CloudFormation GetAtt Cheat Sheet - 1500+ AWS Resources with Ref Comparison [2026]

Fn::GetAtt is one of the most essential intrinsic functions in AWS CloudFormation that returns specific attributes from AWS resources in your templates. Whether you're building infrastructure as code or managing complex AWS deployments, this comprehensive cheat sheet provides instant access to all 1500+ AWS resource types and their available attributes, plus a complete decision guide for choosing between GetAtt and Ref.

Why This CloudFormation GetAtt Reference?

When working with CloudFormation templates, you often need to reference attributes from AWS resources, but finding the exact attribute names can be time-consuming. The official AWS documentation is scattered across hundreds of pages, making it inefficient to look up specific resource attributes.

This cheat sheet solves that problem by providing:

• A single, searchable table with every AWS resource type and its available Fn::GetAtt attributes
• A clear decision framework for choosing between GetAtt and Ref
• Practical examples showing when to use each attribute
• Troubleshooting guidance for common GetAtt errors

If you're using AWS CDK instead of raw CloudFormation, CDK automatically handles these intrinsic function references for you, but understanding GetAtt is still essential for debugging and understanding what CDK generates under the hood.

How to Use This CloudFormation Attributes Reference

1. Search (Ctrl+F) for your AWS resource type (e.g., "AWS::S3::Bucket")
2. Find the available attributes in the second column
3. Copy the attribute name into your CloudFormation template
4. Use with !GetAtt YourResourceName.AttributeName

Legend: ❌ = No attributes available for this resource type

Complete AWS CloudFormation Resource Attributes Table

The table below contains every AWS resource type with their corresponding Fn::GetAtt attributes:

Total Resource Types: 1502 | With Attributes: 1202 | Without Attributes: 300 | Last Updated: January 2, 2026

Note: The data was automatically fetched from the official AWS CloudFormation resource specification and got parsed in this markdown table using a custom python script.

GetAtt vs Ref: When to Use Each

One of the most common sources of confusion in CloudFormation is knowing when to use Fn::GetAtt versus Ref. Both functions retrieve values from resources, but they serve different purposes and return different things.

What Ref Returns

The Ref function returns a resource's primary identifier, which is the single most important value used to identify that resource. The specific value depends on the resource type:

Think of Ref as a shortcut to the most commonly needed identifier. For S3 buckets, you often need just the bucket name, so Ref returns that. For EC2 instances, the instance ID is most useful, so that's what you get.

What GetAtt Returns

Fn::GetAtt provides access to additional attributes beyond the primary identifier. Each resource type exposes different attributes through GetAtt, such as:

• ARNs: Amazon Resource Names for IAM policies and cross-service references
• DNS names: Endpoints for connecting to services
• IP addresses: Public and private IPs for networking configuration
• URLs: Service endpoints and access URLs
• Status information: Configuration states or operational details

Decision Framework: GetAtt vs Ref Flowchart

Use this flowchart to quickly decide which function to use:

Quick Reference: When to Use Each

*Some resources like SNS topics and SQS queues return ARNs directly from Ref.

Common Gotchas to Avoid

Here are the traps that catch even experienced CloudFormation users:

S3 Buckets: !Ref MyBucket returns the bucket name, not the ARN. For IAM policies, you need !GetAtt MyBucket.Arn.

# Wrong - Ref returns bucket name, not ARN
Resource: !Ref MyBucket  # Returns: my-bucket-name

# Correct - GetAtt returns the full ARN
Resource: !GetAtt MyBucket.Arn  # Returns: arn:aws:s3:::my-bucket-name

Lambda Functions: Same pattern. !Ref MyFunction gives you the function name, but IAM policies and event source mappings often need the ARN.

# For EventSourceMapping, you need the ARN
FunctionName: !GetAtt MyFunction.Arn

# For human-readable references, the name is fine
FunctionName: !Ref MyFunction

DynamoDB Tables: !Ref MyTable returns the table name, which works for most operations. But for IAM policies and cross-account access, use !GetAtt MyTable.Arn.

