CloudFormation Reference Cheatsheet

Updated: at 01:00 AM

AWS CloudFormation gives you an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code. A CloudFormation template describes your desired resources and their dependencies so you can launch and configure them together as a stack. You can use a template to create, update, and delete an entire stack as a single unit, as often as you need to, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS Regions.

Resource type identifiers always take the following form:

service-provider::service-name::data-type-name

You can find the updated list here

Pseudo Parameters

AWS::AccountId                  12-digit AWS account ID
AWS::NoValue                    Use in conditionals
AWS::Region                     Deployment region
AWS::StackId                    ARN of the current stack
AWS::StackName                  Name of the current stack

Common Intrinsic Functions

!FindInMap [ Map, TopLevelKey, SecondLevelKey ] Returns the value for the given keys in a two-level map declared in the Mappings section
!GetAtt a.Arn                   Get Arn attribute of resource a in this stack
!ImportValue a                  Reference export a from another stack
!Join [':',['a','b']]           Produces 'a:b'
!Ref a                          Get value of parameter or resource a in this stack
!Select ['1',['a','b']]         Produces 'b'
!Split [ ':', 'a:b' ]           Produces ['a', 'b']
!Sub 'a-${b}'                   Inject the value of b into a string

You can’t nest one shorthand YAML function directly inside another. Write Fn::ImportValue: !Sub "${a}-b", not !ImportValue !Sub "${a}-b".

