{
  "Statement": [
    {
      "Action": [
        "sqs:AddPermission",
        "sqs:CancelMessageMoveTask",
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:PurgeQueue",
        "sqs:RemovePermission",
        "sqs:SetQueueAttributes"
      ],
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456789012:user/ci",
            "arn:aws:iam::123456789012:user/person1"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Sid": "Allow Restricted administer-resource 1"
    },
    {
      "Action": [
        "sqs:StartMessageMoveTask",
        "sqs:TagQueue",
        "sqs:UntagQueue"
      ],
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456789012:user/ci",
            "arn:aws:iam::123456789012:user/person1"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Sid": "Allow Restricted administer-resource 2"
    },
    {
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListDeadLetterSourceQueues",
        "sqs:ListMessageMoveTasks",
        "sqs:ListQueues",
        "sqs:ListQueueTags"
      ],
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456789012:user/ci",
            "arn:aws:iam::123456789012:user/person1",
            "arn:aws:iam::123456789012:role/k9-auditor",
            "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Sid": "Allow Restricted read-config"
    },
    {
      "Action": "sqs:ReceiveMessage",
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456789012:role/app-backend",
            "arn:aws:iam::123456789012:role/customer-service"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Sid": "Allow Restricted read-data"
    },
    {
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:SendMessage"
      ],
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456789012:role/app-backend"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Sid": "Allow Restricted write-data"
    },
    {
      "Action": [
        "sqs:DeleteMessage",
        "sqs:DeleteQueue",
        "sqs:PurgeQueue"
      ],
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": []
        }
      },
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "*",
      "Sid": "Allow Restricted delete-data"
    },
    {
      "Action": "sqs:*",
      "Condition": {
        "Bool": {
          "aws:PrincipalIsAWSService": [
            "false"
          ]
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "${Token[TOKEN.40]}",
            "arn:aws:iam::123456789012:user/ci",
            "arn:aws:iam::123456789012:user/person1",
            "arn:aws:iam::123456789012:role/k9-auditor",
            "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer",
            "arn:aws:iam::123456789012:role/app-backend",
            "arn:aws:iam::123456789012:role/customer-service"
          ]
        }
      },
      "Effect": "Deny",
      "Principal": {
        "AWS": [
          "*",
          "*"
        ]
      },
      "Resource": "*",
      "Sid": "DenyEveryoneElse"
    }
  ],
  "Version": "2012-10-17"
}