Validates CloudFormation templates using AWS CLI for syntax, cfn-lint for linting and best practices, and manual reviews for IAM policies, security groups, and dependencies.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cloudformation-toolkit:template-validatorThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Validate CloudFormation templates for syntax errors, security issues, and adherence to best practices before deployment.
Validate CloudFormation templates for syntax errors, security issues, and adherence to best practices before deployment.
# Basic validation
aws cloudformation validate-template \
--template-body file://template.yaml
# Validation with parameters
aws cloudformation validate-template \
--template-body file://template.yaml \
--parameters ParameterKey=Param1,ParameterValue=Value1
Check for:
# Install cfn-lint
pip install cfn-lint
# Validate template
cfn-lint template.yaml
# Validate with specific rules
cfn-lint template.yaml --ignore-checks W
# Output as JSON
cfn-lint template.yaml --format json
cfn-lint checks:
Check IAM policies:
# Review for overly permissive policies
Resources:
Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: AppPolicy
PolicyDocument:
Statement:
# Avoid wildcards
- Effect: Allow
Action: s3:* # Too permissive!
Resource: '*' # Too broad!
Better approach:
Policies:
- PolicyName: AppPolicy
PolicyDocument:
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
Resource: !Sub '${MyBucket.Arn}/*'
Check security groups:
# Avoid open access
Resources:
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
SecurityGroupIngress:
# Don't allow 0.0.0.0/0 for SSH
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0 # Security risk!
Better approach:
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 10.0.0.0/8 # Restrict to internal network
Verify DependsOn usage:
Resources:
# Explicit dependency needed
Instance:
Type: AWS::EC2::Instance
DependsOn: InternetGatewayAttachment
Properties:
# ...
# Implicit dependency via Ref
SecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref SecurityGroup # Implicit dependency
Check for circular dependencies:
Use specific resource names:
# Good
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
# Avoid generic names
Resources:
SecurityGroup1:
Type: AWS::EC2::SecurityGroup
Add descriptions:
AWSTemplateFormatVersion: '2010-09-09'
Description: Web application infrastructure with ALB and Auto Scaling
Parameters:
InstanceType:
Type: String
Description: EC2 instance type for web servers
Use tags:
Resources:
Instance:
Type: AWS::EC2::Instance
Properties:
Tags:
- Key: Name
Value: !Sub '${AWS::StackName}-WebServer'
- Key: Environment
Value: !Ref Environment
- Key: ManagedBy
Value: CloudFormation
Valid YAML structure:
AWSTemplateFormatVersion: '2010-09-09'
Description: Template description
Parameters:
# Parameters section
Resources:
# Resources section (required)
Outputs:
# Outputs section
Intrinsic functions:
# Correct
Value: !Ref MyResource
Value: !GetAtt MyResource.Attribute
Value: !Sub '${MyResource}'
# Incorrect
Value: Ref: MyResource # Wrong syntax
Value: !GetAtt MyResource # Missing attribute
IAM policies:
Security groups:
Encryption:
Required properties:
Resources:
Bucket:
Type: AWS::S3::Bucket
Properties:
# BucketName is optional but recommended
BucketName: !Sub '${AWS::StackName}-bucket'
Valid property values:
Resources:
Instance:
Type: AWS::EC2::Instance
Properties:
InstanceType: t3.micro # Must be valid instance type
ImageId: ami-12345678 # Must be valid AMI ID
# Validate template
aws cloudformation validate-template \
--template-body file://template.yaml
# Create change set (validates before applying)
aws cloudformation create-change-set \
--stack-name my-stack \
--change-set-name my-changes \
--template-body file://template.yaml
# Describe change set
aws cloudformation describe-change-set \
--stack-name my-stack \
--change-set-name my-changes
# Basic validation
cfn-lint template.yaml
# Ignore warnings
cfn-lint template.yaml --ignore-checks W
# Specific regions
cfn-lint template.yaml --regions us-east-1 us-west-2
# Custom rules
cfn-lint template.yaml --append-rules custom-rules/
# Install cfn-nag
gem install cfn-nag
# Scan template
cfn_nag_scan --input-path template.yaml
# Scan with rules
cfn_nag_scan --input-path template.yaml --deny-list-path rules.txt
# Install taskcat
pip install taskcat
# Test template
taskcat test run
# Configuration in .taskcat.yml
project:
name: my-project
regions:
- us-east-1
- us-west-2
tests:
default:
template: template.yaml
parameters:
InstanceType: t3.micro
Template structure:
Parameters:
Resources:
Security:
Outputs:
Best practices:
For detailed information, see:
npx claudepluginhub p/armanzeroeight-cloudformation-toolkit-plugins-cloudformation-toolkitAuthors, validates, and troubleshoots AWS CloudFormation templates with secure defaults, cfn-lint/cfn-guard validation, and stack failure diagnosis via CloudFormation events and CloudTrail.
Optimizes CloudFormation templates, designs nested stacks, detects drift, and applies production-ready patterns. Use when writing or reviewing CF templates.
Builds well-architected AWS infrastructure with CDK and CloudFormation using docs, samples, cfn-lint validation, cfn-guard compliance, best practices, and troubleshooting. Use for CDK, CloudFormation, cfn-lint, cfn-guard, AWS IaC.