E3031 with AWS Managed Policies in If function

[francilioaraujo]

CloudFormation Lint Version

cfn-lint 1.43.4

What operating system are you using?

Debian 13

Describe the bug

AWS Managed Policies from this list are accepted, as one can see in the documentation.

Managed policies used in ifs are validated as ARNs.

E3031 'CloudWatchLambdaInsightsExecutionRolePolicy' does not match 'arn:(aws[a-zA-Z-]*)?:iam::(\\d{12}|aws):policy/[a-zA-Z_0-9+=,.@\\-_/]+'
template.yaml:17:24

Expected behavior

The validation should pass

Reproduction template

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Conditions:
  IsTrue: true

Resources:
  ExampleFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: handler
      InlineCode: >
        def handler():
          pass
      Policies:
        - !If [IsTrue, CloudWatchLambdaInsightsExecutionRolePolicy, !Ref AWS::NoValue] # This line does not pass
        - Fn::If:                                                                      #
          - IsTrue                                                                     #
          - AWSLambdaExecute                                                           # This line does not pass
          - !Ref AWS::NoValue                                                          #
        - CloudWatchLambdaInsightsExecutionRolePolicy                                  # This line pass

[francilioaraujo]

I made some debugging and found the possible cause. On aws-sam-translator is made the following assumption:

https://github.com/aws/serverless-application-model/blob/85d142dd23a91c9b0dcacaa4efb9ca9fdf415e75/samtranslator/model/role_utils/role_constructor.py#L133-L140

With intrinsic functions the managed policy name is not translated to an ARN.