CloudFormation Ref and GetAtt cheatsheet

theburningmonk.com/cloudformation-ref-and-getatt-cheatsheet

Here’s a cheatsheet of CloudFormation resource types and their corresponding Ref and Fn::GetAtt outputs in one place.

Resource Type Ref Fn::GetAtt

Alexa::ASK::Skill Id

AWS::AmazonMQ::Broker Id AmqpEndpoints, Arn, ConfigurationId,

ConfigurationRevision, IpAddresses,
MqttEndpoints, OpenWireEndpoints,
StompEndpoints, WssEndpoints

AWS::AmazonMQ::Configuration Id Arn, Id, Revision

AWS::AmazonMQ::ConfigurationAssociation Id

AWS::Amplify::App – AppId, AppName, Arn, DefaultDomain

AWS::Amplify::Branch – Arn, BranchName

AWS::Amplify::Domain – Arn, CertificateRecord, DomainName,

DomainStatus, StatusReason

AWS::ApiGateway::Account Id

AWS::ApiGateway::ApiKey Id

AWS::ApiGateway::Authorizer Id

AWS::ApiGateway::BasePathMapping –

AWS::ApiGateway::ClientCertificate Name

AWS::ApiGateway::Deployment Id

AWS::ApiGateway::DocumentationPart Id

AWS::ApiGateway::DocumentationVersion –

AWS::ApiGateway::DomainName DomainName DistributionDomainName,

DistributionHostedZoneId,
RegionalDomainName,
RegionalHostedZoneId

AWS::ApiGateway::GatewayResponse –

AWS::ApiGateway::Method Id

AWS::ApiGateway::Model Name

AWS::ApiGateway::RequestValidator Id

AWS::ApiGateway::Resource Id

AWS::ApiGateway::RestApi Id RootResourceId

AWS::ApiGateway::Stage Name

AWS::ApiGateway::UsagePlan Id

AWS::ApiGateway::UsagePlanKey –

AWS::ApiGateway::VpcLink Id

AWS::ApiGatewayV2::Api Id

AWS::ApiGatewayV2::ApiMapping Id

AWS::ApiGatewayV2::Authorizer Id

AWS::ApiGatewayV2::Deployment Id

1/10
AWS::ApiGatewayV2::DomainName DomainName RegionalDomainName,
RegionalHostedZoneId