Understanding these patterns will save you hours of debugging "Access Denied" errors caused by using bucket names where ARNs are required, or function names where ARNs are expected.

Practical Examples by Service

While the table below lists every available attribute, knowing which ones to use in real scenarios is equally important. Here are practical examples for the most commonly used AWS services.

S3 Bucket Attributes

S3 buckets expose several domain-related attributes that serve different purposes:

Practical Example: CloudFront Distribution with S3 Origin

Resources:
  MyBucket:
    Type: AWS::S3::Bucket

  MyDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          # Use DomainName for CloudFront origin
          - DomainName: !GetAtt MyBucket.DomainName
            Id: S3Origin
            S3OriginConfig:
              OriginAccessIdentity: ""
        DefaultCacheBehavior:
          TargetOriginId: S3Origin
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false
        Enabled: true

  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MyBucket  # Use Ref for bucket name
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: s3:GetObject
            # Use GetAtt for ARN in resource policy
            Resource: !Sub "${MyBucket.Arn}/*"

Lambda Function Attributes

Lambda functions have fewer attributes, but knowing the difference between the function name and ARN is critical:

Practical Example: API Gateway Integration with Lambda

Resources:
  MyFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: MyApiHandler
      Runtime: python3.12
      Handler: index.handler
      Code:
        ZipFile: |
          def handler(event, context):
              return {'statusCode': 200, 'body': 'Hello'}
      Role: !GetAtt LambdaRole.Arn

  # API Gateway needs the function ARN for integration
  ApiIntegration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref MyApi
      IntegrationType: AWS_PROXY
      IntegrationUri: !GetAtt MyFunction.Arn
      PayloadFormatVersion: "2.0"

  # Lambda permission uses the function name (Ref works)
  LambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref MyFunction
      Action: lambda:InvokeFunction
      Principal: apigateway.amazonaws.com

EC2 Instance Attributes

EC2 instances expose networking information that's essential for security groups and service discovery:

Practical Example: Database Security Group with EC2 Access

Resources:
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-12345678
      InstanceType: t3.micro
      SubnetId: !Ref PrivateSubnet

  # Security group allowing the web server to access the database
  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow web server to access database
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          # Use GetAtt to get the instance's private IP
          CidrIp: !Sub "${WebServer.PrivateIp}/32"

Outputs:
  WebServerPrivateIP:
    Description: Private IP of the web server
    Value: !GetAtt WebServer.PrivateIp
  WebServerPublicIP:
    Description: Public IP of the web server (if applicable)
    Value: !GetAtt WebServer.PublicIp
  WebServerAZ:
    Description: Availability Zone
    Value: !GetAtt WebServer.AvailabilityZone

Advanced GetAtt Patterns

Once you're comfortable with basic GetAtt usage, these advanced patterns will help you build more sophisticated and maintainable templates.

Combining GetAtt with Fn::Sub

One of the most powerful combinations is using GetAtt within Fn::Sub to build dynamic strings. This is especially useful for constructing connection strings, ARN patterns, and configuration values:

Resources:
  MyRDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceClass: db.t3.micro
      Engine: mysql
      MasterUsername: admin
      MasterUserPassword: !Ref DBPassword

Outputs:
  # Build a connection string using Fn::Sub with GetAtt
  DatabaseConnectionString:
    Value: !Sub
      - "mysql://${Username}:${Password}@${Endpoint}:${Port}/mydb"
      - Username: admin
        Password: !Ref DBPassword
        Endpoint: !GetAtt MyRDSInstance.Endpoint.Address
        Port: !GetAtt MyRDSInstance.Endpoint.Port

  # Or use the shorthand within Fn::Sub directly
  SimplifiedConnectionString:
    Value: !Sub "mysql://admin@${MyRDSInstance.Endpoint.Address}:${MyRDSInstance.Endpoint.Port}/mydb"

Using AWS::LanguageExtensions Transform

The AWS::LanguageExtensions transform unlocks advanced capabilities including dynamic GetAtt references. This is particularly useful when you need to reference resources or attributes that are determined at runtime.

