits Amazon Cognito to send for the email address specified in the From parameter.
Required: Yes
Type: String
Minimum: 20
Maximum: 2048
Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:
[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?
AWS::Cognito::UserPoolRiskConfigurationAttachment NotifyEmailType
The notify email type.
Syntax
JSON
{
"HtmlBody" : String,
"Subject" : String,
"TextBody" : String
}
YAML
HtmlBody: String
Subject: String
TextBody: String
Properties
HtmlBody
The HTML body.
Required: No
Type: String
Minimum: 6

1421
Amazon Cognito
Maximum: 20000
Pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\s*]+

Subject
The subject.
Required: Yes
Type: String
Minimum: 1
Maximum: 140

TextBody
The text body.
Required: No
Type: String
Minimum: 6
Maximum: 20000
Pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\s*]+
RiskExceptionConfigurationType
The type of the configuration to override the risk decision.
Syntax
JSON
{
"BlockedIPRangeList" : [ String, ... ],
"SkippedIPRangeList" : [ String, ... ]
}
YAML
BlockedIPRangeList:
- String
SkippedIPRangeList:
- String

1422
Amazon Cognito
Properties
BlockedIPRangeList
Overrides the risk decision to always block the pre-authentication requests. The IP range is in CIDR
notation: a compact representation of an IP address and its associated routing prefix.
Required: No
Maximum: 20

SkippedIPRangeList
Risk detection is not performed on the IP addresses in the range list. The IP range is in CIDR
notation.
Required: No
Maximum: 20
AWS::Cognito::UserPoolUICustomizationAttachment
The AWS::Cognito::UserPoolUICustomizationAttachment resource sets the UI customization
information for a user pool's built-in app UI.
You can specify app UI customization settings for a single client (with a specific clientId) or for all
clients (by setting the clientId to ALL). If you specify ALL, the default configuration is used for every
client that has had no UI customization set previously. If you specify UI customization settings for a
particular client, it no longer falls back to the ALL configuration.
Note
Before you create this resource, your user pool must have a domain associated with it. You can
create an AWS::Cognito::UserPoolDomain resource first in this user pool.
Setting a logo image isn't supported from AWS CloudFormation. Use the Amazon Cognito
SetUICustomization API operation to set the image.
Syntax
JSON
{
"Type" : "AWS::Cognito::UserPoolUICustomizationAttachment",
"Properties" : {
"CSS" : String,
}
}

1423
Amazon Cognito
YAML
Type: AWS::Cognito::UserPoolUICustomizationAttachment
Properties:
ClientId: String
CSS: String
UserPoolId: String
Properties
ClientId
The client ID for the client app. You can specify the UI customization settings for a single client (with
a specific clientId) or for all clients (by setting the clientId to ALL).
Required: Yes
Type: String
Minimum: 1
Maximum: 128
Pattern: [\w+]+

CSS
The CSS values in the UI customization.
Required: No
Type: String

UserPoolId
Required: Yes
Type: String
Minimum: 1
Maximum: 55
Return Values
Ref
physicalResourceId, which is “UserPoolUICustomizationAttachment-UserPoolId-ClientId". For example:
{ "Ref": "UserPoolUICustomizationAttachment-us-
east-1_FAKEPOOLID-2asc123fakeclientidajjulj6bh" }

1424
Amazon Cognito
For the Amazon Cognito user pool domain UserPoolUICustomizationAttachment-us-

east-1_FAKEPOOLID-2asc123fakeclientidajjulj6bh, Ref returns the name of the UI
customization attachment.
Examples
Creating a new UI customization attachment for a user pool
The following example sets UI customization settings in the referenced user pool and client.
JSON
{
"UserPoolUICustomization": {
"Type": "AWS::Cognito::UserPoolUICustomizationAttachment",
"Properties": {
"ClientId": {"Ref": "Client"},
"CSS": ".banner-customizable {\nbackground: linear-gradient(#9940B8,
#C27BDB)\n}"
}
}
}
YAML
UserPoolUICustomization:
Type: AWS::Cognito::UserPoolUICustomizationAttachment
Properties:
ClientId: !Ref Client
CSS: ".banner-customizable {
background: linear-gradient(#9940B8, #C27BDB)
}"
AWS::Cognito::UserPoolUser
The AWS::Cognito::UserPoolUser resource creates an Amazon Cognito user pool user.
Syntax
JSON
{
"Type" : "AWS::Cognito::UserPoolUser",
"Properties" : {
"ClientMetadata" : Json,
"DesiredDeliveryMediums" : [ String, ... ],
"ForceAliasCreation" : Boolean,
"MessageAction" : String,
"UserAttributes" : [ AttributeType (p. 1429), ... ],
"Username" : String,
"UserPoolId" : String,
"ValidationData" : [ AttributeType (p. 1429), ... ]
}

1425
Amazon Cognito
YAML
Type: AWS::Cognito::UserPoolUser
Properties:
ClientMetadata: Json
DesiredDeliveryMediums:
- String
ForceAliasCreation: Boolean
MessageAction: String
UserAttributes:
- AttributeType (p. 1429)
Username: String
UserPoolId: String
ValidationData:
- AttributeType (p. 1429)
Properties
ClientMetadata
A map of custom key-value pairs that you can provide as input for the custom workflow that is
invoked by the pre sign-up trigger.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you
create a UserPoolUser resource and include the ClientMetadata property, Amazon Cognito
invokes the function that is assigned to the pre sign-up trigger. When Amazon Cognito invokes
this function, it passes a JSON payload, which the function receives as input. This payload contains
a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata
property. In your function code in AWS Lambda, you can process the clientMetadata value to
enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon
Cognito Developer Guide.
Note
Take the following limitations into consideration when you use the ClientMetadata
parameter:
• Amazon Cognito does not store the ClientMetadata value. This data is available only to
AWS Lambda triggers that are assigned to a user pool to support custom workflows. If
your user pool configuration does not include triggers, the ClientMetadata parameter
serves no purpose.
• Amazon Cognito does not validate the ClientMetadata value.
• Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide
sensitive information.
Required: No
Type: Json

DesiredDeliveryMediums
Specify "EMAIL" if email will be used to send the welcome message. Specify "SMS" if the phone
number will be used. The default value is "SMS". More than one value can be specified.
Required: No

1426
Amazon Cognito

ForceAliasCreation
This parameter is only used if the phone_number_verified or email_verified attribute is set

to True. Otherwise, it is ignored.
If this parameter is set to True and the phone number or email address specified in the
UserAttributes parameter already exists as an alias with a different user, the API call will migrate the
alias from the previous user to the newly created user. The previous user will no longer be able to
log in using that alias.
If this parameter is set to False, the API throws an AliasExistsException error if the alias
already exists. The default value is False.
Required: No
Type: Boolean

MessageAction
Set to "RESEND" to resend the invitation message to a user that already exists and reset the
expiration limit on the user's account. Set to "SUPPRESS" to suppress sending the message. Only
one value can be specified.
Required: No
Type: String
Allowed Values: RESEND | SUPPRESS

UserAttributes
An array of name-value pairs that contain user attributes and attribute values to be set for the
user to be created. You can create a user without specifying any attributes other than Username.
However, any attributes that you specify as required (in https://docs.aws.amazon.com/cognito-user-
identity-pools/latest/APIReference/API_CreateUserPool.html or in the Attributes tab of the console)
must be supplied either by you (in your call to AdminCreateUser) or by the user (when they sign up
in response to your welcome message).
For custom attributes, you must prepend the custom: prefix to the attribute name.
To send a message inviting the user to sign up, you must specify the user's email address or phone
number. This can be done in your call to AdminCreateUser or in the Users tab of the Amazon
Cognito console for managing your user pools.
In your call to AdminCreateUser, you can set the email_verified attribute to True,
and you can set the phone_number_verified attribute to True. (You can also do this by
calling https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/
API_AdminUpdateUserAttributes.html.)
• email: The email address of the user to whom the message that contains the code and user name
will be sent. Required if the email_verified attribute is set to True, or if "EMAIL" is specified
in the DesiredDeliveryMediums parameter.
• phone_number: The phone number of the user to whom the message that contains the code and
user name will be sent. Required if the phone_number_verified attribute is set to True, or if
"SMS" is specified in the DesiredDeliveryMediums parameter.

1427
Amazon Cognito
Required: No
Type: List of AttributeType (p. 1429)

Username
The username for the user. Must be unique within the user pool. Must be a UTF-8 string between 1
and 128 characters. After the user is created, the username cannot be changed.
Required: No
Type: String
Minimum: 1
Maximum: 128

UserPoolId
The user pool ID for the user pool where the user will be created.
Required: Yes
Type: String
Minimum: 1
Maximum: 55

ValidationData
The user's validation data. This is an array of name-value pairs that contain user attributes and
attribute values that you can use for custom validation, such as restricting the types of user accounts
that can be registered. For example, you might choose to allow or disallow user sign-up based on the
user's domain.
To configure custom validation, you must create a Pre Sign-up Lambda trigger for the user pool as
described in the Amazon Cognito Developer Guide. The Lambda trigger receives the validation data
and uses it in the validation process.
The user's validation data is not persisted.
Required: No
Type: List of AttributeType (p. 1429)
Return Values
Ref
user. For example: admin.

1428
Amazon Cognito
AWS::Cognito::UserPoolUser AttributeType
Specifies whether the attribute is standard or custom.
Syntax
JSON
{
"Name" : String,
"Value" : String
}
YAML
Name: String
Value: String
Properties
Name
The name of the attribute.
Required: No
Type: String
Minimum: 1
Maximum: 32

Value
The value of the attribute.
Required: No
Type: String
Maximum: 2048
AWS::Cognito::UserPoolUserToGroupAttachment
Adds the specified user to the specified group.
Calling this action requires developer credentials.

1429
Amazon Cognito
Syntax
JSON
{
"Type" : "AWS::Cognito::UserPoolUserToGroupAttachment",
"Properties" : {
"Username" : String,
}
}
YAML
Type: AWS::Cognito::UserPoolUserToGroupAttachment
Properties:
GroupName: String
Username: String
UserPoolId: String
Properties
GroupName
The group name.
Required: Yes
Type: String
Minimum: 1
Maximum: 128

Username
The username for the user.
Required: Yes
Type: String
Minimum: 1
Maximum: 128

UserPoolId
Required: Yes

1430
Config
Type: String
Minimum: 1
Maximum: 55
Return Values
Ref
such as UserToGroupAttachment-YejJvzrEXAMPLE.
Config Resource Type Reference

Resource Types
• AWS::Config::AggregationAuthorization (p. 1431)

• AWS::Config::ConfigRule (p. 1440)
• AWS::Config::ConfigurationAggregator (p. 1450)
• AWS::Config::ConfigurationRecorder (p. 1454)
• AWS::Config::DeliveryChannel (p. 1458)
• AWS::Config::OrganizationConfigRule (p. 1462)
• AWS::Config::RemediationConfiguration (p. 1470)
AWS::Config::AggregationAuthorization
An object that represents the authorizations granted to aggregator accounts and regions.
Syntax
JSON
{
"Type" : "AWS::Config::AggregationAuthorization",
"Properties" : {
"AuthorizedAccountId" : String,
"AuthorizedAwsRegion" : String
}
}
YAML
Type: AWS::Config::AggregationAuthorization
Properties:
AuthorizedAccountId: String

1431
Config
AuthorizedAwsRegion: String
Properties
AuthorizedAccountId
The 12-digit account ID of the account authorized to aggregate data.
Required: Yes
Type: String
Pattern: \d{12}

AuthorizedAwsRegion
The region authorized to collect aggregated data.
Required: Yes
Type: String
Minimum: 1
Maximum: 64
Return Values
Ref
AggregationAuthorization, such as arn:aws:config:us-east-1:123456789012:aggregation-
authorization/987654321012/us-west-2.
Examples
Authorize Another Account
The following example creates an AggregationAuthorization that authorizes another account to

aggregate your AWS Config data into a specific region.
JSON
"AggregationAuthorization": {
"Type": "AWS::Config::AggregationAuthorization",
"Properties": {
"AuthorizedAccountId": 123456789012,
"AuthorizedAwsRegion": "us-west-2"
}
}
YAML
AggregationAuthorization:

1432
Config
Type: "AWS::Config::AggregationAuthorization"
Properties:
AuthorizedAccountId: 123456789012
AuthorizedAwsRegion: us-west-2
Aggregation Authorization
The following example enables AWS Config and creates an AWS Config rule, an aggregator, and an
authorization.
JSON
{
"Description": "Enable AWS Config",
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {
"default": "Configuration Recorder Configuration"
},
"Parameters": [
"GlobalResourceTypesRegion"
]
},
{
"Label": {
"default": "Configuration Aggregator Configuration"
},
"Parameters": [
"AggregatorAccount",
"AggregatorRegion",
"SourceAccounts",
"SourceRegions"
]
}
],
"ParameterLabels": {
"GlobalResourceTypesRegion": {
"default": "Global resource types region"
},
"AggregatorAccount": {
"default": "Aggregator account"
},
"AggregatorRegion": {
"default": "Aggregator account"
},
"SourceAccounts": {
"default": "Source accounts"
},
"SourceRegions": {
"default": "Source regions"
}
}
}
},
"Parameters": {
"GlobalResourceTypesRegion": {
"Type": "String",
"Default": "us-east-1",
"Description": "AWS region used to record global resources types"
},
"AggregatorAccount": {

1433
Config
"Type": "String",
"Description": "Account ID of the aggregator"
},
"AggregatorRegion": {
"Type": "String",
"Default": "us-east-1",
"Description": "AWS region of the aggregator"
},
"SourceAccounts": {
"Description": "List of source accounts to aggregate"
},
"SourceRegions": {
"Description": "List of regions to aggregate"
}
},
"Conditions": {
"IncludeGlobalResourceTypes": {
"Fn::Equals": [
{
"Ref": "GlobalResourceTypesRegion"
},
{
}
]
},
"CreateAggregator": {
"Fn::And": [
{
"Fn::Equals": [
{
"Ref": "AggregatorAccount"
},
{
}
]
},
{
"Fn::Equals": [
{
"Ref": "AggregatorRegion"
},
{
}
]
}
]
},
"CreateAuthorization": {
"Fn::Not": [
{
"Fn::Equals": [
{
},
{
}
]
}
]
}

1434
Config
},
"Resources": {
"ConfigBucket": {
},
"ConfigBucketPolicy": {
"Properties": {
"Bucket": {
"Ref": "ConfigBucket"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com"
]
},
"Action": "s3:GetBucketAcl",
"Resource": [
{
"Fn::Sub": "arn:aws:s3:::${ConfigBucket}"
}
]
},
{
"Sid": "AWSConfigBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": [
]
},
"Action": "s3:PutObject",
"Resource": [
{
"Fn::Sub": "arn:aws:s3:::${ConfigBucket}/AWSLogs/
${AWS::AccountId}/*"
}
]
}
]
}
}
},
"ConfigRecorderRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
]
},
"Action": [
"sts:AssumeRole"
]

1435
Config
}
]
},
"Path": "/",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSConfigRole"
]
}
},
"ConfigRecorder": {
"Type": "AWS::Config::ConfigurationRecorder",
"DependsOn": [
"ConfigRecorderRole",
"ConfigBucketPolicy"
],
"Properties": {
"RoleARN": {
"Fn::GetAtt": [
"ConfigRecorderRole",
"Arn"
]
},
"RecordingGroup": {
"AllSupported": true,
"IncludeGlobalResourceTypes": {
"Fn::If": [
"IncludeGlobalResourceTypes",
true,
false
]
}
}
}
},
"DeliveryChannel": {
"Type": "AWS::Config::DeliveryChannel",
"DependsOn": [
"ConfigBucketPolicy"
],
"Properties": {
"Name": "default",
"S3BucketName": {
"Ref": "ConfigBucket"
}
}
},
"S3BucketPublicReadRule": {
"Type": "AWS::Config::ConfigRule",
"DependsOn": [
"ConfigRecorder"
],
"Properties": {
"ConfigRuleName": "stackset-s3-bucket-public-read-prohibited",
"Description": "s3-bucket-public-read-prohibited from stackset",
"Scope": {
"ComplianceResourceTypes": [
"AWS::S3::Bucket"
]
},
"Source": {
"Owner": "AWS",
"SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
}
}
},
"ConfigAggregator": {

1436
Config
"Type": "AWS::Config::ConfigurationAggregator",
"Condition": "CreateAggregator",
"Properties": {
"Name": "default",
"AccountAggregationSources": [
{
"AccountIds": {
"Ref": "SourceAccounts"
},
"AwsRegions": {
"Ref": "SourceRegions"
}
}
]
}
},
"AggregationAuthorization": {
"Type": "AWS::Config::AggregationAuthorization",
"Condition": "CreateAuthorization",
"Properties": {
"AuthorizedAccountId": {
},
"AuthorizedAwsRegion": {
"Ref": "AggregatorRegion"
}
}
}
}
}
YAML
Description: Enable AWS Config
Metadata:
ParameterGroups:
- Label:
default: Configuration Recorder Configuration
Parameters:
- GlobalResourceTypesRegion
- Label:
default: Configuration Aggregator Configuration
Parameters:
- AggregatorAccount
- AggregatorRegion
- SourceAccounts
- SourceRegions
ParameterLabels:
GlobalResourceTypesRegion:
default: Global resource types region
AggregatorAccount:
default: Aggregator account
AggregatorRegion:
default: Aggregator region
SourceAccounts:
default: Source accounts
SourceRegions:
default: Source regions
Parameters:
GlobalResourceTypesRegion:

1437
Config
Type: String
Default: us-east-1
Description: AWS region used to record global resources types
AggregatorAccount:
Type: String
Description: Account ID of the aggregator
AggregatorRegion:
Type: String
Default: us-east-1
Description: AWS region of the aggregator
SourceAccounts:
Description: List of source accounts to aggregate
SourceRegions:
Description: List of regions to aggregate
Conditions:
IncludeGlobalResourceTypes: !Equals
- !Ref GlobalResourceTypesRegion
- !Ref AWS::Region
CreateAggregator: !And
- !Equals
- !Ref AggregatorAccount
- !Ref AWS::AccountId
- !Equals
- !Ref AggregatorRegion
- !Ref AWS::Region
CreateAuthorization: !Not
- !Equals
- !Ref AggregatorAccount
- !Ref AWS::AccountId
Resources:
ConfigBucket:
ConfigBucketPolicy:
Properties:
Bucket: !Ref ConfigBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AWSConfigBucketPermissionsCheck
Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action: s3:GetBucketAcl
Resource:
- !Sub "arn:aws:s3:::${ConfigBucket}"
- Sid: AWSConfigBucketDelivery
Effect: Allow
Principal:
Service:
Action: s3:PutObject
Resource:
- !Sub "arn:aws:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"
ConfigRecorderRole:
Properties:

1438
Config
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSConfigRole
ConfigRecorder:
Type: AWS::Config::ConfigurationRecorder
DependsOn:
- ConfigRecorderRole
- ConfigBucketPolicy
Properties:
RoleARN: !GetAtt ConfigRecorderRole.Arn
RecordingGroup:
AllSupported: True
IncludeGlobalResourceTypes: !If
- IncludeGlobalResourceTypes
- True
- False
DeliveryChannel:
Type: AWS::Config::DeliveryChannel
DependsOn:
- ConfigBucketPolicy
Properties:
Name: default
S3BucketName: !Ref ConfigBucket
S3BucketPublicReadRule:
Type: AWS::Config::ConfigRule
DependsOn:
- ConfigRecorder
Properties:
ConfigRuleName: stackset-s3-bucket-public-read-prohibited
Description: s3-bucket-public-read-prohibited from stackset
Scope:
ComplianceResourceTypes:
- AWS::S3::Bucket
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
ConfigAggregator:
Type: AWS::Config::ConfigurationAggregator
Condition: CreateAggregator
Properties:
ConfigurationAggregatorName: default
AccountAggregationSources:
- AccountIds: !Ref SourceAccounts
AwsRegions: !Ref SourceRegions
AggregationAuthorization:
Type: AWS::Config::AggregationAuthorization
Condition: CreateAuthorization
Properties:
AuthorizedAccountId: !Ref AggregatorAccount
AuthorizedAwsRegion: !Ref AggregatorRegion

1439
Config
AWS::Config::ConfigRule
Specifies an AWS Config rule for evaluating whether your AWS resources comply with your desired
configurations.
You can use this action for custom AWS Config rules and AWS managed Config rules. A custom AWS
Config rule is a rule that you develop and maintain. An AWS managed Config rule is a customizable,
predefined rule that AWS Config provides.
If you are adding a new custom AWS Config rule, you must first create the AWS Lambda function that
the rule invokes to evaluate your resources. When you use the PutConfigRule action to add the rule
to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the
function. Specify the ARN for the SourceIdentifier key. This key is part of the Source object, which
is part of the ConfigRule object.
If you are adding an AWS managed Config rule, specify the rule's identifier for the SourceIdentifier
key. To reference AWS managed Config rule identifiers, see About AWS Managed Config Rules.
For any new rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify
the ConfigRuleArn or the ConfigRuleId. These values are generated by AWS Config for new rules.
If you are updating a rule that you added previously, you can specify the rule by ConfigRuleName,
ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.
The maximum number of rules that AWS Config supports is 150.
For information about requesting a rule limit increase, see AWS Config Limits in the AWS General
Reference Guide.
For more information about developing and using AWS Config rules, see Evaluating AWS Resource
Configurations with AWS Config in the AWS Config Developer Guide.
Syntax
JSON
{
"Type" : "AWS::Config::ConfigRule",
"Properties" : {
"ConfigRuleName" : String,
"InputParameters" : Json,
"MaximumExecutionFrequency" : String,
"Scope" : Scope (p. 1446),
"Source" : Source (p. 1447)
}
}
YAML
Properties:
ConfigRuleName: String
Description: String
InputParameters: Json
MaximumExecutionFrequency: String
Scope:
Scope (p. 1446)
Source:

1440
Config
Source (p. 1447)
Properties
ConfigRuleName
A name for the AWS Config rule. If you don't specify a name, AWS CloudFormation generates a
unique physical ID and uses that ID for the rule name. For more information, see Name Type.
Required: No
Type: String
Minimum: 1
Maximum: 64

Description
The description that you provide for the AWS Config rule.
Required: No
Type: String
Minimum: 0
Maximum: 256

InputParameters
A string, in JSON format, that is passed to the AWS Config rule Lambda function.
Required: No
Type: Json
Minimum: 1
Maximum: 1024

MaximumExecutionFrequency
The maximum frequency with which AWS Config runs evaluations for a rule. You can specify a value
for MaximumExecutionFrequency when:
• You are using an AWS managed rule that is triggered at a periodic frequency.
• Your custom rule is triggered when AWS Config delivers the configuration snapshot. For more
information, see ConfigSnapshotDeliveryProperties.
Note
By default, rules with a periodic trigger are evaluated every 24 hours. To change the
frequency, specify a valid value for the MaximumExecutionFrequency parameter.
Required: No
Type: String
Allowed Values: One_Hour | Six_Hours | Three_Hours | Twelve_Hours |

TwentyFour_Hours

1441
Config

Scope
Defines which resources can trigger an evaluation for the rule. The scope can include one or more
resource types, a combination of one resource type and one resource ID, or a combination of a tag
key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule.
If you do not specify a scope, evaluations are triggered when any resource in the recording group
changes.
Required: No
Type: Scope (p. 1446)

Source
Provides the rule owner (AWS or customer), the rule identifier, and the notifications that cause the
function to evaluate your AWS resources.
Required: Yes
Type: Source (p. 1447)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the rule name,
such as mystack-MyConfigRule-12ABCFPXHV4OV.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the AWS Config rule, such as arn:aws:config:us-
east-1:123456789012:config-rule/config-rule-a1bzhi.
Compliance.Type
The compliance status of an AWS Config rule, such as COMPLIANT or NON_COMPLIANT.

ConfigRuleId
The ID of the AWS Config rule, such as config-rule-a1bzhi.
Examples
Config Rule
The following example uses an AWS managed rule that checks whether EC2 volumes resource types have
a CostCenter tag.

1442
Config
JSON
"ConfigRuleForVolumeTags": {
"Properties": {
"InputParameters": {"tag1Key": "CostCenter"},
"Scope": {
"ComplianceResourceTypes": ["AWS::EC2::Volume"]
},
"Source": {
"Owner": "AWS",
"SourceIdentifier": "REQUIRED_TAGS"
}
}
}
YAML
ConfigRuleForVolumeTags:
Properties:
InputParameters:
tag1Key: CostCenter
Scope:
- "AWS::EC2::Volume"
Source:
Owner: AWS
SourceIdentifier: "REQUIRED_TAGS"
Rule Using Lambda Function
The following example creates a custom configuration rule that uses a Lambda function. The function
checks whether an EC2 volume has the AutoEnableIO property set to true. Note that the configuration
rule has a dependency on the Lambda policy so that the rule calls the function only after it's permitted
to do so.
JSON
"ConfigPermissionToCallLambda": {
"Properties": {
"FunctionName": {"Fn::GetAtt": ["VolumeAutoEnableIOComplianceCheck", "Arn"]},
"Principal": "config.amazonaws.com"
}
},
"VolumeAutoEnableIOComplianceCheck": {
"Properties": {
"Code": {
"ZipFile": {"Fn::Join": ["\n", [
"var aws = require('aws-sdk');",
"var config = new aws.ConfigService();",
"var ec2 = new aws.EC2();",

" compliance = evaluateCompliance(event, function(compliance, event) {",
" var configurationItem =
JSON.parse(event.invokingEvent).configurationItem;",
" var putEvaluationsRequest = {",

1443
Config
" Evaluations: [{",

" ComplianceResourceType: configurationItem.resourceType,",
" ComplianceResourceId: configurationItem.resourceId,",
" ComplianceType: compliance,",
" OrderingTimestamp:
configurationItem.configurationItemCaptureTime",
" }],",
" ResultToken: event.resultToken",
" };",
" config.putEvaluations(putEvaluationsRequest, function(err, data) {",

" if (err) context.fail(err);",
" else context.succeed(data);",
" });",
" });",
"};",
"function evaluateCompliance(event, doReturn) {",

" var configurationItem = JSON.parse(event.invokingEvent).configurationItem;",
" var status = configurationItem.configurationItemStatus;",
" if (configurationItem.resourceType !== 'AWS::EC2::Volume' ||
event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered'))",
" doReturn('NOT_APPLICABLE', event);",
" else ec2.describeVolumeAttribute({VolumeId: configurationItem.resourceId,
Attribute: 'autoEnableIO'}, function(err, data) {",
" if (err) context.fail(err);",
" else if (data.AutoEnableIO.Value) doReturn('COMPLIANT', event);",
" else doReturn('NON_COMPLIANT', event);",
" });",
"}"
]]}
},
"Runtime": "nodejs8.10",
"Timeout": "30",
"Role": {"Fn::GetAtt": ["LambdaExecutionRole", "Arn"]}
}
},
"ConfigRuleForVolumeAutoEnableIO": {
"Properties": {
"ConfigRuleName": "ConfigRuleForVolumeAutoEnableIO",
"Scope": {
"ComplianceResourceId": {"Ref": "Ec2Volume"},
"ComplianceResourceTypes": ["AWS::EC2::Volume"]
},
"Source": {
"Owner": "CUSTOM_LAMBDA",
"SourceDetails": [{
"EventSource": "aws.config",
"MessageType": "ConfigurationItemChangeNotification"
}],
"SourceIdentifier": {"Fn::GetAtt": ["VolumeAutoEnableIOComplianceCheck", "Arn"]}
}
},
"DependsOn": "ConfigPermissionToCallLambda"
}
YAML
ConfigPermissionToCallLambda:
Properties:
FunctionName:

1444
Config
Fn::GetAtt:
- VolumeAutoEnableIOComplianceCheck
- Arn
Principal: "config.amazonaws.com"
VolumeAutoEnableIOComplianceCheck:
Properties:
Code:
ZipFile:
!Sub |
var aws = require('aws-sdk');
var config = new aws.ConfigService();
var ec2 = new aws.EC2();
compliance = evaluateCompliance(event, function(compliance, event) {
var configurationItem =
JSON.parse(event.invokingEvent).configurationItem;
var putEvaluationsRequest = {
Evaluations: [{
ComplianceResourceType: configurationItem.resourceType,
ComplianceResourceId: configurationItem.resourceId,
ComplianceType: compliance,
OrderingTimestamp:
configurationItem.configurationItemCaptureTime
}],
ResultToken: event.resultToken
};
config.putEvaluations(putEvaluationsRequest, function(err, data) {
if (err) context.fail(err);
else context.succeed(data);
});
});
};
function evaluateCompliance(event, doReturn) {
var configurationItem = JSON.parse(event.invokingEvent).configurationItem;
var status = configurationItem.configurationItemStatus;
if (configurationItem.resourceType !== 'AWS::EC2::Volume' ||
event.eventLeftScope || (status !== 'OK' && status !== 'ResourceDiscovered'))
doReturn('NOT_APPLICABLE', event);
else ec2.describeVolumeAttribute({VolumeId: configurationItem.resourceId,
Attribute: 'autoEnableIO'}, function(err, data) {
if (err) context.fail(err);
else if (data.AutoEnableIO.Value) doReturn('COMPLIANT', event);
else doReturn('NON_COMPLIANT', event);
});
}
Handler: "index.handler"
Runtime: nodejs8.10
Timeout: 30
Role:
Fn::GetAtt:
- LambdaExecutionRole
- Arn
ConfigRuleForVolumeAutoEnableIO:
Properties:
ConfigRuleName: ConfigRuleForVolumeAutoEnableIO
Scope:
ComplianceResourceId:
Ref: Ec2Volume
Source:
Owner: "CUSTOM_LAMBDA"
SourceDetails:

1445
Config
-
EventSource: "aws.config"
MessageType: "ConfigurationItemChangeNotification"
SourceIdentifier:
Fn::GetAtt:
- VolumeAutoEnableIOComplianceCheck
- Arn
DependsOn: ConfigPermissionToCallLambda
AWS::Config::ConfigRule Scope
Defines which resources trigger an evaluation for an AWS Config rule. The scope can include one or
more resource types, a combination of a tag key and value, or a combination of one resource type
and one resource ID. Specify a scope to constrain which resources trigger an evaluation for a rule.
Otherwise, evaluations for the rule are triggered when any resource in your recording group changes in
configuration.
Syntax
JSON
{
"ComplianceResourceId" : String,
"ComplianceResourceTypes" : [ String, ... ],
"TagKey" : String,
"TagValue" : String
}
YAML
ComplianceResourceId: String
- String
TagKey: String
TagValue: String
Properties
ComplianceResourceId
The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a
resource ID, you must specify one resource type for ComplianceResourceTypes.
Required: No
Type: String
Minimum: 1
Maximum: 768

ComplianceResourceTypes
The resource types of only those AWS resources that you want to trigger an evaluation for the rule.
You can only specify one type if you also specify a resource ID for ComplianceResourceId.
Required: No

1446
Config
Maximum: 100

TagKey
The tag key that is applied to only those AWS resources that you want to trigger an evaluation for
the rule.
Required: No
Type: String
Minimum: 1
Maximum: 128

TagValue
The tag value applied to only those AWS resources that you want to trigger an evaluation for the
rule. If you specify a value for TagValue, you must also specify a value for TagKey.
Required: No
Type: String
Minimum: 1
Maximum: 256
AWS::Config::ConfigRule Source
Provides the AWS Config rule owner (AWS or customer), the rule identifier, and the events that trigger
the evaluation of your AWS resources.
Syntax
JSON
{
"Owner" : String,
"SourceDetails" : [ SourceDetail (p. 1448), ... ],
"SourceIdentifier" : String
}
YAML
Owner: String
SourceDetails:
- SourceDetail (p. 1448)

1447
Config
Properties
Owner
Indicates whether AWS or the customer owns and manages the AWS Config rule.
Required: Yes
Type: String
Allowed Values: AWS | CUSTOM_LAMBDA

SourceDetails
Provides the source and type of the event that causes AWS Config to evaluate your AWS resources.
Required: No
Type: List of SourceDetail (p. 1448)
Maximum: 25

SourceIdentifier
For AWS Config managed rules, a predefined identifier from a list. For example,
IAM_PASSWORD_POLICY is a managed rule. To reference a managed rule, see Using AWS Managed
Config Rules.
For custom rules, the identifier is the Amazon Resource Name (ARN)
of the rule's AWS Lambda function, such as arn:aws:lambda:us-
east-2:123456789012:function:custom_rule_name.
Required: Yes
Type: String
Minimum: 1
Maximum: 256
AWS::Config::ConfigRule SourceDetail
Provides the source and the message types that trigger AWS Config to evaluate your AWS resources
against a rule. It also provides the frequency with which you want AWS Config to run evaluations for
the rule if the trigger type is periodic. You can specify the parameter values for SourceDetail only for
custom rules.
Syntax
JSON

1448
Config
"EventSource" : String,
"MessageType" : String
}
YAML
EventSource: String
MessageType: String
Properties
EventSource
The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS
resources.
Required: Yes
Type: String
Allowed Values: aws.config

The frequency at which you want AWS Config to run evaluations for a custom rule with a periodic
trigger. If you specify a value for MaximumExecutionFrequency, then MessageType must use the
ScheduledNotification value.
Note
Based on the valid value you choose, AWS Config runs evaluations once for each valid value.
For example, if you choose Three_Hours, AWS Config runs evaluations once every three
hours. In this case, Three_Hours is the frequency of this rule.
Required: No
Type: String

TwentyFour_Hours

MessageType
The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the
following notification types:
• ConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers
a configuration item as a result of a resource change.
• OversizedConfigurationItemChangeNotification - Triggers an evaluation when AWS
Config delivers an oversized configuration item. AWS Config may generate this notification type
when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.
• ScheduledNotification - Triggers a periodic evaluation at the frequency specified for
MaximumExecutionFrequency.

1449
Config
• ConfigurationSnapshotDeliveryCompleted - Triggers a periodic evaluation when AWS

Config delivers a configuration snapshot.
If you want your custom rule to be triggered by configuration changes, specify two
SourceDetail objects, one for ConfigurationItemChangeNotification and one for
OversizedConfigurationItemChangeNotification.
Required: Yes
Type: String
Allowed Values: ConfigurationItemChangeNotification

| ConfigurationSnapshotDeliveryCompleted |
OversizedConfigurationItemChangeNotification | ScheduledNotification
AWS::Config::ConfigurationAggregator
The details about the configuration aggregator, including information about source accounts, regions,
and metadata of the aggregator.
Syntax
JSON
{
"Type" : "AWS::Config::ConfigurationAggregator",
"Properties" : {
"AccountAggregationSources" : [ AccountAggregationSource (p. 1452), ... ],
"ConfigurationAggregatorName" : String,
"OrganizationAggregationSource" : OrganizationAggregationSource (p. 1453)
}
}
YAML
Type: AWS::Config::ConfigurationAggregator
Properties:
- AccountAggregationSource (p. 1452)
ConfigurationAggregatorName: String
OrganizationAggregationSource:
OrganizationAggregationSource (p. 1453)
Properties
AccountAggregationSources
Provides a list of source accounts and regions to be aggregated.
Required: No
Type: List of AccountAggregationSource (p. 1452)
Maximum: 1

1450
Config

ConfigurationAggregatorName
The name of the aggregator.
Required: Yes
Type: String
Minimum: 1
Maximum: 256
Pattern: [\w\-]+

OrganizationAggregationSource
Provides an organization and list of regions to be aggregated.
Required: No
Type: OrganizationAggregationSource (p. 1453)
Return Values
Ref
ConfigurationAggregatorName, such as myConfigurationAggregator.
Examples
Configuration Aggregator With Multiple Accounts Multiple Regions
The following example creates a ConfigurationAggregator.
JSON
"ConfigurationAggregator": {
"Properties": {
"AccountAggregationSources": [
{
"AccountIds": [
"123456789012",
"987654321012"
],
"AwsRegions": [
"us-west-2",
"us-east-1"
],
"AllAwsRegions": false
}
],
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}

1451
Config
YAML
ConfigurationAggregator:
Type: 'AWS::Config::ConfigurationAggregator'
Properties:
- AccountIds:
- '123456789012'
- '987654321012'
AwsRegions:
- us-west-2
- us-east-1
AllAwsRegions: false
ConfigurationAggregatorName: MyConfigurationAggregator
Configuration Aggregator for an Organization

The following example creates a ConfigurationAggregator for an organization.
JSON
"ConfigurationAggregator": {
"Properties": {
"OrganizationAggregationSource": {
"RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/
organizations.amazonaws.com/AWSServiceRoleForOrganizations",
"AwsRegions": [
"us-west-2",
"us-east-1"
],
"AllAwsRegions": false
}
"ConfigurationAggregatorName": "MyConfigurationAggregator"
}
}
YAML
ConfigurationAggregator:
Type: 'AWS::Config::ConfigurationAggregator'
Properties:
OrganizationAggregationSource:
RoleArn: >-
arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/
AWSServiceRoleForOrganizations
AwsRegions:
- us-west-2
- us-east-1
AllAwsRegions: false
ConfigurationAggregatorName: MyConfigurationAggregator
AWS::Config::ConfigurationAggregator AccountAggregationSource
A collection of accounts and regions.
Syntax

1452
Config
JSON
{
"AccountIds" : [ String, ... ],
"AllAwsRegions" : Boolean,
"AwsRegions" : [ String, ... ]
}
YAML
AccountIds:
- String
AllAwsRegions: Boolean
AwsRegions:
- String
Properties
AccountIds
The 12-digit account ID of the account being aggregated.
Required: Yes

AllAwsRegions
If true, aggregate existing AWS Config regions and future regions.
Required: No
Type: Boolean

AwsRegions
The source regions being aggregated.
Required: No
AWS::Config::ConfigurationAggregator OrganizationAggregationSource
This object contains regions to set up the aggregator and an IAM role to retrieve organization details.
Syntax
JSON
{
"AllAwsRegions" : Boolean,
"AwsRegions" : [ String, ... ],

1453
Config
"RoleArn" : String
}
YAML
AllAwsRegions: Boolean
AwsRegions:
- String
RoleArn: String
Properties
AllAwsRegions
If true, aggregate existing AWS Config regions and future regions.
Required: No
Type: Boolean

AwsRegions
The source regions being aggregated.
Required: No

RoleArn
ARN of the IAM role used to retrieve AWS Organization details associated with the aggregator
account.
Required: Yes
Type: String
AWS::Config::ConfigurationRecorder
The AWS::Config::ConfigurationRecorder resource describes the AWS resource types for which AWS
Config records configuration changes. The configuration recorder stores the configurations of the
supported resources in your account as configuration items.
Note
To enable AWS Config, you must create a configuration recorder and a delivery channel. AWS
Config uses the delivery channel to deliver the configuration changes to your Amazon S3 bucket
or Amazon SNS topic. For more information, see AWS::Config::DeliveryChannel.
AWS CloudFormation starts the recorder as soon as the delivery channel is available. To stop the
recorder, delete the configuration recorder from your stack. For more information, see Configuration
Recorder in the AWS Config Developer Guide.
Syntax

1454
Config
JSON
{
"Type" : "AWS::Config::ConfigurationRecorder",
"Properties" : {
"Name" : String,
"RecordingGroup" : RecordingGroup (p. 1456),
"RoleARN" : String
}
}
YAML
Properties:
Name: String
RecordingGroup:
RecordingGroup (p. 1456)
RoleARN: String
Properties
Name
A name for the configuration recorder. If you don't specify a name, AWS CloudFormation generates
a unique physical ID and uses that ID for the configuration recorder name. For more information, see
Name Type.
Note
After you create a configuration recorder, you cannot rename it. If you don't want a name
that AWS CloudFormation generates, specify a value for this property.
Required: No
Type: String
Minimum: 1
Maximum: 256

RecordingGroup
Indicates whether to record configurations for all supported resources or for a list of resource types.
The resource types that you list must be supported by AWS Config.
Required: No
Type: RecordingGroup (p. 1456)

RoleARN
The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role
that is used to make read or write requests to the delivery channel that you specify and to get
configuration details for supported AWS resources. For more information, see Permissions for the
IAM Role Assigned to AWS Config in the AWS Config Developer Guide.

1455
Config
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the configuration
recorder name, such as default.
Examples
Configuration Recorder
The following example creates a configuration recorder for EC2 volumes.
JSON
"ConfigRecorder": {
"Type": "AWS::Config::ConfigurationRecorder",
"Properties": {
"Name": "default",
"RecordingGroup": {
"ResourceTypes": ["AWS::EC2::Volume"]
},
"RoleARN": {"Fn::GetAtt": ["ConfigRole", "Arn"]}
}
}
YAML
ConfigRecorder:
Properties:
Name: default
RecordingGroup:
ResourceTypes:
RoleARN:
Fn::GetAtt:
- ConfigRole
- Arn
AWS::Config::ConfigurationRecorder RecordingGroup
Specifies the types of AWS resource for which AWS Config records configuration changes.
In the recording group, you specify whether all supported types or specific types of resources are
recorded.
By default, AWS Config records configuration changes for all supported types of regional resources that
AWS Config discovers in the region in which it is running. Regional resources are tied to a region and can
be used only in that region. Examples of regional resources are EC2 instances and EBS volumes.

1456
Config
You can also have AWS Config record configuration changes for supported types of global resources
(for example, IAM resources). Global resources are not tied to an individual region and can be used in all
regions.
Important
The configuration details for any global resource are the same in all regions. If you customize
AWS Config in multiple regions to record global resources, it will create multiple configuration
items each time a global resource changes: one configuration item for each region. These
configuration items will contain identical data. To prevent duplicate configuration items, you
should consider customizing AWS Config in only one region to record global resources, unless
you want the configuration items to be available in multiple regions.
If you don't want AWS Config to record all resources, you can specify which types of resources it will
record with the resourceTypes parameter.
For a list of supported resource types, see Supported Resource Types.
For more information, see Selecting Which Resources AWS Config Records.
Syntax
JSON
{
"AllSupported" : Boolean,
"IncludeGlobalResourceTypes" : Boolean,
"ResourceTypes" : [ String, ... ]
}
YAML
AllSupported: Boolean
IncludeGlobalResourceTypes: Boolean
ResourceTypes:
- String
Properties
AllSupported
Specifies whether AWS Config records configuration changes for every supported type of regional
resource.
If you set this option to true, when AWS Config adds support for a new type of regional resource, it
starts recording resources of that type automatically.
If you set this option to true, you cannot enumerate a list of resourceTypes.
Required: No
Type: Boolean

IncludeGlobalResourceTypes
Specifies whether AWS Config includes all supported types of global resources (for example, IAM
resources) with the resources that it records.

1457
Config
Before you can set this option to true, you must set the allSupported option to true.
If you set this option to true, when AWS Config adds support for a new type of global resource, it
starts recording resources of that type automatically.
The configuration details for any global resource are the same in all regions. To prevent duplicate
configuration items, you should consider customizing AWS Config in only one region to record global
resources.
Required: No
Type: Boolean

ResourceTypes
A comma-separated list that specifies the types of AWS resources for which AWS Config records
configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail).
Before you can set this option to true, you must set the allSupported option to false.
If you set this option to true, when AWS Config adds support for a new type of resource, it will not
record resources of that type unless you manually add that type to your recording group.
For a list of valid resourceTypes values, see the resourceType Value column in Supported AWS
Resource Types.
Required: No
AWS::Config::DeliveryChannel
Specifies a delivery channel object to deliver configuration information to an Amazon S3 bucket and
Amazon SNS topic.
Before you can create a delivery channel, you must create a configuration recorder.
You can use this action to change the Amazon S3 bucket or an Amazon SNS topic of the existing delivery
channel. To change the Amazon S3 bucket or an Amazon SNS topic, call this action and specify the
changed values for the S3 bucket and the SNS topic. If you specify a different value for either the S3
bucket or the SNS topic, this action will keep the existing value for the parameter that is not changed.
Note
You can have only one delivery channel per region in your account.
When you create the delivery channel, you can specify; how often AWS Config delivers configuration
snapshots to your Amazon S3 bucket (for example, 24 hours), the S3 bucket to which AWS Config
sends configuration snapshots and configuration history files, and the Amazon SNS topic to which AWS
Config sends notifications about configuration changes, such as updated resources, AWS Config rule
evaluations, and when AWS Config delivers the configuration snapshot to your S3 bucket. For more
information, see Deliver Configuration Items in the AWS Config Developer Guide.
Note
To enable AWS Config, you must create a configuration recorder and a delivery channel. If you
want to create the resources separately, you must create a configuration recorder before you can
create a delivery channel. AWS Config uses the configuration recorder to capture configuration
changes to your resources. For more information, see AWS::Config::ConfigurationRecorder.

1458
Config
For more information, see Managing the Delivery Channel in the AWS Config Developer Guide.
Syntax
JSON
{
"Type" : "AWS::Config::DeliveryChannel",
"Properties" : {
"ConfigSnapshotDeliveryProperties" : ConfigSnapshotDeliveryProperties (p. 1461),
"Name" : String,
"S3KeyPrefix" : String,
"SnsTopicARN" : String
}
}
YAML
Properties:
ConfigSnapshotDeliveryProperties:
ConfigSnapshotDeliveryProperties (p. 1461)
Name: String
S3KeyPrefix: String
SnsTopicARN: String
Properties
ConfigSnapshotDeliveryProperties
The options for how often AWS Config delivers configuration snapshots to the Amazon S3 bucket.
Required: No
Type: ConfigSnapshotDeliveryProperties (p. 1461)

Name
A name for the delivery channel. If you don't specify a name, AWS CloudFormation generates a
unique physical ID and uses that ID for the delivery channel name. For more information, see Name
Type.
Updates are not supported. To change the name, you must run two separate updates. In the first
update, delete this resource, and then recreate it with a new name in the second update.
Required: No
Type: String
Minimum: 1
Maximum: 256

1459
Config
S3BucketName
The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and
configuration history files.
If you specify a bucket that belongs to another AWS account, that bucket must have policies that
grant access permissions to AWS Config. For more information, see Permissions for the Amazon S3
Bucket in the AWS Config Developer Guide.
Required: Yes
Type: String

S3KeyPrefix
The prefix for the specified Amazon S3 bucket.
Required: No
Type: String

SnsTopicARN
The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config sends
notifications about configuration changes.
If you choose a topic from another account, the topic must have policies that grant access
permissions to AWS Config. For more information, see Permissions for the Amazon SNS Topic in the
AWS Config Developer Guide.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the delivery
channel name, such as default.
Examples
Delivery Channel
The following example creates a delivery channel that sends notifications to the specified Amazon SNS
topic. The delivery channel also sends configuration changes and snapshots to the specified S3 bucket.
JSON
"DeliveryChannel": {
"Type": "AWS::Config::DeliveryChannel",
"Properties": {
"ConfigSnapshotDeliveryProperties": {

1460
Config
"DeliveryFrequency": "Six_Hours"
},
"S3BucketName": {"Ref": "ConfigBucket"},
"SnsTopicARN": {"Ref": "ConfigTopic"}
}
}
YAML
DeliveryChannel:
Properties:
ConfigSnapshotDeliveryProperties:
DeliveryFrequency: "Six_Hours"
S3BucketName:
Ref: ConfigBucket
SnsTopicARN:
Ref: ConfigTopic
AWS::Config::DeliveryChannel ConfigSnapshotDeliveryProperties
Provides options for how often AWS Config delivers configuration snapshots to the Amazon S3 bucket in
your delivery channel.
Note
If you want to create a rule that triggers evaluations for your resources when AWS Config
delivers the configuration snapshot, see the following:
The frequency for a rule that triggers evaluations for your resources when AWS Config delivers the
configuration snapshot is set by one of two values, depending on which is less frequent:
• The value for the deliveryFrequency parameter within the delivery channel configuration, which
sets how often AWS Config delivers configuration snapshots. This value also sets how often AWS
Config invokes evaluations for AWS Config rules.
• The value for the MaximumExecutionFrequency parameter, which sets the maximum frequency
with which AWS Config invokes evaluations for the rule. For more information, see ConfigRule.
If the deliveryFrequency value is less frequent than the MaximumExecutionFrequency value for a
rule, AWS Config invokes the rule only as often as the deliveryFrequency value.
1. For example, you want your rule to run evaluations when AWS Config delivers the configuration
snapshot.
2. You specify the MaximumExecutionFrequency value for Six_Hours.
3. You then specify the delivery channel deliveryFrequency value for TwentyFour_Hours.
4. Because the value for deliveryFrequency is less frequent than MaximumExecutionFrequency,
AWS Config invokes evaluations for the rule every 24 hours.
You should set the MaximumExecutionFrequency value to be at least as frequent as the

deliveryFrequency value. You can view the deliveryFrequency value by using the
DescribeDeliveryChannnels action.
To update the deliveryFrequency with which AWS Config delivers your configuration snapshots, use
the PutDeliveryChannel action.
Syntax

1461
Config
JSON
{
"DeliveryFrequency" : String
}
YAML
DeliveryFrequency: String
Properties
DeliveryFrequency
The frequency with which AWS Config delivers configuration snapshots.
Required: No
Type: String

TwentyFour_Hours
AWS::Config::OrganizationConfigRule
An organization config rule that has information about config rules that AWS Config creates in member
accounts. Only a master account can create or update an organization config rule.
OrganizationConfigRule resource enables organization service access through

EnableAWSServiceAccess action and creates a service linked role in the master account of your
organization. The service linked role is created only when the role does not exist in the master account.
AWS Config verifies the existence of role with GetRole action.
Syntax
JSON
{
"Type" : "AWS::Config::OrganizationConfigRule",
"Properties" : {
"ExcludedAccounts" : [ String, ... ],
"OrganizationConfigRuleName" : String,
"OrganizationCustomRuleMetadata" : OrganizationCustomRuleMetadata (p. 1465),
"OrganizationManagedRuleMetadata" : OrganizationManagedRuleMetadata (p. 1468)
}
}
YAML
Type: AWS::Config::OrganizationConfigRule
Properties:
ExcludedAccounts:
- String
OrganizationConfigRuleName: String

1462
Config
OrganizationCustomRuleMetadata:
OrganizationCustomRuleMetadata (p. 1465)
OrganizationManagedRuleMetadata:
OrganizationManagedRuleMetadata (p. 1468)
Properties
ExcludedAccounts
A comma-separated list of accounts excluded from organization config rule.
Required: No
Maximum: 1000

OrganizationConfigRuleName
The name that you assign to organization config rule.
Required: Yes
Type: String
Minimum: 1
Maximum: 64
Pattern: .*\S.*

OrganizationCustomRuleMetadata
An OrganizationCustomRuleMetadata object.
Required: No
Type: OrganizationCustomRuleMetadata (p. 1465)

OrganizationManagedRuleMetadata
An OrganizationManagedRuleMetadata object.
Required: No
Type: OrganizationManagedRuleMetadata (p. 1468)
Return Values
Ref
OrganizationConfigRuleName.

1463
Config
Examples
Managed Rule
The following example creates a managed organization config rule.
JSON
{
"BasicOrganizationConfigRule": {
"Type": "AWS::Config::OrganizationConfigRule",
"Properties": {
"OrganizationConfigRuleName": "OrganizationConfigRuleName",
"OrganizationManagedRuleMetadata": {
"RuleIdentifier": "CLOUD_TRAIL_ENABLED",
"Description": "Cloudtrail enabled rule"
},
"ExcludedAccounts": [
"accountId"
]
}
}
}
YAML
BasicOrganizationConfigRule:
Type: "AWS::Config::OrganizationConfigRule"
Properties:
OrganizationConfigRuleName: "OrganizationConfigRuleName"
OrganizationManagedRuleMetadata:
RuleIdentifier: "CLOUD_TRAIL_ENABLED"
Description: "Cloudtrail enabled rule"
ExcludedAccounts:
- "accountId"
Custom Rule
The following example creates a custom organization config rule.
JSON
{
"BasicOrganizationConfigRule": {
"Type": "AWS::Config::OrganizationConfigRule",
"Properties": {
"OrganizationConfigRuleName": "OrganizationConfigRuleName",
"OrganizationCustomRuleMetadata": {
"LambdaFunctionArn": "CustomRuleLambdaArn",
"OrganizationConfigRuleTriggerTypes": [
"ScheduledNotification"
]
},
"ExcludedAccounts": [
"accountId"
]
}
}

1464
Config
YAML
BasicOrganizationConfigRule:
Type: "AWS::Config::OrganizationConfigRule"
Properties:
OrganizationConfigRuleName: "OrganizationConfigRuleName"
OrganizationCustomRuleMetadata:
LambdaFunctionArn: "CustomRuleLambdaArn"
OrganizationConfigRuleTriggerTypes:
- "ScheduledNotification"
ExcludedAccounts:
- "accountId"
AWS::Config::OrganizationConfigRule OrganizationCustomRuleMetadata
An object that specifies organization custom rule metadata such as resource type, resource ID of AWS
resource, Lamdba function ARN, and organization trigger types that trigger AWS Config to evaluate your
AWS resources against a rule. It also provides the frequency with which you want AWS Config to run
evaluations for the rule if the trigger type is periodic.
Syntax
JSON
{
"InputParameters" : String,
"LambdaFunctionArn" : String,
"OrganizationConfigRuleTriggerTypes" : [ String, ... ],
"ResourceIdScope" : String,
"ResourceTypesScope" : [ String, ... ],
"TagKeyScope" : String,
"TagValueScope" : String
}
YAML
Description: String
InputParameters: String
LambdaFunctionArn: String
OrganizationConfigRuleTriggerTypes:
- String
ResourceIdScope: String
ResourceTypesScope:
- String
TagKeyScope: String
TagValueScope: String
Properties
Description
The description that you provide for organization config rule.

1465
Config
Required: No
Type: String
Minimum: 0
Maximum: 256

InputParameters
A string, in JSON format, that is passed to organization config rule Lambda function.
Required: No
Type: String
Minimum: 1
Maximum: 2048

LambdaFunctionArn
The lambda function ARN.
Required: Yes
Type: String
Minimum: 1
Maximum: 256

The maximum frequency with which AWS Config runs evaluations for a rule. Your custom rule
is triggered when AWS Config delivers the configuration snapshot. For more information, see
ConfigSnapshotDeliveryProperties.
Note
Required: No
Type: String

TwentyFour_Hours

OrganizationConfigRuleTriggerTypes
The type of notification that triggers AWS Config to run an evaluation for a rule. You can specify the
following notification types:
• ConfigurationItemChangeNotification - Triggers an evaluation when AWS Config delivers
a configuration item as a result of a resource change.

1466
Config
• OversizedConfigurationItemChangeNotification - Triggers an evaluation when AWS

Config delivers an oversized configuration item. AWS Config may generate this notification type
when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.
• ScheduledNotification - Triggers a periodic evaluation at the frequency specified for
MaximumExecutionFrequency.
Required: Yes

ResourceIdScope
The ID of the AWS resource that was evaluated.
Required: No
Type: String
Minimum: 1
Maximum: 768

ResourceTypesScope
The type of the AWS resource that was evaluated.
Required: No
Maximum: 100

TagKeyScope
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for
more specific tag values.
Required: No
Type: String
Minimum: 1
Maximum: 128

TagValueScope
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag
category (key).
Required: No
Type: String
Minimum: 1

1467
Config
Maximum: 256
AWS::Config::OrganizationConfigRule OrganizationManagedRuleMetadata
An object that specifies organization managed rule metadata such as resource type and ID of AWS
resource along with the rule identifier. It also provides the frequency with which you want AWS Config to
run evaluations for the rule if the trigger type is periodic.
Syntax
JSON
{
"InputParameters" : String,
"ResourceIdScope" : String,
"ResourceTypesScope" : [ String, ... ],
"RuleIdentifier" : String,
"TagKeyScope" : String,
"TagValueScope" : String
}
YAML
Description: String
InputParameters: String
ResourceIdScope: String
ResourceTypesScope:
- String
RuleIdentifier: String
TagKeyScope: String
TagValueScope: String
Properties
Description
The description that you provide for organization config rule.
Required: No
Type: String
Minimum: 0
Maximum: 256

InputParameters
A string, in JSON format, that is passed to organization config rule Lambda function.
Required: No

1468
Config
Type: String
Minimum: 1
Maximum: 2048

The maximum frequency with which AWS Config runs evaluations for a rule. You are using an AWS
managed rule that is triggered at a periodic frequency.
Note
Required: No
Type: String

TwentyFour_Hours

ResourceIdScope
The ID of the AWS resource that was evaluated.
Required: No
Type: String
Minimum: 1
Maximum: 768

ResourceTypesScope
The type of the AWS resource that was evaluated.
Required: No
Maximum: 100

RuleIdentifier
For organization config managed rules, a predefined identifier from a list. For example,
IAM_PASSWORD_POLICY is a managed rule. To reference a managed rule, see Using AWS Managed
Config Rules.
Required: Yes
Type: String
Minimum: 1

1469
Config
Maximum: 256

TagKeyScope
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for
more specific tag values.
Required: No
Type: String
Minimum: 1
Maximum: 128

TagValueScope
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag
category (key).
Required: No
Type: String
Minimum: 1
Maximum: 256
AWS::Config::RemediationConfiguration
An object that represents the details about the remediation configuration that includes the remediation
action, parameters, and data to execute the action.
Syntax
JSON
{
"Type" : "AWS::Config::RemediationConfiguration",
"Properties" : {
"Automatic" : Boolean,
"ConfigRuleName" : String,
"ExecutionControls" : ExecutionControls (p. 1474),
"MaximumAutomaticAttempts" : Integer,
"ResourceType" : String,
"RetryAttemptSeconds" : Integer,
"TargetId" : String,
"TargetType" : String,
"TargetVersion" : String
}
}

1470
Config
YAML
Type: AWS::Config::RemediationConfiguration
Properties:
Automatic: Boolean
ConfigRuleName: String
ExecutionControls:
ExecutionControls (p. 1474)
MaximumAutomaticAttempts: Integer
Parameters: Json
ResourceType: String
RetryAttemptSeconds: Integer
TargetId: String
TargetType: String
TargetVersion: String
Properties
Automatic
The remediation is triggered automatically.
Required: No
Type: Boolean

ConfigRuleName
The name of the AWS Config rule.
Required: Yes
Type: String
Minimum: 1
Maximum: 128
Pattern: .*\S.*

ExecutionControls
An ExecutionControls object.
Required: No
Type: ExecutionControls (p. 1474)

MaximumAutomaticAttempts
The maximum number of failed attempts for auto-remediation. If you do not select a number, the
default is 5.
For example, if you specify MaximumAutomaticAttempts as 5 with RetryAttemptsSeconds as 50

seconds, AWS Config throws an exception after the 5th failed attempt within 50 seconds.
Required: No

1471
Config
Type: Integer
Minimum: 1
Maximum: 25

Parameters
An object of the RemediationParameterValue.

Note
The type is a map of strings to RemediationParameterValue.
Required: No
Type: Json

ResourceType
The type of a resource.
Required: No
Type: String

RetryAttemptSeconds
Maximum time in seconds that AWS Config runs auto-remediation. If you do not select a number,
the default is 60 seconds.
For example, if you specify RetryAttemptsSeconds as 50 seconds and MaximumAutomaticAttempts

as 5, AWS Config will run auto-remediations 5 times within 50 seconds before throwing an
exception.
Required: No
Type: Integer

TargetId
Target ID is the name of the public document.
Required: Yes
Type: String
Minimum: 1
Maximum: 256

TargetType
The type of the target. Target executes remediation. For example, SSM document.

1472
Config
Required: Yes
Type: String
Allowed Values: SSM_DOCUMENT

TargetVersion
Version of the target. For example, version of the SSM document.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the remediation
action with the associated SSM document.
Examples
Remeditation Configuration
The following example creates a remediation configuration using AWS Systems Manager document.
JSON
{
"BasicRemediationConfiguration": {
"Type": "AWS::Config::RemediationConfiguration",
"Properties": {
"ConfigRuleName": "configRuleName",
"Parameters": {
"AutomationAssumeRole": {
"StaticValue": {
"Values": [
"automationAssumeRole"
]
}
},
"InstanceId": {
"StaticValue": {
"Values": [
"instanceId"
]
}
}
},
"TargetId": "AWS-StartEC2Instance",
"TargetType": "SSM_DOCUMENT",
"TargetVersion": "1"
}
}

1473
Config
YAML
BasicRemediationConfiguration:
Type: "AWS::Config::RemediationConfiguration"
Properties:
ConfigRuleName: configRuleName
Parameters:
AutomationAssumeRole:
StaticValue:
Values:
- automationAssumeRole
InstanceId:
StaticValue:
Values:
- instanceId
TargetId: "AWS-StartEC2Instance"
TargetType: "SSM_DOCUMENT"
TargetVersion: "1"
AWS::Config::RemediationConfiguration ExecutionControls
The controls that AWS Config uses for executing remediations.
Syntax
JSON
{
"SsmControls" : SsmControls (p. 1476)
}
YAML
SsmControls:
SsmControls (p. 1476)
Properties
SsmControls
A SsmControls object.
Required: No
Type: SsmControls (p. 1476)
AWS::Config::RemediationConfiguration RemediationParameterValue
The value is either a dynamic (resource) value or a static value. You must select either a dynamic value or
a static value.

1474
Config
Syntax
JSON
{
"ResourceValue" : ResourceValue (p. 1475),
"StaticValue" : StaticValue (p. 1477)
}
YAML
ResourceValue:
ResourceValue (p. 1475)
StaticValue:
StaticValue (p. 1477)
Properties
ResourceValue
The value is dynamic and changes at run-time.
Required: No
Type: ResourceValue (p. 1475)

StaticValue
The value is static and does not change at run-time.
Required: No
Type: StaticValue (p. 1477)
AWS::Config::RemediationConfiguration ResourceValue
The dynamic value of the resource.
Syntax
JSON
{
"Value" : String
}
YAML
Value: String

1475
Config
Properties
Value
The value is a resource ID.
Required: No
Type: String
Allowed Values: RESOURCE_ID
AWS::Config::RemediationConfiguration SsmControls
AWS Systems Manager (SSM) specific remediation controls.
Syntax
JSON
{
"ConcurrentExecutionRatePercentage" : Integer,
"ErrorPercentage" : Integer
}
YAML
ConcurrentExecutionRatePercentage: Integer
ErrorPercentage: Integer
Properties
ConcurrentExecutionRatePercentage
The maximum percentage of remediation actions allowed to run in parallel on the non-compliant
resources for that specific rule. You can specify a percentage, such as 10%. The default value is 10.
Required: No
Type: Integer
Minimum: 1
Maximum: 100

ErrorPercentage
The percentage of errors that are allowed before SSM stops running automations on non-compliant
resources for that specific rule. You can specify a percentage of errors, for example 10%. If you do
not specifiy a percentage, the default is 50%. For example, if you set the ErrorPercentage to 40%
for 10 non-compliant resources, then SSM stops running the automations when the fifth error is
received.

1476
AWS Data Pipeline
Required: No
Type: Integer
Minimum: 1
Maximum: 100
AWS::Config::RemediationConfiguration StaticValue
The static value of the resource.
Syntax
JSON
{
}
YAML
Values:
- String
Properties
Values
A list of values. For example, the ARN of the assumed role.
Required: No
Maximum: 25
AWS Data Pipeline Resource Type Reference

Resource Types
• AWS::DataPipeline::Pipeline (p. 1477)
AWS::DataPipeline::Pipeline
The AWS::DataPipeline::Pipeline resource specifies a data pipeline that you can use to automate the
movement and transformation of data. In each pipeline, you define pipeline objects, such as activities,
schedules, data nodes, and resources. For information about pipeline objects and components that you
can use, see Pipeline Object Reference in the AWS Data Pipeline Developer Guide.

1477
AWS Data Pipeline
The AWS::DataPipeline::Pipeline resource adds tasks, schedules, and preconditions to the

specified pipeline. You can use PutPipelineDefinition to populate a new pipeline.
PutPipelineDefinition also validates the configuration as it adds it to the pipeline. Changes to the
pipeline are saved unless one of the following validation errors exist in the pipeline.
• An object is missing a name or identifier field.

• A string or reference field is empty.
• The number of objects in the pipeline exceeds the allowed maximum number of objects.
• The pipeline is in a FINISHED state.
Pipeline object definitions are passed to the PutPipelineDefinition action and returned by the
GetPipelineDefinition action.
Syntax
JSON
{
"Type" : "AWS::DataPipeline::Pipeline",
"Properties" : {
"Activate" : Boolean,
"Name" : String,
"ParameterObjects" : [ ParameterObject (p. 1489), ... ],
"ParameterValues" : [ ParameterValue (p. 1489), ... ],
"PipelineObjects" : [ PipelineObject (p. 1490), ... ],
"PipelineTags" : [ PipelineTag (p. 1491), ... ]
}
}
YAML
Type: AWS::DataPipeline::Pipeline
Properties:
Activate: Boolean
Description: String
Name: String
ParameterObjects:
- ParameterObject (p. 1489)
ParameterValues:
- ParameterValue (p. 1489)
PipelineObjects:
- PipelineObject (p. 1490)
PipelineTags:
- PipelineTag (p. 1491)
Properties
Activate
Indicates whether to validate and start the pipeline or stop an active pipeline. By default, the value is
set to true.
Required: No
Type: Boolean

1478
AWS Data Pipeline

Description
A description of the pipeline.
Required: No
Type: String
Minimum: 0
Maximum: 1024

Name
Required: Yes
Type: String
Minimum: 1
Maximum: 1024
Pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\n\t]*

ParameterObjects
The parameter objects used with the pipeline.
Required: Yes
Type: List of ParameterObject (p. 1489)

ParameterValues
The parameter values used with the pipeline.
Required: No
Type: List of ParameterValue (p. 1489)

PipelineObjects
The objects that define the pipeline. These objects overwrite the existing pipeline definition. Not
all objects, fields, and values can be updated. For information about restrictions, see Editing Your
Pipeline in the AWS Data Pipeline Developer Guide.
Required: No
Type: List of PipelineObject (p. 1490)

1479
AWS Data Pipeline
PipelineTags
A list of arbitrary tags (key-value pairs) to associate with the pipeline, which you can use to control
permissions. For more information, see Controlling Access to Pipelines and Resources in the AWS
Data Pipeline Developer Guide.
Required: No
Type: List of PipelineTag (p. 1491)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the pipeline ID.
Examples
The following data pipeline backs up data from an Amazon DynamoDB table to an Amazon S3 bucket.
The pipeline uses the HiveCopyActivity activity to copy the data, and runs it once a day. The roles for
the pipeline and the pipeline resource are declared elsewhere in the same template.
JSON
"DynamoDBInputS3OutputHive": {
"Type": "AWS::DataPipeline::Pipeline",
"Properties": {
"Name": "DynamoDBInputS3OutputHive",
"Description": "Pipeline to backup DynamoDB data to S3",
"Activate": "true",
"ParameterObjects": [
{
"Id": "myDDBReadThroughputRatio",
"Attributes": [
{
"Key": "description",
"StringValue": "DynamoDB read throughput ratio"
},
{
"Key": "type",
"StringValue": "Double"
},
{
"Key": "default",
"StringValue": "0.2"
}
]
},
{
"Id": "myOutputS3Loc",
"Attributes": [
{
"StringValue": "S3 output bucket"
},
{
"Key": "type",
"StringValue": "AWS::S3::ObjectKey"

1480
AWS Data Pipeline
},
{
"Key": "default",
"StringValue": { "Fn::Join" : [ "", [ "s3://", { "Ref": "S3OutputLoc" } ] ] }
}
]
},
{
"Id": "myDDBTableName",
"Attributes": [
{
"StringValue": "DynamoDB Table Name "
},
{
"Key": "type",
"StringValue": "String"
}
]
}
],
"ParameterValues": [
{
"Id": "myDDBTableName",
"StringValue": { "Ref": "TableName" }
}
],
"PipelineObjects": [
{
"Id": "S3BackupLocation",
"Name": "Copy data to this S3 location",
"Fields": [
{
"Key": "type",
"StringValue": "S3DataNode"
},
{
"Key": "dataFormat",
"RefValue": "DDBExportFormat"
},
{
"Key": "directoryPath",
"StringValue": "#{myOutputS3Loc}/#{format(@scheduledStartTime, 'YYYY-MM-dd-HH-
mm-ss')}"
}
]
},
{
"Id": "DDBSourceTable",
"Name": "DDBSourceTable",
"Fields": [
{
"Key": "tableName",
"StringValue": "#{myDDBTableName}"
},
{
"Key": "type",
"StringValue": "DynamoDBDataNode"
},
{
"Key": "dataFormat",
"RefValue": "DDBExportFormat"
},
{
"Key": "readThroughputPercent",
"StringValue": "#{myDDBReadThroughputRatio}"

1481
AWS Data Pipeline
}
]
},
{
"Id": "DDBExportFormat",
"Name": "DDBExportFormat",
"Fields": [
{
"Key": "type",
"StringValue": "DynamoDBExportDataFormat"
}
]
},
{
"Id": "TableBackupActivity",
"Name": "TableBackupActivity",
"Fields": [
{
"Key": "resizeClusterBeforeRunning",
"StringValue": "true"
},
{
"Key": "type",
"StringValue": "HiveCopyActivity"
},
{
"Key": "input",
"RefValue": "DDBSourceTable"
},
{
"Key": "runsOn",
"RefValue": "EmrClusterForBackup"
},
{
"Key": "output",
"RefValue": "S3BackupLocation"
}
]
},
{
"Id": "DefaultSchedule",
"Name": "RunOnce",
"Fields": [
{
"Key": "occurrences",
"StringValue": "1"
},
{
"Key": "startAt",
"StringValue": "FIRST_ACTIVATION_DATE_TIME"
},
{
"Key": "type",
"StringValue": "Schedule"
},
{
"Key": "period",
"StringValue": "1 Day"
}
]
},
{
"Id": "Default",
"Name": "Default",
"Fields": [
{

1482
AWS Data Pipeline
"Key": "type",
"StringValue": "Default"
},
{
"Key": "scheduleType",
"StringValue": "cron"
},
{
"Key": "failureAndRerunMode",
"StringValue": "CASCADE"
},
{
"Key": "role",
"StringValue": "DataPipelineDefaultRole"
},
{
"Key": "resourceRole",
"StringValue": "DataPipelineDefaultResourceRole"
},
{
"Key": "schedule",
"RefValue": "DefaultSchedule"
}
]
},
{
"Id": "EmrClusterForBackup",
"Name": "EmrClusterForBackup",
"Fields": [
{
"Key": "terminateAfter",
"StringValue": "2 Hours"
},
{
"Key": "amiVersion",
"StringValue": "3.3.2"
},
{
"Key": "masterInstanceType",
"StringValue": "m1.medium"
},
{
"Key": "coreInstanceType",
"StringValue": "m1.medium"
},
{
"Key": "coreInstanceCount",
"StringValue": "1"
},
{
"Key": "type",
"StringValue": "EmrCluster"
}
]
}
]
}
}
YAML
DynamoDBInputS3OutputHive:
Type: AWS::DataPipeline::Pipeline
Properties:

1483
AWS Data Pipeline
Name: DynamoDBInputS3OutputHive
Description: "Pipeline to backup DynamoDB data to S3"
Activate: true
ParameterObjects:
-
Id: "myDDBReadThroughputRatio"
Attributes:
-
Key: "description"
StringValue: "DynamoDB read throughput ratio"
-
Key: "type"
StringValue: "Double"
-
Key: "default"
StringValue: "0.2"
-
Id: "myOutputS3Loc"
Attributes:
-
Key: "description"
StringValue: "S3 output bucket"
-
Key: "type"
StringValue: "AWS::S3::ObjectKey"
-
Key: "default"
StringValue:
Fn::Join:
- ""
-
- "s3://"
-
Ref: "S3OutputLoc"
-
Id: "myDDBTableName"
Attributes:
-
Key: "description"
StringValue: "DynamoDB Table Name "
-
Key: "type"
StringValue: "String"
ParameterValues:
-
Id: "myDDBTableName"
StringValue:
Ref: "TableName"
PipelineObjects:
-
Id: "S3BackupLocation"
Name: "Copy data to this S3 location"
Fields:
-
Key: "type"
StringValue: "S3DataNode"
-
Key: "dataFormat"
RefValue: "DDBExportFormat"
-
Key: "directoryPath"
StringValue: "#{myOutputS3Loc}/#{format(@scheduledStartTime, 'YYYY-MM-dd-HH-mm-
ss')}"
-
Id: "DDBSourceTable"
Name: "DDBSourceTable"

1484
AWS Data Pipeline
Fields:
-
Key: "tableName"
StringValue: "#{myDDBTableName}"
-
Key: "type"
StringValue: "DynamoDBDataNode"
-
Key: "dataFormat"
RefValue: "DDBExportFormat"
-
Key: "readThroughputPercent"
StringValue: "#{myDDBReadThroughputRatio}"
-
Id: "DDBExportFormat"
Name: "DDBExportFormat"
Fields:
-
Key: "type"
StringValue: "DynamoDBExportDataFormat"
-
Id: "TableBackupActivity"
Name: "TableBackupActivity"
Fields:
-
Key: "resizeClusterBeforeRunning"
StringValue: "true"
-
Key: "type"
StringValue: "HiveCopyActivity"
-
Key: "input"
RefValue: "DDBSourceTable"
-
Key: "runsOn"
RefValue: "EmrClusterForBackup"
-
Key: "output"
RefValue: "S3BackupLocation"
-
Id: "DefaultSchedule"
Name: "RunOnce"
Fields:
-
Key: "occurrences"
StringValue: "1"
-
Key: "startAt"
StringValue: "FIRST_ACTIVATION_DATE_TIME"
-
Key: "type"
StringValue: "Schedule"
-
Key: "period"
StringValue: "1 Day"
-
Id: "Default"
Name: "Default"
Fields:
-
Key: "type"
StringValue: "Default"
-
Key: "scheduleType"
StringValue: "cron"
-

1485
AWS Data Pipeline
Key: "failureAndRerunMode"
StringValue: "CASCADE"
-
Key: "role"
StringValue: "DataPipelineDefaultRole"
-
Key: "resourceRole"
StringValue: "DataPipelineDefaultResourceRole"
-
Key: "schedule"
RefValue: "DefaultSchedule"
-
Id: "EmrClusterForBackup"
Name: "EmrClusterForBackup"
Fields:
-
Key: "terminateAfter"
StringValue: "2 Hours"
-
Key: "amiVersion"
StringValue: "3.3.2"
-
Key: "masterInstanceType"
StringValue: "m1.medium"
-
Key: "coreInstanceType"
StringValue: "m1.medium"
-
Key: "coreInstanceCount"
StringValue: "1"
-
Key: "type"
StringValue: "EmrCluster"
See Also
• Pipeline Object Reference in the AWS Data Pipeline Developer Guide.
• PutPipelineDefinition in the AWS Data Pipeline API Reference.
AWS::DataPipeline::Pipeline Field
A key-value pair that describes a property of a PipelineObject. The value is specified as either a string
value (StringValue) or a reference to another object (RefValue) but not as both. To view fields for a
data pipeline object, see Pipeline Object Reference in the AWS Data Pipeline Developer Guide.
Syntax
JSON
{
"Key" : String,
"RefValue" : String,
"StringValue" : String
}
YAML
Key: String

1486
AWS Data Pipeline
RefValue: String
StringValue:
String
Properties
Key
Specifies the name of a field for a particular object. To view valid values for a particular field, see
Pipeline Object Reference in the AWS Data Pipeline Developer Guide.
Required: Yes
Type: String
Minimum: 1
Maximum: 256

RefValue
A field value that you specify as an identifier of another object in the same pipeline definition.
Note
You can specify the field value as either a string value (StringValue) or a reference to
another object (RefValue), but not both.
Required if the key that you are using requires it.
Type: String
Minimum: 1
Maximum: 256

StringValue
A field value that you specify as a string. To view valid values for a particular field, see Pipeline
Object Reference in the AWS Data Pipeline Developer Guide.
Note
You can specify the field value as either a string value (StringValue) or a reference to
another object (RefValue), but not both.
Required if the key that you are using requires it.
Type: String
Minimum: 0
Maximum: 10240

1487
AWS Data Pipeline
AWS::DataPipeline::Pipeline ParameterAttribute
Attribute is a property of ParameterObject that defines the attributes of a parameter object as key-
value pairs.
Syntax
JSON
{
"Key" : String,
}
YAML
Key: String
StringValue:
String
Properties
Key
The field identifier.
Required: Yes
Type: String
Minimum: 1
Maximum: 256

StringValue
The field value, expressed as a String.
Required: Yes
Type: String
Minimum: 0
Maximum: 10240

1488
AWS Data Pipeline
AWS::DataPipeline::Pipeline ParameterObject
Contains information about a parameter object.
Syntax
JSON
{
"Attributes" : [ ParameterAttribute (p. 1488), ... ],
"Id" : String
}
YAML
Attributes:
- ParameterAttribute (p. 1488)
Id: String
Properties
Attributes
The attributes of the parameter object.
Required: Yes
Type: List of ParameterAttribute (p. 1488)

Id
The ID of the parameter object.
Required: Yes
Type: String
Minimum: 1
Maximum: 256
AWS::DataPipeline::Pipeline ParameterValue
A value or list of parameter values.
Syntax
JSON

1489
AWS Data Pipeline
"Id" : String,
}
YAML
Id: String
StringValue:
String
Properties
Id
The ID of the parameter value.
Required: Yes
Type: String
Minimum: 1
Maximum: 256

StringValue
The field value, expressed as a String.
Required: Yes
Type: String
Minimum: 0
Maximum: 10240
AWS::DataPipeline::Pipeline PipelineObject
PipelineObject is property of the AWS::DataPipeline::Pipeline resource that contains information about
a pipeline object. This can be a logical, physical, or physical attempt pipeline object. The complete set of
components of a pipeline defines the pipeline.
Syntax
JSON
{
"Fields" : [ Field (p. 1486), ... ],

1490
AWS Data Pipeline
"Id" : String,
"Name" : String
}
YAML
Fields:
- Field (p. 1486)
Id: String
Name: String
Properties
Fields
Key-value pairs that define the properties of the object.
Required: Yes
Type: List of Field (p. 1486)

Id
The ID of the object.
Required: Yes
Type: String
Minimum: 1
Maximum: 1024

Name
The name of the object.
Required: Yes
Type: String
Minimum: 1
Maximum: 1024
AWS::DataPipeline::Pipeline PipelineTag
A list of arbitrary tags (key-value pairs) to associate with the pipeline, which you can use to control
permissions. For more information, see Controlling Access to Pipelines and Resources in the AWS Data
Pipeline Developer Guide.

1491
DAX
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
The key name of a tag.
Required: Yes
Type: String

Value
The value to associate with the key name.
Required: Yes
Type: String
DAX Resource Type Reference

Resource Types
• AWS::DAX::Cluster (p. 1492)

• AWS::DAX::ParameterGroup (p. 1499)
• AWS::DAX::SubnetGroup (p. 1501)
AWS::DAX::Cluster
Creates a DAX cluster. All nodes in the cluster run the same DAX caching software.
Syntax
JSON

1492
DAX
"Type" : "AWS::DAX::Cluster",
"Properties" : {
"ClusterName" : String,
"IAMRoleARN" : String,
"NodeType" : String,
"NotificationTopicARN" : String,
"ParameterGroupName" : String,
"PreferredMaintenanceWindow" : String,
"ReplicationFactor" : Integer,
"SSESpecification" : SSESpecification (p. 1498),
"SubnetGroupName" : String,
"Tags" : Json
}
}
YAML
Type: AWS::DAX::Cluster
Properties:
AvailabilityZones:
- String
ClusterName: String
Description: String
IAMRoleARN: String
NodeType: String
NotificationTopicARN: String
ParameterGroupName: String
PreferredMaintenanceWindow: String
ReplicationFactor: Integer
SecurityGroupIds:
- String
SSESpecification:
SSESpecification (p. 1498)
SubnetGroupName: String
Tags: Json
Properties
AvailabilityZones
The Availability Zones (AZs) in which the cluster nodes will reside after the cluster has been created
or updated. If provided, the length of this list must equal the ReplicationFactor parameter.
If you omit this parameter, DAX will spread the nodes across Availability Zones for the highest
availability.
Required: No

ClusterName
The name of the DAX cluster.
Required: No
Type: String

1493
DAX
Description
The description of the cluster.
Required: No
Type: String

IAMRoleARN
A valid Amazon Resource Name (ARN) that identifies an IAM role. At runtime, DAX will assume this
role and use the role's permissions to access DynamoDB on your behalf.
Required: Yes
Type: String

NodeType
The node type for the nodes in the cluster. (All nodes in a DAX cluster are of the same type.)
Required: Yes
Type: String

NotificationTopicARN
The Amazon Resource Name (ARN) of the Amazon SNS topic to which notifications will be sent.
Note
The Amazon SNS topic owner must be same as the DAX cluster owner.
Required: No
Type: String

ParameterGroupName
The parameter group to be associated with the DAX cluster.
Required: No
Type: String

PreferredMaintenanceWindow
A range of time when maintenance of DAX cluster software will be performed. For example:
sun:01:00-sun:09:00. Cluster maintenance normally takes less than 30 minutes, and is
performed automatically within the maintenance window.
Required: No
Type: String

1494
DAX
ReplicationFactor
The number of nodes in the DAX cluster. A replication factor of 1 will create a single-node cluster,
without any read replicas. For additional fault tolerance, you can create a multiple node cluster
with one or more read replicas. To do this, set ReplicationFactor to a number between
3 (one primary and two read replicas) and 10 (one primary and nine read replicas). If the
AvailabilityZones parameter is provided, its length must equal the ReplicationFactor.
Note
AWS recommends that you have at least two read replicas per cluster.
Required: Yes
Type: Integer

SecurityGroupIds
A list of security group IDs to be assigned to each node in the DAX cluster. (Each of the security
group ID is system-generated.)
If this parameter is not specified, DAX assigns the default VPC security group to each node.
Required: No

SSESpecification
Represents the settings used to enable server-side encryption on the cluster.
Required: No
Type: SSESpecification (p. 1498)

SubnetGroupName
The name of the subnet group to be used for the replication group.
Important
DAX clusters can only run in an Amazon VPC environment. All of the subnets that you
specify in a subnet group must exist in the same VPC.
Required: No
Type: String

Tags
A set of tags to associate with the DAX cluster.
Required: No
Type: Json

1495
DAX
Return Values
Ref
created DAX cluster. For example:
{ "Ref": "MyResource" }
Returns a value similar to the following:
MyDAXCluster
Fn::GetAtt
Arn
Returns the ARN of the DAX cluster. For example:
{ "Fn::GetAtt": ["MyDAXCluster", "Arn"] }
arn:aws:dax:us-east-1:111122223333:cache/MyDAXCluster
ClusterDiscoveryEndpoint
Returns the configuration endpoint of the DAX cluster. For example:
{ "Fn::GetAtt": ["MyDAXCluster", "ClusterDiscoveryEndpoint"] }
mydaxcluster.0h3d6x.clustercfg.dax.use1.cache.amazonaws.com:8111
Examples
Create Cluster
The following example creates a DAX cluster.
JSON

1496
DAX
"Description": "Create a DAX cluster",
"Resources": {
"daxCluster": {
"Type": "AWS::DAX::Cluster",
"Properties": {
"ClusterName": "MyDAXCluster",
"NodeType": "dax.r3.large",
"ReplicationFactor": 1,
"IAMRoleARN": "arn:aws:iam::111122223333:role/DaxAccess",
"Description": "DAX cluster created with CloudFormation",
"SubnetGroupName": {"Ref":"subnetGroupClu"}
}
},
"subnetGroupClu": {
"Type": "AWS::DAX::SubnetGroup",
"Properties": {
"SubnetGroupName": "MySubnetGroup",
"Description": "Subnet group for DAX cluster",
"SubnetIds": [
{"Ref":"subnet1"},
{"Ref":"subnet2"}
]
}
},
"subnet1": {
"Properties": {
"VpcId": {"Ref":"daxVpc"},
"CidrBlock": "172.13.17.0/24",
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
}
}
},
"subnet2": {
"Properties": {
"VpcId": {"Ref":"daxVpc"},
"CidrBlock": "172.13.18.0/24",
"Fn::Select": [
1,
{
"Fn::GetAZs": ""
}
]
}
}
},
"daxVpc": {
"Properties": {
"CidrBlock": "172.13.0.0/16"
}
}
},
"Outputs": {
"Cluster": {
"Value": {"Ref":"daxCluster"}
}

1497
DAX
}
}
YAML
Description: "Create a DAX cluster"
Resources:
daxCluster:
Type: AWS::DAX::Cluster
Properties:
ClusterName: "MyDAXCluster"
NodeType: "dax.r3.large"
ReplicationFactor: 1
IAMRoleARN: "arn:aws:iam::111122223333:role/DaxAccess"
Description: "DAX cluster created with CloudFormation"
SubnetGroupName: !Ref subnetGroupClu
subnetGroupClu:
Type: AWS::DAX::SubnetGroup
Properties:
SubnetGroupName: "CFNClusterSubnetGrp"
Description: "Subnet group for DAX cluster"
SubnetIds:
- !Ref subnet1
- !Ref subnet2
subnet1:
Properties:
VpcId:
!Ref daxVpc
CidrBlock: 172.13.17.0/24
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
subnet2:
Properties:
VpcId:
!Ref daxVpc
CidrBlock: 172.13.18.0/24
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ""
daxVpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 172.13.0.0/16
Outputs:
Cluster:
Value: !Ref daxCluster
AWS::DAX::Cluster SSESpecification
Represents the settings used to enable server-side encryption.
Syntax

1498
DAX
JSON
{
"SSEEnabled" : Boolean
}
YAML
SSEEnabled: Boolean
Properties
SSEEnabled
Indicates whether server-side encryption is enabled (true) or disabled (false) on the cluster.
Required: No
Type: Boolean
AWS::DAX::ParameterGroup
A named set of parameters that are applied to all of the nodes in a DAX cluster.
Syntax
JSON
{
"Type" : "AWS::DAX::ParameterGroup",
"Properties" : {
"ParameterGroupName" : String,
"ParameterNameValues" : Json
}
}
YAML
Type: AWS::DAX::ParameterGroup
Properties:
Description: String
ParameterGroupName: String
ParameterNameValues: Json
Properties
Description
A description of the parameter group.
Required: No

1499
DAX
Type: String

ParameterGroupName
The name of the parameter group.
Required: No
Type: String

ParameterNameValues
An array of name-value pairs for the parameters in the group. Each element in the array represents a
single parameter.
Required: No
Type: Json
Return Values
Ref
created parameter group. For example:
{ "Ref": "MyDAXParameterGroup" }
my-dax-parameter-group
Examples
Create Parameter Group
The following example creates a DAX parameter group.
JSON
{
"Description": "DAX parameter group",
"Resources": {
"daxParamGroup": {
"Type": "AWS::DAX::ParameterGroup",
"Properties": {
"ParameterGroupName": "MyDAXParameterGroup",
"Description": "Description for my DAX parameter group",
"ParameterNameValues": {
"query-ttl-millis": "75000",

1500
DAX
"record-ttl-millis": "88000"
}
}
}
},
"Outputs": {
"ParameterGroup": {
"Value": {
"Ref": "daxParamGroup"
}
}
}
}
YAML
Description: "DAX parameter group"
Resources:
daxParamGroup:
Type: AWS::DAX::ParameterGroup
Properties:
ParameterGroupName: "MyDAXParameterGroup"
Description: "Description for my DAX parameter group"
ParameterNameValues:
"query-ttl-millis" : "75000"
"record-ttl-millis" : "88000"
Outputs:
ParameterGroup:
Value: !Ref daxParamGroup
AWS::DAX::SubnetGroup
Creates a new subnet group.
Syntax
JSON
{
"Type" : "AWS::DAX::SubnetGroup",
"Properties" : {
"SubnetGroupName" : String,
}
}
YAML
Properties:
Description: String
SubnetGroupName: String
SubnetIds:

1501
DAX
- String
Properties
Description
The description of the subnet group.
Required: No
Type: String

SubnetGroupName
The name of the subnet group.
Required: No
Type: String

SubnetIds
A list of VPC subnet IDs for the subnet group.
Required: Yes
Return Values
Ref
created subnet group. For example
{ "Ref": "MyDAXSubnetGroup" }
my-dax-subnet-group
Examples
Create Subnet group
The following example creates a DAX subnet group.
JSON

1502
DAX
"Description": "Create a DAX subnet group",
"Resources": {
"MyDAXSubnetGroup": {
"Type": "AWS::DAX::SubnetGroup",
"Properties": {
"SubnetGroupName": "my-dax-subnet-group",
"Description": "Description of my DAX subnet group",
"SubnetIds": [
"subnet1",
"subnet2"
]
}
},
"subnet1": {
"Properties": {
"VpcId": "daxVPC",
"CidrBlock": "172.13.17.0/24",
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
}
}
},
"subnet2": {
"Properties": {
"VpcId": "daxVPC",
"CidrBlock": "172.13.18.0/24",
"Fn::Select": [
1,
{
"Fn::GetAZs": ""
}
]
}
}
},
"daxVpc": {
"Properties": {
"CidrBlock": "172.13.0.0/16"
}
}
},
"Outputs": {
"ParameterGroup": {
"Value": "MyDAXSubnetGroup"
}
}
}
YAML
Description: "DAX subnet group"

1503
Directory Service
Resources:
MyDAXSubnetGroup:
Properties:
SubnetGroupName: "my-dax-subnet-group"
Description: "Description of my DAX subnet group"
SubnetIds:
- !Ref subnet1
- !Ref subnet2
subnet1:
Properties:
VpcId:
!Ref daxVpc
CidrBlock: 172.13.17.0/24
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
subnet2:
Properties:
VpcId:
!Ref daxVpc
CidrBlock: 172.13.18.0/24
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ""
daxVpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 172.13.0.0/16
Outputs:
ParameterGroup:
Value: !Ref MyDAXSubnetGroup
AWS Directory Service Resource Type Reference

Resource Types
• AWS::DirectoryService::MicrosoftAD (p. 1504)

• AWS::DirectoryService::SimpleAD (p. 1508)
AWS::DirectoryService::MicrosoftAD
The AWS::DirectoryService::MicrosoftAD resource specifies a Microsoft Active Directory in AWS
so that your directory users and groups can access the AWS Management Console and AWS applications
using their existing credentials. For more information, see AWS Managed Microsoft AD in the AWS
Directory Service Admin Guide.
Syntax
JSON
{
"Type" : "AWS::DirectoryService::MicrosoftAD",

1504
Directory Service
"Properties" : {
"CreateAlias" : Boolean,
"Edition" : String,
"EnableSso" : Boolean,
"Name" : String,
"ShortName" : String,
"VpcSettings" : VpcSettings (p. 1508)
}
}
YAML
Type: AWS::DirectoryService::MicrosoftAD
Properties:
CreateAlias: Boolean
Edition: String
EnableSso: Boolean
Name: String
Password: String
ShortName: String
VpcSettings:
VpcSettings (p. 1508)
Properties
CreateAlias
Specifies an alias for a directory and assigns the alias to the directory. The alias is used to construct
the access URL for the directory, such as http://<alias>.awsapps.com. By default, AWS
CloudFormation does not create an alias.
Important
After an alias has been created, it cannot be deleted or reused, so this operation should only
be used when absolutely necessary.
Required: No
Type: Boolean

Edition
AWS Managed Microsoft AD is available in two editions: Standard and Enterprise. Enterprise
is the default.
Required: No
Type: String
Allowed Values: Enterprise | Standard

EnableSso
Whether to enable single sign-on for a Microsoft Active Directory in AWS. Single sign-on allows users
in your directory to access certain AWS services from a computer joined to the directory without
having to enter their credentials separately. If you don't specify a value, AWS CloudFormation
disables single sign-on by default.
Required: No

1505
Directory Service
Type: Boolean

Name
The fully qualified domain name for the AWS Managed Microsoft AD directory, such as
corp.example.com. This name will resolve inside your VPC only. It does not need to be publicly
resolvable.
Required: Yes
Type: String
Pattern: ^([a-zA-Z0-9]+[\\.-])+([a-zA-Z0-9])+$

Password
The password for the default administrative user named Admin.
If you need to change the password for the administrator account, see the ResetUserPassword API
call in the AWS Directory Service API Reference.
Required: Yes
Type: String
Pattern: (?=^.{8,64}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[Â-Za-
z0-9\s])(?=.*[a-z])|(?=.*[Â-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?
=.*[A-Z])(?=.*[Â-Za-z0-9\s]))^.*

ShortName
The NetBIOS name for your domain, such as CORP. If you don't specify a NetBIOS name, it
will default to the first part of your directory DNS. For example, CORP for the directory DNS
corp.example.com.
Required: No
Type: String
Pattern: ^[^\\/:*?\"\<\>|.]+[^\\/:*?\"<>|]*$

VpcSettings
Specifies the VPC settings of the Microsoft AD directory server in AWS.
Required: Yes
Type: VpcSettings (p. 1508)
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource ID.

1506
Directory Service
In the following sample, the Ref function returns the ID of the myDirectory directory, such as
d-12345ab592.
{ "Ref": "myDirectory" }
Fn::GetAtt
Alias
The alias for a directory. For example: d-12373a053a or alias4-mydirectory-12345abcgmzsk

(if you have the CreateAlias property set to true).
DnsIpAddresses
The IP addresses of the DNS servers for the directory, such as [ "192.0.2.1", "192.0.2.2" ].
Examples
The following example creates a Microsoft Active Directory in AWS, where the directory DNS name is
corp.example.com:
Create an AWS Managed Microsoft Directory
JSON
"myDirectory" : {
"Type" : "AWS::DirectoryService::MicrosoftAD",
"Properties" : {
"Name" : "corp.example.com",
"Password" : { "Ref" : "MicrosoftADPW" },
"ShortName" : { "Ref" : "MicrosoftADShortName" },
"VpcSettings" : {
"SubnetIds" : [ { "Ref" : "subnetID1" }, { "Ref" : "subnetID2" } ],
"VpcId" : { "Ref" : "vpcID" }
}
}
}
YAML
myDirectory:
Type: AWS::DirectoryService::MicrosoftAD
Properties:
Name: "corp.example.com"
Password:
Ref: MicrosoftADPW
ShortName:
Ref: MicrosoftADShortName
VpcSettings:
SubnetIds:
- Ref: subnetID1
- Ref: subnetID2
VpcId:

1507
Directory Service
Ref: vpcID
See Also
• Getting Started with AWS Managed Microsoft AD in the AWS Directory Service Admin Guide..
• CreateMicrosoftAD in the AWS Directory Service API Reference.
AWS::DirectoryService::MicrosoftAD VpcSettings
Contains VPC information for the CreateDirectory or CreateMicrosoftAD operation.
Syntax
JSON
{
"VpcId" : String
}
YAML
SubnetIds:
- String
VpcId: String
Properties
SubnetIds
The identifiers of the subnets for the directory servers. The two subnets must be in different
Availability Zones. AWS Directory Service specifies a directory server and a DNS server in each of
these subnets.
Required: Yes

VpcId
The identifier of the VPC in which to create the directory.
Required: Yes
Type: String
Pattern: ^(vpc-[0-9a-f]{8}|vpc-[0-9a-f]{17})$
AWS::DirectoryService::SimpleAD
The AWS::DirectoryService::SimpleAD resource specifies an AWS Directory Service Simple Active
Directory (Simple AD) in AWS so that your directory users and groups can access the AWS Management

1508
Directory Service
Console and AWS applications using their existing credentials. Simple AD is a Microsoft Active Directory–
compatible directory. For more information, see Simple Active Directory in the AWS Directory Service
Admin Guide.
Syntax
JSON
{
"Type" : "AWS::DirectoryService::SimpleAD",
"Properties" : {
"CreateAlias" : Boolean,
"EnableSso" : Boolean,
"Name" : String,
"ShortName" : String,
"Size" : String,
"VpcSettings" : VpcSettings (p. 1512)
}
}
YAML
Type: AWS::DirectoryService::SimpleAD
Properties:
CreateAlias: Boolean
Description: String
EnableSso: Boolean
Name: String
Password: String
ShortName: String
Size: String
VpcSettings:
VpcSettings (p. 1512)
Properties
CreateAlias
If set to true, specifies an alias for a directory and assigns the alias to the directory. The alias is used
to construct the access URL for the directory, such as http://<alias>.awsapps.com. By default,
this property is set to false.
Important
After an alias has been created, it cannot be deleted or reused, so this operation should only
be used when absolutely necessary.
Required: No
Type: Boolean

Description
A description for the directory.
Required: No

1509
Directory Service
Type: String
Minimum: 0
Maximum: 128
Pattern: ^([a-zA-Z0-9_])[\\a-zA-Z0-9_@#%*+=:?./!\s-]*$

EnableSso
Whether to enable single sign-on for a directory. If you don't specify a value, AWS CloudFormation
disables single sign-on by default.
Required: No
Type: Boolean

Name
The fully qualified name for the directory, such as corp.example.com.
Required: Yes
Type: String
Pattern: ^([a-zA-Z0-9]+[\\.-])+([a-zA-Z0-9])+$

Password
The password for the directory administrator. The directory creation process creates a directory
administrator account with the user name Administrator and this password.
If you need to change the password for the administrator account, see the ResetUserPassword API
call in the AWS Directory Service API Reference.
Required: Yes
Type: String
Pattern: (?=^.{8,64}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[Â-Za-
z0-9\s])(?=.*[a-z])|(?=.*[Â-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?
=.*[A-Z])(?=.*[Â-Za-z0-9\s]))^.*

ShortName
The NetBIOS name of the directory, such as CORP.
Required: No
Type: String
Pattern: ^[^\\/:*?\"\<\>|.]+[^\\/:*?\"<>|]*$

Size
The size of the directory. For valid values, see CreateDirectory in the AWS Directory Service API
Reference.

1510
Directory Service
Required: Yes
Type: String
Allowed Values: Large | Small

VpcSettings
A DirectoryVpcSettings object that contains additional information for the operation.
Required: Yes
Type: VpcSettings (p. 1512)
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource ID.
In the following sample, the Ref function returns the ID of the myDirectory directory, such as
d-1a2b3c4d5e.
{ "Ref": "myDirectory" }
Fn::GetAtt
Alias
The alias for a directory. For example: d-12373a053a or alias4-mydirectory-12345abcgmzsk

(if you have the CreateAlias property set to true).
DnsIpAddresses
The IP addresses of the DNS servers for the directory, such as [ "172.31.3.154",
"172.31.63.203" ].
Examples
The following example creates a Simple AD directory, where the directory DNS name is
corp.example.com:
Create a Simple AD Directory
JSON
"myDirectory" : {
"Type" : "AWS::DirectoryService::SimpleAD",
"Properties" : {
"Name" : "corp.example.com",

1511
Directory Service
"Password" : { "Ref" : "SimpleADPW" },

"Size" : "Small",
"VpcSettings" : {
"SubnetIds" : [ { "Ref" : "subnetID1" }, { "Ref" : "subnetID2" } ],
"VpcId" : { "Ref" : "vpcID" }
}
}
}
YAML
myDirectory:
Type: AWS::DirectoryService::SimpleAD
Properties:
Name: "corp.example.com"
Password:
Ref: SimpleADPW
Size: "Small"
VpcSettings:
SubnetIds:
- Ref: subnetID1
- Ref: subnetID2
VpcId:
Ref: vpcID
See Also
• Getting Started with Simple AD in the AWS Directory Service Admin Guide..
• CreateDirectory in the AWS Directory Service API Reference.
AWS::DirectoryService::SimpleAD VpcSettings
Contains VPC information for the CreateDirectory or CreateMicrosoftAD operation.
Syntax
JSON
{
"VpcId" : String
}
YAML
SubnetIds:
- String
VpcId: String
Properties
SubnetIds
The identifiers of the subnets for the directory servers. The two subnets must be in different
Availability Zones. AWS Directory Service specifies a directory server and a DNS server in each of
these subnets.

1512
DLM
Required: Yes

VpcId
The identifier of the VPC in which to create the directory.
Required: Yes
Type: String
Pattern: ^(vpc-[0-9a-f]{8}|vpc-[0-9a-f]{17})$
DLM Resource Type Reference

Resource Types
• AWS::DLM::LifecyclePolicy (p. 1513)
AWS::DLM::LifecyclePolicy
Specifies a lifecycle policy, which is used to automate operations on Amazon EBS resources.
The properties are required when you add a lifecycle policy and optional when you update a lifecycle
policy.
Syntax
JSON
{
"Type" : "AWS::DLM::LifecyclePolicy",
"Properties" : {
"ExecutionRoleArn" : String,
"PolicyDetails" : PolicyDetails (p. 1519),
"State" : String
}
}
YAML
Type: AWS::DLM::LifecyclePolicy
Properties:
Description: String
ExecutionRoleArn: String
PolicyDetails:
PolicyDetails (p. 1519)
State: String

1513
DLM
Properties
Description
A description of the lifecycle policy. The characters ^[0-9A-Za-z _-]+$ are supported.
Type: String
Minimum: 0
Maximum: 500
Pattern: [0-9A-Za-z _-]+

ExecutionRoleArn
The Amazon Resource Name (ARN) of the IAM role used to run the operations specified by the
lifecycle policy.
Type: String
Minimum: 0
Maximum: 2048
Pattern: arn:aws:iam::\d+:role/.*

PolicyDetails
The configuration details of the lifecycle policy.
Type: PolicyDetails (p. 1519)

State
The activation state of the lifecycle policy.
Type: String
Allowed Values: DISABLED | ENABLED | ERROR
Return Values
Ref
lifecycle policy.

1514
DLM
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the lifecycle policy.
Examples
Creating a Lifecycle Policy
The following example demonstrates how to create a basic lifecycle policy.
YAML
Description: "Basic LifecyclePolicy"

Resources:
BasicLifecyclePolicy:
Type: "AWS::DLM::LifecyclePolicy"
Properties:
Description: "Lifecycle Policy using CloudFormation"
State: "ENABLED"
ExecutionRoleArn: "arn:aws:iam::123456789012:role/AWSDataLifecycleManagerDefaultRole"
PolicyDetails:
ResourceTypes:
- "VOLUME"
TargetTags:
-
Key: "costcenter"
Value: "115"
Schedules:
-
Name: "Daily Snapshots"
TagsToAdd:
-
Key: "type"
Value: "DailySnapshot"
CreateRule:
Interval: 12
IntervalUnit: "HOURS"
Times:
- "13:00"
RetainRule:
Count: 1
CopyTags: true
JSON
{
"Description": "Basic LifecyclePolicy",
"Resources": {
"BasicLifecyclePolicy": {
"Type": "AWS::DLM::LifecyclePolicy",
"Properties": {

1515
DLM
"Description": "Lifecycle Policy using CloudFormation",

"State": "ENABLED",
"ExecutionRoleArn": "arn:aws:iam::123456789012:role/
AWSDataLifecycleManagerDefaultRole",
"PolicyDetails": {
"ResourceTypes": [
"VOLUME"
],
"TargetTags": [
{
"Key": "costcenter",
"Value": "115"
}
],
"Schedules": [
{
"Name": "Daily Snapshots",
"TagsToAdd": [
{
"Key": "type",
"Value": "DailySnapshot"
}
],
"CreateRule": {
"Interval": 12,
"IntervalUnit": "HOURS",
"Times": [
"13:00"
]
},
"RetainRule": {
"Count": 1
},
"CopyTags": true
}
]
}
}
}
}
See Also
• CreateLifecyclePolicy in the Amazon Data Lifecycle Manager API Reference
• Automating the Amazon EBS Snapshot Lifecycle in the Amazon Elastic Compute Cloud User Guide
AWS::DLM::LifecyclePolicy CreateRule
Specifies when to create snapshots of EBS volumes.
Syntax
JSON
{
"Interval" : Integer,
"IntervalUnit" : String,
"Times" : [ String, ... ]
}

1516
DLM
YAML
Interval: Integer
IntervalUnit: String
Times:
- String
Properties
Interval
The interval between snapshots. The supported values are 2, 3, 4, 6, 8, 12, and 24.
Required: Yes
Type: Integer
Minimum: 1

IntervalUnit
The interval unit.
Required: Yes
Type: String
Allowed Values: HOURS

Times
The time, in UTC, to start the operation. The supported format is hh:mm.
The operation occurs within a one-hour window following the specified time.
Required: No
Maximum: 1
AWS::DLM::LifecyclePolicy FastRestoreRule
Specifies a rule for enabling fast snapshot restore. You can enable fast snapshot restore based on either
a count or a time interval.
Syntax
JSON
{
"Count" : Integer
}

1517
DLM
YAML
AvailabilityZones:
- String
Count: Integer
Properties
AvailabilityZones
The Availability Zones in which to enable fast snapshot restore.
Required: No
Maximum: 10

Count
The number of snapshots to be enabled with fast snapshot restore.
Required: Yes
Type: Integer
Minimum: 1
Maximum: 1000
AWS::DLM::LifecyclePolicy Parameters
Optional parameters that can be added to the policy. The set of valid parameters depends on the
combination of policyType and resourceType values.
Syntax
JSON
{
"ExcludeBootVolume" : Boolean
}
YAML
ExcludeBootVolume: Boolean
Properties
ExcludeBootVolume
When executing an EBS Snapshot Management – Instance policy, execute all CreateSnapshots
calls with the excludeBootVolume set to the supplied field. Defaults to false. Only valid for EBS
Snapshot Management – Instance policies.

1518
DLM
Required: No
Type: Boolean
AWS::DLM::LifecyclePolicy PolicyDetails
Specifies the configuration of a lifecycle policy.
Syntax
JSON
{
"Parameters" : Parameters (p. 1518),
"ResourceTypes" : [ String, ... ],
"Schedules" : [ Schedule (p. 1521), ... ],
"TargetTags" : [ Tag, ... ]
}
YAML
Parameters:
Parameters (p. 1518)
PolicyType: String
ResourceTypes:
- String
Schedules:
- Schedule (p. 1521)
TargetTags:
- Tag
Properties
Parameters
A set of optional parameters that can be provided by the policy.
Required: No
Type: Parameters (p. 1518)

PolicyType
This field determines the valid target resource types and actions a policy can manage. This field
defaults to EBS_SNAPSHOT_MANAGEMENT if not present.
Required: No
Type: String
Allowed Values: EBS_SNAPSHOT_MANAGEMENT

1519
DLM
ResourceTypes
The resource type.
Required: No
Maximum: 1

Schedules
The schedule of policy-defined actions.
Required: No
Type: List of Schedule (p. 1521)
Maximum: 1

TargetTags
The single tag that identifies targeted resources for this policy.
Required: No
Type: List of Tag
Maximum: 50
See Also
• PolicyDetails in the Amazon Data Lifecycle Manager API Reference
AWS::DLM::LifecyclePolicy RetainRule
Specifies the retention rule for a lifecycle policy. You can retain snapshots based on either a count or a
time interval.
Syntax
JSON
{
"Count" : Integer
}
YAML
Count: Integer

1520
DLM
Properties
Count
The number of snapshots to retain for each volume, up to a maximum of 1000.
Required: Yes
Type: Integer
Minimum: 1
Maximum: 1000
AWS::DLM::LifecyclePolicy Schedule
Specifies a backup schedule.
Syntax
JSON
{
"CopyTags" : Boolean,
"CreateRule" : CreateRule (p. 1516),
"FastRestoreRule" : FastRestoreRule (p. 1517),
"Name" : String,
"RetainRule" : RetainRule (p. 1520),
"TagsToAdd" : [ Tag, ... ],
"VariableTags" : [ Tag, ... ]
}
YAML
CopyTags: Boolean
CreateRule:
CreateRule (p. 1516)
FastRestoreRule:
FastRestoreRule (p. 1517)
Name: String
RetainRule:
RetainRule (p. 1520)
TagsToAdd:
- Tag
VariableTags:
- Tag
Properties
CopyTags
Copy all user-defined tags on a source volume to snapshots of the volume created by this policy.
Required: No
Type: Boolean

1521
DLM

CreateRule
The create rule.
Required: No
Type: CreateRule (p. 1516)

FastRestoreRule
Enable fast snapshot restore.
Required: No
Type: FastRestoreRule (p. 1517)

Name
The name of the schedule.
Required: No
Type: String
Minimum: 0
Maximum: 500
Pattern: [\p{all}]*

RetainRule
The retention rule.
Required: No
Type: RetainRule (p. 1520)

TagsToAdd
The tags to apply to policy-created resources. These user-defined tags are in addition to the AWS-
added lifecycle tags.
Required: No
Type: List of Tag
Maximum: 50

VariableTags
A collection of key/value pairs with values determined dynamically when the policy is executed.
Keys may be any valid Amazon EC2 tag key. Values must be in one of the two following formats:
$(instance-id) or $(timestamp). Variable tags are only valid for EBS Snapshot Management –
Instance policies.

1522
DMS
Required: No
Type: List of Tag
Maximum: 50
DMS Resource Type Reference

Resource Types
• AWS::DMS::Certificate (p. 1523)

• AWS::DMS::Endpoint (p. 1525)
• AWS::DMS::EventSubscription (p. 1537)
• AWS::DMS::ReplicationInstance (p. 1540)
• AWS::DMS::ReplicationSubnetGroup (p. 1545)
• AWS::DMS::ReplicationTask (p. 1547)
AWS::DMS::Certificate
The AWS::DMS::Certificate resource creates an SSL certificate that encrypts connections between
AWS DMS endpoints and the replication instance.
Syntax
JSON
{
"Type" : "AWS::DMS::Certificate",
"Properties" : {
"CertificateIdentifier" : String,
"CertificatePem" : String,
"CertificateWallet" : String
}
}
YAML
Type: AWS::DMS::Certificate
Properties:
CertificateIdentifier: String
CertificatePem: String
CertificateWallet: String
Properties
CertificateIdentifier
A customer-assigned name for the certificate. Identifiers must begin with a letter; must contain
only ASCII letters, digits, and hyphens; and must not end with a hyphen or contain two consecutive
hyphens.

1523
DMS
Required: No
Type: String

CertificatePem
The contents of a .pem file, which contains an X.509 certificate.
Required: No
Type: String

CertificateWallet
The location of an imported Oracle Wallet certificate for use with SSL.
Required: No
Type: String
Return Values
Ref
Resource Name (ARN) of the certificate.
Examples
JSON
{
"Description": "Certificate test",
"Resources": {
"BasicCertificate": {
"Type": "AWS::DMS::Certificate",
"Properties": {
"CertificatePem": "-----BEGIN CERTIFICATE-----\n MIID/
DCCAuSgAwIBAgIBUDANBgkqhkiG9w0BAQsFADCBijELMAkGA1UEBhMCVVMx...mqfEEuC7uUoPofXdBp2ObQ==\n
-----END CERTIFICATE-----\n"
}
}
}
}
YAML
Description: "Certificate test"
Resources:
BasicCertificate:
Properties:

1524
DMS
CertificatePem: |-
-----BEGIN CERTIFICATE-----
MIID/
DCCAuSgAwIBAgABCDEFgkqhkiG9w0BAQsFADCBijEXAMPLE1UEBhMCVVMx...mqfEEuC7uUoPofXdBp2ObQ==
-----END CERTIFICATE-----
Type: "AWS::DMS::Certificate"
See Also
• ImportCertificate in the AWS Database Migration Service API Reference
AWS::DMS::Endpoint
The AWS::DMS::Endpoint resource creates an AWS DMS endpoint.
Syntax
JSON
{
"Type" : "AWS::DMS::Endpoint",
"Properties" : {
"DynamoDbSettings" : DynamoDbSettings (p. 1530),
"ElasticsearchSettings" : ElasticsearchSettings (p. 1531),
"EndpointIdentifier" : String,
"EngineName" : String,
"ExtraConnectionAttributes" : String,
"KinesisSettings" : KinesisSettings (p. 1532),
"MongoDbSettings" : MongoDbSettings (p. 1533),
"Port" : Integer,
"S3Settings" : S3Settings (p. 1535),
"ServerName" : String,
"SslMode" : String,
"Tags" : [ Tag, ... ],
"Username" : String
}
}
YAML
Type: AWS::DMS::Endpoint
Properties:
DynamoDbSettings:
DynamoDbSettings (p. 1530)
ElasticsearchSettings:
ElasticsearchSettings (p. 1531)
EndpointIdentifier: String
EngineName: String
ExtraConnectionAttributes: String

1525
DMS
KinesisSettings:
KinesisSettings (p. 1532)
KmsKeyId: String
MongoDbSettings:
MongoDbSettings (p. 1533)
Password: String
Port: Integer
S3Settings:
S3Settings (p. 1535)
ServerName: String
SslMode: String
Tags:
- Tag
Username: String
Properties
CertificateArn
The Amazon Resource Name (ARN) for the certificate.
Required: No
Type: String

DatabaseName
The name of the endpoint database.
Required: No
Type: String

DynamoDbSettings
Settings in JSON format for the target Amazon DynamoDB endpoint. For more information about
the available settings, see Using Object Mapping to Migrate Data to DynamoDB in the AWS Database
Migration Service User Guide.
Required: No
Type: DynamoDbSettings (p. 1530)

ElasticsearchSettings
Settings in JSON format for the target Elasticsearch endpoint. For more information about the
available settings, see Extra Connection Attributes When Using Elasticsearch as a Target for AWS
DMS in the AWS Database Migration User Guide.
Required: No
Type: ElasticsearchSettings (p. 1531)

EndpointIdentifier
The database endpoint identifier. Identifiers must begin with a letter; must contain only ASCII
letters, digits, and hyphens; and must not end with a hyphen or contain two consecutive hyphens.

1526
DMS
Required: No
Type: String

EndpointType
The type of endpoint. Valid values are source and target.
Required: Yes
Type: String
Allowed Values: source | target

EngineName
The type of engine for the endpoint. Valid values, depending on the EndpointType value, include
mysql, oracle, postgres, mariadb, aurora, aurora-postgresql, redshift, s3, db2,
azuredb, sybase, dynamodb, mongodb, and sqlserver.
Required: Yes
Type: String

ExtraConnectionAttributes
Additional attributes associated with the connection. Each attribute is specified as a name-value
pair associated by an equal sign (=). Multiple attributes are separated by a semicolon (;) with no
additional white space. For information on the attributes available for connecting your source or
target endpoint, see Working with AWS DMS Endpoints in the AWS Database Migration Service User
Guide.
Required: No
Type: String

KinesisSettings
Settings in JSON format for the target Amazon Kinesis Data Streams endpoint. For more information
about the available settings, see Using Object Mapping to Migrate Data to a Kinesis Data Stream in
the AWS Database Migration User Guide.
Required: No
Type: KinesisSettings (p. 1532)

KmsKeyId
An AWS KMS key identifier that is used to encrypt the connection parameters for the endpoint.
If you don't specify a value for the KmsKeyId parameter, then AWS DMS uses your default
encryption key.
AWS KMS creates the default encryption key for your AWS account. Your AWS account has a
different default encryption key for each AWS Region.

1527
DMS
Required: No
Type: String

MongoDbSettings
Settings in JSON format for the source MongoDB endpoint. For more information about the
available settings, see the configuration properties section in Using MongoDB as a Target for AWS
Database Migration Service in the AWS Database Migration Service User Guide.
Required: No
Type: MongoDbSettings (p. 1533)

Password
The password to be used to log in to the endpoint database.
Required: No
Type: String

Port
The port used by the endpoint database.
Required: No
Type: Integer

S3Settings
Settings in JSON format for the target Amazon S3 endpoint. For more information about the
available settings, see Extra Connection Attributes When Using Amazon S3 as a Target for AWS DMS
in the AWS Database Migration Service User Guide.
Required: No
Type: S3Settings (p. 1535)

ServerName
The name of the server where the endpoint database resides.
Required: No
Type: String

SslMode
The Secure Sockets Layer (SSL) mode to use for the SSL connection. The default is none
Required: No

1528
DMS
Type: String
Allowed Values: none | require | verify-ca | verify-full

Tags
One or more tags to be assigned to the endpoint.
Required: No
Type: List of Tag

Username
The user name to be used to log in to the endpoint database.
Required: No
Type: String
Return Values
Ref
endpoint.
Fn::GetAtt
ExternalId
A value that can be used for cross-account validation.
Examples
JSON
{
"Resources": {
"myBasicEndpoint": {
"Type": "AWS::DMS::Endpoint",
"Properties": {
"EngineName": "mysql",
"EndpointType": "source",
"Username": "username",
"Password": {

1529
DMS
"Ref": "PasswordParameter"
},
"ServerName": "source.db.amazon.com",
"Port": 1234,
"DatabaseName": "source-db"
}
}
}
}
YAML
Description: "Endpoint test"
Resources:
BasicEndpoint:
Properties:
DatabaseName: my-db
EndpointType: target
EngineName: mysql
Password: PasswordParameter
Port: 1234
ServerName: server.db.amazon.com
Tags:
-
Key: type
Value: new
Username: username
Type: "AWS::DMS::Endpoint"
See Also
• CreateEndpoint in the AWS Database Migration Service API Reference
AWS::DMS::Endpoint DynamoDbSettings
Syntax
JSON
{
"ServiceAccessRoleArn" : String
}
YAML
ServiceAccessRoleArn: String
Properties
ServiceAccessRoleArn
The Amazon Resource Name (ARN) used by the service access IAM role.
Required: No

1530
DMS
Type: String
AWS::DMS::Endpoint ElasticsearchSettings
Syntax
JSON
{
"EndpointUri" : String,
"ErrorRetryDuration" : Integer,
"FullLoadErrorPercentage" : Integer,
}
YAML
EndpointUri: String
ErrorRetryDuration: Integer
FullLoadErrorPercentage: Integer
Properties
EndpointUri
The endpoint for the Elasticsearch cluster.
Required: No
Type: String

ErrorRetryDuration
The maximum number of seconds that DMS retries failed API requests to the Elasticsearch cluster.
Required: No
Type: Integer

FullLoadErrorPercentage
The maximum percentage of records that can fail to be written before a full load operation stops.
Required: No
Type: Integer

The Amazon Resource Name (ARN) used by service to access the IAM role.

1531
DMS
Required: No
Type: String
AWS::DMS::Endpoint KinesisSettings
Syntax
JSON
{
"MessageFormat" : String,
"ServiceAccessRoleArn" : String,
"StreamArn" : String
}
YAML
MessageFormat: String
StreamArn: String
Properties
MessageFormat
The output format for the records created on the endpoint. The message format is JSON.
Required: No
Type: String
Allowed Values: json

The Amazon Resource Name (ARN) for the IAM role that DMS uses to write to the Amazon Kinesis
data stream.
Required: No
Type: String

StreamArn
The Amazon Resource Name (ARN) for the Amazon Kinesis Data Streams endpoint.
Required: No
Type: String

1532
DMS
AWS::DMS::Endpoint MongoDbSettings
Syntax
JSON
{
"AuthMechanism" : String,
"AuthSource" : String,
"DocsToInvestigate" : String,
"ExtractDocId" : String,
"NestingLevel" : String,
"Port" : Integer,
"ServerName" : String,
"Username" : String
}
YAML
AuthMechanism: String
AuthSource: String
AuthType: String
DocsToInvestigate: String
ExtractDocId: String
NestingLevel: String
Password: String
Port: Integer
ServerName: String
Username: String
Properties
AuthMechanism
The authentication mechanism you use to access the MongoDB source endpoint.
Valid values: DEFAULT, MONGODB_CR, SCRAM_SHA_1
DEFAULT – For MongoDB version 2.x, use MONGODB_CR. For MongoDB version 3.x, use
SCRAM_SHA_1. This setting is not used when authType=No.
Required: No
Type: String
Allowed Values: default | mongodb_cr | scram_sha_1

AuthSource
The MongoDB database name. This setting is not used when authType=NO.
The default is admin.
Required: No

1533
DMS
Type: String

AuthType
The authentication type you use to access the MongoDB source endpoint.
Valid values: NO, PASSWORD
When NO is selected, user name and password parameters are not used and can be empty.
Required: No
Type: String
Allowed Values: no | password

DatabaseName
The database name on the MongoDB source endpoint.
Required: No
Type: String

DocsToInvestigate
Indicates the number of documents to preview to determine the document organization. Use this
setting when NestingLevel is set to ONE.
Must be a positive value greater than 0. Default value is 1000.
Required: No
Type: String

ExtractDocId
Specifies the document ID. Use this setting when NestingLevel is set to NONE.
Default value is false.
Required: No
Type: String

NestingLevel
Specifies either document or table mode.
Valid values: NONE, ONE
Default value is NONE. Specify NONE to use document mode. Specify ONE to use table mode.
Required: No
Type: String

1534
DMS
Allowed Values: none | one

Password
The password for the user account you use to access the MongoDB source endpoint.
Required: No
Type: String

Port
The port value for the MongoDB source endpoint.
Required: No
Type: Integer

ServerName
The name of the server on the MongoDB source endpoint.
Required: No
Type: String

Username
The user name you use to access the MongoDB source endpoint.
Required: No
Type: String
AWS::DMS::Endpoint S3Settings
Settings for exporting data to Amazon S3.
Syntax
JSON
{
"BucketFolder" : String,
"BucketName" : String,
"CompressionType" : String,
"CsvDelimiter" : String,
"CsvRowDelimiter" : String,
"ExternalTableDefinition" : String,
}

1535
DMS
YAML
BucketFolder: String
BucketName: String
CompressionType: String
CsvDelimiter: String
CsvRowDelimiter: String
ExternalTableDefinition: String
Properties
BucketFolder
An optional parameter to set a folder name in the S3 bucket. If provided, tables are created in the
path bucketFolder/schema_name/table_name/. If this parameter is not specified, then the
path used is schema_name/table_name/.
Required: No
Type: String

BucketName
The name of the S3 bucket.
Required: No
Type: String

CompressionType
An optional parameter to use GZIP to compress the target files. Set to GZIP to compress the target
files. Set to NONE (the default) or do not use to leave the files uncompressed. Applies to both .csv
and .parquet file formats.
Required: No
Type: String
Allowed Values: gzip | none

CsvDelimiter
The delimiter used to separate columns in the source files. The default is a comma.
Required: No
Type: String

CsvRowDelimiter
The delimiter used to separate rows in the source files. The default is a carriage return (\n).
Required: No
Type: String

1536
DMS

ExternalTableDefinition
The external table definition.
Required: No
Type: String

The Amazon Resource Name (ARN) used by the service access IAM role.
Required: No
Type: String
AWS::DMS::EventSubscription
Use the AWS::DMS::EventSubscription resource to get notifications for AWS Database Migration
Service events through the Amazon Simple Notification Service. For more information, see Using AWS
DMS Event Notification in the AWS Database Migration Service User Guide.
Syntax
JSON
{
"Type" : "AWS::DMS::EventSubscription",
"Properties" : {
"EventCategories" : [ String, ... ],
"SnsTopicArn" : String,
"SourceIds" : [ String, ... ],
"SourceType" : String,
"SubscriptionName" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::DMS::EventSubscription
Properties:
Enabled: Boolean
EventCategories:
- String
SnsTopicArn: String
SourceIds:
- String
SourceType: String
SubscriptionName: String
Tags:
- Tag

1537
DMS
Properties
Enabled
Indicates whether to activate the subscription. If you don't specify this property, AWS
CloudFormation activates the subscription.
Required: No
Type: Boolean

EventCategories
A list of event categories for a source type that you want to subscribe to. If you don't specify this
property, you are notified about all event categories. For more information, see Working with Events
and Notifications in the AWS Database Migration Service User Guide.
Required: No

SnsTopicArn
The Amazon Resource Name (ARN) of the Amazon SNS topic created for event notification. The ARN
is created by Amazon SNS when you create a topic and subscribe to it.
Required: Yes
Type: String

SourceIds
A list of identifiers for which AWS DMS provides notification events.
If you don't specify a value, notifications are provided for all sources.
If you specify multiple values, they must be of the same type. For example, if you specify a database
instance ID, then all of the other values must be database instance IDs.
Required: No

SourceType
The type of AWS DMS resource that generates the events. For example, if you want to be notified of
events generated by a replication instance, you set this parameter to replication-instance. If
this value is not specified, all events are returned.
Valid values: replication-instance | replication-task
Required: No
Type: String

1538
DMS
SubscriptionName
The name of the AWS DMS event notification subscription. This name must be less than 255
characters.
Required: No
Type: String

Tags
One or more tags to be assigned to the event subscription.
Required: No
Type: List of Tag
Return Values
Ref
name. For example:
{ "Ref": "myEventSubscription" }
For the resource with the logical ID myEventSubscription, Ref returns the AWS DMS event subscription
name, such as: mystack-myEventSubscription-1DDYF1E3B3I.
Examples
The following snippet creates an event subscription for an existing replication instance rep-
instance-1, which is declared elsewhere in the same template.
JSON
{
"Resources": {
"myEventSubscription": {
"Type": "AWS::DMS::EventSubscription",
"Properties": {
"EventCategories": [
"configuration change",
"failure",
"deletion"
],
"SnsTopicArn": "arn:aws:sns:us-west-2:123456789012:example-topic",
"SourceIds": [
"rep-instance-1"
],
"SourceType": "replication-instance",
"Enabled": false
}
}

1539
DMS
}
}
YAML
Resources:
myEventSubscription:
Properties:
Enabled: false
EventCategories:
- "configuration change"
- failure
- deletion
SnsTopicArn: "arn:aws:sns:us-west-2:123456789012:example-topic"
SourceIds:
- rep-instance-1
SourceType: replication-instance
Type: "AWS::DMS::EventSubscription"
See Also
• CreateEventSubscription in the AWS Database Migration Service API Reference
AWS::DMS::ReplicationInstance
The AWS::DMS::ReplicationInstance resource creates an AWS DMS replication instance.
Syntax
JSON
{
"Type" : "AWS::DMS::ReplicationInstance",
"Properties" : {
"AllocatedStorage" : Integer,
"AllowMajorVersionUpgrade" : Boolean,
"AvailabilityZone" : String,
"MultiAZ" : Boolean,
"PubliclyAccessible" : Boolean,
"ReplicationInstanceClass" : String,
"ReplicationInstanceIdentifier" : String,
"ReplicationSubnetGroupIdentifier" : String,
"Tags" : [ Tag, ... ],
"VpcSecurityGroupIds" : [ String, ... ]
}
}
YAML
Type: AWS::DMS::ReplicationInstance

1540
DMS
Properties:
AllocatedStorage: Integer
AllowMajorVersionUpgrade: Boolean
AvailabilityZone: String
KmsKeyId: String
MultiAZ: Boolean
PubliclyAccessible: Boolean
ReplicationInstanceClass: String
ReplicationInstanceIdentifier: String
ReplicationSubnetGroupIdentifier: String
Tags:
- Tag
- String
Properties
AllocatedStorage
The amount of storage (in gigabytes) to be initially allocated for the replication instance.
Required: No
Type: Integer

AllowMajorVersionUpgrade
Indicates that major version upgrades are allowed. Changing this parameter does not result in an
outage, and the change is asynchronously applied as soon as possible.
This parameter must be set to true when specifying a value for the EngineVersion parameter
that is a different major version than the replication instance's current version.
Required: No
Type: Boolean

Indicates whether minor engine upgrades will be applied automatically to the replication instance
during the maintenance window. This parameter defaults to true.
Default: true
Required: No
Type: Boolean

AvailabilityZone
The Availability Zone that the replication instance will be created in.
The default value is a random, system-chosen Availability Zone in the endpoint's AWS Region, for
example: us-east-1d
Required: No

1541
DMS
Type: String

EngineVersion
The engine version number of the replication instance.
Required: No
Type: String

KmsKeyId
An AWS KMS key identifier that is used to encrypt the data on the replication instance.
If you don't specify a value for the KmsKeyId parameter, then AWS DMS uses your default
encryption key.
Required: No
Type: String

MultiAZ
Specifies whether the replication instance is a Multi-AZ deployment. You cannot set the
AvailabilityZone parameter if the Multi-AZ parameter is set to true.
Required: No
Type: Boolean

The weekly time range during which system maintenance can occur, in Universal Coordinated Time
(UTC).
Format: ddd:hh24:mi-ddd:hh24:mi
Default: A 30-minute window selected at random from an 8-hour block of time per AWS Region,
occurring on a random day of the week.
Valid Days: Mon, Tue, Wed, Thu, Fri, Sat, Sun
Constraints: Minimum 30-minute window.
Required: No
Type: String

PubliclyAccessible
Specifies the accessibility options for the replication instance. A value of true represents an instance
with a public IP address. A value of false represents an instance with a private IP address. The
default value is true.

1542
DMS
Required: No
Type: Boolean

ReplicationInstanceClass
The compute and memory capacity of the replication instance as specified by the replication
instance class.
Valid Values: dms.t2.micro | dms.t2.small | dms.t2.medium | dms.t2.large |

dms.c4.large | dms.c4.xlarge | dms.c4.2xlarge | dms.c4.4xlarge
Required: Yes
Type: String

ReplicationInstanceIdentifier
The replication instance identifier. This parameter is stored as a lowercase string.
Constraints:
• Must contain from 1 to 63 alphanumeric characters or hyphens.
• First character must be a letter.
• Cannot end with a hyphen or contain two consecutive hyphens.
Example: myrepinstance
Required: No
Type: String

ReplicationSubnetGroupIdentifier
A subnet group to associate with the replication instance.
Required: No
Type: String

Tags
One or more tags to be assigned to the replication instance.
Required: No
Type: List of Tag

VpcSecurityGroupIds
Specifies the VPC security group to be used with the replication instance. The VPC security group
must work with the VPC containing the replication instance.
Required: No

1543
DMS
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the replication
instance ARN.
Fn::GetAtt
ReplicationInstancePrivateIpAddresses
One or more private IP addresses for the replication instance.

ReplicationInstancePublicIpAddresses
One or more public IP addresses for the replication instance.
Examples
JSON
{
"Resources": {
"BasicReplicationInstance": {
"Type": "AWS::DMS::ReplicationInstance",
"Properties": {
"ReplicationInstanceClass": "dms.t2.small"
}
}
}
}
YAML
Resources:
BasicReplicationInstance:
Properties:
ReplicationInstanceClass: dms.t2.small
Type: "AWS::DMS::ReplicationInstance"
See Also
• CreateReplicationInstance in the AWS Database Migration Service API Reference

1544
DMS
AWS::DMS::ReplicationSubnetGroup
The AWS::DMS::ReplicationSubnetGroup resource creates an AWS DMS replication subnet group.
Subnet groups must contain at least two subnets in two different Availability Zones in the same region.
Note
Resource creation will fail if the dms-vpc-role IAM role doesn't already exist. For more
information, see Creating the IAM Roles to Use With the AWS CLI and AWS DMS API in the AWS
Database Migration Service User Guide.
Syntax
JSON
{
"Type" : "AWS::DMS::ReplicationSubnetGroup",
"Properties" : {
"ReplicationSubnetGroupDescription" : String,
"ReplicationSubnetGroupIdentifier" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::DMS::ReplicationSubnetGroup
Properties:
ReplicationSubnetGroupDescription: String
ReplicationSubnetGroupIdentifier: String
SubnetIds:
- String
Tags:
- Tag
Properties
ReplicationSubnetGroupDescription
The description for the subnet group.
Required: Yes
Type: String

ReplicationSubnetGroupIdentifier
The identifier for the replication subnet group. If you don't specify a name, AWS CloudFormation
generates a unique ID and uses that ID for the identifier.
Required: No
Type: String

1545
DMS

SubnetIds
One or more subnet IDs to be assigned to the subnet group.
Required: Yes

Tags
One or more tags to be assigned to the subnet group.
Required: No
Type: List of Tag
Return Values
Ref
replication subnet group, such as mystack-myrepsubnetgroup-0a12bc456789de0fg.
Examples
JSON
{
"Resources": {
"myReplicationSubnetGroup": {
"Type": "AWS::DMS::ReplicationSubnetGroup",
"Properties": {
"ReplicationSubnetGroupIdentifier": "identifier",
"ReplicationSubnetGroupDescription": "description",
"SubnetIds": [
"subnet-7b5b4112",
"subnet-7b5b4115"
],
"Tags": [
{
"Key": "String",
"Value": "String"
}
]
}
}
}
}
YAML

1546
DMS
Resources:
myReplicationSubnetGroup:
Properties:
ReplicationSubnetGroupDescription: description
ReplicationSubnetGroupIdentifier: identifier
SubnetIds:
- subnet-7b5b4112
- subnet-7b5b4115
Tags:
-
Key: String
Value: String
Type: "AWS::DMS::ReplicationSubnetGroup"
See Also
• CreateReplicationSubnetGroup in the AWS Database Migration Service API Reference
AWS::DMS::ReplicationTask
The AWS::DMS::ReplicationTask resource creates an AWS DMS replication task.
Syntax
JSON
{
"Type" : "AWS::DMS::ReplicationTask",
"Properties" : {
"CdcStartPosition" : String,
"CdcStartTime" : Double,
"CdcStopPosition" : String,
"MigrationType" : String,
"ReplicationInstanceArn" : String,
"ReplicationTaskIdentifier" : String,
"ReplicationTaskSettings" : String,
"SourceEndpointArn" : String,
"TableMappings" : String,
"Tags" : [ Tag, ... ],
"TargetEndpointArn" : String
}
}
YAML
Type: AWS::DMS::ReplicationTask
Properties:
CdcStartPosition: String
CdcStartTime: Double
CdcStopPosition: String
MigrationType: String
ReplicationInstanceArn: String
ReplicationTaskIdentifier: String
ReplicationTaskSettings: String
SourceEndpointArn: String
TableMappings: String
Tags:

1547
DMS
- Tag
TargetEndpointArn: String
Properties
CdcStartPosition
Indicates when you want a change data capture (CDC) operation to start. Use either CdcStartPosition
or CdcStartTime to specify when you want a CDC operation to start. Specifying both values results in
an error.
The value can be in date, checkpoint, or LSN/SCN format.
Date Example: --cdc-start-position “2018-03-08T12:12:12”
Checkpoint Example: --cdc-start-position "checkpoint:V1#27#mysql-

bin-changelog.157832:1975:-1:2002:677883278264080:mysql-bin-
changelog.157832:1876#0#0#*#0#93"
LSN Example: --cdc-start-position “mysql-bin-changelog.000024:373”

Note
When you use this task setting with a source PostgreSQL database, a logical replication slot
should already be created and associated with the source endpoint. You can verify this by
setting the slotName extra connection attribute to the name of this logical replication slot.
For more information, see Extra Connection Attributes When Using PostgreSQL as a Source
for AWS DMS.
Required: No
Type: String

CdcStartTime
Indicates the start time for a change data capture (CDC) operation.
Required: No
Type: Double

CdcStopPosition
Indicates when you want a change data capture (CDC) operation to stop. The value can be either
server time or commit time.
Server time example: --cdc-stop-position “server_time:3018-02-09T12:12:12”
Commit time example: --cdc-stop-position “commit_time: 3018-02-09T12:12:12 “
Required: No
Type: String

MigrationType
The migration type. Valid values: full-load | cdc | full-load-and-cdc
Required: Yes

1548
DMS
Type: String
Allowed Values: cdc | full-load | full-load-and-cdc

ReplicationInstanceArn
The Amazon Resource Name (ARN) of a replication instance.
Required: Yes
Type: String

ReplicationTaskIdentifier
An identifier for the replication task.
Constraints:
• Must contain from 1 to 255 alphanumeric characters or hyphens.
• First character must be a letter.
Required: No
Type: String

ReplicationTaskSettings
Overall settings for the task, in JSON format. For more information, see Task Settings in the AWS
Database Migration User Guide.
Required: No
Type: String

SourceEndpointArn
An Amazon Resource Name (ARN) that uniquely identifies the source endpoint.
Required: Yes
Type: String

TableMappings
The table mappings for the task, in JSON format. For more information, see Table Mapping in the
AWS Database Migration User Guide.
Required: Yes
Type: String

Tags
One or more tags to be assigned to the replication task.

1549
DMS
Required: No
Type: List of Tag

TargetEndpointArn
An Amazon Resource Name (ARN) that uniquely identifies the target endpoint.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the replication
task ARN.
Examples
JSON
{
"Resources": {
"myReplicationTask": {
"Type": "AWS::DMS::ReplicationTask",
"Properties": {
"SourceEndpointArn": 11,
"TargetEndpointArn": "12ff",
"ReplicationInstanceArn": "ert1",
"MigrationType": "full-load",
"TableMappings": "{ \"rules\": [ { \"rule-type\": \"selection\", \"rule-id
\": \"1\", \"rule-name\": \"1\", \"object-locator\": { \"schema-name\": \"%\", \"table-name
\": \"%\" }, \"rule-action\": \"include\" } ] }"
}
}
}
}
YAML
Resources:
myReplicationTask:
Properties:
MigrationType: full-load
ReplicationInstanceArn: ReplicationInstance
SourceEndpointArn: SourceEndpoint
TableMappings: "{ \"rules\": [ { \"rule-type\": \"selection\", \"rule-id\": \"1\",
\"rule-name\": \"1\", \"object-locator\": { \"schema-name\": \"%\", \"table-name\": \"%
\" }, \"rule-action\": \"include\" } ] }"
TargetEndpointArn: TargetEndpoint

1550
Amazon DocumentDB
Type: "AWS::DMS::ReplicationTask"
See Also
• CreateReplicationTask in the AWS Database Migration Service API Reference
Amazon DocumentDB Resource Type Reference

Resource Types
• AWS::DocDB::DBCluster (p. 1551)

• AWS::DocDB::DBClusterParameterGroup (p. 1557)
• AWS::DocDB::DBInstance (p. 1560)
• AWS::DocDB::DBSubnetGroup (p. 1563)
AWS::DocDB::DBCluster
The AWS::DocDB::DBCluster Amazon DocumentDB (with MongoDB compatibility) resource describes
a DBCluster. Amazon DocumentDB is a fully managed, MongoDB-compatible document database engine.
For more information, see DBCluster in the Amazon DocumentDB Developer Guide.
Syntax
JSON
{
"Type" : "AWS::DocDB::DBCluster",
"Properties" : {
"BackupRetentionPeriod" : Integer,
"DBClusterIdentifier" : String,
"DBClusterParameterGroupName" : String,
"DBSubnetGroupName" : String,
"EnableCloudwatchLogsExports" : [ String, ... ],
"MasterUsername" : String,
"MasterUserPassword" : String,
"Port" : Integer,
"PreferredBackupWindow" : String,
"SnapshotIdentifier" : String,
"StorageEncrypted" : Boolean,
"Tags" : [ Tag, ... ],
}
}
YAML
Type: AWS::DocDB::DBCluster
Properties:
AvailabilityZones:

1551
Amazon DocumentDB
- String
BackupRetentionPeriod: Integer
DBClusterIdentifier: String
DBClusterParameterGroupName: String
DBSubnetGroupName: String
EnableCloudwatchLogsExports:
- String
KmsKeyId: String
MasterUsername: String
MasterUserPassword: String
Port: Integer
PreferredBackupWindow: String
SnapshotIdentifier: String
StorageEncrypted: Boolean
Tags:
- Tag
- String
Properties
AvailabilityZones
A list of Amazon EC2 Availability Zones that instances in the cluster can be created in.
Required: No

BackupRetentionPeriod
The number of days for which automated backups are retained. You must specify a minimum value
of 1.
Default: 1
Constraints:
• Must be a value from 1 to 35.
Required: No
Type: Integer

DBClusterIdentifier
The cluster identifier. This parameter is stored as a lowercase string.
Constraints:
• Must contain from 1 to 63 letters, numbers, or hyphens.
• The first character must be a letter.
Example: my-cluster
Required: No
Type: String

1552
Amazon DocumentDB

DBClusterParameterGroupName
The name of the cluster parameter group to associate with this cluster.
Required: No
Type: String

DBSubnetGroupName
A subnet group to associate with this cluster.
Constraints: Must match the name of an existing DBSubnetGroup. Must not be default.
Example: mySubnetgroup
Required: No
Type: String

EnableCloudwatchLogsExports
A list of log types that need to be enabled for exporting to Amazon CloudWatch Logs.
Required: No

EngineVersion
The version number of the database engine to use.
Required: No
Type: String

KmsKeyId
The AWS KMS key identifier for an encrypted cluster.
The AWS KMS key identifier is the Amazon Resource Name (ARN) for the AWS KMS encryption key. If
you are creating a cluster using the same AWS account that owns the AWS KMS encryption key that
is used to encrypt the new cluster, you can use the AWS KMS key alias instead of the ARN for the
AWS KMS encryption key.
If an encryption key is not specified in KmsKeyId:

• If ReplicationSourceIdentifier identifies an encrypted source, then Amazon DocumentDB
uses the encryption key that is used to encrypt the source. Otherwise, Amazon DocumentDB uses
your default encryption key.
• If the StorageEncrypted parameter is true and ReplicationSourceIdentifier is not
specified, Amazon DocumentDB uses your default encryption key.

1553
Amazon DocumentDB
If you create a replica of an encrypted cluster in another AWS Region, you must set KmsKeyId to a
KMS key ID that is valid in the destination AWS Region. This key is used to encrypt the replica in that
AWS Region.
Required: No
Type: String

MasterUsername
The name of the master user for the cluster.
Constraints:
• Must be from 1 to 63 letters or numbers.
• Cannot be a reserved word for the chosen database engine.
Type: String

MasterUserPassword
The password for the master database user. This password can contain any printable ASCII character
except forward slash (/), double quote ("), or the "at" symbol (@).
Constraints: Must contain from 8 to 100 characters.
Type: String

Port
Specifies the port that the database engine is listening on.
Required: No
Type: Integer

PreferredBackupWindow
The daily time range during which automated backups are created if automated backups are
enabled using the BackupRetentionPeriod parameter.
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS
Region.
Constraints:
• Must be in the format hh24:mi-hh24:mi.
• Must be in Universal Coordinated Time (UTC).
• Must not conflict with the preferred maintenance window.
• Must be at least 30 minutes.

1554
Amazon DocumentDB
Required: No
Type: String

The weekly time range during which system maintenance can occur, in Universal Coordinated Time
(UTC).
Region, occurring on a random day of the week.
Valid days: Mon, Tue, Wed, Thu, Fri, Sat, Sun
Required: No
Type: String

SnapshotIdentifier
The identifier for the snapshot or cluster snapshot to restore from.
You can use either the name or the Amazon Resource Name (ARN) to specify a cluster snapshot.
However, you can use only the ARN to specify a snapshot.
Constraints:
• Must match the identifier of an existing snapshot.
Required: No
Type: String

StorageEncrypted
Specifies whether the cluster is encrypted.
Type: Boolean

Tags
The tags to be assigned to the cluster.
Required: No
Type: List of Tag

VpcSecurityGroupIds
A list of EC2 VPC security groups to associate with this cluster.

1555
Amazon DocumentDB
Required: No
Return Values
Ref
DBClusterIdentifier, such as mycluster.
Fn::GetAtt
ClusterResourceId
The resource id for the cluster; for example: cluster-ABCD1234EFGH5678IJKL90MNOP. The

cluster ID uniquely identifies the cluster and is used in things like IAM authentication policies.
Endpoint
The connection endpoint for the cluster, such as sample-cluster.cluster-cozrlsfrcjoc.us-

east-1.docdb.amazonaws.com.
Port
The port number on which the cluster accepts connections. For example: 27017.
ReadEndpoint
The reader endpoint for the cluster. For example: sample-cluster.cluster-ro-

cozrlsfrcjoc.us-east-1.docdb.amazonaws.com.
Examples
JSON
{
"Resources" : {
"myDBInstance" : {
"Type" : "AWS::DocDB::DBCluster",
"Properties" : {
"BackupRetentionPeriod" : 8,
"DBClusterIdentifier" : "sample-cluster",
"DBClusterParameterGroupName" : "default.docdb3.6",
"DBSubnetGroupName" : "default",
"KmsKeyId" : "your-kms-key-id",
"MasterUsername" : "your-master-username",
"MasterUserPassword" : "your-master-user-password",
"Port" : "27017",
"PreferredBackupWindow" : "07:34-08:04",

1556
Amazon DocumentDB
"PreferredMaintenanceWindow" : "sat:04:51-sat:05:21",
"SnapshotIdentifier" : "sample-cluster-snapshot-id",
"StorageEncrypted" : true,
"Tags" : [ {"Key" : "String", "Value" : "String"} ]
}
}
}
}
YAML
Resources:
myDBInstance:
Type: "AWS::DocDB::DBCluster"
Properties:
BackupRetentionPeriod : 8
DBClusterIdentifier : "sample-cluster"
DBClusterParameterGroupName : "default.docdb3.6"
DBSubnetGroupName : "default"
KmsKeyId : "your-kms-key-id"
MasterUsername : "your-master-username"
MasterUserPassword : "your-master-user-password"
Port : "27017"
PreferredBackupWindow : "07:34-08:04"
PreferredMaintenanceWindow : "sat:04:51-sat:05:21"
SnapshotIdentifier : "sample-cluster-snapshot-id"
StorageEncrypted : true
Tags:
-
Key: "String"
Value: "String"
See Also
• DBCluster
• CreateDBCluster
• DeleteDBCluster
• DescribeDBClusters
• ModifyDBCluster
AWS::DocDB::DBClusterParameterGroup
The AWS::DocDB::DBClusterParameterGroup Amazon DocumentDB (with MongoDB compatibility)
resource describes a DBClusterParameterGroup. For more information, see DBClusterParameterGroup in
the Amazon DocumentDB Developer Guide.
Parameters in a cluster parameter group apply to all of the instances in a cluster.
A cluster parameter group is initially created with the default parameters for the database engine used
by instances in the cluster. To provide custom values for any of the parameters, you must modify the
group after you create it. After you create a DB cluster parameter group, you must associate it with your
cluster. For the new cluster parameter group and associated settings to take effect, you must then reboot
the DB instances in the cluster without failover.
Important
After you create a cluster parameter group, you should wait at least 5 minutes before creating
your first cluster that uses that cluster parameter group as the default parameter group. This

1557
Amazon DocumentDB
allows Amazon DocumentDB to fully complete the create action before the cluster parameter
group is used as the default for a new cluster. This step is especially important for parameters
that are critical when creating the default database for a cluster, such as the character set for
the default database defined by the character_set_database parameter.
Syntax
JSON
{
"Type" : "AWS::DocDB::DBClusterParameterGroup",
"Properties" : {
"Family" : String,
"Name" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::DocDB::DBClusterParameterGroup
Properties:
Description: String
Family: String
Name: String
Parameters: Json
Tags:
- Tag
Properties
Description
The description for the cluster parameter group.
Required: Yes
Type: String

Family
The cluster parameter group family name.
Required: Yes
Type: String

Name
The name of the cluster parameter group.
Constraints:
• Must match the name of an existing DBClusterParameterGroup.

1558
Amazon DocumentDB
Note
This value is stored as a lowercase string.
Required: No
Type: String

Parameters
Provides a list of parameters for the cluster parameter group.
Required: Yes
Type: Json

Tags
The tags to be assigned to the cluster parameter group.
Required: No
Type: List of Tag
Return Values
Ref
DBClusterParameterGroup's name, such as sample-db-cluster-param-group.
Examples
JSON
{
"Type" : "AWS::DocDB::DBClusterParameterGroup",
"Properties" : {
"Description" : "description",
"Family" : "docdb3.6",
"Name" : "sampleParameterGroup",
"Parameters" : [
"audit_logs": "disabled",
"tls": "enabled",
"ttl_monitor": "enabled"
],
"Tags" : [{ "Key": "String","Value": "String" }]
}
}
YAML
Type: "AWS::DocDB::DBClusterParameterGroup"
Properties:

1559
Amazon DocumentDB
Description: "description"
Family: "docdb3.6"
Name: "sampleParameterGroup"
Parameters:
audit_logs: "disabled"
tls: "enabled"
ttl_monitor: "enabled"
Tags:
-
Key: "String"
Value: "String"
See Also
• DBClusterParameterGroup
• CreateDBClusterParameterGroup
• DeleteDBClusterParameterGroup
• DescribeDBClusterParameterGroups
• ModifyDBClusterParameterGroup
AWS::DocDB::DBInstance
The AWS::DocDB::DBInstance Amazon DocumentDB (with MongoDB compatibility) resource
describes a DBInstance. For more information, see DBInstance in the Amazon DocumentDB Developer
Guide.
Syntax
JSON
{
"Type" : "AWS::DocDB::DBInstance",
"Properties" : {
"DBClusterIdentifier" : String,
"DBInstanceClass" : String,
"DBInstanceIdentifier" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::DocDB::DBInstance
Properties:
DBClusterIdentifier: String
DBInstanceClass: String
DBInstanceIdentifier: String
Tags:
- Tag

1560
Amazon DocumentDB
Properties
Indicates that minor engine upgrades are applied automatically to the instance during the
maintenance window.
Default: true
Required: No
Type: Boolean

AvailabilityZone
The Amazon EC2 Availability Zone that the instance is created in.
Default: A random, system-chosen Availability Zone in the endpoint's AWS Region.
Example: us-east-1d
Constraint: The AvailabilityZone parameter can't be specified if the MultiAZ parameter is set
to true. The specified Availability Zone must be in the same AWS Region as the current endpoint.
Required: No
Type: String

DBClusterIdentifier
The identifier of the cluster that the instance will belong to.
Required: Yes
Type: String

DBInstanceClass
The compute and memory capacity of the instance; for example, db.m4.large. If you change the
class of an instance there can be some interruption in the cluster's service.
Required: Yes
Type: String

DBInstanceIdentifier
The instance identifier. This parameter is stored as a lowercase string.
Constraints:
• Must contain from 1 to 63 letters, numbers, or hyphens.
Example: mydbinstance

1561
Amazon DocumentDB
Required: No
Type: String

The time range each week during which system maintenance can occur, in Universal Coordinated
Time (UTC).
Region, occurring on a random day of the week.
Valid days: Mon, Tue, Wed, Thu, Fri, Sat, Sun
Required: No
Type: String

Tags
The tags to be assigned to the instance. You can assign up to 10 tags to an instance.
Required: No
Type: List of Tag
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the DBInstance's
name, such as sample-cluster-instance.
Fn::GetAtt
Endpoint
The connection endpoint for the instance. For example: sample-cluster.cluster-

abcdefghijkl.us-east-1.docdb.amazonaws.com.
Port
The port number on which the database accepts connections, such as 27017.

1562
Amazon DocumentDB
Examples
JSON
{
"Type" : "AWS::DocDB::DBInstance",
"Properties" : {
"AutoMinorVersionUpgrade" : true,
"AvailabilityZone" : "us-east-1c",
"DBClusterIdentifier" : "sample-cluster",
"DBInstanceClass" : "db.r5.large",
"DBInstanceIdentifier" : "sample-cluster-instance-0",
"PreferredMaintenanceWindow" : "sat:06:54-sat:07:24",
"Tags" : [{ "Key": "String","Value": "String" }]
}
}
YAML
Type: "AWS::DocDB::DBInstance"
Properties:
AutoMinorVersionUpgrade: true
AvailabilityZone: "us-east-1c"
DBClusterIdentifier: "sample-cluster"
DBInstanceClass: "db.r5.large"
DBInstanceIdentifier: "sample-cluster-instance-0"
PreferredMaintenanceWindow: "sat:06:54-sat:07:24"
Tags:
-
Key: "String"
Value: "String"
See Also
• DBInstance
• CreateDBInstance
• DeleteDBInstance
• DescribeDBInstances
• ModifyDBInstance
AWS::DocDB::DBSubnetGroup
The AWS::DocDB::DBSubnetGroup Amazon DocumentDB (with MongoDB compatibility) resource
describes a DBSubnetGroup. subnet groups must contain at least one subnet in at least two Availability
Zones in the AWS Region. For more information, see DBSubnetGroup in the Amazon DocumentDB
Developer Guide.
Syntax
JSON
{
"Type" : "AWS::DocDB::DBSubnetGroup",
"Properties" : {

1563
Amazon DocumentDB
"DBSubnetGroupDescription" : String,
"DBSubnetGroupName" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::DocDB::DBSubnetGroup
Properties:
DBSubnetGroupDescription: String
DBSubnetGroupName: String
SubnetIds:
- String
Tags:
- Tag
Properties
DBSubnetGroupDescription
The description for the subnet group.
Required: Yes
Type: String

DBSubnetGroupName
The name for the subnet group. This value is stored as a lowercase string.
Constraints: Must contain no more than 255 letters, numbers, periods, underscores, spaces, or
hyphens. Must not be default.
Example: mySubnetgroup
Required: No
Type: String

SubnetIds
The Amazon EC2 subnet IDs for the subnet group.
Required: Yes

Tags
The tags to be assigned to the subnet group.
Required: No
Type: List of Tag

1564
DynamoDB
Return Values
Ref
DBSubnetGroup's name, such as default.
Examples
JSON
{
"Resources" : {
"myDBSubnetGroup" : {
"Type" : "AWS::DocDB::DBSubnetGroup",
"Properties" : {
"DBSubnetGroupDescription" : "description",
"SubnetIds" : [ "subnet-7b5b4112", "subnet-7b5b4115" ],
"Tags" : [ {"Key" : "String", "Value" : "String"} ]
}
}
}
}
YAML
Resources:
myDBSubnetGroup:
Type: "AWS::DocDB::DBSubnetGroup"
Properties:
DBSubnetGroupDescription: "description"
SubnetIds:
- "subnet-7b5b4112"
- "subnet-7b5b4115"
Tags:
-
Key: "String"
Value: "String"
See Also
• Subnet
• DBSubnetGroup
• CreateDBSubnetGroup
• DeleteDBSubnetGroup
• DescribeDBSubnetGroups
• ModifyDBSubnetGroup
DynamoDB Resource Type Reference

Resource Types

1565
DynamoDB
• AWS::DynamoDB::Table (p. 1566)
AWS::DynamoDB::Table
The AWS::DynamoDB::Table resource creates a DynamoDB table. For more information, see
CreateTable in the Amazon DynamoDB API Reference.
You should be aware of the following behaviors when working with DynamoDB tables:
• AWS CloudFormation typically creates DynamoDB tables in parallel. However, if your template includes
multiple DynamoDB tables with indexes, you must declare dependencies so that the tables are created
sequentially. Amazon DynamoDB limits the number of tables with secondary indexes that are in the
creating state. If you create multiple tables with indexes at the same time, DynamoDB returns an error
and the stack operation fails. For an example, see DynamoDB Table with a DependsOn Attribute.
Syntax
JSON
{
"Properties" : {
"AttributeDefinitions" : [ AttributeDefinition (p. 1579), ... ],
"BillingMode" : String,
"GlobalSecondaryIndexes" : [ GlobalSecondaryIndex (p. 1580), ... ],
"KeySchema" : [ KeySchema (p. 1581), ... ],
"LocalSecondaryIndexes" : [ LocalSecondaryIndex (p. 1582), ... ],
"PointInTimeRecoverySpecification" : PointInTimeRecoverySpecification (p. 1584),
"ProvisionedThroughput" : ProvisionedThroughput (p. 1585),
"SSESpecification" : SSESpecification (p. 1586),
"StreamSpecification" : StreamSpecification (p. 1587),
"TableName" : String,
"Tags" : [ Tag, ... ],
"TimeToLiveSpecification" : TimeToLiveSpecification (p. 1588)
}
}
YAML
Properties:
- AttributeDefinition (p. 1579)
BillingMode: String
- GlobalSecondaryIndex (p. 1580)
KeySchema:
- KeySchema (p. 1581)
LocalSecondaryIndexes:
- LocalSecondaryIndex (p. 1582)
PointInTimeRecoverySpecification:
PointInTimeRecoverySpecification (p. 1584)
ProvisionedThroughput (p. 1585)
SSESpecification:
SSESpecification (p. 1586)
StreamSpecification:

1566
DynamoDB
StreamSpecification (p. 1587)

TableName: String
Tags:
- Tag
TimeToLiveSpecification:
TimeToLiveSpecification (p. 1588)
Properties
AttributeDefinitions
A list of attributes that describe the key schema for the table and indexes. Duplicates are allowed.
This property is required to create a DynamoDB table.
Update requires: Some interruptions. Replacement if you edit an existing AttributeDefinition.
Type: List of AttributeDefinition (p. 1579)

BillingMode
Specify how you are charged for read and write throughput and how you manage capacity.
Valid values include:

• PROVISIONED - We recommend using PROVISIONED for predictable workloads. PROVISIONED
sets the billing mode to Provisioned Mode.
• PAY_PER_REQUEST - We recommend using PAY_PER_REQUEST for unpredictable workloads.
PAY_PER_REQUEST sets the billing mode to On-Demand Mode.
If not specified, the default is PROVISIONED.
Required: No
Type: String
Allowed Values: PAY_PER_REQUEST | PROVISIONED

GlobalSecondaryIndexes
Global secondary indexes to be created on the table. You can create up to 20 global secondary
indexes.
Important
If you update a table to include a new global secondary index, AWS CloudFormation
initiates the index creation and then proceeds with the stack update. AWS CloudFormation
doesn't wait for the index to complete creation because the backfilling phase can take
a long time, depending on the size of the table. You can't use the index or update the
table until the index's status is ACTIVE. You can track its status by using the DynamoDB
DescribeTable command.
If you add or delete an index during an update, we recommend that you don't update any
other resources. If your stack fails to update and is rolled back while adding a new index,
you must manually delete the index.
Updates are not supported. The following are exceptions:
• If you update only the provisioned throughput values of global secondary indexes, you
can update the table without interruption.

1567
DynamoDB
• You can delete or add one global secondary index without interruption. If you do both in
the same update (for example, by changing the index's logical ID), the update fails.
Required: No
Type: List of GlobalSecondaryIndex (p. 1580)

KeySchema
Specifies the attributes that make up the primary key for the table. The attributes in the KeySchema
property must also be defined in the AttributeDefinitions property.
Required: Yes
Type: List (p. 1581) of KeySchema (p. 1581)

LocalSecondaryIndexes
Local secondary indexes to be created on the table. You can create up to 5 local secondary indexes.
Each index is scoped to a given hash key value. The size of each hash key can be up to 10 gigabytes.
Required: No
Type: List of LocalSecondaryIndex (p. 1582)

PointInTimeRecoverySpecification
The settings used to enable point in time recover.
Required: No
Type: PointInTimeRecoverySpecification (p. 1584)

ProvisionedThroughput
Throughput for the specified table, which consists of values for ReadCapacityUnits and
WriteCapacityUnits. For more information about the contents of a provisioned throughput
structure, see Amazon DynamoDB Table ProvisionedThroughput.
If you set BillingMode as PROVISIONED, you must specify this property. If you set BillingMode
as PAY_PER_REQUEST, you cannot specify this property.
Type: ProvisionedThroughput (p. 1585)

SSESpecification
Specifies the settings to enable server-side encryption.
Update requires: Some interruptions.
Required: No
Type: SSESpecification (p. 1586)

1568
DynamoDB
StreamSpecification
The settings for the DynamoDB table stream, which capture changes to items stored in the table.
Required: No
Type: StreamSpecification (p. 1587)

TableName
A name for the table. If you don't specify a name, AWS CloudFormation generates a unique physical
ID and uses that ID for the table name. For more information, see Name Type.
Important
Required: No
Type: String
Minimum: 3
Maximum: 255
Pattern: [a-zA-Z0-9_.-]+

Tags
An array of key-value pairs to apply to this resource.
For more information, see Tag.
Required: No
Type: List of Tag

TimeToLiveSpecification
Specifies the Time to Live (TTL) settings for the table.

Note
For detailed information about the limits in DynamoDB, see Limits in Amazon DynamoDB in
the Amazon DynamoDB Developer Guide.
Required: No
Type: TimeToLiveSpecification (p. 1588)
Return Values
Ref
name. For example:

1569
DynamoDB
{ "Ref": "MyResource" }
For the resource with the logical ID myDynamoDBTable, Ref will return the DynamoDB table name.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the DynamoDB table, such as arn:aws:dynamodb:us-
east-2:123456789012:table/myDynamoDBTable.
StreamArn
The ARN of the DynamoDB stream, such as arn:aws:dynamodb:us-

east-1:123456789012:table/testddbstack-myDynamoDBTable-012A1SL7SMP5Q/
stream/2015-11-30T20:10:00.000.
Note
You must specify the StreamSpecification property to use this attribute.
Examples
DynamoDB Table with Local and Secondary Indexes
The following sample creates a DynamoDB table with Album, Artist, Sales, NumberOfSongs as
attributes. The primary key includes the Album attribute as the hash key and Artist attribute as the
range key. The table also includes two global and one secondary index. For querying the number of sales
for a given artist, the global secondary index uses the Sales attribute as the hash key and the Artist
attribute as the range key.
For querying the sales based on the number of songs, the global secondary index uses the
NumberOfSongs attribute as the hash key and the Sales attribute as the range key.
For querying the sales of an album, the local secondary index uses the same hash key as the table but
uses the Sales attribute as the range key.
JSON
{
"Resources" : {
"myDynamoDBTable" : {
"Properties" : {
{
"AttributeName" : "Album",
},
{

1570
DynamoDB
"AttributeName" : "Artist",
},
{
"AttributeName" : "Sales",
"AttributeType" : "N"
},
{
"AttributeName" : "NumberOfSongs",
"AttributeType" : "N"
}
],
"KeySchema" : [
{
"KeyType" : "HASH"
},
{
"KeyType" : "RANGE"
}
],
},
"TableName" : "myTableName",
"IndexName" : "myGSI",
"KeySchema" : [
{
"KeyType" : "HASH"
},
{
"KeyType" : "RANGE"
}
],
"Projection" : {
"NonKeyAttributes" : ["Album","NumberOfSongs"],
"ProjectionType" : "INCLUDE"
},
}
},
{
"IndexName" : "myGSI2",
"KeySchema" : [
{
"AttributeName" : "NumberOfSongs",
"KeyType" : "HASH"
},
{
"KeyType" : "RANGE"
}
],
"Projection" : {
"NonKeyAttributes" : ["Album","Artist"],
},

1571
DynamoDB
}
}],
"LocalSecondaryIndexes" :[{
"IndexName" : "myLSI",
"KeySchema" : [
{
"KeyType" : "HASH"
},
{
"KeyType" : "RANGE"
}
],
"Projection" : {
"NonKeyAttributes" : ["Artist","NumberOfSongs"],
}
}]
}
}
}
}
YAML
Resources:
myDynamoDBTable:
Properties:
-
AttributeName: "Album"
AttributeType: "S"
-
AttributeName: "Artist"
AttributeType: "S"
-
AttributeName: "Sales"
AttributeType: "N"
-
AttributeName: "NumberOfSongs"
AttributeType: "N"
KeySchema:
-
KeyType: "HASH"
-
KeyType: "RANGE"
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
TableName: "myTableName"
-
IndexName: "myGSI"
KeySchema:
-

1572
DynamoDB
KeyType: "HASH"
-
KeyType: "RANGE"
Projection:
NonKeyAttributes:
- "Album"
- "NumberOfSongs"
ProjectionType: "INCLUDE"
-
IndexName: "myGSI2"
KeySchema:
-
AttributeName: "NumberOfSongs"
KeyType: "HASH"
-
KeyType: "RANGE"
Projection:
NonKeyAttributes:
- "Album"
- "Artist"
LocalSecondaryIndexes:
-
IndexName: "myLSI"
KeySchema:
-
KeyType: "HASH"
-
KeyType: "RANGE"
Projection:
NonKeyAttributes:
- "Artist"
- "NumberOfSongs"
DynamoDB Table with a DependsOn Attribute
If you include multiple DynamoDB tables with indexes in a single template, you must include
dependencies so that the tables are created sequentially. DynamoDB limits the number of tables with
secondary indexes that are in the creating state. If you create multiple tables with indexes at the same
time, DynamoDB returns an error and the stack operation fails.
The following sample assumes that the myFirstDDBTable table is declared in the same template as the
mySecondDDBTable table, and both tables include a secondary index. The mySecondDDBTable table
includes a dependency on the myFirstDDBTable table so that AWS CloudFormation creates the tables
one at a time.
JSON
"mySecondDDBTable" : {

1573
DynamoDB
"DependsOn" : "myFirstDDBTable" ,
"Properties" : {
{
"AttributeName" : "ArtistId",
},
{
"AttributeName" : "Concert",
},
{
"AttributeName" : "TicketSales",
}
],
"KeySchema" : [
{
"AttributeName" : "ArtistId",
"KeyType" : "HASH"
},
{
"AttributeName" : "Concert",
"KeyType" : "RANGE"
}
],
"ReadCapacityUnits" : {"Ref" : "ReadCapacityUnits"},
"WriteCapacityUnits" : {"Ref" : "WriteCapacityUnits"}
},
"IndexName" : "myGSI",
"KeySchema" : [
{
"AttributeName" : "TicketSales",
"KeyType" : "HASH"
}
],
"Projection" : {
"ProjectionType" : "KEYS_ONLY"
},
"ReadCapacityUnits" : {"Ref" : "ReadCapacityUnits"},
"WriteCapacityUnits" : {"Ref" : "WriteCapacityUnits"}
}
}],
"Tags": [
{
"Key": "foo",
"Value": "bar"
}
]
}
}
YAML
mySecondDDBTable:
DependsOn: "myFirstDDBTable"
Properties:

1574
DynamoDB
-
AttributeType: "S"
-
AttributeType: "S"
-
AttributeType: "S"
KeySchema:
-
KeyType: "HASH"
-
KeyType: "RANGE"
ReadCapacityUnits:
Ref: "ReadCapacityUnits"
WriteCapacityUnits:
Ref: "WriteCapacityUnits"
-
IndexName: "myGSI"
KeySchema:
-
KeyType: "HASH"
Projection:
ReadCapacityUnits:
Ref: "ReadCapacityUnits"
WriteCapacityUnits:
Ref: "WriteCapacityUnits"
Tags:
- Key: foo
Value: bar
DynamoDB Table with Application Auto Scaling
This example sets up Application Auto Scaling for a AWS::DynamoDB::Table resource. The template
defines a TargetTrackingScaling scaling policy that scales up the WriteCapacityUnits
throughput for the table.
JSON
{
"Resources": {
"DDBTable": {
"Properties": {
{
},
{
},
{

1575
DynamoDB
}
],
"KeySchema": [
{
"KeyType": "HASH"
},
{
"KeyType": "RANGE"
}
],
"GlobalSecondaryIndexes": [
{
"IndexName": "GSI",
"KeySchema": [
{
"KeyType": "HASH"
}
],
"Projection": {
"ProjectionType": "KEYS_ONLY"
},
}
}
],
}
}
},
"WriteCapacityScalableTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {
"MaxCapacity": 15,
"MinCapacity": 5,
"ResourceId": { "Fn::Join": [
"/",
[
"table",
{ "Ref": "DDBTable" }
]
] },
"RoleARN": {
"Fn::GetAtt": ["ScalingRole", "Arn"]
},
"ScalableDimension": "dynamodb:table:WriteCapacityUnits",
"ServiceNamespace": "dynamodb"
}
},
"ScalingRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [

1576
DynamoDB
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:UpdateTable",
"cloudwatch:GetMetricStatistics",
"cloudwatch:SetAlarmState",
"cloudwatch:DeleteAlarms"
],
"Resource": "*"
}
]
}
}
]
}
},
"WriteScalingPolicy": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties": {
"PolicyName": "WriteAutoScalingPolicy",
"PolicyType": "TargetTrackingScaling",
"ScalingTargetId": {
"Ref": "WriteCapacityScalableTarget"
},
"TargetTrackingScalingPolicyConfiguration": {
"TargetValue": 50.0,
"ScaleInCooldown": 60,
"ScaleOutCooldown": 60,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "DynamoDBWriteCapacityUtilization"
}
}
}
}
}
}
YAML
Resources:
DDBTable:
Properties:
-

1577
DynamoDB
AttributeType: "S"
-
AttributeType: "S"
-
AttributeType: "S"
KeySchema:
-
KeyType: "HASH"
-
KeyType: "RANGE"
-
IndexName: "GSI"
KeySchema:
-
KeyType: "HASH"
Projection:
Properties:
MaxCapacity: 15
MinCapacity: 5
ResourceId: !Join
- /
- - table
- !Ref DDBTable
RoleARN: !GetAtt ScalingRole.Arn
ScalingRole:
Properties:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- application-autoscaling.amazonaws.com
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
-
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "dynamodb:DescribeTable"

1578
DynamoDB
- "dynamodb:UpdateTable"
- "cloudwatch:PutMetricAlarm"
- "cloudwatch:DescribeAlarms"
- "cloudwatch:GetMetricStatistics"
- "cloudwatch:SetAlarmState"
- "cloudwatch:DeleteAlarms"
Resource: "*"
WriteScalingPolicy:
Properties:
TargetValue: 50.0
ScaleInCooldown: 60
AWS::DynamoDB::Table AttributeDefinition
Represents an attribute for describing the key schema for the table and indexes.
Syntax
JSON
{
"AttributeName" : String,
"AttributeType" : String
}
YAML
AttributeName: String
AttributeType: String
Properties
AttributeName
A name for the attribute.
Required: Yes
Type: String
Minimum: 1
Maximum: 255

AttributeType
The data type for the attribute, where:

• S - the attribute is of type String
• N - the attribute is of type Number

1579
DynamoDB
• B - the attribute is of type Binary
Required: Yes
Type: String
Allowed Values: B | N | S
AWS::DynamoDB::Table GlobalSecondaryIndex
Represents the properties of a global secondary index.
Syntax
JSON
{
"IndexName" : String,
"Projection" : Projection (p. 1584),
"ProvisionedThroughput" : ProvisionedThroughput (p. 1585)
}
YAML
IndexName: String
KeySchema:
Projection:
Projection (p. 1584)
ProvisionedThroughput (p. 1585)
Properties
IndexName
The name of the global secondary index. The name must be unique among all other indexes on this
table.
Required: Yes
Type: String
Minimum: 3
Maximum: 255

KeySchema
The complete key schema for a global secondary index, which consists of one or more pairs of
attribute names and key types:

1580
DynamoDB
• HASH - partition key

• RANGE - sort key
Note
The partition key of an item is also known as its hash attribute. The term "hash attribute"
derives from DynamoDB's usage of an internal hash function to evenly distribute data items
across partitions, based on their partition key values.
The sort key of an item is also known as its range attribute. The term "range attribute"
derives from the way DynamoDB stores items with the same partition key physically close
together, in sorted order by the sort key value.
Required: Yes
Maximum: 2

Projection
Represents attributes that are copied (projected) from the table into the global secondary index.
These are in addition to the primary key attributes and index key attributes, which are automatically
projected.
Required: Yes
Type: Projection (p. 1584)

ProvisionedThroughput
Represents the provisioned throughput settings for the specified global secondary index.
For current minimum and maximum provisioned throughput values, see Limits in the Amazon
DynamoDB Developer Guide.
Required: No
Type: ProvisionedThroughput (p. 1585)
AWS::DynamoDB::Table KeySchema
Represents a single element of a key schema. A key schema specifies the attributes that make up the
primary key of a table, or the key attributes of an index.
A KeySchemaElement represents exactly one attribute of the primary key. For example, a
simple primary key would be represented by one KeySchemaElement (for the partition key). A
composite primary key would require one KeySchemaElement for the partition key, and another
KeySchemaElement for the sort key.
A KeySchemaElement must be a scalar, top-level attribute (not a nested attribute). The data type must
be one of String, Number, or Binary. The attribute cannot be nested within a List or a Map.
Syntax

1581
DynamoDB
JSON
{
"KeyType" : String
}
YAML
KeyType: String
Properties
AttributeName
The name of a key attribute.
Required: Yes
Type: String
Minimum: 1
Maximum: 255

KeyType
The role that this key attribute will assume:

Note
Required: Yes
Type: String
Allowed Values: HASH | RANGE
See Also
For an example of a declared key schema, see AWS::DynamoDB::Table.
AWS::DynamoDB::Table LocalSecondaryIndex
Represents the properties of a local secondary index.