AWS::ApiGatewayV2::Integration Id

AWS::ApiGatewayV2::IntegrationResponse Id

AWS::ApiGatewayV2::Model Id

AWS::ApiGatewayV2::Route Id

AWS::ApiGatewayV2::RouteResponse Id

AWS::ApiGatewayV2::Stage Name

AWS::ApplicationAutoScaling::ScalableTarget Id

AWS::ApplicationAutoScaling::ScalingPolicy Arn

AWS::AppMesh::Mesh Arn Arn, MeshName, Uid

AWS::AppMesh::Route Arn Arn, MeshName, Uid,

VirtualRouterName

AWS::AppMesh::VirtualNode Arn Arn, MeshName, Uid,

VirtualNodeName

AWS::AppMesh::VirtualRouter Arn Arn, MeshName, Uid,

VirtualRouterName

AWS::AppMesh::VirtualService Arn Arn, MeshName, Uid,

VirtualServiceName

AWS::AppSync::ApiKey Arn ApiKey, Arn

AWS::AppSync::DataSource Arn DataSourceArn, Name

AWS::AppSync::FunctionConfiguration Arn DataSourceName, FunctionArn,

FunctionId, Name

AWS::AppSync::GraphQLApi Arn ApiId, Arn, GraphQLUrl

AWS::AppSync::GraphQLSchema Id

AWS::AppSync::Resolver Arn FieldName, ResolverArn, TypeName

AWS::Athena::NamedQuery Name

AWS::AutoScaling::AutoScalingGroup Name

AWS::AutoScaling::LaunchConfiguration Name

AWS::AutoScaling::LifecycleHook Name

AWS::AutoScaling::ScalingPolicy Arn

AWS::AutoScaling::ScheduledAction Name

AWS::AutoScalingPlans::ScalingPlan Arn

AWS::Backup::BackupPlan Id BackupPlanArn, BackupPlanId,

VersionId

AWS::Backup::BackupSelection Id BackupPlanId, SelectionId

AWS::Backup::BackupVault Name BackupVaultArn, BackupVaultName

AWS::Batch::ComputeEnvironment Arn

AWS::Batch::JobDefinition Arn

AWS::Batch::JobQueue Arn

AWS::Budgets::Budget Name

AWS::CertificateManager::Certificate Arn

2/10
AWS::CloudFormation::CustomResource –

AWS::CloudFormation::Macro Name

AWS::CloudFormation::Stack Id

AWS::CloudFormation::WaitCondition Name Data

AWS::CloudFormation::WaitConditionHandle –

AWS::CloudFront::CloudFrontOriginAccessIdentity OriginAccessIdentity S3CanonicalUserId

AWS::CloudFront::Distribution Id DomainName

AWS::CloudFront::StreamingDistribution Id DomainName

AWS::CloudTrail::Trail Name Arn, SnsTopicArn

AWS::CloudWatch::Alarm Name Arn

AWS::CloudWatch::AnomalyDetector –

AWS::CloudWatch::Dashboard Name

AWS::CodeBuild::Project Name Arn

AWS::CodeCommit::Repository Id Arn, CloneUrlHttp, CloneUrlSsh, Name

AWS::CodeDeploy::Application Name

AWS::CodeDeploy::DeploymentConfig Name

AWS::CodeDeploy::DeploymentGroup Name

AWS::CodePipeline::CustomActionType Name

AWS::CodePipeline::Pipeline Name Version

AWS::CodePipeline::Webhook Name Url

AWS::Cognito::IdentityPool Id Name

AWS::Cognito::IdentityPoolRoleAttachment Id

AWS::Cognito::UserPool Id Arn, ProviderName, ProviderURL

AWS::Cognito::UserPoolClient Id

AWS::Cognito::UserPoolGroup Name

AWS::Cognito::UserPoolUser Name

AWS::Cognito::UserPoolUserToGroupAttachment Id

AWS::Config::AggregationAuthorization Arn

AWS::Config::ConfigRule Name Arn, Compliance.Type, ConfigRuleId

AWS::Config::ConfigurationAggregator Name

AWS::Config::ConfigurationRecorder Name

AWS::Config::DeliveryChannel Name

AWS::Config::RemediationConfiguration RemediationAction

AWS::DataPipeline::Pipeline Id

AWS::DAX::Cluster Name Arn, ClusterDiscoveryEndpoint

AWS::DAX::ParameterGroup Name

AWS::DAX::SubnetGroup Name

AWS::DLM::LifecyclePolicy Id Arn

AWS::DMS::Certificate Arn

3/10
AWS::DMS::Endpoint Arn ExternalId

AWS::DMS::EventSubscription Name

AWS::DMS::ReplicationInstance Arn ReplicationInstancePrivateIpAddresses,

ReplicationInstancePublicIpAddresses

AWS::DMS::ReplicationSubnetGroup Name

AWS::DMS::ReplicationTask Arn

AWS::DocDB::DBCluster DBClusterIdentifier ClusterResourceId, Endpoint, Port,

ReadEndpoint

AWS::DocDB::DBClusterParameterGroup Name

AWS::DocDB::DBInstance Name Endpoint, Port

AWS::DocDB::DBSubnetGroup Name

AWS::DynamoDB::Table Name Arn, StreamArn

AWS::EC2::CapacityReservation Id AvailabilityZone,
AvailableInstanceCount, InstanceType,
Tenancy, TotalInstanceCount

