# CloudFormation Ingest Guidelines, Best Practices, and Limitations
<a name="cfn-author-templates"></a>

For AMS to process your CloudFormation template, there are some guidelines and restrictions.

## Guidelines
<a name="cfn-ingest-tips"></a>

To reduce CloudFormation errors while performing CloudFormation ingest, follow these guidelines:
+ **Don't embed credentials or other sensitive information in the template** – The template is visible in the CloudFormation console, so it must not contain credentials or other sensitive data. The following resource properties are allowed only if their value is supplied through AWS Secrets Manager:
  + `AWS::RDS::DBInstance` - [MasterUserPassword,TdeCredentialPassword]
  + `AWS::RDS::DBCluster` - [MasterUserPassword]
  + `AWS::ElastiCache::ReplicationGroup` - [AuthToken]
**Note**  
For information about using an AWS Secrets Manager secret in a resource property, see [How to create and retrieve secrets managed in AWS Secrets Manager using AWS CloudFormation templates](https://aws.amazon.com/blogs/security/how-to-create-and-retrieve-secrets-managed-in-aws-secrets-manager-using-aws-cloudformation-template/) and [Using Dynamic References to Specify Template Values](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html).
+ **Use Amazon RDS snapshots to create RDS DB instances** – By doing this you avoid having to provide a MasterUserPassword.
+ **IAM instance profile names must be prefixed with 'customer'** – If the template you submit contains an IAM instance profile, its name must be prefixed with 'customer'. For example, an instance profile named 'example-instance-profile' causes a failure; use 'customer-example-instance-profile' instead.
+ **Don't include any sensitive data in `AWS::EC2::Instance`** – [UserData]. UserData must not contain passwords, API keys, or any other sensitive data. Data of this kind can be encrypted, stored in an S3 bucket, and downloaded onto the instance by the UserData script.
+ **IAM policy creation using CloudFormation templates is supported with constraints** – IAM policies have to be reviewed and approved by AMS SecOps. Currently, AMS only supports deploying IAM roles with inline policies that contain pre-approved permissions. In other cases, IAM policies can't be created using CloudFormation templates, because that would bypass the AMS SecOps review process.
+ **SSH KeyPairs aren't supported** – Amazon EC2 instances must be accessed through the AMS access management system. The AMS RFC process authenticates you. You cannot include SSH keypairs in CloudFormation templates because you don't have the permissions to create SSH keypairs and override the AMS access management model. 
+ **Security Group ingress rules are restricted** – You can't have a source CIDR range from 0.0.0.0/0, or a publicly routable address space, with a TCP port that is anything other than 80 or 443.
+ **Follow CloudFormation guidelines when writing CloudFormation resource templates** – Ensure that you use the right data type/property name for the resource by referring to the *AWS CloudFormation User Guide* for that resource. For example, the data type of SecurityGroupIds property in an AWS::EC2::Instance resource is 'List of String values', so ["sg-aaaaaaaa"] is ok (with brackets), but "sg-aaaaaaaa" is not (without brackets).

  For more information, see [AWS Resource and Property Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html).
+ **Configure your custom CloudFormation templates to use parameters defined in the AMS CloudFormation ingest CT** – When you configure your CloudFormation template to use parameters defined in the AMS CloudFormation ingest CT, you can reuse the CloudFormation template to create similar stacks by submitting it with changed parameter values in the CT input with the Management | Custom stack | Stack from CloudFormation template | Update CT (ct-361tlo1k7339x). For an example, see [CloudFormation Ingest examples: Defining resources](cfn-ingest-ex-define-resource.md).
+ **Amazon S3 bucket endpoints with a presigned URL can't be expired** – If you are using an Amazon S3 bucket endpoint with a presigned URL, verify that the presigned Amazon S3 URL isn't expired. A CloudFormation ingest RFC submitted with an expired presigned Amazon S3 bucket URL is rejected.
+ **Wait Condition requires signal logic** – A Wait Condition coordinates stack resource creation with configuration actions that happen outside of the stack creation. If you use the Wait Condition resource in the template, CloudFormation waits for success signals and marks stack creation as failed if the required number of success signals isn't received. Your template or bootstrap logic must therefore send the signal whenever you use a Wait Condition resource. For more information, see [Creating Wait Conditions in a Template](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-waitcondition.html).

# Best Practices
<a name="cfn-ingest-best-practices"></a>

Following are some best practices you can use to migrate resources using the AMS CloudFormation ingest process:
+ **Submit IAM and other policy-related resources in one CT** – If you can use automated CTs such as CloudFormation Ingest to deploy IAM roles, we recommend you do so. In other cases, AMS recommends that you gather all IAM or other policy-related resources and submit them in a single Management | Other | Other | Create change type (ct-1e1xtak34nx76). For example, combine all needed IAM roles, IAM Amazon EC2 instance profiles, IAM policy updates for existing IAM roles, Amazon S3 bucket policies, Amazon SNS/Amazon SQS policies, and so forth, and submit a ct-1e1xtak34nx76 RFC so that these pre-existing resources can simply be referenced inside the future CloudFormation ingest templates.
+ **EC2 instances are bootstrapped and successfully joined to the domain** – This is done automatically as a best practice. To ensure that the Amazon EC2 instances launched via a CloudFormation ingest stack are bootstrapped and join the domain successfully, AMS adds a CreationPolicy and an UpdatePolicy to each Auto Scaling group resource if these policies don't already exist.
+ **Amazon RDS DB instance parameter must be specified** – When creating an Amazon RDS database via CloudFormation ingest, you must specify the `DBSnapshotIdentifier` parameter in order to restore from a previous DB snapshot. This is required because CloudFormation ingest does not currently handle sensitive data such as a master user password.

For an example of how to use a CloudFormation template for AMS CloudFormation template ingest, see [CloudFormation Ingest: Examples](cfn-ingest-examples.md).

# Template validation
<a name="cfn-ingest-validate"></a>

You can self-validate your CloudFormation template before submitting it to AMS.

Templates submitted to AMS CloudFormation ingest are validated to ensure they are safe to deploy within an AMS account. The validation process checks the following:
+ **Supported resources** – Only AMS CloudFormation ingest-supported resources are used. For more information, see [Supported Resources](cfn-ingest-supp-services.md).
+ **Supported AMIs** – The AMI in the template is an AMS-supported AMI. For information about AMS AMIs, see [AMS Amazon Machine Images (AMIs)](ams-amis.md).
+ **AMS Shared Services subnet** – The template does not attempt to launch resources into the AMS Shared Services subnet.
+ **Resource policies** – There are no overly permissive resource policies, such as a publicly readable or writeable S3 bucket policy. AMS doesn't allow publicly readable or writable S3 buckets in AWS accounts.

## Validate with CloudFormation Linter
<a name="cfn-ingest-validate-linter"></a>

You can self-validate your CloudFormation template before submitting it to AMS by using the CloudFormation Linter tool.

The CloudFormation Linter tool is the best way to validate your CloudFormation template as it provides validation for resource/property names, data types, and functions. For more information, see [aws-cloudformation/cfn-python-lint](https://github.com/aws-cloudformation/cfn-python-lint).

For example, for a template that declares an invalid `Name` property on an `AWS::SNS::Topic` resource, the CloudFormation Linter output looks like this:

```
$ cfn-lint -t ./testtmpl.json
E3002 Invalid Property Resources/SNSTopic/Properties/Name
./testtmpl.json:6:9
```

To assist with offline validation of CloudFormation templates, AMS has developed a set of pluggable custom validation rules for the CloudFormation Linter tool. They're located on the **Developers Resources** page of the AMS console.

Follow these steps to use CloudFormation pre-ingestion validation scripts:

1. Install the CloudFormation Linter tool. For installation instructions, see [aws-cloudformation/cfn-lint](https://github.com/aws-cloudformation/cfn-python-lint).

1. Download a .zip file with validation scripts:

    [CFN Lint Custom Rules](https://github.com/awslabs/aws-managed-services/tree/main/cfn-lint-custom-rules).

1. Unzip the attached rules to a directory of your choice.

1. Validate your CloudFormation template by running the following command:

   ```
   cfn-lint --template {TEMPLATE_FILE} --append-rules {DIRECTORY_WITH_CUSTOM_RULES}
   ```

# CloudFormation ingest stack: CFN validator examples
<a name="ex-cfn-ingest-validator"></a>

These examples can help you prepare your template for a successful ingest.

## Format validation
<a name="cfn-validator-templates"></a>

Validate that the template contains a "Resources" section, and all resources defined under it have a "Type" value.

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description" : "Create a SNS topic",
  "Resources": {
    "SnsTopic": {
      "Type": "AWS::SNS::Topic"
    }
  }
}
```

Validate that the root keys of the template are allowed. Allowed root keys are:

```
[
  "AWSTemplateFormatVersion",  
  "Description",  
  "Mappings",  
  "Parameters",  
  "Conditions",  
  "Resources",  
  "Rules",  
  "Outputs",  
  "Metadata"
]
```

## Manual Managed Automation validation
<a name="cfn-validator-ex-man"></a>

If the template contains the following resources, automatic validation fails and you'll need a manual review.

The policies shown here are high-risk areas from a security standpoint. For example, an S3 bucket policy that allows anyone other than specific users or groups to create objects, or that grants write permissions, is extremely dangerous. AMS therefore reviews these policies and approves or denies them based on their contents; such policies can't be auto-created. We are investigating possible approaches to address this issue.

We currently don’t have automated validation around the following resources.

```
[
    "S3::BucketPolicy",
    "SNS::TopicPolicy",
    "SQS::QueuePolicy"
]
```

## Parameter validation
<a name="cfn-validator-examples-param"></a>

Validate that every template parameter either has a value provided at submission time or has a default value.
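The format, root-key, and parameter checks described above can be reproduced offline before submitting a template. The following Python script is an added example, not AMS code; it implements those three checks over a JSON template and runs them against a constructed valid template (the SNS topic template from this page) and a constructed template that breaks each rule. The `Transform` root key is used as the example of a key outside the allowlist.

```python
import json

# Root keys the AMS validator accepts (copied from the list above).
ALLOWED_ROOT_KEYS = {
    "AWSTemplateFormatVersion", "Description", "Mappings", "Parameters",
    "Conditions", "Resources", "Rules", "Outputs", "Metadata",
}


def validate_format(template):
    """Format checks: only allowlisted root keys, a non-empty 'Resources'
    section, and a 'Type' on every resource."""
    findings = []
    for key in template:
        if key not in ALLOWED_ROOT_KEYS:
            findings.append(f"root key '{key}' is not allowed")
    resources = template.get("Resources")
    if not isinstance(resources, dict) or not resources:
        findings.append("template has no 'Resources' section")
        return findings
    for name, body in resources.items():
        if not isinstance(body, dict) or "Type" not in body:
            findings.append(f"resource '{name}' has no 'Type'")
    return findings


def validate_parameters(template, provided_values):
    """Parameter check: a parameter that is not given a value at
    submission time must carry a Default."""
    findings = []
    for name, spec in template.get("Parameters", {}).items():
        if name not in provided_values and "Default" not in spec:
            findings.append(f"parameter '{name}' has no value and no Default")
    return findings


def validate_template(template_json, provided_values=None):
    """Parse a JSON template and return all findings (empty list = clean)."""
    template = json.loads(template_json)
    return validate_format(template) + validate_parameters(template, provided_values or {})


# Constructed sample templates (not from AMS): one that passes and one that
# breaks every rule above.
GOOD_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Create a SNS topic",
    "Parameters": {"TopicName": {"Type": "String", "Default": "customer-alerts"}},
    "Resources": {"SnsTopic": {"Type": "AWS::SNS::Topic",
                               "Properties": {"TopicName": {"Ref": "TopicName"}}}},
})

BAD_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",      # not an allowed root key
    "Parameters": {"Env": {"Type": "String"}},      # no Default and no value supplied
    "Resources": {"SnsTopic": {"Properties": {}}},  # resource without a Type
})

if __name__ == "__main__":
    for label, tmpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, validate_template(tmpl) or "OK")
```

Passing the submission-time parameter values as the second argument of `validate_template` clears the parameter finding without editing the template, which mirrors how the ingest CT supplies values.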

## Resource attribute validation
<a name="cfn-validator-examples-resource-atts"></a>

Required attribute check: Certain attributes must exist for certain resource types.
+ "VPCOptions" must exist in `AWS::OpenSearch::Domain`
+ "ClusterSubnetGroupName" must exist in `AWS::Redshift::Cluster`

```
{
    "AWS::OpenSearch::Domain": [
      "VPCOptions"
    ],
    "AWS::Redshift::Cluster": [
      "ClusterSubnetGroupName"
    ]
}
```

Disallowed attributes check: Certain attributes must **not** exist for certain resource types.
+ "SecretString" must not exist in "AWS::SecretsManager::Secret"
+ "MongoDbSettings" must not exist in "AWS::DMS::Endpoint"

```
{
  "AWS::SecretsManager::Secret": [
    "SecretString"  
  ],  
  "AWS::DMS::Endpoint": [
    "MongoDbSettings"  
  ]
}
```

SSM parameter check: For attributes in the following list, values must be specified via Secrets Manager or Systems Manager Parameter Store (Secure String Parameter):

```
{
  "RDS::DBInstance": [
    "MasterUserPassword",   
    "TdeCredentialPassword"  
  ],  
  "RDS::DBCluster": [
    "MasterUserPassword"  
  ],  
  "ElastiCache::ReplicationGroup": [
    "AuthToken"  
  ],  
  "DMS::Certificate": [
    "CertificatePem",    
    "CertificateWallet" 
  ],  
  "DMS::Endpoint": [
    "Password"  
  ],
  "CodePipeline::Webhook": {
    "AuthenticationConfiguration": [
        "SecretToken"  
    ]
  },
  "DocDB::DBCluster": [
    "MasterUserPassword"
  ]
}
```
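The required-attribute, disallowed-attribute, and Secrets Manager / SSM checks above (and the "don't embed credentials" guideline at the top of this page) can be checked locally with the following Python script. It is an added example, not AMS code. It copies the three attribute tables from this section, normalizes the short type names in the secret table by adding the `AWS::` prefix, and treats a value as acceptable only if it is a CloudFormation dynamic reference of the form `{{resolve:secretsmanager:...}}` or `{{resolve:ssm-secure:...}}` (the real dynamic-reference syntax; whether the AMS validator also accepts other forms is not stated on this page). The sample template, secret name, and plaintext values are constructed.

```python
import re

# Attribute tables copied from the JSON above. The secret table keeps the
# page's short type names (no "AWS::" prefix).
REQUIRED = {
    "AWS::OpenSearch::Domain": ["VPCOptions"],
    "AWS::Redshift::Cluster": ["ClusterSubnetGroupName"],
}
DISALLOWED = {
    "AWS::SecretsManager::Secret": ["SecretString"],
    "AWS::DMS::Endpoint": ["MongoDbSettings"],
}
MUST_BE_SECRET = {
    "RDS::DBInstance": ["MasterUserPassword", "TdeCredentialPassword"],
    "RDS::DBCluster": ["MasterUserPassword"],
    "ElastiCache::ReplicationGroup": ["AuthToken"],
    "DMS::Certificate": ["CertificatePem", "CertificateWallet"],
    "DMS::Endpoint": ["Password"],
    "CodePipeline::Webhook": {"AuthenticationConfiguration": ["SecretToken"]},
    "DocDB::DBCluster": ["MasterUserPassword"],
}

# CloudFormation dynamic-reference syntax for the two accepted stores:
#   {{resolve:secretsmanager:<secret-id>:SecretString:<json-key>}}
#   {{resolve:ssm-secure:<parameter-name>:<version>}}
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):.+\}\}$")


def _paths(spec, prefix=()):
    """Flatten a list-or-nested-dict attribute spec into property paths."""
    if isinstance(spec, dict):
        for key, sub in spec.items():
            yield from _paths(sub, prefix + (key,))
    else:
        for key in spec:
            yield prefix + (key,)


def _lookup(props, path):
    """Return (value, present) for a nested property path."""
    node = props
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None, False
        node = node[key]
    return node, True


def is_secret_reference(value):
    """True when the literal is a Secrets Manager or ssm-secure dynamic reference."""
    return isinstance(value, str) and DYNAMIC_REF.match(value) is not None


def validate_attributes(template):
    """Run the three attribute checks over every resource; return findings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})
        for attr in REQUIRED.get(rtype, []):
            if attr not in props:
                findings.append(f"{name}: {rtype} requires '{attr}'")
        for attr in DISALLOWED.get(rtype, []):
            if attr in props:
                findings.append(f"{name}: '{attr}' is not allowed on {rtype}")
        short = rtype[5:] if rtype.startswith("AWS::") else rtype   # "AWS::RDS::X" -> "RDS::X"
        for path in _paths(MUST_BE_SECRET.get(short, [])):
            value, present = _lookup(props, path)
            if present and not is_secret_reference(value):
                dotted = ".".join(path)
                findings.append(f"{name}: '{dotted}' must be a secretsmanager or ssm-secure dynamic reference")
    return findings


# Constructed sample (not from AMS): one compliant RDS instance and four
# resources that each trip a different check.
SAMPLE = {"Resources": {
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "MasterUserPassword": "{{resolve:secretsmanager:customer/db:SecretString:password}}"}},
    "Cache": {"Type": "AWS::ElastiCache::ReplicationGroup", "Properties": {
        "AuthToken": "plaintext-token-constructed"}},
    "Hook": {"Type": "AWS::CodePipeline::Webhook", "Properties": {
        "AuthenticationConfiguration": {"SecretToken": "plaintext-constructed"}}},
    "Warehouse": {"Type": "AWS::Redshift::Cluster", "Properties": {"NodeType": "dc2.large"}},
    "Secret": {"Type": "AWS::SecretsManager::Secret", "Properties": {"SecretString": "plaintext"}},
}}

if __name__ == "__main__":
    for line in validate_attributes(SAMPLE):
        print(line)
```

The nested `CodePipeline::Webhook` entry in the page's table is why `_paths` flattens dictionaries: the sensitive value sits one level below `AuthenticationConfiguration`, so a flat property lookup would miss it.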

Some attributes must comply with certain patterns; for example, IAM instance profile names must not start with [AMS reserved prefixes](https://docs.aws.amazon.com/managedservices/latest/userguide/ams-reserved-prefixes), and the attribute value must match the specific regex as shown:

```
{
    "AWS::EC2::Instance": {
      "IamInstanceProfile": [
        "^(?!arn:aws:iam|ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+",
        "arn:aws:iam::(\\$\\{AWS::AccountId\\}|[0-9]+):instance-profile/(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ]
    },
    "AWS::AutoScaling::LaunchConfiguration": {
      "IamInstanceProfile": [
        "^(?!arn:aws:iam|ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+",
        "arn:aws:iam::(\\$\\{AWS::AccountId\\}|[0-9]+):instance-profile/(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ]
    },
    "AWS::EC2::LaunchTemplate": {
      "LaunchTemplateData.IamInstanceProfile.Name": [
        "^(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ],
      "LaunchTemplateData.IamInstanceProfile.Arn": [
        "arn:aws:iam::(\\$\\{AWS::AccountId\\}|[0-9]+):instance-profile\/(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ]
    }
}
```
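To see how the instance profile patterns above behave on real values, the following Python script is an added example (not AMS code). It loads the `AWS::EC2::Instance` and `AWS::EC2::LaunchTemplate` entries verbatim from the JSON above through `json.loads`, so the regex escaping is exactly what the validator consumes, and resolves the dotted property paths used for launch templates. It assumes that a value passes when it matches at least one of the listed patterns (the two entries per property cover the plain-name form and the ARN form) and that non-string values such as `{"Ref": ...}` are left for CloudFormation to resolve; the sample resources are constructed.

```python
import json
import re

# Two entries copied verbatim from the pattern table above (the
# AWS::AutoScaling::LaunchConfiguration entry is identical to the EC2 one).
PATTERN_TABLE = json.loads(r'''
{
    "AWS::EC2::Instance": {
      "IamInstanceProfile": [
        "^(?!arn:aws:iam|ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+",
        "arn:aws:iam::(\\$\\{AWS::AccountId\\}|[0-9]+):instance-profile/(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ]
    },
    "AWS::EC2::LaunchTemplate": {
      "LaunchTemplateData.IamInstanceProfile.Name": [
        "^(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ],
      "LaunchTemplateData.IamInstanceProfile.Arn": [
        "arn:aws:iam::(\\$\\{AWS::AccountId\\}|[0-9]+):instance-profile\/(?!ams|Ams|AMS|AWSManagedServices|Managed_Services|mc|Mc|MC|sentinel|Sentinel).+"
      ]
    }
}
''')


def _get_path(props, dotted):
    """Resolve a dotted path such as LaunchTemplateData.IamInstanceProfile.Name."""
    node = props
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def is_allowed_profile(value, patterns):
    """Assumption: a literal passes if it matches any pattern in the list."""
    return any(re.match(p, value) for p in patterns)


def check_instance_profiles(template):
    """Apply the pattern table to every resource type it covers."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rules = PATTERN_TABLE.get(res.get("Type", ""), {})
        for dotted, patterns in rules.items():
            value = _get_path(res.get("Properties", {}), dotted)
            if not isinstance(value, str):
                continue  # absent, or an intrinsic such as {"Ref": ...}: no literal to match
            if not is_allowed_profile(value, patterns):
                findings.append(f"{name}: {dotted} '{value}' uses a reserved prefix or a bad ARN form")
    return findings


# Constructed sample resources (account id and names are placeholders).
SAMPLE = {"Resources": {
    "Web": {"Type": "AWS::EC2::Instance", "Properties": {
        "IamInstanceProfile": "customer-web-profile"}},
    "Worker": {"Type": "AWS::EC2::Instance", "Properties": {
        "IamInstanceProfile": "arn:aws:iam::${AWS::AccountId}:instance-profile/customer-worker"}},
    "Rogue": {"Type": "AWS::EC2::Instance", "Properties": {
        "IamInstanceProfile": "arn:aws:iam::123456789012:instance-profile/AMS-admin"}},
    "Lt": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {
        "LaunchTemplateData": {"IamInstanceProfile": {"Name": "mcapp-profile"}}}},
}}

if __name__ == "__main__":
    for line in check_instance_profiles(SAMPLE):
        print(line)
```

Two things worth noticing when you run it: the negative lookahead rejects any name that merely begins with a reserved token, so `mcapp-profile` fails because of the `mc` prefix, and the patterns only exclude reserved prefixes; the 'customer' prefix requirement from the Guidelines section is a separate rule that these regexes do not enforce on their own.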

## Resource validation
<a name="cfn-validator-examples-resources"></a>

Only allowlisted resources can be specified in the template; those resources are described in [Supported Resources](cfn-ingest-supp-services.md).

Amazon EC2 instances and Auto Scaling groups (ASGs) aren't allowed in the same stack, due to patching limitations.

## Security group ingress rule validation
<a name="cfn-validator-examples-sg-ingress"></a>
+ For requests that come from the CFN Ingest Create or Stack Update CT change types:
  + If (`IpProtocol` is tcp or 6) AND (Port is 80 or 443), there are no restrictions around the `CidrIP` value
  + Otherwise, the `CidrIP` cannot be 0.0.0.0/0
+ For requests that come from Service Catalog (Service Catalog products):
  + In addition to the CFN Ingest Create or Stack Update CT change type validation, the port in `management_ports` with the protocol in `ip_protocols` can only be accessed via `allowed_cidrs`:

    ```
    {
      "ip_protocols": ["tcp", "6", "udp", "17"],
      "management_ports": [22, 23, 389, 636, 1494, 1604, 2222, 3389, 5900, 5901, 5985, 5986],
      "allowed_cidrs": ["10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16"]
    }
    ```
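The ingress rules above (and the "Security Group ingress rules are restricted" guideline earlier on this page) translate into a small policy check. The following Python script is an added example, not AMS code. It walks both inline `SecurityGroupIngress` entries and standalone `AWS::EC2::SecurityGroupIngress` resources, applies the CFN Ingest rule to every rule with a `CidrIp`, and applies the Service Catalog management-port rule when asked to. Assumptions: "Port is 80 or 443" is read as a single-port rule (`FromPort == ToPort`), a protocol of `-1` or a missing port range counts as every port, and rules whose source is a security group rather than a CIDR are skipped. The sample template and its IDs are constructed.

```python
import ipaddress

# Service Catalog policy copied from the JSON above.
SERVICE_CATALOG_POLICY = {
    "ip_protocols": ["tcp", "6", "udp", "17"],
    "management_ports": [22, 23, 389, 636, 1494, 1604, 2222, 3389, 5900, 5901, 5985, 5986],
    "allowed_cidrs": ["10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16"],
}
WEB_PORTS = {80, 443}
ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def _port_range(rule):
    """Port span a rule covers; protocol -1 or a missing FromPort means all ports."""
    proto = str(rule.get("IpProtocol", "-1"))
    if proto == "-1" or "FromPort" not in rule:
        return 0, 65535
    return int(rule["FromPort"]), int(rule.get("ToPort", rule["FromPort"]))


def _ingress_rules(template):
    """Yield (resource name, rule dict) for inline and standalone ingress rules."""
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield name, rule
        elif rtype == "AWS::EC2::SecurityGroupIngress":
            yield name, props


def validate_ingress(template, source="cfn_ingest", policy=SERVICE_CATALOG_POLICY):
    """source is 'cfn_ingest' (Create/Update CT) or 'service_catalog'."""
    findings = []
    for name, rule in _ingress_rules(template):
        cidr = rule.get("CidrIp")
        if cidr is None:
            continue  # security-group or prefix-list sources are not CIDR-checked here
        net = ipaddress.ip_network(cidr, strict=False)
        proto = str(rule.get("IpProtocol", "-1"))
        lo, hi = _port_range(rule)
        # CFN Ingest rule: 0.0.0.0/0 is only acceptable for TCP 80 or 443.
        web_only = proto in ("tcp", "6") and lo == hi and lo in WEB_PORTS
        if not web_only and net == ANY_IPV4:
            findings.append(f"{name}: 0.0.0.0/0 is only allowed for TCP 80/443, not {proto} {lo}-{hi}")
        # Service Catalog rule: management ports must be reachable only from allowed_cidrs.
        if source == "service_catalog" and proto in policy["ip_protocols"]:
            mgmt_hit = [p for p in policy["management_ports"] if lo <= p <= hi]
            allowed = any(net.subnet_of(ipaddress.ip_network(a)) for a in policy["allowed_cidrs"])
            if mgmt_hit and not allowed:
                findings.append(f"{name}: management port(s) {mgmt_hit} reachable from {cidr}, outside allowed_cidrs")
    return findings


# Constructed sample template (IDs are placeholders).
SAMPLE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier", "VpcId": "vpc-EXAMPLE",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        ]}},
    "RdpFromCorp": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": "sg-EXAMPLE", "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
        "CidrIp": "10.20.0.0/16"}},
    "RdpFromPartner": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": "sg-EXAMPLE", "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
        "CidrIp": "203.0.113.0/24"}},
}}

if __name__ == "__main__":
    for src in ("cfn_ingest", "service_catalog"):
        print(src, validate_ingress(SAMPLE, source=src) or "OK")
```

Note the difference between the two sources on `RdpFromPartner`: RDP from a specific public /24 passes the CFN Ingest check (it is not 0.0.0.0/0) but fails the Service Catalog check, because 3389 is a management port and 203.0.113.0/24 is outside every entry in `allowed_cidrs`.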

# Limitations
<a name="cfn-limitations"></a>

The following features and functionality currently aren't supported by the AMS CloudFormation ingest process.

+ **YAML** – Not supported. Only JSON-based CloudFormation templates are supported.
+ **Nested stacks** – Not supported. Instead, architect your application infrastructure to use a single template, or use cross-stack references to separate resources across multiple stacks where one resource depends on another. For more information, see [Walkthrough: Refer to Resource Outputs in Another AWS CloudFormation Stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-crossstackref.html).
+ **CloudFormation stack sets** – Not supported, due to security implications.
+ **IAM resource creation using CloudFormation templates** – Only IAM roles are supported, due to security implications.
+ **Sensitive data** – Not supported. Do not include sensitive data in the template or in the parameter values. If you need to reference sensitive data, use Secrets Manager to store and retrieve these values. For information about using AWS Secrets Manager secrets in a resource property, see [How to create and retrieve secrets managed in AWS Secrets Manager using AWS CloudFormation templates](https://aws.amazon.com/blogs/security/how-to-create-and-retrieve-secrets-managed-in-aws-secrets-manager-using-aws-cloudformation-template/) and [Using Dynamic References to Specify Template Values](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html).

# Supported Resources
<a name="cfn-ingest-supp-services"></a>

The following AWS resources are supported in the AMS CloudFormation ingest process.

## CloudFormation Ingest Stack: Supported resources
<a name="ex-cfn-ingest-supp-resources"></a>

The instance operating system must be supported by AMS workload ingestion. Only those AWS resources listed here are supported.
+  [Amazon API Gateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ApiGateway.html)
  + AWS::ApiGateway::Account
  + AWS::ApiGateway::ApiKey
  + AWS::ApiGateway::Authorizer
  + AWS::ApiGateway::BasePathMapping
  + AWS::ApiGateway::ClientCertificate
  + AWS::ApiGateway::Deployment
  + AWS::ApiGateway::DocumentationPart
  + AWS::ApiGateway::DocumentationVersion
  + AWS::ApiGateway::DomainName
  + AWS::ApiGateway::GatewayResponse
  + AWS::ApiGateway::Method
  + AWS::ApiGateway::Model
  + AWS::ApiGateway::RequestValidator
  + AWS::ApiGateway::Resource
  + AWS::ApiGateway::RestApi
  + AWS::ApiGateway::Stage
  + AWS::ApiGateway::UsagePlan
  + AWS::ApiGateway::UsagePlanKey
  + AWS::ApiGateway::VpcLink
+  [Amazon API Gateway V2](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ApiGatewayV2.html)
  + AWS::ApiGatewayV2::Api
  + AWS::ApiGatewayV2::ApiGatewayManagedOverrides
  + AWS::ApiGatewayV2::ApiMapping
  + AWS::ApiGatewayV2::Authorizer
  + AWS::ApiGatewayV2::Deployment
  + AWS::ApiGatewayV2::DomainName
  + AWS::ApiGatewayV2::Integration
  + AWS::ApiGatewayV2::IntegrationResponse
  + AWS::ApiGatewayV2::Model
  + AWS::ApiGatewayV2::Route
  + AWS::ApiGatewayV2::RouteResponse
  + AWS::ApiGatewayV2::Stage
  + AWS::ApiGatewayV2::VpcLink
+  [AWS AppSync](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_AppSync.html)
  + AWS::AppSync::ApiCache
  + AWS::AppSync::ApiKey
  + AWS::AppSync::DataSource
  + AWS::AppSync::FunctionConfiguration
  + AWS::AppSync::GraphQLApi
  + AWS::AppSync::GraphQLSchema
  + AWS::AppSync::Resolver
+  [Amazon Athena](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Athena.html)
  + AWS::Athena::NamedQuery
  + AWS::Athena::WorkGroup
+  [AWS Backup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Backup.html)
  + AWS::Backup::BackupVault
+ [Amazon CloudFront](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-reference-cloudfront.html)
  + AWS::CloudFront::Distribution
  + AWS::CloudFront::CloudFrontOriginAccessIdentity
  + AWS::CloudFront::StreamingDistribution
+ [Amazon CloudWatch](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-reference-cloudwatch.html)
  + AWS::CloudWatch::Alarm
  + AWS::CloudWatch::AnomalyDetector
  + AWS::CloudWatch::CompositeAlarm
  + AWS::CloudWatch::Dashboard
  + AWS::CloudWatch::InsightRule
+ [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Logs.html)
  + AWS::Logs::LogGroup
  + AWS::Logs::LogStream
  + AWS::Logs::MetricFilter
  + AWS::Logs::SubscriptionFilter
+  [Amazon Cognito](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Cognito.html)
  + AWS::Cognito::IdentityPool
  + AWS::Cognito::IdentityPoolRoleAttachment
  + AWS::Cognito::UserPool
  + AWS::Cognito::UserPoolClient
  + AWS::Cognito::UserPoolDomain
  + AWS::Cognito::UserPoolGroup
  + AWS::Cognito::UserPoolIdentityProvider
  + AWS::Cognito::UserPoolResourceServer
  + AWS::Cognito::UserPoolRiskConfigurationAttachment
  + AWS::Cognito::UserPoolUICustomizationAttachment
  + AWS::Cognito::UserPoolUser
  + AWS::Cognito::UserPoolUserToGroupAttachment
+  [Amazon DocumentDB](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_DocDB.html)
  + AWS::DocDB::DBCluster
  + AWS::DocDB::DBClusterParameterGroup
  + AWS::DocDB::DBInstance
  + AWS::DocDB::DBSubnetGroup
+  [Amazon DynamoDB](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_DynamoDB.html)
  + AWS::DynamoDB::Table
+ [Amazon EC2](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_EC2.html)
  + AWS::EC2::Volume
  + AWS::EC2::VolumeAttachment
  + AWS::EC2::Instance
  + AWS::EC2::EIP
  + AWS::EC2::EIPAssociation
  + AWS::EC2::NetworkInterface
  + AWS::EC2::NetworkInterfaceAttachment
  + AWS::EC2::SecurityGroup
  + AWS::EC2::SecurityGroupIngress
  + AWS::EC2::SecurityGroupEgress
  + AWS::EC2::LaunchTemplate
+  [AWS Batch](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Batch.html)
  + AWS::Batch::ComputeEnvironment
  + AWS::Batch::JobDefinition
  + AWS::Batch::JobQueue
+ [Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ECR.html)
  + AWS::ECR::Repository
+ [Amazon Elastic Container Service (ECS) (Fargate)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ECS.html)
  + AWS::ECS::CapacityProvider
  + AWS::ECS::Cluster
  + AWS::ECS::PrimaryTaskSet
  + AWS::ECS::Service
  + AWS::ECS::TaskDefinition
  + AWS::ECS::TaskSet
+ [Amazon Elastic File System (EFS)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_EFS.html)
  + AWS::EFS::FileSystem
  + AWS::EFS::MountTarget
+ [Amazon ElastiCache](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ElastiCache.html)
  + AWS::ElastiCache::CacheCluster
  + AWS::ElastiCache::ParameterGroup
  + AWS::ElastiCache::ReplicationGroup
  + AWS::ElastiCache::SecurityGroup
  + AWS::ElastiCache::SecurityGroupIngress
  + AWS::ElastiCache::SubnetGroup
+ [Amazon EventBridge](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Events.html)
  + AWS::Events::EventBus
  + AWS::Events::EventBusPolicy
  + AWS::Events::Rule
+ [Amazon FSx](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_FSx.html)
  + AWS::FSx::FileSystem
+ [Amazon Inspector](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Inspector.html)
  + AWS::Inspector::AssessmentTarget
  + AWS::Inspector::AssessmentTemplate
  + AWS::Inspector::ResourceGroup
+ [Amazon Kinesis Data Analytics](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_KinesisAnalytics.html)
  + AWS::KinesisAnalytics::Application
  + AWS::KinesisAnalytics::ApplicationOutput
  + AWS::KinesisAnalytics::ApplicationReferenceDataSource
+  [Amazon Kinesis Data Firehose](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_KinesisFirehose.html)
  + AWS::KinesisFirehose::DeliveryStream
+ [Amazon Kinesis Data Streams](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Kinesis.html)
  + AWS::Kinesis::Stream
  + AWS::Kinesis::StreamConsumer
+ [Amazon MQ](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_AmazonMQ.html)
  + AWS::AmazonMQ::Broker
  + AWS::AmazonMQ::Configuration
  + AWS::AmazonMQ::ConfigurationAssociation
+ [Amazon OpenSearch](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_OpenSearchService.html)
  + AWS::OpenSearchService::Domain
+ [Amazon Relational Database Service (RDS)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_RDS.html)
  + AWS::RDS::DBCluster
  + AWS::RDS::DBClusterParameterGroup
  + AWS::RDS::DBInstance
  + AWS::RDS::DBParameterGroup
  + AWS::RDS::DBSubnetGroup
  + AWS::RDS::EventSubscription
  + AWS::RDS::OptionGroup
+ [Amazon Route 53](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Route53.html)
  + AWS::Route53::HealthCheck
  + AWS::Route53::HostedZone
  + AWS::Route53::RecordSet
  + AWS::Route53::RecordSetGroup
  + AWS::Route53Resolver::ResolverRule
  + AWS::Route53Resolver::ResolverRuleAssociation
+ [Amazon S3](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_S3.html)
  + AWS::S3::Bucket
+ [Amazon SageMaker](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SageMaker.html)
  + AWS::SageMaker::CodeRepository
  + AWS::SageMaker::Endpoint
  + AWS::SageMaker::EndpointConfig
  + AWS::SageMaker::Model
  + AWS::SageMaker::NotebookInstance
  + AWS::SageMaker::NotebookInstanceLifecycleConfig
  + AWS::SageMaker::Workteam
+  [Amazon Simple Email Service (SES)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SES.html)
  + AWS::SES::ConfigurationSet
  + AWS::SES::ConfigurationSetEventDestination
  + AWS::SES::ReceiptFilter
  + AWS::SES::ReceiptRule
  + AWS::SES::ReceiptRuleSet
  + AWS::SES::Template
+  [Amazon SimpleDB](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SDB.html)
  + AWS::SDB::Domain
+ [Amazon SNS](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SNS.html)
  + AWS::SNS::Subscription
  + AWS::SNS::Topic
+ [Amazon SQS](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SQS.html)
  + AWS::SQS::Queue
+  [Amazon WorkSpaces](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_WorkSpaces.html)
  + AWS::WorkSpaces::Workspace
+ [Application AutoScaling](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ApplicationAutoScaling.html)
  + AWS::ApplicationAutoScaling::ScalableTarget
  + AWS::ApplicationAutoScaling::ScalingPolicy
+ [Amazon EC2 AutoScaling](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_AutoScaling.html)
  + AWS::AutoScaling::AutoScalingGroup
  + AWS::AutoScaling::LaunchConfiguration
  + AWS::AutoScaling::LifecycleHook
  + AWS::AutoScaling::ScalingPolicy
  + AWS::AutoScaling::ScheduledAction
+ [AWS Certificate Manager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html)
  + AWS::CertificateManager::Certificate
+ [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_CloudFormation.html)
  + AWS::CloudFormation::CustomResource
  + AWS::CloudFormation::Designer
  + AWS::CloudFormation::WaitCondition
  + AWS::CloudFormation::WaitConditionHandle
+ [AWS CodeBuild](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_CodeBuild.html)
  + AWS::CodeBuild::Project
  + AWS::CodeBuild::ReportGroup
  + AWS::CodeBuild::SourceCredential
+  [AWS CodeCommit](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_CodeCommit.html)
  + AWS::CodeCommit::Repository
+ [AWS CodeDeploy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_CodeDeploy.html)
  + AWS::CodeDeploy::Application
  + AWS::CodeDeploy::DeploymentConfig
  + AWS::CodeDeploy::DeploymentGroup
+ [AWS CodePipeline](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_CodePipeline.html)
  + AWS::CodePipeline::CustomActionType
  + AWS::CodePipeline::Pipeline
  + AWS::CodePipeline::Webhook
+  [AWS Database Migration Service (DMS)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_DMS.html)
  + AWS::DMS::Certificate
  + AWS::DMS::Endpoint
  + AWS::DMS::EventSubscription
  + AWS::DMS::ReplicationInstance
  + AWS::DMS::ReplicationSubnetGroup
  + AWS::DMS::ReplicationTask

  The MongoDbSettings property in AWS::DMS::Endpoint resource is not allowed.

  The following properties are only allowed if they are resolved by AWS Secrets Manager: CertificatePem and CertificateWallet properties in the AWS::DMS::Certificate resource, and the Password property in the AWS::DMS::Endpoint resource.
+ [AWS Elastic Load Balancing - Application Load Balancer / Network Load Balancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ElasticLoadBalancingV2.html)
  + AWS::ElasticLoadBalancingV2::Listener
  + AWS::ElasticLoadBalancingV2::ListenerCertificate
  + AWS::ElasticLoadBalancingV2::ListenerRule
  + AWS::ElasticLoadBalancingV2::LoadBalancer
  + AWS::ElasticLoadBalancingV2::TargetGroup
+ [AWS Elastic Load Balancing - Classic Load Balancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_ElasticLoadBalancing.html)
  + AWS::ElasticLoadBalancing::LoadBalancer
+  [AWS Elemental MediaConvert](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_MediaConvert.html)
  + AWS::MediaConvert::JobTemplate
  + AWS::MediaConvert::Preset
  + AWS::MediaConvert::Queue
+  [AWS Elemental MediaStore](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_MediaStore.html)
  + AWS::MediaStore::Container
+  [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html)
  + AWS::IAM::Role
+  [AWS Managed Streaming for Apache Kafka (MSK)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_MSK.html)
  + AWS::MSK::Cluster
+  [AWS Glue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Glue.html)
  + AWS::Glue::Classifier
  + AWS::Glue::Connection
  + AWS::Glue::Crawler
  + AWS::Glue::Database
  + AWS::Glue::DataCatalogEncryptionSettings
  + AWS::Glue::DevEndpoint
  + AWS::Glue::Job
  + AWS::Glue::MLTransform
  + AWS::Glue::Partition
  + AWS::Glue::SecurityConfiguration
  + AWS::Glue::Table
  + AWS::Glue::Trigger
  + AWS::Glue::Workflow
+ [AWS Key Management Service (KMS)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_KMS.html)
  + AWS::KMS::Key
  + AWS::KMS::Alias
+  [AWS Lake Formation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_LakeFormation.html)
  + AWS::LakeFormation::DataLakeSettings
  + AWS::LakeFormation::Permissions
  + AWS::LakeFormation::Resource
+  [AWS Lambda](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Lambda.html)
  + AWS::Lambda::Alias
  + AWS::Lambda::EventInvokeConfig
  + AWS::Lambda::EventSourceMapping
  + AWS::Lambda::Function
  + AWS::Lambda::LayerVersion
  + AWS::Lambda::LayerVersionPermission
  + AWS::Lambda::Permission
  + AWS::Lambda::Version
+  [Amazon Redshift](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Redshift.html)
  + AWS::Redshift::Cluster
  + AWS::Redshift::ClusterParameterGroup
  + AWS::Redshift::ClusterSubnetGroup
+  [AWS Secrets Manager](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SecretsManager.html)
  + AWS::SecretsManager::ResourcePolicy
  + AWS::SecretsManager::RotationSchedule
  + AWS::SecretsManager::Secret
  + AWS::SecretsManager::SecretTargetAttachment
+  [AWS Security Hub](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SecurityHub.html)
  + AWS::SecurityHub::Hub
+  [AWS Step Functions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_StepFunctions.html)
  + AWS::StepFunctions::Activity
  + AWS::StepFunctions::StateMachine
+  [AWS Systems Manager (SSM)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SSM.html)
  + AWS::SSM::Parameter
+  [Amazon CloudWatch Synthetics](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Synthetics.html)
  + AWS::Synthetics::Canary
+  [AWS Transfer Family](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_Transfer.html)
  + AWS::Transfer::Server
  + AWS::Transfer::User
+ [AWS WAF](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_WAF.html)
  + AWS::WAF::ByteMatchSet
  + AWS::WAF::IPSet
  + AWS::WAF::Rule
  + AWS::WAF::SizeConstraintSet
  + AWS::WAF::SqlInjectionMatchSet
  + AWS::WAF::WebACL
  + AWS::WAF::XssMatchSet
+ [AWS WAF Regional](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_WAFRegional.html)
  + AWS::WAFRegional::ByteMatchSet
  + AWS::WAFRegional::GeoMatchSet
  + AWS::WAFRegional::IPSet
  + AWS::WAFRegional::RateBasedRule
  + AWS::WAFRegional::RegexPatternSet
  + AWS::WAFRegional::Rule
  + AWS::WAFRegional::SizeConstraintSet
  + AWS::WAFRegional::SqlInjectionMatchSet
  + AWS::WAFRegional::WebACL
  + AWS::WAFRegional::WebACLAssociation
  + AWS::WAFRegional::XssMatchSet
+ [AWS WAFv2](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_WAFv2.html)
  + AWS::WAFv2::IPSet
  + AWS::WAFv2::RegexPatternSet
  + AWS::WAFv2::RuleGroup
  + AWS::WAFv2::WebACL
  + AWS::WAFv2::WebACLAssociation