1582
DynamoDB
Syntax
JSON
{
"IndexName" : String,
"Projection" : Projection (p. 1584)
}
YAML
IndexName: String
KeySchema:
Projection:
Projection (p. 1584)
Properties
IndexName
The name of the local secondary index. The name must be unique among all other indexes on this
table.
Required: Yes
Type: String
Minimum: 3
Maximum: 255

KeySchema
The complete key schema for the local secondary index, consisting of one or more pairs of attribute
names and key types:
Note
Required: Yes
Maximum: 2

1583
DynamoDB
Projection
Represents attributes that are copied (projected) from the table into the local secondary index.
These are in addition to the primary key attributes and index key attributes, which are automatically
projected.
Required: Yes
Type: Projection (p. 1584)
See Also
For an example of a declared local secondary index, see AWS::DynamoDB::Table.
AWS::DynamoDB::Table PointInTimeRecoverySpecification
The settings used to enable point in time recovery.
Syntax
JSON
{
"PointInTimeRecoveryEnabled" : Boolean
}
YAML
PointInTimeRecoveryEnabled: Boolean
Properties
PointInTimeRecoveryEnabled
Indicates whether point in time recovery is enabled (true) or disabled (false) on the table.
Required: No
Type: Boolean
See Also
PointInTimeRecoverySpecification in the Amazon DynamoDB API Reference.
AWS::DynamoDB::Table Projection
Represents attributes that are copied (projected) from the table into an index. These are in addition to
the primary key attributes and index key attributes, which are automatically projected.
Syntax

1584
DynamoDB
JSON
{
"NonKeyAttributes" : [ String, ... ],
"ProjectionType" : String
}
YAML
NonKeyAttributes:
- String
ProjectionType: String
Properties
NonKeyAttributes
Represents the non-key attribute names which will be projected into the index.
For local secondary indexes, the total count of NonKeyAttributes summed across all of the local
secondary indexes, must not exceed 20. If you project the same attribute into two different indexes,
this counts as two distinct attributes when determining the total.
Required: No
Maximum: 20

ProjectionType
The set of attributes that are projected into the index:

• KEYS_ONLY - Only the index and primary keys are projected into the index.
• INCLUDE - Only the specified table attributes are projected into the index. The list of projected
attributes is in NonKeyAttributes.
• ALL - All of the table attributes are projected into the index.
Required: No
Type: String
Allowed Values: ALL | INCLUDE | KEYS_ONLY
AWS::DynamoDB::Table ProvisionedThroughput
Throughput for the specified table, which consists of values for ReadCapacityUnits and
WriteCapacityUnits. For more information about the contents of a provisioned throughput structure,
see Amazon DynamoDB Table ProvisionedThroughput.
Syntax

1585
DynamoDB
JSON
{
"ReadCapacityUnits" : Long,
"WriteCapacityUnits" : Long
}
YAML
ReadCapacityUnits: Long
WriteCapacityUnits: Long
Properties
ReadCapacityUnits
The maximum number of strongly consistent reads consumed per second before DynamoDB returns
a ThrottlingException. For more information, see Specifying Read and Write Requirements in
the Amazon DynamoDB Developer Guide.
If read/write capacity mode is PAY_PER_REQUEST the value is set to 0.
Required: Yes
Type: Long

WriteCapacityUnits
The maximum number of writes consumed per second before DynamoDB returns a
ThrottlingException. For more information, see Specifying Read and Write Requirements in the
Amazon DynamoDB Developer Guide.
If read/write capacity mode is PAY_PER_REQUEST the value is set to 0.
Required: Yes
Type: Long
AWS::DynamoDB::Table SSESpecification
Represents the settings used to enable server-side encryption.
Syntax
JSON
{
"KMSMasterKeyId" : String,
"SSEEnabled" : Boolean,
"SSEType" : String
}

1586
DynamoDB
YAML
KMSMasterKeyId: String
SSEEnabled: Boolean
SSEType: String
Properties
KMSMasterKeyId
The AWS KMS customer master key (CMK) that should be used for the AWS KMS encryption. To
specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. Note that
you should only provide this parameter if the key is different from the default DynamoDB customer
master key alias/aws/dynamodb.
Required: No
Type: String

SSEEnabled
Indicates whether server-side encryption is done using an AWS managed CMK or an AWS owned
CMK. If enabled (true), server-side encryption type is set to KMS and an AWS managed CMK is used
(AWS KMS charges apply). If disabled (false) or not specified, server-side encryption is set to AWS
owned CMK.
Required: Yes
Type: Boolean

SSEType
Server-side encryption type. The only supported value is:

• KMS - Server-side encryption that uses AWS Key Management Service. The key is stored in your
account and is managed by AWS KMS (AWS KMS charges apply).
Required: No
Type: String
AWS::DynamoDB::Table StreamSpecification
Represents the DynamoDB Streams configuration for a table in DynamoDB.
Syntax
JSON
{
"StreamViewType" : String
}

1587
DynamoDB
YAML
StreamViewType: String
Properties
StreamViewType
When an item in the table is modified, StreamViewType determines what information is written to
the stream for this table. Valid values for StreamViewType are:
• KEYS_ONLY - Only the key attributes of the modified item are written to the stream.
• NEW_IMAGE - The entire item, as it appears after it was modified, is written to the stream.
• OLD_IMAGE - The entire item, as it appeared before it was modified, is written to the stream.
• NEW_AND_OLD_IMAGES - Both the new and the old item images of the item are written to the
stream.
Required: Yes
Type: String
Allowed Values: KEYS_ONLY | NEW_AND_OLD_IMAGES | NEW_IMAGE | OLD_IMAGE
AWS::DynamoDB::Table TimeToLiveSpecification
Represents the settings used to enable or disable Time to Live (TTL) for the specified table.
Syntax
JSON
{
"Enabled" : Boolean
}
YAML
Enabled: Boolean
Properties
AttributeName
The name of the TTL attribute used to store the expiration time for items in the table.
Required: Yes
Type: String
Minimum: 1
Maximum: 255

1588
EC2

Enabled
Indicates whether TTL is to be enabled (true) or disabled (false) on the table.
Required: Yes
Type: Boolean
EC2 Resource Type Reference

Resource Types
• AWS::EC2::CapacityReservation (p. 1590)

• AWS::EC2::ClientVpnAuthorizationRule (p. 1595)
• AWS::EC2::ClientVpnEndpoint (p. 1597)
• AWS::EC2::ClientVpnRoute (p. 1605)
• AWS::EC2::ClientVpnTargetNetworkAssociation (p. 1607)
• AWS::EC2::CustomerGateway (p. 1608)
• AWS::EC2::DHCPOptions (p. 1610)
• AWS::EC2::EC2Fleet (p. 1613)
• AWS::EC2::EgressOnlyInternetGateway (p. 1626)
• AWS::EC2::EIP (p. 1627)
• AWS::EC2::EIPAssociation (p. 1629)
• AWS::EC2::FlowLog (p. 1634)
• AWS::EC2::Host (p. 1637)
• AWS::EC2::Instance (p. 1639)
• AWS::EC2::InternetGateway (p. 1667)
• AWS::EC2::LaunchTemplate (p. 1669)
• AWS::EC2::NatGateway (p. 1697)
• AWS::EC2::NetworkAcl (p. 1699)
• AWS::EC2::NetworkAclEntry (p. 1700)
• AWS::EC2::NetworkInterface (p. 1705)
• AWS::EC2::NetworkInterfaceAttachment (p. 1711)
• AWS::EC2::NetworkInterfacePermission (p. 1713)
• AWS::EC2::PlacementGroup (p. 1715)
• AWS::EC2::Route (p. 1716)
• AWS::EC2::RouteTable (p. 1719)
• AWS::EC2::SecurityGroup (p. 1721)
• AWS::EC2::SecurityGroupEgress (p. 1730)
• AWS::EC2::SecurityGroupIngress (p. 1734)
• AWS::EC2::SpotFleet (p. 1742)
• AWS::EC2::Subnet (p. 1771)
• AWS::EC2::SubnetCidrBlock (p. 1774)
• AWS::EC2::SubnetNetworkAclAssociation (p. 1775)
• AWS::EC2::SubnetRouteTableAssociation (p. 1777)

1589
EC2
• AWS::EC2::TrafficMirrorFilter (p. 1778)

• AWS::EC2::TrafficMirrorFilterRule (p. 1780)
• AWS::EC2::TrafficMirrorSession (p. 1785)
• AWS::EC2::TrafficMirrorTarget (p. 1788)
• AWS::EC2::TransitGateway (p. 1791)
• AWS::EC2::TransitGatewayAttachment (p. 1794)
• AWS::EC2::TransitGatewayRoute (p. 1796)
• AWS::EC2::TransitGatewayRouteTable (p. 1797)
• AWS::EC2::TransitGatewayRouteTableAssociation (p. 1798)
• AWS::EC2::TransitGatewayRouteTablePropagation (p. 1799)
• AWS::EC2::Volume (p. 1800)
• AWS::EC2::VolumeAttachment (p. 1805)
• AWS::EC2::VPC (p. 1807)
• AWS::EC2::VPCCidrBlock (p. 1810)
• AWS::EC2::VPCDHCPOptionsAssociation (p. 1813)
• AWS::EC2::VPCEndpoint (p. 1815)
• AWS::EC2::VPCEndpointConnectionNotification (p. 1819)
• AWS::EC2::VPCEndpointService (p. 1820)
• AWS::EC2::VPCEndpointServicePermissions (p. 1821)
• AWS::EC2::VPCGatewayAttachment (p. 1822)
• AWS::EC2::VPCPeeringConnection (p. 1824)
• AWS::EC2::VPNConnection (p. 1833)
• AWS::EC2::VPNConnectionRoute (p. 1837)
• AWS::EC2::VPNGateway (p. 1839)
• AWS::EC2::VPNGatewayRoutePropagation (p. 1840)
AWS::EC2::CapacityReservation
Creates a new Capacity Reservation with the specified attributes. For more information, see Capacity
Reservations in the Amazon Elastic Compute Cloud User Guide.
Syntax
JSON
{
"Type" : "AWS::EC2::CapacityReservation",
"Properties" : {
"EndDate" : String,
"EndDateType" : String,
"EphemeralStorage" : Boolean,
"InstanceCount" : Integer,
"InstanceMatchCriteria" : String,
"InstancePlatform" : String,
"TagSpecifications" : [ TagSpecification (p. 1594), ... ],
"Tenancy" : String
}

1590
EC2
YAML
Type: AWS::EC2::CapacityReservation
Properties:
EndDate: String
EndDateType: String
EphemeralStorage: Boolean
InstanceCount: Integer
InstanceMatchCriteria: String
InstancePlatform: String
TagSpecifications:
- TagSpecification (p. 1594)
Tenancy: String
Properties
AvailabilityZone
The Availability Zone in which to create the Capacity Reservation.
Required: Yes
Type: String

EbsOptimized
Indicates whether the Capacity Reservation supports EBS-optimized instances. This optimization
provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide
optimal I/O performance. This optimization isn't available with all instance types. Additional usage
charges apply when using an EBS- optimized instance.
Required: No
Type: Boolean

EndDate
The date and time at which the Capacity Reservation expires. When a Capacity Reservation expires,
the reserved capacity is released and you can no longer launch instances into it. The Capacity
Reservation's state changes to expired when it reaches its end date and time.
You must provide an EndDate value if EndDateType is limited. Omit EndDate if EndDateType is
unlimited.
If the EndDateType is limited, the Capacity Reservation is cancelled within an hour from the
specified time. For example, if you specify 5/31/2019, 13:30:55, the Capacity Reservation is
guaranteed to end between 13:30:55 and 14:30:55 on 5/31/2019.
Required: No
Type: String

1591
EC2
EndDateType
Indicates the way in which the Capacity Reservation ends. A Capacity Reservation can have one of
the following end types:
• unlimited - The Capacity Reservation remains active until you explicitly cancel it. Do not provide
an EndDate if the EndDateType is unlimited.
• limited - The Capacity Reservation expires automatically at a specified date and time. You must
provide an EndDate value if the EndDateType value is limited.
Required: No
Type: String
Allowed Values: limited | unlimited

EphemeralStorage
Indicates whether the Capacity Reservation supports instances with temporary, block-level storage.
Required: No
Type: Boolean

InstanceCount
The number of instances for which to reserve capacity.
Required: Yes
Type: Integer

InstanceMatchCriteria
Indicates the type of instance launches that the Capacity Reservation accepts. The options include:
• open - The Capacity Reservation automatically matches all instances that have matching
attributes (instance type, platform, and Availability Zone). Instances that have matching attributes
run in the Capacity Reservation automatically without specifying any additional parameters.
• targeted - The Capacity Reservation only accepts instances that have matching attributes
(instance type, platform, and Availability Zone), and explicitly target the Capacity Reservation. This
ensures that only permitted instances can use the reserved capacity.
Default: open
Required: No
Type: String
Allowed Values: open | targeted

InstancePlatform
The type of operating system for which to reserve capacity.
Required: Yes

1592
EC2
Type: String
Allowed Values: Linux with SQL Server Enterprise | Linux with SQL Server
Standard | Linux with SQL Server Web | Linux/UNIX | Red Hat Enterprise Linux
| SUSE Linux | Windows | Windows with SQL Server | Windows with SQL Server
Enterprise | Windows with SQL Server Standard | Windows with SQL Server Web

InstanceType
The instance type for which to reserve capacity. For more information, see Instance Types in the
Amazon Elastic Compute Cloud User Guide.
Required: Yes
Type: String

TagSpecifications
The tags to apply to the Capacity Reservation during launch.
Required: No
Type: List of TagSpecification (p. 1594)

Tenancy
Indicates the tenancy of the Capacity Reservation. A Capacity Reservation can have one of the
following tenancy settings:
• default - The Capacity Reservation is created on hardware that is shared with other AWS
accounts.
• dedicated - The Capacity Reservation is created on single-tenant hardware that is dedicated to a
single AWS account.
Required: No
Type: String
Allowed Values: dedicated | default
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource ID,
such as cr-1234ab5cd6789e0f1.
Fn::GetAtt

1593
EC2
AvailabilityZone
Returns the Availability Zone in which the capacity is reserved. For example: us-east-1a.
AvailableInstanceCount
Returns the remaining capacity, which indicates the number of instances that can be launched in the
Capacity Reservation. For example: 9.
InstanceType
Returns the type of instance for which the capacity is reserved. For example: m4.large.
Tenancy
Returns the tenancy of the Capacity Reservation. For example: dedicated.

TotalInstanceCount
Returns the total number of instances for which the Capacity Reservation reserves capacity. For
example: 15.
See Also
• On-Demand Capacity Reservations in the Amazon Elastic Compute Cloud User Guide for Linux Instances
AWS::EC2::CapacityReservation TagSpecification
Syntax
JSON
{
"Tags" : [ Tag, ... ]
}
YAML
Tags:
- Tag
Properties
ResourceType
The type of resource to tag. Specify capacity-reservation.
Required: No
Type: String
Allowed Values: client-vpn-endpoint | customer-gateway | dedicated-host | dhcp-

options | elastic-ip | fleet | fpga-image | host-reservation | image |

1594
EC2
instance | internet-gateway | launch-template | natgateway | network-acl

| network-interface | reserved-instances | route-table | security-group |
snapshot | spot-fleet-request | spot-instances-request | subnet | traffic-
mirror-filter | traffic-mirror-session | traffic-mirror-target | transit-
gateway | transit-gateway-attachment | transit-gateway-multicast-domain |
transit-gateway-route-table | volume | vpc | vpc-peering-connection | vpn-
connection | vpn-gateway

Tags
The tags to apply to the resource.
Required: No
Type: List of Tag
AWS::EC2::ClientVpnAuthorizationRule
Specifies an ingress authorization rule to add to a Client VPN endpoint. Ingress authorization rules act
as firewall rules that grant access to networks. You must configure ingress authorization rules to enable
clients to access resources in AWS or on-premises networks.
Syntax
JSON
{
"Type" : "AWS::EC2::ClientVpnAuthorizationRule",
"Properties" : {
"AccessGroupId" : String,
"AuthorizeAllGroups" : Boolean,
"ClientVpnEndpointId" : String,
"TargetNetworkCidr" : String
}
}
YAML
Type: AWS::EC2::ClientVpnAuthorizationRule
Properties:
AccessGroupId: String
AuthorizeAllGroups: Boolean
ClientVpnEndpointId: String
Description: String
TargetNetworkCidr: String
Properties
AccessGroupId
The ID of the Active Directory group to grant access.

1595
EC2
Required: No
Type: String

AuthorizeAllGroups
Indicates whether to grant access to all clients. Use true to grant all clients who successfully
establish a VPN connection access to the network.
Required: No
Type: Boolean

ClientVpnEndpointId
The ID of the Client VPN endpoint.
Required: Yes
Type: String

Description
A brief description of the authorization rule.
Required: No
Type: String

TargetNetworkCidr
The IPv4 address range, in CIDR notation, of the network for which access is being authorized.
Required: Yes
Type: String
Examples
Adding an authorization rule to a Client VPN endpoint
The following example adds an authorization rule that grants all users access to the internet.
YAML
myAuthRule:
Type: "AWS::EC2::ClientVpnAuthorizationRule"
Properties:
ClientVpnEndpointId:
Ref: myClientVpnEndpoint
AuthorizeAllGroups: true
TargetNetworkCidr: "0.0.0.0/0"
Description: "myAuthRule"

1596
EC2
JSON
"myAuthRule": {
"Type": "AWS::EC2::ClientVpnAuthorizationRule",
"Properties": {
"ClientVpnEndpointId": {
"Ref": "myClientVpnEndpoint"
},
"AuthorizeAllGroups": true,
"TargetNetworkCidr": "0.0.0.0/0",
"Description": "myAuthRule"
}
}
See Also
• Getting Started with Client VPN in the AWS Client VPN Administrator Guide
• Authorization Rules in the AWS Client VPN Administrator Guide
AWS::EC2::ClientVpnEndpoint
Specifies a Client VPN endpoint. A Client VPN endpoint is the resource you create and configure to
enable and manage client VPN sessions. It is the destination endpoint at which all client VPN sessions are
terminated.
Syntax
JSON
{
"Type" : "AWS::EC2::ClientVpnEndpoint",
"Properties" : {
"AuthenticationOptions" : [ ClientAuthenticationRequest (p. 1601), ... ],
"ClientCidrBlock" : String,
"ConnectionLogOptions" : ConnectionLogOptions (p. 1602),
"DnsServers" : [ String, ... ],
"ServerCertificateArn" : String,
"SplitTunnel" : Boolean,
"TransportProtocol" : String
}
}
YAML
Type: AWS::EC2::ClientVpnEndpoint
Properties:
AuthenticationOptions:
- ClientAuthenticationRequest (p. 1601)
ClientCidrBlock: String
ConnectionLogOptions:
ConnectionLogOptions (p. 1602)
Description: String
DnsServers:
- String
ServerCertificateArn: String

1597
EC2
SplitTunnel: Boolean
TagSpecifications:
TransportProtocol: String
Properties
AuthenticationOptions
Information about the authentication method to be used to authenticate clients.
Required: Yes
Type: List of ClientAuthenticationRequest (p. 1601)

ClientCidrBlock
The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address
range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the
routes that you add manually. The address range cannot be changed after the Client VPN endpoint
has been created. The CIDR block should be /22 or greater.
Required: Yes
Type: String

ConnectionLogOptions
Information about the client connection logging options.
If you enable client connection logging, data about client connections is sent to a Cloudwatch Logs
log stream. The following information is logged:
• Client connection requests
• Client connection results (successful and unsuccessful)
• Reasons for unsuccessful client connection requests
• Client connection termination time
Required: Yes
Type: ConnectionLogOptions (p. 1602)

Description
A brief description of the Client VPN endpoint.
Required: No
Type: String

DnsServers
Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have
up to two DNS servers. If no DNS server is specified, the DNS address configured on the device is
used for the DNS server.

1598
EC2
Required: No

ServerCertificateArn
The ARN of the server certificate. For more information, see the AWS Certificate Manager User
Guide.
Required: Yes
Type: String

SplitTunnel
Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.
By default, split-tunnel on a VPN endpoint is disabled.
For information about split-tunnel VPN endpoints, see Split-Tunnel AWS Client VPN Endpoint in the
AWS Client VPN Administrator Guide.
Required: No
Type: Boolean

TagSpecifications
The tags to apply to the Client VPN endpoint during creation.
Required: No

TransportProtocol
The transport protocol to be used by the VPN session.
Default value: udp
Required: No
Type: String
Allowed Values: tcp | udp
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Client VPN
endpoint ID. For example: cvpn-endpoint-1234567890abcdef0.

1599
EC2
Examples
Creating a Client VPN endpoint
The following example creates a Client VPN endpoint that uses Active Directory authentication and
assigns client IP addresses from the 10.0.0.0/22 CIDR range.
YAML
myClientVpnEndpoint:
Type: AWS::EC2::ClientVpnEndpoint
Properties:
AuthenticationOptions:
- Type: "directory-service-authentication"
ActiveDirectory:
DirectoryId: d-926example
ClientCidrBlock: "10.0.0.0/22"
ConnectionLogOptions:
Enabled: false
Description: "My Client VPN Endpoint"
DnsServers:
- "11.11.0.1"
ServerCertificateArn: "arn:aws:acm:us-
east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012"
TagSpecifications:
- ResourceType: "client-vpn-endpoint"
Tags:
- Key: "Purpose"
Value: "Production"
TransportProtocol: "udp"
JSON
"myClientVpnEndpoint": {
"Type": "AWS::EC2::ClientVpnEndpoint",
"Properties": {
"AuthenticationOptions": [
{
"Type": "directory-service-authentication",
"ActiveDirectory": {
"DirectoryId": "d-926example"
}
}
],
"ClientCidrBlock": "10.0.0.0/22",
"ConnectionLogOptions": {
"Enabled": false
},
"Description": "My Client VPN Endpoint",
"DnsServers": [
"11.11.0.1"
],
"ServerCertificateArn": "arn:aws:acm:us-
east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012",
"TagSpecifications": [
{
"ResourceType": "client-vpn-endpoint",
"Tags": [
{
"Key": "Purpose",
"Value": "Production"
}
]

1600
EC2
}
],
"TransportProtocol": "udp"
}
}
See Also
• Client VPN Endpoints in the AWS Client VPN Administrator Guide
AWS::EC2::ClientVpnEndpoint CertificateAuthenticationRequest
Information about the client certificate to be used for authentication.
Syntax
JSON
{
"ClientRootCertificateChainArn" : String
}
YAML
ClientRootCertificateChainArn: String
Properties
ClientRootCertificateChainArn
The ARN of the client certificate. The certificate must be signed by a certificate authority (CA) and it
must be provisioned in AWS Certificate Manager (ACM).
Required: Yes
Type: String
AWS::EC2::ClientVpnEndpoint ClientAuthenticationRequest
Describes the authentication method to be used by a Client VPN endpoint. Client VPN supports Active
Directory and mutual authentication. For more information, see Authentication in the AWS Client VPN
Administrator Guide.
Syntax
JSON
{
"ActiveDirectory" : DirectoryServiceAuthenticationRequest (p. 1603),

1601
EC2
"MutualAuthentication" : CertificateAuthenticationRequest (p. 1601),

"Type" : String
}
YAML
ActiveDirectory:
DirectoryServiceAuthenticationRequest (p. 1603)
MutualAuthentication:
CertificateAuthenticationRequest (p. 1601)
Type: String
Properties
ActiveDirectory
Information about the Active Directory to be used, if applicable. You must provide this information if
Type is directory-service-authentication.
Required: No
Type: DirectoryServiceAuthenticationRequest (p. 1603)

MutualAuthentication
Information about the authentication certificates to be used, if applicable. You must provide this
information if Type is certificate-authentication.
Required: No
Type: CertificateAuthenticationRequest (p. 1601)

Type
The type of client authentication to be used. Specify certificate-authentication to use

certificate-based authentication, or directory-service-authentication to use Active
Directory authentication.
Required: Yes
Type: String
Allowed Values: certificate-authentication | directory-service-authentication
AWS::EC2::ClientVpnEndpoint ConnectionLogOptions
Describes the client connection logging options for the Client VPN endpoint.
Syntax
JSON

1602
EC2
"CloudwatchLogGroup" : String,
"CloudwatchLogStream" : String,
"Enabled" : Boolean
}
YAML
CloudwatchLogGroup: String
CloudwatchLogStream: String
Enabled: Boolean
Properties
CloudwatchLogGroup
The name of the CloudWatch Logs log group.
Required: No
Type: String

CloudwatchLogStream
The name of the CloudWatch Logs log stream to which the connection data is published.
Required: No
Type: String

Enabled
Indicates whether connection logging is enabled.
Required: Yes
Type: Boolean
AWS::EC2::ClientVpnEndpoint DirectoryServiceAuthenticationRequest
Describes the Active Directory to be used for client authentication.
Syntax
JSON
{
"DirectoryId" : String
}
YAML
DirectoryId: String

1603
EC2
Properties
DirectoryId
The ID of the Active Directory to be used for authentication.
Required: Yes
Type: String
AWS::EC2::ClientVpnEndpoint TagSpecification
The tags to apply to a resource when the resource is being created.
Syntax
JSON
{
"Tags" : [ Tag, ... ]
}
YAML
Tags:
- Tag
Properties
ResourceType
The type of resource to tag.
Required: Yes
Type: String


Tags

1604
EC2
Required: Yes
Type: List of Tag
AWS::EC2::ClientVpnRoute
Specifies a network route to add to a Client VPN endpoint. Each Client VPN endpoint has a route table
that describes the available destination network routes. Each route in the route table specifies the path
for traffic to specific resources or networks.
A target network association must be created before you can specify a route. If you're setting up all
the components of a Client VPN endpoint at the same time, you must use the DependsOn Attribute to
declare a dependency on the AWS::EC2::ClientVpnTargetNetworkAssociation resource.
Syntax
JSON
{
"Type" : "AWS::EC2::ClientVpnRoute",
"Properties" : {
"DestinationCidrBlock" : String,
"TargetVpcSubnetId" : String
}
}
YAML
Type: AWS::EC2::ClientVpnRoute
Properties:
Description: String
DestinationCidrBlock: String
TargetVpcSubnetId: String
Properties
ClientVpnEndpointId
The ID of the Client VPN endpoint to which to add the route.
Required: Yes
Type: String

Description
A brief description of the route.
Required: No

1605
EC2
Type: String

DestinationCidrBlock
The IPv4 address range, in CIDR notation, of the route destination. For example:
• To add a route for Internet access, enter 0.0.0.0/0
• To add a route for a peered VPC, enter the peered VPC's IPv4 CIDR range
• To add a route for an on-premises network, enter the AWS Site-to-Site VPN connection's IPv4
CIDR range
Route address ranges cannot overlap with the CIDR range specified for client allocation.
Required: Yes
Type: String

TargetVpcSubnetId
The ID of the subnet through which you want to route traffic. The specified subnet must be an
existing target network of the Client VPN endpoint.
Required: Yes
Type: String
Examples
Adding a route to a Client VPN endpoint
The following example adds a route for internet access to a Client VPN endpoint.
YAML
myRoute:
Type: "AWS::EC2::ClientVpnRoute"
Properties:
TargetVpcSubnetId:
Ref: mySubnet
DestinationCidrBlock: "0.0.0.0/0"
Description: "myRoute"
JSON
"myRoute": {
"Type": "AWS::EC2::ClientVpnRoute",
"Properties": {
},
"TargetVpcSubnetId": {
"Ref": "mySubnet"
},

1606
EC2
"Description": "myRoute"
}
}
See Also
• Routes in the AWS Client VPN Administrator Guide
AWS::EC2::ClientVpnTargetNetworkAssociation
Specifies a target network to associate with a Client VPN endpoint. A target network is a subnet in a VPC.
You can associate multiple subnets from the same VPC with a Client VPN endpoint. You can associate
only one subnet in each Availability Zone. We recommend that you associate at least two subnets to
provide Availability Zone redundancy.
Syntax
JSON
{
"Type" : "AWS::EC2::ClientVpnTargetNetworkAssociation",
"Properties" : {
"SubnetId" : String
}
}
YAML
Type: AWS::EC2::ClientVpnTargetNetworkAssociation
Properties:
SubnetId: String
Properties
ClientVpnEndpointId
The ID of the Client VPN endpoint.
Required: Yes
Type: String

SubnetId
The ID of the subnet to associate with the Client VPN endpoint.
Required: Yes
Type: String

1607
EC2
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the association ID.
For example: cvpn-assoc-1234567890abcdef0.
Examples
Associating a target subnet with a Client VPN endpoint
The following example associates a target network with a Client VPN endpoint.
YAML
myNetworkAssociation:
Type: "AWS::EC2::ClientVpnTargetNetworkAssociation"
Properties:
SubnetId:
Ref: mySubnet
JSON
"myNetworkAssociation": {
"Type": "AWS::EC2::ClientVpnTargetNetworkAssociation",
"Properties": {
},
"SubnetId": {
"Ref": "mySubnet"
}
}
}
See Also
• Target Networks in the AWS Client VPN Administrator Guide
AWS::EC2::CustomerGateway
Specifies a customer gateway.
Syntax
JSON
{
"Type" : "AWS::EC2::CustomerGateway",
"Properties" : {

1608
EC2
"BgpAsn" : Integer,
"IpAddress" : String,
"Tags" : [ Tag, ... ],
"Type" : String
}
}
YAML
Type: AWS::EC2::CustomerGateway
Properties:
BgpAsn: Integer
IpAddress: String
Tags:
- Tag
Type: String
Properties
BgpAsn
For devices that support BGP, the customer gateway's BGP ASN.
Default: 65000
Required: Yes
Type: Integer

IpAddress
The Internet-routable IP address for the customer gateway's outside interface. The address must be
static.
Required: Yes
Type: String

Tags
One or more tags for the customer gateway.
Required: No
Type: List of Tag

Type
The type of VPN connection that this customer gateway supports (ipsec.1).
Required: Yes
Type: String
Allowed Values: ipsec.1

1609
EC2
Return Values
Ref
customer gateway.
Examples
YAML
myCustomerGateway:
Type: AWS::EC2::CustomerGateway
Properties:
Type: ipsec.1
BgpAsn: 65534
IpAddress: 12.1.2.3
JSON
{
"myCustomerGateway" : {
"Type" : "AWS::EC2::CustomerGateway",
"Properties" : {
"Type" : "ipsec.1",
"BgpAsn" : "65534",
"IpAddress" : "12.1.2.3"
}
}
}
See Also
• CreateCustomerGateway in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::DHCPOptions
Specifies a set of DHCP options for your VPC.
You must specify at least one of the following properties: DomainNameServers,

NetbiosNameServers, NtpServers. If you specify NetbiosNameServers, you must specify
NetbiosNodeType.
Syntax
JSON
{
"Type" : "AWS::EC2::DHCPOptions",
"Properties" : {
"DomainNameServers" : [ String, ... ],
"NetbiosNameServers" : [ String, ... ],

1610
EC2
"NetbiosNodeType" : Integer,
"NtpServers" : [ String, ... ],
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::EC2::DHCPOptions
Properties:
DomainName: String
DomainNameServers:
- String
NetbiosNameServers:
- String
NetbiosNodeType: Integer
NtpServers:
- String
Tags:
- Tag
Properties
DomainName
This value is used to complete unqualified DNS hostnames. If you're using AmazonProvidedDNS in
us-east-1, specify ec2.internal. If you're using AmazonProvidedDNS in another Region, specify
region.compute.internal (for example, ap-northeast-1.compute.internal). Otherwise,
specify a domain name (for example, MyCompany.com).
Required: No
Type: String

DomainNameServers
The IPv4 addresses of up to four domain name servers, or AmazonProvidedDNS. The default DHCP
option set specifies AmazonProvidedDNS. If specifying more than one domain name server, specify
the IP addresses in a single parameter, separated by commas. To have your instance to receive a
custom DNS hostname as specified in DomainName, you must set this to a custom DNS server.

NetbiosNameServers
The IPv4 addresses of up to four NetBIOS name servers.

NetbiosNodeType
The NetBIOS node type (1, 2, 4, or 8). We recommend that you specify 2 (broadcast and multicast
are not currently supported).

1611
EC2
Required: No
Type: Integer

NtpServers
The IPv4 addresses of up to four Network Time Protocol (NTP) servers.

Tags
Any tags assigned to the DHCP options set.
Required: No
Type: List of Tag
Return Values
Ref
name.
Examples
YAML
myDhcpOptions:
Type: AWS::EC2::DHCPOptions
Properties:
DomainName: example.com
DomainNameServers:
- AmazonProvidedDNS
NtpServers:
- 10.2.5.1
NetbiosNameServers:
- 10.2.5.1
NetbiosNodeType: 2
Tags:
- Key: project
Value: 123
JSON
{
"myDhcpOptions" : {

1612
EC2
"Type" : "AWS::EC2::DHCPOptions",
"Properties" : {
"DomainNameServers" : [ "AmazonProvidedDNS" ],
"NtpServers" : [ "10.2.5.1" ],
"NetbiosNameServers" : [ "10.2.5.1" ],
"NetbiosNodeType" : 2,
"Tags" : [ { "Key" : "project", "Value" : "123" } ]
}
}
}
See Also
• CreateDhcpOptions in the Amazon Elastic Compute Cloud API Reference
• DHCP Options Sets in the Amazon Virtual Private Cloud User Guide
AWS::EC2::EC2Fleet
Specifies the configuration information to launch a fleet—or group—of instances. An EC2 Fleet can
launch multiple instance types across multiple Availability Zones, using the On-Demand Instance,
Reserved Instance, and Spot Instance purchasing models together. Using EC2 Fleet, you can define
separate On-Demand and Spot capacity targets, specify the instance types that work best for your
applications, and specify how Amazon EC2 should distribute your fleet capacity within each purchasing
model. For more information, see Launching an EC2 Fleet in the Amazon EC2 User Guide for Linux
Instances.
Syntax
JSON
{
"Type" : "AWS::EC2::EC2Fleet",
"Properties" : {
"ExcessCapacityTerminationPolicy" : String,
"LaunchTemplateConfigs" : [ FleetLaunchTemplateConfigRequest (p. 1616), ... ],
"OnDemandOptions" : OnDemandOptionsRequest (p. 1620),
"ReplaceUnhealthyInstances" : Boolean,
"SpotOptions" : SpotOptionsRequest (p. 1621),
"TargetCapacitySpecification" : TargetCapacitySpecificationRequest (p. 1624),
"TerminateInstancesWithExpiration" : Boolean,
"Type" : String,
"ValidFrom" : String,
"ValidUntil" : String
}
}
YAML
Type: AWS::EC2::EC2Fleet
Properties:
ExcessCapacityTerminationPolicy: String
LaunchTemplateConfigs:
- FleetLaunchTemplateConfigRequest (p. 1616)
OnDemandOptions:
OnDemandOptionsRequest (p. 1620)

1613
EC2
ReplaceUnhealthyInstances: Boolean
SpotOptions:
SpotOptionsRequest (p. 1621)
TagSpecifications:
TargetCapacitySpecification:
TargetCapacitySpecificationRequest (p. 1624)
TerminateInstancesWithExpiration: Boolean
Type: String
ValidFrom: String
ValidUntil: String
Properties
ExcessCapacityTerminationPolicy
Indicates whether running instances should be terminated if the total target capacity of the EC2
Fleet is decreased below the current size of the EC2 Fleet.
Required: No
Type: String
Allowed Values: no-termination | termination

LaunchTemplateConfigs
The configuration for the EC2 Fleet.
Required: Yes
Type: List of FleetLaunchTemplateConfigRequest (p. 1616)
Maximum: 50

OnDemandOptions
Describes the configuration of On-Demand Instances in an EC2 Fleet.
Required: No
Type: OnDemandOptionsRequest (p. 1620)

ReplaceUnhealthyInstances
Indicates whether EC2 Fleet should replace unhealthy instances.
Required: No
Type: Boolean

SpotOptions
Describes the configuration of Spot Instances in an EC2 Fleet.
Required: No

1614
EC2
Type: SpotOptionsRequest (p. 1621)

TagSpecifications
The key-value pair for tagging the EC2 Fleet request on creation. The value for ResourceType must
be fleet, otherwise the fleet request fails. To tag instances at launch, specify the tags in the launch
template. For information about tagging after launch, see Tagging Your Resources.
Required: No

TargetCapacitySpecification
The number of units to request.
Required: Yes
Type: TargetCapacitySpecificationRequest (p. 1624)

TerminateInstancesWithExpiration
Indicates whether running instances should be terminated when the EC2 Fleet expires.
Required: No
Type: Boolean

Type
The type of the request. By default, the EC2 Fleet places an asynchronous request for your desired
capacity, and maintains it by replenishing interrupted Spot Instances (maintain). A value of
instant places a synchronous one-time request, and returns errors for any instances that could not
be launched. A value of request places an asynchronous one-time request without maintaining
capacity or submitting requests in alternative capacity pools if capacity is unavailable. For more
information, see EC2 Fleet Request Types in the Amazon Elastic Compute Cloud User Guide.
Required: No
Type: String
Allowed Values: instant | maintain | request

ValidFrom
The start date and time of the request, in UTC format (for example, YYYY-MM-DDTHH:MM:SSZ). The
default is to start fulfilling the request immediately.
Required: No
Type: String

1615
EC2
ValidUntil
The end date and time of the request, in UTC format (for example, YYYY-MM-DDTHH:MM:SSZ). At
this point, no new EC2 Fleet requests are placed or able to fulfill the request. If no value is specified,
the request remains until you cancel it.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the fleet ID, such
as fleet-1fe24079-d272-4023-8e7c-70e10784cb0e.
See Also
• CreateFleet in the Amazon EC2 API Reference
AWS::EC2::EC2Fleet FleetLaunchTemplateConfigRequest
Specifies a launch template and overrides for an EC2 Fleet.
FleetLaunchTemplateConfigRequest is a property of the AWS::EC2::EC2Fleet resource.
Syntax
JSON
{
"LaunchTemplateSpecification" : FleetLaunchTemplateSpecificationRequest (p. 1619),
"Overrides" : [ FleetLaunchTemplateOverridesRequest (p. 1617), ... ]
}
YAML
FleetLaunchTemplateSpecificationRequest (p. 1619)
Overrides:
- FleetLaunchTemplateOverridesRequest (p. 1617)
Properties
The launch template to use. You must specify either the launch template ID or launch template
name in the request.
Required: No

1616
EC2
Type: FleetLaunchTemplateSpecificationRequest (p. 1619)

Overrides
Any parameters that you specify override the same parameters in the launch template.
Required: No
Type: List of FleetLaunchTemplateOverridesRequest (p. 1617)
Maximum: 50
See Also
• FleetLaunchTemplateConfigRequest in the Amazon EC2 API Reference
AWS::EC2::EC2Fleet FleetLaunchTemplateOverridesRequest
Specifies overrides for a launch template for an EC2 Fleet.
FleetLaunchTemplateOverridesRequest is a property of the FleetLaunchTemplateConfigRequest

property type.
Syntax
JSON
{
"MaxPrice" : String,
"Priority" : Double,
"SubnetId" : String,
"WeightedCapacity" : Double
}
YAML
MaxPrice: String
Priority: Double
SubnetId: String
WeightedCapacity: Double
Properties
AvailabilityZone
The Availability Zone in which to launch the instances.
Required: No
Type: String

1617
EC2

InstanceType
The instance type.
Required: No
Type: String
Allowed Values: a1.2xlarge | a1.4xlarge | a1.large | a1.medium | a1.metal |

a1.xlarge | c1.medium | c1.xlarge | c3.2xlarge | c3.4xlarge | c3.8xlarge
| c3.large | c3.xlarge | c4.2xlarge | c4.4xlarge | c4.8xlarge | c4.large
| c4.xlarge | c5.12xlarge | c5.18xlarge | c5.24xlarge | c5.2xlarge |
c5.4xlarge | c5.9xlarge | c5.large | c5.metal | c5.xlarge | c5d.12xlarge
| c5d.18xlarge | c5d.24xlarge | c5d.2xlarge | c5d.4xlarge | c5d.9xlarge
| c5d.large | c5d.metal | c5d.xlarge | c5n.18xlarge | c5n.2xlarge |
c5n.4xlarge | c5n.9xlarge | c5n.large | c5n.xlarge | cc1.4xlarge |
cc2.8xlarge | cg1.4xlarge | cr1.8xlarge | d2.2xlarge | d2.4xlarge |
d2.8xlarge | d2.xlarge | f1.16xlarge | f1.2xlarge | f1.4xlarge | g2.2xlarge
| g2.8xlarge | g3.16xlarge | g3.4xlarge | g3.8xlarge | g3s.xlarge |
g4dn.12xlarge | g4dn.16xlarge | g4dn.2xlarge | g4dn.4xlarge | g4dn.8xlarge
| g4dn.xlarge | h1.16xlarge | h1.2xlarge | h1.4xlarge | h1.8xlarge |
hi1.4xlarge | hs1.8xlarge | i2.2xlarge | i2.4xlarge | i2.8xlarge | i2.xlarge
| i3.16xlarge | i3.2xlarge | i3.4xlarge | i3.8xlarge | i3.large | i3.metal
| i3.xlarge | i3en.12xlarge | i3en.24xlarge | i3en.2xlarge | i3en.3xlarge
| i3en.6xlarge | i3en.large | i3en.metal | i3en.xlarge | inf1.24xlarge
| inf1.2xlarge | inf1.6xlarge | inf1.xlarge | m1.large | m1.medium |
m1.small | m1.xlarge | m2.2xlarge | m2.4xlarge | m2.xlarge | m3.2xlarge |
m3.large | m3.medium | m3.xlarge | m4.10xlarge | m4.16xlarge | m4.2xlarge |
m4.4xlarge | m4.large | m4.xlarge | m5.12xlarge | m5.16xlarge | m5.24xlarge
| m5.2xlarge | m5.4xlarge | m5.8xlarge | m5.large | m5.metal | m5.xlarge
| m5a.12xlarge | m5a.16xlarge | m5a.24xlarge | m5a.2xlarge | m5a.4xlarge
| m5a.8xlarge | m5a.large | m5a.xlarge | m5ad.12xlarge | m5ad.16xlarge |
m5ad.24xlarge | m5ad.2xlarge | m5ad.4xlarge | m5ad.8xlarge | m5ad.large
| m5ad.xlarge | m5d.12xlarge | m5d.16xlarge | m5d.24xlarge | m5d.2xlarge
| m5d.4xlarge | m5d.8xlarge | m5d.large | m5d.metal | m5d.xlarge |
m5dn.12xlarge | m5dn.16xlarge | m5dn.24xlarge | m5dn.2xlarge | m5dn.4xlarge
| m5dn.8xlarge | m5dn.large | m5dn.xlarge | m5n.12xlarge | m5n.16xlarge
| m5n.24xlarge | m5n.2xlarge | m5n.4xlarge | m5n.8xlarge | m5n.large |
m5n.xlarge | p2.16xlarge | p2.8xlarge | p2.xlarge | p3.16xlarge | p3.2xlarge
| p3.8xlarge | p3dn.24xlarge | r3.2xlarge | r3.4xlarge | r3.8xlarge |
r3.large | r3.xlarge | r4.16xlarge | r4.2xlarge | r4.4xlarge | r4.8xlarge |
r4.large | r4.xlarge | r5.12xlarge | r5.16xlarge | r5.24xlarge | r5.2xlarge
| r5.4xlarge | r5.8xlarge | r5.large | r5.metal | r5.xlarge | r5a.12xlarge
| r5a.16xlarge | r5a.24xlarge | r5a.2xlarge | r5a.4xlarge | r5a.8xlarge
| r5a.large | r5a.xlarge | r5ad.12xlarge | r5ad.16xlarge | r5ad.24xlarge
| r5ad.2xlarge | r5ad.4xlarge | r5ad.8xlarge | r5ad.large | r5ad.xlarge
| r5d.12xlarge | r5d.16xlarge | r5d.24xlarge | r5d.2xlarge | r5d.4xlarge
| r5d.8xlarge | r5d.large | r5d.metal | r5d.xlarge | r5dn.12xlarge |
r5dn.16xlarge | r5dn.24xlarge | r5dn.2xlarge | r5dn.4xlarge | r5dn.8xlarge
| r5dn.large | r5dn.xlarge | r5n.12xlarge | r5n.16xlarge | r5n.24xlarge
| r5n.2xlarge | r5n.4xlarge | r5n.8xlarge | r5n.large | r5n.xlarge |
t1.micro | t2.2xlarge | t2.large | t2.medium | t2.micro | t2.nano | t2.small
| t2.xlarge | t3.2xlarge | t3.large | t3.medium | t3.micro | t3.nano |
t3.small | t3.xlarge | t3a.2xlarge | t3a.large | t3a.medium | t3a.micro
| t3a.nano | t3a.small | t3a.xlarge | u-12tb1.metal | u-18tb1.metal |
u-24tb1.metal | u-6tb1.metal | u-9tb1.metal | x1.16xlarge | x1.32xlarge
| x1e.16xlarge | x1e.2xlarge | x1e.32xlarge | x1e.4xlarge | x1e.8xlarge

1618
EC2
| x1e.xlarge | z1d.12xlarge | z1d.2xlarge | z1d.3xlarge | z1d.6xlarge |

z1d.large | z1d.metal | z1d.xlarge

MaxPrice
The maximum price per unit hour that you are willing to pay for a Spot Instance.
Required: No
Type: String

Priority
The priority for the launch template override. If AllocationStrategy is set to prioritized, EC2
Fleet uses priority to determine which launch template override to use first in fulfilling On-Demand
capacity. The highest priority is launched first. Valid values are whole numbers starting at 0. The
lower the number, the higher the priority. If no number is set, the launch template override has the
lowest priority.
Required: No
Type: Double

SubnetId
The ID of the subnet in which to launch the instances.
Required: No
Type: String

WeightedCapacity
The number of units provided by the specified instance type.
Required: No
Type: Double
See Also
• FleetLaunchTemplateOverridesRequest in the Amazon EC2 API Reference
AWS::EC2::EC2Fleet FleetLaunchTemplateSpecificationRequest
Specifies the launch template to use for an EC2 Fleet. You must specify either the launch template ID or
launch template name in the request.
FleetLaunchTemplateSpecificationRequest is a property of the

FleetLaunchTemplateConfigRequest property type.
Syntax

1619
EC2
JSON
{
"Version" : String
}
YAML
Version: String
Properties
LaunchTemplateId
Required: No
Type: String

LaunchTemplateName
Required: No
Type: String
Minimum: 3
Maximum: 128
Pattern: [a-zA-Z0-9\.\-/_]+

Version
The version number of the launch template. Note: This is a required parameter and will be updated
soon.
Required: No
Type: String
See Also
• FleetLaunchTemplateSpecificationRequest in the Amazon EC2 API Reference
AWS::EC2::EC2Fleet OnDemandOptionsRequest
Specifies the allocation strategy of On-Demand Instances in an EC2 Fleet.

1620
EC2
OnDemandOptionsRequest is a property of the AWS::EC2::EC2Fleet resource.
Syntax
JSON
{
"AllocationStrategy" : String
}
YAML
Properties
AllocationStrategy
The order of the launch template overrides to use in fulfilling On-Demand capacity. If you specify
lowest-price, EC2 Fleet uses price to determine the order, launching the lowest price first. If
you specify prioritized, EC2 Fleet uses the priority that you assigned to each launch template
override, launching the highest priority first. If you do not specify a value, EC2 Fleet defaults to
lowest-price.
Required: No
Type: String
Allowed Values: lowest-price | prioritized
See Also
• OnDemandOptionsRequest in the Amazon EC2 API Reference
AWS::EC2::EC2Fleet SpotOptionsRequest
Specifies the configuration of Spot Instances for an EC2 Fleet.
SpotOptionsRequest is a property of the AWS::EC2::EC2Fleet resource.
Syntax
JSON
{
"InstanceInterruptionBehavior" : String,
"InstancePoolsToUseCount" : Integer
}

1621
EC2
YAML
InstanceInterruptionBehavior: String
InstancePoolsToUseCount: Integer
Properties
AllocationStrategy
Indicates how to allocate the target Spot Instance capacity across the Spot Instance pools specified
by the EC2 Fleet.
If the allocation strategy is lowestPrice, EC2 Fleet launches instances from the Spot Instance
pools with the lowest price. This is the default allocation strategy.
If the allocation strategy is diversified, EC2 Fleet launches instances from all the Spot Instance
pools that you specify.
If the allocation strategy is capacityOptimized, EC2 Fleet launches instances from Spot Instance
pools that are optimally chosen based on the available Spot Instance capacity.
Allowed Values: lowestPrice | diversified | capacityOptimized
Required: No
Type: String

InstanceInterruptionBehavior
The behavior when a Spot Instance is interrupted. The default is terminate.
Required: No
Type: String
Allowed Values: hibernate | stop | terminate

InstancePoolsToUseCount
The number of Spot pools across which to allocate your target Spot capacity. Valid only when Spot
AllocationStrategy is set to lowest-price. EC2 Fleet selects the cheapest Spot pools and evenly
allocates your target Spot capacity across the number of Spot pools that you specify.
Required: No
Type: Integer
See Also
• SpotOptionsRequest in the Amazon EC2 API Reference
AWS::EC2::EC2Fleet TagRequest
Specifies the tag key and value pair to use.

1622
EC2
TagRequest is a property of the AWS::EC2::TagSpecification resource.
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 255 Unicode characters.
Required: No
Type: String

Value
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not
begin with aws:.
Required: No
Type: String
AWS::EC2::EC2Fleet TagSpecification
Specifies the tags to apply to a resource when the resource is being created for an EC2 Fleet.
TagSpecification is a property of the AWS::EC2::EC2Fleet resource.
Syntax
JSON

1623
EC2
"Tags" : [ TagRequest (p. 1622), ... ]
}
YAML
Tags:
- TagRequest (p. 1622)
Properties
ResourceType
The type of resource to tag. ResourceType must be fleet.
Required: No
Type: String


Tags
Required: No
Type: List of TagRequest (p. 1622)
See Also
• TagSpecification in the Amazon EC2 API Reference
AWS::EC2::EC2Fleet TargetCapacitySpecificationRequest
Specifies the number of units to request for an EC2 Fleet. You can choose to set the target capacity in
terms of instances or a performance characteristic that is important to your application workload, such
as vCPUs, memory, or I/O. If the request type is maintain, you can specify a target capacity of 0 and
add capacity later.
TargetCapacitySpecificationRequest is a property of the AWS::EC2::EC2Fleet resource.
Syntax

1624
EC2
JSON
{
"DefaultTargetCapacityType" : String,
"OnDemandTargetCapacity" : Integer,
"SpotTargetCapacity" : Integer,
"TotalTargetCapacity" : Integer
}
YAML
DefaultTargetCapacityType: String
OnDemandTargetCapacity: Integer
SpotTargetCapacity: Integer
TotalTargetCapacity: Integer
Properties
DefaultTargetCapacityType
The default TotalTargetCapacity, which is either Spot or On-Demand.
Required: No
Type: String
Allowed Values: on-demand | spot

OnDemandTargetCapacity
The number of On-Demand units to request.
Required: No
Type: Integer

SpotTargetCapacity
The number of Spot units to request.
Required: No
Type: Integer

TotalTargetCapacity
The number of units to request, filled using DefaultTargetCapacityType.
Required: Yes
Type: Integer
See Also
• TargetCapacitySpecificationRequest in the Amazon EC2 API Reference

1625
EC2
AWS::EC2::EgressOnlyInternetGateway
[IPv6 only] Specifies an egress-only internet gateway for your VPC. An egress-only internet gateway
is used to enable outbound communication over IPv6 from instances in your VPC to the internet, and
prevents hosts outside of your VPC from initiating an IPv6 connection with your instance.
Syntax
JSON
{
"Type" : "AWS::EC2::EgressOnlyInternetGateway",
"Properties" : {
"VpcId" : String
}
}
YAML
Properties:
VpcId: String
Properties
VpcId
The ID of the VPC for which to create the egress-only internet gateway.
Required: Yes
Type: String
Return Values
Ref
egress-only Internet gateway (the physical resource ID).
Examples
YAML
myEgressOnlyInternetGateway:
Properties:
VpcId: vpc-1a2b3c4d

1626
EC2
JSON
{
"myEgressOnlyInternetGateway" : {
"Type" : "AWS::EC2::EgressOnlyInternetGateway",
"Properties" : {
"VpcId" : "vpc-1a2b3c4d"
}
}
}
See Also
• CreateEgressOnlyInternetGateway in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::EIP
Specifies an Elastic IP (EIP) address and can, optionally, associate it with an Amazon EC2 instance.
You can allocate an Elastic IP address from an address pool owned by AWS or from an address pool
created from a public IPv4 address range that you have brought to AWS for use with your AWS resources
using bring your own IP addresses (BYOIP). For more information, see Bring Your Own IP Addresses
(BYOIP) in the Amazon Elastic Compute Cloud User Guide.
[EC2-VPC] If you release an Elastic IP address, you might be able to recover it. You cannot recover an
Elastic IP address that you released after it is allocated to another AWS account. You cannot recover an
Elastic IP address for EC2-Classic. To attempt to recover an Elastic IP address that you released, specify it
in this operation.
An Elastic IP address is for use either in the EC2-Classic platform or in a VPC. By default, you can allocate
5 Elastic IP addresses for EC2-Classic per Region and 5 Elastic IP addresses for EC2-VPC per Region.
For more information, see Elastic IP Addresses in the Amazon Elastic Compute Cloud User Guide.
Syntax
JSON
{
"Properties" : {
"Domain" : String,
"PublicIpv4Pool" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::EC2::EIP
Properties:
Domain: String
InstanceId: String
PublicIpv4Pool: String
Tags:

1627
EC2
- Tag
Properties
Domain
Set to vpc to allocate the address for use with instances in a VPC.
Default: The address is for use with instances in EC2-Classic.
If you define an Elastic IP address and associate it with a VPC that is defined in the same template,
you must declare a dependency on the VPC-gateway attachment by using the DependsOn Attribute
on this resource.
Required when allocating an address to a VPC
Type: String
Allowed Values: standard | vpc

InstanceId
The ID of the instance.
Required: No
Type: String

PublicIpv4Pool
The ID of an address pool that you own. Use this parameter to let Amazon EC2 select an address
from the address pool.
Required: No
Type: String

Tags
Any tags assigned to the Elastic IP address.
Required: No
Type: List of Tag
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Elastic IP
address.

1628
EC2
Fn::GetAtt
AllocationId
The ID that AWS assigns to represent the allocation of the address for use with Amazon VPC. This is
returned only for VPC elastic IP addresses. For example, eipalloc-5723d13e.
Examples
Allocating an Amazon EC2 Elastic IP Using AWS::EC2::EIP.
This example shows how to allocate an Amazon EC2 Elastic IP address and assign it to an Amazon EC2
instance using a AWS::EC2::EIP resource.
JSON
"MyEIP" : {
"Properties" : {
"InstanceId" : { "Ref" : "logical name of an AWS::EC2::Instance resource" }
}
}
YAML
MyEIP:
Type: AWS::EC2::EIP
Properties:
AWS::EC2::EIPAssociation
Associates an Elastic IP address with an instance or a network interface. Before you can use an Elastic IP
address, you must allocate it to your account.
An Elastic IP address is for use in either the EC2-Classic platform or in a VPC. For more information, see
Elastic IP Addresses in the Amazon Elastic Compute Cloud User Guide.
[EC2-Classic, VPC in an EC2-VPC-only account] If the Elastic IP address is already associated with a
different instance, it is disassociated from that instance and associated with the specified instance. If
you associate an Elastic IP address with an instance that has an existing Elastic IP address, the existing
address is disassociated from the instance, but remains allocated to your account.
[VPC in an EC2-Classic account] If you don't specify a private IP address, the Elastic IP address is
associated with the primary IP address. If the Elastic IP address is already associated with a different
instance or a network interface, you get an error unless you allow reassociation. You cannot associate an
Elastic IP address with an instance or network interface that has an existing Elastic IP address.
Syntax

1629
EC2
JSON
{
"Properties" : {
"AllocationId" : String,
"EIP" : String,
"NetworkInterfaceId" : String,
"PrivateIpAddress" : String
}
}
YAML
Properties:
AllocationId: String
EIP: String
InstanceId: String
NetworkInterfaceId: String
PrivateIpAddress: String
Properties
AllocationId
[EC2-VPC] The allocation ID. This is required for EC2-VPC.
Type: String

EIP
The Elastic IP address to associate with the instance. This is required for EC2-Classic.
Type: String

InstanceId
The ID of the instance. This is required for EC2-Classic. For EC2-VPC, you can specify either the
instance ID or the network interface ID, but not both. The operation fails if you specify an instance ID
unless exactly one network interface is attached.
Type: String

NetworkInterfaceId
[EC2-VPC] The ID of the network interface. If the instance has more than one network interface, you
must specify a network interface ID.
For EC2-VPC, you can specify either the instance ID or the network interface ID, but not both.

1630
EC2
Type: String

PrivateIpAddress
[EC2-VPC] The primary or secondary private IP address to associate with the Elastic IP address. If no
private IP address is specified, the Elastic IP address is associated with the primary private IP address.
Required: No
Type: String
Return Values
Ref
name.
Examples
Associating an Elastic IP address to an instance
The following example creates an instance with two elastic network interfaces (ENI). The example
assumes that you have an existing VPC.
For additional examples, see Assigning an Amazon EC2 Elastic IP Using AWS::EC2::EIP Snippet.
JSON
"Resources" : {
"ControlPortAddress" : {
"Properties" : {
"Domain" : "vpc"
}
},
"AssociateControlPort" : {
"Properties" : {
"AllocationId" : { "Fn::GetAtt" : [ "ControlPortAddress", "AllocationId" ]},
"NetworkInterfaceId" : { "Ref" : "controlXface" }
}
},
"WebPortAddress" : {
"Properties" : {
"Domain" : "vpc"
}
},
"AssociateWebPort" : {
"Properties" : {
"AllocationId" : { "Fn::GetAtt" : [ "WebPortAddress", "AllocationId" ]},
"NetworkInterfaceId" : { "Ref" : "webXface" }
}

1631
EC2
},
"SSHSecurityGroup" : {
"Properties" : {
"SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : "22",
"ToPort" : "22", "CidrIp" : "0.0.0.0/0" } ]
}
},
"WebSecurityGroup" : {
"Properties" : {
"GroupDescription" : "Enable HTTP access via user defined port",
"SecurityGroupIngress" : [ { "IpProtocol" : "tcp", "FromPort" : 80, "ToPort" :
80, "CidrIp" : "0.0.0.0/0" } ]
}
},
"controlXface" : {
"Properties" : {
"Description" :"Interface for control traffic such as SSH",
"GroupSet" : [ {"Ref" : "SSHSecurityGroup"} ],
"Tags" : [ {"Key" : "Network", "Value" : "Control"}]
}
},
"webXface" : {
"Properties" : {
"Description" :"Interface for web traffic",
"GroupSet" : [ {"Ref" : "WebSecurityGroup"} ],
"Tags" : [ {"Key" : "Network", "Value" : "Web"}]
}
},
"Ec2Instance" : {
"Properties" : {
"AMI" ]},
"NetworkInterfaces" : [ { "NetworkInterfaceId" : {"Ref" : "controlXface"},
"DeviceIndex" : "0" }, { "NetworkInterfaceId" : {"Ref" : "webXface"}, "DeviceIndex" :
"1" }],
"UserData" : {"Fn::Base64" : { "Fn::Join" : ["",["#!/bin/bash -ex","\n",
"\n","yum install ec2-net-utils -y","\n", "ec2ifup eth1","\n", "service httpd start"]]}}
}
}
}
YAML
Resources:
ControlPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateControlPort:

1632
EC2
Properties:
AllocationId: !GetAtt ControlPortAddress.AllocationId
WebPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateWebPort:
Properties:
AllocationId: !GetAtt WebPortAddress.AllocationId
SSHSecurityGroup:
Properties:
VpcId: !Ref VpcId
- CidrIp: 0.0.0.0/0
FromPort: 22
IpProtocol: tcp
ToPort: 22
WebSecurityGroup:
Properties:
VpcId: !Ref VpcId
GroupDescription: Enable HTTP access via user defined port
- CidrIp: 0.0.0.0/0
FromPort: 80
IpProtocol: tcp
ToPort: 80
controlXface:
Properties:
GroupSet:
- !Ref SSHSecurityGroup
Tags:
- Key: Network
Value: Control
webXface:
Properties:
GroupSet:
- !Ref WebSecurityGroup
Tags:
- Key: Network
Value: Web
Ec2Instance:
Properties:
ImageId: !FindInMap [ RegionMap, !Ref 'AWS::Region', AMI ]
NetworkInterfaces:
- NetworkInterfaceId: !Ref controlXface
DeviceIndex: 0
- NetworkInterfaceId: !Ref webXface
DeviceIndex: 1
Tags:
- Key: Role

1633
EC2

UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum install ec2-net-utils -y
ec2ifup eth1
service httpd start
AWS::EC2::FlowLog
Specifies an Amazon Elastic Compute Cloud (Amazon EC2) flow log that captures IP traffic for a specified
network interface, subnet, or VPC. To view the log data, use Amazon CloudWatch Logs (CloudWatch
Logs) to help troubleshoot connection issues. For example, you can use a flow log to investigate why
certain traffic isn't reaching an instance, which can help you diagnose overly restrictive security group
rules. For more information, see VPC Flow Logs in the Amazon VPC User Guide.
Syntax
JSON
{
"Type" : "AWS::EC2::FlowLog",
"Properties" : {
"DeliverLogsPermissionArn" : String,
"LogDestination" : String,
"LogDestinationType" : String,
"TrafficType" : String
}
}
YAML
Type: AWS::EC2::FlowLog
Properties:
DeliverLogsPermissionArn: String
LogDestination: String
LogDestinationType: String
ResourceId: String
TrafficType: String
Properties
DeliverLogsPermissionArn
The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log
group in your account.
If you specify LogDestinationType as s3, do not specify DeliverLogsPermissionArn or

LogGroupName.
Required: No
Type: String

1634
EC2

LogDestination
Specifies the destination to which the flow log data is to be published. Flow log data can be
published to a CloudWatch Logs log group or an Amazon S3 bucket. The value specified for this
parameter depends on the value specified for LogDestinationType.
If LogDestinationType is not specified or cloud-watch-logs, specify the Amazon Resource

Name (ARN) of the CloudWatch Logs log group. For example, to publish to a log group called my-
logs, specify arn:aws:logs:us-east-1:123456789012:log-group:my-logs. Alternatively,
use LogGroupName instead.
If LogDestinationType is s3, specify the ARN of the Amazon S3 bucket. You can also specify a
subfolder in the bucket. To specify a subfolder in the bucket, use the following ARN format:
bucket_ARN/subfolder_name/. For example, to specify a subfolder named my-logs in a bucket
named my-bucket, use the following ARN: arn:aws:s3:::my-bucket/my-logs/. You cannot
use AWSLogs as a subfolder name. This is a reserved term.
Required: No
Type: String

LogDestinationType
Specifies the type of destination to which the flow log data is to be published. Flow log data can be
published to CloudWatch Logs or Amazon S3. To publish flow log data to CloudWatch Logs, specify
cloud-watch-logs. To publish flow log data to Amazon S3, specify s3.

LogGroupName.
Default: cloud-watch-logs
Required: No
Type: String
Allowed Values: cloud-watch-logs | s3

LogGroupName
The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow
logs.

LogGroupName.
Required: No
Type: String

ResourceId
The ID of the subnet, network interface, or VPC for which you want to create a flow log.
Constraints: Maximum of 1000 resources
Required: Yes

1635
EC2
Type: String

ResourceType
The type of resource for which to create the flow log. For example, if you specified a VPC ID for the
ResourceId property, specify VPC for this property.
Required: Yes
Type: String
Allowed Values: NetworkInterface | Subnet | VPC

TrafficType
The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.
Required: Yes
Type: String
Allowed Values: ACCEPT | ALL | REJECT
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the flow log ID,
such as fl-1a23b456.
Examples
Creating a flow log that monitors all traffic types
The following example creates a flow log for the VPC called MyVPC and logs all traffic types. Amazon
EC2 publishes the logs to the FlowLogsGroup log group.
JSON
"MyFlowLog" : {
"Type" : "AWS::EC2::FlowLog",
"Properties" : {
"DeliverLogsPermissionArn" : { "Fn::GetAtt" : ["FlowLogRole", "Arn"] },
"LogGroupName" : "FlowLogsGroup",
"ResourceId" : { "Ref" : "MyVPC" },
"ResourceType" : "VPC",
"TrafficType" : "ALL"
}
}
YAML
MyFlowLog:
Type: AWS::EC2::FlowLog

1636
EC2
Properties:
DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn
LogGroupName: FlowLogsGroup
ResourceId: !Ref MyVPC
ResourceType: VPC
TrafficType: ALL
AWS::EC2::Host
Allocates a fully dedicated physical server for launching EC2 instances. Because the host is fully
dedicated for your use, it can help you address compliance requirements and reduce costs by allowing
you to use your existing server-bound software licenses. For more information, see Dedicated Hosts in
Syntax
JSON
{
"Type" : "AWS::EC2::Host",
"Properties" : {
"AutoPlacement" : String,
"HostRecovery" : String,
"InstanceType" : String
}
}
YAML
Type: AWS::EC2::Host
Properties:
AutoPlacement: String
HostRecovery: String
Properties
AutoPlacement
Indicates whether the host accepts any untargeted instance launches that match its instance type
configuration, or if it only accepts Host tenancy instance launches that specify its unique host ID. For
more information, see Understanding Instance Placement and Host Affinity in the Amazon EC2 User
Guide for Linux Instances.
Default: on
Required: No
Type: String
Allowed Values: off | on

AvailabilityZone
The Availability Zone in which to allocate the Dedicated Host.

1637
EC2
Required: Yes
Type: String

HostRecovery
Indicates whether to enable or disable host recovery for the Dedicated Host. Host recovery is
disabled by default. For more information, see Host Recovery in the Amazon Elastic Compute Cloud
User Guide.
Default: off
Required: No
Type: String
Allowed Values: off | on

InstanceType
Specifies the instance type to be supported by the Dedicated Hosts. If you specify an instance type,
the Dedicated Hosts support instances of the specified instance type only.
If you want the Dedicated Hosts to support multiple instance types in a specific instance family,
omit this parameter and specify InstanceFamily instead. You cannot specify InstanceType and
InstanceFamily in the same request.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the host ID, such
as h-0ab123c45d67ef89.
Examples
Allocating a Dedicated Host
The following example allocates a dedicated host for c3.large instances in the us-east-1a
Availability Zone.
JSON
"Host" : {
"Type" : "AWS::EC2::Host",
"Properties" : {
"AutoPlacement" : "on",
"InstanceType" : "c3.large"
}

1638
EC2
YAML
Host:
Type: AWS::EC2::Host
Properties:
AutoPlacement: on
InstanceType: c3.large
AWS::EC2::Instance
Specifies an EC2 instance.
If an Elastic IP address is attached to your instance, AWS CloudFormation reattaches the Elastic
IP address after it updates the instance. For more information about updating stacks, see AWS
CloudFormation Stacks Updates.
Syntax
JSON
{
"Properties" : {
"AdditionalInfo" : String,
"Affinity" : String,
"CpuOptions" : CpuOptions (p. 1654),
"CreditSpecification" : CreditSpecification (p. 1655),
"DisableApiTermination" : Boolean,
"ElasticGpuSpecifications" : [ ElasticGpuSpecification (p. 1658), ... ],
"ElasticInferenceAccelerators" : [ ElasticInferenceAccelerator (p. 1659), ... ],
"HostId" : String,
"IamInstanceProfile" : String,
"ImageId" : String,
"InstanceInitiatedShutdownBehavior" : String,
"Ipv6AddressCount" : Integer,
"Ipv6Addresses" : [ InstanceIpv6Address (p. 1660), ... ],
"KeyName" : String,
"LicenseSpecifications" : [ LicenseSpecification (p. 1661), ... ],
"Monitoring" : Boolean,
"NetworkInterfaces" : [ NetworkInterface (p. 1662), ... ],
"PlacementGroupName" : String,
"PrivateIpAddress" : String,
"RamdiskId" : String,
"SourceDestCheck" : Boolean,
"SsmAssociations" : [ SsmAssociation (p. 1666), ... ],
"Tags" : [ Tag, ... ],
"Tenancy" : String,
"UserData" : String,

1639
EC2
"Volumes" : [ Volume (p. 1667), ... ]

}
}
YAML
Properties:
AdditionalInfo: String
Affinity: String
CpuOptions:
CpuOptions (p. 1654)
CreditSpecification (p. 1655)
DisableApiTermination: Boolean
ElasticGpuSpecifications:
- ElasticGpuSpecification (p. 1658)
ElasticInferenceAccelerators:
- ElasticInferenceAccelerator (p. 1659)
HostId: String
IamInstanceProfile: String
ImageId: String
InstanceInitiatedShutdownBehavior: String
Ipv6AddressCount: Integer
Ipv6Addresses:
- InstanceIpv6Address (p. 1660)
KernelId: String
KeyName: String
LaunchTemplate:
LicenseSpecifications:
- LicenseSpecification (p. 1661)
Monitoring: Boolean
NetworkInterfaces:
- NetworkInterface (p. 1662)
PlacementGroupName: String
RamdiskId: String
SecurityGroupIds:
- String
SecurityGroups:
- String
SourceDestCheck: Boolean
SsmAssociations:
- SsmAssociation (p. 1666)
SubnetId: String
Tags:
- Tag
Tenancy: String
UserData: String
Volumes:
- Volume (p. 1667)
Properties
AdditionalInfo
Reserved.

1640
EC2
Required: No
Type: String

Affinity
Indicates whether the instance is associated with a dedicated host. If you want the instance to
always restart on the same host on which it was launched, specify host. If you want the instance to
restart on any available host, but try to launch onto the last host it ran on (on a best-effort basis),
specify default.
Required: No
Type: String

AvailabilityZone
The Availability Zone of the instance.
If not specified, an Availability Zone will be automatically chosen for you based on the load
balancing criteria for the Region.
Required: No
Type: String

BlockDeviceMappings
The block device mapping entries that defines the block devices to attach to the instance at launch.
By default, the block devices specified in the block device mapping for the AMI are used. You can
override the AMI block device mapping using the instance block device mapping. For the root
volume, you can only override the volume size, volume type, and DeleteOnTermination setting.
After the instance is running, you can only modify the DeleteOnTermination settings of the
attached EBS volumes.
Required: No

CpuOptions
The CPU options for the instance.
Required: No
Type: CpuOptions (p. 1654)

CreditSpecification
The credit option for CPU usage of the burstable performance instance. Valid values are standard
and unlimited. To change this attribute after launch, use ModifyInstanceCreditSpecification. For
more information, see Burstable Performance Instances in the Amazon Elastic Compute Cloud User
Guide.

1641
EC2
Default: standard (T2 instances) or unlimited (T3/T3a instances)
Required: No
Type: CreditSpecification (p. 1655)

DisableApiTermination
If you set this parameter to true, you can't terminate the instance using the Amazon EC2 console,
CLI, or API; otherwise, you can. To change this attribute after launch, use ModifyInstanceAttribute.
Alternatively, if you set InstanceInitiatedShutdownBehavior to terminate, you can
terminate the instance by running the shutdown command from the instance.
Default: false
Required: No
Type: Boolean

EbsOptimized
Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides
dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal
Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional
usage charges apply when using an EBS-optimized instance.
Default: false
Required: No
Type: Boolean

ElasticGpuSpecifications
An elastic GPU to associate with the instance. An Elastic GPU is a GPU resource that you can attach
to your Windows instance to accelerate the graphics performance of your applications. For more
information, see Amazon EC2 Elastic GPUs in the Amazon Elastic Compute Cloud User Guide.
Required: No
Type: List of ElasticGpuSpecification (p. 1658)

ElasticInferenceAccelerators
An elastic inference accelerator to associate with the instance. Elastic inference accelerators are
a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL)
inference workloads.
Required: No
Type: List of ElasticInferenceAccelerator (p. 1659)

HostId
If you specify host for the Affinity property, the ID of a dedicated host that the instance is
associated with. If you don't specify an ID, Amazon EC2 launches the instance onto any available,

1642
EC2
compatible dedicated host in your account. This type of launch is called an untargeted launch. Note
that for untargeted launches, you must have a compatible, dedicated host available to successfully
launch instances.
Required: No
Type: String

IamInstanceProfile
The IAM instance profile.
Required: No
Type: String

ImageId
The ID of the AMI. An AMI ID is required to launch an instance and must be specified here or in a
launch template.
Type: String

InstanceInitiatedShutdownBehavior
Indicates whether an instance stops or terminates when you initiate shutdown from the instance
(using the operating system command for system shutdown).
Default: stop
Required: No
Type: String
Allowed Values: stop | terminate

InstanceType
The instance type. For more information, see Instance Types in the Amazon Elastic Compute Cloud
User Guide.
Default: m1.small
Required: No
Type: String


1643
EC2


Ipv6AddressCount
[EC2-VPC] The number of IPv6 addresses to associate with the primary network interface. Amazon
EC2 chooses the IPv6 addresses from the range of your subnet. You cannot specify this option and
the option to assign specific IPv6 addresses in the same request. You can specify this option if you've
specified a minimum number of instances to launch.
You cannot specify this option and the network interfaces option in the same request.
Required: No
Type: Integer

1644
EC2

Ipv6Addresses
[EC2-VPC] The IPv6 addresses from the range of the subnet to associate with the primary network
interface. You cannot specify this option and the option to assign a number of IPv6 addresses in the
same request. You cannot specify this option if you've specified a minimum number of instances to
launch.
Required: No
Type: List of InstanceIpv6Address (p. 1660)

KernelId
The ID of the kernel.

Important
information, see PV-GRUB in the Amazon Elastic Compute Cloud User Guide.
Required: No
Type: String

KeyName
The name of the key pair. You can create a key pair using CreateKeyPair or ImportKeyPair.
Important
that is configured to allow users another way to log in.
Required: No
Type: String

LaunchTemplate
The launch template to use to launch the instances. Any parameters that you specify in the AWS
CloudFormation template override the same parameters in the launch template. You can specify
either the name or ID of a launch template, but not both.
Required: No

LicenseSpecifications
The license configurations.
Required: No
Type: List of LicenseSpecification (p. 1661)

1645
EC2

Monitoring
Specifies whether detailed monitoring is enabled for the instance.
Required: No
Type: Boolean

NetworkInterfaces
The network interfaces to associate with the instance.

Note
If you use this property to point to a network interface, you must terminate the original
interface before attaching a new one to allow the update of the instance to succeed.
If this resource has a public IP address and is also in a VPC that is defined in the same
template, you must use the DependsOn Attribute to declare a dependency on the VPC-
gateway attachment.
Required: No
Type: List of NetworkInterface (p. 1662)

PlacementGroupName
The name of an existing placement group that you want to launch the instance into (for cluster
instances).
Required: No
Type: String

PrivateIpAddress
[EC2-VPC] The primary IPv4 address. You must specify a value from the IPv4 address range of the
subnet.
Only one private IP address can be designated as primary. You can't specify this option if you've
specified the option to designate a private IP address as the primary IP address in a network
interface specification. You cannot specify this option if you're launching more than one instance in
the request.
If you make an update to an instance that requires replacement, you must assign a new private IP
address. During a replacement, AWS CloudFormation creates a new instance but doesn't delete the
old instance until the stack has successfully updated. If the stack update fails, AWS CloudFormation
uses the old instance in order to roll back the stack to the previous working state. The old and new
instances cannot have the same private IP address.
Required: No
Type: String

1646
EC2
RamdiskId
The ID of the RAM disk to select. Some kernels require additional drivers at launch. Check the
kernel requirements for information about whether you need to specify a RAM disk. To find kernel
requirements, go to the AWS Resource Center and search for the kernel ID.
Important
information, see PV-GRUB in the Amazon Elastic Compute Cloud User Guide.
Required: No
Type: String

SecurityGroupIds
The IDs of the security groups. You can create a security group using CreateSecurityGroup.
If you specify a network interface, you must specify any security groups as part of the network
interface.

SecurityGroups
[EC2-Classic, default VPC] The names of the security groups. For a nondefault VPC, you must use
security group IDs instead.
You cannot specify this option and the network interfaces option in the same request. The
list can contain both the name of existing Amazon EC2 security groups or references to
AWS::EC2::SecurityGroup resources created in the template.
Default: Amazon EC2 uses the default security group.
Required: No

SourceDestCheck
Specifies whether to enable an instance launched in a VPC to perform NAT. This controls whether
source/destination checking is enabled on the instance. A value of true means that checking is
enabled, and false means that checking is disabled. The value must be false for the instance
to perform NAT. For more information, see NAT Instances in the Amazon Virtual Private Cloud User
Guide.
Required: No
Type: Boolean

SsmAssociations
The SSM document and parameter values in AWS Systems Manager to associate with this instance.
To use this property, you must specify an IAM instance profile role for the instance. For more
information, see Create an Instance Profile for Systems Manager in the AWS Systems Manager User
Guide.

1647
EC2
Note
You can currently associate only one document with an instance.
Required: No
Type: List of SsmAssociation (p. 1666)

SubnetId
[EC2-VPC] The ID of the subnet to launch the instance into.
If you specify a network interface, you must specify any subnets as part of the network interface.
Required: No
Type: String

Tags
The tags to apply to the resources during launch. You can only tag instances and volumes on launch.
The specified tags are applied to all instances or volumes that are created during launch. To tag a
resource after it has been created, see CreateTags.
Required: No
Type: List of Tag

Tenancy
The tenancy of the instance (if the instance is running in a VPC). An instance with a tenancy of
dedicated runs on single-tenant hardware.
Required: No
Type: String
Allowed Values: dedicated | default | host

UserData
The user data to make available to the instance. For more information, see Running Commands on
Your Linux Instance at Launch (Linux) and Adding User Data (Windows). If you are using a command
line tool, base64-encoding is performed for you, and you can load the text from a file. Otherwise,
you must provide base64-encoded text. User data is limited to 16 KB.
Required: No
Type: String

Volumes
The volumes to attach to the instance.
Required: No
Type: List of Volume (p. 1667)

1648
EC2
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the instance ID.
For example: i-1234567890abcdef0.
Fn::GetAtt
AvailabilityZone
The Availability Zone where the specified instance is launched. For example: us-east-1b.
You can retrieve a list of all Availability Zones for a Region by using the Fn::GetAZs intrinsic function.
PrivateDnsName
The private DNS name of the specified instance. For example: ip-10-24-34-0.ec2.internal.
PrivateIp
The private IP address of the specified instance. For example: 10.24.34.0.

PublicDnsName
The public DNS name of the specified instance. For example:

ec2-107-20-50-45.compute-1.amazonaws.com.
PublicIp
The public IP address of the specified instance. For example: 192.0.2.0.
Examples
EC2 Instance with an EBS Block Device Mapping
JSON
"MyEC2Instance" : {
"Properties" : {
"ImageId" : "ami-79fd7eee",
{
"Ebs" : {
"Iops" : "200",
"VolumeSize" : "20"
}
},

1649
EC2
{
"DeviceName" : "/dev/sdk",
"NoDevice" : {}
}
]
}
}
YAML
MyEC2Instance:
Properties:
ImageId: "ami-79fd7eee"
KeyName: "testkey"
- DeviceName: "/dev/sdm"
Ebs:
VolumeType: "io1"
Iops: "200"
DeleteOnTermination: "false"
VolumeSize: "20"
- DeviceName: "/dev/sdk"
NoDevice: {}
Automatically Assign a Public IP Address
You can associate a public IP address with a network interface only if it has a device index of 0 and if it is
a new network interface (not an existing one).
JSON
"Ec2Instance" : {
"Properties" : {
"NetworkInterfaces": [ {
"DeviceIndex": "0",
"GroupSet": [{ "Ref" : "myVPCEC2SecurityGroup" }],
"SubnetId": { "Ref" : "PublicSubnet" }
} ]
}
}
YAML
Ec2Instance:
Properties:
ImageId:
Fn::FindInMap:
- "RegionMap"
- "AMI"
KeyName:
Ref: "KeyName"
NetworkInterfaces:
- AssociatePublicIpAddress: "true"
DeviceIndex: "0"

1650
EC2
GroupSet:
- Ref: "myVPCEC2SecurityGroup"
SubnetId:
Ref: "PublicSubnet"
See Also
• RunInstances in the Amazon EC2 API Reference
• EBS-Optimized Instances in the Amazon EC2 API Reference
AWS::EC2::Instance AssociationParameter
Specifies input parameter values for an SSM document in AWS Systems Manager.
AssociationParameter is a property of the Amazon EC2 Instance SsmAssociation property.
Syntax
JSON
{
"Key" : String,
"Value" : [ String, ... ]
}
YAML
Key: String
Value:
- String
Properties
Key
The name of an input parameter that is in the associated SSM document.
Required: Yes
Type: String

Value
The value of an input parameter.
Required: Yes
AWS::EC2::Instance BlockDeviceMapping
Specifies a block device mapping for an instance.

1651
EC2
BlockDeviceMapping is a property of the AWS::EC2::Instance resource.
Syntax
JSON
{
"Ebs" : Ebs (p. 1655),
"NoDevice" : NoDevice (p. 1665),
}
YAML
DeviceName: String
Ebs:
Ebs (p. 1655)
NoDevice:
NoDevice (p. 1665)
VirtualName: String
Properties
DeviceName
The device name (for example, /dev/sdh or xvdh).
Required: Yes
Type: String

Ebs
Parameters used to automatically set up EBS volumes when the instance is launched.
Type: Ebs (p. 1655)

NoDevice
Suppresses the specified device included in the block device mapping of the AMI.
Required: No
Type: NoDevice (p. 1665)

VirtualName
The virtual device name (ephemeralN). The name must be in the form ephemeralX where X is a
number starting from zero (0). For example, an instance type with 2 available instance store volumes
can specify mappings for ephemeral0 and ephemeral1. The number of available instance store

1652
EC2
volumes depends on the instance type. After you connect to the instance, you must mount the
volume.
NVMe instance store volumes are automatically enumerated and assigned a device name. Including
them in your block device mapping has no effect.
Constraints: For M3 instances, you must specify instance store volumes in the block device mapping
for the instance. When you launch an M3 instance, we ignore any instance store volumes specified in
the block device mapping for the AMI.
Type: String
Examples
Block Device Mapping with two EBS Volumes
This example sets the EBS-backed root device (/dev/sda1) size to 50 GiB, and another EBS-backed device
mapped to /dev/sdm that is 100 GiB in size.
JSON
{
"DeviceName" : "/dev/sda1",
},
{
}
]
YAML
- DeviceName: /dev/sda1
Ebs:
VolumeSize: 50
- DeviceName: /dev/sdm
Ebs:
VolumeSize: 100
Block Device Mapping with an Ephemeral Drive
This example maps an ephemeral drive to device /dev/sdc.
JSON
{
}

1653
EC2
YAML
- DeviceName: /dev/sdc
Unmapping an AMI-defined Device
To unmap a device defined in the AMI, set the NoDevice property to an empty map, as shown here:
JSON
{
"DeviceName":"/dev/sde",
"NoDevice": {}
}
]
YAML
- DeviceName: /dev/sde
NoDevice:
See Also
• Amazon EC2 Instance Store in the Amazon Elastic Compute Cloud User Guide.
AWS::EC2::Instance CpuOptions
The CPU options for the instance.
Syntax
JSON
{
"CoreCount" : Integer,
"ThreadsPerCore" : Integer
}
YAML
CoreCount: Integer
ThreadsPerCore: Integer
Properties
CoreCount
The number of CPU cores for the instance.

1654
EC2
Required: No
Type: Integer

ThreadsPerCore
The number of threads per CPU core.
Required: No
Type: Integer
AWS::EC2::Instance CreditSpecification
Specifies the credit option for CPU usage of a T2 or T3 instance.
CreditSpecification is a property of the AWS::EC2::Instance resource.
Syntax
JSON
{
"CPUCredits" : String
}
YAML
CPUCredits: String
Properties
CPUCredits
The credit option for CPU usage of the instance. Valid values are standard and unlimited. T3
instances launch as unlimited by default. T2 instances launch as standard by default.
Required: No
Type: String
AWS::EC2::Instance Ebs
Specifies a block device for an EBS volume.
Ebs is a property of the Amazon EC2 BlockDeviceMapping property.
Syntax

1655
EC2
JSON
{
"Iops" : Integer,
}
YAML
Encrypted: Boolean
Iops: Integer
KmsKeyId: String
SnapshotId: String
VolumeSize: Integer
VolumeType: String
Properties
DeleteOnTermination
Indicates whether the EBS volume is deleted on instance termination. For more information, see
Preserving Amazon EBS Volumes on Instance Termination in the Amazon Elastic Compute Cloud
User Guide.
Required: No
Type: Boolean

Encrypted
Specifies whether the volume should be encrypted. The effect of setting the encryption state to
true depends on the volume origin (new or from a snapshot), starting encryption state, ownership,
and whether encryption by default is enabled. For more information, see Encryption by Default in
the Amazon Elastic Compute Cloud User Guide.
Encrypted Amazon EBS volumes must be attached to instances that support Amazon EBS
encryption. For more information, see Supported Instance Types.
Required: No
Type: Boolean

Iops
The number of I/O operations per second (IOPS) that the volume supports. For io1 volumes, this
represents the number of IOPS that are provisioned for the volume. For gp2 volumes, this represents
the baseline performance of the volume and the rate at which the volume accumulates I/O credits
for bursting. For more information, see Amazon EBS Volume Types in the Amazon Elastic Compute
Cloud User Guide.
Constraints: Range is 100-16,000 IOPS for gp2 volumes and 100 to 64,000IOPS for io1 volumes
in most Regions. Maximum io1 IOPS of 64,000 is guaranteed only on Nitro-based instances. Other

1656
EC2
instance families guarantee performance up to 32,000 IOPS. For more information, see Amazon EBS
Volume Types in the Amazon Elastic Compute Cloud User Guide.
Condition: This parameter is required for requests to create io1 volumes; it is not used in requests to
create gp2, st1, sc1, or standard volumes.
Type: Integer

KmsKeyId
Identifier (key ID, key alias, ID ARN, or alias ARN) for a customer managed CMK under which the EBS
volume is encrypted.
Required: No
Type: String

SnapshotId
The ID of the snapshot.
If you specify both SnapshotId and VolumeSize,VolumeSize must be equal or greater than the
size of the snapshot.
Type: String

VolumeSize
The size of the volume, in GiB.
Default: If you're creating the volume from a snapshot and don't specify a volume size, the default is
the snapshot size.
Constraints: 1-16384 for General Purpose SSD (gp2), 4-16384 for Provisioned IOPS SSD (io1),
500-16384 for Throughput Optimized HDD (st1), 500-16384 for Cold HDD (sc1), and 1-1024 for
Magnetic (standard) volumes. If you specify a snapshot, the volume size must be equal to or larger
than the snapshot size.
Type: Integer

VolumeType
The volume type. If you set the type to io1, you must also specify the IOPS that the volume
supports.
Default: gp2
Required: No

1657
EC2
Type: String
Allowed Values: gp2 | io1 | sc1 | st1 | standard
Examples
Creating an EBS volume from a snapshot
This example creates a 50GB io1 EBS volume from a snapshot, and configures it to support 1000 IOPS
and to persist after terminating the instance to which it is attached.
JSON
{
"DeviceName": "/dev/sdc",
"Ebs": {
"SnapshotId": "snap-xxxxxxxx",
"VolumeSize": "50",
"VolumeType": "io1",
"Iops": "1000",
"DeleteOnTermination": "false"
}
}
YAML
- DeviceName: /dev/sdc
Ebs:
SnapshotId: snap-xxxxxxxx
VolumeSize: 50
VolumeType: io1
Iops: 1000
See Also
• CreateVolume in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::Instance ElasticGpuSpecification
Specifies the type of Elastic GPU. An Elastic GPU is a GPU resource that you can attach to your Amazon
EC2 instance to accelerate the graphics performance of your applications. For more information, see
Amazon EC2 Elastic GPUs in the Amazon EC2 User Guide for Windows Instances.
ElasticGpuSpecification is a property of the AWS::EC2::Instance resource.
Syntax
JSON
{
"Type" : String

1658
EC2
YAML
Type: String
Properties
Type
The type of Elastic Graphics accelerator. For more information about the values to specify for Type,
see Elastic Graphics Basics, specifically the Elastic Graphics accelerator column, in the Amazon Elastic
Compute Cloud User Guide for Windows Instances.
Required: Yes
Type: String
AWS::EC2::Instance ElasticInferenceAccelerator
Specifies the Elastic Inference Accelerator for the instance.
ElasticInferenceAccelerator is a property of the AWS::EC2::Instance resource.
Syntax
JSON
{
"Count" : Integer,
"Type" : String
}
YAML
Count: Integer
Type: String
Properties
Count
Not supported.
Required: No
Type: Integer

Type
The type of elastic inference accelerator. The possible values are eia1.medium, eia1.large, and
eia1.xlarge.

1659
EC2
Required: Yes
Type: String
AWS::EC2::Instance InstanceIpv6Address
Specifies the IPv6 address for the instance.
InstanceIpv6Address is a property of the AWS::EC2::Instance resource.
Syntax
JSON
{
"Ipv6Address" : String
}
YAML
Ipv6Address: String
Properties
Ipv6Address
The IPv6 address.
Required: Yes
Type: String
AWS::EC2::Instance LaunchTemplateSpecification
Specifies a launch template. You must specify either the launch template ID or launch template name.
LaunchTemplateSpecification is a property of the AWS::EC2::Instance resource.
Syntax
JSON
{
"Version" : String
}

1660
EC2
YAML
Version: String
Properties
LaunchTemplateId
Type: String

LaunchTemplateName
Type: String

Version
The version number of the launch template.AWS CloudFormation does not support specifying
$Latest, or $Default for the template version number.
Required: Yes
Type: String
See Also
• LaunchTemplateSpecification in the Amazon EC2 API Reference
AWS::EC2::Instance LicenseSpecification
Specifies the license configuration to use.
LicenseSpecification is a property of the AWS::EC2::Instance resource.
Syntax
JSON
{
"LicenseConfigurationArn" : String
}

1661
EC2
YAML
LicenseConfigurationArn: String
Properties
LicenseConfigurationArn
The Amazon Resource Name (ARN) of the license configuration.
Required: Yes
Type: String
AWS::EC2::Instance NetworkInterface
Specifies a network interface that is to be attached to an instance.
NetworkInterface is a property of the AWS::EC2::Instance resource.
Syntax
JSON
{
"DeviceIndex" : String,
"GroupSet" : [ String, ... ],
"PrivateIpAddresses" : [ PrivateIpAddressSpecification (p. 1665), ... ],
"SecondaryPrivateIpAddressCount" : Integer,
"SubnetId" : String
}
YAML
Description: String
DeviceIndex: String
GroupSet:
- String
Ipv6Addresses:
PrivateIpAddresses:
- PrivateIpAddressSpecification (p. 1665)
SecondaryPrivateIpAddressCount: Integer

1662
EC2
SubnetId: String
Properties
Indicates whether to assign a public IPv4 address to an instance you launch in a VPC. The public IP
address can only be assigned to a network interface for eth0, and can only be assigned to a new
network interface, not an existing one. You cannot specify more than one network interface in the
request. If launching into a default subnet, the default value is true.
Required: No
Type: Boolean

DeleteOnTermination
If set to true, the interface is deleted when the instance is terminated. You can specify true only if
creating a new network interface when launching an instance.
Required: No
Type: Boolean

Description
The description of the network interface. Applies only if creating a network interface when
launching an instance.
Required: No
Type: String

DeviceIndex
The position of the network interface in the attachment order. A primary network interface has a
device index of 0.
If you specify a network interface when launching an instance, you must specify the device index.
Type: String

GroupSet
The IDs of the security groups for the network interface. Applies only if creating a network interface
when launching an instance.
Required: No

1663
EC2
Ipv6AddressCount
A number of IPv6 addresses to assign to the network interface. Amazon EC2 chooses the IPv6
addresses from the range of the subnet. You cannot specify this option and the option to assign
specific IPv6 addresses in the same request. You can specify this option if you've specified a
minimum number of instances to launch.
Required: No
Type: Integer

Ipv6Addresses
The IPv6 addresses associated with the network interface.
Required: No

NetworkInterfaceId
The ID of the network interface.
Required: No
Type: String

PrivateIpAddress
The private IPv4 address of the network interface. Applies only if creating a network interface when
launching an instance. You cannot specify this option if you're launching more than one instance in a
RunInstances request.
Required: No
Type: String

PrivateIpAddresses
One or more private IPv4 addresses to assign to the network interface. Only one private IPv4
address can be designated as primary. You cannot specify this option if you're launching more than
one instance in a RunInstances request.
Required: No
Type: List of PrivateIpAddressSpecification (p. 1665)

SecondaryPrivateIpAddressCount
The number of secondary private IPv4 addresses. You can't specify this option and specify more than
one private IP address using the private IP addresses option. You cannot specify this option if you're
launching more than one instance in a RunInstances request.

1664
EC2
Required: No
Type: Integer

SubnetId
The ID of the subnet.
Required: No
Type: String
AWS::EC2::Instance NoDevice
Suppresses the specified device included in the block device mapping of the AMI. To suppress a device,
specify an empty string.
NoDevice is a property of the Amazon EC2 BlockDeviceMapping property.
Syntax
JSON
{
}
YAML
AWS::EC2::Instance PrivateIpAddressSpecification
Specifies a secondary private IPv4 address for a network interface.
PrivateIpAddressSpecification is a property of the AWS::EC2::NetworkInterface resource.
Syntax
JSON
{
"Primary" : Boolean,
}
YAML
Primary: Boolean

1665
EC2
Properties
Primary
Indicates whether the private IPv4 address is the primary private IPv4 address. Only one IPv4
address can be designated as primary.
Required: Yes
Type: Boolean

PrivateIpAddress
The private IPv4 addresses.
Required: Yes
Type: String
AWS::EC2::Instance SsmAssociation
Specifies the SSM document and parameter values in AWS Systems Manager to associate with an
instance.
SsmAssociations is a property of the AWS::EC2::Instance resource.
Syntax
JSON
{
"AssociationParameters" : [ AssociationParameter (p. 1651), ... ],
"DocumentName" : String
}
YAML
AssociationParameters:
- AssociationParameter (p. 1651)
DocumentName: String
Properties
AssociationParameters
The input parameter values to use with the associated SSM document.
Required: No
Type: List of AssociationParameter (p. 1651)

1666
EC2
DocumentName
The name of an SSM document to associate with the instance.
Required: Yes
Type: String
AWS::EC2::Instance Volume
Specifies a volume to attach to an instance.
Volume is property is an embedded property of the AWS::EC2::Instance resource.
Syntax
JSON
{
"Device" : String,
"VolumeId" : String
}
YAML
Device: String
VolumeId: String
Properties
Device
Required: Yes
Type: String

VolumeId
The ID of the EBS volume. The volume and instance must be within the same Availability Zone.
Required: Yes
Type: String
Allocates an internet gateway for use with a VPC. After creating the Internet gateway, you then attach it
to a VPC.

1667
EC2
Syntax
JSON
{
"Properties" : {
"Tags" : [ Tag, ... ]
}
}
YAML
Properties:
Tags:
- Tag
Properties
Tags
Any tags to assign to the internet gateway.
Required: No
Type: List of Tag
Return Values
Ref
name.
Examples
Creating an Internet Gateway
The following example creates an Internet gateway and assigns it a tag.
JSON
"Resources" : {
"myInternetGateway" : {
"Properties" : {
"Tags" : [ {"Key" : "foo", "Value" : "bar"}]
}
}
}

1668
EC2
YAML
myInternetGateway:
Properties:
Tags:
- Key: foo
Value: bar
See Also
• CreateInternetGateway in the Amazon EC2 API Reference
• InternetGateways in the Amazon Virtual Private Cloud User Guide
• Use the AWS::EC2::VPCGatewayAttachment resource to associate an Internet gateway with a VPC
AWS::EC2::LaunchTemplate
Specifies a launch template for an Amazon EC2 instance. A launch template contains the parameters to
launch an instance.
Syntax
JSON
{
"Type" : "AWS::EC2::LaunchTemplate",
"Properties" : {
"LaunchTemplateData" : LaunchTemplateData (p. 1680),
"LaunchTemplateName" : String
}
}
YAML
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateData:
LaunchTemplateData (p. 1680)
Properties
LaunchTemplateData
The information for the launch template.
Required: No
Type: LaunchTemplateData (p. 1680)

LaunchTemplateName
A name for the launch template.

1669
EC2
Required: No
Type: String
Minimum: 3
Maximum: 128
Pattern: [a-zA-Z0-9\.\-/_]+
Return Values
Ref
launch template, for example, lt-01238c059e3466abc.
Fn::GetAtt
DefaultVersionNumber
The default version of the launch template, such as 2.

Note
The default version of a launch template cannot be specified in AWS CloudFormation. The
default version can be set in the Amazon EC2 Console or by using the modify-launch-
template AWS CLI command.
LatestVersionNumber
The latest version of the launch template, such as 5.
See Also
• CreateLaunchTemplate in the Amazon EC2 API Reference
AWS::EC2::LaunchTemplate BlockDeviceMapping
Information about a block device mapping for an Amazon EC2 launch template.
BlockDeviceMapping is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData

property type.
Syntax
JSON

1670
EC2
"Ebs" : Ebs (p. 1675),
"NoDevice" : String,
}
YAML
DeviceName: String
Ebs:
Ebs (p. 1675)
NoDevice: String
VirtualName: String
Properties
DeviceName
Required: No
Type: String

Ebs
Required: No
Type: Ebs (p. 1675)

NoDevice
Required: No
Type: String

VirtualName
The virtual device name (ephemeralN). Instance store volumes are numbered starting from 0. An
instance type with 2 available instance store volumes can specify mappings for ephemeral0 and
ephemeral1. The number of available instance store volumes depends on the instance type. After
you connect to the instance, you must mount the volume.
Required: No
Type: String
See Also
• LaunchTemplateBlockDeviceMappingRequest in the Amazon Elastic Compute Cloud API Reference

1671
EC2
AWS::EC2::LaunchTemplate CapacityReservationPreference
Indicates the instance's Capacity Reservation preferences. This is a string value. Possible preferences
include the following:
• open - The instance can run in any open Capacity Reservation that has matching attributes (instance
type, platform, Availability Zone).
• none - The instance avoids running in a Capacity Reservation even if one is available. The instance runs
in On-Demand capacity.
CapacityReservationPreference is a property of the Amazon EC2 LaunchTemplate

CapacityReservationSpecification property type.
AWS::EC2::LaunchTemplate CapacityReservationSpecification
Specifies an instance's Capacity Reservation targeting option. You can specify only one option at a time.
CapacityReservationSpecification is a property of the Amazon EC2 LaunchTemplate

LaunchTemplateData property type.
Syntax
JSON
{
"CapacityReservationPreference" : CapacityReservationPreference (p. 1672),
"CapacityReservationTarget" : CapacityReservationTarget (p. 1673)
}
YAML
CapacityReservationPreference:
CapacityReservationPreference (p. 1672)
CapacityReservationTarget:
CapacityReservationTarget (p. 1673)
Properties
CapacityReservationPreference
Indicates the instance's Capacity Reservation preferences. Possible preferences include:

• open - The instance can run in any open Capacity Reservation that has matching attributes
(instance type, platform, Availability Zone).
• none - The instance avoids running in a Capacity Reservation even if one is available. The instance
runs in On-Demand capacity.
Required: No
Type: CapacityReservationPreference (p. 1672)
Allowed Values: none | open

CapacityReservationTarget
Information about the target Capacity Reservation.

1672
EC2
Required: No
Type: CapacityReservationTarget (p. 1673)
AWS::EC2::LaunchTemplate CapacityReservationTarget
Specifies a target Capacity Reservation.
CapacityReservationTarget is a property of the Amazon EC2 LaunchTemplate

Syntax
JSON
{
"CapacityReservationId" : String
}
YAML
CapacityReservationId: String
Properties
CapacityReservationId
The ID of the Capacity Reservation.
Required: No
Type: String
AWS::EC2::LaunchTemplate CpuOptions
Specifies the CPU options for an instance.
CpuOptions is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData property type.
Syntax
JSON
{
"CoreCount" : Integer,
"ThreadsPerCore" : Integer
}

1673
EC2
YAML
CoreCount: Integer
ThreadsPerCore: Integer
Properties
CoreCount
Required: No
Type: Integer

ThreadsPerCore
Required: No
Type: Integer
AWS::EC2::LaunchTemplate CreditSpecification
Specifies the credit option for CPU usage of a T2 or T3 instance.
CreditSpecification is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData

property type.
Syntax
JSON
{
"CpuCredits" : String
}
YAML
CpuCredits: String
Properties
CpuCredits
The credit option for CPU usage of a T2 or T3 instance. Valid values are standard and unlimited.
Required: No
Type: String

1674
EC2
See Also
• CreditSpecificationRequest in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::LaunchTemplate Ebs
Parameters for a block device for an EBS volume in an Amazon EC2 launch template.
Ebs is a property of the Amazon EC2 LaunchTemplate BlockDeviceMapping property type.
Syntax
JSON
{
"Iops" : Integer,
}
YAML
Encrypted: Boolean
Iops: Integer
KmsKeyId: String
SnapshotId: String
VolumeSize: Integer
VolumeType: String
Properties
DeleteOnTermination
Indicates whether the EBS volume is deleted on instance termination.
Required: No
Type: Boolean

Encrypted
Indicates whether the EBS volume is encrypted. Encrypted volumes can only be attached to
instances that support Amazon EBS encryption. If you are creating a volume from a snapshot, you
can't specify an encryption value.
Required: No
Type: Boolean

1675
EC2

Iops
The number of I/O operations per second (IOPS) that the volume supports. For io1, this represents
the number of IOPS that are provisioned for the volume. For gp2, this represents the baseline
performance of the volume and the rate at which the volume accumulates I/O credits for bursting.
For more information about General Purpose SSD baseline performance, I/O credits, and bursting,
see Amazon EBS Volume Types in the Amazon Elastic Compute Cloud User Guide.
Required: No
Type: Integer

KmsKeyId
The ARN of the AWS Key Management Service (AWS KMS) CMK used for encryption.
Required: No
Type: String

SnapshotId
Required: No
Type: String

VolumeSize
the snapshot size.
Required: No
Type: Integer

VolumeType
The volume type.
Required: No
Type: String

1676
EC2
See Also
• LaunchTemplateEbsBlockDeviceRequest in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::LaunchTemplate ElasticGpuSpecification
Specifies a specification for an Elastic GPU for an Amazon EC2 launch template.
ElasticGpuSpecification is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData

property type.
Syntax
JSON
{
"Type" : String
}
YAML
Type: String
Properties
Type
The type of Elastic Graphics accelerator. For more information about the values to specify for Type,
see Elastic Graphics Basics, specifically the Elastic Graphics accelerator column, in the Amazon Elastic
Compute Cloud User Guide for Windows Instances.
Required: No
Type: String
See Also
• ElasticGpuSpecification in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::LaunchTemplate HibernationOptions
Specifies whether your instance is configured for hibernation. This parameter is valid only if the instance
meets the hibernation prerequisites. Hibernation is currently supported only for Amazon Linux. For more
information, see Hibernate Your Instance in the Amazon Elastic Compute Cloud User Guide.
HibernationOptions is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData property

type.
Syntax

1677
EC2
JSON
{
"Configured" : Boolean
}
YAML
Configured: Boolean
Properties
Configured
If you set this parameter to true, the instance is enabled for hibernation.
Default: false
Required: No
Type: Boolean
AWS::EC2::LaunchTemplate IamInstanceProfile
Specifies an IAM instance profile. You must provide either the name or the ARN of the instance profile.
IamInstanceProfile is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData property

type.
Syntax
JSON
{
"Arn" : String,
"Name" : String
}
YAML
Arn: String
Name: String
Properties
Arn
The Amazon Resource Name (ARN) of the instance profile.
Required: No
Type: String

1678
EC2

Name
The name of the instance profile.
Required: No
Type: String
See Also
• LaunchTemplateIamInstanceProfileSpecificationRequest in the Amazon Elastic Compute Cloud API

Reference
AWS::EC2::LaunchTemplate InstanceMarketOptions
Specifies the market (purchasing) option for an instance.
InstanceMarketOptions is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData

property type.
Syntax
JSON
{
"MarketType" : String,
"SpotOptions" : SpotOptions (p. 1694)
}
YAML
MarketType: String
SpotOptions:
SpotOptions (p. 1694)
Properties
MarketType
The market type.
Type: String
Allowed Values: spot

SpotOptions
The options for Spot Instances.

1679
EC2
Required: No
Type: SpotOptions (p. 1694)
See Also
• LaunchTemplateInstanceMarketOptionsRequest in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::LaunchTemplate Ipv6Add
Specifies an IPv6 address in an Amazon EC2 launch template.
Ipv6Add is a property of the Amazon EC2 LaunchTemplate NetworkInterface property type.
Syntax
JSON
{
}
YAML
Ipv6Address: String
Properties
Ipv6Address
One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet. You can't use
this option if you're specifying a number of IPv6 addresses.
Required: No
Type: String
See Also
• InstanceIpv6AddressRequest in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::LaunchTemplate LaunchTemplateData
The information to include in the launch template.
Syntax

1680
EC2
JSON
{
"CapacityReservationSpecification" : CapacityReservationSpecification (p. 1672),
"CpuOptions" : CpuOptions (p. 1673),
"CreditSpecification" : CreditSpecification (p. 1674),
"DisableApiTermination" : Boolean,
"ElasticGpuSpecifications" : [ ElasticGpuSpecification (p. 1677), ... ],
"ElasticInferenceAccelerators" : [ LaunchTemplateElasticInferenceAccelerator (p. 1687), ... ],

"HibernationOptions" : HibernationOptions (p. 1677),
"IamInstanceProfile" : IamInstanceProfile (p. 1678),
"ImageId" : String,
"InstanceInitiatedShutdownBehavior" : String,
"InstanceMarketOptions" : InstanceMarketOptions (p. 1679),
"KeyName" : String,
"LicenseSpecifications" : [ LicenseSpecification (p. 1688), ... ],
"Monitoring" : Monitoring (p. 1688),
"NetworkInterfaces" : [ NetworkInterface (p. 1689), ... ],
"Placement" : Placement (p. 1692),
"RamDiskId" : String,
"UserData" : String
}
YAML
CapacityReservationSpecification:
CapacityReservationSpecification (p. 1672)
CpuOptions:
CpuOptions (p. 1673)
CreditSpecification (p. 1674)
DisableApiTermination: Boolean
ElasticGpuSpecifications:
- ElasticGpuSpecification (p. 1677)
ElasticInferenceAccelerators:
- LaunchTemplateElasticInferenceAccelerator (p. 1687)
HibernationOptions:
HibernationOptions (p. 1677)
IamInstanceProfile:
IamInstanceProfile (p. 1678)
ImageId: String
InstanceInitiatedShutdownBehavior: String
InstanceMarketOptions:
InstanceMarketOptions (p. 1679)
KernelId: String
KeyName: String
LicenseSpecifications:
- LicenseSpecification (p. 1688)
Monitoring:
Monitoring (p. 1688)
NetworkInterfaces:
- NetworkInterface (p. 1689)

1681
EC2
Placement:
Placement (p. 1692)
RamDiskId: String
SecurityGroupIds:
- String
SecurityGroups:
- String
TagSpecifications:
UserData: String
Properties
BlockDeviceMappings
The block device mapping.
Required: No

CapacityReservationSpecification
The Capacity Reservation targeting option. If you do not specify this parameter, the instance's
Capacity Reservation preference defaults to open, which enables it to run in any open Capacity
Reservation that has matching attributes (instance type, platform, Availability Zone).
Required: No
Type: CapacityReservationSpecification (p. 1672)

CpuOptions
The CPU options for the instance. For more information, see Optimizing CPU Options in the Amazon
Elastic Compute Cloud User Guide.
Required: No
Type: CpuOptions (p. 1673)

CreditSpecification
The credit option for CPU usage of the instance. Valid for T2 or T3 instances only.
Required: No
Type: CreditSpecification (p. 1674)

DisableApiTermination
If you set this parameter to true, you can't terminate the instance using the Amazon EC2 console,
CLI, or API; otherwise, you can. To change this attribute after launch, use ModifyInstanceAttribute.
Alternatively, if you set InstanceInitiatedShutdownBehavior to terminate, you can
terminate the instance by running the shutdown command from the instance.
Required: No

1682
EC2
Type: Boolean

EbsOptimized
Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides
dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal
Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional
usage charges apply when using an EBS-optimized instance.
Required: No
Type: Boolean

ElasticGpuSpecifications
An elastic GPU to associate with the instance.
Required: No
Type: List of ElasticGpuSpecification (p. 1677)

ElasticInferenceAccelerators
The elastic inference accelerator for the instance.
Required: No
Type: List of LaunchTemplateElasticInferenceAccelerator (p. 1687)

HibernationOptions
Indicates whether an instance is enabled for hibernation. This parameter is valid only if the instance
meets the hibernation prerequisites. For more information, see Hibernate Your Instance in the
Amazon Elastic Compute Cloud User Guide.
Required: No
Type: HibernationOptions (p. 1677)

IamInstanceProfile
Required: No
Type: IamInstanceProfile (p. 1678)

ImageId
The ID of the AMI.
Required: No
Type: String

1683
EC2

InstanceInitiatedShutdownBehavior
Indicates whether an instance stops or terminates when you initiate shutdown from the instance
(using the operating system command for system shutdown).
Default: stop
Required: No
Type: String
Allowed Values: stop | terminate

InstanceMarketOptions
The market (purchasing) option for the instances.
Required: No
Type: InstanceMarketOptions (p. 1679)

InstanceType
The instance type. For more information, see Instance Types in the Amazon Elastic Compute Cloud
User Guide.
Required: No
Type: String


1684
EC2


KernelId
We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see
User Provided Kernels in the Amazon Elastic Compute Cloud User Guide.
Required: No
Type: String

KeyName
The name of the key pair. You can create a key pair using CreateKeyPair or ImportKeyPair.
Important
that is configured to allow users another way to log in.
Required: No
Type: String

LicenseSpecifications
The license configurations.
Required: No
Type: List of LicenseSpecification (p. 1688)

1685
EC2

Monitoring
The monitoring for the instance.
Required: No
Type: Monitoring (p. 1688)

NetworkInterfaces
One or more network interfaces. If you specify a network interface, you must specify any security
groups and subnets as part of the network interface.
Required: No
Type: List of NetworkInterface (p. 1689)

Placement
The placement for the instance.
Required: No
Type: Placement (p. 1692)

RamDiskId
The ID of the RAM disk.

Important
information, see User Provided Kernels in the Amazon Elastic Compute Cloud User Guide.
Required: No
Type: String

SecurityGroupIds
One or more security group IDs. You can create a security group using CreateSecurityGroup. You
cannot specify both a security group ID and security name in the same request.
Required: No

SecurityGroups
[EC2-Classic, default VPC] One or more security group names. For a nondefault VPC, you must use
security group IDs instead. You cannot specify both a security group ID and security name in the
same request.
Required: No

1686
EC2

TagSpecifications
The tags to apply to the resources during launch. You can only tag instances and volumes on launch.
The specified tags are applied to all instances or volumes that are created during launch. To tag a
resource after it has been created, see CreateTags.
Required: No

UserData
The Base64-encoded user data to make available to the instance. For more information, see Running
Commands on Your Linux Instance at Launch (Linux) and Adding User Data (Windows).
Required: No
Type: String
See Also
• RequestLaunchTemplateData in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::LaunchTemplate LaunchTemplateElasticInferenceAccelerator
Specifies an elastic inference accelerator.
LaunchTemplateElasticInferenceAccelerator is a property of the Amazon EC2 LaunchTemplate

Syntax
JSON
{
"Type" : String
}
YAML
Type: String
Properties
Type
The type of elastic inference accelerator. The possible values are eia1.medium, eia1.large, and
eia1.xlarge.
Required: No

1687
EC2
Type: String
AWS::EC2::LaunchTemplate LicenseSpecification
Specifies a license configuration for an instance.
LicenseSpecification is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData

property type.
Syntax
JSON
{
"LicenseConfigurationArn" : String
}
YAML
LicenseConfigurationArn: String
Properties
LicenseConfigurationArn
The Amazon Resource Name (ARN) of the license configuration.
Required: No
Type: String
AWS::EC2::LaunchTemplate Monitoring
Specifies whether detailed monitoring is enabled for an instance.
Monitoring is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData property type.
Syntax
JSON
{
"Enabled" : Boolean
}
YAML
Enabled: Boolean

1688
EC2
Properties
Enabled
Specify true to enable detailed monitoring. Otherwise, basic monitoring is enabled.
Required: No
Type: Boolean
See Also
• LaunchTemplatesMonitoringRequest in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::LaunchTemplate NetworkInterface
Specifies the parameters for a network interface.
NetworkInterface is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData property

type.
Syntax
JSON
{
"DeviceIndex" : Integer,
"InterfaceType" : String,
"Ipv6Addresses" : [ Ipv6Add (p. 1680), ... ],
"PrivateIpAddresses" : [ PrivateIpAdd (p. 1693), ... ],
"SubnetId" : String
}
YAML
Description: String
DeviceIndex: Integer
Groups:
- String
InterfaceType: String
Ipv6Addresses:
- Ipv6Add (p. 1680)
PrivateIpAddresses:

1689
EC2
- PrivateIpAdd (p. 1693)

SubnetId: String
Properties
Associates a public IPv4 address with eth0 for a new network interface.
Required: No
Type: Boolean

DeleteOnTermination
Indicates whether the network interface is deleted when the instance is terminated.
Required: No
Type: Boolean

Description
A description for the network interface.
Required: No
Type: String

DeviceIndex
The device index for the network interface attachment.
Required: No
Type: Integer

Groups
The IDs of one or more security groups.
Required: No

InterfaceType
The type of network interface. To create an Elastic Fabric Adapter (EFA), specify efa. For more
information, see Elastic Fabric Adapter in the Amazon Elastic Compute Cloud User Guide.
If you are not creating an EFA, specify interface or omit this parameter.
Valid values: interface | efa

1690
EC2
Required: No
Type: String

Ipv6AddressCount
The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects
the IPv6 addresses from the subnet range. You can't use this option if specifying specific IPv6
addresses.
Required: No
Type: Integer

Ipv6Addresses
One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet. You can't use
this option if you're specifying a number of IPv6 addresses.
Required: No
Type: List of Ipv6Add (p. 1680)

NetworkInterfaceId
Required: No
Type: String

PrivateIpAddress
The primary private IPv4 address of the network interface.
Required: No
Type: String

PrivateIpAddresses
One or more private IPv4 addresses.
Required: No
Type: List of PrivateIpAdd (p. 1693)

The number of secondary private IPv4 addresses to assign to a network interface.
Required: No
Type: Integer

1691
EC2

SubnetId
The ID of the subnet for the network interface.
Required: No
Type: String
See Also
• LaunchTemplateInstanceNetworkInterfaceSpecificationRequest in the Amazon Elastic Compute Cloud

API Reference
AWS::EC2::LaunchTemplate Placement
Specifies the placement of an instance.
Placement is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData property type.
Syntax
JSON
{
"Affinity" : String,
"HostId" : String,
"Tenancy" : String
}
YAML
Affinity: String
GroupName: String
HostId: String
Tenancy: String
Properties
Affinity
The affinity setting for an instance on a Dedicated Host.
Required: No
Type: String

AvailabilityZone
The Availability Zone for the instance.

1692
EC2
Required: No
Type: String

GroupName
The name of the placement group for the instance.
Required: No
Type: String

HostId
The ID of the Dedicated Host for the instance.
Required: No
Type: String

Tenancy
dedicated runs on single-tenant hardware.
Required: No
Type: String
See Also
• LaunchTemplatePlacementRequest in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::LaunchTemplate PrivateIpAdd
Specifies a secondary private IPv4 address for a network interface.
PrivateIpAdd is a property of the Amazon EC2 LaunchTemplate NetworkInterface property type.
Syntax
JSON
{
}

1693
EC2
YAML
Primary: Boolean
Properties
Primary
Required: No
Type: Boolean

PrivateIpAddress
Required: No
Type: String
See Also
• PrivateIpAddressSpecification in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::LaunchTemplate SpotOptions
Specifies options for Spot instances.
SpotOptions is a property of the Amazon EC2 LaunchTemplate InstanceMarketOptions property type.
Syntax
JSON
{
"BlockDurationMinutes" : Integer,
"MaxPrice" : String,
"SpotInstanceType" : String,
}
YAML
BlockDurationMinutes: Integer
MaxPrice: String
SpotInstanceType: String

1694
EC2
ValidUntil: String
Properties
BlockDurationMinutes
The required duration for the Spot Instances (also known as Spot blocks), in minutes. This value
must be a multiple of 60 (60, 120, 180, 240, 300, or 360).
Required: No
Type: Integer

Required: No
Type: String

MaxPrice
The maximum hourly price you're willing to pay for the Spot Instances.
Required: No
Type: String

SpotInstanceType
The Spot Instance request type.
If you are using Spot Instances with an Auto Scaling group, use one-time requests, as the Amazon
EC2 Auto Scaling service handles requesting new Spot Instances whenever the group is below its
desired capacity.
Required: No
Type: String
Allowed Values: one-time | persistent

ValidUntil
The end date of the request. For a one-time request, the request remains active until all instances
launch, the request is canceled, or this date is reached. If the request is persistent, it remains active
until it is canceled or this date and time is reached. The default end date is 7 days from the current
date.
Required: No
Type: String

1695
EC2
See Also
• LaunchTemplateSpotMarketOptionsRequest in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::LaunchTemplate TagSpecification
Specifies tags to apply to a resource when the resource is created.
TagSpecification is a property of the Amazon EC2 LaunchTemplate LaunchTemplateData property

type.
Syntax
JSON
{
"Tags" : [ Tag, ... ]
}
YAML
Tags:
- Tag
Properties
ResourceType
The type of resource to tag. Currently, the resource types that support tagging on creation are
instance and volume. To tag a resource after it has been created, see CreateTags.
Required: No
Type: String


Tags
Required: No
Type: List of Tag

1696
EC2
See Also
• LaunchTemplateTagSpecificationRequest in the Amazon Elastic Compute Cloud API Reference
Specifies a network address translation (NAT) gateway in the specified public subnet. Use a NAT gateway
to allow instances in a private subnet to connect to the Internet or to other AWS services, but prevent
the Internet from initiating a connection with those instances. For more information and a sample
architectural diagram, see NAT Gateways in the Amazon VPC User Guide.
If you add a default route (AWS::EC2::Route resource) that points to a NAT gateway, specify the NAT
gateway ID for the route's NatGatewayId property.
Syntax
JSON
{
"Type" : "AWS::EC2::NatGateway",
"Properties" : {
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::EC2::NatGateway
Properties:
SubnetId: String
Tags:
- Tag
Properties
AllocationId
The allocation ID of an Elastic IP address to associate with the NAT gateway. If the Elastic IP address
is associated with another resource, you must first disassociate it.
Required: Yes
Type: String

SubnetId
The public subnet in which to create the NAT gateway.
Required: Yes

1697
EC2
Type: String

Tags
The tags (key–value pairs) to associate with this resource.
Required: No
Type: List of Tag
Return Values
Ref
name. For example, nat-0a12bc456789de0fg.
Examples
NAT Gateway
The following example creates a NAT gateway and a route that associates the NAT gateway with a route
table. The route table must be associated with an Internet gateway so that the NAT gateway can connect
to the Internet.
JSON
"NAT" : {
"Type" : "AWS::EC2::NatGateway",
"Properties" : {
"AllocationId" : { "Fn::GetAtt" : ["EIP", "AllocationId"]},
"SubnetId" : { "Ref" : "Subnet"},
"Tags" : [ {"Key" : "foo", "Value" : "bar" } ]
}
},
"EIP" : {
"DependsOn" : "VPCGatewayAttach",
"Properties" : {
"Domain" : "vpc"
}
},
"Route" : {
"Properties" : {
"RouteTableId" : { "Ref" : "RouteTable" },
"NatGatewayId" : { "Ref" : "NAT" }
}
}
YAML
NAT:

1698
EC2
Type: AWS::EC2::NatGateway
Properties:
AllocationId:
Fn::GetAtt:
- EIP
- AllocationId
SubnetId:
Ref: Subnet
Tags:
- Key: foo
Value: bar
EIP:
DependsOn: VPCGatewayAttach
Type: AWS::EC2::EIP
Properties:
Domain: vpc
Route:
Properties:
RouteTableId:
Ref: RouteTable
NatGatewayId:
Ref: NAT
Specifies a network ACL for your VPC.
Syntax
JSON
{
"Type" : "AWS::EC2::NetworkAcl",
"Properties" : {
"Tags" : [ Tag, ... ],
"VpcId" : String
}
}
YAML
Type: AWS::EC2::NetworkAcl
Properties:
Tags:
- Tag
VpcId: String
Properties
Tags
An arbitrary set of tags (key–value pairs) for this ACL.
Required: No
Type: List of Tag

1699
EC2

VpcId
The ID of the VPC for the network ACL.
Required: Yes
Type: String
Return Values
Ref
name.
Examples
Network ACL
The following example creates a Network ACL in a VPC.
JSON
"myNetworkAcl" : {
"Type" : "AWS::EC2::NetworkAcl",
"Properties" : {
"VpcId" : { "Ref" : "myVPC" },
"Tags" : [ { "Key" : "foo", "Value" : "bar" } ]
}
}
YAML
myNetworkAcl:
Type: AWS::EC2::NetworkAcl
Properties:
VpcId:
Ref: myVPC
Tags:
- Key: foo
Value: bar
See Also
• CreateNetworkAcl in the Amazon EC2 API Reference
• Network ACLs in the Amazon Virtual Private Cloud User Guide
AWS::EC2::NetworkAclEntry
Specifies an entry, known as a rule, in a network ACL with a rule number you specify. Each network ACL
has a set of numbered ingress rules and a separate set of numbered egress rules.

1700
EC2
For information about the protocol value, see Protocol Numbers on the Internet Assigned Numbers
Authority (IANA) website.
Syntax
JSON
{
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"CidrBlock" : String,
"Egress" : Boolean,
"Icmp" : Icmp (p. 1704),
"Ipv6CidrBlock" : String,
"NetworkAclId" : String,
"PortRange" : PortRange (p. 1705),
"Protocol" : Integer,
"RuleAction" : String,
"RuleNumber" : Integer
}
}
YAML
Type: AWS::EC2::NetworkAclEntry
Properties:
CidrBlock: String
Egress: Boolean
Icmp:
Icmp (p. 1704)
Ipv6CidrBlock: String
NetworkAclId: String
PortRange:
PortRange (p. 1705)
Protocol: Integer
RuleAction: String
RuleNumber: Integer
Properties
CidrBlock
The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). Requirement is
conditional: You must specify the CidrBlock or Ipv6CidrBlock property.
Required: No
Type: String

Egress
Whether this rule applies to egress traffic from the subnet (true) or ingress traffic to the subnet
(false). By default, AWS CloudFormation specifies false.
Required: No
Type: Boolean

1701
EC2

Icmp
The Internet Control Message Protocol (ICMP) code and type. Requirement is conditional: Required if
specifying 1 (ICMP) for the protocol parameter.
Required: No
Type: Icmp (p. 1704)

Ipv6CidrBlock
The IPv6 network range to allow or deny, in CIDR notation. Requirement is conditional: You must
specify the CidrBlock or Ipv6CidrBlock property.
Required: No
Type: String

NetworkAclId
The ID of the ACL for the entry.
Required: Yes
Type: String

PortRange
The range of port numbers for the UDP/TCP protocol. Conditional required if specifying 6 (TCP) or
17 (UDP) for the protocol parameter.
Required: No
Type: PortRange (p. 1705)

Protocol
The IP protocol that the rule applies to. You must specify -1 or a protocol number. You can specify -1
for all protocols.
Note
If you specify -1, all ports are opened and the PortRange property is ignored.
Required: Yes
Type: Integer

RuleAction
Whether to allow or deny traffic that matches the rule; valid values are "allow" or "deny".
Required: Yes

1702
EC2
Type: String
Allowed Values: allow | deny

RuleNumber
Rule number to assign to the entry, such as 100. ACL entries are processed in ascending order by
rule number. Entries can't use the same rule number unless one is an egress rule and the other is an
ingress rule.
Required: Yes
Type: Integer
Return Values
Ref
name.
Examples
Network ACL Entry
The following example creates an entry in a network ACL with a specified rule number.
JSON
"myNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "myNetworkAcl" },
"RuleNumber" : "100",
"Protocol" : "-1",
"RuleAction" : "allow",
"Egress" : "true",
"CidrBlock" : "172.16.0.0/24",
"Icmp" : { "Code" : "-1", "Type" : "-1" },
"PortRange" : { "From" : "53", "To" : "53" }
}
}
YAML
myNetworkAclEntry:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId:
Ref: myNetworkAcl
RuleNumber: '100'
Protocol: "-1"
RuleAction: allow
Egress: 'true'

1703
EC2
CidrBlock: 172.16.0.0/24
Icmp:
Code: "-1"
Type: "-1"
PortRange:
From: '53'
To: '53'
See Also
• NetworkAclEntry in the Amazon EC2 API Reference
• Network ACLs in the Amazon Virtual Private Cloud User Guide
AWS::EC2::NetworkAclEntry Icmp
Describes the ICMP type and code.
Syntax
JSON
{
"Code" : Integer,
"Type" : Integer
}
YAML
Code: Integer
Type: Integer
Properties
Code
The Internet Control Message Protocol (ICMP) code. You can use -1 to specify all ICMP codes for
the given ICMP type. Requirement is conditional: Required if you specify 1 (ICMP) for the protocol
parameter.
Required: No
Type: Integer

Type
The Internet Control Message Protocol (ICMP) type. You can use -1 to specify all ICMP types.
Conditional requirement: Required if you specify 1 (ICMP) for the CreateNetworkAclEntry
protocol parameter.
Required: No
Type: Integer

1704
EC2
AWS::EC2::NetworkAclEntry PortRange
Describes a range of ports.
Syntax
JSON
{
"From" : Integer,
"To" : Integer
}
YAML
From: Integer
To: Integer
Properties
From
The first port in the range. Required if you specify 6 (TCP) or 17 (UDP) for the protocol parameter.
Required: No
Type: Integer

To
The last port in the range. Required if you specify 6 (TCP) or 17 (UDP) for the protocol parameter.
Required: No
Type: Integer
Describes a network interface in an Elastic Compute Cloud (EC2) instance for AWS CloudFormation.
Syntax
JSON
{
"Properties" : {
"GroupSet" : [ String, ... ],

1705
EC2
"InterfaceType" : String,
"Ipv6Addresses" : InstanceIpv6Address (p. 1710),
"SourceDestCheck" : Boolean,
"Tags" : [ Tag, ... ]
}
}
YAML
Properties:
Description: String
GroupSet:
- String
InterfaceType: String
Ipv6Addresses:
InstanceIpv6Address (p. 1710)
PrivateIpAddresses:
SourceDestCheck: Boolean
SubnetId: String
Tags:
- Tag
Properties
Description
A description for the network interface.
Required: No
Type: String

GroupSet
A list of security group IDs associated with this network interface.
Required: No

InterfaceType
Indicates the type of network interface. To create an Elastic Fabric Adapter (EFA), specify efa. For
more information, see Elastic Fabric Adapter in the Amazon Elastic Compute Cloud User Guide.
Required: No
Type: String

1706
EC2
Allowed Values: efa

Ipv6AddressCount
The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically
selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the
Ipv6Addresses property and don't specify this property.
Required: No
Type: Integer

Ipv6Addresses
One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with
the network interface. If you're specifying a number of IPv6 addresses, use the Ipv6AddressCount
property and don't specify this property.
Required: No
Type: InstanceIpv6Address (p. 1710)

PrivateIpAddress
Assigns a single private IP address to the network interface, which is used as the primary private IP
address. If you want to specify multiple private IP address, use the PrivateIpAddresses property.
Required: No
Type: String

PrivateIpAddresses
Assigns a list of private IP addresses to the network interface. You can specify a
primary private IP address by setting the value of the Primary property to true in the
PrivateIpAddressSpecification property. If you want EC2 to automatically assign private
IP addresses, use the SecondaryPrivateIpAddressCount property and do not specify this
property.
Required: No

The number of secondary private IPv4 addresses to assign to a network interface. When you specify
a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's
IPv4 CIDR range. You can't specify this option and specify more than one private IP address using
privateIpAddresses.
The number of IP addresses you can assign to a network interface varies by instance type. For more
information, see IP Addresses Per ENI Per Instance Type in the Amazon Virtual Private Cloud User
Guide.

1707
EC2
Required: No
Type: Integer

SourceDestCheck
Indicates whether traffic to or from the instance is validated.
Required: No
Type: Boolean

SubnetId
The ID of the subnet to associate with the network interface.
Required: Yes
Type: String

Tags
An arbitrary set of tags (key–value pairs) for this network interface.
Required: No
Type: List of Tag
Return Values
Ref
name.
Fn::GetAtt
PrimaryPrivateIpAddress
Returns the primary private IP address of the network interface. For example, 10.0.0.192.
SecondaryPrivateIpAddresses
Returns the secondary private IP addresses of the network interface. For example, ["10.0.0.161",
"10.0.0.162", "10.0.0.163"].

1708
EC2
Examples
Tip
For more NetworkInterface template examples, see Elastic Network Interface (ENI) Template
Snippets.
Simple Standalone ENI
This is a simple standalone Elastic Network Interface (ENI), using all of the available properties.
JSON
"myENI" : {
"Properties" : {
"Tags": [{"Key":"foo","Value":"bar"}],
"Description": "A nice description.",
"SourceDestCheck": "false",
"GroupSet": ["sg-75zzz219"],
"SubnetId": "subnet-3z648z53",
"PrivateIpAddress": "10.0.0.16"
}
}
YAML
myENI:
Properties:
Tags:
- Key: foo
Value: bar
Description: A nice description.
SourceDestCheck: 'false'
GroupSet:
- sg-75zzz219
SubnetId: subnet-3z648z53
PrivateIpAddress: 10.0.0.16
ENI on an EC2 instance
This is an example of an ENI on an EC2 instance. In this example, one ENI is added to the instance.
If you want to add more than one ENI, you can specify a list for the NetworkInterface property.
However, you can specify multiple ENIs only if all the ENIs have just private IP addresses (no
associated public IP address). If you have an ENI with a public IP address, specify it and then use the
AWS::EC2::NetworkInterfaceAttachment resource to add additional ENIs.
JSON
"Ec2Instance" : {
"Properties" : {
"SecurityGroupIds" : [{ "Ref" : "WebSecurityGroup" }],
"NetworkInterfaces" : [ {
"NetworkInterfaceId" : {"Ref" : "controlXface"}, "DeviceIndex" : "1" } ],

1709
EC2
"UserData" : { "Fn::Base64" : { "Ref" : "WebServerPort" }}

}
}
YAML
Ec2Instance:
Properties:
ImageId:
Fn::FindInMap:
- RegionMap
- Ref: AWS::Region
- AMI
KeyName:
Ref: KeyName
SecurityGroupIds:
- Ref: WebSecurityGroup
SubnetId:
Ref: SubnetId
NetworkInterfaces:
- NetworkInterfaceId:
Ref: controlXface
DeviceIndex: '0'
Tags:
- Key: Role
UserData:
Fn::Base64:
Ref: WebServerPort
See Also
• NetworkInterface in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::NetworkInterface InstanceIpv6Address
Describes an IPv6 address to associate with the network interface.
Syntax
JSON
{
}
YAML
Ipv6Address: String
Properties
Ipv6Address
The IPv6 address to associate with the network interface.

1710
EC2
Required: Yes
Type: String
AWS::EC2::NetworkInterface PrivateIpAddressSpecification
Describes a secondary private IPv4 address for a network interface.
Syntax
JSON
{
}
YAML
Primary: Boolean
Properties
Primary
Sets the private IP address as the primary private address. You can set only one primary private
IP address. If you don't specify a primary private IP address, Amazon EC2 automatically assigns a
primary private IP address.
Required: Yes
Type: Boolean

PrivateIpAddress
The private IP address of the network interface.
Required: Yes
Type: String
AWS::EC2::NetworkInterfaceAttachment
Attaches an elastic network interface (ENI) to an Amazon EC2 instance. You can use this resource type to
attach additional network interfaces to an instance without interruption.
Syntax

1711
EC2
JSON
{
"Type" : "AWS::EC2::NetworkInterfaceAttachment",
"Properties" : {
"DeviceIndex" : String,
"NetworkInterfaceId" : String
}
}
YAML
Type: AWS::EC2::NetworkInterfaceAttachment
Properties:
DeviceIndex: String
InstanceId: String
Properties
DeleteOnTermination
Whether to delete the network interface when the instance terminates. By default, this value is set
to true.
Required: No
Type: Boolean

DeviceIndex
The network interface's position in the attachment order. For example, the first attached network
interface has a DeviceIndex of 0.
Required: Yes
Type: String

InstanceId
The ID of the instance to which you will attach the ENI.
Required: Yes
Type: String

NetworkInterfaceId
The ID of the ENI that you want to attach.
Required: Yes
Type: String

1712
EC2
Return Values
Ref
name.
Examples
Network Interface Attachment
The following example attaches MyNetworkInterface to MyInstance.
JSON
"NetworkInterfaceAttachment" : {
"Type" : "AWS::EC2::NetworkInterfaceAttachment",
"Properties" : {
"InstanceId" : {"Ref" : "MyInstance"},
"NetworkInterfaceId" : {"Ref" : "MyNetworkInterface"},
"DeviceIndex" : "1"
}
}
YAML
NetworkInterfaceAttachment:
Type: AWS::EC2::NetworkInterfaceAttachment
Properties:
InstanceId:
Ref: MyInstance
NetworkInterfaceId:
Ref: MyNetworkInterface
DeviceIndex: 1
AWS::EC2::NetworkInterfacePermission
Specifies a permission for an Amazon EC2 network interface. For example, you can grant an AWS
authorized partner account permission to attach the specified network interface to an instance in their
account.
Syntax
JSON
{
"Type" : "AWS::EC2::NetworkInterfacePermission",
"Properties" : {
"AwsAccountId" : String,
"Permission" : String
}

1713
EC2
YAML
Type: AWS::EC2::NetworkInterfacePermission
Properties:
AwsAccountId: String
Permission: String
Properties
AwsAccountId
The AWS account ID.
Required: Yes
Type: String

NetworkInterfaceId
Required: Yes
Type: String

Permission
The type of permission to grant: INSTANCE-ATTACH or EIP-ASSOCIATE.
Required: Yes
Type: String
Allowed Values: EIP-ASSOCIATE | INSTANCE-ATTACH
Return Values
Ref
name. For example: eni-perm-055663b682ea24b48.
Examples
Grant INSTANCE-ATTACH Permission
The following example creates a permission (INSTANCE-ATTACH) for a specified network interface and
AWS account.

1714
EC2
JSON
"MyNetworkInterfacePermission": {
"Type": "AWS::EC2::NetworkInterfacePermission",
"Properties": {
"NetworkInterfaceId": "eni-030e3xxx",
"AwsAccountId": "11111111111",
"Permission": "INSTANCE-ATTACH"
}
}
YAML
MyNetworkInterfacePermission:
Type: AWS::EC2::NetworkInterfacePermission
Properties:
NetworkInterfaceId: eni-030e3xxx
AwsAccountId: '11111111111'
Permission: INSTANCE-ATTACH
AWS::EC2::PlacementGroup
Specifies a placement group in which to launch instances. The strategy of the placement group
determines how the instances are organized within the group.
A cluster placement group is a logical grouping of instances within a single Availability Zone that
benefit from low network latency, high network throughput. A spread placement group places
instances on distinct hardware. A partition placement group places groups of instances in different
partitions, where instances in one partition do not share the same hardware with instances in another
partition.
For more information, see Placement Groups in the Amazon Elastic Compute Cloud User Guide.
Syntax
JSON
{
"Type" : "AWS::EC2::PlacementGroup",
"Properties" : {
"Strategy" : String
}
}
YAML
Type: AWS::EC2::PlacementGroup
Properties:
Strategy: String
Properties
Strategy
The placement strategy.

1715
EC2
Required: No
Type: String
Allowed Values: cluster | partition | spread
Return Values
Ref
placement group.
Examples
Create a Placement Group
The following example declares a placement group with a cluster placement strategy.
JSON
"PlacementGroup" : {
"Type" : "AWS::EC2::PlacementGroup",
"Properties" : {
"Strategy" : "cluster"
}
}
YAML
PlacementGroup:
Type: AWS::EC2::PlacementGroup
Properties:
Strategy: cluster
AWS::EC2::Route
Specifies a route in a route table within a VPC.
You must specify one of the following targets: EgressOnlyInternetGatewayId,

GatewayId, InstanceId, NatGatewayId, NetworkInterfaceId, TransitGatewayId, or
VpcPeeringConnectionId.
Syntax
JSON
{
"Properties" : {

1716
EC2
"DestinationIpv6CidrBlock" : String,
"EgressOnlyInternetGatewayId" : String,
"GatewayId" : String,
"NatGatewayId" : String,
"RouteTableId" : String,
"TransitGatewayId" : String,
"VpcPeeringConnectionId" : String
}
}
YAML
Properties:
DestinationIpv6CidrBlock: String
EgressOnlyInternetGatewayId: String
GatewayId: String
InstanceId: String
NatGatewayId: String
RouteTableId: String
TransitGatewayId: String
VpcPeeringConnectionId: String
Properties
The IPv4 CIDR block used for the destination match.
You must specify the DestinationCidrBlock or DestinationIpv6CidrBlock property.
Required: No
Type: String

DestinationIpv6CidrBlock
The IPv6 CIDR block used for the destination match.
You must specify the DestinationCidrBlock or DestinationIpv6CidrBlock property.
Required: No
Type: String

EgressOnlyInternetGatewayId
The ID of the egress-only internet gateway.
Required: No
Type: String

1717
EC2
GatewayId
The ID of an internet gateway or virtual private gateway attached to your VPC.
Required: No
Type: String

InstanceId
The ID of a NAT instance in your VPC.
Required: No
Type: String

NatGatewayId
The ID of a NAT gateway.
Required: No
Type: String

NetworkInterfaceId
Required: No
Type: String

RouteTableId
The ID of the route table. The routing table must be associated with the same VPC that the virtual
private gateway is attached to.
Required: Yes
Type: String

TransitGatewayId
The ID of a transit gateway.
Required: No
Type: String

VpcPeeringConnectionId
The ID of a VPC peering connection.

1718
EC2
Required: No
Type: String
Return Values
Ref
route.
Examples
Add a Route
The following example adds a route that is added to a gateway.
JSON
"myRoute" : {
"DependsOn" : "GatewayToInternet",
"Properties" : {
"RouteTableId" : { "Ref" : "myRouteTable" },
"GatewayId" : { "Ref" : "myInternetGateway" }
}
}
YAML
myRoute:
DependsOn: GatewayToInternet
Properties:
RouteTableId:
Ref: myRouteTable
GatewayId:
See Also
• CreateRoute in the Amazon EC2 API Reference
• Route Tables in the Amazon VPC User Guide
Specifies a route table for a specified VPC. After you create a route table, you can add routes and
associate the table with a subnet.
For more information, see Route Tables in the Amazon Virtual Private Cloud User Guide.

1719
EC2
Syntax
JSON
{
"Properties" : {
"Tags" : [ Tag, ... ],
"VpcId" : String
}
}
YAML
Properties:
Tags:
- Tag
VpcId: String
Properties
Tags
Any tags assigned to the route table.
Required: No
Type: List of Tag

VpcId
The ID of the VPC.
Required: Yes
Type: String
Return Values
Ref
route table.
Examples
Route Table
The following example uses the VPC ID from a VPC named myVPC that was declared elsewhere in the
same template.

1720
EC2
JSON
"myRouteTable" : {
"Properties" : {
}
}
YAML
myRouteTable:
Properties:
VpcId:
Ref: myVPC
Tags:
- Key: foo
Value: bar
See Also
• AWS::EC2::Route
• CreateRouteTable in the Amazon EC2 API Reference
• Route Tables in the Amazon VPC User Guide
• Using Tags in the Amazon Elastic Compute Cloud User Guide
Specifies a security group. To create a security group, use the VpcId property to specify the VPC for which
to create the security group.
This type supports updates. For more information about updating stacks, see AWS CloudFormation
Stacks Updates.
Important
If you want to cross-reference two security groups in the ingress and egress rules of those
security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress
resources to define your rules. Do not use the embedded ingress and egress rules in the
AWS::EC2::SecurityGroup. Doing so creates a circular dependency, which CloudFormation
doesn't allow.
Syntax
JSON
{
"Properties" : {
"GroupDescription" : String,
"SecurityGroupEgress" : [ Egress (p. 1725), ... ],
"SecurityGroupIngress" : [ Ingress (p. 1727), ... ],
"Tags" : [ Tag, ... ],

1721
EC2
"VpcId" : String
}
}
YAML
Properties:
GroupDescription: String
GroupName: String
- Egress (p. 1725)
- Ingress (p. 1727)
Tags:
- Tag
VpcId: String
Properties
GroupDescription
A description for the security group. This is informational only.
Constraints: Up to 255 characters in length
Constraints for EC2-Classic: ASCII characters
Constraints for EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
Required: Yes
Type: String

GroupName
The name of the security group.
Constraints: Up to 255 characters in length. Cannot start with sg-.
Required: No
Type: String

SecurityGroupEgress
[VPC only] The outbound rules associated with the security group.
Required: No
Type: List of Egress (p. 1725)

1722
EC2
SecurityGroupIngress
The inbound rules associated with the security group.
Required: No
Type: List of Ingress (p. 1727)

Tags
Any tags assigned to the security group.
Required: No
Type: List of Tag

VpcId
[VPC only] The ID of the VPC for the security group.
Required: No
Type: String
Return Values
Ref
ID. For security groups that were created without specifying a VPC (EC2-Classic or a default VPC), Ref
returns the resource name.
Fn::GetAtt
GroupId
The group ID of the specified security group, such as sg-94b3a1f6.

VpcId
The physical ID of the VPC. You can obtain the physical ID by using a reference to an AWS::EC2::VPC,
such as: { "Ref" : "myVPC" }.
Examples
Define Basic Ingress and Egress Rules
The following example specifies a security group with an ingress and egress rule.

1723
EC2
JSON
"Properties" : {
"GroupDescription" : "Allow http to client host",
"VpcId" : {"Ref" : "myVPC"},
"FromPort" : 80,
"ToPort" : 80,
"CidrIp" : "0.0.0.0/0"
}],
"SecurityGroupEgress" : [{
"FromPort" : 80,
"ToPort" : 80,
"CidrIp" : "0.0.0.0/0"
}]
}
}
YAML
Properties:
GroupDescription: Allow http to client host
VpcId:
Ref: myVPC
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
Remove Default Rule
When you specify a VPC security group, Amazon EC2 creates a default egress rule that allows egress
traffic on all ports and IP protocols to any location. The default rule is removed only when you specify
one or more egress rules. If you want to remove the default rule and limit egress traffic to just the
localhost (127.0.0.1/32), use the following example.
JSON
"sgwithoutegress": {
"Properties": {
"GroupDescription": "Limits security group egress traffic",
"SecurityGroupEgress": [
{
"CidrIp": "127.0.0.1/32",
"IpProtocol": "-1"
}
],
"VpcId": { "Ref": "myVPC"}
}

1724
EC2
YAML
sgwithoutegress:
Properties:
GroupDescription: Limits security group egress traffic
- CidrIp: 127.0.0.1/32
IpProtocol: "-1"
VpcId:
Ref: myVPC
See Also
• Security Groups for Your VPC in the Amazon VPC User Guide
• EC2-Classic in the Amazon EC2 User Guide for Linux Instances for information about accounts that
support EC2-Classic security groups
• Amazon EC2 Security Groups for Linux Instances in the Amazon EC2 User Guide for Linux Instances
AWS::EC2::SecurityGroup Egress
Specifies an outbound rule for a security group. An outbound rule permits instances to send traffic to the
specified IPv4 or IPv6 CIDR address ranges, or to the instances associated with the specified destination
security groups.
You must specify only one of the following properties: CidrIp, CidrIpv6,
DestinationPrefixListId, or DestinationSecurityGroupId.
The EC2 Security Group Rule is an embedded property of the AWS::EC2::SecurityGroup type.
Syntax
JSON
{
"CidrIp" : String,
"CidrIpv6" : String,
"DestinationPrefixListId" : String,
"DestinationSecurityGroupId" : String,
"FromPort" : Integer,
"IpProtocol" : String,
"ToPort" : Integer
}
YAML
CidrIp: String
CidrIpv6: String
Description: String
DestinationPrefixListId: String
DestinationSecurityGroupId: String
FromPort: Integer
IpProtocol: String

1725
EC2
ToPort: Integer
Properties
CidrIp
The IPv4 address range, in CIDR format.
Required: No
Type: String

CidrIpv6
[EC2-VPC only] The IPv6 ranges.
Required: No
Type: String

Description
A description for the security group rule.
Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/
()#,@[]+=;{}!$*
Required: No
Type: String

DestinationPrefixListId
[EC2-VPC only] The prefix list IDs for an AWS service. This is the AWS service that you want to access
through a VPC endpoint from instances associated with the security group.
Required: No
Type: String

DestinationSecurityGroupId
The ID of the destination VPC security group.
Required: No
Type: String

FromPort
The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of
-1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.

1726
EC2
Required: No
Type: Integer

IpProtocol
The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).
[VPC only] Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a
protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any
port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port
range is optional; if you omit the port range, traffic for all types and codes is allowed.
Required: Yes
Type: String

ToPort
The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1
indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.
Required: No
Type: Integer
AWS::EC2::SecurityGroup Ingress
Specifies an inbound rule for a security group. An inbound rule permits instances to receive traffic
from the specified IPv4 or IPv6 CIDR address range, or from the instances associated with the specified
security group.
You must specify only one of the following properties: CidrIp, CidrIpv6, SourcePrefixListId,
SourceSecurityGroupId, or SourceSecurityGroupName.
The EC2 Security Group Rule is an embedded property of the AWS::EC2::SecurityGroup type.
Syntax
JSON
{
"CidrIp" : String,
"SourcePrefixListId" : String,
"SourceSecurityGroupId" : String,
"SourceSecurityGroupName" : String,
"SourceSecurityGroupOwnerId" : String,
"ToPort" : Integer
}

1727
EC2
YAML
CidrIp: String
CidrIpv6: String
Description: String
FromPort: Integer
IpProtocol: String
SourcePrefixListId: String
SourceSecurityGroupId: String
SourceSecurityGroupName: String
SourceSecurityGroupOwnerId: String
ToPort: Integer
Properties
CidrIp
Required: No
Type: String

CidrIpv6
Required: No
Type: String

Description
A description for the security group rule.
Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/
()#,@[]+=;{}!$*
Required: No
Type: String

FromPort
Required: No
Type: Integer

IpProtocol

1728
EC2
Required: Yes
Type: String

SourcePrefixListId
Required: No
Type: String

SourceSecurityGroupId
The ID of the security group. You must specify either the security group ID or the security group
name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
Required: No
Type: String

SourceSecurityGroupName
[EC2-Classic, default VPC] The name of the source security group. You can't specify this parameter in
combination with the following parameters: the CIDR IP address range, the start of the port range,
the IP protocol, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP
access. To create a rule with a specific IP protocol and port range, use a set of IP permissions instead.
For EC2-VPC, the source security group must be in the same VPC.
Required: No
Type: String

SourceSecurityGroupOwnerId
[nondefault VPC] The AWS account ID for the source security group, if the source security group is in
a different account. You can't specify this parameter in combination with the following parameters:
the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range.
Creates rules that grant full ICMP, UDP, and TCP access.
If you specify SourceSecurityGroupName or SourceSecurityGroupId and that security

group is owned by a different account than the account creating the stack, you must specify the
SourceSecurityGroupOwnerId; otherwise, this property is optional.
Type: String

1729
EC2
ToPort
Required: No
Type: Integer
AWS::EC2::SecurityGroupEgress
[EC2-VPC only] Adds the specified egress rules to a security group for use with a VPC.
An outbound rule permits instances to send traffic to the specified destination IPv4 or IPv6 CIDR address
ranges, or to the specified destination security groups for the same VPC.
You specify a protocol for each rule (for example, TCP). For the TCP and UDP protocols, you must also
specify the destination port or port range. For the ICMP protocol, you must also specify the ICMP type
and code. You can use -1 for the type or code to mean all types or all codes.
Rule changes are propagated to affected instances as quickly as possible. However, a small delay might
occur.
For more information about VPC security group limits, see Amazon VPC Limits.
Use AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress only when

necessary, typically to allow security groups to reference each other in ingress and egress rules.
Otherwise, use the embedded ingress and egress rules of the security group. For more information, see
Amazon EC2 Security Groups.
Syntax
JSON
{
"Type" : "AWS::EC2::SecurityGroupEgress",
"Properties" : {
"CidrIp" : String,
"DestinationPrefixListId" : String,
"DestinationSecurityGroupId" : String,
"GroupId" : String,
"ToPort" : Integer
}
}
YAML
Type: AWS::EC2::SecurityGroupEgress
Properties:
CidrIp: String
CidrIpv6: String
Description: String

1730
EC2
DestinationPrefixListId: String
DestinationSecurityGroupId: String
FromPort: Integer
GroupId: String
IpProtocol: String
ToPort: Integer
Properties
CidrIp
The IPv4 ranges.
You must specify a destination security group (DestinationPrefixListId or

DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
Required: No
Type: String

CidrIpv6
The IPv6 ranges.

Required: No
Type: String

Description
The description of an egress (outbound) security group rule.
Required: No
Type: String

DestinationPrefixListId

Required: No
Type: String

DestinationSecurityGroupId
The ID of the security group.


1731
EC2
Required: No
Type: String

FromPort
Required: No
Type: Integer

GroupId
Required: Yes
Type: String

IpProtocol
Required: Yes
Type: String

ToPort
Required: No
Type: Integer
Return Values
Ref
security egress rule.

1732
EC2
Examples
VPC Security Groups Example
In some cases, you might have an originating (source) security group to which you want to add an
outbound rule that allows traffic to a destination (target) security group. The target security group also
needs an inbound rule that allows traffic from the source security group. Note that you cannot use the
Ref function to specify the outbound and inbound rules for each security group. Doing so creates a
circular dependency; you cannot have two resources that depend on each other. Instead, use the egress
and ingress resources to declare these outbound and inbound rules, as shown in the following template
example.
JSON
"SourceSG": {
"Properties": {
"VpcId" : "vpc-1a2b3c4d",
"GroupDescription": "Sample source security group"
}
},
"TargetSG": {
"Properties": {
"GroupDescription": "Sample target security group"
}
},
"OutboundRule": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties":{
"FromPort": 0,
"ToPort": 65535,
"DestinationSecurityGroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
}
}
},
"InboundRule": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties":{
"FromPort": 0,
"ToPort": 65535,
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"

1733
EC2
]
}
}
}
YAML
SourceSG:
Properties:
VpcId: vpc-1a2b3c4d
GroupDescription: Sample source security group
TargetSG:
Properties:
VpcId: vpc-1a2b3c4d
GroupDescription: Sample target security group
OutboundRule:
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
DestinationSecurityGroupId:
Fn::GetAtt:
- TargetSG
- GroupId
GroupId:
Fn::GetAtt:
- SourceSG
- GroupId
InboundRule:
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
SourceSecurityGroupId:
Fn::GetAtt:
- SourceSG
- GroupId
GroupId:
Fn::GetAtt:
- TargetSG
- GroupId
AWS::EC2::SecurityGroupIngress
Adds an inbound rule to a security group.
An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address range,
or from the instances associated with the specified security group.
You specify a protocol for each rule (for example, TCP). For TCP and UDP, you must also specify a port or
port range. For ICMP/ICMPv6, you must also specify the ICMP/ICMPv6 type and code. You can use -1 to
mean all types or all codes.
You must specify a source security group (SourcePrefixListId, SourceSecurityGroupId, or

SourceSecurityGroupName) or a CIDR range (CidrIp or CidrIpv6).
Rule changes are propagated to instances within the security group as quickly as possible. However, a
small delay might occur.

1734
EC2
Syntax
JSON
{
"Properties" : {
"CidrIp" : String,
"GroupId" : String,
"SourcePrefixListId" : String,
"SourceSecurityGroupId" : String,
"SourceSecurityGroupName" : String,
"SourceSecurityGroupOwnerId" : String,
"ToPort" : Integer
}
}
YAML
Properties:
CidrIp: String
CidrIpv6: String
Description: String
FromPort: Integer
GroupId: String
GroupName: String
IpProtocol: String
SourcePrefixListId: String
SourceSecurityGroupId: String
SourceSecurityGroupName: String
SourceSecurityGroupOwnerId: String
ToPort: Integer
Properties
CidrIp
The IPv4 ranges.
Required: No
Type: String

CidrIpv6
[VPC only] The IPv6 ranges.
Required: No
Type: String

1735
EC2
Description
Updates the description of an ingress (inbound) security group rule. You can replace an existing
description, or add a description to a rule that did not have one previously.
Required: No
Type: String

FromPort
Use this for ICMP and any protocol that uses ports.
Required: No
Type: Integer

GroupId
You must specify the GroupName property or the GroupId property. For security groups that are in
a VPC, you must use the GroupId property.
Required: No
Type: String

GroupName
The name of the security group.
Constraints: Up to 255 characters in length. Cannot start with sg-.
Required: No
Type: String

IpProtocol
Required: Yes
Type: String

1736
EC2

SourcePrefixListId
Required: No
Type: String

SourceSecurityGroupId
name. For security groups in a nondefault VPC, you must specify the security group ID.
Required: No
Type: String

SourceSecurityGroupName
[EC2-Classic, default VPC] The name of the source security group.
You must specify the GroupName property or the GroupId property. For security groups that are in
a VPC, you must use the GroupId property.
Required: No
Type: String

SourceSecurityGroupOwnerId
[nondefault VPC] The AWS account ID for the source security group, if the source security group is in
a different account. You can't specify this parameter in combination with the following parameters:
the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range.
Creates rules that grant full ICMP, UDP, and TCP access.
If you specify SourceSecurityGroupName or SourceSecurityGroupId and that security

group is owned by a different account than the account creating the stack, you must specify the
SourceSecurityGroupOwnerId; otherwise, this property is optional.
Type: String

ToPort
indicates all ICMP/ICMPv6 codes for the specified ICMP type. If you specify all ICMP/ICMPv6 types,
you must specify all codes.
Use this for ICMP and any protocol that uses ports.
Required: No
Type: Integer

1737
EC2
Examples
EC2 Security Group and Ingress Rule
To declare an Amazon EC2 (non-VPC) security group and an ingress rule, use the
SourceSecurityGroupName property in the ingress rule.
The following template example defines an EC2 security group with an ingress rule that allows incoming
traffic on port 80 from any other host in the security group.
JSON
"SGBase": {
"Properties": {
"GroupDescription": "Base Security Group",
{
"CidrIp": "0.0.0.0/0",
"FromPort": 22,
"ToPort": 22
}
]
}
},
"SGBaseIngress": {
"Properties": {
"GroupName": {
"Ref": "SGBase"
},
"FromPort": 80,
"ToPort": 80,
"Fn::GetAtt": [
"SGBase",
"GroupId"
]
}
}
}
YAML
SGBase:
Properties:
GroupDescription: Base Security Group
- IpProtocol: tcp
CidrIp: 0.0.0.0/0
FromPort: 22
ToPort: 22
SGBaseIngress:
Type: 'AWS::EC2::SecurityGroupIngress'
Properties:
GroupName: !Ref SGBase
IpProtocol: tcp
FromPort: 80
ToPort: 80

1738
EC2
SourceSecurityGroupId: !GetAtt SGBase.GroupId
Allow Traffic from a Security Group in a Peered VPC
Like the previous example, the following example allows one-way traffic from an originating (source)
security group to a destination (target) security group. However, in this example the security groups
are in peered VPCs across AWS accounts. You might want to allow cross-account traffic if, for example,
you create a security scanning resource in one AWS account that you'll use to run diagnostics in another
account. This example adds an ingress rule to a target VPC security group that allows incoming traffic
from a source security group in a different AWS account. Note that the source security group also needs
an egress rule that allows outgoing traffic to the target security group. Because the source security group
is in a different account, the following example doesn't use the Ref function to reference the source
security group ID but instead directly specifies the security group ID sg-12345678.
JSON
{
"Resources": {
"TargetSG": {
"Properties": {
"VpcId": "vpc-1a2b3c4d",
"GroupDescription": "Security group allowing ingress for security scanners"
}
},
"InboundRule": {
"Properties": {
"GroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
},
"FromPort": "80",
"ToPort": "80",
"SourceSecurityGroupId": "sg-12345678",
"SourceSecurityGroupOwnerId": "123456789012"
}
}
}
}
YAML
Resources:
TargetSG:
Properties:
VpcId: vpc-1a2b3c4d
GroupDescription: Security group allowing ingress for security scanners
InboundRule:
Type: 'AWS::EC2::SecurityGroupIngress'
Properties:
GroupId: !GetAtt TargetSG.GroupId
IpProtocol: tcp
FromPort: '80'
ToPort: '80'
SourceSecurityGroupId: sg-12345678

1739
EC2
SourceSecurityGroupOwnerId: '123456789012'
VPC Security Groups with Egress and Ingress Rules

In some cases, you might have an originating (source) security group to which you want to add an
outbound rule that allows traffic to a destination (target) security group. The target security group also
needs an inbound rule that allows traffic from the source security group. Note that you cannot use the
Ref function to specify the outbound and inbound rules for each security group. Doing so creates a
circular dependency; you cannot have two resources that depend on each other. Instead, use the egress
and ingress resources to declare these outbound and inbound rules, as shown in the following template
example.
JSON
"Resources": {
"SourceSG": {
"Properties": {
"GroupDescription": "Sample source security group"
}
},
"TargetSG": {
"Properties": {
"GroupDescription": "Sample target security group"
}
},
"OutboundRule": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties":{
"FromPort": 0,
"ToPort": 65535,
"DestinationSecurityGroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
}
}
},
"InboundRule": {
"Properties":{
"FromPort": 0,
"ToPort": 65535,
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"TargetSG",

1740
EC2
"GroupId"
]
}
}
}
}
YAML
SourceSG:
Properties:
VpcId: vpc-1a2b3c4d
GroupDescription: Sample source security group
TargetSG:
Properties:
VpcId: vpc-1a2b3c4d
GroupDescription: Sample target security group
OutboundRule:
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
DestinationSecurityGroupId:
Fn::GetAtt:
- TargetSG
- GroupId
GroupId:
Fn::GetAtt:
- SourceSG
- GroupId
InboundRule:
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
SourceSecurityGroupId:
Fn::GetAtt:
- SourceSG
- GroupId
GroupId:
Fn::GetAtt:
- TargetSG
- GroupId
Allow Ping Requests
To allow ping requests, add the ICMP protocol type and specify 8 (echo request) for the ICMP type and
either 0 or -1 (all) for the ICMP code.
JSON
"SGPing" : {
"DependsOn": "VPC",
"Properties" : {
"GroupDescription" : "SG to test ping",
"VpcId" : {"Ref" : "VPC"},
{ "IpProtocol" : "tcp", "FromPort" : 22, "ToPort" : 22, "CidrIp" : "10.0.0.0/24" },

1741
EC2
{ "IpProtocol" : "icmp", "FromPort" : 8, "ToPort" : -1, "CidrIp" : "10.0.0.0/24" }

]
}
}
YAML
SGPing:
DependsOn: VPC
Properties:
GroupDescription: SG to test ping
VpcId:
Ref: VPC
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 10.0.0.0/24
- IpProtocol: icmp
FromPort: 8
ToPort: -1
CidrIp: 10.0.0.0/24
AWS::EC2::SpotFleet
Specifies a Spot Fleet request. A Spot Fleet request contains the configuration information to launch a
fleet, or group, of instances.
The Spot Fleet request specifies the total target capacity and the On-Demand target capacity for the
fleet. Amazon EC2 calculates the difference between the total capacity and On-Demand capacity, and
launches the difference as Spot capacity.
The Spot Fleet request can include multiple launch specifications that vary by instance type, AMI,
Availability Zone, or subnet.
By default, the Spot Fleet requests Spot Instances in the Spot pool where the price per unit is the lowest.
Each launch specification can include its own instance weighting that reflects the value of the instance
type to your application workload.
Alternatively, you can specify that the Spot Fleet distribute the target capacity across the Spot pools
included in its launch specifications. By ensuring that the Spot Instances in your Spot Fleet are in
different Spot pools, you can improve the availability of your fleet.
You can specify tags for the Spot Instances. You cannot tag other resource types in a Spot Fleet request
because only the instance resource type is supported.
For more information, see Spot Fleet Requests in the Amazon EC2 User Guide for Linux Instances.
Syntax
JSON
{
"Type" : "AWS::EC2::SpotFleet",
"Properties" : {
"SpotFleetRequestConfigData" : SpotFleetRequestConfigData (p. 1764)
}
}

1742
EC2
YAML
Type: AWS::EC2::SpotFleet
Properties:
SpotFleetRequestConfigData:
SpotFleetRequestConfigData (p. 1764)
Properties
SpotFleetRequestConfigData
Describes the configuration of a Spot Fleet request.
Required: Yes
Type: SpotFleetRequestConfigData (p. 1764)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the Spot
Fleet.
Examples
Spot Fleet
The following example specifies a Spot Fleet with two launch specifications. The weighted capacities
are the same, so Amazon EC2 launches the same number of instances for each specification. For more
information, see How Spot Fleet Works in the Amazon EC2 User Guide for Linux Instances.
JSON
"SpotFleet": {
"Type": "AWS::EC2::SpotFleet",
"Properties": {
"SpotFleetRequestConfigData": {
"IamFleetRole": { "Fn::GetAtt": [ "IAMFleetRole", "Arn"] },
"SpotPrice": "1000",
"TargetCapacity": { "Ref": "TargetCapacity" },
"LaunchSpecifications": [
{
"EbsOptimized": "false",
{ "Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref":
]},
"SubnetId": { "Ref": "Subnet1" },
"WeightedCapacity": "8"
},
{
"EbsOptimized": "true",
{ "Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref":

1743
EC2
]},
"Monitoring": { "Enabled": "true" },
"SecurityGroups": [ { "GroupId": { "Fn::GetAtt": [ "SG0", "GroupId" ] } } ],
"SubnetId": { "Ref": "Subnet0" },
"IamInstanceProfile": { "Arn": { "Fn::GetAtt": [ "RootInstanceProfile",
"Arn" ] } },
"WeightedCapacity": "8"
}
]
}
}
}
YAML
SpotFleet:
Type: AWS::EC2::SpotFleet
Properties:
SpotFleetRequestConfigData:
IamFleetRole: !GetAtt [IAMFleetRole, Arn]
SpotPrice: '1000'
TargetCapacity:
Ref: TargetCapacity
LaunchSpecifications:
- EbsOptimized: 'false'
InstanceType:
Ref: InstanceType
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- Ref: InstanceType
- Arch
SubnetId:
Ref: Subnet1
WeightedCapacity: '8'
- EbsOptimized: 'true'
InstanceType:
Ref: InstanceType
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- Ref: InstanceType
- Arch
Monitoring:
Enabled: 'true'
SecurityGroups:
- GroupId:
Fn::GetAtt:
- SG0
- GroupId
SubnetId:
Ref: Subnet0
IamInstanceProfile:
Arn:
Fn::GetAtt:
- RootInstanceProfile
- Arn
WeightedCapacity: '8'

1744
EC2
See Also
• AWS::ApplicationAutoScaling::ScalableTarget
• AWS::ApplicationAutoScaling::ScalingPolicy
AWS::EC2::SpotFleet BlockDeviceMapping
Specifies a block device mapping.
You can specify Ebs or VirtualName, but not both.
Syntax
JSON
{
"Ebs" : EbsBlockDevice (p. 1747),
"NoDevice" : String,
}
YAML
DeviceName: String
Ebs:
EbsBlockDevice (p. 1747)
NoDevice: String
VirtualName: String
Properties
DeviceName
Required: Yes
Type: String

Ebs
Type: EbsBlockDevice (p. 1747)

NoDevice
Required: No

1745
EC2
Type: String

VirtualName
The virtual device name (ephemeralN). Instance store volumes are numbered starting from 0. An
instance type with 2 available instance store volumes can specify mappings for ephemeral0 and
ephemeral1. The number of available instance store volumes depends on the instance type. After
you connect to the instance, you must mount the volume.
NVMe instance store volumes are automatically enumerated and assigned a device name. Including
them in your block device mapping has no effect.
Constraints: For M3 instances, you must specify instance store volumes in the block device mapping
for the instance. When you launch an M3 instance, we ignore any instance store volumes specified in
the block device mapping for the AMI.
Type: String
AWS::EC2::SpotFleet ClassicLoadBalancer
Specifies a Classic Load Balancer.
Syntax
JSON
{
"Name" : String
}
YAML
Name: String
Properties
Name
The name of the load balancer.
Required: Yes
Type: String
AWS::EC2::SpotFleet ClassicLoadBalancersConfig
Specifies the Classic Load Balancers to attach to a Spot Fleet. Spot Fleet registers the running Spot
Instances with these Classic Load Balancers.

