Install command
Provided
Validates AWS CloudFormation templates for syntax errors and best practices using cfn-lint v1.40.4+ and AWS CLI v2.27.54+.
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Provided
Config snippet
Provided
Copy snippet
Provided
Prerequisites
None
Platforms
1 listed
Difficulty
0/100
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Safety & privacy surface
1 safety and 1 privacy notes across 2 risk areas. Review closely: credentials & tokens, permissions & scopes.
#!/usr/bin/env bash
# Read the tool input from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name')
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
# Check if it's a CloudFormation template
if [[ "$FILE_PATH" == *.cf.json ]] || [[ "$FILE_PATH" == *.cf.yaml ]] || [[ "$FILE_PATH" == *cloudformation*.yaml ]] || [[ "$FILE_PATH" == *cloudformation*.json ]]; then
echo "☁️ Validating CloudFormation template $FILE_PATH..." >&2
# Try cfn-lint first (preferred)
if command -v cfn-lint &> /dev/null; then
echo "Running cfn-lint validation..." >&2
if cfn-lint "$FILE_PATH" 2>&1; then
echo "✅ CloudFormation template validation passed" >&2
else
echo "❌ CloudFormation template validation failed" >&2
fi
elif command -v aws &> /dev/null; then
echo "⚠️ cfn-lint not installed, using AWS CLI validation..." >&2
if aws cloudformation validate-template --template-body "file://$FILE_PATH" 2>/dev/null; then
echo "✅ Basic CloudFormation validation passed" >&2
else
echo "❌ CloudFormation template validation failed" >&2
fi
else
echo "⚠️ Neither cfn-lint nor AWS CLI available for validation" >&2
fi
else
echo "File $FILE_PATH is not a CloudFormation template, skipping validation" >&2
fi
exit 0{
"hooks": {
"postToolUse": {
"script": "./.claude/hooks/aws-cloudformation-validator.sh",
"matchers": [
"write",
"edit"
]
}
}
}This hook defaults to cfn-lint and falls back to the AWS CLI. How the common CloudFormation/IaC validators differ:
| Tool | What it checks | Catches security issues? | Needs AWS credentials? |
|---|---|---|---|
| cfn-lint (this hook) | Template syntax, resource-property schemas, and AWS best-practice rules | Partial (best-practice rules) | No — fully local |
| aws cloudformation validate-template (fallback) | Basic syntax and template structure via the CloudFormation API | No | Yes — calls the AWS API |
| cfn_nag | Pattern-based scan for insecure infrastructure patterns (open security groups, wildcard IAM, unencrypted resources) | Yes | No — fully local |
| Checkov | 1,000+ policy checks for security and compliance across CloudFormation, Terraform, and Kubernetes | Yes | No — fully local |
For most pre-deployment checks, cfn-lint gives the best signal-to-noise on a single template; pair it with cfn_nag or Checkov when you need dedicated security/compliance scanning.
.claude/settings.local.json~/.claude/settings.json.claude/settings.json{
"hooks": {
"postToolUse": {
"script": "./.claude/hooks/aws-cloudformation-validator.sh",
"matchers": ["write", "edit"]
}
}
}
#!/usr/bin/env bash
# Read the tool input from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name')
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
# Check if it's a CloudFormation template
if [[ "$FILE_PATH" == *.cf.json ]] || [[ "$FILE_PATH" == *.cf.yaml ]] || [[ "$FILE_PATH" == *cloudformation*.yaml ]] || [[ "$FILE_PATH" == *cloudformation*.json ]]; then
echo "☁️ Validating CloudFormation template $FILE_PATH..." >&2
# Try cfn-lint first (preferred)
if command -v cfn-lint &> /dev/null; then
echo "Running cfn-lint validation..." >&2
if cfn-lint "$FILE_PATH" 2>&1; then
echo "✅ CloudFormation template validation passed" >&2
else
echo "❌ CloudFormation template validation failed" >&2
fi
elif command -v aws &> /dev/null; then
echo "⚠️ cfn-lint not installed, using AWS CLI validation..." >&2
if aws cloudformation validate-template --template-body "file://$FILE_PATH" 2>/dev/null; then
echo "✅ Basic CloudFormation validation passed" >&2
else
echo "❌ CloudFormation template validation failed" >&2
fi
else
echo "⚠️ Neither cfn-lint nor AWS CLI available for validation" >&2
fi
else
echo "File $FILE_PATH is not a CloudFormation template, skipping validation" >&2
fi
exit 0
Complete hook script that validates CloudFormation templates using cfn-lint or AWS CLI fallback
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r ".tool_input.file_path // .tool_input.path // \"\"")
if [ -z "$FILE_PATH" ]; then exit 0; fi
if [[ "$FILE_PATH" == *.cf.json ]] || [[ "$FILE_PATH" == *.cf.yaml ]] || [[ "$FILE_PATH" == *cloudformation*.yaml ]] || [[ "$FILE_PATH" == *cloudformation*.json ]]; then
echo "Validating CloudFormation template $FILE_PATH..." >&2
if command -v cfn-lint &> /dev/null; then
if cfn-lint "$FILE_PATH" 2>&1; then
echo "CloudFormation template validation passed" >&2
else
echo "CloudFormation template validation failed" >&2
fi
elif command -v aws &> /dev/null; then
if aws cloudformation validate-template --template-body "file://$FILE_PATH" 2>/dev/null; then
echo "Basic CloudFormation validation passed" >&2
else
echo "CloudFormation template validation failed" >&2
fi
fi
fi
exit 0
Complete hook configuration for .claude/settings.json to enable CloudFormation validation on file writes and edits
{
"hooks": {
"PostToolUse": [
{
"matcher": "Write|Edit",
"hooks": [
{
"type": "command",
"command": "./.claude/hooks/aws-cloudformation-validator.sh"
}
]
}
]
}
}
Enhanced hook script that validates CloudFormation templates against multiple AWS regions
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r ".tool_input.file_path")
if [[ "$FILE_PATH" == *.yaml ]] || [[ "$FILE_PATH" == *.yml ]]; then
if command -v cfn-lint &> /dev/null; then
cfn-lint "$FILE_PATH" --regions us-east-1 us-west-2 --format json --output-file validation-results.json 2>&1
if [ $? -eq 0 ]; then
echo "Multi-region validation passed" >&2
fi
fi
fi
exit 0
Hook script that blocks operations on CloudFormation templates with validation errors
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r ".tool_input.file_path")
if [[ "$FILE_PATH" == *.yaml ]] || [[ "$FILE_PATH" == *.json ]]; then
if command -v cfn-lint &> /dev/null; then
cfn-lint "$FILE_PATH" --ignore-checks W --format parseable 2>&1
EXIT_CODE=$?