Resource Type Ref GetAtt
Alexa::ASK::Skill Id
AWS::AmazonMQ::Broker Id AmqpEndpoints, Arn, ConfigurationId, ConfigurationRevision, IpAddresses, MqttEndpoints, OpenWireEndpoints, StompEndpoints, WssEndpoints
AWS::AmazonMQ::Configuration Id Arn, Id, Revision
AWS::AmazonMQ::ConfigurationAssociation Id
AWS::Amplify::App AppId, AppName, Arn, DefaultDomain
AWS::Amplify::Branch Arn, BranchName
AWS::Amplify::Domain Arn, CertificateRecord, DomainName, DomainStatus, StatusReason
AWS::ApiGateway::Account Id
AWS::ApiGateway::ApiKey Id
AWS::ApiGateway::Authorizer Id
AWS::ApiGateway::BasePathMapping
AWS::ApiGateway::ClientCertificate Name
AWS::ApiGateway::Deployment Id
AWS::ApiGateway::DocumentationPart Id
AWS::ApiGateway::DocumentationVersion
AWS::ApiGateway::DomainName DomainName DistributionDomainName, DistributionHostedZoneId, RegionalDomainName, RegionalHostedZoneId
AWS::ApiGateway::GatewayResponse
AWS::ApiGateway::Method Id
AWS::ApiGateway::Model Name
AWS::ApiGateway::RequestValidator Id
AWS::ApiGateway::Resource Id
AWS::ApiGateway::RestApi Id RootResourceId
AWS::ApiGateway::Stage Name
AWS::ApiGateway::UsagePlan Id
AWS::ApiGateway::UsagePlanKey
AWS::ApiGateway::VpcLink Id
AWS::ApiGatewayV2::Api Id
AWS::ApiGatewayV2::ApiMapping Id
AWS::ApiGatewayV2::Authorizer Id
AWS::ApiGatewayV2::Deployment Id
AWS::ApiGatewayV2::DomainName DomainName RegionalDomainName, RegionalHostedZoneId
AWS::ApiGatewayV2::Integration Id
AWS::ApiGatewayV2::IntegrationResponse Id
AWS::ApiGatewayV2::Model Id
AWS::ApiGatewayV2::Route Id
AWS::ApiGatewayV2::RouteResponse Id
AWS::ApiGatewayV2::Stage Name
AWS::ApplicationAutoScaling::ScalableTarget Id
AWS::ApplicationAutoScaling::ScalingPolicy Arn
AWS::AppMesh::Mesh Arn Arn, MeshName, Uid
AWS::AppMesh::Route Arn Arn, MeshName, Uid, VirtualRouterName
AWS::AppMesh::VirtualNode Arn Arn, MeshName, Uid, VirtualNodeName
AWS::AppMesh::VirtualRouter Arn Arn, MeshName, Uid, VirtualRouterName
AWS::AppMesh::VirtualService Arn Arn, MeshName, Uid, VirtualServiceName
AWS::AppSync::ApiKey Arn ApiKey, Arn
AWS::AppSync::DataSource Arn DataSourceArn, Name
AWS::AppSync::FunctionConfiguration Arn DataSourceName, FunctionArn, FunctionId, Name
AWS::AppSync::GraphQLApi Arn ApiId, Arn, GraphQLUrl
AWS::AppSync::GraphQLSchema Id
AWS::AppSync::Resolver Arn FieldName, ResolverArn, TypeName
AWS::Athena::NamedQuery Name
AWS::AutoScaling::AutoScalingGroup Name
AWS::AutoScaling::LaunchConfiguration Name
AWS::AutoScaling::LifecycleHook Name
AWS::AutoScaling::ScalingPolicy Arn
AWS::AutoScaling::ScheduledAction Name
AWS::AutoScalingPlans::ScalingPlan Arn
AWS::Backup::BackupPlan Id BackupPlanArn, BackupPlanId, VersionId
AWS::Backup::BackupSelection Id BackupPlanId, SelectionId
AWS::Backup::BackupVault Name BackupVaultArn, BackupVaultName
AWS::Batch::ComputeEnvironment Arn
AWS::Batch::JobDefinition Arn
AWS::Batch::JobQueue Arn
AWS::Budgets::Budget Name
AWS::CertificateManager::Certificate Arn
AWS::CloudFormation::CustomResource
AWS::CloudFormation::Macro Name
AWS::CloudFormation::Stack Id
AWS::CloudFormation::WaitCondition Name Data
AWS::CloudFormation::WaitConditionHandle
AWS::CloudFront::CloudFrontOriginAccessIdentity OriginAccessIdentity S3CanonicalUserId
AWS::CloudFront::Distribution Id DomainName
AWS::CloudFront::StreamingDistribution Id DomainName
AWS::CloudTrail::Trail Name Arn, SnsTopicArn
AWS::CloudWatch::Alarm Name Arn
AWS::CloudWatch::AnomalyDetector
AWS::CloudWatch::Dashboard Name
AWS::CodeBuild::Project Name Arn
AWS::CodeCommit::Repository Id Arn, CloneUrlHttp, CloneUrlSsh, Name
AWS::CodeDeploy::Application Name
AWS::CodeDeploy::DeploymentConfig Name