1746
EC2
Syntax
JSON
{
"ClassicLoadBalancers" : [ ClassicLoadBalancer (p. 1746), ... ]
}
YAML
ClassicLoadBalancers:
- ClassicLoadBalancer (p. 1746)
Properties
ClassicLoadBalancers
One or more Classic Load Balancers.
Required: Yes
Type: List of ClassicLoadBalancer (p. 1746)
Maximum: 5
AWS::EC2::SpotFleet EbsBlockDevice
Describes a block device for an EBS volume.
Syntax
JSON
{
"Iops" : Integer,
}
YAML
Encrypted: Boolean
Iops: Integer
SnapshotId: String
VolumeSize: Integer
VolumeType: String

1747
EC2
Properties
DeleteOnTermination
Indicates whether the EBS volume is deleted on instance termination. For more information, see
Preserving Amazon EBS Volumes on Instance Termination in the Amazon Elastic Compute Cloud
User Guide.
Required: No
Type: Boolean

Encrypted
Indicates whether the encryption state of an EBS volume is changed while being restored from a
backing snapshot. The effect of setting the encryption state to true depends on the volume origin
(new or from a snapshot), starting encryption state, ownership, and whether encryption by default
is enabled. For more information, see Amazon EBS Encryption in the Amazon Elastic Compute Cloud
User Guide.
In no case can you remove encryption from an encrypted volume.
Encrypted volumes can only be attached to instances that support Amazon EBS encryption. For
more information, see Supported Instance Types.
Required: No
Type: Boolean

Iops
The number of I/O operations per second (IOPS) that the volume supports. For io1 volumes, this
represents the number of IOPS that are provisioned for the volume. For gp2 volumes, this represents
the baseline performance of the volume and the rate at which the volume accumulates I/O credits
for bursting. For more information, see Amazon EBS Volume Types in the Amazon Elastic Compute
Cloud User Guide.
Constraints: Range is 100-16,000 IOPS for gp2 volumes and 100 to 64,000IOPS for io1 volumes
in most Regions. Maximum io1 IOPS of 64,000 is guaranteed only on Nitro-based instances. Other
instance families guarantee performance up to 32,000 IOPS. For more information, see Amazon EBS
Volume Types in the Amazon Elastic Compute Cloud User Guide.
Required: No
Type: Integer

SnapshotId
Required: No
Type: String

1748
EC2
VolumeSize
the snapshot size.
Constraints: 1-16384 for General Purpose SSD (gp2), 4-16384 for Provisioned IOPS SSD (io1),
500-16384 for Throughput Optimized HDD (st1), 500-16384 for Cold HDD (sc1), and 1-1024 for
Magnetic (standard) volumes. If you specify a snapshot, the volume size must be equal to or larger
than the snapshot size.
Required: No
Type: Integer

VolumeType
The volume type. If you set the type to io1, you must also specify the IOPS that the volume
supports.
Default: gp2
Required: No
Type: String
AWS::EC2::SpotFleet FleetLaunchTemplateSpecification
Describes a launch template.
Syntax
JSON
{
"Version" : String
}
YAML
Version: String
Properties
LaunchTemplateId
The ID of the launch template. You must specify either a template ID or a template name.

1749
EC2
Type: String

LaunchTemplateName
The name of the launch template. You must specify either a template name or a template ID.
Minimum length of 3. Maximum length of 128. Names must match the following pattern: [a-zA-
Z0-9\.-/_]+
Type: String
Minimum: 3
Maximum: 128
Pattern: [a-zA-Z0-9\.\-/_]+

Version
The version number of the launch template. You must specify a version number. AWS
CloudFormation does not support specifying $Latest or $Default for the template version
number.
Minimum length of 1. Maximum length of 255. Versions must fit the following pattern: [\u0020-
\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*
Required: Yes
Type: String
AWS::EC2::SpotFleet GroupIdentifier
Describes a security group.
Syntax
JSON
{
"GroupId" : String
}
YAML
GroupId: String
Properties
GroupId
The ID of the security group.
Required: Yes

1750
EC2
Type: String
AWS::EC2::SpotFleet IamInstanceProfileSpecification
Describes an IAM instance profile.
Syntax
JSON
{
"Arn" : String
}
YAML
Arn: String
Properties
Arn
The Amazon Resource Name (ARN) of the instance profile.
Required: No
Type: String
AWS::EC2::SpotFleet InstanceIpv6Address
Describes an IPv6 address.
Syntax
JSON
{
}
YAML
Ipv6Address: String
Properties
Ipv6Address
The IPv6 address.

1751
EC2
Required: Yes
Type: String
AWS::EC2::SpotFleet InstanceNetworkInterfaceSpecification
Describes a network interface.
Syntax
JSON
{
"DeviceIndex" : Integer,
"SubnetId" : String
}
YAML
Description: String
DeviceIndex: Integer
Groups:
- String
Ipv6Addresses:
PrivateIpAddresses:
SubnetId: String
Properties
Indicates whether to assign a public IPv4 address to an instance you launch in a VPC. The public IP
address can only be assigned to a network interface for eth0, and can only be assigned to a new
network interface, not an existing one. You cannot specify more than one network interface in the
request. If launching into a default subnet, the default value is true.
Required: No
Type: Boolean

1752
EC2
DeleteOnTermination
If set to true, the interface is deleted when the instance is terminated. You can specify true only if
creating a new network interface when launching an instance.
Required: No
Type: Boolean

Description
The description of the network interface. Applies only if creating a network interface when
launching an instance.
Required: No
Type: String

DeviceIndex
The position of the network interface in the attachment order. A primary network interface has a
device index of 0.
If you specify a network interface when launching an instance, you must specify the device index.
Type: Integer

Groups
The IDs of the security groups for the network interface. Applies only if creating a network interface
when launching an instance.
Required: No

Ipv6AddressCount
A number of IPv6 addresses to assign to the network interface. Amazon EC2 chooses the IPv6
addresses from the range of the subnet. You cannot specify this option and the option to assign
specific IPv6 addresses in the same request. You can specify this option if you've specified a
minimum number of instances to launch.
Required: No
Type: Integer

Ipv6Addresses
One or more IPv6 addresses to assign to the network interface. You cannot specify this option and
the option to assign a number of IPv6 addresses in the same request. You cannot specify this option
if you've specified a minimum number of instances to launch.
Required: No

1753
EC2

NetworkInterfaceId
Required: No
Type: String

PrivateIpAddresses
One or more private IPv4 addresses to assign to the network interface. Only one private IPv4
address can be designated as primary. You cannot specify this option if you're launching more than
one instance in a RunInstances request.
Required: No

The number of secondary private IPv4 addresses. You can't specify this option and specify more than
one private IP address using the private IP addresses option. You cannot specify this option if you're
launching more than one instance in a RunInstances request.
Required: No
Type: Integer

SubnetId
The ID of the subnet associated with the network interface. Applies only if creating a network
interface when launching an instance.
Required: No
Type: String
AWS::EC2::SpotFleet LaunchTemplateConfig
Specifies a launch template and overrides.
Syntax
JSON
{
"LaunchTemplateSpecification" : FleetLaunchTemplateSpecification (p. 1749),
"Overrides" : [ LaunchTemplateOverrides (p. 1755), ... ]
}

1754
EC2
YAML
FleetLaunchTemplateSpecification (p. 1749)
Overrides:
- LaunchTemplateOverrides (p. 1755)
Properties
The launch template.
Required: No
Type: FleetLaunchTemplateSpecification (p. 1749)

Overrides
Any parameters that you specify override the same parameters in the launch template.
Required: No
Type: List of LaunchTemplateOverrides (p. 1755)
AWS::EC2::SpotFleet LaunchTemplateOverrides
Specifies overrides for a launch template.
Syntax
JSON
{
}
YAML
SpotPrice: String
SubnetId: String
Properties
AvailabilityZone
The Availability Zone in which to launch the instances.

1755
EC2
Required: No
Type: String

InstanceType
The instance type.
Required: No
Type: String


1756
EC2


SpotPrice
The maximum price per unit hour that you are willing to pay for a Spot Instance.
Required: No
Type: String

SubnetId
The ID of the subnet in which to launch the instances.
Required: No
Type: String

WeightedCapacity
The number of units provided by the specified instance type.
Required: No
Type: Double
AWS::EC2::SpotFleet LoadBalancersConfig
Specifies the Classic Load Balancers and target groups to attach to a Spot Fleet request.
Syntax
JSON
{
"ClassicLoadBalancersConfig" : ClassicLoadBalancersConfig (p. 1746),
"TargetGroupsConfig" : TargetGroupsConfig (p. 1770)
}
YAML
ClassicLoadBalancersConfig:
ClassicLoadBalancersConfig (p. 1746)
TargetGroupsConfig:
TargetGroupsConfig (p. 1770)

1757
EC2
Properties
ClassicLoadBalancersConfig
The Classic Load Balancers.
Required: No
Type: ClassicLoadBalancersConfig (p. 1746)

TargetGroupsConfig
The target groups.
Required: No
Type: TargetGroupsConfig (p. 1770)
AWS::EC2::SpotFleet PrivateIpAddressSpecification
Describes a secondary private IPv4 address for a network interface.
Syntax
JSON
{
}
YAML
Primary: Boolean
Properties
Primary
Required: No
Type: Boolean

PrivateIpAddress
Required: Yes

1758
EC2
Type: String
AWS::EC2::SpotFleet SpotFleetLaunchSpecification
Specifies the launch specification for one or more Spot Instances. If you include On-Demand
capacity in your fleet request, you can't use SpotFleetLaunchSpecification; you must use
LaunchTemplateConfig.
Syntax
JSON
{
"IamInstanceProfile" : IamInstanceProfileSpecification (p. 1751),
"ImageId" : String,
"KeyName" : String,
"Monitoring" : SpotFleetMonitoring (p. 1763),
"NetworkInterfaces" : [ InstanceNetworkInterfaceSpecification (p. 1752), ... ],
"Placement" : SpotPlacement (p. 1768),
"RamdiskId" : String,
"SecurityGroups" : [ GroupIdentifier (p. 1750), ... ],
"TagSpecifications" : [ SpotFleetTagSpecification (p. 1768), ... ],
"UserData" : String,
}
YAML
IamInstanceProfile:
IamInstanceProfileSpecification (p. 1751)
ImageId: String
KernelId: String
KeyName: String
Monitoring:
SpotFleetMonitoring (p. 1763)
NetworkInterfaces:
- InstanceNetworkInterfaceSpecification (p. 1752)
Placement:
SpotPlacement (p. 1768)
RamdiskId: String
SecurityGroups:
- GroupIdentifier (p. 1750)
SpotPrice: String
SubnetId: String
TagSpecifications:
- SpotFleetTagSpecification (p. 1768)
UserData: String

1759
EC2
Properties
BlockDeviceMappings
One or more block devices that are mapped to the Spot Instances. You can't specify both a snapshot
ID and an encryption value. This is because only blank volumes can be encrypted on creation. If a
snapshot is the basis for a volume, it is not blank and its encryption status is used for the volume
encryption status.
Required: No

EbsOptimized
Indicates whether the instances are optimized for EBS I/O. This optimization provides dedicated
throughput to Amazon EBS and an optimized configuration stack to provide optimal EBS I/O
performance. This optimization isn't available with all instance types. Additional usage charges apply
when using an EBS Optimized instance.
Default: false
Required: No
Type: Boolean

IamInstanceProfile
Required: No
Type: IamInstanceProfileSpecification (p. 1751)

ImageId
The ID of the AMI.
Required: Yes
Type: String

InstanceType
The instance type.
Required: Yes
Type: String


1760
EC2


KernelId
Required: No
Type: String

1761
EC2
KeyName
The name of the key pair.
Required: No
Type: String

Monitoring
Enable or disable monitoring for the instances.
Required: No
Type: SpotFleetMonitoring (p. 1763)

NetworkInterfaces
One or more network interfaces. If you specify a network interface, you must specify subnet IDs and
security group IDs using the network interface.
Required: No
Type: List of InstanceNetworkInterfaceSpecification (p. 1752)

Placement
The placement information.
Required: No
Type: SpotPlacement (p. 1768)

RamdiskId
The ID of the RAM disk. Some kernels require additional drivers at launch. Check the kernel
requirements for information about whether you need to specify a RAM disk. To find kernel
requirements, refer to the AWS Resource Center and search for the kernel ID.
Required: No
Type: String

SecurityGroups
One or more security groups. When requesting instances in a VPC, you must specify the IDs of the
security groups. When requesting instances in EC2-Classic, you can specify the names or the IDs of
the security groups.
Required: No
Type: List of GroupIdentifier (p. 1750)

1762
EC2
SpotPrice
The maximum price per unit hour that you are willing to pay for a Spot Instance. If this value is not
specified, the default is the Spot price specified for the fleet. To determine the Spot price per unit
hour, divide the Spot price by the value of WeightedCapacity.
Required: No
Type: String

SubnetId
The IDs of the subnets in which to launch the instances. To specify multiple subnets, separate them
using commas; for example, "subnet-1234abcdeexample1, subnet-0987cdef6example2".
Required: No
Type: String

TagSpecifications
The tags to apply during creation.
Required: No
Type: List of SpotFleetTagSpecification (p. 1768)

UserData
The Base64-encoded user data that instances use when starting up.
Required: No
Type: String

WeightedCapacity
The number of units provided by the specified instance type. These are the same units that you
chose to set the target capacity in terms of instances, or a performance characteristic such as vCPUs,
memory, or I/O.
If the target capacity divided by this value is not a whole number, Amazon EC2 rounds the number
of instances to the next whole number. If this value is not specified, the default is 1.
Required: No
Type: Double
AWS::EC2::SpotFleet SpotFleetMonitoring
Describes whether monitoring is enabled.
Syntax

1763
EC2
JSON
{
"Enabled" : Boolean
}
YAML
Enabled: Boolean
Properties
Enabled
Enables monitoring for the instance.
Default: false
Required: No
Type: Boolean
AWS::EC2::SpotFleet SpotFleetRequestConfigData
Specifies the configuration of a Spot Fleet request. For more information, see How Spot Fleet Works in
You must specify either LaunchSpecifications or LaunchTemplateConfigs.
Syntax
JSON
{
"ExcessCapacityTerminationPolicy" : String,
"IamFleetRole" : String,
"LaunchSpecifications" : [ SpotFleetLaunchSpecification (p. 1759), ... ],
"LaunchTemplateConfigs" : [ LaunchTemplateConfig (p. 1754), ... ],
"LoadBalancersConfig" : LoadBalancersConfig (p. 1757),
"ReplaceUnhealthyInstances" : Boolean,
"TargetCapacity" : Integer,
"TerminateInstancesWithExpiration" : Boolean,
"Type" : String,
"ValidFrom" : String,
}
YAML
ExcessCapacityTerminationPolicy: String
IamFleetRole: String

1764
EC2
- SpotFleetLaunchSpecification (p. 1759)
LaunchTemplateConfigs:
- LaunchTemplateConfig (p. 1754)
LoadBalancersConfig:
LoadBalancersConfig (p. 1757)
ReplaceUnhealthyInstances: Boolean
SpotPrice: String
TargetCapacity: Integer
TerminateInstancesWithExpiration: Boolean
Type: String
ValidFrom: String
ValidUntil: String
Properties
AllocationStrategy
Indicates how to allocate the target Spot Instance capacity across the Spot Instance pools specified
by the Spot Fleet request.
If the allocation strategy is lowestPrice, Spot Fleet launches instances from the Spot Instance
pools with the lowest price. This is the default allocation strategy.
If the allocation strategy is diversified, Spot Fleet launches instances from all the Spot Instance
pools that you specify.
If the allocation strategy is capacityOptimized, Spot Fleet launches instances from Spot Instance
pools with optimal capacity for the number of instances that are launching.
Required: No
Type: String
Allowed Values: capacityOptimized | diversified | lowestPrice

ExcessCapacityTerminationPolicy
Indicates whether running Spot Instances should be terminated if you decrease the target capacity
of the Spot Fleet request below the current size of the Spot Fleet.
Required: No
Type: String
Allowed Values: default | noTermination

IamFleetRole
The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that
grants the Spot Fleet the permission to request, launch, terminate, and tag instances on your behalf.
For more information, see Spot Fleet Prerequisites in the Amazon EC2 User Guide for Linux Instances.
Spot Fleet can terminate Spot Instances on your behalf when you cancel its Spot Fleet request or
when the Spot Fleet request expires, if you set TerminateInstancesWithExpiration.
Required: Yes
Type: String

1765
EC2

Required: No
Type: String

LaunchSpecifications
The launch specifications for the Spot Fleet request. If you specify LaunchSpecifications, you
can't specify LaunchTemplateConfigs.
Type: List of SpotFleetLaunchSpecification (p. 1759)

LaunchTemplateConfigs
The launch template and overrides. If you specify LaunchTemplateConfigs, you can't specify
LaunchSpecifications.
Type: List of LaunchTemplateConfig (p. 1754)

LoadBalancersConfig
One or more Classic Load Balancers and target groups to attach to the Spot Fleet request. Spot Fleet
registers the running Spot Instances with the specified Classic Load Balancers and target groups.
With Network Load Balancers, Spot Fleet cannot register instances that have the following instance
types: C1, CC1, CC2, CG1, CG2, CR1, CS1, G1, G2, HI1, HS1, M1, M2, M3, and T1.
Required: No
Type: LoadBalancersConfig (p. 1757)

ReplaceUnhealthyInstances
Indicates whether Spot Fleet should replace unhealthy instances.
Required: No
Type: Boolean

SpotPrice
The maximum price per unit hour that you are willing to pay for a Spot Instance. The default is the
On-Demand price.
Required: No

1766
EC2
Type: String

TargetCapacity
The number of units to request for the Spot Fleet. You can choose to set the target capacity in terms
of instances or a performance characteristic that is important to your application workload, such as
vCPUs, memory, or I/O. If the request type is maintain, you can specify a target capacity of 0 and
add capacity later.
Required: Yes
Type: Integer

TerminateInstancesWithExpiration
Indicates whether running Spot Instances are terminated when the Spot Fleet request expires.
Required: No
Type: Boolean

Type
The type of request. Indicates whether the Spot Fleet only requests the target capacity or also
attempts to maintain it. When this value is request, the Spot Fleet only places the required
requests. It does not attempt to replenish Spot Instances if capacity is diminished, nor does it submit
requests in alternative Spot pools if capacity is not available. When this value is maintain, the Spot
Fleet maintains the target capacity. The Spot Fleet places the required requests to meet capacity and
automatically replenishes any interrupted instances. Default: maintain. instant is listed but is not
used by Spot Fleet.
Required: No
Type: String
Allowed Values: instant | maintain | request

ValidFrom
The start date and time of the request, in UTC format (YYYY-MM-DDTHH:MM:SSZ). By default,
Amazon EC2 starts fulfilling the request immediately.
Required: No
Type: String

ValidUntil
The end date and time of the request, in UTC format (YYYY-MM-DDTHH:MM:SSZ). After the end
date and time, no new Spot Instance requests are placed or able to fulfill the request. If no value is
specified, the Spot Fleet request remains until you cancel it.
Required: No
Type: String

1767
EC2
AWS::EC2::SpotFleet SpotFleetTagSpecification
The tags for a Spot Fleet resource.
Syntax
JSON
{
"Tags" : [ Tag, ... ]
}
YAML
Tags:
- Tag
Properties
ResourceType
The type of resource. Currently, the only resource type that is supported is instance.
Required: No
Type: String


Tags
The tags.
Required: No
Type: List of Tag
AWS::EC2::SpotFleet SpotPlacement
Describes Spot Instance placement.

1768
EC2
Syntax
JSON
{
"Tenancy" : String
}
YAML
GroupName: String
Tenancy: String
Properties
AvailabilityZone
The Availability Zone.
To specify multiple Availability Zones, separate them using commas; for example, "us-west-2a, us-
west-2b".
Required: No
Type: String

GroupName
The name of the placement group.
Required: No
Type: String

Tenancy
dedicated runs on single-tenant hardware. The host tenancy is not supported for Spot Instances.
Required: No
Type: String
AWS::EC2::SpotFleet TargetGroup
Describes a load balancer target group.

1769
EC2
Syntax
JSON
{
"Arn" : String
}
YAML
Arn: String
Properties
Arn
The Amazon Resource Name (ARN) of the target group.
Required: Yes
Type: String
AWS::EC2::SpotFleet TargetGroupsConfig
Describes the target groups to attach to a Spot Fleet. Spot Fleet registers the running Spot Instances
with these target groups.
Syntax
JSON
{
"TargetGroups" : [ TargetGroup (p. 1769), ... ]
}
YAML
TargetGroups:
- TargetGroup (p. 1769)
Properties
TargetGroups
One or more target groups.
Required: Yes
Type: List of TargetGroup (p. 1769)
Maximum: 5

1770
EC2
AWS::EC2::Subnet
Specifies a subnet for a VPC.
When you create each subnet, you provide the VPC ID and IPv4 CIDR block for the subnet. After you
create a subnet, you can't change its CIDR block. The size of the subnet's IPv4 CIDR block can be the
same as a VPC's IPv4 CIDR block, or a subset of a VPC's IPv4 CIDR block. If you create more than one
subnet in a VPC, the subnets' CIDR blocks must not overlap. The smallest IPv4 subnet (and VPC) you
can create uses a /28 netmask (16 IPv4 addresses), and the largest uses a /16 netmask (65,536 IPv4
addresses).
If you've associated an IPv6 CIDR block with your VPC, you can create a subnet with an IPv6 CIDR block
that uses a /64 prefix length.
Syntax
JSON
{
"Properties" : {
"AssignIpv6AddressOnCreation" : Boolean,
"MapPublicIpOnLaunch" : Boolean,
"Tags" : [ Tag, ... ],
"VpcId" : String
}
}
YAML
Properties:
AssignIpv6AddressOnCreation: Boolean
CidrBlock: String
MapPublicIpOnLaunch: Boolean
Tags:
- Tag
VpcId: String
Properties
AssignIpv6AddressOnCreation
Indicates whether a network interface created in this subnet receives an IPv6 address. The default
value is false.
If you specify AssignIpv6AddressOnCreation, you must also specify Ipv6CidrBlock.
If you specify AssignIpv6AddressOnCreation, you cannot specify MapPublicIpOnLaunch.

1771
EC2
Required: No
Type: Boolean

AvailabilityZone
The Availability Zone of the subnet.
If you update this property, you must also update the CidrBlock property.
Required: No
Type: String

CidrBlock
The IPv4 CIDR block assigned to the subnet.
If you update this property, you must also update the AvailabilityZone property.
Required: Yes
Type: String

Ipv6CidrBlock
The IPv6 CIDR block.
If you specify AssignIpv6AddressOnCreation, you must also specify Ipv6CidrBlock.
Type: String

MapPublicIpOnLaunch
Indicates whether instances launched in this subnet receive a public IPv4 address.
If you specify MapPublicIpOnLaunch, you cannot specify AssignIpv6AddressOnCreation.
Required: No
Type: Boolean

Tags
Any tags assigned to the subnet.
Required: No
Type: List of Tag

VpcId
The ID of the VPC the subnet is in.

1772
EC2
If you update this property, you must also update the CidrBlock property.
Required: Yes
Type: String
Return Values
Ref
subnet.
Fn::GetAtt
AvailabilityZone
The Availability Zone of this subnet. For example:
{ "Fn::GetAtt" : [ "mySubnet", "AvailabilityZone" ] }

Ipv6CidrBlocks
The IPv6 CIDR blocks that are associated with the subnet, such as
[ 2001:db8:1234:1a00::/64 ].
NetworkAclAssociationId
The ID of the network ACL that is associated with the subnet's VPC, such as acl-5fb85d36.
VpcId
The ID of the subnet's VPC, such as vpc-11ad4878.
Examples
Subnet
The following example uses the VPC ID from a VPC named myVPC that was declared elsewhere in the
same template.
JSON
"mySubnet" : {
"Properties" : {
"CidrBlock" : "10.0.0.0/24",
}

1773
EC2
YAML
mySubnet:
Properties:
VpcId:
Ref: myVPC
Tags:
- Key: foo
Value: bar
See Also
• CreateSubnet in the Amazon EC2 API Reference
• Your VPC and Subnets in the Amazon Virtual Private Cloud User Guide
AWS::EC2::SubnetCidrBlock
Associates a single IPv6 CIDR block with a VPC subnet.
Syntax
JSON
{
"Type" : "AWS::EC2::SubnetCidrBlock",
"Properties" : {
"SubnetId" : String
}
}
YAML
Type: AWS::EC2::SubnetCidrBlock
Properties:
SubnetId: String
Properties
Ipv6CidrBlock
The IPv6 network range for the subnet, in CIDR notation. The subnet size must use a /64 prefix
length.
Required: Yes
Type: String

1774
EC2
SubnetId
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the subnet CIDR
block.
Examples
Subnet CIDR Block Association
The following example associates an IPv6 CIDR block (with a prefix length of /64) with the
Ipv6TestSubnet subnet.
JSON
"Ipv6TestSubnetCidrBlock": {
"Type": "AWS::EC2::SubnetCidrBlock",
"Properties": {
"Ipv6CidrBlock": { "Ref" : "Ipv6SubnetCidrBlock" },
"SubnetId": { "Ref" : "Ipv6TestSubnet" }
}
}
YAML
Ipv6TestSubnetCidrBlock:
Type: AWS::EC2::SubnetCidrBlock
Properties:
Ipv6CidrBlock: !Ref Ipv6SubnetCidrBlock
SubnetId: !Ref Ipv6TestSubnet
AWS::EC2::SubnetNetworkAclAssociation
Associates a subnet with a network ACL. For more information, see ReplaceNetworkAclAssociation in the
Amazon Elastic Compute Cloud API Reference.
When AWS::EC2::SubnetNetworkAclAssociation resources are created during create or update

operations, AWS CloudFormation adopts existing resources that share the same key properties (the
properties that contribute to uniquely identify the resource). However, if the operation fails and rolls
back, AWS CloudFormation deletes the previously out-of-band resources. You can protect against this
behavior by using Retain deletion policies. For more information, see DeletionPolicy Attribute.
Syntax

1775
EC2
JSON
{
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"NetworkAclId" : String,
"SubnetId" : String
}
}
YAML
Type: AWS::EC2::SubnetNetworkAclAssociation
Properties:
NetworkAclId: String
SubnetId: String
Properties
NetworkAclId
The ID of the network ACL.
Required: Yes
Type: String

SubnetId
Required: Yes
Type: String
Return Values
Ref
subnet network ACL association.
Fn::GetAtt
AssociationId
Returns the value of this object's SubnetId property.
Examples
Subnet Network ACL Association
The following example associates subnet mySubnet with the myNetworkAcl network ACL.

1776
EC2
JSON
"mySubnetNetworkAclAssociation" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "mySubnet" },
"NetworkAclId" : { "Ref" : "myNetworkAcl" }
}
}
YAML
mySubnetNetworkAclAssociation:
Type: AWS::EC2::SubnetNetworkAclAssociation
Properties:
SubnetId:
Ref: mySubnet
NetworkAclId:
Ref: myNetworkAcl
AWS::EC2::SubnetRouteTableAssociation
Associates a subnet with a route table. The subnet and route table must be in the same VPC. This
association causes traffic originating from the subnet to be routed according to the routes in the route
table. A route table can be associated with multiple subnets.
Syntax
JSON
{
"Properties" : {
"RouteTableId" : String,
"SubnetId" : String
}
}
YAML
Properties:
RouteTableId: String
SubnetId: String
Properties
RouteTableId
The ID of the route table.
The physical ID changes when the route table ID is changed.
Required: Yes

1777
EC2
Type: String

SubnetId
Required: Yes
Type: String
Return Values
Ref
subnet route table association.
Examples
Subnet Route Table Association
The following example associates a subnet with a route table.
JSON
"mySubnetRouteTableAssociation" : {
"Properties" : {
"SubnetId" : { "Ref" : "mySubnet" },
"RouteTableId" : { "Ref" : "myRouteTable" }
}
}
YAML
mySubnetRouteTableAssociation:
Properties:
SubnetId:
Ref: mySubnet
RouteTableId:
Ref: myRouteTable
See Also
• AssociateRouteTable in the Amazon EC2 API Reference
• Route Tables in the Amazon Virtual Private Cloud User Guide
AWS::EC2::TrafficMirrorFilter
Specifies a Traffic Mirror filter.

1778
EC2
A Traffic Mirror filter is a set of rules that defines the traffic to mirror.
By default, no traffic is mirrored. To mirror traffic, use AWS::EC2::TrafficMirrorFilterRule to add Traffic

Mirror rules to the filter. The rules you add define what traffic gets mirrored.
Syntax
JSON
{
"Type" : "AWS::EC2::TrafficMirrorFilter",
"Properties" : {
"NetworkServices" : [ String, ... ],
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::EC2::TrafficMirrorFilter
Properties:
Description: String
NetworkServices:
- String
Tags:
- Tag
Properties
Description
The description of the Traffic Mirror filter.
Required: No
Type: String

NetworkServices
The network service traffic that is associated with the Traffic Mirror filter.
Valid values are amazon-dns.
Required: No

Tags
The tags to assign to a Traffic Mirror filter.
Required: No
Type: List of Tag

1779
EC2
Return Values
Ref
Traffic Mirror filter.
Examples
Create a Traffic Mirror Filter
This is a filter that you can use when you create a traffic mirror session. This filter also configures
mirroring of Amazon DNS network services.
JSON
{
"SampleTrafficMirrorFilter": {
"Type": "AWS::EC2::TrafficMirrorFilter",
"Properties": {
"Description": "Example traffic mirror filter",
"NetworkServices": [
"amazon-dns"
],
"Tags": [
{
"Key": "Name",
"Value": "SampleFilter"
}
]
}
}
}
YAML
SampleTrafficMirrorFilter:
Type: "AWS::EC2::TrafficMirrorFilter"
Properties:
Description: "Example traffic mirror filter"
NetworkServices:
- "amazon-dns"
Tags:
- Key: "Name"
Value: "SampleFilter"
See Also
• Traffic Mirror Filters and Filter Rules in Traffic Mirroring
• CreateTrafficMirrorFilter in the Amazon EC2 API Reference
AWS::EC2::TrafficMirrorFilterRule
Creates a Traffic Mirror filter rule.

1780
EC2
A Traffic Mirror rule defines the Traffic Mirror source traffic to mirror.
You need the Traffic Mirror filter ID when you create the rule.
Syntax
JSON
{
"Type" : "AWS::EC2::TrafficMirrorFilterRule",
"Properties" : {
"DestinationPortRange" : TrafficMirrorPortRange (p. 1784),
"Protocol" : Integer,
"RuleAction" : String,
"RuleNumber" : Integer,
"SourceCidrBlock" : String,
"SourcePortRange" : TrafficMirrorPortRange (p. 1784),
"TrafficDirection" : String,
"TrafficMirrorFilterId" : String
}
}
YAML
Type: AWS::EC2::TrafficMirrorFilterRule
Properties:
Description: String
DestinationPortRange:
TrafficMirrorPortRange (p. 1784)
Protocol: Integer
RuleAction: String
RuleNumber: Integer
SourceCidrBlock: String
SourcePortRange:
TrafficMirrorPortRange (p. 1784)
TrafficDirection: String
TrafficMirrorFilterId: String
Properties
Description
The description of the Traffic Mirror rule.
Required: No
Type: String

The destination CIDR block to assign to the Traffic Mirror rule.
Required: Yes
Type: String

1781
EC2

DestinationPortRange
The destination port range.
Required: No
Type: TrafficMirrorPortRange (p. 1784)

Protocol
The protocol, for example UDP, to assign to the Traffic Mirror rule.
For information about the protocol value, see Protocol Numbers on the Internet Assigned Numbers
Authority (IANA) website.
Required: No
Type: Integer

RuleAction
The action to take (accept | reject) on the filtered traffic.
Required: Yes
Type: String
Allowed Values: accept | reject

RuleNumber
The number of the Traffic Mirror rule. This number must be unique for each Traffic Mirror rule in a
given direction. The rules are processed in ascending order by rule number.
Required: Yes
Type: Integer

SourceCidrBlock
The source CIDR block to assign to the Traffic Mirror rule.
Required: Yes
Type: String

SourcePortRange
The source port range.
Required: No
Type: TrafficMirrorPortRange (p. 1784)

1782
EC2

TrafficDirection
The type of traffic (ingress | egress).
Required: Yes
Type: String
Allowed Values: egress | ingress

TrafficMirrorFilterId
The ID of the filter that this rule is associated with.
Required: Yes
Type: String
Return Values
Ref
Traffic Mirror filter rule.
Examples
Create a Traffic Mirror Filter Rule for inbound UDP Traffic
This is a filter rule for UDP traffic.
JSON
{
"SampleTrafficMirrorFilterRule": {
"Type": "AWS::EC2::TrafficMirrorFilterRule",
"Properties": {
"Description": "Example traffic mirror filter rule",
"TrafficMirrorFilterId": "tmf-04812ff784EXAMPLE",
"TrafficDirection": "ingress",
"RuleNumber": 10,
"SourceCidrBlock": "10.0.0.0/16",
"RuleAction": "accept",
"Protocol": 17,
"SourcePortRange": {
"FromPort": 10,
"ToPort": 50
},
"DestinationPortRange": {
"FromPort": 50,
"ToPort": 100
}
}

1783
EC2
}
}
YAML
SampleTrafficMirrorFilterRule:
Type: "AWS::EC2::TrafficMirrorFilterRule"
Properties:
Description: "Example traffic mirror filter rule"
TrafficMirrorFilterId: "tmf-04812ff784EXAMPLE"
TrafficDirection: "ingress"
RuleNumber: 10
DestinationCidrBlock: "10.0.0.0/16"
SourceCidrBlock: "10.0.0.0/16"
RuleAction: "accept"
Protocol: 17
SourcePortRange:
FromPort: 10
ToPort: 50
DestinationPortRange:
FromPort: 50
ToPort: 100
See Also
• Traffic Mirror Filters and Filter Rules in Traffic Mirroring
• CreateTrafficMirrorFilterRule in the Amazon EC2 API Reference
AWS::EC2::TrafficMirrorFilterRule TrafficMirrorPortRange
Describes the Traffic Mirror port range.
Syntax
JSON
{
"ToPort" : Integer
}
YAML
FromPort: Integer
ToPort: Integer
Properties
FromPort
The start of the Traffic Mirror port range. This applies to the TCP and UDP protocols.
Required: Yes
Type: Integer

1784
EC2

ToPort
The end of the Traffic Mirror port range. This applies to the TCP and UDP protocols.
Required: Yes
Type: Integer
AWS::EC2::TrafficMirrorSession
Creates a Traffic Mirror session.
A Traffic Mirror session actively copies packets from a Traffic Mirror source to a Traffic Mirror target.
Create a filter, and then assign it to the session to define a subset of the traffic to mirror, for example all
TCP traffic.
The Traffic Mirror source and the Traffic Mirror target (monitoring appliances) can be in the same VPC, or
in a different VPC connected via VPC peering or a transit gateway.
By default, no traffic is mirrored. Use AWS::EC2::TrafficMirrorFilterRule to specify filter rules that specify
the traffic to mirror.
Syntax
JSON
{
"Type" : "AWS::EC2::TrafficMirrorSession",
"Properties" : {
"PacketLength" : Integer,
"SessionNumber" : Integer,
"Tags" : [ Tag, ... ],
"TrafficMirrorFilterId" : String,
"TrafficMirrorTargetId" : String,
"VirtualNetworkId" : Integer
}
}
YAML
Type: AWS::EC2::TrafficMirrorSession
Properties:
Description: String
PacketLength: Integer
SessionNumber: Integer
Tags:
- Tag
TrafficMirrorFilterId: String
TrafficMirrorTargetId: String
VirtualNetworkId: Integer

1785
EC2
Properties
Description
The description of the Traffic Mirror session.
Required: No
Type: String

NetworkInterfaceId
The ID of the source network interface.
Required: Yes
Type: String

PacketLength
The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do not
specify this parameter when you want to mirror the entire packet. To mirror a subset of the packet,
set this to the length (in bytes) that you want to mirror. For example, if you set this value to 100,
then the first 100 bytes that meet the filter criteria are copied to the target.
If you do not want to mirror the entire packet, use the PacketLength parameter to specify the
number of bytes in each packet to mirror.
Required: No
Type: Integer

SessionNumber
The session number determines the order in which sessions are evaluated when an interface is used
by multiple sessions. The first session with a matching filter is the one that mirrors the packets.
Valid values are 1-32766.
Required: Yes
Type: Integer

Tags
The tags to assign to a Traffic Mirror session.
Required: No
Type: List of Tag

TrafficMirrorFilterId
The ID of the Traffic Mirror filter.
Required: Yes

1786
EC2
Type: String

TrafficMirrorTargetId
The ID of the Traffic Mirror target.
Required: Yes
Type: String

VirtualNetworkId
The VXLAN ID for the Traffic Mirror session. For more information about the VXLAN protocol, see
RFC 7348. If you do not specify a VirtualNetworkId, an account-wide unique id is chosen at
random.
Required: No
Type: Integer
Return Values
Ref
Traffic Mirror Session.
Examples
Create a Traffic Mirror Session
This is a traffic mirror session that mirrors the first 100 bytes in each packet.
JSON
{
"SampleTrafficMirrorSession": {
"Type": "AWS::EC2::TrafficMirrorSession",
"Properties": {
"Description": "Example traffic mirror session",
"NetworkInterfaceId": "eni-070203a001EXAMPLE",
"TrafficMirrorTargetId": "tmt-5319fsEXAMPLE",
"TrafficMirrorFilterId": "tmf-1tdbhqEXAMPLE",
"SessionNumber": 1,
"PacketLength": 100,
"VirtualNetworkId": 1234,
"Tags": [
{
"Key": "Name",
"Value": "SampleSession"
}
]
}
}
}

1787
EC2
YAML
SampleTrafficMirrorSession:
Type: "AWS::EC2::TrafficMirrorSession"
Properties:
Description: "Example traffic mirror session"
NetworkInterfaceId: "eni-070203a001EXAMPLE"
TrafficMirrorTargetId: "tmt-5319fsEXAMPLE"
TrafficMirrorFilterId: "tmf-1tdbhqEXAMPLE"
SessionNumber: 1
PacketLength: 100
VirtualNetworkId: 1234
Tags:
- Key: "Name"
Value: "SampleSession"
See Also
• Traffic Mirror Sessions in Traffic Mirroring
• CreateTrafficMirrorSession in the Amazon EC2 API Reference
AWS::EC2::TrafficMirrorTarget
Specifies a target for your Traffic Mirror session.
A Traffic Mirror target is the destination for mirrored traffic. The Traffic Mirror source and the Traffic
Mirror target (monitoring appliances) can be in the same VPC, or in different VPCs connected via VPC
peering or a transit gateway.
A Traffic Mirror target can be a network interface, or a Network Load Balancer.
To use the target in a Traffic Mirror session, use AWS::EC2::TrafficMirrorSession.
Syntax
JSON
{
"Type" : "AWS::EC2::TrafficMirrorTarget",
"Properties" : {
"NetworkLoadBalancerArn" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::EC2::TrafficMirrorTarget
Properties:
Description: String
NetworkLoadBalancerArn: String
Tags:

1788
EC2
- Tag
Properties
Description
The description of the Traffic Mirror target.
Required: No
Type: String

NetworkInterfaceId
The network interface ID that is associated with the target.
Required: No
Type: String

NetworkLoadBalancerArn
The Amazon Resource Name (ARN) of the Network Load Balancer that is associated with the target.
Required: No
Type: String

Tags
The tags to assign to the Traffic Mirror target.
Required: No
Type: List of Tag
Return Values
Ref
Traffic Mirror target.
Examples
Create a Traffic Mirror Target Associated with a Network Load Balancer
This is a traffic mirror target associated with a network load balancer.
JSON

1789
EC2
"SampleNLBTrafficMirrorTarget": {
"Type": "AWS::EC2::TrafficMirrorTarget",
"Properties": {
"Description": "Example traffic mirror target associated with a network load
balancer",
"NetworkLoadBalancerArn": "arn:aws:elasticloadbalancing:us-
east-1:724145273726:loadbalancer/net/NLB/7cabvhEXAMPLE",
"Tags": [
{
"Key": "Name",
"Value": "SampleNLBTarget"
}
]
}
}
}
YAML
SampleNLBTrafficMirrorTarget:
Type: "AWS::EC2::TrafficMirrorTarget"
Properties:
Description: "Example traffic mirror target associated with a network load balancer",
NetworkLoadBalancerArn: "arn:aws:elasticloadbalancing:us-
east-1:724145273726:loadbalancer/net/NLB/7cabvhEXAMPLE"
Tags:
- Key: "Name"
Value: "SampleNLBTarget"
Create a Traffic Mirror Target Associated with a Network Interface

This is a traffic mirror target associated with a network interface.
JSON
{
"SampleNetworkInterfaceTarget": {
"Type": "AWS::EC2::TrafficMirrorTarget",
"Properties": {
"Description": "Example traffic mirror target associated with a network interface",
"NetworkInterfaceId": "eni-070203a001EXAMPLE",
"Tags": [
{
"Key": "Name",
"Value": "SampleNetworkInterfaceTarget"
}
]
}
}
}
YAML
SampleNetworkInterfaceTarget:
Type: "AWS::EC2::TrafficMirrorTarget"
Properties:
Description: "Example traffic mirror target associated with a network interface"
NetworkInterfaceId: "eni-070203a001EXAMPLE"
Tags:
- Key: "Name"
Value: "SampleNetworkInterfaceTarget"

1790
EC2
See Also
• Traffic Mirror Targets in Traffic Mirroring
• CreateTrafficMirrorTarget in the Amazon EC2 API Reference
AWS::EC2::TransitGateway
Specifies a transit gateway.
You can use a transit gateway to interconnect your virtual private clouds (VPC) and on-premises
networks. After the transit gateway enters the available state, you can attach your VPCs and VPN
connections to the transit gateway.
To attach your VPCs, use AWS::EC2::TransitGatewayAttachment.
To attach a VPN connection, use AWS::EC2::CustomerGateway to create a customer gateway and specify
the ID of the customer gateway and the ID of the transit gateway in a call to AWS::EC2::VPNConnection.
When you create a transit gateway, we create a default transit gateway route table and use
it as the default association route table and the default propagation route table. You can use
AWS::EC2::TransitGatewayRouteTable to create additional transit gateway route tables. If you
disable automatic route propagation, we do not create a default transit gateway route table. You
can use AWS::EC2::TransitGatewayRouteTablePropagation to propagate routes from a resource
attachment to a transit gateway route table. If you disable automatic associations, you can use
AWS::EC2::TransitGatewayRouteTableAssociation to associate a resource attachment with a transit
gateway route table.
Syntax
JSON
{
"Type" : "AWS::EC2::TransitGateway",
"Properties" : {
"AmazonSideAsn" : Integer,
"AutoAcceptSharedAttachments" : String,
"DefaultRouteTableAssociation" : String,
"DefaultRouteTablePropagation" : String,
"DnsSupport" : String,
"Tags" : [ Tag, ... ],
"VpnEcmpSupport" : String
}
}
YAML
Type: AWS::EC2::TransitGateway
Properties:
AmazonSideAsn: Integer
AutoAcceptSharedAttachments: String
DefaultRouteTableAssociation: String
DefaultRouteTablePropagation: String
Description: String

1791
EC2
DnsSupport: String
Tags:
- Tag
VpnEcmpSupport: String
Properties
AmazonSideAsn
A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is
64512 to 65534 for 16-bit ASNs.
Required: No
Type: Integer

AutoAcceptSharedAttachments
Indicates whether attachment requests are automatically accepted.
Required: No
Type: String
Allowed Values: disable | enable

DefaultRouteTableAssociation
Indicates whether resource attachments are automatically associated with the default association
route table.
Required: No
Type: String

DefaultRouteTablePropagation
Indicates whether resource attachments automatically propagate routes to the default propagation
route table.
Required: No
Type: String

Description
The description of the transit gateway.
Required: No
Type: String

1792
EC2
DnsSupport
Indicates whether DNS support is enabled.
Required: No
Type: String

Tags
The tags for the transit gateway.
Required: No
Type: List of Tag

VpnEcmpSupport
Indicates whether Equal Cost Multipath Protocol support is enabled.
Required: No
Type: String
Return Values
Ref
transit gateway.
Examples
Transit Gateway
The following example declares a transit gateway.
JSON
"myTransitGateway": {
"Type": "AWS::EC2::TransitGateway",
"Properties": {
"AmazonSideAsn": 65000,
"Description": "TGW Route Integration Test",
"AutoAcceptSharedAttachments": "disable",
"DefaultRouteTableAssociation": "enable",
"DnsSupport": "enable",
"VpnEcmpSupport": "enable",
"Tags": [
{
"Key": "Application",

1793
EC2
"Value": {
}
}
]
}
}
YAML
myTransitGateway:
Type: "AWS::EC2::TransitGateway"
Properties:
AmazonSideAsn: 65000
Description: "TGW Route Integration Test"
AutoAcceptSharedAttachments: "disable"
DefaultRouteTableAssociation: "enable"
DnsSupport: "enable"
VpnEcmpSupport: "enable"
Tags:
- Key: Application
Value: !Ref 'AWS::StackId'
See Also
• CreateTransitGateway in the Amazon EC2 API Reference
AWS::EC2::TransitGatewayAttachment
Attaches a VPC to a transit gateway.
If you attach a VPC with a CIDR range that overlaps the CIDR range of a VPC that is already attached, the
new VPC CIDR range is not propagated to the default propagation route table.
To send VPC traffic to an attached transit gateway, add a route to the VPC route table using
AWS::EC2::TransitGatewayRoute.
Syntax
JSON
{
"Type" : "AWS::EC2::TransitGatewayAttachment",
"Properties" : {
"Tags" : [ Tag, ... ],
"VpcId" : String
}
}
YAML
Type: AWS::EC2::TransitGatewayAttachment
Properties:
SubnetIds:

1794
EC2
- String
Tags:
- Tag
VpcId: String
Properties
SubnetIds
The IDs of one or more subnets. You can specify only one subnet per Availability Zone. You must
specify at least one subnet, but we recommend that you specify two subnets for better availability.
The transit gateway uses one IP address from each specified subnet.
Required: Yes

Tags
The tags for the attachment.
Required: No
Type: List of Tag

TransitGatewayId
The ID of the transit gateway.
Required: Yes
Type: String

VpcId
The ID of the VPC.
Required: Yes
Type: String
Return Values
Ref
name.
See Also
• CreateTransitGatewayVpcAttachment in the Amazon EC2 API Reference.

1795
EC2
• ModifyTransitGatewayVpcAttachment in the Amazon EC2 API Reference
AWS::EC2::TransitGatewayRoute
Specifies a static route for a transit gateway route table.
Syntax
JSON
{
"Type" : "AWS::EC2::TransitGatewayRoute",
"Properties" : {
"Blackhole" : Boolean,
"TransitGatewayAttachmentId" : String,
"TransitGatewayRouteTableId" : String
}
}
YAML
Type: AWS::EC2::TransitGatewayRoute
Properties:
Blackhole: Boolean
TransitGatewayAttachmentId: String
TransitGatewayRouteTableId: String
Properties
Blackhole
Indicates whether to drop traffic that matches this route.
Required: No
Type: Boolean

The CIDR block used for destination matches.
Required: No
Type: String

TransitGatewayAttachmentId
The ID of the attachment.
Required: No
Type: String

1796
EC2

TransitGatewayRouteTableId
The ID of the transit gateway route table.
Required: Yes
Type: String
Return Values
Ref
name.
See Also
• CreateTransitGatewayRoute in the Amazon EC2 API Reference
AWS::EC2::TransitGatewayRouteTable
Specifies a route table for a transit gateway.
Syntax
JSON
{
"Type" : "AWS::EC2::TransitGatewayRouteTable",
"Properties" : {
"Tags" : [ Tag, ... ],
"TransitGatewayId" : String
}
}
YAML
Type: AWS::EC2::TransitGatewayRouteTable
Properties:
Tags:
- Tag
Properties
Tags
Any tags assigned to the route table.
Required: No

1797
EC2
Type: List of Tag

TransitGatewayId
The ID of the transit gateway.
Required: Yes
Type: String
Return Values
Ref
name.
See Also
• CreateTransitGatewayRouteTable in the Amazon EC2 API Reference
AWS::EC2::TransitGatewayRouteTableAssociation
Associates the specified attachment with the specified transit gateway route table. You can associate
only one route table with an attachment.
Note
The TransitGatewayRouteTableId value changes when you use
AWS::EC2::TransitGatewayRouteTableAssociation. To update the route table on the
resource, detach the route table and update the Cloud Formation stack. After you have the new
TransitGatewayRouteTableId, perform another Cloud Formation stack update with the
new ID. For more information, see Update Behaviors of Stack Resources.
Syntax
JSON
{
"Type" : "AWS::EC2::TransitGatewayRouteTableAssociation",
"Properties" : {
}
}
YAML
Type: AWS::EC2::TransitGatewayRouteTableAssociation
Properties:

1798
EC2
Properties
Required: Yes
Type: String

The ID of the route table for the transit gateway.
Required: Yes
Type: String
Return Values
Ref
transit gateway route table association.
See Also
• AssociateTransitGatewayRouteTable in the Amazon EC2 API Reference
AWS::EC2::TransitGatewayRouteTablePropagation
Enables the specified attachment to propagate routes to the specified propagation route table.
For more information about enabling transit gateway route propagation, see
EnableVgwRoutePropagation in the Amazon Elastic Compute Cloud API Reference.
Syntax
JSON
{
"Type" : "AWS::EC2::TransitGatewayRouteTablePropagation",
"Properties" : {
}

1799
EC2
YAML
Type: AWS::EC2::TransitGatewayRouteTablePropagation
Properties:
Properties
Required: Yes
Type: String

The ID of the propagation route table.
Required: Yes
Type: String
Return Values
Ref
transit gateway route table that is propagated.
See Also
• EnableTransitGatewayRouteTablePropagation in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::Volume
Specifies an Amazon Elastic Block Store (Amazon EBS) volume.
When you use AWS CloudFormation to update an Amazon EBS volume that modifies Iops, Size, or
VolumeType, there is a cooldown period before another operation can occur. This can cause your stack
to report being in UPDATE_IN_PROGRESS or UPDATE_ROLLBACK_IN_PROGRESS for long periods of
time.
Amazon EBS does not support modifying a Magnetic volume. For more information, see Requirements
for Modifying EBS Volumes.
Amazon EBS does not support sizing down an Amazon EBS volume. AWS CloudFormation will not
attempt to modify an Amazon EBS volume to a smaller size on rollback.

1800
EC2
Some common scenarios when you might encounter a cooldown period for Amazon EBS include:
• You successfully update an Amazon EBS volume and the update succeeds. When you attempt another
update within the cooldown window, that update will be subject to a cooldown period.
• You successfully update an Amazon EBS volume and the update succeeds but another change in your
update-stack call fails. The rollback will be subject to a cooldown period.
For more information on the cooldown period, see Requirements for Modifying EBS Volumes.
To control how AWS CloudFormation handles the volume when the stack is deleted, set a deletion policy
for your volume. You can choose to retain the volume, to delete the volume, or to create a snapshot of
the volume. For more information, see DeletionPolicy Attribute.
Note
If you set a deletion policy that creates a snapshot, all tags on the volume are included in the
snapshot.
Syntax
JSON
{
"Properties" : {
"AutoEnableIO" : Boolean,
"Iops" : Integer,
"Size" : Integer,
"Tags" : [ Tag, ... ],
}
}
YAML
Properties:
AutoEnableIO: Boolean
Encrypted: Boolean
Iops: Integer
KmsKeyId: String
Size: Integer
SnapshotId: String
Tags:
- Tag
VolumeType: String
Properties
AutoEnableIO
Indicates whether the volume is auto-enabled for I/O operations. By default, Amazon EBS disables I/
O to the volume from attached EC2 instances when it determines that a volume's data is potentially
inconsistent. If the consistency of the volume is not a concern, and you prefer that the volume be

1801
EC2
made available immediately if it's impaired, you can configure the volume to automatically enable I/
O.
Required: No
Type: Boolean

AvailabilityZone
The Availability Zone in which to create the volume.
Required: Yes
Type: String

Encrypted
Specifies whether the volume should be encrypted. The effect of setting the encryption state to
true depends on the volume origin (new or from a snapshot), starting encryption state, ownership,
and whether encryption by default is enabled. For more information, see Encryption by Default in
the Amazon Elastic Compute Cloud User Guide.
Encrypted Amazon EBS volumes must be attached to instances that support Amazon EBS
encryption. For more information, see Supported Instance Types.
Required: No
Type: Boolean

Iops
The number of I/O operations per second (IOPS) to provision for the volume, with a maximum ratio
of 50 IOPS/GiB. Range is 100 to 64,000 IOPS for volumes in most Regions. Maximum IOPS of 64,000
is guaranteed only on Nitro-based instances. Other instance families guarantee performance up to
32,000 IOPS. For more information, see Amazon EBS Volume Types in the Amazon Elastic Compute
Cloud User Guide.
This parameter is valid only for Provisioned IOPS SSD (io1) volumes.
Required: No
Type: Integer

KmsKeyId
The identifier of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use for
Amazon EBS encryption. If this parameter is not specified, your AWS managed CMK for EBS is used.
If KmsKeyId is specified, the encrypted state must be true.
You can specify the CMK using any of the following:

• Key ID. For example, key/1234abcd-12ab-34cd-56ef-1234567890ab.
• Key alias. For example, alias/ExampleAlias.
• Key ARN. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-
a123b4cd56ef.
• Alias ARN. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.

1802
EC2
AWS authenticates the CMK asynchronously. Therefore, if you specify an ID, alias, or ARN that is not
valid, the action can appear to complete, but eventually fails.
Required: No
Type: String

Size
The size of the volume, in GiBs.
Constraints: 1-16,384 for gp2, 4-16,384 for io1, 500-16,384 for st1, 500-16,384 for sc1, and
1-1,024 for standard. If you specify a snapshot, the volume size must be equal to or larger than the
snapshot size.
the snapshot size.
Note
At least one of Size or SnapshotId is required.
Required: No
Type: Integer

SnapshotId
The snapshot from which to create the volume.

Note
At least one of Size or SnapshotId are required.
Required: No
Type: String

Tags
The tags to apply to the volume during creation.
Required: No
Type: List of Tag

VolumeType
The volume type. This can be gp2 for General Purpose SSD, io1 for Provisioned IOPS SSD, st1 for
Throughput Optimized HDD, sc1 for Cold HDD, or standard for Magnetic volumes.
Default: gp2
Required: No
Type: String

1803
EC2
Return Values
Ref
name. For example: vol-5cb85026.
Examples
Encrypted Amazon EBS Volume with DeletionPolicy to Make a Snapshot on Delete
JSON
"NewVolume" : {
"Properties" : {
"Size" : "100",
"Encrypted" : "true",
"AvailabilityZone" : { "Fn::GetAtt" : [ "Ec2Instance", "AvailabilityZone" ] },
"Tags" : [ {
"Key" : "MyTag",
"Value" : "TagValue"
} ]
},
}
YAML
NewVolume:
Properties:
Size: 100
Encrypted: true
Tags:
- Key: MyTag
Value: TagValue
Amazon EBS Volume with 100 Provisioned IOPS
JSON
"NewVolume" : {
"Properties" : {
"Size" : "100",
"Iops" : "100",
"AvailabilityZone" : { "Fn::GetAtt" : [ "EC2Instance", "AvailabilityZone" ] }
}
}
YAML
NewVolume:

1804
EC2
Properties:
Size: 100
VolumeType: io1
Iops: 100
See Also
• CreateVolume in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::VolumeAttachment
Attaches an Amazon EBS volume to a running instance and exposes it to the instance with the specified
device name.
Before this resource can be deleted (and therefore the volume detached), you must first unmount the
volume in the instance. Failure to do so results in the volume being stuck in the busy state while it is
trying to detach, which could possibly damage the file system or the data it contains.
If an Amazon EBS volume is the root device of an instance, it cannot be detached while the instance is in
the "running" state. To detach the root volume, stop the instance first.
If the root volume is detached from an instance with an AWS Marketplace product code, then the AWS
Marketplace product codes from that volume are no longer associated with the instance.
Syntax
JSON
{
"Properties" : {
"Device" : String,
"VolumeId" : String
}
}
YAML
Properties:
Device: String
InstanceId: String
VolumeId: String
Properties
Device
Required: Yes
Type: String

1805
EC2
InstanceId
The ID of the instance to which the volume attaches. This value can be a reference to an
AWS::EC2::Instance resource, or it can be the physical ID of an existing EC2 instance.
Required: Yes
Type: String

VolumeId
The ID of the Amazon EBS volume. The volume and instance must be within the same Availability
Zone. This value can be a reference to an AWS::EC2::Volume resource, or it can be the volume ID
of an existing Amazon EBS volume.
Required: Yes
Type: String
Examples
Attach an EBS Volume to a Running Instance
This example attaches an EC2 EBS volume to the EC2 instance with the logical name "Ec2Instance".
JSON
"NewVolume" : {
"Properties" : {
"Size" : "100",
"AvailabilityZone" : { "Fn::GetAtt" : [ "Ec2Instance", "AvailabilityZone" ] },
"Tags" : [ {
"Key" : "MyTag",
"Value" : "TagValue"
} ]
}
},
"MountPoint" : {
"Properties" : {
"InstanceId" : { "Ref" : "Ec2Instance" },
}
}
YAML
NewVolume:
Properties:
Size: 100
Tags:
- Key: MyTag
Value: TagValue

1806
EC2
MountPoint:
Properties:
InstanceId: !Ref Ec2Instance
VolumeId: !Ref NewVolume
Device: /dev/sdh
See Also
• Amazon Elastic Block Store (Amazon EBS) in the Amazon Elastic Compute Cloud User Guide
• Attaching a Volume to an Instance in the Amazon Elastic Compute Cloud User Guide
• Detaching an Amazon EBS Volume from an Instance in the Amazon Elastic Compute Cloud User Guide
• AttachVolume in the Amazon Elastic Compute Cloud API Reference
• DetachVolume in the Amazon Elastic Compute Cloud API Reference
AWS::EC2::VPC
Specifies a VPC with the specified IPv4 CIDR block. The smallest VPC you can create uses a /28 netmask
(16 IPv4 addresses), and the largest uses a /16 netmask (65,536 IPv4 addresses). For more information
about how large to make your VPC, see Your VPC and Subnets in the Amazon Virtual Private Cloud User
Guide.
Syntax
JSON
{
"Properties" : {
"EnableDnsHostnames" : Boolean,
"EnableDnsSupport" : Boolean,
"InstanceTenancy" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::EC2::VPC
Properties:
CidrBlock: String
EnableDnsHostnames: Boolean
EnableDnsSupport: Boolean
InstanceTenancy: String
Tags:
- Tag
Properties
CidrBlock
The primary IPv4 CIDR block for the VPC.

1807
EC2
Required: Yes
Type: String

EnableDnsHostnames
Indicates whether the instances launched in the VPC get DNS hostnames. If enabled, instances in the
VPC get DNS hostnames; otherwise, they do not. Disabled by default for nondefault VPCs. For more
information, see DNS Support in Your VPC.
You can only enable DNS hostnames if you've enabled DNS support.
Required: No
Type: Boolean

EnableDnsSupport
Indicates whether the DNS resolution is supported for the VPC. If enabled, queries to the Amazon
provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of
the VPC network range "plus two" succeed. If disabled, the Amazon provided DNS service in the VPC
that resolves public DNS hostnames to IP addresses is not enabled. Enabled by default. For more
information, see DNS Support in Your VPC.
Required: No
Type: Boolean

InstanceTenancy
The allowed tenancy of instances launched into the VPC.

• "default": An instance launched into the VPC runs on shared hardware by default, unless you
explicitly specify a different tenancy during instance launch.
• "dedicated": An instance launched into the VPC is a Dedicated Instance by default, unless you
explicitly specify a tenancy of host during instance launch. You cannot specify a tenancy of default
during instance launch.
Updating InstanceTenancy requires no replacement only if you are updating its value from
"dedicated" to "default". Updating InstanceTenancy from "default" to "dedicated"
requires replacement.
Required: No
Type: String

Tags
The tags for the VPC.
Required: No
Type: List of Tag

1808
EC2
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the VPC.
Fn::GetAtt
CidrBlock
The set of IP addresses for the VPC. For example, 10.0.0.0/16.

CidrBlockAssociations
A list of IPv4 CIDR block association IDs for the VPC. For example, [ vpc-cidr-
assoc-0280ab6b ].
DefaultNetworkAcl
The default network ACL ID that is associated with the VPC. For example, acl-814dafe3.
DefaultSecurityGroup
The default security group ID that is associated with the VPC. For example, sg-b178e0d3.
Ipv6CidrBlocks
A list of IPv6 CIDR blocks that are associated with the VPC, such as
[ 2001:db8:1234:1a00::/56 ].
Examples
VPC
The following example specifies a VPC.
JSON
"myVPC" : {
"Properties" : {
"CidrBlock" : "10.0.0.0/16",
"EnableDnsSupport" : "false",
"EnableDnsHostnames" : "false",
"InstanceTenancy" : "dedicated",
"Tags" : [ {"Key" : "foo", "Value" : "bar"} ]
}
}
YAML
myVPC:
Type: AWS::EC2::VPC
Properties:

1809
EC2
EnableDnsSupport: 'false'
EnableDnsHostnames: 'false'
InstanceTenancy: dedicated
Tags:
- Key: foo
Value: bar
See Also
• CreateVpc in the Amazon EC2 API Reference
• Your VPC and Subnets in the Amazon Virtual Private Cloud User Guide
AWS::EC2::VPCCidrBlock
Associates a CIDR block with your VPC. You can only associate a single IPv6 CIDR block with your VPC.
The IPv6 CIDR block size is fixed at /56.
For more information about associating CIDR blocks with your VPC and applicable restrictions, see VPC
and Subnet Sizing in the Amazon Virtual Private Cloud User Guide.
Syntax
JSON
{
"Type" : "AWS::EC2::VPCCidrBlock",
"Properties" : {
"AmazonProvidedIpv6CidrBlock" : Boolean,
"VpcId" : String
}
}
YAML
Type: AWS::EC2::VPCCidrBlock
Properties:
AmazonProvidedIpv6CidrBlock: Boolean
CidrBlock: String
VpcId: String
Properties
AmazonProvidedIpv6CidrBlock
Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot
specify the range of IPv6 addresses, or the size of the CIDR block.
Required: No
Type: Boolean

CidrBlock
An IPv4 CIDR block to associate with the VPC.

1810
EC2
Required: No
Type: String

VpcId
The ID of the VPC.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the VPC CIDR
block.
Examples
Associate an Amazon-provided IPv6 CIDR block
The following example associates an Amazon-provided IPv6 CIDR block (with a prefix length of /56) with
the TestVPCIpv6 VPC.
JSON
"Ipv6VPCCidrBlock": {
"Type": "AWS::EC2::VPCCidrBlock",
"Properties": {
"AmazonProvidedIpv6CidrBlock": true,
"VpcId": { "Ref" : "TestVPCIpv6" }
}
}
YAML
Ipv6VPCCidrBlock:
Properties:
AmazonProvidedIpv6CidrBlock: true
VpcId: !Ref TestVPCIpv6
Associate an IPv4 CIDR block and Amazon-provided IPv6 CIDR block
The following example associates an IPv4 CIDR block and an Amazon-provided IPv6 CIDR block with a
VPC. It also outputs the list of IPv4 CIDR block association IDs and IPv6 CIDR blocks that are associated
with the VPC.
JSON

1811
EC2
"Resources": {
"VPC": {
"Properties": {
"CidrBlock": "10.0.0.0/24"
}
},
"VpcCidrBlock": {
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": "192.0.0.0/24"
}
},
"VpcCidrBlockIpv6": {
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"AmazonProvidedIpv6CidrBlock": true
}
}
},
"Outputs": {
"VpcId": {
"Value": {
"Ref": "VPC"
}
},
"PrimaryCidrBlock": {
"Value": {
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
}
},
"Ipv6CidrBlock": {
"Value": {
"Fn::Select": [
0,
{
"Fn::GetAtt": [
"VPC",
"Ipv6CidrBlocks"
]
}
]
}
},
"CidrBlockAssociation": {
"Value": {
"Fn::Select": [
0,
{
"Fn::GetAtt": [
"VPC",
"CidrBlockAssociations"
]
}
]
}
}

1812
EC2
}
}
YAML
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
VpcCidrBlock:
Properties:
VpcId: !Ref VPC
CidrBlock: 192.0.0.0/24
VpcCidrBlockIpv6:
Properties:
VpcId: !Ref VPC
AmazonProvidedIpv6CidrBlock: true
Outputs:
VpcId:
Value: !Ref VPC
PrimaryCidrBlock:
Value: !GetAtt VPC.CidrBlock
Ipv6CidrBlock:
Value: !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ]
CidrBlockAssociation:
Value: !Select [ 0, !GetAtt VPC.CidrBlockAssociations ]
AWS::EC2::VPCDHCPOptionsAssociation
Associates a set of DHCP options with a VPC, or associates no DHCP options with the VPC.
After you associate the options with the VPC, any existing instances and all new instances that
you launch in that VPC use the options. You don't need to restart or relaunch the instances. They
automatically pick up the changes within a few hours, depending on how frequently the instance renews
its DHCP lease. You can explicitly renew the lease using the operating system on the instance.
Syntax
JSON
{
"Type" : "AWS::EC2::VPCDHCPOptionsAssociation",
"Properties" : {
"DhcpOptionsId" : String,
"VpcId" : String
}
}
YAML
Type: AWS::EC2::VPCDHCPOptionsAssociation
Properties:
DhcpOptionsId: String

1813
EC2
VpcId: String
Properties
DhcpOptionsId
The ID of the DHCP options set, or default to associate no DHCP options with the VPC.
Required: Yes
Type: String

VpcId
The ID of the VPC.
Required: Yes
Type: String
Return Values
Ref
DHCP options association.
Examples
VPC DHCP Options Association
The following example uses the Ref intrinsic function to associate the myDHCPOptions DHCP
options with the myVPC VPC. The VPC and DHCP options can be declared in the same template or
added as input parameters. For more information about the VPC or the DHCP options resources, see
AWS::EC2::VPC or AWS::EC2::DHCPOptions.
JSON
"myVPCDHCPOptionsAssociation" : {
"Type" : "AWS::EC2::VPCDHCPOptionsAssociation",
"Properties" : {
"VpcId" : {"Ref" : "myVPC"},
"DhcpOptionsId" : {"Ref" : "myDHCPOptions"}
}
}
YAML
myVPCDHCPOptionsAssociation:
Type: AWS::EC2::VPCDHCPOptionsAssociation
Properties:
VpcId:

1814
EC2
Ref: myVPC
DhcpOptionsId:
Ref: myDHCPOptions
See Also
• AssociateDhcpOptions in the Amazon EC2 API Reference
• DHCP Options Sets in the Amazon Virtual Private Cloud User Guide
AWS::EC2::VPCEndpoint
Specifies a VPC endpoint for a service. An endpoint enables you to create a private connection between
your VPC and the service. The service may be provided by AWS, an AWS Marketplace partner, or another
AWS account. For more information, see VPC Endpoints in the Amazon Virtual Private Cloud User Guide.
A gateway endpoint serves as a target for a route in your route table for traffic destined for the AWS
service. You can specify an endpoint policy to attach to the endpoint that will control access to the
service from your VPC. You can also specify the VPC route tables that use the endpoint.
An interface endpoint is a network interface in your subnet that serves as an endpoint for
communicating with the specified service. You can specify the subnets in which to create an endpoint,
and the security groups to associate with the endpoint network interface.
Syntax
JSON
{
"Type" : "AWS::EC2::VPCEndpoint",
"Properties" : {
"PolicyDocument" : Json,
"PrivateDnsEnabled" : Boolean,
"RouteTableIds" : [ String, ... ],
"ServiceName" : String,
"VpcEndpointType" : String,
"VpcId" : String
}
}
YAML
Type: AWS::EC2::VPCEndpoint
Properties:
PolicyDocument: Json
PrivateDnsEnabled: Boolean
RouteTableIds:
- String
SecurityGroupIds:
- String
ServiceName: String
SubnetIds:
- String
VpcEndpointType: String
VpcId: String

1815
EC2
Properties
PolicyDocument
A policy to attach to the endpoint that controls access to the service. The policy must be in valid
JSON format. If this parameter is not specified, we attach a default policy that allows full access to
the service.
Required: No
Type: Json

PrivateDnsEnabled
(Interface endpoint) Indicate whether to associate a private hosted zone with the specified VPC.
The private hosted zone contains a record set for the default public DNS name for the service for
the Region (for example, kinesis.us-east-1.amazonaws.com) which resolves to the private
IP addresses of the endpoint network interfaces in the VPC. This enables you to make requests to
the default public DNS name for the service instead of the public DNS names that are automatically
generated by the VPC endpoint service.
To use a private hosted zone, you must set the following VPC attributes to true:
enableDnsHostnames and enableDnsSupport.
Default: false
Required: No
Type: Boolean

RouteTableIds
(Gateway endpoint) One or more route table IDs.
Required: No

SecurityGroupIds
(Interface endpoint) The ID of one or more security groups to associate with the endpoint network
interface.
This field is required when the endpoint is an interface.

ServiceName
The service name. To get a list of available services, use the DescribeVpcEndpointServices request, or
get the name from the service provider.
Required: Yes

1816
EC2
Type: String

SubnetIds
(Interface endpoint) The ID of one or more subnets in which to create an endpoint network interface.

VpcEndpointType
The type of endpoint.
Default: Gateway
Required: No
Type: String
Allowed Values: Gateway | Interface

VpcId
The ID of the VPC in which the endpoint will be used.
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the VPC
endpoint.
Fn::GetAtt
CreationTimestamp
The date and time the VPC endpoint was created. For example: Fri Sep 28 23:34:36 UTC
2018.

1817
EC2
DnsEntries
(Interface endpoint) The DNS entries for the endpoint. Each entry is a combination of the hosted
zone ID and the DNS name. The entries are ordered as follows: regional public DNS, zonal public
DNS, private DNS, and wildcard DNS. This order is not enforced for AWS Marketplace services.
The following is an example. In the first entry, the hosted zone ID is Z1HUB23UULQXV and the DNS
name is vpce-01abc23456de78f9g-12abccd3.ec2.us-east-1.vpce.amazonaws.com.
["Z1HUB23UULQXV:vpce-01abc23456de78f9g-12abccd3.ec2.us-east-1.vpce.amazonaws.com",
"Z1HUB23UULQXV:vpce-01abc23456de78f9g-12abccd3-us-east-1a.ec2.us-
east-1.vpce.amazonaws.com", "Z1C12344VYDITB0:ec2.us-east-1.amazonaws.com"]
If you update the PrivateDnsEnabled or SubnetIds properties, the DNS entries in the list will
change.
NetworkInterfaceIds
(Interface endpoint) One or more network interface IDs. If you update the PrivateDnsEnabled or
SubnetIds properties, the items in this list might change.
Examples
VPC Endpoint
The following example specifies a VPC endpoint that allows only the s3:GetObject action on the
examplebucket bucket. Traffic to S3 within subnets that are associated with the routetableA and
routetableB route tables is automatically routed through the VPC endpoint.
JSON
"S3Endpoint" : {
"Type" : "AWS::EC2::VPCEndpoint",
"Properties" : {
"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::examplebucket/*"]
}]
},
"RouteTableIds" : [ {"Ref" : "routetableA"}, {"Ref" : "routetableB"} ],
"ServiceName" : { "Fn::Sub": "com.amazonaws.${AWS::Region}.s3" },
"VpcId" : {"Ref" : "VPCID"}
}
}
YAML
Type: AWS::EC2::VPCEndpoint
Properties:
PolicyDocument: '{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::examplebucket/*"]

1818
EC2
}]
}'
RouteTableIds:
- !Ref routetableA
- !Ref routetableB
ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
VpcId: !Ref VPCID
AWS::EC2::VPCEndpointConnectionNotification
Specifies a connection notification for a VPC endpoint or VPC endpoint service. A connection notification
notifies you of specific endpoint events. You must create an SNS topic to receive notifications. For more
information, see Create a Topic in the Amazon Simple Notification Service Developer Guide.
You can create a connection notification for interface endpoints only.
Syntax
JSON
{
"Type" : "AWS::EC2::VPCEndpointConnectionNotification",
"Properties" : {
"ConnectionEvents" : [ String, ... ],
"ConnectionNotificationArn" : String,
"ServiceId" : String,
"VPCEndpointId" : String
}
}
YAML
Type: AWS::EC2::VPCEndpointConnectionNotification
Properties:
ConnectionEvents:
- String
ConnectionNotificationArn: String
ServiceId: String
VPCEndpointId: String
Properties
ConnectionEvents
One or more endpoint events for which to receive notifications. Valid values are Accept, Connect,
Delete, and Reject.
Required: Yes

ConnectionNotificationArn
The ARN of the SNS topic for the notifications.
Required: Yes

1819
EC2
Type: String

ServiceId
The ID of the endpoint service.
Required: No
Type: String

VPCEndpointId
The ID of the endpoint.
Required: No
Type: String
Return Values
Ref
endpoint connection.
AWS::EC2::VPCEndpointService
Specifies a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users,
and IAM roles) can connect. Service consumers can create an interface VPC endpoint to connect to your
service.
To create an endpoint service configuration, you must first create a Network Load Balancer for your
service.
Syntax
JSON
{
"Type" : "AWS::EC2::VPCEndpointService",
"Properties" : {
"AcceptanceRequired" : Boolean,
"NetworkLoadBalancerArns" : [ String, ... ]
}
}
YAML
Type: AWS::EC2::VPCEndpointService
Properties:

1820
EC2
AcceptanceRequired: Boolean
NetworkLoadBalancerArns:
- String
Properties
AcceptanceRequired
Indicates whether requests from service consumers to create an endpoint to your service must be
accepted.
Required: No
Type: Boolean

NetworkLoadBalancerArns
The Amazon Resource Names (ARNs) of one or more Network Load Balancers for your service.
Required: Yes
Return Values
Ref
endpoint service configuration.
See Also
• CreateVpcEndpointServiceConfiguration in the Amazon EC2 API Reference
• VPC Endpoint Services in the Amazon Virtual Private Cloud User Guide
AWS::EC2::VPCEndpointServicePermissions
Grant or revoke permissions for service consumers (IAM users, IAM roles, and AWS accounts) to connect
to a VPC endpoint service.
If you grant permissions to all principals, the service is public. Any users who know the name of a public
service can send a request to attach an endpoint. If the service does not require manual approval,
attachments are automatically approved.
Syntax
JSON

1821
EC2
"Type" : "AWS::EC2::VPCEndpointServicePermissions",
"Properties" : {
"AllowedPrincipals" : [ String, ... ],
"ServiceId" : String
}
}
YAML
Type: AWS::EC2::VPCEndpointServicePermissions
Properties:
AllowedPrincipals:
- String
ServiceId: String
Properties
AllowedPrincipals
The Amazon Resource Names (ARN) of one or more principals (IAM users, IAM roles, and AWS
accounts). Permissions are granted to the principals in this list. To grant permissions to all principals,
specify an asterisk (*). Permissions are revoked for principals not in this list. If the list is empty, then
all permissions are revoked.
Required: No

ServiceId
The ID of the service.
Required: Yes
Type: String
Return Values
Ref
endpoint service permissions.
AWS::EC2::VPCGatewayAttachment
Attaches an internet gateway, or a virtual private gateway to a VPC, enabling connectivity between the
internet and the VPC.
Syntax

1822
EC2
JSON
{
"Properties" : {
"InternetGatewayId" : String,
"VpcId" : String,
"VpnGatewayId" : String
}
}
YAML
Properties:
InternetGatewayId: String
VpcId: String
VpnGatewayId: String
Properties
InternetGatewayId
The ID of the internet gateway.
You must specify either InternetGatewayId or VpnGatewayId, but not both.
Required: No
Type: String

VpcId
The ID of the VPC.
Required: Yes
Type: String

VpnGatewayId
The ID of the virtual private gateway.
You must specify either InternetGatewayId or VpnGatewayId, but not both.
Required: No
Type: String
Return Values
Ref
gateway attachment.

1823
EC2
Examples
VPN Gateway Attachment
To attach both an Internet gateway and a VPN gateway to a VPC, you must specify two separate
AWS::EC2::VPCGatewayAttachment resources:
JSON
"AttachGateway" : {
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "myInternetGateway" }
}
},
"AttachVpnGateway" : {
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"VpnGatewayId" : { "Ref" : "myVPNGateway" }
}
}
YAML
AttachGateway:
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
AttachVpnGateway:
Properties:
VpcId:
Ref: VPC
VpnGatewayId:
Ref: myVPNGateway
See Also
• AttachVpnGateway in the Amazon EC2 API Reference
• InternetGateways in the Amazon Virtual Private Cloud User Guide
AWS::EC2::VPCPeeringConnection
Requests a VPC peering connection between two VPCs: a requester VPC that you own and an accepter
VPC with which to create the connection. The accepter VPC can belong to another AWS account and
can be in a different Region to the requester VPC. The requester VPC and accepter VPC cannot have
overlapping CIDR blocks.
Note
Limitations and rules apply to a VPC peering connection. For more information, see the
limitations section in the VPC Peering Guide.

1824
EC2
The owner of the accepter VPC must accept the peering request to activate the peering connection. The
VPC peering connection request expires after 7 days, after which it cannot be accepted or rejected.
If you create a VPC peering connection request between VPCs with overlapping CIDR blocks, the VPC
peering connection has a status of failed.
Syntax
JSON
{
"Type" : "AWS::EC2::VPCPeeringConnection",
"Properties" : {
"PeerOwnerId" : String,
"PeerRegion" : String,
"PeerRoleArn" : String,
"PeerVpcId" : String,
"Tags" : [ Tag, ... ],
"VpcId" : String
}
}
YAML
Type: AWS::EC2::VPCPeeringConnection
Properties:
PeerOwnerId: String
PeerRegion: String
PeerRoleArn: String
PeerVpcId: String
Tags:
- Tag
VpcId: String
Properties
PeerOwnerId
The AWS account ID of the owner of the accepter VPC.
Default: Your AWS account ID
Required: No
Type: String

PeerRegion
The Region code for the accepter VPC, if the accepter VPC is located in a Region other than the
Region in which you make the request.
Default: The Region in which you make the request.
Required: No
Type: String

1825
EC2

PeerRoleArn
The Amazon Resource Name (ARN) of the VPC peer role for the peering connection in another AWS
account.
This is required when you are peering a VPC in a different AWS account.
Type: String

PeerVpcId
The ID of the VPC with which you are creating the VPC peering connection. You must specify this
parameter in the request.
Required: Yes
Type: String

Tags
Any tags assigned to the resource.
Required: No
Type: List of Tag

VpcId
The ID of the VPC.
Required: Yes
Type: String
Return Values
Ref
peering connection.
Examples
VPC Peering Connection
The following example creates two VPCs (myVPC and myPrivateVPC) and a subnet in each VPC. The
subnet in myVPC is a public subnet. The example then creates a VPC peering connection between the
VPCs and launches an instance in each VPC. You can test the peering connection by connecting to the
instance in the public subnet and pinging the private IP address of the instance in the subnet of the

1826
EC2
private VPC. The security group rules for the instance in the private subnet allow incoming ICMP traffic
(and therefore allow the ping command).
JSON
{
"Description": "Creates two VPCs, peers the VPCs, and launches an instance in each
VPC.",
"Parameters": {
"EC2KeyPairName": {
instances",
},
"myVPCIDCIDRRange": {
"Description": "The IP address range for your new VPC.",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "10.1.0.0/16",
},
"myPrivateVPCIDCIDRRange": {
"Description": "The IP address range for your new Private VPC.",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "10.0.0.0/16",
},
"EC2SubnetCIDRRange": {
"Description": "The IP address range for a subnet in myPrivateVPC.",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "10.0.0.0/24",
},
"EC2PublicSubnetCIDRRange": {
"Description": "The IP address range for a subnet in myVPC.",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "10.1.0.0/24",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\
\d{1,2})",
}
},
"Mappings": {
"AWSRegionToAMI": {
"us-east-1": {
"64": "ami-0ff8a91507f77f867"
},
"us-west-2": {
"64": "ami-a0cfeed8"
},
"us-west-1": {
"64": "ami-0bdb828fd58c52235"
},

1827
EC2
"eu-west-1": {
"64": "ami-047bb4163c506cd98"
},
"ap-southeast-1": {
"64": "ami-08569b978cc4dfa10"
},
"ap-southeast-2": {
"64": "ami-09b42976632b27e9b"
},
"ap-northeast-2": {
"64": "ami-0d097db2fb6e0f05e"
},
"ap-northeast-1": {
"64": "ami-06cd52961ce9f0d85"
},
"sa-east-1": {
"64": "ami-07b14488da8ea02a0"
}
}
},
"Resources": {
"myPrivateVPC": {
"Properties": {
"CidrBlock": {"Ref": "myPrivateVPCIDCIDRRange"},
}
},
"myPrivateEC2Subnet" : {
"Properties" : {
"VpcId" : { "Ref" : "myPrivateVPC" },
"CidrBlock" : {"Ref": "EC2SubnetCIDRRange"}
}
},
"RouteTable" : {
"Properties" : {
"VpcId" : {"Ref" : "myPrivateVPC"}
}
},
"PeeringRoute1" : {
"Properties" : {
"RouteTableId" : { "Ref" : "RouteTable" },
"VpcPeeringConnectionId" : { "Ref" : "myVPCPeeringConnection" }
}
},
"SubnetRouteTableAssociation" : {
"Properties" : {
"SubnetId" : { "Ref" : "myPrivateEC2Subnet" },
"RouteTableId" : { "Ref" : "RouteTable" }
}
},
"myVPC": {
"Properties": {
"CidrBlock": {"Ref": "myVPCIDCIDRRange"},
"EnableDnsSupport": true,
"EnableDnsHostnames": true,
}

1828
EC2
},
"PublicSubnet": {
"Properties": {
"CidrBlock": {"Ref": "EC2PublicSubnetCIDRRange"},
"VpcId": {
"Ref": "myVPC"
}
}
},
"myInternetGateway": {
},
"AttachGateway": {
"Properties": {
"VpcId": {
"Ref": "myVPC"
},
"Ref": "myInternetGateway"
}
}
},
"PublicRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "myVPC"
}
}
},
"PeeringRoute2" : {
"Properties" : {
"DestinationCidrBlock": { "Ref" : "myPrivateVPCIDCIDRRange" },
"RouteTableId" : { "Ref" : "PublicRouteTable" },
"VpcPeeringConnectionId" : { "Ref" : "myVPCPeeringConnection" }
}
},
"PublicRoute": {
"Type": "AWS::EC2::Route",
"DependsOn": "AttachGateway",
"Properties": {
"RouteTableId": {
},
"GatewayId": {
"Ref": "myInternetGateway"
}
}
},
"PublicSubnetRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
},
"RouteTableId": {
}
}
},
"myPrivateVPCEC2SecurityGroup" : {

1829
EC2
"Properties" : {
"GroupDescription": "Private instance security group",
"VpcId" : { "Ref" : "myPrivateVPC" },
{"IpProtocol" : "icmp", "FromPort" : "-1", "ToPort" : "-1", "CidrIp" :
"0.0.0.0/0"}
]
}
},
"myVPCEC2SecurityGroup" : {
"Properties" : {
"GroupDescription": "Public instance security group",
"0.0.0.0/0"}
]
}
},
"myPrivateInstance" : {
"Properties" : {
"SecurityGroupIds" : [{ "Ref" : "myPrivateVPCEC2SecurityGroup" }],
"SubnetId" : { "Ref" : "myPrivateEC2Subnet" },
"KeyName": {
"Ref": "EC2KeyPairName"
},
"ImageId": {
"Fn::FindInMap": [
"AWSRegionToAMI",
{"Ref": "AWS::Region"},
"64"
]
}
}
},
"myInstance" : {
"Properties" : {
"NetworkInterfaces": [ {
"DeviceIndex": "0",
"GroupSet": [{ "Ref" : "myVPCEC2SecurityGroup" }],
"SubnetId": { "Ref" : "PublicSubnet" }
} ],
"KeyName": {
"Ref": "EC2KeyPairName"
},
"ImageId": {
"Fn::FindInMap": [
"AWSRegionToAMI",
{"Ref": "AWS::Region"},
"64"
]
}
}
},
"myVPCPeeringConnection": {
"Type": "AWS::EC2::VPCPeeringConnection",
"Properties": {
"VpcId": {"Ref": "myVPC"},
"PeerVpcId": {"Ref": "myPrivateVPC"}
}

1830
EC2
}
}
}
YAML
Description: 'Creates two VPCs, peers the VPCs, and launches an instance in each VPC.'
Parameters:
EC2KeyPairName:
myVPCIDCIDRRange:
Description: The IP address range for your new VPC.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 10.1.0.0/16
myPrivateVPCIDCIDRRange:
Description: The IP address range for your new Private VPC.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 10.0.0.0/16
EC2SubnetCIDRRange:
Description: The IP address range for a subnet in myPrivateVPC.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 10.0.0.0/24
EC2PublicSubnetCIDRRange:
Description: The IP address range for a subnet in myVPC.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 10.1.0.0/24
Mappings:
AWSRegionToAMI:
us-east-1:
'64': ami-0ff8a91507f77f867
us-west-2:
'64': ami-a0cfeed8
us-west-1:
'64': ami-0bdb828fd58c52235
eu-west-1:
'64': ami-047bb4163c506cd98
ap-southeast-1:
'64': ami-08569b978cc4dfa10
ap-southeast-2:
'64': ami-09b42976632b27e9b
ap-northeast-2:
'64': ami-0d097db2fb6e0f05e
ap-northeast-1:
'64': ami-06cd52961ce9f0d85
sa-east-1:

1831
EC2
'64': ami-07b14488da8ea02a0
Resources:
myPrivateVPC:
Properties:
CidrBlock: !Ref myPrivateVPCIDCIDRRange
myPrivateEC2Subnet:
Properties:
VpcId: !Ref myPrivateVPC
CidrBlock: !Ref EC2SubnetCIDRRange
RouteTable:
Type: 'AWS::EC2::RouteTable'
Properties:
PeeringRoute1:
Properties:
VpcPeeringConnectionId: !Ref myVPCPeeringConnection
SubnetRouteTableAssociation:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
SubnetId: !Ref myPrivateEC2Subnet
myVPC:
Properties:
CidrBlock: !Ref myVPCIDCIDRRange
EnableDnsSupport: true
EnableDnsHostnames: true
PublicSubnet:
Properties:
CidrBlock: !Ref EC2PublicSubnetCIDRRange
VpcId: !Ref myVPC
myInternetGateway:
Type: 'AWS::EC2::InternetGateway'
AttachGateway:
Type: 'AWS::EC2::VPCGatewayAttachment'
Properties:
VpcId: !Ref myVPC
InternetGatewayId: !Ref myInternetGateway
PublicRouteTable:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Ref myVPC
PeeringRoute2:
Properties:
DestinationCidrBlock: !Ref myPrivateVPCIDCIDRRange
VpcPeeringConnectionId: !Ref myVPCPeeringConnection
PublicRoute:
Properties:
GatewayId: !Ref myInternetGateway
PublicSubnetRouteTableAssociation:

1832
EC2
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
myPrivateVPCEC2SecurityGroup:
Properties:
GroupDescription: Private instance security group
- IpProtocol: icmp
FromPort: '-1'
ToPort: '-1'
CidrIp: 0.0.0.0/0
myVPCEC2SecurityGroup:
Properties:
GroupDescription: Public instance security group
VpcId: !Ref myVPC
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 0.0.0.0/0
myPrivateInstance:
Properties:
SecurityGroupIds:
- !Ref myPrivateVPCEC2SecurityGroup
SubnetId: !Ref myPrivateEC2Subnet
KeyName: !Ref EC2KeyPairName
ImageId: !FindInMap
- AWSRegionToAMI
- '64'
myInstance:
Properties:
NetworkInterfaces:
- AssociatePublicIpAddress: 'true'
DeviceIndex: '0'
GroupSet:
- !Ref myVPCEC2SecurityGroup
KeyName: !Ref EC2KeyPairName
ImageId: !FindInMap
- AWSRegionToAMI
- '64'
myVPCPeeringConnection:
Type: 'AWS::EC2::VPCPeeringConnection'
Properties:
VpcId: !Ref myVPC
PeerVpcId: !Ref myPrivateVPC
AWS::EC2::VPNConnection
Specifies a VPN connection between a virtual private gateway and a VPN customer gateway or a transit
gateway and a VPN customer gateway.
To specify a VPN connection between a transit gateway and customer gateway, use the
TransitGatewayId and CustomerGatewayId properties.

1833
EC2
To specify a VPN connection between a virtual private gateway and customer gateway, use the
VpnGatewayId and CustomerGatewayId properties.
For more information, see AWS Site-to-Site VPN in the AWS Site-to-Site VPN User Guide.
Syntax
JSON
{
"Type" : "AWS::EC2::VPNConnection",
"Properties" : {
"CustomerGatewayId" : String,
"StaticRoutesOnly" : Boolean,
"Tags" : [ Tag, ... ],
"Type" : String,
"VpnGatewayId" : String,
"VpnTunnelOptionsSpecifications" : [ VpnTunnelOptionsSpecification (p. 1836), ... ]
}
}
YAML
Type: AWS::EC2::VPNConnection
Properties:
CustomerGatewayId: String
StaticRoutesOnly: Boolean
Tags:
- Tag
Type: String
VpnTunnelOptionsSpecifications:
- VpnTunnelOptionsSpecification (p. 1836)
Properties
CustomerGatewayId
The ID of the customer gateway at your end of the VPN connection.
Required: Yes
Type: String

StaticRoutesOnly
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices
that don't support BGP.
If you are creating a VPN connection for a device that does not support Border Gateway Protocol
(BGP), you must specify true.
Required: No
Type: Boolean

1834
EC2

Tags
Any tags assigned to the VPN connection.
Required: No
Type: List of Tag

TransitGatewayId
The ID of the transit gateway associated with the VPN connection.
You must specify either TransitGatewayId or VpnGatewayId, but not both.
Type: String

Type
The type of VPN connection.
Required: Yes
Type: String

VpnGatewayId
The ID of the virtual private gateway at the AWS side of the VPN connection.
You must specify either TransitGatewayId or VpnGatewayId, but not both.
Type: String

VpnTunnelOptionsSpecifications
The tunnel options for a VPN connection.
Required: No
Type: List of VpnTunnelOptionsSpecification (p. 1836)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the VPN
connection.

1835
EC2
Examples
VPN Connection
The following example specifies a VPN connection between myVPNGateway and MyCustomerGateway.
JSON
"myVPNConnection" : {
"Type" : "AWS::EC2::VPNConnection",
"Properties" : {
"Type" : "ipsec.1",
"StaticRoutesOnly" : "true",
"CustomerGatewayId" : {"Ref" : "myCustomerGateway"},
"VpnGatewayId" : {"Ref" : "myVPNGateway"}
}
}
YAML
myVPNConnection:
Type: AWS::EC2::VPNConnection
Properties:
Type: ipsec.1
StaticRoutesOnly: true
CustomerGatewayId:
!Ref myCustomerGateway
VpnGatewayId:
!Ref myVPNGateway
See Also
• VPNConnection in the Amazon EC2 API Reference
AWS::EC2::VPNConnection VpnTunnelOptionsSpecification
The tunnel options for a VPN connection.
Syntax
JSON
{
"PreSharedKey" : String,
"TunnelInsideCidr" : String
}
YAML
PreSharedKey: String
TunnelInsideCidr: String

1836
EC2
Properties
PreSharedKey
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and
customer gateway.
Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must
be between 8 and 64 characters in length and cannot start with zero (0).
Required: No
Type: String

TunnelInsideCidr
The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be unique across all
VPN connections that use the same virtual private gateway.
Constraints: A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are
reserved and cannot be used:
• 169.254.0.0/30
• 169.254.1.0/30
• 169.254.2.0/30
• 169.254.3.0/30
• 169.254.4.0/30
• 169.254.5.0/30
• 169.254.169.252/30
Required: No
Type: String
AWS::EC2::VPNConnectionRoute
Specifies a static route for a VPN connection between an existing virtual private gateway and a VPN
customer gateway. The static route allows traffic to be routed from the virtual private gateway to the
VPN customer gateway.
Syntax
JSON
{
"Type" : "AWS::EC2::VPNConnectionRoute",
"Properties" : {
"VpnConnectionId" : String
}

1837
EC2
YAML
Type: AWS::EC2::VPNConnectionRoute
Properties:
VpnConnectionId: String
Properties
The CIDR block associated with the local subnet of the customer network.
Required: Yes
Type: String

VpnConnectionId
The ID of the VPN connection.
Required: Yes
Type: String
Return Values
Ref
connection route.
Examples
VPN Connection Route
The following example specifies a VPN connection route.
JSON
"MyConnectionRoute0" : {
"Type" : "AWS::EC2::VPNConnectionRoute",
"Properties" : {
"VpnConnectionId" : {"Ref" : "Connection0"}
}
}
YAML
MyConnectionRoute0:

1838
EC2
Type: AWS::EC2::VPNConnectionRoute
Properties:
VpnConnectionId:
!Ref Connection0
See Also
• CreateVpnConnectionRoute in the Amazon EC2 API Reference
AWS::EC2::VPNGateway
Specifies a virtual private gateway. A virtual private gateway is the endpoint on the VPC side of your VPN
connection. You can create a virtual private gateway before creating the VPC itself.
Syntax
JSON
{
"Type" : "AWS::EC2::VPNGateway",
"Properties" : {
"AmazonSideAsn" : Long,
"Tags" : [ Tag, ... ],
"Type" : String
}
}
YAML
Type: AWS::EC2::VPNGateway
Properties:
AmazonSideAsn: Long
Tags:
- Tag
Type: String
Properties
AmazonSideAsn
The private Autonomous System Number (ASN) for the Amazon side of a BGP session.
Required: No
Type: Long

Tags
Any tags assigned to the virtual private gateway.
Required: No

1839
EC2
Type: List of Tag

Type
The type of VPN connection the virtual private gateway supports.
Required: Yes
Type: String
Return Values
Ref
gateway.
Examples
VPN Gateway
The following example declares a VPN gateway that uses IPSec 1.
JSON
"myVPNGateway" : {
"Type" : "AWS::EC2::VPNGateway",
"Properties" : {
"Type" : "ipsec.1",
"Tags" : [ { "Key" : "Use", "Value" : "Test" } ]
}
}
YAML
myVPNGateway:
Type: AWS::EC2::VPNGateway
Properties:
Type: ipsec.1
Tags:
- Key: Use
Value: Test
See Also
• CreateVPNGateway in the Amazon EC2 API Reference
AWS::EC2::VPNGatewayRoutePropagation
Enables a virtual private gateway (VGW) to propagate routes to the specified route table of a VPC.

1840
EC2
If you reference a VPN gateway that is in the same template as your VPN gateway route
propagation, you must explicitly declare a dependency on the VPN gateway attachment.
The AWS::EC2::VPNGatewayRoutePropagation resource cannot use the VPN
gateway until it has successfully attached to the VPC. Add a DependsOn Attribute in the
AWS::EC2::VPNGatewayRoutePropagation resource to explicitly declare a dependency on the VPN
gateway attachment.
Syntax
JSON
{
"Type" : "AWS::EC2::VPNGatewayRoutePropagation",
"Properties" : {
"RouteTableIds" : [ String, ... ],
"VpnGatewayId" : String
}
}
YAML
Type: AWS::EC2::VPNGatewayRoutePropagation
Properties:
RouteTableIds:
- String
Properties
RouteTableIds
The ID of the route table. The routing table must be associated with the same VPC that the virtual
private gateway is attached to.
Required: Yes

VpnGatewayId
The ID of the virtual private gateway that is attached to a VPC. The virtual private gateway must be
attached to the same VPC that the routing tables are associated with.
Required: Yes
Type: String
Return Values
Ref
gateway.

1841
Amazon ECR
Examples
VPN Gateway Route Propagation
The following example enables route propagation for the private route table named PrivateRouteTable .
JSON
"myVPNGatewayRouteProp" : {
"Type" : "AWS::EC2::VPNGatewayRoutePropagation",
"Properties" : {
"RouteTableIds" : [{"Ref" : "PrivateRouteTable"}],
"VpnGatewayId" : {"Ref" : "VPNGateway"}
}
}
YAML
Type: AWS::EC2::VPNGatewayRoutePropagation
Properties:
RouteTableIds:
- !Ref PrivateRouteTable
VpnGatewayId: !Ref VPNGateway
See Also
• EnableVgwRoutePropagation in the Amazon EC2 API Reference
Amazon ECR Resource Type Reference

Resource Types
• AWS::ECR::Repository (p. 1842)
AWS::ECR::Repository
The AWS::ECR::Repository resource specifies an Amazon Elastic Container Registry (Amazon ECR)
repository, where users can push and pull Docker images. For more information, see Amazon ECR
Repositories in the Amazon Elastic Container Registry User Guide.
Syntax
JSON
{
"Type" : "AWS::ECR::Repository",
"Properties" : {
"LifecyclePolicy" : LifecyclePolicy (p. 1846),
"RepositoryPolicyText" : Json,
"Tags" : [ Tag, ... ]

1842
Amazon ECR
}
}
YAML
Type: AWS::ECR::Repository
Properties:
LifecyclePolicy:
LifecyclePolicy (p. 1846)
RepositoryPolicyText: Json
Tags:
- Tag
Properties
LifecyclePolicy
Creates or updates a lifecycle policy. For information about lifecycle policy syntax, see Lifecycle
Policy Template.
Required: No
Type: LifecyclePolicy (p. 1846)

RepositoryName
The name to use for the repository. The repository name may be specified on its own (such as
nginx-web-app) or it can be prepended with a namespace to group the repository into a category
(such as project-a/nginx-web-app). If you don't specify a name, AWS CloudFormation generates
a unique physical ID and uses that ID for the repository name. For more information, see Name Type.
Note
Required: No
Type: String
Minimum: 2
Maximum: 256
Pattern: (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*

RepositoryPolicyText
The JSON repository policy text to apply to the repository. For more information, see Amazon ECR
Repository Policy Examples in the Amazon Elastic Container Registry User Guide.
Required: No
Type: Json
Minimum: 0

1843
Amazon ECR
Maximum: 10240

Tags
Required: No
Type: List of Tag
Return Values
Ref
name, such as test-repository.
Fn::GetAtt
Arn
Returns the Amazon Resource Name (ARN) for the specified AWS::ECR::Repository resource. For
example, arn:aws:ecr:eu-west-1:123456789012:repository/test-repository .
Examples
Specify a repository
The following example specifies a repository named test-repository. Its policy permits the users Bob
and Alice to push and pull images. Note that the IAM users actually need to exist, or stack creation will
fail.
JSON
"MyRepository": {
"Type": "AWS::ECR::Repository",
"Properties": {
"RepositoryName" : "test-repository",
"RepositoryPolicyText" : {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/Bob",
"arn:aws:iam::123456789012:user/Alice"

1844
Amazon ECR
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
]
}
]
}
}
}
YAML
MyRepository:
Properties:
RepositoryName: "test-repository"
RepositoryPolicyText:
Version: "2012-10-17"
Statement:
-
Sid: AllowPushPull
Effect: Allow
Principal:
AWS:
- "arn:aws:iam::123456789012:user/Bob"
- "arn:aws:iam::123456789012:user/Alice"
Action:
- "ecr:GetDownloadUrlForLayer"
- "ecr:BatchGetImage"
- "ecr:BatchCheckLayerAvailability"
- "ecr:PutImage"
- "ecr:InitiateLayerUpload"
- "ecr:UploadLayerPart"
- "ecr:CompleteLayerUpload"
Specify a repository with a lifecycle policy
The following example creates a repository with a lifecycle policy.
JSON
{
"Parameters": {
"lifecyclePolicyText": {
"Type": "String"
},
"repositoryName": {
"Type": "String"
},
"registryId": {
"Type": "String"
}
},
"Resources": {
"MyRepository": {
"Type": "AWS::ECR::Repository",

1845
Amazon ECR
"Properties": {
"LifecyclePolicy": {
"LifecyclePolicyText": {
"Ref": "lifecyclePolicyText"
},
"RegistryId": {
"Ref": "registryId"
}
},
"RepositoryName": {
"Ref": "repositoryName"
}
}
}
},
"Outputs": {
"Arn": {
"Value": {
"Fn::GetAtt": [
"MyRepository",
"Arn"
]
}
}
}
}
YAML
Parameters:
lifecyclePolicyText:
Type: String
repositoryName:
Type: String
registryId:
Type: String
Resources:
MyRepository:
Properties:
LifecyclePolicy:
LifecyclePolicyText: !Ref lifecyclePolicyText
RegistryId: !Ref registryId
RepositoryName: !Ref repositoryName
Outputs:
Arn:
Value: !GetAtt MyRepository.Arn
See Also
• Creating a Lifecycle Policy in the Amazon Elastic Container Registry User Guide
• PutLifecyclePolicy in the Amazon Elastic Container Registry API Reference
AWS::ECR::Repository LifecyclePolicy
The LifecyclePolicy property type specifies a lifecycle policy. For information about lifecycle policy
syntax, see Lifecycle Policy Template.
Syntax

1846
ECS
JSON
{
"LifecyclePolicyText" : String,
"RegistryId" : String
}
YAML
LifecyclePolicyText: String
RegistryId: String
Properties
LifecyclePolicyText
The JSON repository policy text to apply to the repository.
Required: No
Type: String
Minimum: 100
Maximum: 30720

RegistryId
The AWS account ID associated with the registry that contains the repository. If you do
not specify a registry, the default registry is assumed.
Required: No
Type: String
Pattern: [0-9]{12}
See Also
• Creating a Lifecycle Policy in the Amazon Elastic Container Registry User Guide
• PutLifecyclePolicy in the Amazon Elastic Container Registry API Reference
ECS Resource Type Reference

Resource Types
• AWS::ECS::Cluster (p. 1848)

• AWS::ECS::PrimaryTaskSet (p. 1850)
• AWS::ECS::Service (p. 1852)
• AWS::ECS::TaskDefinition (p. 1873)
• AWS::ECS::TaskSet (p. 1922)

1847
ECS
AWS::ECS::Cluster
The AWS::ECS::Cluster resource creates an Amazon Elastic Container Service (Amazon ECS) cluster.
Syntax
JSON
{
"Type" : "AWS::ECS::Cluster",
"Properties" : {
"ClusterSettings" : [ ClusterSetting (p. 1850), ... ],
"Tags" : [ Tag, ... ]
}
}
YAML
Properties:
ClusterName: String
ClusterSettings:
- ClusterSetting (p. 1850)
Tags:
- Tag
Properties
ClusterName
A user-generated string that you use to identify your cluster. If you don't specify a name, AWS
CloudFormation generates a unique physical ID for the name.
Required: No
Type: String

ClusterSettings
The setting to use when creating a cluster. This parameter is used to enable CloudWatch Container
Insights for a cluster. If this value is specified, it will override the containerInsights value set
with PutAccountSetting or PutAccountSettingDefault.
Required: No
Type: List of ClusterSetting (p. 1850)

Tags
The metadata that you apply to the cluster to help you categorize and organize them. Each tag
consists of a key and an optional value, both of which you define.
The following basic restrictions apply to tags:

• Maximum number of tags per resource - 50

1848
ECS
• For each resource, each tag key must be unique, and each tag key can have only one value.
• Maximum key length - 128 Unicode characters in UTF-8
• Maximum value length - 256 Unicode characters in UTF-8
• If your tagging schema is used across multiple services and resources, remember that other
services may have restrictions on allowed characters. Generally allowed characters are: letters,
numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.
• Tag keys and values are case-sensitive.
• Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys
or values as it is reserved for AWS use. You cannot edit or delete tag keys or values with this prefix.
Tags with this prefix do not count against your tags per resource limit.
Required: No
Type: List of Tag
Maximum: 50
Return Values
Ref
name.
In the following example, the Ref function returns the name of the MyECSCluster cluster, such as
MyStack-MyECSCluster-NT5EUXTNTXXD.
{ "Ref": "MyECSCluster" }
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the Amazon ECS cluster, such as arn:aws:ecs:us-
east-2:123456789012:cluster/MyECSCluster.
Examples
Creating an Amazon ECS cluster
The following sample declares an Amazon ECS cluster:
JSON
"MyCluster": {
"Type": "AWS::ECS::Cluster"
}

1849
ECS
YAML
MyCluster:
AWS::ECS::Cluster ClusterSetting
The settings to use when creating a cluster. This parameter is used to enable CloudWatch Container
Insights for a cluster.
Syntax
JSON
{
"Name" : String,
"Value" : String
}
YAML
Name: String
Value: String
Properties
Name
The name of the cluster setting. The only supported value is containerInsights.
Required: Yes
Type: String
Allowed Values: containerInsights

Value
The value to set for the cluster setting. The supported values are enabled and disabled. If
enabled is specified, CloudWatch Container Insights will be enabled for the cluster, otherwise
it will be disabled unless the containerInsights account setting is enabled. If a cluster value
is specified, it will override the containerInsights value set with PutAccountSetting or
PutAccountSettingDefault.
Required: Yes
Type: String
AWS::ECS::PrimaryTaskSet
Specifies which task set in a service is the primary task set. Any parameters that are updated on the
primary task set in a service will transition to the service. This is used when a service uses the EXTERNAL

1850
ECS
deployment controller type. For more information, see Amazon ECS Deployment Types in the Amazon
Elastic Container Service Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ECS::PrimaryTaskSet",
"Properties" : {
"Cluster" : String,
"Service" : String,
"TaskSetId" : String
}
}
YAML
Type: AWS::ECS::PrimaryTaskSet
Properties:
Cluster: String
Service: String
TaskSetId: String
Properties
Cluster
The short name or full Amazon Resource Name (ARN) of the cluster that hosts the service that the
task set exists in.
Required: Yes
Type: String

Service
The short name or full Amazon Resource Name (ARN) of the service that the task set exists in.
Required: Yes
Type: String

TaskSetId
The short name or full Amazon Resource Name (ARN) of the task set to set as the primary task set in
the deployment.
Required: Yes
Type: String

1851
ECS
Return Values
Ref
name.
AWS::ECS::Service
The AWS::ECS::Service resource creates an Amazon Elastic Container Service (Amazon ECS) service
that runs and maintains the requested number of tasks and associated load balancers.
Syntax
JSON
{
"Type" : "AWS::ECS::Service",
"Properties" : {
"Cluster" : String,
"DeploymentConfiguration" : DeploymentConfiguration (p. 1865),
"DeploymentController" : DeploymentController (p. 1867),
"DesiredCount" : Integer,
"EnableECSManagedTags" : Boolean,
"HealthCheckGracePeriodSeconds" : Integer,
"LoadBalancers" : [ LoadBalancer (p. 1867), ... ],
"PlacementConstraints" : [ PlacementConstraint (p. 1870), ... ],
"PlacementStrategies" : [ PlacementStrategy (p. 1871), ... ],
"PropagateTags" : String,
"Role" : String,
"SchedulingStrategy" : String,
"ServiceName" : String,
"ServiceRegistries" : [ ServiceRegistry (p. 1872), ... ],
"Tags" : [ Tag, ... ],
"TaskDefinition" : String
}
}
YAML
Properties:
Cluster: String
DeploymentConfiguration:
DeploymentConfiguration (p. 1865)
DeploymentController:
DeploymentController (p. 1867)
DesiredCount: Integer
EnableECSManagedTags: Boolean
HealthCheckGracePeriodSeconds: Integer
LaunchType: String
LoadBalancers:
- LoadBalancer (p. 1867)

1852
ECS

PlacementConstraints:
- PlacementConstraint (p. 1870)
PlacementStrategies:
- PlacementStrategy (p. 1871)
PropagateTags: String
Role: String
SchedulingStrategy: String
ServiceName: String
ServiceRegistries:
- ServiceRegistry (p. 1872)
Tags:
- Tag
TaskDefinition: String
Properties
Cluster
The short name or full Amazon Resource Name (ARN) of the cluster on which to run your service. If
you do not specify a cluster, the default cluster is assumed.
Required: No
Type: String

DeploymentConfiguration
Optional deployment parameters that control how many tasks run during the deployment and the
ordering of stopping and starting tasks.
Required: No
Type: DeploymentConfiguration (p. 1865)

DeploymentController
The deployment controller to use for the service.
Required: No
Type: DeploymentController (p. 1867)

DesiredCount
The number of instantiations of the specified task definition to place and keep running on your
cluster.
This is required if schedulingStrategy is REPLICA or is not specified. If schedulingStrategy is

DAEMON then this is not required.
Type: Integer

1853
ECS
EnableECSManagedTags
Specifies whether to enable Amazon ECS managed tags for the tasks within the service. For more
information, see Tagging Your Amazon ECS Resources in the Amazon Elastic Container Service
Developer Guide.
Required: No
Type: Boolean

HealthCheckGracePeriodSeconds
The period of time, in seconds, that the Amazon ECS service scheduler should ignore unhealthy
Elastic Load Balancing target health checks after a task has first started. This is only valid if your
service is configured to use a load balancer. If your service's tasks take a while to start and respond
to Elastic Load Balancing health checks, you can specify a health check grace period of up to
2,147,483,647 seconds. During that time, the ECS service scheduler ignores health check status. This
grace period can prevent the ECS service scheduler from marking tasks as unhealthy and stopping
them before they have time to come up.
Required: No
Type: Integer

LaunchType
The launch type on which to run your service. For more information, see Amazon ECS Launch Types
in the Amazon Elastic Container Service Developer Guide.
If a launchType is specified, the capacityProviderStrategy parameter must be omitted.
Required: No
Type: String

LoadBalancers
A list of load balancer objects to associate with the cluster. If you specify the Role property,
LoadBalancers must be specified as well. For information about the number of load balancers
that you can specify per service, see Service Load Balancing in the Amazon Elastic Container Service
Developer Guide.
Required: No
Type: List of LoadBalancer (p. 1867)

The network configuration for the service. This parameter is required for task definitions that use
the awsvpc network mode to receive their own elastic network interface, and it is not supported for
other network modes. For more information, see Task Networking in the Amazon Elastic Container
Service Developer Guide.
Required: No

1854
ECS

PlacementConstraints
An array of placement constraint objects to use for tasks in your service. You can specify a maximum
of 10 constraints per task (this limit includes constraints in the task definition and those specified at
runtime).
Required: No
Type: List of PlacementConstraint (p. 1870)

PlacementStrategies
The placement strategy objects to use for tasks in your service. You can specify a maximum of five
strategy rules per service. For more information, see Task Placement Strategies in the Amazon Elastic
Required: No
Type: List of PlacementStrategy (p. 1871)

PlatformVersion
The platform version that your tasks in the service are running on. A platform version is specified
only for tasks using the Fargate launch type. If one isn't specified, the LATEST platform version is
used by default. For more information, see AWS Fargate Platform Versions in the Amazon Elastic
Required: No
Type: String

PropagateTags
Specifies whether to propagate the tags from the task definition or the service to the tasks in the
service. If no value is specified, the tags are not propagated. Tags can only be propagated to the
tasks within the service during service creation. To add tags to a task after service creation, use the
TagResource API action.
Required: No
Type: String
Allowed Values: SERVICE | TASK_DEFINITION

Role
The name or full Amazon Resource Name (ARN) of the IAM role that allows Amazon ECS to make
calls to your load balancer on your behalf. This parameter is only permitted if you are using a load
balancer with your service and your task definition does not use the awsvpc network mode. If you
specify the role parameter, you must also specify a load balancer object with the loadBalancers
parameter.

1855
ECS
Important
If your account has already created the Amazon ECS service-linked role, that role is used by
default for your service unless you specify a role here. The service-linked role is required
if your task definition uses the awsvpc network mode or if the service is configured
to use service discovery, an external deployment controller, multiple target groups,
or Elastic Inference accelerators in which case you should not specify a role here. For
more information, see Using Service-Linked Roles for Amazon ECS in the Amazon Elastic
If your specified role has a path other than /, then you must either specify the full role ARN (this
is recommended) or prefix the role name with the path. For example, if a role with the name bar
has a path of /foo/ then you would specify /foo/bar as the role name. For more information, see
Friendly Names and Paths in the IAM User Guide.
Required: No
Type: String

SchedulingStrategy
The scheduling strategy to use for the service. For more information, see Services.
There are two service scheduler strategies available:

• REPLICA-The replica scheduling strategy places and maintains the desired number of tasks across
your cluster. By default, the service scheduler spreads tasks across Availability Zones. You can use
task placement strategies and constraints to customize task placement decisions. This scheduler
strategy is required if the service is using the CODE_DEPLOY or EXTERNAL deployment controller
types.
• DAEMON-The daemon scheduling strategy deploys exactly one task on each active container
instance that meets all of the task placement constraints that you specify in your cluster. When
you're using this strategy, you don't need to specify a desired number of tasks, a task placement
strategy, or use Service Auto Scaling policies.
Note
Tasks using the Fargate launch type or the CODE_DEPLOY or EXTERNAL deployment
controller types don't support the DAEMON scheduling strategy.
Required: No
Type: String
Allowed Values: DAEMON | REPLICA

ServiceName
The name of your service. Up to 255 letters (uppercase and lowercase), numbers, and hyphens are
allowed. Service names must be unique within a cluster, but you can have similarly named services in
multiple clusters within a Region or across multiple Regions.
Required: No
Type: String

ServiceRegistries
The details of the service discovery registries to assign to this service. For more information, see
Service Discovery.

1856
ECS
Note
Service discovery is supported for Fargate tasks if you are using platform version v1.1.0 or
later. For more information, see AWS Fargate Platform Versions.
Required: No
Type: List of ServiceRegistry (p. 1872)

Tags
The metadata that you apply to the service to help you categorize and organize them. Each tag
consists of a key and an optional value, both of which you define. When a service is deleted, the tags
are deleted as well.

Required: No
Type: List of Tag
Maximum: 50

TaskDefinition
The family and revision (family:revision) or full ARN of the task definition to run in your
service. The revision is required in order for the resource to stabilize.
A task definition must be specified if the service is using the ECS deployment controller.
Required: No
Type: String
Return Values
Ref
Resource Name (ARN).
In the following example, the Ref function returns the ARN of the MyECSService service, such as
arn:aws:ecs:us-west-2:123456789012:service/sample-webapp.

1857
ECS
{ "Ref": "MyECSService" }
Fn::GetAtt
Name
The name of the Amazon ECS service, such as sample-webapp.
Examples
Define a Basic Amazon ECS Service
The following example defines an Amazon ECS service that uses a cluster and task definition that are
declared elsewhere in the same template.
JSON
"WebApp": {
"Type": "AWS::ECS::Service",
"Properties" : {
"Cluster": { "Ref": "cluster" },
"DesiredCount": { "Ref": "desiredcount" },
"TaskDefinition" : { "Ref": "taskdefinition" }
}
}
YAML
WebApp:
Properties:
Cluster:
Ref: "cluster"
DesiredCount:
Ref: "desiredcount"
TaskDefinition:
Ref: "taskdefinition"
Associate an Application Load Balancer with a Service
The following example associates an Application Load Balancer with an Amazon ECS service by
referencing an AWS::ElasticLoadBalancingV2::TargetGroup resource.
Note
The Amazon ECS service requires an explicit dependency on the Application Load Balancer
listener rule and the Application Load Balancer listener. This prevents the service from starting
before the listener is ready.
JSON
"service" : {

1858
ECS
"Type" : "AWS::ECS::Service",
"DependsOn": ["Listener"],
"Properties" : {
"Role" : { "Ref" : "ECSServiceRole" },
"TaskDefinition" : { "Ref" : "taskdefinition" },
"DesiredCount" : "1",
"LoadBalancers" : [{
"TargetGroupArn" : { "Ref" : "TargetGroup" },
"ContainerPort" : "80",
"ContainerName" : "sample-app"
}],
"Cluster" : { "Ref" : "ECSCluster" }
}
}
YAML
service:
DependsOn:
- Listener
Properties:
Role:
Ref: ECSServiceRole
TaskDefinition:
Ref: taskdefinition
DesiredCount: 1
LoadBalancers:
- TargetGroupArn:
Ref: TargetGroup
ContainerPort: 80
ContainerName: sample-app
Cluster:
Ref: ECSCluster
Define a Service with a Health Check Grace Period

The following example defines a service with a parameter that enables users to specify how many
seconds that the Amazon ECS service scheduler should ignore unhealthy Elastic Load Balancing target
health checks after a task has first started.
JSON
{
"Description" : "Creating ECS service",
"Parameters": {
"AppName": {
"Type":"String",
"Description": "Name of app requiring ELB exposure",
"Default": "simple-app"
},
"AppContainerPort": {
"Type":"Number",
"Description": "Container port of app requiring ELB exposure",
"Default": "80"
},
"AppHostPort": {
"Type":"Number",
"Description": "Host port of app requiring ELB exposure",
"Default": "80"
},
"ServiceName": {

1859
ECS
"Type": "String"
},
"LoadBalancerName": {
"Type": "String"
},
"HealthCheckGracePeriodSeconds": {
"Type": "String"
}
},
"Resources": {
"cluster": {
"Type": "AWS::ECS::Cluster"
},
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties" : {
"ContainerDefinitions" : [
{
"Name": {"Ref": "AppName"},
"MountPoints": [
{
"SourceVolume": "my-vol",
"ContainerPath": "/var/www/my-vol"
}
],
"Cpu": "10",
"PortMappings":[
{
"ContainerPort": {"Ref":"AppContainerPort"},
"HostPort": {"Ref":"AppHostPort"}
}
],
"EntryPoint": [
"-D",
"FOREGROUND"
],
"Memory":"500",
"Essential": "true"
},
{
"Name": "busybox",
"Image": "busybox",
"Cpu": "10",
"EntryPoint": [
"sh",
"-c"
],
"Memory": "500",
"Command": [
\""
],
"Essential" : "false",
"VolumesFrom": [
{
"SourceContainer": {"Ref":"AppName"}
}
]
}
],
"Volumes": [
{
"Host": {
"SourcePath": "/var/lib/docker/vfs/dir/"

1860
ECS
},
"Name": "my-vol"
}
]
}
},
"service": {
"Type": "AWS::ECS::Service",
"Properties" : {
"Cluster": {"Ref": "cluster"},
"DeploymentConfiguration": {
"MaximumPercent": 200,
"MinimumHealthyPercent": 100
},
"DesiredCount": 0,
"HealthCheckGracePeriodSeconds": {"Ref": "HealthCheckGracePeriodSeconds"},
"LoadBalancers": [{
"ContainerName": {"Ref" : "AppName"},
"LoadBalancerName": {"Ref": "elb"}
}],
"PlacementStrategies": [{
"Type" : "binpack",
"Field": "memory"
}, {
"Type": "spread",
"Field": "host"
}],
"PlacementConstraints": [{
"Type": "memberOf",
"Expression": "attribute:ecs.availability-zone != us-east-1d"
}, {
"Type": "distinctInstance"
}],
"TaskDefinition" : {"Ref":"taskdefinition"},
"ServiceName": {"Ref": "ServiceName"},
"Role": {"Ref": "Role"}
}
},
"elb": {
"Properties": {
"LoadBalancerName": {"Ref": "LoadBalancerName"},
"Listeners": [{
"InstancePort": {"Ref": "AppHostPort"},
"Protocol": "HTTP"
}],
"Subnets": [{"Ref":"Subnet1"}]
},
"DependsOn": "GatewayAttachment"
},
"VPC": {
"Properties": {
"CidrBlock": "10.0.0.0/24"
}
},
"Subnet1": {
"Properties": {
"CidrBlock": "10.0.0.0/25"
}
},
"InternetGateway": {

1861
ECS
},
"GatewayAttachment": {
"Properties": {
"InternetGatewayId": {"Ref": "InternetGateway"},
"VpcId": {"Ref": "VPC"}
}
},
"Role": {
"Properties": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs.amazonaws.com"
},
}
]
},
AmazonEC2ContainerServiceRole"]
}
}
},
"Outputs" : {
"Cluster": {
"Value": {"Ref" : "cluster"}
}
}
}
YAML
Description: Creating ECS service
Parameters:
AppName:
Type: String
Description: Name of app requiring ELB exposure
Default: simple-app
AppContainerPort:
Type: Number
Description: Container port of app requiring ELB exposure
Default: '80'
AppHostPort:
Type: Number
Description: Host port of app requiring ELB exposure
Default: '80'
ServiceName:
Type: String
LoadBalancerName:
Type: String
HealthCheckGracePeriodSeconds:
Type: String
Resources:
cluster:
taskdefinition:

1862
ECS
Properties:
- Name: !Ref AppName
MountPoints:
- SourceVolume: my-vol
ContainerPath: /var/www/my-vol
Image: amazon/amazon-ecs-sample
Cpu: '10'
PortMappings:
- ContainerPort: !Ref AppContainerPort
HostPort: !Ref AppHostPort
EntryPoint:
- /usr/sbin/apache2
- '-D'
- FOREGROUND
Memory: '500'
Essential: true
- Name: busybox
Image: busybox
Cpu: '10'
EntryPoint:
- sh
- '-c'
Memory: '500'
Command:
- >-
/bin/sh -c "while true; do /bin/date > /var/www/my-vol/date; sleep
1; done"
Essential: false
VolumesFrom:
- SourceContainer: !Ref AppName
Volumes:
- Host:
SourcePath: /var/lib/docker/vfs/dir/
Name: my-vol
service:
Properties:
Cluster: !Ref cluster
DeploymentConfiguration:
MaximumPercent: 200
MinimumHealthyPercent: 100
DesiredCount: 0
HealthCheckGracePeriodSeconds: !Ref HealthCheckGracePeriodSeconds
LoadBalancers:
- ContainerName: !Ref AppName
ContainerPort: !Ref AppContainerPort
LoadBalancerName: !Ref elb
PlacementStrategies:
- Type: binpack
Field: memory
- Type: spread
Field: host
- Type: memberOf
Expression: 'attribute:ecs.availability-zone != us-east-1d'
- Type: distinctInstance
TaskDefinition: !Ref taskdefinition
ServiceName: !Ref ServiceName
Role: !Ref Role
elb:
Properties:
LoadBalancerName: !Ref LoadBalancerName
Listeners:

1863
ECS
- InstancePort: !Ref AppHostPort

LoadBalancerPort: '80'
Protocol: HTTP
Subnets:
- !Ref Subnet1
DependsOn: GatewayAttachment
VPC:
Type: AWS::EC2::VPC
Properties:
Subnet1:
Properties:
VpcId: !Ref VPC
InternetGateway:
GatewayAttachment:
Properties:
VpcId: !Ref VPC
Role:
Properties:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: ecs.amazonaws.com
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
Outputs:
Cluster:
Value: !Ref cluster
AWS::ECS::Service AwsVpcConfiguration
The AwsVpcConfiguration property specifies an object representing the networking details for a task
or service.
Syntax
JSON
{
}
YAML
SecurityGroups:
- String
Subnets:

1864
ECS
- String
Properties
AssignPublicIp
Whether the task's elastic network interface receives a public IP address. The default value is
DISABLED.
Required: No
Type: String

SecurityGroups
The security groups associated with the task or service. If you do not specify a security group, the
default security group for the VPC is used. There is a limit of 5 security groups that can be specified
per AwsVpcConfiguration.
Note
All specified security groups must be from the same VPC.
Required: No

Subnets
The subnets associated with the task or service. There is a limit of 16 subnets that can be specified
Note
All specified subnets must be from the same VPC.
Required: Yes
AWS::ECS::Service DeploymentConfiguration
The DeploymentConfiguration property specifies optional deployment parameters that control how
many tasks run during the deployment and the ordering of stopping and starting tasks.
Syntax
JSON
{
"MaximumPercent" : Integer,
"MinimumHealthyPercent" : Integer

1865
ECS
YAML
MaximumPercent: Integer
MinimumHealthyPercent: Integer
Properties
MaximumPercent
If a service is using the rolling update (ECS) deployment type, the maximum percent parameter
represents an upper limit on the number of tasks in a service that are allowed in the RUNNING or
PENDING state during a deployment, as a percentage of the desired number of tasks (rounded
down to the nearest integer), and while any container instances are in the DRAINING state if
the service contains tasks using the EC2 launch type. This parameter enables you to define the
deployment batch size. For example, if your service has a desired number of four tasks and a
maximum percent value of 200%, the scheduler may start four new tasks before stopping the four
older tasks (provided that the cluster resources required to do this are available). The default value
for maximum percent is 200%.
If a service is using the blue/green (CODE_DEPLOY) or EXTERNAL deployment types and tasks that
use the EC2 launch type, the maximum percent value is set to the default value and is used to
define the upper limit on the number of the tasks in the service that remain in the RUNNING state
while the container instances are in the DRAINING state. If the tasks in the service use the Fargate
launch type, the maximum percent value is not used, although it is returned when describing your
service.
Required: No
Type: Integer

MinimumHealthyPercent
If a service is using the rolling update (ECS) deployment type, the minimum healthy percent
represents a lower limit on the number of tasks in a service that must remain in the RUNNING state
during a deployment, as a percentage of the desired number of tasks (rounded up to the nearest
integer), and while any container instances are in the DRAINING state if the service contains tasks
using the EC2 launch type. This parameter enables you to deploy without using additional cluster
capacity. For example, if your service has a desired number of four tasks and a minimum healthy
percent of 50%, the scheduler may stop two existing tasks to free up cluster capacity before starting
two new tasks. Tasks for services that do not use a load balancer are considered healthy if they are in
the RUNNING state; tasks for services that do use a load balancer are considered healthy if they are
in the RUNNING state and they are reported as healthy by the load balancer. The default value for
minimum healthy percent is 100%.
If a service is using the blue/green (CODE_DEPLOY) or EXTERNAL deployment types and tasks that
use the EC2 launch type, the minimum healthy percent value is set to the default value and is used
to define the lower limit on the number of the tasks in the service that remain in the RUNNING state
while the container instances are in the DRAINING state. If the tasks in the service use the Fargate
launch type, the minimum healthy percent value is not used, although it is returned when describing
your service.
Required: No
Type: Integer

1866
ECS
AWS::ECS::Service DeploymentController
The deployment controller to use for the service. For more information, see Amazon ECS Deployment
Types in the Amazon Elastic Container Service Developer Guide.
Syntax
JSON
{
"Type" : String
}
YAML
Type: String
Properties
Type
The deployment controller type to use.
There are three deployment controller types available:

ECS
The rolling update (ECS) deployment type involves replacing the current running version
of the container with the latest version. The number of containers Amazon ECS adds or
removes from the service during a rolling update is controlled by adjusting the minimum and
maximum number of healthy tasks allowed during a service deployment, as specified in the
DeploymentConfiguration.
CODE_DEPLOY
The blue/green (CODE_DEPLOY) deployment type uses the blue/green deployment model
powered by AWS CodeDeploy, which allows you to verify a new deployment of a service before
sending production traffic to it.
EXTERNAL
The external (EXTERNAL) deployment type enables you to use any third-party deployment
controller for full control over the deployment process for an Amazon ECS service.
Required: No
Type: String
Allowed Values: CODE_DEPLOY | ECS | EXTERNAL
AWS::ECS::Service LoadBalancer
The LoadBalancer property specifies details on a load balancer that is used with a service.

1867
ECS
If the service is using the ECS deployment controller, you are limited to one load balancer or target
group.
If the service is using the CODE_DEPLOY deployment controller, the service is required to use either
an Application Load Balancer or Network Load Balancer. When you are creating an AWS CodeDeploy
deployment group, you specify two target groups (referred to as a targetGroupPair). Each target
group binds to a separate task set in the deployment. The load balancer can also have up to two
listeners, a required listener for production traffic and an optional listener that allows you to test new
revisions of the service before routing production traffic to it.
Services with tasks that use the awsvpc network mode (for example, those with the Fargate launch type)
only support Application Load Balancers and Network Load Balancers. Classic Load Balancers are not
supported. Also, when you create any target groups for these services, you must choose ip as the target
type, not instance. Tasks that use the awsvpc network mode are associated with an elastic network
interface, not an Amazon EC2 instance.
Syntax
JSON
{
"ContainerName" : String,
"ContainerPort" : Integer,
"LoadBalancerName" : String,
"TargetGroupArn" : String
}
YAML
ContainerName: String
ContainerPort: Integer
LoadBalancerName: String
TargetGroupArn: String
Properties
ContainerName
The name of the container (as it appears in a container definition) to associate with the load
balancer.
Required: No
Type: String

ContainerPort
The port on the container to associate with the load balancer. This port must correspond to a
containerPort in the task definition the tasks in the service are using. For tasks that use the EC2
launch type, the container instance they are launched on must allow ingress traffic on the hostPort
of the port mapping.
Required: Yes
Type: Integer

1868
ECS

LoadBalancerName
The name of the load balancer to associate with the Amazon ECS service or task set.
A load balancer name is only specified when using a Classic Load Balancer. If you are using an
Application Load Balancer or a Network Load Balancer this should be omitted.
Required: No
Type: String

TargetGroupArn
The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups
associated with a service or task set.
A target group ARN is only specified when using an Application Load Balancer or Network Load
Balancer. If you are using a Classic Load Balancer this should be omitted.
For services using the ECS deployment controller, you can specify one or multiple target groups.
For more information, see Registering Multiple Target Groups with a Service in the Amazon Elastic
For services using the CODE_DEPLOY deployment controller, you are required to define two target
groups for the load balancer. For more information, see Blue/Green Deployment with CodeDeploy in
the Amazon Elastic Container Service Developer Guide.
Important
If your service's task definition uses the awsvpc network mode (which is required for the
Fargate launch type), you must choose ip as the target type, not instance, when creating
your target groups because tasks that use the awsvpc network mode are associated with an
elastic network interface, not an Amazon EC2 instance.
Required: No
Type: String
AWS::ECS::Service NetworkConfiguration
The NetworkConfiguration property specifies an object representing the network configuration for a
task or service.
Syntax
JSON
{
"AwsvpcConfiguration" : AwsVpcConfiguration (p. 1864)
}
YAML
AwsvpcConfiguration:

1869
ECS
Properties
AwsvpcConfiguration
The VPC subnets and security groups associated with a task.

Note
All specified subnets and security groups must be from the same VPC.
Required: No
AWS::ECS::Service PlacementConstraint
The PlacementConstraint property specifies an object representing a constraint on task placement
in the task definition. For more information, see Task Placement Constraints in the Amazon Elastic
Syntax
JSON
{
"Type" : String
}
YAML
Expression: String
Type: String
Properties
Expression
A cluster query language expression to apply to the constraint. You cannot specify an expression if
the constraint type is distinctInstance. For more information, see Cluster Query Language in
Required: No
Type: String

Type
The type of constraint. Use distinctInstance to ensure that each task in a particular group is
running on a different container instance. Use memberOf to restrict the selection to a group of valid
candidates.
Required: Yes

1870
ECS
Type: String
Allowed Values: distinctInstance | memberOf
AWS::ECS::Service PlacementStrategy
The PlacementStrategy property specifies the task placement strategy for a task or service. For more
information, see Task Placement Strategies in the Amazon Elastic Container Service Developer Guide.
Syntax
JSON
{
"Field" : String,
"Type" : String
}
YAML
Field: String
Type: String
Properties
Field
The field to apply the placement strategy against. For the spread placement strategy, valid values
are instanceId (or host, which has the same effect), or any platform or custom attribute that is
applied to a container instance, such as attribute:ecs.availability-zone. For the binpack
placement strategy, valid values are cpu and memory. For the random placement strategy, this field
is not used.
Required: No
Type: String

Type
The type of placement strategy. The random placement strategy randomly places tasks on available
candidates. The spread placement strategy spreads placement across available candidates evenly
based on the field parameter. The binpack strategy places tasks on available candidates that
have the least available amount of the resource that is specified with the field parameter. For
example, if you binpack on memory, a task is placed on the instance with the least amount of
remaining memory (but still enough to run the task).
Required: Yes
Type: String
Allowed Values: binpack | random | spread

1871
ECS
AWS::ECS::Service ServiceRegistry
The ServiceRegistry property specifies details of the service registry.
Syntax
JSON
{
"Port" : Integer,
"RegistryArn" : String
}
YAML
Port: Integer
RegistryArn: String
Properties
ContainerName
The container name value, already specified in the task definition, to be used for your service
discovery service. If the task definition that your service task specifies uses the bridge or host
network mode, you must specify a containerName and containerPort combination from the
task definition. If the task definition that your service task specifies uses the awsvpc network mode
and a type SRV DNS record is used, you must specify either a containerName and containerPort
combination or a port value, but not both.
Required: No
Type: String

ContainerPort
The port value, already specified in the task definition, to be used for your service discovery service.
If the task definition your service task specifies uses the bridge or host network mode, you must
specify a containerName and containerPort combination from the task definition. If the task
definition your service task specifies uses the awsvpc network mode and a type SRV DNS record is
used, you must specify either a containerName and containerPort combination or a port value,
but not both.
Required: No
Type: Integer

Port
The port value used if your service discovery service specified an SRV record. This field may be used
if both the awsvpc network mode and SRV records are used.

1872
ECS
Required: No
Type: Integer

RegistryArn
The Amazon Resource Name (ARN) of the service registry. The currently supported service registry is
AWS Cloud Map. For more information, see CreateService.
Required: No
Type: String
The AWS::ECS::TaskDefinition resource describes the container and volume definitions of an
Amazon Elastic Container Service (Amazon ECS) task. You can specify which Docker images to use, the
required resources, and other configurations related to launching the task definition through an Amazon
ECS service or task.
Syntax
JSON
{
"Type" : "AWS::ECS::TaskDefinition",
"Properties" : {
"ContainerDefinitions" : [ ContainerDefinition (p. 1882), ... ],
"Cpu" : String,
"Family" : String,
"InferenceAccelerators" : [ InferenceAccelerator (p. 1903), ... ],
"IpcMode" : String,
"Memory" : String,
"NetworkMode" : String,
"PidMode" : String,
"PlacementConstraints" : [ TaskDefinitionPlacementConstraint (p. 1917), ... ],
"ProxyConfiguration" : ProxyConfiguration (p. 1912),
"RequiresCompatibilities" : [ String, ... ],
"Tags" : [ Tag, ... ],
"TaskRoleArn" : String,
"Volumes" : [ Volume (p. 1920), ... ]
}
}
YAML
Properties:
- ContainerDefinition (p. 1882)
Cpu: String
Family: String

1873
ECS
InferenceAccelerators:
- InferenceAccelerator (p. 1903)
IpcMode: String
Memory: String
NetworkMode: String
PidMode: String
- TaskDefinitionPlacementConstraint (p. 1917)
ProxyConfiguration:
ProxyConfiguration (p. 1912)
RequiresCompatibilities:
- String
Tags:
- Tag
TaskRoleArn: String
Volumes:
- Volume (p. 1920)
Properties
ContainerDefinitions
A list of container definitions in JSON format that describe the different containers that make up
your task. For more information about container definition parameters and defaults, see Amazon
ECS Task Definitions in the Amazon Elastic Container Service Developer Guide.
Required: No
Type: List of ContainerDefinition (p. 1882)

Cpu
The number of cpu units used by the task. If you are using the EC2 launch type, this field is optional
and any value can be used. If you are using the Fargate launch type, this field is required and you
must use one of the following values, which determines your range of valid values for the memory
parameter:
• 256 (.25 vCPU) - Available memory values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB)
• 512 (.5 vCPU) - Available memory values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB)
• 1024 (1 vCPU) - Available memory values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB),
6144 (6 GB), 7168 (7 GB), 8192 (8 GB)
• 2048 (2 vCPU) - Available memory values: Between 4096 (4 GB) and 16384 (16 GB) in increments
of 1024 (1 GB)
• 4096 (4 vCPU) - Available memory values: Between 8192 (8 GB) and 30720 (30 GB) in increments
of 1024 (1 GB)
Required: No
Type: String

ExecutionRoleArn
The Amazon Resource Name (ARN) of the task execution role that containers in this task can assume.
All containers in this task are granted the permissions that are specified in this role.
Required: No
Type: String

1874
ECS

Family
The name of a family that this task definition is registered to. A family groups multiple versions of a
task definition. Amazon ECS gives the first task definition that you registered to a family a revision
number of 1. Amazon ECS gives sequential revision numbers to each task definition that you add.
Note
To use revision numbers when you update a task definition, specify this property. If you
don't specify a value, AWS CloudFormation generates a new task definition each time that
you update it.
Required: No
Type: String

InferenceAccelerators
The Elastic Inference accelerators to use for the containers in the task.
Required: No
Type: List of InferenceAccelerator (p. 1903)

IpcMode
The IPC resource namespace to use for the containers in the task. The valid values are host, task,
or none. If host is specified, then all containers within the tasks that specified the host IPC mode
on the same container instance share the same IPC resources with the host Amazon EC2 instance.
If task is specified, all containers within the specified task share the same IPC resources. If none is
specified, then IPC resources within the containers of a task are private and not shared with other
containers in a task or on the container instance. If no value is specified, then the IPC resource
namespace sharing depends on the Docker daemon setting on the container instance. For more
information, see IPC settings in the Docker run reference.
If the host IPC mode is used, be aware that there is a heightened risk of undesired IPC namespace
expose. For more information, see Docker security.
If you are setting namespaced kernel parameters using systemControls for the containers in the
task, the following will apply to your IPC resource namespace. For more information, see System
Controls in the Amazon Elastic Container Service Developer Guide.
• For tasks that use the host IPC mode, IPC namespace related systemControls are not
supported.
• For tasks that use the task IPC mode, IPC namespace related systemControls will apply to all
containers within a task.
Note
This parameter is not supported for Windows containers or tasks using the Fargate launch
type.
Required: No
Type: String
Allowed Values: host | none | task

1875
ECS
Memory
The amount (in MiB) of memory used by the task.
If using the EC2 launch type, this field is optional and any value can be used. If a task-level memory
value is specified then the container-level memory value is optional.
If using the Fargate launch type, this field is required and you must use one of the following values,
which determines your range of valid values for the cpu parameter:
• 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) - Available cpu values: 256 (.25 vCPU)
• 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) - Available cpu values: 512 (.5 vCPU)
• 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) -
Available cpu values: 1024 (1 vCPU)
• Between 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) - Available cpu values:
2048 (2 vCPU)
• Between 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) - Available cpu values:
4096 (4 vCPU)
Required: No
Type: String

NetworkMode
The Docker networking mode to use for the containers in the task. The valid values are none,
bridge, awsvpc, and host. The default Docker network mode is bridge. If you are using the
Fargate launch type, the awsvpc network mode is required. If you are using the EC2 launch type, any
network mode can be used. If the network mode is set to none, you cannot specify port mappings in
your container definitions, and the tasks containers do not have external connectivity. The host and
awsvpc network modes offer the highest networking performance for containers because they use
the EC2 network stack instead of the virtualized network stack provided by the bridge mode.
With the host and awsvpc network modes, exposed container ports are mapped directly to the
corresponding host port (for the host network mode) or the attached elastic network interface port
(for the awsvpc network mode), so you cannot take advantage of dynamic host port mappings.
If the network mode is awsvpc, the task is allocated an elastic network interface, and you must
specify a NetworkConfiguration value when you create a service or run a task with the task
definition. For more information, see Task Networking in the Amazon Elastic Container Service
Developer Guide.
Note
Currently, only Amazon ECS-optimized AMIs, other Amazon Linux variants with the ecs-
init package, or AWS Fargate infrastructure support the awsvpc network mode.
If the network mode is host, you cannot run multiple instantiations of the same task on a single
container instance when port mappings are used.
Docker for Windows uses different network modes than Docker for Linux. When you register a task
definition with Windows containers, you must not specify a network mode. If you use the console to
register a task definition with Windows containers, you must choose the <default> network mode
object.
For more information, see Network settings in the Docker run reference.
Required: No
Type: String

1876
ECS
Allowed Values: awsvpc | bridge | host | none

PidMode
The process namespace to use for the containers in the task. The valid values are host or task. If
host is specified, then all containers within the tasks that specified the host PID mode on the same
container instance share the same process namespace with the host Amazon EC2 instance. If task
is specified, all containers within the specified task share the same process namespace. If no value is
specified, the default is a private namespace. For more information, see PID settings in the Docker
run reference.
If the host PID mode is used, be aware that there is a heightened risk of undesired process
namespace expose. For more information, see Docker security.
Note
type.
Required: No
Type: String
Allowed Values: host | task

PlacementConstraints
An array of placement constraint objects to use for tasks. This field is not valid if you are using the
Fargate launch type for your task.
Required: No
Type: List of TaskDefinitionPlacementConstraint (p. 1917)

ProxyConfiguration
The ProxyConfiguration property specifies the configuration details for the App Mesh proxy.
Your Amazon ECS container instances require at least version 1.26.0 of the container agent and at
least version 1.26.0-1 of the ecs-init package to enable a proxy configuration. If your container
instances are launched from the Amazon ECS-optimized AMI version 20190301 or later, then they
contain the required versions of the container agent and ecs-init. For more information, see
Amazon ECS-optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
Required: No
Type: ProxyConfiguration (p. 1912)

RequiresCompatibilities
The launch type the task requires. If no value is specified, it will default to EC2. Valid values include
EC2 and FARGATE.
Required: No

1877
ECS

Tags
The metadata that you apply to the task definition to help you categorize and organize them. Each
tag consists of a key and an optional value, both of which you define.

Required: No
Type: List of Tag
Maximum: 50

TaskRoleArn
The short name or full Amazon Resource Name (ARN) of the AWS Identity and Access Management
(IAM) role that grants containers in the task permission to call AWS APIs on your behalf. For more
information, see Amazon ECS Task Role in the Amazon Elastic Container Service Developer Guide.
IAM roles for tasks on Windows require that the -EnableTaskIAMRole option is set when you
launch the Amazon ECS-optimized Windows AMI. Your containers must also run some configuration
code in order to take advantage of the feature. For more information, see Windows IAM Roles for
Tasks in the Amazon Elastic Container Service Developer Guide.
Required: No
Type: String

Volumes
The list of volume definitions for the task.
If your tasks are using the Fargate launch type, the host and sourcePath parameters are not
supported.
For more information about volume definition parameters and defaults, see Amazon ECS Task
Definitions in the Amazon Elastic Container Service Developer Guide.
Required: No
Type: List of Volume (p. 1920)

1878
ECS
Return Values
Ref
In the following example, the Ref function returns the ARN of the MyTaskDefinition task definition,
such as arn:aws:ecs:us-west-2:123456789012:task-definition/TaskDefinitionFamily:1.
{ "Ref": "MyTaskDefinition" }
Examples
Creating an Amazon ECS task definition
The following example defines an Amazon ECS task definition, which includes two container definitions
and one volume definition.
JSON
"taskdefinition": {
"Properties" : {
"ContainerDefinitions" : [
{
"Name": {"Ref": "AppName"},
"MountPoints": [
{
}
],
"Cpu": "10",
"PortMappings":[
{
"HostPort": {"Ref":"AppHostPort"}
}
],
"EntryPoint": [
"-D",
"FOREGROUND"
],
"Memory":"0.5GB",
"Essential": "true"
},
{
"Name": "busybox",
"Image": "busybox",
"Cpu": "10",
"EntryPoint": [
"sh",
"-c"
],
"Memory": "0.5GB",
"Command": [
"/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\""
],

1879
ECS
"Essential" : "false",
"VolumesFrom": [
{
"SourceContainer": {"Ref":"AppName"}
}
]
}],
"Volumes": [
{
"Host": {
},
"Name": "my-vol"
}]
}
}
YAML
taskdefinition:
Properties:
-
Name:
Ref: "AppName"
MountPoints:
-
SourceVolume: "my-vol"
ContainerPath: "/var/www/my-vol"
Image: "amazon/amazon-ecs-sample"
Cpu: "10"
PortMappings:
-
ContainerPort:
Ref: "AppContainerPort"
HostPort:
Ref: "AppHostPort"
EntryPoint:
- "/usr/sbin/apache2"
- "-D"
- "FOREGROUND"
Memory: "0.5GB"
Essential: true
-
Name: "busybox"
Image: "busybox"
Cpu: "10"
EntryPoint:
- "sh"
- "-c"
Memory: "0.5GB"
Command:
- "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\""
Essential: false
VolumesFrom:
-
SourceContainer:
Ref: "AppName"
Volumes:
-
Host:
SourcePath: "/var/lib/docker/vfs/dir/"
Name: "my-vol"

1880
ECS
Creating an Amazon ECS task definition

The following example defines an Amazon ECS task definition that specifies EC2 and FARGATE as
required compatibilities.
JSON
{
"Resources": {
"taskdefinition": {
"Properties": {
"RequiresCompatibilities": [
"EC2",
"FARGATE"
],
"ContainerDefinitions": [
{
"Name": "my-app",
"MountPoints": [
{
}
],
"Image": "amazon/amazon-ecs-sample",
"Cpu": "10",
"EntryPoint": [
"-D",
"FOREGROUND"
],
"Memory": "0.5GB",
"Essential": "true"
},
{
"Name": "busybox",
"Image": "busybox",
"Cpu": "10",
"EntryPoint": [
"sh",
"-c"
],
"Memory": "0.5GB",
"Command": [
\""
],
"Essential": "false",
"DependsOn": [
"ContainerName": "my-app",
"Condition": "START"
],
"VolumesFrom": [
{
"SourceContainer": "my-app"
}
]
}
],
"Volumes": [
{
"Host": {

1881
ECS
},
"Name": "my-vol"
}
]
}
}
}
}
YAML
Resources:
taskdefinition:
Properties:
RequiresCompatibilities:
- "EC2"
- "FARGATE"
-
Name: "my-app"
MountPoints:
-
SourceVolume: "my-vol"
ContainerPath: "/var/www/my-vol"
Image: "amazon/amazon-ecs-sample"
Cpu: "10"
EntryPoint:
- "/usr/sbin/apache2"
- "-D"
- "FOREGROUND"
Memory: "0.5GB"
Essential: true
-
Name: "busybox"
Image: "busybox"
Cpu: "10"
EntryPoint:
- "sh"
- "-c"
Memory: "0.5GB"
Command:
- "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done
\""
Essential: false
DependsOn:
- ContainerName: my-app
Condition: START
VolumesFrom:
-
SourceContainer: "my-app"
Volumes:
-
Host:
SourcePath: "/var/lib/docker/vfs/dir/"
Name: "my-vol"
AWS::ECS::TaskDefinition ContainerDefinition
The ContainerDefinition property specifies a container definition. Container definitions are used in
task definitions to describe the different containers that are launched as part of a task.

1882
ECS
Syntax
JSON
{
"Cpu" : Integer,
"DependsOn" : [ ContainerDependency (p. 1896), ... ],
"DisableNetworking" : Boolean,
"DnsSearchDomains" : [ String, ... ],
"DnsServers" : [ String, ... ],
"DockerLabels" : {Key : Value, ...},
"DockerSecurityOptions" : [ String, ... ],
"EntryPoint" : [ String, ... ],
"Environment" : [ KeyValuePair (p. 1905), ... ],
"Essential" : Boolean,
"ExtraHosts" : [ HostEntry (p. 1902), ... ],
"FirelensConfiguration" : FirelensConfiguration (p. 1899),
"Hostname" : String,
"Image" : String,
"Interactive" : Boolean,
"Links" : [ String, ... ],
"LinuxParameters" : LinuxParameters (p. 1906),
"LogConfiguration" : LogConfiguration (p. 1908),
"Memory" : Integer,
"MemoryReservation" : Integer,
"MountPoints" : [ MountPoint (p. 1910), ... ],
"Name" : String,
"PortMappings" : [ PortMapping (p. 1911), ... ],
"Privileged" : Boolean,
"PseudoTerminal" : Boolean,
"ReadonlyRootFilesystem" : Boolean,
"RepositoryCredentials" : RepositoryCredentials (p. 1914),
"ResourceRequirements" : [ ResourceRequirement (p. 1914), ... ],
"Secrets" : [ Secret (p. 1915), ... ],
"StartTimeout" : Integer,
"StopTimeout" : Integer,
"SystemControls" : [ SystemControl (p. 1916), ... ],
"Ulimits" : [ Ulimit (p. 1919), ... ],
"User" : String,
"VolumesFrom" : [ VolumeFrom (p. 1921), ... ],
"WorkingDirectory" : String
}
YAML
Command:
- String
Cpu: Integer
DependsOn:
- ContainerDependency (p. 1896)
DisableNetworking: Boolean
DnsSearchDomains:
- String
DnsServers:
- String
DockerLabels:
Key : Value
DockerSecurityOptions:
- String
EntryPoint:

1883
ECS
- String
Environment:
- KeyValuePair (p. 1905)
Essential: Boolean
ExtraHosts:
- HostEntry (p. 1902)
FirelensConfiguration:
FirelensConfiguration (p. 1899)
HealthCheck:
Hostname: String
Image: String
Interactive: Boolean
Links:
- String
LinuxParameters:
LinuxParameters (p. 1906)
LogConfiguration:
LogConfiguration (p. 1908)
Memory: Integer
MemoryReservation: Integer
MountPoints:
- MountPoint (p. 1910)
Name: String
PortMappings:
- PortMapping (p. 1911)
Privileged: Boolean
PseudoTerminal: Boolean
ReadonlyRootFilesystem: Boolean
RepositoryCredentials:
RepositoryCredentials (p. 1914)
ResourceRequirements:
- ResourceRequirement (p. 1914)
Secrets:
- Secret (p. 1915)
StartTimeout: Integer
StopTimeout: Integer
SystemControls:
- SystemControl (p. 1916)
Ulimits:
- Ulimit (p. 1919)
User: String
VolumesFrom:
- VolumeFrom (p. 1921)
WorkingDirectory: String
Properties
Command
The command that is passed to the container. This parameter maps to Cmd in the Create a container
section of the Docker Remote API and the COMMAND parameter to docker run. For more information,
see https://docs.docker.com/engine/reference/builder/#cmd. If there are multiple arguments, each
argument should be a separated string in the array.
Required: No

Cpu
The number of cpu units reserved for the container. This parameter maps to CpuShares in the
Create a container section of the Docker Remote API and the --cpu-shares option to docker run.

1884
ECS
This field is optional for tasks using the Fargate launch type, and the only requirement is that the
total amount of CPU reserved for all containers within a task be lower than the task-level cpu value.
Note
You can determine the number of CPU units that are available per EC2 instance type by
multiplying the vCPUs listed for that instance type on the Amazon EC2 Instances detail
page by 1,024.
For example, if you run a single-container task on a single-core instance type with 512 CPU units
specified for that container, and that is the only task running on the container instance, that
container could use the full 1,024 CPU unit share at any given time. However, if you launched
another copy of the same task on that container instance, each task would be guaranteed a
minimum of 512 CPU units when needed, and each container could float to higher CPU usage if the
other container was not using it, but if both tasks were 100% active all of the time, they would be
limited to 512 CPU units.
Linux containers share unallocated CPU units with other containers on the container instance with
the same ratio as their allocated amount. For example, if you run a single-container task on a single-
core instance type with 512 CPU units specified for that container, and that is the only task running
on the container instance, that container could use the full 1,024 CPU unit share at any given time.
However, if you launched another copy of the same task on that container instance, each task would
be guaranteed a minimum of 512 CPU units when needed, and each container could float to higher
CPU usage if the other container was not using it, but if both tasks were 100% active all of the time,
they would be limited to 512 CPU units.
On Linux container instances, the Docker daemon on the container instance uses the CPU value to
calculate the relative CPU share ratios for running containers. For more information, see CPU share
constraint in the Docker documentation. The minimum valid CPU share value that the Linux kernel
allows is 2. However, the CPU parameter is not required, and you can use CPU values below 2 in your
container definitions. For CPU values below 2 (including null), the behavior varies based on your
Amazon ECS container agent version:
• Agent versions less than or equal to 1.1.0: Null and zero CPU values are passed to Docker as 0,
which Docker then converts to 1,024 CPU shares. CPU values of 1 are passed to Docker as 1, which
the Linux kernel converts to two CPU shares.
• Agent versions greater than or equal to 1.2.0: Null, zero, and CPU values of 1 are passed to
Docker as 2.
On Windows container instances, the CPU limit is enforced as an absolute limit, or a quota. Windows
containers only have access to the specified amount of CPU that is described in the task definition.
Required: No
Type: Integer

DependsOn
The dependencies defined for container startup and shutdown. A container can contain multiple
dependencies. When a dependency is defined for container startup, for container shutdown it is
reversed.
For tasks using the EC2 launch type, the container instances require at least version 1.26.0 of
the container agent to enable container dependencies. However, we recommend using the latest
container agent version. For information about checking your agent version and updating to the
latest version, see Updating the Amazon ECS Container Agent in the Amazon Elastic Container
Service Developer Guide. If you are using an Amazon ECS-optimized Linux AMI, your instance needs
at least version 1.26.0-1 of the ecs-init package. If your container instances are launched from
version 20190301 or later, then they contain the required versions of the container agent and ecs-

1885
ECS
init. For more information, see Amazon ECS-optimized Linux AMI in the Amazon Elastic Container
For tasks using the Fargate launch type, the task or service requires platform version 1.3.0 or later.
Required: No
Type: List of ContainerDependency (p. 1896)

DisableNetworking
When this parameter is true, networking is disabled within the container. This parameter maps to
NetworkDisabled in the Create a container section of the Docker Remote API.
Note
This parameter is not supported for Windows containers.
Required: No
Type: Boolean

DnsSearchDomains
A list of DNS search domains that are presented to the container. This parameter maps to
DnsSearch in the Create a container section of the Docker Remote API and the --dns-search
option to docker run.
Note
Required: No

DnsServers
A list of DNS servers that are presented to the container. This parameter maps to Dns in the Create a
container section of the Docker Remote API and the --dns option to docker run.
Note
Required: No

DockerLabels
A key/value map of labels to add to the container. This parameter maps to Labels in the Create a
container section of the Docker Remote API and the --label option to docker run. This parameter
requires version 1.18 of the Docker Remote API or greater on your container instance. To check the
Docker Remote API version on your container instance, log in to your container instance and run the
following command: sudo docker version --format '{{.Server.APIVersion}}'
Required: No
Type: Map of String

1886
ECS

DockerSecurityOptions
A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems.
This field is not valid for containers in tasks using the Fargate launch type.
With Windows containers, this parameter can be used to reference a credential spec file when
configuring a container for Active Directory authentication. For more information, see Using gMSAs
for Windows Containers in the Amazon Elastic Container Service Developer Guide.
This parameter maps to SecurityOpt in the Create a container section of the Docker Remote API
and the --security-opt option to docker run.
Note
The Amazon ECS container agent running on a container instance must register with
the ECS_SELINUX_CAPABLE=true or ECS_APPARMOR_CAPABLE=true environment
variables before containers placed on that instance can use these security options. For
more information, see Amazon ECS Container Agent Configuration in the Amazon Elastic
Required: No

EntryPoint
Important
Early versions of the Amazon ECS container agent do not properly handle entryPoint
parameters. If you have problems using entryPoint, update your container agent or enter
your commands and arguments as command array items instead.
The entry point that is passed to the container. This parameter maps to Entrypoint in the Create a
container section of the Docker Remote API and the --entrypoint option to docker run. For more
information, see https://docs.docker.com/engine/reference/builder/#entrypoint.
Required: No

Environment
The environment variables to pass to a container. This parameter maps to Env in the Create a
container section of the Docker Remote API and the --env option to docker run.
Important
We do not recommend using plaintext environment variables for sensitive information, such
as credential data.
Required: No
Type: List of KeyValuePair (p. 1905)

Essential
If the essential parameter of a container is marked as true, and that container fails or stops for
any reason, all other containers that are part of the task are stopped. If the essential parameter

1887
ECS
of a container is marked as false, then its failure does not affect the rest of the containers in a task.
If this parameter is omitted, a container is assumed to be essential.
All tasks must have at least one essential container. If you have an application that is composed
of multiple containers, you should group containers that are used for a common purpose into
components, and separate the different components into multiple task definitions. For more
information, see Application Architecture in the Amazon Elastic Container Service Developer Guide.
Required: No
Type: Boolean

ExtraHosts
A list of hostnames and IP address mappings to append to the /etc/hosts file on the container.
This parameter maps to ExtraHosts in the Create a container section of the Docker Remote API
and the --add-host option to docker run.
Note
This parameter is not supported for Windows containers or tasks that use the awsvpc
network mode.
Required: No
Type: List of HostEntry (p. 1902)

FirelensConfiguration
The FireLens configuration for the container. This is used to specify and configure a log router for
container logs. For more information, see Custom Log Routing in the Amazon Elastic Container
Required: No
Type: FirelensConfiguration (p. 1899)

HealthCheck
The health check command and associated configuration parameters for the container. This
parameter maps to HealthCheck in the Create a container section of the Docker Remote API and
the HEALTHCHECK parameter of docker run.
Required: No

Hostname
The hostname to use for your container. This parameter maps to Hostname in the Create a container
section of the Docker Remote API and the --hostname option to docker run.
Note
The hostname parameter is not supported if you are using the awsvpc network mode.
Required: No
Type: String

1888
ECS

Image
The image used to start a container. This string is passed directly to the Docker daemon. Images
in the Docker Hub registry are available by default. Other repositories are specified with either
repository-url/image:tag or repository-url/image@digest . Up to 255 letters
(uppercase and lowercase), numbers, hyphens, underscores, colons, periods, forward slashes, and
number signs are allowed. This parameter maps to Image in the Create a container section of the
Docker Remote API and the IMAGE parameter of docker run.
• When a new task starts, the Amazon ECS container agent pulls the latest version of the specified
image and tag for the container to use. However, subsequent updates to a repository image are
not propagated to already running tasks.
• Images in Amazon ECR repositories can be specified by either using the full
registry/repository:tag or registry/repository@digest. For example,
012345678910.dkr.ecr.<region-name>.amazonaws.com/<repository-name>:latest
or 012345678910.dkr.ecr.<region-name>.amazonaws.com/<repository-
name>@sha256:94afd1f2e64d908bc90dbca0035a5b567EXAMPLE.
• Images in official repositories on Docker Hub use a single name (for example, ubuntu or mongo).
• Images in other repositories on Docker Hub are qualified with an organization name (for example,
amazon/amazon-ecs-agent).
• Images in other online repositories are qualified further by a domain name (for example,
quay.io/assemblyline/ubuntu).
Required: No
Type: String

Interactive
When this parameter is true, this allows you to deploy containerized applications that require
stdin or a tty to be allocated. This parameter maps to OpenStdin in the Create a container
section of the Docker Remote API and the --interactive option to docker run.
Required: No
Type: Boolean

Links
The links parameter allows containers to communicate with each other without the need for port
mappings. This parameter is only supported if the network mode of a task definition is bridge.
The name:internalName construct is analogous to name:alias in Docker links. Up to 255 letters
(uppercase and lowercase), numbers, and hyphens are allowed. For more information about linking
Docker containers, go to Legacy container links in the Docker documentation. This parameter maps
to Links in the Create a container section of the Docker Remote API and the --link option to
docker run.
Note
Important
Containers that are collocated on a single container instance may be able to communicate
with each other without requiring links or host port mappings. Network isolation is achieved
on the container instance using security groups and VPC settings.
Required: No

1889
ECS

LinuxParameters
Linux-specific modifications that are applied to the container, such as Linux kernel capabilities. For
more information see KernelCapabilities.
Note
Required: No
Type: LinuxParameters (p. 1906)

LogConfiguration
The log configuration specification for the container.
If you are using the Fargate launch type, the only supported value is awslogs.
This parameter maps to LogConfig in the Create a container section of the Docker Remote API and
the --log-driver option to docker run. By default, containers use the same logging driver that
the Docker daemon uses. However the container may use a different logging driver than the Docker
daemon by specifying a log driver with this parameter in the container definition. To use a different
logging driver for a container, the log system must be configured properly on the container instance
(or on a different log server for remote logging options). For more information on the options for
different supported log drivers, see Configure logging drivers in the Docker documentation.
Note
Amazon ECS currently supports a subset of the logging drivers available to the Docker
daemon (shown in the LogConfiguration data type). Additional log drivers may be available
in future releases of the Amazon ECS container agent.
This parameter requires version 1.18 of the Docker Remote API or greater on your container
instance. To check the Docker Remote API version on your container instance, log in to your
container instance and run the following command: sudo docker version --format
'{{.Server.APIVersion}}'
Note
The Amazon ECS container agent running on a container instance must register the
logging drivers available on that instance with the ECS_AVAILABLE_LOGGING_DRIVERS
environment variable before containers placed on that instance can use these log
configuration options. For more information, see Amazon ECS Container Agent
Configuration in the Amazon Elastic Container Service Developer Guide.
Required: No
Type: LogConfiguration (p. 1908)

Memory
The amount (in MiB) of memory to present to the container. If your container attempts to exceed
the memory specified here, the container is killed. The total amount of memory reserved for
all containers within a task must be lower than the task memory value, if one is specified. This
parameter maps to Memory in the Create a container section of the Docker Remote API and the --
memory option to docker run.
If using the Fargate launch type, this parameter is optional.

1890
ECS
If using the EC2 launch type, you must specify either a task-level memory value or a container-
level memory value. If you specify both a container-level memory and memoryReservation value,
memory must be greater than memoryReservation. If you specify memoryReservation, then that
value is subtracted from the available memory resources for the container instance on which the
container is placed. Otherwise, the value of memory is used.
The Docker daemon reserves a minimum of 4 MiB of memory for a container, so you should not
specify fewer than 4 MiB of memory for your containers.
Required: No
Type: Integer

MemoryReservation
The soft limit (in MiB) of memory to reserve for the container. When system memory is under
heavy contention, Docker attempts to keep the container memory to this soft limit. However, your
container can consume more memory when it needs to, up to either the hard limit specified with
the memory parameter (if applicable), or all of the available memory on the container instance,
whichever comes first. This parameter maps to MemoryReservation in the Create a container
section of the Docker Remote API and the --memory-reservation option to docker run.
If a task-level memory value is not specified, you must specify a non-zero integer for one or both
of memory or memoryReservation in a container definition. If you specify both, memory must
be greater than memoryReservation. If you specify memoryReservation, then that value is
subtracted from the available memory resources for the container instance on which the container is
placed. Otherwise, the value of memory is used.
For example, if your container normally uses 128 MiB of memory, but occasionally bursts to 256
MiB of memory for short periods of time, you can set a memoryReservation of 128 MiB, and a
memory hard limit of 300 MiB. This configuration would allow the container to only reserve 128 MiB
of memory from the remaining resources on the container instance, but also allow the container to
consume more memory resources when needed.
The Docker daemon reserves a minimum of 4 MiB of memory for a container, so you should not
specify fewer than 4 MiB of memory for your containers.
Required: No
Type: Integer

MountPoints
The mount points for data volumes in your container.
This parameter maps to Volumes in the Create a container section of the Docker Remote API and
the --volume option to docker run.
Windows containers can mount whole directories on the same drive as $env:ProgramData.
Windows containers cannot mount directories on a different drive, and mount point cannot be
across drives.
Required: No
Type: List of MountPoint (p. 1910)

1891
ECS
Name
The name of a container. If you are linking multiple containers together in a task definition, the name
of one container can be entered in the links of another container to connect the containers. Up to
255 letters (uppercase and lowercase), numbers, and hyphens are allowed. This parameter maps to
name in the Create a container section of the Docker Remote API and the --name option to docker
run.
Required: No
Type: String

PortMappings
The list of port mappings for the container. Port mappings allow containers to access ports on the
host container instance to send or receive traffic.
For task definitions that use the awsvpc network mode, you should only specify the
containerPort. The hostPort can be left blank or it must be the same value as the
containerPort.
Port mappings on Windows use the NetNAT gateway address rather than localhost. There is no
loopback for port mappings on Windows, so you cannot access a container's mapped port from the
host itself.
This parameter maps to PortBindings in the Create a container section of the Docker Remote API
and the --publish option to docker run. If the network mode of a task definition is set to none,
then you can't specify port mappings. If the network mode of a task definition is set to host, then
host ports must either be undefined or they must match the container port in the port mapping.
Note
After a task reaches the RUNNING status, manual and automatic host and container
port assignments are visible in the Network Bindings section of a container description
for a selected task in the Amazon ECS console. The assignments are also visible in the
networkBindings section DescribeTasks responses.
Required: No
Type: List of PortMapping (p. 1911)

Privileged
When this parameter is true, the container is given elevated privileges on the host container instance
(similar to the root user). This parameter maps to Privileged in the Create a container section of
the Docker Remote API and the --privileged option to docker run.
Note
type.
Required: No
Type: Boolean

PseudoTerminal
When this parameter is true, a TTY is allocated. This parameter maps to Tty in the Create a
container section of the Docker Remote API and the --tty option to docker run.

