Know How Guide and Hands on Guide for AWS
In the AWS China regions (cn-north-1 and cn-northwest-1) ARNs use the aws-cn partition instead of aws. For example: arn:aws-cn:iam::123456789012:user/div/subdiv/Zhang
Do not hard-code the partition in templates. Use arn:${AWS::Partition} (for example inside Fn::Sub) so the ARN resolves to the correct partition for the region the stack is deployed in.
Service endpoints in the China regions also use a different domain suffix, amazonaws.com.cn. Sample format: xyz.cn-north-1.amazonaws.com.cn. In templates this suffix is available as the ${AWS::URLSuffix} pseudo parameter, so it should not be hard-coded either.
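The partition and endpoint-suffix differences above are easy to get wrong in a template that was first written for the commercial partition. The following added example (not code from the original page) does two things: it scans template text for literal partitions after `arn:` and for literal `amazonaws.com` / `amazonaws.com.cn` suffixes, and it shows how to derive the partition, ARN and regional endpoint from the deployment region at runtime. The two embedded templates are constructed samples: the first hard-codes both values, the second uses `${AWS::Partition}` and `${AWS::URLSuffix}`. The function names (`find_hardcoded`, `partition_for_region`, `build_arn`, `endpoint`) are this example's own.

```python
"""Find hard-coded partitions/endpoint suffixes in CloudFormation templates and
build partition-aware ARNs and endpoints. Added example; the sample templates
below are constructed, not taken from any real deployment."""
import re
import sys

# Constructed sample: works only in the commercial (aws) partition.
HARDCODED_TEMPLATE = """\
Resources:
  ReadBucket:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: read-bucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action: s3:GetObject
            Resource: arn:aws:s3:::my-bucket/*
      Roles: [!Ref AppRole]
Outputs:
  Endpoint:
    Value: https://my-bucket.s3.cn-north-1.amazonaws.com
"""

# Constructed sample: the same fragment using the AWS::Partition and
# AWS::URLSuffix pseudo parameters, so it deploys unchanged in aws and aws-cn.
PORTABLE_TEMPLATE = """\
Resources:
  ReadBucket:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: read-bucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action: s3:GetObject
            Resource: !Sub arn:${AWS::Partition}:s3:::my-bucket/*
      Roles: [!Ref AppRole]
Outputs:
  Endpoint:
    Value: !Sub https://my-bucket.s3.${AWS::Region}.${AWS::URLSuffix}
"""

# A literal partition directly after "arn:" or a literal AWS domain suffix is
# what breaks when the same template is deployed to another partition.
ARN_LITERAL = re.compile(r"\barn:(aws|aws-cn|aws-us-gov):")
SUFFIX_LITERAL = re.compile(r"\.amazonaws\.com(?:\.cn)?\b")

# Domain suffix per partition (what AWS::URLSuffix resolves to).
URL_SUFFIX = {"aws": "amazonaws.com", "aws-cn": "amazonaws.com.cn", "aws-us-gov": "amazonaws.com"}


def partition_for_region(region):
    """Map a region code to its partition (what AWS::Partition resolves to)."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def build_arn(service, region, account, resource, deploy_region):
    """Build an ARN whose partition follows the region the stack is deployed in.
    Pass region="" for global services such as IAM and S3."""
    return f"arn:{partition_for_region(deploy_region)}:{service}:{region}:{account}:{resource}"


def endpoint(service, region):
    """Regional endpoint hostname, e.g. xyz.cn-north-1.amazonaws.com.cn."""
    return f"{service}.{region}.{URL_SUFFIX[partition_for_region(region)]}"


def find_hardcoded(template_text):
    """Return (line_no, kind, literal) for every hard-coded partition or suffix."""
    findings = []
    for no, line in enumerate(template_text.splitlines(), start=1):
        for m in ARN_LITERAL.finditer(line):
            findings.append((no, "partition", m.group(1)))
        for m in SUFFIX_LITERAL.finditer(line):
            findings.append((no, "url-suffix", m.group(0).lstrip(".")))
    return findings


def main(paths):
    """Lint the given template files; exit status 1 if anything is hard-coded."""
    bad = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for no, kind, literal in find_hardcoded(fh.read()):
                print(f"{path}:{no}: hard-coded {kind} '{literal}'; "
                      f"use ${{AWS::Partition}} / ${{AWS::URLSuffix}} instead")
                bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python partition_lint.py deployment/*.template` before pushing a template; on the constructed samples it reports the `arn:aws:` resource and the `amazonaws.com` endpoint in the first template and nothing in the second. The regex check is deliberately text-based so it works on templates that use `!Sub` and other short-form tags, which a plain YAML parser rejects.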
It is good practice to make sure your CloudFormation templates follow AWS best practices. We use the open source tool cfn_nag to scan CloudFormation templates in our pipeline, and we highly recommend running it locally during development, before you publish a template.
```shell
brew install ruby brew-gem
brew gem install cfn-nag
cfn_nag_scan --input-path deployment/cloudformation-sample.template
```
For a clean template the scan ends with zero failures and zero warnings:
```
------------------------------------------------------------
deployment/cloudformation-sample.template
------------------------------------------------------------
Failures count: 0
Warnings count: 0
```
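To turn the scan above into a pipeline gate rather than a manual check, the following added example (not code from the original page or from cfn_nag) runs `cfn_nag_scan` with `--output-format json`, prints every finding with its rule id and logical resource, and blocks the pipeline on `FAIL` findings, or also on `WARN` findings when asked to. `SAMPLE_REPORT`, `CLEAN_REPORT` and `WARN_ONLY_REPORT` are constructed in the shape of cfn_nag's JSON output (the rule messages are abbreviated); the function names `summarize`, `gate` and `scan` are this example's own.

```python
"""Pipeline gate around cfn_nag_scan. Added example; the report constants are
constructed samples shaped like `cfn_nag_scan --output-format json` output."""
import json
import subprocess
import sys

# Constructed sample: one warning (intentional for a public ALB) and one failure.
SAMPLE_REPORT = json.dumps([
    {
        "filename": "deployment/cloudformation-sample.template",
        "file_results": {
            "failure_count": 1,
            "violations": [
                {
                    "id": "W2",
                    "type": "WARN",
                    "message": "Security Groups found with cidr open to world on ingress",
                    "logical_resource_ids": ["PublicAlbSecurityGroup"],
                    "line_numbers": [12],
                },
                {
                    "id": "F3",
                    "type": "FAIL",
                    "message": "IAM role should not allow * action on its permissions policy",
                    "logical_resource_ids": ["AppRole"],
                    "line_numbers": [40],
                },
            ],
        },
    }
])

# Constructed sample: nothing found.
CLEAN_REPORT = json.dumps([
    {"filename": "deployment/clean.template",
     "file_results": {"failure_count": 0, "violations": []}}
])

# Constructed sample: only the W2 warning from SAMPLE_REPORT.
WARN_ONLY_REPORT = json.dumps([
    {"filename": "deployment/alb.template",
     "file_results": {"failure_count": 0,
                      "violations": [json.loads(SAMPLE_REPORT)[0]["file_results"]["violations"][0]]}}
])


def summarize(report_json):
    """Return (failures, warnings, findings); one finding per reported violation."""
    failures = warnings = 0
    findings = []
    for entry in json.loads(report_json):
        for v in entry["file_results"]["violations"]:
            if v["type"] == "FAIL":
                failures += 1
            else:
                warnings += 1
            findings.append({
                "file": entry["filename"],
                "rule": v["id"],
                "type": v["type"],
                "resources": v.get("logical_resource_ids", []),
                "lines": v.get("line_numbers", []),
                "message": v["message"],
            })
    return failures, warnings, findings


def gate(report_json, fail_on_warnings=False):
    """Print every finding; return True only if the pipeline may proceed."""
    failures, warnings, findings = summarize(report_json)
    for f in findings:
        where = ",".join(f["resources"]) or "<template>"
        print(f'{f["type"]} {f["rule"]} {f["file"]} [{where}] lines {f["lines"]}: {f["message"]}')
    print(f"Failures count: {failures}  Warnings count: {warnings}")
    if failures:
        return False
    return not (fail_on_warnings and warnings)


def scan(path):
    """Run cfn_nag_scan on a file or directory and return its JSON report text.
    cfn_nag_scan exits non-zero when it finds failures, so check=True is not used."""
    proc = subprocess.run(
        ["cfn_nag_scan", "--output-format", "json", "--input-path", path],
        capture_output=True, text=True,
    )
    return proc.stdout


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "deployment"
    ok = gate(scan(target), fail_on_warnings="--fail-on-warnings" in sys.argv[2:])
    sys.exit(0 if ok else 1)
```

Usage in a pipeline step: `python cfn_nag_gate.py deployment/cloudformation-sample.template --fail-on-warnings`. Failing on warnings as well is the stricter setting: it forces every warning to be either fixed or explicitly suppressed with a reason in the template's metadata, so nothing silently accumulates. cfn_nag_scan itself also accepts a `--fail-on-warnings` flag if you only need the exit status and not the per-resource report.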
If the scan reports warnings or failures, change the template to follow the best practice. Suppress a rule only when the finding is a deliberate design decision; see [Rule Suppression](https://github.com/stelligent/cfn_nag#per-resource-rule-suppression) for how to add metadata to a resource so that cfn_nag stops reporting that rule for it, and always record a reason that explains why the finding is acceptable.
For example, a security group for a public-facing Application Load Balancer that intentionally allows ingress from the internet (cfn_nag rules W2 and W9 flag open ingress CIDRs):
```yaml
PublicAlbSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: 'Security group for a public Application Load Balancer'
    VpcId:
      Ref: vpc
    # The open ingress below is what W2 and W9 flag; it is intentional for a public ALB.
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0
  Metadata:
    cfn_nag:
      rules_to_suppress:
        - id: W9
          reason: "This is a public facing ELB and ingress from the internet should be permitted."
        - id: W2
          reason: "This is a public facing ELB and ingress from the internet should be permitted."
```