CloudFormation Extensions allow you to provision resources managed by AWS services that aren’t natively supported by CloudFormation.
Let’s see this in action with a common scenario: provisioning an AWS Systems Manager Parameter Store parameter.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Provision an SSM Parameter using a CloudFormation Extension
Parameters:
  # Assumed template input so the Ref below resolves; NoEcho masks the value in console and API output
  DBPasswordSecret:
    Type: String
    NoEcho: true
Resources:
  MySecureStringParameter:
    Type: AWS::SSM::Parameter::MySecureStringParameter # This is the Type for the SSM Parameter extension
    Properties:
      Name: /myapp/config/db_password
      Type: SecureString
      # A quoted '{"Ref": ...}' string would be stored as literal text; use the intrinsic function instead
      Value: !Ref DBPasswordSecret # Example: referencing a secret
      Description: Database password for MyApp
      Tier: Standard
      Policies:
        - ParameterStore:
            Type: String
            Version: 1
            AllowedPattern: ".*"
Outputs:
  ParameterName:
    Description: Name of the SSM Parameter
    Value: !Ref MySecureStringParameter
```
The problem CloudFormation Extensions solve is fragmentation. Without them, you’d need separate tools or manual steps to manage resources like SSM parameters, Secrets Manager secrets, or even custom resources that interact with external APIs. Extensions bring these under the declarative, version-controlled umbrella of CloudFormation.
Internally, when you use an extension, CloudFormation doesn’t directly manage the resource. Instead, it calls out to the specific AWS service (like SSM in our example) and tells it to create, update, or delete the resource. The extension acts as a bridge, translating CloudFormation’s generic "create resource" command into the specific API calls needed by the target service.
The Type property is where the magic happens. It’s not a standard AWS service prefix like AWS::EC2::Instance. Instead, it follows the pattern AWS::<ServiceName>::<ResourceType>::<ExtensionName>. For SSM parameters, it looks like AWS::SSM::Parameter::MySecureStringParameter. This tells CloudFormation to look for a registered extension for SSM parameters of type SecureString.
The Properties are then passed directly to the underlying service’s API. For our AWS::SSM::Parameter::MySecureStringParameter example, the Name, Type, Value, Description, Tier, and Policies all map to the parameters you’d use if you were calling the PutParameter API directly. Notice how the Value can even reference other CloudFormation resources or parameters, enabling dynamic configuration.
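A pre-deploy check for the point above about Value referencing other template inputs, as an added example that is not from the original page: it reads a template in CloudFormation's JSON form and reports SecureString resources whose Value is a literal (including a quoted string that only looks like a Ref) or whose Ref targets a parameter without NoEcho. The function name, finding messages and sample template are constructed for illustration.

```python
import json

def check_secure_values(template: dict) -> list[str]:
    """Return findings for resources whose Properties.Type is SecureString."""
    params = template.get("Parameters", {})
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        props = res.get("Properties", {})
        if props.get("Type") != "SecureString":
            continue
        value = props.get("Value")
        if isinstance(value, str):
            # A string is stored verbatim, even when its text is JSON for a Ref.
            try:
                parsed = json.loads(value)
            except ValueError:
                parsed = None
            if isinstance(parsed, dict) and "Ref" in parsed:
                findings.append(f"{name}: quoted Ref stored as literal text")
            else:
                findings.append(f"{name}: hard-coded literal")
        elif isinstance(value, dict) and "Ref" in value:
            target = value["Ref"]
            if target in params:
                # NoEcho may be written as a boolean or as the string "true".
                if str(params[target].get("NoEcho", "")).lower() != "true":
                    findings.append(f"{name}: Ref {target} lacks NoEcho")
            elif target not in resources:
                findings.append(f"{name}: Ref {target} is undefined")
    return findings

# Constructed sample template; the Type string is the one used on this page.
EXT_TYPE = "AWS::SSM::Parameter::MySecureStringParameter"
def _param(value):
    return {"Type": EXT_TYPE, "Properties": {"Type": "SecureString", "Value": value}}

SAMPLE = {
    "Parameters": {"DBPasswordSecret": {"Type": "String", "NoEcho": True},
                   "ApiToken": {"Type": "String"}},
    "Resources": {"Quoted": _param('{"Ref": "DBPasswordSecret"}'),
                  "Literal": _param("example-password"),
                  "NoEchoMissing": _param({"Ref": "ApiToken"}),
                  "Good": _param({"Ref": "DBPasswordSecret"})},
}

if __name__ == "__main__":
    print("\n".join(check_secure_values(SAMPLE)))
```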
You control the behavior by defining the Type and then providing the correct Properties that align with the target service’s API. The key is knowing the correct Type string and understanding which properties are supported by that specific extension. You can find these types in the AWS documentation for CloudFormation extensions or by exploring the AWS CloudFormation registry.
The most surprising thing is how seamlessly extensions integrate, making you forget they’re not native. The underlying mechanism involves CloudFormation invoking a CloudFormation Resource Provider, which is essentially a service that knows how to interact with a specific AWS service or API. When you specify an extension type, CloudFormation looks up the corresponding resource provider in the registry and delegates the creation, update, or deletion operations to it. This provider then makes the necessary API calls to the target AWS service.
The next step is exploring custom resource providers, which let you extend CloudFormation to manage any API, not just AWS services.