1892
ECS
Required: No
Type: Boolean

ReadonlyRootFilesystem
When this parameter is true, the container is given read-only access to its root file system. This
parameter maps to ReadonlyRootfs in the Create a container section of the Docker Remote API
and the --read-only option to docker run.
Note
Required: No
Type: Boolean

RepositoryCredentials
The private repository authentication credentials to use.
Required: No
Type: RepositoryCredentials (p. 1914)

ResourceRequirements
The type and amount of a resource to assign to a container. The only supported resource is a GPU.
Required: No
Type: List of ResourceRequirement (p. 1914)

Secrets
The secrets to pass to the container. For more information, see Specifying Sensitive Data in the
Required: No
Type: List of Secret (p. 1915)

StartTimeout
Time duration (in seconds) to wait before giving up on resolving dependencies for a container.
For example, you specify two containers in a task definition with containerA having a dependency
on containerB reaching a COMPLETE, SUCCESS, or HEALTHY status. If a startTimeout value is
specified for containerB and it does not reach the desired status within that time then containerA
will give up and not start. This results in the task transitioning to a STOPPED state.
For tasks using the EC2 launch type, the container instances require at least version 1.26.0 of the
container agent to enable a container start timeout value. However, we recommend using the latest
container agent version. For information about checking your agent version and updating to the
latest version, see Updating the Amazon ECS Container Agent in the Amazon Elastic Container

1893
ECS
Service Developer Guide. If you are using an Amazon ECS-optimized Linux AMI, your instance needs
at least version 1.26.0-1 of the ecs-init package. If your container instances are launched from
version 20190301 or later, then they contain the required versions of the container agent and ecs-
init. For more information, see Amazon ECS-optimized Linux AMI in the Amazon Elastic Container
Required: No
Type: Integer

StopTimeout
Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally
on its own.
For tasks using the Fargate launch type, the max stopTimeout value is 2 minutes and the task or
service requires platform version 1.3.0 or later.
For tasks using the EC2 launch type, the stop timeout value for the container takes precedence over
the ECS_CONTAINER_STOP_TIMEOUT container agent configuration parameter, if used. Container
instances require at least version 1.26.0 of the container agent to enable a container stop timeout
value. However, we recommend using the latest container agent version. For information about
checking your agent version and updating to the latest version, see Updating the Amazon ECS
Container Agent in the Amazon Elastic Container Service Developer Guide. If you are using an Amazon
ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the ecs-init package.
If your container instances are launched from version 20190301 or later, then they contain the
required versions of the container agent and ecs-init. For more information, see Amazon ECS-
optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
Required: No
Type: Integer

SystemControls
A list of namespaced kernel parameters to set in the container. This parameter maps to Sysctls in
the Create a container section of the Docker Remote API and the --sysctl option to docker run.
Note
It is not recommended that you specify network-related systemControls parameters
for multiple containers in a single task that also uses either the awsvpc or host network
modes. For tasks that use the awsvpc network mode, the container that is started last
determines which systemControls parameters take effect. For tasks that use the host
network mode, it changes the container instance's namespaced kernel parameters as well as
the containers.
Required: No
Type: List of SystemControl (p. 1916)

Ulimits
A list of ulimits to set in the container. This parameter maps to Ulimits in the Create a container
section of the Docker Remote API and the --ulimit option to docker run. Valid naming values are

1894
ECS
displayed in the Ulimit data type. This parameter requires version 1.18 of the Docker Remote API
or greater on your container instance. To check the Docker Remote API version on your container
instance, log in to your container instance and run the following command: sudo docker version
--format '{{.Server.APIVersion}}'
Note
Required: No
Type: List of Ulimit (p. 1919)

User
The user name to use inside the container. This parameter maps to User in the Create a container
section of the Docker Remote API and the --user option to docker run.
You can use the following formats. If specifying a UID or GID, you must specify it as a positive
integer.
• user
• user:group
• uid
• uid:gid
• user:gid
• uid:group
Note
Required: No
Type: String

VolumesFrom
Data volumes to mount from another container. This parameter maps to VolumesFrom in the
Create a container section of the Docker Remote API and the --volumes-from option to docker
run.
Required: No
Type: List of VolumeFrom (p. 1921)

WorkingDirectory
The working directory in which to run commands inside the container. This parameter maps to
WorkingDir in the Create a container section of the Docker Remote API and the --workdir option
to docker run.
Required: No
Type: String

1895
ECS
AWS::ECS::TaskDefinition ContainerDependency
The ContainerDependency property specifies the dependencies defined for container startup and
shutdown. A container can contain multiple dependencies. When a dependency is defined for container
startup, for container shutdown it is reversed.
Your Amazon ECS container instances require at least version 1.26.0 of the container agent to enable
container dependencies. However, we recommend using the latest container agent version. For
information about checking your agent version and updating to the latest version, see Updating the
Amazon ECS Container Agent in the Amazon Elastic Container Service Developer Guide. If you are using
an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the ecs-init
package. If your container instances are launched from version 20190301 or later, then they contain
the required versions of the container agent and ecs-init. For more information, see Amazon ECS-
optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
Note
If you are using tasks that use the Fargate launch type, container dependency parameters are
not supported.
Syntax
JSON
{
"ContainerName" : String
}
YAML
Condition: String
Properties
Condition
The dependency condition of the container. The following are the available conditions and their
behavior:
• START - This condition emulates the behavior of links and volumes today. It validates that a
dependent container is started before permitting other containers to start.
• COMPLETE - This condition validates that a dependent container runs to completion (exits) before
permitting other containers to start. This can be useful for nonessential containers that run a
script and then exit.
• SUCCESS - This condition is the same as COMPLETE, but it also requires that the container exits
with a zero status.
• HEALTHY - This condition validates that the dependent container passes its Docker health check
before permitting other containers to start. This requires that the dependent container has health
checks configured. This condition is confirmed only at task startup.
Required: Yes
Type: String
Allowed Values: COMPLETE | HEALTHY | START | SUCCESS

1896
ECS

ContainerName
The name of a container.
Required: Yes
Type: String
AWS::ECS::TaskDefinition Device
The Device property specifies an object representing a container instance host device.
Syntax
JSON
{
"HostPath" : String,
"Permissions" : [ String, ... ]
}
YAML
HostPath: String
Permissions:
- String
Properties
ContainerPath
The path inside the container at which to expose the host device.
Required: No
Type: String

HostPath
The path for the device on the host container instance.
Required: Yes
Type: String

Permissions
The explicit permissions to provide to the container for the device. By default, the container has
permissions for read, write, and mknod for the device.

1897
ECS
Required: No
AWS::ECS::TaskDefinition DockerVolumeConfiguration
The DockerVolumeConfiguration property specifies a Docker volume configuration and is used
when you use Docker volumes. Docker volumes are only supported when you are using the EC2 launch
type. Windows containers only support the use of the local driver. To use bind mounts, specify a host
instead.
Syntax
JSON
{
"Autoprovision" : Boolean,
"Driver" : String,
"DriverOpts" : {Key : Value, ...},
"Labels" : {Key : Value, ...},
"Scope" : String
}
YAML
Autoprovision: Boolean
Driver: String
DriverOpts:
Key : Value
Labels:
Key : Value
Scope: String
Properties
Autoprovision
If this value is true, the Docker volume is created if it does not already exist.
Note
This field is only used if the scope is shared.
Required: No
Type: Boolean

Driver
The Docker volume driver to use. The driver value must match the driver name provided by Docker
because it is used for task placement. If the driver was installed using the Docker plugin CLI, use
docker plugin ls to retrieve the driver name from your container instance. If the driver was
installed using another method, use Docker plugin discovery to retrieve the driver name. For more
information, see Docker plugin discovery. This parameter maps to Driver in the Create a volume
section of the Docker Remote API and the xxdriver option to docker volume create.

1898
ECS
Required: No
Type: String

DriverOpts
A map of Docker driver-specific options passed through. This parameter maps to DriverOpts in the
Create a volume section of the Docker Remote API and the xxopt option to docker volume create.
Required: No
Type: Map of String

Labels
Custom metadata to add to your Docker volume. This parameter maps to Labels in the Create a
volume section of the Docker Remote API and the xxlabel option to docker volume create.
Required: No
Type: Map of String

Scope
The scope for the Docker volume that determines its lifecycle. Docker volumes that are scoped to a
task are automatically provisioned when the task starts and destroyed when the task stops. Docker
volumes that are scoped as shared persist after the task stops.
Required: No
Type: String
Allowed Values: shared | task
AWS::ECS::TaskDefinition FirelensConfiguration
The FireLens configuration for the container. This is used to specify and configure a log router for
container logs. For more information, see Custom Log Routing in the Amazon Elastic Container Service
Developer Guide.
Syntax
JSON
{
"Options" : {Key : Value, ...},
"Type" : String
}
YAML
Options:

1899
ECS
Key : Value
Type: String
Properties
Options
The options to use when configuring the log router. This field is optional and can be used to add
additional metadata, such as the task, task definition, cluster, and container instance details to the
log event.
If specified, valid option keys are:

• enable-ecs-log-metadata, which can be true or false
• config-file-type, which can be s3 or file
• config-file-value, which is either an S3 ARN or a file path
Required: No
Type: Map of String

Type
The log router to use. The valid values are fluentd or fluentbit.
Required: Yes
Type: String
Allowed Values: fluentbit | fluentd
AWS::ECS::TaskDefinition HealthCheck
The HealthCheck property specifies an object representing a container health check. Health check
parameters that are specified in a container definition override any Docker health checks that exist in the
container image (such as those specified in a parent image or from the image's Dockerfile).
The following are notes about container health check support:
• Container health checks require version 1.17.0 or greater of the Amazon ECS container agent. For
more information, see Updating the Amazon ECS Container Agent.
• Container health checks are supported for Fargate tasks if you are using platform version 1.1.0 or
greater. For more information, see AWS Fargate Platform Versions.
• Container health checks are not supported for tasks that are part of a service that is configured to use
a Classic Load Balancer.
Syntax
JSON
{
"Interval" : Integer,

1900
ECS
"Retries" : Integer,
"StartPeriod" : Integer,
"Timeout" : Integer
}
YAML
Command:
- String
Interval: Integer
Retries: Integer
StartPeriod: Integer
Timeout: Integer
Properties
Command
A string array representing the command that the container runs to determine if it is healthy. The
string array must start with CMD to execute the command arguments directly, or CMD-SHELL to run
the command with the container's default shell. For example:
[ "CMD-SHELL", "curl -f http://localhost/ || exit 1" ]
An exit code of 0 indicates success, and non-zero exit code indicates failure. For more information,
see HealthCheck in the Create a container section of the Docker Remote API.
Required: Yes

Interval
The time period in seconds between each health check execution. You may specify between 5 and
300 seconds. The default value is 30 seconds.
Required: No
Type: Integer

Retries
The number of times to retry a failed health check before the container is considered unhealthy. You
may specify between 1 and 10 retries. The default value is 3.
Required: No
Type: Integer

StartPeriod
The optional grace period within which to provide containers time to bootstrap before failed health
checks count towards the maximum number of retries. You may specify between 0 and 300 seconds.
The startPeriod is disabled by default.
Note
If a health check succeeds within the startPeriod, then the container is considered
healthy and any subsequent failures count toward the maximum number of retries.

1901
ECS
Required: No
Type: Integer

Timeout
The time period in seconds to wait for a health check to succeed before it is considered a failure. You
may specify between 2 and 60 seconds. The default value is 5.
Required: No
Type: Integer
AWS::ECS::TaskDefinition HostEntry
The HostEntry property specifies a hostname and an IP address that are added to the /etc/hosts file
of a container through the extraHosts parameter of its ContainerDefinition resource.
Syntax
JSON
{
"Hostname" : String,
"IpAddress" : String
}
YAML
Hostname: String
IpAddress: String
Properties
Hostname
The hostname to use in the /etc/hosts entry.
Required: Yes
Type: String

IpAddress
The IP address to use in the /etc/hosts entry.
Required: Yes
Type: String

1902
ECS
AWS::ECS::TaskDefinition HostVolumeProperties
The HostVolumeProperties property specifies details on a container instance bind mount host
volume.
Syntax
JSON
{
}
YAML
SourcePath: String
Properties
SourcePath
When the host parameter is used, specify a sourcePath to declare the path on the host container
instance that is presented to the container. If this parameter is empty, then the Docker daemon
has assigned a host path for you. If the host parameter contains a sourcePath file location, then
the data volume persists at the specified location on the host container instance until you delete
it manually. If the sourcePath value does not exist on the host container instance, the Docker
daemon creates it. If the location does exist, the contents of the source path folder are exported.
If you are using the Fargate launch type, the sourcePath parameter is not supported.
Required: No
Type: String
AWS::ECS::TaskDefinition InferenceAccelerator
Details on an Elastic Inference accelerator. For more information, see Working with Amazon Elastic
Inference on Amazon ECS in the Amazon Elastic Container Service Developer Guide.
Syntax
JSON
{
"DeviceType" : String
}
YAML
DeviceName: String

1903
ECS
DeviceType: String
Properties
DeviceName
The Elastic Inference accelerator device name. The deviceName must also be referenced in a
container definition as a ResourceRequirement.
Required: No
Type: String

DeviceType
The Elastic Inference accelerator type to use.
Required: No
Type: String
AWS::ECS::TaskDefinition KernelCapabilities
The KernelCapabilities property specifies the Linux capabilities for the container that are added
to or dropped from the default configuration that is provided by Docker. For more information on
the default capabilities and the non-default available capabilities, see Runtime privilege and Linux
capabilities in the Docker run reference. For more detailed information on these Linux capabilities, see the
capabilities(7) Linux manual page.
Syntax
JSON
{
"Add" : [ String, ... ],
"Drop" : [ String, ... ]
}
YAML
Add:
- String
Drop:
- String
Properties
Add
The Linux capabilities for the container that have been added to the default configuration provided
by Docker. This parameter maps to CapAdd in the Create a container section of the Docker Remote
API and the --cap-add option to docker run.

1904
ECS
Note
If you are using tasks that use the Fargate launch type, the add parameter is not supported.
Valid values: "ALL" | "AUDIT_CONTROL" | "AUDIT_WRITE" | "BLOCK_SUSPEND"

| "CHOWN" | "DAC_OVERRIDE" | "DAC_READ_SEARCH" | "FOWNER" | "FSETID"
| "IPC_LOCK" | "IPC_OWNER" | "KILL" | "LEASE" | "LINUX_IMMUTABLE" |
"MAC_ADMIN" | "MAC_OVERRIDE" | "MKNOD" | "NET_ADMIN" | "NET_BIND_SERVICE"
| "NET_BROADCAST" | "NET_RAW" | "SETFCAP" | "SETGID" | "SETPCAP" | "SETUID"
| "SYS_ADMIN" | "SYS_BOOT" | "SYS_CHROOT" | "SYS_MODULE" | "SYS_NICE" |
"SYS_PACCT" | "SYS_PTRACE" | "SYS_RAWIO" | "SYS_RESOURCE" | "SYS_TIME" |
"SYS_TTY_CONFIG" | "SYSLOG" | "WAKE_ALARM"
Required: No

Drop
The Linux capabilities for the container that have been removed from the default configuration
provided by Docker. This parameter maps to CapDrop in the Create a container section of the
Docker Remote API and the --cap-drop option to docker run.
Valid values: "ALL" | "AUDIT_CONTROL" | "AUDIT_WRITE" | "BLOCK_SUSPEND"

| "CHOWN" | "DAC_OVERRIDE" | "DAC_READ_SEARCH" | "FOWNER" | "FSETID"
| "IPC_LOCK" | "IPC_OWNER" | "KILL" | "LEASE" | "LINUX_IMMUTABLE" |
"MAC_ADMIN" | "MAC_OVERRIDE" | "MKNOD" | "NET_ADMIN" | "NET_BIND_SERVICE"
| "NET_BROADCAST" | "NET_RAW" | "SETFCAP" | "SETGID" | "SETPCAP" | "SETUID"
| "SYS_ADMIN" | "SYS_BOOT" | "SYS_CHROOT" | "SYS_MODULE" | "SYS_NICE" |
"SYS_PACCT" | "SYS_PTRACE" | "SYS_RAWIO" | "SYS_RESOURCE" | "SYS_TIME" |
"SYS_TTY_CONFIG" | "SYSLOG" | "WAKE_ALARM"
Required: No
AWS::ECS::TaskDefinition KeyValuePair
The KeyValuePair property specifies a key-value pair object.
Syntax
JSON
{
"Name" : String,
"Value" : String
}
YAML
Name: String

1905
ECS
Value: String
Properties
Name
The name of the key-value pair. For environment variables, this is the name of the environment
variable.
Required: No
Type: String

Value
The value of the key-value pair. For environment variables, this is the value of the environment
variable.
Required: No
Type: String
AWS::ECS::TaskDefinition LinuxParameters
The LinuxParameters property specifies Linux-specific options that are applied to the container, such
as Linux KernelCapabilities.
Syntax
JSON
{
"Capabilities" : KernelCapabilities (p. 1904),
"Devices" : [ Device (p. 1897), ... ],
"InitProcessEnabled" : Boolean,
"MaxSwap" : Integer,
"SharedMemorySize" : Integer,
"Swappiness" : Integer,
"Tmpfs" : [ Tmpfs (p. 1918), ... ]
}
YAML
Capabilities:
KernelCapabilities (p. 1904)
Devices:
- Device (p. 1897)
InitProcessEnabled: Boolean
MaxSwap: Integer
SharedMemorySize: Integer
Swappiness: Integer
Tmpfs:
- Tmpfs (p. 1918)

1906
ECS
Properties
Capabilities
The Linux capabilities for the container that are added to or dropped from the default configuration
provided by Docker.
Note
If you are using tasks that use the Fargate launch type, capabilities is supported but the
add parameter is not supported.
Required: No
Type: KernelCapabilities (p. 1904)

Devices
Any host devices to expose to the container. This parameter maps to Devices in the Create a
container section of the Docker Remote API and the --device option to docker run.
Note
If you are using tasks that use the Fargate launch type, the devices parameter is not
supported.
Required: No

InitProcessEnabled
Run an init process inside the container that forwards signals and reaps processes. This parameter
maps to the --init option to docker run. This parameter requires version 1.25 of the Docker
Remote API or greater on your container instance. To check the Docker Remote API version on your
container instance, log in to your container instance and run the following command: sudo docker
version --format '{{.Server.APIVersion}}'
Required: No
Type: Boolean

MaxSwap
The total amount of swap memory (in MiB) a container can use. This parameter will be translated
to the --memory-swap option to docker run where the value would be the sum of the container
memory plus the maxSwap value.
If a maxSwap value of 0 is specified, the container will not use swap. Accepted values are 0 or any
positive integer. If the maxSwap parameter is omitted, the container will use the swap configuration
for the container instance it is running on. A maxSwap value must be set for the swappiness
parameter to be used.
Note
If you are using tasks that use the Fargate launch type, the maxSwap parameter is not
supported.
Required: No
Type: Integer

1907
ECS

SharedMemorySize
The value for the size (in MiB) of the /dev/shm volume. This parameter maps to the --shm-size
Note
If you are using tasks that use the Fargate launch type, the sharedMemorySize parameter
is not supported.
Required: No
Type: Integer

Swappiness
This allows you to tune a container's memory swappiness behavior. A swappiness value of 0 will
cause swapping to not happen unless absolutely necessary. A swappiness value of 100 will cause
pages to be swapped very aggressively. Accepted values are whole numbers between 0 and 100. If
the swappiness parameter is not specified, a default value of 60 is used. If a value is not specified
for maxSwap then this parameter is ignored. This parameter maps to the --memory-swappiness
Note
If you are using tasks that use the Fargate launch type, the swappiness parameter is not
supported.
Required: No
Type: Integer

Tmpfs
The container path, mount options, and size (in MiB) of the tmpfs mount. This parameter maps to
the --tmpfs option to docker run.
Note
If you are using tasks that use the Fargate launch type, the tmpfs parameter is not
supported.
Required: No
Type: List (p. 1918) of Tmpfs (p. 1918)
AWS::ECS::TaskDefinition LogConfiguration
The LogConfiguration property specifies log configuration options to send to a custom log driver for
the container.
Syntax
JSON
{
"LogDriver" : String,

1908
ECS
"Options" : {Key : Value, ...},

"SecretOptions" : [ Secret (p. 1915), ... ]
}
YAML
LogDriver: String
Options:
Key : Value
SecretOptions:
- Secret (p. 1915)
Properties
LogDriver
The log driver to use for the container. The valid values listed earlier are log drivers that the Amazon
ECS container agent can communicate with by default.
For tasks using the Fargate launch type, the supported log drivers are awslogs, splunk, and
awsfirelens.
For tasks using the EC2 launch type, the supported log drivers are awslogs, fluentd, gelf, json-
file, journald, logentries,syslog, splunk, and awsfirelens.
For more information about using the awslogs log driver, see Using the awslogs Log Driver in the
For more information about using the awsfirelens log driver, see Custom Log Routing in the
Note
If you have a custom driver that is not listed, you can fork the Amazon ECS container agent
project that is available on GitHub and customize it to work with that driver. We encourage
you to submit pull requests for changes that you would like to have included. However, we
do not currently provide support for running modified copies of this software.
Required: Yes
Type: String
Allowed Values: awsfirelens | awslogs | fluentd | gelf | journald | json-file |

splunk | syslog

Options
The configuration options to send to the log driver. This parameter requires version 1.19 of the
Docker Remote API or greater on your container instance. To check the Docker Remote API version
on your container instance, log in to your container instance and run the following command: sudo
docker version --format '{{.Server.APIVersion}}'
Required: No
Type: Map of String

SecretOptions
The secrets to pass to the log configuration. For more information, see Specifying Sensitive Data in

1909
ECS
Required: No
Type: List of Secret (p. 1915)
AWS::ECS::TaskDefinition MountPoint
The MountPoint property specifies details on a volume mount point that is used in a container
definition.
Syntax
JSON
{
"SourceVolume" : String
}
YAML
ReadOnly: Boolean
SourceVolume: String
Properties
ContainerPath
The path on the container to mount the host volume at.
Required: No
Type: String

ReadOnly
If this value is true, the container has read-only access to the volume. If this value is false, then
the container can write to the volume. The default value is false.
Required: No
Type: Boolean

SourceVolume
The name of the volume to mount. Must be a volume name referenced in the name parameter of
task definition volume.
Required: No
Type: String

1910
ECS
AWS::ECS::TaskDefinition PortMapping
The PortMapping property specifies a port mapping. Port mappings allow containers to access ports on
the host container instance to send or receive traffic. Port mappings are specified as part of the container
definition.
If you are using containers in a task with the awsvpc or host network mode, exposed ports should be
specified using containerPort. The hostPort can be left blank or it must be the same value as the
containerPort.
After a task reaches the RUNNING status, manual and automatic host and container port assignments are
visible in the networkBindings section of DescribeTasks API responses.
Syntax
JSON
{
"HostPort" : Integer,
"Protocol" : String
}
YAML
HostPort: Integer
Protocol: String
Properties
ContainerPort
The port number on the container that is bound to the user-specified or automatically assigned host
port.
If you are using containers in a task with the awsvpc or host network mode, exposed ports should
be specified using containerPort.
If you are using containers in a task with the bridge network mode and you specify a container port
and not a host port, your container automatically receives a host port in the ephemeral port range.
For more information, see hostPort. Port mappings that are automatically assigned in this way do
not count toward the 100 reserved ports limit of a container instance.
Important
You cannot expose the same container port for multiple protocols. An error will be returned
if this is attempted.
Required: No
Type: Integer

1911
ECS
HostPort
The port number on the container instance to reserve for your container.
If you are using containers in a task with the awsvpc or host network mode, the hostPort can
either be left blank or set to the same value as the containerPort.
If you are using containers in a task with the bridge network mode, you can specify a non-reserved
host port for your container port mapping, or you can omit the hostPort (or set it to 0) while
specifying a containerPort and your container automatically receives a port in the ephemeral
port range for your container instance operating system and Docker version.
The default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under /
proc/sys/net/ipv4/ip_local_port_range. If this kernel parameter is unavailable, the default
ephemeral port range from 49153 through 65535 is used. Do not attempt to specify a host port in
the ephemeral port range as these are reserved for automatic assignment. In general, ports below
32768 are outside of the ephemeral port range.
Note
The default ephemeral port range from 49153 through 65535 is always used for Docker
versions before 1.6.0.
The default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS
container agent ports 51678-51680. Any host port that was previously specified in a running task
is also reserved while the task is running (after a task stops, the host port is released). The current
reserved ports are displayed in the remainingResources of DescribeContainerInstances output. A
container instance can have up to 100 reserved ports at a time, including the default reserved ports.
Automatically assigned ports don't count toward the 100 reserved ports limit.
Required: No
Type: Integer

Protocol
The protocol used for the port mapping. Valid values are tcp and udp. The default is tcp.
Required: No
Type: String
Allowed Values: tcp | udp
AWS::ECS::TaskDefinition ProxyConfiguration
The ProxyConfiguration property specifies the details for the App Mesh proxy.
For tasks using the EC2 launch type, the container instances require at least version 1.26.0 of the
container agent and at least version 1.26.0-1 of the ecs-init package to enable a proxy configuration.
If your container instances are launched from the Amazon ECS-optimized AMI version 20190301 or later,
then they contain the required versions of the container agent and ecs-init. For more information, see
Amazon ECS-optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
Syntax

1912
ECS
JSON
{
"ProxyConfigurationProperties" : [ KeyValuePair (p. 1905), ... ],
"Type" : String
}
YAML
ProxyConfigurationProperties:
- KeyValuePair (p. 1905)
Type: String
Properties
ContainerName
The name of the container that will serve as the App Mesh proxy.
Required: Yes
Type: String

ProxyConfigurationProperties
The set of network configuration parameters to provide the Container Network Interface (CNI)
plugin, specified as key-value pairs.
• IgnoredUID - (Required) The user ID (UID) of the proxy container as defined by the user
parameter in a container definition. This is used to ensure the proxy ignores its own traffic. If
IgnoredGID is specified, this field can be empty.
• IgnoredGID - (Required) The group ID (GID) of the proxy container as defined by the user
parameter in a container definition. This is used to ensure the proxy ignores its own traffic. If
IgnoredUID is specified, this field can be empty.
• AppPorts - (Required) The list of ports that the application uses. Network traffic to these ports is
forwarded to the ProxyIngressPort and ProxyEgressPort.
• ProxyIngressPort - (Required) Specifies the port that incoming traffic to the AppPorts is
directed to.
• ProxyEgressPort - (Required) Specifies the port that outgoing traffic from the AppPorts is
directed to.
• EgressIgnoredPorts - (Required) The egress traffic going to the specified ports is ignored and
not redirected to the ProxyEgressPort. It can be an empty list.
• EgressIgnoredIPs - (Required) The egress traffic going to the specified IP addresses is ignored
and not redirected to the ProxyEgressPort. It can be an empty list.
Required: No
Type: List of KeyValuePair (p. 1905)

Type
The proxy type. The only supported value is APPMESH.
Required: No

1913
ECS
Type: String
Allowed Values: APPMESH
AWS::ECS::TaskDefinition RepositoryCredentials
The RepositoryCredentials property specifies the repository credentials for private registry
authentication.
Syntax
JSON
{
"CredentialsParameter" : String
}
YAML
CredentialsParameter: String
Properties
CredentialsParameter
The Amazon Resource Name (ARN) of the secret containing the private repository credentials.
Note
When you are using the Amazon ECS API, AWS CLI, or AWS SDK, if the secret exists in the
same Region as the task that you are launching then you can use either the full ARN or the
name of the secret. When you are using the AWS Management Console, you must specify
the full ARN of the secret.
Required: No
Type: String
AWS::ECS::TaskDefinition ResourceRequirement
The ResourceRequirement property specifies the type and amount of a resource to assign to a
container. The only supported resource is a GPU. For more information, see Working with GPUs on
Amazon ECS in the Amazon Elastic Container Service Developer Guide
Syntax
JSON
{
"Type" : String,
"Value" : String

1914
ECS
YAML
Type: String
Value: String
Properties
Type
The type of resource to assign to a container. The supported values are GPU or
InferenceAccelerator.
Required: Yes
Type: String
Allowed Values: GPU | InferenceAccelerator

Value
The value for the specified resource type.
If the GPU type is used, the value is the number of physical GPUs the Amazon ECS container agent
will reserve for the container. The number of GPUs reserved for all containers in a task should not
exceed the number of available GPUs on the container instance the task is launched on.
If the InferenceAccelerator type is used, the value should match the DeviceName for an
InferenceAccelerator specified in a task definition.
Required: Yes
Type: String
AWS::ECS::TaskDefinition Secret
The Secret property specifies an object representing the secret to expose to your container. For more
information, see Specifying Sensitive Data in the Amazon Elastic Container Service Developer Guide.
Syntax
JSON
{
"Name" : String,
"ValueFrom" : String
}
YAML
Name: String
ValueFrom: String

1915
ECS
Properties
Name
The name of the secret.
Required: Yes
Type: String

ValueFrom
The secret to expose to the container. The supported values are either the full ARN of the AWS
Secrets Manager secret or the full ARN of the parameter in the AWS Systems Manager Parameter
Store.
Note
If the AWS Systems Manager Parameter Store parameter exists in the same Region as the
task you are launching, then you can use either the full ARN or name of the parameter. If
the parameter exists in a different Region, then the full ARN must be specified.
Required: Yes
Type: String
AWS::ECS::TaskDefinition SystemControl
A list of namespaced kernel parameters to set in the container. This parameter maps to Sysctls in the
Create a container section of the Docker Remote API and the --sysctl option to docker run.
It is not recommended that you specify network-related systemControls parameters for multiple
containers in a single task that also uses either the awsvpc or host network mode for the following
reasons:
• For tasks that use the awsvpc network mode, if you set systemControls for any container, it applies
to all containers in the task. If you set different systemControls for multiple containers in a single
task, the container that is started last determines which systemControls take effect.
• For tasks that use the host network mode, the systemControls parameter applies to the container
instance's kernel parameter as well as that of all containers of any tasks running on that container
instance.
Syntax
JSON
{
"Value" : String
}
YAML
Namespace: String

1916
ECS
Value: String
Properties
Namespace
The namespaced kernel parameter for which to set a value.
Required: Yes
Type: String

Value
The value for the namespaced kernel parameter specified in namespace.
Required: Yes
Type: String
AWS::ECS::TaskDefinition TaskDefinitionPlacementConstraint
The TaskDefinitionPlacementConstraint property specifies an object representing a constraint on
task placement in the task definition.
If you are using the Fargate launch type, task placement constraints are not supported.
For more information, see Task Placement Constraints in the Amazon Elastic Container Service Developer
Guide.
Syntax
JSON
{
"Type" : String
}
YAML
Expression: String
Type: String
Properties
Expression
A cluster query language expression to apply to the constraint. For more information, see Cluster
Query Language in the Amazon Elastic Container Service Developer Guide.
Required: No
Type: String

1917
ECS

Type
The type of constraint. The MemberOf constraint restricts selection to be from a group of valid
candidates.
Required: Yes
Type: String
Allowed Values: memberOf
AWS::ECS::TaskDefinition Tmpfs
The Tmpfs property specifies the container path, mount options, and size of the tmpfs mount.
Syntax
JSON
{
"MountOptions" : [ String, ... ],
"Size" : Integer
}
YAML
MountOptions:
- String
Size: Integer
Properties
ContainerPath
The absolute file path where the tmpfs volume is to be mounted.
Required: No
Type: String

MountOptions
The list of tmpfs volume mount options.
Valid values: "defaults" | "ro" | "rw" | "suid" | "nosuid" | "dev" | "nodev"

| "exec" | "noexec" | "sync" | "async" | "dirsync" | "remount" | "mand"
| "nomand" | "atime" | "noatime" | "diratime" | "nodiratime" | "bind" |
"rbind" | "unbindable" | "runbindable" | "private" | "rprivate" | "shared"
| "rshared" | "slave" | "rslave" | "relatime" | "norelatime" | "strictatime"
| "nostrictatime" | "mode" | "uid" | "gid" | "nr_inodes" | "nr_blocks" |
"mpol"

1918
ECS
Required: No

Size
The size (in MiB) of the tmpfs volume.
Required: Yes
Type: Integer
AWS::ECS::TaskDefinition Ulimit
The Ulimit property specifies the ulimit settings to pass to the container.
Syntax
JSON
{
"HardLimit" : Integer,
"Name" : String,
"SoftLimit" : Integer
}
YAML
HardLimit: Integer
Name: String
SoftLimit: Integer
Properties
HardLimit
The hard limit for the ulimit type.
Required: Yes
Type: Integer

Name
The type of the ulimit.
Required: Yes
Type: String
Allowed Values: core | cpu | data | fsize | locks | memlock | msgqueue | nice |
nofile | nproc | rss | rtprio | rttime | sigpending | stack

1919
ECS

SoftLimit
The soft limit for the ulimit type.
Required: Yes
Type: Integer
AWS::ECS::TaskDefinition Volume
The Volume property specifies a data volume used in a task definition. For tasks that use a Docker
volume, specify a DockerVolumeConfiguration. For tasks that use a bind mount host volume, specify
a host and optional sourcePath. For more information, see Using Data Volumes in Tasks.
Syntax
JSON
{
"DockerVolumeConfiguration" : DockerVolumeConfiguration (p. 1898),
"Host" : HostVolumeProperties (p. 1903),
"Name" : String
}
YAML
DockerVolumeConfiguration:
DockerVolumeConfiguration (p. 1898)
Host:
HostVolumeProperties (p. 1903)
Name: String
Properties
DockerVolumeConfiguration
This parameter is specified when you are using Docker volumes. Docker volumes are only supported
when you are using the EC2 launch type. Windows containers only support the use of the local
driver. To use bind mounts, specify a host instead.
Required: No
Type: DockerVolumeConfiguration (p. 1898)

Host
This parameter is specified when you are using bind mount host volumes. Bind mount host volumes
are supported when you are using either the EC2 or Fargate launch types. The contents of the host
parameter determine whether your bind mount host volume persists on the host container instance
and where it is stored. If the host parameter is empty, then the Docker daemon assigns a host path
for your data volume. However, the data is not guaranteed to persist after the containers associated
with it stop running.

1920
ECS
Windows containers can mount whole directories on the same drive as $env:ProgramData.
Windows containers cannot mount directories on a different drive, and mount point cannot be
across drives. For example, you can mount C:\my\path:C:\my\path and D:\:D:\, but not D:\my
\path:C:\my\path or D:\:C:\my\path.
Required: No
Type: HostVolumeProperties (p. 1903)

Name
The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, and hyphens
are allowed. This name is referenced in the sourceVolume parameter of container definition
mountPoints.
Required: No
Type: String
AWS::ECS::TaskDefinition VolumeFrom
The VolumeFrom property specifies details on a data volume from another container in the same task
definition.
Syntax
JSON
{
"SourceContainer" : String
}
YAML
ReadOnly: Boolean
SourceContainer: String
Properties
ReadOnly
If this value is true, the container has read-only access to the volume. If this value is false, then
the container can write to the volume. The default value is false.
Required: No
Type: Boolean

SourceContainer
The name of another container within the same task definition from which to mount volumes.

1921
ECS
Required: No
Type: String
AWS::ECS::TaskSet
Create a task set in the specified cluster and service. This is used when a service uses the EXTERNAL
deployment controller type. For more information, see Amazon ECS Deployment Types in the Amazon
Elastic Container Service Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ECS::TaskSet",
"Properties" : {
"Cluster" : String,
"LoadBalancers" : [ LoadBalancer (p. 1926), ... ],
"Scale" : Scale (p. 1928),
"Service" : String,
"ServiceRegistries" : [ ServiceRegistry (p. 1928), ... ],
"TaskDefinition" : String
}
}
YAML
Type: AWS::ECS::TaskSet
Properties:
Cluster: String
ExternalId: String
LaunchType: String
LoadBalancers:
- LoadBalancer (p. 1926)
Scale:
Scale (p. 1928)
Service: String
ServiceRegistries:
- ServiceRegistry (p. 1928)
TaskDefinition: String
Properties
Cluster
The short name or full Amazon Resource Name (ARN) of the cluster that hosts the service to create
the task set in.

1922
ECS
Required: Yes
Type: String

ExternalId
An optional non-unique tag that identifies this task set in external systems. If the task
set is associated with a service discovery registry, the tasks in this task set will have the
ECS_TASK_SET_EXTERNAL_ID AWS Cloud Map attribute set to the provided value.
Required: No
Type: String

LaunchType
The launch type that new tasks in the task set will use. For more information, see Amazon ECS
Launch Types in the Amazon Elastic Container Service Developer Guide.
If a launchType is specified, the capacityProviderStrategy parameter must be omitted.
Required: No
Type: String

LoadBalancers
A load balancer object representing the load balancer to use with the task set. The supported load
balancer types are either an Application Load Balancer or a Network Load Balancer.
Required: No
Type: List of LoadBalancer (p. 1926)

The network configuration for the task set.
Required: No

PlatformVersion
The platform version that the tasks in the task set should use. A platform version is specified only
for tasks using the Fargate launch type. If one isn't specified, the LATEST platform version is used by
default.
Required: No
Type: String

1923
ECS
Scale
A floating-point percentage of the desired number of tasks to place and keep running in the task set.
Required: No
Type: Scale (p. 1928)

Service
The short name or full Amazon Resource Name (ARN) of the service to create the task set in.
Required: Yes
Type: String

ServiceRegistries
The details of the service discovery registries to assign to this task set. For more information, see
Service Discovery.
Required: No
Type: List of ServiceRegistry (p. 1928)

TaskDefinition
The task definition for the tasks in the task set to use.
Required: Yes
Type: String
Return Values
Ref
name.
Fn::GetAtt
Id
The ID of the task set.

1924
ECS
AWS::ECS::TaskSet AwsVpcConfiguration
The networking details for a task.
Syntax
JSON
{
}
YAML
SecurityGroups:
- String
Subnets:
- String
Properties
AssignPublicIp
Whether the task's elastic network interface receives a public IP address. The default value is
DISABLED.
Required: No
Type: String

SecurityGroups
The security groups associated with the task or service. If you do not specify a security group, the
default security group for the VPC is used. There is a limit of 5 security groups that can be specified
Note
All specified security groups must be from the same VPC.
Required: No

Subnets
The subnets associated with the task or service. There is a limit of 16 subnets that can be specified
Note
All specified subnets must be from the same VPC.
Required: Yes

1925
ECS
AWS::ECS::TaskSet LoadBalancer
Details on the load balancer or load balancers to use with a task set.
Syntax
JSON
{
"TargetGroupArn" : String
}
YAML
Properties
ContainerName
The name of the container (as it appears in a container definition) to associate with the load
balancer.
Required: No
Type: String

ContainerPort
The port on the container to associate with the load balancer. This port must correspond to a
containerPort in the task definition the tasks in the service are using. For tasks that use the EC2
launch type, the container instance they are launched on must allow ingress traffic on the hostPort
of the port mapping.
Required: No
Type: Integer

LoadBalancerName
The name of the load balancer to associate with the Amazon ECS service or task set.
A load balancer name is only specified when using a Classic Load Balancer. If you are using an
Application Load Balancer or a Network Load Balancer this should be omitted.

1926
ECS
Required: No
Type: String

TargetGroupArn
The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups
associated with a service or task set.
A target group ARN is only specified when using an Application Load Balancer or Network Load
Balancer. If you are using a Classic Load Balancer this should be omitted.
For services using the ECS deployment controller, you can specify one or multiple target groups.
For more information, see Registering Multiple Target Groups with a Service in the Amazon Elastic
For services using the CODE_DEPLOY deployment controller, you are required to define two target
groups for the load balancer. For more information, see Blue/Green Deployment with CodeDeploy in
Important
If your service's task definition uses the awsvpc network mode (which is required for the
Fargate launch type), you must choose ip as the target type, not instance, when creating
your target groups because tasks that use the awsvpc network mode are associated with an
elastic network interface, not an Amazon EC2 instance.
Required: No
Type: String
AWS::ECS::TaskSet NetworkConfiguration
The network configuration for a task.
Syntax
JSON
{
"AwsVpcConfiguration" : AwsVpcConfiguration (p. 1925)
}
YAML
AwsVpcConfiguration:
Properties
AwsVpcConfiguration
The VPC subnets and security groups associated with a task.

1927
ECS
Note
All specified subnets and security groups must be from the same VPC.
Required: No
AWS::ECS::TaskSet Scale
A floating-point percentage of the desired number of tasks to place and keep running in the task set.
Syntax
JSON
{
"Unit" : String,
"Value" : Double
}
YAML
Unit: String
Value: Double
Properties
Unit
The unit of measure for the scale value.
Required: No
Type: String
Allowed Values: PERCENT

Value
The value, specified as a percent total of a service's desiredCount, to scale the task set. Accepted
values are numbers between 0 and 100.
Required: No
Type: Double
AWS::ECS::TaskSet ServiceRegistry
Details of the service registry.

1928
ECS
Syntax
JSON
{
"Port" : Integer,
"RegistryArn" : String
}
YAML
Port: Integer
RegistryArn: String
Properties
ContainerName
The container name value, already specified in the task definition, to be used for your service
discovery service. If the task definition that your service task specifies uses the bridge or host
network mode, you must specify a containerName and containerPort combination from the
task definition. If the task definition that your service task specifies uses the awsvpc network mode
and a type SRV DNS record is used, you must specify either a containerName and containerPort
combination or a port value, but not both.
Required: No
Type: String

ContainerPort
The port value, already specified in the task definition, to be used for your service discovery service.
If the task definition your service task specifies uses the bridge or host network mode, you must
specify a containerName and containerPort combination from the task definition. If the task
definition your service task specifies uses the awsvpc network mode and a type SRV DNS record is
used, you must specify either a containerName and containerPort combination or a port value,
but not both.
Required: No
Type: Integer

Port
The port value used if your service discovery service specified an SRV record. This field may be used
if both the awsvpc network mode and SRV records are used.
Required: No
Type: Integer

1929
EFS

RegistryArn
The Amazon Resource Name (ARN) of the service registry. The currently supported service registry is
AWS Cloud Map. For more information, see CreateService.
Required: No
Type: String
EFS Resource Type Reference

Resource Types
• AWS::EFS::FileSystem (p. 1930)

• AWS::EFS::MountTarget (p. 1936)
AWS::EFS::FileSystem
The AWS::EFS::FileSystem resource creates a new, empty file system in Amazon Elastic File System
(Amazon EFS). You must create a mount target (AWS::EFS::MountTarget) to mount your EFS file system
on an Amazon Elastic Compute Cloud (Amazon EC2) instance or another resource.
Syntax
JSON
{
"Type" : "AWS::EFS::FileSystem",
"Properties" : {
"FileSystemTags" : [ ElasticFileSystemTag (p. 1934), ... ],
"LifecyclePolicies" : [ LifecyclePolicy (p. 1935), ... ],
"PerformanceMode" : String,
"ProvisionedThroughputInMibps" : Double,
"ThroughputMode" : String
}
}
YAML
Properties:
Encrypted: Boolean
FileSystemTags:
- ElasticFileSystemTag (p. 1934)
KmsKeyId: String
LifecyclePolicies:
- LifecyclePolicy (p. 1935)
PerformanceMode: String
ProvisionedThroughputInMibps: Double

1930
EFS
ThroughputMode: String
Properties
Encrypted
A Boolean value that, if true, creates an encrypted file system. When creating an encrypted file
system, you have the option of specifying a KmsKeyId for an existing AWS Key Management Service
(AWS KMS) customer master key (CMK). If you don't specify a CMK, then the default CMK for Amazon
EFS, /aws/elasticfilesystem, is used to protect the encrypted file system.
Type: Boolean

FileSystemTags
A value that specifies to create one or more tags associated with the file system. Each
tag is a user-defined key-value pair. Name your file system on creation by including a
"Key":"Name","Value":"{value}" key-value pair.
Required: No
Type: List of ElasticFileSystemTag (p. 1934)

KmsKeyId
The ID of the AWS KMS CMK to be used to protect the encrypted file system. This parameter is only
required if you want to use a nondefault CMK. If this parameter is not specified, the default CMK for
Amazon EFS is used. This ID can be in one of the following formats:
• Key ID - A unique identifier of the key, for example
1234abcd-12ab-34cd-56ef-1234567890ab.
• ARN - An Amazon Resource Name (ARN) for the key, for example arn:aws:kms:us-
west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.
• Key alias - A previously created display name for a key, for example alias/projectKey1.
• Key alias ARN - An ARN for a key alias, for example arn:aws:kms:us-
west-2:444455556666:alias/projectKey1.
If KmsKeyId is specified, the Encrypted parameter must be set to true.
Required: No
Type: String
Minimum: 1
Maximum: 2048

LifecyclePolicies
A list of policies used by EFS lifecycle management to transition files to the Infrequent Access (IA)
storage class.
Required: No

1931
EFS
Type: List of LifecyclePolicy (p. 1935)

PerformanceMode
The performance mode of the file system. We recommend generalPurpose performance mode
for most file systems. File systems using the maxIO performance mode can scale to higher levels
of aggregate throughput and operations per second with a tradeoff of slightly higher latencies
for most file operations. The performance mode can't be changed after the file system has been
created.
Required: No
Type: String
Allowed Values: generalPurpose | maxIO

ProvisionedThroughputInMibps
The throughput, measured in MiB/s, that you want to provision for a file system that you're creating.
Valid values are 1-1024. Required if ThroughputMode is set to provisioned. The upper limit for
throughput is 1024 MiB/s. You can get this limit increased by contacting AWS Support. For more
information, see Amazon EFS Limits That You Can Increase in the Amazon EFS User Guide.
Type: Double

ThroughputMode
The throughput mode for the file system to be created. There are two throughput modes to
choose from for your file system: bursting and provisioned. If you set ThroughputMode to
provisioned, you must also set a value for ProvisionedThroughPutInMibps. You can decrease
your file system's throughput in Provisioned Throughput mode or change between the throughput
modes as long as it’s been more than 24 hours since the last decrease or throughput mode change.
For more, see Specifying Throughput with Provisioned Mode in the Amazon EFS User Guide.
Required: No
Type: String
Allowed Values: bursting | provisioned
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource ID.
For example:
{"Ref":"fs-12345678"}.
For the Amazon EFS file system fs-12345678, Ref returns the file system ID.

1932
EFS
Examples
Create an Encrypted File System
The following example declares an encrypted Amazon EFS file system.
JSON
"Resources": {
"filesystem": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"Encrypted": true,
"KmsKeyId": {
"Fn::GetAtt": [
"key",
"Arn"
]
}
}
},
"key": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
},
":root"
]
]
}
},
"Action": [
"kms:*"
],
"Resource": "*"
}
]
}
}
}
},
"Outputs": {
"KeyId": {
"Value": {
"Fn::GetAtt": [
"key",
"Arn"
]

1933
EFS
}
}
}
}
YAML
Resources:
filesystem:
Properties:
Encrypted: true
KmsKeyId: !GetAtt
- key
- Arn
key:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Allow administration of the key
Effect: Allow
Principal:
AWS: !Join
- ''
- - 'arn:aws:iam::'
- ':root'
Action:
- 'kms:*'
Resource: '*'
Outputs:
KeyId:
Value: !GetAtt
- key
- Arn
See Also
• Amazon EFS: How It Works
• Creating an Amazon Elastic File System
AWS::EFS::FileSystem ElasticFileSystemTag
A tag is a key-value pair attached to a file system. Allowed characters in the Key and Value properties
are letters, white space, and numbers that can be represented in UTF-8, and the following characters: +
- = . _ : /
Syntax
JSON
{
"Key" : String,
"Value" : String
}

1934
EFS
YAML
Key: String
Value: String
Properties
Key
The tag key (String). The key can't start with aws:.
Required: Yes
Type: String
Minimum: 1
Maximum: 128

Value
The value of the tag key.
Required: Yes
Type: String
Maximum: 256
AWS::EFS::FileSystem LifecyclePolicy
Describes a policy used by EFS lifecycle management to transition files to the Infrequent Access (IA)
storage class.
Syntax
JSON
{
"TransitionToIA" : String
}
YAML
TransitionToIA: String
Properties
TransitionToIA
A value that describes the period of time that a file is not accessed, after which it transitions to the
IA storage class. Metadata operations such as listing the contents of a directory don't count as file
access events.

1935
EFS
Required: Yes
Type: String
Allowed Values: AFTER_14_DAYS | AFTER_30_DAYS | AFTER_60_DAYS | AFTER_7_DAYS |

AFTER_90_DAYS
AWS::EFS::MountTarget
The AWS::EFS::MountTarget resource is an Amazon EFS resource that creates a mount target for
an EFS file system. You can then mount the file system on Amazon EC2 instances or other resources by
using the mount target.
Syntax
JSON
{
"Type" : "AWS::EFS::MountTarget",
"Properties" : {
"FileSystemId" : String,
"IpAddress" : String,
"SubnetId" : String
}
}
YAML
Properties:
FileSystemId: String
IpAddress: String
SecurityGroups:
- String
SubnetId: String
Properties
FileSystemId
The ID of the file system for which to create the mount target.
Required: Yes
Type: String

IpAddress
Valid IPv4 address within the address range of the specified subnet.
Required: No

1936
EFS
Type: String

SecurityGroups
Up to five VPC security group IDs, of the form sg-xxxxxxxx. These must be for the same VPC as
subnet specified.
Required: Yes
Maximum: 5

SubnetId
The ID of the subnet to add the mount target in.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource ID.
For example:
{"Ref":"fsmt-12345678"}.
For the Amazon EFS file system mount target fsmt-12345678, Ref returns the mount target ID.
Fn::GetAtt
IpAddress
The IPv4 address of the mount target.
Examples
Declare a Mount Target for an EFS File System
The following example declares a mount target that is associated with a file system, subnet, and security
group, which are all declared in the same template. EC2 instances that are in the same Availability
Zone (AZ) as the mount target can use the mount target to connect to the associated file system. For
information about mounting file systems on EC2 instances, see Mounting File Systems in the EFS User
Guide.

1937
EKS
JSON
"MountTarget": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": { "Ref": "FileSystem" },
"SubnetId": { "Ref": "Subnet" },
"SecurityGroups": [ { "Ref": "MountTargetSecurityGroup" } ]
}
}
YAML
MountTarget:
Properties:
FileSystemId:
Ref: "FileSystem"
SubnetId:
Ref: "Subnet"
SecurityGroups:
-
Ref: "MountTargetSecurityGroup"
See Also
• Amazon EFS: How It Works
• Creating Mount Targets
• Walkthrough: Mounting a File System On-Premises
EKS Resource Type Reference

Resource Types
• AWS::EKS::Cluster (p. 1938)

• AWS::EKS::Nodegroup (p. 1942)
AWS::EKS::Cluster
Creates an Amazon EKS control plane.
The Amazon EKS control plane consists of control plane instances that run the Kubernetes software, such
as etcd and the API server. The control plane runs in an account managed by AWS, and the Kubernetes
API is exposed via the Amazon EKS API server endpoint. Each Amazon EKS cluster control plane is single-
tenant and unique and runs on its own set of Amazon EC2 instances.
The cluster control plane is provisioned across multiple Availability Zones and fronted by an Elastic Load
Balancing Network Load Balancer. Amazon EKS also provisions elastic network interfaces in your VPC
subnets to provide connectivity from the control plane instances to the worker nodes (for example, to
support kubectl exec, logs, and proxy data flows).
Amazon EKS worker nodes run in your AWS account and connect to your cluster's control plane via the
Kubernetes API server endpoint and a certificate file that is created for your cluster.
Cluster creation typically takes between 10 and 15 minutes. After you create an Amazon EKS cluster, you
must configure your Kubernetes tooling to communicate with the API server and launch worker nodes

1938
EKS
into your cluster. For more information, see Managing Cluster Authentication and Launching Amazon
EKS Worker Nodes in the Amazon EKS User Guide.
Syntax
JSON
{
"Type" : "AWS::EKS::Cluster",
"Properties" : {
"Name" : String,
"ResourcesVpcConfig" : ResourcesVpcConfig (p. 1941),
"RoleArn" : String,
"Version" : String
}
}
YAML
Type: AWS::EKS::Cluster
Properties:
Name: String
ResourcesVpcConfig:
ResourcesVpcConfig (p. 1941)
RoleArn: String
Version: String
Properties
Name
The unique name to give to your cluster.
Required: No
Type: String

ResourcesVpcConfig
The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have
specific requirements to work properly with Kubernetes. For more information, see Cluster VPC
Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. You must
specify at least two subnets. You can specify up to five security groups, but we recommend that you
use a dedicated security group for your cluster control plane.
Required: Yes
Type: ResourcesVpcConfig (p. 1941)

RoleArn
The Amazon Resource Name (ARN) of the IAM role that provides permissions for Amazon EKS to
make calls to other AWS API operations on your behalf. For more information, see Amazon EKS
Service IAM Role in the Amazon EKS User Guide .
Required: Yes

1939
EKS
Type: String

Version
The desired Kubernetes version for your cluster. If you don't specify a value here, the latest version
available in Amazon EKS is used.
Required: No
Type: String
Return Values
Ref
name. For example:
{ "Ref": "myCluster" }
For the Amazon EKS cluster myCluster, Ref returns the name of the cluster.
Fn::GetAtt
Arn
The ARN of the cluster, such as arn:aws:eks:us-west-2:666666666666:cluster/prod.

CertificateAuthorityData
The certificate-authority-data for your cluster.

ClusterSecurityGroupId
The cluster security group that was created by Amazon EKS for the cluster. Managed node groups
use this security group for control plane to data plane communication.
This parameter is only returned by Amazon EKS clusters that support managed node groups. For
more information, see Managed Node Groups in the Amazon EKS User Guide.
Endpoint
The endpoint for your Kubernetes API server, such as

https://5E1D0CEXAMPLEA591B746AFC5AB30262.yl4.us-west-2.eks.amazonaws.com.
Examples
Create a Cluster
The following example creates an Amazon EKS cluster called prod.

1940
EKS
JSON
{
"Resources": {
"myCluster": {
"Type": "AWS::EKS::Cluster",
"Properties": {
"Name": "prod",
"Version": "1.11",
"RoleArn": "arn:aws:iam::012345678910:role/eks-service-role-
AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI",
"ResourcesVpcConfig": {
"sg-6979fe18"
]
},
"SubnetIds": [
"subnet-6782e71e",
"subnet-e7e761ac"
]
}
}
}
}
YAML
Resources:
myCluster:
Type: 'AWS::EKS::Cluster'
Properties:
Name: prod
Version: '1.11'
RoleArn: >-
arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-
EXAMPLEBQ4PI
ResourcesVpcConfig:
SecurityGroupIds:
- sg-6979fe18
SubnetIds:
- subnet-6782e71e
- subnet-e7e761ac
See Also
• Clusters in the Amazon EKS User Guide .
• CreateCluster in the Amazon EKS API Reference .
AWS::EKS::Cluster ResourcesVpcConfig
An object representing the VPC configuration to use for an Amazon EKS cluster.
Syntax
JSON
{

1941
EKS

}
YAML
SecurityGroupIds:
- String
SubnetIds:
- String
Properties
SecurityGroupIds
Specify one or more security groups for the cross-account elastic network interfaces that Amazon
EKS creates to use to allow communication between your worker nodes and the Kubernetes control
plane. If you don't specify a security group, the default security group for your VPC is used.
Required: No

SubnetIds
Specify subnets for your Amazon EKS worker nodes. Amazon EKS creates cross-account elastic
network interfaces in these subnets to allow communication between your worker nodes and the
Kubernetes control plane.
Required: Yes
AWS::EKS::Nodegroup
Creates a managed worker node group for an Amazon EKS cluster. You can only create a node group for
your cluster that is equal to the current Kubernetes version for the cluster. All node groups are created
with the latest AMI release version for the respective minor Kubernetes version of the cluster.
An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group and associated Amazon EC2
instances that are managed by AWS for an Amazon EKS cluster. Each node group uses a version of the
Amazon EKS-optimized Amazon Linux 2 AMI.
You can only create a managed node group for Amazon EKS clusters that support managed nodes. For
more information, see Managed Node Groups in the Amazon EKS User Guide.
Syntax
JSON
{
"Type" : "AWS::EKS::Nodegroup",
"Properties" : {

1942
EKS
"AmiType" : String,
"DiskSize" : Double,
"ForceUpdateEnabled" : Boolean,
"InstanceTypes" : [ String, ... ],
"Labels" : Json,
"NodegroupName" : String,
"NodeRole" : String,
"ReleaseVersion" : String,
"RemoteAccess" : RemoteAccess (p. 1947),
"ScalingConfig" : ScalingConfig (p. 1948),
"Tags" : Json,
"Version" : String
}
}
YAML
Type: AWS::EKS::Nodegroup
Properties:
AmiType: String
ClusterName: String
DiskSize: Double
ForceUpdateEnabled: Boolean
InstanceTypes:
- String
Labels: Json
NodegroupName: String
NodeRole: String
ReleaseVersion: String
RemoteAccess:
RemoteAccess (p. 1947)
ScalingConfig:
ScalingConfig (p. 1948)
Subnets:
- String
Tags: Json
Version: String
Properties
AmiType
The AMI type for your node group. GPU instance types should use the AL2_x86_64_GPU AMI type,
which uses the Amazon EKS-optimized Linux AMI with GPU support. Non-GPU instances should use
the AL2_x86_64 AMI type, which uses the Amazon EKS-optimized Linux AMI.
Required: No
Type: String

ClusterName
The name of the cluster to create the node group in.
Required: Yes
Type: String

1943
EKS
DiskSize
The root device disk size (in GiB) for your node group instances. The default disk size is 20 GiB.
Required: No
Type: Double

ForceUpdateEnabled
Force the update if the existing node group's pods are unable to be drained due to a pod disruption
budget issue. If an update fails because pods could not be drained, you can force the update after it
fails to terminate the old node whether or not any pods are running on the node.
Required: No
Type: Boolean

InstanceTypes
The instance type to use for your node group. Currently, you can specify a single instance type for a
node group. The default value for this parameter is t3.medium. If you choose a GPU instance type,
be sure to specify the AL2_x86_64_GPU with the amiType parameter.
Required: No

Labels
The Kubernetes labels to be applied to the nodes in the node group when they are created.
Required: No
Type: Json

NodegroupName
The unique name to give your node group.
Required: No
Type: String

NodeRole
The IAM role associated with your node group. The Amazon EKS worker node kubelet daemon
makes calls to AWS APIs on your behalf. Worker nodes receive permissions for these API calls
through an IAM instance profile and associated policies. Before you can launch worker nodes and
register them into a cluster, you must create an IAM role for those worker nodes to use when they
are launched. For more information, see Amazon EKS Worker Node IAM Role in the Amazon EKS
User Guide .
Required: Yes

1944
EKS
Type: String

ReleaseVersion
The AMI version of the Amazon EKS-optimized AMI to use with your node group (for example,
1.14.7-YYYYMMDD). By default, the latest available AMI version for the node group's current
Kubernetes version is used. For more information, see Amazon EKS-Optimized Linux AMI Versions in
the Amazon EKS User Guide.
Note
Changing this value triggers an update of the node group if one is available. However,
only the latest available AMI release version is valid as an input. You cannot roll back to a
previous AMI release version.
Required: No
Type: String

RemoteAccess
The remote access (SSH) configuration to use with your node group.
Required: No
Type: RemoteAccess (p. 1947)

ScalingConfig
The scaling configuration details for the Auto Scaling group that is created for your node group.
Required: No
Type: ScalingConfig (p. 1948)

Subnets
The subnets to use for the Auto Scaling group that is created for your node group. These subnets
must have the tag key kubernetes.io/cluster/CLUSTER_NAME with a value of shared, where
CLUSTER_NAME is replaced with the name of your cluster.
Required: Yes

Tags
The metadata to apply to the node group to assist with categorization and organization. Each
tag consists of a key and an optional value, both of which you define. Node group tags do not
propagate to any other resources associated with the node group, such as the Amazon EC2 instances
or subnets.
Required: No
Type: Json

1945
EKS
Version
The Kubernetes version to use for your managed nodes. By default, the Kubernetes version of the
cluster is used, and this is the only accepted specified value.
Required: No
Type: String
Return Values
Ref
name. For example:
{ "Ref": "myNodegroup" }
For the Amazon EKS node group myNodegroup, Ref returns the physical resource ID of the node group.
For example, <cluster_name>/<nodegroup_name>.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) associated with the managed node group.
ClusterName
The name of the cluster that the managed node group resides in.
NodegroupName
The name associated with an Amazon EKS managed node group.
Examples
Create a managed node group
The following example creates an Amazon EKS managed node group called standard in the prod
cluster.
JSON
{
"Resources": {
"EKSNodegroup": {
"Type": "AWS::EKS::Nodegroup",
"Properties": {
"ClusterName": "prod",
"NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole",
"ScalingConfig": {

1946
EKS
"MinSize": 3,
"DesiredSize": 5,
"MaxSize": 7
},
"Labels": {
"Key1": "Value1",
"Key2": "Value2"
},
"Subnets": [
"subnet-6782e71e",
"subnet-e7e761ac"
]
}
}
}
}
YAML
Resources:
EKSNodegroup:
Type: 'AWS::EKS::Nodegroup'
Properties:
ClusterName: prod
NodeRole: 'arn:aws:iam::012345678910:role/eksInstanceRole'
ScalingConfig:
MinSize: 3
DesiredSize: 5
MaxSize: 7
Labels:
Key1: Value1
Key2: Value2
Subnets:
- subnet-6782e71e
- subnet-e7e761ac
See Also
• Managed Node Groups in the Amazon EKS User Guide .
• CreateNodegroup in the Amazon EKS API Reference .
AWS::EKS::Nodegroup RemoteAccess
An object representing the remote access configuration for the managed node group.
Syntax
JSON
{
"Ec2SshKey" : String,
"SourceSecurityGroups" : [ String, ... ]
}
YAML
Ec2SshKey: String

1947
EKS
SourceSecurityGroups:
- String
Properties
Ec2SshKey
The Amazon EC2 SSH key that provides access for SSH communication with the worker nodes in
the managed node group. For more information, see Amazon EC2 Key Pairs in the Amazon Elastic
Compute Cloud User Guide for Linux Instances.
Required: Yes
Type: String

SourceSecurityGroups
The security groups that are allowed SSH access (port 22) to the worker nodes. If you specify an
Amazon EC2 SSH key but do not specify a source security group when you create a managed node
group, then port 22 on the worker nodes is opened to the internet (0.0.0.0/0). For more information,
see Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.
Required: No
AWS::EKS::Nodegroup ScalingConfig
An object representing the scaling configuration details for the Auto Scaling group that is associated
with your node group.
Syntax
JSON
{
"DesiredSize" : Double,
"MaxSize" : Double,
"MinSize" : Double
}
YAML
DesiredSize: Double
MaxSize: Double
MinSize: Double
Properties
DesiredSize
The current number of worker nodes that the managed node group should maintain.
Required: No

1948
ElastiCache
Type: Double

MaxSize
The maximum number of worker nodes that the managed node group can scale out to. Managed
node groups can support up to 100 nodes by default.
Required: No
Type: Double

MinSize
The minimum number of worker nodes that the managed node group can scale in to. This number
must be greater than zero.
Required: No
Type: Double
ElastiCache Resource Type Reference

Resource Types
• AWS::ElastiCache::CacheCluster (p. 1949)

• AWS::ElastiCache::ParameterGroup (p. 1959)
• AWS::ElastiCache::ReplicationGroup (p. 1961)
• AWS::ElastiCache::SecurityGroup (p. 1974)
• AWS::ElastiCache::SecurityGroupIngress (p. 1975)
• AWS::ElastiCache::SubnetGroup (p. 1976)
AWS::ElastiCache::CacheCluster
The AWS::ElastiCache::CacheCluster type creates an Amazon ElastiCache cache cluster.
Syntax
JSON
{
"Type" : "AWS::ElastiCache::CacheCluster",
"Properties" : {
"AZMode" : String,
"CacheNodeType" : String,
"CacheParameterGroupName" : String,
"CacheSecurityGroupNames" : [ String, ... ],
"CacheSubnetGroupName" : String,
"Engine" : String,

1949
ElastiCache
"NotificationTopicArn" : String,
"NumCacheNodes" : Integer,
"Port" : Integer,
"PreferredAvailabilityZone" : String,
"PreferredAvailabilityZones" : [ String, ... ],
"SnapshotArns" : [ String, ... ],
"SnapshotName" : String,
"SnapshotRetentionLimit" : Integer,
"SnapshotWindow" : String,
"Tags" : [ Tag, ... ],
}
}
YAML
Type: AWS::ElastiCache::CacheCluster
Properties:
AZMode: String
CacheNodeType: String
CacheParameterGroupName: String
CacheSecurityGroupNames:
- String
CacheSubnetGroupName: String
ClusterName: String
Engine: String
NotificationTopicArn: String
NumCacheNodes: Integer
Port: Integer
PreferredAvailabilityZone: String
PreferredAvailabilityZones:
- String
SnapshotArns:
- String
SnapshotName: String
SnapshotRetentionLimit: Integer
SnapshotWindow: String
Tags:
- Tag
- String
Properties
This parameter is currently disabled.
Required: No
Type: Boolean

AZMode
Specifies whether the nodes in this Memcached cluster are created in a single Availability Zone or
created across multiple Availability Zones in the cluster's region.

1950
ElastiCache
This parameter is only supported for Memcached clusters.
If the AZMode and PreferredAvailabilityZones are not specified, ElastiCache assumes

single-az mode.
Required: No
Type: String
Allowed Values: cross-az | single-az

CacheNodeType
The compute and memory capacity of the nodes in the node group (shard).
The following node types are supported by ElastiCache. Generally speaking, the current generation
types provide more memory and computational power at lower cost when compared to their
equivalent previous generation counterparts.
• General purpose:
• Current generation:
M5 node types: cache.m5.large, cache.m5.xlarge, cache.m5.2xlarge,

cache.m5.4xlarge, cache.m5.12xlarge, cache.m5.24xlarge

cache.m4.4xlarge, cache.m4.10xlarge
T2 node types: cache.t2.micro, cache.t2.small, cache.t2.medium

• Previous generation: (not recommended)
T1 node types: cache.t1.micro
M1 node types: cache.m1.small, cache.m1.medium, cache.m1.large,

cache.m1.xlarge
M3 node types: cache.m3.medium, cache.m3.large, cache.m3.xlarge,

cache.m3.2xlarge
• Compute optimized:
C1 node types: cache.c1.xlarge

• Memory optimized:
R5 node types: cache.r5.large, cache.r5.xlarge, cache.r5.2xlarge,

cache.r5.4xlarge, cache.r5.12xlarge, cache.r5.24xlarge

M2 node types: cache.m2.xlarge, cache.m2.2xlarge, cache.m2.4xlarge

cache.r3.4xlarge, cache.r3.8xlarge
Additional node type info

1951
ElastiCache
• All current generation instance types are created in Amazon VPC by default.
• Redis append-only files (AOF) are not supported for T1 or T2 instances.
• Redis Multi-AZ with automatic failover is not supported on T1 instances.
• Redis configuration variables appendonly and appendfsync are not supported on Redis version
2.8.22 and later.
Required: Yes
Type: String

CacheParameterGroupName
The name of the parameter group to associate with this cluster. If this argument is omitted, the
default parameter group for the specified engine is used. You cannot use any parameter group which
has cluster-enabled='yes' when creating a cluster.
Required: No
Type: String

CacheSecurityGroupNames
A list of security group names to associate with this cluster.
Use this parameter only when you are creating a cluster outside of an Amazon Virtual Private Cloud
(Amazon VPC).
Required: No

CacheSubnetGroupName
The name of the subnet group to be used for the cluster.
Use this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon
VPC).
Important
If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group
before you start creating a cluster. For more information, see Subnets and Subnet Groups.
Required: No
Type: String

ClusterName
A name for the cache cluster. If you don't specify a name, AWSCloudFormation generates a unique
physical ID and uses that ID for the cache cluster. For more information, see Name Type.
The name must contain 1 to 20 alphanumeric characters or hyphens. The name must start with a
letter and cannot end with a hyphen or contain two consecutive hyphens.
Required: No

1952
ElastiCache
Type: String

Engine
The name of the cache engine to be used for this cluster.
Valid values for this parameter are: memcached | redis
Required: Yes
Type: String

EngineVersion
The version number of the cache engine to be used for this cluster. To view the supported cache
engine versions, use the DescribeCacheEngineVersions operation.
Important: You can upgrade to a newer engine version (see Selecting a Cache Engine and Version),
but you cannot downgrade to an earlier engine version. If you want to use an earlier engine version,
you must delete the existing cluster or replication group and create it anew with the earlier engine
version.
Required: No
Type: String

NotificationTopicArn
The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) topic to which
notifications are sent.
Note
The Amazon SNS topic owner must be the same as the cluster owner.
Required: No
Type: String

NumCacheNodes
The number of cache nodes that the cache cluster should have.
Note
However, if the PreferredAvailabilityZone and PreferredAvailabilityZones
properties were not previously specified and you don't specify any new values, an update
requires replacement.
Required: Yes
Type: Integer

Port
The port number on which each of the cache nodes accepts connections.
Required: No

1953
ElastiCache
Type: Integer

PreferredAvailabilityZone
The EC2 Availability Zone in which the cluster is created.
All nodes belonging to this Memcached cluster are placed in the preferred Availability Zone. If you
want to create your nodes across multiple Availability Zones, use PreferredAvailabilityZones.
Default: System chosen Availability Zone.
Required: No
Type: String

PreferredAvailabilityZones
A list of the Availability Zones in which cache nodes are created. The order of the zones in the list is
not important.
This option is only supported on Memcached.

Note
If you are creating your cluster in an Amazon VPC (recommended) you can only locate nodes
in Availability Zones that are associated with the subnets in the selected subnet group.
The number of Availability Zones listed must equal the value of NumCacheNodes.
If you want all the nodes in the same Availability Zone, use PreferredAvailabilityZone instead,
or repeat the Availability Zone multiple times in the list.
Default: System chosen Availability Zones.
Required: No

Specifies the weekly time range during which maintenance on the cluster is performed. It is specified
as a range in the format ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). The minimum maintenance
window is a 60 minute period. Valid values for ddd are:
window is a 60 minute period.
Valid values for ddd are:

• sun
• mon
• tue
• wed
• thu
• fri
• sat
Example: sun:23:00-mon:01:30

1954
ElastiCache
Required: No
Type: String

SnapshotArns
A single-element string list containing an Amazon Resource Name (ARN) that uniquely identifies a
Redis RDB snapshot file stored in Amazon S3. The snapshot file is used to populate the node group
(shard). The Amazon S3 object name in the ARN cannot contain any commas.
Note
This parameter is only valid if the Engine parameter is redis.
Example of an Amazon S3 ARN: arn:aws:s3:::my_bucket/snapshot1.rdb
Required: No

SnapshotName
The name of a Redis snapshot from which to restore data into the new node group (shard). The
snapshot status changes to restoring while the new node group (shard) is being created.
Note
Required: No
Type: String

SnapshotRetentionLimit
The number of days for which ElastiCache retains automatic snapshots before deleting them. For
example, if you set SnapshotRetentionLimit to 5, a snapshot taken today is retained for 5 days
before being deleted.
Note
Default: 0 (i.e., automatic backups are disabled for this cache cluster).
Required: No
Type: Integer

SnapshotWindow
The daily time range (in UTC) during which ElastiCache begins taking a daily snapshot of your node
group (shard).
Example: 05:00-09:00
If you do not specify this parameter, ElastiCache automatically chooses an appropriate time range.
Note
Required: No

1955
ElastiCache
Type: String

Tags
A list of cost allocation tags to be added to this resource.
Required: No
Type: List of Tag

VpcSecurityGroupIds
One or more VPC security groups associated with the cluster.
Use this parameter only when you are creating a cluster in an Amazon Virtual Private Cloud (Amazon
VPC).
Required: No
Return Values
Ref
name.
Fn::GetAtt
ConfigurationEndpoint.Address
The DNS hostname of the cache node.

Note
Redis (cluster mode disabled) replication groups don't have this attribute. Therefore,
Fn::GetAtt returns a value for this attribute only if the replication group is clustered.
Otherwise, Fn::GetAtt fails.
ConfigurationEndpoint.Port
The port number of the configuration endpoint for the Memcached cache cluster.
RedisEndpoint.Address
The DNS address of the configuration endpoint for the Redis cache cluster.
RedisEndpoint.Port
The port number of the configuration endpoint for the Redis cache cluster.

1956
ElastiCache
Examples
Cluster in a Default VPC
The following snippet describes an Elasticache cluster in a security group that is in a default VPC. Usually,
a security group in a VPC requires the VPC ID to be specified. In this case, no VPC ID is needed because
the security group uses the default VPC. If you want to specify a VPC for the security group, specify its
VpcId property.
For the cache cluster, the VpcSecurityGroupIds property is used to associate the cluster with the
security group. Because the VpcSecurityGroupIds property requires security group IDs (not security
group names), the template snippet uses the Fn::GetAtt function instead of a Ref function on the
ElasticacheSecurityGroup resource. The Ref function will return the security group name. If you
specify a VPC ID for the security group, Ref returns the security group ID.
Note that InstanceSecurityGroup refers to the logical name of a security group that is not
actually defined in this example. To learn more about the SourceSecurityGroupName property, see
AWS::EC2::SecurityGroupIngress.
JSON
{
"ElasticacheSecurityGroup": {
"Properties": {
"GroupDescription": "Elasticache Security Group",
{
"FromPort": "11211",
"ToPort": "11211",
"SourceSecurityGroupName": {
}
}
]
}
},
"ElasticacheCluster": {
"Type": "AWS::ElastiCache::CacheCluster",
"Properties": {
"AutoMinorVersionUpgrade": "true",
"Engine": "memcached",
"CacheNodeType": "cache.t2.micro",
"NumCacheNodes": "1",
"VpcSecurityGroupIds": [
{
"Fn::GetAtt": [
"ElasticacheSecurityGroup",
"GroupId"
]
}
]
}
}
}
YAML
ElasticacheSecurityGroup:

1957
ElastiCache
Properties:
GroupDescription: Elasticache Security Group
- IpProtocol: tcp
FromPort: '11211'
ToPort: '11211'
SourceSecurityGroupName: !Ref InstanceSecurityGroup
ElasticacheCluster:
Type: 'AWS::ElastiCache::CacheCluster'
Properties:
AutoMinorVersionUpgrade: 'true'
Engine: memcached
CacheNodeType: cache.t2.micro
NumCacheNodes: '1'
- !GetAtt
- ElasticacheSecurityGroup
- GroupId
Memcached Nodes in Multiple Availability Zones
The following example launches a cache cluster with three nodes, where two nodes are created in us-
west-2a and one is created in us-west-2b.
JSON
{
"myCacheCluster": {
"Type": "AWS::ElastiCache::CacheCluster",
"Properties": {
"AZMode": "cross-az",
"CacheNodeType": "cache.m3.medium",
"Engine": "memcached",
"NumCacheNodes": "3",
"PreferredAvailabilityZones": [
"us-west-2a",
"us-west-2a",
"us-west-2b"
]
}
}
}
YAML
myCacheCluster:
Type: 'AWS::ElastiCache::CacheCluster'
Properties:
AZMode: cross-az
CacheNodeType: cache.m3.medium
Engine: memcached
NumCacheNodes: '3'
PreferredAvailabilityZones:
- us-west-2a
- us-west-2a
- us-west-2b
See Also
• CreateCacheParameterGroup in the Amazon ElastiCache API Reference Guide
• ModifyCacheParameterGroup in the Amazon ElastiCache API Reference Guide

1958
ElastiCache
AWS::ElastiCache::ParameterGroup
The AWS::ElastiCache::ParameterGroup type creates a new cache parameter group. Cache
parameter groups control the parameters for a cache cluster.
Note
Syntax
JSON
{
"Type" : "AWS::ElastiCache::ParameterGroup",
"Properties" : {
"CacheParameterGroupFamily" : String,
"Properties" : {Key : Value, ...}
}
}
YAML
Type: AWS::ElastiCache::ParameterGroup
Properties:
CacheParameterGroupFamily: String
Description: String
Properties:
Key : Value
Properties
CacheParameterGroupFamily
The name of the cache parameter group family that this cache parameter group is compatible with.
Valid values are: memcached1.4 | memcached1.5 | redis2.6 | redis2.8 | redis3.2 | redis4.0

| redis5.0 |
Required: Yes
Type: String

Description
The description for this cache parameter group.
Required: Yes
Type: String

Properties
A comma-delimited list of parameter name/value pairs. For more information, see

ModifyCacheParameterGroup in the Amazon ElastiCache API Reference Guide.

1959
ElastiCache
For example:
"Properties" : {
"cas_disabled" : "1",
"chunk_size_growth_factor" : "1.02"
}
Required: No
Type: Map of String
Return Values
Ref
name.
Examples
JSON
{
"MyParameterGroup": {
"Type": "AWS::ElastiCache::ParameterGroup",
"Properties": {
"Description": "MyNewParameterGroup",
"CacheParameterGroupFamily": "memcached1.4",
"Properties": {
"cas_disabled": "1",
"chunk_size_growth_factor": "1.02"
}
}
}
}
YAML
MyParameterGroup:
Type: 'AWS::ElastiCache::ParameterGroup'
Properties:
Description: MyNewParameterGroup
CacheParameterGroupFamily: memcached1.4
Properties:
cas_disabled: '1'
chunk_size_growth_factor: '1.02'
See Also
• CreateCacheParameterGroup in the Amazon ElastiCache API Reference Guide
• ModifyCacheParameterGroup in the Amazon ElastiCache API Reference Guide

1960
ElastiCache
AWS::ElastiCache::ReplicationGroup
The AWS::ElastiCache::ReplicationGroup resource creates an Amazon ElastiCache Redis
replication group. A replication group is a collection of cache clusters, where one of the clusters is a
primary read-write cluster and the others are read-only replicas.
Syntax
JSON
{
"Type" : "AWS::ElastiCache::ReplicationGroup",
"Properties" : {
"AtRestEncryptionEnabled" : Boolean,
"AuthToken" : String,
"AutomaticFailoverEnabled" : Boolean,
"CacheNodeType" : String,
"CacheParameterGroupName" : String,
"CacheSecurityGroupNames" : [ String, ... ],
"Engine" : String,
"NodeGroupConfiguration" : [ NodeGroupConfiguration (p. 1973), ... ],
"NotificationTopicArn" : String,
"NumCacheClusters" : Integer,
"NumNodeGroups" : Integer,
"Port" : Integer,
"PreferredCacheClusterAZs" : [ String, ... ],
"PrimaryClusterId" : String,
"ReplicasPerNodeGroup" : Integer,
"ReplicationGroupDescription" : String,
"ReplicationGroupId" : String,
"SnapshotArns" : [ String, ... ],
"SnapshotName" : String,
"SnapshotRetentionLimit" : Integer,
"SnapshottingClusterId" : String,
"SnapshotWindow" : String,
"Tags" : [ Tag, ... ],
"TransitEncryptionEnabled" : Boolean
}
}
YAML
Type: AWS::ElastiCache::ReplicationGroup
Properties:
AtRestEncryptionEnabled: Boolean
AuthToken: String
AutomaticFailoverEnabled: Boolean
CacheNodeType: String
CacheParameterGroupName: String
CacheSecurityGroupNames:
- String
Engine: String

1961
ElastiCache
KmsKeyId: String
NodeGroupConfiguration:
- NodeGroupConfiguration (p. 1973)
NotificationTopicArn: String
NumCacheClusters: Integer
NumNodeGroups: Integer
Port: Integer
PreferredCacheClusterAZs:
- String
PrimaryClusterId: String
ReplicasPerNodeGroup: Integer
ReplicationGroupDescription: String
ReplicationGroupId: String
SecurityGroupIds:
- String
SnapshotArns:
- String
SnapshotName: String
SnapshotRetentionLimit: Integer
SnapshottingClusterId: String
SnapshotWindow: String
Tags:
- Tag
TransitEncryptionEnabled: Boolean
Properties
AtRestEncryptionEnabled
A flag that enables encryption at rest when set to true.
You cannot modify the value of AtRestEncryptionEnabled after the replication group is created.
To enable encryption at rest on a replication group you must set AtRestEncryptionEnabled to
true when you create the replication group.
Required: Only available when creating a replication group in an Amazon VPC using redis version
3.2.6 or 4.x onward.
Default: false
Required: No
Type: Boolean

AuthToken
Reserved parameter. The password used to access a password protected server.
AuthToken can be specified only on replication groups where TransitEncryptionEnabled is

true.
Important
For HIPAA compliance, you must specify TransitEncryptionEnabled as true, an
AuthToken, and a CacheSubnetGroup.
Password constraints:
• Must be only printable ASCII characters.
• Must be at least 16 characters and no more than 128 characters in length.

1962
ElastiCache
• The only permitted printable special characters are !, &, #, $, ^, <, >, and -. Other printable special
characters cannot be used in the AUTH token.
For more information, see AUTH password at http://redis.io/commands/AUTH.
Required: No
Type: String

AutomaticFailoverEnabled
Specifies whether a read-only replica is automatically promoted to read/write primary if the existing
primary fails.
If true, Multi-AZ is enabled for this replication group. If false, Multi-AZ is disabled for this
replication group.
AutomaticFailoverEnabled must be enabled for Redis (cluster mode enabled) replication

groups.
Default: false
Amazon ElastiCache for Redis does not support Multi-AZ with automatic failover on:
• Redis versions earlier than 2.8.6.
• Redis (cluster mode disabled): T1 node types.
• Redis (cluster mode enabled): T1 node types.
Required: No
Type: Boolean

This parameter is currently disabled.
Required: No
Type: Boolean

CacheNodeType
The compute and memory capacity of the nodes in the node group (shard).
The following node types are supported by ElastiCache. Generally speaking, the current generation
types provide more memory and computational power at lower cost when compared to their
equivalent previous generation counterparts.
• General purpose:

cache.m5.4xlarge, cache.m5.12xlarge, cache.m5.24xlarge

cache.m4.4xlarge, cache.m4.10xlarge
T2 node types: cache.t2.micro, cache.t2.small, cache.t2.medium

1963
ElastiCache
T1 node types: cache.t1.micro
M1 node types: cache.m1.small, cache.m1.medium, cache.m1.large,

cache.m1.xlarge
M3 node types: cache.m3.medium, cache.m3.large, cache.m3.xlarge,

cache.m3.2xlarge
• Compute optimized:
C1 node types: cache.c1.xlarge

• Memory optimized:


M2 node types: cache.m2.xlarge, cache.m2.2xlarge, cache.m2.4xlarge

cache.r3.4xlarge, cache.r3.8xlarge
Required: No
Type: String

CacheParameterGroupName
The name of the parameter group to associate with this replication group. If this argument is
omitted, the default cache parameter group for the specified engine is used.
Note
If you are restoring to an engine version that is different than the original,
you must specify the default version of that version. For example,
CacheParameterGroupName=default.redis4.0.
If you are running Redis version 3.2.4 or later, only one node group (shard), and want to use a
default parameter group, we recommend that you specify the parameter group by name.
• To create a Redis (cluster mode disabled) replication group, use
CacheParameterGroupName=default.redis3.2.
• To create a Redis (cluster mode enabled) replication group, use
CacheParameterGroupName=default.redis3.2.cluster.on.
Required: No
Type: String

CacheSecurityGroupNames
A list of cache security group names to associate with this replication group.

1964
ElastiCache
Required: No

The name of the cache subnet group to be used for the replication group.
Important
If you're going to launch your cluster in an Amazon VPC, you need to create a subnet group
before you start creating a cluster. For more information, see Subnets and Subnet Groups.
Required: No
Type: String

Engine
The name of the cache engine to be used for the clusters in this replication group.
Required: No
Type: String

EngineVersion
The version number of the cache engine to be used for the clusters in this replication group. To view
the supported cache engine versions, use the DescribeCacheEngineVersions operation.
Important: You can upgrade to a newer engine version (see Selecting a Cache Engine and Version)
in the ElastiCache User Guide, but you cannot downgrade to an earlier engine version. If you want to
use an earlier engine version, you must delete the existing cluster or replication group and create it
anew with the earlier engine version.
Required: No
Type: String

KmsKeyId
The ID of the KMS key used to encrypt the disk on the cluster.
Required: No
Type: String

NodeGroupConfiguration
NodeGroupConfiguration is a property of the AWS::ElastiCache::ReplicationGroup

resource that configures an Amazon ElastiCache (ElastiCache) Redis cluster node group.
If you set UseOnlineResharding to true, you can update NodeGroupConfiguration without

interruption. When UseOnlineResharding is set to false, or is not specified, updating
NodeGroupConfiguration results in replacement.

1965
ElastiCache
Required: No
Type: List (p. 1973) of NodeGroupConfiguration (p. 1973)

NotificationTopicArn
The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) topic to which
notifications are sent.
Note
The Amazon SNS topic owner must be the same as the cluster owner.
Required: No
Type: String

NumCacheClusters
The number of clusters this replication group initially has.
This parameter is not used if there is more than one node group (shard). You should use
ReplicasPerNodeGroup instead.
If AutomaticFailoverEnabled is true, the value of this parameter must be at least 2. If

AutomaticFailoverEnabled is false you can omit this parameter (it will default to 1), or you
can explicitly set it to a value between 2 and 6.
The maximum permitted value for NumCacheClusters is 6 (1 primary plus 5 replicas).
Required: No
Type: Integer

NumNodeGroups
An optional parameter that specifies the number of node groups (shards) for this Redis (cluster
mode enabled) replication group. For Redis (cluster mode disabled) either omit this parameter or set
it to 1.
If you set UseOnlineResharding to true, you can update NumNodeGroups without interruption.
When UseOnlineResharding is set to false, or is not specified, updating NumNodeGroups
results in replacement.
Default: 1
Required: No
Type: Integer

Port
The port number on which each member of the replication group accepts connections.
Required: No
Type: Integer

1966
ElastiCache

PreferredCacheClusterAZs
A list of EC2 Availability Zones in which the replication group's clusters are created. The order of the
Availability Zones in the list is the order in which clusters are allocated. The primary cluster is created
in the first AZ in the list.
This parameter is not used if there is more than one node group (shard). You should use
NodeGroupConfiguration instead.
Note
If you are creating your replication group in an Amazon VPC (recommended), you can only
locate clusters in Availability Zones associated with the subnets in the selected subnet
group.
The number of Availability Zones listed must equal the value of NumCacheClusters.
Default: system chosen Availability Zones.
Required: No

window is a 60 minute period. Valid values for ddd are:
window is a 60 minute period.
Valid values for ddd are:

• sun
• mon
• tue
• wed
• thu
• fri
• sat
Example: sun:23:00-mon:01:30
Required: No
Type: String

PrimaryClusterId
The identifier of the cluster that serves as the primary for this replication group. This cluster must
already exist and have a status of available.
This parameter is not required if NumCacheClusters, NumNodeGroups, or

ReplicasPerNodeGroup is specified.
Required: No

1967
ElastiCache
Type: String

ReplicasPerNodeGroup
An optional parameter that specifies the number of replica nodes in each node group (shard). Valid
values are 0 to 5.
Required: No
Type: Integer

ReplicationGroupDescription
A user-created description for the replication group.
Required: Yes
Type: String

ReplicationGroupId
The replication group identifier. This parameter is stored as a lowercase string.
Constraints:
• A name must contain from 1 to 40 alphanumeric characters or hyphens.
• A name cannot end with a hyphen or contain two consecutive hyphens.
Required: No
Type: String

SecurityGroupIds
One or more Amazon VPC security groups associated with this replication group.
Use this parameter only when you are creating a replication group in an Amazon Virtual Private
Cloud (Amazon VPC).
Required: No

SnapshotArns
A list of Amazon Resource Names (ARN) that uniquely identify the Redis RDB snapshot files stored
in Amazon S3. The snapshot files are used to populate the new replication group. The Amazon
S3 object name in the ARN cannot contain any commas. The new replication group will have the
number of node groups (console: shards) specified by the parameter NumNodeGroups or the number
of node groups configured by NodeGroupConfiguration regardless of the number of ARNs specified
here.
Example of an Amazon S3 ARN: arn:aws:s3:::my_bucket/snapshot1.rdb

1968
ElastiCache
Required: No

SnapshotName
The name of a snapshot from which to restore data into the new replication group. The snapshot
status changes to restoring while the new replication group is being created.
Required: No
Type: String

SnapshotRetentionLimit
The number of days for which ElastiCache retains automatic snapshots before deleting them. For
example, if you set SnapshotRetentionLimit to 5, a snapshot that was taken today is retained
for 5 days before being deleted.
Default: 0 (i.e., automatic backups are disabled for this cluster).
Required: No
Type: Integer

SnapshottingClusterId
The cluster ID that is used as the daily snapshot source for the replication group. This parameter
cannot be set for Redis (cluster mode enabled) replication groups.
Required: No
Type: String

SnapshotWindow
The daily time range (in UTC) during which ElastiCache begins taking a daily snapshot of your node
group (shard).
Example: 05:00-09:00
If you do not specify this parameter, ElastiCache automatically chooses an appropriate time range.
Required: No
Type: String

Tags
A list of cost allocation tags to be added to this resource. Tags are comma-separated key,value
pairs (e.g. Key=myKey, Value=myKeyValue. You can include multiple tags as shown following:
Key=myKey, Value=myKeyValue Key=mySecondKey, Value=mySecondKeyValue.
Required: No

1969
ElastiCache
Type: List of Tag

TransitEncryptionEnabled
A flag that enables in-transit encryption when set to true.
You cannot modify the value of TransitEncryptionEnabled after the cluster is created. To
enable in-transit encryption on a cluster you must set TransitEncryptionEnabled to true when
you create a cluster.
This parameter is valid only if the Engine parameter is redis, the EngineVersion parameter is
3.2.6 or 4.x or 5.x, and the cluster is being created in an Amazon VPC.
If you enable in-transit encryption, you must also specify a value for CacheSubnetGroup.
Required: Only available when creating a replication group in an Amazon VPC using redis version
3.2.6 or 4.x onward.
Default: false
Important
For HIPAA compliance, you must specify TransitEncryptionEnabled as true, an
AuthToken, and a CacheSubnetGroup.
Required: No
Type: Boolean
Return Values
Ref
name.
Fn::GetAtt
ConfigurationEndPoint.Address
The DNS hostname of the cache node.

Note
Redis (cluster mode disabled) replication groups don't have this attribute. Therefore,
Fn::GetAtt returns a value for this attribute only if the replication group is clustered.
Otherwise, Fn::GetAtt fails.
ConfigurationEndPoint.Port
The port number that the cache engine is listening on.

1970
ElastiCache
PrimaryEndPoint.Address
The DNS address of the primary read-write cache node.

PrimaryEndPoint.Port
The number of the port that the primary read-write cache engine is listening on.
ReadEndPoint.Addresses
A string with a list of endpoints for the read-only replicas. The order of the addresses maps to the
order of the ports from the ReadEndPoint.Ports attribute.
ReadEndPoint.Addresses.List
A string with a list of endpoints for the read-only replicas. The order of the addresses maps to the
order of the ports from the ReadEndPoint.Ports attribute.
ReadEndPoint.Ports
A string with a list of ports for the read-only replicas. The order of the ports maps to the order of the
addresses from the ReadEndPoint.Addresses attribute.
ReadEndPoint.Ports.List
A string with a list of ports for the read-only replicas. The order of the ports maps to the order of the
addresses from the ReadEndPoint.Addresses attribute.
Examples
Declare a Replication Group with Two Nodes
The following example declares a replication group with two nodes and automatic failover enabled.
JSON
{
"myReplicationGroup": {
"Type": "AWS::ElastiCache::ReplicationGroup",
"Properties": {
"ReplicationGroupDescription": "my description",
"NumCacheClusters": "2",
"Engine": "redis",
"CacheNodeType": "cache.m3.medium",
"AutoMinorVersionUpgrade": "true",
"AutomaticFailoverEnabled": "true",
"CacheSubnetGroupName": "subnetgroup",
"PreferredMaintenanceWindow": "wed:09:25-wed:22:30",
"SnapshotRetentionLimit": "4",
"SnapshotWindow": "03:30-05:30"
}
}
}
YAML
myReplicationGroup:
Type: 'AWS::ElastiCache::ReplicationGroup'
Properties:
ReplicationGroupDescription: my description
NumCacheClusters: '2'
Engine: redis

1971
ElastiCache
CacheNodeType: cache.m3.medium
AutoMinorVersionUpgrade: 'true'
AutomaticFailoverEnabled: 'true'
CacheSubnetGroupName: subnetgroup
EngineVersion: 2.8.6
PreferredMaintenanceWindow: 'wed:09:25-wed:22:30'
SnapshotRetentionLimit: '4'
SnapshotWindow: '03:30-05:30'
Declare a Replication Group with Two Node Groups
The following example declares a replication group with two nodes groups (shards) with three replicas in
each group.
JSON
{
"BasicReplicationGroup": {
"Type": "AWS::ElastiCache::ReplicationGroup",
"Properties": {
"AutomaticFailoverEnabled": true,
"AutoMinorVersionUpgrade": true,
"CacheNodeType": "cache.r3.large",
"CacheSubnetGroupName": {
"Ref": "CacheSubnetGroup"
},
"Engine": "redis",
"EngineVersion": "3.2",
"NumNodeGroups": "2",
"ReplicasPerNodeGroup": "3",
"Port": 6379,
"PreferredMaintenanceWindow": "sun:05:00-sun:09:00",
"ReplicationGroupDescription": "A sample replication group",
{
"Ref": "ReplicationGroupSG"
}
],
"SnapshotRetentionLimit": 5,
"SnapshotWindow": "10:00-12:00"
}
}
}
YAML
BasicReplicationGroup:
Type: 'AWS::ElastiCache::ReplicationGroup'
Properties:
AutomaticFailoverEnabled: true
AutoMinorVersionUpgrade: true
CacheNodeType: cache.r3.large
CacheSubnetGroupName: !Ref CacheSubnetGroup
Engine: redis
EngineVersion: '3.2'
NumNodeGroups: '2'
ReplicasPerNodeGroup: '3'
Port: 6379
PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
ReplicationGroupDescription: A sample replication group
SecurityGroupIds:
- !Ref ReplicationGroupSG
SnapshotRetentionLimit: 5

1972
ElastiCache
SnapshotWindow: '10:00-12:00'
See Also
CreateReplicationGroup in the Amazon ElastiCache API Reference Guide
AWS::ElastiCache::ReplicationGroup NodeGroupConfiguration
NodeGroupConfiguration is a property of the AWS::ElastiCache::ReplicationGroup resource
that configures an Amazon ElastiCache (ElastiCache) Redis cluster node group.
Syntax
JSON
{
"NodeGroupId" : String,
"PrimaryAvailabilityZone" : String,
"ReplicaAvailabilityZones" : [ String, ... ],
"ReplicaCount" : Integer,
"Slots" : String
}
YAML
NodeGroupId: String
PrimaryAvailabilityZone: String
ReplicaAvailabilityZones:
- String
ReplicaCount: Integer
Slots: String
Properties
NodeGroupId
Either the ElastiCache for Redis supplied 4-digit id or a user supplied id for the node group these
configuration values apply to.
Required: No
Type: String
Minimum: 1
Maximum: 4
Pattern: \d+

PrimaryAvailabilityZone
The Availability Zone where the primary node of this node group (shard) is launched.
Required: No
Type: String

1973
ElastiCache
ReplicaAvailabilityZones
A list of Availability Zones to be used for the read replicas. The number of Availability Zones in this
list must match the value of ReplicaCount or ReplicasPerNodeGroup if not specified.
Required: No

ReplicaCount
The number of read replica nodes in this node group (shard).
Required: No
Type: Integer

Slots
A string of comma-separated values where the first set of values are the slot numbers (zero based),
and the second set of values are the keyspaces for each slot. The following example specifies three
slots (numbered 0, 1, and 2): 0,1,2,0-4999,5000-9999,10000-16,383.
If you don't specify a value, ElastiCache allocates keys equally among each slot.
When you use an UseOnlineResharding update policy to update the number of node groups
without interruption, ElastiCache evenly distributes the keyspaces between the specified number of
slots. This cannot be updated later. Therefore, after updating the number of node groups in this way,
you should remove the value specified for the Slots property of each NodeGroupConfiguration
from the stack template, as it no longer reflects the actual values in each node group. For more
information, see UseOnlineResharding Policy.
Required: No
Type: String
AWS::ElastiCache::SecurityGroup
The AWS::ElastiCache::SecurityGroup resource creates a cache security group. For more
information about cache security groups, go to CacheSecurityGroups in the Amazon ElastiCache User
Guide or go to CreateCacheSecurityGroup in the Amazon ElastiCache API Reference Guide.
For more information, see CreateCacheSubnetGroup.

Note
Syntax
JSON
{
"Type" : "AWS::ElastiCache::SecurityGroup",
"Properties" : {

1974
ElastiCache
"Description" : String
}
}
YAML
Type: AWS::ElastiCache::SecurityGroup
Properties:
Description: String
Properties
Description
A description for the cache security group.
Required: Yes
Type: String
Return Values
Ref
name.
AWS::ElastiCache::SecurityGroupIngress
The AWS::ElastiCache::SecurityGroupIngress type authorizes ingress to a cache security group from hosts
in specified Amazon EC2 security groups. For more information about ElastiCache security group ingress,
go to AuthorizeCacheSecurityGroupIngress in the Amazon ElastiCache API Reference Guide.
Note
Syntax
JSON
{
"Type" : "AWS::ElastiCache::SecurityGroupIngress",
"Properties" : {
"CacheSecurityGroupName" : String,
"EC2SecurityGroupName" : String,
"EC2SecurityGroupOwnerId" : String
}
}
YAML
Type: AWS::ElastiCache::SecurityGroupIngress

1975
ElastiCache
Properties:
CacheSecurityGroupName: String
EC2SecurityGroupName: String
EC2SecurityGroupOwnerId: String
Properties
CacheSecurityGroupName
The name of the Cache Security Group to authorize.
Required: Yes
Type: String

EC2SecurityGroupName
Name of the EC2 Security Group to include in the authorization.
Required: Yes
Type: String

EC2SecurityGroupOwnerId
Specifies the AWS Account ID of the owner of the EC2 security group specified in the
EC2SecurityGroupName property. The AWS access key ID is not an acceptable value.
Required: No
Type: String
Return Values
Ref
name.
AWS::ElastiCache::SubnetGroup
Creates a cache subnet group. For more information about cache subnet groups, go to Cache Subnet
Groups in the Amazon ElastiCache User Guide or go to CreateCacheSubnetGroup in the Amazon
ElastiCache API Reference Guide.
Syntax
JSON

1976
ElastiCache
"Type" : "AWS::ElastiCache::SubnetGroup",
"Properties" : {
}
}
YAML
Type: AWS::ElastiCache::SubnetGroup
Properties:
Description: String
SubnetIds:
- String
Properties
The name for the cache subnet group. This value is stored as a lowercase string.
Constraints: Must contain no more than 255 alphanumeric characters or hyphens.
Example: mysubnetgroup
Required: No
Type: String

Description
The description for the cache subnet group.
Required: Yes
Type: String

SubnetIds
The EC2 subnet IDs for the cache subnet group.
Required: Yes
Return Values
Ref
name.

1977
Elasticsearch
Examples
JSON
{
"SubnetGroup": {
"Type": "AWS::ElastiCache::SubnetGroup",
"Properties": {
"Description": "Cache Subnet Group",
"SubnetIds": [
{
"Ref": "Subnet1"
},
{
"Ref": "Subnet2"
}
]
}
}
}
YAML
SubnetGroup:
Type: 'AWS::ElastiCache::SubnetGroup'
Properties:
Description: Cache Subnet Group
SubnetIds:
- !Ref Subnet1
- !Ref Subnet2
Elasticsearch Resource Type Reference

Resource Types
• AWS::Elasticsearch::Domain (p. 1978)
AWS::Elasticsearch::Domain
The AWS::Elasticsearch::Domain resource creates an Amazon Elasticsearch Service (Amazon ES) domain
that encapsulates the Amazon ES engine instances.
Syntax
JSON
{
"Type" : "AWS::Elasticsearch::Domain",
"Properties" : {
"AccessPolicies" : Json,
"AdvancedOptions" : {Key : Value, ...},
"CognitoOptions" : CognitoOptions (p. 1987),
"EBSOptions" : EBSOptions (p. 1988),
"ElasticsearchClusterConfig" : ElasticsearchClusterConfig (p. 1989),

1978
Elasticsearch
"ElasticsearchVersion" : String,
"EncryptionAtRestOptions" : EncryptionAtRestOptions (p. 1991),
"LogPublishingOptions" : {Key : Value, ...},
"NodeToNodeEncryptionOptions" : NodeToNodeEncryptionOptions (p. 1993),
"SnapshotOptions" : SnapshotOptions (p. 1993),
"Tags" : [ Tag, ... ],
"VPCOptions" : VPCOptions (p. 1994)
}
}
YAML
Type: AWS::Elasticsearch::Domain
Properties:
AccessPolicies: Json
AdvancedOptions:
Key : Value
CognitoOptions:
CognitoOptions (p. 1987)
DomainName: String
EBSOptions:
EBSOptions (p. 1988)
ElasticsearchClusterConfig:
ElasticsearchClusterConfig (p. 1989)
ElasticsearchVersion: String
EncryptionAtRestOptions:
EncryptionAtRestOptions (p. 1991)
LogPublishingOptions:
Key : Value
NodeToNodeEncryptionOptions:
NodeToNodeEncryptionOptions (p. 1993)
SnapshotOptions:
SnapshotOptions (p. 1993)
Tags:
- Tag
VPCOptions:
VPCOptions (p. 1994)
Properties
AccessPolicies
An AWS Identity and Access Management (IAM) policy document that specifies who can access the
Amazon ES domain and their permissions. For more information, see Configuring Access Policies in
the Amazon Elasticsearch Service Developer Guide.
Required: No
Type: Json

AdvancedOptions
Additional options to specify for the Amazon ES domain. For more information, see Configuring
Advanced Options in the Amazon Elasticsearch Service Developer Guide.
Required: No
Type: Map of String

1979
Elasticsearch
CognitoOptions
Configures Amazon ES to use Amazon Cognito authentication for Kibana.
Required: No
Type: CognitoOptions (p. 1987)

DomainName
A name for the Amazon ES domain. For valid values, see the DomainName data type in the Amazon
Elasticsearch Service Developer Guide. If you don't specify a name, AWS CloudFormation generates a
unique physical ID and uses that ID for the domain name. For more information, see Name Type.
Important
Required: No
Type: String

EBSOptions
The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data
nodes in the Amazon ES domain. For more information, see Configuring EBS-based Storage in the
Amazon Elasticsearch Service Developer Guide.
Required: No
Type: EBSOptions (p. 1988)

ElasticsearchClusterConfig
ElasticsearchClusterConfig is a property of the AWS::Elasticsearch::Domain resource that configures

the cluster of an Amazon Elasticsearch Service (Amazon ES) domain.
Required: No
Type: ElasticsearchClusterConfig (p. 1989)

ElasticsearchVersion
The version of Elasticsearch to use, such as 2.3. If not specified, 1.5 is used as the default. For
information about the versions that Amazon ES supports, see the Elasticsearch-Version parameter
for the CreateElasticsearchDomain action in the Amazon Elasticsearch Service Developer Guide.
If you set the UpgradeElasticsearchVersion update policy to true, you can update
ElasticsearchVersion without interruption. When UpgradeElasticsearchVersion is set to
false, or is not specified, updating ElasticsearchVersion results in replacement.
Required: No
Type: String

1980
Elasticsearch

EncryptionAtRestOptions
Whether the domain should encrypt data at rest, and if so, the AWS Key Management Service (KMS)
key to use. Can only be used to create a new domain, not update an existing one.
Required: No
Type: EncryptionAtRestOptions (p. 1991)

LogPublishingOptions
Key-value pairs to configure slow log publishing.
Required: No
Type: Map of LogPublishingOption (p. 1992)

NodeToNodeEncryptionOptions
Specifies whether node-to-node encryption is enabled.
Required: No
Type: NodeToNodeEncryptionOptions (p. 1993)

SnapshotOptions
The automated snapshot configuration for the Amazon ES domain indices.
Required: No
Type: SnapshotOptions (p. 1993)

Tags
An arbitrary set of tags (key–value pairs) to associate with the Amazon ES domain.
Required: No
Type: List of Tag

VPCOptions
The virtual private cloud (VPC) configuration for the Amazon ES domain. For more information,
see VPC Support for Amazon Elasticsearch Service Domains in the Amazon Elasticsearch Service
Developer Guide.
Required: No
Type: VPCOptions (p. 1994)

1981
Elasticsearch
Return Values
Ref
name, such as mystack-elasticsea-abc1d2efg3h4. For more information about using the Ref
function, see Ref.
Fn::GetAtt
Fn::GetAtt returns a value for a specified attribute of this type. For more information, see Fn::GetAtt. The
following are the available attributes and sample return values.
Arn
The Amazon Resource Name (ARN) of the domain, such as arn:aws:es:us-

west-2:123456789012:domain/mystack-elasti-1ab2cdefghij. This returned value is the
same as the one returned by AWS::Elasticsearch::Domain.DomainArn.
DomainArn
The Amazon Resource Name (ARN) of the domain, such as arn:aws:es:us-

west-2:123456789012:domain/mystack-elasti-1ab2cdefghij. This returned value is the
same as the one returned by AWS::Elasticsearch::Domain.Arn.
DomainEndpoint
The domain-specific endpoint that's used to submit index, search, and data upload
requests to an Amazon ES domain, such as search-mystack-elasti-1ab2cdefghij-
ab1c2deckoyb3hofw7wpqa3cm.us-west-2.es.amazonaws.com.
Examples
Create an Amazon ES domain that contains two data nodes and three master nodes
The following example create an Amazon ES domain that contains two data nodes and three master
nodes. Automated snapshots of the indices are taken daily between midnight and 1:00 AM (UTC). The
access policy permits the IAM user es-user to take all Amazon ES actions on the domain, such as
es:UpdateElasticsearchDomainConfig.
JSON
"ElasticsearchDomain":{
"Type":"AWS::Elasticsearch::Domain",
"Properties":{
"DomainName":"test",
"ElasticsearchClusterConfig":{
"DedicatedMasterEnabled":"true",
"InstanceCount":"2",
"ZoneAwarenessEnabled":"true",
"InstanceType":"m3.medium.elasticsearch",
"DedicatedMasterType":"m3.medium.elasticsearch",
"DedicatedMasterCount":"3"
},
"EBSOptions":{
"EBSEnabled":true,
"Iops":0,
"VolumeSize":20,
"VolumeType":"gp2"
},

1982
Elasticsearch
"SnapshotOptions":{
"AutomatedSnapshotStartHour":"0"
},
"AccessPolicies":{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::123456789012:user/es-user"
},
"Action":"es:*",
"Resource":"arn:aws:es:us-east-1:123456789012:domain/test/*"
}
]
},
"AdvancedOptions":{
"rest.action.multi.allow_explicit_index":"true"
}
}
}
YAML
ElasticsearchDomain:
Properties:
DomainName: "test"
DedicatedMasterEnabled: "true"
InstanceCount: "2"
ZoneAwarenessEnabled: "true"
InstanceType: "m3.medium.elasticsearch"
DedicatedMasterType: "m3.medium.elasticsearch"
DedicatedMasterCount: "3"
EBSOptions:
EBSEnabled: true
Iops: 0
VolumeSize: 20
VolumeType: "gp2"
SnapshotOptions:
AutomatedSnapshotStartHour: "0"
AccessPolicies:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
AWS: "arn:aws:iam::123456789012:user/es-user"
Action: "es:*"
Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*"
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
Create a domain with VPC options
The following example creates a domain with VPC options.
JSON
{
"Description": "ElasticsearchDomain resource",

1983
Elasticsearch
"Parameters": {
"DomainName" : {
"Description" : "User defined Elasticsearch Domain name",
"Type" : "String"
},
"ElasticsearchVersion" : {
"Description" : "User defined Elasticsearch Version",
"Type" : "String"
},
"InstanceType" : {
"Type" : "String"
},
"AvailabilityZone" : {
"Type" : "String"
},
"CidrBlock" : {
"Type" : "String"
},
"GroupDescription" : {
"Type" : "String"
},
"SGName" : {
"Type" : "String"
}
},
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": { "Ref": "DomainName" },
"ElasticsearchVersion": { "Ref": "ElasticsearchVersion" },
"ElasticsearchClusterConfig": {
"InstanceCount": "1",
"InstanceType": { "Ref": "InstanceType" }
},
"EBSOptions": {
"EBSEnabled" : "true",
"Iops" : 0,
"VolumeSize" : 10,
"VolumeType" : "standard"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": "0"
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "*"
}]
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true"
},
"Tags": [{
"Key": "foo",
"Value": "bar"
}],
"VPCOptions" : {
"SubnetIds" : [
{"Ref" : "subnet"}
],

1984
Elasticsearch
"SecurityGroupIds" : [
{"Ref" : "mySecurityGroup"}
]
}
}
},
"vpc" : {
"Properties" : {
"CidrBlock" : "10.0.0.0/16"
}
},
"subnet" : {
"Properties" : {
"VpcId" : {"Ref": "vpc"},
"CidrBlock" : {"Ref" : "CidrBlock"},
"AvailabilityZone" : {"Ref" : "AvailabilityZone"}
}
},
"mySecurityGroup": {
"Properties": {
"GroupDescription": {"Ref" : "GroupDescription"},
"VpcId" : {"Ref" : "vpc"},
"GroupName": {"Ref" : "SGName"},
{
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
}
]
}
}
},
"Outputs": {
"DomainArn": {
"Value": {
"Fn::GetAtt": ["ElasticsearchDomain", "DomainArn"]
}
},
"DomainEndpoint": {
"Value": {
"Fn::GetAtt": ["ElasticsearchDomain", "DomainEndpoint"]
}
},
"SecurityGroupId": {
"Value": {
"Ref": "mySecurityGroup"
}
},
"SubnetId": {
"Value": {
"Ref": "subnet"
}
}
}
}
YAML

1985
Elasticsearch
Description: ElasticsearchDomain resource

Parameters:
DomainName:
Description: User defined Elasticsearch Domain name
Type: String
ElasticsearchVersion:
Description: User defined Elasticsearch Version
Type: String
InstanceType:
Type: String
AvailabilityZone:
Type: String
CidrBlock:
Type: String
GroupDescription:
Type: String
SGName:
Type: String
Resources:
ElasticsearchDomain:
Properties:
DomainName: !Ref DomainName
ElasticsearchVersion: !Ref ElasticsearchVersion
InstanceCount: '1'
EBSOptions:
EBSEnabled: 'true'
Iops: 0
VolumeSize: 10
VolumeType: standard
SnapshotOptions:
AutomatedSnapshotStartHour: '0'
AccessPolicies:
Version: 2012-10-17
Statement:
- Effect: Deny
Principal:
AWS: '*'
Action: 'es:*'
Resource: '*'
AdvancedOptions:
rest.action.multi.allow_explicit_index: 'true'
Tags:
- Key: foo
Value: bar
VPCOptions:
SubnetIds:
- !Ref subnet
SecurityGroupIds:
- !Ref mySecurityGroup
vpc:
Type: AWS::EC2::VPC
Properties:
subnet:
Properties:
VpcId: !Ref vpc
CidrBlock: !Ref CidrBlock
AvailabilityZone: !Ref AvailabilityZone
mySecurityGroup:
Properties:
GroupDescription: !Ref GroupDescription

1986
Elasticsearch
VpcId: !Ref vpc

GroupName: !Ref SGName
- FromPort: '443'
IpProtocol: tcp
ToPort: '443'
CidrIp: 0.0.0.0/0
Outputs:
DomainArn:
Value: !GetAtt ElasticsearchDomain.DomainArn
DomainEndpoint:
Value: !GetAtt ElasticsearchDomain.DomainEndpoint
SecurityGroupId:
Value: !Ref mySecurityGroup
SubnetId:
Value: !Ref subnet
AWS::Elasticsearch::Domain CognitoOptions
Configures Amazon ES to use Amazon Cognito authentication for Kibana.
Syntax
JSON
{
"IdentityPoolId" : String,
"RoleArn" : String,
}
YAML
Enabled: Boolean
IdentityPoolId: String
RoleArn: String
UserPoolId: String
Properties
Enabled
Whether to enable or disable Amazon Cognito authentication for Kibana. See Amazon Cognito
Authentication for Kibana.
Required: No
Type: Boolean

IdentityPoolId
The Amazon Cognito identity pool ID that you want Amazon ES to use for Kibana authentication.
Required: No
Type: String

1987
Elasticsearch

RoleArn
The AmazonESCognitoAccess role that allows Amazon ES to configure your user pool and identity
pool.
Required: No
Type: String

UserPoolId
The Amazon Cognito user pool ID that you want Amazon ES to use for Kibana authentication.
Required: No
Type: String
AWS::Elasticsearch::Domain EBSOptions
The configurations of Amazon Elastic Block Store (Amazon EBS) volumes that are attached to data nodes
in the Amazon ES domain. For more information, see Configuring EBS-based Storage in the Amazon
Elasticsearch Service Developer Guide.
Syntax
JSON
{
"EBSEnabled" : Boolean,
"Iops" : Integer,
}
YAML
EBSEnabled: Boolean
Iops: Integer
VolumeSize: Integer
VolumeType: String
Properties
EBSEnabled
Specifies whether Amazon EBS volumes are attached to data nodes in the Amazon ES domain.
Required: No
Type: Boolean

1988
Elasticsearch
Iops
The number of I/O operations per second (IOPS) that the volume supports. This property applies
only to the Provisioned IOPS (SSD) EBS volume type.
Required: No
Type: Integer

VolumeSize
The size (in GiB) of the EBS volume for each data node. The minimum and maximum size of an EBS
volume depends on the EBS volume type and the instance type to which it is attached. For more
information, see Configuring EBS-based Storage in the Amazon Elasticsearch Service Developer Guide.
Required: No
Type: Integer

VolumeType
The EBS volume type to use with the Amazon ES domain, such as standard, gp2, io1, st1, or sc1. For
more information about each type, see Amazon EBS Volume Types in the Amazon EC2 User Guide for
Linux Instances.
Required: No
Type: String
AWS::Elasticsearch::Domain ElasticsearchClusterConfig
The cluster configuration for the Amazon ES domain. You can specify options such as the instance type
and the number of instances. For more information, see Configuring Amazon ES Domains in the Amazon
Syntax
JSON
{
"DedicatedMasterCount" : Integer,
"DedicatedMasterEnabled" : Boolean,
"DedicatedMasterType" : String,
"ZoneAwarenessConfig" : ZoneAwarenessConfig (p. 1995),
"ZoneAwarenessEnabled" : Boolean
}
YAML
DedicatedMasterCount: Integer
DedicatedMasterEnabled: Boolean

1989
Elasticsearch
DedicatedMasterType: String
ZoneAwarenessConfig:
ZoneAwarenessConfig (p. 1995)
ZoneAwarenessEnabled: Boolean
Properties
DedicatedMasterCount
The number of instances to use for the master node. If you specify this property, you must specify
true for the DedicatedMasterEnabled property.
Required: No
Type: Integer

DedicatedMasterEnabled
Indicates whether to use a dedicated master node for the Amazon ES domain. A dedicated master
node is a cluster node that performs cluster management tasks, but doesn't hold data or respond
to data upload requests. Dedicated master nodes offload cluster management tasks to increase the
stability of your search clusters.
Required: No
Type: Boolean

DedicatedMasterType
The hardware configuration of the computer that hosts the dedicated master node, such as
m3.medium.elasticsearch. If you specify this property, you must specify true for the
DedicatedMasterEnabled property. For valid values, see Supported Instance Types in the Amazon
Required: No
Type: String

InstanceCount
The number of data nodes (instances) to use in the Amazon ES domain.
Required: No
Type: Integer

InstanceType
The instance type for your data nodes, such as m3.medium.elasticsearch. For valid values, see
Supported Instance Types in the Amazon Elasticsearch Service Developer Guide.
Required: No
Type: String

1990
Elasticsearch

ZoneAwarenessConfig
Specifies zone awareness configuration options. Only use if ZoneAwarenessEnabled is true.
Required: No
Type: ZoneAwarenessConfig (p. 1995)

ZoneAwarenessEnabled
Indicates whether to enable zone awareness for the Amazon ES domain. When you enable zone
awareness, Amazon ES allocates the nodes and replica index shards that belong to a cluster across
two Availability Zones (AZs) in the same region to prevent data loss and minimize downtime in the
event of node or data center failure. Don't enable zone awareness if your cluster has no replica index
shards or is a single-node cluster. For more information, see Enabling Zone Awareness in the Amazon
Required: No
Type: Boolean
AWS::Elasticsearch::Domain EncryptionAtRestOptions
Whether the domain should encrypt data at rest, and if so, the AWS Key Management Service (KMS) key
to use. Can only be used to create a new domain, not update an existing one.
Syntax
JSON
{
"KmsKeyId" : String
}
YAML
Enabled: Boolean
KmsKeyId: String
Properties
Enabled
Specify true to enable encryption at rest.
Required: No
Type: Boolean

1991
Elasticsearch
KmsKeyId
The KMS key ID. Takes the form 1a2a3a4-1a2a-3a4a-5a6a-1a2a3a4a5a6a.
Required: No
Type: String
See Also
• CreateElasticsearchDomain in the Amazon Elasticsearch Service Developer Guide.
AWS::Elasticsearch::Domain LogPublishingOption
Specifies whether the Amazon ES domain publishes the Elasticsearch application and slow logs to
Amazon CloudWatch. You still have to enable the collection of slow logs using the Elasticsearch REST API.
To learn more, see Setting Elasticsearch Logging Thresholds for Slow Logs.
Syntax
JSON
{
"CloudWatchLogsLogGroupArn" : String,
"Enabled" : Boolean
}
YAML
CloudWatchLogsLogGroupArn: String
Enabled: Boolean
Properties
CloudWatchLogsLogGroupArn
Specifies the CloudWatch log group to publish to.
Required: No
Type: String

Enabled
If true, enables the publishing of logs to CloudWatch.
Default: false.
Required: No
Type: Boolean

1992
Elasticsearch
AWS::Elasticsearch::Domain NodeToNodeEncryptionOptions
Specifies whether node-to-node encryption is enabled.
Syntax
JSON
{
"Enabled" : Boolean
}
YAML
Enabled: Boolean
Properties
Enabled
Specifies whether node-to-node encryption is enabled, as a Boolean.
Required: No
Type: Boolean
AWS::Elasticsearch::Domain SnapshotOptions
The automated snapshot configuration for the Amazon ES domain indices.
Syntax
JSON
{
"AutomatedSnapshotStartHour" : Integer
}
YAML
AutomatedSnapshotStartHour: Integer
Properties
AutomatedSnapshotStartHour
The hour in UTC during which the service takes an automated daily snapshot of the indices in
the Amazon ES domain. For example, if you specify 0, Amazon ES takes an automated snapshot
everyday between midnight and 1 am. You can specify a value between 0 and 23.

1993
Elasticsearch
Required: No
Type: Integer
AWS::Elasticsearch::Domain VPCOptions
The virtual private cloud (VPC) configuration for the Amazon ES domain. For more information, see VPC
Support for Amazon Elasticsearch Service Domains in the Amazon Elasticsearch Service Developer Guide.
Syntax
JSON
{
}
YAML
SecurityGroupIds:
- String
SubnetIds:
- String
Properties
SecurityGroupIds
The list of security group IDs that are associated with the VPC endpoints for the domain. If you don't
provide a security group ID, Amazon ES uses the default security group for the VPC. To learn more,
see Security Groups for your VPC in the Amazon VPC User Guide.
Required: No

SubnetIds
Provide one subnet ID for each Availability Zone that your domain uses. For example, you must
specify three subnet IDs for a three Availability Zone domain. To learn more, see VPCs and Subnets
in the Amazon VPC User Guide.
Required: No
See Also
• VPC Support for Amazon Elasticsearch Service Domains in the Amazon Elasticsearch Service Developer
Guide.

1994
Elastic Beanstalk
AWS::Elasticsearch::Domain ZoneAwarenessConfig
Specifies zone awareness configuration options. Only use if ZoneAwarenessEnabled is true.
Syntax
JSON
{
"AvailabilityZoneCount" : Integer
}
YAML
AvailabilityZoneCount: Integer
Properties
AvailabilityZoneCount
If you enabled multiple Availability Zones (AZs), the number of AZs that you want the domain to use.
Valid values are 2 and 3. Default is 2.
Required: No
Type: Integer
AWS Elastic Beanstalk Resource Type Reference

Resource Types
• AWS::ElasticBeanstalk::Application (p. 1995)

• AWS::ElasticBeanstalk::ApplicationVersion (p. 2001)
• AWS::ElasticBeanstalk::ConfigurationTemplate (p. 2004)
• AWS::ElasticBeanstalk::Environment (p. 2009)
AWS::ElasticBeanstalk::Application
The AWS::ElasticBeanstalk::Application resource is an AWS Elastic Beanstalk resource type that specifies
an Elastic Beanstalk application.
Syntax
JSON
{
"Type" : "AWS::ElasticBeanstalk::Application",

1995
Elastic Beanstalk
"Properties" : {
"ResourceLifecycleConfig" : ApplicationResourceLifecycleConfig (p. 1997)
}
}
YAML
Properties:
Description: String
ResourceLifecycleConfig:
ApplicationResourceLifecycleConfig (p. 1997)
Properties
ApplicationName
A name for the Elastic Beanstalk application. If you don't specify a name, AWS CloudFormation
generates a unique physical ID and uses that ID for the application name. For more information, see
Name Type.
Important
Required: No
Type: String
Minimum: 1
Maximum: 100

Description
Your description of the application.
Required: No
Type: String
Maximum: 200

ResourceLifecycleConfig
Specifies an application resource lifecycle configuration to prevent your application from

accumulating too many versions.
Required: No
Type: ApplicationResourceLifecycleConfig (p. 1997)

1996
Elastic Beanstalk
Return Values
Ref
name.
Examples
JSON
{
"Type" : "AWS::ElasticBeanstalk::Application",
"Properties" : {
"ApplicationName" : "SampleAWSElasticBeanstalkApplication",
"Description" : "AWS Elastic Beanstalk PHP Sample Application"
}
}
YAML
Properties:
ApplicationName: "SampleAWSElasticBeanstalkApplication"
Description: "AWS Elastic Beanstalk PHP Sample Application"
See Also
• For a complete Elastic Beanstalk sample template, see Elastic Beanstalk Template Snippets.
AWS::ElasticBeanstalk::Application ApplicationResourceLifecycleConfig
The resource lifecycle configuration for an application. Defines lifecycle settings for resources that
belong to the application, and the service role that Elastic Beanstalk assumes in order to apply lifecycle
settings. The version lifecycle configuration defines lifecycle settings for application versions.
ApplicationResourceLifecycleConfig is a property of the AWS::ElasticBeanstalk::Application

resource.
Syntax
JSON
{
"VersionLifecycleConfig" : ApplicationVersionLifecycleConfig (p. 1998)
}
YAML
ServiceRole: String

1997
Elastic Beanstalk
VersionLifecycleConfig:
ApplicationVersionLifecycleConfig (p. 1998)
Properties
ServiceRole
The ARN of an IAM service role that Elastic Beanstalk has permission to assume.
The ServiceRole property is required the first time that you provide a
ResourceLifecycleConfig for the application. After you provide it once, Elastic Beanstalk
persists the Service Role with the application, and you don't need to specify it again. You can,
however, specify it in subsequent updates to change the Service Role to another value.
Required: No
Type: String

VersionLifecycleConfig
Defines lifecycle settings for application versions.
Required: No
Type: ApplicationVersionLifecycleConfig (p. 1998)
AWS::ElasticBeanstalk::Application ApplicationVersionLifecycleConfig
The application version lifecycle settings for an application. Defines the rules that Elastic Beanstalk
applies to an application's versions in order to avoid hitting the per-region limit for application versions.
When Elastic Beanstalk deletes an application version from its database, you can no longer deploy that
version to an environment. The source bundle remains in S3 unless you configure the rule to delete it.
ApplicationVersionLifecycleConfig is a property of the ApplicationResourceLifecycleConfig

property type.
Syntax
JSON
{
"MaxAgeRule" : MaxAgeRule (p. 1999),
"MaxCountRule" : MaxCountRule (p. 2000)
}
YAML
MaxAgeRule:
MaxAgeRule (p. 1999)
MaxCountRule:
MaxCountRule (p. 2000)

1998
Elastic Beanstalk
Properties
MaxAgeRule
Specify a max age rule to restrict the length of time that application versions are retained for an
application.
Required: No
Type: MaxAgeRule (p. 1999)

MaxCountRule
Specify a max count rule to restrict the number of application versions that are retained for an
application.
Required: No
Type: MaxCountRule (p. 2000)
AWS::ElasticBeanstalk::Application MaxAgeRule
A lifecycle rule that deletes application versions after the specified number of days.
MaxAgeRule is a property of the ApplicationVersionLifecycleConfig property type.
Syntax
JSON
{
"DeleteSourceFromS3" : Boolean,
"MaxAgeInDays" : Integer
}
YAML
DeleteSourceFromS3: Boolean
Enabled: Boolean
MaxAgeInDays: Integer
Properties
DeleteSourceFromS3
Set to true to delete a version's source bundle from Amazon S3 when Elastic Beanstalk deletes the
application version.
Required: No
Type: Boolean

1999
Elastic Beanstalk
Enabled
Specify true to apply the rule, or false to disable it.
Required: No
Type: Boolean

MaxAgeInDays
Specify the number of days to retain an application versions.
Required: No
Type: Integer
AWS::ElasticBeanstalk::Application MaxCountRule
A lifecycle rule that deletes the oldest application version when the maximum count is exceeded.
MaxCountRule is a property of the ApplicationVersionLifecycleConfig property type.
Syntax
JSON
{
"DeleteSourceFromS3" : Boolean,
"MaxCount" : Integer
}
YAML
DeleteSourceFromS3: Boolean
Enabled: Boolean
MaxCount: Integer
Properties
DeleteSourceFromS3
Set to true to delete a version's source bundle from Amazon S3 when Elastic Beanstalk deletes the
Required: No
Type: Boolean

Enabled
Specify true to apply the rule, or false to disable it.

2000
Elastic Beanstalk
Required: No
Type: Boolean

MaxCount
Specify the maximum number of application versions to retain.
Required: No
Type: Integer
AWS::ElasticBeanstalk::ApplicationVersion
The AWS::ElasticBeanstalk::ApplicationVersion resource is an AWS Elastic Beanstalk resource type that
specifies an application version, an iteration of deployable code, for an Elastic Beanstalk application.
Note
After you create an application version with a specified Amazon S3 bucket and key location, you
can't change that Amazon S3 location. If you change the Amazon S3 location, an attempt to
launch an environment from the application version will fail.
Syntax
JSON
{
"Type" : "AWS::ElasticBeanstalk::ApplicationVersion",
"Properties" : {
"SourceBundle" : SourceBundle (p. 2003)
}
}
YAML
Properties:
Description: String
SourceBundle:
SourceBundle (p. 2003)
Properties
ApplicationName
The name of the Elastic Beanstalk application that is associated with this application version.
Required: Yes
Type: String

2001
Elastic Beanstalk
Minimum: 1
Maximum: 100

Description
A description of this application version.
Required: No
Type: String
Maximum: 200

SourceBundle
The Amazon S3 bucket and key that identify the location of the source bundle for this version.
Note
The Amazon S3 bucket must be in the same region as the environment.
Required: Yes
Type: SourceBundle (p. 2003)
Return Values
Ref
name.
Examples
JSON
"myAppVersion": {
"Type" : "AWS::ElasticBeanstalk::ApplicationVersion",
"Properties" : {
"ApplicationName" : {"Ref" : "myApp"},
"Description" : "my sample version",
"SourceBundle" : {
"S3Bucket" : { "Fn::Join" :
["-", [ "elasticbeanstalk-samples", { "Ref" : "AWS::Region" } ] ] },
"S3Key" : "php-newsample-app.zip"
}
}
}
YAML
myAppVersion:

2002
Elastic Beanstalk
Properties:
ApplicationName:
Ref: "myApp"
Description: "my sample version"
SourceBundle:
S3Bucket:
Fn::Join:
- "-"
-
- "elasticbeanstalk-samples"
S3Key: "php-newsample-app.zip"
See Also
AWS::ElasticBeanstalk::ApplicationVersion SourceBundle
The SourceBundle property is an embedded property of the AWS::ElasticBeanstalk::ApplicationVersion
resource. It specifies the Amazon S3 location of the source bundle for an AWS Elastic Beanstalk
Syntax
JSON
{
"S3Bucket" : String,
"S3Key" : String
}
YAML
S3Bucket: String
S3Key: String
Properties
S3Bucket
The Amazon S3 bucket where the data is located.
Required: Yes
Type: String
Maximum: 255

S3Key
The Amazon S3 key where the data is located.
Required: Yes
Type: String

2003
Elastic Beanstalk
Maximum: 1024
AWS::ElasticBeanstalk::ConfigurationTemplate
The AWS::ElasticBeanstalk::ConfigurationTemplate resource is an AWS Elastic Beanstalk resource type
that specifies an Elastic Beanstalk configuration template, associated with a specific Elastic Beanstalk
application. You define application configuration settings in a configuration template. You can then use
the configuration template to deploy different versions of the application with the same configuration
settings.
Note
The Elastic Beanstalk console and documentation often refer to configuration templates as
saved configurations. When you set configuration options in a saved configuration (configuration
template), Elastic Beanstalk applies them with a particular precedence as part of applying
options from multiple sources. For more information, see Configuration Options in the AWS
Elastic Beanstalk Developer Guide.
Syntax
JSON
{
"Type" : "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Properties" : {
"EnvironmentId" : String,
"OptionSettings" : [ ConfigurationOptionSetting (p. 2007), ... ],
"PlatformArn" : String,
"SolutionStackName" : String,
"SourceConfiguration" : SourceConfiguration (p. 2008)
}
}
YAML
Properties:
Description: String
EnvironmentId: String
OptionSettings:
- ConfigurationOptionSetting (p. 2007)
PlatformArn: String
SolutionStackName: String
SourceConfiguration:
SourceConfiguration (p. 2008)
Properties
ApplicationName
The name of the Elastic Beanstalk application to associate with this configuration template.
Required: Yes

2004
Elastic Beanstalk
Type: String
Minimum: 1
Maximum: 100

Description
An optional description for this configuration.
Required: No
Type: String
Maximum: 200

EnvironmentId
The ID of an environment whose settings you want to use to create the configuration template.
You must specify EnvironmentId if you don't specify PlatformArn, SolutionStackName, or
SourceConfiguration.
Type: String

OptionSettings
Option values for the Elastic Beanstalk configuration, such as the instance type. If specified, these
values override the values obtained from the solution stack or the source configuration template.
For a complete list of Elastic Beanstalk configuration options, see Option Values in the AWS Elastic
Beanstalk Developer Guide.
Required: No
Type: List of ConfigurationOptionSetting (p. 2007)

PlatformArn
The Amazon Resource Name (ARN) of the custom platform. For more information, see Custom
Platforms in the AWS Elastic Beanstalk Developer Guide.
Note
If you specify PlatformArn, then don't specify SolutionStackName.
Required: No
Type: String

SolutionStackName
The name of an Elastic Beanstalk solution stack (platform version) that this configuration uses.
For example, 64bit Amazon Linux 2013.09 running Tomcat 7 Java 7. A solution stack
specifies the operating system, runtime, and application server for a configuration template. It also
determines the set of configuration options as well as the possible and default values. For more
information, see Supported Platforms in the AWS Elastic Beanstalk Developer Guide.

2005
Elastic Beanstalk
You must specify SolutionStackName if you don't specify PlatformArn, EnvironmentId, or

Use the ListAvailableSolutionStacks API to obtain a list of available solution stacks.
Type: String

SourceConfiguration
An Elastic Beanstalk configuration template to base this one on. If specified, Elastic Beanstalk uses
the configuration values from the specified configuration template to create a new configuration.
Values specified in OptionSettings override any values obtained from the

You must specify SourceConfiguration if you don't specify PlatformArn, EnvironmentId, or

SolutionStackName.
Constraint: If both solution stack name and source configuration are specified, the solution stack of
the source configuration template must match the specified solution stack name.
Type: SourceConfiguration (p. 2008)
Return Values
Ref
name.
Examples
JSON
"myConfigTemplate" : {
"Type" : "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Properties" : {
"ApplicationName" :{"Ref" : "myApp"},
"Description" : "my sample configuration template",
"EnvironmentId" : "",
"SourceConfiguration" : {
"ApplicationName" : {"Ref" : "mySecondApp"},
"TemplateName" : {"Ref" : "mySourceTemplate"}
},
"SolutionStackName" : "64bit Amazon Linux running PHP 5.3",
"OptionSettings" : [ {
"Namespace" : "aws:autoscaling:launchconfiguration",
"OptionName" : "EC2KeyName",
"Value" : { "Ref" : "KeyName" }
} ]
}

2006
Elastic Beanstalk
YAML
myConfigTemplate:
Properties:
ApplicationName:
Ref: "myApp"
Description: "my sample configuration template"
EnvironmentId: ""
SourceConfiguration:
ApplicationName:
Ref: "mySecondApp"
TemplateName:
Ref: "mySourceTemplate"
SolutionStackName: "64bit Amazon Linux running PHP 5.3"
OptionSettings:
-
Namespace: "aws:autoscaling:launchconfiguration"
OptionName: "EC2KeyName"
Value:
Ref: "KeyName"
See Also
• AWS::ElasticBeanstalk::Application
• Configuration Options in the AWS Elastic Beanstalk Developer Guide
AWS::ElasticBeanstalk::ConfigurationTemplate ConfigurationOptionSetting
The ConfigurationOptionSetting property type specifies an option for an AWS Elastic Beanstalk
configuration template.
The OptionSettings property of the AWS::ElasticBeanstalk::ConfigurationTemplate resource contains

a list of ConfigurationOptionSetting property types.
For a list of possible namespaces and option values, see Option Values in the AWS Elastic Beanstalk
Developer Guide.
Syntax
JSON
{
"OptionName" : String,
"ResourceName" : String,
"Value" : String
}
YAML
Namespace: String
OptionName: String

2007
Elastic Beanstalk
ResourceName: String
Value: String
Properties
Namespace
A unique namespace that identifies the option's associated AWS resource.
Required: Yes
Type: String

OptionName
The name of the configuration option.
Required: Yes
Type: String

ResourceName
A unique resource name for the option setting. Use it for a time–based scaling configuration option.
Required: No
Type: String
Minimum: 1
Maximum: 256

Value
The current value for the configuration option.
Required: No
Type: String
See Also
• ConfigurationOptionSetting in the AWS Elastic Beanstalk API Reference

AWS::ElasticBeanstalk::ConfigurationTemplate SourceConfiguration
An AWS Elastic Beanstalk configuration template to base a new one on. You can use it to define a
AWS::ElasticBeanstalk::ConfigurationTemplate resource.
Syntax

2008
Elastic Beanstalk
JSON
{
"TemplateName" : String
}
YAML
TemplateName: String
Properties
ApplicationName
The name of the application associated with the configuration.
Required: Yes
Type: String
Minimum: 1
Maximum: 100

TemplateName
The name of the configuration template.
Required: Yes
Type: String
Minimum: 1
Maximum: 100
AWS::ElasticBeanstalk::Environment
The AWS::ElasticBeanstalk::Environment resource is an AWS Elastic Beanstalk resource type that specifies
an Elastic Beanstalk environment.
Syntax
JSON
{
"Type" : "AWS::ElasticBeanstalk::Environment",
"Properties" : {
"CNAMEPrefix" : String,

2009
Elastic Beanstalk
"EnvironmentName" : String,
"OptionSettings" : [ OptionSetting (p. 2022), ... ],
"PlatformArn" : String,
"SolutionStackName" : String,
"Tags" : [ Tag, ... ],
"TemplateName" : String,
"Tier" : Tier (p. 2023),
"VersionLabel" : String
}
}
YAML
Properties:
CNAMEPrefix: String
Description: String
EnvironmentName: String
OptionSettings:
- OptionSetting (p. 2022)
PlatformArn: String
SolutionStackName: String
Tags:
- Tag
TemplateName: String
Tier:
Tier (p. 2023)
VersionLabel: String
Properties
ApplicationName
The name of the application that is associated with this environment.
Required: Yes
Type: String
Minimum: 1
Maximum: 100

CNAMEPrefix
If specified, the environment attempts to use this value as the prefix for the CNAME in your Elastic
Beanstalk environment URL. If not specified, the CNAME is generated automatically by appending a
random alphanumeric string to the environment name.
Required: No
Type: String
Minimum: 4
Maximum: 63

2010
Elastic Beanstalk
Description
Your description for this environment.
Required: No
Type: String
Maximum: 200

EnvironmentName
A unique name for the environment.
Constraint: Must be from 4 to 40 characters in length. The name can contain only letters, numbers,
and hyphens. It can't start or end with a hyphen. This name must be unique within a region in your
account.
If you don't specify the CNAMEPrefix parameter, the environment name becomes part of the
CNAME, and therefore part of the visible URL for your application.
If you don't specify an environment name, AWS CloudFormation generates a unique physical ID and
uses that ID for the environment name. For more information, see Name Type.
Important
Required: No
Type: String
Minimum: 4
Maximum: 40

OptionSettings
Key-value pairs defining configuration options for this environment, such as the instance type. These
options override the values that are defined in the solution stack or the configuration template. If
you remove any options during a stack update, the removed options retain their current values.
Required: Yes. The IamInstanceProfile option is required.
Required: No
Type: List of OptionSetting (p. 2022)

PlatformArn
The Amazon Resource Name (ARN) of the custom platform to use with the environment. For more
information, see Custom Platforms in the AWS Elastic Beanstalk Developer Guide.
Note
If you specify PlatformArn, don't specify SolutionStackName.
Required: No

2011
Elastic Beanstalk
Type: String

SolutionStackName
The name of an Elastic Beanstalk solution stack (platform version) to use with the environment.
If specified, Elastic Beanstalk sets the configuration values to the default values associated with
the specified solution stack. For a list of current solution stacks, see Elastic Beanstalk Supported
Platforms in the AWS Elastic Beanstalk Platforms guide.
Note
If you specify SolutionStackName, don't specify PlatformArn or TemplateName.
Required: No
Type: String

Tags
Specifies the tags applied to resources in the environment.
Required: No
Type: List of Tag

TemplateName
The name of the Elastic Beanstalk configuration template to use with the environment.
Note
If you specify TemplateName, then don't specify SolutionStackName.
Required: No
Type: String
Minimum: 1
Maximum: 100

Tier
Specifies the tier to use in creating this environment. The environment tier that you choose
determines whether Elastic Beanstalk provisions resources to support a web application that handles
HTTP(S) requests or a web application that handles background-processing tasks.
Required: No
Type: Tier (p. 2023)

VersionLabel
The name of the application version to deploy.
Default: If not specified, Elastic Beanstalk attempts to deploy the sample application.
Required: No

2012
Elastic Beanstalk
Type: String
Minimum: 1
Maximum: 100
Return Values
Ref
name.
Fn::GetAtt
EndpointURL
For load-balanced, autoscaling environments, the URL to the load balancer. For single-instance
environments, the IP address of the instance.
Example load balancer URL:
awseb-myst-myen-132MQC4KRLAMD-1371280482.us-east-2.elb.amazonaws.com
Example instance IP address:
192.0.2.0
Examples
Simple Environment
JSON
{
"Properties" : {
"ApplicationName" : { "Ref" : "sampleApplication" },
"Description" : "AWS Elastic Beanstalk Environment running PHP Sample Application",
"EnvironmentName" : "SamplePHPEnvironment",
"TemplateName" : "DefaultConfiguration",
"VersionLabel" : "Initial Version"
}
}
YAML

2013
Elastic Beanstalk
Properties:
ApplicationName:
Description: "AWS Elastic Beanstalk Environment running PHP Sample Application"
EnvironmentName: SamplePHPEnvironment
TemplateName: DefaultConfiguration
VersionLabel: "Initial Version"
Environment with Embedded Option Settings
JSON
{
"Properties" : {
"ApplicationName" : { "Ref" : "sampleApplication" },
"Description" : "AWS Elastic Beanstalk Environment running Python Sample
Application",
"EnvironmentName" : "SamplePythonEnvironment",
"SolutionStackName" : "64bit Amazon Linux 2017.03 v2.5.0 running Python 2.7",
"OptionSettings" : [ {
"Namespace" : "aws:autoscaling:launchconfiguration",
"OptionName" : "EC2KeyName",
"Value" : { "Ref" : "KeyName" }
} ],
"VersionLabel" : "Initial Version"
}
}
YAML
Properties:
ApplicationName:
Description: "AWS Elastic Beanstalk Environment running Python Sample Application"
EnvironmentName: SamplePythonEnvironment
SolutionStackName: "64bit Amazon Linux 2017.03 v2.5.0 running Python 2.7"
OptionSettings:
-
Namespace: "aws:autoscaling:launchconfiguration"
OptionName: EC2KeyName
Value:
Ref: KeyName
VersionLabel: "Initial Version"
Custom or Supported Platform
The following example contains parameters that enable specifying PlatformArn for a custom platform
or SolutionStackName for a supported platform when creating the stack.
JSON
{
"Description": "Elasticbeanstalk test template",
"Parameters": {
"BeanstalkService": {
"Type": "String"
},
"Ec2Service": {

2014
Elastic Beanstalk
"Type": "String"
},
"Partition":{
"Type": "String"
},
"SolutionStackName": {
"Type": "String"
},
"PlatformArn": {
"Type": "String"
}
},
"Resources": {
"Application": {
"Properties": {
"ApplicationVersions": [
{
"Description": "Version 1.0",
"SourceBundle": {
"S3Bucket": {
"Fn::Join": ["", ["elasticbeanstalk-samples-", {"Ref": "AWS::Region"}]]
},
"S3Key": "python-sample-20150402.zip"
},
"VersionLabel": "Initial Version"
}
],
"Description": "AWS Elastic Beanstalk Python Sample Application"
},
"Type": "AWS::ElasticBeanstalk::Application"
},
"Environment": {
"Properties": {
},
"Description": "AWS Elastic Beanstalk Environment running Python Sample
Application",
"PlatformArn": { "Ref" : "PlatformArn"},
"SolutionStackName": {
"Ref": "SolutionStackName"
},
"VersionLabel": "Initial Version",
"OptionSettings": [
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "IamInstanceProfile",
"Value": {
"Ref": "InstanceProfile"
}
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "ServiceRole",
"Value": {
"Ref": "ServiceRole"
}
}
]
},
"Type": "AWS::ElasticBeanstalk::Environment"
},
"ServiceRole": {
"Properties": {

2015
Elastic Beanstalk
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": {"Ref": "BeanstalkService"}
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "elasticbeanstalk"
}
}
}
]
},
"Policies": [
{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeInstanceHealth",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:GetConsoleOutput",
"ec2:AssociateAddress",
"ec2:DescribeAddresses",
"ec2:DescribeSecurityGroups",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeScalingActivities",
"autoscaling:DescribeNotificationConfigurations"
],
"Resource": [
"*"
]
}
]
}
}
],
"Path": "/"
}
},
"InstanceProfile": {
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "InstanceProfileRole"
}
]
}
},
"InstanceProfileRole": {
"Properties": {

2016
Elastic Beanstalk
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
{"Ref": "Ec2Service"}
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Policies": [
{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BucketAccess",
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "Partition"
},
":s3:::elasticbeanstalk-*-",
{
}
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "Partition"
},
{
},
"/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",

2017
Elastic Beanstalk
{
"Ref": "Partition"
},
{
},
"-*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "Partition"
},
{
},
"-*/*"
]
]
}
]
},
{
"Sid": "ECSAccess",
"Effect": "Allow",
"Action": [
"ecs:StartTask",
"ecs:StopTask",
"ecs:RegisterContainerInstance",
"ecs:DeregisterContainerInstance",
"ecs:DescribeContainerInstances",
"ecs:DiscoverPollEndpoint",
"ecs:Submit*",
"ecs:Poll"
],
"Resource": "*"
},
{
"Sid": "QueueAccess",
"Action": [
"sqs:ChangeMessageVisibility",
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "DynamoPeriodicTasks",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:UpdateItem"

2018
Elastic Beanstalk
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "Partition"
},
":dynamodb:*:",
{
},
":table/*-stack-AWSEBWorkerCronLeaderRegistry*"
]
]
}
]
},
{
"Sid": "MetricsAccess",
"Action": [
"cloudwatch:PutMetricData"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
}
],
"Path": "/"
}
}
}
}
YAML
Description: Elasticbeanstalk test template
Parameters:
BeanstalkService:
Type: String
Ec2Service:
Type: String
Partition:
Type: String
SolutionStackName:
Type: String
PlatformArn:
Type: String
Resources:
Application:
Properties:
ApplicationVersions:
- Description: Version 1.0
SourceBundle:
S3Bucket: !Join
- ''
- - elasticbeanstalk-samples-

2019
Elastic Beanstalk
S3Key: python-sample-20150402.zip
VersionLabel: Initial Version
Description: AWS Elastic Beanstalk Python Sample Application
Environment:
Properties:
Description: AWS Elastic Beanstalk Environment running Python Sample Application
PlatformArn: !Ref PlatformArn
SolutionStackName: !Ref SolutionStackName
VersionLabel: Initial Version
OptionSettings:
- Namespace: 'aws:autoscaling:launchconfiguration'
OptionName: IamInstanceProfile
Value: !Ref InstanceProfile
- Namespace: 'aws:elasticbeanstalk:environment'
OptionName: ServiceRole
Value: !Ref ServiceRole
ServiceRole:
Properties:
Version: 2012-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: !Ref BeanstalkService
Condition:
StringEquals:
'sts:ExternalId': elasticbeanstalk
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'elasticloadbalancing:DescribeInstanceHealth'
- 'ec2:DescribeInstances'
- 'ec2:DescribeInstanceStatus'
- 'ec2:GetConsoleOutput'
- 'ec2:AssociateAddress'
- 'ec2:DescribeAddresses'
- 'ec2:DescribeSecurityGroups'
- 'sqs:GetQueueAttributes'
- 'sqs:GetQueueUrl'
- 'autoscaling:DescribeAutoScalingGroups'
- 'autoscaling:DescribeAutoScalingInstances'
- 'autoscaling:DescribeScalingActivities'
- 'autoscaling:DescribeNotificationConfigurations'
Resource:
- '*'
Path: /
InstanceProfile:
Properties:
Path: /
Roles:
- !Ref InstanceProfileRole
InstanceProfileRole:
Properties:

2020
Elastic Beanstalk
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- !Ref Ec2Service
Action:
- 'sts:AssumeRole'
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: BucketAccess
Action:
- 's3:Get*'
- 's3:List*'
- 's3:PutObject'
Effect: Allow
Resource:
- !Join
- ''
- - 'arn:'
- !Ref Partition
- ':s3:::elasticbeanstalk-*-'
- !Join
- ''
- - 'arn:'
- !Ref Partition
- /*
- !Join
- ''
- - 'arn:'
- !Ref Partition
- '-*'
- !Join
- ''
- - 'arn:'
- !Ref Partition
- '-*/*'
- Sid: ECSAccess
Effect: Allow
Action:
- 'ecs:StartTask'
- 'ecs:StopTask'
- 'ecs:RegisterContainerInstance'
- 'ecs:DeregisterContainerInstance'
- 'ecs:DescribeContainerInstances'
- 'ecs:DiscoverPollEndpoint'
- 'ecs:Submit*'
- 'ecs:Poll'
Resource: '*'
- Sid: QueueAccess
Action:
- 'sqs:ChangeMessageVisibility'
- 'sqs:DeleteMessage'
- 'sqs:ReceiveMessage'
- 'sqs:SendMessage'
Effect: Allow

2021
Elastic Beanstalk
Resource: '*'
- Sid: DynamoPeriodicTasks
Action:
- 'dynamodb:BatchGetItem'
- 'dynamodb:BatchWriteItem'
- 'dynamodb:DeleteItem'
- 'dynamodb:GetItem'
- 'dynamodb:PutItem'
- 'dynamodb:Query'
- 'dynamodb:Scan'
- 'dynamodb:UpdateItem'
Effect: Allow
Resource:
- !Join
- ''
- - 'arn:'
- !Ref Partition
- ':dynamodb:*:'
- ':table/*-stack-AWSEBWorkerCronLeaderRegistry*'
- Sid: MetricsAccess
Action:
- 'cloudwatch:PutMetricData'
Effect: Allow
Resource: '*'
Path: /
See Also
• Creating an AWS Elastic Beanstalk Environment in the AWS Elastic Beanstalk Developer Guide
• Managing Environments in the AWS Elastic Beanstalk Developer Guide
AWS::ElasticBeanstalk::Environment OptionSetting
The OptionSetting property type specifies an option for an AWS Elastic Beanstalk environment.
The OptionSettings property of the AWS::ElasticBeanstalk::Environment resource contains a list of

OptionSetting property types.
For a list of possible namespaces and option values, see Option Values in the AWS Elastic Beanstalk
Developer Guide.
Syntax
JSON
{
"OptionName" : String,
"ResourceName" : String,
"Value" : String
}
YAML
Namespace: String

2022
Elastic Beanstalk
OptionName: String
ResourceName: String
Value: String
Properties
Namespace
A unique namespace that identifies the option's associated AWS resource.
Required: Yes
Type: String

OptionName
The name of the configuration option.
Required: Yes
Type: String

ResourceName
A unique resource name for the option setting. Use it for a time–based scaling configuration option.
Required: No
Type: String
Minimum: 1
Maximum: 256

Value
The current value for the configuration option.
Required: No
Type: String
See Also
• ConfigurationOptionSetting in the AWS Elastic Beanstalk API Reference

AWS::ElasticBeanstalk::Environment Tier
Describes the environment tier for an AWS::ElasticBeanstalk::Environment resource. For more
information, see Environment Tiers in the AWS Elastic Beanstalk Developer Guide.

2023
Elastic Beanstalk
Syntax
JSON
{
"Name" : String,
"Type" : String,
"Version" : String
}
YAML
Name: String
Type: String
Version: String
Properties
Name
The name of this environment tier.
Valid values:
• For Web server tier – WebServer
• For Worker tier – Worker
Required: No
Type: String

Type
The type of this environment tier.
Valid values:
• For Web server tier – Standard
• For Worker tier – SQS/HTTP
Required: No
Type: String

Version
The version of this environment tier. When you don't set a value to it, Elastic Beanstalk uses the
latest compatible worker tier version.
Note
This member is deprecated. Any specific version that you set may become out of date. We
recommend leaving it unspecified.
Required: No
Type: String

2024
Elastic Load Balancing Resource Type Reference

Resource Types
• AWS::ElasticLoadBalancing::LoadBalancer (p. 2025)
AWS::ElasticLoadBalancing::LoadBalancer
Specifies a Classic Load Balancer.
You can specify the AvailabilityZones or Subnets property, but not both.
If this resource has a public IP address and is also in a VPC that is defined in the same template, you must
use the DependsOn attribute to declare a dependency on the VPC-gateway attachment.
Syntax
JSON
{
"Properties" : {
"AccessLoggingPolicy" : AccessLoggingPolicy (p. 2030),
"AppCookieStickinessPolicy" : [ AppCookieStickinessPolicy (p. 2031), ... ],
"ConnectionDrainingPolicy" : ConnectionDrainingPolicy (p. 2032),
"ConnectionSettings" : ConnectionSettings (p. 2033),
"CrossZone" : Boolean,
"Instances" : [ String, ... ],
"LBCookieStickinessPolicy" : [ LBCookieStickinessPolicy (p. 2035), ... ],
"Listeners" : [ Listeners (p. 2036), ... ],
"Policies" : [ Policies (p. 2038), ... ],
"Scheme" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Properties:
AccessLoggingPolicy:
AccessLoggingPolicy (p. 2030)
AppCookieStickinessPolicy:
- AppCookieStickinessPolicy (p. 2031)
AvailabilityZones:
- String
ConnectionDrainingPolicy:
ConnectionDrainingPolicy (p. 2032)
ConnectionSettings:
ConnectionSettings (p. 2033)

2025
CrossZone: Boolean
HealthCheck:
Instances:
- String
LBCookieStickinessPolicy:
- LBCookieStickinessPolicy (p. 2035)
Listeners:
- Listeners (p. 2036)
Policies:
- Policies (p. 2038)
Scheme: String
SecurityGroups:
- String
Subnets:
- String
Tags:
- Tag
Properties
AccessLoggingPolicy
Information about where and how access logs are stored for the load balancer.
Required: No
Type: AccessLoggingPolicy (p. 2030)

AppCookieStickinessPolicy
Information about a policy for application-controlled session stickiness.
Required: No
Type: List (p. 2031) of AppCookieStickinessPolicy (p. 2031)

AvailabilityZones
The Availability Zones for the load balancer. For load balancers in a VPC, specify Subnets instead.
Update requires replacement if you did not previously specify an Availability Zone or if you are
removing all Availability Zones. Otherwise, update requires no interruption.
Required: No

ConnectionDrainingPolicy
If enabled, the load balancer allows existing requests to complete before the load balancer shifts
traffic away from a deregistered or unhealthy instance.
For more information, see Configure Connection Draining in the Classic Load Balancers Guide.
Required: No
Type: ConnectionDrainingPolicy (p. 2032)

2026

ConnectionSettings
If enabled, the load balancer allows the connections to remain idle (no data is sent over the
connection) for the specified duration.
By default, Elastic Load Balancing maintains a 60-second idle connection timeout for both front-
end and back-end connections of your load balancer. For more information, see Configure Idle
Connection Timeout in the Classic Load Balancers Guide.
Required: No
Type: ConnectionSettings (p. 2033)

CrossZone
If enabled, the load balancer routes the request traffic evenly across all instances regardless of the
Availability Zones.
For more information, see Configure Cross-Zone Load Balancing in the Classic Load Balancers Guide.
Required: No
Type: Boolean

HealthCheck
The health check settings to use when evaluating the health of your EC2 instances.
Update requires replacement if you did not previously specify health check settings or if you are
removing the health check settings. Otherwise, update requires no interruption.
Required: No

Instances
The IDs of the instances for the load balancer.
Required: No

LBCookieStickinessPolicy
Information about a policy for duration-based session stickiness.
Required: No
Type: List (p. 2035) of LBCookieStickinessPolicy (p. 2035)

Listeners
The listeners for the load balancer. You can specify at most one listener per port.

2027
If you update the properties for a listener, AWS CloudFormation deletes the existing listener and
creates a new one with the specified properties. While the new listener is being created, clients
cannot connect to the load balancer.
Required: Yes
Type: List (p. 2036) of Listeners (p. 2036)

LoadBalancerName
The name of the load balancer. This name must be unique within your set of load balancers for the
region.
If you don't specify a name, AWS CloudFormation generates a unique physical ID for the load
balancer. For more information, see Name Type. If you specify a name, you cannot perform updates
that require replacement of this resource, but you can perform other updates. To replace the
resource, specify a new name.
Required: No
Type: String

Policies
The policies defined for your Classic Load Balancer. Specify only back-end server policies.
Required: No
Type: List (p. 2038) of Policies (p. 2038)

Scheme
The type of load balancer. Valid only for load balancers in a VPC.
If Scheme is internet-facing, the load balancer has a public DNS name that resolves to a public
IP address.
If Scheme is internal, the load balancer has a public DNS name that resolves to a private IP
address.
Required: No
Type: String

SecurityGroups
The security groups for the load balancer. Valid only for load balancers in a VPC.
Required: No

Subnets
The IDs of the subnets for the load balancer. You can specify at most one subnet per Availability
Zone.

2028
Update requires replacement if you did not previously specify a subnet or if you are removing all
subnets. Otherwise, update requires no interruption. To update to a different subnet in the current
Availability Zone, you must first update to a subnet in a different Availability Zone, then update to
the new subnet in the original Availability Zone.
Required: No

Tags
The tags associated with a load balancer.
Required: No
Type: List of Tag
Return Values
Ref
load balancer.
Fn::GetAtt
CanonicalHostedZoneName
The name of the Route 53 hosted zone that is associated with the load balancer. Internal-facing load
balancers don't use this value, use DNSName instead.
CanonicalHostedZoneNameID
The ID of the Route 53 hosted zone name that is associated with the load balancer.
DNSName
The DNS name for the load balancer.

SourceSecurityGroup.GroupName
The name of the security group that you can use as part of your inbound rules for your load
balancer's back-end instances.
SourceSecurityGroup.OwnerAlias
The owner of the source security group.
See Also
• Elastic Load Balancing Template Snippets

2029
• CreateLoadBalancer in the Elastic Load Balancing API Reference (version 2012-06-01)

• ModifyLoadBalancerAttributes in the Elastic Load Balancing API Reference (version 2012-06-01)
• ConfigureHealthCheck in the Elastic Load Balancing API Reference (version 2012-06-01)
• User Guide for Classic Load Balancers
AWS::ElasticLoadBalancing::LoadBalancer AccessLoggingPolicy
Specifies where and how access logs are stored for your Classic Load Balancer.
Syntax
JSON
{
"EmitInterval" : Integer,
"S3BucketPrefix" : String
}
YAML
EmitInterval: Integer
Enabled: Boolean
S3BucketPrefix: String
Properties
EmitInterval
The interval for publishing the access logs. You can specify an interval of either 5 minutes or 60
minutes.
Default: 60 minutes
Required: No
Type: Integer

Enabled
Specifies whether access logs are enabled for the load balancer.
Required: Yes
Type: Boolean

S3BucketName
The name of the Amazon S3 bucket where the access logs are stored.
Required: Yes

2030
Type: String

S3BucketPrefix
The logical hierarchy you created for your Amazon S3 bucket, for example my-bucket-prefix/
prod. If the prefix is not provided, the log is placed at the root level of the bucket.
Required: No
Type: String
See Also

• Access Logs in the User Guide for Classic Load Balancers
AWS::ElasticLoadBalancing::LoadBalancer AppCookieStickinessPolicy
Specifies a policy for application-controlled session stickiness for your Classic Load Balancer.
To associate a policy with a listener, use the PolicyNames property for the listener.
Syntax
JSON
{
"CookieName" : String,
"PolicyName" : String
}
YAML
CookieName: String
PolicyName: String
Properties
CookieName
The name of the application cookie used for stickiness.
Required: Yes
Type: String

PolicyName
The mnemonic name for the policy being created. The name must be unique within a set of policies
for this load balancer.

2031
Required: Yes
Type: String
See Also
• CreateAppCookieStickinessPolicy in the Elastic Load Balancing API Reference (version 2012-06-01)

• Sticky Sessions in the User Guide for Classic Load Balancers
AWS::ElasticLoadBalancing::LoadBalancer ConnectionDrainingPolicy
Specifies the connection draining settings for your Classic Load Balancer.
Syntax
JSON
{
"Timeout" : Integer
}
YAML
Enabled: Boolean
Timeout: Integer
Properties
Enabled
Specifies whether connection draining is enabled for the load balancer.
Required: Yes
Type: Boolean

Timeout
The maximum time, in seconds, to keep the existing connections open before deregistering the
instances.
Required: No
Type: Integer
See Also

2032
• Connection Draining in the User Guide for Classic Load Balancers
AWS::ElasticLoadBalancing::LoadBalancer ConnectionSettings
Specifies the idle timeout value for your Classic Load Balancer.
Syntax
JSON
{
"IdleTimeout" : Integer
}
YAML
IdleTimeout: Integer
Properties
IdleTimeout
The time, in seconds, that the connection is allowed to be idle (no data has been sent over the
connection) before it is closed by the load balancer.
Required: Yes
Type: Integer
Minimum: 1
Maximum: 3600
See Also

• Idle Connection Timeout in the User Guide for Classic Load Balancers
AWS::ElasticLoadBalancing::LoadBalancer HealthCheck
Specifies health check settings for your Classic Load Balancer.
Syntax
JSON
{
"HealthyThreshold" : String,
"Interval" : String,
"Target" : String,

2033
"Timeout" : String,
"UnhealthyThreshold" : String
}
YAML
HealthyThreshold: String
Interval: String
Target: String
Timeout: String
UnhealthyThreshold: String
Properties
HealthyThreshold
The number of consecutive health checks successes required before moving the instance to the
Healthy state.
Required: Yes
Type: String
Minimum: 2
Maximum: 10

Interval
The approximate interval, in seconds, between health checks of an individual instance.
Required: Yes
Type: String
Minimum: 5
Maximum: 300

Target
The instance being checked. The protocol is either TCP, HTTP, HTTPS, or SSL. The range of valid
ports is one (1) through 65535.
TCP is the default, specified as a TCP: port pair, for example "TCP:5000". In this case, a health check
simply attempts to open a TCP connection to the instance on the specified port. Failure to connect
within the configured timeout is considered unhealthy.
SSL is also specified as SSL: port pair, for example, SSL:5000.
For HTTP/HTTPS, you must include a ping path in the string. HTTP is specified as a
HTTP:port;/;PathToPing; grouping, for example "HTTP:80/weather/us/wa/seattle". In this case, a
HTTP GET request is issued to the instance on the given port and path. Any answer other than "200
OK" within the timeout period is considered unhealthy.
The total length of the HTTP ping target must be 1024 16-bit Unicode characters or less.
Required: Yes

2034
Type: String

Timeout
The amount of time, in seconds, during which no response means a failed health check.
This value must be less than the Interval value.
Required: Yes
Type: String
Minimum: 2
Maximum: 60

UnhealthyThreshold
The number of consecutive health check failures required before moving the instance to the
Unhealthy state.
Required: Yes
Type: String
Minimum: 2
Maximum: 10
See Also
• ConfigureHealthCheck in the Elastic Load Balancing API Reference (version 2012-06-01)

• Configure Health Checks in the User Guide for Classic Load Balancers
AWS::ElasticLoadBalancing::LoadBalancer LBCookieStickinessPolicy
Specifies a policy for duration-based session stickiness for your Classic Load Balancer.
To associate a policy with a listener, use the PolicyNames property for the listener.
Syntax
JSON
{
"CookieExpirationPeriod" : String,
}
YAML
CookieExpirationPeriod: String

2035
PolicyName: String
Properties
CookieExpirationPeriod
The time period, in seconds, after which the cookie should be considered stale. If this parameter is
not specified, the stickiness session lasts for the duration of the browser session.
Required: No
Type: String

PolicyName
The name of the policy. This name must be unique within the set of policies for this load balancer.
Required: No
Type: String
See Also
• CreateLBCookieStickinessPolicy in the Elastic Load Balancing API Reference (version 2012-06-01)

• Sticky Sessions in the User Guide for Classic Load Balancers
AWS::ElasticLoadBalancing::LoadBalancer Listeners
Specifies a listener for your Classic Load Balancer.
Syntax
JSON
{
"InstancePort" : String,
"InstanceProtocol" : String,
"LoadBalancerPort" : String,
"PolicyNames" : [ String, ... ],
"SSLCertificateId" : String
}
YAML
InstancePort: String
InstanceProtocol: String
LoadBalancerPort: String
PolicyNames:
- String
Protocol: String
SSLCertificateId: String

2036
Properties
InstancePort
The port on which the instance is listening.
Required: Yes
Type: String
Minimum: 1
Maximum: 65535

InstanceProtocol
The protocol to use for routing traffic to instances: HTTP, HTTPS, TCP, or SSL.
If the front-end protocol is HTTP, HTTPS, TCP, or SSL, InstanceProtocol must be at the same
protocol.
If there is another listener with the same InstancePort whose InstanceProtocol is secure,
(HTTPS or SSL), the listener's InstanceProtocol must also be secure.
If there is another listener with the same InstancePort whose InstanceProtocol is HTTP or
TCP, the listener's InstanceProtocol must be HTTP or TCP.
Required: No
Type: String

LoadBalancerPort
The port on which the load balancer is listening. On EC2-VPC, you can specify any port from the
range 1-65535. On EC2-Classic, you can specify any port from the following list: 25, 80, 443, 465,
587, 1024-65535.
Required: Yes
Type: String

PolicyNames
The names of the policies to associate with the listener.
Required: No

Protocol
The load balancer transport protocol to use for routing: HTTP, HTTPS, TCP, or SSL.
Required: Yes
Type: String

2037

SSLCertificateId
The Amazon Resource Name (ARN) of the server certificate.
Required: No
Type: String
See Also
• CreateLoadBalancerListeners in the Elastic Load Balancing API Reference (version 2012-06-01)

• Listeners in the User Guide for Classic Load Balancers
• HTTPS Listeners in the User Guide for Classic Load Balancers
AWS::ElasticLoadBalancing::LoadBalancer Policies
Specifies policies for your Classic Load Balancer.
To associate policies with a listener, use the PolicyNames property for the listener.
Syntax
JSON
{
"Attributes" : [ Json, ... ],
"InstancePorts" : [ String, ... ],
"LoadBalancerPorts" : [ String, ... ],
"PolicyType" : String
}
YAML
Attributes:
- Json
InstancePorts:
- String
LoadBalancerPorts:
- String
PolicyName: String
PolicyType: String
Properties
Attributes
The policy attributes.
Required: Yes
Type: List of Json

2038
ElasticLoadBalancingV2

InstancePorts
The instance ports for the policy. Required only for some policy types.
Required: No

LoadBalancerPorts
The load balancer ports for the policy. Required only for some policy types.
Required: No

PolicyName
The name of the policy.
Required: Yes
Type: String

PolicyType
The name of the policy type.
Required: Yes
Type: String
See Also
• CreateLoadBalancerPolicy in the Elastic Load Balancing API Reference (version 2012-06-01)
ElasticLoadBalancingV2 Resource Type Reference

Resource Types
• AWS::ElasticLoadBalancingV2::Listener (p. 2039)

• AWS::ElasticLoadBalancingV2::ListenerCertificate (p. 2052)
• AWS::ElasticLoadBalancingV2::ListenerRule (p. 2054)
• AWS::ElasticLoadBalancingV2::LoadBalancer (p. 2095)
• AWS::ElasticLoadBalancingV2::TargetGroup (p. 2100)
Specifies a listener for an Application Load Balancer or Network Load Balancer.

