{
  "resources": {
    "Queue": {
      "hasResourcePolicy": true,
      "grants": {
        "consumeMessages": {
          "actions": [
            "sqs:ReceiveMessage",
            "sqs:ChangeMessageVisibility",
            "sqs:GetQueueUrl",
            "sqs:DeleteMessage",
            "sqs:GetQueueAttributes"
          ],
          "keyActions": [
            "kms:Decrypt"
          ],
          "docSummary": "Grant permissions to consume messages from a queue\n\nThis will grant the following permissions:\n\n  - sqs:ChangeMessageVisibility\n  - sqs:DeleteMessage\n  - sqs:ReceiveMessage\n  - sqs:GetQueueAttributes\n  - sqs:GetQueueUrl\n\nIf encryption is used, permission to use the key to decrypt the contents of the queue will also be granted to the same principal.\n\nThis will grant the following KMS permissions:\n\n  - kms:Decrypt"
        },
        "sendMessages": {
          "actions": [
            "sqs:SendMessage",
            "sqs:GetQueueAttributes",
            "sqs:GetQueueUrl"
          ],
          "keyActions": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*"
          ],
          "docSummary": "Grant access to send messages to a queue to the given identity.\n\nThis will grant the following permissions:\n\n - sqs:SendMessage\n - sqs:GetQueueAttributes\n - sqs:GetQueueUrl\n\nIf encryption is used, permission to use the key to encrypt/decrypt the contents of the queue will also be granted to the same principal.\n\nThis will grant the following KMS permissions:\n\n - kms:Decrypt\n - kms:Encrypt\n - kms:ReEncrypt*\n - kms:GenerateDataKey*"
        },
        "purge": {
          "actions": [
            "sqs:PurgeQueue",
            "sqs:GetQueueAttributes",
            "sqs:GetQueueUrl"
          ]

        }
      }
    }
  }
}