AWS::CodeDeploy::DeploymentGroup Name
AWS::CodePipeline::CustomActionType Name
AWS::CodePipeline::Pipeline Name Version
AWS::CodePipeline::Webhook Name Url
AWS::Cognito::IdentityPool Id Name
AWS::Cognito::IdentityPoolRoleAttachment Id
AWS::Cognito::UserPool Id Arn, ProviderName, ProviderURL
AWS::Cognito::UserPoolClient Id
AWS::Cognito::UserPoolGroup Name
AWS::Cognito::UserPoolUser Name
AWS::Cognito::UserPoolUserToGroupAttachment Id
AWS::Config::AggregationAuthorization Arn
AWS::Config::ConfigRule Name Arn, Compliance.Type, ConfigRuleId
AWS::Config::ConfigurationAggregator Name
AWS::Config::ConfigurationRecorder Name
AWS::Config::DeliveryChannel Name
AWS::Config::RemediationConfiguration RemediationAction
AWS::DataPipeline::Pipeline Id
AWS::DAX::Cluster Name Arn, ClusterDiscoveryEndpoint
AWS::DAX::ParameterGroup Name
AWS::DAX::SubnetGroup Name
AWS::DLM::LifecyclePolicy Id Arn
AWS::DMS::Certificate Arn
AWS::DMS::Endpoint Arn ExternalId
AWS::DMS::EventSubscription Name
AWS::DMS::ReplicationInstance Arn ReplicationInstancePrivateIpAddresses, ReplicationInstancePublicIpAddresses
AWS::DMS::ReplicationSubnetGroup Name
AWS::DMS::ReplicationTask Arn
AWS::DocDB::DBCluster DBClusterIdentifier ClusterResourceId, Endpoint, Port, ReadEndpoint
AWS::DocDB::DBClusterParameterGroup Name
AWS::DocDB::DBInstance Name Endpoint, Port
AWS::DocDB::DBSubnetGroup Name
AWS::DynamoDB::Table Name Arn, StreamArn
AWS::EC2::CapacityReservation Id AvailabilityZone, AvailableInstanceCount, InstanceType, Tenancy, TotalInstanceCount
AWS::EC2::ClientVpnAuthorizationRule
AWS::EC2::ClientVpnEndpoint Id
AWS::EC2::ClientVpnRoute
AWS::EC2::ClientVpnTargetNetworkAssociation Id
AWS::EC2::CustomerGateway Id
AWS::EC2::DHCPOptions Name
AWS::EC2::EC2Fleet Id
AWS::EC2::EgressOnlyInternetGateway Id
AWS::EC2::EIP ElasticIpAddress AllocationId
AWS::EC2::EIPAssociation Name
AWS::EC2::FlowLog Id
AWS::EC2::Host Id
AWS::EC2::Instance Id AvailabilityZone, PrivateDnsName, PrivateIp, PublicDnsName, PublicIp
AWS::EC2::InternetGateway Name
AWS::EC2::LaunchTemplate Id DefaultVersionNumber, LatestVersionNumber
AWS::EC2::NatGateway Name
AWS::EC2::NetworkAcl Name
AWS::EC2::NetworkAclEntry Name
AWS::EC2::NetworkInterface Name PrimaryPrivateIpAddress, SecondaryPrivateIpAddresses
AWS::EC2::NetworkInterfaceAttachment Name
AWS::EC2::NetworkInterfacePermission Name
AWS::EC2::PlacementGroup Name
AWS::EC2::Route Id
AWS::EC2::RouteTable Id
AWS::EC2::SecurityGroup Name GroupId, VpcId
AWS::EC2::SecurityGroupEgress RuleName
AWS::EC2::SecurityGroupIngress
AWS::EC2::SpotFleet Id
AWS::EC2::Subnet Id AvailabilityZone, Ipv6CidrBlocks, NetworkAclAssociationId, VpcId
AWS::EC2::SubnetCidrBlock CidrBlock
AWS::EC2::SubnetNetworkAclAssociation Id AssociationId
AWS::EC2::SubnetRouteTableAssociation Id
AWS::EC2::TransitGateway Id
AWS::EC2::TransitGatewayAttachment Name
AWS::EC2::TransitGatewayRoute Name
AWS::EC2::TransitGatewayRouteTable Name
AWS::EC2::TransitGatewayRouteTableAssociation Id
AWS::EC2::TransitGatewayRouteTablePropagation RouteTableId
AWS::EC2::Volume Name
AWS::EC2::VolumeAttachment
AWS::EC2::VPC Id CidrBlock, CidrBlockAssociations, DefaultNetworkAcl, DefaultSecurityGroup, Ipv6CidrBlocks
AWS::EC2::VPCCidrBlock CidrBlock
AWS::EC2::VPCDHCPOptionsAssociation Id
AWS::EC2::VPCEndpoint Id CreationTimestamp, DnsEntries, NetworkInterfaceIds
AWS::EC2::VPCEndpointConnectionNotification Id
AWS::EC2::VPCEndpointService Id
AWS::EC2::VPCEndpointServicePermissions Id
AWS::EC2::VPCGatewayAttachment Id
AWS::EC2::VPCPeeringConnection Id
AWS::EC2::VPNConnection Id
AWS::EC2::VPNConnectionRoute Id