2039
Syntax
JSON
{
"Type" : "AWS::ElasticLoadBalancingV2::Listener",
"Properties" : {
"Certificates" : [ Certificate (p. 2049), ... ],
"DefaultActions" : [ Action (p. 2042), ... ],
"LoadBalancerArn" : String,
"Port" : Integer,
"SslPolicy" : String
}
}
YAML
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
Certificates:
- Certificate (p. 2049)
DefaultActions:
- Action (p. 2042)
LoadBalancerArn: String
Port: Integer
Protocol: String
SslPolicy: String
Properties
Certificates
The default SSL server certificate. You must provide exactly one certificate if the listener protocol is
HTTPS or TLS.
To create a certificate list for the listener, use AWS::ElasticLoadBalancingV2::ListenerCertificate.
Type: List of Certificate (p. 2049)

DefaultActions
The actions for the default rule.
Required: Yes
Type: List of Action (p. 2042)

LoadBalancerArn
The Amazon Resource Name (ARN) of the load balancer.
Required: Yes

2040
Type: String

Port
The port on which the load balancer is listening.
Required: Yes
Type: Integer
Minimum: 1
Maximum: 65535

Protocol
The protocol for connections from clients to the load balancer. For Application Load Balancers, the
supported protocols are HTTP and HTTPS. For Network Load Balancers, the supported protocols are
TCP, TLS, UDP, and TCP_UDP.
Required: Yes
Type: String
Allowed Values: HTTP | HTTPS | TCP | TCP_UDP | TLS | UDP

SslPolicy
[HTTPS and TLS listeners] The security policy that defines which ciphers and protocols are
supported. The default is the current predefined security policy.
Required: No
Type: String
Return Values
Ref
Resource Name (ARN) of the listener.
Examples
The following example creates a listener with a default action that redirects HTTP requests on port 80 to
HTTPS requests on port 443, retaining the original host name, path, and query string.
YAML
HTTPlistener:
Type: "AWS::ElasticLoadBalancingV2::Listener"

2041
Properties:
DefaultActions:
- Type: "redirect"
RedirectConfig:
Protocol: "HTTPS"
Port: "443"
Host: "#{host}"
Path: "/#{path}"
Query: "#{query}"
StatusCode: "HTTP_301"
LoadBalancerArn: !Ref myLoadBalancer
Port: 80
Protocol: "HTTP"
JSON
"HTTPlistener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"DefaultActions": [
{
"Type": "redirect",
"RedirectConfig": {
"Protocol": "HTTPS",
"Port": "443",
"Host": "#{host}",
"Path": "/#{path}",
"Query": "#{query}",
"StatusCode": "HTTP_301"
}
}
],
"LoadBalancerArn": {
"Ref": "myLoadBalancer"
},
"Port": 80,
"Protocol": "HTTP"
}
}
See Also
• CreateListener in the Elastic Load Balancing API Reference (version 2015-12-01)
• Listeners in the User Guide for Application Load Balancers
• Listeners in the User Guide for Network Load Balancers
AWS::ElasticLoadBalancingV2::Listener Action
Specifies an action for a listener rule.
Syntax
JSON
{
"AuthenticateCognitoConfig" : AuthenticateCognitoConfig (p. 2044),
"AuthenticateOidcConfig" : AuthenticateOidcConfig (p. 2046),

2042
"FixedResponseConfig" : FixedResponseConfig (p. 2049),

"Order" : Integer,
"RedirectConfig" : RedirectConfig (p. 2050),
"TargetGroupArn" : String,
"Type" : String
}
YAML
AuthenticateCognitoConfig:
AuthenticateCognitoConfig (p. 2044)
AuthenticateOidcConfig:
AuthenticateOidcConfig (p. 2046)
FixedResponseConfig:
FixedResponseConfig (p. 2049)
Order: Integer
RedirectConfig:
RedirectConfig (p. 2050)
Type: String
Properties
AuthenticateCognitoConfig
[HTTPS listeners] Information for using Amazon Cognito to authenticate users. Specify only when
Type is authenticate-cognito.
Required: No
Type: AuthenticateCognitoConfig (p. 2044)

AuthenticateOidcConfig
[HTTPS listeners] Information about an identity provider that is compliant with OpenID Connect
(OIDC). Specify only when Type is authenticate-oidc.
Required: No
Type: AuthenticateOidcConfig (p. 2046)

FixedResponseConfig
[Application Load Balancer] Information for creating an action that returns a custom HTTP response.
Specify only when Type is fixed-response.
Required: No
Type: FixedResponseConfig (p. 2049)

Order
The order for the action. This value is required for rules with multiple actions. The action with
the lowest value for order is performed first. The last action to be performed must be one of the
following types of actions: a forward, fixed-response, or redirect.
Required: No

2043
Type: Integer
Minimum: 1
Maximum: 50000

RedirectConfig
[Application Load Balancer] Information for creating a redirect action. Specify only when Type is
redirect.
Required: No
Type: RedirectConfig (p. 2050)

TargetGroupArn
The Amazon Resource Name (ARN) of the target group. Specify only when Type is forward and you
want to route to a single target group. To route to one or more target groups, use ForwardConfig
instead.
Required: No
Type: String

Type
The type of action.
Required: Yes
Type: String
Allowed Values: authenticate-cognito | authenticate-oidc | fixed-response |

forward | redirect
AWS::ElasticLoadBalancingV2::Listener AuthenticateCognitoConfig
Specifies information required when integrating with Amazon Cognito to authenticate users.
Syntax
JSON
{
"AuthenticationRequestExtraParams" : {Key : Value, ...},
"OnUnauthenticatedRequest" : String,
"Scope" : String,
"SessionCookieName" : String,
"SessionTimeout" : Long,
"UserPoolArn" : String,
"UserPoolClientId" : String,
"UserPoolDomain" : String

2044
YAML
AuthenticationRequestExtraParams:
Key : Value
OnUnauthenticatedRequest: String
Scope: String
SessionCookieName: String
SessionTimeout: Long
UserPoolArn: String
UserPoolClientId: String
UserPoolDomain: String
Properties
AuthenticationRequestExtraParams
The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
Required: No
Type: Map of String

OnUnauthenticatedRequest
The behavior if the user is not authenticated. The following are possible values:
• deny - Return an HTTP 401 Unauthorized error.
• allow - Allow the request to be forwarded to the target.
• authenticate - Redirect the request to the IdP authorization endpoint. This is the default value.
Required: No
Type: String
Allowed Values: allow | authenticate | deny

Scope
The set of user claims to be requested from the IdP. The default is openid.
To verify which scope values your IdP supports and how to separate multiple values, see the
documentation for your IdP.
Required: No
Type: String

SessionCookieName
The name of the cookie used to maintain session information. The default is
AWSELBAuthSessionCookie.
Required: No
Type: String

2045

SessionTimeout
The maximum duration of the authentication session, in seconds. The default is 604800 seconds (7
days).
Required: No
Type: Long

UserPoolArn
The Amazon Resource Name (ARN) of the Amazon Cognito user pool.
Required: Yes
Type: String

UserPoolClientId
The ID of the Amazon Cognito user pool client.
Required: Yes
Type: String

UserPoolDomain
The domain prefix or fully-qualified domain name of the Amazon Cognito user pool.
Required: Yes
Type: String
AWS::ElasticLoadBalancingV2::Listener AuthenticateOidcConfig
Specifies information required using an identity provide (IdP) that is compliant with OpenID Connect
(OIDC) to authenticate users.
Syntax
JSON
{
"AuthorizationEndpoint" : String,
"Issuer" : String,
"Scope" : String,

2046
"TokenEndpoint" : String,
"UserInfoEndpoint" : String
}
YAML
Key : Value
AuthorizationEndpoint: String
ClientId: String
Issuer: String
Scope: String
TokenEndpoint: String
UserInfoEndpoint: String
Properties
Required: No
Type: Map of String

AuthorizationEndpoint
The authorization endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the
domain, and the path.
Required: Yes
Type: String

ClientId
The OAuth 2.0 client identifier.
Required: Yes
Type: String

ClientSecret
The OAuth 2.0 client secret. This parameter is required if you are creating a rule. If you are modifying
a rule, you can omit this parameter if you set UseExistingClientSecret to true.
Required: Yes
Type: String

2047
Issuer
The OIDC issuer identifier of the IdP. This must be a full URL, including the HTTPS protocol, the
Required: Yes
Type: String

Required: No
Type: String

Scope
Required: No
Type: String

SessionCookieName
Required: No
Type: String

SessionTimeout
days).
Required: No
Type: Long

TokenEndpoint
The token endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain,
and the path.

2048
Required: Yes
Type: String

UserInfoEndpoint
The user info endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the
Required: Yes
Type: String
AWS::ElasticLoadBalancingV2::Listener Certificate
Specifies an SSL server certificate for use with your load balancer.
Syntax
JSON
{
}
YAML
Properties
CertificateArn
The Amazon Resource Name (ARN) of the certificate.
Required: No
Type: String
AWS::ElasticLoadBalancingV2::Listener FixedResponseConfig
Specifies information required when returning a custom HTTP response.
Syntax
JSON

2049
"MessageBody" : String,
}
YAML
ContentType: String
MessageBody: String
StatusCode: String
Properties
ContentType
The content type.
Valid Values: text/plain | text/css | text/html | application/javascript | application/json
Required: No
Type: String
Minimum: 0
Maximum: 32

MessageBody
The message.
Required: No
Type: String
Minimum: 0
Maximum: 1024

StatusCode
The HTTP response code (2XX, 4XX, or 5XX).
Required: Yes
Type: String
Pattern: ^(2|4|5)\d\d$
AWS::ElasticLoadBalancingV2::Listener RedirectConfig
Information about a redirect action.
A URI consists of the following components: protocol://hostname:port/path?query. You must modify at

least one of the following components to avoid a redirect loop: protocol, hostname, port, or path. Any
components that you do not modify retain their original values.

2050
You can reuse URI components using the following reserved keywords:
• #{protocol}
• #{host}
• #{port}
• #{path} (the leading "/" is removed)
• #{query}
For example, you can change the path to "/new/#{path}", the hostname to "example.#{host}", or the
query to "#{query}&value=xyz".
Syntax
JSON
{
"Host" : String,
"Path" : String,
"Port" : String,
"Query" : String,
}
YAML
Host: String
Path: String
Port: String
Protocol: String
Query: String
StatusCode: String
Properties
Host
The hostname. This component is not percent-encoded. The hostname can contain #{host}.
Required: No
Type: String
Minimum: 1
Maximum: 128

Path
The absolute path, starting with the leading "/". This component is not percent-encoded. The path
can contain #{host}, #{path}, and #{port}.
Required: No
Type: String

2051
Minimum: 1
Maximum: 128

Port
The port. You can specify a value from 1 to 65535 or #{port}.
Required: No
Type: String

Protocol
The protocol. You can specify HTTP, HTTPS, or #{protocol}. You can redirect HTTP to HTTP, HTTP to
HTTPS, and HTTPS to HTTPS. You cannot redirect HTTPS to HTTP.
Required: No
Type: String
Pattern: ^(HTTPS?|#\{protocol\})$

Query
The query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the
leading "?", as it is automatically added. You can specify any of the reserved keywords.
Required: No
Type: String
Minimum: 0
Maximum: 128

StatusCode
The HTTP redirect code. The redirect is either permanent (HTTP 301) or temporary (HTTP 302).
Required: Yes
Type: String
Allowed Values: HTTP_301 | HTTP_302
AWS::ElasticLoadBalancingV2::ListenerCertificate
Specifies a certificate list for an HTTPS listener.
Syntax

2052
JSON
{
"Type" : "AWS::ElasticLoadBalancingV2::ListenerCertificate",
"Properties" : {
"Certificates" : [ Certificate (p. 2053), ... ],
"ListenerArn" : String
}
}
YAML
Type: AWS::ElasticLoadBalancingV2::ListenerCertificate
Properties:
Certificates:
- Certificate (p. 2053)
ListenerArn: String
Properties
Certificates
The certificates to add. Duplicates are not allowed.
Required: Yes
Type: List of Certificate (p. 2053)

ListenerArn
The Amazon Resource Name (ARN) of the listener.
Required: Yes
Type: String
See Also
• AddListenerCertificates in the Elastic Load Balancing API Reference (version 2015-12-01)
• SSL Certificates in the User Guide for Application Load Balancers
AWS::ElasticLoadBalancingV2::ListenerCertificate Certificate
Specifies an SSL server certificate.
Syntax
JSON
{
}

2053
YAML
Properties
CertificateArn
The Amazon Resource Name (ARN) of the certificate.
Required: No
Type: String
Specifies a listener rule.
Syntax
JSON
{
"Type" : "AWS::ElasticLoadBalancingV2::ListenerRule",
"Properties" : {
"Actions" : [ Action (p. 2078), ... ],
"Conditions" : [ RuleCondition (p. 2092), ... ],
"ListenerArn" : String,
"Priority" : Integer
}
}
YAML
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Properties:
Actions:
- Action (p. 2078)
Conditions:
- RuleCondition (p. 2092)
ListenerArn: String
Priority: Integer
Properties
Actions
The actions.
Required: Yes

2054
Conditions
The conditions.
Required: Yes
Type: List of RuleCondition (p. 2092)

ListenerArn
The Amazon Resource Name (ARN) of the listener.
Required: Yes
Type: String

Priority
The rule priority. A listener can't have multiple rules with the same priority.
If you try to reorder rules by updating their priorities, do not specify a new priority if an existing rule
already uses this priority, as this can cause an error. If you need to reuse a priority with a different
rule, you must remove it as a priority first, and then specify it in a subsequent update.
Required: Yes
Type: Integer
Minimum: 1
Maximum: 50000
Return Values
Ref
Resource Name (ARN) of the listener rule.
Examples
HTTP Header Rule Example
YAML
Parameters:
CidrBlockForVPC:
Default: 187.0.0.0/24
Description: CidrBlockForVPC
Type: String
CidrBlockForSubnet1:
Default: 187.0.0.0/25
Description: Cidr Block For Subnet1
Type: String

2055
Default: 187.0.0.128/25
Type: String
AvailabilityZoneForSubnet1:
Default: us-east-1c
Description: AvailabilityZone For Subnet1
Type: String
Default: us-east-1b
Type: String
Resources:
VPC:
Properties:
CidrBlock: !Ref CidrBlockForVPC
Subnet1:
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Ref AvailabilityZoneForSubnet1
CidrBlock: !Ref CidrBlockForSubnet1
Subnet2:
Properties:
VpcId: !Ref VPC
LoadBalancer:
Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
Properties:
Scheme: internal
Subnets:
- !Ref Subnet1
- !Ref Subnet2
TargetGroup1:
Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
Properties:
Port: 1000
Protocol: HTTP
VpcId: !Ref VPC
TargetGroup2:
Properties:
Port: 2000
Protocol: HTTP
VpcId: !Ref VPC
ListenerRule1:
Type: 'AWS::ElasticLoadBalancingV2::ListenerRule'
Properties:
Actions:
- Type: forward
TargetGroupArn: !Ref TargetGroup1
Conditions:
- Field: http-header
HttpHeaderConfig:
HttpHeaderName: User-Agent
Values:
- Mozilla
HttpHeaderConfig:
HttpHeaderName: Referer
Values:
- 'https://www.amazon.com/'
ListenerArn: !Ref Listener

2056
Priority: 1
ListenerRule2:
Properties:
Actions:
- Type: forward
Conditions:
HttpHeaderConfig:
HttpHeaderName: User-Agent
Values:
- Chrome
Priority: 2
Listener:
Type: 'AWS::ElasticLoadBalancingV2::Listener'
Properties:
DefaultActions:
- Type: forward
LoadBalancerArn: !Ref LoadBalancer
Port: '8000'
Protocol: HTTP
LoadBalancerAlarm:
Properties:
Dimensions:
Value: !GetAtt
- LoadBalancer
- Name: TargetGroup
Value: !GetAtt
- TargetGroup1
- TargetGroupFullName
MetricName: UnHealthyHostCount
Period: 60
Statistic: Average
Threshold: 0
Outputs:
LoadBalancer:
Value: !Ref LoadBalancer
TargetGroup1:
Value: !Ref TargetGroup1
TargetGroup2:
ListenerArn:
Value: !Ref Listener
ListenerRule1Arn:
Value: !Ref ListenerRule1
ListenerRule2Arn:
LoadBalancersAssociatedWithTargetGroup1:
Description: LoadBalancers associated with TargetGroup
Value: !Select
- '0'
- !GetAtt
- TargetGroup1
- LoadBalancerArns
Value: !Select

2057
- '0'
- !GetAtt
- TargetGroup2
- LoadBalancerArns
TargetGroupFullName1:
Description: FullName of TargetGroup1
Value: !GetAtt
- TargetGroup1
Value: !GetAtt
- TargetGroup2
JSON
{
"Parameters": {
"CidrBlockForVPC" : {
"Default" : "187.0.0.0/24",
"Description" : "CidrBlockForVPC",
"Type" : "String"
},
"CidrBlockForSubnet1" : {
"Default" : "187.0.0.0/25",
"Description" : "Cidr Block For Subnet1",
"Type" : "String"
},
"Default" : "187.0.0.128/25",
"Type" : "String"
},
"AvailabilityZoneForSubnet1" : {
"Default" : "us-east-1c",
"Description" : "AvailabilityZone For Subnet1",
"Type" : "String"
},
"Default" : "us-east-1b",
"Type" : "String"
}
},
"Resources": {
"VPC": {
"Properties": {
"CidrBlock": {"Ref" : "CidrBlockForVPC"}
}
},
"Subnet1": {
"Properties": {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone": { "Ref": "AvailabilityZoneForSubnet1" },
"CidrBlock": {"Ref" : "CidrBlockForSubnet1"}
}
},
"Subnet2": {
"Properties": {
"VpcId" : { "Ref" : "VPC" },

2058

}
},
"LoadBalancer" : {
"Properties": {
"Scheme" : "internal",
"Subnets" : [ {"Ref": "Subnet1"}, {"Ref" : "Subnet2"} ]
}
},
"TargetGroup1" : {
"Type" : "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties" : {
"Port": 1000,
"Protocol": "HTTP",
"VpcId": { "Ref" : "VPC" }
}
},
"TargetGroup2" : {
"Properties" : {
"Port": 2000,
"Protocol": "HTTP",
}
},
"ListenerRule1": {
"Type": "AWS::ElasticLoadBalancingV2::ListenerRule",
"Properties": {
"Actions": [{
"Type": "forward",
"TargetGroupArn": { "Ref": "TargetGroup1" }
}],
"Conditions": [{
"Field": "http-header",
"HttpHeaderConfig": {
"HttpHeaderName": "User-Agent",
"Values": ["Mozilla"]
}
},
{
"HttpHeaderName": "Referer",
"Values": ["https://www.amazon.com/"]
}
}],
"ListenerArn": { "Ref": "Listener" },
"Priority": 1
}
},
"ListenerRule2": {
"Properties": {
"Actions": [{
"Type": "forward",
}],
"Conditions": [{
"HttpHeaderName": "User-Agent",
"Values": ["Chrome"]
}
}],

2059

"Priority": 2
}
},
"Listener": {
"Properties": {
"DefaultActions": [{
"Type": "forward",
}],
"LoadBalancerArn": { "Ref": "LoadBalancer" },
"Port": "8000",
"Protocol": "HTTP"
}
},
"LoadBalancerAlarm": {
"Properties": {
"Namespace": "AWS/ApplicationELB",
"Dimensions": [
{
"Name": "LoadBalancer",
"Value": {"Fn::GetAtt" : ["LoadBalancer", "LoadBalancerFullName"]}
},
{
"Name": "TargetGroup",
"Value": {"Fn::GetAtt" : ["TargetGroup1", "TargetGroupFullName"]}
}
],
"MetricName": "UnHealthyHostCount",
"Period": 60,
"Threshold": 0,
"EvaluationPeriods": 1
}
}
},
"Outputs": {
"LoadBalancer": {
"Value": {
"Ref": "LoadBalancer"
}
},
"TargetGroup1": {
"Value": {
"Ref": "TargetGroup1"
}
},
"TargetGroup2": {
"Value": {
}
},
"ListenerArn": {
"Value": {
"Ref": "Listener"
}
},
"ListenerRule1Arn": {
"Value": {
"Ref": "ListenerRule1"
}
},

2060
"Value": {
}
},
"LoadBalancersAssociatedWithTargetGroup1" : {
"Description" : "LoadBalancers associated with TargetGroup",
"Value" : { "Fn::Select" : [ "0",
{ "Fn::GetAtt" : ["TargetGroup1", "LoadBalancerArns"] }
]
}
},
"Value" : { "Fn::Select" : [ "0",
]
}
},
"TargetGroupFullName1" : {
"Description" : "FullName of TargetGroup1",
"Value" : {"Fn::GetAtt" : ["TargetGroup1", "TargetGroupFullName"]}
},
}
}
}
HTTP Request Method Rule Example
YAML
Parameters:
CidrBlockForVPC:
Default: 187.0.0.0/24
Type: String
Default: 187.0.0.0/25
Type: String
Default: 187.0.0.128/25
Type: String
Default: us-east-1c
Type: String
Default: us-east-1b
Type: String
Resources:
VPC:
Properties:
Subnet1:
Properties:
VpcId: !Ref VPC

2061

Subnet2:
Properties:
VpcId: !Ref VPC
LoadBalancer:
Properties:
Scheme: internal
Subnets:
- !Ref Subnet1
- !Ref Subnet2
TargetGroup1:
Properties:
Port: 1000
Protocol: HTTP
VpcId: !Ref VPC
TargetGroup2:
Properties:
Port: 2000
Protocol: HTTP
VpcId: !Ref VPC
ListenerRule1:
Properties:
Actions:
- Type: forward
Conditions:
- Field: http-request-method
HttpRequestMethodConfig:
Values:
- GET_OR_HEAD
Priority: 1
ListenerRule2:
Properties:
Actions:
- Type: forward
Conditions:
- Field: http-request-method
Values:
- POST
Priority: 2
Listener:
Properties:
DefaultActions:
- Type: forward
Port: '8000'
Protocol: HTTP
LoadBalancerAlarm:
Properties:
Dimensions:

2062
Value: !GetAtt
- LoadBalancer
- Name: TargetGroup
Value: !GetAtt
- TargetGroup1
Period: 60
Statistic: Average
Threshold: 0
Outputs:
LoadBalancer:
TargetGroup1:
TargetGroup2:
ListenerArn:
ListenerRule1Arn:
ListenerRule2Arn:
Value: !Select
- '0'
- !GetAtt
- TargetGroup1
- LoadBalancerArns
Value: !Select
- '0'
- !GetAtt
- TargetGroup2
- LoadBalancerArns
Value: !GetAtt
- TargetGroup1
Value: !GetAtt
- TargetGroup2
JSON
{
"Parameters": {
"Default" : "187.0.0.0/24",
"Type" : "String"
},
"Default" : "187.0.0.0/25",

2063
"Type" : "String"
},
"Default" : "187.0.0.128/25",
"Type" : "String"
},
"Type" : "String"
},
"Type" : "String"
}
},
"Resources": {
"VPC": {
"Properties": {
}
},
"Subnet1": {
"Properties": {
"VpcId" : { "Ref" : "VPC" },
}
},
"Subnet2": {
"Properties": {
"VpcId" : { "Ref" : "VPC" },
}
},
"LoadBalancer" : {
"Properties": {
}
},
"TargetGroup1" : {
"Properties" : {
"Port": 1000,
"Protocol": "HTTP",
}
},
"TargetGroup2" : {
"Properties" : {
"Port": 2000,
"Protocol": "HTTP",
}
},
"ListenerRule1": {

2064
"Properties": {
"Actions": [{
"Type": "forward",
}],
"Conditions": [{
"Field": "http-request-method",
"HttpRequestMethodConfig": {
"Values": ["GET_OR_HEAD"]
}
}],
"Priority": 1
}
},
"ListenerRule2": {
"Properties": {
"Actions": [{
"Type": "forward",
}],
"Conditions": [{
"Field": "http-request-method",
"HttpRequestMethodConfig": {
"Values": ["POST"]
}
}],
"Priority": 2
}
},
"Listener": {
"Properties": {
"Type": "forward",
}],
"Port": "8000",
"Protocol": "HTTP"
}
},
"Properties": {
"Dimensions": [
{
},
{
}
],
"Period": 60,
"Threshold": 0,
}
}

2065
},
"Outputs": {
"LoadBalancer": {
"Value": {
}
},
"TargetGroup1": {
"Value": {
}
},
"TargetGroup2": {
"Value": {
}
},
"ListenerArn": {
"Value": {
"Ref": "Listener"
}
},
"Value": {
}
},
"Value": {
}
},
"Value" : { "Fn::Select" : [ "0",
]
}
},
"Value" : { "Fn::Select" : [ "0",
]
}
},
},
}
}
}
Query String Rule Example
YAML
Parameters:
CidrBlockForVPC:
Default: 187.0.0.0/24

2066
Type: String
Default: 187.0.0.0/25
Type: String
Default: 187.0.0.128/25
Type: String
Default: us-east-1c
Type: String
Default: us-east-1b
Type: String
Resources:
VPC:
Properties:
Subnet1:
Properties:
VpcId: !Ref VPC
Subnet2:
Properties:
VpcId: !Ref VPC
LoadBalancer:
Properties:
Scheme: internal
Subnets:
- !Ref Subnet1
- !Ref Subnet2
TargetGroup1:
Properties:
Port: 1000
Protocol: HTTP
VpcId: !Ref VPC
TargetGroup2:
Properties:
Port: 2000
Protocol: HTTP
VpcId: !Ref VPC
ListenerRule1:
Properties:
Actions:
- Type: forward
Conditions:
- Field: query-string
QueryStringConfig:
Values:
- Key: Foo
Value: Bar

2067
QueryStringConfig:
Values:
- Key: Bar
Value: Xyz
Priority: 1
ListenerRule2:
Properties:
Actions:
- Type: forward
Conditions:
QueryStringConfig:
Values:
- Key: Foo
Value: Baz
Priority: 2
Listener:
Properties:
DefaultActions:
- Type: forward
Port: '8000'
Protocol: HTTP
LoadBalancerAlarm:
Properties:
Dimensions:
Value: !GetAtt
- LoadBalancer
- Name: TargetGroup
Value: !GetAtt
- TargetGroup1
Period: 60
Statistic: Average
Threshold: 0
Outputs:
LoadBalancer:
TargetGroup1:
TargetGroup2:
ListenerArn:
ListenerRule1Arn:
ListenerRule2Arn:
Value: !Select
- '0'

2068
- !GetAtt
- TargetGroup1
- LoadBalancerArns
Value: !Select
- '0'
- !GetAtt
- TargetGroup2
- LoadBalancerArns
Value: !GetAtt
- TargetGroup1
Value: !GetAtt
- TargetGroup2
JSON
{
"Parameters": {
"Default" : "187.0.0.0/24",
"Type" : "String"
},
"Default" : "187.0.0.0/25",
"Type" : "String"
},
"Default" : "187.0.0.128/25",
"Type" : "String"
},
"Type" : "String"
},
"Type" : "String"
}
},
"Resources": {
"VPC": {
"Properties": {
}
},
"Subnet1": {
"Properties": {
"VpcId" : { "Ref" : "VPC" },

2069
}
},
"Subnet2": {
"Properties": {
"VpcId" : { "Ref" : "VPC" },
}
},
"LoadBalancer" : {
"Properties": {
}
},
"TargetGroup1" : {
"Properties" : {
"Port": 1000,
"Protocol": "HTTP",
}
},
"TargetGroup2" : {
"Properties" : {
"Port": 2000,
"Protocol": "HTTP",
}
},
"ListenerRule1": {
"Properties": {
"Actions": [{
"Type": "forward",
}],
"Conditions": [{
"Field": "query-string",
"QueryStringConfig": {
"Values": [{
"Key": "Foo",
"Value": "Bar"
}]
}
},
{
"Values": [{
"Key": "Bar",
"Value": "Xyz"
}]
}
}],
"Priority": 1
}
},
"ListenerRule2": {
"Properties": {
"Actions": [{

2070
"Type": "forward",
}],
"Conditions": [{
"Values": [{
"Key": "Foo",
"Value": "Baz"
}]
}
}],
"Priority": 2
}
},
"Listener": {
"Properties": {
"Type": "forward",
}],
"Port": "8000",
"Protocol": "HTTP"
}
},
"Properties": {
"Dimensions": [
{
},
{
}
],
"Period": 60,
"Threshold": 0,
}
}
},
"Outputs": {
"LoadBalancer": {
"Value": {
}
},
"TargetGroup1": {
"Value": {
}
},
"TargetGroup2": {
"Value": {
}

2071
},
"ListenerArn": {
"Value": {
"Ref": "Listener"
}
},
"Value": {
}
},
"Value": {
}
},
"Value" : { "Fn::Select" : [ "0",
]
}
},
"Value" : { "Fn::Select" : [ "0",
]
}
},
},
}
}
}
Source IP Rule Example
YAML
Parameters:
CidrBlockForVPC:
Default: 187.0.0.0/24
Type: String
Default: 187.0.0.0/25
Type: String
Default: 187.0.0.128/25
Type: String
Default: us-east-1c
Type: String
Default: us-east-1b

2072

Type: String
Resources:
VPC:
Properties:
Subnet1:
Properties:
VpcId: !Ref VPC
Subnet2:
Properties:
VpcId: !Ref VPC
LoadBalancer:
Properties:
Scheme: internal
Subnets:
- !Ref Subnet1
- !Ref Subnet2
TargetGroup1:
Properties:
Port: 1000
Protocol: HTTP
VpcId: !Ref VPC
TargetGroup2:
Properties:
Port: 2000
Protocol: HTTP
VpcId: !Ref VPC
ListenerRule1:
Properties:
Actions:
- Type: forward
Conditions:
- Field: source-ip
SourceIpConfig:
Values:
- 172.0.0.0/8
Priority: 1
ListenerRule2:
Properties:
Actions:
- Type: forward
Conditions:
- Field: source-ip
SourceIpConfig:
Values:
- 192.168.0.0/16
Priority: 2
Listener:

2073
Properties:
DefaultActions:
- Type: forward
Port: '8000'
Protocol: HTTP
LoadBalancerAlarm:
Properties:
Dimensions:
Value: !GetAtt
- LoadBalancer
- Name: TargetGroup
Value: !GetAtt
- TargetGroup1
Period: 60
Statistic: Average
Threshold: 0
Outputs:
LoadBalancer:
TargetGroup1:
TargetGroup2:
ListenerArn:
ListenerRule1Arn:
ListenerRule2Arn:
Value: !Select
- '0'
- !GetAtt
- TargetGroup1
- LoadBalancerArns
Value: !Select
- '0'
- !GetAtt
- TargetGroup2
- LoadBalancerArns
Value: !GetAtt
- TargetGroup1
Value: !GetAtt
- TargetGroup2

2074
JSON
{
"Parameters": {
"Default" : "187.0.0.0/24",
"Type" : "String"
},
"Default" : "187.0.0.0/25",
"Type" : "String"
},
"Default" : "187.0.0.128/25",
"Type" : "String"
},
"Type" : "String"
},
"Type" : "String"
}
},
"Resources": {
"VPC": {
"Properties": {
}
},
"Subnet1": {
"Properties": {
"VpcId" : { "Ref" : "VPC" },
}
},
"Subnet2": {
"Properties": {
"VpcId" : { "Ref" : "VPC" },
}
},
"LoadBalancer" : {
"Properties": {
}
},
"TargetGroup1" : {
"Properties" : {
"Port": 1000,
"Protocol": "HTTP",

2075

}
},
"TargetGroup2" : {
"Properties" : {
"Port": 2000,
"Protocol": "HTTP",
}
},
"ListenerRule1": {
"Properties": {
"Actions": [{
"Type": "forward",
}],
"Conditions": [{
"Field": "source-ip",
"SourceIpConfig": {
"Values": ["172.0.0.0/8"]
}
}],
"Priority": 1
}
},
"ListenerRule2": {
"Properties": {
"Actions": [{
"Type": "forward",
}],
"Conditions": [{
"Field": "source-ip",
"SourceIpConfig": {
"Values": ["192.168.0.0/16"]
}
}],
"Priority": 2
}
},
"Listener": {
"Properties": {
"Type": "forward",
}],
"Port": "8000",
"Protocol": "HTTP"
}
},
"Properties": {
"Dimensions": [
{
},

2076
{
}
],
"Period": 60,
"Threshold": 0,
}
}
},
"Outputs": {
"LoadBalancer": {
"Value": {
}
},
"TargetGroup1": {
"Value": {
}
},
"TargetGroup2": {
"Value": {
}
},
"ListenerArn": {
"Value": {
"Ref": "Listener"
}
},
"Value": {
}
},
"Value": {
}
},
"Value" : { "Fn::Select" : [ "0",
]
}
},
"Value" : { "Fn::Select" : [ "0",
]
}
},
},

2077
}
}
}
See Also
• CreateRule in the Elastic Load Balancing API Reference (version 2015-12-01)
• Listener Rules in the User Guide for Application Load Balancers
AWS::ElasticLoadBalancingV2::ListenerRule Action
Specifies an action for a listener rule.
Syntax
JSON
{
"AuthenticateCognitoConfig" : AuthenticateCognitoConfig (p. 2080),
"AuthenticateOidcConfig" : AuthenticateOidcConfig (p. 2082),
"FixedResponseConfig" : FixedResponseConfig (p. 2084),
"Order" : Integer,
"RedirectConfig" : RedirectConfig (p. 2090),
"TargetGroupArn" : String,
"Type" : String
}
YAML
AuthenticateCognitoConfig:
AuthenticateCognitoConfig (p. 2080)
AuthenticateOidcConfig:
AuthenticateOidcConfig (p. 2082)
FixedResponseConfig:
FixedResponseConfig (p. 2084)
Order: Integer
RedirectConfig:
RedirectConfig (p. 2090)
Type: String
Properties
AuthenticateCognitoConfig
[HTTPS listeners] Information for using Amazon Cognito to authenticate users. Specify only when
Type is authenticate-cognito.
Required: No
Type: AuthenticateCognitoConfig (p. 2080)

AuthenticateOidcConfig
[HTTPS listeners] Information about an identity provider that is compliant with OpenID Connect
(OIDC). Specify only when Type is authenticate-oidc.

2078
Required: No
Type: AuthenticateOidcConfig (p. 2082)

FixedResponseConfig
[Application Load Balancer] Information for creating an action that returns a custom HTTP response.
Specify only when Type is fixed-response.
Required: No
Type: FixedResponseConfig (p. 2084)

Order
The order for the action. This value is required for rules with multiple actions. The action with
the lowest value for order is performed first. The last action to be performed must be one of the
following types of actions: a forward, fixed-response, or redirect.
Required: No
Type: Integer
Minimum: 1
Maximum: 50000

RedirectConfig
[Application Load Balancer] Information for creating a redirect action. Specify only when Type is
redirect.
Required: No
Type: RedirectConfig (p. 2090)

TargetGroupArn
The Amazon Resource Name (ARN) of the target group. Specify only when Type is forward and you
want to route to a single target group. To route to one or more target groups, use ForwardConfig
instead.
Required: No
Type: String

Type
The type of action.
Required: Yes
Type: String

2079
Allowed Values: authenticate-cognito | authenticate-oidc | fixed-response |

forward | redirect
AWS::ElasticLoadBalancingV2::ListenerRule AuthenticateCognitoConfig
Specifies information required when integrating with Amazon Cognito to authenticate users.
Syntax
JSON
{
"Scope" : String,
"UserPoolArn" : String,
"UserPoolClientId" : String,
"UserPoolDomain" : String
}
YAML
Key : Value
Scope: String
UserPoolArn: String
UserPoolClientId: String
UserPoolDomain: String
Properties
Required: No
Type: Map of String

Required: No

2080
Type: String

Scope
Required: No
Type: String

SessionCookieName
Required: No
Type: String

SessionTimeout
days).
Required: No
Type: Long

UserPoolArn
The Amazon Resource Name (ARN) of the Amazon Cognito user pool.
Required: Yes
Type: String

UserPoolClientId
The ID of the Amazon Cognito user pool client.
Required: Yes
Type: String

UserPoolDomain
The domain prefix or fully-qualified domain name of the Amazon Cognito user pool.
Required: Yes

2081
Type: String
AWS::ElasticLoadBalancingV2::ListenerRule AuthenticateOidcConfig
Specifies information required using an identity provide (IdP) that is compliant with OpenID Connect
(OIDC) to authenticate users.
Syntax
JSON
{
"AuthorizationEndpoint" : String,
"Issuer" : String,
"Scope" : String,
"TokenEndpoint" : String,
"UserInfoEndpoint" : String
}
YAML
Key : Value
AuthorizationEndpoint: String
ClientId: String
Issuer: String
Scope: String
TokenEndpoint: String
UserInfoEndpoint: String
Properties
Required: No
Type: Map of String

AuthorizationEndpoint
The authorization endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the

2082
Required: Yes
Type: String

ClientId
The OAuth 2.0 client identifier.
Required: Yes
Type: String

ClientSecret
The OAuth 2.0 client secret. This parameter is required if you are creating a rule. If you are modifying
a rule, you can omit this parameter if you set UseExistingClientSecret to true.
Required: Yes
Type: String

Issuer
The OIDC issuer identifier of the IdP. This must be a full URL, including the HTTPS protocol, the
Required: Yes
Type: String

Required: No
Type: String

Scope
Required: No
Type: String

2083

SessionCookieName
Required: No
Type: String

SessionTimeout
days).
Required: No
Type: Long

TokenEndpoint
The token endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain,
and the path.
Required: Yes
Type: String

UserInfoEndpoint
The user info endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the
Required: Yes
Type: String
AWS::ElasticLoadBalancingV2::ListenerRule FixedResponseConfig
Specifies information required when returning a custom HTTP response.
Syntax
JSON
{
"MessageBody" : String,
}

2084
YAML
ContentType: String
MessageBody: String
StatusCode: String
Properties
ContentType
The content type.
Valid Values: text/plain | text/css | text/html | application/javascript | application/json
Required: No
Type: String
Minimum: 0
Maximum: 32

MessageBody
The message.
Required: No
Type: String
Minimum: 0
Maximum: 1024

StatusCode
The HTTP response code (2XX, 4XX, or 5XX).
Required: Yes
Type: String
Pattern: ^(2|4|5)\d\d$
AWS::ElasticLoadBalancingV2::ListenerRule HostHeaderConfig
Information about a host header condition.
Syntax
JSON

2085

}
YAML
Values:
- String
Properties
Values
One or more host names. The maximum size of each name is 128 characters. The comparison is case
insensitive. The following wildcard characters are supported: * (matches 0 or more characters) and ?
(matches exactly 1 character).
If you specify multiple strings, the condition is satisfied if one of the strings matches the host name.
Required: No
AWS::ElasticLoadBalancingV2::ListenerRule HttpHeaderConfig
Information about an HTTP header condition.
There is a set of standard HTTP header fields. You can also define custom HTTP header fields.
Syntax
JSON
{
"HttpHeaderName" : String,
}
YAML
HttpHeaderName: String
Values:
- String
Properties
HttpHeaderName
The name of the HTTP header field. The maximum size is 40 characters. The header name is case
insensitive. The allowed characters are specified by RFC 7230. Wildcards are not supported.
Required: No
Type: String

2086

Values
One or more strings to compare against the value of the HTTP header. The maximum size of
each string is 128 characters. The comparison strings are case insensitive. The following wildcard
characters are supported: * (matches 0 or more characters) and ? (matches exactly 1 character).
If the same header appears multiple times in the request, we search them in order until a match is
found.
If you specify multiple strings, the condition is satisfied if one of the strings matches the value of the
HTTP header. To require that all of the strings are a match, create one condition per string.
Required: No
AWS::ElasticLoadBalancingV2::ListenerRule HttpRequestMethodConfig
Information about an HTTP method condition.
HTTP defines a set of request methods, also referred to as HTTP verbs. For more information, see the
HTTP Method Registry. You can also define custom HTTP methods.
Syntax
JSON
{
}
YAML
Values:
- String
Properties
Values
The name of the request method. The maximum size is 40 characters. The allowed characters are
A-Z, hyphen (-), and underscore (_). The comparison is case sensitive. Wildcards are not supported;
therefore, the method name must be an exact match.
If you specify multiple strings, the condition is satisfied if one of the strings matches the HTTP
request method. We recommend that you route GET and HEAD requests in the same way, because
the response to a HEAD request may be cached.
Required: No

2087
AWS::ElasticLoadBalancingV2::ListenerRule PathPatternConfig
Information about a path pattern condition.
Syntax
JSON
{
}
YAML
Values:
- String
Properties
Values
One or more path patterns to compare against the request URL. The maximum size of each string is
128 characters. The comparison is case sensitive. The following wildcard characters are supported: *
(matches 0 or more characters) and ? (matches exactly 1 character).
If you specify multiple strings, the condition is satisfied if one of them matches the request URL. The
path pattern is compared only to the path of the URL, not to its query string.
Required: No
AWS::ElasticLoadBalancingV2::ListenerRule QueryStringConfig
Information about a query string condition.
The query string component of a URI starts after the first '?' character and is terminated by either a
'#' character or the end of the URI. A typical query string contains key/value pairs separated by '&'
characters. The allowed characters are specified by RFC 3986. Any character can be percentage encoded.
Syntax
JSON
{
"Values" : [ QueryStringKeyValue (p. 2089), ... ]
}
YAML
Values:

2088
- QueryStringKeyValue (p. 2089)
Properties
Values
One or more key/value pairs or values to find in the query string. The maximum size of each string is
128 characters. The comparison is case insensitive. The following wildcard characters are supported:
* (matches 0 or more characters) and ? (matches exactly 1 character). To search for a literal '*' or '?'
character in a query string, you must escape these characters in Values using a '\' character.
If you specify multiple key/value pairs or values, the condition is satisfied if one of them is found in
the query string.
Required: No
Type: List of QueryStringKeyValue (p. 2089)
AWS::ElasticLoadBalancingV2::ListenerRule QueryStringKeyValue
Information about a key/value pair.
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
The key. You can omit the key.
Required: No
Type: String

Value
The value.
Required: No
Type: String

2089
AWS::ElasticLoadBalancingV2::ListenerRule RedirectConfig
Information about a redirect action.
A URI consists of the following components: protocol://hostname:port/path?query. You must modify at

least one of the following components to avoid a redirect loop: protocol, hostname, port, or path. Any
components that you do not modify retain their original values.
You can reuse URI components using the following reserved keywords:
• #{protocol}
• #{host}
• #{port}
• #{path} (the leading "/" is removed)
• #{query}
For example, you can change the path to "/new/#{path}", the hostname to "example.#{host}", or the
query to "#{query}&value=xyz".
Syntax
JSON
{
"Host" : String,
"Path" : String,
"Port" : String,
"Query" : String,
}
YAML
Host: String
Path: String
Port: String
Protocol: String
Query: String
StatusCode: String
Properties
Host
The hostname. This component is not percent-encoded. The hostname can contain #{host}.
Required: No
Type: String
Minimum: 1

2090
Maximum: 128

Path
The absolute path, starting with the leading "/". This component is not percent-encoded. The path
can contain #{host}, #{path}, and #{port}.
Required: No
Type: String
Minimum: 1
Maximum: 128

Port
The port. You can specify a value from 1 to 65535 or #{port}.
Required: No
Type: String

Protocol
The protocol. You can specify HTTP, HTTPS, or #{protocol}. You can redirect HTTP to HTTP, HTTP to
HTTPS, and HTTPS to HTTPS. You cannot redirect HTTPS to HTTP.
Required: No
Type: String
Pattern: ^(HTTPS?|#\{protocol\})$

Query
The query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the
leading "?", as it is automatically added. You can specify any of the reserved keywords.
Required: No
Type: String
Minimum: 0
Maximum: 128

StatusCode
The HTTP redirect code. The redirect is either permanent (HTTP 301) or temporary (HTTP 302).
Required: Yes
Type: String

2091
Allowed Values: HTTP_301 | HTTP_302
AWS::ElasticLoadBalancingV2::ListenerRule RuleCondition
Specifies a condition for a listener rule.
Syntax
JSON
{
"Field" : String,
"HostHeaderConfig" : HostHeaderConfig (p. 2085),
"HttpHeaderConfig" : HttpHeaderConfig (p. 2086),
"HttpRequestMethodConfig" : HttpRequestMethodConfig (p. 2087),
"PathPatternConfig" : PathPatternConfig (p. 2088),
"QueryStringConfig" : QueryStringConfig (p. 2088),
"SourceIpConfig" : SourceIpConfig (p. 2094),
}
YAML
Field: String
HostHeaderConfig:
HostHeaderConfig (p. 2085)
HttpHeaderConfig:
HttpHeaderConfig (p. 2086)
HttpRequestMethodConfig (p. 2087)
PathPatternConfig:
PathPatternConfig (p. 2088)
QueryStringConfig:
QueryStringConfig (p. 2088)
SourceIpConfig:
SourceIpConfig (p. 2094)
Values:
- String
Properties
Field
The field in the HTTP request. The following are the possible values:
• http-header
• http-request-method
• host-header
• path-pattern
• query-string
• source-ip
Required: No
Type: String

2092
Maximum: 64

HostHeaderConfig
Information for a host header condition. Specify only when Field is host-header.
Required: No
Type: HostHeaderConfig (p. 2085)

HttpHeaderConfig
Information for an HTTP header condition. Specify only when Field is http-header.
Required: No
Type: HttpHeaderConfig (p. 2086)

HttpRequestMethodConfig
Information for an HTTP method condition. Specify only when Field is http-request-method.
Required: No
Type: HttpRequestMethodConfig (p. 2087)

PathPatternConfig
Information for a path pattern condition. Specify only when Field is path-pattern.
Conditional: Required if HttpHeaderConfig is used.
Required: No
Type: PathPatternConfig (p. 2088)

QueryStringConfig
Information for a query string condition. Specify only when Field is query-string.
Required: No
Type: QueryStringConfig (p. 2088)

SourceIpConfig
Information for a source IP condition. Specify only when Field is source-ip.
Required: No

2093
Type: SourceIpConfig (p. 2094)

Values
The condition value.
You can only use Values if the condition type is host-header and path-pattern. You can not
specify both Values and HostHeaderConfig at the same time.
If Field is host-header, you can specify a single host name (for example, my.example.com). A
host name is case insensitive, can be up to 128 characters in length, and can contain any of the
following characters.
• A-Z, a-z, 0-9
• -.
• * (matches 0 or more characters)
• ? (matches exactly 1 character)
If Field is path-pattern, you can specify a single path pattern (for example, /img/*). A path
pattern is case-sensitive, can be up to 128 characters in length, and can contain any of the following
characters.
• A-Z, a-z, 0-9
• _-.$/~"'@:+
• & (using &)
• * (matches 0 or more characters)
• ? (matches exactly 1 character)
Required: No
AWS::ElasticLoadBalancingV2::ListenerRule SourceIpConfig
Information about a source IP condition.
You can use this condition to route based on the IP address of the source that connects to the load
balancer. If a client is behind a proxy, this is the IP address of the proxy not the IP address of the client.
Syntax
JSON
{
}
YAML
Values:
- String

2094
Properties
Values
One or more source IP addresses, in CIDR format. You can use both IPv4 and IPv6 addresses.
Wildcards are not supported.
If you specify multiple addresses, the condition is satisfied if the source IP address of the request
matches one of the CIDR blocks. This condition is not satisfied by the addresses in the X-Forwarded-
For header.
Required: No
Specifies an Application Load Balancer or a Network Load Balancer.
Syntax
JSON
{
"Type" : "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties" : {
"IpAddressType" : String,
"LoadBalancerAttributes" : [ LoadBalancerAttribute (p. 2098), ... ],
"Name" : String,
"Scheme" : String,
"SubnetMappings" : [ SubnetMapping (p. 2100), ... ],
"Tags" : [ Tag, ... ],
"Type" : String
}
}
YAML
Properties:
IpAddressType: String
LoadBalancerAttributes:
- LoadBalancerAttribute (p. 2098)
Name: String
Scheme: String
SecurityGroups:
- String
SubnetMappings:
- SubnetMapping (p. 2100)
Subnets:
- String
Tags:
- Tag
Type: String

2095
Properties
IpAddressType
The IP address type. The possible values are ipv4 (for IPv4 addresses) and dualstack (for IPv4 and
IPv6 addresses). Internal load balancers must use ipv4. Network Load Balancers must use ipv4.
Required: No
Type: String
Allowed Values: dualstack | ipv4

LoadBalancerAttributes
The load balancer attributes.
Required: No
Type: List of LoadBalancerAttribute (p. 2098)
Maximum: 20

Name
The name of the load balancer. This name must be unique per region per account, can have a
maximum of 32 characters, must contain only alphanumeric characters or hyphens, must not begin
or end with a hyphen, and must not begin with "internal-".
If you don't specify a name, AWS CloudFormation generates a unique physical ID for the load
balancer. If you specify a name, you cannot perform updates that require replacement of this
resource, but you can perform other updates. To replace the resource, specify a new name.
Required: No
Type: String

Scheme
The nodes of an Internet-facing load balancer have public IP addresses. The DNS name of an
Internet-facing load balancer is publicly resolvable to the public IP addresses of the nodes.
Therefore, Internet-facing load balancers can route requests from clients over the internet.
The nodes of an internal load balancer have only private IP addresses. The DNS name of an internal
load balancer is publicly resolvable to the private IP addresses of the nodes. Therefore, internal load
balancers can route requests only from clients with access to the VPC for the load balancer.
The default is an Internet-facing load balancer.
Required: No
Type: String
Allowed Values: internal | internet-facing

2096
SecurityGroups
[Application Load Balancers] The IDs of the security groups for the load balancer.
Required: No

SubnetMappings
The IDs of the public subnets. You can specify only one subnet per Availability Zone. You must
specify either subnets or subnet mappings.
[Application Load Balancers] You must specify subnets from at least two Availability Zones. You
cannot specify Elastic IP addresses for your subnets.
[Network Load Balancers] You can specify subnets from one or more Availability Zones. You can
specify one Elastic IP address per subnet if you need static IP addresses for your internet-facing load
balancer. For internal load balancers, you can specify one private IP address per subnet from the
IPv4 range of the subnet.
Required: No
Type: List of SubnetMapping (p. 2100)

Subnets
The IDs of the subnets. You can specify only one subnet per Availability Zone. You must specify
either subnets or subnet mappings.
[Application Load Balancers] You must specify subnets from at least two Availability Zones. When
you specify subnets for an existing Application Load Balancer, they replace the previously enabled
subnets.
[Network Load Balancers] You can specify subnets from one or more Availability Zones when you
create the load balancer. You can't change the subnets for an existing Network Load Balancer.
Required: No

Tags
One or more tags to assign to the load balancer.
Required: No
Type: List of Tag

Type
The type of load balancer. The default is application.
Required: No
Type: String
Allowed Values: application | network

2097
Return Values
Ref
Resource Name (ARN) of the load balancer.
Fn::GetAtt
CanonicalHostedZoneID
The ID of the Amazon Route 53 hosted zone associated with the load balancer. For example,
Z2P70J7EXAMPLE.
DNSName
The DNS name for the load balancer. For example, my-load-balancer-424835706.us-
west-2.elb.amazonaws.com.
LoadBalancerFullName
The full name of the load balancer. For example, app/my-load-balancer/50dc6c495c0c9188.

LoadBalancerName
The name of the load balancer. For example, my-load-balancer.

SecurityGroups
The IDs of the security groups for the load balancer.
See Also
• CreateLoadBalancer in the Elastic Load Balancing API Reference (version 2015-12-01)
• User Guide for Application Load Balancers
• User Guide for Network Load Balancers
AWS::ElasticLoadBalancingV2::LoadBalancer LoadBalancerAttribute
Specifies an attribute for an Application Load Balancer or a Network Load Balancer.
Syntax
JSON
{
"Key" : String,
"Value" : String

2098
YAML
Key: String
Value: String
Properties
Key
The following attributes are supported by both Application Load Balancers and Network Load
Balancers:
• access_logs.s3.enabled - Indicates whether access logs are enabled. The value is true or
false. The default is false.
• access_logs.s3.bucket - The name of the S3 bucket for the access logs. This attribute is
required if access logs are enabled. The bucket must exist in the same region as the load balancer
and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.
• access_logs.s3.prefix - The prefix for the location in the S3 bucket for the access logs.
• deletion_protection.enabled - Indicates whether deletion protection is enabled. The value
is true or false. The default is false.
The following attributes are supported by only Application Load Balancers:

• idle_timeout.timeout_seconds - The idle timeout value, in seconds. The valid range is
1-4000 seconds. The default is 60 seconds.
• routing.http.drop_invalid_header_fields.enabled - Indicates whether HTTP headers
with invalid header fields are removed by the load balancer (true) or routed to targets (false).
The default is false.
• routing.http2.enabled - Indicates whether HTTP/2 is enabled. The value is true or false.
The default is true. Elastic Load Balancing requires that message header names contain only
alphanumeric characters and hyphens.
The following attributes are supported by only Network Load Balancers:

• load_balancing.cross_zone.enabled - Indicates whether cross-zone load balancing is
enabled. The value is true or false. The default is false.
Required: No
Type: String
Maximum: 256
Pattern: ^[a-zA-Z0-9._]+$

Value
Required: No
Type: String
Maximum: 1024

2099
See Also

• Load Balancer Attributes in the User Guide for Application Load Balancers
• Load Balancer Attributes in the User Guide for Network Load Balancers
AWS::ElasticLoadBalancingV2::LoadBalancer SubnetMapping
Specifies a subnet to attach to an Application Load Balancer or a Network Load Balancer.
Syntax
JSON
{
"SubnetId" : String
}
YAML
SubnetId: String
Properties
AllocationId
[Network Load Balancers] The allocation ID of the Elastic IP address for an internet-facing load
balancer.
Required: Yes
Type: String

SubnetId
Required: Yes
Type: String
AWS::ElasticLoadBalancingV2::TargetGroup
Specifies a target group for an Application Load Balancer or Network Load Balancer.
Before you register a Lambda function as a target, you must create a AWS::Lambda::Permission
resource that grants the Elastic Load Balancing service principal permission to invoke the Lambda
function.

2100
Syntax
JSON
{
"Properties" : {
"HealthCheckEnabled" : Boolean,
"HealthCheckIntervalSeconds" : Integer,
"HealthCheckPath" : String,
"HealthCheckPort" : String,
"HealthCheckProtocol" : String,
"HealthCheckTimeoutSeconds" : Integer,
"HealthyThresholdCount" : Integer,
"Matcher" : Matcher (p. 2107),
"Name" : String,
"Port" : Integer,
"Tags" : [ Tag, ... ],
"TargetGroupAttributes" : [ TargetGroupAttribute (p. 2109), ... ],
"Targets" : [ TargetDescription (p. 2107), ... ],
"TargetType" : String,
"UnhealthyThresholdCount" : Integer,
"VpcId" : String
}
}
YAML
Properties:
HealthCheckEnabled: Boolean
HealthCheckIntervalSeconds: Integer
HealthCheckPath: String
HealthCheckPort: String
HealthCheckProtocol: String
HealthCheckTimeoutSeconds: Integer
HealthyThresholdCount: Integer
Matcher:
Matcher (p. 2107)
Name: String
Port: Integer
Protocol: String
Tags:
- Tag
TargetGroupAttributes:
- TargetGroupAttribute (p. 2109)
Targets:
- TargetDescription (p. 2107)
TargetType: String
UnhealthyThresholdCount: Integer
VpcId: String
Properties
HealthCheckEnabled
Indicates whether health checks are enabled. If the target type is lambda, health checks are disabled
by default but can be enabled. If the target type is instance or ip, health checks are always
enabled and cannot be disabled.

2101
Required: No
Type: Boolean

HealthCheckIntervalSeconds
The approximate amount of time, in seconds, between health checks of an individual target. For
HTTP and HTTPS health checks, the range is 5–300 seconds. For TCP health checks, the supported
values are 10 and 30 seconds. If the target type is instance or ip, the default is 30 seconds. If the
target type is lambda, the default is 35 seconds.
Required: No
Type: Integer
Minimum: 5
Maximum: 300

HealthCheckPath
[HTTP/HTTPS health checks] The ping path that is the destination on the targets for health checks.
The default is /.
Required: No
Type: String
Minimum: 1
Maximum: 1024

HealthCheckPort
The port the load balancer uses when performing health checks on targets. The default is traffic-
port, which is the port on which each target receives traffic from the load balancer.
Required: No
Type: String

HealthCheckProtocol
The protocol the load balancer uses when performing health checks on targets. For Application Load
Balancers, the default is HTTP. For Network Load Balancers, the default is TCP. The TCP protocol is
supported for health checks only if the protocol of the target group is TCP, TLS, UDP, or TCP_UDP.
The TLS, UDP, and TCP_UDP protocols are not supported for health checks.
Required: No
Type: String

2102
HealthCheckTimeoutSeconds
The amount of time, in seconds, during which no response from a target means a failed health
check. For target groups with a protocol of HTTP or HTTPS, the default is 5 seconds. For target
groups with a protocol of TCP or TLS, this value must be 6 seconds for HTTP health checks and 10
seconds for TCP and HTTPS health checks. If the target type is lambda, the default is 30 seconds.
Required: No
Type: Integer
Minimum: 2
Maximum: 120

HealthyThresholdCount
The number of consecutive health checks successes required before considering an unhealthy target
healthy. For target groups with a protocol of HTTP or HTTPS, the default is 5. For target groups with
a protocol of TCP or TLS, the default is 3. If the target type is lambda, the default is 5.
Required: No
Type: Integer
Minimum: 2
Maximum: 10

Matcher
[HTTP/HTTPS health checks] The HTTP codes to use when checking for a successful response from a
target.
Required: No
Type: Matcher (p. 2107)

Name
The name of the target group.
This name must be unique per region per account, can have a maximum of 32 characters, must
contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen.
Required: No
Type: String

Port
The port on which the targets receive traffic. This port is used unless you specify a port override
when registering the target. If the target is a Lambda function, this parameter does not apply.
Required: No
Type: Integer

2103
Minimum: 1
Maximum: 65535

Protocol
The protocol to use for routing traffic to the targets. For Application Load Balancers, the supported
protocols are HTTP and HTTPS. For Network Load Balancers, the supported protocols are TCP, TLS,
UDP, or TCP_UDP. A TCP_UDP listener must be associated with a TCP_UDP target group. If the target
is a Lambda function, this parameter does not apply.
Required: No
Type: String

Tags
The tags. Each resource can have a maximum of 10 tags.
Required: No
Type: List of Tag

TargetGroupAttributes
The attributes.
Required: No
Type: List of TargetGroupAttribute (p. 2109)

Targets
The targets.
Required: No
Type: List of TargetDescription (p. 2107)

TargetType
The type of target that you must specify when registering targets with this target group. You can't
specify targets for a target group using more than one target type.
• instance - Targets are specified by instance ID. This is the default value. If the target group
protocol is UDP or TCP_UDP, the target type must be instance.
• ip - Targets are specified by IP address. You can specify IP addresses from the subnets of the
virtual private cloud (VPC) for the target group, the RFC 1918 range (10.0.0.0/8, 172.16.0.0/12,
and 192.168.0.0/16), and the RFC 6598 range (100.64.0.0/10). You can't specify publicly routable
IP addresses.
• lambda - The target groups contains a single Lambda function.
Required: No

2104
Type: String
Allowed Values: instance | ip | lambda

UnhealthyThresholdCount
The number of consecutive health check failures required before considering a target unhealthy. For
target groups with a protocol of HTTP or HTTPS, the default is 2. For target groups with a protocol
of TCP or TLS, this value must be the same as the healthy threshold count. If the target type is
lambda, the default is 2.
Required: No
Type: Integer
Minimum: 2
Maximum: 10

VpcId
The identifier of the virtual private cloud (VPC). If the target is a Lambda function, this parameter
does not apply. Otherwise, this parameter is required.
Type: String
Return Values
Ref
Resource Name (ARN) of the target group.
Fn::GetAtt
LoadBalancerArns
The Amazon Resource Names (ARNs) of the load balancers that route traffic to this target group.
TargetGroupFullName
The full name of the target group. For example, targetgroup/my-target-group/

cbf133c568e0d028.
TargetGroupName
The name of the target group. For example, my-target-group.

2105
Examples
The following example creates a target group where the target is a Lambda function.
YAML
Resources:
MyLambdaInvokePermission:
Properties:
FunctionName: !GetAtt
- MyLambdaFunction
- Arn
Action: 'lambda:InvokeFunction'
Principal: elasticloadbalancing.amazonaws.com
MyTargetGroup:
Properties:
HealthCheckEnabled: false
Name: MyTargets
TargetType: lambda
Targets:
- Id: !GetAtt [ MyLambdaFunction, Arn ]
MyLambdaFunction:
Type: "AWS::Lambda::Function"
Properties:
Handler: "index.handler"
Role: !GetAtt [ LambdaExecutionRole, Arn ]
Code:
ZipFile: !Sub |
import json
def handler(event, context):

response = {
"statusCode": 200,
"statusDescription": "200 OK",
"isBase64Encoded": False,
"headers": {
"Content-Type": "text/html; charset=utf-8"
}
}
response['body'] = """<html>
<head>
<title>Hello World!</title>
<style>
html, body {
margin: 0; padding: 0;
font-family: arial; font-weight: 700; font-size: 3em;
text-align: center;
}
</style>
</head>
<body>
<p>Hello World from Lambda</p>
</body>
</html>"""
return response
Runtime: "python3.6"
Timeout: "25"

2106
Type: "AWS::IAM::Role"
Properties:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: "sts:AssumeRole"
See Also
• CreateTargetGroup in the Elastic Load Balancing API Reference (version 2015-12-01)
• Target Groups in the User Guide for Application Load Balancers
• Target Groups in the User Guide for Network Load Balancers
AWS::ElasticLoadBalancingV2::TargetGroup Matcher
Specifies the HTTP codes that healthy targets must use when responding to an HTTP health check.
Syntax
JSON
{
"HttpCode" : String
}
YAML
HttpCode: String
Properties
HttpCode
The HTTP codes.
For Application Load Balancers, you can specify values between 200 and 499, and the default value
is 200. You can specify multiple values (for example, "200,202") or a range of values (for example,
"200-299").
For Network Load Balancers, this is 200–399.
Required: Yes
Type: String
AWS::ElasticLoadBalancingV2::TargetGroup TargetDescription
Specifies a target to add to a target group.

2107
Syntax
JSON
{
"Id" : String,
"Port" : Integer
}
YAML
Id: String
Port: Integer
Properties
AvailabilityZone
An Availability Zone or all. This determines whether the target receives traffic from the load
balancer nodes in the specified Availability Zone or from all enabled Availability Zones for the load
balancer.
This parameter is not supported if the target type of the target group is instance.
If the target type is ip and the IP address is in a subnet of the VPC for the target group, the
Availability Zone is automatically detected and this parameter is optional. If the IP address is outside
the VPC, this parameter is required.
With an Application Load Balancer, if the target type is ip and the IP address is outside the VPC for
the target group, the only supported value is all.
If the target type is lambda, this parameter is optional and the only supported value is all.
Required: No
Type: String

Id
The ID of the target. If the target type of the target group is instance, specify an instance ID. If the
target type is ip, specify an IP address. If the target type is lambda, specify the ARN of the Lambda
function.
Required: Yes
Type: String

Port
The port on which the target is listening. Not used if the target is a Lambda function.
Required: No
Type: Integer

2108
Minimum: 1
Maximum: 65535
AWS::ElasticLoadBalancingV2::TargetGroup TargetGroupAttribute
Specifies a target group attribute.
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
The following attribute is supported by both Application Load Balancers and Network Load
Balancers:
• deregistration_delay.timeout_seconds - The amount of time, in seconds, for Elastic Load
Balancing to wait before changing the state of a deregistering target from draining to unused.
The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function,
this attribute is not supported.
The following attributes are supported by Application Load Balancers if the target is not a Lambda
function:
• load_balancing.algorithm.type - The load balancing algorithm determines how
the load balancer selects targets when routing requests. The value is round_robin or
least_outstanding_requests. The default is round_robin.
• slow_start.duration_seconds - The time period, in seconds, during which a newly registered
target receives a linearly increasing share of the traffic to the target group. After this time period
ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). Slow
start mode is disabled by default.
• stickiness.enabled - Indicates whether sticky sessions are enabled. The value is true or
false. The default is false.
• stickiness.type - The type of sticky sessions. The possible value is lb_cookie.
• stickiness.lb_cookie.duration_seconds - The time period, in seconds, during which
requests from a client should be routed to the same target. After this time period expires, the load
balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds).
The default value is 1 day (86400 seconds).

2109
Amazon EMR
The following attribute is supported only if the target is a Lambda function.

• lambda.multi_value_headers.enabled - Indicates whether the request and response
headers exchanged between the load balancer and the Lambda function include arrays of values
or strings. The value is true or false. The default is false. If the value is false and the request
contains a duplicate header field name or query parameter key, the load balancer uses the last
value sent by the client.
The following attribute is supported only by Network Load Balancers:

• proxy_protocol_v2.enabled - Indicates whether Proxy Protocol version 2 is enabled. The
value is true or false. The default is false.
Required: No
Type: String
Maximum: 256
Pattern: ^[a-zA-Z0-9._]+$

Value
Required: No
Type: String
Amazon EMR Resource Type Reference

Resource Types
• AWS::EMR::Cluster (p. 2110)

• AWS::EMR::InstanceFleetConfig (p. 2160)
• AWS::EMR::InstanceGroupConfig (p. 2170)
• AWS::EMR::SecurityConfiguration (p. 2188)
• AWS::EMR::Step (p. 2189)
AWS::EMR::Cluster
The AWS::EMR::Cluster resource specifies an Amazon EMR cluster. This cluster is a collection of
Amazon EC2 instances that run open source big data frameworks and applications to process and
analyze vast amounts of data. For more information, see the Amazon EMR Management Guide.
Syntax
JSON
{
"Type" : "AWS::EMR::Cluster",

2110
Amazon EMR
"Properties" : {
"AdditionalInfo" : Json,
"Applications" : [ Application (p. 2126), ... ],
"AutoScalingRole" : String,
"BootstrapActions" : [ BootstrapActionConfig (p. 2129), ... ],
"Configurations" : [ Configuration (p. 2132), ... ],
"CustomAmiId" : String,
"EbsRootVolumeSize" : Integer,
"Instances" : JobFlowInstancesConfig (p. 2143),
"JobFlowRole" : String,
"KerberosAttributes" : KerberosAttributes (p. 2147),
"LogUri" : String,
"Name" : String,
"ReleaseLabel" : String,
"ScaleDownBehavior" : String,
"SecurityConfiguration" : String,
"Steps" : [ StepConfig (p. 2158), ... ],
"Tags" : [ Tag, ... ],
"VisibleToAllUsers" : Boolean
}
}
YAML
Type: AWS::EMR::Cluster
Properties:
AdditionalInfo: Json
Applications:
- Application (p. 2126)
AutoScalingRole: String
BootstrapActions:
- BootstrapActionConfig (p. 2129)
Configurations:
- Configuration (p. 2132)
CustomAmiId: String
EbsRootVolumeSize: Integer
Instances:
JobFlowInstancesConfig (p. 2143)
JobFlowRole: String
KerberosAttributes:
KerberosAttributes (p. 2147)
LogUri: String
Name: String
ReleaseLabel: String
ScaleDownBehavior: String
SecurityConfiguration: String
ServiceRole: String
Steps:
- StepConfig (p. 2158)
Tags:
- Tag
VisibleToAllUsers: Boolean
Properties
AdditionalInfo
A JSON string for selecting additional features.
Required: No
Type: Json

2111
Amazon EMR
Minimum: 0
Maximum: 10280

Applications
The applications to install on this cluster, for example, Spark, Flink, Oozie, Zeppelin, and so on.
Required: No
Type: List of Application (p. 2126)

AutoScalingRole
An IAM role for automatic scaling policies. The default role is EMR_AutoScaling_DefaultRole.
The IAM role provides permissions that the automatic scaling feature requires to launch and
terminate EC2 instances in an instance group.
Required: No
Type: String
Minimum: 0
Maximum: 10280

BootstrapActions
A list of bootstrap actions to run before Hadoop starts on the cluster nodes.
Required: No
Type: List of BootstrapActionConfig (p. 2129)

Configurations
Applies only to Amazon EMR releases 4.x and later. The list of Configurations supplied to the EMR
cluster.
Required: No
Type: List of Configuration (p. 2132)

CustomAmiId
Available only in Amazon EMR version 5.7.0 and later. The ID of a custom Amazon EBS-backed Linux
AMI if the cluster uses a custom AMI.
Required: No
Type: String

2112
Amazon EMR
Minimum: 0
Maximum: 256

EbsRootVolumeSize
The size, in GiB, of the EBS root device volume of the Linux AMI that is used for each EC2 instance.
Available in Amazon EMR version 4.x and later.
Required: No
Type: Integer

Instances
A specification of the number and type of Amazon EC2 instances.
Required: Yes
Type: JobFlowInstancesConfig (p. 2143)

JobFlowRole
Also called instance profile and EC2 role. An IAM role for an EMR cluster. The EC2 instances of the
cluster assume this role. The default role is EMR_EC2_DefaultRole. In order to use the default role,
you must have already created it using the CLI or console.
Required: Yes
Type: String
Minimum: 0
Maximum: 10280

KerberosAttributes
Attributes for Kerberos configuration when Kerberos authentication is enabled using a security
configuration. For more information see Use Kerberos Authentication in the EMR Management Guide.
Required: No
Type: KerberosAttributes (p. 2147)

LogUri
The path to the Amazon S3 location where logs for this cluster are stored.
Required: No
Type: String

2113
Amazon EMR

Name
The name of the cluster.
Required: Yes
Type: String

ReleaseLabel
The Amazon EMR release label, which determines the version of open-source application packages
installed on the cluster. Release labels are in the form emr-x.x.x, where x.x.x is an Amazon EMR
release version such as emr-5.14.0. For more information about Amazon EMR release versions
and included application versions and features, see https://docs.aws.amazon.com/emr/latest/
ReleaseGuide/. The release label applies only to Amazon EMR releases version 4.0 and later. Earlier
versions use AmiVersion.
Required: No
Type: String

ScaleDownBehavior
The way that individual Amazon EC2 instances terminate when an automatic scale-in activity occurs
or an instance group is resized. TERMINATE_AT_INSTANCE_HOUR indicates that Amazon EMR
terminates nodes at the instance-hour boundary, regardless of when the request to terminate
the instance was submitted. This option is only available with Amazon EMR 5.1.0 and later and is
the default for clusters created using that version. TERMINATE_AT_TASK_COMPLETION indicates
that Amazon EMR blacklists and drains tasks from nodes before terminating the Amazon EC2
instances, regardless of the instance-hour boundary. With either behavior, Amazon EMR removes
the least active nodes first and blocks instance termination if it could lead to HDFS corruption.
TERMINATE_AT_TASK_COMPLETION is available only in Amazon EMR version 4.1.0 and later, and is
the default for versions of Amazon EMR earlier than 5.1.0.
Required: No
Type: String
Allowed Values: TERMINATE_AT_INSTANCE_HOUR | TERMINATE_AT_TASK_COMPLETION

SecurityConfiguration
The name of the security configuration applied to the cluster.
Required: No
Type: String
Minimum: 0
Maximum: 10280

2114
Amazon EMR
ServiceRole
The IAM role that will be assumed by the Amazon EMR service to access AWS resources on your
behalf.
Required: Yes
Type: String

Steps
A list of steps to run.
Required: No
Type: List of StepConfig (p. 2158)

Tags
A list of tags associated with a cluster.
Required: No
Type: List of Tag

VisibleToAllUsers
Indicates whether the cluster is visible to all IAM users of the AWS account associated with the
cluster. If this value is set to true, all IAM users of that AWS account can view and manage
the cluster if they have the proper policy permissions set. If this value is false, only the IAM
user that created the cluster can view and manage it. This value can be changed using the
SetVisibleToAllUsers action.
Note
When you create clusters directly through the EMR console or API, this value is set to true
by default. However, for AWS::EMR::Cluster resources in CloudFormation, the default is
false.
Required: No
Type: Boolean
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns returns the cluster
ID, such as j-1ABCD123AB1A.
Fn::GetAtt

2115
Amazon EMR
MasterPublicDNS
The public DNS name of the master node (instance), such as ec2-12-123-123-123.us-
west-2.compute.amazonaws.com.
Examples
Create cluster examples.
Create a Cluster Using a Custom AMI for EC2 Instances
The following example template specifies a cluster using a custom Amazon Linux AMI for the EC2
instances in the cluster.
JSON
{
"Parameters" : {
"CustomAmiId" : {
"Type" : "String"
},
"InstanceType" : {
"Type" : "String"
},
"ReleaseLabel" : {
"Type" : "String"
},
"SubnetId" : {
"Type" : "String"
},
"TerminationProtected" : {
"Type" : "String",
"Default" : "false"
},
"ElasticMapReducePrincipal" : {
"Type" : "String"
},
"Ec2Principal" : {
"Type" : "String"
}
},
"Resources": {
"cluster": {
"Type": "AWS::EMR::Cluster",
"Properties": {
"CustomAmiId" : {"Ref" : "CustomAmiId"},
"Instances": {
"MasterInstanceGroup": {
"InstanceCount": 1,
"InstanceType": {"Ref" : "InstanceType"},
"Market": "ON_DEMAND",
"Name": "cfnMaster"
},
"CoreInstanceGroup": {
"InstanceCount": 1,
"Name": "cfnCore"
},

2116
Amazon EMR
"TerminationProtected" : {"Ref" : "TerminationProtected"},

"Ec2SubnetId" : {"Ref" : "SubnetId"}
},
"Name": "CFNtest",
"JobFlowRole" : {"Ref": "emrEc2InstanceProfile"},
"ServiceRole" : {"Ref": "emrRole"},
"ReleaseLabel" : {"Ref" : "ReleaseLabel"},
"VisibleToAllUsers" : true,
"Tags": [
{
"Key": "key1",
"Value": "value1"
}
]
}
},
"emrRole": {
"Properties": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": {"Ref" : "ElasticMapReducePrincipal"}
},
}
]
},
"Path": "/",
AmazonElasticMapReduceRole"]
}
},
"emrEc2Role": {
"Properties": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": {"Ref" : "Ec2Principal"}
},
}
]
},
"Path": "/",
AmazonElasticMapReduceforEC2Role"]
}
},
"emrEc2InstanceProfile": {
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "emrEc2Role"
} ]
}

2117
Amazon EMR
}
}
}
YAML
Parameters:
CustomAmiId:
Type: String
InstanceType:
Type: String
ReleaseLabel:
Type: String
SubnetId:
Type: String
TerminationProtected:
Type: String
Default: 'false'
ElasticMapReducePrincipal:
Type: String
Ec2Principal:
Type: String
Resources:
cluster:
Properties:
CustomAmiId: !Ref CustomAmiId
Instances:
MasterInstanceGroup:
InstanceCount: 1
Market: ON_DEMAND
Name: cfnMaster
CoreInstanceGroup:
InstanceCount: 1
Market: ON_DEMAND
Name: cfnCore
TerminationProtected: !Ref TerminationProtected
Ec2SubnetId: !Ref SubnetId
Name: CFNtest
JobFlowRole: !Ref emrEc2InstanceProfile
ServiceRole: !Ref emrRole
ReleaseLabel: !Ref ReleaseLabel
VisibleToAllUsers: true
Tags:
- Key: key1
Value: value1
emrRole:
Properties:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: !Ref ElasticMapReducePrincipal
Path: /
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole'
emrEc2Role:

2118
Amazon EMR
Properties:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: !Ref Ec2Principal
Path: /
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role'
emrEc2InstanceProfile:
Properties:
Path: /
Roles:
- !Ref emrEc2Role
Create a Cluster and Specify the Root Volume Size of EC2 Instances
The following example template enables you to specify the size of the EBS root volume for cluster
instances.
JSON
{
"Parameters" : {
"InstanceType" : {
"Type" : "String"
},
"ReleaseLabel" : {
"Type" : "String"
},
"SubnetId" : {
"Type" : "String"
},
"TerminationProtected" : {
"Type" : "String",
"Default" : "false"
},
"EbsRootVolumeSize" : {
"Type" : "String"
}
},
"Resources": {
"cluster": {
"Properties": {
"EbsRootVolumeSize" : {"Ref" : "EbsRootVolumeSize"},
"Instances": {
"InstanceCount": 1,
"Name": "cfnMaster"
},
"InstanceCount": 1,
"Name": "cfnCore"

2119
Amazon EMR
},
"TerminationProtected" : {"Ref" : "TerminationProtected"},
},
"Name": "CFNtest",
"Tags": [
{
"Key": "key1",
"Value": "value1"
}
]
}
},
"emrRole": {
"Properties": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "elasticmapreduce.amazonaws.com"
},
}
]
},
"Path": "/",
}
},
"emrEc2Role": {
"Properties": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
}
]
},
"Path": "/",
}
},
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "emrEc2Role"
} ]

2120
Amazon EMR
}
}
}
}
YAML
Parameters:
InstanceType:
Type: String
ReleaseLabel:
Type: String
SubnetId:
Type: String
TerminationProtected:
Type: String
Default: 'false'
EbsRootVolumeSize:
Type: String
Resources:
cluster:
Properties:
EbsRootVolumeSize: !Ref EbsRootVolumeSize
Instances:
InstanceCount: 1
Market: ON_DEMAND
Name: cfnMaster
CoreInstanceGroup:
InstanceCount: 1
Market: ON_DEMAND
Name: cfnCore
TerminationProtected: !Ref TerminationProtected
Name: CFNtest
Tags:
- Key: key1
Value: value1
emrRole:
Properties:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: elasticmapreduce.amazonaws.com
Path: /
ManagedPolicyArns:
emrEc2Role:
Properties:

2121
Amazon EMR
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: ec2.amazonaws.com
Path: /
ManagedPolicyArns:
Properties:
Path: /
Roles:
- !Ref emrEc2Role
Create a Cluster with Kerberos Authentication
The following example template enables you to specify the Kerberos authentication configuration for an
EMR cluster.
JSON
{
"Parameters" : {
"CrossRealmTrustPrincipalPassword" : {
"Type" : "String"
},
"KdcAdminPassword" : {
"Type" : "String"
},
"Realm" : {
"Type" : "String"
},
"InstanceType" : {
"Type" : "String"
},
"ReleaseLabel" : {
"Type" : "String"
},
"SubnetId" : {
"Type" : "String"
}
},
"Resources": {
"cluster": {
"Properties": {
"Instances": {
"InstanceCount": 1,
"Name": "cfnMaster"
},
"InstanceCount": 1,
"Name": "cfnCore"
},

2122
Amazon EMR
},
"Name": "CFNtest2",
"KerberosAttributes" : {
"CrossRealmTrustPrincipalPassword" : "CfnIntegrationTest-1",
"KdcAdminPassword" : "CfnIntegrationTest-1",
"Realm": "EC2.INTERNAL"
},
"SecurityConfiguration" : {"Ref" : "securityConfiguration"},
"Tags": [
{
"Key": "key1",
"Value": "value1"
}
]
}
},
"key" : {
"Type" : "AWS::KMS::Key",
"Properties" : {
"KeyPolicy" : {
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": { "Fn::GetAtt" : ["emrEc2Role", "Arn"]}
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": { "Fn::Join" : ["" , ["arn:aws:iam::", {"Ref" :
"AWS::AccountId"} ,":root" ]] }
},
"Action": "kms:*",
"Resource": "*"
}
]
}
}
},
"securityConfiguration": {
"Type" : "AWS::EMR::SecurityConfiguration",
"Properties" : {
"SecurityConfiguration" : {
"KerberosConfiguration": {
"Provider": "ClusterDedicatedKdc",
"ClusterDedicatedKdcConfiguration": {
"TicketLifetimeInHours": 24,
"CrossRealmTrustConfiguration": {
"Realm": "AD.DOMAIN.COM",
"Domain": "ad.domain.com",
"AdminServer": "ad.domain.com",
"KdcServer": "ad.domain.com"
}
}

2123
Amazon EMR
}
}
}
}
},
"emrRole": {
"Properties": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "elasticmapreduce.amazonaws.com"
},
}
]
},
"Path": "/",
}
},
"emrEc2Role": {
"Properties": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
}
]
},
"Path": "/",
}
},
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "emrEc2Role"
} ]
}
}
},
"Outputs" : {
"keyArn" : {
"Value" : {"Fn::GetAtt" : ["key", "Arn"]}
}
}
}

2124
Amazon EMR
YAML
Parameters:
CrossRealmTrustPrincipalPassword:
Type: String
KdcAdminPassword:
Type: String
Realm:
Type: String
InstanceType:
Type: String
ReleaseLabel:
Type: String
SubnetId:
Type: String
Resources:
cluster:
Type: 'AWS::EMR::Cluster'
Properties:
Instances:
InstanceCount: 1
Market: ON_DEMAND
Name: cfnMaster
CoreInstanceGroup:
InstanceCount: 1
Market: ON_DEMAND
Name: cfnCore
Name: CFNtest2
KerberosAttributes:
CrossRealmTrustPrincipalPassword: CfnIntegrationTest-1
KdcAdminPassword: CfnIntegrationTest-1
Realm: EC2.INTERNAL
SecurityConfiguration: !Ref securityConfiguration
Tags:
- Key: key1
Value: value1
key:
Type: 'AWS::KMS::Key'
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !GetAtt
- emrEc2Role
- Arn
Action: 'kms:*'
Resource: '*'
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Join
- ''

2125
Amazon EMR
- - 'arn:aws:iam::'
- ':root'
Action: 'kms:*'
Resource: '*'
securityConfiguration:
Type: 'AWS::EMR::SecurityConfiguration'
Properties:
SecurityConfiguration:
KerberosConfiguration:
Provider: ClusterDedicatedKdc
ClusterDedicatedKdcConfiguration:
TicketLifetimeInHours: 24
CrossRealmTrustConfiguration:
Realm: AD.DOMAIN.COM
Domain: ad.domain.com
AdminServer: ad.domain.com
KdcServer: ad.domain.com
emrRole:
Properties:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: elasticmapreduce.amazonaws.com
Path: /
ManagedPolicyArns:
emrEc2Role:
Properties:
Version: 2008-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: ec2.amazonaws.com
Path: /
ManagedPolicyArns:
Type: 'AWS::IAM::InstanceProfile'
Properties:
Path: /
Roles:
- !Ref emrEc2Role
Outputs:
keyArn:
Value: !GetAtt
- key
- Arn
AWS::EMR::Cluster Application
Application is a property of AWS::EMR::Cluster. The Application property type defines the
open-source big data applications for EMR to install and configure when a cluster is created.

2126
Amazon EMR
With Amazon EMR release version 4.0 and later, the only accepted parameter is the application Name. To
pass arguments to these applications, you use configuration classifications specified using JSON objects
in a Configuration property. For more information, see Configuring Applications.
With earlier Amazon EMR releases, the application is any Amazon or third-party software that you can
add to the cluster. You can specify the version of the application and arguments to pass to it. Amazon
EMR accepts and forwards the argument list to the corresponding installation script as a bootstrap
action argument.
Syntax
JSON
{
"AdditionalInfo" : {Key : Value, ...},
"Args" : [ String, ... ],
"Name" : String,
"Version" : String
}
YAML
AdditionalInfo:
Key : Value
Args:
- String
Name: String
Version: String
Properties
AdditionalInfo
This option is for advanced users only. This is meta information about clusters and applications that
are used for testing and troubleshooting.
Required: No
Type: Map of String

Args
Arguments for Amazon EMR to pass to the application.
Required: No

Name
The name of the application.
Required: No
Type: String

2127
Amazon EMR

Version
The version of the application.
Required: No
Type: String
AWS::EMR::Cluster AutoScalingPolicy
AutoScalingPolicy is a subproperty of InstanceGroupConfig. AutoScalingPolicy defines
how an instance group dynamically adds and terminates EC2 instances in response to the value of a
CloudWatch metric. For more information, see Using Automatic Scaling in Amazon EMR in the Amazon
EMR Management Guide.
Syntax
JSON
{
"Constraints" : ScalingConstraints (p. 2152),
"Rules" : [ ScalingRule (p. 2153), ... ]
}
YAML
Constraints:
ScalingConstraints (p. 2152)
Rules:
- ScalingRule (p. 2153)
Properties
Constraints
The upper and lower EC2 instance limits for an automatic scaling policy. Automatic scaling activity
will not cause an instance group to grow above or below these limits.
Required: Yes
Type: ScalingConstraints (p. 2152)

Rules
The scale-in and scale-out rules that comprise the automatic scaling policy.
Required: Yes
Type: List of ScalingRule (p. 2153)

2128
Amazon EMR
AWS::EMR::Cluster BootstrapActionConfig
BootstrapActionConfig is a property of AWS::EMR::Cluster that can be used to run bootstrap
actions on EMR clusters. You can use a bootstrap action to install software and configure EC2 instances
for all cluster nodes before EMR installs and configures open-source big data applications on cluster
instances. For more information, see Create Bootstrap Actions to Install Additional Software in the
Amazon EMR Management Guide.
Syntax
JSON
{
"Name" : String,
"ScriptBootstrapAction" : ScriptBootstrapActionConfig (p. 2154)
}
YAML
Name: String
ScriptBootstrapAction:
ScriptBootstrapActionConfig (p. 2154)
Properties
Name
The name of the bootstrap action.
Required: Yes
Type: String
Minimum: 0
Maximum: 256

ScriptBootstrapAction
The script run by the bootstrap action.
Required: Yes
Type: ScriptBootstrapActionConfig (p. 2154)
AWS::EMR::Cluster CloudWatchAlarmDefinition
CloudWatchAlarmDefinition is a subproperty of the ScalingTrigger property, which determines
when to trigger an automatic scaling activity. Scaling activity begins when you satisfy the defined alarm
conditions.

2129
Amazon EMR
Syntax
JSON
{
"Period" : Integer,
"Unit" : String
}
YAML
Dimensions:
MetricName: String
Namespace: String
Period: Integer
Statistic: String
Threshold: Double
Unit: String
Properties
ComparisonOperator
Determines how the metric specified by MetricName is compared to the value specified by
Threshold.
Required: Yes
Type: String
Allowed Values: GREATER_THAN | GREATER_THAN_OR_EQUAL | LESS_THAN |

LESS_THAN_OR_EQUAL

Dimensions
A CloudWatch metric dimension.
Required: No

EvaluationPeriods
The number of periods, in five-minute increments, during which the alarm condition must exist
before the alarm triggers automatic scaling activity. The default value is 1.
Required: No

2130
Amazon EMR
Type: Integer

MetricName
The name of the CloudWatch metric that is watched to determine an alarm condition.
Required: Yes
Type: String

Namespace
The namespace for the CloudWatch metric. The default is AWS/ElasticMapReduce.
Required: No
Type: String

Period
The period, in seconds, over which the statistic is applied. EMR CloudWatch metrics are emitted
every five minutes (300 seconds), so if an EMR CloudWatch metric is specified, specify 300.
Required: Yes
Type: Integer

Statistic
The statistic to apply to the metric associated with the alarm. The default is AVERAGE.
Required: No
Type: String
Allowed Values: AVERAGE | MAXIMUM | MINIMUM | SAMPLE_COUNT | SUM

Threshold
The value against which the specified statistic is compared.
Required: Yes
Type: Double

Unit
The unit of measure associated with the CloudWatch metric being watched. The value specified for
Unit must correspond to the units specified in the CloudWatch metric.
Required: No
Type: String

2131
Amazon EMR
Allowed Values: BITS | BITS_PER_SECOND | BYTES | BYTES_PER_SECOND | COUNT

| COUNT_PER_SECOND | GIGA_BITS | GIGA_BITS_PER_SECOND | GIGA_BYTES |
GIGA_BYTES_PER_SECOND | KILO_BITS | KILO_BITS_PER_SECOND | KILO_BYTES
| KILO_BYTES_PER_SECOND | MEGA_BITS | MEGA_BITS_PER_SECOND | MEGA_BYTES
| MEGA_BYTES_PER_SECOND | MICRO_SECONDS | MILLI_SECONDS | NONE |
PERCENT | SECONDS | TERA_BITS | TERA_BITS_PER_SECOND | TERA_BYTES |
TERA_BYTES_PER_SECOND
AWS::EMR::Cluster Configuration
Note
Used only with Amazon EMR release 4.0 and later.
Configuration is a subproperty of InstanceFleetConfig or InstanceGroupConfig.

Configuration specifies optional configurations for customizing open-source big data applications
and environment parameters. A configuration consists of a classification, properties, and optional nested
configurations. A classification refers to an application-specific configuration file. Properties are the
settings you want to change in that file. For more information, see Configuring Applications in the
Amazon EMR Release Guide.
Syntax
JSON
{
"Classification" : String,
"ConfigurationProperties" : {Key : Value, ...},
"Configurations" : [ Configuration (p. 2132), ... ]
}
YAML
Classification: String
Key : Value
Configurations:
Properties
Classification
The classification within a configuration.
Required: No
Type: String

A list of additional configurations to apply within a configuration object.
Required: No

2132
Amazon EMR
Type: Map of String

Configurations
Required: No
AWS::EMR::Cluster EbsBlockDeviceConfig
EbsBlockDeviceConfig is a subproperty of the EbsConfiguration property type.
EbsBlockDeviceConfig defines the number and type of EBS volumes to associate with all EC2
instances in an EMR cluster.
Syntax
JSON
{
"VolumeSpecification" : VolumeSpecification (p. 2159),
"VolumesPerInstance" : Integer
}
YAML
VolumeSpecification:
VolumeSpecification (p. 2159)
VolumesPerInstance: Integer
Properties
VolumeSpecification
EBS volume specifications such as volume type, IOPS, and size (GiB) that will be requested for the
EBS volume attached to an EC2 instance in the cluster.
Required: Yes
Type: VolumeSpecification (p. 2159)

VolumesPerInstance
Number of EBS volumes with a specific volume configuration that will be associated with every
instance in the instance group
Required: No
Type: Integer

2133
Amazon EMR
AWS::EMR::Cluster EbsConfiguration
EbsConfiguration is a subproperty of InstanceFleetConfig or InstanceGroupConfig.
EbsConfiguration determines the EBS volumes to attach to EMR cluster instances.
Syntax
JSON
{
"EbsBlockDeviceConfigs" : [ EbsBlockDeviceConfig (p. 2133), ... ],
"EbsOptimized" : Boolean
}
YAML
EbsBlockDeviceConfigs:
- EbsBlockDeviceConfig (p. 2133)
Properties
EbsBlockDeviceConfigs
An array of Amazon EBS volume specifications attached to a cluster instance.
Required: No
Type: List of EbsBlockDeviceConfig (p. 2133)

EbsOptimized
Indicates whether an Amazon EBS volume is EBS-optimized.
Required: No
Type: Boolean
AWS::EMR::Cluster HadoopJarStepConfig
The HadoopJarStepConfig property type specifies a job flow step consisting of a JAR file whose main
function will be executed. The main function submits a job for the cluster to execute as a step on the
master node, and then waits for the job to finish or fail before executing subsequent steps.
Syntax
JSON
{

2134
Amazon EMR
"Jar" : String,
"MainClass" : String,
"StepProperties" : [ KeyValue (p. 2149), ... ]
}
YAML
Args:
- String
Jar: String
MainClass: String
StepProperties:
- KeyValue (p. 2149)
Properties
Args
A list of command line arguments passed to the JAR file's main function when executed.
Required: No

Jar
A path to a JAR file run during the step.
Required: Yes
Type: String
Minimum: 0
Maximum: 10280

MainClass
The name of the main class in the specified Java file. If not specified, the JAR file should specify a
Main-Class in its manifest file.
Required: No
Type: String
Minimum: 0
Maximum: 10280

StepProperties
A list of Java properties that are set when the step runs. You can use these properties to pass key
value pairs to your main function.

2135
Amazon EMR
Required: No
Type: List of KeyValue (p. 2149)
AWS::EMR::Cluster InstanceFleetConfig
Use InstanceFleetConfig to define instance fleets for an EMR cluster. A cluster can not use both
instance fleets and instance groups. For more information, see Configure Instance Fleets in the Amazon
Note
The instance fleet configuration is available only in Amazon EMR versions 4.8.0 and later,
excluding 5.0.x versions.
Syntax
JSON
{
"InstanceTypeConfigs" : [ InstanceTypeConfig (p. 2141), ... ],
"LaunchSpecifications" : InstanceFleetProvisioningSpecifications (p. 2138),
"Name" : String,
"TargetOnDemandCapacity" : Integer,
"TargetSpotCapacity" : Integer
}
YAML
InstanceTypeConfigs:
- InstanceTypeConfig (p. 2141)
InstanceFleetProvisioningSpecifications (p. 2138)
Name: String
TargetOnDemandCapacity: Integer
TargetSpotCapacity: Integer
Properties
InstanceTypeConfigs
The instance type configurations that define the EC2 instances in the instance fleet.
Required: No
Type: List of InstanceTypeConfig (p. 2141)

The launch specification for the instance fleet.
Required: No
Type: InstanceFleetProvisioningSpecifications (p. 2138)

2136
Amazon EMR
Name
The friendly name of the instance fleet.
Required: No
Type: String
Minimum: 0
Maximum: 256

TargetOnDemandCapacity
The target capacity of On-Demand units for the instance fleet, which determines how many
On-Demand instances to provision. When the instance fleet launches, Amazon EMR tries
to provision On-Demand instances as specified by InstanceTypeConfig. Each instance
configuration has a specified WeightedCapacity. When an On-Demand instance is provisioned,
the WeightedCapacity units count toward the target capacity. Amazon EMR provisions instances
until the target capacity is totally fulfilled, even if this results in an overage. For example, if there
are 2 units remaining to fulfill capacity, and Amazon EMR can only provision an instance with a
WeightedCapacity of 5 units, the instance is provisioned, and the target capacity is exceeded by 3
units.
Note
If not specified or set to 0, only Spot instances are provisioned for the instance
fleet using TargetSpotCapacity. At least one of TargetSpotCapacity and
TargetOnDemandCapacity should be greater than 0. For a master instance fleet, only one
of TargetSpotCapacity and TargetOnDemandCapacity can be specified, and its value
must be 1.
Required: No
Type: Integer
Minimum: 0

TargetSpotCapacity
The target capacity of Spot units for the instance fleet, which determines how many Spot
instances to provision. When the instance fleet launches, Amazon EMR tries to provision Spot
instances as specified by InstanceTypeConfig. Each instance configuration has a specified
WeightedCapacity. When a Spot instance is provisioned, the WeightedCapacity units count
toward the target capacity. Amazon EMR provisions instances until the target capacity is totally
fulfilled, even if this results in an overage. For example, if there are 2 units remaining to fulfill
capacity, and Amazon EMR can only provision an instance with a WeightedCapacity of 5 units, the
instance is provisioned, and the target capacity is exceeded by 3 units.
Note
If not specified or set to 0, only On-Demand instances are provisioned for the instance
fleet. At least one of TargetSpotCapacity and TargetOnDemandCapacity should
be greater than 0. For a master instance fleet, only one of TargetSpotCapacity and
TargetOnDemandCapacity can be specified, and its value must be 1.
Required: No
Type: Integer

2137
Amazon EMR
Minimum: 0
AWS::EMR::Cluster InstanceFleetProvisioningSpecifications
InstanceFleetProvisioningSpecification is a subproperty of InstanceFleetConfig.
InstanceFleetProvisioningSpecification defines the launch specification for Spot instances
in an instance fleet, which determines the defined duration and provisioning timeout behavior for Spot
instances.
Note
Syntax
JSON
{
"SpotSpecification" : SpotProvisioningSpecification (p. 2156)
}
YAML
SpotSpecification:
SpotProvisioningSpecification (p. 2156)
Properties
SpotSpecification
The launch specification for Spot instances in the fleet, which determines the defined duration and
provisioning timeout behavior.
Required: Yes
Type: SpotProvisioningSpecification (p. 2156)
AWS::EMR::Cluster InstanceGroupConfig
Use InstanceGroupConfig to define instance groups for an EMR cluster. A cluster can not use both
instance groups and instance fleets. For more information, see Create a Cluster with Instance Fleets or
Uniform Instance Groups in the Amazon EMR Management Guide.
Syntax
JSON

2138
Amazon EMR
"AutoScalingPolicy" : AutoScalingPolicy (p. 2128),

"BidPrice" : String,
"EbsConfiguration" : EbsConfiguration (p. 2134),
"Market" : String,
"Name" : String
}
YAML
AutoScalingPolicy:
AutoScalingPolicy (p. 2128)
BidPrice: String
Configurations:
EbsConfiguration:
EbsConfiguration (p. 2134)
Market: String
Name: String
Properties
AutoScalingPolicy
AutoScalingPolicy is a subproperty of the InstanceGroupConfig property type that specifies the

constraints and rules of an automatic scaling policy in Amazon EMR. The automatic scaling policy
defines how an instance group dynamically adds and terminates EC2 instances in response to the
value of a CloudWatch metric. Only core and task instance groups can use automatic scaling policies.
For more information, see Using Automatic Scaling in Amazon EMR.
Required: No
Type: AutoScalingPolicy (p. 2128)

BidPrice
The bid price for each EC2 Spot instance type as defined by InstanceType. Expressed in
USD. If neither BidPrice nor BidPriceAsPercentageOfOnDemandPrice is provided,
BidPriceAsPercentageOfOnDemandPrice defaults to 100%.
Required: No
Type: String
Minimum: 0
Maximum: 256

Configurations
Note
Amazon EMR releases 4.x or later.

2139
Amazon EMR
The list of configurations supplied for an EMR cluster instance group. You can specify a separate
configuration for each instance group (master, core, and task).
Required: No

EbsConfiguration
EBS configurations that will be attached to each EC2 instance in the instance group.
Required: No
Type: EbsConfiguration (p. 2134)

InstanceCount
Target number of instances for the instance group.
Required: Yes
Type: Integer

InstanceType
The EC2 instance type for all instances in the instance group.
Required: Yes
Type: String
Minimum: 1
Maximum: 256

Market
Market type of the EC2 instances used to create a cluster node.
Required: No
Type: String
Allowed Values: ON_DEMAND | SPOT

Name
Friendly name given to the instance group.
Required: No
Type: String

2140
Amazon EMR
Minimum: 0
Maximum: 256
AWS::EMR::Cluster InstanceTypeConfig
Note
InstanceTypeConfig is a sub-property of InstanceFleetConfig. InstanceTypeConfig

determines the EC2 instances that Amazon EMR attempts to provision to fulfill On-Demand and Spot
target capacities. There can be a maximum of 5 instance type configurations in a fleet.
Syntax
JSON
{
"BidPriceAsPercentageOfOnDemandPrice" : Double,
"WeightedCapacity" : Integer
}
YAML
BidPrice: String
BidPriceAsPercentageOfOnDemandPrice: Double
Configurations:
EbsConfiguration:
WeightedCapacity: Integer
Properties
BidPrice
Required: No
Type: String
Minimum: 0
Maximum: 256

2141
Amazon EMR

BidPriceAsPercentageOfOnDemandPrice
The bid price, as a percentage of On-Demand price, for each EC2 Spot instance as
defined by InstanceType. Expressed as a number (for example, 20 specifies 20%).
If neither BidPrice nor BidPriceAsPercentageOfOnDemandPrice is provided,
Required: No
Type: Double

Configurations
A configuration classification that applies when provisioning cluster instances, which can include
configurations for applications and software that run on the cluster.
Required: No

EbsConfiguration
The configuration of Amazon Elastic Block Storage (EBS) attached to each instance as defined by
InstanceType.
Required: No

InstanceType
An EC2 instance type, such as m3.xlarge.
Required: Yes
Type: String
Minimum: 1
Maximum: 256

WeightedCapacity
The number of units that a provisioned instance of this type provides toward fulfilling the target
capacities defined in InstanceFleetConfig. This value is 1 for a master instance fleet, and must
be 1 or greater for core and task instance fleets. Defaults to 1 if not specified.
Required: No
Type: Integer

2142
Amazon EMR
Minimum: 0
AWS::EMR::Cluster JobFlowInstancesConfig
JobFlowInstancesConfig is a property of the AWS::EMR::Cluster resource.
JobFlowInstancesConfig defines the instance groups or instance fleets that comprise the cluster.
JobFlowInstancesConfig must contain either InstanceFleetConfig or InstanceGroupConfig.
They cannot be used together.
Syntax
JSON
{
"AdditionalMasterSecurityGroups" : [ String, ... ],
"AdditionalSlaveSecurityGroups" : [ String, ... ],
"CoreInstanceFleet" : InstanceFleetConfig (p. 2136),
"CoreInstanceGroup" : InstanceGroupConfig (p. 2138),
"Ec2KeyName" : String,
"Ec2SubnetId" : String,
"Ec2SubnetIds" : [ String, ... ],
"EmrManagedMasterSecurityGroup" : String,
"EmrManagedSlaveSecurityGroup" : String,
"HadoopVersion" : String,
"KeepJobFlowAliveWhenNoSteps" : Boolean,
"MasterInstanceFleet" : InstanceFleetConfig (p. 2136),
"MasterInstanceGroup" : InstanceGroupConfig (p. 2138),
"Placement" : PlacementType (p. 2150),
"ServiceAccessSecurityGroup" : String,
"TerminationProtected" : Boolean
}
YAML
AdditionalMasterSecurityGroups:
- String
AdditionalSlaveSecurityGroups:
- String
CoreInstanceFleet:
InstanceFleetConfig (p. 2136)
CoreInstanceGroup:
InstanceGroupConfig (p. 2138)
Ec2KeyName: String
Ec2SubnetId: String
Ec2SubnetIds:
- String
EmrManagedMasterSecurityGroup: String
EmrManagedSlaveSecurityGroup: String
HadoopVersion: String
KeepJobFlowAliveWhenNoSteps: Boolean
MasterInstanceFleet:
InstanceFleetConfig (p. 2136)
InstanceGroupConfig (p. 2138)
Placement:
PlacementType (p. 2150)
ServiceAccessSecurityGroup: String

2143
Amazon EMR
TerminationProtected: Boolean
Properties
AdditionalMasterSecurityGroups
A list of additional Amazon EC2 security group IDs for the master node.
Required: No

AdditionalSlaveSecurityGroups
A list of additional Amazon EC2 security group IDs for the core and task nodes.
Required: No

CoreInstanceFleet
Describes the EC2 instances and instance configurations for the core instance fleet when using
clusters with the instance fleet configuration.
Required: No
Type: InstanceFleetConfig (p. 2136)

CoreInstanceGroup
Describes the EC2 instances and instance configurations for core instance groups when using clusters
with the uniform instance group configuration.
Required: No
Type: InstanceGroupConfig (p. 2138)

Ec2KeyName
The name of the EC2 key pair that can be used to ssh to the master node as the user called
"hadoop."
Required: No
Type: String
Minimum: 0
Maximum: 256

Ec2SubnetId
Applies to clusters that use the uniform instance group configuration. To launch the cluster in
Amazon Virtual Private Cloud (Amazon VPC), set this parameter to the identifier of the Amazon

2144
Amazon EMR
VPC subnet where you want the cluster to launch. If you do not specify this value and your account
supports EC2-Classic, the cluster launches in EC2-Classic.
Required: No
Type: String
Minimum: 0
Maximum: 256

Ec2SubnetIds
Applies to clusters that use the instance fleet configuration. When multiple EC2 subnet IDs are
specified, Amazon EMR evaluates them and launches instances in the optimal subnet.
Note
Required: No

EmrManagedMasterSecurityGroup
The identifier of the Amazon EC2 security group for the master node.
Required: No
Type: String
Minimum: 0
Maximum: 256

EmrManagedSlaveSecurityGroup
The identifier of the Amazon EC2 security group for the core and task nodes.
Required: No
Type: String
Minimum: 0
Maximum: 256

HadoopVersion
Applies only to Amazon EMR release versions earlier than 4.0. The Hadoop version for the cluster.
Valid inputs are "0.18" (deprecated), "0.20" (deprecated), "0.20.205" (deprecated), "1.0.3", "2.2.0", or

2145
Amazon EMR
"2.4.0". If you do not set this value, the default of 0.18 is used, unless the AmiVersion parameter is
set in the RunJobFlow call, in which case the default version of Hadoop for that AMI version is used.
Required: No
Type: String
Minimum: 0
Maximum: 256

KeepJobFlowAliveWhenNoSteps
Specifies whether the cluster should remain available after completing all steps.
Required: No
Type: Boolean

MasterInstanceFleet
Describes the EC2 instances and instance configurations for the master instance fleet when using
clusters with the instance fleet configuration.
Required: No
Type: InstanceFleetConfig (p. 2136)

MasterInstanceGroup
Describes the EC2 instances and instance configurations for the master instance group when using
clusters with the uniform instance group configuration.
Required: No
Type: InstanceGroupConfig (p. 2138)

Placement
The Availability Zone in which the cluster runs.
Required: No
Type: PlacementType (p. 2150)

ServiceAccessSecurityGroup
The identifier of the Amazon EC2 security group for the Amazon EMR service to access clusters in
VPC private subnets.
Required: No
Type: String
Minimum: 0

2146
Amazon EMR
Maximum: 256

TerminationProtected
Specifies whether to lock the cluster to prevent the Amazon EC2 instances from being terminated by
API call, user intervention, or in the event of a job-flow error.
Required: No
Type: Boolean
AWS::EMR::Cluster KerberosAttributes
KerberosAttributes is a property of the AWS::EMR::Cluster resource. KerberosAttributes
define the cluster-specific Kerberos configuration when Kerberos authentication is enabled using
a security configuration. The cluster-specific configuration must be compatible with the security
configuration. For more information see Use Kerberos Authentication in the EMR Management Guide.
Syntax
JSON
{
"ADDomainJoinPassword" : String,
"ADDomainJoinUser" : String,
"CrossRealmTrustPrincipalPassword" : String,
"KdcAdminPassword" : String,
"Realm" : String
}
YAML
ADDomainJoinPassword: String
ADDomainJoinUser: String
CrossRealmTrustPrincipalPassword: String
KdcAdminPassword: String
Realm: String
Properties
ADDomainJoinPassword
The Active Directory password for ADDomainJoinUser.
Required: No
Type: String
Minimum: 0
Maximum: 256

2147
Amazon EMR

ADDomainJoinUser
Required only when establishing a cross-realm trust with an Active Directory domain. A user with
sufficient privileges to join resources to the domain.
Required: No
Type: String
Minimum: 0
Maximum: 256

CrossRealmTrustPrincipalPassword
Required only when establishing a cross-realm trust with a KDC in a different realm. The cross-realm
principal password, which must be identical across realms.
Required: No
Type: String
Minimum: 0
Maximum: 256

KdcAdminPassword
The password used within the cluster for the kadmin service on the cluster-dedicated KDC, which
maintains Kerberos principals, password policies, and keytabs for the cluster.
Required: Yes
Type: String
Minimum: 0
Maximum: 256

Realm
The name of the Kerberos realm to which all nodes in a cluster belong. For example,
EC2.INTERNAL.
Required: Yes
Type: String
Minimum: 0

2148
Amazon EMR
Maximum: 256
AWS::EMR::Cluster KeyValue
KeyValue is a subproperty of the HadoopJarStepConfig property type. KeyValue is used to pass
parameters to a step.
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
The unique identifier of a key value pair.
Required: No
Type: String
Minimum: 0
Maximum: 10280

Value
The value part of the identified key.
Required: No
Type: String
Minimum: 0
Maximum: 10280

2149
Amazon EMR
AWS::EMR::Cluster MetricDimension
MetricDimension is a subproperty of the CloudWatchAlarmDefinition property type.
MetricDimension specifies a CloudWatch dimension, which is specified with a Key Value pair. The
key is known as a Name in CloudWatch. By default, Amazon EMR uses one dimension whose Key is
JobFlowID and Value is a variable representing the cluster ID, which is ${emr.clusterId}. This
enables the automatic scaling rule for EMR to bootstrap when the cluster ID becomes available during
cluster creation.
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
The dimension name.
Required: Yes
Type: String

Value
The dimension value.
Required: Yes
Type: String
AWS::EMR::Cluster PlacementType
PlacementType is a property of the AWS::EMR::Cluster resource. PlacementType determines the
Amazon EC2 Availability Zone configuration of the cluster (job flow).
Syntax
JSON

2150
Amazon EMR
"AvailabilityZone" : String
}
YAML
Properties
AvailabilityZone
The Amazon EC2 Availability Zone for the cluster. AvailabilityZone is used for uniform instance
groups, while AvailabilityZones (plural) is used for instance fleets.
Required: Yes
Type: String
Minimum: 0
Maximum: 10280
AWS::EMR::Cluster ScalingAction
ScalingAction is a subproperty of the ScalingRule property type. ScalingAction determines
the type of adjustment the automatic scaling activity makes when triggered, and the periodicity of the
adjustment.
Syntax
JSON
{
"Market" : String,
"SimpleScalingPolicyConfiguration" : SimpleScalingPolicyConfiguration (p. 2155)
}
YAML
Market: String
SimpleScalingPolicyConfiguration:
SimpleScalingPolicyConfiguration (p. 2155)
Properties
Market
Not available for instance groups. Instance groups use the market type specified for the group.
Required: No
Type: String

2151
Amazon EMR

SimpleScalingPolicyConfiguration
The type of adjustment the automatic scaling activity makes when triggered, and the periodicity of
the adjustment.
Required: Yes
Type: SimpleScalingPolicyConfiguration (p. 2155)
AWS::EMR::Cluster ScalingConstraints
ScalingConstraints is a subproperty of the AutoScalingPolicy property type.
ScalingConstraints defines the upper and lower EC2 instance limits for an automatic scaling policy.
Automatic scaling activities triggered by automatic scaling rules will not cause an instance group to grow
above or shrink below these limits.
Syntax
JSON
{
}
YAML
Properties
MaxCapacity
The upper boundary of EC2 instances in an instance group beyond which scaling activities are not
allowed to grow. Scale-out activities will not add instances beyond this boundary.
Required: Yes
Type: Integer

MinCapacity
The lower boundary of EC2 instances in an instance group below which scaling activities are not
allowed to shrink. Scale-in activities will not terminate instances below this boundary.
Required: Yes
Type: Integer

2152
Amazon EMR
AWS::EMR::Cluster ScalingRule
ScalingRule is a subproperty of the AutoScalingPolicy property type. ScalingRule defines
the scale-in or scale-out rules for scaling activity, including the CloudWatch metric alarm that triggers
activity, how EC2 instances are added or removed, and the periodicity of adjustments. The automatic
scaling policy for an instance group can comprise one or more automatic scaling rules.
Syntax
JSON
{
"Action" : ScalingAction (p. 2151),
"Name" : String,
"Trigger" : ScalingTrigger (p. 2154)
}
YAML
Action:
ScalingAction (p. 2151)
Description: String
Name: String
Trigger:
ScalingTrigger (p. 2154)
Properties
Action
The conditions that trigger an automatic scaling activity.
Required: Yes
Type: ScalingAction (p. 2151)

Description
A friendly, more verbose description of the automatic scaling rule.
Required: No
Type: String

Name
The name used to identify an automatic scaling rule. Rule names must be unique within a scaling
policy.
Required: Yes
Type: String

2153
Amazon EMR
Trigger
The CloudWatch alarm definition that determines when automatic scaling activity is triggered.
Required: Yes
Type: ScalingTrigger (p. 2154)
AWS::EMR::Cluster ScalingTrigger
ScalingTrigger is a subproperty of the ScalingRule property type. ScalingTrigger determines
the conditions that trigger an automatic scaling activity.
Syntax
JSON
{
"CloudWatchAlarmDefinition" : CloudWatchAlarmDefinition (p. 2129)
}
YAML
CloudWatchAlarmDefinition:
CloudWatchAlarmDefinition (p. 2129)
Properties
CloudWatchAlarmDefinition
The definition of a CloudWatch metric alarm. When the defined alarm conditions are met along with
other trigger parameters, scaling activity begins.
Required: Yes
Type: CloudWatchAlarmDefinition (p. 2129)
AWS::EMR::Cluster ScriptBootstrapActionConfig
ScriptBootstrapActionConfig is a subproperty of the BootstrapActionConfig property type.
ScriptBootstrapActionConfig specifies the arguments and location of the bootstrap script for EMR
to run on all cluster nodes before it installs open-source big data applications on them.
Syntax
JSON
{
"Path" : String

2154
Amazon EMR
YAML
Args:
- String
Path: String
Properties
Args
A list of command line arguments to pass to the bootstrap action script.
Required: No

Path
Location of the script to run during a bootstrap action. Can be either a location in Amazon S3 or on a
local file system.
Required: Yes
Type: String
Minimum: 0
Maximum: 10280
AWS::EMR::Cluster SimpleScalingPolicyConfiguration
SimpleScalingPolicyConfiguration is a subproperty of the ScalingAction property type.
SimpleScalingPolicyConfiguration determines how an automatic scaling action adds or
removes instances, the cooldown period, and the number of EC2 instances that are added each time the
CloudWatch metric alarm condition is satisfied.
Syntax
JSON
{
"CoolDown" : Integer,
}
YAML

2155
Amazon EMR
CoolDown: Integer
Properties
AdjustmentType
The way in which EC2 instances are added (if ScalingAdjustment is a positive number) or
terminated (if ScalingAdjustment is a negative number) each time the scaling activity is
triggered. CHANGE_IN_CAPACITY is the default. CHANGE_IN_CAPACITY indicates that the EC2
instance count increments or decrements by ScalingAdjustment, which should be expressed as
an integer. PERCENT_CHANGE_IN_CAPACITY indicates the instance count increments or decrements
by the percentage specified by ScalingAdjustment, which should be expressed as an integer.
For example, 20 indicates an increase in 20% increments of cluster capacity. EXACT_CAPACITY
indicates the scaling activity results in an instance group with the number of EC2 instances specified
by ScalingAdjustment, which should be expressed as a positive integer.
Required: No
Type: String
Allowed Values: CHANGE_IN_CAPACITY | EXACT_CAPACITY | PERCENT_CHANGE_IN_CAPACITY

CoolDown
The amount of time, in seconds, after a scaling activity completes before any further trigger-related
scaling activities can start. The default value is 0.
Required: No
Type: Integer

ScalingAdjustment
The amount by which to scale in or scale out, based on the specified AdjustmentType. A positive
value adds to the instance group's EC2 instance count while a negative number removes instances.
If AdjustmentType is set to EXACT_CAPACITY, the number should only be a positive integer.
If AdjustmentType is set to PERCENT_CHANGE_IN_CAPACITY, the value should express the
percentage as an integer. For example, -20 indicates a decrease in 20% increments of cluster
capacity.
Required: Yes
Type: Integer
AWS::EMR::Cluster SpotProvisioningSpecification
SpotProvisioningSpecification is a subproperty of the
InstanceFleetProvisioningSpecifications property type.
SpotProvisioningSpecification determines the launch specification for Spot instances in the
instance fleet, which includes the defined duration and provisioning timeout behavior.
Note

2156
Amazon EMR
Syntax
JSON
{
"TimeoutAction" : String,
"TimeoutDurationMinutes" : Integer
}
YAML
TimeoutAction: String
TimeoutDurationMinutes: Integer
Properties
The defined duration for Spot instances (also known as Spot blocks) in minutes. When specified, the
Spot instance does not terminate before the defined duration expires, and defined duration pricing
for Spot instances applies. Valid values are 60, 120, 180, 240, 300, or 360. The duration period starts
as soon as a Spot instance receives its instance ID. At the end of the duration, Amazon EC2 marks
the Spot instance for termination and provides a Spot instance termination notice, which gives the
instance a two-minute warning before it terminates.
Required: No
Type: Integer
Minimum: 0

TimeoutAction
The action to take when TargetSpotCapacity has not been fulfilled when the
TimeoutDurationMinutes has expired; that is, when all Spot instances could not be
provisioned within the Spot provisioning timeout. Valid values are TERMINATE_CLUSTER and
SWITCH_TO_ON_DEMAND. SWITCH_TO_ON_DEMAND specifies that if no Spot instances are available,
On-Demand Instances should be provisioned to fulfill any remaining Spot capacity.
Required: Yes
Type: String
Allowed Values: SWITCH_TO_ON_DEMAND | TERMINATE_CLUSTER

TimeoutDurationMinutes
The spot provisioning timeout period in minutes. If Spot instances are not provisioned within this
time period, the TimeOutAction is taken. Minimum value is 5 and maximum value is 1440. The
timeout applies only during initial provisioning, when the cluster is first created.
Required: Yes

2157
Amazon EMR
Type: Integer
Minimum: 0
AWS::EMR::Cluster StepConfig
StepConfig is a property of the AWS::EMR::Cluster resource. The StepConfig property type
specifies a cluster (job flow) step, which runs only on the master node. Steps are used to submit data
processing jobs to the cluster.
Syntax
JSON
{
"ActionOnFailure" : String,
"HadoopJarStep" : HadoopJarStepConfig (p. 2134),
"Name" : String
}
YAML
ActionOnFailure: String
HadoopJarStep:
HadoopJarStepConfig (p. 2134)
Name: String
Properties
ActionOnFailure
The action to take when the cluster step fails. Possible values are CANCEL_AND_WAIT and
CONTINUE.
Required: No
Type: String

HadoopJarStep
The JAR file used for the step.
Required: Yes
Type: HadoopJarStepConfig (p. 2134)

Name
The name of the step.
Required: Yes

2158
Amazon EMR
Type: String
Minimum: 0
Maximum: 256
AWS::EMR::Cluster VolumeSpecification
VolumeSpecification is a subproperty of the EbsBlockDeviceConfig property type.
VolumeSecification determines the volume type, IOPS, and size (GiB) for EBS volumes attached to
EC2 instances.
Syntax
JSON
{
"Iops" : Integer,
"SizeInGB" : Integer,
}
YAML
Iops: Integer
SizeInGB: Integer
VolumeType: String
Properties
Iops
The number of I/O operations per second (IOPS) that the volume supports.
Required: No
Type: Integer

SizeInGB
The volume size, in gibibytes (GiB). This can be a number from 1 - 1024. If the volume type is EBS-
optimized, the minimum value is 10.
Required: Yes
Type: Integer

VolumeType
The volume type. Volume types supported are gp2, io1, standard.

2159
Amazon EMR
Required: Yes
Type: String
AWS::EMR::InstanceFleetConfig
Use InstanceFleetConfig to define instance fleets for an EMR cluster. A cluster can not use both
instance fleets and instance groups. For more information, see Configure Instance Fleets in the Amazon
Note
Syntax
JSON
{
"Type" : "AWS::EMR::InstanceFleetConfig",
"Properties" : {
"ClusterId" : String,
"InstanceFleetType" : String,
"InstanceTypeConfigs" : [ InstanceTypeConfig (p. 2166), ... ],
"LaunchSpecifications" : InstanceFleetProvisioningSpecifications (p. 2165),
"Name" : String,
"TargetOnDemandCapacity" : Integer,
"TargetSpotCapacity" : Integer
}
}
YAML
Type: AWS::EMR::InstanceFleetConfig
Properties:
ClusterId: String
InstanceFleetType: String
InstanceTypeConfigs:
- InstanceTypeConfig (p. 2166)
InstanceFleetProvisioningSpecifications (p. 2165)
Name: String
TargetOnDemandCapacity: Integer
TargetSpotCapacity: Integer
Properties
ClusterId
The unique identifier of the EMR cluster.
Required: Yes
Type: String

2160
Amazon EMR
InstanceFleetType
The node type that the instance fleet hosts. Valid values are MASTER,CORE,and TASK.
Required: Yes
Type: String
Allowed Values: CORE | MASTER | TASK

InstanceTypeConfigs
InstanceTypeConfigs determine the EC2 instances that Amazon EMR attempts to provision
to fulfill On-Demand and Spot target capacities. There can be a maximum of 5 instance type
configurations in a fleet, each one specified using an InstanceTypeConfig.
Note
Required: No
Type: List of InstanceTypeConfig (p. 2166)

The launch specification for the instance fleet.
Required: No
Type: InstanceFleetProvisioningSpecifications (p. 2165)

Name
The friendly name of the instance fleet.
Required: No
Type: String
Minimum: 0
Maximum: 256

TargetOnDemandCapacity
The target capacity of On-Demand units for the instance fleet, which determines how many
On-Demand instances to provision. When the instance fleet launches, Amazon EMR tries
to provision On-Demand instances as specified by InstanceTypeConfig. Each instance
configuration has a specified WeightedCapacity. When an On-Demand instance is provisioned,
the WeightedCapacity units count toward the target capacity. Amazon EMR provisions instances
until the target capacity is totally fulfilled, even if this results in an overage. For example, if there
are 2 units remaining to fulfill capacity, and Amazon EMR can only provision an instance with a

2161
Amazon EMR
WeightedCapacity of 5 units, the instance is provisioned, and the target capacity is exceeded by 3
units.
Note
If not specified or set to 0, only Spot instances are provisioned for the instance
fleet using TargetSpotCapacity. At least one of TargetSpotCapacity and
TargetOnDemandCapacity should be greater than 0. For a master instance fleet, only one
of TargetSpotCapacity and TargetOnDemandCapacity can be specified, and its value
must be 1.
Required: No
Type: Integer
Minimum: 0

TargetSpotCapacity
The target capacity of Spot units for the instance fleet, which determines how many Spot
instances to provision. When the instance fleet launches, Amazon EMR tries to provision Spot
instances as specified by InstanceTypeConfig. Each instance configuration has a specified
WeightedCapacity. When a Spot instance is provisioned, the WeightedCapacity units count
toward the target capacity. Amazon EMR provisions instances until the target capacity is totally
fulfilled, even if this results in an overage. For example, if there are 2 units remaining to fulfill
capacity, and Amazon EMR can only provision an instance with a WeightedCapacity of 5 units, the
instance is provisioned, and the target capacity is exceeded by 3 units.
Note
If not specified or set to 0, only On-Demand instances are provisioned for the instance
fleet. At least one of TargetSpotCapacity and TargetOnDemandCapacity should
be greater than 0. For a master instance fleet, only one of TargetSpotCapacity and
TargetOnDemandCapacity can be specified, and its value must be 1.
Required: No
Type: Integer
Minimum: 0
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns returns the ID of
the instance fleet.
AWS::EMR::InstanceFleetConfig Configuration
Note
Used only with Amazon EMR release 4.0 and later.
Configuration specifies optional configurations for customizing open-source big data applications
and environment parameters. A configuration consists of a classification, properties, and optional nested
configurations. A classification refers to an application-specific configuration file. Properties are the

2162
Amazon EMR
settings you want to change in that file. For more information, see Configuring Applications in the
Amazon EMR Release Guide.
Syntax
JSON
{
}
YAML
Key : Value
Configurations:
Properties
Classification
Required: No
Type: String

Within a configuration classification, a set of properties that represent the settings that you want to
change in the configuration file. Duplicates not allowed.
Required: No
Type: Map of String

Configurations
Required: No
AWS::EMR::InstanceFleetConfig EbsBlockDeviceConfig
EbsBlockDeviceConfig is a subproperty of the EbsConfiguration property type.
EbsBlockDeviceConfig defines the number and type of EBS volumes to associate with all EC2
instances in an EMR cluster.

2163
Amazon EMR
Syntax
JSON
{
}
YAML
Properties
VolumeSpecification
Required: Yes

VolumesPerInstance
Required: No
Type: Integer
AWS::EMR::InstanceFleetConfig EbsConfiguration
Syntax
JSON
{
}
YAML

2164
Amazon EMR

Properties
Required: No

EbsOptimized
Required: No
Type: Boolean
AWS::EMR::InstanceFleetConfig InstanceFleetProvisioningSpecifications
Note
InstanceTypeConfig is a sub-property of InstanceFleetConfig. InstanceTypeConfig

determines the EC2 instances that Amazon EMR attempts to provision to fulfill On-Demand and Spot
target capacities. There can be a maximum of 5 instance type configurations in a fleet.
Syntax
JSON
{
"SpotSpecification" : SpotProvisioningSpecification (p. 2168)
}
YAML
SpotSpecification:
SpotProvisioningSpecification (p. 2168)
Properties
SpotSpecification
The launch specification for Spot instances in the fleet, which determines the defined duration and
provisioning timeout behavior.
Required: Yes

2165
Amazon EMR
Type: SpotProvisioningSpecification (p. 2168)
AWS::EMR::InstanceFleetConfig InstanceTypeConfig
InstanceType config is a subproperty of InstanceFleetConfig. An instance type configuration
specifies each instance type in an instance fleet. The configuration determines the EC2 instances Amazon
EMR attempts to provision to fulfill On-Demand and Spot target capacities. There can be a maximum of
5 instance type configurations in a fleet.
Note
Syntax
JSON
{
"BidPriceAsPercentageOfOnDemandPrice" : Double,
"WeightedCapacity" : Integer
}
YAML
BidPrice: String
BidPriceAsPercentageOfOnDemandPrice: Double
Configurations:
EbsConfiguration:
WeightedCapacity: Integer
Properties
BidPrice
Required: No
Type: String
Minimum: 0
Maximum: 256

2166
Amazon EMR
BidPriceAsPercentageOfOnDemandPrice
The bid price, as a percentage of On-Demand price, for each EC2 Spot instance as
defined by InstanceType. Expressed as a number (for example, 20 specifies 20%).
If neither BidPrice nor BidPriceAsPercentageOfOnDemandPrice is provided,
Required: No
Type: Double

Configurations
Note
An optional configuration specification to be used when provisioning cluster instances, which can
include configurations for applications and software bundled with Amazon EMR. A configuration
consists of a classification, properties, and optional nested configurations. A classification refers to
an application-specific configuration file. Properties are the settings you want to change in that file.
For more information, see Configuring Applications.
Required: No

EbsConfiguration
The configuration of Amazon Elastic Block Storage (EBS) attached to each instance as defined by
InstanceType.
Required: No

InstanceType
An EC2 instance type, such as m3.xlarge.
Required: Yes
Type: String
Minimum: 1
Maximum: 256

WeightedCapacity
The number of units that a provisioned instance of this type provides toward fulfilling the target
capacities defined in InstanceFleetConfig. This value is 1 for a master instance fleet, and must
be 1 or greater for core and task instance fleets. Defaults to 1 if not specified.
Required: No

2167
Amazon EMR
Type: Integer
Minimum: 0
AWS::EMR::InstanceFleetConfig SpotProvisioningSpecification
SpotProvisioningSpecification is a subproperty of the
InstanceFleetProvisioningSpecifications property type.
SpotProvisioningSpecification determines the launch specification for Spot instances in the
instance fleet, which includes the defined duration and provisioning timeout behavior.
Note
Syntax
JSON
{
"TimeoutAction" : String,
"TimeoutDurationMinutes" : Integer
}
YAML
TimeoutAction: String
TimeoutDurationMinutes: Integer
Properties
The defined duration for Spot instances (also known as Spot blocks) in minutes. When specified, the
Spot instance does not terminate before the defined duration expires, and defined duration pricing
for Spot instances applies. Valid values are 60, 120, 180, 240, 300, or 360. The duration period starts
as soon as a Spot instance receives its instance ID. At the end of the duration, Amazon EC2 marks
the Spot instance for termination and provides a Spot instance termination notice, which gives the
instance a two-minute warning before it terminates.
Required: No
Type: Integer
Minimum: 0

TimeoutAction
The action to take when TargetSpotCapacity has not been fulfilled when the
TimeoutDurationMinutes has expired; that is, when all Spot instances could not be
provisioned within the Spot provisioning timeout. Valid values are TERMINATE_CLUSTER and

2168
Amazon EMR
SWITCH_TO_ON_DEMAND. SWITCH_TO_ON_DEMAND specifies that if no Spot instances are available,

On-Demand Instances should be provisioned to fulfill any remaining Spot capacity.
Required: Yes
Type: String
Allowed Values: SWITCH_TO_ON_DEMAND | TERMINATE_CLUSTER

TimeoutDurationMinutes
The spot provisioning timeout period in minutes. If Spot instances are not provisioned within this
time period, the TimeOutAction is taken. Minimum value is 5 and maximum value is 1440. The
timeout applies only during initial provisioning, when the cluster is first created.
Required: Yes
Type: Integer
Minimum: 0
AWS::EMR::InstanceFleetConfig VolumeSpecification
EC2 instances.
Syntax
JSON
{
"Iops" : Integer,
}
YAML
Iops: Integer
SizeInGB: Integer
VolumeType: String
Properties
Iops
Required: No
Type: Integer

2169
Amazon EMR
SizeInGB
Required: Yes
Type: Integer

VolumeType
Required: Yes
Type: String
AWS::EMR::InstanceGroupConfig
Use InstanceGroupConfig to define instance groups for an EMR cluster. A cluster can not use both
instance groups and instance fleets. For more information, see Create a Cluster with Instance Fleets or
Uniform Instance Groups in the Amazon EMR Management Guide.
Syntax
JSON
{
"Type" : "AWS::EMR::InstanceGroupConfig",
"Properties" : {
"AutoScalingPolicy" : AutoScalingPolicy (p. 2176),
"InstanceRole" : String,
"JobFlowId" : String,
"Market" : String,
"Name" : String
}
}
YAML
Type: AWS::EMR::InstanceGroupConfig
Properties:
AutoScalingPolicy:
AutoScalingPolicy (p. 2176)
BidPrice: String
Configurations:
EbsConfiguration:

2170
Amazon EMR
InstanceRole: String
JobFlowId: String
Market: String
Name: String
Properties
AutoScalingPolicy
AutoScalingPolicy is a subproperty of InstanceGroupConfig. AutoScalingPolicy defines

how an instance group dynamically adds and terminates EC2 instances in response to the value of
a CloudWatch metric. For more information, see Using Automatic Scaling in Amazon EMR in the
Amazon EMR Management Guide.
Required: No
Type: AutoScalingPolicy (p. 2176)

BidPrice
Required: No
Type: String
Minimum: 0
Maximum: 256

Configurations
Note
The list of configurations supplied for an EMR cluster instance group. You can specify a separate
configuration for each instance group (master, core, and task).
Required: No

EbsConfiguration
Required: No

InstanceCount
Target number of instances for the instance group.

2171
Amazon EMR
Required: Yes
Type: Integer

InstanceRole
The role of the instance group in the cluster.
Required: Yes
Type: String
Allowed Values: CORE | MASTER | TASK

InstanceType
The EC2 instance type for all instances in the instance group.
Required: Yes
Type: String
Minimum: 1
Maximum: 256

JobFlowId
The ID of an Amazon EMR cluster that you want to associate this instance group with.
Required: Yes
Type: String

Market
Market type of the EC2 instances used to create a cluster node.
Required: No
Type: String

Name
Friendly name given to the instance group.
Required: No
Type: String
Minimum: 0

2172
Amazon EMR
Maximum: 256
Return Values
Ref
the instance group.
Examples
Example instance group configuration specifications.
Add a task instance group
The following example adds a task instance group to a cluster named TestCluster.
JSON
"TestInstanceGroupConfig": {
"Type": "AWS: : EMR: : InstanceGroupConfig",
"Properties": {
"InstanceCount": 2,
"InstanceType": "m3.xlarge",
"InstanceRole": "TASK",
"Name": "cfnTask2",
"JobFlowId": {
"Ref": "cluster"
}
}
}
YAML
TestInstanceGroupConfig:
Properties:
InstanceCount: 2
InstanceRole: TASK
InstanceType: m3.xlarge
JobFlowId:
Ref: cluster
Market: ON_DEMAND
Name: cfnTask2
Type: "AWS::EMR::InstanceGroupConfig"
Specify an Automatic Scaling Policy
The following example defines an AutoScalingPolicy for an InstanceGroupConfig resource.
JSON
"MyInstanceGroupConfig": {

2173
Amazon EMR
"Type": "AWS::EMR::InstanceGroupConfig",
"Properties": {
"InstanceCount": 1,
"InstanceType": {
},
"InstanceRole": "TASK",
"Name": "cfnTask",
"JobFlowId": {
"Ref": "MyCluster"
},
"AutoScalingPolicy": {
"Constraints": {
"MinCapacity": {
"Ref": "MinCapacity"
},
"MaxCapacity": {
"Ref": "MaxCapacity"
}
},
"Rules": [
{
"Name": "Scale-out",
"Description": "Scale-out policy",
"Action": {
"SimpleScalingPolicyConfiguration": {
"AdjustmentType": "CHANGE_IN_CAPACITY",
"ScalingAdjustment": 1,
"CoolDown": 300
}
},
"Trigger": {
"CloudWatchAlarmDefinition": {
"Dimensions": [
{
"Key": "JobFlowId",
"Value": "${emr.clusterId}"
}
],
"Namespace": "AWS/ElasticMapReduce",
"Period": 300,
"ComparisonOperator": "LESS_THAN",
"Statistic": "AVERAGE",
"Threshold": 15,
"Unit": "PERCENT",
"MetricName": "YARNMemoryAvailablePercentage"
}
}
},
{
"Name": "Scale-in",
"Description": "Scale-in policy",
"Action": {
"SimpleScalingPolicyConfiguration": {
"AdjustmentType": "CHANGE_IN_CAPACITY",
"ScalingAdjustment": -1,
"CoolDown": 300
}
},
"Trigger": {
"CloudWatchAlarmDefinition": {
"Dimensions": [
{
"Key": "JobFlowId",

2174
Amazon EMR
"Value": "${emr.clusterId}"
}
],
"Namespace": "AWS/ElasticMapReduce",
"Period": 300,
"Statistic": "AVERAGE",
"Threshold": 75,
"Unit": "PERCENT",
"MetricName": "YARNMemoryAvailablePercentage"
}
}
}
]
}
}
}
YAML
MyInstanceGroupConfig:
Type: 'AWS::EMR::InstanceGroupConfig'
Properties:
InstanceCount: 1
InstanceRole: TASK
Market: ON_DEMAND
Name: cfnTask
JobFlowId: !Ref MyCluster
AutoScalingPolicy:
Constraints:
MinCapacity: !Ref MinCapacity
MaxCapacity: !Ref MaxCapacity
Rules:
- Name: Scale-out
Description: Scale-out policy
Action:
AdjustmentType: CHANGE_IN_CAPACITY
CoolDown: 300
Trigger:
Dimensions:
- Key: JobFlowId
Value: '${emr.clusterId}'
Namespace: AWS/ElasticMapReduce
Period: 300
ComparisonOperator: LESS_THAN
Statistic: AVERAGE
Threshold: 15
Unit: PERCENT
MetricName: YARNMemoryAvailablePercentage
- Name: Scale-in
Description: Scale-in policy
Action:
AdjustmentType: CHANGE_IN_CAPACITY
ScalingAdjustment: -1
CoolDown: 300
Trigger:

2175
Amazon EMR
Dimensions:
- Key: JobFlowId
Value: '${emr.clusterId}'
Namespace: AWS/ElasticMapReduce
Period: 300
Statistic: AVERAGE
Threshold: 75
Unit: PERCENT
MetricName: YARNMemoryAvailablePercentage
AWS::EMR::InstanceGroupConfig AutoScalingPolicy
AutoScalingPolicy defines how an instance group dynamically adds and terminates EC2 instances
in response to the value of a CloudWatch metric. For more information, see Using Automatic Scaling in
Amazon EMR in the Amazon EMR Management Guide.
Syntax
JSON
{
"Constraints" : ScalingConstraints (p. 2183),
"Rules" : [ ScalingRule (p. 2184), ... ]
}
YAML
Constraints:
ScalingConstraints (p. 2183)
Rules:
- ScalingRule (p. 2184)
Properties
Constraints
The upper and lower EC2 instance limits for an automatic scaling policy. Automatic scaling activity
will not cause an instance group to grow above or below these limits.
Required: Yes
Type: ScalingConstraints (p. 2183)

Rules
The scale-in and scale-out rules that comprise the automatic scaling policy.
Required: Yes
Type: List of ScalingRule (p. 2184)

2176
Amazon EMR
AWS::EMR::InstanceGroupConfig CloudWatchAlarmDefinition
CloudWatchAlarmDefinition is a subproperty of the ScalingTrigger property, which determines
when to trigger an automatic scaling activity. Scaling activity begins when you satisfy the defined alarm
conditions.
Syntax
JSON
{
"Period" : Integer,
"Unit" : String
}
YAML
Dimensions:
MetricName: String
Namespace: String
Period: Integer
Statistic: String
Threshold: Double
Unit: String
Properties
ComparisonOperator
Determines how the metric specified by MetricName is compared to the value specified by
Threshold.
Required: Yes
Type: String
Allowed Values: GREATER_THAN | GREATER_THAN_OR_EQUAL | LESS_THAN |

LESS_THAN_OR_EQUAL

Dimensions
A CloudWatch metric dimension.
Required: No

2177
Amazon EMR

EvaluationPeriods
The number of periods, in five-minute increments, during which the alarm condition must exist
before the alarm triggers automatic scaling activity. The default value is 1.
Required: No
Type: Integer

MetricName
The name of the CloudWatch metric that is watched to determine an alarm condition.
Required: Yes
Type: String

Namespace
The namespace for the CloudWatch metric. The default is AWS/ElasticMapReduce.
Required: No
Type: String

Period
The period, in seconds, over which the statistic is applied. EMR CloudWatch metrics are emitted
every five minutes (300 seconds), so if an EMR CloudWatch metric is specified, specify 300.
Required: Yes
Type: Integer

Statistic
The statistic to apply to the metric associated with the alarm. The default is AVERAGE.
Required: No
Type: String
Allowed Values: AVERAGE | MAXIMUM | MINIMUM | SAMPLE_COUNT | SUM

Threshold
The value against which the specified statistic is compared.
Required: Yes
Type: Double

2178
Amazon EMR
Unit
The unit of measure associated with the CloudWatch metric being watched. The value specified for
Unit must correspond to the units specified in the CloudWatch metric.
Required: No
Type: String
Allowed Values: BITS | BITS_PER_SECOND | BYTES | BYTES_PER_SECOND | COUNT

| COUNT_PER_SECOND | GIGA_BITS | GIGA_BITS_PER_SECOND | GIGA_BYTES |
GIGA_BYTES_PER_SECOND | KILO_BITS | KILO_BITS_PER_SECOND | KILO_BYTES
| KILO_BYTES_PER_SECOND | MEGA_BITS | MEGA_BITS_PER_SECOND | MEGA_BYTES
| MEGA_BYTES_PER_SECOND | MICRO_SECONDS | MILLI_SECONDS | NONE |
PERCENT | SECONDS | TERA_BITS | TERA_BITS_PER_SECOND | TERA_BYTES |
TERA_BYTES_PER_SECOND
AWS::EMR::InstanceGroupConfig Configuration
Configurations is a property of the AWS::EMR::Cluster resource that specifies the configuration of
applications on an Amazon EMR cluster.
Configurations are optional. You can use them to have EMR customize applications and software
bundled with Amazon EMR when a cluster is created. A configuration consists of a classification,
properties, and optional nested configurations. A classification refers to an application-specific
configuration file. Properties are the settings you want to change in that file. For more information, see
Configuring Applications.
Note
Applies only to Amazon EMR releases 4.0 and later.
Syntax
JSON
{
}
YAML
Key : Value
Configurations:
Properties
Classification

2179
Amazon EMR
Required: No
Type: String

Within a configuration classification, a set of properties that represent the settings that you want to
change in the configuration file. Duplicates not allowed.
Required: No
Type: Map of String

Configurations
Required: No
AWS::EMR::InstanceGroupConfig EbsBlockDeviceConfig
Configuration of requested EBS block device associated with the instance group with count of volumes
that will be associated to every instance.
Syntax
JSON
{
}
YAML
Properties
VolumeSpecification
Required: Yes

2180
Amazon EMR
VolumesPerInstance
Required: No
Type: Integer
AWS::EMR::InstanceGroupConfig EbsConfiguration
The Amazon EBS configuration of a cluster instance.
Syntax
JSON
{
}
YAML
Properties
Required: No

EbsOptimized
Required: No
Type: Boolean
AWS::EMR::InstanceGroupConfig MetricDimension
MetricDimension is a subproperty of the CloudWatchAlarmDefinition property type.
MetricDimension specifies a CloudWatch dimension, which is specified with a Key Value pair. The

2181
Amazon EMR
key is known as a Name in CloudWatch. By default, Amazon EMR uses one dimension whose Key is
JobFlowID and Value is a variable representing the cluster ID, which is ${emr.clusterId}. This
enables the automatic scaling rule for EMR to bootstrap when the cluster ID becomes available during
cluster creation.
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
The dimension name.
Required: Yes
Type: String

Value
The dimension value.
Required: Yes
Type: String
AWS::EMR::InstanceGroupConfig ScalingAction
ScalingAction is a subproperty of the ScalingRule property type. ScalingAction determines
the type of adjustment the automatic scaling activity makes when triggered, and the periodicity of the
adjustment.
Syntax
JSON
{
"Market" : String,

2182
Amazon EMR
"SimpleScalingPolicyConfiguration" : SimpleScalingPolicyConfiguration (p. 2186)

}
YAML
Market: String
SimpleScalingPolicyConfiguration (p. 2186)
Properties
Market
Not available for instance groups. Instance groups use the market type specified for the group.
Required: No
Type: String

SimpleScalingPolicyConfiguration
The type of adjustment the automatic scaling activity makes when triggered, and the periodicity of
the adjustment.
Required: Yes
Type: SimpleScalingPolicyConfiguration (p. 2186)
AWS::EMR::InstanceGroupConfig ScalingConstraints
ScalingConstraints is a subproperty of the AutoScalingPolicy property type.
ScalingConstraints defines the upper and lower EC2 instance limits for an automatic scaling policy.
Automatic scaling activities triggered by automatic scaling rules will not cause an instance group to grow
above or shrink below these limits.
Syntax
JSON
{
}
YAML

2183
Amazon EMR
Properties
MaxCapacity
The upper boundary of EC2 instances in an instance group beyond which scaling activities are not
allowed to grow. Scale-out activities will not add instances beyond this boundary.
Required: Yes
Type: Integer

MinCapacity
The lower boundary of EC2 instances in an instance group below which scaling activities are not
allowed to shrink. Scale-in activities will not terminate instances below this boundary.
Required: Yes
Type: Integer
AWS::EMR::InstanceGroupConfig ScalingRule
ScalingRule is a subproperty of the AutoScalingPolicy property type. ScalingRule defines
the scale-in or scale-out rules for scaling activity, including the CloudWatch metric alarm that triggers
activity, how EC2 instances are added or removed, and the periodicity of adjustments. The automatic
scaling policy for an instance group can comprise one or more automatic scaling rules.
Syntax
JSON
{
"Action" : ScalingAction (p. 2182),
"Name" : String,
"Trigger" : ScalingTrigger (p. 2185)
}
YAML
Action:
ScalingAction (p. 2182)
Description: String
Name: String
Trigger:
ScalingTrigger (p. 2185)
Properties
Action
The conditions that trigger an automatic scaling activity.
Required: Yes

2184
Amazon EMR
Type: ScalingAction (p. 2182)

Description
A friendly, more verbose description of the automatic scaling rule.
Required: No
Type: String

Name
The name used to identify an automatic scaling rule. Rule names must be unique within a scaling
policy.
Required: Yes
Type: String

Trigger
The CloudWatch alarm definition that determines when automatic scaling activity is triggered.
Required: Yes
Type: ScalingTrigger (p. 2185)
AWS::EMR::InstanceGroupConfig ScalingTrigger
ScalingTrigger is a subproperty of the ScalingRule property type. ScalingTrigger determines
the conditions that trigger an automatic scaling activity.
Syntax
JSON
{
"CloudWatchAlarmDefinition" : CloudWatchAlarmDefinition (p. 2177)
}
YAML
CloudWatchAlarmDefinition (p. 2177)
Properties
CloudWatchAlarmDefinition
The definition of a CloudWatch metric alarm. When the defined alarm conditions are met along with
other trigger parameters, scaling activity begins.

2185
Amazon EMR
Required: Yes
Type: CloudWatchAlarmDefinition (p. 2177)
AWS::EMR::InstanceGroupConfig SimpleScalingPolicyConfiguration
SimpleScalingPolicyConfiguration is a subproperty of the ScalingAction property type.
SimpleScalingPolicyConfiguration determines how an automatic scaling action adds or
removes instances, the cooldown period, and the number of EC2 instances that are added each time the
CloudWatch metric alarm condition is satisfied.
Syntax
JSON
{
"CoolDown" : Integer,
}
YAML
CoolDown: Integer
Properties
AdjustmentType
The way in which EC2 instances are added (if ScalingAdjustment is a positive number) or
terminated (if ScalingAdjustment is a negative number) each time the scaling activity is
triggered. CHANGE_IN_CAPACITY is the default. CHANGE_IN_CAPACITY indicates that the EC2
instance count increments or decrements by ScalingAdjustment, which should be expressed as
an integer. PERCENT_CHANGE_IN_CAPACITY indicates the instance count increments or decrements
by the percentage specified by ScalingAdjustment, which should be expressed as an integer.
For example, 20 indicates an increase in 20% increments of cluster capacity. EXACT_CAPACITY
indicates the scaling activity results in an instance group with the number of EC2 instances specified
by ScalingAdjustment, which should be expressed as a positive integer.
Required: No
Type: String
Allowed Values: CHANGE_IN_CAPACITY | EXACT_CAPACITY | PERCENT_CHANGE_IN_CAPACITY

CoolDown
The amount of time, in seconds, after a scaling activity completes before any further trigger-related
scaling activities can start. The default value is 0.
Required: No

2186
Amazon EMR
Type: Integer

ScalingAdjustment
The amount by which to scale in or scale out, based on the specified AdjustmentType. A positive
value adds to the instance group's EC2 instance count while a negative number removes instances.
If AdjustmentType is set to EXACT_CAPACITY, the number should only be a positive integer.
If AdjustmentType is set to PERCENT_CHANGE_IN_CAPACITY, the value should express the
percentage as an integer. For example, -20 indicates a decrease in 20% increments of cluster
capacity.
Required: Yes
Type: Integer
AWS::EMR::InstanceGroupConfig VolumeSpecification
EC2 instances.
Syntax
JSON
{
"Iops" : Integer,
}
YAML
Iops: Integer
SizeInGB: Integer
VolumeType: String
Properties
Iops
Required: No
Type: Integer

SizeInGB

2187
Amazon EMR
Required: Yes
Type: Integer

VolumeType
Required: Yes
Type: String
AWS::EMR::SecurityConfiguration
Use a SecurityConfiguration resource to configure data encryption, Kerberos authentication
(available in Amazon EMR release version 5.10.0 and later), and Amazon S3 authorization for EMRFS
(available in EMR 5.10.0 and later). You can re-use a security configuration for any number of clusters
in your account. For more information and example security configuration JSON objects, see Create a
Security Configuration in the Amazon EMR Management Guide.
Syntax
JSON
{
"Type" : "AWS::EMR::SecurityConfiguration",
"Properties" : {
"Name" : String,
"SecurityConfiguration" : Json
}
}
YAML
Type: AWS::EMR::SecurityConfiguration
Properties:
Name: String
SecurityConfiguration: Json
Properties
Name
The name of the security configuration.
Required: No
Type: String
Minimum: 0
Maximum: 10280

2188
Amazon EMR

The security configuration details in JSON format.
Required: Yes
Type: Json
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns returns the
security configuration name, such as mySecurityConfiguration.
AWS::EMR::Step
Use Step to specify a cluster (job flow) step, which runs only on the master node. Steps are used to
submit data processing jobs to a cluster.
Syntax
JSON
{
"Type" : "AWS::EMR::Step",
"Properties" : {
"ActionOnFailure" : String,
"HadoopJarStep" : HadoopJarStepConfig (p. 2190),
"JobFlowId" : String,
"Name" : String
}
}
YAML
Type: AWS::EMR::Step
Properties:
ActionOnFailure: String
HadoopJarStep:
HadoopJarStepConfig (p. 2190)
JobFlowId: String
Name: String
Properties
ActionOnFailure
This specifies what action to take when the cluster step fails. Possible values are CANCEL_AND_WAIT
and CONTINUE.

2189
Amazon EMR
Required: Yes
Type: String

HadoopJarStep
The HadoopJarStepConfig property type specifies a job flow step consisting of a JAR file whose
main function will be executed. The main function submits a job for the cluster to execute as a step
on the master node, and then waits for the job to finish or fail before executing subsequent steps.
Required: Yes
Type: HadoopJarStepConfig (p. 2190)

JobFlowId
A string that uniquely identifies the cluster (job flow).
Required: Yes
Type: String
Minimum: 0
Maximum: 256

Name
The name of the cluster step.
Required: Yes
Type: String
Return Values
Ref
the step.
AWS::EMR::Step HadoopJarStepConfig
A job flow step consisting of a JAR file whose main function will be executed. The main function submits
a job for Hadoop to execute and waits for the job to finish or fail.
Syntax

2190
Amazon EMR
JSON
{
"Jar" : String,
"MainClass" : String,
"StepProperties" : [ KeyValue (p. 2192), ... ]
}
YAML
Args:
- String
Jar: String
MainClass: String
StepProperties:
- KeyValue (p. 2192)
Properties
Args
A list of command line arguments passed to the JAR file's main function when executed.
Required: No

Jar
A path to a JAR file run during the step.
Required: Yes
Type: String
Minimum: 0
Maximum: 10280

MainClass
The name of the main class in the specified Java file. If not specified, the JAR file should specify a
Main-Class in its manifest file.
Required: No
Type: String
Minimum: 0
Maximum: 10280

2191
Amazon EMR
StepProperties
A list of Java properties that are set when the step runs. You can use these properties to pass key
value pairs to your main function.
Required: No
Type: List of KeyValue (p. 2192)
AWS::EMR::Step KeyValue
KeyValue is a subproperty of the HadoopJarStepConfig property type. KeyValue is used to pass
parameters to a step.
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
The unique identifier of a key value pair.
Required: No
Type: String
Minimum: 0
Maximum: 10280

Value
The value part of the identified key.
Required: No
Type: String
Minimum: 0

2192
EventSchemas
Maximum: 10280
EventSchemas Resource Type Reference

Resource Types
• AWS::EventSchemas::Discoverer (p. 2193)

• AWS::EventSchemas::Registry (p. 2195)
• AWS::EventSchemas::Schema (p. 2198)
AWS::EventSchemas::Discoverer
Use the AWS::EventSchemas::Discoverer resource to specify a discoverer that is associated with
an event bus. A discoverer allows the Amazon EventBridge Schema Registry to automatically generate
schemas based on events on an event bus.
Syntax
JSON
{
"Type" : "AWS::EventSchemas::Discoverer",
"Properties" : {
"SourceArn" : String,
"Tags" : [ TagsEntry (p. 2194), ... ]
}
}
YAML
Type: AWS::EventSchemas::Discoverer
Properties:
Description: String
SourceArn: String
Tags:
Properties
Description
A description for the discoverer.
Required: No
Type: String

2193
EventSchemas
SourceArn
The ARN of the event bus.
Required: Yes
Type: String

Tags
Tags associated with the resource.
Required: No
Return Values
Ref
When you provide the logical ID of this resource to the Ref intrinsic function, Ref returns the ARN of the
discoverer.
Fn::GetAtt
DiscovererArn
The ARN of the discoverer.

DiscovererId
The ID of the discoverer.
Examples
Generate Schemas for Events on the Default Event Bus
YAML
Resources:
MyDiscoverer:
Type: AWS::EventSchemas::Discoverer
Properties:
SourceArn: 'arn:aws:events:us-west-2:012345678910:event-bus/default'
Description: 'discover all custom schemas'
AWS::EventSchemas::Discoverer TagsEntry
Tags to associate with the discoverer.

2194
EventSchemas
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
They key of a key-value pair.
Required: Yes
Type: String

Value
They value of a key-value pair.
Required: Yes
Type: String
AWS::EventSchemas::Registry
Use the AWS::EventSchemas::Registry to specify a schema registry. Schema registries are
containers for Schemas. Registries collect and organize schemas so that your schemas are in logical
groups.
Syntax
JSON
{
"Type" : "AWS::EventSchemas::Registry",
"Properties" : {
"RegistryName" : String,
"Tags" : [ TagsEntry (p. 2197), ... ]
}
}

2195
EventSchemas
YAML
Type: AWS::EventSchemas::Registry
Properties:
Description: String
RegistryName: String
Tags:
Properties
Description
A description of the registry to be created.
Required: No
Type: String

RegistryName
The name of the schema registry.
Required: No
Type: String

Tags
Tags to associate with the registry.
Required: No
Return Values
Ref
schema. For example:
{ "Ref": "MyRegistry" }
arn:aws:schemas:us-east-1:012345678901:registry/MyRegistry
Fn::GetAtt

2196
EventSchemas
RegistryArn
The ARN of the registry.

RegistryName
The name of the registry.
Examples
Create a Schema Registry for Events Emitted by AWS Step Functions
YAML
Resources:
StatesSchemasRegistry:
Type: AWS::EventSchemas::Registry
Properties:
Name: 'aws.states'
Description: 'Contains the schemas of events emitted by AWS Step Functions'
AWS::EventSchemas::Registry TagsEntry
Tags to associate with the schema registry.
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
Required: Yes
Type: String

Value

2197
EventSchemas
Required: Yes
Type: String
AWS::EventSchemas::Schema
Use the AWS::EventSchemas::Schema resource to specify an event schema.
Syntax
JSON
{
"Type" : "AWS::EventSchemas::Schema",
"Properties" : {
"Content" : String,
"RegistryName" : String,
"SchemaName" : String,
"Tags" : [ TagsEntry (p. 2200), ... ],
"Type" : String
}
}
YAML
Type: AWS::EventSchemas::Schema
Properties:
Content: String
Description: String
RegistryName: String
SchemaName: String
Tags:
Type: String
Properties
Content
The source of the schema definition.
Required: Yes
Type: String

Description
A description of the schema.
Required: No
Type: String

2198
EventSchemas

RegistryName
The name of the schema registry.
Required: Yes
Type: String

SchemaName
The name of the schema.
Required: No
Type: String

Tags
Tags associated with the schema.
Required: No

Type
The type of schema.
Required: Yes
Type: String
Return Values
Ref
schema. For example:
{ "Ref": "MySchema" }
arn:aws:schemas:us-east-1:012345678901:schema/MyRegistry/MySchema
Fn::GetAtt

2199
EventSchemas
SchemaArn
The ARN of the schema.

SchemaName
The name of the schema.

SchemaVersion
The version number of the schema.
Examples
YAML
Resources:
ExecutionStatusChangeSchema:
Type: AWS::EventSchemas::Schema
Properties:
Registry: 'aws.events'
Name: ExecutionStatusChange
Description: 'event emitted when the status of a state machine execution change'
Type: OpenApi3
Content: >
{
"openapi": "3.0.0",
"info": {
"version": "1.0.0",
"title": "StepFunctionsExecutionStatusChange"
},
"components": {
"schemas": {
"StepFunctionsExecutionStatusChange": {
"type": "object",
"required": [ "output", "input", "executionArn", "name", "stateMachineArn",
"startDate", "stopDate", "status" ],
"properties": {
"output": {"type": "string","nullable": true},
"input": {"type": "string"},
"executionArn": {"type": "string"},
"name": {"type": "string"},
"stateMachineArn": {"type": "string"},
"startDate": {"type": "integer","format": "int64"},
"stopDate": {"type": "integer","format": "int64","nullable": true},
"status": {"type": "string","enum": [ "FAILED", "RUNNING", "SUCCEEDED",
"ABORTED" ]}
}
}
}
}
}
AWS::EventSchemas::Schema TagsEntry
Tags to associate with the schema.
Syntax

2200
FSx
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
Required: Yes
Type: String

Value
Required: Yes
Type: String
FSx Resource Type Reference

Resource Types
• AWS::FSx::FileSystem (p. 2201)
AWS::FSx::FileSystem
The AWS::FSx::FileSystem resource is an Amazon FSx resource type that creates either an Amazon
FSx for Windows File Server file system or an Amazon FSx for Lustre file system.
Syntax
JSON
{
"Type" : "AWS::FSx::FileSystem",
"Properties" : {
"BackupId" : String,
"FileSystemType" : String,

2201
FSx
"LustreConfiguration" : LustreConfiguration (p. 2209),

"StorageCapacity" : Integer,
"Tags" : [ Tag, ... ],
"WindowsConfiguration" : WindowsConfiguration (p. 2213)
}
}
YAML
Type: AWS::FSx::FileSystem
Properties:
BackupId: String
FileSystemType: String
KmsKeyId: String
LustreConfiguration:
LustreConfiguration (p. 2209)
SecurityGroupIds:
- String
StorageCapacity: Integer
SubnetIds:
- String
Tags:
- Tag
WindowsConfiguration:
WindowsConfiguration (p. 2213)
Properties
BackupId
The ID of the backup. Specifies the backup to use if you're creating a file system from an existing
backup.
Required: No
Type: String

FileSystemType
The type of Amazon FSx file system, either LUSTRE or WINDOWS.
Required: Yes
Type: String
Allowed Values: LUSTRE | WINDOWS

KmsKeyId
The ID of the AWS Key Management Service (AWS KMS) key used to encrypt the file system's data
for an Amazon FSx for Windows File Server file system.
Required: No
Type: String

2202
FSx
LustreConfiguration
The Lustre configuration for the file system being created. This value is required if FileSystemType
is set to LUSTRE.
Type: LustreConfiguration (p. 2209)

SecurityGroupIds
A list of IDs specifying the security groups to apply to all network interfaces created for file system
access. This list isn't returned in later requests to describe the file system.
Required: No
Maximum: 50

StorageCapacity
The storage capacity of the file system being created.
For Windows file systems, valid values are 32 GiB - 65,536 GiB.
For Lustre file systems, valid values are 1,200, 2,400, 3,600, then continuing in increments of 3600
GiB.
Required: No
Type: Integer
Minimum: 1

SubnetIds
The ID of the subnet to contain the endpoint for the file system. One and only one is supported. The
file system is launched in the Availability Zone associated with this subnet.
Required: Yes
Maximum: 50

Tags
Required: No
Type: List of Tag
Maximum: 50

2203
FSx
WindowsConfiguration
The configuration object for the Microsoft Windows file system you are creating. This value is
required if FileSystemType is set to WINDOWS.
Type: WindowsConfiguration (p. 2213)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the function
returns the file system resource ID. For example:
{"Ref":"fs-01234567890123456"}
For the Amazon FSx file system fs-01234567890123456, Ref returns the file system ID.
Examples
Create an Amazon FSx for Lustre File System
The following examples create an Amazon FSx for Lustre file system.
JSON
{
"Resources": {
"BasicS3LinkedLustreFileSystem": {
"Type": "AWS::FSx::FileSystem",
"Properties": {
"FileSystemType": "LUSTRE",
"StorageCapacity": 3600,
"SubnetIds": [
{
"Fn::ImportValue": "MySubnet01"
}
],
{
"Fn::ImportValue": "LustreIngressSecurityGroupId"
}
],
"Tags": [
{
"Key": "Name",
"Value": "CFNs3linkedLustre"
}
],
"LustreConfiguration": {
"ImportPath": {
"Fn::Join": [
"",
[
"s3://",
{
"Fn::ImportValue": "LustreCFNS3ImportBucketName"

2204
FSx
}
]
]
},
"ExportPath": {
"Fn::Join": [
"",
[
"s3://",
{
"Fn::ImportValue": "LustreCFNS3ImportBucketName"
}
]
]
},
"WeeklyMaintenanceStartTime": "2:20:30"
}
}
}
},
"Outputs": {
"FileSystemId": {
"Value": {
"Ref": "BasicS3LinkedLustreFileSystem"
}
}
}
}
YAML
Resources:
BasicS3LinkedLustreFileSystem:
Type: AWS::FSx::FileSystem
Properties:
FileSystemType: "LUSTRE"
StorageCapacity: 3600
SubnetIds: [!ImportValue MySubnet01]
SecurityGroupIds: [!ImportValue LustreIngressSecurityGroupId]
Tags:
- Key: "Name"
Value: "CFNs3linkedLustre"
LustreConfiguration:
ImportPath: !Join ["", ["s3://", !ImportValue LustreCFNS3ImportBucketName]]
ExportPath: !Join ["", ["s3://", !ImportValue LustreCFNS3ImportBucketName]]
WeeklyMaintenanceStartTime: "2:20:30"
Outputs:
FileSystemId:
Value: !Ref BasicS3LinkedLustreFileSystem
Create an Amazon FSx for Windows File Server File System in a Self-managed Active Directory
The following examples create an Amazon FSx for Windows File Server file system joined to a Self-
managed active directory.
JSON
{
"Resources": {
"WindowsSelfManagedADFileSystemWithAllConfigs": {
"Properties": {

2205
FSx
"FileSystemType": "WINDOWS",
"SubnetIds": [
{
"Fn::ImportValue": "MySubnet01"
}
],
{
"Fn::ImportValue": "WindowsIngressSecurityGroupId"
}
],
"Tags": [
{
"Key": "Name",
"Value": "windows"
}
],
"WindowsConfiguration": {
"ThroughputCapacity": 8,
"WeeklyMaintenanceStartTime": "4:16:30",
"DailyAutomaticBackupStartTime": "01:00",
"AutomaticBackupRetentionDays": 2,
"CopyTagsToBackups": false,
"SelfManagedActiveDirectoryConfiguration": {
"DnsIps": [
{
"Fn::Select": [
0,
{
"Fn::Split": [
",",
{
"Fn::ImportValue":
"MySelfManagedADDnsIpAddresses"
}
]
}
]
}
],
"DomainName": {
"Fn::ImprtValue": "SelfManagedADDomainName"
},
"FileSystemAdministratorsGroup": "MyDomainAdminGroup",
"OrganizationalUnitDistinguishedName":
"OU=FileSystems,DC=corp,DC=example,DC=com",
"Username": "Admin",
"Password": {
"Fn::Join": [
":",
[
"{{resolve:secretsmanager",
{
"Fn::ImportValue": "MySelfManagedADCredentialName"
},
"SecretString}}"
]
]
}
}
}
}
}
},
"Outputs": {

2206
FSx
"FileSystemId": {
"Value": {
"Ref": "WindowsSelfManagedADFileSystemWithAllConfigs"
}
}
}
}
YAML
Resources:
WindowsSelfManagedADFileSystemWithAllConfigs:
Type: 'AWS::FSx::FileSystem'
Properties:
FileSystemType: WINDOWS
SubnetIds:
- !ImportValue MySubnet01
SecurityGroupIds:
- !ImportValue WindowsIngressSecurityGroupId
Tags:
- Key: Name
Value: windows
ThroughputCapacity: 8
WeeklyMaintenanceStartTime: '4:16:30'
DailyAutomaticBackupStartTime: '01:00'
AutomaticBackupRetentionDays: 2
CopyTagsToBackups: false
SelfManagedActiveDirectoryConfiguration:
DnsIps:
- !Select
- 0
- !Split
- ','
- !ImportValue MySelfManagedADDnsIpAddresses
DomainName:
'Fn::ImprtValue': SelfManagedADDomainName
FileSystemAdministratorsGroup: MyDomainAdminGroup
OrganizationalUnitDistinguishedName: 'OU=FileSystems,DC=corp,DC=example,DC=com'
Username: Admin
Password: !Join
- ':'
- - '{{resolve:secretsmanager'
- !ImportValue MySelfManagedADCredentialName
- 'SecretString}}'
Outputs:
FileSystemId:
Value: !Ref WindowsSelfManagedADFileSystemWithAllConfigs
Create an Amazon FSx for Windows File Server File System in an AWS Managed Active Directory
The following examples create an Amazon FSx for Windows File Server file system joined to an AWS
Managed Active Directory.
JSON
{
"Resources": {
"WindowsMadFileSystemWithAllConfigs": {
"Properties": {
"FileSystemType": "WINDOWS",

2207
FSx
"SubnetIds": [
{
"Fn::ImportValue": "CfnFsxMadSubnet01"
}
],
{
"Fn::ImportValue": "WindowsIngressSecurityGroupId"
}
],
"Tags": [
{
"Key": "Name",
"Value": "windows"
}
],
"WindowsConfiguration": {
"ActiveDirectoryId": {
"Fn::ImportValue": "CfnFsxMadDirectoryServiceId"
},
"ThroughputCapacity": 8,
"WeeklyMaintenanceStartTime": "4:16:30",
"DailyAutomaticBackupStartTime": "01:00",
"AutomaticBackupRetentionDays": 2,
"CopyTagsToBackups": false
}
}
}
},
"Outputs": {
"FileSystemId": {
"Value": {
"Ref": "WindowsMadFileSystemWithAllConfigs"
}
}
}
}
YAML
Resources:
WindowsMadFileSystemWithAllConfigs:
Type: 'AWS::FSx::FileSystem'
Properties:
FileSystemType: WINDOWS
SubnetIds:
- !ImportValue CfnFsxMadSubnet01
SecurityGroupIds:
- !ImportValue WindowsIngressSecurityGroupId
Tags:
- Key: Name
Value: windows
ActiveDirectoryId: !ImportValue CfnFsxMadDirectoryServiceId
ThroughputCapacity: 8
WeeklyMaintenanceStartTime: '4:16:30'
DailyAutomaticBackupStartTime: '01:00'
AutomaticBackupRetentionDays: 2
CopyTagsToBackups: false
Outputs:
FileSystemId:
Value: !Ref WindowsMadFileSystemWithAllConfigs

2208
FSx
AWS::FSx::FileSystem LustreConfiguration
The configuration for the Amazon FSx for Lustre file system.
Syntax
JSON
{
"ExportPath" : String,
"ImportedFileChunkSize" : Integer,
"ImportPath" : String,
"WeeklyMaintenanceStartTime" : String
}
YAML
ExportPath: String
ImportedFileChunkSize: Integer
ImportPath: String
WeeklyMaintenanceStartTime: String
Properties
ExportPath
(Optional) The path in Amazon S3 where the root of your Amazon FSx file system is exported.
The path must use the same Amazon S3 bucket as specified in ImportPath. You can provide an
optional prefix to which new and changed data is to be exported from your Amazon FSx for Lustre
file system. If an ExportPath value is not provided, Amazon FSx sets a default export path, s3://
import-bucket/FSxLustre[creation-timestamp]. The timestamp is in UTC format, for
example s3://import-bucket/FSxLustre20181105T222312Z.
The Amazon S3 export bucket must be the same as the import bucket specified by ImportPath.
If you only specify a bucket name, such as s3://import-bucket, you get a 1:1 mapping of file
system objects to S3 bucket objects. This mapping means that the input data in S3 is overwritten on
export. If you provide a custom prefix in the export path, such as s3://import-bucket/[custom-
optional-prefix], Amazon FSx exports the contents of your file system to that export prefix in
the Amazon S3 bucket.
Required: No
Type: String
Minimum: 3
Maximum: 900

ImportedFileChunkSize
(Optional) For files imported from a data repository, this value determines the stripe count and
maximum amount of data per file (in MiB) stored on a single physical disk. The maximum number of
disks that a single file can be striped across is limited by the total number of disks that make up the
file system.