To enable the transform, declare it at the top of your template:

Transform: AWS::LanguageExtensions

Resources:
  # Now you can use intrinsic functions within GetAtt parameters

With the transform enabled, you can use these functions inside GetAtt:

• Fn::Sub
• Fn::Join
• Fn::If
• Fn::FindInMap
• Ref

Dynamic Resource References Example:

Transform: AWS::LanguageExtensions

Mappings:
  Environments:
    prod:
      BucketSuffix: production
    dev:
      BucketSuffix: development

Resources:
  ProdBucket:
    Type: AWS::S3::Bucket

  DevBucket:
    Type: AWS::S3::Bucket

Outputs:
  # Dynamically select which bucket's ARN to output based on parameter
  SelectedBucketArn:
    Value: !GetAtt
      - !Sub "${Environment}Bucket"
      - Arn

Looping with Fn::ForEach:

Transform: AWS::LanguageExtensions

Mappings:
  Buckets:
    Config:
      Names: [DataBucket, LogBucket, BackupBucket]

Resources:
  Fn::ForEach::CreateBuckets:
    - BucketName
    - !FindInMap [Buckets, Config, Names]
    - ${BucketName}:
        Type: AWS::S3::Bucket

Outputs:
  # Output ARNs for all dynamically created buckets
  Fn::ForEach::BucketArns:
    - BucketName
    - !FindInMap [Buckets, Config, Names]
    - ${BucketName}Arn:
        Value: !GetAtt
          - !Ref BucketName
          - Arn

Cross-Stack References with GetAtt

When building multi-stack architectures, you'll often need to share resource attributes between stacks. Export the values you need using Outputs with Export names:

Network Stack (exports VPC and subnet information):

# network-stack.yaml
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16

  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24

Outputs:
  VPCId:
    Value: !Ref MyVPC
    Export:
      Name: !Sub "${AWS::StackName}-VPCId"

  VPCCidrBlock:
    Value: !GetAtt MyVPC.CidrBlock
    Export:
      Name: !Sub "${AWS::StackName}-VPCCidr"

  PrivateSubnetId:
    Value: !Ref PrivateSubnet
    Export:
      Name: !Sub "${AWS::StackName}-PrivateSubnetId"

Application Stack (imports from network stack):

# application-stack.yaml
Parameters:
  NetworkStackName:
    Type: String
    Default: network-stack

Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application security group
      VpcId: !ImportValue
        Fn::Sub: "${NetworkStackName}-VPCId"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !ImportValue
            Fn::Sub: "${NetworkStackName}-VPCCidr"

For more on managing multi-stack architectures, see our guide on sharing resources across AWS CDK stacks, which covers similar patterns in CDK that generate these CloudFormation exports.

Troubleshooting GetAtt Errors

Even experienced CloudFormation users encounter GetAtt errors. Here are the most common issues and how to resolve them.

"Template error: instance of Fn::GetAtt references undefined resource"

This error means CloudFormation can't find the resource you're referencing.

Common Causes:

1. Typo in resource name: The logical ID must match exactly (case-sensitive)
2. Resource not in same template: GetAtt only works within the same template
3. Resource in a different stack: Use Fn::ImportValue for cross-stack references
4. Conditional resource: The resource might not exist due to a Condition

Example of the Problem:

Resources:
  MyS3Bucket:  # Note the capital 'B'
    Type: AWS::S3::Bucket

Outputs:
  BucketArn:
    # Error: "Mys3Bucket" doesn't match "MyS3Bucket"
    Value: !GetAtt Mys3Bucket.Arn

Solution:

Outputs:
  BucketArn:
    # Correct: Exact match with resource logical ID
    Value: !GetAtt MyS3Bucket.Arn

Prevention Tips:

• Use your IDE's CloudFormation extension for auto-complete (see our guide on VS Code extensions for CloudFormation)
• Run cfn-lint before deploying to catch reference errors early
• Consider validating CloudFormation templates in your pipeline

"Template error: resource type does not support attribute type"

This error occurs when you request an attribute that doesn't exist for the resource type.

