Lint CloudFormation JSON templates for missing DeletionPolicy, hardcoded IDs, open security groups, invalid refs, and score 0-100.
Last verified: April 2026
Always set DeletionPolicy and UpdateReplacePolicy on stateful resources such as RDS instances, DynamoDB tables, and S3 buckets. Use Retain, or Snapshot where the resource type supports it (RDS instances and clusters, EBS volumes, Redshift and ElastiCache clusters). DeletionPolicy covers stack deletion; UpdateReplacePolicy covers updates that force a replacement, where the old resource is otherwise deleted once the new one is created. Setting only one of the two leaves the other path open to data loss.
Never expose SSH (22), RDP (3389), or database ports (for example 3306, 5432, 1433) to 0.0.0.0/0 or ::/0; restrict ingress to known CIDRs or to another security group, or reach instances through SSM Session Manager instead of opening inbound ports at all. Set NoEcho: true on password parameters so the value is masked in the console and in API responses, but remember that NoEcho does not protect a value that is copied into an Output or into resource Metadata. Avoid hardcoding secrets in templates; store them in AWS Secrets Manager or SSM Parameter Store (SecureString) and pull them in with a dynamic reference such as {{resolve:secretsmanager:...}} or {{resolve:ssm-secure:...}}.
Include a Description so readers know what the stack is for. Use Outputs (with Export where another stack consumes the value) for cross-stack references instead of copying resource IDs between templates. Keep templates under roughly 50 resources (the hard limit is 500 per template) and use nested stacks for larger architectures. Tag all resources for cost tracking and ownership.
Avoid hardcoding account IDs, region names, and AMI IDs. Use pseudo parameters such as AWS::AccountId, AWS::Region, and AWS::Partition when building ARNs so the template works in any account, region, or partition. For AMI IDs, read the current image from SSM Parameter Store (for example a parameter of type AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>), or use a Mappings table keyed by AWS::Region with Fn::FindInMap for multi-region deployments.
The linter parses the CloudFormation template (JSON or YAML) into a tree, then runs a series of validation rules against it. Rules check for the required Resources section and the recommended AWSTemplateFormatVersion, validate resource type names against the CloudFormation resource specification, verify required properties per resource type, flag stateful resources without a DeletionPolicy, confirm that every Ref and Fn::GetAtt points at a parameter, pseudo parameter, or resource defined in the template, and detect common anti-patterns such as hardcoded credentials or circular dependencies between resources.
The CloudFormation Template Linter analyzes your AWS CloudFormation templates for syntax errors, missing required fields, and deviations from best practices. It checks resource type validity, required property presence, parameter and output structure, and flags common mistakes such as circular dependencies or a missing DependsOn where one resource needs another that it does not reference through Ref or Fn::GetAtt. The linter runs entirely in your browser and groups findings by category and severity so you can prioritize fixes before deploying to AWS.
A junior engineer submits a pull request with a CloudFormation template for a new RDS PostgreSQL instance. You paste it into the linter and it flags three issues: no DeletionPolicy on the RDS instance (data loss risk), a master password written directly into the Properties (a secret committed to source control), and a Ref to a security group logical ID that is not defined in the template (the stack would fail validation at deploy time). The engineer fixes all three before deployment, avoiding a potential data loss incident and a security audit finding.
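As an added example (not this page's tool, and not code from the page), here is a minimal Python linter that implements a subset of the checks described above and reproduces the pull-request scenario: the required Resources section, missing DeletionPolicy and UpdateReplacePolicy on stateful types, NoEcho on password parameters, a literal master password, security group ingress from 0.0.0.0/0 or ::/0 on sensitive ports, hardcoded AMI IDs, Ref or Fn::GetAtt to an undefined logical name, and circular dependencies. It expects an already-parsed template (the output of json.loads, or of a YAML loader that understands short-form tags such as !Ref; plain yaml.safe_load rejects them). The stateful type list, the port list, the scoring weights and the constructed sample template with its placeholder values are all assumptions for illustration.

```python
# Added example, not this page's tool: a minimal CloudFormation linter covering a subset of
# the checks described above. The scoring weights and the sample template are assumptions.
import re

STATEFUL = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::DynamoDB::Table", "AWS::S3::Bucket"}
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}  # SSH, RDP, MSSQL, MySQL, PostgreSQL
AMI_RE = re.compile(r"^ami-[0-9a-f]{8,17}$")
PSEUDO = {"AWS::AccountId", "AWS::Region", "AWS::StackName", "AWS::StackId", "AWS::Partition", "AWS::NoValue"}


def walk(node):
    """Depth-first generator over every node of the parsed template tree."""
    yield node
    for kid in (node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()):
        yield from walk(kid)


def logical_refs(node):
    """Logical names targeted by Ref or Fn::GetAtt anywhere under node."""
    dicts = [x for x in walk(node) if isinstance(x, dict)]
    refs = {d["Ref"] for d in dicts if isinstance(d.get("Ref"), str)}
    atts = {d["Fn::GetAtt"][0] for d in dicts if isinstance(d.get("Fn::GetAtt"), list) and d["Fn::GetAtt"]}
    return refs | atts


def has_cycle(graph):
    """True if the dependency graph (name -> set of names) contains a cycle (DFS colouring)."""
    state = {}  # 1 = on the current DFS path, 2 = fully explored
    def visit(n):
        state[n] = 1
        if any(state.get(m) == 1 or (m not in state and visit(m)) for m in graph.get(n, ())):
            return True
        state[n] = 2
        return False
    return any(n not in state and visit(n) for n in graph)


def lint(template):
    """Return (severity, logical_id, message) findings for a parsed template dict."""
    f = []
    if "AWSTemplateFormatVersion" not in template:
        f.append(("WARN", "Template", "missing AWSTemplateFormatVersion"))
    resources, params = template.get("Resources"), template.get("Parameters", {})
    if not isinstance(resources, dict) or not resources:
        return f + [("ERROR", "Template", "Resources section missing or empty")]
    for pname, p in params.items():  # password-like parameters must be masked
        if "password" in pname.lower() and str(p.get("NoEcho", "")).lower() != "true":
            f.append(("WARN", pname, "password parameter without NoEcho: true"))
    known, graph = set(resources) | set(params) | PSEUDO, {}
    for name, res in resources.items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype in STATEFUL:  # stateful resources need both policies set
            for pol in ("DeletionPolicy", "UpdateReplacePolicy"):
                if res.get(pol) not in ("Retain", "Snapshot"):
                    f.append(("ERROR", name, f"stateful resource without {pol}: Retain/Snapshot"))
        pw = props.get("MasterUserPassword")  # a literal secret; dynamic references are fine
        if isinstance(pw, str) and not pw.startswith("{{resolve:"):
            f.append(("ERROR", name, "hardcoded MasterUserPassword; use a NoEcho parameter or {{resolve:...}}"))
        if rtype == "AWS::EC2::SecurityGroup":  # sensitive ports open to the world
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
                if cidr in ("0.0.0.0/0", "::/0") and (str(rule.get("IpProtocol")) == "-1"
                                                       or any(lo <= p <= hi for p in SENSITIVE_PORTS)):
                    f.append(("ERROR", name, f"ingress {lo}-{hi} open to {cidr}"))
        for n in walk(props):  # hardcoded AMI IDs anywhere in the properties
            if isinstance(n, str) and AMI_RE.match(n):
                f.append(("WARN", name, f"hardcoded AMI {n}; use an SSM parameter or Mappings"))
        dep = res.get("DependsOn", [])  # explicit plus implicit (Ref/GetAtt) dependencies
        deps = logical_refs(res) | set([dep] if isinstance(dep, str) else dep)
        f += [("ERROR", name, f"reference to undefined logical name {d!r}") for d in sorted(deps - known)]
        graph[name] = deps & set(resources)
    if has_cycle(graph):
        f.append(("ERROR", "Template", "circular dependency between resources"))
    return f


def score(findings):  # assumed weighting: 100 minus 10 per ERROR and 3 per WARN, floored at 0
    return max(0, 100 - sum(10 if sev == "ERROR" else 3 for sev, _, _ in findings))


# Constructed sample (placeholder values, not a real stack) exhibiting several of the issues above.
SAMPLE = {
    "Parameters": {"DBPassword": {"Type": "String"}},
    "Resources": {
        "DbSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "db",
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "0.0.0.0/0"}]}},
        "Database": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "postgres", "DBInstanceClass": "db.t3.micro", "AllocatedStorage": "20",
            "MasterUsername": "admin", "MasterUserPassword": "Sup3rSecret!",  # placeholder literal
            "VPCSecurityGroups": [{"Fn::GetAtt": ["DbSecurityGroup", "GroupId"]}], "DBSubnetGroupName": {"Ref": "DbSubnets"}}},
        "Bastion": {"Type": "AWS::EC2::Instance", "DependsOn": "Database",
                    "Properties": {"ImageId": "ami-0123456789abcdef0", "InstanceType": "t3.micro"}},
    },
}

if __name__ == "__main__":
    findings = lint(SAMPLE)
    print(*(f"[{s}] {w}: {m}" for s, w, m in findings), f"score: {score(findings)}", sep="\n")
```

Run stand-alone, it prints eight findings for the sample (five errors, three warnings) and a score of 41. The dependency graph merges the implicit edges from Ref and Fn::GetAtt with explicit DependsOn, which is how CloudFormation itself orders resources, so the cycle check also catches loops that only exist across the two mechanisms. A literal that starts with {{resolve: is deliberately not flagged as a hardcoded password, because a dynamic reference is the recommended fix.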
CloudFormation drift detection is separate from linting but just as important. A template can pass every check and still differ from what is actually deployed. Run drift detection regularly on production stacks (monthly at a minimum, and before any risky update) to catch manual console changes that bypass IaC. Drift is a hazard for the next stack update: CloudFormation applies the difference between the old and new templates without looking at the live resource, so an update can silently overwrite a manual fix nobody recorded, or fail because the resource is no longer in the state CloudFormation expects.
Always set DeletionPolicy: Retain (or Snapshot where the type supports it) together with UpdateReplacePolicy on stateful resources such as RDS instances, DynamoDB tables, and S3 buckets. Without an explicit policy most resource types default to Delete, so deleting the stack, or an update that forces replacement of the resource, destroys the data. Do not rely on the exceptions (a standalone RDS instance defaults to Snapshot, and a non-empty S3 bucket fails to delete rather than being emptied); an explicit policy is the single most important CloudFormation best practice the linter checks for.
Avoid hardcoding AMI IDs in your templates. Declare a parameter of type AWS::SSM::Parameter::Value<AWS::EC2::Image::Id> whose default is the public SSM path of the image you want (the Amazon Linux images live under /aws/service/ami-amazon-linux-latest/), so the current AMI for the deployment region is resolved at stack create or update time, or use Mappings keyed by AWS::Region with Fn::FindInMap for region-specific AMIs. A hardcoded AMI ID is region-specific, so the template breaks when you deploy to a new region, and it pins an image that stops receiving patches, so new instances keep launching from an increasingly outdated baseline.
cfn-lint is a CLI tool you install and run locally, and typically in CI. This is a browser-based linter that gives instant feedback without installation. It covers similar checks for syntax, required fields, and best practices, which makes it convenient for quick validation or when cfn-lint is not installed; for pipeline gating, keep cfn-lint, which validates against the full published resource specification.
The linter validates only the template you paste. If that template references nested stacks via AWS::CloudFormation::Stack, it checks the properties of that resource but cannot fetch the TemplateURL to validate the child template itself. Paste each nested template separately for full coverage.
The linter recognizes standard CloudFormation syntax. AWS SAM templates declare Transform: AWS::Serverless-2016-10-31 and use additional resource types such as AWS::Serverless::Function, which are expanded into plain CloudFormation at deploy time. Basic structural checks still apply, but SAM-specific validations (for example the required properties of AWS::Serverless::* types) may not be fully covered.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.