AWS::EC2::ClientVpnAuthorizationRule –

AWS::EC2::ClientVpnEndpoint Id

AWS::EC2::ClientVpnRoute –

AWS::EC2::ClientVpnTargetNetworkAssociation Id

AWS::EC2::CustomerGateway Id

AWS::EC2::DHCPOptions Name

AWS::EC2::EC2Fleet Id

AWS::EC2::EgressOnlyInternetGateway Id

AWS::EC2::EIP ElasticIpAddress AllocationId

AWS::EC2::EIPAssociation Name

AWS::EC2::FlowLog Id

AWS::EC2::Host Id

AWS::EC2::Instance Id AvailabilityZone, PrivateDnsName,

PrivateIp, PublicDnsName, PublicIp

AWS::EC2::InternetGateway Name

AWS::EC2::LaunchTemplate Id DefaultVersionNumber,
LatestVersionNumber

AWS::EC2::NatGateway Name

AWS::EC2::NetworkAcl Name

AWS::EC2::NetworkAclEntry Name

AWS::EC2::NetworkInterface Name PrimaryPrivateIpAddress,

SecondaryPrivateIpAddresses

AWS::EC2::NetworkInterfaceAttachment Name

AWS::EC2::NetworkInterfacePermission Name

AWS::EC2::PlacementGroup Name

AWS::EC2::Route Id

AWS::EC2::RouteTable Id

4/10
AWS::EC2::SecurityGroup Name GroupId, VpcId

AWS::EC2::SecurityGroupEgress RuleName

AWS::EC2::SecurityGroupIngress –

AWS::EC2::SpotFleet Id

AWS::EC2::Subnet Id AvailabilityZone, Ipv6CidrBlocks,

NetworkAclAssociationId, VpcId

AWS::EC2::SubnetCidrBlock CidrBlock

AWS::EC2::SubnetNetworkAclAssociation Id AssociationId

AWS::EC2::SubnetRouteTableAssociation Id

AWS::EC2::TransitGateway Id

AWS::EC2::TransitGatewayAttachment Name

AWS::EC2::TransitGatewayRoute Name

AWS::EC2::TransitGatewayRouteTable Name

AWS::EC2::TransitGatewayRouteTableAssociation Id

AWS::EC2::TransitGatewayRouteTablePropagation RouteTableId

AWS::EC2::Volume Name

AWS::EC2::VolumeAttachment –

AWS::EC2::VPC Id CidrBlock, CidrBlockAssociations,

DefaultNetworkAcl,
DefaultSecurityGroup, Ipv6CidrBlocks

AWS::EC2::VPCCidrBlock CidrBlock

AWS::EC2::VPCDHCPOptionsAssociation Id

AWS::EC2::VPCEndpoint Id CreationTimestamp, DnsEntries,

NetworkInterfaceIds

AWS::EC2::VPCEndpointConnectionNotification Id

AWS::EC2::VPCEndpointService Id

AWS::EC2::VPCEndpointServicePermissions Id

AWS::EC2::VPCGatewayAttachment Id

AWS::EC2::VPCPeeringConnection Id

AWS::EC2::VPNConnection Id

AWS::EC2::VPNConnectionRoute Id

AWS::EC2::VPNGateway Id

AWS::EC2::VPNGatewayRoutePropagation VpnGatewayId

AWS::ECR::Repository Name Arn

AWS::ECS::Cluster Name Arn

AWS::ECS::Service Arn Name

AWS::ECS::TaskDefinition Arn

AWS::EFS::FileSystem Id

AWS::EFS::MountTarget Id IpAddress

AWS::EKS::Cluster Name Arn, CertificateAuthorityData, Endpoint

5/10
AWS::ElastiCache::CacheCluster Name ConfigurationEndpoint.Address,
ConfigurationEndpoint.Port,
RedisEndpoint.Address,
RedisEndpoint.Port

AWS::ElastiCache::ParameterGroup Name

AWS::ElastiCache::ReplicationGroup Name ConfigurationEndPoint.Address,

ConfigurationEndPoint.Port,
PrimaryEndPoint.Address,
PrimaryEndPoint.Port,
ReadEndPoint.Addresses,
ReadEndPoint.Addresses.List,
ReadEndPoint.Ports,
ReadEndPoint.Ports.List

AWS::ElastiCache::SecurityGroup Name

AWS::ElastiCache::SecurityGroupIngress Name

AWS::ElastiCache::SubnetGroup Name

AWS::ElasticBeanstalk::Application Name

AWS::ElasticBeanstalk::ApplicationVersion Name

AWS::ElasticBeanstalk::ConfigurationTemplate Name

AWS::ElasticBeanstalk::Environment Name EndpointURL

AWS::ElasticLoadBalancing::LoadBalancer Name CanonicalHostedZoneName,

CanonicalHostedZoneNameID,
DNSName,
SourceSecurityGroup.GroupName,
SourceSecurityGroup.OwnerAlias

