W58 cannot be suppressed #422

Closed
jwtdrjj opened this issue Mar 31, 2020 · 3 comments
jwtdrjj commented Mar 31, 2020

I have three AWS::Serverless::Function resources in a template, but the Lambda role is in a separate stack. cfn_nag prompts with W58. The Lambda role was updated to include the CloudWatch Logs permissions; cfn_nag still prompts with W58. I put metadata on the resource and on the stack, and I still get the nag about W58.

```yaml
CFNCustomProviderDev:
  Type: AWS::Serverless::Function
  Metadata:
    cfn_nag:
      rules_to_suppress:
        - id: W58
          reason: "Lambda Role is in org-iam"
```

```text
31-Mar-2020 09:02:44 cp_lambda.yml
31-Mar-2020 09:02:44 ------------------------------------------------------------------------------------------------------------------------
31-Mar-2020 09:02:44 | WARN W58
31-Mar-2020 09:02:44 |
31-Mar-2020 09:02:44 | Resources: ["CFNCustomProviderDev", "CFNCustomProviderTst", "CFNCustomProviderPrd"]
31-Mar-2020 09:02:44 | Line Numbers: [-1, -1, -1]
31-Mar-2020 09:02:44 |
31-Mar-2020 09:02:44 | Lambda functions require permission to write CloudWatch Logs
```

rbs4ba commented Apr 29, 2020

I'm running into this issue too. The core of the issue as to why `rules_to_suppress` isn't working is that the suppression is set on the AWS::Serverless::Function CFNCustomProviderDev, while the W58 warning is coming from the AWS::Lambda::Function CFNCustomProviderDev that is created by SAM.

So it seems like there are two problems here:

  1. cfn_nag doesn't seem to be respecting the permissions that are set in a role outside of the template
  2. It's generally pointless to use rules_to_suppress on AWS::Serverless::Function because it's usually the child resources spawned by SAM that have the actual warnings/errors


arothian (Contributor) commented Nov 5, 2020

cfn_nag will pass through the metadata declared on the SAM resource to the transformed function and role for the purposes of allowing warning suppression.
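The mechanics behind rbs4ba's diagnosis and the maintainer's fix, as an added example that is not cfn_nag's own code. It is a small Ruby model of the pipeline: a stand-in for the SAM transform (assumed shape; the real transform emits more resources and richer properties) that expands each AWS::Serverless::Function into an AWS::Lambda::Function plus, when no Role is given, a generated role; an approximation of the W58 check, which can only verify roles defined in the same template, so an imported role fails it no matter what it grants; and the suppression lookup. With `propagate_metadata: false` the suppression sits on the parent and the generated function is still flagged, as in the report (the `Line Numbers: [-1, -1, -1]` output matches resources with no source line). With `propagate_metadata: true` the parent's `Metadata` is copied to the generated function and role and the warning is suppressed. The sample template and resource names other than CFNCustomProviderDev are constructed for this example.

```ruby
require 'yaml'

# Actions a Lambda execution role needs to write CloudWatch Logs.
LOG_ACTIONS = %w[logs:CreateLogGroup logs:CreateLogStream logs:PutLogEvents].freeze

# Constructed sample template (not the reporter's file). CFNCustomProviderDev mirrors the
# issue: the role is imported from another stack and the suppression is on the SAM resource.
SAMPLE_TEMPLATE = <<~YAML
  Transform: AWS::Serverless-2016-10-31
  Resources:
    CFNCustomProviderDev:
      Type: AWS::Serverless::Function
      Metadata:
        cfn_nag:
          rules_to_suppress:
            - id: W58
              reason: "Lambda Role is in org-iam"
      Properties:
        Handler: index.handler
        Runtime: python3.8
        Role:
          Fn::ImportValue: org-iam-LambdaRoleArn
    NoRoleFn:
      Type: AWS::Serverless::Function
      Properties:
        Handler: index.handler
        Runtime: python3.8
    LoggingRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument: {}
        Policies:
          - PolicyName: logs
            PolicyDocument:
              Statement:
                - Effect: Allow
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource: "*"
    InTemplateRoleFn:
      Type: AWS::Lambda::Function
      Properties:
        Handler: index.handler
        Role:
          Fn::GetAtt: [LoggingRole, Arn]
YAML

def as_list(value)
  value.is_a?(Array) ? value : [value].compact
end

# Simplified stand-in for the SAM transform (assumption). Each AWS::Serverless::Function
# becomes an AWS::Lambda::Function with the same logical id; a function without a Role
# gets a generated "<id>Role". propagate_metadata copies the parent's Metadata to both.
def transform(template, propagate_metadata:)
  out = Marshal.load(Marshal.dump(template))
  template['Resources'].each do |id, res|
    next unless res['Type'] == 'AWS::Serverless::Function'
    props = res.fetch('Properties', {}).dup
    children = {}
    unless props.key?('Role')
      children["#{id}Role"] = { 'Type' => 'AWS::IAM::Role', 'Properties' => {
        'ManagedPolicyArns' => ['arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'] } }
      props['Role'] = { 'Fn::GetAtt' => ["#{id}Role", 'Arn'] }
    end
    children[id] = { 'Type' => 'AWS::Lambda::Function', 'Properties' => props }
    children.each_value { |c| c['Metadata'] = res['Metadata'] } if propagate_metadata && res['Metadata']
    out['Resources'].merge!(children)
  end
  out
end

# Approximation of W58: Role must point (Fn::GetAtt) at an AWS::IAM::Role in this template
# that grants the logs actions directly or via AWSLambdaBasicExecutionRole. An imported
# role cannot be inspected, so it fails regardless of what it really grants.
def role_writes_logs?(template, role_ref)
  target = role_ref.is_a?(Hash) ? role_ref['Fn::GetAtt'] : nil
  role = target && template['Resources'][target[0]]
  return false unless role && role['Type'] == 'AWS::IAM::Role'
  props = role['Properties'] || {}
  return true if as_list(props['ManagedPolicyArns']).any? { |arn| arn.end_with?('AWSLambdaBasicExecutionRole') }
  as_list(props['Policies']).any? do |policy|
    as_list(policy.dig('PolicyDocument', 'Statement')).any? do |st|
      st['Effect'] == 'Allow' && (LOG_ACTIONS - as_list(st['Action'])).empty?
    end
  end
end

def suppressed?(resource, rule_id)
  as_list(resource.dig('Metadata', 'cfn_nag', 'rules_to_suppress')).any? { |s| s['id'] == rule_id }
end

# Logical ids of AWS::Lambda::Function resources that fail W58 and carry no suppression.
def w58_violations(template)
  template['Resources']
    .select { |_, r| r['Type'] == 'AWS::Lambda::Function' }
    .reject { |_, r| suppressed?(r, 'W58') || role_writes_logs?(template, r.dig('Properties', 'Role')) }
    .keys
end

def lint(yaml_text, propagate_metadata:)
  w58_violations(transform(YAML.safe_load(yaml_text), propagate_metadata: propagate_metadata))
end

puts lint(SAMPLE_TEMPLATE, propagate_metadata: false).inspect  # suppression stays on the parent
puts lint(SAMPLE_TEMPLATE, propagate_metadata: true).inspect   # metadata passed through
```

Only CFNCustomProviderDev is reported in the first run: NoRoleFn passes because its generated role carries the basic execution policy, and InTemplateRoleFn passes because LoggingRole is visible to the check. The second run reports nothing, because the suppression now travels with the transformed function. Point 1 of rbs4ba's comment is not something the pass-through fixes: a role in another stack is still invisible to the rule, so the suppression (with its reason) remains the right tool for that case.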
