{
    "Parameters": {
        "QueueName": {
            "Type": "String",
            "Description": "The name of the queue to grant read permissions to."
        }
    },
    "Resources": {
        "MyQueue": {
            "Type": "AWS::SQS::Queue"
        },
        "MyQueuePolicy": {
            "Type": "AWS::SQS::QueuePolicy",
            "Properties": {
                "PolicyDocument": {
                    "Statement": [
                        {
                            "Action": "sqs:SendMessage",
                            "Effect": "Allow",
                            "Resource": {
                                "Fn::GetAtt": [
                                    "MyQueue",
                                    "Arn"
                                ]
                            },
                            "Principal": {
                                "AWS": {
                                    "Ref": "AWS::AccountId"
                                }
                            }
                        }
                    ]
                },
                "Queues": [
                    {
                        "Ref": "MyQueue"
                    }
                ]
            }
        },
        "MyRoleWithBadAction": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Ref": "AWS::AccountId"
                                }
                            },
                            "Action": "sts:AssumeRole"
                        }
                    ]
                },
                "Policies": [
                    {
                        "PolicyName": "policy-with-bad-action",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": "sqs:ThisActionDoesNotExist",
                                    "Resource": "*"
                                },
                                {
                                    "Effect": "Allow",
                                    "Action": "sqs:ReceiveMessage",
                                    "Resource": {
                                        "Fn::Sub": "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${QueueName}"
                                    }
                                }
                            ]
                        }
                    }
                ]
            }
        }
    }
}