2209
FSx
The chunk size default is 1,024 MiB (1 GiB) and can go as high as 512,000 MiB (500 GiB). Amazon S3
objects have a maximum size of 5 TB.
Required: No
Type: Integer
Minimum: 1
Maximum: 512000

ImportPath
(Optional) The path to the Amazon S3 bucket (including the optional prefix) that you're using as
the data repository for your Amazon FSx for Lustre file system. The root of your FSx for Lustre
file system will be mapped to the root of the Amazon S3 bucket you select. An example is s3://
import-bucket/optional-prefix. If you specify a prefix after the Amazon S3 bucket name,
only object keys with that prefix are loaded into the file system.
Required: No
Type: String
Minimum: 3
Maximum: 900

WeeklyMaintenanceStartTime
The preferred time to perform weekly maintenance, in the UTC time zone.
Required: No
Type: String
AWS::FSx::FileSystem SelfManagedActiveDirectoryConfiguration
The configuration that Amazon FSx uses to join the Windows File Server instance to your self-managed
(including on-premises) Microsoft Active Directory (AD) directory.
Syntax
JSON
{
"DnsIps" : [ String, ... ],
"FileSystemAdministratorsGroup" : String,
"OrganizationalUnitDistinguishedName" : String,
"UserName" : String

2210
FSx
YAML
DnsIps:
- String
DomainName: String
FileSystemAdministratorsGroup: String
Password: String
UserName: String
Properties
DnsIps
A list of up to two IP addresses of DNS servers or domain controllers in the self-managed AD

directory. The IP addresses need to be either in the same VPC CIDR range as the one in which your
Amazon FSx file system is being created, or in the private IP version 4 (Iv4) address ranges, as
specified in RFC 1918:
• 10.0.0.0 - 10.255.255.255 (10/8 prefix)
• 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
• 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Required: No
Maximum: 2

DomainName
The fully qualified domain name of the self-managed AD directory, such as corp.example.com.
Required: No
Type: String

FileSystemAdministratorsGroup
(Optional) The name of the domain group whose members are granted administrative privileges for
the file system. Administrative privileges include taking ownership of files and folders, setting audit
controls (audit ACLs) on files and folders, and administering the file system remotely by using the
FSx Remote PowerShell. The group that you specify must already exist in your domain. If you don't
provide one, your AD domain's Domain Admins group is used.
Required: No
Type: String
Minimum: 1
Maximum: 256

2211
FSx
(Optional) The fully qualified distinguished name of the organizational unit within your self-
managed AD directory that the Windows File Server instance will join. Amazon FSx only accepts OU
as the direct parent of the file system. An example is OU=FSx,DC=yourdomain,DC=corp,DC=com.
To learn more, see RFC 2253. If none is provided, the FSx file system is created in the default
location of your self-managed AD directory.
Important
Only Organizational Unit (OU) objects can be the direct parent of the file system that you're
creating.
Required: No
Type: String
Minimum: 1
Maximum: 2000

Password
The password for the service account on your self-managed AD domain that Amazon FSx will use
to join to your AD domain. We strongly suggest that you follow best practices and do not embed
passwords in your CFN templates.
The recommended approach is to use AWS Secrets Manager to store your passwords. You can
retrieve them for use in your templates using the secretsmanager dynamic reference. There are
additional costs associated with using AWS Secrets Manager. To learn more, see Secrets Manager
Secrets in the AWS CloudFormation User Guide.
Alternatively, you can use the NoEcho property to obfuscate the password parameter value. For
more information, see Do Not Embed Credentials in Your Templates in the AWS CloudFormation User
Guide.
Required: No
Type: String
Minimum: 1
Maximum: 256

UserName
The user name for the service account on your self-managed AD domain that Amazon FSx will use to
join to your AD domain. This account must have the permission to join computers to the domain in
the organizational unit provided in OrganizationalUnitDistinguishedName, or in the default
location of your AD domain.
Required: No
Type: String
Minimum: 1
Maximum: 256

2212
FSx
AWS::FSx::FileSystem WindowsConfiguration
The Microsoft Windows configuration for the file system being created. This value is required if
FileSystemType is set to WINDOWS.
Syntax
JSON
{
"ActiveDirectoryId" : String,
"AutomaticBackupRetentionDays" : Integer,
"CopyTagsToBackups" : Boolean,
"DailyAutomaticBackupStartTime" : String,
"SelfManagedActiveDirectoryConfiguration" : SelfManagedActiveDirectoryConfiguration (p. 2210),

"ThroughputCapacity" : Integer,
"WeeklyMaintenanceStartTime" : String
}
YAML
ActiveDirectoryId: String
AutomaticBackupRetentionDays: Integer
CopyTagsToBackups: Boolean
DailyAutomaticBackupStartTime: String
SelfManagedActiveDirectoryConfiguration:
SelfManagedActiveDirectoryConfiguration (p. 2210)
ThroughputCapacity: Integer
WeeklyMaintenanceStartTime: String
Properties
ActiveDirectoryId
The ID for an existing AWS Managed Microsoft Active Directory (AD) instance that the file system
should join when it's created.
Required: No
Type: String
Minimum: 12
Maximum: 12
Pattern: ^d-[0-9a-f]{10}$

AutomaticBackupRetentionDays
The number of days to retain automatic backups. The default is to retain backups for 7 days. Setting
this value to 0 disables the creation of automatic backups. The maximum retention period for
backups is 35 days.

2213
FSx
Required: No
Type: Integer
Minimum: 0
Maximum: 35

CopyTagsToBackups
A boolean flag indicating whether tags for the file system should be copied to backups. This value
defaults to false. If it's set to true, all tags for the file system are copied to all automatic and user-
initiated backups where the user doesn't specify tags. If this value is true, and you specify one or
more tags, only the specified tags are copied to backups.
Required: No
Type: Boolean

DailyAutomaticBackupStartTime
The preferred time to take daily automatic backups, formatted HH:MM in the UTC time zone.
Required: No
Type: String

SelfManagedActiveDirectoryConfiguration
The configuration that Amazon FSx uses to join the Windows File Server instance to your self-
managed (including on-premises) Microsoft Active Directory (AD) directory.
Required: No
Type: SelfManagedActiveDirectoryConfiguration (p. 2210)

ThroughputCapacity
The throughput of an Amazon FSx file system, measured in megabytes per second, in 2 to the nth
increments, between 2^3 (8) and 2^11 (2048).
Required: No
Type: Integer
Minimum: 8
Maximum: 2048

WeeklyMaintenanceStartTime
The preferred start time to perform weekly maintenance, formatted d:HH:MM in the UTC time zone.
Required: No

2214
GameLift
Type: String
Amazon GameLift Resource Type Reference

Resource Types
• AWS::GameLift::Alias (p. 2215)

• AWS::GameLift::Build (p. 2219)
• AWS::GameLift::Fleet (p. 2224)
• AWS::GameLift::GameSessionQueue (p. 2240)
• AWS::GameLift::MatchmakingConfiguration (p. 2244)
• AWS::GameLift::MatchmakingRuleSet (p. 2252)
• AWS::GameLift::Script (p. 2254)
AWS::GameLift::Alias
The AWS::GameLift::Alias resource creates an alias for an Amazon GameLift (GameLift) fleet
destination. There are two types of routing strategies for aliases: simple and terminal. A simple alias
points to an active fleet. A terminal alias displays a message instead of routing players to an active fleet.
For example, a terminal alias might display a URL link that directs players to an upgrade site. You can use
aliases to define destinations in a game session queue or when requesting new game sessions.
Syntax
JSON
{
"Type" : "AWS::GameLift::Alias",
"Properties" : {
"Name" : String,
"RoutingStrategy" : RoutingStrategy (p. 2218)
}
}
YAML
Type: AWS::GameLift::Alias
Properties:
Description: String
Name: String
RoutingStrategy:
RoutingStrategy (p. 2218)
Properties
Description
A human-readable description of the alias.

2215
GameLift
Required: No
Type: String
Minimum: 1
Maximum: 1024

Name
A descriptive label that is associated with an alias. Alias names do not need to be unique.
Required: Yes
Type: String
Minimum: 1
Maximum: 1024
Pattern: .*\S.*

RoutingStrategy
A routing configuration that specifies where traffic is directed for this alias, such as to a fleet or to a
message.
Required: Yes
Type: RoutingStrategy (p. 2218)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the alias ID, such
as alias-1111aaaa-22bb-33cc-44dd-5555eeee66ff.
Examples
Create a Simple Alias
The following example creates a simple alias for a fleet. The template uses !Ref to reference a fleet
resource, which can be declared elsewhere in the same template.
JSON
{
"Resources": {
"AliasResource": {
"Properties": {
"Name": "MyAlias",
"Description": "My Alias Description",
"RoutingStrategy": {

2216
GameLift
"Type": "SIMPLE",
"FleetId": {
"Ref": "FleetResource"
}
}
},
"Type": "AWS::GameLift::Alias"
}
}
}
YAML
Resources:
AliasResource:
Properties:
Name: MyAlias
Description: My Alias Description
RoutingStrategy:
Type: SIMPLE
FleetId: !Ref FleetResource
Create terminal alias
The following example creates a terminal alias with a generic terminal message.
JSON
{
"Resources": {
"AliasResource": {
"Type": "AWS::GameLift::Alias",
"Properties": {
"Name": "MyTerminalAlias",
"Description": "A terminal alias",
"RoutingStrategy": {
"Type": "TERMINAL",
"Message": "Terminal routing strategy message"
}
}
}
}
}
YAML
Resources:
AliasResource:
Properties:
Name: MyTerminalAlias
Description: A terminal alias
RoutingStrategy:
Type: TERMINAL
Message: Terminal routing strategy message
See Also
• Create GameLift Resources Using AWS CloudFormation in the Amazon GameLift Developer Guide

2217
GameLift
• Add an Alias to a GameLift Fleet in the Amazon GameLift Developer Guide

• CreateAlias in the Amazon GameLift API Reference
AWS::GameLift::Alias RoutingStrategy
The routing configuration for a fleet alias.
Syntax
JSON
{
"FleetId" : String,
"Message" : String,
"Type" : String
}
YAML
FleetId: String
Message: String
Type: String
Properties
FleetId
A unique identifier for a fleet that the alias points to. If you specify SIMPLE for the Type property,
you must specify this property.
Type: String
Pattern: ^fleet-\S+

Message
The message text to be used with a terminal routing strategy. If you specify TERMINAL for the Type
property, you must specify this property.
Type: String

Type
A type of routing strategy.
Possible routing types include the following:

• SIMPLE - The alias resolves to one specific fleet. Use this type when routing to active fleets.

2218
GameLift
• TERMINAL - The alias does not resolve to a fleet but instead can be used to display a message to
the user. A terminal alias throws a TerminalRoutingStrategyException with the message
that you specified in the Message property.
Required: Yes
Type: String
Allowed Values: SIMPLE | TERMINAL
See Also
• Add an Alias to a GameLift Fleet in the Amazon GameLift Developer Guide
• RoutingStrategy in the Amazon GameLift API Reference
AWS::GameLift::Build
The AWS::GameLift::Build resource creates a game server build that is installed and run on instances
in an Amazon GameLift fleet. This resource points to an Amazon S3 location that contains a zip file with
all of the components of the game server build.
Syntax
JSON
{
"Type" : "AWS::GameLift::Build",
"Properties" : {
"Name" : String,
"OperatingSystem" : String,
"StorageLocation" : S3Location (p. 2222),
"Version" : String
}
}
YAML
Type: AWS::GameLift::Build
Properties:
Name: String
OperatingSystem: String
StorageLocation:
Version: String
Properties
Name
A descriptive label that is associated with a build. Build names do not need to be unique.
Required: No

2219
GameLift
Type: String
Minimum: 1
Maximum: 1024

OperatingSystem
The operating system that the game server binaries are built to run on. This value determines
the type of fleet resources that you can use for this build. If your game build contains multiple
executables, they all must run on the same operating system. If an operating system is not specified
when creating a build, Amazon GameLift uses the default value (WINDOWS_2012). This value
cannot be changed later.
Required: No
Type: String
Allowed Values: AMAZON_LINUX | AMAZON_LINUX_2 | WINDOWS_2012

StorageLocation
Information indicating where your game build files are stored. Use this parameter only when
creating a build with files stored in an Amazon S3 bucket that you own. The storage location must
specify an Amazon S3 bucket name and key. The location must also specify a role ARN that you set
up to allow Amazon GameLift to access your Amazon S3 bucket. The S3 bucket and your new build
must be in the same Region.
Required: No

Version
Version information that is associated with this build. Version strings do not need to be unique.
Required: No
Type: String
Minimum: 1
Maximum: 1024
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the build ID, such
as build-1111aaaa-22bb-33cc-44dd-5555eeee66ff.

2220
GameLift
Examples
Create a Custom Game Server Build
The following example creates a GameLift build named MyGameServerBuild. The build package is
located in an S3 bucket, specified by the S3Bucket and S3Key input parameters. The example also
creates the AWS Identity and Access Management (IAM) role that GameLift assumes so that it has
permissions to download the build package files.
JSON
{
"Resources": {
"IAMRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"cloudformation.amazonaws.com",
"gamelift.amazonaws.com"
]
},
}
]
},
"RoleName": "BuildIAMRole",
"Policies": [
{
"PolicyName": "gamelift-s3-access-policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetObjectMetadata",
"s3:*Object*"
],
"Resource": [
"arn:aws:s3:::MyBucketName/*"
]
}
]
}
}
]
}
},
"BuildResource": {
"Type": "AWS::GameLift::Build",
"Properties": {
"Name": "MyGameServerBuild",
"Version": "v1.0",
"OperatingSystem": "WINDOWS_2012",
"StorageLocation": {
"Bucket": "MyBucketName",

2221
GameLift
"Key": "MyGameBuildFiles.zip",
"RoleArn": {
"Fn::GetAtt": [
"IAMRole",
"Arn"
]
}
}
}
}
}
}
YAML
Resources:
IAMRole:
Properties:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service: ["cloudformation.amazonaws.com", "gamelift.amazonaws.com"]
RoleName: "BuildIAMRole"
Policies:
- PolicyName: gamelift-s3-access-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- "s3:GetObject"
- "s3:GetObjectVersion"
- "s3:GetObjectMetadata"
- "s3:*Object*"
Resource:
- "arn:aws:s3:::MyBucketName/*"
BuildResource:
Type: AWS::GameLift::Build
Properties:
Name: MyGameServerBuild
Version: v1.0
OperatingSystem: WINDOWS_2012
StorageLocation:
Bucket: "MyBucketName"
Key: "MyGameBuildFiles.zip"
RoleArn: !GetAtt IAMRole.Arn
See Also
• Create a Build with Files in Amazon S3 in the Amazon GameLift Developer Guide
• Upload Script Files in Amazon S3 in the Amazon GameLift Developer Guide
• CreateBuild in the Amazon GameLift API Reference
AWS::GameLift::Build S3Location
The location in Amazon S3 where build or script files are stored for access by Amazon GameLift.

2222
GameLift
Syntax
JSON
{
"Bucket" : String,
"Key" : String,
"ObjectVersion" : String,
"RoleArn" : String
}
YAML
Bucket: String
Key: String
RoleArn: String
Properties
Bucket
An Amazon S3 bucket identifier. This is the name of the S3 bucket.
Required: Yes
Type: String
Minimum: 1

Key
The name of the zip file that contains the build files or script files.
Required: Yes
Type: String
Minimum: 1

ObjectVersion
The version of the file, if object versioning is turned on for the bucket. Amazon GameLift uses this
information when retrieving files from your S3 bucket. To retrieve a specific version of the file,
provide an object version. To retrieve the latest version of the file, do not set this parameter.
Required: No
Type: String
Minimum: 1

RoleArn
The Amazon Resource Name (ARN) for an IAM role that allows Amazon GameLift to access the S3
bucket.
Required: Yes

2223
GameLift
Type: String
Minimum: 1
See Also
• Create a Build with Files in Amazon S3 in the Amazon GameLift Developer Guide
• S3Location in the Amazon GameLift API Reference
AWS::GameLift::Fleet
The AWS::GameLift::Fleet resource creates an Amazon GameLift (GameLift) fleet to host game
servers. A fleet is a set of EC2 instances, each of which can host multiple game sessions.
Syntax
JSON
{
"Type" : "AWS::GameLift::Fleet",
"Properties" : {
"BuildId" : String,
"CertificateConfiguration" : CertificateConfiguration (p. 2233),
"DesiredEC2Instances" : Integer,
"EC2InboundPermissions" : [ IpPermission (p. 2234), ... ],
"EC2InstanceType" : String,
"FleetType" : String,
"InstanceRoleArn" : String,
"LogPaths" : [ String, ... ],
"MaxSize" : Integer,
"MetricGroups" : [ String, ... ],
"MinSize" : Integer,
"Name" : String,
"NewGameSessionProtectionPolicy" : String,
"PeerVpcAwsAccountId" : String,
"PeerVpcId" : String,
"ResourceCreationLimitPolicy" : ResourceCreationLimitPolicy (p. 2236),
"RuntimeConfiguration" : RuntimeConfiguration (p. 2237),
"ScriptId" : String,
"ServerLaunchParameters" : String,
"ServerLaunchPath" : String
}
}
YAML
Type: AWS::GameLift::Fleet
Properties:
BuildId: String
CertificateConfiguration:
CertificateConfiguration (p. 2233)
Description: String

2224
GameLift
DesiredEC2Instances: Integer
EC2InboundPermissions:
- IpPermission (p. 2234)
EC2InstanceType: String
FleetType: String
InstanceRoleArn: String
LogPaths:
- String
MaxSize: Integer
MetricGroups:
- String
MinSize: Integer
Name: String
NewGameSessionProtectionPolicy: String
PeerVpcAwsAccountId: String
PeerVpcId: String
ResourceCreationLimitPolicy:
ResourceCreationLimitPolicy (p. 2236)
RuntimeConfiguration:
RuntimeConfiguration (p. 2237)
ScriptId: String
ServerLaunchParameters: String
ServerLaunchPath: String
Properties
BuildId
A unique identifier for a build to be deployed on the new fleet. If you are deploying the fleet with a
custom game build, you must specify this property. The build must have been successfully uploaded
to Amazon GameLift and be in a READY status. This fleet setting cannot be changed once the fleet is
created.
Type: String
Pattern: ^build-\S+

CertificateConfiguration
Indicates whether to generate a TLS/SSL certificate for the new fleet. TLS certificates are used for
encrypting traffic between game clients and game servers running on GameLift. If this parameter
is not set, certificate generation is disabled. This fleet setting cannot be changed once the fleet is
created. Learn more at Securing Client/Server Communication.
Note: This feature requires the AWS Certificate Manager (ACM) service, which is available in the AWS
global partition but not in all other partitions. When working in a partition that does not support
this feature, a request for a new fleet with certificate generation results fails with a 4xx unsupported
region error.
Required: No
Type: CertificateConfiguration (p. 2233)

Description
A human-readable description of a fleet.
Required: No

2225
GameLift
Type: String
Minimum: 1
Maximum: 1024

DesiredEC2Instances
The number of EC2 instances that you want this fleet to host. When creating a new fleet, GameLift
automatically sets this value to "1" and initiates a single instance. Once the fleet is active, update
this value to trigger GameLift to add or remove instances from the fleet.
Required: No
Type: Integer
Minimum: 0

EC2InboundPermissions
A range of IP addresses and port settings that allow inbound traffic to connect to server processes
on an Amazon GameLift server.
Required: No
Type: List of IpPermission (p. 2234)
Maximum: 50

EC2InstanceType
The name of an EC2 instance type that is supported in Amazon GameLift. A fleet instance type
determines the computing resources of each instance in the fleet, including CPU, memory, storage,
and networking capacity. Amazon GameLift supports the following EC2 instance types. See Amazon
EC2 Instance Types for detailed descriptions.
Required: Yes
Type: String
Allowed Values: c3.2xlarge | c3.4xlarge | c3.8xlarge | c3.large | c3.xlarge |

c4.2xlarge | c4.4xlarge | c4.8xlarge | c4.large | c4.xlarge | c5.12xlarge |
c5.18xlarge | c5.24xlarge | c5.2xlarge | c5.4xlarge | c5.9xlarge | c5.large
| c5.xlarge | m3.2xlarge | m3.large | m3.medium | m3.xlarge | m4.10xlarge |
m4.2xlarge | m4.4xlarge | m4.large | m4.xlarge | m5.12xlarge | m5.16xlarge |
m5.24xlarge | m5.2xlarge | m5.4xlarge | m5.8xlarge | m5.large | m5.xlarge |
r3.2xlarge | r3.4xlarge | r3.8xlarge | r3.large | r3.xlarge | r4.16xlarge |
r4.2xlarge | r4.4xlarge | r4.8xlarge | r4.large | r4.xlarge | r5.12xlarge |
r5.16xlarge | r5.24xlarge | r5.2xlarge | r5.4xlarge | r5.8xlarge | r5.large
| r5.xlarge | t2.large | t2.medium | t2.micro | t2.small

FleetType
Indicates whether to use On-Demand instances or Spot instances for this fleet. If empty, the default
is ON_DEMAND. Both categories of instances use identical hardware and configurations based on the
instance type selected for this fleet. Learn more about On-Demand versus Spot Instances.
Required: Yes

2226
GameLift
Type: String

InstanceRoleArn
A unique identifier for an AWS IAM role that manages access to your AWS services. With an instance
role ARN set, any application that runs on an instance in this fleet can assume the role, including
install scripts, server processes, and daemons (background processes). Create a role or look up a
role's ARN from the IAM dashboard in the AWS Management Console. Learn more about using on-
box credentials for your game servers at Access external resources from a game server.
Required: No
Type: String
Minimum: 1

LogPaths
This parameter is no longer used. When hosting a custom game build, specify where Amazon
GameLift should store log files using the Amazon GameLift server API call ProcessReady(). See
more information in the Server API Reference.
Required: No

MaxSize
The maximum value that is allowed for the fleet's instance count. When creating a new fleet,
GameLift automatically sets this value to "1". Once the fleet is active, you can change this value.
Required: No
Type: Integer
Minimum: 0

MetricGroups
The name of an Amazon CloudWatch metric group. A metric group aggregates the metrics for all
fleets in the group. Specify a string containing the metric group name. You can use an existing name
or use a new name to create a new metric group. Currently, this parameter can have only one string.
Required: No
Maximum: 1

MinSize
The minimum value allowed for the fleet's instance count. When creating a new fleet, GameLift
automatically sets this value to "0". After the fleet is active, you can change this value.
Required: No
Type: Integer

2227
GameLift
Minimum: 0

Name
A descriptive label that is associated with a fleet. Fleet names do not need to be unique.
Required: Yes
Type: String
Minimum: 1
Maximum: 1024

NewGameSessionProtectionPolicy
A game session protection policy to apply to all game sessions hosted on instances in this fleet.
When protected, active game sessions cannot be terminated during a scale-down event. If this
parameter is not set, instances in this fleet default to no protection. You can change a fleet's
protection policy to affect future game sessions on the fleet. You can also set protection for
individual game sessions.
Required: No
Type: String
Allowed Values: FullProtection | NoProtection

PeerVpcAwsAccountId
A unique identifier for the AWS account with the VPC that you want to peer your Amazon GameLift
fleet with. You can find your account ID in the AWS Management Console under account settings.
Required: No
Type: String
Minimum: 1
Maximum: 1024

PeerVpcId
A unique identifier for a VPC with resources to be accessed by your Amazon GameLift fleet. The VPC
must be in the same Region as your fleet. To look up a VPC ID, use the VPC Dashboard in the AWS
Management Console. Learn more about VPC peering in VPC Peering with Amazon GameLift Fleets.
Required: No
Type: String
Minimum: 1
Maximum: 1024

ResourceCreationLimitPolicy
A policy that limits the number of game sessions an individual player can create over a span of time
for this fleet.

2228
GameLift
Required: No
Type: ResourceCreationLimitPolicy (p. 2236)

RuntimeConfiguration
Instructions for launching server processes on each instance in the fleet. Server processes run
either a custom game build executable or a Realtime script. The runtime configuration defines the
server executables or launch script file, launch parameters, and the number of processes to run
concurrently on each instance. When creating a fleet, the runtime configuration must have at least
one server process configuration; otherwise the request fails with an invalid request exception.
This parameter is required unless the parameters ServerLaunchPath and

ServerLaunchParameters are defined. Runtime configuration has replaced these parameters, but
fleets that use them will continue to work.
Type: RuntimeConfiguration (p. 2237)

ScriptId
A unique identifier for a Realtime script to be deployed on a new Realtime Servers fleet. The script
must have been successfully uploaded to Amazon GameLift. This fleet setting cannot be changed
once the fleet is created.
Note: It is not currently possible to use the !Ref command to reference a script created with a
CloudFormation template for the fleet property ScriptId. Instead, use Fn::GetAtt Script.Arn
or Fn::GetAtt Script.Id to retrieve either of these properties as input for ScriptId.
Alternatively, enter a ScriptId string manually.
Type: String
Pattern: ^script-\S+|ârn:.*script-\S+

ServerLaunchParameters
This parameter is no longer used but is retained for backward compatibility. Instead, specify server
launch parameters in the RuntimeConfiguration parameter. A request must specify either a
runtime configuration or values for both ServerLaunchParameters and ServerLaunchPath.
Type: String
Minimum: 1
Maximum: 1024

ServerLaunchPath
This parameter is no longer used. Instead, specify a server launch path using the
RuntimeConfiguration parameter. Requests that specify a server launch path and launch
parameters instead of a runtime configuration will continue to work.

2229
GameLift
Type: String
Minimum: 1
Maximum: 1024
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the fleet ID, such
as fleet-1111aaaa-22bb-33cc-44dd-5555eeee66ff.
Examples
Create GameLift fleet with a Build
The following example creates and configures a GameLift fleet for a custom game build. The fleet uses
a Ref intrinsic function to specify a build, which can be declared elsewhere in the same template. The
example syntax for log path and server launch path uses values for a Windows build.
Note: the JSON example shows how to escape the slashes (\\).
JSON
{
"Resources": {
"FleetResource": {
"Type": "AWS::GameLift::Fleet",
"Properties": {
"BuildId": {
"Ref": "BuildResource"
},
"CertificateConfiguration": {
"CertificateType": "DISABLED"
},
"Description": "Description of my Fleet",
"DesiredEc2Instances": 1,
"EC2InboundPermissions": [
{
"FromPort": "1234",
"ToPort": "1324",
"IpRange": "0.0.0.0/24",
"Protocol": "TCP"
},
{
"FromPort": "1356",
"ToPort": "1578",
"IpRange": "192.168.0.0/24",
"Protocol": "UDP"
}
],
"EC2InstanceType": "c4.large",
"FleetType": "SPOT",
"LogPaths": [
"c:\\game\\testlog.log",

2230
GameLift
"c:\\game\\testlog2.log"
],
"MetricGroups": [
"MetricGroupName"
],
"Name": "MyGameFleet",
"NewGameSessionProtectionPolicy": "FullProtection",
"ResourceCreationLimitPolicy": {
"NewGameSessionsPerCreator": 5,
"PolicyPeriodInMinutes": 2
},
"RuntimeConfiguration": {
"GameSessionActivationTimeoutSeconds": 300,
"MaxConcurrentGameSessionActivations": 1,
"ServerProcesses": [
{
"ConcurrentExecutions": 1,
"LaunchPath": "c:\\game\\TestApplicationServer.exe"
}
]
}
}
}
}
}
YAML
Resources:
FleetResource:
Properties:
BuildId: !Ref BuildResource
CertificateType: DISABLED
Description: Description of my Game Fleet
DesiredEc2Instances: 1
- FromPort: '1234'
ToPort: '1324'
IpRange: 0.0.0.0/24
Protocol: TCP
- FromPort: '1356'
ToPort: '1578'
IpRange: 192.168.0.0/24
Protocol: UDP
EC2InstanceType: c4.large
FleetType: SPOT
LogPaths:
- c:\game\testlog.log
- c:\game\testlog2.log
MetricGroups:
- MetricGroupName
Name: MyGameFleet
NewGameSessionProtectionPolicy: FullProtection
NewGameSessionsPerCreator: 5
PolicyPeriodInMinutes: 2
GameSessionActivationTimeoutSeconds: 300
MaxConcurrentGameSessionActivations: 1
ServerProcesses:
- ConcurrentExecutions: 1
LaunchPath: c:\game\TestApplicationServer.exe

2231
GameLift
Create GameLift fleet with a Script
The following example creates and configures a GameLift fleet to run Realtime Servers. The fleet uses
a GetAtt intrinsic function to specify a script, which can be declared elsewhere in the same template.
Note that the syntax example for the log path and server launch path are for Linux, as all Realtime
Servers are deployed with Linux.
JSON
{
"Resources": {
"FleetResource": {
"Type": "AWS::GameLift::Fleet",
"Properties": {
"CertificateConfiguration": {
"CertificateType": "DISABLED"
},
"Description": "Description of my Game Fleet",
"DesiredEC2Instances": 1,
"EC2InboundPermissions": [
{
"FromPort": "1234",
"ToPort": "1324",
"IpRange": "0.0.0.0/24",
"Protocol": "TCP"
},
{
"FromPort": "1356",
"ToPort": "1578",
"IpRange": "192.168.0.0/24",
"Protocol": "UDP"
}
],
"EC2InstanceType": "c4.large",
"FleetType": "SPOT",
"LogPaths": [
"/local/game/testlog.log",
"/local/game/testlog2.log"
],
"MetricGroups": [
"MetricGroupName"
],
"Name": "MyGameFleet",
"NewGameSessionProtectionPolicy": "FullProtection",
"ResourceCreationLimitPolicy": {
"NewGameSessionsPerCreator": 5,
"PolicyPeriodInMinutes": 2
},
"RuntimeConfiguration": {
"GameSessionActivationTimeoutSeconds": 300,
"MaxConcurrentGameSessionActivations": 1,
"ServerProcesses": [
{
"ConcurrentExecutions": 1,
"LaunchPath": "/local/game/myscript.js"
}
]
},
"ScriptId": {
"Fn::GetAtt": [
"ScriptResource",
"Id"
]
}

2232
GameLift
}
}
}
}
YAML
Resources:
FleetResource:
Properties:
CertificateType: DISABLED
Description: Description of my game fleet
DesiredEC2Instances: 1
- FromPort: '1234'
ToPort: '1324'
IpRange: 0.0.0.0/24
Protocol: TCP
- FromPort: '1356'
ToPort: '1578'
IpRange: 192.168.0.0/24
Protocol: UDP
EC2InstanceType: c4.large
FleetType: SPOT
LogPaths:
- '/local/game/testlog.log'
- '/local/game/testlog2.log'
MetricGroups:
- MetricGroupName
Name: MyGameFleet
NewGameSessionProtectionPolicy: FullProtection
NewGameSessionsPerCreator: 5
PolicyPeriodInMinutes: 2
GameSessionActivationTimeoutSeconds: 300
MaxConcurrentGameSessionActivations: 1
ServerProcesses:
- ConcurrentExecutions: 1
LaunchPath: '/local/game/myscript.js'
ScriptId: !GetAtt ScriptResource.Id
See Also
• Setting Up GameLift Fleets in the Amazon GameLift Developer Guide
• CreateFleet in the Amazon GameLift API Reference
AWS::GameLift::Fleet CertificateConfiguration
Information about the use of a TLS/SSL certificate for a fleet. TLS certificate generation is enabled at
the fleet level, with one certificate generated for the fleet. When this feature is enabled, the certificate
can be retrieved using the GameLift Server SDK call GetInstanceCertificate. All instances in a fleet
share the same certificate.
Syntax

2233
GameLift
JSON
{
"CertificateType" : String
}
YAML
CertificateType: String
Properties
CertificateType
Indicates whether a TLS/SSL certificate is generated for the fleet.
Required: Yes
Type: String
Allowed Values: DISABLED | GENERATED
See Also
• Deploy a GameLift Fleet for a Custom Game Build in the Amazon GameLift Developer Guide
• Deploy a Realtime Servers Fleet in the Amazon GameLift Developer Guide
• CertificateConfiguration in the Amazon GameLift API Reference
AWS::GameLift::Fleet IpPermission
A range of IP addresses and port settings that allow inbound traffic to connect to server processes on
an Amazon GameLift hosting resource. New game sessions that are started on the fleet are assigned an
IP address/port number combination, which must fall into the fleet's allowed ranges. For fleets created
with a custom game server, the ranges reflect the server's game session assignments. For Realtime
Servers fleets, Amazon GameLift automatically opens two port ranges, one for TCP messaging and one
for UDP, for use by the Realtime servers.
Syntax
JSON
{
"IpRange" : String,
"ToPort" : Integer
}
YAML
FromPort: Integer

2234
GameLift
IpRange: String
Protocol: String
ToPort: Integer
Properties
FromPort
A starting value for a range of allowed port numbers.
Required: Yes
Type: Integer
Minimum: 1
Maximum: 60000

IpRange
A range of allowed IP addresses. This value must be expressed in CIDR notation. Example:
"000.000.000.000/[subnet mask]" or optionally the shortened version "0.0.0.0/[subnet
mask]".
Required: Yes
Type: String
Pattern: [^\s]+

Protocol
The network communication protocol used by the fleet.
Required: Yes
Type: String
Allowed Values: TCP | UDP

ToPort
An ending value for a range of allowed port numbers. Port numbers are end-inclusive. This value
must be higher than FromPort.
Required: Yes
Type: Integer
Minimum: 1
Maximum: 60000

2235
GameLift
See Also
• IpPermission in the Amazon GameLift API Reference
AWS::GameLift::Fleet ResourceCreationLimitPolicy
A policy that limits the number of game sessions a player can create on the same fleet. This optional
policy gives game owners control over how players can consume available game server resources. A
resource creation policy makes the following statement: "An individual player can create a maximum
number of new game sessions within a specified time period".
The policy is evaluated when a player tries to create a new game session. For example, assume you have
a policy of 10 new game sessions and a time period of 60 minutes. On receiving a CreateGameSession
request, Amazon GameLift checks that the player (identified by CreatorId) has created fewer than 10
game sessions in the past 60 minutes.
Syntax
JSON
{
"NewGameSessionsPerCreator" : Integer,
"PolicyPeriodInMinutes" : Integer
}
YAML
NewGameSessionsPerCreator: Integer
PolicyPeriodInMinutes: Integer
Properties
NewGameSessionsPerCreator
The maximum number of game sessions that an individual can create during the policy period.
Required: No
Type: Integer
Minimum: 0

PolicyPeriodInMinutes
The time span used in evaluating the resource creation limit policy.
Required: No
Type: Integer
Minimum: 0

2236
GameLift
See Also
• ResourceCreationLimitPolicy in the Amazon GameLift API Reference
AWS::GameLift::Fleet RuntimeConfiguration
A collection of server process configurations that describe the processes to run on each instance in a
fleet. All fleets must have a runtime configuration. Each instance in the fleet maintains server processes
as specified in the runtime configuration, launching new ones as existing processes end. Each instance
regularly checks for an updated runtime configuration makes adjustments as called for.
The runtime configuration enables the instances in a fleet to run multiple processes simultaneously.
Potential scenarios are as follows: (1) Run multiple processes of a single game server executable to
maximize usage of your hosting resources. (2) Run one or more processes of different executables, such
as your game server and a metrics tracking program. (3) Run multiple processes of a single game server
but with different launch parameters, for example to run one process on each instance in debug mode.
An Amazon GameLift instance is limited to 50 processes running simultaneously. A runtime configuration

must specify fewer than this limit. To calculate the total number of processes specified in a runtime
configuration, add the values of the ConcurrentExecutions parameter for each ServerProcess
object in the runtime configuration.
Syntax
JSON
{
"GameSessionActivationTimeoutSeconds" : Integer,
"MaxConcurrentGameSessionActivations" : Integer,
"ServerProcesses" : [ ServerProcess (p. 2238), ... ]
}
YAML
GameSessionActivationTimeoutSeconds: Integer
MaxConcurrentGameSessionActivations: Integer
ServerProcesses:
- ServerProcess (p. 2238)
Properties
GameSessionActivationTimeoutSeconds
The maximum amount of time (in seconds) that a game session can remain in status ACTIVATING.
If the game session is not active before the timeout, activation is terminated and the game session
status is changed to TERMINATED.
Required: No
Type: Integer

2237
GameLift
Minimum: 1
Maximum: 600

MaxConcurrentGameSessionActivations
The maximum number of game sessions with status ACTIVATING to allow on an instance
simultaneously. This setting limits the amount of instance resources that can be used for new game
activations at any one time.
Required: No
Type: Integer
Minimum: 1
Maximum: 2147483647

ServerProcesses
A collection of server process configurations that describe which server processes to run on each
instance in a fleet.
Required: No
Type: List of ServerProcess (p. 2238)
Maximum: 50
See Also
• Run Multiple Processes on a Fleet in the Amazon GameLift Developer Guide
• RuntimeConfiguration in the Amazon GameLift API Reference
AWS::GameLift::Fleet ServerProcess
A set of instructions for launching server processes on each instance in a fleet. Each instruction set
identifies the location of the server executable, optional launch parameters, and the number of server
processes with this configuration to maintain concurrently on the instance. Server process configurations
make up a fleet's RuntimeConfiguration.
Syntax
JSON

2238
GameLift
"ConcurrentExecutions" : Integer,
"LaunchPath" : String,
"Parameters" : String
}
YAML
ConcurrentExecutions: Integer
LaunchPath: String
Parameters: String
Properties
ConcurrentExecutions
The number of server processes that use this configuration to run concurrently on an instance.
Required: Yes
Type: Integer
Minimum: 1

LaunchPath
The location of the server executable in a custom game build or the name of the Realtime script file
that contains the Init() function. Game builds and Realtime scripts are installed on instances at
the root:
• Windows (for custom game builds only): C:\game. Example: "C:\game\MyGame\server.exe"
• Linux: /local/game. Examples: "/local/game/MyGame/server.exe" or "/local/game/
MyRealtimeScript.js"
Required: Yes
Type: String
Minimum: 1
Maximum: 1024

Parameters
An optional list of parameters to pass to the server executable or Realtime script on launch.
Required: No
Type: String
Minimum: 1
Maximum: 1024

2239
GameLift
See Also
• Run Multiple Processes on a Fleet in the Amazon GameLift Developer Guide
• ServerProcess in the Amazon GameLift API Reference
AWS::GameLift::GameSessionQueue
The AWS::GameLift::GameSessionQueue resource establishes a queue for processing requests to
create new game sessions. A queue identifies where new game sessions can be hosted by specifying a list
of destinations (fleets or aliases). It also sets how long requests can wait in the queue before timing out.
You can set up a queue with destinations in multiple Regions.
Syntax
JSON
{
"Type" : "AWS::GameLift::GameSessionQueue",
"Properties" : {
"Destinations" : [ Destination (p. 2243), ... ],
"Name" : String,
"PlayerLatencyPolicies" : [ PlayerLatencyPolicy (p. 2243), ... ],
"TimeoutInSeconds" : Integer
}
}
YAML
Type: AWS::GameLift::GameSessionQueue
Properties:
Destinations:
- Destination (p. 2243)
Name: String
PlayerLatencyPolicies:
- PlayerLatencyPolicy (p. 2243)
TimeoutInSeconds: Integer
Properties
Destinations
A list of fleets that can be used to fulfill game session placement requests in the queue. Fleets are
identified by either a fleet ARN or a fleet alias ARN. Destinations are listed in default preference
order.
Required: No
Type: List of Destination (p. 2243)

2240
GameLift
Name
A descriptive label that is associated with game session queue. Queue names must be unique within
each Region.
Required: Yes
Type: String
Minimum: 1
Maximum: 128
Pattern: [a-zA-Z0-9-]+

PlayerLatencyPolicies
A collection of latency policies to apply when processing game sessions placement requests with
player latency information. Multiple policies are evaluated in order of the maximum latency value,
starting with the lowest latency values. With just one policy, the policy is enforced at the start of
the game session placement for the duration period. With multiple policies, each policy is enforced
consecutively for its duration period. For example, a queue might enforce a 60-second policy
followed by a 120-second policy, and then no policy for the remainder of the placement. A player
latency policy must set a value for MaximumIndividualPlayerLatencyMilliseconds. If none is
set, this API request fails.
Required: No
Type: List of PlayerLatencyPolicy (p. 2243)

TimeoutInSeconds
The maximum time, in seconds, that a new game session placement request remains in the queue.
When a request exceeds this time, the game session placement changes to a TIMED_OUT status.
Required: No
Type: Integer
Minimum: 0
Return Values
Ref
game session queue, which is unique within each Region.
Fn::GetAtt

2241
GameLift
Arn
The unique Amazon Resource Name (ARN) for the GameSessionQueue.

Name
A descriptive label that is associated with a game session queue. Names are unique within each
Region.
Examples
Create a Game Session Queue
The following example creates a GameLift game session queue named MyGameSessionQueue. The
queue is configured with two destinations, one using a fleet ID and one using an alias ID. The queue has a
latency policy.
JSON
{
"Resources": {
"Queue": {
"Type": "AWS::GameLift::GameSessionQueue",
"Properties": {
"Name": "MyGameSessionQueue",
"TimeoutInSeconds": 60,
"Destinations": [
{
"DestinationArn": "arn:aws:gamelift:us-west-2:012345678912:fleet/
fleet-id"
},
{
"DestinationArn": "arn:aws:gamelift:us-west-2:012345678912:alias/
alias-id"
}
],
"PlayerLatencyPolicies": [
{
"MaximumIndividualPlayerLatencyMilliseconds": 1000,
"PolicyDurationSeconds": 60
}
]
}
}
}
}
YAML
Resources:
Queue:
Type: "AWS::GameLift::GameSessionQueue"
Properties:
Name: "MyGameSessionQueue"
TimeoutInSeconds: 60
Destinations:
# DestinationArn can be either an Alias arn or Fleet arn that you own
- DestinationArn: "arn:aws:gamelift:us-west-2:012345678912:fleet/fleet-id"
- DestinationArn: "arn:aws:gamelift:us-west-2:012345678912:alias/alias-id"
PlayerLatencyPolicies:
- MaximumIndividualPlayerLatencyMilliseconds: 1000

2242
GameLift
PolicyDurationSeconds: 60
See Also
• Using Multi-Region Queues in the Amazon GameLift Developer Guide
• CreateGameSessionQueue in the Amazon GameLift API Reference
AWS::GameLift::GameSessionQueue Destination
The fleet designated in a game session queue. Requests for new game sessions in the queue are fulfilled
by starting a new game session on any destination that is configured for a queue.
Syntax
JSON
{
"DestinationArn" : String
}
YAML
Properties
DestinationArn
An Amazon Resource Name (ARN) that is assigned to fleet or fleet alias. ARNs, which include a fleet
ID or alias ID and a Region name, provide a unique identifier across all Regions.
Required: No
Type: String
Minimum: 1
Maximum: 256
Pattern: [a-zA-Z0-9:/-]+
See Also
• Create a Queue in the Amazon GameLift Developer Guide
• GameSessionQueueDestination in the Amazon GameLift API Reference
AWS::GameLift::GameSessionQueue PlayerLatencyPolicy
The queue setting that determines the highest latency allowed for individual players when placing a
game session. When a latency policy is in force, a game session cannot be placed with any fleet in a

2243
GameLift
Region where a player reports latency higher than the cap. Latency policies are only enforced when the
placement request contains player latency information.
Syntax
JSON
{
"MaximumIndividualPlayerLatencyMilliseconds" : Integer,
"PolicyDurationSeconds" : Integer
}
YAML
MaximumIndividualPlayerLatencyMilliseconds: Integer
PolicyDurationSeconds: Integer
Properties
MaximumIndividualPlayerLatencyMilliseconds
The maximum latency value that is allowed for any player, in milliseconds. All policies must have a
value set for this property.
Required: No
Type: Integer
Minimum: 0

PolicyDurationSeconds
The length of time, in seconds, that the policy is enforced while placing a new game session. A null
value for this property means that the policy is enforced until the queue times out.
Required: No
Type: Integer
Minimum: 0
See Also
• Create a Queue in the Amazon GameLift Developer Guide
• PlayerLatencyPolicy in the Amazon GameLift API Reference
AWS::GameLift::MatchmakingConfiguration
The AWS::GameLift::MatchmakingConfiguration resource defines a new matchmaking
configuration for use with FlexMatch. A matchmaking configuration sets out guidelines for matching

2244
GameLift
players and starting game sessions for the match. You can set up multiple matchmaking configurations
to handle the scenarios needed for your game. Requests for matchmaking specify which configuration to
use and provides the player attribute values that are required for the configuration.
Syntax
JSON
{
"Type" : "AWS::GameLift::MatchmakingConfiguration",
"Properties" : {
"AcceptanceRequired" : Boolean,
"AcceptanceTimeoutSeconds" : Integer,
"AdditionalPlayerCount" : Integer,
"BackfillMode" : String,
"CustomEventData" : String,
"GameProperties" : [ GameProperty (p. 2251), ... ],
"GameSessionData" : String,
"GameSessionQueueArns" : [ String, ... ],
"Name" : String,
"NotificationTarget" : String,
"RequestTimeoutSeconds" : Integer,
"RuleSetName" : String
}
}
YAML
Type: AWS::GameLift::MatchmakingConfiguration
Properties:
AcceptanceRequired: Boolean
AcceptanceTimeoutSeconds: Integer
AdditionalPlayerCount: Integer
BackfillMode: String
CustomEventData: String
Description: String
GameProperties:
- GameProperty (p. 2251)
GameSessionData: String
GameSessionQueueArns:
- String
Name: String
NotificationTarget: String
RequestTimeoutSeconds: Integer
RuleSetName: String
Properties
AcceptanceRequired
A flag that determines whether a match that was created with this configuration must be accepted
by the matched players. To require acceptance, set to TRUE.
Required: Yes
Type: Boolean

2245
GameLift
AcceptanceTimeoutSeconds
The length of time (in seconds) to wait for players to accept a proposed match. If any player rejects
the match or fails to accept before the timeout, the ticket continues to look for an acceptable match.
Required: No
Type: Integer
Minimum: 1
Maximum: 600

AdditionalPlayerCount
The number of player slots in a match to keep open for future players. For example, assume that the
configuration's rule set specifies a match for a single 12-person team. If the additional player count
is set to 2, only 10 players are initially selected for the match.
Required: No
Type: Integer
Minimum: 0

BackfillMode
The method used to backfill game sessions that are created with this matchmaking configuration.
Specify MANUAL when your game manages backfill requests manually or does not use the match
backfill feature. Specify AUTOMATIC to have GameLift create a StartMatchBackfill request
whenever a game session has one or more open slots. Learn more about manual and automatic
backfill in Backfill Existing Games with FlexMatch.
Required: No
Type: String
Allowed Values: AUTOMATIC | MANUAL

CustomEventData
Information that is attached to all events related to the matchmaking configuration.
Required: No
Type: String
Minimum: 0
Maximum: 256

Description
A descriptive label that is associated with matchmaking configuration.
Required: No

2246
GameLift
Type: String
Minimum: 1
Maximum: 1024

GameProperties
A set of custom properties for a game session, formatted as key-value pairs. These properties are
passed to a game server process with a request to start a new game session. See Start a Game
Session.
Required: No
Type: List of GameProperty (p. 2251)
Maximum: 16

GameSessionData
A set of custom game session properties, formatted as a single string value. This data is passed to a
game server process with a request to start a new game session. See Start a Game Session.
Required: No
Type: String
Minimum: 1
Maximum: 4096

GameSessionQueueArns
An Amazon Resource Name (ARN) that is assigned to a game session queue and uniquely identifies
it. The format is arn:aws:gamelift:<region>:<aws account>:gamesessionqueue/<queue
name>. These queues are used when placing game sessions for matches that are created with this
matchmaking configuration. Queues can be located in any Region.
Required: Yes

Name
A unique identifier for a matchmaking configuration. Matchmaking requests use this name to
identify which matchmaking configuration to use.
Required: Yes
Type: String
Maximum: 128
Pattern: [a-zA-Z0-9-\.]*

2247
GameLift
NotificationTarget
An SNS topic ARN that is set up to receive matchmaking notifications. See Setting up Notifications
for Matchmaking for more information.
Required: No
Type: String
Minimum: 0
Maximum: 300
Pattern: [a-zA-Z0-9:_/-]*

RequestTimeoutSeconds
The maximum duration, in seconds, that a matchmaking ticket can remain in process before timing
out. Requests that fail due to timing out can be resubmitted as needed.
Required: Yes
Type: Integer
Minimum: 1
Maximum: 43200

RuleSetName
A unique identifier for a matchmaking rule set to use with this configuration. A matchmaking
configuration can only use rule sets that are defined in the same Region.
Required: Yes
Type: String
Maximum: 128
Return Values
Ref
MatchmakingConfiguration name, which is unique.
Fn::GetAtt

2248
GameLift
Arn
The unique Amazon Resource Name (ARN) for the MatchmakingConfiguration.

Name
The MatchmakingConfiguration name, which is unique.
Examples
Create a Matchmaking Configuration with a Rule Set and a Game Session Queue
The following example creates a matchmaking configuration for a game. It also uses a Ref intrinsic
function to specify the game session queue and rule set, which are also in the template.
JSON
{
"Resources": {
"QueueResource": {
"Type": "AWS::GameLift::GameSessionQueue",
"Properties": {
"Name": "MyGameSessionQueue"
}
},
"MatchmakingRuleSetResource": {
"Type": "AWS::GameLift::MatchmakingRuleSet",
"Properties": {
"Name": "MyRuleSet",
"RuleSetBody": {
"Fn::Sub": "{\"name\": \"MyMatchmakingRuleSet\",\"ruleLanguageVersion\":
\"1.0\", \"teams\": [{\"name\": \"MyTeam\",\"minPlayers\": 1,\"maxPlayers\": 20}]}"
}
}
},
"MatchmakingConfigurationResource": {
"Type": "AWS::GameLift::MatchmakingConfiguration",
"Properties": {
"Name": "MyMatchmakingConfiguration",
"AcceptanceRequired": true,
"AcceptanceTimeoutSeconds": 60,
"AdditionalPlayerCount": 8,
"BackfillMode": "AUTOMATIC",
"CustomEventData": "MyCustomEventData",
"Description": "A basic matchmaking configuration",
"GameSessionData": "MyGameSessionData",
"GameProperties": [
{
"Key": "level",
"Value": "10"
},
{
"Key": "gameMode",
"Value": "hard"
}
],
"GameSessionQueueArns": [
{
"Fn::GetAtt": [
"QueueResource",
"Arn"
]
}

2249
GameLift
],
"RequestTimeoutSeconds": 100,
"RuleSetName": {
"Ref": "MatchmakingRuleSetResource"
}
},
"DependsOn": [
"QueueResource",
"MatchmakingRuleSetResource"
]
}
}
}
YAML
Resources:
QueueResource:
Type: "AWS::GameLift::GameSessionQueue"
Properties:
Name: "MyGameSessionQueue"
MatchmakingRuleSetResource:
Type: "AWS::GameLift::MatchmakingRuleSet"
Properties:
Name: "MyRuleSet"
# Rule set body for a game of 20 players
RuleSetBody: !Sub |
{
"name": "MyMatchmakingRuleSet",
"ruleLanguageVersion": "1.0",
"teams": [{
"name": "MyTeam",
"minPlayers": 1,
"maxPlayers": 20
}]
}
MatchmakingConfigurationResource:
Type: "AWS::GameLift::MatchmakingConfiguration"
Properties:
Name: "MyMatchmakingConfiguration"
AcceptanceRequired: true
AcceptanceTimeoutSeconds: 60
AdditionalPlayerCount: 8
BackfillMode: "AUTOMATIC"
CustomEventData: "MyCustomEventData"
Description: "A basic matchmaking configuration"
GameSessionData: "MyGameSessionData"
GameProperties:
- Key: "level"
Value: "10"
- Key: "gameMode"
Value: "hard"
GameSessionQueueArns:
- !GetAtt QueueResource.Arn
RequestTimeoutSeconds: 100
RuleSetName: !Ref MatchmakingRuleSetResource
DependsOn:
- QueueResource
- MatchmakingRuleSetResource
See Also

2250
GameLift
• Setting Up GameLift FlexMatch Matchmakers in the Amazon GameLift Developer Guide

• MatchmakingConfiguration in the Amazon GameLift API Reference
AWS::GameLift::MatchmakingConfiguration GameProperty
A set of key-value pairs that contain information about a game session. When included in a game session
request, these properties communicate details to be used when setting up the new game session. For
example, a property might specify a game mode, level, or map. Game properties are passed to the game
server process when initiating a new game session.
Syntax
JSON
{
"Key" : String,
"Value" : String
}
YAML
Key: String
Value: String
Properties
Key
The game property identifier.
Required: Yes
Type: String
Maximum: 32

Value
The game property value.
Required: Yes
Type: String
Maximum: 96
See Also
• Design a FlexMatch Matchmaker in the Amazon GameLift Developer Guide
• GameProperty in the Amazon GameLift API Reference

2251
GameLift
AWS::GameLift::MatchmakingRuleSet
The AWS::GameLift::MatchmakingRuleSet resource creates a new rule set for FlexMatch
matchmaking. A rule set describes the type of match to create, such as the number and size of teams. It
also sets the parameters for acceptable player matches, such as minimum skill level or character type. A
rule set is used by a matchmaking configuration.
Syntax
JSON
{
"Type" : "AWS::GameLift::MatchmakingRuleSet",
"Properties" : {
"Name" : String,
"RuleSetBody" : String
}
}
YAML
Type: AWS::GameLift::MatchmakingRuleSet
Properties:
Name: String
RuleSetBody: String
Properties
Name
A unique identifier for a matchmaking rule set. A matchmaking configuration identifies the rule set it
uses by this name value. Note that the rule set name is different from the optional name field in the
rule set body.
Required: Yes
Type: String
Maximum: 128

RuleSetBody
A collection of matchmaking rules, formatted as a JSON string. Comments are not allowed in JSON,
but most elements support a description field.
Required: Yes
Type: String
Minimum: 1
Maximum: 65535

2252
GameLift
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the rule set name,
which is unique within each Region.
Fn::GetAtt
Arn
The unique Amazon Resource Name (ARN) assigned to the rule set.
Name
The unique name of the rule set.
Examples
Create a Matchmaking Rule Set
The following example creates a matchmaking rule set for GameLift FlexMatch named MyRuleSet. The
simple rule set defines a match with one team containing 1 to 20 players. In the YAML example, since
RuleSetBody must be in JSON format, the !Sub command is used to specify JSON content within the
YAML format.
JSON
{
"Resources": {
"MatchmakingRuleSet": {
"Type": "AWS::GameLift::MatchmakingRuleSet",
"Properties": {
"Name": "MyRuleSet",
"RuleSetBody": {
"Fn::Sub": "{\"name\": \"MyMatchmakingRuleSet\",\"ruleLanguageVersion\": \"1.0\",
\"teams\": [{\"name\": \"MyTeam\",\"minPlayers\": 1,\"maxPlayers\": 20}]}"
}
}
}
}
}
YAML
Resources:
MatchmakingRuleSet:
Type: "AWS::GameLift::MatchmakingRuleSet"
Properties:
Name: "MyRuleSet"

2253
GameLift
RuleSetBody: !Sub |
{
"name": "MyMatchmakingRuleSet",
"ruleLanguageVersion": "1.0",
"teams": [{
"name": "MyTeam",
"minPlayers": 1,
"maxPlayers": 20
}]
}
See Also
• Build a FlexMatch Rule Set in the Amazon GameLift Developer Guide
• CreateMatchmakingRuleSet in the Amazon GameLift API Reference
AWS::GameLift::Script
The AWS::GameLift::Script resource creates a new script record for your Realtime Servers script.
Realtime scripts are JavaScript that provide configuration settings and optional custom game logic for
your game. The script is deployed when you create a Realtime Servers fleet to host your game sessions.
Script logic is executed during an active game session.
Syntax
JSON
{
"Type" : "AWS::GameLift::Script",
"Properties" : {
"Name" : String,
"StorageLocation" : S3Location (p. 2257),
"Version" : String
}
}
YAML
Type: AWS::GameLift::Script
Properties:
Name: String
StorageLocation:
Version: String
Properties
Name
A descriptive label that is associated with a script. Script names do not need to be unique.
Required: No
Type: String

2254
GameLift
Minimum: 1
Maximum: 1024

StorageLocation
The location in Amazon S3 where build or script files are stored for access by Amazon GameLift.
Required: Yes

Version
The version that is associated with a build or script. Version strings do not need to be unique.
Required: No
Type: String
Minimum: 1
Maximum: 1024
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ScriptId,
such as script-1111aaaa-22bb-33cc-44dd-5555eeee66ff.
Fn::GetAtt
Arn
The unique Amazon Resource Name (ARN) for the script.

Id
A unique identifier for a Realtime script.
Examples
Create a Realtime Servers Script
The following example creates a GameLift script named MyRealtimeScript. The zipped script files
are located in an S3 bucket, specified by the S3Bucket and S3Key input parameters. The example

2255
GameLift
also creates the AWS Identity and Access Management (IAM) role that GameLift assumes so that it has
permissions to download the script files.
JSON
{
"Resources": {
"IAMRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"cloudformation.amazonaws.com",
"gamelift.amazonaws.com"
]
},
}
]
},
"RoleName": "ScriptIAMRole",
"Policies": [
{
"PolicyName": "ScriptResourceIAMPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetObjectMetadata",
"s3:*Object*"
],
"Resource": [
"*"
]
}
]
}
}
]
}
},
"ScriptResource": {
"Type": "AWS::GameLift::Script",
"Properties": {
"Name": "MyRealtimeScript",
"Version": "v1.0",
"StorageLocation": {
"Bucket": "MyBucketName",
"Key": "MyScriptFiles.zip",
"RoleArn": {
"Fn::GetAtt": [
"IAMRole",
"Arn"
]
}
}

2256
GameLift
}
}
}
}
YAML
Resources:
IAMRole:
Properties:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service: ["cloudformation.amazonaws.com", "gamelift.amazonaws.com"]
RoleName: "ScriptIAMRole"
Policies:
- PolicyName: ScriptResourceIAMPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- "s3:GetObject"
- "s3:GetObjectVersion"
- "s3:GetObjectMetadata"
- "s3:*Object*"
Resource:
- "*"
ScriptResource:
Type: AWS::GameLift::Script
Properties:
Name: MyRealtimeScript
Version: v1.0
StorageLocation:
Bucket: "MyBucketName"
Key: "MyScriptFiles.zip"
RoleArn: !GetAtt IAMRole.Arn
See Also
• CreateScript in the Amazon GameLift API Reference
AWS::GameLift::Script S3Location
The location in Amazon S3 where build or script files can be stored for access by Amazon GameLift.
Syntax
JSON
{
"Bucket" : String,

2257
GameLift
"Key" : String,
"ObjectVersion" : String,
"RoleArn" : String
}
YAML
Bucket: String
Key: String
RoleArn: String
Properties
Bucket
An Amazon S3 bucket identifier. This is the name of the S3 bucket.
Required: Yes
Type: String
Minimum: 1

Key
The name of the zip file that contains the build files or script files.
Required: Yes
Type: String
Minimum: 1

ObjectVersion
The version of the file, if object versioning is turned on for the bucket. Amazon GameLift uses this
information when retrieving files from an S3 bucket that you own. Use this parameter to specify a
specific version of the file. If not set, the latest version of the file is retrieved.
Required: No
Type: String
Minimum: 1

RoleArn
The Amazon Resource Name (ARN) for an IAM role that allows Amazon GameLift to access the S3
bucket.
Required: Yes
Type: String
Minimum: 1

2258
AWS Glue
AWS Glue Resource Type Reference

Resource Types
• AWS::Glue::Classifier (p. 2259)

• AWS::Glue::Connection (p. 2265)
• AWS::Glue::Crawler (p. 2268)
• AWS::Glue::Database (p. 2280)
• AWS::Glue::DataCatalogEncryptionSettings (p. 2282)
• AWS::Glue::DevEndpoint (p. 2286)
• AWS::Glue::Job (p. 2290)
• AWS::Glue::MLTransform (p. 2299)
• AWS::Glue::Partition (p. 2306)
• AWS::Glue::SecurityConfiguration (p. 2315)
• AWS::Glue::Table (p. 2319)
• AWS::Glue::Trigger (p. 2328)
• AWS::Glue::Workflow (p. 2339)
AWS::Glue::Classifier
The AWS::Glue::Classifier resource creates an AWS Glue classifier that categorizes data sources
and specifies schemas. For more information, see Adding Classifiers to a Crawler and Classifier Structure
in the AWS Glue Developer Guide.
Syntax
JSON
{
"Type" : "AWS::Glue::Classifier",
"Properties" : {
"CsvClassifier" : CsvClassifier (p. 2260),
"GrokClassifier" : GrokClassifier (p. 2262),
"JsonClassifier" : JsonClassifier (p. 2263),
"XMLClassifier" : XMLClassifier (p. 2264)
}
}
YAML
Type: AWS::Glue::Classifier
Properties:
CsvClassifier:
CsvClassifier (p. 2260)
GrokClassifier:
GrokClassifier (p. 2262)
JsonClassifier:
JsonClassifier (p. 2263)
XMLClassifier:
XMLClassifier (p. 2264)

2259
AWS Glue
Properties
CsvClassifier
A classifier for comma-separated values (CSV).
Required: No
Type: CsvClassifier (p. 2260)

GrokClassifier
A classifier that uses grok.
Required: No
Type: GrokClassifier (p. 2262)

JsonClassifier
A classifier for JSON content.
Required: No
Type: JsonClassifier (p. 2263)

XMLClassifier
A classifier for XML content.
Required: No
Type: XMLClassifier (p. 2264)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the classifier
name.
AWS::Glue::Classifier CsvClassifier
A classifier for custom CSV content.
Syntax
JSON

2260
AWS Glue
"AllowSingleColumn" : Boolean,
"ContainsHeader" : String,
"Delimiter" : String,
"DisableValueTrimming" : Boolean,
"Header" : [ String, ... ],
"Name" : String,
"QuoteSymbol" : String
}
YAML
AllowSingleColumn: Boolean
ContainsHeader: String
Delimiter: String
DisableValueTrimming: Boolean
Header:
- String
Name: String
QuoteSymbol: String
Properties
AllowSingleColumn
Enables the processing of files that contain only one column.
Required: No
Type: Boolean

ContainsHeader
Indicates whether the CSV file contains a header.
Required: No
Type: String

Delimiter
A custom symbol to denote what separates each column entry in the row.
Required: No
Type: String

DisableValueTrimming
Specifies not to trim values before identifying the type of column values. The default value is true.
Required: No
Type: Boolean

Header
A list of strings representing column names.

2261
AWS Glue
Required: No

Name
The name of the classifier.
Required: No
Type: String

QuoteSymbol
A custom symbol to denote what combines content into a single column value. It must be different
from the column delimiter.
Required: No
Type: String
AWS::Glue::Classifier GrokClassifier
A classifier that uses grok patterns.
Syntax
JSON
{
"CustomPatterns" : String,
"GrokPattern" : String,
"Name" : String
}
YAML
CustomPatterns: String
GrokPattern: String
Name: String
Properties
Classification
An identifier of the data format that the classifier matches, such as Twitter, JSON, Omniture logs,
and so on.
Required: Yes
Type: String

2262
AWS Glue

CustomPatterns
Optional custom grok patterns defined by this classifier. For more information, see custom patterns
in Writing Custom Classifiers.
Required: No
Type: String

GrokPattern
The grok pattern applied to a data store by this classifier. For more information, see built-in patterns
in Writing Custom Classifiers.
Required: Yes
Type: String

Name
Required: No
Type: String
AWS::Glue::Classifier JsonClassifier
A classifier for JSON content.
Syntax
JSON
{
"JsonPath" : String,
"Name" : String
}
YAML
JsonPath: String
Name: String
Properties
JsonPath
A JsonPath string defining the JSON data for the classifier to classify. AWS Glue supports a subset
of JsonPath, as described in Writing JsonPath Custom Classifiers.
Required: Yes

2263
AWS Glue
Type: String

Name
Required: No
Type: String
See Also
• JsonClassifier Structure in the AWS Glue Developer Guide
AWS::Glue::Classifier XMLClassifier
A classifier for XML content.
Syntax
JSON
{
"Name" : String,
"RowTag" : String
}
YAML
Name: String
RowTag: String
Properties
Classification
An identifier of the data format that the classifier matches.
Required: Yes
Type: String

Name
Required: No
Type: String

2264
AWS Glue

RowTag
The XML tag designating the element that contains each record in an XML document being parsed.
This can't identify a self-closing element (closed by />). An empty row element that contains only
attributes can be parsed as long as it ends with a closing tag (for example, <row item_a="A"
item_b="B"></row> is okay, but <row item_a="A" item_b="B" /> is not).
Required: Yes
Type: String
See Also
• XMLClassifier Structure in the AWS Glue Developer Guide
AWS::Glue::Connection
The AWS::Glue::Connection resource specifies an AWS Glue connection to a data source. For more
information, see Adding a Connection to Your Data Store and Connection Structure in the AWS Glue
Developer Guide.
Syntax
JSON
{
"Type" : "AWS::Glue::Connection",
"Properties" : {
"CatalogId" : String,
"ConnectionInput" : ConnectionInput (p. 2266)
}
}
YAML
Type: AWS::Glue::Connection
Properties:
CatalogId: String
ConnectionInput:
ConnectionInput (p. 2266)
Properties
CatalogId
The ID of the data catalog to create the catalog object in. Currently, this should be the AWS account
ID.
Note
To specify the account ID, you can use the Ref intrinsic function with the AWS::AccountId
pseudo parameter. For example: !Ref AWS::AccountId.

2265
AWS Glue
Required: Yes
Type: String

ConnectionInput
The connection that you want to create.
Required: Yes
Type: ConnectionInput (p. 2266)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the connection
name.
AWS::Glue::Connection ConnectionInput
A structure that is used to specify a connection to create or update.
Syntax
JSON
{
"ConnectionProperties" : Json,
"MatchCriteria" : [ String, ... ],
"Name" : String,
"PhysicalConnectionRequirements" : PhysicalConnectionRequirements (p. 2267)
}
YAML
ConnectionProperties: Json
Description: String
MatchCriteria:
- String
Name: String
PhysicalConnectionRequirements:
PhysicalConnectionRequirements (p. 2267)
Properties
ConnectionProperties
These key-value pairs define parameters for the connection.

2266
AWS Glue
Required: Yes
Type: Json

ConnectionType
The type of the connection. Currently, only JDBC is supported; SFTP is not supported.
Required: Yes
Type: String

Description
The description of the connection.
Required: No
Type: String

MatchCriteria
A list of criteria that can be used in selecting this connection.
Required: No

Name
The name of the connection.
Required: No
Type: String

PhysicalConnectionRequirements
A map of physical connection requirements, such as virtual private cloud (VPC) and
SecurityGroup, that are needed to successfully make this connection.
Required: No
Type: PhysicalConnectionRequirements (p. 2267)
AWS::Glue::Connection PhysicalConnectionRequirements
Specifies the physical requirements for a connection.
Syntax

2267
AWS Glue
JSON
{
"SecurityGroupIdList" : [ String, ... ],
"SubnetId" : String
}
YAML
SecurityGroupIdList:
- String
SubnetId: String
Properties
AvailabilityZone
The connection's Availability Zone. This field is redundant because the specified subnet implies the
Availability Zone to be used. Currently the field must be populated, but it will be deprecated in the
future.
Required: No
Type: String

SecurityGroupIdList
The security group ID list used by the connection.
Required: No

SubnetId
The subnet ID used by the connection.
Required: No
Type: String
AWS::Glue::Crawler
The AWS::Glue::Crawler resource specifies an AWS Glue crawler. For more information, see
Cataloging Tables with a Crawler and Crawler Structure in the AWS Glue Developer Guide.
Syntax
JSON

2268
AWS Glue
"Type" : "AWS::Glue::Crawler",
"Properties" : {
"Classifiers" : [ String, ... ],
"Configuration" : String,
"CrawlerSecurityConfiguration" : String,
"Name" : String,
"Role" : String,
"Schedule" : Schedule (p. 2278),
"SchemaChangePolicy" : SchemaChangePolicy (p. 2278),
"TablePrefix" : String,
"Tags" : Json,
"Targets" : Targets (p. 2279)
}
}
YAML
Type: AWS::Glue::Crawler
Properties:
Classifiers:
- String
Configuration: String
CrawlerSecurityConfiguration: String
Description: String
Name: String
Role: String
Schedule:
Schedule (p. 2278)
SchemaChangePolicy:
SchemaChangePolicy (p. 2278)
TablePrefix: String
Tags: Json
Targets:
Targets (p. 2279)
Properties
Classifiers
A list of UTF-8 strings that specify the custom classifiers that are associated with the crawler.
Required: No

Configuration
Crawler configuration information. This versioned JSON string allows users to specify aspects of a
crawler's behavior. For more information, see Configuring a Crawler.
Required: No
Type: String

CrawlerSecurityConfiguration
The name of the SecurityConfiguration structure to be used by this crawler.

2269
AWS Glue
Required: No
Type: String

DatabaseName
The name of the database in which the crawler's output is stored.
Required: No
Type: String

Description
A description of the crawler.
Required: No
Type: String

Name
The name of the crawler.
Required: No
Type: String

Role
The Amazon Resource Name (ARN) of an IAM role that's used to access customer resources, such as
Amazon Simple Storage Service (Amazon S3) data.
Required: Yes
Type: String

Schedule
For scheduled crawlers, the schedule when the crawler runs.
Required: No
Type: Schedule (p. 2278)

SchemaChangePolicy
The policy that specifies update and delete behaviors for the crawler.
Required: No
Type: SchemaChangePolicy (p. 2278)

2270
AWS Glue
TablePrefix
The prefix added to the names of tables that are created.
Required: No
Type: String

Tags
The tags to use with this crawler.
Required: No
Type: Json

Targets
A collection of targets to crawl.
Required: Yes
Type: Targets (p. 2279)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the crawler name.
Examples
The following example creates a crawler for an Amazon S3 target.
JSON
{
"Description": "AWS Glue Crawler Test",
"Resources": {
"MyRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"glue.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"

2271
AWS Glue
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]
}
},
"MyDatabase": {
"Type": "AWS::Glue::Database",
"Properties": {
"CatalogId": {
},
"DatabaseInput": {
"Name": "dbCrawler",
"Description": "TestDatabaseDescription",
"LocationUri": "TestLocationUri",
"Parameters": {
"key1": "value1",
"key2": "value2"
}
}
}
},
"MyClassifier": {
"Type": "AWS::Glue::Classifier",
"Properties": {
"GrokClassifier": {
"Name": "CrawlerClassifier",
"Classification": "wikiData",
"GrokPattern": "%{NOTSPACE:language} %{NOTSPACE:page_title}
%{NUMBER:hits:long} %{NUMBER:retrieved_size:long}"
}
}
},
"MyS3Bucket": {
"Properties": {
"BucketName": "crawlertesttarget",
"AccessControl": "BucketOwnerFullControl"
}
},
"MyCrawler2": {
"Type": "AWS::Glue::Crawler",
"Properties": {
"Name": "testcrawler1",
"Role": {
"Fn::GetAtt": [
"MyRole",
"Arn"
]

2272
AWS Glue
},
"DatabaseName": {
"Ref": "MyDatabase"
},
"Classifiers": [
{
"Ref": "MyClassifier"
}
],
"Targets": {
"S3Targets": [
{
"Path": {
"Ref": "MyS3Bucket"
}
}
]
},
"SchemaChangePolicy": {
"UpdateBehavior": "UPDATE_IN_DATABASE",
"DeleteBehavior": "LOG"
},
"Schedule": {
"ScheduleExpression": "cron(0/10 * ? * MON-FRI *)"
}
}
}
}
}
YAML
Resources:
MyRole:
Properties:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "glue.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
-
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "*"
Resource: "*"
MyDatabase:
Type: AWS::Glue::Database
Properties:
CatalogId: !Ref AWS::AccountId
DatabaseInput:
Name: "dbCrawler"

2273
AWS Glue
Description: "TestDatabaseDescription"
LocationUri: "TestLocationUri"
Parameters:
key1 : "value1"
key2 : "value2"
MyClassifier:
Type: AWS::Glue::Classifier
Properties:
GrokClassifier:
Name: "CrawlerClassifier"
Classification: "wikiData"
GrokPattern: "%{NOTSPACE:language} %{NOTSPACE:page_title} %{NUMBER:hits:long}
%{NUMBER:retrieved_size:long}"
MyS3Bucket:
Properties:
BucketName: "crawlertesttarget"
AccessControl: "BucketOwnerFullControl"
MyCrawler2:
Properties:
Name: "testcrawler1"
Role: !GetAtt MyRole.Arn
DatabaseName: !Ref MyDatabase
Classifiers:
- !Ref MyClassifier
Targets:
S3Targets:
- Path: !Ref MyS3Bucket
SchemaChangePolicy:
UpdateBehavior: "UPDATE_IN_DATABASE"
DeleteBehavior: "LOG"
Schedule:
ScheduleExpression: "cron(0/10 * ? * MON-FRI *)"
Crawler Configuration
The following example specifies a configuration that controls a crawler's behavior.
JSON
{
"Type": "AWS::Glue::Crawler",
"Properties": {
"Role": "role1",
"Classifiers": [],
"Description": "example classifier",
"SchemaChangePolicy": "",
"Schedule": "Schedule",
"DatabaseName": "test",
"Targets": [],
"TablePrefix": "test-",
"Name": "my-crawler",
"Configuration": "{\"Version\":1.0,\"CrawlerOutput\":{\"Partitions\":
{\"AddOrUpdateBehavior\":\"InheritFromTable\"},\"Tables\":{\"AddOrUpdateBehavior\":
\"MergeNewColumns\"}}}"
}
}

2274
AWS Glue
YAML
Properties:
Role: role1
Classifiers:
- ''
Description: example classifier
SchemaChangePolicy: ''
Schedule: Schedule
DatabaseName: test
Targets:
- ''
TablePrefix: test-
Name: my-crawler
Configuration: "{\"Version\":1.0,\"CrawlerOutput\":{\"Partitions\":{\"AddOrUpdateBehavior
\":\"InheritFromTable\"},\"Tables\":{\"AddOrUpdateBehavior\":\"MergeNewColumns\"}}}"
AWS::Glue::Crawler CatalogTarget
Specifies an AWS Glue Data Catalog target.
Syntax
JSON
{
"Tables" : [ String, ... ]
}
YAML
Tables:
- String
Properties
DatabaseName
The name of the database to be synchronized.
Required: No
Type: String

Tables
A list of the tables to be synchronized.
Required: No

2275
AWS Glue
AWS::Glue::Crawler DynamoDBTarget
Specifies an Amazon DynamoDB table to crawl.
Syntax
JSON
{
"Path" : String
}
YAML
Path: String
Properties
Path
The name of the DynamoDB table to crawl.
Required: No
Type: String
AWS::Glue::Crawler JdbcTarget
Specifies a JDBC data store to crawl.
Syntax
JSON
{
"ConnectionName" : String,
"Exclusions" : [ String, ... ],
"Path" : String
}
YAML
ConnectionName: String
Exclusions:
- String
Path: String
Properties
ConnectionName
The name of the connection to use to connect to the JDBC target.

2276
AWS Glue
Required: No
Type: String

Exclusions
A list of glob patterns used to exclude from the crawl. For more information, see Catalog Tables with
a Crawler.
Required: No

Path
The path of the JDBC target.
Required: No
Type: String
AWS::Glue::Crawler S3Target
Specifies a data store in Amazon Simple Storage Service (Amazon S3).
Syntax
JSON
{
"Exclusions" : [ String, ... ],
"Path" : String
}
YAML
Exclusions:
- String
Path: String
Properties
Exclusions
A list of glob patterns used to exclude from the crawl. For more information, see Catalog Tables with
a Crawler.
Required: No

2277
AWS Glue

Path
The path to the Amazon S3 target.
Required: No
Type: String
AWS::Glue::Crawler Schedule
A scheduling object using a cron statement to schedule an event.
Syntax
JSON
{
"ScheduleExpression" : String
}
YAML
Properties
ScheduleExpression
A cron expression used to specify the schedule. For more information, see Time-Based Schedules
for Jobs and Crawlers. For example, to run something every day at 12:15 UTC, specify cron(15 12
* * ? *).
Required: No
Type: String
AWS::Glue::Crawler SchemaChangePolicy
A policy that specifies update and deletion behaviors for the crawler.
Syntax
JSON
{
"DeleteBehavior" : String,

2278
AWS Glue
"UpdateBehavior" : String
}
YAML
DeleteBehavior: String
UpdateBehavior: String
Properties
DeleteBehavior
The deletion behavior when the crawler finds a deleted object.
Required: No
Type: String

UpdateBehavior
The update behavior when the crawler finds a changed schema.
Required: No
Type: String
AWS::Glue::Crawler Targets
Specifies data stores to crawl.
Syntax
JSON
{
"CatalogTargets" : [ CatalogTarget (p. 2275), ... ],
"DynamoDBTargets" : [ DynamoDBTarget (p. 2276), ... ],
"JdbcTargets" : [ JdbcTarget (p. 2276), ... ],
"S3Targets" : [ S3Target (p. 2277), ... ]
}
YAML
CatalogTargets:
- CatalogTarget (p. 2275)
DynamoDBTargets:
- DynamoDBTarget (p. 2276)
JdbcTargets:
- JdbcTarget (p. 2276)
S3Targets:
- S3Target (p. 2277)

2279
AWS Glue
Properties
CatalogTargets
Specifies AWS Glue Data Catalog targets.
Required: No
Type: List of CatalogTarget (p. 2275)

DynamoDBTargets
Specifies Amazon DynamoDB targets.
Required: No
Type: List of DynamoDBTarget (p. 2276)

JdbcTargets
Specifies JDBC targets.
Required: No
Type: List of JdbcTarget (p. 2276)

S3Targets
Specifies Amazon Simple Storage Service (Amazon S3) targets.
Required: No
Type: List of S3Target (p. 2277)
AWS::Glue::Database
The AWS::Glue::Database resource specifies a logical grouping of tables in AWS Glue. For more
information, see Defining a Database in Your Data Catalog and Database Structure in the AWS Glue
Developer Guide.
Syntax
JSON
{
"Type" : "AWS::Glue::Database",
"Properties" : {
"DatabaseInput" : DatabaseInput (p. 2281)
}

2280
AWS Glue
YAML
Properties:
CatalogId: String
DatabaseInput:
DatabaseInput (p. 2281)
Properties
CatalogId
The AWS account ID for the account in which to create the catalog object.
Note
pseudo parameter. For example: !Ref AWS::AccountId
Required: Yes
Type: String

DatabaseInput
The metadata for the database.
Required: Yes
Type: DatabaseInput (p. 2281)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the database
name.
AWS::Glue::Database DatabaseInput
The structure used to create or update a database.
Syntax
JSON
{
"LocationUri" : String,

2281
AWS Glue
"Name" : String,
"Parameters" : Json
}
YAML
Description: String
LocationUri: String
Name: String
Parameters: Json
Properties
Description
A description of the database.
Required: No
Type: String

LocationUri
The location of the database (for example, an HDFS path).
Required: No
Type: String

Name
The name of the database. For Hive compatibility, this is folded to lowercase when it is stored.
Required: No
Type: String

Parameters
These key-value pairs define parameters and properties of the database.
These key-value pairs define parameters and properties of the database.
Required: No
Type: Json
AWS::Glue::DataCatalogEncryptionSettings
Sets the security configuration for a specified catalog. After the configuration has been set, the specified
encryption is applied to every catalog write thereafter.

2282
AWS Glue
Syntax
JSON
{
"Type" : "AWS::Glue::DataCatalogEncryptionSettings",
"Properties" : {
"DataCatalogEncryptionSettings" : DataCatalogEncryptionSettings (p. 2284)
}
}
YAML
Type: AWS::Glue::DataCatalogEncryptionSettings
Properties:
CatalogId: String
DataCatalogEncryptionSettings:
DataCatalogEncryptionSettings (p. 2284)
Properties
CatalogId
The ID of the Data Catalog in which the settings are created.
Required: Yes
Type: String

DataCatalogEncryptionSettings
Contains configuration information for maintaining Data Catalog security.
Required: Yes
Type: DataCatalogEncryptionSettings (p. 2284)
Return Values
Ref
AWS::Glue::DataCatalogEncryptionSettings ConnectionPasswordEncryption
The data structure used by the Data Catalog to encrypt the password as part of CreateConnection or
UpdateConnection and store it in the ENCRYPTED_PASSWORD field in the connection properties. You
can enable catalog encryption or only password encryption.
When a CreationConnection request arrives containing a password, the Data Catalog first encrypts
the password using your AWS KMS key. It then encrypts the whole connection object again if catalog
encryption is also enabled.

2283
AWS Glue
This encryption requires that you set AWS KMS key permissions to enable or restrict access on the
password key according to your security requirements. For example, you might want only administrators
to have decrypt permission on the password key.
Syntax
JSON
{
"ReturnConnectionPasswordEncrypted" : Boolean
}
YAML
KmsKeyId: String
ReturnConnectionPasswordEncrypted: Boolean
Properties
KmsKeyId
An AWS KMS key that is used to encrypt the connection password.
If connection password protection is enabled, the caller of CreateConnection and

UpdateConnection needs at least kms:Encrypt permission on the specified AWS KMS key, to
encrypt passwords before storing them in the Data Catalog. You can set the decrypt permission to
enable or restrict access on the password key according to your security requirements.
Required: No
Type: String

ReturnConnectionPasswordEncrypted
When the ReturnConnectionPasswordEncrypted flag is set to "true", passwords remain

encrypted in the responses of GetConnection and GetConnections. This encryption takes effect
independently from catalog encryption.
Required: No
Type: Boolean
AWS::Glue::DataCatalogEncryptionSettings DataCatalogEncryptionSettings
Contains configuration information for maintaining Data Catalog security.
Syntax

2284
AWS Glue
JSON
{
"ConnectionPasswordEncryption" : ConnectionPasswordEncryption (p. 2283),
"EncryptionAtRest" : EncryptionAtRest (p. 2285)
}
YAML
ConnectionPasswordEncryption:
ConnectionPasswordEncryption (p. 2283)
EncryptionAtRest:
EncryptionAtRest (p. 2285)
Properties
ConnectionPasswordEncryption
When connection password protection is enabled, the Data Catalog uses a customer-provided key
to encrypt the password as part of CreateConnection or UpdateConnection and store it in the
ENCRYPTED_PASSWORD field in the connection properties. You can enable catalog encryption or
only password encryption.
Required: No
Type: ConnectionPasswordEncryption (p. 2283)

EncryptionAtRest
Specifies the encryption-at-rest configuration for the Data Catalog.
Required: No
Type: EncryptionAtRest (p. 2285)
AWS::Glue::DataCatalogEncryptionSettings EncryptionAtRest
Specifies the encryption-at-rest configuration for the Data Catalog.
Syntax
JSON
{
"CatalogEncryptionMode" : String,
"SseAwsKmsKeyId" : String
}
YAML
CatalogEncryptionMode: String

2285
AWS Glue
SseAwsKmsKeyId: String
Properties
CatalogEncryptionMode
The encryption-at-rest mode for encrypting Data Catalog data.
Required: No
Type: String

SseAwsKmsKeyId
The ID of the AWS KMS key to use for encryption at rest.
Required: No
Type: String
AWS::Glue::DevEndpoint
The AWS::Glue::DevEndpoint resource specifies a development endpoint where a developer can
remotely debug ETL scripts for AWS Glue. For more information, see DevEndpoint Structure in the AWS
Glue Developer Guide.
Syntax
JSON
{
"Type" : "AWS::Glue::DevEndpoint",
"Properties" : {
"Arguments" : Json,
"EndpointName" : String,
"ExtraJarsS3Path" : String,
"ExtraPythonLibsS3Path" : String,
"GlueVersion" : String,
"NumberOfNodes" : Integer,
"NumberOfWorkers" : Integer,
"PublicKey" : String,
"RoleArn" : String,
"Tags" : Json,
"WorkerType" : String
}
}
YAML
Type: AWS::Glue::DevEndpoint

2286
AWS Glue
Properties:
Arguments: Json
EndpointName: String
ExtraJarsS3Path: String
ExtraPythonLibsS3Path: String
GlueVersion: String
NumberOfNodes: Integer
NumberOfWorkers: Integer
PublicKey: String
RoleArn: String
SecurityGroupIds:
- String
SubnetId: String
Tags: Json
WorkerType: String
Properties
Arguments
A map of arguments used to configure the DevEndpoint.
Valid arguments are:

• "--enable-glue-datacatalog": ""
• "GLUE_PYTHON_VERSION": "3"
• "GLUE_PYTHON_VERSION": "2"
You can specify a version of Python support for development endpoints by using the Arguments
parameter in the CreateDevEndpoint or UpdateDevEndpoint APIs. If no arguments are
provided, the version defaults to Python 2.
Required: No
Type: Json

EndpointName
The name of the DevEndpoint.
Required: No
Type: String

ExtraJarsS3Path
The path to one or more Java .jar files in an S3 bucket that should be loaded in your
DevEndpoint.
Note
You can only use pure Java/Scala libraries with a DevEndpoint.
Required: No
Type: String

2287
AWS Glue
ExtraPythonLibsS3Path
The paths to one or more Python libraries in an Amazon S3 bucket that should be loaded in your
DevEndpoint. Multiple values must be complete paths separated by a comma.
Note
You can only use pure Python libraries with a DevEndpoint. Libraries that rely on C
extensions, such as the pandas Python data analysis library, are not currently supported.
Required: No
Type: String

GlueVersion
Glue version determines the versions of Apache Spark and Python that AWS Glue supports. The
Python version indicates the version supported for running your ETL scripts on development
endpoints.
For more information about the available AWS Glue versions and corresponding Spark and Python
versions, see Glue version in the developer guide.
Development endpoints that are created without specifying a Glue version default to Glue 0.9.
You can specify a version of Python support for development endpoints by using the Arguments
parameter in the CreateDevEndpoint or UpdateDevEndpoint APIs. If no arguments are
provided, the version defaults to Python 2.
Required: No
Type: String

NumberOfNodes
The number of AWS Glue Data Processing Units (DPUs) allocated to this DevEndpoint.
Required: No
Type: Integer

NumberOfWorkers
The number of workers of a defined workerType that are allocated to the development endpoint.
The maximum number of workers you can define are 299 for G.1X, and 149 for G.2X.
Required: No
Type: Integer

PublicKey
The public key to be used by this DevEndpoint for authentication. This attribute is provided for
backward compatibility because the recommended attribute to use is public keys.

2288
AWS Glue
Required: No
Type: String

RoleArn
The Amazon Resource Name (ARN) of the IAM role used in this DevEndpoint.
Required: Yes
Type: String

The name of the SecurityConfiguration structure to be used with this DevEndpoint.
Required: No
Type: String

SecurityGroupIds
A list of security group identifiers used in this DevEndpoint.
Required: No

SubnetId
The subnet ID for this DevEndpoint.
Required: No
Type: String

Tags
The tags to use with this DevEndpoint.
Required: No
Type: Json

WorkerType
The type of predefined worker that is allocated to the development endpoint. Accepts a value of
Standard, G.1X, or G.2X.
• For the Standard worker type, each worker provides 4 vCPU, 16 GB of memory and a 50GB disk,
and 2 executors per worker.
• For the G.1X worker type, each worker maps to 1 DPU (4 vCPU, 16 GB of memory, 64 GB disk),
and provides 1 executor per worker. We recommend this worker type for memory-intensive jobs.

2289
AWS Glue
Known issue: when a development endpoint is created with the G.2X WorkerType configuration,
the Spark drivers for the development endpoint will run on 4 vCPU, 16 GB of memory, and a 64 GB
disk.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the endpoint
name.
See Also
• DevEndpoint Structure in the AWS Glue Developer Guide
AWS::Glue::Job
The AWS::Glue::Job resource specifies an AWS Glue job in the data catalog. For more information, see
Adding Jobs in AWS Glue and Job Structure in the AWS Glue Developer Guide.
Syntax
JSON
{
"Type" : "AWS::Glue::Job",
"Properties" : {
"AllocatedCapacity" : Double,
"Command" : JobCommand (p. 2297),
"Connections" : ConnectionsList (p. 2296),
"DefaultArguments" : Json,
"ExecutionProperty" : ExecutionProperty (p. 2297),
"LogUri" : String,
"MaxCapacity" : Double,
"MaxRetries" : Double,
"Name" : String,
"NotificationProperty" : NotificationProperty (p. 2298),
"Role" : String,
"Tags" : Json,
"Timeout" : Integer,
}

2290
AWS Glue
YAML
Type: AWS::Glue::Job
Properties:
AllocatedCapacity: Double
Command:
JobCommand (p. 2297)
Connections:
ConnectionsList (p. 2296)
DefaultArguments: Json
Description: String
ExecutionProperty:
ExecutionProperty (p. 2297)
GlueVersion: String
LogUri: String
MaxCapacity: Double
MaxRetries: Double
Name: String
NotificationProperty:
NotificationProperty (p. 2298)
Role: String
Tags: Json
Timeout: Integer
WorkerType: String
Properties
AllocatedCapacity
The number of capacity units that are allocated to this job.
Required: No
Type: Double

Command
The code that executes a job.
Required: Yes
Type: JobCommand (p. 2297)

Connections
The connections used for this job.
Required: No
Type: ConnectionsList (p. 2296)

DefaultArguments
The default arguments for this job, specified as name-value pairs.

2291
AWS Glue
You can specify arguments here that your own job-execution script consumes, in addition to
arguments that AWS Glue itself consumes.
For information about how to specify and consume your own job arguments, see Calling AWS Glue
APIs in Python in the AWS Glue Developer Guide.
For information about the key-value pairs that AWS Glue consumes to set up your job, see Special
Parameters Used by AWS Glue in the AWS Glue Developer Guide.
Required: No
Type: Json

Description
A description of the job.
Required: No
Type: String

ExecutionProperty
The maximum number of concurrent runs that are allowed for this job.
Required: No
Type: ExecutionProperty (p. 2297)

GlueVersion
Glue version determines the versions of Apache Spark and Python that AWS Glue supports. The
Python version indicates the version supported for jobs of type Spark.
For more information about the available AWS Glue versions and corresponding Spark and Python
versions, see Glue version in the developer guide.
Jobs that are created without specifying a Glue version default to Glue 0.9.
Required: No
Type: String

LogUri
This field is reserved for future use.
Required: No
Type: String

MaxCapacity
The number of AWS Glue data processing units (DPUs) that can be allocated when this job runs. A
DPU is a relative measure of processing power that consists of 4 vCPUs of compute capacity and 16
GB of memory.

2292
AWS Glue
Do not set Max Capacity if using WorkerType and NumberOfWorkers.
The value that can be allocated for MaxCapacity depends on whether you are running a Python
shell job or an Apache Spark ETL job:
• When you specify a Python shell job (JobCommand.Name="pythonshell"), you can allocate either
0.0625 or 1 DPU. The default is 0.0625 DPU.
• When you specify an Apache Spark ETL job (JobCommand.Name="glueetl"), you can allocate from
2 to 100 DPUs. The default is 10 DPUs. This job type cannot have a fractional DPU allocation.
Required: No
Type: Double

MaxRetries
The maximum number of times to retry this job after a JobRun fails.
Required: No
Type: Double

Name
The name you assign to this job definition.
Required: No
Type: String

NotificationProperty
Specifies configuration properties of a notification.
Required: No
Type: NotificationProperty (p. 2298)

NumberOfWorkers
The number of workers of a defined workerType that are allocated when a job runs.
The maximum number of workers you can define are 299 for G.1X, and 149 for G.2X.
Required: No
Type: Integer

Role
The name or Amazon Resource Name (ARN) of the IAM role associated with this job.
Required: Yes

2293
AWS Glue
Type: String

The name of the SecurityConfiguration structure to be used with this job.
Required: No
Type: String

Tags
The tags to use with this job.
Required: No
Type: Json

Timeout
The job timeout in minutes. This is the maximum time that a job run can consume resources before it
is terminated and enters TIMEOUT status. The default is 2,880 minutes (48 hours).
Required: No
Type: Integer

WorkerType
The type of predefined worker that is allocated when a job runs. Accepts a value of Standard, G.1X,
or G.2X.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the job name.

2294
AWS Glue
Examples
The following example creates a job with an associated role.
JSON
{
"Description": "AWS Glue Job Test",
"Resources": {
"MyJobRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]
}
},
"MyJob": {
"Type": "AWS::Glue::Job",
"Properties": {
"Command": {
"Name": "glueetl",
"ScriptLocation": "s3://aws-glue-scripts//prod-job1"
},
"DefaultArguments": {
"--job-bookmark-option": "job-bookmark-enable"
},
"ExecutionProperty": {
"MaxConcurrentRuns": 2
},
"MaxRetries": 0,
"Name": "cf-job1",
"Role": {
"Ref": "MyJobRole"
}

2295
AWS Glue
}
}
}
}
YAML
---
Description: "AWS Glue Job Test"
Resources:
MyJobRole:
Properties:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
-
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "*"
Resource: "*"
MyJob:
Properties:
Command:
Name: glueetl
ScriptLocation: "s3://aws-glue-scripts//prod-job1"
DefaultArguments:
ExecutionProperty:
MaxConcurrentRuns: 2
MaxRetries: 0
Name: cf-job1
Role: !Ref MyJobRole
AWS::Glue::Job ConnectionsList
Specifies the connections used by a job.
Syntax
JSON
{
"Connections" : [ String, ... ]
}

2296
AWS Glue
YAML
Connections:
- String
Properties
Connections
A list of connections used by the job.
Required: No
AWS::Glue::Job ExecutionProperty
An execution property of a job.
Syntax
JSON
{
"MaxConcurrentRuns" : Double
}
YAML
MaxConcurrentRuns: Double
Properties
MaxConcurrentRuns
The maximum number of concurrent runs allowed for the job. The default is 1. An error is returned
when this threshold is reached. The maximum value you can specify is controlled by a service limit.
Required: No
Type: Double
AWS::Glue::Job JobCommand
Specifies code executed when a job is run.
Syntax

2297
AWS Glue
JSON
{
"Name" : String,
"PythonVersion" : String,
"ScriptLocation" : String
}
YAML
Name: String
PythonVersion: String
ScriptLocation: String
Properties
Name
The name of the job command. For an Apache Spark ETL job, this must be glueetl. For a Python
shell job, it must be pythonshell.
Required: No
Type: String

PythonVersion
The Python version being used to execute a Python shell job. Allowed values are 2 or 3.
Required: No
Type: String

ScriptLocation
Specifies the Amazon Simple Storage Service (Amazon S3) path to a script that executes a job
(required).
Required: No
Type: String
AWS::Glue::Job NotificationProperty
Specifies configuration properties of a notification.
Syntax
JSON
{
"NotifyDelayAfter" : Integer

2298
AWS Glue
YAML
NotifyDelayAfter: Integer
Properties
NotifyDelayAfter
After a job run starts, the number of minutes to wait before sending a job run delay notification.
Required: No
Type: Integer
AWS::Glue::MLTransform
The AWS::Glue::MLTransform is an AWS Glue resource type that manages machine learning transforms.
Syntax
JSON
{
"Type" : "AWS::Glue::MLTransform",
"Properties" : {
"InputRecordTables" : InputRecordTables (p. 2305),
"MaxCapacity" : Double,
"Name" : String,
"Role" : String,
"Timeout" : Integer,
"TransformParameters" : TransformParameters (p. 2305),
}
}
YAML
Type: AWS::Glue::MLTransform
Properties:
Description: String
GlueVersion: String
InputRecordTables:
InputRecordTables (p. 2305)
MaxCapacity: Double
MaxRetries: Integer
Name: String
Role: String
Timeout: Integer

2299
AWS Glue
TransformParameters:
TransformParameters (p. 2305)
WorkerType: String
Properties
Description
A user-defined, long-form description text for the machine learning transform.
Required: No
Type: String

GlueVersion
This value determines which version of AWS Glue this machine learning transform is compatible
with. Glue 1.0 is recommended for most customers. If the value is not set, the Glue compatibility
defaults to Glue 0.9. For more information, see AWS Glue Versions in the developer guide.
Required: No
Type: String

InputRecordTables
A list of AWS Glue table definitions used by the transform.
Required: Yes
Type: InputRecordTables (p. 2305)

MaxCapacity
The number of AWS Glue data processing units (DPUs) that are allocated to task runs for this
transform. You can allocate from 2 to 100 DPUs; the default is 10. A DPU is a relative measure of
processing power that consists of 4 vCPUs of compute capacity and 16 GB of memory. For more
information, see the AWS Glue pricing page.
MaxCapacity is a mutually exclusive option with NumberOfWorkers and WorkerType.

• If either NumberOfWorkers or WorkerType is set, then MaxCapacity cannot be set.
• If MaxCapacity is set then neither NumberOfWorkers or WorkerType can be set.
• If WorkerType is set, then NumberOfWorkers is required (and vice versa).
• MaxCapacity and NumberOfWorkers must both be at least 1.
When the WorkerType field is set to a value other than Standard, the MaxCapacity field is set
automatically and becomes read-only.
Required: No
Type: Double

MaxRetries
The maximum number of times to retry after an MLTaskRun of the machine learning transform fails.

2300
AWS Glue
Required: No
Type: Integer

Name
A user-defined name for the machine learning transform. Names are required to be unique. Name is
optional:
• If you supply Name, the stack cannot be repeatedly created.
• If Name is not provided, a randomly generated name will be used instead.
Required: No
Type: String

NumberOfWorkers
The number of workers of a defined workerType that are allocated when a task of the transform
runs.
If WorkerType is set, then NumberOfWorkers is required (and vice versa).
Required: No
Type: Integer

Role
The name or Amazon Resource Name (ARN) of the IAM role with the required permissions. The
required permissions include both AWS Glue service role permissions to AWS Glue resources, and
Amazon S3 permissions required by the transform.
• This role needs AWS Glue service role permissions to allow access to resources in AWS Glue. See
Attach a Policy to IAM Users That Access AWS Glue.
• This role needs permission to your Amazon Simple Storage Service (Amazon S3) sources, targets,
temporary directory, scripts, and any libraries used by the task run for this transform.
Required: Yes
Type: String

Timeout
The timeout in minutes of the machine learning transform.
Required: No
Type: Integer

TransformParameters
The algorithm-specific parameters that are associated with the machine learning transform.
Required: Yes

2301
AWS Glue
Type: TransformParameters (p. 2305)

WorkerType
The type of predefined worker that is allocated when a task of this transform runs. Accepts a value
of Standard, G.1X, or G.2X.
• For the G.1X worker type, each worker provides 4 vCPU, 16 GB of memory and a 64GB disk, and 1
executor per worker.
• For the G.2X worker type, each worker provides 8 vCPU, 32 GB of memory and a 128GB disk, and
1 executor per worker.
MaxCapacity is a mutually exclusive option with NumberOfWorkers and WorkerType.

• If either NumberOfWorkers or WorkerType is set, then MaxCapacity cannot be set.
• If MaxCapacity is set then neither NumberOfWorkers or WorkerType can be set.
• If WorkerType is set, then NumberOfWorkers is required (and vice versa).
• MaxCapacity and NumberOfWorkers must both be at least 1.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the transform ID.
AWS::Glue::MLTransform FindMatchesParameters
The parameters to configure the find matches transform.
Syntax
JSON
{
"AccuracyCostTradeoff" : Double,
"EnforceProvidedLabels" : Boolean,
"PrecisionRecallTradeoff" : Double,
"PrimaryKeyColumnName" : String
}
YAML
AccuracyCostTradeoff: Double
EnforceProvidedLabels: Boolean
PrecisionRecallTradeoff: Double

2302
AWS Glue
PrimaryKeyColumnName: String
Properties
AccuracyCostTradeoff
The value that is selected when tuning your transform for a balance between accuracy and cost. A
value of 0.5 means that the system balances accuracy and cost concerns. A value of 1.0 means a
bias purely for accuracy, which typically results in a higher cost, sometimes substantially higher. A
value of 0.0 means a bias purely for cost, which results in a less accurate FindMatches transform,
sometimes with unacceptable accuracy.
Accuracy measures how well the transform finds true positives and true negatives. Increasing
accuracy requires more machine resources and cost. But it also results in increased recall.
Cost measures how many compute resources, and thus money, are consumed to run the transform.
Required: No
Type: Double

EnforceProvidedLabels
The value to switch on or off to force the output to match the provided labels from users. If the
value is True, the find matches transform forces the output to match the provided labels. The
results override the normal conflation results. If the value is False, the find matches transform
does not ensure all the labels provided are respected, and the results rely on the trained model.
Note that setting this value to true may increase the conflation execution time.
Required: No
Type: Boolean

PrecisionRecallTradeoff
The value selected when tuning your transform for a balance between precision and recall. A value
of 0.5 means no preference; a value of 1.0 means a bias purely for precision, and a value of 0.0
means a bias for recall. Because this is a tradeoff, choosing values close to 1.0 means very low recall,
and choosing values close to 0.0 results in very low precision.
The precision metric indicates how often your model is correct when it predicts a match.
The recall metric indicates that for an actual match, how often your model predicts the match.
Required: No
Type: Double

PrimaryKeyColumnName
The name of a column that uniquely identifies rows in the source table. Used to help identify
matching records.
Required: Yes
Type: String

2303
AWS Glue
AWS::Glue::MLTransform GlueTables
The database and table in the AWS Glue Data Catalog that is used for input or output data.
Syntax
JSON
{
"ConnectionName" : String,
"TableName" : String
}
YAML
CatalogId: String
ConnectionName: String
TableName: String
Properties
CatalogId
A unique identifier for the AWS Glue Data Catalog.
Required: No
Type: String

ConnectionName
The name of the connection to the AWS Glue Data Catalog.
Required: No
Type: String

DatabaseName
A database name in the AWS Glue Data Catalog.
Required: Yes
Type: String

TableName
A table name in the AWS Glue Data Catalog.

2304
AWS Glue
Required: Yes
Type: String
AWS::Glue::MLTransform InputRecordTables
A list of AWS Glue table definitions used by the transform.
Syntax
JSON
{
"GlueTables" : [ GlueTables (p. 2304), ... ]
}
YAML
GlueTables:
- GlueTables (p. 2304)
Properties
GlueTables
The database and table in the AWS Glue Data Catalog that is used for input or output data.
Required: No
Type: List (p. 2304) of GlueTables (p. 2304)
AWS::Glue::MLTransform TransformParameters
The algorithm-specific parameters that are associated with the machine learning transform.
Syntax
JSON
{
"FindMatchesParameters" : FindMatchesParameters (p. 2302),
"TransformType" : String
}
YAML
FindMatchesParameters:

2305
AWS Glue
FindMatchesParameters (p. 2302)

TransformType: String
Properties
FindMatchesParameters
The parameters for the find matches algorithm.
Required: No
Type: FindMatchesParameters (p. 2302)

TransformType
The type of machine learning transform. FIND_MATCHES is the only option.
For information about the types of machine learning transforms, see Creating Machine Learning
Transforms.
Required: Yes
Type: String
AWS::Glue::Partition
The AWS::Glue::Partition resource creates an AWS Glue partition, which represents a slice of table
data. For more information, see CreatePartition Action and Partition Structure in the AWS Glue Developer
Guide.
Syntax
JSON
{
"Type" : "AWS::Glue::Partition",
"Properties" : {
"PartitionInput" : PartitionInput (p. 2309),
}
}
YAML
Type: AWS::Glue::Partition
Properties:
CatalogId: String
PartitionInput:
PartitionInput (p. 2309)

2306
AWS Glue
TableName: String
Properties
CatalogId
The AWS account ID of the catalog in which the partion is to be created.

Note
pseudo parameter. For example: !Ref AWS::AccountId
Required: Yes
Type: String

DatabaseName
The name of the catalog database in which to create the partition.
Required: Yes
Type: String

PartitionInput
The structure used to create and update a partition.
Required: Yes
Type: PartitionInput (p. 2309)

TableName
The name of the metadata table in which the partition is to be created.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the partition
name.
See Also
• CreatePartition Action in the AWS Glue Developer Guide
• Partition Structure in the AWS Glue Developer Guide

2307
AWS Glue
AWS::Glue::Partition Column
A column in a Table.
Syntax
JSON
{
"Comment" : String,
"Name" : String,
"Type" : String
}
YAML
Comment: String
Name: String
Type: String
Properties
Comment
A free-form text comment.
Required: No
Type: String

Name
The name of the Column.
Required: Yes
Type: String

Type
The data type of the Column.
Required: No
Type: String
AWS::Glue::Partition Order
Specifies the sort order of a sorted column.
Syntax

2308
AWS Glue
JSON
{
"Column" : String (p. 2308),
"SortOrder" : Integer
}
YAML
Column: String (p. 2308)

SortOrder: Integer
Properties
Column
The name of the column.
Required: Yes
Type: String (p. 2308)

SortOrder
Indicates that the column is sorted in ascending order (== 1), or in descending order (==0).
Required: No
Type: Integer
AWS::Glue::Partition PartitionInput
The structure used to create and update a partition.
Syntax
JSON
{
"StorageDescriptor" : StorageDescriptor (p. 2312),
}
YAML
Parameters: Json
StorageDescriptor:
StorageDescriptor (p. 2312)
Values:
- String

2309
AWS Glue
Properties
Parameters
These key-value pairs define partition parameters.
Required: No
Type: Json

StorageDescriptor
Provides information about the physical location where the partition is stored.
Required: No
Type: StorageDescriptor (p. 2312)

Values
The values of the partition. Although this parameter is not required by the SDK, you must specify
this parameter for a valid input.
The values for the keys for the new partition must be passed as an array of String objects that must
be ordered in the same order as the partition keys appearing in the Amazon S3 prefix. Otherwise
AWS Glue will add the values to the wrong keys.
Required: Yes
See Also
• PartitionInput in the AWS Glue Developer Guide
AWS::Glue::Partition SerdeInfo
Information about a serialization/deserialization program (SerDe) that serves as an extractor and loader.
Syntax
JSON
{
"Name" : String,
"SerializationLibrary" : String
}
YAML
Name: String

2310
AWS Glue
Parameters: Json
SerializationLibrary: String
Properties
Name
Name of the SerDe.
Required: No
Type: String

Parameters
These key-value pairs define initialization parameters for the SerDe.
Required: No
Type: Json

SerializationLibrary
Usually the class that implements the SerDe. An example is

org.apache.hadoop.hive.serde2.columnar.ColumnarSerDe.
Required: No
Type: String
AWS::Glue::Partition SkewedInfo
Specifies skewed values in a table. Skewed values are those that occur with very high frequency.
Syntax
JSON
{
"SkewedColumnNames" : [ String, ... ],
"SkewedColumnValueLocationMaps" : Json,
"SkewedColumnValues" : [ String, ... ]
}
YAML
SkewedColumnNames:
- String
SkewedColumnValueLocationMaps: Json
SkewedColumnValues:
- String

2311
AWS Glue
Properties
SkewedColumnNames
A list of names of columns that contain skewed values.
Required: No

SkewedColumnValueLocationMaps
A mapping of skewed values to the columns that contain them.
Required: No
Type: Json

SkewedColumnValues
A list of values that appear so frequently as to be considered skewed.
Required: No
AWS::Glue::Partition StorageDescriptor
Describes the physical storage of table data.
Syntax
JSON
{
"BucketColumns" : [ String, ... ],
"Columns" : [ Column (p. 2308), ... ],
"Compressed" : Boolean,
"InputFormat" : String,
"NumberOfBuckets" : Integer,
"OutputFormat" : String,
"SerdeInfo" : SerdeInfo (p. 2310),
"SkewedInfo" : SkewedInfo (p. 2311),
"SortColumns" : [ Order (p. 2308), ... ],
"StoredAsSubDirectories" : Boolean
}
YAML
BucketColumns:
- String

2312
AWS Glue
Columns:
- Column (p. 2308)
Compressed: Boolean
InputFormat: String
Location: String
NumberOfBuckets: Integer
OutputFormat: String
Parameters: Json
SerdeInfo:
SerdeInfo (p. 2310)
SkewedInfo:
SkewedInfo (p. 2311)
SortColumns:
- Order (p. 2308)
StoredAsSubDirectories: Boolean
Properties
BucketColumns
A list of reducer grouping columns, clustering columns, and bucketing columns in the table.
Required: No

Columns
A list of the Columns in the table.
Required: No
Type: List of Column (p. 2308)

Compressed
True if the data in the table is compressed, or False if not.
Required: No
Type: Boolean

InputFormat
The input format: SequenceFileInputFormat (binary), or TextInputFormat, or a custom

format.
Required: No
Type: String

Location
The physical location of the table. By default, this takes the form of the warehouse location,
followed by the database location in the warehouse, followed by the table name.
Required: No

2313
AWS Glue
Type: String

NumberOfBuckets
The number of buckets.
You must specify this property if the partition contains any dimension columns.
Type: Integer

OutputFormat
The output format: SequenceFileOutputFormat (binary), or IgnoreKeyTextOutputFormat, or

a custom format.
Required: No
Type: String

Parameters
The user-supplied properties in key-value form.
Required: No
Type: Json

SerdeInfo
The serialization/deserialization (SerDe) information.
Required: No
Type: SerdeInfo (p. 2310)

SkewedInfo
The information about values that appear frequently in a column (skewed values).
Required: No
Type: SkewedInfo (p. 2311)

SortColumns
A list specifying the sort order of each bucket in the table.
Required: No
Type: List of Order (p. 2308)

2314
AWS Glue
StoredAsSubDirectories
True if the table data is stored in subdirectories, or False if not.
Required: No
Type: Boolean
AWS::Glue::SecurityConfiguration
Creates a new security configuration. A security configuration is a set of security properties that can
be used by AWS Glue. You can use a security configuration to encrypt data at rest. For information
about using security configurations in AWS Glue, see Encrypting Data Written by Crawlers, Jobs, and
Development Endpoints.
Syntax
JSON
{
"Type" : "AWS::Glue::SecurityConfiguration",
"Properties" : {
"EncryptionConfiguration" : EncryptionConfiguration (p. 2316),
"Name" : String
}
}
YAML
Type: AWS::Glue::SecurityConfiguration
Properties:
EncryptionConfiguration:
EncryptionConfiguration (p. 2316)
Name: String
Properties
EncryptionConfiguration
The encryption configuration associated with this security configuration.
Required: Yes
Type: EncryptionConfiguration (p. 2316)

Name
The name of the security configuration.
Required: Yes
Type: String

2315
AWS Glue
Return Values
Ref
AWS::Glue::SecurityConfiguration CloudWatchEncryption
Specifies how Amazon CloudWatch data should be encrypted.
Syntax
JSON
{
"CloudWatchEncryptionMode" : String,
"KmsKeyArn" : String
}
YAML
CloudWatchEncryptionMode: String
KmsKeyArn: String
Properties
CloudWatchEncryptionMode
The encryption mode to use for CloudWatch data.
Required: No
Type: String

KmsKeyArn
The Amazon Resource Name (ARN) of the KMS key to be used to encrypt the data.
Required: No
Type: String
AWS::Glue::SecurityConfiguration EncryptionConfiguration
Specifies an encryption configuration.
Syntax
JSON
{
"CloudWatchEncryption" : CloudWatchEncryption (p. 2316),
"JobBookmarksEncryption" : JobBookmarksEncryption (p. 2317),
"S3Encryptions" : S3Encryptions (p. 2319)

2316
AWS Glue
YAML
CloudWatchEncryption:
CloudWatchEncryption (p. 2316)
JobBookmarksEncryption:
JobBookmarksEncryption (p. 2317)
S3Encryptions:
S3Encryptions (p. 2319)
Properties
CloudWatchEncryption
The encryption configuration for Amazon CloudWatch.
Required: No
Type: CloudWatchEncryption (p. 2316)

JobBookmarksEncryption
The encryption configuration for job bookmarks.
Required: No
Type: JobBookmarksEncryption (p. 2317)

S3Encryptions
The encyption configuration for Amazon Simple Storage Service (Amazon S3) data.
Required: No
Type: S3Encryptions (p. 2319)
AWS::Glue::SecurityConfiguration JobBookmarksEncryption
Specifies how job bookmark data should be encrypted.
Syntax
JSON
{
"JobBookmarksEncryptionMode" : String,
"KmsKeyArn" : String
}
YAML
JobBookmarksEncryptionMode: String

2317
AWS Glue
KmsKeyArn: String
Properties
JobBookmarksEncryptionMode
The encryption mode to use for job bookmarks data.
Required: No
Type: String

KmsKeyArn
Required: No
Type: String
AWS::Glue::SecurityConfiguration S3Encryption
Specifies how Amazon Simple Storage Service (Amazon S3) data should be encrypted.
Syntax
JSON
{
"KmsKeyArn" : String,
"S3EncryptionMode" : String
}
YAML
KmsKeyArn: String
S3EncryptionMode: String
Properties
KmsKeyArn
Required: No
Type: String

S3EncryptionMode
The encryption mode to use for Amazon S3 data.

2318
AWS Glue
Required: No
Type: String
AWS::Glue::SecurityConfiguration S3Encryptions
The S3Encryptions property type specifies the encyption configuration for Amazon Simple Storage
Service (Amazon S3) data for a security configuration.
AWS::Glue::Table
The AWS::Glue::Table resource specifies tabular data in the AWS Glue data catalog. For more
information, see Defining Tables in the AWS Glue Data Catalog and Table Structure in the AWS Glue
Developer Guide.
Syntax
JSON
{
"Type" : "AWS::Glue::Table",
"Properties" : {
"TableInput" : TableInput (p. 2326)
}
}
YAML
Type: AWS::Glue::Table
Properties:
CatalogId: String
TableInput:
TableInput (p. 2326)
Properties
CatalogId
The ID of the Data Catalog in which to create the Table. If none is supplied, the AWS account ID is
used by default.
Required: Yes
Type: String

DatabaseName
The name of the database where the table metadata resides. For Hive compatibility, this must be all
lowercase.

2319
AWS Glue
Required: Yes
Type: String

TableInput
A structure used to define a table.
Required: Yes
Type: TableInput (p. 2326)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the table name.
AWS::Glue::Table Column
A column in a Table.
Syntax
JSON
{
"Comment" : String,
"Name" : String,
"Type" : String
}
YAML
Comment: String
Name: String
Type: String
Properties
Comment
A free-form text comment.
Required: No
Type: String

Name
The name of the Column.

2320
AWS Glue
Required: Yes
Type: String

Type
The data type of the Column.
Required: No
Type: String
See Also
• Column Structure in the AWS Glue Developer Guide
AWS::Glue::Table Order
Specifies the sort order of a sorted column.
Syntax
JSON
{
"Column" : String (p. 2320),
"SortOrder" : Integer
}
YAML
Column: String (p. 2320)

SortOrder: Integer
Properties
Column
The name of the column.
Required: Yes

SortOrder
Indicates that the column is sorted in ascending order (== 1), or in descending order (==0).
Required: Yes
Type: Integer

2321
AWS Glue
See Also
• Order Structure in the AWS Glue Developer Guide
AWS::Glue::Table SerdeInfo
Information about a serialization/deserialization program (SerDe) that serves as an extractor and loader.
Syntax
JSON
{
"Name" : String,
"SerializationLibrary" : String
}
YAML
Name: String
Parameters: Json
SerializationLibrary: String
Properties
Name
Name of the SerDe.
Required: No
Type: String

Parameters
These key-value pairs define initialization parameters for the SerDe.
Required: No
Type: Json

SerializationLibrary
Usually the class that implements the SerDe. An example is

org.apache.hadoop.hive.serde2.columnar.ColumnarSerDe.
Required: No
Type: String

2322
AWS Glue
See Also
• SerDeInfo Structure in the AWS Glue Developer Guide
AWS::Glue::Table SkewedInfo
Specifies skewed values in a table. Skewed values are those that occur with very high frequency.
Syntax
JSON
{
"SkewedColumnNames" : [ String, ... ],
"SkewedColumnValueLocationMaps" : Json,
"SkewedColumnValues" : [ String, ... ]
}
YAML
SkewedColumnNames:
- String
SkewedColumnValueLocationMaps: Json
SkewedColumnValues:
- String
Properties
SkewedColumnNames
A list of names of columns that contain skewed values.
Required: No

SkewedColumnValueLocationMaps
A mapping of skewed values to the columns that contain them.
Required: No
Type: Json

SkewedColumnValues
A list of values that appear so frequently as to be considered skewed.
Required: No

2323
AWS Glue
AWS::Glue::Table StorageDescriptor
Describes the physical storage of table data.
Syntax
JSON
{
"BucketColumns" : [ String, ... ],
"Columns" : [ Column (p. 2320), ... ],
"Compressed" : Boolean,
"InputFormat" : String,
"NumberOfBuckets" : Integer,
"OutputFormat" : String,
"SerdeInfo" : SerdeInfo (p. 2322),
"SkewedInfo" : SkewedInfo (p. 2323),
"SortColumns" : [ Order (p. 2321), ... ],
"StoredAsSubDirectories" : Boolean
}
YAML
BucketColumns:
- String
Columns:
- Column (p. 2320)
Compressed: Boolean
InputFormat: String
Location: String
NumberOfBuckets: Integer
OutputFormat: String
Parameters: Json
SerdeInfo:
SerdeInfo (p. 2322)
SkewedInfo:
SkewedInfo (p. 2323)
SortColumns:
- Order (p. 2321)
StoredAsSubDirectories: Boolean
Properties
BucketColumns
A list of reducer grouping columns, clustering columns, and bucketing columns in the table.
Required: No

Columns
A list of the Columns in the table.
Required: No

2324
AWS Glue

Compressed
True if the data in the table is compressed, or False if not.
Required: No
Type: Boolean

InputFormat
The input format: SequenceFileInputFormat (binary), or TextInputFormat, or a custom

format.
Required: No
Type: String

Location
The physical location of the table. By default, this takes the form of the warehouse location,
followed by the database location in the warehouse, followed by the table name.
Required: No
Type: String

NumberOfBuckets
Must be specified if the table contains any dimension columns.
Required: No
Type: Integer

OutputFormat
The output format: SequenceFileOutputFormat (binary), or IgnoreKeyTextOutputFormat, or

a custom format.
Required: No
Type: String

Parameters
The user-supplied properties in key-value form.
Required: No
Type: Json

2325
AWS Glue
SerdeInfo
The serialization/deserialization (SerDe) information.
Required: No
Type: SerdeInfo (p. 2322)

SkewedInfo
The information about values that appear frequently in a column (skewed values).
Required: No
Type: SkewedInfo (p. 2323)

SortColumns
A list specifying the sort order of each bucket in the table.
Required: No
Type: List of Order (p. 2321)

StoredAsSubDirectories
True if the table data is stored in subdirectories, or False if not.
Required: No
Type: Boolean
See Also
• StorageDescriptor Structure in the AWS Glue Developer Guide
AWS::Glue::Table TableInput
A structure used to define a table.
Syntax
JSON
{
"Name" : String,
"Owner" : String,
"PartitionKeys" : [ Column (p. 2320), ... ],
"Retention" : Integer,
"StorageDescriptor" : StorageDescriptor (p. 2324),
"TableType" : String,

2326
AWS Glue
"ViewExpandedText" : String,
"ViewOriginalText" : String
}
YAML
Description: String
Name: String
Owner: String
Parameters: Json
PartitionKeys:
- Column (p. 2320)
Retention: Integer
StorageDescriptor:
StorageDescriptor (p. 2324)
TableType: String
ViewExpandedText: String
ViewOriginalText: String
Properties
Description
A description of the table.
Required: No
Type: String

Name
The table name. For Hive compatibility, this is folded to lowercase when it is stored.
Required: No
Type: String

Owner
The table owner.
Required: No
Type: String

Parameters
These key-value pairs define properties associated with the table.
Required: No
Type: Json

PartitionKeys
A list of columns by which the table is partitioned. Only primitive types are supported as partition
keys.

2327
AWS Glue
When you create a table used by Amazon Athena, and you do not specify any partitionKeys, you
must at least set the value of partitionKeys to an empty list. For example:
"PartitionKeys": []
Required: No

Retention
The retention time for this table.
Required: No
Type: Integer

StorageDescriptor
A storage descriptor containing information about the physical storage of this table.
Required: No
Type: StorageDescriptor (p. 2324)

TableType
The type of this table (EXTERNAL_TABLE, VIRTUAL_VIEW, etc.).
Required: No
Type: String

ViewExpandedText
If the table is a view, the expanded text of the view; otherwise null.
Required: No
Type: String

ViewOriginalText
If the table is a view, the original text of the view; otherwise null.
Required: No
Type: String
AWS::Glue::Trigger
The AWS::Glue::Trigger resource specifies triggers that run AWS Glue jobs. For more information,
see Triggering Jobs in AWS Glue and Trigger Structure in the AWS Glue Developer Guide.

2328
AWS Glue
Syntax
JSON
{
"Type" : "AWS::Glue::Trigger",
"Properties" : {
"Actions" : [ Action (p. 2335), ... ],
"Name" : String,
"Predicate" : Predicate (p. 2338),
"Schedule" : String,
"StartOnCreation" : Boolean,
"Tags" : Json,
"Type" : String,
"WorkflowName" : String
}
}
YAML
Type: AWS::Glue::Trigger
Properties:
Actions:
- Action (p. 2335)
Description: String
Name: String
Predicate:
Predicate (p. 2338)
Schedule: String
StartOnCreation: Boolean
Tags: Json
Type: String
WorkflowName: String
Properties
Actions
The actions initiated by this trigger.
Required: Yes

Description
A description of this trigger.
Required: No
Type: String

Name
The name of the trigger.

2329
AWS Glue
Required: No
Type: String

Predicate
The predicate of this trigger, which defines when it will fire.
Required: No
Type: Predicate (p. 2338)

Schedule
A cron expression used to specify the schedule. For more information, see Time-Based Schedules
for Jobs and Crawlers in the AWS Glue Developer Guide. For example, to run something every day at
12:15 UTC, specify cron(15 12 * * ? *).
Required: No
Type: String

StartOnCreation
Set to true to start SCHEDULED and CONDITIONAL triggers when created. True is not supported for
ON_DEMAND triggers.
Required: No
Type: Boolean

Tags
The tags to use with this trigger.
Required: No
Type: Json

Type
The type of trigger that this is.
Required: Yes
Type: String

WorkflowName
The name of the workflow associated with the trigger.
Required: No

2330
AWS Glue
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the trigger name.
Examples
On-Demand Trigger
The following example creates an on-demand trigger that triggers one job.
JSON
{
"Resources": {
"OnDemandJobTrigger": {
"Type": "AWS::Glue::Trigger",
"Properties": {
"Type": "ON_DEMAND",
"Description": "DESCRIPTION_ON_DEMAND",
"Actions": [
{
"JobName": "prod-job2"
}
],
"Name": "prod-trigger1-ondemand"
}
}
}
}
YAML
Resources:
OnDemandJobTrigger:
Properties:
Type: ON_DEMAND
Description: DESCRIPTION_ON_DEMAND
Actions:
- JobName: prod-job2
Name: prod-trigger1-ondemand
Scheduled Trigger
The following example creates a scheduled trigger that runs every two hours and triggers two jobs. Note
that it declares an argument for prod-job3.
JSON
{
"Resources": {
"ScheduledJobTrigger": {

2331
AWS Glue
"Properties": {
"Type": "SCHEDULED",
"Description": "DESCRIPTION_SCHEDULED",
"Schedule": "cron(0 */2 * * ? *)",
"Actions": [
{
"JobName": "prod-job2"
},
{
"JobName": "prod-job3",
"Arguments": {
}
}
],
"Name": "prod-trigger1-scheduled"
}
}
}
}
YAML
Resources:
ScheduledJobTrigger:
Properties:
Type: SCHEDULED
Description: DESCRIPTION_SCHEDULED
Schedule: cron(0 */2 * * ? *)
Actions:
Arguments:
'--job-bookmark-option': job-bookmark-enable
Name: prod-trigger1-scheduled
Conditional Trigger
The following example creates a conditional trigger that starts a job based on the successful completion
of the job run.
JSON
{
"Description": "AWS Glue Trigger Test",
"Resources": {
"MyJobTriggerRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
]
},
"Action": [
"sts:AssumeRole"

2332
AWS Glue
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]
}
},
"MyJob": {
"Type": "AWS::Glue::Job",
"Properties": {
"Name": "MyJobTriggerJob",
"LogUri": "wikiData",
"Role": {
"Ref": "MyJobTriggerRole"
},
"Command": {
"Name": "glueetl",
"ScriptLocation": "s3://testdata-bucket/s3-target/create-delete-job-xtf-ETL-s3-
json-to-csv.py"
},
"DefaultArguments": {
},
"MaxRetries": 0
}
},
"MyJobTrigger": {
"Properties": {
"Name": "MyJobTrigger",
"Type": "CONDITIONAL",
"Description": "Description for a conditional job trigger",
"Actions": [
{
"JobName": {
"Ref": "MyJob"
},
"Arguments": {
}
}
],
"Predicate": {
"Conditions": [
{
"LogicalOperator": "EQUALS",
"JobName": {
"Ref": "MyJob"
},
"State": "SUCCEEDED"
}

2333
AWS Glue
]
}
}
}
}
}
YAML
---
Description: "AWS Glue Trigger Test"
Resources:
MyJobTriggerRole:
Properties:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
-
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "*"
Resource: "*"
MyJob:
Properties:
Name: "MyJobTriggerJob"
LogUri: "wikiData"
Role: !Ref MyJobTriggerRole
Command:
Name: "glueetl"
ScriptLocation: "s3://testdata-bucket/s3-target/create-delete-job-xtf-ETL-s3-json-
to-csv.py"
DefaultArguments:
MaxRetries: 0
MyJobTrigger:
Properties:
Name: "MyJobTrigger"
Type: "CONDITIONAL"
Description: "Description for a conditional job trigger"
Actions:
- JobName: !Ref MyJob
Arguments:
Predicate:
Conditions:
- LogicalOperator: EQUALS
JobName: !Ref MyJob
State: SUCCEEDED

2334
AWS Glue
AWS::Glue::Trigger Action
Defines an action to be initiated by a trigger.
Syntax
JSON
{
"Arguments" : Json,
"CrawlerName" : String,
"JobName" : String,
"NotificationProperty" : NotificationProperty (p. 2338),
"Timeout" : Integer
}
YAML
Arguments: Json
CrawlerName: String
JobName: String
NotificationProperty:
NotificationProperty (p. 2338)
Timeout: Integer
Properties
Arguments
The job arguments used when this trigger fires. For this job run, they replace the default arguments
set in the job definition itself.
You can specify arguments here that your own job-execution script consumes, in addition to
arguments that AWS Glue itself consumes.
For information about how to specify and consume your own job arguments, see Calling AWS Glue
APIs in Python in the AWS Glue Developer Guide.
For information about the key-value pairs that AWS Glue consumes to set up your job, see the
Special Parameters Used by AWS Glue topic in the developer guide.
Required: No
Type: Json

CrawlerName
The name of the crawler to be used with this action.
Required: No
Type: String

2335
AWS Glue
JobName
The name of a job to be executed.
Required: No
Type: String

NotificationProperty
Specifies configuration properties of a job run notification.
Required: No
Type: NotificationProperty (p. 2338)

The name of the SecurityConfiguration structure to be used with this action.
Required: No
Type: String

Timeout
The JobRun timeout in minutes. This is the maximum time that a job run can consume resources
before it is terminated and enters TIMEOUT status. The default is 2,880 minutes (48 hours). This
overrides the timeout value set in the parent job.
Required: No
Type: Integer
See Also
• Action Structure in the AWS Glue Developer Guide
AWS::Glue::Trigger Condition
Defines a condition under which a trigger fires.
Syntax
JSON
{
"CrawlerName" : String,
"CrawlState" : String,
"JobName" : String,

2336
AWS Glue
"LogicalOperator" : String,
"State" : String
}
YAML
CrawlerName: String
CrawlState: String
JobName: String
LogicalOperator: String
State: String
Properties
CrawlerName
The name of the crawler to which this condition applies.
Required: No
Type: String

CrawlState
The state of the crawler to which this condition applies.
Required: No
Type: String

JobName
The name of the job whose JobRuns this condition applies to, and on which this trigger waits.
Required: No
Type: String

LogicalOperator
A logical operator.
Required: No
Type: String

State
The condition state. Currently, the values supported are SUCCEEDED, STOPPED, TIMEOUT, and
FAILED.
Required: No
Type: String

2337
AWS Glue
See Also
• Condition Structure in the AWS Glue Developer Guide
AWS::Glue::Trigger NotificationProperty
Specifies configuration properties of a job run notification.
Syntax
JSON
{
"NotifyDelayAfter" : Integer
}
YAML
NotifyDelayAfter: Integer
Properties
NotifyDelayAfter
After a job run starts, the number of minutes to wait before sending a job run delay notification
Required: No
Type: Integer
AWS::Glue::Trigger Predicate
Defines the predicate of the trigger, which determines when it fires.
Syntax
JSON
{
"Conditions" : [ Condition (p. 2336), ... ],
"Logical" : String
}
YAML
Conditions:
- Condition (p. 2336)
Logical: String

2338
AWS Glue
Properties
Conditions
A list of the conditions that determine when the trigger will fire.
Required: No
Type: List of Condition (p. 2336)

Logical
An optional field if only one condition is listed. If multiple conditions are listed, then this field is
required.
Required: No
Type: String
See Also
• Predicate Structure in the AWS Glue Developer Guide
AWS::Glue::Workflow
The AWS::Glue::Workflow is an AWS Glue resource type that manages AWS Glue workflows. A workflow is
a container for a set of related jobs, crawlers, and triggers in AWS Glue. Using a workflow, you can design
a complex multi-job extract, transform, and load (ETL) activity that AWS Glue can execute and track as
single entity
Syntax
JSON
{
"Type" : "AWS::Glue::Workflow",
"Properties" : {
"DefaultRunProperties" : Json,
"Name" : String,
"Tags" : Json
}
}
YAML
Type: AWS::Glue::Workflow
Properties:
DefaultRunProperties: Json
Description: String
Name: String
Tags: Json

2339
GuardDuty
Properties
DefaultRunProperties
A collection of properties to be used as part of each execution of the workflow
Required: No
Type: Json

Description
A description of the workflow
Required: No
Type: String

Name
The name of the workflow representing the flow
Required: No
Type: String

Tags
The tags to use with this workflow.
Required: No
Type: Json
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the workflow
name.
GuardDuty Resource Type Reference

Resource Types
• AWS::GuardDuty::Detector (p. 2341)

• AWS::GuardDuty::Filter (p. 2342)
• AWS::GuardDuty::IPSet (p. 2346)
• AWS::GuardDuty::Master (p. 2348)
• AWS::GuardDuty::Member (p. 2350)

2340
GuardDuty
• AWS::GuardDuty::ThreatIntelSet (p. 2352)
AWS::GuardDuty::Detector
The AWS::GuardDuty::Detector resource specifies a new Amazon GuardDuty detector. A detector is
an object that represents the Amazon GuardDuty service. A detector is required for Amazon GuardDuty
to become operational.
Syntax
JSON
{
"Type" : "AWS::GuardDuty::Detector",
"Properties" : {
"Enable" : Boolean,
"FindingPublishingFrequency" : String
}
}
YAML
Type: AWS::GuardDuty::Detector
Properties:
Enable: Boolean
FindingPublishingFrequency: String
Properties
Enable
Specifies whether or not to enable the detector.
Required: Yes
Type: Boolean

FindingPublishingFrequency
A enumeration value that specifies how frequently finding updates are published. Valid values
include: FIFTEEN_MINUTES | ONE_HOUR | SIX_HOURS. The default value is SIX_HOURS.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the unique ID of
the detector.

2341
GuardDuty
Examples
Declare a Detector Resource
The following example shows how to declare a GuardDuty Detector resource:
JSON
"mydetector": {
"Type" : "AWS::GuardDuty::Detector",
"Properties" : {
"Enable" : True,
"FindingPublishingFrequency" : "FIFTEEN_MINUTES"
}
}
YAML
mydetector:
Type: AWS::GuardDuty::Detector
Properties:
Enable: True
FindingPublishingFrequency: FIFTEEN_MINUTES
AWS::GuardDuty::Filter
The AWS::GuardDuty::Filter resource specifies a new filter defined by the provided
findingCriteria.
Syntax
JSON
{
"Type" : "AWS::GuardDuty::Filter",
"Properties" : {
"Action" : String,
"DetectorId" : String,
"FindingCriteria" : FindingCriteria (p. 2346),
"Name" : String,
"Rank" : Integer
}
}
YAML
Type: AWS::GuardDuty::Filter
Properties:
Action: String
Description: String
DetectorId: String
FindingCriteria:
FindingCriteria (p. 2346)

2342
GuardDuty
Name: String
Rank: Integer
Properties
Action
Specifies the action that is to be applied to the findings that match the filter.
Required: Yes
Type: String

Description
The description of the filter.
Required: Yes
Type: String

DetectorId
The ID of the detector to associate the Filter with.
Required: Yes
Type: String

FindingCriteria
Represents the criteria to be used in the filter for querying findings.
Required: Yes
Type: FindingCriteria (p. 2346)

Name
The name of the filter.
Required: No
Type: String

Rank
Specifies the position of the filter in the list of current filters. Also specifies the order in which this
filter is applied to the findings.
Required: Yes
Type: Integer

2343
GuardDuty
Return Values
Ref
filter, such as SampleFilter.
Examples
Declare a Filter Resource
The following example shows how to declare a GuardDuty Filter resource:
JSON
{
"Type": "AWS::GuardDuty::Filter",
"Properties": {
"Action": "ARCHIVE",
"Description": "SampleFilter",
"DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
"FindingCriteria": {
"Criterion": {
"updatedAt": {
"Gte": 0
}
}
},
"Rank": 1,
"Name": "SampleFilter"
}
}
YAML
Type: "AWS::GuardDuty::Filter"
Properties:
Action : "ARCHIVE"
Description : "SampleFilter"
DetectorId : "a12abc34d567e8fa901bc2d34e56789f0"
FindingCriteria :
Criterion:
"updatedAt":
Gte: 0
Rank : 1
Name : "SampleFilter"
AWS::GuardDuty::Filter Condition
Specifies the condition to apply to a single field when filtering through GuardDuty findings.
Syntax
JSON

2344
GuardDuty
"Eq" : [ String, ... ],

"Gte" : Integer,
"Lt" : Integer,
"Lte" : Integer,
"Neq" : [ String, ... ]
}
YAML
Eq:
- String
Gte: Integer
Lt: Integer
Lte: Integer
Neq:
- String
Properties
Eq
Represents the equal condition to apply to a single field when querying for findings.
Required: No

Gte
Represents the greater than or equal condition to apply to a single field when querying for findings.
Required: No
Type: Integer

Lt
Represents the less than condition to apply to a single field when querying for findings.
Required: No
Type: Integer

Lte
Represents the less than or equal condition to apply to a single field when querying for findings.
Required: No
Type: Integer

Neq
Represents the not equal condition to apply to a single field when querying for findings.
Required: No

2345
GuardDuty
AWS::GuardDuty::Filter FindingCriteria
Represents a map of finding properties that match specified conditions and values when querying
findings.
Syntax
JSON
{
"Criterion" : Json,
"ItemType" : Condition (p. 2344)
}
YAML
Criterion: Json
ItemType:
Condition (p. 2344)
Properties
Criterion
Represents a map of finding properties that match specified conditions and values when querying
findings.
Required: No
Type: Json

ItemType
Specifies the condition to be applied to a single field when filtering through findings.
Required: No
Type: Condition (p. 2344)
AWS::GuardDuty::IPSet
The AWS::GuardDuty::IPSet resource specifies a new IPSet. An IPSet is a list of trusted IP
addresses from which secure communication is allowed with AWS infrastructure and applications.
Syntax

2346
GuardDuty
JSON
{
"Type" : "AWS::GuardDuty::IPSet",
"Properties" : {
"Format" : String,
"Name" : String
}
}
YAML
Type: AWS::GuardDuty::IPSet
Properties:
Activate: Boolean
DetectorId: String
Format: String
Location: String
Name: String
Properties
Activate
Indicated whether or not GuardDuty uses the IPSet.
Required: Yes
Type: Boolean

DetectorId
The unique ID of the detector for the GuardDuty service to associate the IPSet with.
Required: Yes
Type: String

Format
The format of the file that contains the IPSet.
Required: Yes
Type: String

Location
The URI of the file that contains the IPSet.
Required: Yes
Type: String

2347
GuardDuty

Name
The name for the IPSet. This name is displayed in all findings that are triggered by activity
associated with the IP addresses included in this IPSet.
Required: No
Type: String
Return Values
Ref
the IPSet.
Examples
Declare an IPSet Resource
The following example shows how to declare a GuardDuty IPSet resource:
JSON
"myipset": {
"Type" : "AWS::GuardDuty::IPSet",
"Properties" : {
"Activate" : True,
"DetectorId" : "12abc34d567e8f4912ab3d45e67891f2",
"Format" : "TXT",
"Location" : "https://s3-us-west-2.amazonaws.com/mybucket/myipset.txt",
"Name" : "MyIPSet"
}
}
YAML
myipset:
Type: AWS::GuardDuty::IPSet
Properties:
Activate: True
DetectorId: "12abc34d567e8f4912ab3d45e67891f2"
Format: "TXT"
Location: "https://s3-us-west-2.amazonaws.com/mybucket/myipset.txt"
Name: "MyIPSet"
AWS::GuardDuty::Master
You can use the AWS::GuardDuty::Master resource in a GuardDuty member account to accept an
invitation from a GuardDuty master account. The invitation to the member account must be sent prior to
using the AWS::GuardDuty::Master resource to accept the master account's invitation. You can invite
a member account by using the InviteMembers operation of the Amazon GuardDuty API, or by creating
an AWS::GuardDuty::Member resource.

2348
GuardDuty
Syntax
JSON
{
"Type" : "AWS::GuardDuty::Master",
"Properties" : {
"InvitationId" : String,
"MasterId" : String
}
}
YAML
Type: AWS::GuardDuty::Master
Properties:
DetectorId: String
InvitationId: String
MasterId: String
Properties
DetectorId
The unique ID of the detector associated with the GuardDuty master account.
Required: Yes
Type: String

InvitationId
The ID of the invitation that is sent to the account designated as a member account. You can find the
invitation ID by using the ListInvitation action of the GuardDuty API.
Required: No
Type: String

MasterId
The AWS account ID of the account designated as the GuardDuty master account.
Required: Yes
Type: String
Return Values
Ref
the GuardDuty master account, such as 012345678901.

2349
GuardDuty
Examples
Declare a Master Resource
To declare a GuardDuty Master resource:
JSON
"GDMaster": {
"Type" : "AWS::GuardDuty::Master",
"Properties" : {
"DetectorId" : "a12abc34d567e8fa901bc2d34e56789f0",
"MasterId" : "012345678901",
"InvitationId" : "84b097800250d17d1872b34c4daadcf5"
}
}
YAML
"GDMaster": {
Type: AWS::GuardDuty::Master
Properties:
DetectorId: "a12abc34d567e8fa901bc2d34e56789f0"
MasterId: "012345678901"
InvitationId: "84b097800250d17d1872b34c4daadcf5"
AWS::GuardDuty::Member
You can use the AWS::GuardDuty::Member resource to add an AWS account as a GuardDuty member
account to the current GuardDuty master account. If the value of the Status property is not provided
or is set to Created, a member account is created but not invited. If the value of the Status property is
set to Invited, a member account is created and invited. A AWS::GuardDuty::Member resource must
be created with the Status property set to Invited before the AWS::GuardDuty::Master resource
can be created in a GuardDuty member account.
Syntax
JSON
{
"Type" : "AWS::GuardDuty::Member",
"Properties" : {
"DisableEmailNotification" : Boolean,
"Email" : String,
"MemberId" : String,
"Message" : String,
"Status" : String
}
}
YAML
Type: AWS::GuardDuty::Member

2350
GuardDuty
Properties:
DetectorId: String
DisableEmailNotification: Boolean
Email: String
MemberId: String
Message: String
Status: String
Properties
DetectorId
The ID of the detector associated with the GuardDuty service to add the member to.
Required: Yes
Type: String

DisableEmailNotification
Specifies whether or not to disable email notification for the member account that you invite.
Required: No
Type: Boolean

Email
The email address associated with the member account.
Required: Yes
Type: String

MemberId
The AWS account ID of the account to designate as a member.
Required: Yes
Type: String

Message
The message to include with the invitation sent to the member accounts.
Required: No
Type: String

Status
You can use the Status property to update the status of the relationship between the
member account and its master account. Valid values are Created and Invited when using
a AWS::GuardDuty::Member resource. If the value for this property is not provided or set to

2351
GuardDuty
Created, a member account is created but not invited. If the value of this property is set to
Invited, a member account is created and invited.
Required: No
Type: String
Return Values
Ref
the GuardDuty member account, such as 012345678901.
Examples
Declare a Member Resource
The following example shows how to declare a GuardDuty Member resource:
JSON
"GDmaster": {
"Type": "AWS::GuardDuty::Member",
"Properties": {
"Status": "Invited",
"MemberId": "012345678901",
"Email": "guarddutymember@amazon.com",
"Message": "You are invited to enable Amazon Guardduty.",
"DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
"DisableEmailNotification": true
}
}
YAML
Type: AWS::GuardDuty::Member
Properties:
Status: String
MemberId: String
Email: String
Message: String
DetectorId: String
DisableEmailNotification: Boolean
AWS::GuardDuty::ThreatIntelSet
The AWS::GuardDuty::ThreatIntelSet resource specifies a new ThreatIntelSet. A
ThreatIntelSet consists of known malicious IP addresses. GuardDuty generates findings based on the
ThreatIntelSet when it is activated.
Syntax

2352
GuardDuty
JSON
{
"Type" : "AWS::GuardDuty::ThreatIntelSet",
"Properties" : {
"Format" : String,
"Name" : String
}
}
YAML
Type: AWS::GuardDuty::ThreatIntelSet
Properties:
Activate: Boolean
DetectorId: String
Format: String
Location: String
Name: String
Properties
Activate
Specifies whether or not GuardDuty uses the ThreatIntelSet.
Required: Yes
Type: Boolean

DetectorId
The ID of the detector to associate the ThreatIntelSet with.
Required: Yes
Type: String

Format
The format of the file that contains the ThreatIntelSet.
Required: Yes
Type: String

Location
The URI of the file that contains the ThreatIntelSet.
Required: Yes
Type: String

2353
IAM

Name
A name for the ThreatIntelSet. The name is displayed in all finding generated by activity
associated with the IP addresses included in this ThreatIntelSet.
Required: No
Type: String
Return Values
Ref
the ThreatIntelSet.
Examples
Declare a ThreatIntelSet Resource
The following example shows how to declare a GuardDuty ThreatIntelSet resource:
JSON
"mythreatintelset": {
"Type": "AWS::GuardDuty::ThreatIntelSet",
"Properties": {
"Activate": true,
"DetectorId": "12abc34d567e8f4912ab3d45e67891f2",
"Format": "TXT",
"Location": "https://s3-us-west-2.amazonaws.com/mybucket/mythreatintelset.txt",
"Name": "MyThreatIntelSet"
}
}
YAML
mythreatintelset:
Type: AWS::GuardDuty::ThreatIntelSet
Properties:
Activate: true
DetectorId: "12abc34d567e8f4912ab3d45e67891f2"
Format: "TXT"
Location: "https://s3-us-west-2.amazonaws.com/mybucket/mythreatintelset.txt"
Name: "MyThreatIntelSet"
IAM Resource Type Reference

Resource Types
• AWS::IAM::AccessKey (p. 2355)

• AWS::IAM::Group (p. 2357)
• AWS::IAM::InstanceProfile (p. 2360)

2354
IAM
• AWS::IAM::ManagedPolicy (p. 2362)

• AWS::IAM::Policy (p. 2368)
• AWS::IAM::Role (p. 2372)
• AWS::IAM::ServiceLinkedRole (p. 2380)
• AWS::IAM::User (p. 2383)
• AWS::IAM::UserToGroupAddition (p. 2388)
AWS::IAM::AccessKey
Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The
default status for new keys is Active.
If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key
ID signing the request. This operation works for access keys under the AWS account. Consequently, you
can use this operation to manage AWS account root user credentials. This is true even if the AWS account
has no associated users.
For information about limits on the number of keys you can create, see Limitations on IAM Entities in the
IAM User Guide.
Important
To ensure the security of your AWS account, the secret access key is accessible only during key
and user creation. You must save the key (for example, in a text file) if you want to be able to
access it again. If a secret key is lost, you can delete the access keys for the associated user and
then create new keys.
Syntax
JSON
{
"Type" : "AWS::IAM::AccessKey",
"Properties" : {
"Serial" : Integer,
"Status" : String,
"UserName" : String
}
}
YAML
Type: AWS::IAM::AccessKey
Properties:
Serial: Integer
Status: String
UserName: String
Properties
Serial
This value is specific to CloudFormation and can only be incremented. Incrementing this value
notifies CloudFormation that you want to rotate your access key. When you update your stack,
CloudFormation will replace the existing access key with a new key.

2355
IAM
Required: No
Type: Integer

Status
The status of the access key. Active means that the key is valid for API calls, while Inactive
means it is not.
Required: No
Type: String
Allowed Values: Active | Inactive

UserName
The name of the IAM user that the new key will belong to.
This parameter allows (through its regex pattern) a string of characters consisting of upper and
lowercase alphanumeric characters with no spaces. You can also include any of the following
characters: _+=,.@-
Required: Yes
Type: String
Minimum: 1
Maximum: 128
Pattern: [\w+=,.@-]+
Return Values
Ref
AccessKeyId. For example: AKIAIOSFODNN7EXAMPLE.
Fn::GetAtt
SecretAccessKey
Returns the secret access key for the specified AWS::IAM::AccessKey resource. For example:
wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY.

2356
IAM
See Also
• To view AWS::IAM::AccessKey template example snippets, see Declaring an IAM Access Key
Resource.
• CreateAccessKey in the AWS Identity and Access Management API Reference
AWS::IAM::Group
Creates a new group.
For information about the number of groups you can create, see Limitations on IAM Entities in the IAM
User Guide.
Syntax
JSON
{
"Type" : "AWS::IAM::Group",
"Properties" : {
"ManagedPolicyArns" : [ String, ... ],
"Path" : String,
"Policies" : [ Policy (p. 2359), ... ]
}
}
YAML
Type: AWS::IAM::Group
Properties:
GroupName: String
ManagedPolicyArns:
- String
Path: String
Policies:
- Policy (p. 2359)
Properties
GroupName
The name of the group to create. Do not include the path in this value.
The group name must be unique within the account. Group names are not distinguished by case. For
example, you cannot create groups named both "ADMINS" and "admins". If you don't specify a name,
AWS CloudFormation generates a unique physical ID and uses that ID for the group name.
Important
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge
your template's capabilities. For more information, see Acknowledging IAM Resources in AWS
CloudFormation Templates.

2357
IAM
Important
Naming an IAM resource can cause an unrecoverable error if you reuse the same template
in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region
to create a Region-specific name, as in the following example: {"Fn::Join": ["",
[{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.
Required: No
Type: String

ManagedPolicyArns
The Amazon Resource Name (ARN) of the IAM policy you want to attach.
For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service
Namespaces in the AWS General Reference.
Required: No

Path
The path to the group. For more information about paths, see IAM Identifiers in the IAM User Guide.
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its regex pattern) a string of characters consisting of either a forward
slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can
contain any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most
punctuation characters, digits, and upper and lowercased letters.
Required: No
Type: String
Minimum: 1
Maximum: 512
Pattern: (\u002F)|(\u002F[\u0021-\u007F]+\u002F)

Policies
Adds or updates an inline policy document that is embedded in the specified IAM group. To view
AWS::IAM::Group snippets, see Declaring an IAM Group Resource.
Important
The name of each inline policy for a role, user, or group must be unique. If you don't choose
unique names, updates to the IAM identity will fail.
For information about limits on the number of inline policies that you can embed in a group, see
Limitations on IAM Entities in the IAM User Guide.
Required: No
Type: List of Policy (p. 2359)

2358
IAM
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the GroupName.
For example: mystack-mygroup-1DZETITOWEKVO.
Fn::GetAtt
Arn
Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::Group resource. For
example: arn:aws:iam::123456789012:group/mystack-mygroup-1DZETITOWEKVO.
See Also
• To view AWS::IAM::Group template example snippets, see Declaring an IAM Group Resource.
• CreateGroup in the AWS Identity and Access Management API Reference
AWS::IAM::Group Policy
Contains information about an attached policy.
An attached policy is a managed policy that has been attached to a user, group, or role.
For more information about managed policies, refer to Managed Policies and Inline Policies in the Using
IAM guide.
Syntax
JSON
{
}
YAML
PolicyName: String
Properties
PolicyDocument
The policy document.

2359
IAM
Required: Yes
Type: Json
Minimum: 1
Maximum: 131072
Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

PolicyName
The friendly name (not ARN) identifying the policy.
Required: Yes
Type: String
Minimum: 1
Maximum: 128
See Also
• PolicyDetail in the AWS Identity and Access Management API Reference
Creates a new instance profile. For information about instance profiles, go to About Instance Profiles.
For information about the number of instance profiles you can create, see Limitations on IAM Entities in
the IAM User Guide.
Syntax
JSON
{
"Type" : "AWS::IAM::InstanceProfile",
"Properties" : {
"InstanceProfileName" : String,
"Path" : String,
"Roles" : [ String, ... ]
}
}
YAML

2360
IAM
Properties:
InstanceProfileName: String
Path: String
Roles:
- String
Properties
InstanceProfileName
The name of the instance profile to create.
characters: _+=,.@-
Required: No
Type: String
Minimum: 1
Maximum: 128

Path
The path to the instance profile. For more information about paths, see IAM Identifiers in the IAM
User Guide.
Required: No
Type: String
Minimum: 1
Maximum: 512

Roles
The role associated with the instance profile.
Required: Yes

2361
IAM
Return Values
Ref
name. For example:
{ "Ref": "MyProfile" }
For the AWS::IAM::InstanceProfile resource with the logical ID MyProfile, Ref returns the name
of the instance profile.
Fn::GetAtt
Arn
Returns the Amazon Resource Name (ARN) for the instance profile. For example:
{"Fn::GetAtt" : ["MyProfile", "Arn"] }
This returns a value such as arn:aws:iam::1234567890:instance-profile/MyProfile-

ASDNSDLKJ.
See Also
• CreateInstanceProfile in the AWS Identity and Access Management API Reference
Creates a new managed policy for your AWS account.
This operation creates a policy version with a version identifier of v1 and sets v1 as the policy's default
version. For more information about policy versions, see Versioning for Managed Policies in the IAM User
Guide.
For more information about managed policies in general, see Managed Policies and Inline Policies in the
IAM User Guide.
Syntax
JSON
{
"Type" : "AWS::IAM::ManagedPolicy",
"Properties" : {

2362
IAM
"ManagedPolicyName" : String,
"Path" : String,
"Roles" : [ String, ... ],
"Users" : [ String, ... ]
}
}
YAML
Type: AWS::IAM::ManagedPolicy
Properties:
Description: String
Groups:
- String
ManagedPolicyName: String
Path: String
Roles:
- String
Users:
- String
Properties
Description
A friendly description of the policy.
Typically used to store information about the permissions defined in the policy. For example, "Grants
access to production DynamoDB tables."
The policy description is immutable. After a value is assigned, it cannot be changed.
Required: No
Type: String
Maximum: 1000

Groups
The name (friendly name, not ARN) of the group to attach the policy to.
characters: _+=,.@-
Required: No
Minimum: 1
Maximum: 128

2363
IAM
ManagedPolicyName
The friendly name of the policy.

Important
Important
Required: No
Type: String

Path
The path for the policy.
For more information about paths, see IAM Identifiers in the IAM User Guide.
Required: No
Type: String
Minimum: 1
Maximum: 512
Pattern: ((/[A-Za-z0-9\.,\+@=_-]+)*)/

PolicyDocument
The JSON policy document that you want to use as the content for the new policy.
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates
formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation
always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the
following:
• Any printable ASCII character ranging from the space character (\u0020) through the end of the
ASCII character range
• The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF)

2364
IAM
• The special characters tab (\u0009), line feed (\u000A), and carriage return (\u000D)
Required: Yes
Type: Json
Minimum: 1
Maximum: 131072

Roles
The name (friendly name, not ARN) of the role to attach the policy to.
This parameter allows (per its regex pattern) a string of characters consisting of upper and lowercase
alphanumeric characters with no spaces. You can also include any of the following characters: _
+=,.@-
Note
If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy) has
a Ref to a role and if a resource (such as AWS::ECS::Service) also has a Ref to the
same role, add a DependsOn attribute to the resource to make the resource depend on the
external policy. This dependency ensures that the role's policy is available throughout the
resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service
resource, the DependsOn attribute ensures that AWS CloudFormation deletes the
AWS::ECS::Service resource before deleting its role's policy.
Required: No

Users
The name (friendly name, not ARN) of the IAM user to attach the policy to.
characters: _+=,.@-
Required: No
Minimum: 1
Maximum: 64
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN.

2365
IAM
In the following sample, the Ref function returns the ARN of the CreateTestDBPolicy
managed policy, such as arn:aws:iam::123456789012:policy/teststack-
CreateTestDBPolicy-16M23YE3CS700.
{ "Ref": "CreateTestDBPolicy" }
Examples
Create managed policy
The following example creates a managed policy and associates it with the TestDBGroup group. The
managed policy grants users permission to create t2.micro database instances. The database must use
the MySQL database engine and the instance name must include the prefix test.
JSON
{
"CreateTestDBPolicy": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"Description": "Policy for creating a test database",
"Path": "/",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds:CreateDBInstance",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:rds:",
{
},
":",
{
},
":db:test*"
]
]
},
"Condition": {
"StringEquals": {
"rds:DatabaseEngine": "mysql"
}
}
},
{
"Effect": "Allow",
"Action": "rds:CreateDBInstance",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:rds:",
{
},
":",

2366
IAM
{
},
":db:test*"
]
]
},
"Condition": {
"StringEquals": {
"rds:DatabaseClass": "db.t2.micro"
}
}
}
]
},
"Groups": [
"TestDBGroup"
]
}
}
}
YAML
CreateTestDBPolicy:
Type: 'AWS::IAM::ManagedPolicy'
Properties:
Description: Policy for creating a test database
Path: /
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: 'rds:CreateDBInstance'
Resource: !Join
- ''
- - 'arn:aws:rds:'
- ':'
- ':db:test*'
Condition:
StringEquals:
'rds:DatabaseEngine': mysql
- Effect: Allow
Action: 'rds:CreateDBInstance'
Resource: !Join
- ''
- - 'arn:aws:rds:'
- ':'
- ':db:test*'
Condition:
StringEquals:
'rds:DatabaseClass': db.t2.micro
Groups:
- TestDBGroup
See Also
• CreatePolicy in the AWS Identity and Access Management API Reference

2367
IAM
AWS::IAM::Policy
Adds or updates an inline policy document that is embedded in the specified IAM user, group, or role.
An IAM user can also have a managed policy attached to it. For information about policies, see Managed
Policies and Inline Policies in the IAM User Guide.
The Groups, Roles, and Users properties are optional. However, you must specify at least one of these
properties.
For information about limits on the number of inline policies that you can embed in an identity, see
Syntax
JSON
{
"Properties" : {
"Roles" : [ String, ... ],
}
}
YAML
Properties:
Groups:
- String
PolicyName: String
Roles:
- String
Users:
- String
Properties
Groups
The name of the group to associate the policy with.
characters: _+=,.@-.
Required: No
Minimum: 1

2368
IAM
Maximum: 128

PolicyDocument
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates
formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation
always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the
following:
• Any printable ASCII character ranging from the space character (\u0020) through the end of the
ASCII character range
• The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF)
• The special characters tab (\u0009), line feed (\u000A), and carriage return (\u000D)
Required: Yes
Type: Json
Minimum: 1
Maximum: 131072

PolicyName
The name of the policy document.
characters: _+=,.@-
Required: Yes
Type: String
Minimum: 1
Maximum: 128

Roles
The name of the role to associate the policy with.
+=,.@-

2369
IAM
Note
Required: No

Users
The name of the user to associate the policy with.
characters: _+=,.@-
Required: No
Minimum: 1
Maximum: 128
Return Values
Ref
name.
Examples
IAM Policy with policy group
JSON
{
"Properties": {
"PolicyName": "CFNUsers",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [

2370
IAM
"cloudformation:Describe*",
"cloudformation:List*",
"cloudformation:Get*"
],
"Resource": "*"
}
]
},
"Groups": [
{
"Ref": "CFNUserGroup"
}
]
}
}
YAML
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: CFNUsers
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'cloudformation:Describe*'
- 'cloudformation:List*'
- 'cloudformation:Get*'
Resource: '*'
Groups:
- !Ref CFNUserGroup
IAM Policy with specified role
JSON
{
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "RootRole"
}
]
}
}
YAML
Type: 'AWS::IAM::Policy'

2371
IAM
Properties:
PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: '*'
Resource: '*'
Roles:
- !Ref RootRole
See Also
• CreatePolicy in the AWS Identity and Access Management API Reference
AWS::IAM::Role
Creates a new role for your AWS account. For more information about roles, go to IAM Roles. For
information about limitations on role names and the number of roles you can create, go to Limitations
on IAM Entities in the IAM User Guide.
Syntax
JSON
{
"Type" : "AWS::IAM::Role",
"Properties" : {
"AssumeRolePolicyDocument" : Json,
"MaxSessionDuration" : Integer,
"Path" : String,
"PermissionsBoundary" : String,
"Policies" : [ Policy (p. 2379), ... ],
"RoleName" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Properties:
AssumeRolePolicyDocument: Json
Description: String
ManagedPolicyArns:
- String
MaxSessionDuration: Integer
Path: String
PermissionsBoundary: String
Policies:
- Policy (p. 2379)
RoleName: String
Tags:
- Tag

2372
IAM
Properties
AssumeRolePolicyDocument
The trust policy that is associated with this role. Trust policies define which entities can assume the
role. You can associate only one trust policy with a role. For an example of a policy that can be used
to assume a role, see Template Examples. For more information about the elements that you can use
in an IAM policy, see IAM Policy Elements Reference in the IAM User Guide.
Required: Yes
Type: Json

Description
A description of the role that you provide.
Required: No
Type: String
Maximum: 1000
Pattern: [\p{L}\p{M}\p{Z}\p{S}\p{N}\p{P}]*

ManagedPolicyArns
A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the
user.
Required: No

MaxSessionDuration
The maximum session duration (in seconds) that you want to set for the specified role. If you do not
specify a value for this setting, the default maximum of one hour is applied. This setting can have a
value from 1 hour to 12 hours.
Anyone who assumes the role from the AWS CLI or API can use the DurationSeconds
API parameter or the duration-seconds CLI parameter to request a longer session. The
MaxSessionDuration setting determines the maximum duration that can be requested using
the DurationSeconds parameter. If users don't specify a value for the DurationSeconds
parameter, their security credentials are valid for one hour by default. This applies when you use the
AssumeRole* API operations or the assume-role* CLI operations but does not apply when you
use those operations to create a console URL. For more information, see Using IAM Roles in the IAM
User Guide.
Required: No
Type: Integer

2373
IAM
Minimum: 3600
Maximum: 43200

Path
The path to the role. For more information about paths, see IAM Identifiers in the IAM User Guide.
Required: No
Type: String
Minimum: 1
Maximum: 512

PermissionsBoundary
The ARN of the policy used to set the permissions boundary for the role.
For more information about permissions boundaries, see Permissions Boundaries for IAM Identities
in the IAM User Guide.
Required: No
Type: String

Policies
Adds or updates an inline policy document that is embedded in the specified IAM role.
When you embed an inline policy in a role, the inline policy is used as part of the role's access
(permissions) policy. The role's trust policy is created at the same time as the role. You can update
a role's trust policy later. For more information about IAM roles, go to Using Roles to Delegate
Permissions and Federate Identities.
A role can also have an attached managed policy. For information about policies, see Managed
Policies and Inline Policies in the IAM User Guide.
For information about limits on the number of inline policies that you can embed with a role, see
Note

2374
IAM
Required: No

RoleName
A name for the IAM role. For valid values, see the RoleName parameter for the CreateRole action
in the IAM User Guide.
+=,.@-. The role name must be unique within the account. Role names are not distinguished by case.
For example, you cannot create roles named both "Role1" and "role1".
If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for
the role name.
Important
Required: No
Type: String

Tags
A list of tags that are attached to the specified role. For more information about tagging, see
Tagging IAM Identities in the IAM User Guide.
Required: No
Type: List of Tag
Maximum: 50
Return Values
Ref
name.
For example:

2375
IAM
{ "Ref": "RootRole" }
For the AWS::IAM::Role resource with the logical ID RootRole, Ref will return the role name.
Fn::GetAtt
Arn
Returns the Amazon Resource Name (ARN) for the role. For example:
{"Fn::GetAtt" : ["MyRole", "Arn"] }
This will return a value such as arn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF.

RoleId
Returns the stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q.
For more information about IDs, see IAM Identifiers in the IAM User Guide.
Examples
IAM Role with Embedded Policy and Instance Profiles
This example shows an embedded policy in the AWS::IAM::Role. The policy is specified inline in the
Policies property of the AWS::IAM::Role.
{
"Resources": {
"RootRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.&api-domain;"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyDocument": {

2376
IAM
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]
}
},
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "RootRole"
}
]
}
}
}
}
YAML
Resources:
RootRole:
Properties:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.&api-domain;
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: '*'
Resource: '*'
Type: 'AWS::IAM::InstanceProfile'
Properties:
Path: /
Roles:
- !Ref RootRole
IAM Role with External Policy and Instance Profiles
In this example, the Policy and InstanceProfile resources are specified externally to the IAM Role. They
refer to the role by specifying its name, "RootRole", in their respective Roles properties.

2377
IAM
JSON
{
"Resources": {
"RootRole": {
"Properties": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
},
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Properties": {
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ {
"Ref": "RootRole"
} ]
}
},
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "RootRole"
} ]
}
}
}
}
YAML
Resources:
RootRole:
Properties:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:

2378
IAM
- "ec2.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
RolePolicies:
Type: "AWS::IAM::Policy"
Properties:
PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "*"
Resource: "*"
Roles:
-
Ref: "RootRole"
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
-
Ref: "RootRole"
See Also
• CreateRole in the AWS Identity and Access Management API Reference
• AWS Identity and Access Management Template Snippets
• AWS::IAM::InstanceProfile
AWS::IAM::Role Policy
IAM guide.
Syntax
JSON
{
}
YAML
PolicyName: String

2379
IAM
Properties
PolicyDocument
Required: Yes
Type: Json
Minimum: 1
Maximum: 131072

PolicyName
Required: Yes
Type: String
Minimum: 1
Maximum: 128
See Also
AWS::IAM::ServiceLinkedRole
Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies
and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly
changed or deleted role, which could put your AWS resources into an unknown state. Allowing the
service to control the role helps improve service stability and proper cleanup when a service and its role
are no longer needed. For more information, see Using Service-Linked Roles in the IAM User Guide.
To attach a policy to this service-linked role, you must make the request using the AWS service that
depends on this role.
Syntax
JSON
{
"Type" : "AWS::IAM::ServiceLinkedRole",
"Properties" : {

2380
IAM
"AWSServiceName" : String,
"CustomSuffix" : String,
"Description" : String
}
}
YAML
Type: AWS::IAM::ServiceLinkedRole
Properties:
AWSServiceName: String
CustomSuffix: String
Description: String
Properties
AWSServiceName
The service principal for the AWS service to which this role is attached. You use a string similar to a
URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com.
Service principals are unique and case-sensitive. To find the exact service principal for your service-
linked role, see AWS Services That Work with IAM in the IAM User Guide. Look for the services that
have Yes in the Service-Linked Role column. Choose the Yes link to view the service-linked role
documentation for that service.
Required: Yes
Type: String
Minimum: 1
Maximum: 128

CustomSuffix
A string that you provide, which is combined with the service-provided prefix to form the complete
role name. If you make multiple requests for the same service, then you must supply a different
CustomSuffix for each request. Otherwise the request fails with a duplicate role name error. For
example, you could add -1 or -debug to the suffix.
Some services do not support the CustomSuffix parameter. If you provide an optional suffix and
the operation fails, try the operation again without the suffix.
Required: No
Type: String
Minimum: 1
Maximum: 64

2381
IAM
Description
The description of the role.
Required: No
Type: String
Maximum: 1000
Pattern: [\p{L}\p{M}\p{Z}\p{S}\p{N}\p{P}]*
Examples
Create an IAM Service-Linked Role for Auto Scaling
The following example creates a service-linked role that can be assumed by the Auto Scaling service.
JSON
{
"Description": "SLR resource create test - Auto Scaling",
"Resources": {
"BasicSLR": {
"Type": "AWS::IAM::ServiceLinkedRole",
"Properties": {
"AWSServiceName": "autoscaling.amazonaws.com",
"Description": "Test SLR description",
"CustomSuffix": "TestSuffix"
}
}
},
"Outputs": {
"SLRId": {
"Value": {
"Ref": "BasicSLR"
}
}
}
}
YAML
Description: SLR resource create test - Auto Scaling

Resources:
BasicSLR:
Type: 'AWS::IAM::ServiceLinkedRole'
Properties:
AWSServiceName: autoscaling.amazonaws.com
Description: Test SLR description
CustomSuffix: TestSuffix
Outputs:
SLRId:
Value: !Ref BasicSLR
See Also
• CreateServiceLinkedRole in the AWS Identity and Access Management API Reference
• Using Service-Linked Roles in the AWS Identity and Access Management User Guide

2382
IAM
AWS::IAM::User
Creates a new IAM user for your AWS account.
For information about limitations on the number of IAM users you can create, see Limitations on IAM
Entities in the IAM User Guide.
Syntax
JSON
{
"Type" : "AWS::IAM::User",
"Properties" : {
"LoginProfile" : LoginProfile (p. 2386),
"Path" : String,
"PermissionsBoundary" : String,
"Policies" : [ Policy (p. 2387), ... ],
"Tags" : [ Tag, ... ],
"UserName" : String
}
}
YAML
Properties:
Groups:
- String
LoginProfile:
LoginProfile (p. 2386)
ManagedPolicyArns:
- String
Path: String
PermissionsBoundary: String
Policies:
- Policy (p. 2387)
Tags:
- Tag
UserName: String
Properties
Groups
A list of groups to which you want to add the user.
Required: No

LoginProfile
Creates a password for the specified user, giving the user the ability to access AWS services through
the AWS Management Console. For more information about managing passwords, see Managing
Passwords in the IAM User Guide.

