aws-cloudformation · github-actions · Apr 11, 2026
diff --git a/docs/rules.md b/docs/rules.md
@@ -46,7 +46,7 @@ To include these rules, use the `-e/include-experimental` argument when running
 ## Rules
 (_This documentation is generated by running `cfn-lint --update-documentation`, do not alter this manually_)
 
-The following **285** rules are applied by this linter:
+The following **297** rules are applied by this linter:
 
 | Rule ID  | Title | Description | Config<br />(Name:Type:Default) | Source | Tags |
 | -------- | ----- | ----------- | ---------- | ------ | ---- |
@@ -92,6 +92,14 @@ The following **285** rules are applied by this linter:
 | [E1154<a name="E1154"></a>](../src/cfnlint/rules/formats/SubnetId.py) | Validate VPC subnet id format | Check that a VPC subnet id matches a pattern |  | [Source](https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/format_keyword.md#AWS::EC2::Subnet.Id) |  |
 | [E1155<a name="E1155"></a>](../src/cfnlint/rules/formats/LogGroupName.py) | Validate CloudWatch logs group name | Check that a CloudWatch log group name matches a pattern |  | [Source](https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/format_keyword.md#AWS::Logs::LogGroup.Name) |  |
 | [E1156<a name="E1156"></a>](../src/cfnlint/rules/formats/IamRoleArn.py) | Validate IAM role ARN format | Validate IAM role ARN validation for ref/gett and string values |  | [Source](https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/format_keyword.md#AWS::IAM::Role.Arn) |  |
+| [E1157<a name="E1157"></a>](../src/cfnlint/rules/formats/KmsKeyArn.py) | Validate KMS key ARN format | Validate KMS key ARN format for ref/getatt and string values |  | [Source](https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/format_keyword.md#AWS::KMS::Key.Arn) |  |
+| [E1158<a name="E1158"></a>](../src/cfnlint/rules/formats/SnsTopicArn.py) | Validate SNS topic ARN format | Validate SNS topic ARN format for ref/getatt and string values |  | [Source](https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/format_keyword.md#AWS::SNS::Topic.Arn) |  |
+| [E1159<a name="E1159"></a>](../src/cfnlint/rules/formats/AcmCertificateArn.py) | Validate ACM certificate ARN format | Validate ACM certificate ARN format for ref/getatt and string values |  | [Source](https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/format_keyword.md#AWS::ACM::Certificate.Arn) |  |
+| [E1160<a name="E1160"></a>](../src/cfnlint/rules/formats/LambdaFunctionArn.py) | Validate Lambda function ARN format | Validate Lambda function ARN format for ref/getatt and string values |  | [Source](https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/format_keyword.md#AWS::Lambda::Function.Arn) |  |
+| [E1161<a name="E1161"></a>](../src/cfnlint/rules/formats/S3BucketName.py) | Validate S3 bucket name format | Validate S3 bucket name format for ref/getatt and string values |  | [Source](https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/format_keyword.md#AWS::S3::Bucket.Name) |  |
+| [E1162<a name="E1162"></a>](../src/cfnlint/rules/formats/KmsKeyId.py) | Validate KMS key ID format | Validate KMS key ID format for key UUIDs and aliases |  | [Source](https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/format_keyword.md#AWS::KMS::Key.Id) |  |
+| [E1163<a name="E1163"></a>](../src/cfnlint/rules/formats/LambdaFunctionName.py) | Validate Lambda function name format | Validate Lambda function name format for ref/getatt and string values |  | [Source](https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/format_keyword.md#AWS::Lambda::Function.Name) |  |
+| [E1164<a name="E1164"></a>](../src/cfnlint/rules/formats/KmsAliasName.py) | Validate KMS alias name format | Validate KMS alias name format for ref/getatt and string values |  | [Source](https://github.com/aws-cloudformation/cfn-lint/blob/main/docs/format_keyword.md#AWS::KMS::Alias.AliasName) |  |
 | [E1700<a name="E1700"></a>](../src/cfnlint/rules/rules/Configuration.py) | Rules have the appropriate configuration | Making sure the Rules section is properly configured |  | [Source](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/rules-section-structure.html) | `rules` |
 | [E1701<a name="E1701"></a>](../src/cfnlint/rules/rules/Assert.py) | Validate the configuration of Assertions | Make sure the Assert value in a Rule is properly configured |  | [Source](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/rules-section-structure.html) | `rules` |
 | [E1702<a name="E1702"></a>](../src/cfnlint/rules/rules/RuleCondition.py) | Validate the configuration of Rules RuleCondition | Make sure the RuleCondition in a Rule is properly configured |  | [Source](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/rules-section-structure.html) | `rules` |
@@ -239,9 +247,9 @@ The following **285** rules are applied by this linter:
 | [E3708<a name="E3708"></a>](../src/cfnlint/rules/resources/apigateway/MethodAuthorizerType.py) | API Gateway Method AuthorizationType must match Authorizer Type | When using AuthorizationType 'CUSTOM', the referenced Authorizer must have Type 'TOKEN' or 'REQUEST'. When using AuthorizationType 'COGNITO_USER_POOLS', the Authorizer must have Type 'COGNITO_USER_POOLS'. |  | [Source](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html) | `resources`,`apigateway` |
 | [E3709<a name="E3709"></a>](../src/cfnlint/rules/resources/rds/DbInstanceClusterStorageEncrypted.py) | Validate RDS DBInstance StorageEncrypted matches DBCluster | When a DBInstance references a DBCluster via DBClusterIdentifier, the StorageEncrypted property must match between the two resources |  | [Source](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbinstance.html) | `resources`,`rds` |
 | [E3710<a name="E3710"></a>](../src/cfnlint/rules/resources/Lifecycle.py) | Resource type is from a service that has been shut down | Checks if a resource type belongs to an AWS service that has reached full shutdown and is no longer available |  | [Source](https://docs.aws.amazon.com/general/latest/gr/full_shutdown_services.html) | `resources`,`lifecycle` |
-| [E3711<a name="E3711"></a>](../src/cfnlint/rules/resources/elasticloadbalancingv2/ListenerRuleTargetGroupProtocol.py) | Validate ListenerRule target group protocol is not GENEVE | When a ListenerRule forwards to a TargetGroup, the TargetGroup protocol must not be GENEVE. GENEVE is only supported with Gateway Load Balancers. |  | [Source](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/target-groups.html) | `resources`,`elasticloadbalancingv2` |
-| [E3712<a name="E3712"></a>](../src/cfnlint/rules/resources/autoscaling/ScalingPolicyTargetTrackingAsg.py) | Validate TargetTrackingScaling policy references ASG with different MinSize and MaxSize | When a ScalingPolicy uses 'TargetTrackingScaling', the referenced AutoScalingGroup must have different 'MaxSize' and 'MinSize' to allow scaling |  | [Source](https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scaling-target-tracking.html) | `resources`,`autoscaling` |
-| [E3713<a name="E3713"></a>](../src/cfnlint/rules/resources/ecs/ServiceFargateLogDriver.py) | Validate Fargate ECS services use supported log drivers | When using an ECS service with 'LaunchType' of 'FARGATE' the referenced task definition containers must use a supported log driver ('awslogs', 'splunk', or 'awsfirelens') |  | [Source](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html) | `resources`,`ecs` |
+| [E3711<a name="E3711"></a>](../src/cfnlint/rules/resources/elasticloadbalancingv2/ListenerRuleTargetGroupProtocol.py) | Validate ListenerRule target group protocol is not GENEVE | When a ListenerRule forwards to a TargetGroup, the TargetGroup protocol must not be GENEVE. GENEVE is only supported with Gateway Load Balancers, not Application or Network Load Balancers. |  | [Source](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/target-groups.html) | `resources`,`elasticloadbalancingv2` |
+| [E3712<a name="E3712"></a>](../src/cfnlint/rules/resources/autoscaling/ScalingPolicyTargetTrackingAsg.py) | TargetTrackingScaling policy requires ASG MaxSize greater than MinSize | When using a TargetTrackingScaling policy the referenced AutoScalingGroup must have MaxSize different from MinSize to allow scaling |  | [Source](https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scaling-target-tracking.html) | `resources`,`autoscaling` |
+| [E3713<a name="E3713"></a>](../src/cfnlint/rules/resources/ecs/ServiceFargateLogDriver.py) | Validate Fargate ECS services use supported log drivers | When using an ECS service with 'LaunchType' of 'FARGATE' the referenced task definition containers must use a supported log driver ('awslogs', 'splunk', or 'awsfirelens'). Other log drivers like 'json-file' or 'syslog' are not supported on Fargate. |  | [Source](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html) | `resources`,`ecs` |
 | [E3714<a name="E3714"></a>](../src/cfnlint/rules/resources/ectwo/LaunchTemplateSubnetSecurityGroupVpc.py) | Validate LaunchTemplate SecurityGroup and Subnet are in the same VPC | When a LaunchTemplate references SecurityGroups via 'SecurityGroupIds' and Subnets via 'NetworkInterfaces', the SecurityGroup's VpcId must match the Subnet's VpcId |  | [Source](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html) | `resources`,`ec2` |
 | [E4001<a name="E4001"></a>](../src/cfnlint/rules/metadata/InterfaceConfiguration.py) | Metadata Interface have appropriate properties | Metadata Interface properties are properly configured |  | [Source](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-interface.html) | `metadata` |
 | [E4002<a name="E4002"></a>](../src/cfnlint/rules/metadata/Configuration.py) | Validate the configuration of the Metadata section | Validates that Metadata section is an object and has no null values |  | [Source](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html) | `metadata` |

diff --git a/requirements/base.txt b/requirements/base.txt
@@ -1,5 +1,5 @@
 pyyaml>5.4
-aws-sam-translator>=1.108.0
+aws-sam-translator>=1.109.0
 jsonpatch
 networkx>=2.4,<4
 sympy>=1.0.0