Python Package (CFN Lint Rules)
The following is the list of custom CFN Lint rules provided in this repo.
Rule | Description |
---|---|
best_practice/s3_versioning.py | rule to check S3 buckets have versioning enabled |
mandatory/casing.py | rule to check if all Parameter, Output and Resource names follow PascalCase naming convention |
mandatory/descriptions.py | rule to check if all parameters have a description defined |
mandatory/groups.py | rule to check if all parameters are part of a ParameterGroup in the template |
mandatory/inclusive_language.py | rule to check for non-inclusive language in the template. It checks the entire CloudFormation template for biased language using a deny list and preferred terms. |
mandatory/labels.py | rule to check if all parameters have a label defined |
mandatory/params_defined_are_used.py | rule to check for unused parameters in the template. |
mandatory/params_in_metadata_exist.py | checks parameters referenced in metadata exist in the template |
mandatory/sentence_case.py | enforces that parameter descriptions, labels and groups follow best practices such as sentence case, no spelling errors and a terminating full stop |
security/ebs_volume_encryption.py | check if EBS volumes have encryption enabled. |
security/efs_file_system_encryption_enabled.py | check if EFS filesystems have encryption enabled. |
security/iam_action_wildcard.py | check for wildcards in IAM policy Action statements. |
security/iam_exclude_reason.py | rule enforces that a justification must be provided when excluding security best-practice rules for IAM policies in the template. This prevents blind exclusions. |
security/iam_no_account_number.py | checks for hard-coded AWS account IDs in IAM policy principal elements. |
security/iam_not_action.py | rule checks for and disallows the anti-pattern of using both Allow and Deny actions in the same IAM policy statement. |
security/iam_not_resource.py | rule checks for and disallows the anti-pattern of using both Allow and Deny resource elements in the same IAM policy statement |
security/iam_partition.py | rule checks for hardcoded partition-specific ARNs and provides fixes to make them partition-agnostic using ${AWS::Partition} as a best practice |
security/iam_resource_wildcard.py | rule checks for wildcard resources, reports them, and can automatically generate fixes to replace them with specific resource ARNs. |
security/lambda_runtime_eol.py | checks for end-of-life Lambda function runtimes being used. |
security/no_default_and_echo.py | check for sensitive properties in various resources that should have NoEcho set: AWS::RDS::DBInstance (MasterUserPassword); AWS::DirectoryService::SimpleAD (Password); AWS::RDS::DBCluster (MasterUserPassword); AWS::Redshift::DBCluster (MasterUserPassword); AWS::DirectoryService::MicrosoftAD (Password); AWS::DMS::Endpoint (Password, MongoDbSettings.Password); AWS::Amplify::App (AccessToken, BasicAuthConfig, OauthToken); AWS::Amplify::Branch (BasicAuthConfig.Password); AWS::Pinpoint::APNSandbox (PrivateKey, TokenKey); AWS::ElastiCache::ReplicationGroup (AuthToken); AWS::Lambda::Permission (EventSourceToken); AWS::Pinpoint::APNSVoipSandboxChannel (PrivateKey, TokenKey); AWS::Pinpoint::APNSChannel (PrivateKey, TokenKey); AWS::Pinpoint::APNSVoipChannel (PrivateKey, TokenKey); AWS::IAM::User (LoginProfile.Password); AWS::AppStream::DirectoryConfig (ServiceAccountCredentials.AccountPassword); AWS::OpsWorks::Stack (RDSDbInstance.DbPassword, CustomCookbooksSource.Password); AWS::OpsWorks::App |
security/principal_wildcard.py | checks for wildcards in the Principal element of IAM policies. |
security/prohibited_resource_properties.py | checks if AWS WAFv2 web ACLs have Allow specified as the DefaultAction. Allowing by default is dangerous, so the rule flags this misconfiguration as a failure to prohibit it in CloudFormation templates |
security/prohibited_resources.py | prohibits the use of AWS::SimpleDB::Domain resources. |
security/required_resource_properties.py | check for specific security properties being enabled in various resource types: AWS::ElastiCache::ReplicationGroup (AtRestEncryptionEnabled, TransitEncryptionEnabled); AWS::Redshift::Cluster (Encrypted); AWS::Workspaces::Workspace (RootVolumeEncryptionEnabled); AWS::Neptune::DBCluster (StorageEncrypted); AWS::EFS::Filesystem (Encrypted); AWS::KMS::Key (EnableKeyRotation); AWS::RDS::DBInstance (PubliclyAccessible); AWS::Cognito::UserPool (MfaConfiguration) |
security/s3_bucket_encryption.py | check if S3 buckets have encryption enabled. |
security/storage_encryption_enabled.py | checks if RDS DB clusters have encryption enabled. |
security/validate_iam_exclusions.py | rule prevents global exclusion of important IAM security checks and forces exclusions to be made on a per-resource basis only. Specifically, EIAM* rules should only be excluded for specific resources, not globally |
stack/default_parameter.py | rule checks that parent templates explicitly pass values for parameters defined as default in nested templates, rather than implicitly relying on the defaults. |
stack/matching_parameter_not_passed.py | rule checks for parameters defined in both parent and child templates and flags cases where the parent value is not properly passed to the child |
stack/missing_parameter.py | rule checks that parent templates provide all the parameters required by the nested templates to prevent errors during deployment. |
stack/parameter_not_in_child.py | checks for parameters passed to a nested stack that are not actually defined in the child template. Passing undefined parameters results in errors. |