
This is my policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1493711257000",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:DeleteMessageBatch",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:SendMessageBatch"
            ],
            "Resource": [
                "arn:aws:sqs:::q1",
                "arn:aws:sqs:::q2",
                "arn:aws:sqs:::q3"
            ]
        }
    ]
}

In the previous version, I actually had the queue names fully qualified, i.e.:

            "Resource": [
                "arn:aws:sqs:us-west-2:1234567:q1",
                "arn:aws:sqs:us-west-2:1234567:q2",
                "arn:aws:sqs:us-west-2:1234567:q3"
            ]

However, I want to make them more generic, so I tried to use the ':::' shorthand to replace the region and account identifier, and it became the version I posted at the beginning of this question.

Before I save it, I use 'Validate Policy' to double check. It passed the validation.

Then I tried to test it in the IAM Policy Simulator and got this error: [screenshot not reproduced]

So what exactly is wrong with my policy? It seems like I cannot trust the validation function in the group policy editor.

Anthony Kong
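An added check, not part of the question or of any AWS tooling, that parses a policy like the one above and flags SQS resource ARNs with empty region or account fields. SQS ARNs are always region- and account-scoped, so an empty field is not a valid SQS resource even though the syntactic validator accepts it; the supported way to leave those fields unspecified is the '*' wildcard, which the check also suggests. The policy document below is constructed from the question, with the asker's placeholder account id.

```python
import json

# Constructed policy modelled on the one in the question; the account id is the
# asker's placeholder, not a real one. q2 shows the wildcard form for comparison.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["sqs:ReceiveMessage", "sqs:SendMessage"],
    "Resource": ["arn:aws:sqs:::q1", "arn:aws:sqs:*:*:q2",
                 "arn:aws:sqs:us-west-2:1234567:q3"]
  }]
}""")

def check_sqs_arn(arn):
    """Return None if usable as an SQS resource ARN, else a description of the problem.

    SQS ARNs are arn:aws:sqs:<region>:<account-id>:<queue-name>; IAM accepts '*'
    for region and account, but an empty field only for global services, not SQS.
    """
    parts = arn.split(":", 5)  # at most 6 fields; queue names contain no ':'
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "sqs":
        return "not an SQS ARN"
    labels = {3: "region", 4: "account id", 5: "queue name"}
    empty = [labels[i] for i in labels if parts[i] == ""]
    return ("empty " + ", ".join(empty) + " (use a value or '*')") if empty else None

def make_generic(arn):
    """Replace empty region/account fields with '*', the portable form of the ':::' idea."""
    parts = arn.split(":", 5)
    parts[3], parts[4] = parts[3] or "*", parts[4] or "*"
    return ":".join(parts)

def lint_policy(policy):
    """Map every Resource ARN in the policy to its problem string or None."""
    statements = policy["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    findings = {}
    for stmt in statements:
        resources = stmt.get("Resource", [])
        for arn in [resources] if isinstance(resources, str) else resources:
            findings[arn] = check_sqs_arn(arn)
    return findings

if __name__ == "__main__":
    for arn, problem in lint_policy(POLICY).items():
        hint = f" -> try {make_generic(arn)}" if problem else ""
        print(f"{arn}: {problem or 'ok'}{hint}")
```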