if [ $EXIT_CODE -ne 0 ]; then
echo "Template validation failed with errors" >&2
exit 2
fi
fi
fi
exit 0
Hook script that detects CloudFormation templates by content and updates schemas before validation
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r ".tool_input.file_path")
if grep -q "AWSTemplateFormatVersion" "$FILE_PATH" 2>/dev/null || grep -q "Transform: AWS::Serverless" "$FILE_PATH" 2>/dev/null; then
if command -v cfn-lint &> /dev/null; then
cfn-lint "$FILE_PATH" --update-specs 2>/dev/null
cfn-lint "$FILE_PATH" 2>&1
fi
fi
exit 0
Install cfn-lint: pip install cfn-lint or pipx install cfn-lint. Verify Python environment active: which python. Check template syntax with: cfn-lint --version. Review cfn-lint logs without 2>&1. Update CloudFormation schemas: cfn-lint --update-specs.
Use cfn-lint for offline validation instead. Or configure AWS credentials: aws configure. Use IAM role with minimal permissions. Skip AWS CLI fallback if credentials unavailable. Use AWS CLI with --no-verify-ssl for local testing only.
Check exit code handling in script. Capture command output: OUTPUT=$(cfn-lint file) && echo success. Review conditional logic for success detection. Debug with: set -x in script. Verify cfn-lint exit codes: 0=success, 4=warnings, 8=errors.
Strengthen template detection regex. Check file content for AWSTemplateFormatVersion key: grep -q AWSTemplateFormatVersion file. Add explicit template marker in filename convention. Use content-based detection: grep -q "Resources:" file.
Verify file write completed before validation. Add small sleep: sleep 0.5 before validation. Check file size: [ -s "$FILE_PATH" ]. Use file lock detection if available. Validate file is not empty before processing.
cfn-lint performs deeper validation than AWS CLI. Review cfn-lint errors for best practices violations. AWS CLI only validates basic syntax. Use cfn-lint for comprehensive validation. Check cfn-lint rule documentation for specific error codes.
cfn-lint automatically transforms SAM templates. Verify Transform: AWS::Serverless-2016-10-31 is present. Update cfn-lint: pip install --upgrade cfn-lint. Check SAM template syntax matches SAM specification. Use --template parameter if needed.
Limit regions: cfn-lint file --regions us-east-1. Add timeout wrapper: timeout 60s cfn-lint file. Validate against single region first. Use --ignore-checks to skip non-critical rules. Consider validating in CI/CD instead of on every edit.
Show that AWS CloudFormation Validator - Hooks is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/hooks/aws-cloudformation-validator)AWS CloudFormation Validator - Hooks side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Validates AWS CloudFormation templates for syntax errors and best practices using cfn-lint v1.40.4+ and AWS CLI v2.27.54+. Open dossier | A Stop hook that syncs your changed files to cloud storage when a Claude Code session ends, using rclone to push to S3, Google Cloud Storage, or any of its 70+ supported backends. Open dossier | Validates environment variables, checks for required vars, and ensures proper configuration across environments. Open dossier | Validates GraphQL schema files and checks for breaking changes when modified. Open dossier |
|---|---|---|---|---|
| Next steps | ||||
| Trust | ||||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed | Source-backed | Source-backed |
| Submitter | — | — | — | — |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | ||
| Category | hooks | hooks | hooks | hooks |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | JSONbored | JSONbored | JSONbored | JSONbored |
| Added | 2025-09-19 | 2025-09-19 | 2025-09-16 | 2025-09-19 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling. | ✓Runs automatically at session end and can create compressed archives of modified git files. Uploads backups through AWS CLI, Google Cloud SDK, or rclone when those tools and bucket variables are configured. Writes a temporary archive under /tmp when using the rclone fallback and removes it after the copy attempt. | ✓Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling. | ✓Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling. |
| Privacy notes | ✓Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output. | ✓Sends modified file contents to the configured cloud storage destination. Uses locally configured cloud credentials and bucket environment variables but does not define or manage them. Backup archives may include source code, docs, generated files, and any unignored local changes listed by git diff. | ✓Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output. | ✓Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output. |
| Prerequisites | — none listed | — none listed | — none listed | — none listed |
| Install | | | | |
| Config | | | | |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Configure Claude Code to run on Amazon Bedrock with correct AWS auth.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.