AWS CloudFormation Helper Scripts

• AWS CloudFormation helper scripts can be used to install software and start services on an EC2 instance created as a part of the stack.
• CloudFormation Helper scripts aren’t executed by default and calls must be included in the template to execute specific helper scripts.
• CloudFormation helper scripts are preinstalled on Amazon Linux AMI images (located in /opt/aws/bin on the latest Amazon Linux versions).
• Helper scripts are Python-based utilities distributed in the aws-cfn-bootstrap package (latest version 2.0-39 as of April 2026).
• Version 2.0-1 and above of the helper scripts require Python 3.4 or above.
• For non-Amazon Linux distributions (Ubuntu, RHEL, etc.) and Windows, the aws-cfn-bootstrap package must be downloaded and installed separately.
• By default, helper scripts don’t require credentials. CloudFormation checks for stack membership and limits the scope of the call to the stack that the instance belongs to.

cfn-init

• cfn-init can be used to retrieve and interpret resource metadata, install packages, create files, and start services.
• cfn-init helper script reads template metadata from the AWS::CloudFormation::Init key and acts accordingly to:
  • Fetch and parse metadata from CloudFormation
  • Install packages (supports apt, msi, python, rpm, rubygems, yum, and Zypper)
  • Write files to disk
  • Create Linux/UNIX groups and users
  • Download and unpack archive files from sources
  • Enable/disable and start/stop services
• cfn-init processes configuration sections in the following order: packages → groups → users → sources → files → commands → services.
• Configuration metadata is organized into config keys, which can be grouped into configSets to control processing order.
• If no configset is specified, cfn-init looks for a single config key named config.
• cfn-init supports all metadata types for Linux systems. It supports metadata types for Windows with some conditions.

Services Key – Systemd Support

• Amazon Linux 2 and above running aws-cfn-bootstrap version 2.0-29+ support the services key using systemd.
• Other Linux systems support the services key using sysvinit (by default) or systemd.
• Windows systems support the services key through Windows Service Manager.
• The services key allows you to specify dependencies on sources, packages, files, and commands so that if a restart is needed, cfn-init will take care of the service restart.

cfn-signal

• cfn-signal can be used to signal with a CreationPolicy or WaitCondition, so you can synchronize other resources in the stack when the prerequisite resource or application is ready.
• cfn-signal script is used in conjunction with a CreationPolicy or an Auto Scaling group with a WaitOnResourceSignals update policy.
• When CloudFormation creates or updates resources with those policies, it suspends work on the stack until the resource receives the requisite number of signals or until the timeout period is exceeded.
• For each valid signal that CloudFormation receives, CloudFormation publishes the signals to the stack events so that you track each signal.
• cfn-signal doesn’t require credentials, so you don’t need to use the --access-key, --secret-key, --role, or --credential-file options.

Troubleshoot “Failed to receive X resource signal(s) within the specified duration”

• cfn-signal script isn’t installed on one or more instances of the AWS CloudFormation stack.
• There are syntax errors or incorrect values in the AWS CloudFormation template.
• Value of the Timeout property for the CreationPolicy attribute is too low.
• Check the logs /var/log/cloud-init.log and /var/log/cfn-init.log.
• Logs can be checked only if the instance is not terminated, by setting Rollback on failure option of the AWS CloudFormation stack to No.
• cfn-signal isn’t sent from the EC2 instance.
• Verify the instances have internet connectivity (or a VPC endpoint for CloudFormation).
• On Windows, if cfn-init.exe requires a system reboot, the system might shut down and return to the EC2Launch process before cfn-signal.exe runs.

cfn-get-metadata

• cfn-get-metadata helper script helps to retrieve metadata for a resource or path to a specific key.
• cfn-get-metadata helper script can be used to fetch a metadata block from CloudFormation and print it to standard out.
• You can also print a sub-tree of the metadata block if you specify a key.
• However, only top-level keys are supported.

cfn-hup

• Use to check for updates to metadata and execute custom hooks when changes are detected.
• cfn-hup helper is a daemon that detects changes in resource metadata and runs user-specified actions when a change is detected.
• This allows you to make configuration updates on the running EC2 instances through the UpdateStack API action.
• For systemd-based systems, cfn-hup requires a unit file to be configured for proper daemon management.

