Tigerwan, did you manage to solve this?
I have a similar issue in that I need to create a resource-based function policy for a Lambda function so that it can be invoked by CloudWatch events that don’t exist at deploy time (dynamically added cron events).