AWS::EC2::VPNGateway Id
AWS::EC2::VPNGatewayRoutePropagation VpnGatewayId
AWS::ECR::Repository Name Arn
AWS::ECS::Cluster Name Arn
AWS::ECS::Service Arn Name
AWS::ECS::TaskDefinition Arn
AWS::EFS::FileSystem Id
AWS::EFS::MountTarget Id IpAddress
AWS::EKS::Cluster Name Arn, CertificateAuthorityData, Endpoint
AWS::ElastiCache::CacheCluster Name ConfigurationEndpoint.Address, ConfigurationEndpoint.Port, RedisEndpoint.Address, RedisEndpoint.Port
AWS::ElastiCache::ParameterGroup Name
AWS::ElastiCache::ReplicationGroup Name ConfigurationEndPoint.Address, ConfigurationEndPoint.Port, PrimaryEndPoint.Address, PrimaryEndPoint.Port, ReadEndPoint.Addresses, ReadEndPoint.Addresses.List, ReadEndPoint.Ports, ReadEndPoint.Ports.List
AWS::ElastiCache::SecurityGroup Name
AWS::ElastiCache::SecurityGroupIngress Name
AWS::ElastiCache::SubnetGroup Name
AWS::ElasticBeanstalk::Application Name
AWS::ElasticBeanstalk::ApplicationVersion Name
AWS::ElasticBeanstalk::ConfigurationTemplate Name
AWS::ElasticBeanstalk::Environment Name EndpointURL
AWS::ElasticLoadBalancing::LoadBalancer Name CanonicalHostedZoneName, CanonicalHostedZoneNameID, DNSName, SourceSecurityGroup.GroupName, SourceSecurityGroup.OwnerAlias
AWS::ElasticLoadBalancingV2::Listener Arn
AWS::ElasticLoadBalancingV2::ListenerCertificate
AWS::ElasticLoadBalancingV2::ListenerRule Arn
AWS::ElasticLoadBalancingV2::LoadBalancer Arn CanonicalHostedZoneID, DNSName, LoadBalancerFullName, LoadBalancerName, SecurityGroups
AWS::ElasticLoadBalancingV2::TargetGroup Arn LoadBalancerArns, TargetGroupFullName, TargetGroupName
AWS::Elasticsearch::Domain Name Arn, DomainArn, DomainEndpoint
AWS::EMR::Cluster Id MasterPublicDNS
AWS::EMR::InstanceFleetConfig InstanceFleetId
AWS::EMR::InstanceGroupConfig InstanceGroupId
AWS::EMR::SecurityConfiguration Name
AWS::EMR::Step Id
AWS::Events::EventBus Name Arn, Name, Policy
AWS::Events::EventBusPolicy Id
AWS::Events::Rule Id Arn
AWS::Glue::Classifier Name
AWS::Glue::Connection Name
AWS::Glue::Crawler Name
AWS::Glue::Database Name
AWS::Glue::DataCatalogEncryptionSettings
AWS::Glue::DevEndpoint Name
AWS::Glue::Job Name
AWS::Glue::Partition Name
AWS::Glue::SecurityConfiguration
AWS::Glue::Table Name
AWS::Glue::Trigger Name
AWS::GuardDuty::Detector Id
AWS::GuardDuty::Filter Name
AWS::GuardDuty::IPSet Id
AWS::GuardDuty::Master AccountId
AWS::GuardDuty::Member AccountId
AWS::GuardDuty::ThreatIntelSet Id
AWS::IAM::AccessKey AccessKeyId SecretAccessKey
AWS::IAM::Group Name Arn
AWS::IAM::InstanceProfile Name Arn
AWS::IAM::ManagedPolicy Arn
AWS::IAM::Policy Name
AWS::IAM::Role Name Arn, RoleId
AWS::IAM::ServiceLinkedRole
AWS::IAM::User UserName Arn
AWS::IAM::UserToGroupAddition Name
AWS::Inspector::AssessmentTarget Arn
AWS::Inspector::AssessmentTemplate Arn
AWS::Inspector::ResourceGroup Arn
AWS::IoT::Certificate Id Arn
AWS::IoT::Policy Name Arn
AWS::IoT::PolicyPrincipalAttachment
AWS::IoT::Thing Name
AWS::IoT::ThingPrincipalAttachment
AWS::IoT::TopicRule Name Arn
AWS::IoT1Click::Device Arn Arn, DeviceId, Enabled
AWS::IoT1Click::Placement Id PlacementName, ProjectName
AWS::IoT1Click::Project Arn Arn, ProjectName
AWS::IoTAnalytics::Channel
AWS::IoTAnalytics::Dataset
AWS::IoTAnalytics::Datastore
AWS::IoTAnalytics::Pipeline
AWS::IoTEvents::DetectorModel Name
AWS::IoTEvents::Input Name
AWS::IoTThingsGraph::FlowTemplate Urn
AWS::Kinesis::Stream Name Arn
AWS::Kinesis::StreamConsumer ConsumerArn ConsumerARN, ConsumerCreationTimestamp, ConsumerName, ConsumerStatus, StreamARN
AWS::KinesisAnalytics::Application
AWS::KinesisAnalytics::ApplicationOutput
