Description
SAM policy templates have outdated policies, and they fail with cfn-lint (version 1.30.0). The reason for the failure is rule W3037.
Example: the SQSPollerPolicy:
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "sqs:ChangeMessageVisibility",
            "sqs:ChangeMessageVisibilityBatch",
            "sqs:DeleteMessage",
            "sqs:DeleteMessageBatch",
            "sqs:GetQueueAttributes",
            "sqs:ReceiveMessage"
        ],
        "Resource": {
            "Fn::Sub": [
                "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
                {
                    "queueName": {
                        "Ref": "QueueName"
                    }
                }
            ]
        }
    }
]
Steps to reproduce
Use the following in a CFN template:
SQSReader:
  Type: AWS::Serverless::Function
  Properties:
    CodeUri: ./thecode
    Description: Parses Pulse events and writes them in the Staging bucket
    Events:
      TheQueue:
        Type: SQS
        Properties:
          BatchSize: 10
          Enabled: True
          MaximumBatchingWindowInSeconds: 60
          Queue: !GetAtt TheQueue.Arn
          ScalingConfig:
            MaximumConcurrency: 4
    Handler: SomeClass:handleRequest
    Policies:
      - SQSPollerPolicy:
          QueueName: !GetAtt PulseEventsStreamQueue.QueueName
    Tracing: Active
Observed result
The policy template grants rights that no longer exist.
Expected result
A valid policy
Additional environment details
- OS: Linux
- If using the SAM CLI, sam --version:
- AWS region: eu-west-1
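As an added example (not code from the report or from the SAM project), a small check in the spirit of cfn-lint rule W3037 run over the SQSPollerPolicy statement quoted above: every action in the statement is compared against a list of known IAM actions and the unmatched ones are reported. The KNOWN_ACTIONS allow-list is constructed for this example and is an assumption, not AWS's authoritative action list.

```python
import fnmatch
import json

# The SQSPollerPolicy statement quoted in the report (Resource omitted; only
# the Action list matters for rule W3037).
SQS_POLLER_STATEMENT = json.loads("""
{
  "Effect": "Allow",
  "Action": [
    "sqs:ChangeMessageVisibility",
    "sqs:ChangeMessageVisibilityBatch",
    "sqs:DeleteMessage",
    "sqs:DeleteMessageBatch",
    "sqs:GetQueueAttributes",
    "sqs:ReceiveMessage"
  ]
}
""")

# Constructed allow-list standing in for cfn-lint's bundled IAM action data
# (an assumption for this example; the "...Batch" names are absent from it).
KNOWN_ACTIONS = {
    "sqs": {
        "ChangeMessageVisibility", "DeleteMessage", "GetQueueAttributes",
        "GetQueueUrl", "ReceiveMessage", "SendMessage",
    },
}

def find_unknown_actions(statement, known=KNOWN_ACTIONS):
    """Return the actions in an IAM statement that match no known action.

    "Action" may be a string or a list. Matching is case-insensitive and '*'
    is a wildcard as in IAM, so "sqs:Get*" passes if it matches at least one
    known action; a bare "*" is accepted.
    """
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    unknown = []
    for action in actions:
        if action == "*":
            continue
        service, _, name = action.partition(":")
        candidates = known.get(service.lower(), set())
        if not any(fnmatch.fnmatchcase(c.lower(), name.lower()) for c in candidates):
            unknown.append(action)
    return unknown

if __name__ == "__main__":
    print(find_unknown_actions(SQS_POLLER_STATEMENT))
```

In practice, running cfn-lint over the template, as the report does, performs this check against its own bundled IAM action data.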