CloudFormation Helper Scripts Reference - AWS CloudFormation

CloudFormation Helper Scripts Reference

AWS CloudFormation provides the following Python helper scripts that you can use to install software and start services on an Amazon EC2 instance that you create as part of your stack:

  • cfn-init: Use to retrieve and interpret resource metadata, install packages, create files, and start services.

  • cfn-signal: Use to signal with a CreationPolicy or WaitCondition, so you can synchronize other resources in the stack when the prerequisite resource or application is ready.

  • cfn-get-metadata: Use to retrieve metadata for a resource or path to a specific key.

  • cfn-hup: Use to check for updates to metadata and execute custom hooks when changes are detected.

You call the scripts directly from your template. The scripts work in conjunction with resource metadata that's defined in the same template. The scripts run on the Amazon EC2 instance during the stack creation process.


The scripts are not executed by default. You must include calls in your template to execute specific helper scripts.

Amazon Linux AMI Images

The AWS CloudFormation helper scripts are preinstalled on Amazon Linux AMI images.

  • On the latest Amazon Linux AMI version, the scripts are installed in /opt/aws/bin.

  • On previous Amazon Linux AMI versions, the aws-cfn-bootstrap package that contains the scripts is located in the Yum repository.

Downloading Packages for Other Platforms

For Linux/Unix distributions other than Amazon Linux AMI images and for Microsoft Windows (2008 or later), you can download the aws-cfn-bootstrap package.

Permissions for helper scripts

By default, helper scripts do not require credentials, so you do not need to use the --access-key, --secret-key, --role, or --credential-file options. However, if no credentials are specified, AWS CloudFormation checks for stack membership and limits the scope of the call to the stack that the instance belongs to.

If you choose to specify an option, we recommend that you specify only one of the following:

  • --role

  • --credential-file

  • --access-key together with --secret-key

If you do specify an option, keep in mind which permissions the various helper scripts require:

For more information on using AWS CloudFormation-specific actions and condition context keys in IAM policies, see Controlling Access with AWS Identity and Access Management.

Using the Latest Version

The helper scripts are updated periodically. If you use the helper scripts, ensure that your launched instances are using the latest version of the scripts:

  • Include the following command in the UserData property of your template before you call the scripts. This command ensures that you get the latest version:

    yum install -y aws-cfn-bootstrap

  • If you don't include the yum install command and you use the cfn-init, cfn-signal, or cfn-get-metadata scripts, then you'll need to manually update the scripts in each Amazon EC2 Linux instance using this command:

    sudo yum install -y aws-cfn-bootstrap

  • If you don't include the yum install command and you use the cfn-hup script, then you'll need to manually update the script in each Amazon EC2 Linux instance using these commands:

    sudo yum install -y aws-cfn-bootstrap

    sudo /sbin/service cfn-hup restart

  • If you use the source code for the scripts to work with another version of Linux or a different platform, and you have created your own certificate trust store, you'll also need to keep the trust store updated.

For the version history of the aws-cfn-bootstrap package, see Release History for AWS CloudFormation Helper Scripts.