AWS::KinesisAnalytics::ApplicationReferenceDataSource
AWS::KinesisAnalyticsV2::Application
AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption
AWS::KinesisAnalyticsV2::ApplicationOutput
AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource
AWS::KinesisFirehose::DeliveryStream Name Arn
AWS::KMS::Alias Name
AWS::KMS::Key Id Arn
AWS::Lambda::Alias Arn
AWS::Lambda::EventSourceMapping Name
AWS::Lambda::Function Name Arn
AWS::Lambda::LayerVersion Arn
AWS::Lambda::LayerVersionPermission Arn
AWS::Lambda::Permission
AWS::Lambda::Version Arn Version
AWS::Logs::Destination Name Arn
AWS::Logs::LogGroup Name Arn
AWS::Logs::LogStream Name
AWS::Logs::MetricFilter
AWS::Logs::SubscriptionFilter Name
AWS::RDS::DBCluster Name Endpoint.Address, Endpoint.Port, ReadEndpoint.Address
AWS::RDS::DBClusterParameterGroup Name
AWS::RDS::DBInstance Name Endpoint.Address, Endpoint.Port
AWS::RDS::DBParameterGroup Name
AWS::RDS::DBSecurityGroup Name
AWS::RDS::DBSecurityGroupIngress DBSecurityGroup
AWS::RDS::DBSubnetGroup Name
AWS::RDS::EventSubscription Name
AWS::RDS::OptionGroup Name
AWS::Route53::HealthCheck HealthCheckId
AWS::Route53::HostedZone HostedZoneId NameServers
AWS::Route53::RecordSet DomainName
AWS::Route53::RecordSetGroup Name
AWS::Route53Resolver::ResolverEndpoint ResolverEndpoint Arn, Direction, HostVPCId, IpAddressCount, Name, ResolverEndpointId
AWS::Route53Resolver::ResolverRule ResolverRule Arn, DomainName, ResolverEndpointId, ResolverRuleId, TargetIps
AWS::Route53Resolver::ResolverRuleAssociation ResolverRuleAssociationId Name, ResolverRuleAssociationId, ResolverRuleId, VPCId
AWS::S3::Bucket Name Arn, DomainName, DualStackDomainName, RegionalDomainName, WebsiteURL
AWS::SageMaker::CodeRepository Arn CodeRepositoryName
AWS::SageMaker::Endpoint Arn EndpointName
AWS::SageMaker::EndpointConfig Arn EndpointConfigName
AWS::SageMaker::Model Arn ModelName
AWS::SageMaker::NotebookInstance Arn NotebookInstanceName
AWS::SageMaker::NotebookInstanceLifecycleConfig Arn NotebookInstanceLifecycleConfigName
AWS::SecretsManager::ResourcePolicy Arn
AWS::SecretsManager::RotationSchedule Arn
AWS::SecretsManager::Secret Arn
AWS::SecretsManager::SecretTargetAttachment Arn
AWS::ServiceDiscovery::HttpNamespace Id Arn, Id
AWS::ServiceDiscovery::Instance Id
AWS::ServiceDiscovery::PrivateDnsNamespace Id Arn, Id
AWS::ServiceDiscovery::PublicDnsNamespace Id Arn, Id
AWS::ServiceDiscovery::Service Id Arn, Id, Name
AWS::SES::ConfigurationSet Name
AWS::SES::ConfigurationSetEventDestination
AWS::SES::ReceiptFilter
AWS::SES::ReceiptRule Name
AWS::SES::ReceiptRuleSet Name
AWS::SES::Template
AWS::SNS::Topic Arn TopicName
AWS::SQS::Queue QueueURL Arn, QueueName
AWS::SSM::Association
AWS::SSM::Document Name
AWS::SSM::MaintenanceWindow Id
AWS::SSM::MaintenanceWindowTarget Id
AWS::SSM::MaintenanceWindowTask Id
AWS::SSM::Parameter Name Type, Value
AWS::SSM::PatchBaseline Id
AWS::SSM::ResourceDataSync Name
AWS::StepFunctions::Activity Arn Name
AWS::StepFunctions::StateMachine Arn Name
AWS::Transfer::Server Id Arn, ServerId
AWS::Transfer::User UserName Arn, ServerId, UserName
AWS::WAF::ByteMatchSet Id
AWS::WAF::IPSet Id
AWS::WAF::Rule Id
AWS::WAF::SizeConstraintSet Id
AWS::WAF::SqlInjectionMatchSet Id
AWS::WAF::WebACL Name
AWS::WAF::XssMatchSet Id
AWS::WAFRegional::ByteMatchSet Id
AWS::WAFRegional::GeoMatchSet Id
AWS::WAFRegional::IPSet Id
AWS::WAFRegional::RateBasedRule Id
AWS::WAFRegional::RegexPatternSet Id
AWS::WAFRegional::Rule Id
AWS::WAFRegional::SizeConstraintSet Id
AWS::WAFRegional::SqlInjectionMatchSet Id
AWS::WAFRegional::WebACL Name
AWS::WAFRegional::WebACLAssociation