2383
IAM
Required: No
Type: LoginProfile (p. 2386)

ManagedPolicyArns
A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the
user.
Required: No

Path
The path for the user name. For more information about paths, see IAM Identifiers in the IAM User
Guide.
Required: No
Type: String
Minimum: 1
Maximum: 512

PermissionsBoundary
The ARN of the policy that is used to set the permissions boundary for the user.
Required: No
Type: String

Policies
Adds or updates an inline policy document that is embedded in the specified IAM user. To view
AWS::IAM::User snippets, see Declaring an IAM User Resource.
Important
The name of each policy for a role, user, or group must be unique. If you don't choose
unique names, updates to the IAM identity will fail.

2384
IAM
For information about limits on the number of inline policies that you can embed in a user, see
Required: No

Tags
A list of tags that you want to attach to the newly created user. Each tag consists of a key name and
an associated value. For more information about tagging, see Tagging IAM Identities in the IAM User
Guide.
Note
If any one of the tags is invalid or if you exceed the allowed number of tags per user, then
the entire request fails and the user is not created.
Required: No
Type: List of Tag
Maximum: 50

UserName
The name of the user to create. Do not include the path in this value.
+=,.@-. The user name must be unique within the account. User names are not distinguished by case.
For example, you cannot create users named both "John" and "john".
If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for
the user name.
Important
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the UserName.
For example: mystack-myuser-1CCXAFG2H2U4D.

2385
IAM
Fn::GetAtt
Arn
Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::User resource. For
example: arn:aws:iam::123456789012:user/mystack-myuser-1CCXAFG2H2U4D.
See Also
• To view AWS::IAM::User template example snippets, see Declaring an IAM User Resource.
• CreateUser in the AWS Identity and Access Management API Reference
AWS::IAM::User LoginProfile
Contains the user name and password create date for a user.
Syntax
JSON
{
"PasswordResetRequired" : Boolean
}
YAML
Password: String
PasswordResetRequired: Boolean
Properties
Password
The user's password.
Required: Yes
Type: String

PasswordResetRequired
Specifies whether the user is required to set a new password on next sign-in.
Required: No

2386
IAM
Type: Boolean
See Also
• LoginProfile in the AWS Identity and Access Management API Reference
AWS::IAM::User Policy
IAM guide.
Syntax
JSON
{
}
YAML
PolicyName: String
Properties
PolicyDocument
Required: Yes
Type: Json
Minimum: 1
Maximum: 131072

PolicyName
Required: Yes

2387
IAM
Type: String
Minimum: 1
Maximum: 128
See Also
AWS::IAM::UserToGroupAddition
Adds the specified user to the specified group.
Syntax
JSON
{
"Type" : "AWS::IAM::UserToGroupAddition",
"Properties" : {
}
}
YAML
Type: AWS::IAM::UserToGroupAddition
Properties:
GroupName: String
Users:
- String
Properties
GroupName
The name of the group to update.
characters: _+=,.@-
Required: Yes
Type: String
Minimum: 1
Maximum: 128

2388
Inspector

Users
A list of the names of the users that you want to add to the group.
Required: Yes
Return Values
Ref
name.
For example:
{ "Ref": "MyUserToGroupAddition" }
For the AWS::IAM::UserToGroupAddition resource with the logical ID MyUserToGroupAddition,

Ref will return the AWS resource name.
See Also
• To view AWS::IAM::UserToGroupAddition template example snippets, see Add Users to a Group.
• AddUserToGroup in the AWS Identity and Access Management API Reference
Inspector Resource Type Reference

Resource Types
• AWS::Inspector::AssessmentTarget (p. 2389)

• AWS::Inspector::AssessmentTemplate (p. 2391)
• AWS::Inspector::ResourceGroup (p. 2394)
AWS::Inspector::AssessmentTarget
The AWS::Inspector::AssessmentTarget resource is used to create Amazon Inspector assessment
targets, which specify the Amazon EC2 instances that will be analyzed during an assessment run.
Syntax
JSON

2389
Inspector
"Type" : "AWS::Inspector::AssessmentTarget",
"Properties" : {
"AssessmentTargetName" : String,
"ResourceGroupArn" : String
}
}
YAML
Type: AWS::Inspector::AssessmentTarget
Properties:
AssessmentTargetName: String
ResourceGroupArn: String
Properties
AssessmentTargetName
The name of the Amazon Inspector assessment target. The name must be unique within the AWS
account.
Required: No
Type: String
Minimum: 1
Maximum: 140

ResourceGroupArn
The ARN that specifies the resource group that is used to create the assessment target. If
resourceGroupArn is not specified, all EC2 instances in the current AWS account and Region are
included in the assessment target.
Required: No
Type: String
Minimum: 1
Maximum: 300
Return Values
Ref
Fn::GetAtt

2390
Inspector
Arn
The Amazon Resource Name (ARN) that specifies the assessment target that is created.
Examples
Declaring an Amazon Inspector Assessment Target Resource
The following examples shows how to declare an AWS::Inspector::AssessmentTarget resource to
create an Amazon Inspector assessment target.
JSON
"myassessmenttarget": {
"Type": "AWS::Inspector::AssessmentTarget",
"Properties": {
"AssessmentTargetName" : "MyAssessmentTarget",
"ResourceGroupArn" : "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-
AB6DMKnv"
}
}
YAML
myassessmenttarget:
Type: AWS::Inspector::AssessmentTarget
Properties:
AssessmentTargetName : "MyAssessmentTarget"
ResourceGroupArn : "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-
AB6DMKnv"
AWS::Inspector::AssessmentTemplate
The AWS::Inspector::AssessmentTemplate resource creates an Amazon Inspector assessment
template, which specifies the Inspector assessment targets that will be evaluated by an assessment run
and its related configurations.
Syntax
JSON
{
"Type" : "AWS::Inspector::AssessmentTemplate",
"Properties" : {
"AssessmentTargetArn" : String,
"AssessmentTemplateName" : String,
"DurationInSeconds" : Integer,
"RulesPackageArns" : [ String, ... ],
"UserAttributesForFindings" : [ Tag, ... ]
}
}
YAML
Type: AWS::Inspector::AssessmentTemplate

2391
Inspector
Properties:
AssessmentTargetArn: String
AssessmentTemplateName: String
DurationInSeconds: Integer
RulesPackageArns:
- String
UserAttributesForFindings:
- Tag
Properties
AssessmentTargetArn
The ARN of the assessment target to be included in the assessment template.
Required: Yes
Type: String
Minimum: 1
Maximum: 300

AssessmentTemplateName
The user-defined name that identifies the assessment template that you want to create. You can
create several assessment templates for the same assessment target. The names of the assessment
templates that correspond to a particular assessment target must be unique.
Required: No
Type: String
Minimum: 1
Maximum: 140

DurationInSeconds
The duration of the assessment run in seconds.
Required: Yes
Type: Integer
Minimum: 180
Maximum: 86400

RulesPackageArns
The ARNs of the rules packages that you want to use in the assessment template.
Required: Yes

2392
Inspector
Maximum: 50

UserAttributesForFindings
The user-defined attributes that are assigned to every finding that is generated by the assessment
run that uses this assessment template. Within an assessment template, each key must be unique.
Required: No
Type: List of Tag
Maximum: 10
Return Values
Ref
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) that specifies the assessment template that is created.
Examples
Declaring an Amazon Inspector Assessment Template Resource
The following example shows how to declare an AWS::Inspector::AssessmentTemplate resource

to create an Amazon Inspector assessment template.
JSON
"myassessmenttemplate": {
"Type": "AWS::Inspector::AssessmentTemplate",
"Properties": {
"AssessmentTargetArn": "arn:aws:inspector:us-west-2:123456789012:target/0-
nvgVhaxX",
"DurationInSeconds": 180,
"AssessmentTemplateName": "MyAssessmentTemplate",
"RulesPackageArns": [
"arn:aws:inspector:us-west-2:758058086616:rulespackage/0-11B9DBXp"
],
"UserAttributesForFindings": [
{
"Key": "Example",
"Value": "example"
}
]
}

2393
Inspector
YAML
myassessmenttemplate:
Type: AWS::Inspector::AssessmentTemplate
Properties:
AssessmentTargetArn: "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX"
AssessmentTemplateName: MyAssessmentTemplate
DurationInSeconds: 180
RulesPackageArns:
- "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-11B9DBXp"
UserAttributesForFindings:
-
Key: Example
Value: example
AWS::Inspector::ResourceGroup
The AWS::Inspector::ResourceGroup resource is used to create Amazon Inspector resource groups.
A resource group defines a set of tags that, when queried, identify the AWS resources that make up the
assessment target.
Syntax
JSON
{
"Type" : "AWS::Inspector::ResourceGroup",
"Properties" : {
"ResourceGroupTags" : [ Tag, ... ]
}
}
YAML
Type: AWS::Inspector::ResourceGroup
Properties:
ResourceGroupTags:
- Tag
Properties
ResourceGroupTags
The tags (key and value pairs) that will be associated with the resource group.
Required: Yes
Type: List of Tag
Maximum: 10

2394
IoT
Return Values
Ref
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) that specifies the resource group that is created.
Examples
Declaring an Amazon Inspector Reource Group Resource
The following example shows how to declare an AWS::Inspector::ResourceGroup resource to

create an Amazon Inspector resource group.
JSON
"myresourcegroup": {
"Type": "AWS::Inspector::ResourceGroup",
"Properties": {
"ResourceGroupTags": [
{
"Key": "Name",
"Value": "example"
}
]
}
}
YAML
myresourcegroup:
Type: "AWS::Inspector::ResourceGroup"
Properties:
ResourceGroupTags:
- Key: "Name"
Value: "example"
IoT Resource Type Reference

Resource Types
• AWS::IoT::Certificate (p. 2396)

• AWS::IoT::Policy (p. 2397)
• AWS::IoT::PolicyPrincipalAttachment (p. 2399)
• AWS::IoT::Thing (p. 2400)
• AWS::IoT::ThingPrincipalAttachment (p. 2404)
• AWS::IoT::TopicRule (p. 2405)

2395
IoT
AWS::IoT::Certificate
Use the AWS::IoT::Certificate resource to declare an AWS IoT X.509 certificate. For information
about working with X.509 certificates, see Authentication in AWS IoT in the AWS IoT Developer Guide.
Syntax
JSON
{
"Type" : "AWS::IoT::Certificate",
"Properties" : {
"CertificateSigningRequest" : String,
"Status" : String
}
}
YAML
Type: AWS::IoT::Certificate
Properties:
CertificateSigningRequest: String
Status: String
Properties
CertificateSigningRequest
The certificate signing request (CSR).
Required: Yes
Type: String

Status
The status of the certificate.
The status value REGISTER_INACTIVE is deprecated and should not be used.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the certificate ID.
For example:
{ "Ref": "MyCertificate" }

2396
IoT
A value similar to the following is returned:
a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2
Fn::GetAtt
Arn
Returns the Amazon Resource Name (ARN) for the instance profile. For example:
{ "Fn::GetAtt": ["MyCertificate", "Arn"] }
A value similar to the following is returned:
arn:aws:iot:ap-southeast-2:123456789012:cert/
a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2
AWS::IoT::Policy
Use the AWS::IoT::Policy resource to declare an AWS IoT policy. For more information about working
with AWS IoT policies, see Authorization in the AWS IoT Developer Guide.
Syntax
JSON
{
"Type" : "AWS::IoT::Policy",
"Properties" : {
}
}
YAML
Type: AWS::IoT::Policy
Properties:
PolicyName: String
Properties
PolicyDocument
The JSON document that describes the policy.
Required: Yes

2397
IoT
Type: Json

PolicyName
The policy name.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the policy name.
For example:
{ "Ref": "MyPolicy" }
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the AWS IoT policy, such as arn:aws:iot:us-
east-2:123456789012:policy/MyPolicy.
Examples
The following example declares an AWS IoT Policy.
JSON
{
"Type": "AWS::IoT::Policy",
"Properties": {
"PolicyDocument": JSON object,
"PolicyName": String
}
}
YAML
Type: AWS::IoT::Policy
Properties:
PolicyDocument: JSON object
PolicyName: String

2398
IoT
AWS::IoT::PolicyPrincipalAttachment
Use the AWS::IoT::PolicyPrincipalAttachment resource to attach an AWS IoT policy to a
principal (an X.509 certificate or other credential).
For information about working with AWS IoT policies and principals, see Authorization in the AWS IoT
Developer Guide.
Syntax
JSON
{
"Type" : "AWS::IoT::PolicyPrincipalAttachment",
"Properties" : {
"Principal" : String
}
}
YAML
Type: AWS::IoT::PolicyPrincipalAttachment
Properties:
PolicyName: String
Principal: String
Properties
PolicyName
The name of the AWS IoT policy.
Required: Yes
Type: String

Principal
The principal, which can be a certificate ARN (as returned from the CreateCertificate operation)
or an Amazon Cognito ID.
Required: Yes
Type: String
Examples
The following example attaches a policy to a principal.
JSON

2399
IoT
"Resources": {
"MyPolicyPrincipalAttachment": {
"Type": "AWS::IoT::PolicyPrincipalAttachment",
"Properties": {
"PolicyName": {
"Ref": "NameParameter"
},
"Principal": "arn:aws:iot:ap-southeast-2:123456789012:cert/
a1234567b89c012d3e4fg567hij8k9l01mno1p23q45678901rs234567890t1u2"
}
}
},
"Parameters": {
"NameParameter": {
"Type": "String"
}
}
}
YAML
Resources:
MyPolicyPrincipalAttachment:
Type: AWS::IoT::PolicyPrincipalAttachment
Properties:
PolicyName:
Ref: "NameParameter"
Principal: "arn:aws:iot:ap-southeast-2:123456789012:cert/
Parameters:
NameParameter:
Type: "String"
AWS::IoT::Thing
Use the AWS::IoT::Thing resource to declare an AWS IoT thing.
For information about working with things, see How AWS IoT Works and Device Registry for AWS IoT in
the AWS IoT Developer Guide.
Syntax
JSON
{
"Type" : "AWS::IoT::Thing",
"Properties" : {
"AttributePayload" : AttributePayload (p. 2403),
"ThingName" : String
}
}
YAML
Type: AWS::IoT::Thing

2400
IoT
Properties:
AttributePayload:
AttributePayload (p. 2403)
ThingName: String
Properties
AttributePayload
A string that contains up to three key–value pairs. Maximum length of 800. Duplicates not allowed.
Required: No
Type: AttributePayload (p. 2403)

ThingName
The name of the thing to update.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the thing name.
For example:
{ "Ref": "MyThing" }
For a stack named MyStack, a value similar to the following is returned:
MyStack-MyThing-AB1CDEFGHIJK
Examples
The following example declares a thing and the values of its attributes.
JSON
{
"Resources": {
"MyThing": {
"Type": "AWS::IoT::Thing",
"Properties": {
"ThingName": {
},

2401
IoT
"AttributePayload": {
"Attributes": {
"myAttributeA": {
"Ref": "MyAttributeValueA"
},
"myAttributeB": {
"Ref": "MyAttributeValueB"
},
"myAttributeC": {
"Ref": "MyAttributeValueC"
}
}
}
}
}
},
"Parameters": {
"NameParameter": {
"Type": "String"
},
"MyAttributeValueA": {
"Type": "String",
"Default": "myStringA123"
},
"MyAttributeValueB": {
"Type": "String",
"Default": "myStringB123"
},
"MyAttributeValueC": {
"Type": "String",
"Default": "myStringC123"
}
}
}
YAML
Resources:
MyThing:
Type: AWS::IoT::Thing
Properties:
ThingName:
AttributePayload:
Attributes:
myAttributeA:
Ref: "MyAttributeValueA"
myAttributeB:
Ref: "MyAttributeValueB"
myAttributeC:
Ref: "MyAttributeValueC"
Parameters:
NameParameter:
Type: "String"
MyAttributeValueA:
Type: "String"
Default: "myStringA123"
MyAttributeValueB:
Type: "String"
Default: "myStringB123"
MyAttributeValueC:
Type: "String"
Default: "myStringC123"

2402
IoT
AWS::IoT::Thing AttributePayload
The AttributePayload property specifies up to three attributes for an AWS IoT as key–value pairs.
AttributePayload is a property of the AWS::IoT::Thing resource.
Syntax
JSON
{
"Attributes" : {Key : Value, ...}
}
YAML
Attributes:
Key : Value
Properties
Attributes
A JSON string containing up to three key-value pair in JSON format. For example:
{\"attributes\":{\"string1\":\"string2\"}}
Required: No
Type: Map of String
Examples
The following example declares an attribute payload with three attributes.
JSON
"AttributePayload": {
"Attributes": {
"myAttributeA": {
"Ref": "MyAttributeValueA"
},
"myAttributeB": {
"Ref": "MyAttributeValueB"
},
"myAttributeC": {
"Ref": "MyAttributeValueC"
}
}
}
YAML
AttributePayload:

2403
IoT
Attributes:
myAttributeA:
Ref: "MyAttributeValueA"
myAttributeB:
Ref: "MyAttributeValueB"
myAttributeC:
Ref: "MyAttributeValueC"
AWS::IoT::ThingPrincipalAttachment
Use the AWS::IoT::ThingPrincipalAttachment resource to attach a principal (an X.509 certificate
or another credential) to a thing.
For more information about working with AWS IoT things and principals, see Authorization in the AWS
IoT Developer Guide.
Syntax
JSON
{
"Type" : "AWS::IoT::ThingPrincipalAttachment",
"Properties" : {
"Principal" : String,
}
}
YAML
Type: AWS::IoT::ThingPrincipalAttachment
Properties:
Principal: String
ThingName: String
Properties
Principal
The principal, which can be a certificate ARN (as returned from the CreateCertificate operation)
or an Amazon Cognito ID.
Required: Yes
Type: String

ThingName
The name of the AWS IoT thing.
Required: Yes
Type: String

2404
IoT
Examples
The following example attaches a principal to a thing.
JSON
{
"Resources": {
"MyThingPrincipalAttachment": {
"Type": "AWS::IoT::ThingPrincipalAttachment",
"Properties": {
"ThingName": {
},
"Principal": "arn:aws:iot:ap-southeast-2:123456789012:cert/
}
}
},
"Parameters": {
"NameParameter": {
"Type": "String"
}
}
}
YAML
Resources:
MyThingPrincipalAttachment:
Type: AWS::IoT::ThingPrincipalAttachment
Properties:
ThingName:
Principal: "arn:aws:iot:ap-southeast-2:123456789012:cert/
Parameters:
NameParameter:
Type: "String"
AWS::IoT::TopicRule
Use the AWS::IoT::TopicRule resource to declare an AWS IoT rule. For information about working
with AWS IoT rules, see Rules for AWS IoT in the AWS IoT Developer Guide.
Syntax
JSON
{
"Type" : "AWS::IoT::TopicRule",
"Properties" : {
"TopicRulePayload" : TopicRulePayload (p. 2426)
}

2405
IoT
YAML
Type: AWS::IoT::TopicRule
Properties:
RuleName: String
TopicRulePayload:
TopicRulePayload (p. 2426)
Properties
RuleName
The name of the rule.
Required: No
Type: String

TopicRulePayload
The rule payload.
Required: Yes
Type: TopicRulePayload (p. 2426)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the topic rule
name. For example:
{ "Ref": "MyTopicRule" }
For a stack named My-Stack (the – character is omitted), a value similar to the following is returned:
MyStackMyTopicRule12ABC3D456EFG
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the AWS IoT rule, such as arn:aws:iot:us-
east-2:123456789012:rule/MyIoTRule.

2406
IoT
Examples
The following example declares an AWS IoT rule.
JSON
{
"Resources": {
"MyTopicRule": {
"Type": "AWS::IoT::TopicRule",
"Properties": {
"RuleName": {
},
"TopicRulePayload": {
"RuleDisabled": "true",
"Sql": "SELECT temp FROM 'SomeTopic' WHERE temp > 60",
"Actions": [{
"S3": {
"BucketName": {
"Ref": "MyBucket"
},
"RoleArn": {
"Fn::GetAtt": ["MyRole", "Arn"]
},
"Key": "MyKey.txt"
}
}]
}
}
},
"MyBucket": {
"Properties": {}
},
"MyRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["iot.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
}
}
}
},
"Parameters": {
"NameParameter": {
"Type": "String"
}
}
}
YAML

2407
IoT
Resources:
MyTopicRule:
Type: AWS::IoT::TopicRule
Properties:
RuleName:
TopicRulePayload:
RuleDisabled: "true"
Sql: >-
Select temp FROM 'SomeTopic' WHERE temp > 60
Actions:
-
S3:
BucketName:
Ref: "MyBucket"
RoleArn:
Fn::GetAtt:
- "MyRole"
- "Arn"
Key: "MyKey.txt"
MyBucket:
Properties:
MyRole:
Properties:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "iot.amazonaws.com"
Action:
- "sts:AssumeRole"
Parameters:
NameParameter:
Type: "String"
AWS::IoT::TopicRule Action
Describes the actions associated with a rule.
Syntax
JSON
{
"CloudwatchAlarm" : CloudwatchAlarmAction (p. 2411),
"CloudwatchMetric" : CloudwatchMetricAction (p. 2412),
"DynamoDB" : DynamoDBAction (p. 2414),
"DynamoDBv2" : DynamoDBv2Action (p. 2416),
"Elasticsearch" : ElasticsearchAction (p. 2417),
"Firehose" : FirehoseAction (p. 2418),
"IotAnalytics" : IotAnalyticsAction (p. 2419),
"Kinesis" : KinesisAction (p. 2420),
"Lambda" : LambdaAction (p. 2421),
"Republish" : RepublishAction (p. 2422),
"S3" : S3Action (p. 2423),
"Sns" : SnsAction (p. 2423),
"Sqs" : SqsAction (p. 2424),

2408
IoT
"StepFunctions" : StepFunctionsAction (p. 2425)

}
YAML
CloudwatchAlarm:
CloudwatchAlarmAction (p. 2411)
CloudwatchMetric:
CloudwatchMetricAction (p. 2412)
DynamoDB:
DynamoDBAction (p. 2414)
DynamoDBv2:
DynamoDBv2Action (p. 2416)
Elasticsearch:
ElasticsearchAction (p. 2417)
Firehose:
FirehoseAction (p. 2418)
IotAnalytics:
IotAnalyticsAction (p. 2419)
Kinesis:
KinesisAction (p. 2420)
Lambda:
LambdaAction (p. 2421)
Republish:
RepublishAction (p. 2422)
S3:
S3Action (p. 2423)
Sns:
SnsAction (p. 2423)
Sqs:
SqsAction (p. 2424)
StepFunctions:
StepFunctionsAction (p. 2425)
Properties
CloudwatchAlarm
Change the state of a CloudWatch alarm.
Required: No
Type: CloudwatchAlarmAction (p. 2411)

CloudwatchMetric
Capture a CloudWatch metric.
Required: No
Type: CloudwatchMetricAction (p. 2412)

DynamoDB
Write to a DynamoDB table.
Required: No
Type: DynamoDBAction (p. 2414)

2409
IoT

DynamoDBv2
Write to a DynamoDB table. This is a new version of the DynamoDB action. It allows you to write
each attribute in an MQTT message payload into a separate DynamoDB column.
Required: No
Type: DynamoDBv2Action (p. 2416)

Elasticsearch
Write data to an Amazon Elasticsearch Service domain.
Required: No
Type: ElasticsearchAction (p. 2417)

Firehose
Write to an Amazon Kinesis Firehose stream.
Required: No
Type: FirehoseAction (p. 2418)

IotAnalytics
Sends message data to an AWS IoT Analytics channel.
Required: No
Type: IotAnalyticsAction (p. 2419)

Kinesis
Write data to an Amazon Kinesis stream.
Required: No
Type: KinesisAction (p. 2420)

Lambda
Invoke a Lambda function.
Required: No
Type: LambdaAction (p. 2421)

Republish
Publish to another MQTT topic.

2410
IoT
Required: No
Type: RepublishAction (p. 2422)

S3
Write to an Amazon S3 bucket.
Required: No
Type: S3Action (p. 2423)

Sns
Publish to an Amazon SNS topic.
Required: No
Type: SnsAction (p. 2423)

Sqs
Publish to an Amazon SQS queue.
Required: No
Type: SqsAction (p. 2424)

StepFunctions
Starts execution of a Step Functions state machine.
Required: No
Type: StepFunctionsAction (p. 2425)
AWS::IoT::TopicRule CloudwatchAlarmAction
Describes an action that updates a CloudWatch alarm.
Syntax
JSON
{
"AlarmName" : String,
"RoleArn" : String,
"StateReason" : String,
"StateValue" : String
}

2411
IoT
YAML
AlarmName: String
RoleArn: String
StateReason: String
StateValue: String
Properties
AlarmName
The CloudWatch alarm name.
Required: Yes
Type: String

RoleArn
The IAM role that allows access to the CloudWatch alarm.
Required: Yes
Type: String

StateReason
The reason for the alarm change.
Required: Yes
Type: String

StateValue
The value of the alarm state. Acceptable values are: OK, ALARM, INSUFFICIENT_DATA.
Required: Yes
Type: String
AWS::IoT::TopicRule CloudwatchMetricAction
Describes an action that captures a CloudWatch metric.
Syntax
JSON
{
"MetricNamespace" : String,
"MetricTimestamp" : String,

2412
IoT
"MetricUnit" : String,
"MetricValue" : String,
"RoleArn" : String
}
YAML
MetricName: String
MetricNamespace: String
MetricTimestamp: String
MetricUnit: String
MetricValue: String
RoleArn: String
Properties
MetricName
The CloudWatch metric name.
Required: Yes
Type: String

MetricNamespace
The CloudWatch metric namespace name.
Required: Yes
Type: String

MetricTimestamp
An optional Unix timestamp.
Required: No
Type: String

MetricUnit
The metric unit supported by CloudWatch.
Required: Yes
Type: String

MetricValue
The CloudWatch metric value.
Required: Yes
Type: String

2413
IoT
RoleArn
The IAM role that allows access to the CloudWatch metric.
Required: Yes
Type: String
AWS::IoT::TopicRule DynamoDBAction
Describes an action to write to a DynamoDB table.
The tableName, hashKeyField, and rangeKeyField values must match the values used when you
created the table.
The hashKeyValue and rangeKeyvalue fields use a substitution template syntax. These templates
provide data at runtime. The syntax is as follows: ${sql-expression}.
You can specify any valid expression in a WHERE or SELECT clause, including JSON properties,
comparisons, calculations, and functions. For example, the following field uses the third level of the
topic:
"hashKeyValue": "${topic(3)}"
The following field uses the timestamp:
"rangeKeyValue": "${timestamp()}"
For more information, see DynamoDBv2 Action in the AWS IoT Developer Guide.
Syntax
JSON
{
"HashKeyField" : String,
"HashKeyType" : String,
"HashKeyValue" : String,
"PayloadField" : String,
"RangeKeyField" : String,
"RangeKeyType" : String,
"RangeKeyValue" : String,
"RoleArn" : String,
}
YAML
HashKeyField: String
HashKeyType: String
HashKeyValue: String
PayloadField: String
RangeKeyField: String
RangeKeyType: String
RangeKeyValue: String
RoleArn: String

2414
IoT
TableName: String
Properties
HashKeyField
The hash key name.
Required: Yes
Type: String

HashKeyType
The hash key type. Valid values are "STRING" or "NUMBER"
Required: No
Type: String

HashKeyValue
The hash key value.
Required: Yes
Type: String

PayloadField
The action payload. This name can be customized.
Required: No
Type: String

RangeKeyField
The range key name.
Required: No
Type: String

RangeKeyType
The range key type. Valid values are "STRING" or "NUMBER"
Required: No
Type: String

RangeKeyValue
The range key value.

2415
IoT
Required: No
Type: String

RoleArn
The ARN of the IAM role that grants access to the DynamoDB table.
Required: Yes
Type: String

TableName
The name of the DynamoDB table.
Required: Yes
Type: String
AWS::IoT::TopicRule DynamoDBv2Action
Describes an action to write to a DynamoDB table.
This DynamoDB action writes each attribute in the message payload into it's own column in the
DynamoDB table.
Syntax
JSON
{
"PutItem" : PutItemInput (p. 2421),
"RoleArn" : String
}
YAML
PutItem:
PutItemInput (p. 2421)
RoleArn: String
Properties
PutItem
Specifies the DynamoDB table to which the message data will be written. For example:
{ "dynamoDBv2": { "roleArn": "aws:iam:12341251:my-role" "putItem":

{ "tableName": "my-table" } } }
Each attribute in the message payload will be written to a separate column in the DynamoDB
database.

2416
IoT
Required: No
Type: PutItemInput (p. 2421)

RoleArn
The ARN of the IAM role that grants access to the DynamoDB table.
Required: No
Type: String
See Also
• AWS SDK for C++.

• AWS SDK for Go.
• AWS SDK for Go - Pilot.
• AWS SDK for Java.
• AWS SDK for Ruby V2.
AWS::IoT::TopicRule ElasticsearchAction
Describes an action that writes data to an Amazon Elasticsearch Service domain.
Syntax
JSON
{
"Endpoint" : String,
"Id" : String,
"Index" : String,
"RoleArn" : String,
"Type" : String
}
YAML
Endpoint: String
Id: String
Index: String
RoleArn: String
Type: String
Properties
Endpoint
The endpoint of your Elasticsearch domain.
Required: Yes

2417
IoT
Type: String

Id
The unique identifier for the document you are storing.
Required: Yes
Type: String

Index
The Elasticsearch index where you want to store your data.
Required: Yes
Type: String

RoleArn
The IAM role ARN that has access to Elasticsearch.
Required: Yes
Type: String

Type
The type of document you are storing.
Required: Yes
Type: String
AWS::IoT::TopicRule FirehoseAction
Describes an action that writes data to an Amazon Kinesis Firehose stream.
Syntax
JSON
{
"DeliveryStreamName" : String,
"RoleArn" : String,
"Separator" : String
}
YAML
DeliveryStreamName: String

2418
IoT
RoleArn: String
Separator: String
Properties
DeliveryStreamName
The delivery stream name.
Required: Yes
Type: String

RoleArn
The IAM role that grants access to the Amazon Kinesis Firehose stream.
Required: Yes
Type: String

Separator
A character separator that will be used to separate records written to the Firehose stream. Valid
values are: '\n' (newline), '\t' (tab), '\r\n' (Windows newline), ',' (comma).
Required: No
Type: String
AWS::IoT::TopicRule IotAnalyticsAction
Sends message data to an AWS IoT Analytics channel.
Syntax
JSON
{
"ChannelName" : String,
"RoleArn" : String
}
YAML
ChannelName: String
RoleArn: String
Properties
ChannelName
The name of the IoT Analytics channel to which message data will be sent.

2419
IoT
Required: Yes
Type: String

RoleArn
The ARN of the role which has a policy that grants IoT Analytics permission to send message data via
IoT Analytics (iotanalytics:BatchPutMessage).
Required: Yes
Type: String
See Also
• IotAnalyticsAction in the AWS IoT API Reference.
AWS::IoT::TopicRule KinesisAction
Describes an action to write data to an Amazon Kinesis stream.
Syntax
JSON
{
"PartitionKey" : String,
"RoleArn" : String,
}
YAML
PartitionKey: String
RoleArn: String
StreamName: String
Properties
PartitionKey
The partition key.
Required: No
Type: String

RoleArn
The ARN of the IAM role that grants access to the Amazon Kinesis stream.
Required: Yes

2420
IoT
Type: String

StreamName
The name of the Amazon Kinesis stream.
Required: Yes
Type: String
AWS::IoT::TopicRule LambdaAction
Describes an action to invoke a Lambda function.
Syntax
JSON
{
"FunctionArn" : String
}
YAML
FunctionArn: String
Properties
FunctionArn
The ARN of the Lambda function.
Required: No
Type: String
AWS::IoT::TopicRule PutItemInput
The input for the DynamoActionVS action that specifies the DynamoDB table to which the message data
will be written.
Syntax
JSON
{

2421
IoT
YAML
TableName: String
Properties
TableName
The table where the message data will be written.
Required: Yes
Type: String
AWS::IoT::TopicRule RepublishAction
Describes an action to republish to another topic.
Syntax
JSON
{
"RoleArn" : String,
"Topic" : String
}
YAML
RoleArn: String
Topic: String
Properties
RoleArn
The ARN of the IAM role that grants access.
Required: Yes
Type: String

Topic
The name of the MQTT topic.
Required: Yes
Type: String

2422
IoT
AWS::IoT::TopicRule S3Action
Describes an action to write data to an Amazon S3 bucket.
Syntax
JSON
{
"BucketName" : String,
"Key" : String,
"RoleArn" : String
}
YAML
BucketName: String
Key: String
RoleArn: String
Properties
BucketName
The Amazon S3 bucket.
Required: Yes
Type: String

Key
The object key.
Required: Yes
Type: String

RoleArn
Required: Yes
Type: String
AWS::IoT::TopicRule SnsAction
Describes an action to publish to an Amazon SNS topic.

2423
IoT
Syntax
JSON
{
"MessageFormat" : String,
"RoleArn" : String,
}
YAML
MessageFormat: String
RoleArn: String
TargetArn: String
Properties
MessageFormat
(Optional) The message format of the message to publish. Accepted values are "JSON" and "RAW".
The default value of the attribute is "RAW". SNS uses this setting to determine if the payload
should be parsed and relevant platform-specific bits of the payload should be extracted. For more
information, see Amazon SNS Message and JSON Formats in the Amazon Simple Notification Service
Developer Guide.
Required: No
Type: String

RoleArn
Required: Yes
Type: String

TargetArn
The ARN of the SNS topic.
Required: Yes
Type: String
AWS::IoT::TopicRule SqsAction
Describes an action to publish data to an Amazon SQS queue.
Syntax

2424
IoT
JSON
{
"QueueUrl" : String,
"RoleArn" : String,
"UseBase64" : Boolean
}
YAML
QueueUrl: String
RoleArn: String
UseBase64: Boolean
Properties
QueueUrl
The URL of the Amazon SQS queue.
Required: Yes
Type: String

RoleArn
Required: Yes
Type: String

UseBase64
Specifies whether to use Base64 encoding.
Required: No
Type: Boolean
AWS::IoT::TopicRule StepFunctionsAction
Starts execution of a Step Functions state machine.
Syntax
JSON
{
"ExecutionNamePrefix" : String,
"RoleArn" : String,
"StateMachineName" : String

2425
IoT
YAML
ExecutionNamePrefix: String
RoleArn: String
StateMachineName: String
Properties
ExecutionNamePrefix
(Optional) A name will be given to the state machine execution consisting of this prefix followed by a
UUID. Step Functions automatically creates a unique name for each state machine execution if one is
not provided.
Required: No
Type: String

RoleArn
The ARN of the role that grants IoT permission to start execution of a state machine
("Action":"states:StartExecution").
Required: Yes
Type: String

StateMachineName
The name of the Step Functions state machine whose execution will be started.
Required: Yes
Type: String
See Also
• StepFunctionsAction in the AWS IoT API Reference.
AWS::IoT::TopicRule TopicRulePayload
Describes a rule.
Syntax
JSON
{
"Actions" : [ Action (p. 2408), ... ],

2426
IoT
"AwsIotSqlVersion" : String,
"ErrorAction" : Action (p. 2408),
"RuleDisabled" : Boolean,
"Sql" : String
}
YAML
Actions:
- Action (p. 2408)
AwsIotSqlVersion: String
Description: String
ErrorAction:
Action (p. 2408)
RuleDisabled: Boolean
Sql: String
Properties
Actions
The actions associated with the rule.
Required: Yes

AwsIotSqlVersion
The version of the SQL rules engine to use when evaluating the rule.
Required: No
Type: String

Description
The description of the rule.
Required: No
Type: String

ErrorAction
The action to take when an error occurs.
Required: No
Type: Action (p. 2408)

RuleDisabled
Specifies whether the rule is disabled.

2427
IoT1Click
Required: Yes
Type: Boolean

Sql
The SQL statement used to query the topic. For more information, see AWS IoT SQL Reference in the
AWS IoT Developer Guide.
Required: Yes
Type: String
IoT1Click Resource Type Reference

Resource Types
• AWS::IoT1Click::Device (p. 2428)

• AWS::IoT1Click::Placement (p. 2430)
• AWS::IoT1Click::Project (p. 2433)
AWS::IoT1Click::Device
The AWS::IoT1Click::Device resource controls the enabled state of an AWS IoT 1-Click compatible
device. For more information, see Device in the AWS IoT 1-Click Devices API Reference.
Syntax
JSON
{
"Type" : "AWS::IoT1Click::Device",
"Properties" : {
"DeviceId" : String,
"Enabled" : Boolean
}
}
YAML
Type: AWS::IoT1Click::Device
Properties:
DeviceId: String
Enabled: Boolean
Properties
DeviceId
The ID of the device, such as G030PX0312744DWM.

2428
IoT1Click
Required: Yes
Type: String

Enabled
A Boolean value indicating whether the device is enabled (true) or not (false).
Required: Yes
Type: Boolean
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the device ARN,
such as arn:aws:iot1click:us-west-2:123456789012:devices/G030PX0312744DWM.
Fn::GetAtt
Arn
The ARN of the device, such as arn:aws:iot1click:us-west-2:123456789012:devices/

G030PX0312744DWM.
DeviceId
The unique identifier of the device.

Enabled
A Boolean value indicating whether the device is enabled (true) or not (false).
Examples
Enable an AWS IoT Device
JSON
{
"SampleDevice": {
"Type": "AWS::IoT1Click::Device",
"Properties": {
"DeviceId": "G030PX0312744DWM",
"Enabled": true
}

2429
IoT1Click
}
}
YAML
SampleDevice:
Type: "AWS::IoT1Click::Device"
Properties:
DeviceId: G030PX0312744DWM
Enabled: True
See Also
• Device
• Projects, Templates, and Placements
• AWS IoT 1-Click Programming Model
AWS::IoT1Click::Placement
The AWS::IoT1Click::Placement resource creates a placement to be associated with an AWS IoT
1-Click project. A placement is an instance of a device in a location. For more information, see Projects,
Templates, and Placements in the AWS IoT 1-Click Developer Guide.
Syntax
JSON
{
"Type" : "AWS::IoT1Click::Placement",
"Properties" : {
"AssociatedDevices" : Json,
"Attributes" : Json,
"PlacementName" : String,
"ProjectName" : String
}
}
YAML
Type: AWS::IoT1Click::Placement
Properties:
AssociatedDevices: Json
Attributes: Json
PlacementName: String
ProjectName: String
Properties
AssociatedDevices
The devices to associate with the placement, as defined by a mapping of zero or more key-value
pairs wherein the key is a template name and the value is a device ID.

2430
IoT1Click
Required: No
Type: Json

Attributes
The user-defined attributes associated with the placement.
Required: No
Type: Json

PlacementName
The name of the placement.
Required: No
Type: String

ProjectName
The name of the project containing the placement.
Required: Yes
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns a string of
the form projects/A/placements/B, where A is the name of the project and B is the name of the
placement.
Fn::GetAtt
PlacementName
The name of the placement, such as floor17.

ProjectName
The name of the project containing the placement, such as conference-rooms.

2431
IoT1Click
Examples
Declare a Project and Placement
JSON
{
"BasicProjectWithPlacement": {
"Type": "AWS::IoT1Click::Project",
"Properties": {
"ProjectName": "project-with-placements",
"Description": "description",
"PlacementTemplate": {
"DefaultAttributes": {
"Attribute": "Value",
"Foo": "Bar"
},
"DeviceTemplates": {
"testButton": {
"DeviceType": "button",
"CallbackOverrides": {
"onClickCallback": ""
}
}
}
}
}
},
"BasicPlacement": {
"Type": "AWS::IoT1Click::Placement",
"Properties": {
"ProjectName": {
"Ref": "BasicProjectWithPlacement"
},
"PlacementName": "placement"
}
}
}
YAML
BasicProjectWithPlacement:
Type: "AWS::IoT1Click::Project"
Properties:
ProjectName: "project-with-placements"
PlacementTemplate:
DefaultAttributes:
Attribute: Value
Foo: Bar
DeviceTemplates:
testButton:
DeviceType: "button"
CallbackOverrides:
onClickCallback: ""
BasicPlacement:
Type: "AWS::IoT1Click::Placement"
Properties:

2432
IoT1Click
ProjectName: !Ref BasicProjectWithPlacement

PlacementName: "placement"
See Also
• CreatePlacement
AWS::IoT1Click::Project
The AWS::IoT1Click::Project resource creates an empty project with a placement template. A
project contains zero or more placements that adhere to the placement template defined in the project.
For more information, see CreateProject in the AWS IoT 1-Click Projects API Reference.
Syntax
JSON
{
"Type" : "AWS::IoT1Click::Project",
"Properties" : {
"PlacementTemplate" : PlacementTemplate (p. 2436),
"ProjectName" : String
}
}
YAML
Type: AWS::IoT1Click::Project
Properties:
Description: String
PlacementTemplate:
PlacementTemplate (p. 2436)
ProjectName: String
Properties
Description
The description of the project.
Required: No
Type: String

PlacementTemplate
An object describing the project's placement specifications.
Required: Yes
Type: PlacementTemplate (p. 2436)

2433
IoT1Click

ProjectName
The name of the project from which to obtain information.
Required: No
Type: String
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the project ARN,
such as arn:aws:iot1click:us-west-2:0123456789012:projects/test-project.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the project, such as arn:aws:iot1click:us-

east-1:123456789012:projects/project-a1bzhi.
ProjectName
The name of the project, such as project-a1bzhi.
Examples
Declare an AWS IoT 1-Click project
JSON
{
"Description": "AWS IoT1Click Project test",
"Resources": {
"BasicProject": {
"Type": "AWS::IoT1Click::Project",
"Properties": {
"ProjectName": "project",
"Description": "description",
"PlacementTemplate": {
"DefaultAttributes": {
"Attribute": "Value",
"Foo": "Bar"
},
"DeviceTemplates": {
"testButton": {
"DeviceType": "button",
"CallbackOverrides": {

2434
IoT1Click
"onClickCallback": ""
}
}
}
}
}
}
},
"Outputs": {
"ProjectId": {
"Value": {
"Ref": "BasicProject"
}
}
}
}
YAML
Description: "AWS IoT1Click Project test"

Resources:
BasicProject:
Type: "AWS::IoT1Click::Project"
Properties:
ProjectName: "project"
PlacementTemplate:
DefaultAttributes:
Attribute: Value
Foo: Bar
DeviceTemplates:
testButton:
DeviceType: "button"
CallbackOverrides:
onClickCallback: ""
Outputs:
ProjectId:
Value: !Ref BasicProject
See Also
• CreateProject
AWS::IoT1Click::Project DeviceTemplate
In AWS CloudFormation, use the DeviceTemplate property type to define the template for an AWS IoT
1-Click project.
DeviceTemplate is a property of the AWS::IoT1Click::Project resource.
Syntax

2435
IoT1Click
JSON
{
"CallbackOverrides" : Json,
"DeviceType" : String
}
YAML
CallbackOverrides: Json
DeviceType: String
Properties
CallbackOverrides
An optional AWS Lambda function to invoke instead of the default AWS Lambda function provided
by the placement template.
Required: No
Type: Json

DeviceType
The device type, which currently must be "button".
Required: No
Type: String
See Also

AWS::IoT1Click::Project PlacementTemplate
In AWS CloudFormation, use the PlacementTemplate property type to define the template for an AWS
IoT 1-Click project.
PlacementTemplate is a property of the AWS::IoT1Click::Project resource.
Syntax
JSON
{
"DefaultAttributes" : Json,
"DeviceTemplates" : Json
}

2436
IoT Analytics
YAML
DefaultAttributes: Json
DeviceTemplates: Json
Properties
DefaultAttributes
The default attributes (key-value pairs) to be applied to all placements using this template.
Required: No
Type: Json

DeviceTemplates
An object specifying the DeviceTemplate for all placements using this (PlacementTemplate)
template.
Required: No
Type: Json
See Also

AWS IoT Analytics Resource Type Reference

Resource Types
• AWS::IoTAnalytics::Channel (p. 2437)

• AWS::IoTAnalytics::Dataset (p. 2443)
• AWS::IoTAnalytics::Datastore (p. 2467)
• AWS::IoTAnalytics::Pipeline (p. 2472)
AWS::IoTAnalytics::Channel
The AWS::IoTAnalytics::Channel resource collects data from an MQTT topic and archives the raw,
unprocessed messages before publishing the data to a pipeline. For more information, see How to Use
AWS IoT Analytics in the AWS IoT Analytics User Guide.
Syntax
JSON

2437
IoT Analytics
"Type" : "AWS::IoTAnalytics::Channel",
"Properties" : {
"ChannelStorage" : ChannelStorage (p. 2440),
"RetentionPeriod" : RetentionPeriod (p. 2442),
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::IoTAnalytics::Channel
Properties:
ChannelName: String
ChannelStorage:
ChannelStorage (p. 2440)
RetentionPeriod:
RetentionPeriod (p. 2442)
Tags:
- Tag
Properties
ChannelName
The name of the channel.
Required: No
Type: String
Minimum: 1
Maximum: 128
Pattern: ^[a-zA-Z0-9_]+$

ChannelStorage
Where channel data is stored.
Required: No
Type: ChannelStorage (p. 2440)

RetentionPeriod
How long, in days, message data is kept for the channel.
Required: No
Type: RetentionPeriod (p. 2442)

Tags
Metadata which can be used to manage the channel.

2438
IoT Analytics
Required: No
Type: List of Tag
Maximum: 50
Examples
Simple Channel
The following example creates a simple channel.
JSON
{
"Description": "Create a simple Channel",
"Resources": {
"Channel": {
"Type": "AWS::IoTAnalytics::Channel",
"Properties": {
"ChannelName": "SimpleChannel"
}
}
}
}
YAML
---
Description: "Create a simple Channel"
Resources:
Channel:
Type: "AWS::IoTAnalytics::Channel"
Properties:
ChannelName: "SimpleChannel"
Complex Channel
The following example creates a complex channel.
JSON
{
"Description": "Create a complex channel",
"Resources": {
"Channel": {
"Type": "AWS::IoTAnalytics::Channel",
"Properties": {
"ChannelName": "ComplexChannel",
"RetentionPeriod": {
"Unlimited": false,
"NumberOfDays": 10
},
"Tags": [
{

2439
IoT Analytics
"Key": "keyname1",
"Value": "value1"
},
{
"Key": "keyname2",
"Value": "value2"
}
]
}
}
}
}
YAML
---
Description: "Create a complex channel"
Resources:
Channel:
Type: "AWS::IoTAnalytics::Channel"
Properties:
ChannelName: "ComplexChannel"
RetentionPeriod:
Unlimited: false
NumberOfDays: 10
Tags:
-
Key: "keyname1"
Value: "value1"
-
Key: "keyname2"
Value: "value2"
See Also
• How to Use AWS IoT Analytics in the AWS IoT Analytics User Guide
• CreateChannel in the AWS IoT Analytics API Reference
AWS::IoTAnalytics::Channel ChannelStorage
Where channel data is stored.
Syntax
JSON
{
"CustomerManagedS3" : CustomerManagedS3 (p. 2441),
"ServiceManagedS3" : ServiceManagedS3 (p. 2443)
}
YAML
CustomerManagedS3:
CustomerManagedS3 (p. 2441)
ServiceManagedS3:

2440
IoT Analytics
ServiceManagedS3 (p. 2443)
Properties
CustomerManagedS3
Use this to store channel data in an S3 bucket that you manage. The choice of service-managed or
customer-managed S3 storage cannot be changed after creation of the channel.
Required: No
Type: CustomerManagedS3 (p. 2441)

ServiceManagedS3
Use this to store channel data in an S3 bucket managed by the AWS IoT Analytics service. The choice
of service-managed or customer-managed S3 storage cannot be changed after creation of the
channel.
Required: No
Type: ServiceManagedS3 (p. 2443)
AWS::IoTAnalytics::Channel CustomerManagedS3
Use this to store channel data in an S3 bucket that you manage. When customer managed storage
is selected, the "retentionPeriod" parameter is ignored. The choice of service-managed or customer-
managed S3 storage cannot be changed after creation of the channel.
Syntax
JSON
{
"Bucket" : String,
"KeyPrefix" : String,
"RoleArn" : String
}
YAML
Bucket: String
KeyPrefix: String
RoleArn: String
Properties
Bucket
The name of the Amazon S3 bucket in which channel data is stored.
Required: Yes

2441
IoT Analytics
Type: String

KeyPrefix
[Optional] The prefix used to create the keys of the channel data objects. Each object in an Amazon
S3 bucket has a key that is its unique identifier within the bucket (each object in a bucket has exactly
one key). The prefix must end with a '/'.
Required: No
Type: String

RoleArn
The ARN of the role which grants AWS IoT Analytics permission to interact with your Amazon S3
resources.
Required: Yes
Type: String
AWS::IoTAnalytics::Channel RetentionPeriod
How long, in days, message data is kept.
Syntax
JSON
{
"NumberOfDays" : Integer,
"Unlimited" : Boolean
}
YAML
NumberOfDays: Integer
Unlimited: Boolean
Properties
NumberOfDays
The number of days that message data is kept. The "unlimited" parameter must be false.
Required: No
Type: Integer
Minimum: 1

2442
IoT Analytics
Unlimited
If true, message data is kept indefinitely.
Required: No
Type: Boolean
AWS::IoTAnalytics::Channel ServiceManagedS3
Used to store channel data in an S3 bucket managed by the AWS IoT Analytics service. The choice of
service-managed or customer-managed S3 storage cannot be changed after creation of the channel.
Syntax
JSON
{
}
YAML
AWS::IoTAnalytics::Dataset
The AWS::IoTAnalytics::Dataset resource stores data retrieved from a data store by applying a
"queryAction" (an SQL query) or a "containerAction" (executing a containerized application). The data set
can be populated manually by calling "CreateDatasetContent" or automatically according to a "trigger"
you specify. For more information, see How to Use AWS IoT Analytics in the AWS IoT Analytics User
Guide.
Syntax
JSON
{
"Type" : "AWS::IoTAnalytics::Dataset",
"Properties" : {
"Actions" : [ Action (p. 2451), ... ],
"ContentDeliveryRules" : [ DatasetContentDeliveryRule (p. 2453), ... ],
"DatasetName" : String,
"Tags" : [ Tag, ... ],
"Triggers" : [ Trigger (p. 2463), ... ],
"VersioningConfiguration" : VersioningConfiguration (p. 2466)
}
}
YAML
Type: AWS::IoTAnalytics::Dataset

2443
IoT Analytics
Properties:
Actions:
- Action (p. 2451)
ContentDeliveryRules:
- DatasetContentDeliveryRule (p. 2453)
DatasetName: String
RetentionPeriod:
Tags:
- Tag
Triggers:
- Trigger (p. 2463)
VersioningConfiguration:
VersioningConfiguration (p. 2466)
Properties
Actions
The "DatasetAction" objects that automatically create the data set contents.
Required: Yes
Maximum: 1

ContentDeliveryRules
When data set contents are created they are delivered to destinations specified here.
Required: No
Type: List of DatasetContentDeliveryRule (p. 2453)
Maximum: 20

DatasetName
The name of the data set.
Required: No
Type: String
Minimum: 1
Maximum: 128

RetentionPeriod
[Optional] How long, in days, message data is kept for the data set.
Required: No

2444
IoT Analytics

Tags
Metadata which can be used to manage the data set.
Required: No
Type: List of Tag
Maximum: 50

Triggers
The "DatasetTrigger" objects that specify when the data set is automatically updated.
Required: No
Type: List of Trigger (p. 2463)
Maximum: 5

VersioningConfiguration
[Optional] How many versions of data set contents are kept. If not specified or set to null,
only the latest version plus the latest succeeded version (if they are different) are kept for the
time period specified by the "retentionPeriod" parameter. (For more information, see https://
docs.aws.amazon.com/iotanalytics/latest/userguide/getting-started.html#aws-iot-analytics-
dataset-versions)
Required: No
Type: VersioningConfiguration (p. 2466)
Examples
Simple SQL Dataset
The following example creates a simple SQL dataset.
JSON
{
"Description": "Create a simple SQL Dataset",
"Resources": {
"Dataset": {
"Type": "AWS::IoTAnalytics::Dataset",
"Properties": {
"DatasetName": "SimpleSQLDataset",
"Actions": [
{
"ActionName": "SqlAction",
"QueryAction": {

2445
IoT Analytics
"SqlQuery": "select * from Datastore"

}
}
],
"Triggers": [
{
"Schedule": {
"ScheduleExpression": "cron(0 12 * * ? *)"
}
}
]
}
}
}
}
YAML
---
Description: "Create a simple SQL Dataset"
Resources:
Dataset:
Type: "AWS::IoTAnalytics::Dataset"
Properties:
DatasetName: "SimpleSQLDataset"
Actions:
-
ActionName: "SqlAction"
QueryAction:
SqlQuery: "select * from Datastore"
Triggers:
-
Schedule:
ScheduleExpression: "cron(0 12 * * ? *)"
Complex SQL Dataset
The following example creates a complex SQL dataset.
JSON
{
"Description": "Create a complex SQL Dataset",
"Resources": {
"Dataset": {
"Properties": {
"DatasetName": "ComplexSQLDataset",
"Actions": [
{
"QueryAction": {
"SqlQuery": "select * from Datastore",
"Filters": [
{
"DeltaTime": {
"OffsetSeconds": 1,
"TimeExpression": "timestamp"
}
}
]
}
}

2446
IoT Analytics
],
"Triggers": [
{
"Schedule": {
}
}
],
"Unlimited": false,
"NumberOfDays": 10
},
"Tags": [
{
"Key": "keyname1",
"Value": "value1"
},
{
"Key": "keyname2",
"Value": "value2"
}
]
}
}
}
}
YAML
---
Description: "Create a complex SQL Dataset"
Resources:
Dataset:
Properties:
DatasetName: "ComplexSQLDataset"
Actions:
-
QueryAction:
Filters:
-
DeltaTime:
OffsetSeconds: 1
TimeExpression: "timestamp"
Triggers:
-
Schedule:
RetentionPeriod:
Unlimited: false
NumberOfDays: 10
Tags:
-
Key: "keyname1"
Value: "value1"
-
Key: "keyname2"
Value: "value2"
Simple Container Dataset

The following example creates a simple Container dataset.

2447
IoT Analytics
JSON
{
"Description": "Create a simple container Dataset",
"Resources": {
"ContainerDataset": {
"Properties": {
"DatasetName": "SimpleContainerDataset",
"Actions": [
{
"ActionName": "ContainerAction",
"ContainerAction": {
"Image": "<your_Account_Id>.dkr.ecr.us-east-1.amazonaws.com/
sampleimage",
"ExecutionRoleArn": "arn:aws:iam::<your_Account_Id>:role/
ExecutionRole",
"ResourceConfiguration": {
"ComputeType": "ACU_1",
"VolumeSizeInGB": 10
},
"Variables": [
{
"VariableName": "Variable1",
"StringValue": "StringValue"
}
]
}
}
],
"Triggers": [
{
"Schedule": {
}
}
]
}
}
}
}
YAML
---
Description: "Create a simple container Dataset"
Resources:
ContainerDataset:
Properties:
DatasetName: "SimpleContainerDataset"
Actions:
- ActionName: ContainerAction
ContainerAction:
Image: "<your_Account_Id>.dkr.ecr.us-east-1.amazonaws.com/sampleimage"
ExecutionRoleArn: "arn:aws:iam::<your_Account_Id>:role/ExecutionRole"
ResourceConfiguration:
ComputeType: "ACU_1"
VolumeSizeInGB: 10
Variables:
- VariableName: "Variable1"
StringValue: StringValue
Triggers:
-

2448
IoT Analytics
Schedule:
Complex Container Dataset
The following example creates a complex Container dataset.
JSON
{
"Description": "Create a complex container Dataset",
"Resources": {
"TriggeringDataset": {
"Properties": {
"DatasetName": "TriggeringDataset",
"Actions": [
{
"QueryAction": {
"SqlQuery": "select * from Datastore"
}
}
]
}
},
"ContainerDataset": {
"DependsOn": "TriggeringDataset",
"Properties": {
"DatasetName": "ComplexContainerDataset",
"Actions": [
{
"ActionName": "ContainerAction",
"ContainerAction": {
"Image": "<your_Account_Id>.dkr.ecr.us-east-1.amazonaws.com/
sampleimage",
"ExecutionRoleArn": "arn:aws:iam::<your_Account_Id>:role/
ExecutionRole",
"ResourceConfiguration": {
"ComputeType": "ACU_1",
"VolumeSizeInGB": 10
},
"Variables": [
{
"StringValue": "StringValue"
},
{
"DoubleValue": 1
},
{
"DatasetContentVersionValue": {
"DatasetName": "BasicDataset"
}
},
{
"OutputFileUriValue": {
"FileName": "fileName"
}
}

2449
IoT Analytics
]
}
}
],
"Triggers": [
{
"TriggeringDataset": {
"DatasetName": "TriggeringDataset"
}
}
]
}
}
}
}
YAML
---
Description: "Create a complex container Dataset"
Resources:
TriggeringDataset:
Properties:
DatasetName: "TriggeringDataset"
Actions:
-
QueryAction:
ContainerDataset:
DependsOn: TriggeringDataset
Properties:
DatasetName: "ComplexContainerDataset"
Actions:
-
ActionName: "ContainerAction"
ContainerAction:
Image: "<your_Account_Id>.dkr.ecr.us-east-1.amazonaws.com/sampleimage"
ExecutionRoleArn: "arn:aws:iam::<your_Account_Id>:role/ExecutionRole"
ComputeType: "ACU_1"
VolumeSizeInGB: 10
Variables:
-
VariableName: "Variable1"
StringValue: "StringValue"
-
DoubleValue: 1
-
DatasetContentVersionValue:
DatasetName: "BasicDataset"
-
OutputFileUriValue:
FileName: "fileName"
Triggers:
-
TriggeringDataset:
DatasetName: "TriggeringDataset"

2450
IoT Analytics
See Also
• CreateDataset in the AWS IoT Analytics API Reference
AWS::IoTAnalytics::Dataset Action
Information needed to run the "containerAction" to produce data set contents.
Syntax
JSON
{
"ActionName" : String,
"ContainerAction" : ContainerAction (p. 2452),
"QueryAction" : QueryAction (p. 2459)
}
YAML
ActionName: String
ContainerAction:
ContainerAction (p. 2452)
QueryAction:
QueryAction (p. 2459)
Properties
ActionName
The name of the data set action by which data set contents are automatically created.
Required: Yes
Type: String
Minimum: 1
Maximum: 128

ContainerAction
Information which allows the system to run a containerized application in order to create the data
set contents. The application must be in a Docker container along with any needed support libraries.
Required: No
Type: ContainerAction (p. 2452)

2451
IoT Analytics
QueryAction
An "SqlQueryDatasetAction" object that uses an SQL query to automatically create data set
contents.
Required: No
Type: QueryAction (p. 2459)
AWS::IoTAnalytics::Dataset ContainerAction
Information needed to run the "containerAction" to produce data set contents.
Syntax
JSON
{
"Image" : String,
"ResourceConfiguration" : ResourceConfiguration (p. 2460),
"Variables" : [ Variable (p. 2465), ... ]
}
YAML
Image: String
ResourceConfiguration (p. 2460)
Variables:
- Variable (p. 2465)
Properties
ExecutionRoleArn
The ARN of the role which gives permission to the system to access needed resources in order to run
the "containerAction". This includes, at minimum, permission to retrieve the data set contents which
are the input to the containerized application.
Required: Yes
Type: String
Minimum: 20
Maximum: 2048

Image
The ARN of the Docker container stored in your account. The Docker container contains an
application and needed support libraries and is used to generate data set contents.
Required: Yes

2452
IoT Analytics
Type: String
Maximum: 255

ResourceConfiguration
Configuration of the resource which executes the "containerAction".
Required: Yes
Type: ResourceConfiguration (p. 2460)

Variables
The values of variables used within the context of the execution of the containerized application
(basically, parameters passed to the application). Each variable must have a name and a value given
by one of "stringValue", "datasetContentVersionValue", or "outputFileUriValue".
Required: No
Type: List of Variable (p. 2465)
Maximum: 50
AWS::IoTAnalytics::Dataset DatasetContentDeliveryRule
When data set contents are created they are delivered to destination specified here.
Syntax
JSON
{
"Destination" : DatasetContentDeliveryRuleDestination (p. 2454),
"EntryName" : String
}
YAML
Destination:
DatasetContentDeliveryRuleDestination (p. 2454)
EntryName: String
Properties
Destination
The destination to which data set contents are delivered.
Required: Yes
Type: DatasetContentDeliveryRuleDestination (p. 2454)

2453
IoT Analytics

EntryName
The name of the data set content delivery rules entry.
Required: No
Type: String
AWS::IoTAnalytics::Dataset DatasetContentDeliveryRuleDestination
The destination to which data set contents are delivered.
Syntax
JSON
{
"IotEventsDestinationConfiguration" : IotEventsDestinationConfiguration (p. 2457),
"S3DestinationConfiguration" : S3DestinationConfiguration (p. 2461)
}
YAML
IotEventsDestinationConfiguration:
IotEventsDestinationConfiguration (p. 2457)
S3DestinationConfiguration:
S3DestinationConfiguration (p. 2461)
Properties
IotEventsDestinationConfiguration
Configuration information for delivery of data set contents to AWS IoT Events.
Required: No
Type: IotEventsDestinationConfiguration (p. 2457)

S3DestinationConfiguration
Configuration information for delivery of data set contents to Amazon S3.
Required: No
Type: S3DestinationConfiguration (p. 2461)
AWS::IoTAnalytics::Dataset DatasetContentVersionValue
The data set whose latest contents are used as input to the notebook or application.

2454
IoT Analytics
Syntax
JSON
{
"DatasetName" : String
}
YAML
DatasetName: String
Properties
DatasetName
The name of the data set whose latest contents are used as input to the notebook or application.
Required: No
Type: String
Minimum: 1
Maximum: 128
AWS::IoTAnalytics::Dataset DeltaTime
Used to limit data to that which has arrived since the last execution of the action.
Syntax
JSON
{
"OffsetSeconds" : Integer,
"TimeExpression" : String
}
YAML
OffsetSeconds: Integer
TimeExpression: String
Properties
OffsetSeconds
The number of seconds of estimated "in flight" lag time of message data. When you create data
set contents using message data from a specified time frame, some message data may still be "in

2455
IoT Analytics
flight" when processing begins, and so will not arrive in time to be processed. Use this field to make
allowances for the "in flight" time of your message data, so that data not processed from a previous
time frame will be included with the next time frame. Without this, missed message data would be
excluded from processing during the next time frame as well, because its timestamp places it within
the previous time frame.
Required: Yes
Type: Integer

TimeExpression
An expression by which the time of the message data may be determined. This may be the name
of a timestamp field, or a SQL expression which is used to derive the time the message data was
generated.
Required: Yes
Type: String
AWS::IoTAnalytics::Dataset Filter
Information which is used to filter message data, to segregate it according to the time frame in which it
arrives.
Syntax
JSON
{
"DeltaTime" : DeltaTime (p. 2455)
}
YAML
DeltaTime:
DeltaTime (p. 2455)
Properties
DeltaTime
Used to limit data to that which has arrived since the last execution of the action.
Required: No
Type: DeltaTime (p. 2455)
AWS::IoTAnalytics::Dataset GlueConfiguration
Configuration information for coordination with the AWS Glue ETL (extract, transform and load) service.

2456
IoT Analytics
Syntax
JSON
{
}
YAML
TableName: String
Properties
DatabaseName
The name of the database in your AWS Glue Data Catalog in which the table is located. (An AWS
Glue Data Catalog database contains Glue Data tables.)
Required: Yes
Type: String
Minimum: 1
Maximum: 150
Pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*

TableName
The name of the table in your AWS Glue Data Catalog which is used to perform the ETL (extract,
transform and load) operations. (An AWS Glue Data Catalog table contains partitioned data and
descriptions of data sources and targets.)
Required: Yes
Type: String
Minimum: 1
Maximum: 150
Pattern: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*
AWS::IoTAnalytics::Dataset IotEventsDestinationConfiguration
Configuration information for delivery of data set contents to AWS IoT Events.
Syntax

2457
IoT Analytics
JSON
{
"InputName" : String,
"RoleArn" : String
}
YAML
InputName: String
RoleArn: String
Properties
InputName
The name of the AWS IoT Events input to which data set contents are delivered.
Required: Yes
Type: String
Minimum: 1
Maximum: 128
Pattern: ^[a-zA-Z][a-zA-Z0-9_]*$

RoleArn
The ARN of the role which grants AWS IoT Analytics permission to deliver data set contents to an
AWS IoT Events input.
Required: Yes
Type: String
Minimum: 20
Maximum: 2048
AWS::IoTAnalytics::Dataset OutputFileUriValue
The value of the variable as a structure that specifies an output file URI.
Syntax
JSON
{
"FileName" : String
}

2458
IoT Analytics
YAML
FileName: String
Properties
FileName
The URI of the location where data set contents are stored, usually the URI of a file in an S3 bucket.
Required: No
Type: String
Pattern: [\w\.-]{1,255}
AWS::IoTAnalytics::Dataset QueryAction
An "SqlQueryDatasetAction" object that uses an SQL query to automatically create data set contents.
Syntax
JSON
{
"Filters" : [ Filter (p. 2456), ... ],
"SqlQuery" : String
}
YAML
Filters:
- Filter (p. 2456)
SqlQuery: String
Properties
Filters
Pre-filters applied to message data.
Required: No
Type: List of Filter (p. 2456)
Maximum: 1

SqlQuery
An "SqlQueryDatasetAction" object that uses an SQL query to automatically create data set
contents.
Required: Yes

2459
IoT Analytics
Type: String
AWS::IoTAnalytics::Dataset ResourceConfiguration
The configuration of the resource used to execute the "containerAction".
Syntax
JSON
{
"ComputeType" : String,
"VolumeSizeInGB" : Integer
}
YAML
ComputeType: String
VolumeSizeInGB: Integer
Properties
ComputeType
The type of the compute resource used to execute the "containerAction". Possible values are: ACU_1
(vCPU=4, memory=16GiB) or ACU_2 (vCPU=8, memory=32GiB).
Required: Yes
Type: String
Allowed Values: ACU_1 | ACU_2

VolumeSizeInGB
The size (in GB) of the persistent storage available to the resource instance used to execute the
"containerAction" (min: 1, max: 50).
Required: Yes
Type: Integer
Minimum: 1
Maximum: 50
AWS::IoTAnalytics::Dataset RetentionPeriod

2460
IoT Analytics
Syntax
JSON
{
}
YAML
Unlimited: Boolean
Properties
NumberOfDays
Required: Yes
Type: Integer
Minimum: 1

Unlimited
Required: Yes
Type: Boolean
AWS::IoTAnalytics::Dataset S3DestinationConfiguration
Configuration information for delivery of data set contents to Amazon S3.
Syntax
JSON
{
"Bucket" : String,
"GlueConfiguration" : GlueConfiguration (p. 2456),
"Key" : String,
"RoleArn" : String
}
YAML
Bucket: String

2461
IoT Analytics
GlueConfiguration:
GlueConfiguration (p. 2456)
Key: String
RoleArn: String
Properties
Bucket
The name of the Amazon S3 bucket to which data set contents are delivered.
Required: Yes
Type: String
Minimum: 3
Maximum: 255
Pattern: ^[a-zA-Z0-9.\-_]*$

GlueConfiguration
Configuration information for coordination with the AWS Glue ETL (extract, transform and load)
service.
Required: No
Type: GlueConfiguration (p. 2456)

Key
The key of the data set contents object. Each object in an Amazon S3 bucket has a key that is its
unique identifier within the bucket (each object in a bucket has exactly one key). To produce a unique
key, you can use "!{iotanalytics:scheduleTime}" to insert the time of the scheduled SQL query run, or
"!{iotanalytics:versioned} to insert a unique hash identifying the data set, for example: "/DataSet/!
{iotanalytics:scheduleTime}/!{iotanalytics:versioned}.csv".
Required: Yes
Type: String
Minimum: 1
Maximum: 255
Pattern: ^[a-zA-Z0-9!_.*'()/{}:-]*$

RoleArn
The ARN of the role which grants AWS IoT Analytics permission to interact with your Amazon S3 and
AWS Glue resources.
Required: Yes
Type: String
Minimum: 20

2462
IoT Analytics
Maximum: 2048
AWS::IoTAnalytics::Dataset Schedule
The schedule for when to trigger an update.
Syntax
JSON
{
"ScheduleExpression" : String
}
YAML
Properties
ScheduleExpression
The expression that defines when to trigger an update. For more information, see Schedule
Expressions for Rules in the Amazon CloudWatch documentation.
Required: Yes
Type: String
AWS::IoTAnalytics::Dataset Trigger
The "DatasetTrigger" that specifies when the data set is automatically updated.
Syntax
JSON
{
"Schedule" : Schedule (p. 2463),
"TriggeringDataset" : TriggeringDataset (p. 2464)
}
YAML
Schedule:
Schedule (p. 2463)
TriggeringDataset:
TriggeringDataset (p. 2464)

2463
IoT Analytics
Properties
Schedule
The "Schedule" when the trigger is initiated.
Required: No
Type: Schedule (p. 2463)

TriggeringDataset
Information about the data set whose content generation triggers the new data set content
generation.
Required: No
Type: TriggeringDataset (p. 2464)
AWS::IoTAnalytics::Dataset TriggeringDataset
Information about the data set whose content generation triggers the new data set content generation.
Syntax
JSON
{
"DatasetName" : String
}
YAML
DatasetName: String
Properties
DatasetName
The name of the data set whose content generation triggers the new data set content generation.
Required: Yes
Type: String
Minimum: 1
Maximum: 128

2464
IoT Analytics
AWS::IoTAnalytics::Dataset Variable
An instance of a variable to be passed to the "containerAction" execution. Each variable must have a
name and a value given by one of "stringValue", "datasetContentVersionValue", or "outputFileUriValue".
Syntax
JSON
{
"DatasetContentVersionValue" : DatasetContentVersionValue (p. 2454),
"DoubleValue" : Double,
"OutputFileUriValue" : OutputFileUriValue (p. 2458),
"StringValue" : String,
"VariableName" : String
}
YAML
DatasetContentVersionValue:
DatasetContentVersionValue (p. 2454)
DoubleValue:
Double
OutputFileUriValue:
OutputFileUriValue (p. 2458)
StringValue:
String
VariableName: String
Properties
DatasetContentVersionValue
The value of the variable as a structure that specifies a data set content version.
Required: No
Type: DatasetContentVersionValue (p. 2454)

DoubleValue
The value of the variable as a double (numeric).
Required: No
Type: Double

OutputFileUriValue
The value of the variable as a structure that specifies an output file URI.
Required: No
Type: OutputFileUriValue (p. 2458)

2465
IoT Analytics
StringValue
The value of the variable as a string.
Required: No
Type: String
Minimum: 0
Maximum: 1024

VariableName
The name of the variable.
Required: Yes
Type: String
Minimum: 1
Maximum: 256
AWS::IoTAnalytics::Dataset VersioningConfiguration
Information about the versioning of data set contents.
Syntax
JSON
{
"MaxVersions" : Integer,
}
YAML
MaxVersions: Integer
Unlimited: Boolean
Properties
MaxVersions
How many versions of data set contents will be kept. The "unlimited" parameter must be false.
Required: No
Type: Integer
Minimum: 1

2466
IoT Analytics
Maximum: 1000

Unlimited
If true, unlimited versions of data set contents will be kept.
Required: No
Type: Boolean
AWS::IoTAnalytics::Datastore
AWS::IoTAnalytics::Datastore resource is a repository for messages. For more information, see How to
Use AWS IoT Analytics in the AWS IoT Analytics User Guide.
Syntax
JSON
{
"Type" : "AWS::IoTAnalytics::Datastore",
"Properties" : {
"DatastoreName" : String,
"DatastoreStorage" : DatastoreStorage (p. 2471),
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::IoTAnalytics::Datastore
Properties:
DatastoreName: String
DatastoreStorage:
DatastoreStorage (p. 2471)
RetentionPeriod:
Tags:
- Tag
Properties
DatastoreName
The name of the data store.
Required: No
Type: String
Minimum: 1
Maximum: 128

2467
IoT Analytics

DatastoreStorage
Where data store data is stored.
Required: No
Type: DatastoreStorage (p. 2471)

RetentionPeriod
How long, in days, message data is kept for the data store. When "customerManagedS3" storage is
selected, this parameter is ignored.
Required: No

Tags
Metadata which can be used to manage the data store.
Required: No
Type: List of Tag
Maximum: 50
Examples
Simple Datastore
The following example creates a simple datastore.
JSON
{
"Description": "Create a simple Datastore",
"Resources": {
"Datastore": {
"Type": "AWS::IoTAnalytics::Datastore",
"Properties": {
"DatastoreName": "SimpleDatastore"
}
}
}
}
YAML
---
Description: "Create a simple Datastore"

2468
IoT Analytics
Resources:
Datastore:
Type: "AWS::IoTAnalytics::Datastore"
Properties:
DatastoreName: "SimpleDatastore"
Complex Datastore
The following example creates a complex datastore.
JSON
{
"Description": "Create a complex Datastore",
"Resources": {
"Datastore": {
"Type": "AWS::IoTAnalytics::Datastore",
"Properties": {
"DatastoreName": "ComplexDatastore",
"Unlimited": false,
"NumberOfDays": 10
},
"Tags": [
{
"Key": "keyname1",
"Value": "value1"
},
{
"Key": "keyname2",
"Value": "value2"
}
]
}
}
}
}
YAML
---
Description: "Create a complex Datastore"
Resources:
Datastore:
Type: "AWS::IoTAnalytics::Datastore"
Properties:
DatastoreName: "ComplexDatastore"
RetentionPeriod:
Unlimited: false
NumberOfDays: 10
Tags:
-
Key: "keyname1"
Value: "value1"
-
Key: "keyname2"
Value: "value2"
See Also

2469
IoT Analytics
• CreateDatastore in the AWS IoT Analytics API Reference
AWS::IoTAnalytics::Datastore CustomerManagedS3
Use this to store data store data in an S3 bucket that you manage. When customer managed storage
is selected, the "retentionPeriod" parameter is ignored. The choice of service-managed or customer-
managed S3 storage cannot be changed after creation of the data store.
Syntax
JSON
{
"Bucket" : String,
"KeyPrefix" : String,
"RoleArn" : String
}
YAML
Bucket: String
KeyPrefix: String
RoleArn: String
Properties
Bucket
The name of the Amazon S3 bucket in which data store data is stored.
Required: Yes
Type: String

KeyPrefix
[Optional] The prefix used to create the keys of the data store data objects. Each object in an
Amazon S3 bucket has a key that is its unique identifier within the bucket (each object in a bucket
has exactly one key). The prefix must end with a '/'.
Required: No
Type: String

RoleArn
The ARN of the role which grants AWS IoT Analytics permission to interact with your Amazon S3
resources.
Required: Yes
Type: String

2470
IoT Analytics
AWS::IoTAnalytics::Datastore DatastoreStorage
Where data store data is stored.
Syntax
JSON
{
"CustomerManagedS3" : CustomerManagedS3 (p. 2470),
"ServiceManagedS3" : ServiceManagedS3 (p. 2472)
}
YAML
CustomerManagedS3:
CustomerManagedS3 (p. 2470)
ServiceManagedS3:
ServiceManagedS3 (p. 2472)
Properties
CustomerManagedS3
Use this to store data store data in an S3 bucket that you manage. The choice of service-managed or
customer-managed S3 storage cannot be changed after creation of the data store.
Required: No
Type: CustomerManagedS3 (p. 2470)

ServiceManagedS3
Use this to store data store data in an S3 bucket managed by the AWS IoT Analytics service. The
choice of service-managed or customer-managed S3 storage cannot be changed after creation of
the data store.
Required: No
Type: ServiceManagedS3 (p. 2472)
AWS::IoTAnalytics::Datastore RetentionPeriod
Syntax
JSON

2471
IoT Analytics
}
YAML
Unlimited: Boolean
Properties
NumberOfDays
Required: No
Type: Integer
Minimum: 1

Unlimited
Required: No
Type: Boolean
AWS::IoTAnalytics::Datastore ServiceManagedS3
Used to store data store data in an S3 bucket managed by the AWS IoT Analytics service. The choice of
service-managed or customer-managed S3 storage cannot be changed after creation of the data store.
Syntax
JSON
{
}
YAML
AWS::IoTAnalytics::Pipeline
The AWS::IoTAnalytics::Pipeline resource consumes messages from one or more channels and allows you
to process the messages before storing them in a data store. You must specify both a channel and a
datastore activity and, optionally, as many as 23 additional activities in the pipelineActivities
array. For more information, see How to Use AWS IoT Analytics in the AWS IoT Analytics User Guide.

2472
IoT Analytics
Syntax
JSON
{
"Type" : "AWS::IoTAnalytics::Pipeline",
"Properties" : {
"PipelineActivities" : [ Activity (p. 2477), ... ],
"PipelineName" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::IoTAnalytics::Pipeline
Properties:
PipelineActivities:
- Activity (p. 2477)
PipelineName: String
Tags:
- Tag
Properties
PipelineActivities
A list of "PipelineActivity" objects. Activities perform transformations on your messages, such as

removing, renaming or adding message attributes; filtering messages based on attribute values;
invoking your Lambda functions on messages for advanced processing; or performing mathematical
transformations to normalize device data.
The list can be 2-25 PipelineActivity objects and must contain both a channel and a datastore
activity. Each entry in the list must contain only one activity, for example:
pipelineActivities = [ { "channel": { ... } }, { "lambda": { ... } }, ... ]
Required: Yes
Type: List of Activity (p. 2477)
Maximum: 25

PipelineName
Required: No
Type: String
Minimum: 1
Maximum: 128

2473
IoT Analytics

Tags
Metadata which can be used to manage the pipeline.
Required: No
Type: List of Tag
Maximum: 50
Examples
Simple Pipeline
The following example creates a simple pipeline.
JSON
{
"Description": "Create a simple Pipeline",
"Resources": {
"Pipeline": {
"Type": "AWS::IoTAnalytics::Pipeline",
"Properties": {
"PipelineName": "SimplePipeline",
"PipelineActivities": [
{
"Channel": {
"Name": "ChannelActivity",
"ChannelName": "SimpleChannel",
"Next": "DatastoreActivity"
},
"Datastore": {
"Name": "DatastoreActivity",
"DatastoreName": "SimpleDatastore"
}
}
]
}
}
}
}
YAML
---
Description: "Create a simple Pipeline"
Resources:
Pipeline:
Type: "AWS::IoTAnalytics::Pipeline"
Properties:
PipelineName: "SimplePipeline"
PipelineActivities:
-
Channel:
Name: "ChannelActivity"

2474
IoT Analytics
ChannelName: "SimpleChannel"
Next: "DatastoreActivity"
Datastore:
Name: "DatastoreActivity"
DatastoreName: "SimpleDatastore"
Complex Pipeline
The following example creates a complex pipeline.
JSON
{
"Description": "Create a complex Pipeline",
"Resources": {
"Pipeline": {
"Type": "AWS::IoTAnalytics::Pipeline",
"Properties": {
"PipelineName": "ComplexPipeline",
"PipelineActivities": [
{
"Channel": {
"Name": "ChannelActivity",
"ChannelName": "Channel",
"Next": "LambdaActivity"
},
"Lambda": {
"Name": "LambdaActivity",
"LambdaName": "Lambda",
"BatchSize": 1,
"Next": "AddAttributesActivity"
},
"AddAttributes": {
"Name": "AddAttributesActivity",
"Attributes": {
"key1": "attribute1",
"key2": "attribute2"
},
"Next": "RemoveAttributesActivity"
},
"RemoveAttributes": {
"Name": "RemoveAttributesActivity",
"Attributes": [
"attribute1",
"attribute2"
],
"Next": "SelectAttributesActivity"
},
"SelectAttributes": {
"Name": "SelectAttributesActivity",
"Attributes": [
"attribute1",
"attribute2"
],
"Next": "FilterActivity"
},
"Filter": {
"Name": "FilterActivity",
"Filter": "attribute1 > 40 AND attribute2 < 20",
"Next": "MathActivity"
},
"Math": {
"Name": "MathActivity",
"Attribute": "attribute",

2475
IoT Analytics
"Math": "attribute - 10",

"Next": "DeviceRegistryEnrichActivity"
},
"DeviceRegistryEnrich": {
"Name": "DeviceRegistryEnrichActivity",
"ThingName": "thingName",
"RoleArn": "arn:aws:iam::<your_Account_Id>:role/Enrich",
"Next": "DeviceShadowEnrichActivity"
},
"DeviceShadowEnrich": {
"Name": "DeviceShadowEnrichActivity",
"ThingName": "thingName",
"RoleArn": "arn:aws:iam::<your_Account_Id>:role/Enrich",
"Next": "DatastoreActivity"
},
"Datastore": {
"Name": "DatastoreActivity",
"DatastoreName": "Datastore"
}
}
]
}
}
}
}
YAML
---
Description: "Create a complex Pipeline"
Resources:
Pipeline:
Type: "AWS::IoTAnalytics::Pipeline"
Properties:
PipelineName: "ComplexPipeline"
PipelineActivities:
-
Channel:
Name: "ChannelActivity"
ChannelName: "Channel"
Next: "LambdaActivity"
Lambda:
Name: "LambdaActivity"
LambdaName: "Lambda"
BatchSize: 1
Next: "AddAttributesActivity"
AddAttributes:
Name: "AddAttributesActivity"
Attributes:
key1: "attribute1"
key2: "attribute2"
Next: "RemoveAttributesActivity"
RemoveAttributes:
Name: "RemoveAttributesActivity"
Attributes:
-
"attribute1"
-
"attribute2"
Next: "SelectAttributesActivity"
SelectAttributes:
Name: "SelectAttributesActivity"

2476
IoT Analytics
Attributes:
-
"attribute1"
-
"attribute2"
Next: "FilterActivity"
Filter:
Name: "FilterActivity"
Filter: "attribute1 > 40 AND attribute2 < 20"
Next: "MathActivity"
Math:
Name: "MathActivity"
Attribute: "attribute"
Math: "attribute - 10"
Next: "DeviceRegistryEnrichActivity"
DeviceRegistryEnrich:
Name: "DeviceRegistryEnrichActivity"
ThingName: "thingName"
RoleArn: "arn:aws:iam::<your_Account_Id>:role/Enrich"
Next: "DeviceShadowEnrichActivity"
DeviceShadowEnrich:
Name: "DeviceShadowEnrichActivity"
ThingName: "thingName"
RoleArn: "arn:aws:iam::<your_Account_Id>:role/Enrich"
Next: "DatastoreActivity"
Datastore:
Name: "DatastoreActivity"
DatastoreName: "Datastore"
See Also
• CreatePipeline in the AWS IoT Analytics API Reference
AWS::IoTAnalytics::Pipeline Activity
An activity that performs a transformation on a message.
Syntax
JSON
{
"AddAttributes" : AddAttributes (p. 2479),
"Channel" : Channel (p. 2481),
"Datastore" : Datastore (p. 2482),
"DeviceRegistryEnrich" : DeviceRegistryEnrich (p. 2482),
"DeviceShadowEnrich" : DeviceShadowEnrich (p. 2484),
"Filter" : Filter (p. 2486),
"Lambda" : Lambda (p. 2487),
"Math" : Math (p. 2488),
"RemoveAttributes" : RemoveAttributes (p. 2489),
"SelectAttributes" : SelectAttributes (p. 2490)
}

2477
IoT Analytics
YAML
AddAttributes:
AddAttributes (p. 2479)
Channel:
Channel (p. 2481)
Datastore:
Datastore (p. 2482)
DeviceRegistryEnrich:
DeviceRegistryEnrich (p. 2482)
DeviceShadowEnrich:
DeviceShadowEnrich (p. 2484)
Filter:
Filter (p. 2486)
Lambda:
Lambda (p. 2487)
Math:
Math (p. 2488)
RemoveAttributes:
RemoveAttributes (p. 2489)
SelectAttributes:
SelectAttributes (p. 2490)
Properties
AddAttributes
Adds other attributes based on existing attributes in the message.
Required: No
Type: AddAttributes (p. 2479)

Channel
Determines the source of the messages to be processed.
Required: No
Type: Channel (p. 2481)

Datastore
Specifies where to store the processed message data.
Required: No
Type: Datastore (p. 2482)

DeviceRegistryEnrich
Adds data from the AWS IoT device registry to your message.
Required: No
Type: DeviceRegistryEnrich (p. 2482)

2478
IoT Analytics
DeviceShadowEnrich
Adds information from the AWS IoT Device Shadows service to a message.
Required: No
Type: DeviceShadowEnrich (p. 2484)

Filter
Filters a message based on its attributes.
Required: No
Type: Filter (p. 2486)

Lambda
Runs a Lambda function to modify the message.
Required: No
Type: Lambda (p. 2487)

Math
Computes an arithmetic expression using the message's attributes and adds it to the message.
Required: No
Type: Math (p. 2488)

RemoveAttributes
Removes attributes from a message.
Required: No
Type: RemoveAttributes (p. 2489)

SelectAttributes
Creates a new message using only the specified attributes from the original message.
Required: No
Type: SelectAttributes (p. 2490)
AWS::IoTAnalytics::Pipeline AddAttributes
An activity that adds other attributes based on existing attributes in the message.

2479
IoT Analytics
Syntax
JSON
{
"Attributes" : Json,
"Name" : String,
"Next" : String
}
YAML
Attributes: Json
Name: String
Next: String
Properties
Attributes
A list of 1-50 "AttributeNameMapping" objects that map an existing attribute to a new attribute.
Note
The existing attributes remain in the message, so if you want to remove the originals, use
"RemoveAttributeActivity".
Required: No
Type: Json

Name
The name of the 'addAttributes' activity.
Required: No
Type: String
Minimum: 1
Maximum: 128

Next
The next activity in the pipeline.
Required: No
Type: String
Minimum: 1
Maximum: 128

2480
IoT Analytics
AWS::IoTAnalytics::Pipeline Channel
Determines the source of the messages to be processed.
Syntax
JSON
{
"Name" : String,
"Next" : String
}
YAML
ChannelName: String
Name: String
Next: String
Properties
ChannelName
The name of the channel from which the messages are processed.
Required: No
Type: String
Minimum: 1
Maximum: 128

Name
The name of the 'channel' activity.
Required: No
Type: String
Minimum: 1
Maximum: 128

Next
Required: No
Type: String
Minimum: 1

2481
IoT Analytics
Maximum: 128
AWS::IoTAnalytics::Pipeline Datastore
The 'datastore' activity that specifies where to store the processed data.
Syntax
JSON
{
"DatastoreName" : String,
"Name" : String
}
YAML
DatastoreName: String
Name: String
Properties
DatastoreName
The name of the data store where processed messages are stored.
Required: No
Type: String
Minimum: 1
Maximum: 128

Name
The name of the 'datastore' activity.
Required: No
Type: String
Minimum: 1
Maximum: 128
AWS::IoTAnalytics::Pipeline DeviceRegistryEnrich
An activity that adds data from the AWS IoT device registry to your message.

2482
IoT Analytics
Syntax
JSON
{
"Attribute" : String,
"Name" : String,
"Next" : String,
"RoleArn" : String,
}
YAML
Attribute: String
Name: String
Next: String
RoleArn: String
ThingName: String
Properties
Attribute
The name of the attribute that is added to the message.
Required: No
Type: String
Minimum: 1
Maximum: 256

Name
The name of the 'deviceRegistryEnrich' activity.
Required: No
Type: String
Minimum: 1
Maximum: 128

Next
Required: No
Type: String
Minimum: 1
Maximum: 128

2483
IoT Analytics

RoleArn
The ARN of the role that allows access to the device's registry information.
Required: No
Type: String
Minimum: 20
Maximum: 2048

ThingName
The name of the IoT device whose registry information is added to the message.
Required: No
Type: String
Minimum: 1
Maximum: 256
AWS::IoTAnalytics::Pipeline DeviceShadowEnrich
An activity that adds information from the AWS IoT Device Shadows service to a message.
Syntax
JSON
{
"Name" : String,
"Next" : String,
"RoleArn" : String,
}
YAML
Attribute: String
Name: String
Next: String
RoleArn: String
ThingName: String
Properties
Attribute
The name of the attribute that is added to the message.

2484
IoT Analytics
Required: No
Type: String
Minimum: 1
Maximum: 256

Name
The name of the 'deviceShadowEnrich' activity.
Required: No
Type: String
Minimum: 1
Maximum: 128

Next
Required: No
Type: String
Minimum: 1
Maximum: 128

RoleArn
The ARN of the role that allows access to the device's shadow.
Required: No
Type: String
Minimum: 20
Maximum: 2048

ThingName
The name of the IoT device whose shadow information is added to the message.
Required: No
Type: String
Minimum: 1
Maximum: 256

2485
IoT Analytics
AWS::IoTAnalytics::Pipeline Filter
An activity that filters a message based on its attributes.
Syntax
JSON
{
"Filter" : String (p. 2486),
"Name" : String,
"Next" : String
}
YAML
Filter: String (p. 2486)

Name: String
Next: String
Properties
Filter
An expression that looks like an SQL WHERE clause that must return a Boolean value.
Required: No
Minimum: 1
Maximum: 256

Name
The name of the 'filter' activity.
Required: No
Type: String
Minimum: 1
Maximum: 128

Next
Required: No
Type: String
Minimum: 1

2486
IoT Analytics
Maximum: 128
AWS::IoTAnalytics::Pipeline Lambda
An activity that runs a Lambda function to modify the message.
Syntax
JSON
{
"BatchSize" : Integer,
"LambdaName" : String,
"Name" : String,
"Next" : String
}
YAML
BatchSize: Integer
LambdaName: String
Name: String
Next: String
Properties
BatchSize
The number of messages passed to the Lambda function for processing.
The AWS Lambda function must be able to process all of these messages within five minutes, which
is the maximum timeout duration for Lambda functions.
Required: No
Type: Integer
Minimum: 1
Maximum: 1000

LambdaName
The name of the Lambda function that is run on the message.
Required: No
Type: String
Minimum: 1
Maximum: 64

2487
IoT Analytics

Name
The name of the 'lambda' activity.
Required: No
Type: String
Minimum: 1
Maximum: 128

Next
Required: No
Type: String
Minimum: 1
Maximum: 128
AWS::IoTAnalytics::Pipeline Math
An activity that computes an arithmetic expression using the message's attributes.
Syntax
JSON
{
"Math" : String (p. 2488),
"Name" : String,
"Next" : String
}
YAML
Attribute: String
Math: String (p. 2488)
Name: String
Next: String
Properties
Attribute
The name of the attribute that contains the result of the math operation.
Required: No

2488
IoT Analytics
Type: String
Minimum: 1
Maximum: 256

Math
An expression that uses one or more existing attributes and must return an integer value.
Required: No
Minimum: 1
Maximum: 256

Name
The name of the 'math' activity.
Required: No
Type: String
Minimum: 1
Maximum: 128

Next
Required: No
Type: String
Minimum: 1
Maximum: 128
AWS::IoTAnalytics::Pipeline RemoveAttributes
An activity that removes attributes from a message.
Syntax
JSON
{
"Attributes" : [ String, ... ],

2489
IoT Analytics
"Name" : String,
"Next" : String
}
YAML
Attributes:
- String
Name: String
Next: String
Properties
Attributes
A list of 1-50 attributes to remove from the message.
Required: No
Maximum: 50

Name
The name of the 'removeAttributes' activity.
Required: No
Type: String
Minimum: 1
Maximum: 128

Next
Required: No
Type: String
Minimum: 1
Maximum: 128
AWS::IoTAnalytics::Pipeline SelectAttributes
Creates a new message using only the specified attributes from the original message.
Syntax

2490
IoTEvents
JSON
{
"Attributes" : [ String, ... ],
"Name" : String,
"Next" : String
}
YAML
Attributes:
- String
Name: String
Next: String
Properties
Attributes
A list of the attributes to select from the message.
Required: No
Maximum: 50

Name
The name of the 'selectAttributes' activity.
Required: No
Type: String
Minimum: 1
Maximum: 128

Next
Required: No
Type: String
Minimum: 1
Maximum: 128
IoTEvents Resource Type Reference

Resource Types

2491
IoTEvents
• AWS::IoTEvents::DetectorModel (p. 2492)

• AWS::IoTEvents::Input (p. 2514)
AWS::IoTEvents::DetectorModel
The AWS::IoTEvents::DetectorModel resource creates a detector model. You create a detector model
(a model of your equipment or process) using states. For each state, you define conditional (Boolean)
logic that evaluates the incoming inputs to detect significant events. When an event is detected, it can
change the state or trigger custom-built or predefined actions using other AWS services. You can define
additional events that trigger actions when entering or exiting a state and, optionally, when a condition
is met. For more information, see How to Use AWS IoT Events in the AWS IoT Events Developer Guide.
Note
When you successfully update a detector model (using the AWS IoT Events console, AWS IoT
Events API or CLI commands, or AWS CloudFormation) all detector instances created by the
model are reset to their initial states. (The detector's state, and the values of any variables and
timers are reset.)
When you successfully update a detector model (using the AWS IoT Events console, AWS IoT
Events API or CLI commands, or AWS CloudFormation) the version number of the detector
model is incremented. (A detector model with version number 1 before the update has version
number 2 after the update succeeds.)
If you attempt to update a detector model using AWS CloudFormation and the update does not
succeed, the system may, in some cases, restore the original detector model. When this occurs,
the detector model's version is incremented twice (for example, from version 1 to version 3) and
the detector instances are reset.
Also, be aware that if you attempt to update several detector models at once using AWS
CloudFormation, some updates may succeed and others fail. In this case, the effects on each
detector model's detector instances and version number depend on whether the update
succeeded or failed, with the results as stated.
Syntax
JSON
{
"Type" : "AWS::IoTEvents::DetectorModel",
"Properties" : {
"DetectorModelDefinition" : DetectorModelDefinition (p. 2502),
"DetectorModelDescription" : String,
"DetectorModelName" : String,
"Key" : String,
"RoleArn" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::IoTEvents::DetectorModel
Properties:
DetectorModelDefinition:
DetectorModelDefinition (p. 2502)
DetectorModelDescription: String
DetectorModelName: String
Key: String
RoleArn: String

2492
IoTEvents
Tags:
- Tag
Properties
DetectorModelDefinition
Information that defines how a detector operates.
Required: No
Type: DetectorModelDefinition (p. 2502)

DetectorModelDescription
A brief description of the detector model.
Required: No
Type: String
Maximum: 128

DetectorModelName
The name of the detector model.
Required: No
Type: String
Minimum: 1
Maximum: 128

Key
The input attribute key used to identify a device or system to create a detector (an instance of the
detector model) and then to route each input received to the appropriate detector (instance). This
parameter uses a JSON-path expression to specify the attribute-value pair in the message payload
of each input that is used to identify the device associated with the input.
Required: No
Type: String
Minimum: 1
Maximum: 128
Pattern: ^((`[\w\- ]+`)|([\w\-]+))(\.((`[\w- ]+`)|([\w\-]+)))*$

RoleArn
The ARN of the role that grants permission to AWS IoT Events to perform its operations.

2493
IoTEvents
Required: No
Type: String
Minimum: 1
Maximum: 2048

Tags
Required: No
Type: List of Tag
Return Values
Ref
detector model. For example:
{"Ref": "myDetectorModel"}
For the AWS IoT Events detector model myDetectorModel, Ref returns the name of the detector
model.
Examples
Simple Detector Model
The following example creates a simple detector model with only one state.
JSON
{
"Description": "Simple Detector Model Template",
"Resources": {
"MyDetectorModel": {
"Type": "AWS::IoTEvents::DetectorModel",
"Properties": {
"DetectorModelName": "myDetectorModel",
"DetectorModelDescription": "My Detector Model created by CloudFormation",
"Key": "myKey",
"RoleArn": { "Fn::GetAtt" : [ "myRole", "Arn" ] },
"DetectorModelDefinition": {
"InitialStateName": "myInitialState",
"States": [
{
"StateName": "myInitialState",
"OnInput": {
"Events": [
{

2494
IoTEvents
"EventName": "onInputPublishEvent",
"Condition": { "Fn::Join" : [ ".", ["$input", {"Ref": "myInput"}, "foo
> 1"] ] },
"Actions": [
{
"IotTopicPublish": {
"MqttTopic": "myMqttTopic"
}
}
]
}
]
}
}
]
}
}
}
}
}
YAML
---
Description: "Simple Detector Model Template"
Resources:
MyDetectorModel:
Type: "AWS::IoTEvents::DetectorModel"
Properties:
DetectorModelName: "myDetectorModel"
DetectorModelDescription: "My Detector Model created by CloudFormation"
Key: "myKey"
RoleArn: !GetAtt myRole.Arn
InitialStateName: "myInitialState"
States:
- StateName: "myInitialState"
OnInput:
Events:
- EventName: "onInputPublishEvent"
Condition: !Join [".", ["$input", {'Ref': myInput}, "foo > 1"]]
Actions:
- IotTopicPublish:
MqttTopic: "myMqttTopic"
Full Detector Model
The following example creates a more complete example of a detector model with two states.
JSON
{
"Description": "Detector Model Template for CloudFormation",
"Resources": {
"MyDetectorModel": {
"Type": "AWS::IoTEvents::DetectorModel",
"Properties": {
"DetectorModelName": "myDetectorModel",
"DetectorModelDescription": "My Detector Model created by CloudFormation",
"Key": "myKey",
"RoleArn": "arn:aws:iam::123456789012:role/myIotEventsRole",
"DetectorModelDefinition": {

2495
IoTEvents
"InitialStateName": "myInitialState",
"States": [
{
"StateName": "myInitialState",
"OnEnter": {
"Events": [
{
"EventName": "onEnterEvent",
"Actions": [
{
"SetVariable": {
"VariableName": "Variable",
"Value": "0"
}
}
]
},
{
"EventName": "onEnter Event 2",
"Condition": "true",
"Actions": [
{
"SetTimer": {
"TimerName": "myTimer",
"Seconds": 60
}
}
]
}
]
},
"OnInput": {
"Events": [
{
"EventName": "onInputEvent",
"Condition": { "Fn::Join" : [ ".", ["$input", {"Ref": "myInput"}, "foo
> 1"] ] },
"Actions": [
{
"IotTopicPublish": {
"MqttTopic": "myMqttTopic"
}
},
{
"ResetTimer": {
"TimerName": "myTimer"
}
}
]
}
],
"TransitionEvents": [
{
"EventName": "Transit to other state",
"Actions": [
{
"Sns": {
"TargetArn": "arn:aws:sns:123456789012:mySnsTopic"
}
},
{
"Lambda": {
"FunctionArn":
"arn:aws:lambda:123456789012:function:myLambdaFunction"
}

2496
IoTEvents
},
{
"Firehose": {
"DeliveryStreamName": "myStreamName",
"Separator": ","
}
},
{
"Sqs": {
"QueueUrl": "myQueueUrl",
"UseBase64": true
}
},
{
"IotEvents": {
"InputName": "myInputName"
}
}
],
"NextState": "myOtherState"
}
]
},
"OnExit": {
"Events": [
{
"EventName": "Clear timers",
"Condition": "1 == 1",
"Actions": [
{
"ClearTimer": {
}
}
]
}
]
}
},
{
"StateName": "myOtherState",
"OnEnter": {
"Events": [
{
"EventName": "onEnterEvent",
"Actions": [
{
"SetVariable": {
"VariableName": "Variable",
"Value": "0"
}
}
]
},
{
"EventName": "onEnter Event 2",
"Actions": [
{
"SetTimer": {
"TimerName": "myTimer",
"Seconds": 60
}
}
]
}

2497
IoTEvents
]
},
"OnExit": {
"Events": [
{
"EventName": "Clear timers",
"Condition": "1 == 1",
"Actions": [
{
"ClearTimer": {
}
}
]
}
]
}
}
]
}
}
}
}
}
YAML
---
Description: "Detector Model Template for CloudFormation"
Resources:
MyDetectorModel:
Type: "AWS::IoTEvents::DetectorModel"
Properties:
DetectorModelName: "myDetectorModel"
DetectorModelDescription: "My Detector Model created by CloudFormation"
Key: "myKey"
RoleArn: "arn:aws:iam::123456789012:role/myIotEventsRole"
InitialStateName: "myInitialState"
States:
- StateName: "myInitialState"
OnEnter:
Events:
- EventName: "onEnterEvent"
Actions:
- SetVariable:
VariableName: "Variable"
Value: "0"
- EventName: "onEnter Event 2"
Condition: "true"
Actions:
- SetTimer:
TimerName: "myTimer"
Seconds: 60
OnInput:
Events:
- EventName: "onInputEvent"
Condition: !Join [".", ["$input", {'Ref': myInput}, "foo > 1"]]
Actions:
- IotTopicPublish:
MqttTopic: "myMqttTopic"
- ResetTimer:
TransitionEvents:

2498
IoTEvents
- EventName: "Transit to other state"

Condition: "true"
Actions:
- Sns:
TargetArn: "arn:aws:sns:123456789012:mySnsTopic"
- Lambda:
FunctionArn:
"arn:aws:lambda:123456789012:function:myLambdaFunction"
- Firehose:
DeliveryStreamName: "myStreamName"
Separator: ","
- Sqs:
QueueUrl: "myQueueUrl"
UseBase64: true
- IotEvents:
InputName: "myInputName"
NextState: "myOtherState"
OnExit:
Events:
- EventName: "Clear timers"
Condition: "1 == 1"
Actions:
- ClearTimer:
- StateName: "myOtherState"
OnEnter:
Events:
- EventName: "onEnterEvent"
Actions:
- SetVariable:
VariableName: "Variable"
Value: "0"
- EventName: "onEnter Event 2"
Condition: "true"
Actions:
- SetTimer:
Seconds: 60
OnExit:
Events:
- EventName: "Clear timers"
Condition: "1 == 1"
Actions:
- ClearTimer:
See Also
• How to Use AWS IoT Events in the AWS IoT Events Developer Guide
• CreateDetectorModel in the AWS IoT Events API Reference
AWS::IoTEvents::DetectorModel Action
An action to be performed when the "condition" is TRUE.
Syntax

2499
IoTEvents
JSON
{
"ClearTimer" : ClearTimer (p. 2502),
"Firehose" : Firehose (p. 2504),
"IotEvents" : IotEvents (p. 2505),
"IotTopicPublish" : IotTopicPublish (p. 2505),
"Lambda" : Lambda (p. 2506),
"ResetTimer" : ResetTimer (p. 2508),
"SetTimer" : SetTimer (p. 2509),
"SetVariable" : SetVariable (p. 2510),
"Sns" : Sns (p. 2510),
"Sqs" : Sqs (p. 2511)
}
YAML
ClearTimer:
ClearTimer (p. 2502)
Firehose:
Firehose (p. 2504)
IotEvents:
IotEvents (p. 2505)
IotTopicPublish:
IotTopicPublish (p. 2505)
Lambda:
Lambda (p. 2506)
ResetTimer:
ResetTimer (p. 2508)
SetTimer:
SetTimer (p. 2509)
SetVariable:
SetVariable (p. 2510)
Sns:
Sns (p. 2510)
Sqs:
Sqs (p. 2511)
Properties
ClearTimer
Information needed to clear the timer.
Required: No
Type: ClearTimer (p. 2502)

Firehose
Sends information about the detector model instance and the event which triggered the action to a
Kinesis Data Firehose delivery stream.
Required: No
Type: Firehose (p. 2504)

IotEvents
Sends an IoT Events input, passing in information about the detector model instance and the event
which triggered the action.

2500
IoTEvents
Required: No
Type: IotEvents (p. 2505)

IotTopicPublish
Publishes an MQTT message with the given topic to the AWS IoT message broker.
Required: No
Type: IotTopicPublish (p. 2505)

Lambda
Calls an AWS Lambda function, passing in information about the detector model instance and the
event which triggered the action.
Required: No
Type: Lambda (p. 2506)

ResetTimer
Information needed to reset the timer.
Required: No
Type: ResetTimer (p. 2508)

SetTimer
Information needed to set the timer.
Required: No
Type: SetTimer (p. 2509)

SetVariable
Sets a variable to a specified value.
Required: No
Type: SetVariable (p. 2510)

Sns
Sends an Amazon SNS message.
Required: No
Type: Sns (p. 2510)

2501
IoTEvents

Sqs
Sends information about the detector model instance and the event which triggered the action to an
Amazon SQS queue.
Required: No
Type: Sqs (p. 2511)
AWS::IoTEvents::DetectorModel ClearTimer
Information needed to clear the timer.
Syntax
JSON
{
"TimerName" : String
}
YAML
TimerName: String
Properties
TimerName
The name of the timer.
Required: No
Type: String
AWS::IoTEvents::DetectorModel DetectorModelDefinition
Information that defines how a detector operates.
Syntax
JSON
{
"InitialStateName" : String,
"States" : [ State (p. 2512), ... ]
}

2502
IoTEvents
YAML
InitialStateName: String
States:
- State (p. 2512)
Properties
InitialStateName
The state that is entered at the creation of each detector (instance).
Required: No
Type: String
Minimum: 1
Maximum: 128

States
Information about the states of the detector.
Required: No
Type: List of State (p. 2512)
AWS::IoTEvents::DetectorModel Event
Specifies the "actions" to be performed when the "condition" evaluates to TRUE.
Syntax
JSON
{
"Actions" : [ Action (p. 2499), ... ],
"EventName" : String
}
YAML
Actions:
- Action (p. 2499)
Condition: String
EventName: String
Properties
Actions
The actions to be performed.

2503
IoTEvents
Required: No

Condition
[Optional] The Boolean expression that when TRUE causes the "actions" to be performed. If
not present, the actions are performed (=TRUE); if the expression result is not a Boolean value, the
actions are NOT performed (=FALSE).
Required: No
Type: String
Maximum: 512

EventName
The name of the event.
Required: No
Type: String
Maximum: 128
AWS::IoTEvents::DetectorModel Firehose
Sends information about the detector model instance and the event which triggered the action to a
Kinesis Data Firehose delivery stream.
Syntax
JSON
{
"Separator" : String
}
YAML
Separator: String
Properties
DeliveryStreamName
The name of the Kinesis Data Firehose delivery stream where the data is written.

2504
IoTEvents
Required: No
Type: String

Separator
A character separator that is used to separate records written to the Kinesis Data Firehose delivery
stream. Valid values are: '\n' (newline), '\t' (tab), '\r\n' (Windows newline), ',' (comma).
Required: No
Type: String
AWS::IoTEvents::DetectorModel IotEvents
Sends an IoT Events input, passing in information about the detector model instance and the event
Syntax
JSON
{
"InputName" : String
}
YAML
InputName: String
Properties
InputName
The name of the AWS IoT Events input where the data is sent.
Required: No
Type: String
AWS::IoTEvents::DetectorModel IotTopicPublish
Sends information about the detector model instance and the event which triggered the action in an
MQTT message with the given topic to the AWS IoT message broker.
Syntax

2505
IoTEvents
JSON
{
"MqttTopic" : String
}
YAML
MqttTopic: String
Properties
MqttTopic
The MQTT topic of the message.
Required: No
Type: String
AWS::IoTEvents::DetectorModel Lambda
Calls an AWS Lambda function, passing in information about the detector model instance and the event
Syntax
JSON
{
"FunctionArn" : String
}
YAML
FunctionArn: String
Properties
FunctionArn
The ARN of the AWS Lambda function which is executed.
Required: No
Type: String
AWS::IoTEvents::DetectorModel OnEnter
When entering this state, perform these "actions" if the "condition" is TRUE.

2506
IoTEvents
Syntax
JSON
{
"Events" : [ Event (p. 2503), ... ]
}
YAML
Events:
- Event (p. 2503)
Properties
Events
Specifies the actions that are performed when the state is entered and the "condition" is TRUE.
Required: No
Type: List of Event (p. 2503)
AWS::IoTEvents::DetectorModel OnExit
When exiting this state, perform these "actions" if the "condition" is TRUE.
Syntax
JSON
{
"Events" : [ Event (p. 2503), ... ]
}
YAML
Events:
- Event (p. 2503)
Properties
Events
Specifies the actions that are performed when the state is exited and the "condition" is TRUE.
Required: No

2507
IoTEvents
AWS::IoTEvents::DetectorModel OnInput
When an input is received and the "condition" is TRUE, perform the specified "actions".
Syntax
JSON
{
"Events" : [ Event (p. 2503), ... ],
"TransitionEvents" : [ TransitionEvent (p. 2513), ... ]
}
YAML
Events:
- Event (p. 2503)
TransitionEvents:
- TransitionEvent (p. 2513)
Properties
Events
Specifies the actions that are performed when an input is received and the "condition" is TRUE.
Required: No

TransitionEvents
Specifies the actions performed, and the next state entered, when an input is received and a
"condition" evaluates to TRUE.
Required: No
Type: List of TransitionEvent (p. 2513)
AWS::IoTEvents::DetectorModel ResetTimer
Information needed to reset the timer.
Syntax
JSON

2508
IoTEvents
}
YAML
TimerName: String
Properties
TimerName
Required: No
Type: String
AWS::IoTEvents::DetectorModel SetTimer
Information needed to set the timer.
Syntax
JSON
{
"Seconds" : Integer,
}
YAML
Seconds: Integer
TimerName: String
Properties
Seconds
The number of seconds until the timer expires. The minimum value is 60 seconds to ensure accuracy.
Required: No
Type: Integer

TimerName
Required: No
Type: String

2509
IoTEvents
AWS::IoTEvents::DetectorModel SetVariable
Sets a variable to a specified value.
Syntax
JSON
{
"Value" : String,
"VariableName" : String
}
YAML
Value: String
VariableName: String
Properties
Value
The new value of the variable.
Required: No
Type: String

VariableName
The name of the variable.
Required: No
Type: String
AWS::IoTEvents::DetectorModel Sns
Sends an Amazon SNS message.
Syntax
JSON
{
}

2510
IoTEvents
YAML
TargetArn: String
Properties
TargetArn
The ARN of the Amazon SNS target where the message is sent.
Required: No
Type: String
AWS::IoTEvents::DetectorModel Sqs
Sends information about the detector model instance and the event which triggered the action to an
Amazon SQS queue.
Syntax
JSON
{
"QueueUrl" : String,
"UseBase64" : Boolean
}
YAML
QueueUrl: String
UseBase64: Boolean
Properties
QueueUrl
The URL of the Amazon SQS queue where the data is written.
Required: No
Type: String

UseBase64
Set this to TRUE if you want the data to be Base-64 encoded before it is written to the queue.
Otherwise, set this to FALSE.
Required: No
Type: Boolean

2511
IoTEvents
AWS::IoTEvents::DetectorModel State
Information that defines a state of a detector.
Syntax
JSON
{
"OnEnter" : OnEnter (p. 2506),
"OnExit" : OnExit (p. 2507),
"OnInput" : OnInput (p. 2508),
"StateName" : String
}
YAML
OnEnter:
OnEnter (p. 2506)
OnExit:
OnExit (p. 2507)
OnInput:
OnInput (p. 2508)
StateName: String
Properties
OnEnter
When entering this state, perform these "actions" if the "condition" is TRUE.
Required: No
Type: OnEnter (p. 2506)

OnExit
When exiting this state, perform these "actions" if the specified "condition" is TRUE.
Required: No
Type: OnExit (p. 2507)

OnInput
When an input is received and the "condition" is TRUE, perform the specified "actions".
Required: No
Type: OnInput (p. 2508)

StateName
The name of the state.

2512
IoTEvents
Required: No
Type: String
Minimum: 1
Maximum: 128
AWS::IoTEvents::DetectorModel TransitionEvent
Specifies the actions performed and the next state entered when a "condition" evaluates to TRUE.
Syntax
JSON
{
"Actions" : [ Action (p. 2499), ... ],
"EventName" : String,
"NextState" : String
}
YAML
Actions:
- Action (p. 2499)
Condition: String
EventName: String
NextState: String
Properties
Actions
The actions to be performed.
Required: No

Condition
[Required] A Boolean expression that when TRUE causes the actions to be performed and the
"nextState" to be entered.
Required: No
Type: String
Maximum: 512

2513
IoTEvents
EventName
The name of the transition event.
Required: No
Type: String
Maximum: 128

NextState
The next state to enter.
Required: No
Type: String
Minimum: 1
Maximum: 128
AWS::IoTEvents::Input
The AWS::IoTEvents::Input resource creates an input. To monitor your devices and processes, they must
have a way to get telemetry data into AWS IoT Events. This is done by sending messages as inputs to
AWS IoT Events. For more information, see How to Use AWS IoT Events in the AWS IoT Events Developer
Guide.
Syntax
JSON
{
"Type" : "AWS::IoTEvents::Input",
"Properties" : {
"InputDefinition" : InputDefinition (p. 2517),
"InputDescription" : String,
"InputName" : String,
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::IoTEvents::Input
Properties:
InputDefinition:
InputDefinition (p. 2517)
InputDescription: String
InputName: String
Tags:
- Tag

2514
IoTEvents
Properties
InputDefinition
The definition of the input.
Required: No
Type: InputDefinition (p. 2517)

InputDescription
A brief description of the input.
Required: No
Type: String
Maximum: 128

InputName
The name of the input.
Required: No
Type: String
Minimum: 1
Maximum: 128
Pattern: ^[a-zA-Z][a-zA-Z0-9_]*$

Tags
Required: No
Type: List of Tag
Return Values
Ref
input. For example:
{"Ref": "myInput"}
For the AWS IoT Events input myInput, Ref returns the name of the input.

2515
IoTEvents
Examples
Input
The following example creates an input.
JSON
{
"Description": "Input Template for CloudFormation",
"Resources": {
"myInput": {
"Type": "AWS::IoTEvents::Input",
"Properties": {
"InputName": "myInput",
"InputDescription": "My Input created by CloudFormation",
"InputDefinition": {
"Attributes": [
{
"JsonPath": "foo"
},
{
"JsonPath": "bar"
}
]
}
}
}
}
}
YAML
---
Description: "Input Template for CloudFormation"
Resources:
myInput:
Type: "AWS::IoTEvents::Input"
Properties:
InputName: "myInput"
InputDescription: "My Input created by CloudFormation"
InputDefinition:
Attributes:
-
JsonPath: "foo"
-
JsonPath: "bar"
See Also
• How to Use AWS IoT Events in the AWS IoT Events Developer Guide
• CreateInput in the AWS IoT Events API Reference
AWS::IoTEvents::Input Attribute
The attributes from the JSON payload that are made available by the input. Inputs are derived from
messages sent to the AWS IoT Events system using BatchPutMessage. Each such message contains a
JSON payload, and those attributes (and their paired values) specified here are available for use in the
condition expressions used by detectors.

2516
IoTEvents
Syntax
JSON
{
"JsonPath" : String
}
YAML
JsonPath: String
Properties
JsonPath
An expression that specifies an attribute-value pair in a JSON structure. Use this to specify an
attribute from the JSON payload that is made available by the input. Inputs are derived from
messages sent to the AWS IoT Events system (BatchPutMessage). Each such message contains
a JSON payload, and the attribute (and its paired value) specified here are available for use in the
"condition" expressions used by detectors.
Syntax: <field-name>.<field-name>...
Required: No
Type: String
Minimum: 1
Maximum: 128
Pattern: ^((`[\w\- ]+`)|([\w\-]+))(\.((`[\w- ]+`)|([\w\-]+)))*$
AWS::IoTEvents::Input InputDefinition
The definition of the input.
Syntax
JSON
{
"Attributes" : [ Attribute (p. 2516), ... ]
}
YAML
Attributes:
- Attribute (p. 2516)

2517
AWS IoT Greengrass
Properties
Attributes
The attributes from the JSON payload that are made available by the input. Inputs are derived from
messages sent to the AWS IoT Events system using BatchPutMessage. Each such message contains
a JSON payload, and those attributes (and their paired values) specified here are available for use in
the "condition" expressions used by detectors that monitor this input.
Required: No
Type: List of Attribute (p. 2516)
Maximum: 200
AWS IoT Greengrass Resource Type Reference

Resource Types
• AWS::Greengrass::ConnectorDefinition (p. 2518)

• AWS::Greengrass::ConnectorDefinitionVersion (p. 2524)
• AWS::Greengrass::CoreDefinition (p. 2527)
• AWS::Greengrass::CoreDefinitionVersion (p. 2533)
• AWS::Greengrass::DeviceDefinition (p. 2538)
• AWS::Greengrass::DeviceDefinitionVersion (p. 2543)
• AWS::Greengrass::FunctionDefinition (p. 2547)
• AWS::Greengrass::FunctionDefinitionVersion (p. 2560)
• AWS::Greengrass::Group (p. 2572)
• AWS::Greengrass::GroupVersion (p. 2585)
• AWS::Greengrass::LoggerDefinition (p. 2587)
• AWS::Greengrass::LoggerDefinitionVersion (p. 2592)
• AWS::Greengrass::ResourceDefinition (p. 2596)
• AWS::Greengrass::ResourceDefinitionVersion (p. 2610)
• AWS::Greengrass::SubscriptionDefinition (p. 2622)
• AWS::Greengrass::SubscriptionDefinitionVersion (p. 2627)
AWS::Greengrass::ConnectorDefinition
The AWS::Greengrass::ConnectorDefinition resource represents a connector definition for AWS
IoT Greengrass. Connector definitions are used to organize your connector definition versions.
Connector definitions can reference multiple connector definition versions. All connector definition
versions must be associated with a connector definition. Each connector definition version can contain
one or more connectors.
Note
When you create a connector definition, you can optionally include an initial connector
definition version. To associate a connector definition version later, create an
AWS::Greengrass::ConnectorDefinitionVersion resource and specify the ID of this
connector definition.

2518
AWS IoT Greengrass
After you create the connector definition version that contains the connectors you
want to deploy, you must add it to your group version. For more information, see
AWS::Greengrass::Group.
Syntax
JSON
{
"Type" : "AWS::Greengrass::ConnectorDefinition",
"Properties" : {
"InitialVersion" : ConnectorDefinitionVersion (p. 2523),
"Name" : String,
"Tags" : Json
}
}
YAML
Type: AWS::Greengrass::ConnectorDefinition
Properties:
InitialVersion:
ConnectorDefinitionVersion (p. 2523)
Name: String
Tags: Json
Properties
InitialVersion
The connector definition version to include when the connector definition is created. A connector
definition version contains a list of connector property types.
Note
To associate a connector definition version after the connector definition is created, create
an AWS::Greengrass::ConnectorDefinitionVersion resource and specify the ID of
this connector definition.
Required: No
Type: ConnectorDefinitionVersion (p. 2523)

Name
The name of the connector definition.
Required: Yes
Type: String

Tags
Application-specific metadata to attach to the connector definition. You can use tags in IAM
policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your
resources. For more information, see Tagging Your AWS IoT Greengrass Resources in the AWS IoT
Greengrass Developer Guide.

2519
AWS IoT Greengrass
This Json property type is processed as a map of key-value pairs. It uses the following format, which
is different from most Tags implementations in AWS CloudFormation templates.
"Tags": {
"KeyName0": "value",
"KeyName2": "value"
}
Required: No
Type: Json
Return Values
Ref
connector definition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the ConnectorDefinition, such as

arn:aws:greengrass:us-east-1:123456789012:/greengrass/definition/
connectors/1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Id
The ID of the ConnectorDefinition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.

LatestVersionArn
The ARN of the last ConnectorDefinitionVersion that was added to the

ConnectorDefinition, such as arn:aws:greengrass:us-east-1:123456789012:/
greengrass/definition/connectors/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/
versions/9876ac30-4bdb-4f9d-95af-b5fdb66be1a2.
Name
The name of the ConnectorDefinition, such as MyConnectorDefinition.
Examples
Connector Definition Snippet
The following snippet defines a connector definition resource with an initial version that contains a
connector.

2520
AWS IoT Greengrass
For an example of a complete template, see the AWS::Greengrass::Group resource.
JSON
"TestConnectorDefinition": {
"Type": "AWS::Greengrass::ConnectorDefinition",
"Properties": {
"Name": "DemoTestConnectorDefinition",
"InitialVersion": {
"Connectors": [
{
"Id": "Connector1",
"ConnectorArn": {
"Fn::Join": [
":",
[
"arn:aws:greengrass",
{
},
":/connectors/SNS/versions/1"
]
]
},
"Parameters": {
"DefaultSNSArn": {
"Fn::Join": [
":",
[
"arn:aws:sns",
{
},
{
},
"defaultSns"
]
]
}
}
}
]
}
}
}
YAML
TestConnectorDefinition:
Type: 'AWS::Greengrass::ConnectorDefinition'
Properties:
Name: DemoTestConnectorDefinition
InitialVersion:
Connectors:
- Id: Connector1
ConnectorArn: !Join
- ':'
- - 'arn:aws:greengrass'
- ':/connectors/SNS/versions/1'
Parameters:
DefaultSNSArn: !Join
- ':'

2521
AWS IoT Greengrass
- - 'arn:aws:sns'
- defaultSns
See Also
• CreateConnectorDefinition in the AWS IoT Greengrass API Reference
• AWS IoT Greengrass Developer Guide
AWS::Greengrass::ConnectorDefinition Connector
Connectors are modules that provide built-in integration with local infrastructure, device protocols,
AWS, and other cloud services. For more information, see Integrate with Services and Protocols Using
Greengrass Connectors in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, the Connectors property of the

ConnectorDefinitionVersion property type contains a list of Connector property types.
Syntax
JSON
{
"ConnectorArn" : String,
"Id" : String,
"Parameters" : Json
}
YAML
ConnectorArn: String
Id: String
Parameters: Json
Properties
ConnectorArn
The Amazon Resource Name (ARN) of the connector.
For more information about AWS-provided connectors, see AWS-Provided Greengrass Connectors.
Required: Yes
Type: String

Id
A descriptive or arbitrary ID for the connector. This value must be unique within the connector
definition version. Maximum length is 128 characters with pattern [a-zA-Z0-9:_-]+.
Required: Yes

2522
AWS IoT Greengrass
Type: String

Parameters
The parameters or configuration used by the connector.
Required: No
Type: Json
See Also
• Connector in the AWS IoT Greengrass API Reference

AWS::Greengrass::ConnectorDefinition ConnectorDefinitionVersion
A connector definition version contains a list of connectors.
Note
After you create a connector definition version that contains the connectors you want to deploy,
you must add it to your group version. For more information, see AWS::Greengrass::Group.
In an AWS CloudFormation template, ConnectorDefinitionVersion is the property type of the

InitialVersion property in the AWS::Greengrass::ConnectorDefinition resource.
Syntax
JSON
{
"Connectors" : [ Connector (p. 2522), ... ]
}
YAML
Connectors:
- Connector (p. 2522)
Properties
Connectors
The connectors in this version. Only one instance of a given connector can be added to a connector
definition version at a time.
Required: Yes
Type: List of Connector (p. 2522)

2523
AWS IoT Greengrass
See Also
• ConnectorDefinitionVersion in the AWS IoT Greengrass API Reference

AWS::Greengrass::ConnectorDefinitionVersion
The AWS::Greengrass::ConnectorDefinitionVersion resource represents a connector definition
version for AWS IoT Greengrass. A connector definition version contains a list of connectors.
Note
To create a connector definition version, you must specify the ID of the connector definition that
you want to associate with the version. For information about creating a connector definition,
see AWS::Greengrass::ConnectorDefinition.
After you create a connector definition version that contains the connectors you want to deploy,
Syntax
JSON
{
"Type" : "AWS::Greengrass::ConnectorDefinitionVersion",
"Properties" : {
"ConnectorDefinitionId" : String,
"Connectors" : [ Connector (p. 2526), ... ]
}
}
YAML
Type: AWS::Greengrass::ConnectorDefinitionVersion
Properties:
ConnectorDefinitionId: String
Connectors:
- Connector (p. 2526)
Properties
ConnectorDefinitionId
The ID of the connector definition associated with this version. This value is a GUID.
Required: Yes
Type: String

Connectors
The connectors in this version. Only one instance of a given connector can be added to the
connector definition version at a time.

2524
AWS IoT Greengrass
Required: Yes
Type: List of Connector (p. 2526)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref
returns the Amazon Resource Name (ARN) of the connector definition version,
such as arn:aws:greengrass:us-east-1:123456789012:/greengrass/
definition/connectors/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/
Examples
Connector Definition Version Snippet
The following snippet defines connector definition and connector definition version resources. The
connector definition version references the connector definition and contains a connector.
JSON
"TestConnectorDefinition": {
"Type": "AWS::Greengrass::ConnectorDefinition",
"Properties": {
"Name": "DemoTestConnectorDefinition"
}
},
"TestConnectorDefinitionVersion": {
"Type": "AWS::Greengrass::ConnectorDefinitionVersion",
"Properties": {
"ConnectorDefinitionId": {
"Ref": "TestConnectorDefinition"
},
"Connectors": [
{
"Id": "Connector1",
"ConnectorArn": {
"Fn::Join": [
":",
[
"arn:aws:greengrass",
{
},
":/connectors/SNS/versions/1"
]
]
},
"Parameters": {
"DefaultSNSArn": {
"Fn::Join": [
":",
[

2525
AWS IoT Greengrass
"arn:aws:sns",
{
},
{
},
"defaultSns"
]
]
}
}
}
]
}
}
YAML
TestConnectorDefinition:
Type: 'AWS::Greengrass::ConnectorDefinition'
Properties:
Name: DemoTestConnectorDefinition
TestConnectorDefinitionVersion:
Type: 'AWS::Greengrass::ConnectorDefinitionVersion'
Properties:
ConnectorDefinitionId: !Ref TestConnectorDefinition
Connectors:
- Id: Connector1
ConnectorArn: !Join
- ':'
- - 'arn:aws:greengrass'
- ':/connectors/SNS/versions/1'
Parameters:
DefaultSNSArn: !Join
- ':'
- - 'arn:aws:sns'
- defaultSns
See Also
• CreateConnectorDefinitionVersion in the AWS IoT Greengrass API Reference
AWS::Greengrass::ConnectorDefinitionVersion Connector
Connectors are modules that provide built-in integration with local infrastructure, device protocols,
AWS, and other cloud services. For more information, see Integrate with Services and Protocols Using
Greengrass Connectors in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, the Connectors property of the

AWS::Greengrass::ConnectorDefinitionVersion resource contains a list of Connector
property types.
Syntax

2526
AWS IoT Greengrass
JSON
{
"ConnectorArn" : String,
"Id" : String,
"Parameters" : Json
}
YAML
ConnectorArn: String
Id: String
Parameters: Json
Properties
ConnectorArn
The Amazon Resource Name (ARN) of the connector.
Required: Yes
Type: String

Id
A descriptive or arbitrary ID for the connector. This value must be unique within the connector
Required: Yes
Type: String

Parameters
The parameters or configuration that the connector uses.
Required: No
Type: Json
See Also
• Connector in the AWS IoT Greengrass API Reference

AWS::Greengrass::CoreDefinition
The AWS::Greengrass::CoreDefinition resource represents a core definition for AWS IoT
Greengrass. Core definitions are used to organize your core definition versions.

2527
AWS IoT Greengrass
Core definitions can reference multiple core definition versions. All core definition versions must be
associated with a core definition. Each core definition version can contain one Greengrass core.
Note
When you create a core definition, you can optionally include an initial core
definition version. To associate a core definition version later, create an
AWS::Greengrass::CoreDefinitionVersion resource and specify the ID of this core
definition.
After you create the core definition version that contains the core you want to deploy, you must
add it to your group version. For more information, see AWS::Greengrass::Group.
Syntax
JSON
{
"Type" : "AWS::Greengrass::CoreDefinition",
"Properties" : {
"InitialVersion" : CoreDefinitionVersion (p. 2532),
"Name" : String,
"Tags" : Json
}
}
YAML
Type: AWS::Greengrass::CoreDefinition
Properties:
InitialVersion:
CoreDefinitionVersion (p. 2532)
Name: String
Tags: Json
Properties
InitialVersion
The core definition version to include when the core definition is created. Currently, a core definition
version can contain only one core.
Note
To associate a core definition version after the core definition is created, create an
AWS::Greengrass::CoreDefinitionVersion resource and specify the ID of this core
definition.
Required: No
Type: CoreDefinitionVersion (p. 2532)

Name
The name of the core definition.
Required: Yes
Type: String

2528
AWS IoT Greengrass

Tags
Application-specific metadata to attach to the core definition. You can use tags in IAM policies to
control access to AWS IoT Greengrass resources. You can also use tags to categorize your resources.
For more information, see Tagging Your AWS IoT Greengrass Resources in the AWS IoT Greengrass
Developer Guide.
"Tags": {
"KeyName2": "value"
}
Required: No
Type: Json
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the core
definition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the CoreDefinition, such as

cores/1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Id
The ID of the CoreDefinition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.

LatestVersionArn
The ARN of the last CoreDefinitionVersion that was added to the CoreDefinition,
such as arn:aws:greengrass:us-east-1:123456789012:/greengrass/definition/
cores/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/versions/9876ac30-4bdb-4f9d-95af-
b5fdb66be1a2.
Name
The name of the CoreDefinition, such as MyCoreDefinition.

2529
AWS IoT Greengrass
Examples
Create a Core Definition
The following example creates a core definition that specifies an initial version that contains a core.
The template uses the Ref function to return the ID of the core definition for the CoreDefinitionId
property, which associates the version with the core definition. The template uses parameters to
represent the core definition name and the ID, thing ARN, and certificate ARN to use for the core. It also
outputs the ID of the new core definition.
For another template example, see the AWS::Greengrass::Group resource.
JSON
{
"Description": "Create CoreDefinition with InitialVersion",
"Parameters": {
"CoreDefinitionName": {
"Type": "String",
"Default": "TestCoreDefinition"
},
"CoreId": {
"Type": "String",
"Default": "TestCoreId"
},
"CoreThingArn": {
"Type": "String",
"Default": "TestCoreThingArn"
},
"CoreCertificateArn": {
"Type": "String",
"Default": "TestCoreCertArn"
}
},
"Resources": {
"CoreDefinition": {
"Type": "AWS::Greengrass::CoreDefinition",
"Properties": {
"Name": {
"Ref": "CoreDefinitionName"
},
"InitialVersion": {
"Cores": [
{
"Id": {
"Ref": "CoreId"
},
"ThingArn": {
"Ref": "CoreThingArn"
},
"CertificateArn": {
"Ref": "CoreCertificateArn"
},
"SyncShadow": "true"
}
]
}
}
}
},
"Outputs": {
"CoreDefinitionId": {
"Value": {

2530
AWS IoT Greengrass
"Ref": "CoreDefinition"
}
}
}
}
YAML
Description: Create CoreDefinition with InitialVersion

Parameters:
CoreDefinitionName:
Type: String
Default: TestCoreDefinition
CoreId:
Type: String
Default: TestCoreId
CoreThingArn:
Type: String
Default: TestCoreThingArn
CoreCertificateArn:
Type: String
Default: TestCoreCertArn
Resources:
CoreDefinition:
Type: 'AWS::Greengrass::CoreDefinition'
Properties:
Name: !Ref CoreDefinitionName
InitialVersion:
Cores:
- Id: !Ref CoreId
ThingArn: !Ref CoreThingArn
CertificateArn: !Ref CoreCertificateArn
SyncShadow: 'true'
Outputs:
CoreDefinitionId:
Value: !Ref CoreDefinition
See Also
• CreateCoreDefinition in the AWS IoT Greengrass API Reference
AWS::Greengrass::CoreDefinition Core
A core is an AWS IoT device that runs the AWS IoT Greengrass core software and manages local
processes for a Greengrass group. For more information, see What Is AWS IoT Greengrass? in the AWS IoT
In an AWS CloudFormation template, the Cores property of the CoreDefinitionVersion property

type contains a list of Core property types. Currently, the list can contain only one core.
Syntax
JSON
{
"Id" : String,
"SyncShadow" : Boolean,

2531
AWS IoT Greengrass
"ThingArn" : String
}
YAML
Id: String
SyncShadow: Boolean
ThingArn: String
Properties
CertificateArn
The Amazon Resource Name (ARN) of the device certificate for the core. This X.509 certificate is used
to authenticate the core with AWS IoT and AWS IoT Greengrass services.
Required: Yes
Type: String

Id
A descriptive or arbitrary ID for the core. This value must be unique within the core definition
version. Maximum length is 128 characters with pattern [a-zA-Z0-9:_-]+.
Required: Yes
Type: String

SyncShadow
Indicates whether the core's local shadow is synced with the cloud automatically. The default is false.
Required: No
Type: Boolean

ThingArn
The ARN of the core, which is an AWS IoT device (thing).
Required: Yes
Type: String
See Also
• Core in the AWS IoT Greengrass API Reference

AWS::Greengrass::CoreDefinition CoreDefinitionVersion
A core definition version contains a Greengrass core.

2532
AWS IoT Greengrass
Note
After you create a core definition version that contains the core you want to deploy, you must
In an AWS CloudFormation template, CoreDefinitionVersion is the property type of the

InitialVersion property in the AWS::Greengrass::CoreDefinition resource.
Syntax
JSON
{
"Cores" : [ Core (p. 2531), ... ]
}
YAML
Cores:
- Core (p. 2531)
Properties
Cores
The Greengrass core in this version. Currently, the Cores property for a core definition version can
contain only one core.
Required: Yes
Type: List of Core (p. 2531)
See Also
• CoreDefinitionVersion in the AWS IoT Greengrass API Reference

AWS::Greengrass::CoreDefinitionVersion
The AWS::Greengrass::CoreDefinitionVersion resource represents a core definition version for
AWS IoT Greengrass. A core definition version contains a Greengrass core.
Note
To create a core definition version, you must specify the ID of the core definition that you
want to associate with the version. For information about creating a core definition, see
AWS::Greengrass::CoreDefinition.
After you create a core definition version that contains the core you want to deploy, you must
Syntax

2533
AWS IoT Greengrass
JSON
{
"Type" : "AWS::Greengrass::CoreDefinitionVersion",
"Properties" : {
"CoreDefinitionId" : String,
"Cores" : [ Core (p. 2536), ... ]
}
}
YAML
Type: AWS::Greengrass::CoreDefinitionVersion
Properties:
CoreDefinitionId: String
Cores:
- Core (p. 2536)
Properties
CoreDefinitionId
The ID of the core definition associated with this version. This value is a GUID.
Required: Yes
Type: String

Cores
The Greengrass core in this version. Currently, the Cores property for a core definition version can
contain only one core.
Required: Yes
Type: List of Core (p. 2536)
Return Values
Ref
returns the Amazon Resource Name (ARN) of the core definition version, such as
cores/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/versions/9876ac30-4bdb-4f9d-95af-
b5fdb66be1a2.
Examples
Create a Core Definition Version
The following example creates two resources: a core definition and a core definition version that contains
a core.

2534
AWS IoT Greengrass
The template uses the Ref function to provide the CoreDefinitionId for the core definition version
(which associates the version with the core definition). The template uses parameters to represent the
core definition name and the ID, thing ARN, and certificate ARN to use for the core. It also outputs the ID
of the new core definition and the ARN of the new core definition version.
For another template example, see the AWS::Greengrass::Group resource.
JSON
{
"Description": "Create CoreDefinition and associated CoreDefinitionVersion",
"Parameters": {
"CoreDefinitionName": {
"Type": "String",
"Default": "TestCoreDefinition"
},
"CoreId": {
"Type": "String",
"Default": "TestCoreId"
},
"CoreThingArn": {
"Type": "String",
"Default": "TestCoreThingArn"
},
"Type": "String",
"Default": "TestCoreCertArn"
}
},
"Resources": {
"CoreDefinition": {
"Properties": {
"Name": {
"Ref": "CoreDefinitionName"
}
}
},
"CoreDefinitionVersion": {
"Type": "AWS::Greengrass::CoreDefinitionVersion",
"Properties": {
},
"Cores": [
{
"Id": {
"Ref": "CoreId"
},
"CertificateArn": {
},
"ThingArn": {
"Ref": "CoreThingArn"
},
}
]
}
}
},
"Outputs": {
"Value": {

2535
AWS IoT Greengrass
}
},
"CoreDefinitionVersionArn": {
"Value": {
"Ref": "CoreDefinitionVersion"
}
}
}
}
YAML
Description: Create CoreDefinition and associated CoreDefinitionVersion

Parameters:
CoreDefinitionName:
Type: String
Default: TestCoreDefinition
CoreId:
Type: String
Default: TestCoreId
CoreThingArn:
Type: String
Default: TestCoreThingArn
CoreCertificateArn:
Type: String
Default: TestCoreCertArn
Resources:
CoreDefinition:
Properties:
Name: !Ref CoreDefinitionName
CoreDefinitionVersion:
Type: 'AWS::Greengrass::CoreDefinitionVersion'
Properties:
CoreDefinitionId: !Ref CoreDefinition
Cores:
- Id: !Ref CoreId
ThingArn: !Ref CoreThingArn
SyncShadow: 'true'
Outputs:
CoreDefinitionId:
Value: !Ref CoreDefinition
CoreDefinitionVersionArn:
Value: !Ref CoreDefinitionVersion
See Also
• CreateCoreDefinitionVersion in the AWS IoT Greengrass API Reference
AWS::Greengrass::CoreDefinitionVersion Core
A core is an AWS IoT device that runs the AWS IoT Greengrass core software and manages local
processes for a Greengrass group. For more information, see What Is AWS IoT Greengrass? in the AWS IoT
In an AWS CloudFormation template, the Cores property of the

AWS::Greengrass::CoreDefinitionVersion resource contains a list of Core property types.
Currently, the list can contain only one core.

2536
AWS IoT Greengrass
Syntax
JSON
{
"Id" : String,
"ThingArn" : String
}
YAML
Id: String
SyncShadow: Boolean
ThingArn: String
Properties
CertificateArn
The ARN of the device certificate for the core. This X.509 certificate is used to authenticate the core
with AWS IoT and AWS IoT Greengrass services.
Required: Yes
Type: String

Id
A descriptive or arbitrary ID for the core. This value must be unique within the core definition
Required: Yes
Type: String

SyncShadow
Indicates whether the core's local shadow is synced with the cloud automatically. The default is false.
Required: No
Type: Boolean

ThingArn
The Amazon Resource Name (ARN) of the core, which is an AWS IoT device (thing).
Required: Yes

2537
AWS IoT Greengrass
Type: String
See Also
• Core in the AWS IoT Greengrass API Reference

AWS::Greengrass::DeviceDefinition
The AWS::Greengrass::DeviceDefinition resource represents a device definition for AWS IoT
Greengrass. Device definitions are used to organize your device definition versions.
Device definitions can reference multiple device definition versions. All device definition versions must be
associated with a device definition. Each device definition version can contain one or more devices.
Note
When you create a device definition, you can optionally include an initial device
definition version. To associate a device definition version later, create an
AWS::Greengrass::DeviceDefinitionVersion resource and specify the ID of this device
definition.
After you create the device definition version that contains the devices you want to deploy, you
must add it to your group version. For more information, see AWS::Greengrass::Group.
Syntax
JSON
{
"Type" : "AWS::Greengrass::DeviceDefinition",
"Properties" : {
"InitialVersion" : DeviceDefinitionVersion (p. 2543),
"Name" : String,
"Tags" : Json
}
}
YAML
Type: AWS::Greengrass::DeviceDefinition
Properties:
InitialVersion:
DeviceDefinitionVersion (p. 2543)
Name: String
Tags: Json
Properties
InitialVersion
The device definition version to include when the device definition is created. A device definition
version contains a list of device property types.

2538
AWS IoT Greengrass
Note
To associate a device definition version after the device definition is created, create an
AWS::Greengrass::DeviceDefinitionVersion resource and specify the ID of this
device definition.
Required: No
Type: DeviceDefinitionVersion (p. 2543)

Name
The name of the device definition.
Required: Yes
Type: String

Tags
Application-specific metadata to attach to the device definition. You can use tags in IAM policies to
Developer Guide.
"Tags": {
"KeyName2": "value"
}
Required: No
Type: Json
Return Values
Ref
device definition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Fn::GetAtt

2539
AWS IoT Greengrass
Arn
The Amazon Resource Name (ARN) of the DeviceDefinition, such as

devices/1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Id
The ID of the DeviceDefinition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.

LatestVersionArn
The ARN of the last DeviceDefinitionVersion that was added to the DeviceDefinition,
definition/devices/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/
Name
The name of the device definition.
Examples
Device Definition Snippet
The following snippet defines a device definition resource with an initial version that contains a device.
This example points to a manually generated device certificate.
JSON
"TestDeviceDefinition": {
"Type": "AWS::Greengrass::DeviceDefinition",
"Properties": {
"Name": "DemoTestDeviceDefinition",
"InitialVersion": {
"Devices": [
{
"Id": "TestDevice1",
"ThingArn": {
"Fn::Join": [
":",
[
"arn:aws:iot",
{
},
{
},
"thing/TestDevice1"
]
]
},
"CertificateArn": {
"Fn::Join": [
":",
[
"arn:aws:iot",
{
},

2540
AWS IoT Greengrass
{
},
"cert/4db8b7f58d95b7fdb45c38c28a0b1adf6c5f8c03e902de65734935fea83e751f"
]
]
},
}
]
}
}
}
YAML
TestDeviceDefinition:
Type: 'AWS::Greengrass::DeviceDefinition'
Properties:
Name: DemoTestDeviceDefinition
InitialVersion:
Devices:
- Id: TestDevice1
ThingArn: !Join
- ':'
- - 'arn:aws:iot'
- thing/TestDevice1
CertificateArn: !Join
- ':'
- - 'arn:aws:iot'
- >-
cert/4db8b7f58d95b7fdb45c38c28a0b1adf6c5f8c03e902de65734935fea83e751f
SyncShadow: 'true'
See Also
• CreateDeviceDefinition in the AWS IoT Greengrass API Reference
AWS::Greengrass::DeviceDefinition Device
A device is an AWS IoT device (thing) that's added to a Greengrass group. Greengrass devices can
communicate with the Greengrass core in the same group. For more information, see What Is AWS IoT
Greengrass? in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, the Devices property of the DeviceDefinitionVersion

property type contains a list of Device property types.
Syntax
JSON

2541
AWS IoT Greengrass
"Id" : String,
"ThingArn" : String
}
YAML
Id: String
SyncShadow: Boolean
ThingArn: String
Properties
CertificateArn
The Amazon Resource Name (ARN) of the device certificate for the device. This X.509 certificate is
used to authenticate the device with AWS IoT and AWS IoT Greengrass services.
Required: Yes
Type: String

Id
A descriptive or arbitrary ID for the device. This value must be unique within the device definition
Required: Yes
Type: String

SyncShadow
Indicates whether the device's local shadow is synced with the cloud automatically.
Required: No
Type: Boolean

ThingArn
The ARN of the device, which is an AWS IoT device (thing).
Required: Yes
Type: String
See Also
• Device in the AWS IoT Greengrass API Reference

2542
AWS IoT Greengrass
AWS::Greengrass::DeviceDefinition DeviceDefinitionVersion
A device definition version contains a list of devices.
Note
After you create a device definition version that contains the devices you want to deploy, you
In an AWS CloudFormation template, DeviceDefinitionVersion is the property type of the

InitialVersion property in the AWS::Greengrass::DeviceDefinition resource.
Syntax
JSON
{
"Devices" : [ Device (p. 2541), ... ]
}
YAML
Devices:
- Device (p. 2541)
Properties
Devices
The devices in this version.
Required: Yes
See Also
• DeviceDefinitionVersion in the AWS IoT Greengrass API Reference

AWS::Greengrass::DeviceDefinitionVersion
The AWS::Greengrass::DeviceDefinitionVersion resource represents a device definition version
for AWS IoT Greengrass. A device definition version contains a list of devices.
Note
To create a device definition version, you must specify the ID of the device definition that you
want to associate with the version. For information about creating a device definition, see
AWS::Greengrass::DeviceDefinition.

2543
AWS IoT Greengrass
After you create a device definition version that contains the devices you want to deploy, you
Syntax
JSON
{
"Type" : "AWS::Greengrass::DeviceDefinitionVersion",
"Properties" : {
"DeviceDefinitionId" : String,
"Devices" : [ Device (p. 2546), ... ]
}
}
YAML
Type: AWS::Greengrass::DeviceDefinitionVersion
Properties:
DeviceDefinitionId: String
Devices:
- Device (p. 2546)
Properties
DeviceDefinitionId
The ID of the device definition associated with this version. This value is a GUID.
Required: Yes
Type: String

Devices
The devices in this version.
Required: Yes
Return Values
Ref
returns the Amazon Resource Name (ARN) of the device definition version, such as
devices/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/versions/9876ac30-4bdb-4f9d-95af-
b5fdb66be1a2.

2544
AWS IoT Greengrass
Examples
Device Definition Version Snippet
The following snippet defines device definition and device definition version resources. The device
definition version references the device definition and contains a device. This example points to a
manually generated device certificate.
JSON
"Properties": {
"Name": "DemoTestDeviceDefinition"
}
},
"TestDeviceDefinitionVersion": {
"Type": "AWS::Greengrass::DeviceDefinitionVersion",
"Properties": {
"DeviceDefinitionId": {
"Fn::GetAtt": [
"TestDeviceDefinition",
"Id"
]
},
"Devices": [
{
"CertificateArn": {
"Fn::Join": [
":",
[
"arn:aws:iot",
{
},
{
},
"cert/4db8b7f58d95b7fdb45c38c28a0b1adf6c5f8c03e902de65734935fea83e751f"
]
]
},
"SyncShadow": "true",
"ThingArn": {
"Fn::Join": [
":",
[
"arn:aws:iot",
{
},
{
},
"thing/TestDevice1"
]
]
}
}
]

2545
AWS IoT Greengrass
}
}
YAML
Properties:
TestDeviceDefinitionVersion:
Type: 'AWS::Greengrass::DeviceDefinitionVersion'
Properties:
DeviceDefinitionId: !GetAtt
- TestDeviceDefinition
- Id
Devices:
- Id: TestDevice1
CertificateArn: !Join
- ':'
- - 'arn:aws:iot'
- >-
cert/4db8b7f58d95b7fdb45c38c28a0b1adf6c5f8c03e902de65734935fea83e751f
SyncShadow: 'true'
ThingArn: !Join
- ':'
- - 'arn:aws:iot'
- thing/TestDevice1
See Also
• CreateDeviceDefinitionVersion in the AWS IoT Greengrass API Reference
AWS::Greengrass::DeviceDefinitionVersion Device
A device is an AWS IoT device (thing) that's added to a Greengrass group. Greengrass devices can
communicate with the Greengrass core in the same group. For more information, see What Is AWS IoT
Greengrass? in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, the Devices property of the

AWS::Greengrass::DeviceDefinitionVersion resource contains a list of Device property types.
Syntax
JSON
{
"Id" : String,
"ThingArn" : String
}

2546
AWS IoT Greengrass
YAML
Id: String
SyncShadow: Boolean
ThingArn: String
Properties
CertificateArn
The ARN of the device certificate for the device. This X.509 certificate is used to authenticate the
device with AWS IoT and AWS IoT Greengrass services.
Required: Yes
Type: String

Id
A descriptive or arbitrary ID for the device. This value must be unique within the device definition
Required: Yes
Type: String

SyncShadow
Indicates whether the device's local shadow is synced with the cloud automatically.
Required: No
Type: Boolean

ThingArn
The Amazon Resource Name (ARN) of the device, which is an AWS IoT device (thing).
Required: Yes
Type: String
See Also
• Device in the AWS IoT Greengrass API Reference

AWS::Greengrass::FunctionDefinition
The AWS::Greengrass::FunctionDefinition resource represents a function definition for AWS IoT
Greengrass. Function definitions are used to organize your function definition versions.

2547
AWS IoT Greengrass
Function definitions can reference multiple function definition versions. All function definition versions
must be associated with a function definition. Each function definition version can contain one or more
functions.
Note
When you create a function definition, you can optionally include an initial function
definition version. To associate a function definition version later, create an
AWS::Greengrass::FunctionDefinitionVersion resource and specify the ID of this
function definition.
After you create the function definition version that contains the functions you want to deploy,
Syntax
JSON
{
"Type" : "AWS::Greengrass::FunctionDefinition",
"Properties" : {
"InitialVersion" : FunctionDefinitionVersion (p. 2558),
"Name" : String,
"Tags" : Json
}
}
YAML
Type: AWS::Greengrass::FunctionDefinition
Properties:
InitialVersion:
FunctionDefinitionVersion (p. 2558)
Name: String
Tags: Json
Properties
InitialVersion
The function definition version to include when the function definition is created. A function
definition version contains a list of function property types.
Note
To associate a function definition version after the function definition is created, create an
AWS::Greengrass::FunctionDefinitionVersion resource and specify the ID of this
function definition.
Required: No
Type: FunctionDefinitionVersion (p. 2558)

Name
The name of the function definition.
Required: Yes
Type: String

2548
AWS IoT Greengrass

Tags
Application-specific metadata to attach to the function definition. You can use tags in IAM policies to
Developer Guide.
"Tags": {
"KeyName2": "value"
}
Required: No
Type: Json
Return Values
Ref
function definition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the FunctionDefinition, such as

functions/1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Id
The ID of the FunctionDefinition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.

LatestVersionArn
The ARN of the last FunctionDefinitionVersion that was added to the

FunctionDefinition, such as arn:aws:greengrass:us-east-1:123456789012:/
greengrass/definition/functions/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/
Name
The name of the FunctionDefinition, such as MyFunctionDefinition.

2549
AWS IoT Greengrass
Examples
Function Definition Snippet
The following snippet defines a function definition resource with an initial version that contains a
function. In this example, the Lambda function is created in another stack and is referenced using the
ImportValue function.
JSON
"TestFunctionDefinition": {
"Type": "AWS::Greengrass::FunctionDefinition",
"Properties": {
"Name": "DemoTestFunctionDefinition",
"InitialVersion": {
"DefaultConfig": {
"Execution": {
"IsolationMode": "GreengrassContainer"
}
},
"Functions": [
{
"Id": "TestLambda1",
"FunctionArn": {
"Fn::ImportValue": "TestCanaryLambdaVersionArn"
},
"Pinned": "false",
"Executable": "run.exe",
"ExecArgs": "argument1",
"MemorySize": "256",
"Timeout": "3000",
"EncodingType": "binary",
"Environment": {
"Variables": {
"variable1": "value1"
},
"ResourceAccessPolicies": [
{
"ResourceId": "ResourceId1",
"Permission": "ro"
},
{
"Permission": "rw"
}
],
"AccessSysfs": "true",
"Execution": {
"RunAs": {
"Uid": "1",
"Gid": "10"
}
}
}
}
}
]
}
}
}

2550
AWS IoT Greengrass
YAML
TestFunctionDefinition:
Type: 'AWS::Greengrass::FunctionDefinition'
Properties:
Name: DemoTestFunctionDefinition
InitialVersion:
DefaultConfig:
Execution:
IsolationMode: GreengrassContainer
Functions:
- Id: TestLambda1
FunctionArn: !ImportValue TestCanaryLambdaVersionArn
Pinned: 'false'
Executable: run.exe
ExecArgs: argument1
MemorySize: '256'
Timeout: '3000'
EncodingType: binary
Environment:
Variables:
variable1: value1
ResourceAccessPolicies:
- ResourceId: ResourceId1
Permission: ro
Permission: rw
AccessSysfs: 'true'
Execution:
RunAs:
Uid: '1'
Gid: '10'
See Also
• CreateFunctionDefinition in the AWS IoT Greengrass API Reference
AWS::Greengrass::FunctionDefinition DefaultConfig
The default configuration that applies to all Lambda functions in the function definition version.
Individual Lambda functions can override these settings.
In an AWS CloudFormation template, DefaultConfig is a property of the

FunctionDefinitionVersion property type.
Syntax
JSON
{
"Execution" : Execution (p. 2553)
}
YAML
Execution:

2551
AWS IoT Greengrass
Execution (p. 2553)
Properties
Execution
Configuration settings for the Lambda execution environment on the AWS IoT Greengrass core.
Required: Yes
Type: Execution (p. 2553)
See Also
• FunctionDefaultConfig in the AWS IoT Greengrass API Reference

AWS::Greengrass::FunctionDefinition Environment
The environment configuration for a Lambda function on the AWS IoT Greengrass core.
In an AWS CloudFormation template, Environment is a property of the FunctionConfiguration

property type.
Syntax
JSON
{
"AccessSysfs" : Boolean,
"Execution" : Execution (p. 2553),
"ResourceAccessPolicies" : [ ResourceAccessPolicy (p. 2559), ... ],
"Variables" : Json
}
YAML
AccessSysfs: Boolean
Execution:
Execution (p. 2553)
- ResourceAccessPolicy (p. 2559)
Variables: Json
Properties
AccessSysfs
Indicates whether the function is allowed to access the /sys directory on the core device, which
allows the read device information from /sys.
Note
This property applies only to Lambda functions that run in a Greengrass container.

2552
AWS IoT Greengrass
Required: No
Type: Boolean

Execution
Settings for the Lambda execution environment in AWS IoT Greengrass.
Required: No

ResourceAccessPolicies
A list of the resources in the group that the function can access, with the corresponding read-only or
read-write permissions. The maximum is 10 resources.
Note
This property applies only for Lambda functions that run in a Greengrass container.
Required: No
Type: List of ResourceAccessPolicy (p. 2559)

Variables
Environment variables for the Lambda function.
Required: No
Type: Json
See Also
• FunctionConfigurationEnvironment in the AWS IoT Greengrass API Reference

AWS::Greengrass::FunctionDefinition Execution
In an AWS CloudFormation template, Execution is a property of the DefaultConfig property type

for a function definition version and the Environment property type for a function.
Syntax
JSON
{
"IsolationMode" : String,

2553
AWS IoT Greengrass
"RunAs" : RunAs (p. 2559)

}
YAML
IsolationMode: String
RunAs:
RunAs (p. 2559)
Properties
IsolationMode
The containerization that the Lambda function runs in. Valid values are GreengrassContainer
or NoContainer. Typically, this is GreengrassContainer. For more information, see
Containerization in the AWS IoT Greengrass Developer Guide.
• When set on the DefaultConfig property of a function definition version, this setting is used as
the default containerization for all Lambda functions in the function definition version.
• When set on the Environment property of a function, this setting applies to the individual
function and overrides the default. Omit this value to run the function with the default
containerization.
Note
We recommend that you run in a Greengrass container unless your business case requires
that you run without containerization.
Required: No
Type: String

RunAs
The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and
ggc_group. For more information, see Run as in the AWS IoT Greengrass Developer Guide.
the default access identity for all Lambda functions in the function definition version.
function and overrides the default. You can override the user, group, or both. Omit this value to
run the function with the default permissions.
Important
Running as the root user increases risks to your data and device. Do not run as root (UID/
GID=0) unless your business case requires it. For more information and requirements, see
Running a Lambda Function as Root.
Required: No
Type: RunAs (p. 2559)
See Also
• FunctionExecutionConfig in the AWS IoT Greengrass API Reference


2554
AWS IoT Greengrass
AWS::Greengrass::FunctionDefinition Function
A function is a Lambda function that's referenced from an AWS IoT Greengrass group. The function is
deployed to a Greengrass core where it runs locally. For more information, see Run Lambda Functions on
the AWS IoT Greengrass Core in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, the Functions property of the FunctionDefinitionVersion

property type contains a list of Function property types.
Syntax
JSON
{
"FunctionArn" : String,
"FunctionConfiguration" : FunctionConfiguration (p. 2556),
"Id" : String
}
YAML
FunctionArn: String
FunctionConfiguration (p. 2556)
Id: String
Properties
FunctionArn
The Amazon Resource Name (ARN) of the alias (recommended) or version of the referenced Lambda
function.
Required: Yes
Type: String

FunctionConfiguration
The group-specific settings of the Lambda function. These settings configure the function's behavior
in the Greengrass group.
Required: Yes
Type: FunctionConfiguration (p. 2556)

Id
A descriptive or arbitrary ID for the function. This value must be unique within the function
Required: Yes
Type: String

2555
AWS IoT Greengrass
See Also
• Function in the AWS IoT Greengrass API Reference

AWS::Greengrass::FunctionDefinition FunctionConfiguration
The group-specific configuration settings for a Lambda function. These settings configure the function's
behavior in the Greengrass group. For more information, see Controlling Execution of Greengrass
Lambda Functions by Using Group-Specific Configuration in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, FunctionConfiguration is a property of the Function

property type.
Syntax
JSON
{
"EncodingType" : String,
"ExecArgs" : String,
"Executable" : String,
"MemorySize" : Integer,
"Pinned" : Boolean,
"Timeout" : Integer
}
YAML
EncodingType: String
Environment:
ExecArgs: String
Executable: String
MemorySize: Integer
Pinned: Boolean
Timeout: Integer
Properties
EncodingType
The expected encoding type of the input payload for the function. Valid values are json (default)
and binary.
Required: No
Type: String

Environment
The environment configuration of the function.

2556
AWS IoT Greengrass
Required: No

ExecArgs
The execution arguments.
Required: No
Type: String

Executable
The name of the function executable.
Required: No
Type: String

MemorySize
The memory size (in KB) required by the function.

Note
Required: No
Type: Integer

Pinned
Indicates whether the function is pinned (or long-lived). Pinned functions start when the core starts
and process all requests in the same container. The default value is false.
Required: No
Type: Boolean

Timeout
The allowed execution time (in seconds) after which the function should terminate. For pinned
functions, this timeout applies for each request.
Required: No
Type: Integer
See Also
• FunctionConfiguration in the AWS IoT Greengrass API Reference

2557
AWS IoT Greengrass
AWS::Greengrass::FunctionDefinition FunctionDefinitionVersion
A function definition version contains a list of functions.
Note
After you create a function definition version that contains the functions you want to deploy,
In an AWS CloudFormation template, FunctionDefinitionVersion is the property type of the

InitialVersion property in the AWS::Greengrass::FunctionDefinition resource.
Syntax
JSON
{
"DefaultConfig" : DefaultConfig (p. 2551),
"Functions" : [ Function (p. 2555), ... ]
}
YAML
DefaultConfig:
DefaultConfig (p. 2551)
Functions:
- Function (p. 2555)
Properties
DefaultConfig
The default configuration that applies to all Lambda functions in the group. Individual Lambda
functions can override these settings.
Required: No
Type: DefaultConfig (p. 2551)

Functions
The functions in this version.
Required: Yes
Type: List of Function (p. 2555)
See Also
• FunctionDefinitionVersion in the AWS IoT Greengrass API Reference


2558
AWS IoT Greengrass
AWS::Greengrass::FunctionDefinition ResourceAccessPolicy
Note
In an AWS CloudFormation template, ResourceAccessPolicy is a property of the Environment

property type.
Syntax
JSON
{
"Permission" : String,
"ResourceId" : String
}
YAML
Permission: String
ResourceId: String
Properties
Permission
The read-only or read-write access that the Lambda function has to the resource. Valid values are ro
or rw.
Required: No
Type: String

ResourceId
The ID of the resource. This ID is assigned to the resource when you create the resource definition.
Required: Yes
Type: String
See Also
• ResourceAccessPolicy in the AWS IoT Greengrass API Reference

AWS::Greengrass::FunctionDefinition RunAs
The access identity whose permissions are used to run the Lambda function. This setting overrides the
default access identity that's specified for the group (by default, ggc_user and ggc_group). You can

2559
AWS IoT Greengrass
override the user, group, or both. For more information, see Run as in the AWS IoT Greengrass Developer
Guide.
Important
Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0)
unless your business case requires it. For more information and requirements, see Running a
Lambda Function as Root.
In an AWS CloudFormation template, RunAs is a property of the Execution property type.
Syntax
JSON
{
"Gid" : Integer,
"Uid" : Integer
}
YAML
Gid: Integer
Uid: Integer
Properties
Gid
The group ID whose permissions are used to run the Lambda function. You can use the getent group
command on your core device to look up the group ID.
Required: No
Type: Integer

Uid
The user ID whose permissions are used to run the Lambda function. You can use the getent passwd
command on your core device to look up the user ID.
Required: No
Type: Integer
See Also
• FunctionRunAsConfig in the AWS IoT Greengrass API Reference

AWS::Greengrass::FunctionDefinitionVersion
The AWS::Greengrass::FunctionDefinitionVersion resource represents a function definition
version for AWS IoT Greengrass. A function definition version contains contain a list of functions.

2560
AWS IoT Greengrass
Note
To create a function definition version, you must specify the ID of the function definition that
you want to associate with the version. For information about creating a function definition, see
AWS::Greengrass::FunctionDefinition.
After you create a function definition version that contains the functions you want to deploy,
Syntax
JSON
{
"Type" : "AWS::Greengrass::FunctionDefinitionVersion",
"Properties" : {
"DefaultConfig" : DefaultConfig (p. 2564),
"FunctionDefinitionId" : String,
"Functions" : [ Function (p. 2567), ... ]
}
}
YAML
Type: AWS::Greengrass::FunctionDefinitionVersion
Properties:
DefaultConfig:
DefaultConfig (p. 2564)
FunctionDefinitionId: String
Functions:
- Function (p. 2567)
Properties
DefaultConfig
The default configuration that applies to all Lambda functions in the group. Individual Lambda
functions can override these settings.
Required: No
Type: DefaultConfig (p. 2564)

FunctionDefinitionId
The ID of the function definition associated with this version. This value is a GUID.
Required: Yes
Type: String

Functions
The functions in this version.
Required: Yes
Type: List of Function (p. 2567)

2561
AWS IoT Greengrass
Return Values
Ref
returns the Amazon Resource Name (ARN) of the function definition version,
definition/functions/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/
Examples
Function Definition Version Snippet
The following snippet defines function definition and function definition version resources. The function
definition version references the function definition and contains a function. In this example, the Lambda
function is created in another stack and is referenced using the ImportValue function.
JSON
"Properties": {
"Name": "DemoTestFunctionDefinition"
}
},
"TestFunctionDefinitionVersion": {
"Type": "AWS::Greengrass::FunctionDefinitionVersion",
"Properties": {
"FunctionDefinitionId": {
"Fn::GetAtt": [
"TestFunctionDefinition",
"Id"
]
},
"DefaultConfig": {
"Execution": {
}
},
"Functions": [
{
"FunctionArn": {
},
"Pinned": "true",
"Timeout": "2000",
"Environment": {
"Variables": {

2562
AWS IoT Greengrass
},
{
"Permission": "ro"
},
{
"Permission": "rw"
}
],
"AccessSysfs": "false",
"Execution": {
"RunAs": {
"Uid": "1",
"Gid": "10"
}
}
}
}
}
]
}
}
YAML
Properties:
TestFunctionDefinitionVersion:
Type: 'AWS::Greengrass::FunctionDefinitionVersion'
Properties:
FunctionDefinitionId: !GetAtt
- TestFunctionDefinition
- Id
DefaultConfig:
Execution:
Functions:
- Id: TestLambda1
FunctionArn: !ImportValue TestCanaryLambdaVersionArn
Pinned: 'true'
Executable: run.exe
ExecArgs: argument1
MemorySize: '512'
Timeout: '2000'
Environment:
Variables:
variable1: value1
Permission: ro
Permission: rw
AccessSysfs: 'false'
Execution:
RunAs:
Uid: '1'
Gid: '10'

2563
AWS IoT Greengrass
See Also
• CreateFunctionDefinitionVersion in the AWS IoT Greengrass API Reference
AWS::Greengrass::FunctionDefinitionVersion DefaultConfig
The default configuration that applies to all Lambda functions in the function definition version.
Individual Lambda functions can override these settings.
In an AWS CloudFormation template, DefaultConfig is a property of the

AWS::Greengrass::FunctionDefinitionVersion resource.
Syntax
JSON
{
"Execution" : Execution (p. 2566)
}
YAML
Execution:
Execution (p. 2566)
Properties
Execution
Required: Yes
See Also
• FunctionDefaultConfig in the AWS IoT Greengrass API Reference

AWS::Greengrass::FunctionDefinitionVersion Environment
The environment configuration for a Lambda function on the AWS IoT Greengrass core.
In an AWS CloudFormation template, Environment is a property of the FunctionConfiguration

property type.
Syntax

2564
AWS IoT Greengrass
JSON
{
"AccessSysfs" : Boolean,
"Execution" : Execution (p. 2566),
"ResourceAccessPolicies" : [ ResourceAccessPolicy (p. 2570), ... ],
"Variables" : Json
}
YAML
AccessSysfs: Boolean
Execution:
Execution (p. 2566)
- ResourceAccessPolicy (p. 2570)
Variables: Json
Properties
AccessSysfs
Indicates whether the function is allowed to access the /sys directory on the core device, which
allows the read device information from /sys.
Note
Required: No
Type: Boolean

Execution
Settings for the Lambda execution environment in AWS IoT Greengrass.
Required: No

ResourceAccessPolicies
Note
Required: No
Type: List of ResourceAccessPolicy (p. 2570)

Variables
Environment variables for the Lambda function.