Common Causes:

1. Wrong attribute name: The attribute doesn't exist for this resource
2. Attribute name typo: Case sensitivity matters for attribute names too
3. Deprecated attribute: The attribute was removed in a newer resource version

Example of the Problem:

Resources:
  MyBucket:
    Type: AWS::S3::Bucket

Outputs:
  BucketUrl:
    # Error: "Url" is not a valid S3 bucket attribute
    Value: !GetAtt MyBucket.Url

Solution:

Check the table above or AWS documentation for valid attributes:

Outputs:
  BucketWebsiteUrl:
    # Correct: Use the actual attribute name
    Value: !GetAtt MyBucket.WebsiteURL

  BucketDomainName:
    # Alternative: Use DomainName for non-website access
    Value: !GetAtt MyBucket.DomainName

Template Validation Tips

AWS CloudFormation now offers powerful pre-deployment validation that catches GetAtt errors before you attempt to create or update a stack:

1. Use cfn-lint Locally

# Install cfn-lint
pip install cfn-lint

# Validate your template
cfn-lint my-template.yaml

cfn-lint will catch:

• References to undefined resources
• Invalid attribute names for resource types
• Syntax errors in intrinsic functions

2. CloudFormation Language Server in VS Code

The AWS CloudFormation Language Server provides real-time validation and auto-complete for GetAtt attributes directly in your editor. This is included in the AWS Toolkit for VS Code.

3. Use Change Sets for Validation

Before applying changes to production stacks, create a change set to validate the template:

aws cloudformation create-change-set \
  --stack-name my-stack \
  --template-body file://template.yaml \
  --change-set-name validation-check

# Review the change set for any errors
aws cloudformation describe-change-set \
  --stack-name my-stack \
  --change-set-name validation-check

Change sets now show before-and-after values for GetAtt references, making it easier to understand how your changes will affect dependent resources.

Circular Dependency Errors

If you see "Circular dependency between resources", it means two or more resources reference each other's attributes in a way that creates an infinite loop.

Example of the Problem:

Resources:
  SecurityGroupA:
    Type: AWS::EC2::SecurityGroup
    Properties:
      SecurityGroupIngress:
        - SourceSecurityGroupId: !GetAtt SecurityGroupB.GroupId  # References B

  SecurityGroupB:
    Type: AWS::EC2::SecurityGroup
    Properties:
      SecurityGroupIngress:
        - SourceSecurityGroupId: !GetAtt SecurityGroupA.GroupId  # References A

Solution:

Break the cycle using separate ingress/egress rules:

Resources:
  SecurityGroupA:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group A

  SecurityGroupB:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group B

  # Add ingress rules as separate resources
  SecurityGroupAIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref SecurityGroupA
      SourceSecurityGroupId: !Ref SecurityGroupB
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443

  SecurityGroupBIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref SecurityGroupB
      SourceSecurityGroupId: !Ref SecurityGroupA
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443

Generate CloudFormation Resources in VS Code

If you prefer working directly in your IDE, I've created a VS Code extension that automatically generates CloudFormation resource snippets for you.

Instead of manually typing out resource definitions, you can simply use the CloudFormation Snippets VSCode extension to quickly scaffold CloudFormation resources in YAML.

More Useful AWS Cheat Sheets, Lists and Tables

• AWS CloudFormation Resource Properties - Comprehensive table of all CloudFormation resource properties
• AWS IAM Service Principals: The Complete Auto-Updated List (2026) - Complete reference of AWS IAM service principals (useful for AWS::IAM::Role and AWS::IAM::Policy resources)
• Amazon Resource Names (ARNs) - A table containing a complete overview of 400+ Amazon Resource Names (ARNs) references that you can apply to IAM policies within AWS
• Autocomplete CloudFormation Resources in VS Code - Speed up CloudFormation template creation with auto-complete
• AWS CloudFormation Documentation - Official guide to CloudFormation templates and resources