AWS::ElasticLoadBalancingV2::Listener Arn

AWS::ElasticLoadBalancingV2::ListenerCertificate –

AWS::ElasticLoadBalancingV2::ListenerRule Arn

AWS::ElasticLoadBalancingV2::LoadBalancer Arn CanonicalHostedZoneID, DNSName,

LoadBalancerFullName,
LoadBalancerName, SecurityGroups

AWS::ElasticLoadBalancingV2::TargetGroup Arn LoadBalancerArns,

TargetGroupFullName,
TargetGroupName

AWS::Elasticsearch::Domain Name Arn, DomainArn, DomainEndpoint

AWS::EMR::Cluster Id MasterPublicDNS

AWS::EMR::InstanceFleetConfig InstanceFleetId

AWS::EMR::InstanceGroupConfig InstanceGroupId

AWS::EMR::SecurityConfiguration Name

AWS::EMR::Step Id

AWS::Events::EventBus Name Arn, Name, Policy

AWS::Events::EventBusPolicy Id

AWS::Events::Rule Id Arn

AWS::Glue::Classifier Name

AWS::Glue::Connection Name

AWS::Glue::Crawler Name

AWS::Glue::Database Name
6/10
AWS::Glue::DataCatalogEncryptionSettings –

AWS::Glue::DevEndpoint Name

AWS::Glue::Job Name

AWS::Glue::Partition Name

AWS::Glue::SecurityConfiguration –

AWS::Glue::Table Name

AWS::Glue::Trigger Name

AWS::GuardDuty::Detector Id

AWS::GuardDuty::Filter Name

AWS::GuardDuty::IPSet Id

AWS::GuardDuty::Master AccountId

AWS::GuardDuty::Member AccountId

AWS::GuardDuty::ThreatIntelSet Id

AWS::IAM::AccessKey AccessKeyId SecretAccessKey

AWS::IAM::Group Name Arn

AWS::IAM::InstanceProfile Name Arn

AWS::IAM::ManagedPolicy Arn

AWS::IAM::Policy Name

AWS::IAM::Role Name Arn, RoleId

AWS::IAM::ServiceLinkedRole –

AWS::IAM::User UserName Arn

AWS::IAM::UserToGroupAddition Name

AWS::Inspector::AssessmentTarget – Arn

AWS::Inspector::AssessmentTemplate – Arn

AWS::Inspector::ResourceGroup – Arn

AWS::IoT::Certificate Id Arn

AWS::IoT::Policy Name Arn

AWS::IoT::PolicyPrincipalAttachment –

AWS::IoT::Thing Name

AWS::IoT::ThingPrincipalAttachment –

AWS::IoT::TopicRule Name Arn

AWS::IoT1Click::Device Arn Arn, DeviceId, Enabled

AWS::IoT1Click::Placement Id PlacementName, ProjectName

AWS::IoT1Click::Project Arn Arn, ProjectName

AWS::IoTAnalytics::Channel –

AWS::IoTAnalytics::Dataset –

AWS::IoTAnalytics::Datastore –

AWS::IoTAnalytics::Pipeline –

AWS::IoTEvents::DetectorModel Name

7/10
AWS::IoTEvents::Input Name

AWS::IoTThingsGraph::FlowTemplate Urn

AWS::Kinesis::Stream Name Arn

AWS::Kinesis::StreamConsumer ConsumerArn ConsumerARN,

ConsumerCreationTimestamp,
ConsumerName, ConsumerStatus,
StreamARN

AWS::KinesisAnalytics::Application –

AWS::KinesisAnalytics::ApplicationOutput –

AWS::KinesisAnalytics::ApplicationReferenceDataSource –

AWS::KinesisAnalyticsV2::Application –

AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption –

AWS::KinesisAnalyticsV2::ApplicationOutput –

AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource –

AWS::KinesisFirehose::DeliveryStream Name Arn

AWS::KMS::Alias Name

AWS::KMS::Key Id Arn

AWS::Lambda::Alias Arn

AWS::Lambda::EventSourceMapping Name

AWS::Lambda::Function Name Arn

AWS::Lambda::LayerVersion Arn

AWS::Lambda::LayerVersionPermission Arn

AWS::Lambda::Permission –

AWS::Lambda::Version Arn Version

AWS::Logs::Destination Name Arn

AWS::Logs::LogGroup Name Arn

AWS::Logs::LogStream Name

AWS::Logs::MetricFilter –