2565
AWS IoT Greengrass
Required: No
Type: Json
See Also
• FunctionConfigurationEnvironment in the AWS IoT Greengrass API Reference

AWS::Greengrass::FunctionDefinitionVersion Execution
In an AWS CloudFormation template, Execution is a property of the DefaultConfig property type

for a function definition version and the Environment property type for a function.
Syntax
JSON
{
"IsolationMode" : String,
"RunAs" : RunAs (p. 2571)
}
YAML
IsolationMode: String
RunAs:
RunAs (p. 2571)
Properties
IsolationMode
The containerization that the Lambda function runs in. Valid values are GreengrassContainer
or NoContainer. Typically, this is GreengrassContainer. For more information, see
Containerization in the AWS IoT Greengrass Developer Guide.
the default containerization for all Lambda functions in the function definition version.
function and overrides the default. Omit this value to run the function with the default
containerization.
Note
We recommend that you run in a Greengrass container unless your business case requires
that you run without containerization.
Required: No
Type: String

2566
AWS IoT Greengrass

RunAs
The user and group permissions used to run the Lambda function. Typically, this is the ggc_user and
ggc_group. For more information, see Run as in the AWS IoT Greengrass Developer Guide.
the default access identity for all Lambda functions in the function definition version.
function and overrides the default. You can override the user, group, or both. Omit this value to
run the function with the default permissions.
Important
Running as the root user increases risks to your data and device. Do not run as root (UID/
GID=0) unless your business case requires it. For more information and requirements, see
Running a Lambda Function as Root.
Required: No
Type: RunAs (p. 2571)
See Also
• FunctionExecutionConfig in the AWS IoT Greengrass API Reference

AWS::Greengrass::FunctionDefinitionVersion Function
A function is a Lambda function that's referenced from an AWS IoT Greengrass group. The function is
deployed to a Greengrass core where it runs locally. For more information, see Run Lambda Functions on
the AWS IoT Greengrass Core in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, the Functions property of the

AWS::Greengrass::FunctionDefinitionVersion resource contains a list of Function property
types.
Syntax
JSON
{
"FunctionArn" : String,
"FunctionConfiguration" : FunctionConfiguration (p. 2568),
"Id" : String
}
YAML
FunctionArn: String
FunctionConfiguration (p. 2568)
Id: String

2567
AWS IoT Greengrass
Properties
FunctionArn
The Amazon Resource Name (ARN) of the alias (recommended) or version of the referenced Lambda
function.
Required: Yes
Type: String

FunctionConfiguration
The group-specific settings of the Lambda function. These settings configure the function's behavior
in the Greengrass group.
Required: Yes
Type: FunctionConfiguration (p. 2568)

Id
A descriptive or arbitrary ID for the function. This value must be unique within the function
Required: Yes
Type: String
See Also
• Function in the AWS IoT Greengrass API Reference

AWS::Greengrass::FunctionDefinitionVersion FunctionConfiguration
The group-specific configuration settings for a Lambda function. These settings configure the function's
behavior in the Greengrass group. For more information, see Controlling Execution of Greengrass
Lambda Functions by Using Group-Specific Configuration in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, FunctionConfiguration is a property of the Function

property type.
Syntax
JSON
{
"EncodingType" : String,
"ExecArgs" : String,
"Executable" : String,
"MemorySize" : Integer,

2568
AWS IoT Greengrass
"Pinned" : Boolean,
"Timeout" : Integer
}
YAML
EncodingType: String
Environment:
ExecArgs: String
Executable: String
MemorySize: Integer
Pinned: Boolean
Timeout: Integer
Properties
EncodingType
The expected encoding type of the input payload for the function. Valid values are json (default)
and binary.
Required: No
Type: String

Environment
The environment configuration of the function.
Required: No

ExecArgs
The execution arguments.
Required: No
Type: String

Executable
The name of the function executable.
Required: No
Type: String

MemorySize
The memory size (in KB) required by the function.

Note

2569
AWS IoT Greengrass
Required: No
Type: Integer

Pinned
Indicates whether the function is pinned (or long-lived). Pinned functions start when the core starts
and process all requests in the same container. The default value is false.
Required: No
Type: Boolean

Timeout
The allowed execution time (in seconds) after which the function should terminate. For pinned
functions, this timeout applies for each request.
Required: No
Type: Integer
See Also
• FunctionConfiguration in the AWS IoT Greengrass API Reference

AWS::Greengrass::FunctionDefinitionVersion ResourceAccessPolicy
Note
In an AWS CloudFormation template, ResourceAccessPolicy is a property of the Environment

property type.
Syntax
JSON
{
"Permission" : String,
"ResourceId" : String
}
YAML
Permission: String

2570
AWS IoT Greengrass
ResourceId: String
Properties
Permission
The read-only or read-write access that the Lambda function has to the resource. Valid values are ro
or rw.
Required: No
Type: String

ResourceId
The ID of the resource. This ID is assigned to the resource when you create the resource definition.
Required: Yes
Type: String
See Also
• ResourceAccessPolicy in the AWS IoT Greengrass API Reference

AWS::Greengrass::FunctionDefinitionVersion RunAs
The user and group permissions used to run the Lambda function. This setting overrides the default
access identity that's specified for the group (by default, ggc_user and ggc_group). You can override the
user, group, or both. For more information, see Run as in the AWS IoT Greengrass Developer Guide.
Important
Running as the root user increases risks to your data and device. Do not run as root (UID/GID=0)
unless your business case requires it. For more information and requirements, see Running a
Lambda Function as Root.
In an AWS CloudFormation template, RunAs is a property of the Execution property type.
Syntax
JSON
{
"Gid" : Integer,
"Uid" : Integer
}
YAML
Gid: Integer

2571
AWS IoT Greengrass
Uid: Integer
Properties
Gid
The group ID whose permissions are used to run the Lambda function. You can use the getent group
command on your core device to look up the group ID.
Required: No
Type: Integer

Uid
The user ID whose permissions are used to run the Lambda function. You can use the getent passwd
command on your core device to look up the user ID.
Required: No
Type: Integer
See Also
• FunctionRunAsConfig in the AWS IoT Greengrass API Reference

AWS::Greengrass::Group
AWS IoT Greengrass seamlessly extends AWS to edge devices so they can act locally on the data they
generate, while still using the cloud for management, analytics, and durable storage. With AWS IoT
Greengrass, connected devices can run AWS Lambda functions, execute predictions based on machine
learning models, keep device data in sync, and communicate with other devices securely – even when not
connected to the internet. For more information, see the AWS IoT Greengrass Developer Guide.
Note
For AWS Region support, see AWS CloudFormation Support for AWS IoT Greengrass in the AWS
IoT Greengrass Developer Guide.
The AWS::Greengrass::Group resource represents a group in AWS IoT Greengrass. In the AWS IoT
Greengrass API, groups are used to organize your group versions.
Groups can reference multiple group versions. All group versions must be associated with a group. A
group version references a device definition version, subscription definition version, and other version
types that contain the components you want to deploy to a Greengrass core device.
To deploy a group version, the group version must reference a core definition version that contains one
core. Other version types are optionally included, depending on your business need.
Note
When you create a group, you can optionally include an initial group version. To associate a
group version later, create a AWS::Greengrass::GroupVersion resource and specify the ID
of this group.
To change group components (such as devices, subscriptions, or functions), you must create new
versions. This is because versions are immutable. For example, to add a function, you create a

2572
AWS IoT Greengrass
function definition version that contains the new function (and all other functions that you want
to deploy). Then you create a group version that references the new function definition version
(and all other version types that you want to deploy).
Deploying a Group Version
After you create the group version in your AWS CloudFormation template, you can deploy it using the
aws greengrass create-deployment command in the AWS CLI or from the Greengrass node in the AWS
IoT console. To deploy a group version, you must have a Greengrass service role associated with your
AWS account. For more information, see AWS CloudFormation Support for AWS IoT Greengrass in the
AWS IoT Greengrass Developer Guide.
Syntax
JSON
{
"Type" : "AWS::Greengrass::Group",
"Properties" : {
"InitialVersion" : GroupVersion (p. 2583),
"Name" : String,
"RoleArn" : String,
"Tags" : Json
}
}
YAML
Type: AWS::Greengrass::Group
Properties:
InitialVersion:
GroupVersion (p. 2583)
Name: String
RoleArn: String
Tags: Json
Properties
InitialVersion
The group version to include when the group is created. A group version references the Amazon
Resource Name (ARN) of a core definition version, device definition version, subscription definition
version, and other version types. The group version must reference a core definition version that
contains one core. Other version types are optionally included, depending on your business need.
Note
To associate a group version after the group is created, create an
AWS::Greengrass::GroupVersion resource and specify the ID of this group.
Required: No
Type: GroupVersion (p. 2583)

Name
The name of the group.

2573
AWS IoT Greengrass
Required: Yes
Type: String

RoleArn
The Amazon Resource Name (ARN) of the IAM role attached to the group. This role contains the
permissions that Lambda functions and connectors use to interact with other AWS services.
Required: No
Type: String

Tags
Application-specific metadata to attach to the group. You can use tags in IAM policies to control
access to AWS IoT Greengrass resources. You can also use tags to categorize your resources. For more
information, see Tagging Your AWS IoT Greengrass Resources in the AWS IoT Greengrass Developer
Guide.
"Tags": {
"KeyName2": "value"
}
Required: No
Type: Json
Return Values
Ref
group, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Fn::GetAtt
Arn
The ARN of the Group, such as arn:aws:greengrass:us-east-1:123456789012:/

greengrass/definition/groups/1234a5b6-78cd-901e-2fgh-3i45j6k178l9.

2574
AWS IoT Greengrass
Id
The ID of the Group, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.

LatestVersionArn
The ARN of the last GroupVersion that was added to the Group, such as
arn:aws:greengrass:us-east-1:123456789012:/greengrass/
definition/groups/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/
Name
The name of the Group, such as MyGroup.

RoleArn
The ARN of the IAM role that's attached to the Group, such as
arn:aws:iam::123456789012:role/role-name.
RoleAttachedAt
The time (in milliseconds since the epoch) when the group role was attached to the Group.
Examples
Create a Group
The following template defines a core, device, function, logger, subscription, and two resources, and then
references them from the group version.
The template includes parameters that let you specify the certificate ARNs for the core and device and
the ARN of the source Lambda function (which is an AWS Lambda resource). It uses the Ref and GetAtt
intrinsic functions to reference IDs, ARNs, and other attributes that are required to create Greengrass
resources.
Note
After you create the group version in your AWS CloudFormation template, you can deploy it
using the aws greengrass create-deployment command in the AWS CLI or from the group
configuration page in the AWS IoT console. To deploy a group version, you must have a
Greengrass service role associated with your AWS account. For more information, see AWS
CloudFormation Support for AWS IoT Greengrass in the AWS IoT Greengrass Developer Guide.
JSON
{
"Description": "AWS IoT Greengrass example template that creates a group version with a
core, device, function, logger, subscription, and resources.",
"Parameters": {
"Type": "String"
},
"DeviceCertificateArn": {
"Type": "String"
},
"LambdaVersionArn": {
"Type": "String"
}
},
"Resources": {
"TestCore1": {
"Properties": {

2575
AWS IoT Greengrass
"ThingName": "TestCore1"
}
},
"TestCoreDefinition": {
"Properties": {
"Name": "DemoTestCoreDefinition"
}
},
"TestCoreDefinitionVersion": {
"Type": "AWS::Greengrass::CoreDefinitionVersion",
"Properties": {
"Ref": "TestCoreDefinition"
},
"Cores": [
{
"Id": "TestCore1",
"CertificateArn": {
},
"SyncShadow": "false",
"ThingArn": {
"Fn::Join": [
":",
[
"arn:aws:iot",
{
},
{
},
"thing/TestCore1"
]
]
}
}
]
}
},
"TestDevice1": {
"Properties": {
"ThingName": "TestDevice1"
}
},
"Properties": {
"Name": "DemoTestDeviceDefinition"
}
},
"TestDeviceDefinitionVersion": {
"Type": "AWS::Greengrass::DeviceDefinitionVersion",
"Properties": {
"DeviceDefinitionId": {
"Fn::GetAtt": [
"TestDeviceDefinition",
"Id"
]
},
"Devices": [
{
"CertificateArn": {

2576
AWS IoT Greengrass
"Ref": "DeviceCertificateArn"
},
"SyncShadow": "true",
"ThingArn": {
"Fn::Join": [
":",
[
"arn:aws:iot",
{
},
{
},
"thing/TestDevice1"
]
]
}
}
]
}
},
"Properties": {
"Name": "DemoTestFunctionDefinition"
}
},
"TestFunctionDefinitionVersion": {
"Type": "AWS::Greengrass::FunctionDefinitionVersion",
"Properties": {
"FunctionDefinitionId": {
"Fn::GetAtt": [
"TestFunctionDefinition",
"Id"
]
},
"DefaultConfig": {
"Execution": {
}
},
"Functions": [
{
"FunctionArn": {
"Ref": "LambdaVersionArn"
},
"Pinned": "true",
"Timeout": "2000",
"Environment": {
"Variables": {
},
{
"Permission": "ro"
},
{

2577
AWS IoT Greengrass
"Permission": "rw"
}
],
"AccessSysfs": "false",
"Execution": {
"IsolationMode": "GreengrassContainer",
"RunAs": {
"Uid": "1",
"Gid": "10"
}
}
}
}
}
]
}
},
"TestLoggerDefinition": {
"Type": "AWS::Greengrass::LoggerDefinition",
"Properties": {
"Name": "DemoTestLoggerDefinition"
}
},
"TestLoggerDefinitionVersion": {
"Type": "AWS::Greengrass::LoggerDefinitionVersion",
"Properties": {
"LoggerDefinitionId": {
"Ref": "TestLoggerDefinition"
},
"Loggers": [
{
"Id": "TestLogger1",
"Type": "AWSCloudWatch",
"Component": "GreengrassSystem",
"Level": "INFO"
}
]
}
},
"TestResourceDefinition": {
"Type": "AWS::Greengrass::ResourceDefinition",
"Properties": {
"Name": "DemoTestResourceDefinition"
}
},
"TestResourceDefinitionVersion": {
"Type": "AWS::Greengrass::ResourceDefinitionVersion",
"Properties": {
"ResourceDefinitionId": {
"Ref": "TestResourceDefinition"
},
"Resources": [
{
"Id": "ResourceId1",
"Name": "LocalDeviceResource",
"ResourceDataContainer": {
"LocalDeviceResourceData": {
"SourcePath": "/dev/TestSourcePath1",
"GroupOwnerSetting": {
"AutoAddGroupOwner": "false",
"GroupOwner": "TestOwner"
}
}
}
},
{

2578
AWS IoT Greengrass
"Name": "LocalVolumeResourceData",
"LocalVolumeResourceData": {
"DestinationPath": "/volumes/TestDestinationPath2",
}
}
}
}
]
}
},
"TestSubscriptionDefinition": {
"Type": "AWS::Greengrass::SubscriptionDefinition",
"Properties": {
"Name": "DemoTestSubscriptionDefinition"
}
},
"TestSubscriptionDefinitionVersion": {
"Type": "AWS::Greengrass::SubscriptionDefinitionVersion",
"Properties": {
"SubscriptionDefinitionId": {
"Ref": "TestSubscriptionDefinition"
},
"Subscriptions": [
{
"Id": "TestSubscription1",
"Source": {
"Fn::Join": [
":",
[
"arn:aws:iot",
{
},
{
},
"thing/TestDevice1"
]
]
},
"Subject": "TestSubjectUpdated",
"Target": {
"Ref": "LambdaVersionArn"
}
}
]
}
},
"TestGroup": {
"Type": "AWS::Greengrass::Group",
"Properties": {
"Name": "DemoTestGroupNewName",
"RoleArn": {
"Fn::Join": [
":",
[
"arn:aws:iam:",
{
},

2579
AWS IoT Greengrass
"role/TestUser"
]
]
},
"InitialVersion": {
"CoreDefinitionVersionArn": {
"Ref": "TestCoreDefinitionVersion"
},
"DeviceDefinitionVersionArn": {
"Ref": "TestDeviceDefinitionVersion"
},
"FunctionDefinitionVersionArn": {
"Ref": "TestFunctionDefinitionVersion"
},
"SubscriptionDefinitionVersionArn": {
"Ref": "TestSubscriptionDefinitionVersion"
},
"LoggerDefinitionVersionArn": {
"Ref": "TestLoggerDefinitionVersion"
},
"ResourceDefinitionVersionArn": {
"Ref": "TestResourceDefinitionVersion"
}
}
}
}
}
}
YAML
Description: >-
AWS IoT Greengrass example template that creates a group version with a core,
device, function, logger, subscription, and resources.
Parameters:
CoreCertificateArn:
Type: String
DeviceCertificateArn:
Type: String
LambdaVersionArn:
Type: String
Resources:
TestCore1:
Type: 'AWS::IoT::Thing'
Properties:
ThingName: TestCore1
TestCoreDefinition:
Properties:
Name: DemoTestCoreDefinition
TestCoreDefinitionVersion:
Type: 'AWS::Greengrass::CoreDefinitionVersion'
Properties:
CoreDefinitionId: !Ref TestCoreDefinition
Cores:
- Id: TestCore1
SyncShadow: 'false'
ThingArn: !Join
- ':'
- - 'arn:aws:iot'
- thing/TestCore1

2580
AWS IoT Greengrass
TestDevice1:
Type: 'AWS::IoT::Thing'
Properties:
ThingName: TestDevice1
Properties:
TestDeviceDefinitionVersion:
Type: 'AWS::Greengrass::DeviceDefinitionVersion'
Properties:
DeviceDefinitionId: !GetAtt
- TestDeviceDefinition
- Id
Devices:
- Id: TestDevice1
CertificateArn: !Ref DeviceCertificateArn
SyncShadow: 'true'
ThingArn: !Join
- ':'
- - 'arn:aws:iot'
- thing/TestDevice1
Properties:
TestFunctionDefinitionVersion:
Type: 'AWS::Greengrass::FunctionDefinitionVersion'
Properties:
FunctionDefinitionId: !GetAtt
- TestFunctionDefinition
- Id
DefaultConfig:
Execution:
Functions:
- Id: TestLambda1
FunctionArn: !Ref LambdaVersionArn
Pinned: 'true'
Executable: run.exe
ExecArgs: argument1
MemorySize: '512'
Timeout: '2000'
Environment:
Variables:
variable1: value1
Permission: ro
Permission: rw
AccessSysfs: 'false'
Execution:
RunAs:
Uid: '1'
Gid: '10'
TestLoggerDefinition:
Type: 'AWS::Greengrass::LoggerDefinition'
Properties:
Name: DemoTestLoggerDefinition
TestLoggerDefinitionVersion:

2581
AWS IoT Greengrass
Type: 'AWS::Greengrass::LoggerDefinitionVersion'
Properties:
LoggerDefinitionId: !Ref TestLoggerDefinition
Loggers:
- Id: TestLogger1
Type: AWSCloudWatch
Component: GreengrassSystem
Level: INFO
TestResourceDefinition:
Type: 'AWS::Greengrass::ResourceDefinition'
Properties:
Name: DemoTestResourceDefinition
TestResourceDefinitionVersion:
Type: 'AWS::Greengrass::ResourceDefinitionVersion'
Properties:
ResourceDefinitionId: !Ref TestResourceDefinition
Resources:
- Id: ResourceId1
Name: LocalDeviceResource
ResourceDataContainer:
LocalDeviceResourceData:
SourcePath: /dev/TestSourcePath1
GroupOwnerSetting:
AutoAddGroupOwner: 'false'
GroupOwner: TestOwner
- Id: ResourceId2
Name: LocalVolumeResourceData
LocalVolumeResourceData:
DestinationPath: /volumes/TestDestinationPath2
GroupOwnerSetting:
TestSubscriptionDefinition:
Type: 'AWS::Greengrass::SubscriptionDefinition'
Properties:
Name: DemoTestSubscriptionDefinition
TestSubscriptionDefinitionVersion:
Type: 'AWS::Greengrass::SubscriptionDefinitionVersion'
Properties:
SubscriptionDefinitionId: !Ref TestSubscriptionDefinition
Subscriptions:
- Id: TestSubscription1
Source: !Join
- ':'
- - 'arn:aws:iot'
- thing/TestDevice1
Subject: TestSubjectUpdated
Target: !Ref LambdaVersionArn
TestGroup:
Type: 'AWS::Greengrass::Group'
Properties:
Name: DemoTestGroupNewName
RoleArn: !Join
- ':'
- - 'arn:aws:iam:'
- role/TestUser
InitialVersion:
CoreDefinitionVersionArn: !Ref TestCoreDefinitionVersion
DeviceDefinitionVersionArn: !Ref TestDeviceDefinitionVersion
FunctionDefinitionVersionArn: !Ref TestFunctionDefinitionVersion
SubscriptionDefinitionVersionArn: !Ref TestSubscriptionDefinitionVersion

2582
AWS IoT Greengrass
LoggerDefinitionVersionArn: !Ref TestLoggerDefinitionVersion

ResourceDefinitionVersionArn: !Ref TestResourceDefinitionVersion
See Also
• CreateGroup in the AWS IoT Greengrass API Reference
AWS::Greengrass::Group GroupVersion
A group version in AWS IoT Greengrass, which references of a core definition version, device definition
version, subscription definition version, and other version types that contain the components you want
to deploy to a Greengrass core device. The group version must reference a core definition version that
contains one core. Other version types are optionally included, depending on your business need.
In an AWS CloudFormation template, GroupVersion is the property type of the InitialVersion

property in the AWS::Greengrass::Group resource.
Syntax
JSON
{
"ConnectorDefinitionVersionArn" : String,
"CoreDefinitionVersionArn" : String,
"DeviceDefinitionVersionArn" : String,
"FunctionDefinitionVersionArn" : String,
"LoggerDefinitionVersionArn" : String,
"ResourceDefinitionVersionArn" : String,
"SubscriptionDefinitionVersionArn" : String
}
YAML
ConnectorDefinitionVersionArn: String
CoreDefinitionVersionArn: String
DeviceDefinitionVersionArn: String
FunctionDefinitionVersionArn: String
LoggerDefinitionVersionArn: String
ResourceDefinitionVersionArn: String
SubscriptionDefinitionVersionArn: String
Properties
ConnectorDefinitionVersionArn
The Amazon Resource Name (ARN) of the connector definition version that contains the connectors
you want to deploy with the group version.
Required: No
Type: String

CoreDefinitionVersionArn
The ARN of the core definition version that contains the core you want to deploy with the group
version. Currently, the core definition version can contain only one core.

2583
AWS IoT Greengrass
Required: No
Type: String

DeviceDefinitionVersionArn
The ARN of the device definition version that contains the devices you want to deploy with the
group version.
Required: No
Type: String

FunctionDefinitionVersionArn
The ARN of the function definition version that contains the functions you want to deploy with the
group version.
Required: No
Type: String

LoggerDefinitionVersionArn
The ARN of the logger definition version that contains the loggers you want to deploy with the
group version.
Required: No
Type: String

ResourceDefinitionVersionArn
The ARN of the resource definition version that contains the resources you want to deploy with the
group version.
Required: No
Type: String

SubscriptionDefinitionVersionArn
The ARN of the subscription definition version that contains the subscriptions you want to deploy
with the group version.
Required: No
Type: String
See Also
• GroupVersion in the AWS IoT Greengrass API Reference


2584
AWS IoT Greengrass
AWS::Greengrass::GroupVersion
The AWS::Greengrass::GroupVersion resource represents a group version in AWS IoT Greengrass.
A group version references a core definition version, device definition version, subscription definition
version, and other version types that contain the components you want to deploy to a Greengrass core
device. The group version must reference a core definition version that contains one core. Other version
types are optionally included, depending on your business need.
Note
To create a group version, you must specify the ID of the group that you want to associate with
the version. For information about creating a group, see AWS::Greengrass::Group.
Syntax
JSON
{
"Type" : "AWS::Greengrass::GroupVersion",
"Properties" : {
"ConnectorDefinitionVersionArn" : String,
"CoreDefinitionVersionArn" : String,
"DeviceDefinitionVersionArn" : String,
"FunctionDefinitionVersionArn" : String,
"GroupId" : String,
"LoggerDefinitionVersionArn" : String,
"ResourceDefinitionVersionArn" : String,
"SubscriptionDefinitionVersionArn" : String
}
}
YAML
Type: AWS::Greengrass::GroupVersion
Properties:
ConnectorDefinitionVersionArn: String
CoreDefinitionVersionArn: String
DeviceDefinitionVersionArn: String
FunctionDefinitionVersionArn: String
GroupId: String
LoggerDefinitionVersionArn: String
ResourceDefinitionVersionArn: String
SubscriptionDefinitionVersionArn: String
Properties
ConnectorDefinitionVersionArn
The Amazon Resource Name (ARN) of the connector definition version that contains the connectors
you want to deploy with the group version.
Required: No
Type: String

CoreDefinitionVersionArn
The ARN of the core definition version that contains the core you want to deploy with the group
version. Currently, the core definition version can contain only one core.

2585
AWS IoT Greengrass
Required: No
Type: String

DeviceDefinitionVersionArn
The ARN of the device definition version that contains the devices you want to deploy with the
group version.
Required: No
Type: String

FunctionDefinitionVersionArn
The ARN of the function definition version that contains the functions you want to deploy with the
group version.
Required: No
Type: String

GroupId
The ID of the group associated with this version. This value is a GUID.
Required: Yes
Type: String

LoggerDefinitionVersionArn
The ARN of the logger definition version that contains the loggers you want to deploy with the
group version.
Required: No
Type: String

ResourceDefinitionVersionArn
The ARN of the resource definition version that contains the resources you want to deploy with the
group version.
Required: No
Type: String

SubscriptionDefinitionVersionArn
The ARN of the subscription definition version that contains the subscriptions you want to deploy
with the group version.
Required: No

2586
AWS IoT Greengrass
Type: String
Return Values
Ref
ARN of the group version, such as arn:aws:greengrass:us-east-1:123456789012:/
greengrass/definition/groups/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/
See Also
• CreateGroupVersion in the AWS IoT Greengrass API Reference
AWS::Greengrass::LoggerDefinition
The AWS::Greengrass::LoggerDefinition resource represents a logger definition for AWS IoT
Greengrass. Logger definitions are used to organize your logger definition versions.
Logger definitions can reference multiple logger definition versions. All logger definition versions must
be associated with a logger definition. Each logger definition version can contain one or more loggers.
Note
When you create a logger definition, you can optionally include an initial logger
definition version. To associate a logger definition version later, create an
AWS::Greengrass::LoggerDefinitionVersion resource and specify the ID of this logger
definition.
After you create the logger definition version that contains the loggers you want to deploy, you
Syntax
JSON
{
"Type" : "AWS::Greengrass::LoggerDefinition",
"Properties" : {
"InitialVersion" : LoggerDefinitionVersion (p. 2591),
"Name" : String,
"Tags" : Json
}
}
YAML
Type: AWS::Greengrass::LoggerDefinition
Properties:
InitialVersion:
LoggerDefinitionVersion (p. 2591)

2587
AWS IoT Greengrass
Name: String
Tags: Json
Properties
InitialVersion
The logger definition version to include when the logger definition is created. A logger definition
version contains a list of logger property types.
Note
To associate a logger definition version after the logger definition is created, create an
AWS::Greengrass::LoggerDefinitionVersion resource and specify the ID of this
logger definition.
Required: No
Type: LoggerDefinitionVersion (p. 2591)

Name
The name of the logger definition.
Required: Yes
Type: String

Tags
Application-specific metadata to attach to the logger definition. You can use tags in IAM policies to
Developer Guide.
"Tags": {
"KeyName2": "value"
}
Required: No
Type: Json
Return Values
Ref
logger definition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.

2588
AWS IoT Greengrass
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the LoggerDefinition, such as

loggers/1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Id
The ID of the LoggerDefinition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.

LatestVersionArn
The ARN of the last LoggerDefinitionVersion that was added to the LoggerDefinition,
definition/loggers/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/
Name
The name of the LoggerDefinition, such as MyLoggerDefinition.
Examples
Logger Definition Snippet
The following snippet defines a logger definition resource with an initial version that contains a logger.
JSON
"Properties": {
"Name": "DemoTestLoggerDefinition",
"InitialVersion": {
"Loggers": [
{
"Type": "FileSystem",
"Level": "INFO",
"Space": "128"
}
]
}
}
}
YAML

2589
AWS IoT Greengrass
Properties:
InitialVersion:
Loggers:
- Id: TestLogger1
Type: FileSystem
Level: INFO
Space: '128'
See Also
• CreateLoggerDefinition in the AWS IoT Greengrass API Reference
AWS::Greengrass::LoggerDefinition Logger
A logger represents logging settings for the AWS IoT Greengrass group, which can be stored in
CloudWatch and the local file system of your core device. All log entries include a timestamp, log level,
and information about the event. For more information, see Monitoring with AWS IoT Greengrass Logs in
the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, the Loggers property of the LoggerDefinitionVersion

property type contains a list of Logger property types.
Syntax
JSON
{
"Component" : String,
"Id" : String,
"Level" : String,
"Space" : Integer,
"Type" : String
}
YAML
Component: String
Id: String
Level: String
Space: Integer
Type: String
Properties
Component
The source of the log event. Valid values are GreengrassSystem or Lambda. When
GreengrassSystem is used, events from Greengrass system components are logged. When Lambda
is used, events from user-defined Lambda functions are logged.
Required: Yes
Type: String

2590
AWS IoT Greengrass

Id
A descriptive or arbitrary ID for the logger. This value must be unique within the logger definition
Required: Yes
Type: String

Level
The log-level threshold. Log events below this threshold are filtered out and aren't stored. Valid
values are DEBUG, INFO (recommended), WARN, ERROR, or FATAL.
Required: Yes
Type: String

Space
The amount of file space (in KB) to use when writing logs to the local file system. This property does
not apply for CloudWatch Logs.
Required: No
Type: Integer

Type
The storage mechanism for log events. Valid values are FileSystem or AWSCloudWatch. When
AWSCloudWatch is used, log events are sent to CloudWatch Logs. When FileSystem is used, log
events are stored on the local file system.
Required: Yes
Type: String
See Also
• Logger in the AWS IoT Greengrass API Reference

AWS::Greengrass::LoggerDefinition LoggerDefinitionVersion
A logger definition version contains a list of loggers.
Note
After you create a logger definition version that contains the loggers you want to deploy, you
In an AWS CloudFormation template, LoggerDefinitionVersion is the property type of the

InitialVersion property in the AWS::Greengrass::LoggerDefinition resource.

2591
AWS IoT Greengrass
Syntax
JSON
{
"Loggers" : [ Logger (p. 2590), ... ]
}
YAML
Loggers:
- Logger (p. 2590)
Properties
Loggers
The loggers in this version.
Required: Yes
Type: List of Logger (p. 2590)
See Also
• LoggerDefinitionVersion in the AWS IoT Greengrass API Reference

AWS::Greengrass::LoggerDefinitionVersion
The AWS::Greengrass::LoggerDefinitionVersion resource represents a logger definition version
for AWS IoT Greengrass. A logger definition version contains a list of loggers.
Note
To create a logger definition version, you must specify the ID of the logger definition that you
want to associate with the version. For information about creating a logger definition, see
AWS::Greengrass::LoggerDefinition.
After you create a logger definition version that contains the loggers you want to deploy, you
Syntax
JSON
{
"Type" : "AWS::Greengrass::LoggerDefinitionVersion",
"Properties" : {
"LoggerDefinitionId" : String,
"Loggers" : [ Logger (p. 2594), ... ]
}

2592
AWS IoT Greengrass
YAML
Type: AWS::Greengrass::LoggerDefinitionVersion
Properties:
LoggerDefinitionId: String
Loggers:
- Logger (p. 2594)
Properties
LoggerDefinitionId
The ID of the logger definition associated with this version. This value is a GUID.
Required: Yes
Type: String

Loggers
The loggers in this version.
Required: Yes
Type: List of Logger (p. 2594)
Return Values
Ref
returns the Amazon Resource Name (ARN) of the logger definition version, such as
loggers/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/versions/9876ac30-4bdb-4f9d-95af-
b5fdb66be1a2.
Examples
Logger Definition Version Snippet
The following snippet defines logger definition and logger definition version resources. The logger
definition version references the logger definition and contains a logger.
JSON
"Properties": {

2593
AWS IoT Greengrass
"Name": "DemoTestLoggerDefinition"
}
},
"TestLoggerDefinitionVersion": {
"Type": "AWS::Greengrass::LoggerDefinitionVersion",
"Properties": {
"LoggerDefinitionId": {
"Ref": "TestLoggerDefinition"
},
"Loggers": [
{
"Type": "FileSystem",
"Level": "INFO",
"Space": "128"
}
]
}
}
YAML
Properties:
TestLoggerDefinitionVersion:
Type: 'AWS::Greengrass::LoggerDefinitionVersion'
Properties:
LoggerDefinitionId: !Ref TestLoggerDefinition
Loggers:
- Id: TestLogger1
Type: FileSystem
Level: INFO
Space: '128'
See Also
• CreateLoggerDefinitionVersion in the AWS IoT Greengrass API Reference
AWS::Greengrass::LoggerDefinitionVersion Logger
A logger represents logging settings for the AWS IoT Greengrass group, which can be stored in
CloudWatch and the local file system of your core device. All log entries include a timestamp, log level,
and information about the event. For more information, see Monitoring with AWS IoT Greengrass Logs in
the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, the Loggers property of the

AWS::Greengrass::LoggerDefinitionVersion resource contains a list of Logger property types.
Syntax
JSON

2594
AWS IoT Greengrass
"Component" : String,
"Id" : String,
"Level" : String,
"Space" : Integer,
"Type" : String
}
YAML
Component: String
Id: String
Level: String
Space: Integer
Type: String
Properties
Component
The source of the log event. Valid values are GreengrassSystem or Lambda. When
GreengrassSystem is used, events from Greengrass system components are logged. When Lambda
is used, events from user-defined Lambda functions are logged.
Required: Yes
Type: String

Id
A descriptive or arbitrary ID for the logger. This value must be unique within the logger definition
Required: Yes
Type: String

Level
The log-level threshold. Log events below this threshold are filtered out and aren't stored. Valid
values are DEBUG, INFO (recommended), WARN, ERROR, or FATAL.
Required: Yes
Type: String

Space
The amount of file space (in KB) to use when writing logs to the local file system. This property does
not apply for CloudWatch Logs.
Required: No
Type: Integer

2595
AWS IoT Greengrass
Type
The storage mechanism for log events. Valid values are FileSystem or AWSCloudWatch. When
AWSCloudWatch is used, log events are sent to CloudWatch Logs. When FileSystem is used, log
events are stored on the local file system.
Required: Yes
Type: String
See Also
• Logger in the AWS IoT Greengrass API Reference

AWS::Greengrass::ResourceDefinition
The AWS::Greengrass::ResourceDefinition resource represents a resource definition for AWS IoT
Greengrass. Resource definitions are used to organize your resource definition versions.
Resource definitions can reference multiple resource definition versions. All resource definition versions
must be associated with a resource definition. Each resource definition version can contain one or more
resources. (In AWS CloudFormation, resources are named resource instances.)
Note
When you create a resource definition, you can optionally include an initial resource
definition version. To associate a resource definition version later, create an
AWS::Greengrass::ResourceDefinitionVersion resource and specify the ID of this
resource definition.
After you create the resource definition version that contains the resources you want to deploy,
Syntax
JSON
{
"Type" : "AWS::Greengrass::ResourceDefinition",
"Properties" : {
"InitialVersion" : ResourceDefinitionVersion (p. 2605),
"Name" : String,
"Tags" : Json
}
}
YAML
Type: AWS::Greengrass::ResourceDefinition
Properties:
InitialVersion:
ResourceDefinitionVersion (p. 2605)
Name: String
Tags: Json

2596
AWS IoT Greengrass
Properties
InitialVersion
The resource definition version to include when the resource definition is created. A resource
definition version contains a list of resource instance property types.
Note
To associate a resource definition version after the resource definition is created, create an
AWS::Greengrass::ResourceDefinitionVersion resource and specify the ID of this
resource definition.
Required: No
Type: ResourceDefinitionVersion (p. 2605)

Name
The name of the resource definition.
Required: Yes
Type: String

Tags
Application-specific metadata to attach to the resource definition. You can use tags in IAM policies to
Developer Guide.
"Tags": {
"KeyName2": "value"
}
Required: No
Type: Json
Return Values
Ref
resource definition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Fn::GetAtt

2597
AWS IoT Greengrass
Arn
The Amazon Resource Name (ARN) of the ResourceDefinition, such as

resources/1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Id
The ID of the ResourceDefinition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.

LatestVersionArn
The ARN of the last ResourceDefinitionVersion that was added to the

ResourceDefinition, such as arn:aws:greengrass:us-east-1:123456789012:/
greengrass/definition/resources/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/
Name
The name of the ResourceDefinition, such as MyResourceDefinition.
Examples
Resource Definition Snippet
The following snippet defines a resource definition resource with an initial version that contains each
type of resource.
JSON
"Properties": {
"Name": "DemoTestResourceDefinition",
"InitialVersion": {
"Resources": [
{
}
}
}
},
{

2598
AWS IoT Greengrass
}
}
}
},
{
"Name": "SageMakerMachineLearningModelResourceData",
"SageMakerMachineLearningModelResourceData": {
"SageMakerJobArn": {
"Fn::Join": [
":",
[
"arn:aws:sagemaker",
{
},
{
},
"training-job/testJob"
]
]
},
"DestinationPath": "/sagemakermodels/TestDestinationPath3"
}
}
},
{
"Name": "S3MachineLearningModelResourceData",
"S3MachineLearningModelResourceData": {
"S3Uri": "http://testBucket.s3.amazonaws.com/testUri.zip",
"DestinationPath": "/mlModels/TestDestinationPath4"
}
}
},
{
"Name": "SecretsManagerSecretResourceData",
"SecretsManagerSecretResourceData": {
"ARN": {
"Fn::Join": [
":",
[
"arn:aws:secretsmanager",
{
},
{
},
"secret:testARN"
]
]
},
"AdditionalStagingLabelsToDownload": [
"label1",
"label2"
]
}
}

2599
AWS IoT Greengrass
}
]
}
}
}
YAML
Properties:
TestResourceDefinitionVersion:
Type: 'AWS::Greengrass::ResourceDefinitionVersion'
Properties:
ResourceDefinitionId: !Ref TestResourceDefinition
Resources:
- Id: ResourceId1
GroupOwnerSetting:
- Id: ResourceId2
GroupOwnerSetting:
- Id: ResourceId3
Name: SageMakerMachineLearningModelResourceData
SageMakerMachineLearningModelResourceData:
SageMakerJobArn: !Join
- ':'
- - 'arn:aws:sagemaker'
- training-job/testJob
DestinationPath: /sagemakermodels/TestDestinationPath3
- Id: ResourceId4
Name: S3MachineLearningModelResourceData
S3MachineLearningModelResourceData:
S3Uri: 'http://testBucket.s3.amazonaws.com/testUri.zip'
DestinationPath: /mlModels/TestDestinationPath4
- Id: ResourceId5
Name: SecretsManagerSecretResourceData
SecretsManagerSecretResourceData:
ARN: !Join
- ':'
- - 'arn:aws:secretsmanager'
- 'secret:testARN'
AdditionalStagingLabelsToDownload:
- label1
- label2

2600
AWS IoT Greengrass
See Also
• CreateResourceDefinition in the AWS IoT Greengrass API Reference
AWS::Greengrass::ResourceDefinition GroupOwnerSetting
Settings that define additional Linux OS group permissions to give to the Lambda function process. You
can give the permissions of the Linux group that owns the resource or choose another Linux group. These
permissions are in addition to the function's RunAs permissions.
In an AWS CloudFormation template, GroupOwnerSetting is a property of the

LocalDeviceResourceData and LocalVolumeResourceData property types.
Syntax
JSON
{
"AutoAddGroupOwner" : Boolean,
"GroupOwner" : String
}
YAML
AutoAddGroupOwner: Boolean
GroupOwner: String
Properties
AutoAddGroupOwner
Indicates whether to give the privileges of the Linux group that owns the resource to the Lambda
process. This gives the Lambda process the file access permissions of the Linux group.
Required: Yes
Type: Boolean

GroupOwner
The name of the Linux group whose privileges you want to add to the Lambda process. This value is
ignored if AutoAddGroupOwner is true.
Required: No
Type: String
See Also
• GroupOwnerSetting in the AWS IoT Greengrass API Reference


2601
AWS IoT Greengrass
AWS::Greengrass::ResourceDefinition LocalDeviceResourceData
Settings for a local device resource, which represents a file under /dev. For more information, see Access
Local Resources with Lambda Functions in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, LocalDeviceResourceData can be used in the

ResourceDataContainer property type.
Syntax
JSON
{
"GroupOwnerSetting" : GroupOwnerSetting (p. 2601),
}
YAML
GroupOwnerSetting:
GroupOwnerSetting (p. 2601)
SourcePath: String
Properties
GroupOwnerSetting
Settings that define additional Linux OS group permissions to give to the Lambda function process.
Required: No
Type: GroupOwnerSetting (p. 2601)

SourcePath
The local absolute path of the device resource. The source path for a device resource can refer only
to a character device or block device under /dev.
Required: Yes
Type: String
See Also
• LocalDeviceResourceData in the AWS IoT Greengrass API Reference

AWS::Greengrass::ResourceDefinition LocalVolumeResourceData
Settings for a local volume resource, which represents a file or directory on the root file system. For more
information, see Access Local Resources with Lambda Functions in the AWS IoT Greengrass Developer
Guide.

2602
AWS IoT Greengrass
In an AWS CloudFormation template, LocalVolumeResourceData can be used in the

Syntax
JSON
{
"DestinationPath" : String,
}
YAML
DestinationPath: String
GroupOwnerSetting:
SourcePath: String
Properties
DestinationPath
The absolute local path of the resource in the Lambda environment.
Required: Yes
Type: String

GroupOwnerSetting
Required: No

SourcePath
The local absolute path of the volume resource on the host. The source path for a volume resource
type cannot start with /sys.
Required: Yes
Type: String
See Also
• LocalVolumeResourceData in the AWS IoT Greengrass API Reference


2603
AWS IoT Greengrass
AWS::Greengrass::ResourceDefinition ResourceDataContainer
A container for resource data, which defines the resource type. The container takes only one of the
following supported resource data types: LocalDeviceResourceData, LocalVolumeResourceData,
SageMakerMachineLearningModelResourceData, S3MachineLearningModelResourceData, or
SecretsManagerSecretResourceData.
Note
Only one resource type can be defined for a ResourceDataContainer instance.
In an AWS CloudFormation template, ResourceDataContainer is a property of the

ResourceInstance property type.
Syntax
JSON
{
"LocalDeviceResourceData" : LocalDeviceResourceData (p. 2602),
"LocalVolumeResourceData" : LocalVolumeResourceData (p. 2602),
"S3MachineLearningModelResourceData" : S3MachineLearningModelResourceData (p. 2607),
"SageMakerMachineLearningModelResourceData" : SageMakerMachineLearningModelResourceData (p. 2608),

"SecretsManagerSecretResourceData" : SecretsManagerSecretResourceData (p. 2609)
}
YAML
LocalDeviceResourceData (p. 2602)
LocalVolumeResourceData (p. 2602)
S3MachineLearningModelResourceData (p. 2607)
SageMakerMachineLearningModelResourceData (p. 2608)
SecretsManagerSecretResourceData (p. 2609)
Properties
LocalDeviceResourceData
Settings for a local device resource.
Required: No
Type: LocalDeviceResourceData (p. 2602)

LocalVolumeResourceData
Settings for a local volume resource.
Required: No
Type: LocalVolumeResourceData (p. 2602)

2604
AWS IoT Greengrass
S3MachineLearningModelResourceData
Settings for a machine learning resource stored in Amazon S3.
Required: No
Type: S3MachineLearningModelResourceData (p. 2607)

SageMakerMachineLearningModelResourceData
Settings for a machine learning resource saved as an Amazon SageMaker training job.
Required: No
Type: SageMakerMachineLearningModelResourceData (p. 2608)

SecretsManagerSecretResourceData
Settings for a secret resource.
Required: No
Type: SecretsManagerSecretResourceData (p. 2609)
See Also
• ResourceDataContainer in the AWS IoT Greengrass API Reference

AWS::Greengrass::ResourceDefinition ResourceDefinitionVersion
A resource definition version contains a list of resources. (In AWS CloudFormation, resources are named
resource instances.)
Note
After you create a resource definition version that contains the resources you want to deploy,
In an AWS CloudFormation template, ResourceDefinitionVersion is the property type of the

InitialVersion property in the AWS::Greengrass::ResourceDefinition resource.
Syntax
JSON
{
"Resources" : [ ResourceInstance (p. 2606), ... ]
}
YAML
Resources:
- ResourceInstance (p. 2606)

2605
AWS IoT Greengrass
Properties
Resources
The resources in this version.
Required: Yes
Type: List of ResourceInstance (p. 2606)
See Also
• ResourceDefinitionVersion in the AWS IoT Greengrass API Reference

AWS::Greengrass::ResourceDefinition ResourceInstance
A local resource, machine learning resource, or secret resource. For more information, see Access Local
Resources with Lambda Functions, Perform Machine Learning Inference, and Deploy Secrets to the AWS
IoT Greengrass Core in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, the Resources property of the

AWS::Greengrass::ResourceDefinition resource contains a list of ResourceInstance property
types.
Syntax
JSON
{
"Id" : String,
"Name" : String,
"ResourceDataContainer" : ResourceDataContainer (p. 2604)
}
YAML
Id: String
Name: String
ResourceDataContainer (p. 2604)
Properties
Id
A descriptive or arbitrary ID for the resource. This value must be unique within the resource
Required: Yes
Type: String

2606
AWS IoT Greengrass
Name
The descriptive resource name, which is displayed on the AWS IoT Greengrass console. Maximum
length 128 characters with pattern [a-zA-Z0-9:_-]+. This must be unique within a Greengrass group.
Required: Yes
Type: String

ResourceDataContainer
A container for resource data. The container takes only one of the
following supported resource data types: LocalDeviceResourceData,
LocalVolumeResourceData, SageMakerMachineLearningModelResourceData,
S3MachineLearningModelResourceData, or SecretsManagerSecretResourceData.
Note
Required: Yes
Type: ResourceDataContainer (p. 2604)
See Also
• Resource in the AWS IoT Greengrass API Reference

AWS::Greengrass::ResourceDefinition S3MachineLearningModelResourceData
Settings for an Amazon S3 machine learning resource. For more information, see Perform Machine
Learning Inference in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, S3MachineLearningModelResourceData can be used in the

Syntax
JSON
{
"S3Uri" : String
}
YAML
S3Uri: String
Properties
DestinationPath
The absolute local path of the resource inside the Lambda environment.

2607
AWS IoT Greengrass
Required: Yes
Type: String

S3Uri
The URI of the source model in an Amazon S3 bucket. The model package must be in tar.gz or
.zip format.
Required: Yes
Type: String
See Also
• S3MachineLearningModelResourceData in the AWS IoT Greengrass API Reference

AWS::Greengrass::ResourceDefinition
Settings for an Secrets Manager machine learning resource. For more information, see Perform Machine
In an AWS CloudFormation template, SageMakerMachineLearningModelResourceData can be used

in the ResourceDataContainer property type.
Syntax
JSON
{
"SageMakerJobArn" : String
}
YAML
SageMakerJobArn: String
Properties
DestinationPath
Required: Yes
Type: String

2608
AWS IoT Greengrass
SageMakerJobArn
The Amazon Resource Name (ARN) of the Amazon SageMaker training job that represents the source
model.
Required: Yes
Type: String
See Also
• SageMakerMachineLearningModelResourceData in the AWS IoT Greengrass API Reference

AWS::Greengrass::ResourceDefinition SecretsManagerSecretResourceData
Settings for a secret resource, which references a secret from AWS Secrets Manager. AWS IoT Greengrass
stores a local, encrypted copy of the secret on the Greengrass core, where it can be securely accessed by
connectors and Lambda functions. For more information, see Deploy Secrets to the AWS IoT Greengrass
Core in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, SecretsManagerSecretResourceData can be used in the

Syntax
JSON
{
"AdditionalStagingLabelsToDownload" : [ String, ... ],
"ARN" : String
}
YAML
- String
ARN: String
Properties
AdditionalStagingLabelsToDownload
The staging labels whose values you want to make available on the core, in addition to AWSCURRENT.
Required: No

ARN
The Amazon Resource Name (ARN) of the Secrets Manager secret to make available on the core. The
value of the secret's latest version (represented by the AWSCURRENT staging label) is included by
default.

2609
AWS IoT Greengrass
Required: Yes
Type: String
See Also
• SecretsManagerSecretResourceData in the AWS IoT Greengrass API Reference

AWS::Greengrass::ResourceDefinitionVersion
The AWS::Greengrass::ResourceDefinitionVersion resource represents a resource definition
version for AWS IoT Greengrass. A resource definition version contains a list of resources. (In AWS
CloudFormation, resources are named resource instances.)
Note
To create a resource definition version, you must specify the ID of the resource definition that
you want to associate with the version. For information about creating a resource definition, see
AWS::Greengrass::ResourceDefinition.
After you create a resource definition version that contains the resources you want to deploy,
Syntax
JSON
{
"Type" : "AWS::Greengrass::ResourceDefinitionVersion",
"Properties" : {
"ResourceDefinitionId" : String,
"Resources" : [ ResourceInstance (p. 2618), ... ]
}
}
YAML
Type: AWS::Greengrass::ResourceDefinitionVersion
Properties:
ResourceDefinitionId: String
Resources:
- ResourceInstance (p. 2618)
Properties
ResourceDefinitionId
The ID of the resource definition associated with this version. This value is a GUID.
Required: Yes
Type: String

2610
AWS IoT Greengrass
Resources
The resources in this version.
Required: Yes
Type: List of ResourceInstance (p. 2618)
Return Values
Ref
returns the Amazon Resource Name (ARN) of the resource definition version,
definition/resources/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/
Examples
Resource Definition Version Snippet
The following snippet defines resource definition and resource definition version resources. The resource
definition version references the resource definition and contains each type of resource.
JSON
"Properties": {
"Name": "DemoTestResourceDefinition"
}
},
"TestResourceDefinitionVersion": {
"Type": "AWS::Greengrass::ResourceDefinitionVersion",
"Properties": {
"ResourceDefinitionId": {
"Ref": "TestResourceDefinition"
},
"Resources": [
{
}
}
}
},
{

2611
AWS IoT Greengrass
}
}
}
},
{
"Name": "SageMakerMachineLearningModelResourceData",
"SageMakerMachineLearningModelResourceData": {
"SageMakerJobArn": {
"Fn::Join": [
":",
[
"arn:aws:sagemaker",
{
},
{
},
"training-job/testJob"
]
]
},
"DestinationPath": "/sagemakermodels/TestDestinationPath3"
}
}
},
{
"Name": "S3MachineLearningModelResourceData",
"S3MachineLearningModelResourceData": {
"S3Uri": "http://testBucket.s3.amazonaws.com/testUri.zip",
"DestinationPath": "/mlModels/TestDestinationPath4"
}
}
},
{
"Name": "SecretsManagerSecretResourceData",
"SecretsManagerSecretResourceData": {
"ARN": {
"Fn::Join": [
":",
[
"arn:aws:secretsmanager",
{
},
{
},
"secret:testARN"
]
]
},
"AdditionalStagingLabelsToDownload": [
"label1",

2612
AWS IoT Greengrass
"label2"
]
}
}
}
]
}
}
YAML
Properties:
InitialVersion:
Resources:
- Id: ResourceId1
GroupOwnerSetting:
- Id: ResourceId2
GroupOwnerSetting:
- Id: ResourceId3
Name: SageMakerMachineLearningModelResourceData
SageMakerJobArn: !Join
- ':'
- - 'arn:aws:sagemaker'
- training-job/testJob
DestinationPath: /sagemakermodels/TestDestinationPath3
- Id: ResourceId4
Name: S3MachineLearningModelResourceData
S3Uri: 'http://testBucket.s3.amazonaws.com/testUri.zip'
DestinationPath: /mlModels/TestDestinationPath4
- Id: ResourceId5
Name: SecretsManagerSecretResourceData
ARN: !Join
- ':'
- - 'arn:aws:secretsmanager'
- 'secret:testARN'
- label1
- label2

2613
AWS IoT Greengrass
See Also
• CreateResourceDefinitionVersion in the AWS IoT Greengrass API Reference
AWS::Greengrass::ResourceDefinitionVersion GroupOwnerSetting
Settings that define additional Linux OS group permissions to give to the Lambda function process. You
can give the permissions of the Linux group that owns the resource or choose another Linux group. These
permissions are in addition to the function's RunAs permissions.
In an AWS CloudFormation template, GroupOwnerSetting is a property of the

LocalDeviceResourceData and LocalVolumeResourceData property types.
Syntax
JSON
{
"AutoAddGroupOwner" : Boolean,
"GroupOwner" : String
}
YAML
AutoAddGroupOwner: Boolean
GroupOwner: String
Properties
AutoAddGroupOwner
Indicates whether to give the privileges of the Linux group that owns the resource to the Lambda
process. This gives the Lambda process the file access permissions of the Linux group.
Required: Yes
Type: Boolean

GroupOwner
The name of the Linux group whose privileges you want to add to the Lambda process. This value is
ignored if AutoAddGroupOwner is true.
Required: No
Type: String
See Also
• GroupOwnerSetting in the AWS IoT Greengrass API Reference


2614
AWS IoT Greengrass
AWS::Greengrass::ResourceDefinitionVersion LocalDeviceResourceData
Settings for a local device resource, which represents a file under /dev. For more information, see Access
Local Resources with Lambda Functions in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, LocalDeviceResourceData can be used in the

Syntax
JSON
{
}
YAML
GroupOwnerSetting:
SourcePath: String
Properties
GroupOwnerSetting
Required: No

SourcePath
The local absolute path of the device resource. The source path for a device resource can refer only
to a character device or block device under /dev.
Required: Yes
Type: String
See Also
• LocalDeviceResourceData in the AWS IoT Greengrass API Reference

AWS::Greengrass::ResourceDefinitionVersion LocalVolumeResourceData
Settings for a local volume resource, which represents a file or directory on the root file system. For more
information, see Access Local Resources with Lambda Functions in the AWS IoT Greengrass Developer
Guide.

2615
AWS IoT Greengrass
In an AWS CloudFormation template, LocalVolumeResourceData can be used in the

Syntax
JSON
{
}
YAML
GroupOwnerSetting:
SourcePath: String
Properties
DestinationPath
The absolute local path of the resource in the Lambda environment.
Required: Yes
Type: String

GroupOwnerSetting
Required: No

SourcePath
The local absolute path of the volume resource on the host. The source path for a volume resource
type cannot start with /sys.
Required: Yes
Type: String
See Also
• LocalVolumeResourceData in the AWS IoT Greengrass API Reference


2616
AWS IoT Greengrass
AWS::Greengrass::ResourceDefinitionVersion ResourceDataContainer
A container for resource data, which defines the resource type. The container takes only one of the
following supported resource data types: LocalDeviceResourceData, LocalVolumeResourceData,
SageMakerMachineLearningModelResourceData, S3MachineLearningModelResourceData, or
SecretsManagerSecretResourceData.
Note
In an AWS CloudFormation template, ResourceDataContainer is a property of the

ResourceInstance property type.
Syntax
JSON
{
"LocalDeviceResourceData" : LocalDeviceResourceData (p. 2615),
"LocalVolumeResourceData" : LocalVolumeResourceData (p. 2615),
"S3MachineLearningModelResourceData" : S3MachineLearningModelResourceData (p. 2619),
"SageMakerMachineLearningModelResourceData" : SageMakerMachineLearningModelResourceData (p. 2620),

"SecretsManagerSecretResourceData" : SecretsManagerSecretResourceData (p. 2621)
}
YAML
LocalDeviceResourceData (p. 2615)
LocalVolumeResourceData (p. 2615)
S3MachineLearningModelResourceData (p. 2619)
SageMakerMachineLearningModelResourceData (p. 2620)
SecretsManagerSecretResourceData (p. 2621)
Properties
LocalDeviceResourceData
Settings for a local device resource.
Required: No
Type: LocalDeviceResourceData (p. 2615)

LocalVolumeResourceData
Settings for a local volume resource.
Required: No
Type: LocalVolumeResourceData (p. 2615)

2617
AWS IoT Greengrass
Settings for a machine learning resource stored in Amazon S3.
Required: No
Type: S3MachineLearningModelResourceData (p. 2619)

Settings for a machine learning resource saved as an Amazon SageMaker training job.
Required: No
Type: SageMakerMachineLearningModelResourceData (p. 2620)

Settings for a secret resource.
Required: No
Type: SecretsManagerSecretResourceData (p. 2621)
See Also
• ResourceDataContainer in the AWS IoT Greengrass API Reference

AWS::Greengrass::ResourceDefinitionVersion ResourceInstance
A local resource, machine learning resource, or secret resource. For more information, see Access Local
Resources with Lambda Functions, Perform Machine Learning Inference, and Deploy Secrets to the AWS
IoT Greengrass Core in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, the Resources property of the

AWS::Greengrass::ResourceDefinitionVersion resource contains a list of ResourceInstance
property types.
Syntax
JSON
{
"Id" : String,
"Name" : String,
"ResourceDataContainer" : ResourceDataContainer (p. 2617)
}
YAML
Id: String

2618
AWS IoT Greengrass
Name: String
ResourceDataContainer (p. 2617)
Properties
Id
A descriptive or arbitrary ID for the resource. This value must be unique within the resource
Required: Yes
Type: String

Name
The descriptive resource name, which is displayed on the AWS IoT Greengrass console. Maximum
length 128 characters with pattern [a-zA-Z0-9:_-]+. This must be unique within a Greengrass group.
Required: Yes
Type: String

ResourceDataContainer
A container for resource data. The container takes only one of the
following supported resource data types: LocalDeviceResourceData,
LocalVolumeResourceData, SageMakerMachineLearningModelResourceData,
S3MachineLearningModelResourceData, or SecretsManagerSecretResourceData.
Note
Required: Yes
Type: ResourceDataContainer (p. 2617)
See Also
• Resource in the AWS IoT Greengrass API Reference

Settings for an Amazon S3 machine learning resource. For more information, see Perform Machine
In an AWS CloudFormation template, S3MachineLearningModelResourceData can be used in the

Syntax

2619
AWS IoT Greengrass
JSON
{
"S3Uri" : String
}
YAML
S3Uri: String
Properties
DestinationPath
Required: Yes
Type: String

S3Uri
The URI of the source model in an Amazon S3 bucket. The model package must be in tar.gz or
.zip format.
Required: Yes
Type: String
See Also
• S3MachineLearningModelResourceData in the AWS IoT Greengrass API Reference

Settings for an Secrets Manager machine learning resource. For more information, see Perform Machine
In an AWS CloudFormation template, SageMakerMachineLearningModelResourceData can be used

in the ResourceDataContainer property type.
Syntax
JSON
{
"SageMakerJobArn" : String
}

2620
AWS IoT Greengrass
YAML
SageMakerJobArn: String
Properties
DestinationPath
Required: Yes
Type: String

SageMakerJobArn
The Amazon Resource Name (ARN) of the Amazon SageMaker training job that represents the source
model.
Required: Yes
Type: String
See Also
• SageMakerMachineLearningModelResourceData in the AWS IoT Greengrass API Reference

Settings for a secret resource, which references a secret from AWS Secrets Manager. AWS IoT Greengrass
stores a local, encrypted copy of the secret on the Greengrass core, where it can be securely accessed by
connectors and Lambda functions. For more information, see Deploy Secrets to the AWS IoT Greengrass
Core in the AWS IoT Greengrass Developer Guide.
In an AWS CloudFormation template, SecretsManagerSecretResourceData can be used in the

Syntax
JSON
{
"AdditionalStagingLabelsToDownload" : [ String, ... ],
"ARN" : String
}
YAML

2621
AWS IoT Greengrass
- String
ARN: String
Properties
AdditionalStagingLabelsToDownload
The staging labels whose values you want to make available on the core, in addition to AWSCURRENT.
Required: No

ARN
The Amazon Resource Name (ARN) of the Secrets Manager secret to make available on the core. The
value of the secret's latest version (represented by the AWSCURRENT staging label) is included by
default.
Required: Yes
Type: String
See Also
• SecretsManagerSecretResourceData in the AWS IoT Greengrass API Reference

AWS::Greengrass::SubscriptionDefinition
The AWS::Greengrass::SubscriptionDefinition resource represents a subscription definition for
AWS IoT Greengrass. Subscription definitions are used to organize your subscription definition versions.
Subscription definitions can reference multiple subscription definition versions. All subscription
definition versions must be associated with a subscription definition. Each subscription definition version
can contain one or more subscriptions.
Note
When you create a subscription definition, you can optionally include an initial subscription
definition version. To associate a subscription definition version later, create an
AWS::Greengrass::SubscriptionDefinitionVersion resource and specify the ID of this
subscription definition.
After you create the subscription definition version that contains the subscriptions
you want to deploy, you must add it to your group version. For more information, see
Syntax
JSON
{
"Type" : "AWS::Greengrass::SubscriptionDefinition",

2622
AWS IoT Greengrass
"Properties" : {
"InitialVersion" : SubscriptionDefinitionVersion (p. 2627),
"Name" : String,
"Tags" : Json
}
}
YAML
Type: AWS::Greengrass::SubscriptionDefinition
Properties:
InitialVersion:
SubscriptionDefinitionVersion (p. 2627)
Name: String
Tags: Json
Properties
InitialVersion
The subscription definition version to include when the subscription definition is created. A
subscription definition version contains a list of subscription property types.
Note
To associate a subscription definition version after the subscription definition is created,
create an AWS::Greengrass::SubscriptionDefinitionVersion resource and
specify the ID of this subscription definition.
Required: No
Type: SubscriptionDefinitionVersion (p. 2627)

Name
The name of the subscription definition.
Required: Yes
Type: String

Tags
Application-specific metadata to attach to the subscription definition. You can use tags in IAM
policies to control access to AWS IoT Greengrass resources. You can also use tags to categorize your
resources. For more information, see Tagging Your AWS IoT Greengrass Resources in the AWS IoT
"Tags": {
"KeyName2": "value"
}
Required: No

2623
AWS IoT Greengrass
Type: Json
Return Values
Ref
subscription definition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Fn::GetAtt
Arn
The Amazon Resource Name (ARN) of the SubscriptionDefinition, such as

subscriptions/1234a5b6-78cd-901e-2fgh-3i45j6k178l9.
Id
The ID of the SubscriptionDefinition, such as 1234a5b6-78cd-901e-2fgh-3i45j6k178l9.

LatestVersionArn
The ARN of the last SubscriptionDefinitionVersion that was added to the

SubscriptionDefinition, such as arn:aws:greengrass:us-east-1:123456789012:/
greengrass/definition/subscriptions/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/
Name
The name of the SubscriptionDefinition, such as MySubscriptionDefinition.
Examples
Subscription Definition Snippet
The following snippet defines a subscription definition subscription with an initial version that contains
a subscription. In this example, the subscription source is an existing device in the group. The target is
a function in the group that was created in another stack and is referenced using the ImportValue
function.
For an example of a complete template, see the AWS::Greengrass::Group subscription.
JSON
"Properties": {
"Name": "DemoTestSubscriptionDefinition",
"InitialVersion": {
"Subscriptions": [

2624
AWS IoT Greengrass
{
"Source": {
"Fn::Join": [
":",
[
"arn:aws:iot",
{
},
{
},
"thing/TestDevice1"
]
]
},
"Subject": "some/topic",
"Target": {
}
}
]
}
}
}
YAML
Properties:
InitialVersion:
Subscriptions:
Source: !Join
- ':'
- - 'arn:aws:iot'
- thing/TestDevice1
Subject: some/topic
Target: !ImportValue TestCanaryLambdaVersionArn
See Also
• CreateSubscriptionDefinition in the AWS IoT Greengrass API Reference
AWS::Greengrass::SubscriptionDefinition Subscription
Subscriptions define how MQTT messages can be exchanged between devices, functions, and connectors
in the group, and with AWS IoT or the local shadow service. A subscription defines a message source,
message target, and a topic (or subject) that's used to route messages from the source to the target.
A subscription defines the message flow in one direction, from the source to the target. For two-way
communication, you must set up two subscriptions, one for each direction.
In an AWS CloudFormation template, the Subscriptions property of the

SubscriptionDefinitionVersion property type contains a list of Subscription property types.

2625
AWS IoT Greengrass
Syntax
JSON
{
"Id" : String,
"Source" : String,
"Subject" : String,
"Target" : String
}
YAML
Id: String
Source: String
Subject: String
Target: String
Properties
Id
A descriptive or arbitrary ID for the subscription. This value must be unique within the subscription
Required: Yes
Type: String

Source
The originator of the message. The value can be a thing ARN, a Lambda function ARN, a connector
ARN, cloud (which represents the AWS IoT cloud), or GGShadowService.
Required: Yes
Type: String

Subject
The MQTT topic used to route the message.
Required: Yes
Type: String

Target
The destination of the message. The value can be a thing ARN, a Lambda function ARN, a connector
Required: Yes
Type: String

2626
AWS IoT Greengrass
See Also
• Subscription in the AWS IoT Greengrass API Reference

AWS::Greengrass::SubscriptionDefinition SubscriptionDefinitionVersion
A subscription definition version contains a list of subscriptions.
Note
After you create a subscription definition version that contains the subscriptions you
In an AWS CloudFormation template, SubscriptionDefinitionVersion is the property type of the

InitialVersion property in the AWS::Greengrass::SubscriptionDefinition resource.
Syntax
JSON
{
"Subscriptions" : [ Subscription (p. 2625), ... ]
}
YAML
Subscriptions:
- Subscription (p. 2625)
Properties
Subscriptions
The subscriptions in this version.
Required: Yes
Type: List of Subscription (p. 2625)
See Also
• SubscriptionDefinitionVersion in the AWS IoT Greengrass API Reference

AWS::Greengrass::SubscriptionDefinitionVersion
The AWS::Greengrass::SubscriptionDefinitionVersion resource represents a subscription
definition version for AWS IoT Greengrass. A subscription definition version contains a list of
subscriptions.

2627
AWS IoT Greengrass
Note
To create a subscription definition version, you must specify the ID of the subscription definition
that you want to associate with the version. For information about creating a subscription
definition, see AWS::Greengrass::SubscriptionDefinition.
After you create a subscription definition version that contains the subscriptions you
Syntax
JSON
{
"Type" : "AWS::Greengrass::SubscriptionDefinitionVersion",
"Properties" : {
"SubscriptionDefinitionId" : String,
"Subscriptions" : [ Subscription (p. 2630), ... ]
}
}
YAML
Type: AWS::Greengrass::SubscriptionDefinitionVersion
Properties:
SubscriptionDefinitionId: String
Subscriptions:
- Subscription (p. 2630)
Properties
SubscriptionDefinitionId
The ID of the subscription definition associated with this version. This value is a GUID.
Required: Yes
Type: String

Subscriptions
The subscriptions in this version.
Required: Yes
Type: List of Subscription (p. 2630)
Return Values
Ref
returns the Amazon Resource Name (ARN) of the subscription definition version,

2628
AWS IoT Greengrass
definition/subscriptions/1234a5b6-78cd-901e-2fgh-3i45j6k178l9/
Examples
Subscription Definition Version Snippet
The following snippet defines subscription definition and subscription definition version subscriptions.
The subscription definition version references the subscription definition and contains a subscription. In
this example, the subscription source is an existing device in the group. The target is a function in the
group that was created in another stack and is referenced using the ImportValue function.
For an example of a complete template, see the AWS::Greengrass::Group subscription.
JSON
"Properties": {
"Name": "DemoTestSubscriptionDefinition"
}
},
"TestSubscriptionDefinitionVersion": {
"Type": "AWS::Greengrass::SubscriptionDefinitionVersion",
"Properties": {
"SubscriptionDefinitionId": {
"Ref": "TestSubscriptionDefinition"
},
"Subscriptions": [
{
"Source": {
"Fn::Join": [
":",
[
"arn:aws:iot",
{
},
{
},
"thing/TestDevice1"
]
]
},
"Subject": "some/topic",
"Target": {
}
}
]
}
}
YAML
Properties:

2629
AWS IoT Greengrass
TestSubscriptionDefinitionVersion:
Type: 'AWS::Greengrass::SubscriptionDefinitionVersion'
Properties:
SubscriptionDefinitionId: !Ref TestSubscriptionDefinition
Subscriptions:
Source: !Join
- ':'
- - 'arn:aws:iot'
- thing/TestDevice1
Subject: some/topic
Target: !ImportValue TestCanaryLambdaVersionArn
See Also
• CreateSubscriptionDefinitionVersion in the AWS IoT Greengrass API Reference
AWS::Greengrass::SubscriptionDefinitionVersion Subscription
Subscriptions define how MQTT messages can be exchanged between devices, functions, and connectors
in the group, and with AWS IoT or the local shadow service. A subscription defines a message source,
message target, and a topic (or subject) that's used to route messages from the source to the target.
A subscription defines the message flow in one direction, from the source to the target. For two-way
communication, you must set up two subscriptions, one for each direction.
In an AWS CloudFormation template, the Subscriptions property of the

AWS::Greengrass::SubscriptionDefinitionVersion resource contains a list of Subscription
property types.
Syntax
JSON
{
"Id" : String,
"Source" : String,
"Subject" : String,
"Target" : String
}
YAML
Id: String
Source: String
Subject: String
Target: String
Properties
Id
A descriptive or arbitrary ID for the subscription. This value must be unique within the subscription

2630
AWS IoT Things Graph
Required: Yes
Type: String

Source
The originator of the message. The value can be a thing ARN, a Lambda function ARN, a connector
Required: Yes
Type: String

Subject
The MQTT topic used to route the message.
Required: Yes
Type: String

Target
The destination of the message. The value can be a thing ARN, a Lambda function ARN, a connector
Required: Yes
Type: String
See Also
• Subscription in the AWS IoT Greengrass API Reference

AWS IoT Things Graph Resource Type Reference

Resource Types
• AWS::IoTThingsGraph::FlowTemplate (p. 2631)
AWS::IoTThingsGraph::FlowTemplate
Represents a workflow template. Workflows can be created only in the user's namespace. (The public
namespace contains only entities.) The workflow can contain only entities in the specified namespace.
The workflow is validated against the entities in the latest version of the user's namespace unless
another namespace version is specified in the request.
Syntax

2631
AWS IoT Things Graph
JSON
{
"Type" : "AWS::IoTThingsGraph::FlowTemplate",
"Properties" : {
"CompatibleNamespaceVersion" : Double,
"Definition" : DefinitionDocument (p. 2632)
}
}
YAML
Type: AWS::IoTThingsGraph::FlowTemplate
Properties:
CompatibleNamespaceVersion: Double
Definition:
DefinitionDocument (p. 2632)
Properties
CompatibleNamespaceVersion
The version of the user's namespace against which the workflow was validated. Use this value in
your system instance.
Required: No
Type: Double

Definition
A workflow's definition document.
Required: Yes
Type: DefinitionDocument (p. 2632)
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the URN of the
workflow template, such as urn:tdm:us-west-2/123456789101/default:workflow:flowname.
AWS::IoTThingsGraph::FlowTemplate DefinitionDocument
A document that defines an entity.
Syntax

2632
Amazon Kinesis
JSON
{
"Language" : String,
"Text" : String
}
YAML
Language: String
Text: String
Properties
Language
The language used to define the entity. GRAPHQL is the only valid value.
Required: Yes
Type: String

Text
The GraphQL text that defines the entity.
Required: Yes
Type: String
Amazon Kinesis Resource Type Reference

Resource Types
• AWS::Kinesis::Stream (p. 2633)

• AWS::Kinesis::StreamConsumer (p. 2637)
AWS::Kinesis::Stream
Creates a Kinesis stream that captures and transports data records that are emitted from data sources.
For information about creating streams, see CreateStream in the Amazon Kinesis API Reference.
Syntax
JSON
{
"Type" : "AWS::Kinesis::Stream",
"Properties" : {

2633
Amazon Kinesis
"Name" : String,
"RetentionPeriodHours" : Integer,
"ShardCount" : Integer,
"StreamEncryption" : StreamEncryption (p. 2636),
"Tags" : [ Tag, ... ]
}
}
YAML
Type: AWS::Kinesis::Stream
Properties:
Name: String
RetentionPeriodHours: Integer
ShardCount: Integer
StreamEncryption:
StreamEncryption (p. 2636)
Tags:
- Tag
Properties
Name
The name of the Kinesis stream. If you don't specify a name, AWS CloudFormation generates a
unique physical ID and uses that ID for the stream name. For more information, see Name Type.
If you specify a name, you cannot perform updates that require replacement of this resource. You
can perform updates that require no or some interruption. If you must replace the resource, specify a
new name.
Required: No
Type: String
Minimum: 1
Maximum: 128

RetentionPeriodHours
The number of hours for the data records that are stored in shards to remain accessible. The
default value is 24. For more information about the stream retention period, see Changing the Data
Retention Period in the Amazon Kinesis Developer Guide.
Required: No
Type: Integer

ShardCount
The number of shards that the stream uses. For greater provisioned throughput, increase the
number of shards.
Required: Yes

2634
Amazon Kinesis
Type: Integer
Minimum: 1

StreamEncryption
Enables or updates server-side encryption using an AWS KMS key for a specified stream.
Required: No
Type: StreamEncryption (p. 2636)

Tags
An arbitrary set of tags (key–value pairs) to associate with the Kinesis stream. For information about
constraints for this property, see Tag Restrictions in the Amazon Kinesis Developer Guide.
Required: No
Type: List of Tag
Return Values
Ref
When you specify an AWS::Kinesis::Stream resource as an argument to the Ref function, AWS
CloudFormation returns the stream name (physical ID).
Fn::GetAtt
Fn::GetAtt returns a value for the Arn attribute.
Arn
The Amazon resource name (ARN) of the Kinesis stream, such as arn:aws:kinesis:us-
east-2:123456789012:stream/mystream.
Examples
Create a Stream
The following example creates a Stream resource that uses three shards, sets a seven-day retention
period, and specifies the KMS key for server-side encryption.
JSON
"MyStream": {

2635
Amazon Kinesis
"Type": "AWS::Kinesis::Stream",
"Properties": {
"Name": "MyKinesisStream",
"RetentionPeriodHours" : 168,
"ShardCount": 3,
"StreamEncryption": {
"EncryptionType": "KMS",
"KeyId": "!Ref myKey"
},
"Tags": [ {
"Key": "Environment",
"Value": "Production" } ]
}
}
YAML
MyStream:
Properties:
Name: MyKinesisStream
RetentionPeriodHours: 168
ShardCount: 3
StreamEncryption:
EncryptionType: KMS
KeyId: !Ref myKey
Tags:
-
Key: Environment Value:
Production
AWS::Kinesis::Stream StreamEncryption
Enables or updates server-side encryption using an AWS KMS key for a specified stream.
Starting encryption is an asynchronous operation. Upon receiving the request, Kinesis Data Streams
returns immediately and sets the status of the stream to UPDATING. After the update is complete,
Kinesis Data Streams sets the status of the stream back to ACTIVE. Updating or applying encryption
normally takes a few seconds to complete, but it can take minutes. You can continue to read and write
data to your stream while its status is UPDATING. Once the status of the stream is ACTIVE, encryption
begins for records written to the stream.
API Limits: You can successfully apply a new AWS KMS key for server-side encryption 25 times in a rolling
24-hour period.
Note: It can take up to 5 seconds after the stream is in an ACTIVE status before all records written to
the stream are encrypted. After you enable encryption, you can verify that encryption is applied by
inspecting the API response from PutRecord or PutRecords.
Syntax
JSON
{
"EncryptionType" : String,
"KeyId" : String
}

2636
Amazon Kinesis
YAML
EncryptionType: String
KeyId: String
Properties
EncryptionType
The encryption type to use. The only valid value is KMS.
Required: Yes
Type: String
Allowed Values: KMS | NONE

KeyId
The GUID for the customer-managed AWS KMS key to use for encryption. This value can be a
globally unique identifier, a fully specified Amazon Resource Name (ARN) to either an alias or a key,
or an alias name prefixed by "alias/".You can also use a master key owned by Kinesis Data Streams by
specifying the alias aws/kinesis.
• Key ARN example: arn:aws:kms:us-
east-1:123456789012:key/12345678-1234-1234-1234-123456789012
• Alias ARN example: arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
• Globally unique key ID example: 12345678-1234-1234-1234-123456789012
• Alias name example: alias/MyAliasName
• Master key owned by Kinesis Data Streams: alias/aws/kinesis
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
AWS::Kinesis::StreamConsumer
Use the AWS CloudFormation AWS::Kinesis::StreamConsumer resource to register a consumer with
a Kinesis data stream. The consumer you register can then call SubscribeToShard to receive data from
the stream using enhanced fan-out, at a rate of up to 2 MiB per second for every shard you subscribe to.
This rate is unaffected by the total number of consumers that read from the same stream.
You can register up to five consumers per stream. However, you can request a limit increase using the
Kinesis Data Streams limits form. A given consumer can only be registered with one stream at a time.
For more information, see Using Consumers with Enhanced Fan-Out.
Syntax

2637
Amazon Kinesis
JSON
{
"Type" : "AWS::Kinesis::StreamConsumer",
"Properties" : {
"ConsumerName" : String,
"StreamARN" : String
}
}
YAML
Type: AWS::Kinesis::StreamConsumer
Properties:
ConsumerName: String
StreamARN: String
Properties
ConsumerName
The name of the consumer is something you choose when you register the consumer.
Required: Yes
Type: String
Minimum: 1
Maximum: 128

StreamARN
The ARN of the stream with which you registered the consumer.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:aws.*:kinesis:.*:\d{12}:stream/.+
Return Values
Ref
When you pass the logical ID of an AWS::Kinesis::StreamConsumer resource to the intrinsic Ref
function, the function returns the consumer ARN. For example ARN formats, see Example ARNs.

2638
Amazon Kinesis
Fn::GetAtt
ConsumerARN
When you register a consumer, Kinesis Data Streams generates an ARN for it. You need this ARN to
be able to call SubscribeToShard.
If you delete a consumer and then create a new one with the same name, it won't have the same
ARN. That's because consumer ARNs contain the creation timestamp. This is important to keep in
mind if you have IAM policies that reference consumer ARNs.
ConsumerCreationTimestamp
The time at which the consumer was created.

ConsumerName
The name you gave the consumer when you registered it.
ConsumerStatus
A consumer can't read data while in the CREATING or DELETING states.

StreamARN
The ARN of the data stream with which the consumer is registered.
Examples
Register a Consumer with a Kinesis Data Stream
JSON
{
"Parameters": {
"TestStreamARN": {
"Type": "String" },
"TestConsumerName": {
"Type": "String" } },
"Resources": {
"StreamConsumer": {
"Type": "AWS::Kinesis::StreamConsumer",
"Properties": {
"StreamARN": { "Ref" : TestStreamARN },
"ConsumerName": { "Ref" : TestConsumerName }
}
}
}
}
YAML
Parameters:
TestStreamARN:

2639
KinesisAnalytics
Type: String
TestConsumerName:
Type: String
Resources: StreamConsumer:
Type: "AWS::Kinesis::StreamConsumer"
Properties:
StreamARN: !Ref TestStreamARN
ConsumerName: !Ref TestConsumerName
KinesisAnalytics Resource Type Reference

Resource Types
• AWS::KinesisAnalytics::Application (p. 2640)

• AWS::KinesisAnalytics::ApplicationOutput (p. 2654)
• AWS::KinesisAnalytics::ApplicationReferenceDataSource (p. 2661)
AWS::KinesisAnalytics::Application
The AWS::KinesisAnalytics::Application resource creates an Amazon Kinesis Data Analytics
application. For more information, see the Amazon Kinesis Data Analytics Developer Guide.
Syntax
JSON
{
"Type" : "AWS::KinesisAnalytics::Application",
"Properties" : {
"ApplicationCode" : String,
"ApplicationDescription" : String,
"Inputs" : [ Input (p. 2644), ... ]
}
}
YAML
Type: AWS::KinesisAnalytics::Application
Properties:
ApplicationCode: String
ApplicationDescription: String
Inputs:
- Input (p. 2644)
Properties
ApplicationCode
One or more SQL statements that read input data, transform it, and generate output. For example,
you can write a SQL statement that reads data from one in-application stream, generates a running
average of the number of advertisement clicks by vendor, and insert resulting rows in another in-

2640
KinesisAnalytics
application stream using pumps. For more information about the typical pattern, see Application
Code.
You can provide such series of SQL statements, where output of one statement can be used as the
input for the next statement. You store intermediate results by creating in-application streams and
pumps.
Note that the application code must create the streams with names specified in the Outputs.
For example, if your Outputs defines output streams named ExampleOutputStream1 and
ExampleOutputStream2, then your application code must create these streams.
Required: No
Type: String
Minimum: 0
Maximum: 102400

ApplicationDescription
Summary description of the application.
Required: No
Type: String
Minimum: 0
Maximum: 1024

ApplicationName
Name of your Amazon Kinesis Analytics application (for example, sample-app).
Required: No
Type: String
Minimum: 1
Maximum: 128

Inputs
Use this parameter to configure the application input.
You can configure your application to receive input from a single streaming source. In this
configuration, you map this streaming source to an in-application stream that is created. Your
application code can then query the in-application stream like a table (you can think of it as a
constantly updating table).
For the streaming source, you provide its Amazon Resource Name (ARN) and format of data on
the stream (for example, JSON, CSV, etc.). You also must provide an IAM role that Amazon Kinesis
Analytics can assume to read this stream on your behalf.

2641
KinesisAnalytics
To create the in-application stream, you need to specify a schema to transform your data into a
schematized version used in SQL. In the schema, you provide the necessary mapping of the data
elements in the streaming source to record columns in the in-app stream.
Required: Yes
Type: List of Input (p. 2644)
Examples
Creating an Amazon Kinesis Data Analytics Application
The following example demonstrates how to create and configure a Kinesis Data Analytics application.
YAML
---
Description: "Sample KinesisAnalytics via CloudFormation"
Resources:
BasicApplication:
Type: AWS::KinesisAnalytics::Application
Properties:
ApplicationName: "sampleApplication"
ApplicationDescription: "SampleApp"
ApplicationCode: "Example Application Code"
Inputs:
- NamePrefix: "exampleNamePrefix"
InputSchema:
RecordColumns:
- Name: "example"
SqlType: "VARCHAR(16)"
Mapping: "$.example"
RecordFormat:
RecordFormatType: "JSON"
MappingParameters:
JSONMappingParameters:
RecordRowPath: "$"
KinesisStreamsInput:
ResourceARN: !GetAtt InputKinesisStream.Arn
RoleARN: !GetAtt KinesisAnalyticsRole.Arn
InputKinesisStream:
Properties:
ShardCount: 1
KinesisAnalyticsRole:
Properties:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: kinesisanalytics.amazonaws.com
Path: "/"
Policies:
- PolicyName: Open
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow

2642
KinesisAnalytics
Action: "*"
Resource: "*"
BasicApplicationOutputs:
Type: AWS::KinesisAnalytics::ApplicationOutput
DependsOn: BasicApplication
Properties:
ApplicationName: !Ref BasicApplication
Output:
Name: "exampleOutput"
DestinationSchema:
RecordFormatType: "CSV"
KinesisStreamsOutput:
ResourceARN: !GetAtt OutputKinesisStream.Arn
OutputKinesisStream:
Properties:
ShardCount: 1
ApplicationReferenceDataSource:
Type: AWS::KinesisAnalytics::ApplicationReferenceDataSource
DependsOn: BasicApplicationOutputs
Properties:
ReferenceDataSource:
TableName: "exampleTable"
ReferenceSchema:
RecordColumns:
- Name: "example"
RecordFormat:
MappingParameters:
RecordRowPath: "$"
S3ReferenceDataSource:
BucketARN: !GetAtt S3Bucket.Arn
FileKey: 'fakeKey'
ReferenceRoleARN: !GetAtt KinesisAnalyticsRole.Arn
S3Bucket:
Outputs:
ApplicationPhysicalResourceId:
Value: !Ref BasicApplication
AWS::KinesisAnalytics::Application CSVMappingParameters
Provides additional mapping information when the record format uses delimiters, such as CSV. For
example, the following sample records use CSV format, where the records use the '\n' as the row
delimiter and a comma (",") as the column delimiter:
"name1", "address1"
"name2", "address2"
Syntax
JSON
{
"RecordColumnDelimiter" : String,

2643
KinesisAnalytics
"RecordRowDelimiter" : String
}
YAML
RecordColumnDelimiter: String
RecordRowDelimiter: String
Properties
RecordColumnDelimiter
Column delimiter. For example, in a CSV format, a comma (",") is the typical column delimiter.
Required: Yes
Type: String
Minimum: 1

RecordRowDelimiter
Row delimiter. For example, in a CSV format, '\n' is the typical row delimiter.
Required: Yes
Type: String
Minimum: 1
AWS::KinesisAnalytics::Application Input
When you configure the application input, you specify the streaming source, the in-application stream
name that is created, and the mapping between the two. For more information, see Configuring
Application Input.
Syntax
JSON
{
"InputParallelism" : InputParallelism (p. 2647),
"InputProcessingConfiguration" : InputProcessingConfiguration (p. 2648),
"InputSchema" : InputSchema (p. 2648),
"KinesisFirehoseInput" : KinesisFirehoseInput (p. 2650),
"KinesisStreamsInput" : KinesisStreamsInput (p. 2651),
"NamePrefix" : String
}
YAML
InputParallelism:

2644
KinesisAnalytics
InputParallelism (p. 2647)

InputProcessingConfiguration:
InputProcessingConfiguration (p. 2648)
InputSchema:
InputSchema (p. 2648)
KinesisFirehoseInput:
KinesisFirehoseInput (p. 2650)
KinesisStreamsInput (p. 2651)
NamePrefix: String
Properties
InputParallelism
Describes the number of in-application streams to create.
Data from your source is routed to these in-application input streams.
See Configuring Application Input.
Required: No
Type: InputParallelism (p. 2647)

InputProcessingConfiguration
The InputProcessingConfiguration for the input. An input processor transforms records as they are
received from the stream, before the application's SQL code executes. Currently, the only input
processing configuration available is InputLambdaProcessor.
Required: No
Type: InputProcessingConfiguration (p. 2648)

InputSchema
Describes the format of the data in the streaming source, and how each data element maps to
corresponding columns in the in-application stream that is being created.
Also used to describe the format of the reference data source.
Required: Yes
Type: InputSchema (p. 2648)

KinesisFirehoseInput
If the streaming source is an Amazon Kinesis Firehose delivery stream, identifies the delivery
stream's ARN and an IAM role that enables Amazon Kinesis Analytics to access the stream on your
behalf.
Note: Either KinesisStreamsInput or KinesisFirehoseInput is required.
Type: KinesisFirehoseInput (p. 2650)

2645
KinesisAnalytics

KinesisStreamsInput
If the streaming source is an Amazon Kinesis stream, identifies the stream's Amazon Resource Name
(ARN) and an IAM role that enables Amazon Kinesis Analytics to access the stream on your behalf.
Note: Either KinesisStreamsInput or KinesisFirehoseInput is required.
Type: KinesisStreamsInput (p. 2651)

NamePrefix
Name prefix to use when creating an in-application stream. Suppose that you specify a
prefix "MyInApplicationStream." Amazon Kinesis Analytics then creates one or more (as
per the InputParallelism count you specified) in-application streams with names
"MyInApplicationStream_001," "MyInApplicationStream_002," and so on.
Required: Yes
Type: String
Minimum: 1
Maximum: 32
AWS::KinesisAnalytics::Application InputLambdaProcessor
An object that contains the Amazon Resource Name (ARN) of the AWS Lambda function that is used to
preprocess records in the stream, and the ARN of the IAM role that is used to access the AWS Lambda
function.
Syntax
JSON
{
"ResourceARN" : String,
"RoleARN" : String
}
YAML
ResourceARN: String
RoleARN: String
Properties
ResourceARN
The ARN of the AWS Lambda function that operates on records in the stream.

2646
KinesisAnalytics
Note
To specify an earlier version of the Lambda function than the latest, include the Lambda
function version in the Lambda function ARN. For more information about Lambda ARNs,
see Example ARNs: AWS Lambda
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*

RoleARN
The ARN of the IAM role that is used to access the AWS Lambda function.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:aws:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+
AWS::KinesisAnalytics::Application InputParallelism
Describes the number of in-application streams to create for a given streaming source. For information
about parallelism, see Configuring Application Input.
Syntax
JSON
{
"Count" : Integer
}
YAML
Count: Integer
Properties
Count
Number of in-application streams to create. For more information, see Limits.
Required: No

2647
KinesisAnalytics
Type: Integer
Minimum: 1
Maximum: 64
AWS::KinesisAnalytics::Application InputProcessingConfiguration
Provides a description of a processor that is used to preprocess the records in the stream before being
processed by your application code. Currently, the only input processor available is AWS Lambda.
Syntax
JSON
{
"InputLambdaProcessor" : InputLambdaProcessor (p. 2646)
}
YAML
InputLambdaProcessor:
InputLambdaProcessor (p. 2646)
Properties
InputLambdaProcessor
The InputLambdaProcessor that is used to preprocess the records in the stream before being
processed by your application code.
Required: No
Type: InputLambdaProcessor (p. 2646)
AWS::KinesisAnalytics::Application InputSchema
Syntax
JSON
{
"RecordColumns" : [ RecordColumn (p. 2653), ... ],

2648
KinesisAnalytics
"RecordEncoding" : String,
"RecordFormat" : RecordFormat (p. 2654)
}
YAML
RecordColumns:
- RecordColumn (p. 2653)
RecordEncoding: String
RecordFormat:
RecordFormat (p. 2654)
Properties
RecordColumns
A list of RecordColumn objects.
Required: Yes
Type: List of RecordColumn (p. 2653)
Maximum: 1000

RecordEncoding
Specifies the encoding of the records in the streaming source. For example, UTF-8.
Required: No
Type: String
Pattern: UTF-8

RecordFormat
Specifies the format of the records on the streaming source.
Required: Yes
Type: RecordFormat (p. 2654)
AWS::KinesisAnalytics::Application JSONMappingParameters
Provides additional mapping information when JSON is the record format on the streaming source.
Syntax
JSON
{
"RecordRowPath" : String

2649
KinesisAnalytics
YAML
RecordRowPath: String
Properties
RecordRowPath
Path to the top-level parent that contains the records.
Required: Yes
Type: String
Minimum: 1
AWS::KinesisAnalytics::Application KinesisFirehoseInput
Identifies an Amazon Kinesis Firehose delivery stream as the streaming source. You provide the delivery
stream's Amazon Resource Name (ARN) and an IAM role ARN that enables Amazon Kinesis Analytics to
access the stream on your behalf.
Syntax
JSON
{
"RoleARN" : String
}
YAML
ResourceARN: String
RoleARN: String
Properties
ResourceARN
ARN of the input delivery stream.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*

2650
KinesisAnalytics

RoleARN
ARN of the IAM role that Amazon Kinesis Analytics can assume to access the stream on your behalf.
You need to make sure that the role has the necessary permissions to access the stream.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
AWS::KinesisAnalytics::Application KinesisStreamsInput
Identifies an Amazon Kinesis stream as the streaming source. You provide the stream's Amazon Resource
Name (ARN) and an IAM role ARN that enables Amazon Kinesis Analytics to access the stream on your
behalf.
Syntax
JSON
{
"RoleARN" : String
}
YAML
ResourceARN: String
RoleARN: String
Properties
ResourceARN
ARN of the input Amazon Kinesis stream to read.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*

2651
KinesisAnalytics
RoleARN
ARN of the IAM role that Amazon Kinesis Analytics can assume to access the stream on your behalf.
You need to grant the necessary permissions to this role.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
AWS::KinesisAnalytics::Application MappingParameters
When configuring application input at the time of creating or updating an application, provides
additional mapping information specific to the record format (such as JSON, CSV, or record fields
delimited by some delimiter) on the streaming source.
Syntax
JSON
{
"CSVMappingParameters" : CSVMappingParameters (p. 2643),
"JSONMappingParameters" : JSONMappingParameters (p. 2649)
}
YAML
CSVMappingParameters:
CSVMappingParameters (p. 2643)
JSONMappingParameters (p. 2649)
Properties
CSVMappingParameters
Provides additional mapping information when the record format uses delimiters (for example, CSV).
Required: No
Type: CSVMappingParameters (p. 2643)

JSONMappingParameters
Required: No
Type: JSONMappingParameters (p. 2649)

2652
KinesisAnalytics
AWS::KinesisAnalytics::Application RecordColumn
Describes the mapping of each data element in the streaming source to the corresponding column in the
in-application stream.
Syntax
JSON
{
"Mapping" : String,
"Name" : String,
"SqlType" : String
}
YAML
Mapping: String
Name: String
SqlType: String
Properties
Mapping
Reference to the data element in the streaming input or the reference data source. This element is
required if the RecordFormatType is JSON.
Required: No
Type: String

Name
Name of the column created in the in-application input stream or reference table.
Required: Yes
Type: String

SqlType
Type of column created in the in-application input stream or reference table.
Required: Yes
Type: String
Minimum: 1

2653
KinesisAnalytics
AWS::KinesisAnalytics::Application RecordFormat
Describes the record format and relevant mapping information that should be applied to schematize the
records on the stream.
Syntax
JSON
{
"MappingParameters" : MappingParameters (p. 2652),
"RecordFormatType" : String
}
YAML
MappingParameters:
MappingParameters (p. 2652)
RecordFormatType: String
Properties
MappingParameters
Required: No
Type: MappingParameters (p. 2652)

RecordFormatType
The type of record format.
Required: Yes
Type: String
Allowed Values: CSV | JSON
AWS::KinesisAnalytics::ApplicationOutput
Adds an external destination to your Amazon Kinesis Analytics application.
If you want Amazon Kinesis Analytics to deliver data from an in-application stream within your
application to an external destination (such as an Amazon Kinesis stream, an Amazon Kinesis Firehose
delivery stream, or an AWS Lambda function), you add the relevant configuration to your application

2654
KinesisAnalytics
using this operation. You can configure one or more outputs for your application. Each output
configuration maps an in-application stream and an external destination.
You can use one of the output configurations to deliver data from your in-application error stream to
an external destination so that you can analyze the errors. For more information, see Understanding
Application Output (Destination).
Any configuration update, including adding a streaming source using this operation, results in a new
version of the application. You can use the DescribeApplication operation to find the current
For the limits on the number of application inputs and outputs you can configure, see Limits.
This operation requires permissions to perform the kinesisanalytics:AddApplicationOutput

action.
Syntax
JSON
{
"Type" : "AWS::KinesisAnalytics::ApplicationOutput",
"Properties" : {
"Output" : Output (p. 2660)
}
}
YAML
Properties:
Output:
Output (p. 2660)
Properties
ApplicationName
Name of the application to which you want to add the output configuration.
Required: Yes
Type: String
Minimum: 1
Maximum: 128

Output
An array of objects, each describing one output configuration. In the output configuration, you
specify the name of an in-application stream, a destination (that is, an Amazon Kinesis stream, an

2655
KinesisAnalytics
Amazon Kinesis Firehose delivery stream, or an AWS Lambda function), and record the formation to
use when writing to the destination.
Required: Yes
Type: Output (p. 2660)
Examples
Adding an ApplicationOutput Resource
The following example creates an ApplicationOutput resource:
YAML
Properties:
Output:
Name: "exampleOutput"
DestinationSchema:
RecordFormatType: "CSV"
ResourceARN: !GetAtt OutputKinesisStream.Arn
AWS::KinesisAnalytics::ApplicationOutput DestinationSchema
Describes the data format when records are written to the destination. For more information, see
Configuring Application Output.
Syntax
JSON
{
}
YAML
Properties
RecordFormatType
Specifies the format of the records on the output stream.
Required: No
Type: String

2656
KinesisAnalytics
AWS::KinesisAnalytics::ApplicationOutput KinesisFirehoseOutput
When configuring application output, identifies an Amazon Kinesis Firehose delivery stream as the
destination. You provide the stream Amazon Resource Name (ARN) and an IAM role that enables Amazon
Kinesis Analytics to write to the stream on your behalf.
Syntax
JSON
{
"RoleARN" : String
}
YAML
ResourceARN: String
RoleARN: String
Properties
ResourceARN
ARN of the destination Amazon Kinesis Firehose delivery stream to write to.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*

RoleARN
ARN of the IAM role that Amazon Kinesis Analytics can assume to write to the destination stream on
your behalf. You need to grant the necessary permissions to this role.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048

2657
KinesisAnalytics
AWS::KinesisAnalytics::ApplicationOutput KinesisStreamsOutput
When configuring application output, identifies an Amazon Kinesis stream as the destination. You
provide the stream Amazon Resource Name (ARN) and also an IAM role ARN that Amazon Kinesis
Analytics can use to write to the stream on your behalf.
Syntax
JSON
{
"RoleARN" : String
}
YAML
ResourceARN: String
RoleARN: String
Properties
ResourceARN
ARN of the destination Amazon Kinesis stream to write to.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*

RoleARN
ARN of the IAM role that Amazon Kinesis Analytics can assume to write to the destination stream on
your behalf. You need to grant the necessary permissions to this role.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048

2658
KinesisAnalytics
AWS::KinesisAnalytics::ApplicationOutput LambdaOutput
When configuring application output, identifies an AWS Lambda function as the destination. You provide
the function Amazon Resource Name (ARN) and also an IAM role ARN that Amazon Kinesis Analytics can
use to write to the function on your behalf.
Syntax
JSON
{
"RoleARN" : String
}
YAML
ResourceARN: String
RoleARN: String
Properties
ResourceARN
Amazon Resource Name (ARN) of the destination Lambda function to write to.
Note
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*

RoleARN
ARN of the IAM role that Amazon Kinesis Analytics can assume to write to the destination function
on your behalf. You need to grant the necessary permissions to this role.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048

2659
KinesisAnalytics
AWS::KinesisAnalytics::ApplicationOutput Output
Describes application output configuration in which you identify an in-application stream and a
destination where you want the in-application stream data to be written. The destination can be an
Amazon Kinesis stream or an Amazon Kinesis Firehose delivery stream.
For limits on how many destinations an application can write and other limitations, see Limits.
Syntax
JSON
{
"DestinationSchema" : DestinationSchema (p. 2656),
"KinesisFirehoseOutput" : KinesisFirehoseOutput (p. 2657),
"KinesisStreamsOutput" : KinesisStreamsOutput (p. 2658),
"LambdaOutput" : LambdaOutput (p. 2659),
"Name" : String
}
YAML
DestinationSchema:
DestinationSchema (p. 2656)
KinesisFirehoseOutput:
KinesisFirehoseOutput (p. 2657)
KinesisStreamsOutput (p. 2658)
LambdaOutput:
LambdaOutput (p. 2659)
Name: String
Properties
DestinationSchema
Describes the data format when records are written to the destination. For more information, see
Configuring Application Output.
Required: Yes
Type: DestinationSchema (p. 2656)

KinesisFirehoseOutput
Identifies an Amazon Kinesis Firehose delivery stream as the destination.
Required: No
Type: KinesisFirehoseOutput (p. 2657)

KinesisStreamsOutput
Identifies an Amazon Kinesis stream as the destination.
Required: No

2660
KinesisAnalytics
Type: KinesisStreamsOutput (p. 2658)

LambdaOutput
Identifies an AWS Lambda function as the destination.
Required: No
Type: LambdaOutput (p. 2659)

Name
Name of the in-application stream.
Required: No
Type: String
Minimum: 1
Maximum: 32
AWS::KinesisAnalytics::ApplicationReferenceDataSource
Adds a reference data source to an existing application.
Amazon Kinesis Analytics reads reference data (that is, an Amazon S3 object) and creates an in-
application table within your application. In the request, you provide the source (S3 bucket name and
object key name), name of the in-application table to create, and the necessary mapping information
that describes how data in Amazon S3 object maps to columns in the resulting in-application table.
For conceptual information, see Configuring Application Input. For the limits on data sources you can add
to your application, see Limits.
This operation requires permissions to perform the kinesisanalytics:AddApplicationOutput

action.
Syntax
JSON
{
"Type" : "AWS::KinesisAnalytics::ApplicationReferenceDataSource",
"Properties" : {
"ReferenceDataSource" : ReferenceDataSource (p. 2667)
}
}
YAML
Properties:

2661
KinesisAnalytics
ReferenceDataSource (p. 2667)
Properties
ApplicationName
Name of an existing application.
Required: Yes
Type: String
Minimum: 1
Maximum: 128

ReferenceDataSource
The reference data source can be an object in your Amazon S3 bucket. Amazon Kinesis Analytics
reads the object and copies the data into the in-application table that is created. You provide an S3
bucket, object key name, and the resulting in-application table that is created. You must also provide
an IAM role with the necessary permissions that Amazon Kinesis Analytics can assume to read the
object from your S3 bucket on your behalf.
Required: Yes
Type: ReferenceDataSource (p. 2667)
Examples
Adding an ApplicationReferenceDataSource Resource
The following example creates an ApplicationReferenceDataSource resource:
YAML
Properties:
TableName: "exampleTable"
ReferenceSchema:
RecordColumns:
- Name: "example"
RecordFormat:
MappingParameters:
RecordRowPath: "$"

2662
KinesisAnalytics
BucketARN: !GetAtt S3Bucket.Arn

FileKey: 'fakeKey'
ReferenceRoleARN: !GetAtt KinesisAnalyticsRole.Arn
AWS::KinesisAnalytics::ApplicationReferenceDataSource CSVMappingParameters
Provides additional mapping information when the record format uses delimiters, such as CSV. For
example, the following sample records use CSV format, where the records use the '\n' as the row
delimiter and a comma (",") as the column delimiter:
"name1", "address1"
"name2", "address2"
Syntax
JSON
{
}
YAML
Properties
Column delimiter. For example, in a CSV format, a comma (",") is the typical column delimiter.
Required: Yes
Type: String
Minimum: 1

RecordRowDelimiter
Row delimiter. For example, in a CSV format, '\n' is the typical row delimiter.
Required: Yes
Type: String
Minimum: 1
AWS::KinesisAnalytics::ApplicationReferenceDataSource

2663
KinesisAnalytics
Syntax
JSON
{
}
YAML
Properties
RecordRowPath
Path to the top-level parent that contains the records.
Required: Yes
Type: String
Minimum: 1
AWS::KinesisAnalytics::ApplicationReferenceDataSource MappingParameters
Syntax
JSON
{
}
YAML
Properties

2664
KinesisAnalytics
Required: No

Required: No
AWS::KinesisAnalytics::ApplicationReferenceDataSource RecordColumn
Describes the mapping of each data element in the streaming source to the corresponding column in the
in-application stream.
Syntax
JSON
{
"Mapping" : String,
"Name" : String,
"SqlType" : String
}
YAML
Mapping: String
Name: String
SqlType: String
Properties
Mapping
Reference to the data element in the streaming input or the reference data source. This element is
required if the RecordFormatType is JSON.
Required: No
Type: String

Name
Name of the column created in the in-application input stream or reference table.
Required: Yes
Type: String

2665
KinesisAnalytics

SqlType
Type of column created in the in-application input stream or reference table.
Required: Yes
Type: String
Minimum: 1
AWS::KinesisAnalytics::ApplicationReferenceDataSource RecordFormat
Describes the record format and relevant mapping information that should be applied to schematize the
records on the stream.
Syntax
JSON
{
}
YAML
MappingParameters:
Properties
MappingParameters
Required: No

RecordFormatType
Required: Yes
Type: String

2666
KinesisAnalytics
AWS::KinesisAnalytics::ApplicationReferenceDataSource ReferenceDataSource
Describes the reference data source by providing the source information (S3 bucket name and object
key name), the resulting in-application table name that is created, and the necessary schema to map the
data elements in the Amazon S3 object to the in-application table.
Syntax
JSON
{
"ReferenceSchema" : ReferenceSchema (p. 2668),
"S3ReferenceDataSource" : S3ReferenceDataSource (p. 2669),
}
YAML
ReferenceSchema:
ReferenceSchema (p. 2668)
S3ReferenceDataSource (p. 2669)
TableName: String
Properties
ReferenceSchema
corresponding columns created in the in-application stream.
Required: Yes
Type: ReferenceSchema (p. 2668)

S3ReferenceDataSource
Identifies the S3 bucket and object that contains the reference data. Also identifies the IAM
role Amazon Kinesis Analytics can assume to read this object on your behalf. An Amazon
Kinesis Analytics application loads reference data only once. If the data changes, you call the
UpdateApplication operation to trigger reloading of data into your application.
Required: No
Type: S3ReferenceDataSource (p. 2669)

TableName
Name of the in-application table to create.
Required: No

2667
KinesisAnalytics
Type: String
Minimum: 1
Maximum: 32
AWS::KinesisAnalytics::ApplicationReferenceDataSource ReferenceSchema
The ReferenceSchema property type specifies the format of the data in the reference source for a SQL-
based Amazon Kinesis Data Analytics application.
Syntax
JSON
{
}
YAML
RecordColumns:
RecordFormat:
Properties
RecordColumns
Required: Yes

RecordEncoding
Specifies the encoding of the records in the reference source. For example, UTF-8.
Required: No
Type: String

RecordFormat
Specifies the format of the records on the reference source.
Required: Yes

2668
KinesisAnalytics
AWS::KinesisAnalytics::ApplicationReferenceDataSource S3ReferenceDataSource
Identifies the S3 bucket and object that contains the reference data. Also identifies the IAM role Amazon
Kinesis Analytics can assume to read this object on your behalf.
An Amazon Kinesis Analytics application loads reference data only once. If the data changes, you call the
Syntax
JSON
{
"BucketARN" : String,
"FileKey" : String,
"ReferenceRoleARN" : String
}
YAML
BucketARN: String
FileKey: String
ReferenceRoleARN: String
Properties
BucketARN
Amazon Resource Name (ARN) of the S3 bucket.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*

FileKey
Object key name containing reference data.
Required: Yes
Type: String
Minimum: 1
Maximum: 1024

2669
Amazon Kinesis Data Analytics V2

ReferenceRoleARN
ARN of the IAM role that the service can assume to read data on your behalf. This role must have
permission for the s3:GetObject action on the object and trust policy that allows Amazon Kinesis
Analytics service principal to assume this role.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Amazon Kinesis Data Analytics V2 Resource Type

Reference
Resource Types
• AWS::KinesisAnalyticsV2::Application (p. 2670)

• AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption (p. 2701)
• AWS::KinesisAnalyticsV2::ApplicationOutput (p. 2703)
• AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource (p. 2710)
AWS::KinesisAnalyticsV2::Application
Creates an Amazon Kinesis Data Analytics application. For information about creating a Kinesis Data
Analytics application, see Creating an Application.
Syntax
JSON
{
"Type" : "AWS::KinesisAnalyticsV2::Application",
"Properties" : {
"ApplicationConfiguration" : ApplicationConfiguration (p. 2678),
"ApplicationDescription" : String,
"RuntimeEnvironment" : String,
"ServiceExecutionRole" : String
}
}
YAML
Type: AWS::KinesisAnalyticsV2::Application
Properties:

2670
ApplicationConfiguration:
ApplicationConfiguration (p. 2678)
ApplicationDescription: String
RuntimeEnvironment: String
ServiceExecutionRole: String
Properties
ApplicationConfiguration
Use this parameter to configure the application.
Required: No
Type: ApplicationConfiguration (p. 2678)

ApplicationDescription
The description of the application.
Required: No
Type: String
Minimum: 0
Maximum: 1024

ApplicationName
Required: No
Type: String
Minimum: 1
Maximum: 128

RuntimeEnvironment
The runtime environment for the application (SQL-1.0 or FLINK-1_6).
Required: Yes
Type: String
Allowed Values: FLINK-1_6 | SQL-1_0

ServiceExecutionRole
Specifies the IAM role that the application uses to access external resources.

2671
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Examples
Create an application
JSON
{
"Description": "Sample KinesisAnalytics via CloudFormation",
"Resources": {
"BasicApplication": {
"Type": "AWS::KinesisAnalyticsV2::Application",
"Properties": {
"ApplicationName": "sampleApplication",
"ApplicationDescription": "SampleApp",
"RuntimeEnvironment": "SQL-1_0",
"ServiceExecutionRole": {
"Fn::GetAtt": [
"ServiceExecutionRole",
"Arn"
]
},
"ApplicationConfiguration": {
"SqlApplicationConfiguration": {
"Inputs": [
{
"NamePrefix": "exampleNamePrefix",
"InputSchema": {
"RecordColumns": [
{
"Name": "example",
"SqlType": "VARCHAR(16)",
"Mapping": "$.example"
}
],
"RecordFormat": {
"RecordFormatType": "JSON",
"MappingParameters": {
"JSONMappingParameters": {
"RecordRowPath": "$"
}
}
}
},
"KinesisStreamsInput": {
"ResourceARN": {
"Fn::GetAtt": [
"SQLCanaryInputStream",
"Arn"
]
}
}

2672
}
]
},
"ApplicationCodeConfiguration": {
"CodeContent": {
"TextContent": "Example Application Code"
},
"CodeContentType": "PLAINTEXT"
}
}
}
},
"ServiceExecutionRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "kinesisanalytics.amazonaws.com"
},
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "Open",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]
}
},
"InputKinesisStream": {
"Properties": {
"ShardCount": 1
}
},
"KinesisAnalyticsRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "kinesisanalytics.amazonaws.com"
},
}
]
},

2673
"Path": "/",
"Policies": [
{
"PolicyName": "Open",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
]
}
},
"BasicApplicationOutputs": {
"Type": "AWS::KinesisAnalytics::ApplicationOutput",
"DependsOn": "BasicApplication",
"Properties": {
"Ref": "BasicApplication"
},
"Output": {
"Name": "exampleOutput",
"DestinationSchema": {
"RecordFormatType": "CSV"
},
"KinesisStreamsOutput": {
"ResourceARN": {
"Fn::GetAtt": [
"OutputKinesisStream",
"Arn"
]
},
"RoleARN": {
"Fn::GetAtt": [
"KinesisAnalyticsRole",
"Arn"
]
}
}
}
}
},
"OutputKinesisStream": {
"Properties": {
"ShardCount": 1
}
},
"BasicApplicationReferenceDataSource": {
"Type": "AWS::KinesisAnalytics::ApplicationReferenceDataSource",
"DependsOn": "BasicApplicationOutputs",
"Properties": {
},
"ReferenceDataSource": {
"TableName": "exampleTable",
"ReferenceSchema": {
"RecordColumns": [
{
"Name": "example",

2674
}
],
"RecordFormat": {
}
}
}
},
"S3ReferenceDataSource": {
"BucketARN": {
"Fn::GetAtt": [
"S3Bucket",
"Arn"
]
},
"FileKey": "fakeKey",
"ReferenceRoleARN": {
"Fn::GetAtt": [
"KinesisAnalyticsRole",
"Arn"
]
}
}
}
}
},
"S3Bucket": {
}
},
"Outputs": {
"ApplicationPhysicalResourceId": {
"Value": {
}
}
}
}
YAML
Description: Sample KinesisAnalytics via CloudFormation

Resources:
BasicApplication:
Type: 'AWS::KinesisAnalyticsV2::Application'
Properties:
ApplicationName: sampleApplication
ApplicationDescription: SampleApp
RuntimeEnvironment: SQL-1_0
ServiceExecutionRole: !GetAtt
- ServiceExecutionRole
- Arn
ApplicationConfiguration:
SqlApplicationConfiguration:
Inputs:
- NamePrefix: exampleNamePrefix
InputSchema:
RecordColumns:
- Name: example

2675
SqlType: VARCHAR(16)
Mapping: $.example
RecordFormat:
RecordFormatType: JSON
MappingParameters:
RecordRowPath: $
ResourceARN: !GetAtt
- SQLCanaryInputStream
- Arn
ApplicationCodeConfiguration:
CodeContent:
TextContent: Example Application Code
CodeContentType: PLAINTEXT
ServiceExecutionRole:
Properties:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Path: /
Policies:
- PolicyName: Open
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: '*'
Resource: '*'
InputKinesisStream:
Type: 'AWS::Kinesis::Stream'
Properties:
ShardCount: 1
KinesisAnalyticsRole:
Properties:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Path: /
Policies:
- PolicyName: Open
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: '*'
Resource: '*'
BasicApplicationOutputs:
Type: 'AWS::KinesisAnalytics::ApplicationOutput'
DependsOn: BasicApplication
Properties:
Output:
Name: exampleOutput
DestinationSchema:
RecordFormatType: CSV

2676
- OutputKinesisStream
- Arn
RoleARN: !GetAtt
- KinesisAnalyticsRole
- Arn
OutputKinesisStream:
Type: 'AWS::Kinesis::Stream'
Properties:
ShardCount: 1
BasicApplicationReferenceDataSource:
Type: 'AWS::KinesisAnalytics::ApplicationReferenceDataSource'
DependsOn: BasicApplicationOutputs
Properties:
TableName: exampleTable
ReferenceSchema:
RecordColumns:
- Name: example
Mapping: $.example
RecordFormat:
MappingParameters:
RecordRowPath: $
BucketARN: !GetAtt
- S3Bucket
- Arn
FileKey: fakeKey
ReferenceRoleARN: !GetAtt
- KinesisAnalyticsRole
- Arn
S3Bucket:
Outputs:
ApplicationPhysicalResourceId:
Value: !Ref BasicApplication
See Also
• CreateApplication in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application ApplicationCodeConfiguration
Describes code configuration for a Java-based Kinesis Data Analytics application.
Syntax
JSON
{
"CodeContent" : CodeContent (p. 2682),
"CodeContentType" : String
}

2677
YAML
CodeContent:
CodeContent (p. 2682)
CodeContentType: String
Properties
CodeContent
The location and type of the application code.
Required: Yes
Type: CodeContent (p. 2682)

CodeContentType
Specifies whether the code content is in text or zip format.
Required: Yes
Type: String
Allowed Values: PLAINTEXT | ZIPFILE
See Also
• ApplicationCodeConfiguration in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application ApplicationConfiguration
Specifies the creation parameters for an Amazon Kinesis Data Analytics application.
Syntax
JSON
{
"ApplicationCodeConfiguration" : ApplicationCodeConfiguration (p. 2677),
"ApplicationSnapshotConfiguration" : ApplicationSnapshotConfiguration (p. 2679),
"EnvironmentProperties" : EnvironmentProperties (p. 2684),
"FlinkApplicationConfiguration" : FlinkApplicationConfiguration (p. 2684),
"SqlApplicationConfiguration" : SqlApplicationConfiguration (p. 2700)
}
YAML
ApplicationCodeConfiguration:
ApplicationCodeConfiguration (p. 2677)
ApplicationSnapshotConfiguration:
ApplicationSnapshotConfiguration (p. 2679)
EnvironmentProperties:
EnvironmentProperties (p. 2684)

2678
FlinkApplicationConfiguration:
FlinkApplicationConfiguration (p. 2684)
SqlApplicationConfiguration:
SqlApplicationConfiguration (p. 2700)
Properties
ApplicationCodeConfiguration
The code location and type parameters for a Java-based Kinesis Data Analytics application.
Type: ApplicationCodeConfiguration (p. 2677)

ApplicationSnapshotConfiguration
Describes whether snapshots are enabled for a Java-based Kinesis Data Analytics application.
Required: No
Type: ApplicationSnapshotConfiguration (p. 2679)

EnvironmentProperties
Describes execution properties for a Java-based Kinesis Data Analytics application.
Required: No
Type: EnvironmentProperties (p. 2684)

FlinkApplicationConfiguration
The creation and update parameters for a Java-based Kinesis Data Analytics application.
Required: No
Type: FlinkApplicationConfiguration (p. 2684)

SqlApplicationConfiguration
The creation and update parameters for an SQL-based Kinesis Data Analytics application.
Required: No
Type: SqlApplicationConfiguration (p. 2700)
See Also
• ApplicationConfiguration in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application ApplicationSnapshotConfiguration

2679
Syntax
JSON
{
"SnapshotsEnabled" : Boolean
}
YAML
SnapshotsEnabled: Boolean
Properties
SnapshotsEnabled
Required: Yes
Type: Boolean
See Also
• ApplicationSnapshotConfiguration in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application CheckpointConfiguration
Describes an application's checkpointing configuration. Checkpointing is the process of persisting
application state for fault tolerance. For more information, see Checkpoints for Fault Tolerance in the
Apache Flink Documentation.
Syntax
JSON
{
"CheckpointingEnabled" : Boolean,
"CheckpointInterval" : Integer,
"ConfigurationType" : String,
"MinPauseBetweenCheckpoints" : Integer
}
YAML
CheckpointingEnabled: Boolean
CheckpointInterval: Integer
ConfigurationType: String
MinPauseBetweenCheckpoints: Integer

2680
Properties
CheckpointingEnabled
Describes whether checkpointing is enabled for a Java-based Kinesis Data Analytics application.
Note
If CheckpointConfiguration.ConfigurationType is DEFAULT, the application will
use a CheckpointingEnabled value of true, even if this value is set to another value
using this API or in application code.
Required: No
Type: Boolean

CheckpointInterval
Describes the interval in milliseconds between checkpoint operations.

Note
use a CheckpointInterval vaue of 60000, even if this value is set to another value using
this API or in application code.
Required: No
Type: Integer

ConfigurationType
Describes whether the application uses Amazon Kinesis Data Analytics' default checkpointing
behavior. You must set this property to CUSTOM in order to set the CheckpointingEnabled,
CheckpointInterval, or MinPauseBetweenCheckpoints parameters.
Note
If this value is set to DEFAULT, the application will use the following values, even if they are
set to other values using APIs or application code:
• CheckpointingEnabled: true
• CheckpointInterval: 60000
• MinPauseBetweenCheckpoints: 5000
Required: Yes
Type: String
Allowed Values: CUSTOM | DEFAULT

MinPauseBetweenCheckpoints
Describes the minimum time in milliseconds after a checkpoint operation completes that
a new checkpoint operation can start. If a checkpoint operation takes longer than the
CheckpointInterval, the application otherwise performs continual checkpoint operations. For
more information, see Tuning Checkpointing in the Apache Flink Documentation.
Note
use a MinPauseBetweenCheckpoints value of 5000, even if this value is set using this
API or in application code.

2681
Required: No
Type: Integer
See Also
• CheckpointConfiguration in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application CodeContent
Specifies either the application code, or the location of the application code, for a Java-based Amazon
Kinesis Data Analytics application.
Syntax
JSON
{
"S3ContentLocation" : S3ContentLocation (p. 2699),
"TextContent" : String,
"ZipFileContent" : String
}
YAML
S3ContentLocation:
S3ContentLocation (p. 2699)
TextContent: String
ZipFileContent: String
Properties
S3ContentLocation
Information about the Amazon S3 bucket containing the application code.
Required: No
Type: S3ContentLocation (p. 2699)

TextContent
The text-format code for a Java-based Kinesis Data Analytics application.
Required: No
Type: String
Minimum: 0
Maximum: 102400

2682
ZipFileContent
The zip-format code for a Java-based Kinesis Data Analytics application.
Required: No
Type: String
See Also
• CodeContent in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application CSVMappingParameters
For an SQL-based application, provides additional mapping information when the record format uses
delimiters, such as CSV. For example, the following sample records use CSV format, where the records
use the '\n' as the row delimiter and a comma (",") as the column delimiter:
"name1", "address1"
"name2", "address2"
Syntax
JSON
{
}
YAML
Properties
The column delimiter. For example, in a CSV format, a comma (",") is the typical column delimiter.
Required: Yes
Type: String
Minimum: 1

RecordRowDelimiter
The row delimiter. For example, in a CSV format, '\n' is the typical row delimiter.

2683
Required: Yes
Type: String
Minimum: 1
See Also
• CSVMappingParameters in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application EnvironmentProperties
Describes execution properties for a Java-based Kinesis Data Analytics application.
Syntax
JSON
{
"PropertyGroups" : [ PropertyGroup (p. 2696), ... ]
}
YAML
PropertyGroups:
- PropertyGroup (p. 2696)
Properties
PropertyGroups
Describes the execution property groups.
Required: No
Type: List of PropertyGroup (p. 2696)
Maximum: 50
See Also
• EnvironmentProperties in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application FlinkApplicationConfiguration
Describes configuration parameters for a Java-based Amazon Kinesis Data Analytics application.
Syntax

2684
JSON
{
"CheckpointConfiguration" : CheckpointConfiguration (p. 2680),
"MonitoringConfiguration" : MonitoringConfiguration (p. 2693),
"ParallelismConfiguration" : ParallelismConfiguration (p. 2695)
}
YAML
CheckpointConfiguration:
CheckpointConfiguration (p. 2680)
MonitoringConfiguration:
MonitoringConfiguration (p. 2693)
ParallelismConfiguration:
ParallelismConfiguration (p. 2695)
Properties
CheckpointConfiguration
Describes an application's checkpointing configuration. Checkpointing is the process of persisting

application state for fault tolerance. For more information, see Checkpoints for Fault Tolerance in
the Apache Flink Documentation.
Required: No
Type: CheckpointConfiguration (p. 2680)

MonitoringConfiguration
Describes configuration parameters for Amazon CloudWatch logging for an application.
Required: No
Type: MonitoringConfiguration (p. 2693)

ParallelismConfiguration
Describes parameters for how an application executes multiple tasks simultaneously.
Required: No
Type: ParallelismConfiguration (p. 2695)
See Also
• FlinkApplicationConfiguration in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application Input
When you configure the application input for an SQL-based Amazon Kinesis Data Analytics application,
you specify the streaming source, the in-application stream name that is created, and the mapping
between the two.

2685
Syntax
JSON
{
"InputParallelism" : InputParallelism (p. 2688),
"InputProcessingConfiguration" : InputProcessingConfiguration (p. 2689),
"InputSchema" : InputSchema (p. 2689),
"KinesisFirehoseInput" : KinesisFirehoseInput (p. 2691),
"KinesisStreamsInput" : KinesisStreamsInput (p. 2692),
"NamePrefix" : String
}
YAML
InputParallelism:
InputParallelism (p. 2688)
InputProcessingConfiguration:
InputProcessingConfiguration (p. 2689)
InputSchema:
InputSchema (p. 2689)
KinesisFirehoseInput:
KinesisFirehoseInput (p. 2691)
KinesisStreamsInput (p. 2692)
NamePrefix: String
Properties
InputParallelism
Describes the number of in-application streams to create.
Required: No
Type: InputParallelism (p. 2688)

InputProcessingConfiguration
The InputProcessingConfiguration for the input. An input processor transforms records as they are
received from the stream, before the application's SQL code executes. Currently, the only input
processing configuration available is InputLambdaProcessor.
Required: No
Type: InputProcessingConfiguration (p. 2689)

InputSchema
Required: Yes

2686
Type: InputSchema (p. 2689)

KinesisFirehoseInput
If the streaming source is an Amazon Kinesis Data Firehose delivery stream, identifies the delivery
stream's ARN.
Required: No
Type: KinesisFirehoseInput (p. 2691)

KinesisStreamsInput
If the streaming source is an Amazon Kinesis data stream, identifies the stream's Amazon Resource
Name (ARN).
Required: No
Type: KinesisStreamsInput (p. 2692)

NamePrefix
The name prefix to use when creating an in-application stream. Suppose that you specify
a prefix "MyInApplicationStream." Kinesis Data Analytics then creates one or more (as
per the InputParallelism count you specified) in-application streams with the names
"MyInApplicationStream_001," "MyInApplicationStream_002," and so on.
Required: Yes
Type: String
Minimum: 1
Maximum: 32
See Also
• Input in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application InputLambdaProcessor
An object that contains the Amazon Resource Name (ARN) of the AWS Lambda function that is used to
preprocess records in the stream in an SQL-based Amazon Kinesis Data Analytics application.
Syntax
JSON
{
"ResourceARN" : String
}

2687
YAML
ResourceARN: String
Properties
ResourceARN
The ARN of the AWS Lambda function that operates on records in the stream.
Note
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*
See Also
• InputLambdaProcessor in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application InputParallelism
For an SQL-based Amazon Kinesis Data Analytics application, describes the number of in-application
streams to create for a given streaming source.
Syntax
JSON
{
"Count" : Integer
}
YAML
Count: Integer
Properties
Count
The number of in-application streams to create.
Required: No

2688
Type: Integer
Minimum: 1
Maximum: 64
See Also
• InputParallelism in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application InputProcessingConfiguration
For an SQL-based Amazon Kinesis Data Analytics application, describes a processor that is used to
preprocess the records in the stream before being processed by your application code. Currently, the only
input processor available is AWS Lambda.
Syntax
JSON
{
"InputLambdaProcessor" : InputLambdaProcessor (p. 2687)
}
YAML
InputLambdaProcessor:
InputLambdaProcessor (p. 2687)
Properties
InputLambdaProcessor
The InputLambdaProcessor that is used to preprocess the records in the stream before being
processed by your application code.
Required: No
Type: InputLambdaProcessor (p. 2687)
See Also
• InputProcessingConfiguration in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application InputSchema
For an SQL-based Amazon Kinesis Data Analytics application, describes the format of the data in
the streaming source, and how each data element maps to corresponding columns created in the in-
application stream.

2689
Syntax
JSON
{
}
YAML
RecordColumns:
RecordFormat:
Properties
RecordColumns
Required: Yes
Maximum: 1000

RecordEncoding
Required: No
Type: String
Pattern: UTF-8

RecordFormat
Required: Yes
See Also
• SourceSchema in the Amazon Kinesis Data Analytics API Reference

2690
AWS::KinesisAnalyticsV2::Application JSONMappingParameters
For an SQL-based Amazon Kinesis Data Analytics application, provides additional mapping information
when JSON is the record format on the streaming source.
Syntax
JSON
{
}
YAML
Properties
RecordRowPath
The path to the top-level parent that contains the records.
Required: Yes
Type: String
Minimum: 1
See Also
• JSONMappingParameters in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application KinesisFirehoseInput
For an SQL-based Amazon Kinesis Data Analytics application, identifies a Kinesis Data Firehose delivery
stream as the streaming source. You provide the delivery stream's Amazon Resource Name (ARN).
Syntax
JSON
{
}
YAML
ResourceARN: String

2691
Properties
ResourceARN
The Amazon Resource Name (ARN) of the delivery stream.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*
See Also
• KinesisFirehoseInput in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application KinesisStreamsInput
Identifies an Amazon Kinesis data stream as the streaming source. You provide the stream's Amazon
Syntax
JSON
{
}
YAML
ResourceARN: String
Properties
ResourceARN
The ARN of the input Kinesis data stream to read.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*

2692
See Also
• KinesisStreamsInput in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application MappingParameters
When you configure an SQL-based Amazon Kinesis Data Analytics application's input at the time of
creating or updating an application, provides additional mapping information specific to the record
format (such as JSON, CSV, or record fields delimited by some delimiter) on the streaming source.
Syntax
JSON
{
}
YAML
Properties
Required: No

Required: No
See Also
• MappingParameters in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application MonitoringConfiguration
Describes configuration parameters for Amazon CloudWatch logging for a Java-based Kinesis Data
Analytics application. For more information about CloudWatch logging, see Monitoring.

2693
Syntax
JSON
{
"LogLevel" : String,
"MetricsLevel" : String
}
YAML
LogLevel: String
MetricsLevel: String
Properties
ConfigurationType
Describes whether to use the default CloudWatch logging configuration for an application. You must
set this property to CUSTOM in order to set the LogLevel or MetricsLevel parameters.
Required: Yes
Type: String

LogLevel
Describes the verbosity of the CloudWatch Logs for an application.
Required: No
Type: String
Allowed Values: DEBUG | ERROR | INFO | WARN

MetricsLevel
Describes the granularity of the CloudWatch Logs for an application.
Required: No
Type: String
Allowed Values: APPLICATION | OPERATOR | PARALLELISM | TASK
See Also
• MonitoringConfiguration in the Amazon Kinesis Data Analytics API Reference

2694
AWS::KinesisAnalyticsV2::Application ParallelismConfiguration
Describes parameters for how a Java-based Amazon Kinesis Data Analytics application executes multiple
tasks simultaneously. For more information about parallelism, see Parallel Execution in the Apache Flink
Documentation.
Syntax
JSON
{
"AutoScalingEnabled" : Boolean,
"Parallelism" : Integer,
"ParallelismPerKPU" : Integer
}
YAML
AutoScalingEnabled: Boolean
Parallelism: Integer
ParallelismPerKPU: Integer
Properties
AutoScalingEnabled
Describes whether the Kinesis Data Analytics service can increase the parallelism of the application
in response to increased throughput.
Required: No
Type: Boolean

ConfigurationType
Describes whether the application uses the default parallelism for the Kinesis Data Analytics service.
You must set this property to CUSTOM in order to change your application's AutoScalingEnabled,
Parallelism, or ParallelismPerKPU properties.
Required: Yes
Type: String

Parallelism
Describes the initial number of parallel tasks that a Java-based Kinesis Data Analytics application
can perform. The Kinesis Data Analytics service can increase this number automatically if
ParallelismConfiguration:AutoScalingEnabled is set to true.
Required: No

2695
Type: Integer
Minimum: 1

ParallelismPerKPU
Describes the number of parallel tasks that a Java-based Kinesis Data Analytics application can
perform per Kinesis Processing Unit (KPU) used by the application. For more information about
KPUs, see Amazon Kinesis Data Analytics Pricing.
Required: No
Type: Integer
Minimum: 1
See Also
• ParallelismConfiguration in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application PropertyGroup
Property key-value pairs passed into a Java-based Kinesis Data Analytics application.
Syntax
JSON
{
"PropertyGroupId" : String,
"PropertyMap" : Json
}
YAML
PropertyGroupId: String
PropertyMap: Json
Properties
PropertyGroupId
Describes the key of an application execution property key-value pair.
Required: No
Type: String
Minimum: 1
Maximum: 50

2696

PropertyMap
Describes the value of an application execution property key-value pair.
Required: No
Type: Json
See Also
• PropertyGroup in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application RecordColumn
For an SQL-based Amazon Kinesis Data Analytics application, describes the mapping of each data
element in the streaming source to the corresponding column in the in-application stream.
Syntax
JSON
{
"Mapping" : String,
"Name" : String,
"SqlType" : String
}
YAML
Mapping: String
Name: String
SqlType: String
Properties
Mapping
A reference to the data element in the streaming input or the reference data source.
Required: No
Type: String

Name
The name of the column that is created in the in-application input stream or reference table.

2697
Required: Yes
Type: String

SqlType
The type of column created in the in-application input stream or reference table.
Required: Yes
Type: String
Minimum: 1
See Also
• RecordColumn in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application RecordFormat
For an SQL-based Amazon Kinesis Data Analytics application, describes the record format and relevant
mapping information that should be applied to schematize the records on the stream.
Syntax
JSON
{
}
YAML
MappingParameters:
Properties
MappingParameters
When you configure application input at the time of creating or updating an application, provides
Required: No

2698
RecordFormatType
Required: Yes
Type: String
See Also
• RecordFormat in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application S3ContentLocation
For a Java-based Amazon Kinesis Data Analytics application, provides a description of an Amazon S3
object, including the Amazon Resource Name (ARN) of the S3 bucket, the name of the Amazon S3 object
that contains the data, and the version number of the Amazon S3 object that contains the data.
Syntax
JSON
{
"FileKey" : String,
}
YAML
BucketARN: String
FileKey: String
Properties
BucketARN
The Amazon Resource Name (ARN) for the S3 bucket containing the application code.
Required: No
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*

2699
FileKey
The file key for the object containing the application code.
Required: No
Type: String
Minimum: 1
Maximum: 1024

ObjectVersion
The version of the object containing the application code.
Required: No
Type: String
See Also
• S3ContentLocation in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::Application SqlApplicationConfiguration
Describes the inputs, outputs, and reference data sources for an SQL-based Kinesis Data Analytics
application.
Syntax
JSON
{
"Inputs" : [ Input (p. 2685), ... ]
}
YAML
Inputs:
- Input (p. 2685)
Properties
Inputs
The array of Input objects describing the input streams used by the application.
Required: No
Type: List of Input (p. 2685)

2700
See Also
• SqlApplicationConfiguration in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption
Adds an Amazon CloudWatch log stream to monitor application configuration errors.
Syntax
JSON
{
"Type" : "AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption",
"Properties" : {
"CloudWatchLoggingOption" : CloudWatchLoggingOption (p. 2703)
}
}
YAML
Type: AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption
Properties:
CloudWatchLoggingOption:
CloudWatchLoggingOption (p. 2703)
Properties
ApplicationName
Required: Yes
Type: String
Minimum: 1
Maximum: 128

CloudWatchLoggingOption
Provides a description of Amazon CloudWatch logging options, including the log stream Amazon
Required: Yes

2701
Type: CloudWatchLoggingOption (p. 2703)
Examples
Create an ApplicationCloudWatchLoggingOption resource
JSON
{
"BasicApplicationV2CloudWatchLoggingOption": {
"Type": "AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption",
"Properties": {
},
"CloudWatchLoggingOption": {
"LogStreamARN": {
"Fn::Join": [
":",
[
"arn:aws:logs",
{
},
{
},
"log-group",
{
"Ref": "TestCWLogGroup"
},
"log-stream",
{
"Ref": "TestCWLogStream"
}
]
]
}
}
}
}
}
YAML
BasicApplicationV2CloudWatchLoggingOption:
Type: 'AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption'
Properties:
CloudWatchLoggingOption:
LogStreamARN: !Join
- ':'
- - 'arn:aws:logs'
- log-group
- !Ref TestCWLogGroup
- log-stream
- !Ref TestCWLogStream

2702
See Also
• AddApplicationCloudWatchLoggingOption in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption
CloudWatchLoggingOption
Provides a description of Amazon CloudWatch logging options, including the log stream Amazon
Syntax
JSON
{
"LogStreamARN" : String
}
YAML
LogStreamARN: String
Properties
LogStreamARN
The ARN of the CloudWatch log to receive application messages.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*
See Also
• CloudWatchLoggingOption in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::ApplicationOutput
Adds an external destination to your SQL-based Amazon Kinesis Data Analytics application.
If you want Kinesis Data Analytics to deliver data from an in-application stream within your application
to an external destination (such as an Kinesis data stream, a Kinesis Data Firehose delivery stream, or
an AWS Lambda function), you add the relevant configuration to your application using this operation.
You can configure one or more outputs for your application. Each output configuration maps an in-
application stream and an external destination.

2703
You can use one of the output configurations to deliver data from your in-application error stream to an
external destination so that you can analyze the errors.
Any configuration update, including adding a streaming source using this operation, results in a new
version of the application. You can use the DescribeApplication operation to find the current application
version.
Syntax
JSON
{
"Type" : "AWS::KinesisAnalyticsV2::ApplicationOutput",
"Properties" : {
"Output" : Output (p. 2708)
}
}
YAML
Type: AWS::KinesisAnalyticsV2::ApplicationOutput
Properties:
Output:
Output (p. 2708)
Properties
ApplicationName
Required: Yes
Type: String
Minimum: 1
Maximum: 128

Output
Describes an SQL-based Amazon Kinesis Data Analytics application's output configuration, in which
you identify an in-application stream and a destination where you want the in-application stream
data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery
stream.
Required: Yes
Type: Output (p. 2708)

2704
Examples
Create an ApplicationOutput object
JSON
{
"Type": "AWS::KinesisAnalyticsV2::ApplicationOutput",
"Properties": {
},
"Output": {
"Name": "exampleOutput",
"DestinationSchema": {
"RecordFormatType": "CSV"
},
"KinesisStreamsOutput": {
"ResourceARN": {
"Fn::GetAtt": [
"OutputKinesisStream",
"Arn"
]
}
}
}
}
}
YAML
Type: 'AWS::KinesisAnalyticsV2::ApplicationOutput'
Properties:
Output:
Name: exampleOutput
DestinationSchema:
RecordFormatType: CSV
- OutputKinesisStream
- Arn
See Also
• AddApplicationOutput in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::ApplicationOutput DestinationSchema
Describes the data format when records are written to the destination in an SQL-based Amazon Kinesis
Data Analytics application.
Syntax
JSON

2705
}
YAML
Properties
RecordFormatType
Specifies the format of the records on the output stream.
Required: No
Type: String
See Also
• DestinationSchema in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::ApplicationOutput KinesisFirehoseOutput
For an SQL-based Amazon Kinesis Data Analytics application, when configuring application output,
identifies a Kinesis Data Firehose delivery stream as the destination. You provide the stream Amazon
Resource Name (ARN) of the delivery stream.
Syntax
JSON
{
}
YAML
ResourceARN: String
Properties
ResourceARN
The ARN of the destination delivery stream to write to.
Required: Yes
Type: String
Minimum: 1

2706
Maximum: 2048
Pattern: arn:.*
See Also
• KinesisFirehoseOutput in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::ApplicationOutput KinesisStreamsOutput
When you configure an SQL-based Amazon Kinesis Data Analytics application's output, identifies a
Kinesis data stream as the destination. You provide the stream Amazon Resource Name (ARN).
Syntax
JSON
{
}
YAML
ResourceARN: String
Properties
ResourceARN
The ARN of the destination Kinesis data stream to write to.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*
See Also
• KinesisStreamsOutput in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::ApplicationOutput LambdaOutput
When you configure an SQL-based Amazon Kinesis Data Analytics application's output, identifies an
AWS Lambda function as the destination. You provide the function Amazon Resource Name (ARN) of the
Lambda function.

2707
Syntax
JSON
{
}
YAML
ResourceARN: String
Properties
ResourceARN
The Amazon Resource Name (ARN) of the destination Lambda function to write to.
Note
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*
See Also
• LambdaOutput in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::ApplicationOutput Output
Describes an SQL-based Amazon Kinesis Data Analytics application's output configuration, in which you
identify an in-application stream and a destination where you want the in-application stream data to be
written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream.
Syntax
JSON
{
"DestinationSchema" : DestinationSchema (p. 2705),
"KinesisFirehoseOutput" : KinesisFirehoseOutput (p. 2706),

2708
"KinesisStreamsOutput" : KinesisStreamsOutput (p. 2707),

"LambdaOutput" : LambdaOutput (p. 2707),
"Name" : String
}
YAML
DestinationSchema:
DestinationSchema (p. 2705)
KinesisFirehoseOutput:
KinesisFirehoseOutput (p. 2706)
KinesisStreamsOutput (p. 2707)
LambdaOutput:
LambdaOutput (p. 2707)
Name: String
Properties
DestinationSchema
Describes the data format when records are written to the destination.
Required: Yes
Type: DestinationSchema (p. 2705)

KinesisFirehoseOutput
Identifies an Amazon Kinesis Data Firehose delivery stream as the destination.
Required: No
Type: KinesisFirehoseOutput (p. 2706)

KinesisStreamsOutput
Identifies an Amazon Kinesis data stream as the destination.
Required: No
Type: KinesisStreamsOutput (p. 2707)

LambdaOutput
Identifies an AWS Lambda function as the destination.
Required: No
Type: LambdaOutput (p. 2707)

Name
The name of the in-application stream.

2709
Required: No
Type: String
Minimum: 1
Maximum: 32
See Also
• Output in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource
Adds a reference data source to an existing SQL-based Amazon Kinesis Data Analytics application.
Kinesis Data Analytics reads reference data (that is, an Amazon S3 object) and creates an in-application
table within your application. In the request, you provide the source (S3 bucket name and object key
name), name of the in-application table to create, and the necessary mapping information that describes
how data in an Amazon S3 object maps to columns in the resulting in-application table.
Syntax
JSON
{
"Type" : "AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource",
"Properties" : {
"ReferenceDataSource" : ReferenceDataSource (p. 2716)
}
}
YAML
Type: AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource
Properties:
ReferenceDataSource (p. 2716)
Properties
ApplicationName
Required: Yes
Type: String
Minimum: 1

2710
Maximum: 128

ReferenceDataSource
For an SQL-based Amazon Kinesis Data Analytics application, describes the reference data source by
providing the source information (Amazon S3 bucket name and object key name), the resulting in-
application table name that is created, and the necessary schema to map the data elements in the
Amazon S3 object to the in-application table.
Required: Yes
Type: ReferenceDataSource (p. 2716)
Examples
Create an ApplicationReferenceDataSource resource
JSON
{
"ApplicationReferenceDataSource": {
"Type": "AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource",
"Properties": {
},
"ReferenceDataSource": {
"TableName": "exampleTable",
"ReferenceSchema": {
"RecordColumns": [
{
"Name": "example",
}
],
"RecordFormat": {
}
}
}
},
"S3ReferenceDataSource": {
"BucketARN": {
"Fn::GetAtt": [
"S3Bucket",
"Arn"
]
},
"FileKey": "fakeKey"
}
}
}

2711
}
}
YAML
Type: 'AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource'
Properties:
TableName: exampleTable
ReferenceSchema:
RecordColumns:
- Name: example
Mapping: $.example
RecordFormat:
MappingParameters:
RecordRowPath: $
BucketARN: !GetAtt
- S3Bucket
- Arn
FileKey: fakeKey
See Also
• AddApplicationReferenceDataSource in the Amazon Kinesis Data Analytics API Reference
For an SQL-based application, provides additional mapping information when the record format uses
delimiters, such as CSV. For example, the following sample records use CSV format, where the records
use the '\n' as the row delimiter and a comma (",") as the column delimiter:
"name1", "address1"
"name2", "address2"
Syntax
JSON
{
}
YAML

2712
Properties
The column delimiter. For example, in a CSV format, a comma (",") is the typical column delimiter.
Required: Yes
Type: String
Minimum: 1

RecordRowDelimiter
The row delimiter. For example, in a CSV format, '\n' is the typical row delimiter.
Required: Yes
Type: String
Minimum: 1
See Also
• CSVMappingParameters in the Amazon Kinesis Data Analytics API Reference
For an SQL-based Amazon Kinesis Data Analytics application, provides additional mapping information
when JSON is the record format on the streaming source.
Syntax
JSON
{
}
YAML
Properties
RecordRowPath
The path to the top-level parent that contains the records.
Required: Yes
Type: String

2713
Minimum: 1
See Also
• JSONMappingParameters in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource MappingParameters
When you configure an SQL-based Amazon Kinesis Data Analytics application's input at the time of
creating or updating an application, provides additional mapping information specific to the record
format (such as JSON, CSV, or record fields delimited by some delimiter) on the streaming source.
Syntax
JSON
{
}
YAML
Properties
Required: No

Required: No
See Also
• MappingParameters in the Amazon Kinesis Data Analytics API Reference

2714
AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource RecordColumn
For an SQL-based Amazon Kinesis Data Analytics application, describes the mapping of each data
element in the streaming source to the corresponding column in the in-application stream.
Syntax
JSON
{
"Mapping" : String,
"Name" : String,
"SqlType" : String
}
YAML
Mapping: String
Name: String
SqlType: String
Properties
Mapping
A reference to the data element in the streaming input or the reference data source.
Required: No
Type: String

Name
The name of the column that is created in the in-application input stream or reference table.
Required: Yes
Type: String

SqlType
The type of column created in the in-application input stream or reference table.
Required: Yes
Type: String
Minimum: 1
See Also
• RecordColumn in the Amazon Kinesis Data Analytics API Reference

2715
AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource RecordFormat
For an SQL-based Amazon Kinesis Data Analytics application, describes the record format and relevant
mapping information that should be applied to schematize the records on the stream.
Syntax
JSON
{
}
YAML
MappingParameters:
Properties
MappingParameters
When you configure application input at the time of creating or updating an application, provides
Required: No

RecordFormatType
Required: Yes
Type: String
See Also
• RecordFormat in the Amazon Kinesis Data Analytics API Reference
AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource ReferenceDataSource
For an SQL-based Amazon Kinesis Data Analytics application, describes the reference data source by
providing the source information (Amazon S3 bucket name and object key name), the resulting in-
application table name that is created, and the necessary schema to map the data elements in the
Amazon S3 object to the in-application table.

2716
Syntax
JSON
{
"ReferenceSchema" : ReferenceSchema (p. 2718),
"S3ReferenceDataSource" : S3ReferenceDataSource (p. 2719),
}
YAML
ReferenceSchema:
ReferenceSchema (p. 2718)
S3ReferenceDataSource (p. 2719)
TableName: String
Properties
ReferenceSchema
corresponding columns created in the in-application stream.
Required: Yes
Type: ReferenceSchema (p. 2718)

Identifies the S3 bucket and object that contains the reference data. A Kinesis Data Analytics
application loads reference data only once. If the data changes, you call the UpdateApplication
operation to trigger reloading of data into your application.
Required: No
Type: S3ReferenceDataSource (p. 2719)

TableName
The name of the in-application table to create.
Required: No
Type: String
Minimum: 1
Maximum: 32
See Also
• ReferenceDataSource in the Amazon Kinesis Data Analytics API Reference

2717
AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource ReferenceSchema
For an SQL-based Amazon Kinesis Data Analytics application, describes the format of the data in
the streaming source, and how each data element maps to corresponding columns created in the in-
application stream.
Syntax
JSON
{
}
YAML
RecordColumns:
RecordFormat:
Properties
RecordColumns
Required: Yes
Maximum: 1000

RecordEncoding
Required: No
Type: String
Pattern: UTF-8

RecordFormat
Required: Yes

2718
See Also
• SourceSchema in the Amazon Kinesis Data Analytics API Reference
For an SQL-based Amazon Kinesis Data Analytics application, identifies the Amazon S3 bucket and object
that contains the reference data.
A Kinesis Data Analytics application loads reference data only once. If the data changes, you call the
Syntax
JSON
{
"FileKey" : String
}
YAML
BucketARN: String
FileKey: String
Properties
BucketARN
The Amazon Resource Name (ARN) of the S3 bucket.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Pattern: arn:.*

FileKey
The object key name containing the reference data.
Required: Yes
Type: String
Minimum: 1
Maximum: 1024

2719
Amazon Kinesis Data Firehose
See Also
• S3ReferenceDataSource in the Amazon Kinesis Data Analytics API Reference
Amazon Kinesis Data Firehose Resource Type

Reference
Resource Types
• AWS::KinesisFirehose::DeliveryStream (p. 2720)
AWS::KinesisFirehose::DeliveryStream
The AWS::KinesisFirehose::DeliveryStream resource creates an Amazon Kinesis Data Firehose
(Kinesis Data Firehose) delivery stream that delivers real-time streaming data to an Amazon Simple
Storage Service (Amazon S3), Amazon Redshift, or Amazon Elasticsearch Service (Amazon ES)
destination. For more information, see Creating an Amazon Kinesis Data Firehose Delivery Stream in the
Amazon Kinesis Data Firehose Developer Guide.
Syntax
JSON
{
"Type" : "AWS::KinesisFirehose::DeliveryStream",
"Properties" : {
"DeliveryStreamType" : String,
"ElasticsearchDestinationConfiguration" : ElasticsearchDestinationConfiguration (p. 2737),

"ExtendedS3DestinationConfiguration" : ExtendedS3DestinationConfiguration (p. 2742),
"KinesisStreamSourceConfiguration" : KinesisStreamSourceConfiguration (p. 2746),
"RedshiftDestinationConfiguration" : RedshiftDestinationConfiguration (p. 2756),
"S3DestinationConfiguration" : S3DestinationConfiguration (p. 2758),
"SplunkDestinationConfiguration" : SplunkDestinationConfiguration (p. 2763)
}
}
YAML
Type: AWS::KinesisFirehose::DeliveryStream
Properties:
DeliveryStreamType: String
ElasticsearchDestinationConfiguration:
ElasticsearchDestinationConfiguration (p. 2737)
ExtendedS3DestinationConfiguration:
ExtendedS3DestinationConfiguration (p. 2742)
KinesisStreamSourceConfiguration:
KinesisStreamSourceConfiguration (p. 2746)
RedshiftDestinationConfiguration:
RedshiftDestinationConfiguration (p. 2756)

2720
S3DestinationConfiguration:
S3DestinationConfiguration (p. 2758)
SplunkDestinationConfiguration:
SplunkDestinationConfiguration (p. 2763)
Properties
DeliveryStreamName
The name of the delivery stream.
Required: No
Type: String
Minimum: 1
Maximum: 64

DeliveryStreamType
The delivery stream type. This can be one of the following values:
• DirectPut: Provider applications access the delivery stream directly.
• KinesisStreamAsSource: The delivery stream uses a Kinesis data stream as a source.
Required: No
Type: String
Allowed Values: DirectPut | KinesisStreamAsSource

ElasticsearchDestinationConfiguration
An Amazon ES destination for the delivery stream.
Conditional. You must specify only one destination configuration.
If you change the delivery stream destination from an Amazon ES destination to an Amazon S3 or
Amazon Redshift destination, update requires some interruptions.
Type: ElasticsearchDestinationConfiguration (p. 2737)

ExtendedS3DestinationConfiguration
An Amazon S3 destination for the delivery stream.
If you change the delivery stream destination from an Amazon Extended S3 destination to an
Amazon ES destination, update requires some interruptions.

2721
Type: ExtendedS3DestinationConfiguration (p. 2742)

KinesisStreamSourceConfiguration
When a Kinesis stream is used as the source for the delivery stream, a
KinesisStreamSourceConfiguration containing the Kinesis stream ARN and the role ARN for the
source stream.
Required: No
Type: KinesisStreamSourceConfiguration (p. 2746)

RedshiftDestinationConfiguration
An Amazon Redshift destination for the delivery stream.
If you change the delivery stream destination from an Amazon Redshift destination to an Amazon ES
destination, update requires some interruptions.
Type: RedshiftDestinationConfiguration (p. 2756)

S3DestinationConfiguration
The S3DestinationConfiguration property type specifies an Amazon Simple Storage Service

(Amazon S3) destination to which Amazon Kinesis Data Firehose (Kinesis Data Firehose) delivers
data.
If you change the delivery stream destination from an Amazon S3 destination to an Amazon ES
destination, update requires some interruptions.
Type: S3DestinationConfiguration (p. 2758)

SplunkDestinationConfiguration
The configuration of a destination in Splunk for the delivery stream.
Required: No
Type: SplunkDestinationConfiguration (p. 2763)
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the delivery
stream name, such as mystack-deliverystream-1ABCD2EF3GHIJ.

2722
Fn::GetAtt
Fn::GetAtt returns a value for a specified attribute of this type. The following are the available attributes
and sample return values.
Arn
The Amazon Resource Name (ARN) of the delivery stream, such as arn:aws:firehose:us-
east-2:123456789012:deliverystream/delivery-stream-name.
Examples
Create a Kinesis Data Firehose Delivery Stream
The following example creates a Kinesis Data Firehose delivery stream that delivers data to an Amazon
ES destination. Kinesis Data Firehose backs up all data sent to the destination in an Amazon S3 bucket.
JSON
"ElasticSearchDeliveryStream": {
"Type": "AWS::KinesisFirehose::DeliveryStream",
"Properties": {
"ElasticsearchDestinationConfiguration": {
"BufferingHints": {
"IntervalInSeconds": 60,
"SizeInMBs": 50
},
"CloudWatchLoggingOptions": {
"Enabled": true,
"LogGroupName": "deliverystream",
"LogStreamName": "elasticsearchDelivery"
},
"DomainARN": { "Ref" : "MyDomainARN" },
"IndexName": { "Ref" : "MyIndexName" },
"IndexRotationPeriod": "NoRotation",
"TypeName" : "fromFirehose",
"RetryOptions": {
"DurationInSeconds": "60"
},
"RoleARN": { "Fn::GetAtt" : ["ESdeliveryRole", "Arn"] },
"S3BackupMode": "AllDocuments",
"S3Configuration": {
"BucketARN": { "Ref" : "MyBackupBucketARN" },
"BufferingHints": {
"IntervalInSeconds": "60",
"SizeInMBs": "50"
},
"CompressionFormat": "UNCOMPRESSED",
"Prefix": "firehose/",
"RoleARN": { "Fn::GetAtt" : ["S3deliveryRole", "Arn"] },
"CloudWatchLoggingOptions" : {
"Enabled" : true,
"LogGroupName" : "deliverystream",
"LogStreamName" : "s3Backup"
}
}
}
}

2723
YAML
ElasticSearchDeliveryStream:
Properties:
ElasticsearchDestinationConfiguration:
BufferingHints:
IntervalInSeconds: 60
SizeInMBs: 50
CloudWatchLoggingOptions:
Enabled: true
LogGroupName: "deliverystream"
LogStreamName: "elasticsearchDelivery"
DomainARN:
Ref: "MyDomainARN"
IndexName:
Ref: "MyIndexName"
IndexRotationPeriod: "NoRotation"
TypeName: "fromFirehose"
RetryOptions:
DurationInSeconds: "60"
RoleARN:
Fn::GetAtt:
- "ESdeliveryRole"
- "Arn"
S3BackupMode: "AllDocuments"
S3Configuration:
BucketARN:
Ref: "MyBackupBucketARN"
BufferingHints:
IntervalInSeconds: "60"
SizeInMBs: "50"
CompressionFormat: "UNCOMPRESSED"
Prefix: "firehose/"
RoleARN:
Fn::GetAtt:
- "S3deliveryRole"
- "Arn"
Enabled: true
LogGroupName: "deliverystream"
LogStreamName: "s3Backup"
Convert Record Format
The following example shows record format conversion.
YAML
Description: Stack for Firehose DeliveryStream S3 Destination.
Resources:
GlueDatabase:
Properties:
DatabaseInput: {}
GlueTable:
Type: AWS::Glue::Table

2724
Properties:
DatabaseName: !Ref GlueDatabase
TableInput:
Owner: owner
Retention: 0
StorageDescriptor:
Columns:
- Name: pickup_latitude
Type: double
- Name: pickup_longitude
Type: double
- Name: dropoff_latitude
Type: double
- Name: dropoff_longitude
Type: double
- Name: trip_id
Type: int
- Name: trip_distance
Type: double
- Name: passenger_count
Type: int
- Name: pickup_datetime
Type: timestamp
- Name: dropoff_datetime
Type: timestamp
- Name: total_amount
Type: double
InputFormat: org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat
OutputFormat: org.apache.hadoop.hive.ql.io.parquet.MapredParquetOutputFormat
Compressed: false
NumberOfBuckets: -1
SerdeInfo:
SerializationLibrary:
org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe
Parameters:
serialization.format: '1'
BucketColumns: []
SortColumns: []
StoredAsSubDirectories: false
PartitionKeys:
- Name: year
Type: string
- Name: month
Type: string
- Name: day
Type: string
- Name: hour
Type: string
TableType: EXTERNAL_TABLE
deliverystream:
Properties:
DeliveryStreamType: DirectPut
RoleARN: !GetAtt deliveryRole.Arn
BucketARN: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref s3bucket
Prefix: !Join
- ''
- - !Ref GlueTable
- '/year=!{timestamp:YYYY}/month=!{timestamp:MM}/day=!{timestamp:dd}/hour=!
{timestamp:HH}/'

2725
ErrorOutputPrefix: !Join
- ''
- - !Ref GlueTable
- 'error/!{firehose:error-output-type}/year=!{timestamp:YYYY}/month=!
{timestamp:MM}/day=!{timestamp:dd}/hour=!{timestamp:HH}/'
BufferingHints:
SizeInMBs: 128
CompressionFormat: UNCOMPRESSED
EncryptionConfiguration:
NoEncryptionConfig: NoEncryption
Enabled: true
LogGroupName: !Join
- ''
- - 'KDF-'
- !Ref GlueTable
LogStreamName: S3Delivery
S3BackupMode: Disabled
DataFormatConversionConfiguration:
SchemaConfiguration:
DatabaseName: !Ref GlueDatabase
TableName: !Ref GlueTable
Region: !Ref AWS::Region
VersionId: LATEST
InputFormatConfiguration:
Deserializer:
OpenXJsonSerDe: {}
OutputFormatConfiguration:
Serializer:
ParquetSerDe: {}
Enabled: True
s3bucket:
Properties:
Status: Enabled
deliveryRole:
Properties:
Version: 2012-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: firehose.amazonaws.com
Condition:
StringEquals:
'sts:ExternalId': !Ref 'AWS::AccountId'
Path: "/"
Policies:
- PolicyName: firehose_delivery_policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 's3:AbortMultipartUpload'
- 's3:GetBucketLocation'
- 's3:GetObject'

2726
- 's3:ListBucket'
- 's3:ListBucketMultipartUploads'
- 's3:PutObject'
Resource:
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref s3bucket
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref s3bucket
- '*'
- Effect: Allow
Action: 'glue:GetTableVersions'
Resource: '*'
- Effect: Allow
Action: 'logs:PutLogEvents'
Resource:
- !Join
- ''
- - 'arn:aws:logs:'
- ':'
- 'log-group:/aws/kinesisfirehose/KDF-'
- !Ref GlueTable
- ':log-stream:*'
Outputs:
deliverysreamARN:
Description: The ARN of the firehose delivery stream
Value: !GetAtt deliverystream.Arn
Specify an Amazon S3 Destination for the Delivery Stream
The following example uses the ExtendedS3DestinationConfiguration property to specify an

Amazon S3 destination for the delivery stream.
JSON
{
"Description" : "Stack for Firehose DeliveryStream S3 Destination.",
"Resources": {
"deliverystream": {
"DependsOn": ["deliveryPolicy"],
"Properties": {
"ExtendedS3DestinationConfiguration": {
"BucketARN": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref":"s3bucket"}]]},
"BufferingHints": {
"IntervalInSeconds": "60",
"SizeInMBs": "50"
},
"RoleARN": {"Fn::GetAtt" : ["deliveryRole", "Arn"] },
"ProcessingConfiguration" : {
"Enabled": "true",
"Processors": [
{
"Parameters": [
{
"ParameterName": "LambdaArn",

2727
"ParameterValue": {"Fn::GetAtt" : ["myLambda", "Arn"] }

}],
"Type": "Lambda"
}]
}
}
}
},
"s3bucket": {
"Properties": {
"VersioningConfiguration": {
"Status": "Enabled"
}
}
},
"deliveryRole": {
"Properties": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {"Ref":"AWS::AccountId"}
}
}
}
]
}
}
},
"deliveryPolicy": {
"Properties": {
"PolicyName": "firehose_delivery_policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"Resource": [
{"Fn::Join": ["", ["arn:aws:s3:::", {"Ref":"s3bucket"}]]},
{"Fn::Join": ["", ["arn:aws:s3:::", {"Ref":"s3bucket"}, "*"]]}
]
}
]
},
"Roles": [{"Ref": "deliveryRole"}]
}
}

2728
}
}
YAML
Description: Stack for Firehose DeliveryStream S3 Destination.
Resources:
deliverystream:
DependsOn:
- deliveryPolicy
Properties:
BucketARN: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref s3bucket
BufferingHints:
IntervalInSeconds: '60'
SizeInMBs: '50'
Prefix: firehose/
ProcessingConfiguration:
Enabled: 'true'
Processors:
- Parameters:
- ParameterName: LambdaArn
ParameterValue: !GetAtt myLambda.Arn
Type: Lambda
s3bucket:
Properties:
Status: Enabled
deliveryRole:
Properties:
Version: 2012-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: firehose.amazonaws.com
Condition:
StringEquals:
'sts:ExternalId': !Ref 'AWS::AccountId'
deliveryPolicy:
Properties:
PolicyName: firehose_delivery_policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 's3:AbortMultipartUpload'
- 's3:GetBucketLocation'
- 's3:GetObject'
- 's3:ListBucket'
- 's3:ListBucketMultipartUploads'

2729
- 's3:PutObject'
Resource:
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref s3bucket
- !Join
- ''
- - 'arn:aws:s3:::'
- !Ref s3bucket
- '*'
Roles:
- !Ref deliveryRole
Specify a Kinesis Stream as the Source for the Delivery Stream
The following example uses the KinesisStreamSourceConfiguration property to specify a Kinesis

stream as the source for the delivery stream.
JSON
{
"Parameters": {
"deliveryRoleArn": {
"Type": "String"
},
"deliveryStreamName": {
"Type": "String"
},
"kinesisStreamARN": {
"Type": "String"
},
"kinesisStreamRoleArn": {
"Type": "String"
},
"s3bucketArn": {
"Type": "String"
}
},
"Resources": {
"Deliverystream": {
"Properties": {
"DeliveryStreamName": {
"Ref": "deliveryStreamName"
},
"DeliveryStreamType": "KinesisStreamAsSource",
"KinesisStreamSourceConfiguration": {
"KinesisStreamARN": {
"Ref": "kinesisStreamARN"
},
"RoleARN": {
"Ref": "kinesisStreamRoleArn"
}
},
"ExtendedS3DestinationConfiguration": {
"BucketARN": {
"Ref": "s3bucketArn"
},
"BufferingHints": {
"IntervalInSeconds": 60,
"SizeInMBs": 50
},

2730
"RoleARN": {
"Ref": "deliveryRoleArn"
}
}
}
}
}
}
YAML
Parameters:
deliveryRoleArn:
Type: String
deliveryStreamName:
Type: String
kinesisStreamARN :
Type : String
kinesisStreamRoleArn:
Type : String
s3bucketArn:
Type: String
Resources :
Deliverystream:
Properties:
DeliveryStreamName: !Ref deliveryStreamName
DeliveryStreamType: KinesisStreamAsSource
KinesisStreamSourceConfiguration:
KinesisStreamARN: !Ref kinesisStreamARN
RoleARN: !Ref kinesisStreamRoleArn
BucketARN: !Ref s3bucketArn
BufferingHints:
SizeInMBs: 50
Prefix: firehose/
RoleARN: !Ref deliveryRoleArn
See Also
• CreateDeliveryStream in the Amazon Kinesis Data Firehose API Reference.
AWS::KinesisFirehose::DeliveryStream BufferingHints
The BufferingHints property type specifies how Amazon Kinesis Data Firehose (Kinesis Data Firehose)
buffers incoming data before delivering it to the destination. The first buffer condition that is satisfied
triggers Kinesis Data Firehose to deliver the data.
Syntax
JSON
{
"IntervalInSeconds" : Integer,
"SizeInMBs" : Integer

2731
YAML
IntervalInSeconds: Integer
SizeInMBs: Integer
Properties
IntervalInSeconds
The length of time, in seconds, that Kinesis Data Firehose buffers incoming data before delivering
it to the destination. For valid values, see the IntervalInSeconds content for the BufferingHints
data type in the Amazon Kinesis Data Firehose API Reference.
Required: Yes
Type: Integer
Minimum: 60
Maximum: 900

SizeInMBs
The size of the buffer, in MBs, that Kinesis Data Firehose uses for incoming data before delivering it
to the destination. For valid values, see the SizeInMBs content for the BufferingHints data type in
the Amazon Kinesis Data Firehose API Reference.
Required: Yes
Type: Integer
Minimum: 1
Maximum: 128
AWS::KinesisFirehose::DeliveryStream CloudWatchLoggingOptions
The CloudWatchLoggingOptions property type specifies Amazon CloudWatch Logs (CloudWatch
Logs) logging options that Amazon Kinesis Data Firehose (Kinesis Data Firehose) uses for the delivery
stream.
Syntax
JSON
{
"LogStreamName" : String
}

2732
YAML
Enabled: Boolean
LogStreamName: String
Properties
Enabled
Indicates whether CloudWatch Logs logging is enabled.
Required: No
Type: Boolean

LogGroupName
The name of the CloudWatch Logs log group that contains the log stream that Kinesis Data Firehose
will use.
Conditional. If you enable logging, you must specify this property.
Type: String

LogStreamName
The name of the CloudWatch Logs log stream that Kinesis Data Firehose uses to send logs about
data delivery.
Conditional. If you enable logging, you must specify this property.
Type: String
AWS::KinesisFirehose::DeliveryStream CopyCommand
The CopyCommand property type configures the Amazon Redshift COPY command that Amazon Kinesis
Data Firehose (Kinesis Data Firehose) uses to load data into an Amazon Redshift cluster from an Amazon
S3 bucket.
Syntax
JSON
{
"CopyOptions" : String,
"DataTableColumns" : String,
"DataTableName" : String
}

2733
YAML
CopyOptions: String
DataTableColumns: String
DataTableName: String
Properties
CopyOptions
Parameters to use with the Amazon Redshift COPY command. For examples, see the CopyOptions
content for the CopyCommand data type in the Amazon Kinesis Data Firehose API Reference.
Required: No
Type: String

DataTableColumns
A comma-separated list of column names.
Required: No
Type: String

DataTableName
The name of the target table. The table must already exist in the database.
Required: Yes
Type: String
Minimum: 1
AWS::KinesisFirehose::DeliveryStream DataFormatConversionConfiguration
Specifies that you want Kinesis Data Firehose to convert data from the JSON format to the Parquet or
ORC format before writing it to Amazon S3. Kinesis Data Firehose uses the serializer and deserializer that
you specify, in addition to the column information from the AWS Glue table, to deserialize your input
data from JSON and then serialize it to the Parquet or ORC format. For more information, see Kinesis
Data Firehose Record Format Conversion.
Syntax
JSON
{
"InputFormatConfiguration" : InputFormatConfiguration (p. 2745),
"OutputFormatConfiguration" : OutputFormatConfiguration (p. 2751),
"SchemaConfiguration" : SchemaConfiguration (p. 2760)

2734
YAML
Enabled: Boolean
InputFormatConfiguration:
InputFormatConfiguration (p. 2745)
OutputFormatConfiguration:
OutputFormatConfiguration (p. 2751)
SchemaConfiguration:
SchemaConfiguration (p. 2760)
Properties
Enabled
Defaults to true. Set it to false if you want to disable format conversion while preserving the
configuration details.
Required: Yes
Type: Boolean

InputFormatConfiguration
Specifies the deserializer that you want Kinesis Data Firehose to use to convert the format of your
data from JSON.
Required: Yes
Type: InputFormatConfiguration (p. 2745)

OutputFormatConfiguration
Specifies the serializer that you want Kinesis Data Firehose to use to convert the format of your data
to the Parquet or ORC format.
Required: Yes
Type: OutputFormatConfiguration (p. 2751)

SchemaConfiguration
Specifies the AWS Glue Data Catalog table that contains the column information.
Required

CFN Ug

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CFN Ug

Uploaded by

Copyright:

Available Formats

AWS CloudFormation

AWS CloudFormation: User Guide

API Version 2010-05-15

Changing Resource Properties ............................................................................................ 60

API Version 2010-05-15

Deleting a Stack ............................................................................................................. 114

API Version 2010-05-15

Revert an Import Operation Using the AWS CLI .................................................................. 205

API Version 2010-05-15

How AWS CloudFormation Macros Work ............................................................................ 542

API Version 2010-05-15

API Gateway .................................................................................................................. 652

API Version 2010-05-15

IoTEvents ..................................................................................................................... 2491

API Version 2010-05-15

Fn::FindInMap .......................................................................................................... 3804

API Version 2010-05-15

What is AWS CloudFormation?

Simplify Infrastructure Management

Quickly Replicate Your Infrastructure

Easily Control and Track Changes to Your

API Version 2010-05-15

AWS CloudFormation Concepts

API Version 2010-05-15

API Version 2010-05-15

API Version 2010-05-15

How Does AWS CloudFormation Work?

API Version 2010-05-15

Example JSON Syntax

Example YAML Syntax

API Version 2010-05-15

Updating a Stack with Change Sets

For more information, see Modifying a Stack Template (p. 128).

API Version 2010-05-15

API Version 2010-05-15

Signing Up for an AWS Account and Pricing

To sign up for an AWS account

Controlling Access with AWS Identity and Access

API Version 2010-05-15

AWS CloudFormation Actions

Example A sample policy that grants view stack permissions

API Version 2010-05-15

AWS CloudFormation Console-Speciﬁc Actions

ec2:DescribeSecurityGroups (for the AWS::EC2::SecurityGroup::Id parameter type)

AWS CloudFormation Resources

API Version 2010-05-15

AWS CloudFormation Conditions

API Version 2010-05-15

Specify all supported AWS resources.

Specify all supported resources for a speciﬁc AWS service.

Specify all custom resources.

Specify a speciﬁc custom resource type.

Specify all AWS resources.

Specify all resources for a speciﬁc AWS service.

Specify all custom resources.

Specify a speciﬁc custom resource type, which is deﬁned in the template.

API Version 2010-05-15

Example Template URL Condition

Example Import Resource Types Condition

API Version 2010-05-15

Example Import Resource Types Condition

Example Resource Type Condition

API Version 2010-05-15