stelligent / cfn_nag

Linting tool for CloudFormation templates
MIT License

LambdaFunctionInsideVPCRule incorrectly failing for SAM template #601

Open ConorScullion opened 2 years ago

ConorScullion commented 2 years ago

I have a SAM template for a lambda (AWS::Serverless::Lambda) that has a VpcConfig declared; however, cfn-nag is highlighting it as a warning with LambdaFunctionInsideVPCRule. If I change the lambda to be a plain cft lambda, AWS::Lambda::Function, the warning is removed.

I'm thinking there may be an issue with mapping the SAM template properties?

Attached the partial template below:

  Lambda:
    Type: AWS::Serverless::Function
    Properties:
      Description: Lambda to consume events
      FunctionName: !Sub ${Environment}-lambdaTopicConsumer
      CodeUri: src/handlers/consumers/consumer
      Handler: index.handler
      MemorySize: 512
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - sqs:ReceiveMessage
                - sqs:DeleteMessage
                - sqs:GetQueueAttributes
              Resource:
                - !Sub '{{resolve:ssm:/${Environment}/${ServiceName}/middleware}}'
            - Effect: Allow
              Action:
                - dynamodb:PutItem
                - dynamodb:DeleteItem
              Resource: !Sub '{{resolve:ssm:/${Environment}/${ServiceName}/dynamo}}'
      Timeout: 30
      Tracing: Active
      VpcConfig:
        SubnetIds: !Ref VpcSubnetIds
        SecurityGroupIds:
          - !Sub '{{resolve:ssm:/${Environment}/vpc/default_sg}}'
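As an added example (not cfn_nag's own rule code), a stand-alone Ruby check that treats AWS::Serverless::Function the same as AWS::Lambda::Function when looking for a VpcConfig, which is the behaviour the report expects. The template it parses is constructed here: a trimmed copy of the reporter's resource beside a plain Lambda that has no VpcConfig.

```ruby
require 'yaml'

# Constructed sample template (not a project fixture): the reporter's SAM
# function, trimmed, next to a plain AWS::Lambda::Function with no VpcConfig.
SAMPLE_TEMPLATE = <<~YAML
  Resources:
    SamLambda:
      Type: AWS::Serverless::Function
      Properties:
        Handler: index.handler
        VpcConfig:
          SubnetIds: !Ref VpcSubnetIds
          SecurityGroupIds:
            - !Sub '{{resolve:ssm:/${Environment}/vpc/default_sg}}'
    PlainLambda:
      Type: AWS::Lambda::Function
      Properties:
        Handler: index.handler
        Runtime: nodejs18.x
YAML

# Both resource types declare VpcConfig with the same shape, so a rule that
# only inspects AWS::Lambda::Function misses SAM functions (and, conversely,
# flags them as if they had no VPC configuration).
LAMBDA_TYPES = %w[AWS::Lambda::Function AWS::Serverless::Function].freeze

# Returns the logical IDs of Lambda-like resources that have no VpcConfig or
# one that names no subnets. Psych drops unknown short-hand tags such as !Ref
# and !Sub and keeps the scalar value, which is enough for a presence check.
def lambdas_outside_vpc(template_yaml)
  template = YAML.safe_load(template_yaml)
  resources = template.fetch('Resources', {})
  resources.select do |_id, res|
    next false unless LAMBDA_TYPES.include?(res['Type'])
    vpc = (res['Properties'] || {})['VpcConfig']
    subnets = vpc.is_a?(Hash) ? vpc['SubnetIds'] : nil
    subnets.nil? || subnets.empty?
  end.keys
end

puts lambdas_outside_vpc(SAMPLE_TEMPLATE).inspect if $PROGRAM_NAME == __FILE__
```

Only PlainLambda is reported; SamLambda passes because its VpcConfig is read from the SAM resource type too.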