template-validator

verified

Validates CloudFormation templates for syntax, security, and best practices. Use when validating CloudFormation templates, checking for security issues, or ensuring compliance with best practices.

Marketplace

fastagent-marketplace

armanzeroeight/fastagent-plugins

Plugin

cloudformation-toolkit

Infrastructure as Code

Repository

armanzeroeight/fastagent-plugins
20 stars

plugins/cloudformation-toolkit/skills/template-validator/SKILL.md

Last Verified

January 21, 2026

Install Skill

npx add-skill https://github.com/armanzeroeight/fastagent-plugins/blob/main/plugins/cloudformation-toolkit/skills/template-validator/SKILL.md -a claude-code --skill template-validator

Installation paths:

Claude
.claude/skills/template-validator/

Instructions

# Template Validator

## Quick Start

Validate CloudFormation templates for syntax errors, security issues, and adherence to best practices before deployment.

## Instructions

### Step 1: Validate template syntax

```bash
# Basic validation
aws cloudformation validate-template \
  --template-body file://template.yaml

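# validate-template accepts only --template-body or --template-url; it has
# no --parameters option. To check parameter values, create a change set
# and review it without executing it (stack and change-set names below
# are placeholders).
aws cloudformation create-change-set \
  --stack-name validation-test \
  --change-set-name validate-params \
  --change-set-type CREATE \
  --template-body file://template.yaml \
  --parameters ParameterKey=Param1,ParameterValue=Value1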
```

**Check for:**
- Valid YAML/JSON syntax
- Required template sections
- Valid resource types
- Correct intrinsic function usage
- Parameter references

### Step 2: Use cfn-lint for comprehensive checks

```bash
# Install cfn-lint
pip install cfn-lint

# Validate template
cfn-lint template.yaml

# Validate while ignoring warning-level (W) checks
cfn-lint template.yaml --ignore-checks W

# Output as JSON
cfn-lint template.yaml --format json
```

**cfn-lint checks:**
- Template structure
- Resource properties
- Best practices
- Security issues
- Regional availability

### Step 3: Security validation

**Check IAM policies:**
```yaml
# Review for overly permissive policies
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AppPolicy
          PolicyDocument:
            Statement:
              # Avoid wildcards
              - Effect: Allow
                Action: s3:*  # Too permissive!
                Resource: '*'  # Too broad!
```

**Better approach:**
```yaml
Policies:
  - PolicyName: AppPolicy
    PolicyDocument:
      Statement:
        - Effect: Allow
          Action:
            - s3:GetObject
            - s3:PutObject
          Resource: !Sub '${MyBucket.Arn}/*'
```

**Check security groups:**
```yaml
# Avoid open access
Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityG
```

Validation Details

Front Matter
Required Fields
Valid Name Format
Valid Description
Has Sections
Allowed Tools
Instruction Length: 7038 chars