AWS::Logs::SubscriptionFilter Name

AWS::RDS::DBCluster Name Endpoint.Address, Endpoint.Port,

ReadEndpoint.Address

AWS::RDS::DBClusterParameterGroup Name

AWS::RDS::DBInstance Name Endpoint.Address, Endpoint.Port

AWS::RDS::DBParameterGroup Name

AWS::RDS::DBSecurityGroup Name

AWS::RDS::DBSecurityGroupIngress DBSecurityGroup

AWS::RDS::DBSubnetGroup Name

AWS::RDS::EventSubscription Name

AWS::RDS::OptionGroup Name

AWS::Route53::HealthCheck HealthCheckId

8/10
AWS::Route53::HostedZone HosteadZoneId NameServers

AWS::Route53::RecordSet DomainName

AWS::Route53::RecordSetGroup Name

AWS::Route53Resolver::ResolverEndpoint ResolverEndpoint Arn, Direction, HostVPCId,

IpAddressCount, Name,
ResolverEndpointId

AWS::Route53Resolver::ResolverRule ResolverRule Arn, DomainName,

ResolverEndpointId, ResolverRuleId,
TargetIps

AWS::Route53Resolver::ResolverRuleAssociation ResolverRuleAssociationId Name, ResolverRuleAssociationId,

ResolverRuleId, VPCId

AWS::S3::Bucket Name Arn, DomainName,

DualStackDomainName,
RegionalDomainName, WebsiteURL

AWS::SageMaker::CodeRepository Arn CodeRepositoryName

AWS::SageMaker::Endpoint Arn EndpointName

AWS::SageMaker::EndpointConfig Arn EndpointConfigName

AWS::SageMaker::Model Arn ModelName

AWS::SageMaker::NotebookInstance Arn NotebookInstanceName

AWS::SageMaker::NotebookInstanceLifecycleConfig Arn NotebookInstanceLifecycleConfigName

AWS::SecretsManager::ResourcePolicy Arn

AWS::SecretsManager::RotationSchedule Arn

AWS::SecretsManager::Secret Arn

AWS::SecretsManager::SecretTargetAttachment Arn

AWS::ServiceDiscovery::HttpNamespace Id Arn, Id

AWS::ServiceDiscovery::Instance Id

AWS::ServiceDiscovery::PrivateDnsNamespace Id Arn, Id

AWS::ServiceDiscovery::PublicDnsNamespace Id Arn, Id

AWS::ServiceDiscovery::Service Id Arn, Id, Name

AWS::SES::ConfigurationSet Name

AWS::SES::ConfigurationSetEventDestination –

AWS::SES::ReceiptFilter –

AWS::SES::ReceiptRule Name

AWS::SES::ReceiptRuleSet Name

AWS::SES::Template –

AWS::SNS::Topic Arn TopicName

AWS::SQS::Queue QueueURL Arn, QueueName

AWS::SSM::Association –

AWS::SSM::Document Name

AWS::SSM::MaintenanceWindow Id

AWS::SSM::MaintenanceWindowTarget Id

AWS::SSM::MaintenanceWindowTask Id

9/10
 AWS::SSM::Parameter Name Type, Value

AWS::SSM::PatchBaseline Id

AWS::SSM::ResourceDataSync Name

AWS::StepFunctions::Activity Arn Name

AWS::StepFunctions::StateMachine Arn Name

AWS::Transfer::Server Id Arn, ServerId

AWS::Transfer::User UserName Arn, ServerId, UserName

AWS::WAF::ByteMatchSet Id

AWS::WAF::IPSet Id

AWS::WAF::Rule Id

AWS::WAF::SizeConstraintSet Id

AWS::WAF::SqlInjectionMatchSet Id

AWS::WAF::WebACL Name

AWS::WAF::XssMatchSet Id

AWS::WAFRegional::ByteMatchSet Id

AWS::WAFRegional::GeoMatchSet Id

AWS::WAFRegional::IPSet Id

AWS::WAFRegional::RateBasedRule Id

AWS::WAFRegional::RegexPatternSet Id

AWS::WAFRegional::Rule Id

AWS::WAFRegional::SizeConstraintSet Id

AWS::WAFRegional::SqlInjectionMatchSet Id

AWS::WAFRegional::WebACL Name

AWS::WAFRegional::WebACLAssociation –

AWS::WAFRegional::XssMatchSet Id

Please let me know if there are missing resources or incorrect information on this page.

10/10