Windows Bootstrapping Considerations

• EC2Launch v2 is required for CloudFormation bootstrapping tools to properly initialize and configure Windows instances during stack creation (Windows Server 2022 and later).
• EC2Launch v2 replaces both EC2Config and EC2Launch v1, and comes pre-installed on AWS Windows Server 2022 and 2025 AMIs.
• User data on Windows is processed by EC2Launch v2 (Windows Server 2022+), EC2Launch (Windows Server 2016/2019), or EC2Config (Windows Server 2012 R2 and earlier).
• The waitAfterCompletion key in commands is specific to Windows and controls wait time (in seconds) after a command finishes in case it causes a reboot.

Alternative: AWS Systems Manager State Manager

• AWS recommends considering Systems Manager State Manager as a modern alternative to cfn-init for ongoing instance configuration management.
• State Manager advantages over cfn-init:
  • Centralized logs in Amazon S3 (vs. local-only logs with cfn-init)
  • Cleaner CloudFormation templates (decouples configuration from template)
  • Configuration compliance visibility
  • Improved auditing with CloudTrail integration
  • Scheduled configuration runs after initial provisioning
  • Tag-based targeting for new instances
  • Rate and error control settings
• Use CloudFormation to define AWS resources, and Systems Manager to perform ongoing configuration management.
• State Manager has a CloudFormation resource type (AWS::SSM::Association) with a WaitForSuccessTimeoutSeconds property that causes CloudFormation to wait until the association is successfully applied.
• Supports configuration management tools like Ansible, Chef, PowerShell DSC, and SaltStack through native SSM documents.

AWS Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

1. Which of these is not a CloudFormation Helper Script?
   1. cfn-signal
   2. cfn-hup
   3. cfn-request (Refer link)
   4. cfn-get-metadata
2. You are designing a CloudFormation template to create a set of EC2 Instances and install an application package. You need to ensure that the stack is only successful if the software package gets installed successfully. Which of the following would assist in achieving this requirement?
   1. Use the Change sets feature
   2. Use CloudWatch logs to signal the completion
   3. Use CloudTrail to signal the completion
   4. Use the cfn-signal helper script
3. You are in charge of designing a CloudFormation template, which deploys a LAMP stack. After deploying a stack, you see that the status of the stack is showing as CREATE_COMPLETE, but the apache server is still not up and running and is experiencing issues while starting up. You want to ensure that the stack creation only shows the status of CREATE_COMPLETE after all resources defined in the stack are up and running. How can you achieve this? (Select TWO)
   1. Define a stack policy, which defines that all underlying resources should be up and running before showing a status of CREATE_COMPLETE.
   2. Use lifecycle hooks to mark the completion of the creation and configuration of the underlying resource.
   3. Use the CreationPolicy to ensure it is associated with the EC2 Instance resource.
   4. Use the cfn helper scripts to signal once the resource configuration is complete.
4. A DevOps engineer needs to ensure that configuration changes made to EC2 instances deployed through CloudFormation are maintained throughout the instance lifecycle, with centralized logging and compliance tracking. Which approach is recommended?
   1. Use cfn-init with cfn-hup daemon to poll for metadata changes
   2. Use AWS Systems Manager State Manager with AWS::SSM::Association resource in CloudFormation
   3. Use EC2 User Data scripts with a cron job
   4. Use AWS Config rules to remediate drift
5. In a CloudFormation template using AWS::CloudFormation::Init, what is the correct processing order of configuration sections by cfn-init?
   1. commands, packages, files, services, sources, groups, users
   2. files, packages, commands, services, sources, groups, users
   3. packages, groups, users, sources, files, commands, services
   4. packages, files, sources, commands, services, groups, users

References

• AWS CloudFormation Helper Scripts Reference
• AWS::CloudFormation::Init
• Release History for CloudFormation Helper Scripts
• Deploy Applications on Amazon EC2
• Using State Manager over cfn-init